fix(auth): cooldown live accounts on zero grouped removal

Use refresh-token scoped cooldown updates to avoid mutating stale account references when grouped removal returns zero.

Author: ndycode

index.ts

@@ -2167,11 +2167,16 @@ while (attempted.size < Math.max(1, accountCount)) {
 						logWarn(
 							`[${PLUGIN_NAME}] Expected grouped account removal after auth failures, but removed ${removedCount}.`,
 						);
-						accountManager.markAccountCoolingDown(
-							account,
+						const cooledCount = accountManager.markAccountsWithRefreshTokenCoolingDown(
+							account.refreshToken,
 							ACCOUNT_LIMITS.AUTH_FAILURE_COOLDOWN_MS,
 							"auth-failure",
 						);
+						if (cooledCount <= 0) {
+							logWarn(
+								`[${PLUGIN_NAME}] Unable to apply auth-failure cooldown; no live account found for refresh token.`,
+							);
+						}
 						accountManager.saveToDiskDebounced();
 						continue;
 					}

lib/accounts.ts

@@ -695,6 +695,22 @@ export class AccountManager {
 		account.cooldownReason = reason;
 	}
 
+	/**
+	 * Mark every in-memory account sharing a refresh token as cooling down.
+	 * @returns Number of live accounts updated.
+	 */
+	markAccountsWithRefreshTokenCoolingDown(
+		refreshToken: string,
+		cooldownMs: number,
+		reason: CooldownReason,
+	): number {
+		const matches = this.accounts.filter((account) => account.refreshToken === refreshToken);
+		for (const account of matches) {
+			this.markAccountCoolingDown(account, cooldownMs, reason);
+		}
+		return matches.length;
+	}
+
 	isAccountCoolingDown(account: ManagedAccount): boolean {
 		if (account.coolingDownUntil === undefined) return false;
 		if (nowMs() >= account.coolingDownUntil) {

test/index.test.ts

@@ -328,6 +328,7 @@ vi.mock("../lib/accounts.js", () => {
 		incrementAuthFailures() { return 1; }
 		async saveToDisk() {}
 		markAccountCoolingDown() {}
+		markAccountsWithRefreshTokenCoolingDown() { return 1; }
 		markRateLimited() {}
 		markRateLimitedWithReason() {}
 		consumeToken() { return true; }
@@ -1348,9 +1349,9 @@ describe("OpenAIOAuthPlugin fetch handler", () => {
 		const removeGroupedAccountsSpy = vi
 			.spyOn(AccountManager.prototype, "removeAccountsWithSameRefreshToken")
 			.mockReturnValue(0);
-		const markAccountCoolingDownSpy = vi.spyOn(
+		const markAccountsWithRefreshTokenCoolingDownSpy = vi.spyOn(
 			AccountManager.prototype,
-			"markAccountCoolingDown",
+			"markAccountsWithRefreshTokenCoolingDown",
 		);
 
 		globalThis.fetch = vi.fn().mockResolvedValue(
@@ -1367,8 +1368,8 @@ describe("OpenAIOAuthPlugin fetch handler", () => {
 		expect(globalThis.fetch).not.toHaveBeenCalled();
 		expect(incrementAuthFailuresSpy).toHaveBeenCalledTimes(1);
 		expect(removeGroupedAccountsSpy).toHaveBeenCalledTimes(1);
-		expect(markAccountCoolingDownSpy).toHaveBeenCalledWith(
-			expect.objectContaining({ index: 0 }),
+		expect(markAccountsWithRefreshTokenCoolingDownSpy).toHaveBeenCalledWith(
+			"refresh-1",
 			ACCOUNT_LIMITS.AUTH_FAILURE_COOLDOWN_MS,
 			"auth-failure",
 		);