ndycode
diff --git a/‎.github/dependabot.yml‎
Lines changed: 31 additions & 0 deletions b/‎.github/dependabot.yml‎
Lines changed: 31 additions & 0 deletions
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 8 additions & 5 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 8 additions & 5 deletions
diff --git a/‎.github/workflows/codeql.yml‎
Lines changed: 34 additions & 0 deletions b/‎.github/workflows/codeql.yml‎
Lines changed: 34 additions & 0 deletions
diff --git a/‎.gitignore‎
Lines changed: 2 additions & 1 deletion b/‎.gitignore‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎AGENTS.md‎
Lines changed: 100 additions & 33 deletions b/‎AGENTS.md‎
Lines changed: 100 additions & 33 deletions
diff --git a/‎CODEOWNERS‎
Lines changed: 14 additions & 0 deletions b/‎CODEOWNERS‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎CUsersAdministratorDevToolsoc-chatgpt-multi-authfirst_fail.txt‎
Lines changed: 1 addition & 0 deletions b/‎CUsersAdministratorDevToolsoc-chatgpt-multi-authfirst_fail.txt‎
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1,31 @@
+version: 2
+updates:
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+      - "npm"
+    commit-message:
+      prefix: "deps"
+    groups:
+      dev-dependencies:
+        dependency-type: "development"
+        update-types:
+          - "minor"
+          - "patch"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+      - "github-actions"
+    commit-message:
+      prefix: "ci"
@@ -28,17 +28,20 @@ jobs:
       - name: Install dependencies
         run: npm ci
 
+      - name: Security audit
+        run: npm audit --audit-level=high
+
       - name: Run type check
         run: npm run typecheck
 
-      - name: Run tests
-        run: npm test
+      - name: Run tests with coverage
+        run: npm run coverage
 
       - name: Build
         run: npm run build
 
   lint:
-    name: Type Check
+    name: Lint
 
     runs-on: ubuntu-latest
 
@@ -55,5 +58,5 @@ jobs:
       - name: Install dependencies
         run: npm ci
 
-      - name: Run type check
-        run: npm run typecheck
+      - name: Run ESLint
+        run: npm run lint
@@ -0,0 +1,34 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: '0 3 * * 0'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: javascript-typescript
+          queries: security-extended
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
@@ -8,4 +8,5 @@ opencode.json
 .opencode/
 tmp
 .codex-cache
-.sisyphus/
+.sisyphus/
+coverage/
@@ -1,57 +1,124 @@
 # PROJECT KNOWLEDGE BASE
 
-Generated: 2026-01-29
-Commit: 693b0cc
+Generated: 2026-01-30
+Commit: 6e53f46
 Branch: main
 
 ## OVERVIEW
-OpenCode plugin that swaps OpenAI SDK calls to the ChatGPT Codex backend with multi-account OAuth.
+OpenCode plugin: intercepts OpenAI SDK calls, routes through ChatGPT Codex backend with multi-account OAuth rotation.
 
 ## STRUCTURE
 ```
 ./
-├── index.ts                  # plugin entry point (not under src/)
-├── lib/                       # main source (auth, request, prompts, config)
-├── test/                      # vitest suites
-├── scripts/                   # install + build helpers
-├── assets/                    # static assets
-├── config/                    # OpenCode config examples
-├── docs/                      # architecture docs/diagrams
-├── dist/                      # build output (generated)
-└── SECURITY.md                # vuln reporting rules
+├── index.ts              # plugin entry (7-step fetch pipeline, tool registration)
+├── lib/                  # core logic (see lib/AGENTS.md)
+├── test/                 # vitest suites (see test/AGENTS.md)
+├── scripts/              # install + build helpers
+├── config/               # opencode.json examples (legacy/modern)
+├── docs/                 # architecture + user docs
+├── assets/               # static assets
+├── dist/                 # build output (generated, do not edit)
+└── winston/              # vendored logging (do not modify)
 ```
 
 ## WHERE TO LOOK
 | Task | Location | Notes |
 | --- | --- | --- |
-| Fetch flow orchestration | `index.ts` | 7-step request pipeline
-| OAuth flow + tokens | `lib/auth/auth.ts` | PKCE, refresh, JWT decode
-| OAuth callback server | `lib/auth/server.ts` | binds port 1455
-| Request mutation | `lib/request/request-transformer.ts` | model normalization + prompts
-| Request helpers | `lib/request/fetch-helpers.ts` | headers, rate limit handling
-| SSE response handling | `lib/request/response-handler.ts` | SSE to JSON
-| Prompt fetching/cache | `lib/prompts/codex.ts` | GitHub release ETag cache
-| Config parsing | `lib/config.ts` | CODEX_MODE + options
-| Tests | `test/` | vitest globals enabled
+| Plugin orchestration | `index.ts` | 7-step request pipeline, tool registration |
+| OAuth flow + PKCE | `lib/auth/auth.ts` | token refresh, JWT decode |
+| OAuth callback server | `lib/auth/server.ts` | binds port 1455 |
+| Multi-account rotation | `lib/accounts.ts` | health scoring, cooldown, selection |
+| Account storage | `lib/storage.ts` | V3 format, per-project/global paths |
+| Request transformation | `lib/request/request-transformer.ts` | model normalization, prompt injection |
+| Headers + rate limits | `lib/request/fetch-helpers.ts` | Codex headers, error mapping |
+| SSE to JSON | `lib/request/response-handler.ts` | stream parsing |
+| Prompt templates | `lib/prompts/codex.ts` | model-family detection, GitHub ETag cache |
+| Config parsing | `lib/config.ts` | CODEX_MODE, plugin options |
+| Session recovery | `lib/recovery/` | conversation state persistence |
+| Graceful shutdown | `lib/shutdown.ts` | cleanup on process exit |
+| Health monitoring | `lib/health.ts` | account health status |
+| Circuit breaker | `lib/circuit-breaker.ts` | failure isolation |
+| Tests | `test/` | vitest globals, 80% coverage threshold |
 
 ## CONVENTIONS
-- Source lives in `index.ts` and `lib/`; `dist/` is generated.
-- ESLint flat config: no `any`, unused args must be prefixed with `_`.
-- Test files relax lint rules; see `eslint.config.js`.
-- Build must copy `lib/oauth-success.html` into `dist/lib/` (see `scripts/copy-oauth-success.js`).
+- Source: root `index.ts` + `lib/`; `dist/` is generated output.
+- ESLint flat config: `no-explicit-any` enforced, unused args prefixed `_`.
+- Tests relax lint rules (see `eslint.config.js`).
+- Build copies `lib/oauth-success.html` to `dist/lib/` via `scripts/copy-oauth-success.js`.
+- ESM only (`"type": "module"`), Node >= 18.
 
 ## ANTI-PATTERNS (THIS PROJECT)
-- Do not edit `dist/` outputs or `tmp*` directories.
-- Do not open public security issues; follow `SECURITY.md` for reporting.
+- Do not edit `dist/`, `tmp*`, or `winston/` directories.
+- Do not use `as any`, `@ts-ignore`, `@ts-expect-error`.
+- Do not open public security issues; see `SECURITY.md`.
+- Do not hardcode ports other than 1455 for OAuth server.
 
 ## COMMANDS
 ```bash
-npm run build
-npm run typecheck
-npm test
-npm run lint
+npm run build       # tsc + copy oauth-success.html
+npm run typecheck   # type checking only
+npm test            # vitest once
+npm run test:watch  # vitest watch mode
+npm run lint        # eslint
 ```
 
 ## NOTES
-- OAuth callback server binds `http://127.0.0.1:1455/auth/callback`.
-- ChatGPT backend requires stateless requests (`store: false`, include encrypted reasoning).
+- OAuth callback: `http://127.0.0.1:1455/auth/callback`.
+- ChatGPT backend requires `store: false`, include `reasoning.encrypted_content`.
+- Per-project accounts: `.opencode/openai-codex-accounts.json` (walks up to find project root).
+- Global accounts: `~/.opencode/openai-codex-accounts.json`.
+- Prompt templates synced from Codex CLI GitHub releases with ETag caching.
+- 5xx server errors trigger account rotation and health penalty (same as network errors).
+- API deprecation/sunset headers (RFC 8594) are logged as warnings.
+- StorageError preserves original stack traces via `cause` parameter.
+- saveToDiskDebounced errors are logged but don't crash the plugin.
+
+## SKILL MAPPING (for delegate_task)
+
+Skills to load when delegating tasks in this codebase.
+
+### Core Skills (load on most tasks)
+
+| Skill | Justification |
+|-------|---------------|
+| `typescript-senior` | Strict mode, template literal types (`QuotaKey`), discriminated unions (`TokenResult`), Zod inference |
+| `node-backend` | ESM-first, `node:crypto`, Buffer API, async patterns |
+| `testing-js` | Vitest with 80% coverage threshold, `vi.mock`, `vi.useFakeTimers` |
+| `mcp-builder` | Uses `@opencode-ai/plugin/tool` pattern for tool registration |
+
+### Domain-Specific Skills (load when touching these areas)
+
+| Skill | When to Load | Key Files |
+|-------|--------------|-----------|
+| `auth-patterns` | OAuth flow, PKCE, JWT, token refresh | `lib/auth/auth.ts`, `lib/refresh-queue.ts` |
+| `secrets-management` | Token storage, credential handling | `lib/storage.ts`, account JSON files |
+| `api-design` | Request transformation, headers, SSE | `lib/request/` directory |
+| `error-observability` | Circuit breaker, health scoring, logging | `lib/circuit-breaker.ts`, `lib/logger.ts`, `lib/health.ts` |
+| `git-master` | Any git operations | - |
+| `github` | PRs, GitHub API (ETag caching) | `lib/prompts/codex.ts` |
+
+### Situational Skills
+
+| Skill | When to Load |
+|-------|--------------|
+| `clean-architecture` | Refactoring, new module design |
+| `property-based-testing` | Testing rotation logic, rate-limit edge cases |
+
+### Quick Reference
+
+```typescript
+// Auth work
+delegate_task(category="...", load_skills=["typescript-senior", "node-backend", "auth-patterns", "secrets-management"])
+
+// Request pipeline work  
+delegate_task(category="...", load_skills=["typescript-senior", "node-backend", "api-design", "error-observability"])
+
+// Testing
+delegate_task(category="...", load_skills=["typescript-senior", "node-backend", "testing-js"])
+
+// Plugin architecture
+delegate_task(category="...", load_skills=["typescript-senior", "node-backend", "mcp-builder"])
+
+// Git/GitHub operations
+delegate_task(category="quick", load_skills=["git-master", "github"])
+```
@@ -0,0 +1,14 @@
+# Default owner for everything
+* @ndycode
+
+# Core library code
+/lib/ @ndycode
+
+# Authentication
+/lib/auth/ @ndycode
+
+# Tests
+/test/ @ndycode
+
+# CI/CD and configuration
+/.github/ @ndycode