fix: preserve workspace identity in flagged cleanup

Author: ndycode

index.ts

@@ -117,6 +117,7 @@ import {
 	createTimestampedBackupPath,
 	loadFlaggedAccounts,
 	saveFlaggedAccounts,
+	withFlaggedAccountStorageTransaction,
 	clearFlaggedAccounts,
 	StorageError,
 	formatStorageErrorHint,
@@ -189,9 +190,16 @@ function getWorkspaceIdentityKey(account: {
 	accountId?: string;
 	refreshToken: string;
 }): string {
-	if (account.organizationId) return `organizationId:${account.organizationId}`;
-	if (account.accountId) return `accountId:${account.accountId}`;
-	return `refreshToken:${account.refreshToken}`;
+	const organizationId = account.organizationId?.trim();
+	const accountId = account.accountId?.trim();
+	const refreshToken = account.refreshToken.trim();
+	if (organizationId) {
+		return accountId
+			? `organizationId:${organizationId}|accountId:${accountId}`
+			: `organizationId:${organizationId}`;
+	}
+	if (accountId) return `accountId:${accountId}`;
+	return `refreshToken:${refreshToken}`;
 }
 
 function matchesWorkspaceIdentity(
@@ -205,6 +213,21 @@ function matchesWorkspaceIdentity(
 	return getWorkspaceIdentityKey(account) === identityKey;
 }
 
+function upsertFlaggedAccountRecord(
+	accounts: FlaggedAccountMetadataV1[],
+	record: FlaggedAccountMetadataV1,
+): void {
+	const identityKey = getWorkspaceIdentityKey(record);
+	const existingIndex = accounts.findIndex((flagged) =>
+		matchesWorkspaceIdentity(flagged, identityKey),
+	);
+	if (existingIndex >= 0) {
+		accounts[existingIndex] = record;
+		return;
+	}
+	accounts.push(record);
+}
+
 /**
  * OpenAI Codex OAuth authentication plugin for opencode
  *
@@ -2382,7 +2405,6 @@ while (attempted.size < Math.max(1, accountCount)) {
 
 			const workspaceDeactivated = isDeactivatedWorkspaceError(errorBody, response.status);
 			if (workspaceDeactivated) {
-				const identityKey = getWorkspaceIdentityKey(account);
 				const accountLabel = formatAccountLabel(account, account.index);
 				accountManager.refundToken(account, modelFamily, model);
 				accountManager.recordFailure(account, modelFamily, model);
@@ -2393,22 +2415,20 @@ while (attempted.size < Math.max(1, accountCount)) {
 				runtimeMetrics.lastErrorCategory = "workspace-deactivated";
 
 				try {
-					const flaggedStorage = await loadFlaggedAccounts();
 					const flaggedRecord: FlaggedAccountMetadataV1 = {
 						...account,
 						flaggedAt: Date.now(),
 						flaggedReason: "workspace-deactivated",
 						lastError: "deactivated_workspace",
 					};
-					const existingIndex = flaggedStorage.accounts.findIndex((flagged) =>
-						matchesWorkspaceIdentity(flagged, identityKey),
-					);
-					if (existingIndex >= 0) {
-						flaggedStorage.accounts[existingIndex] = flaggedRecord;
-					} else {
-						flaggedStorage.accounts.push(flaggedRecord);
-					}
-					await saveFlaggedAccounts(flaggedStorage);
+					await withFlaggedAccountStorageTransaction(async (current, persist) => {
+						const nextStorage: typeof current = {
+							...current,
+							accounts: current.accounts.map((flagged) => ({ ...flagged })),
+						};
+						upsertFlaggedAccountRecord(nextStorage.accounts, flaggedRecord);
+						await persist(nextStorage);
+					});
 				} catch (flagError) {
 					logWarn(
 						`Failed to persist deactivated workspace flag for ${accountLabel}: ${flagError instanceof Error ? flagError.message : String(flagError)}`,
@@ -3074,9 +3094,9 @@ while (attempted.size < Math.max(1, accountCount)) {
 									return;
 								}
 
-								const flaggedStorage = await loadFlaggedAccounts();
 								let storageChanged = false;
 								let flaggedChanged = false;
+								const flaggedUpdates = new Map<string, FlaggedAccountMetadataV1>();
 								const removeFromActive = new Set<string>();
 								const total = workingStorage.accounts.length;
 								let ok = 0;
@@ -3182,21 +3202,17 @@ while (attempted.size < Math.max(1, accountCount)) {
 													refreshResult.message ?? refreshResult.reason ?? "refresh failed";
 												console.log(`[${i + 1}/${total}] ${label}: ERROR (${message})`);
 												if (deepProbe && isFlaggableFailure(refreshResult)) {
-													const existingIndex = flaggedStorage.accounts.findIndex(
-														(flagged) => flagged.refreshToken === account.refreshToken,
-													);
 													const flaggedRecord: FlaggedAccountMetadataV1 = {
 														...account,
 														flaggedAt: Date.now(),
 														flaggedReason: "token-invalid",
 														lastError: message,
 													};
-													if (existingIndex >= 0) {
-														flaggedStorage.accounts[existingIndex] = flaggedRecord;
-													} else {
-														flaggedStorage.accounts.push(flaggedRecord);
-													}
-													removeFromActive.add(`refreshToken:${account.refreshToken}`);
+													flaggedUpdates.set(
+														getWorkspaceIdentityKey(flaggedRecord),
+														flaggedRecord,
+													);
+													removeFromActive.add(getWorkspaceIdentityKey(account));
 													flaggedChanged = true;
 												}
 												continue;
@@ -3279,20 +3295,16 @@ while (attempted.size < Math.max(1, accountCount)) {
 												errors += 1;
 												const message = error instanceof Error ? error.message : String(error);
 												if (message.includes("deactivated_workspace")) {
-													const existingIndex = flaggedStorage.accounts.findIndex((flagged) =>
-														matchesWorkspaceIdentity(flagged, getWorkspaceIdentityKey(account)),
-													);
 													const flaggedRecord: FlaggedAccountMetadataV1 = {
 														...account,
 														flaggedAt: Date.now(),
 														flaggedReason: "workspace-deactivated",
 														lastError: message,
 													};
-													if (existingIndex >= 0) {
-														flaggedStorage.accounts[existingIndex] = flaggedRecord;
-													} else {
-														flaggedStorage.accounts.push(flaggedRecord);
-													}
+													flaggedUpdates.set(
+														getWorkspaceIdentityKey(flaggedRecord),
+														flaggedRecord,
+													);
 													removeFromActive.add(getWorkspaceIdentityKey(account));
 													flaggedChanged = true;
 												}
@@ -3320,7 +3332,16 @@ while (attempted.size < Math.max(1, accountCount)) {
 									invalidateAccountManagerCache();
 								}
 								if (flaggedChanged) {
-									await saveFlaggedAccounts(flaggedStorage);
+									await withFlaggedAccountStorageTransaction(async (current, persist) => {
+										const nextStorage: typeof current = {
+											...current,
+											accounts: current.accounts.map((flagged) => ({ ...flagged })),
+										};
+										for (const flaggedRecord of flaggedUpdates.values()) {
+											upsertFlaggedAccountRecord(nextStorage.accounts, flaggedRecord);
+										}
+										await persist(nextStorage);
+									});
 								}
 
 								console.log("");
@@ -3524,7 +3545,11 @@ while (attempted.size < Math.max(1, accountCount)) {
 												await saveFlaggedAccounts({
 													version: 1,
 													accounts: flaggedStorage.accounts.filter(
-														(flagged) => flagged.refreshToken !== target.refreshToken,
+														(flagged) =>
+															!matchesWorkspaceIdentity(
+																flagged,
+																getWorkspaceIdentityKey(target),
+															),
 													),
 												});
 												invalidateAccountManagerCache();

lib/storage.ts

@@ -921,7 +921,28 @@ function normalizeFlaggedStorage(data: unknown): FlaggedAccountStorageV1 {
 		return { version: 1, accounts: [] };
 	}
 
-	const byRefreshToken = new Map<string, FlaggedAccountMetadataV1>();
+	const normalizeFlaggedIdentityPart = (value: unknown): string | undefined =>
+		typeof value === "string" && value.trim().length > 0 ? value.trim() : undefined;
+	const getFlaggedIdentityKey = (account: {
+		organizationId?: string;
+		accountId?: string;
+		refreshToken: string;
+	}): string => {
+		const organizationId = normalizeFlaggedIdentityPart(account.organizationId);
+		const accountId = normalizeFlaggedIdentityPart(account.accountId);
+		const refreshToken = normalizeFlaggedIdentityPart(account.refreshToken) ?? "";
+		if (organizationId) {
+			return accountId
+				? `organizationId:${organizationId}|accountId:${accountId}`
+				: `organizationId:${organizationId}`;
+		}
+		if (accountId) {
+			return `accountId:${accountId}`;
+		}
+		return `refreshToken:${refreshToken}`;
+	};
+
+	const byIdentityKey = new Map<string, FlaggedAccountMetadataV1>();
 	for (const rawAccount of data.accounts) {
 		if (!isRecord(rawAccount)) continue;
 		const refreshToken =
@@ -1000,16 +1021,18 @@ function normalizeFlaggedStorage(data: unknown): FlaggedAccountStorageV1 {
 			flaggedReason: typeof rawAccount.flaggedReason === "string" ? rawAccount.flaggedReason : undefined,
 			lastError: typeof rawAccount.lastError === "string" ? rawAccount.lastError : undefined,
 		};
-		byRefreshToken.set(refreshToken, normalized);
+		byIdentityKey.set(getFlaggedIdentityKey(normalized), normalized);
 	}
 
 	return {
 		version: 1,
-		accounts: Array.from(byRefreshToken.values()),
+		accounts: Array.from(byIdentityKey.values()),
 	};
 }
 
-export async function loadFlaggedAccounts(): Promise<FlaggedAccountStorageV1> {
+async function loadFlaggedAccountsUnlocked(
+	saveUnlocked: (storage: FlaggedAccountStorageV1) => Promise<void>,
+): Promise<FlaggedAccountStorageV1> {
 	const path = getFlaggedAccountsPath();
 	const empty: FlaggedAccountStorageV1 = { version: 1, accounts: [] };
 
@@ -1035,7 +1058,7 @@ export async function loadFlaggedAccounts(): Promise<FlaggedAccountStorageV1> {
 		const legacyData = JSON.parse(legacyContent) as unknown;
 		const migrated = normalizeFlaggedStorage(legacyData);
 		if (migrated.accounts.length > 0) {
-			await saveFlaggedAccounts(migrated);
+			await saveUnlocked(migrated);
 		}
 		try {
 			await fs.unlink(legacyPath);
@@ -1058,26 +1081,50 @@ export async function loadFlaggedAccounts(): Promise<FlaggedAccountStorageV1> {
 	}
 }
 
-export async function saveFlaggedAccounts(storage: FlaggedAccountStorageV1): Promise<void> {
-	return withStorageLock(async () => {
-		const path = getFlaggedAccountsPath();
-		const uniqueSuffix = `${Date.now()}.${Math.random().toString(36).slice(2, 8)}`;
-		const tempPath = `${path}.${uniqueSuffix}.tmp`;
+export async function loadFlaggedAccounts(): Promise<FlaggedAccountStorageV1> {
+	return withStorageLock(async () => loadFlaggedAccountsUnlocked(saveFlaggedAccountsUnlocked));
+}
+
+async function saveFlaggedAccountsUnlocked(storage: FlaggedAccountStorageV1): Promise<void> {
+	const path = getFlaggedAccountsPath();
+	const uniqueSuffix = `${Date.now()}.${Math.random().toString(36).slice(2, 8)}`;
+	const tempPath = `${path}.${uniqueSuffix}.tmp`;
 
+	try {
+		await fs.mkdir(dirname(path), { recursive: true });
+		const content = JSON.stringify(normalizeFlaggedStorage(storage), null, 2);
+		await fs.writeFile(tempPath, content, { encoding: "utf-8", mode: 0o600 });
+		await renameWithWindowsRetry(tempPath, path);
+	} catch (error) {
 		try {
-			await fs.mkdir(dirname(path), { recursive: true });
-			const content = JSON.stringify(normalizeFlaggedStorage(storage), null, 2);
-			await fs.writeFile(tempPath, content, { encoding: "utf-8", mode: 0o600 });
-			await renameWithWindowsRetry(tempPath, path);
-		} catch (error) {
-			try {
-				await fs.unlink(tempPath);
-			} catch {
-				// Ignore cleanup failures.
-			}
-			log.error("Failed to save flagged account storage", { path, error: String(error) });
-			throw error;
+			await fs.unlink(tempPath);
+		} catch {
+			// Ignore cleanup failures.
 		}
+		log.error("Failed to save flagged account storage", { path, error: String(error) });
+		throw error;
+	}
+}
+
+/**
+ * Executes a read-modify-write transaction for flagged account storage under the
+ * shared storage lock so concurrent callers cannot lose updates.
+ */
+export async function withFlaggedAccountStorageTransaction<T>(
+	handler: (
+		current: FlaggedAccountStorageV1,
+		persist: (storage: FlaggedAccountStorageV1) => Promise<void>,
+	) => Promise<T>,
+): Promise<T> {
+	return withStorageLock(async () => {
+		const current = await loadFlaggedAccountsUnlocked(saveFlaggedAccountsUnlocked);
+		return handler(current, saveFlaggedAccountsUnlocked);
+	});
+}
+
+export async function saveFlaggedAccounts(storage: FlaggedAccountStorageV1): Promise<void> {
+	return withStorageLock(async () => {
+		await saveFlaggedAccountsUnlocked(storage);
 	});
 }
 

test/fetch-helpers.test.ts

@@ -22,9 +22,9 @@ import type { Auth } from '../lib/types.js';
 import { URL_PATHS, OPENAI_HEADERS, OPENAI_HEADER_VALUES, CODEX_BASE_URL } from '../lib/constants.js';
 
 describe('Fetch Helpers Module', () => {
-		afterEach(() => {
-			vi.restoreAllMocks();
-		});
+	afterEach(() => {
+		vi.restoreAllMocks();
+	});
 
 	describe('shouldRefreshToken', () => {
 		it('should return true for non-oauth auth', () => {