Releases: ndycode/oc-codex-multi-auth
Releases · ndycode/oc-codex-multi-auth
Release list
v6.5.0
Added
oc-codex-multi-auth warmstandalone CLI command runs the account warm-up directly — in plain Node via the packagebin, with no agent/model in the loop and therefore no token cost. It opens every enabled account's rolling usage window (one minimalPOST /codex/responseseach), skips disabled accounts, classifies aquota/usage_limit429as a distinct failure rather than "warmed", supports--json, and exits non-zero when any account failed. Run it (ornpx -y oc-codex-multi-auth@latest warm) at the start of a session to stagger the rolling quota cooldowns. This addresses the request to run the warm-up as a direct command instead of an agent-invoked tool; the in-conversationcodex-warmtool remains for users who want it mid-session. (#182)
Fixed
- A standalone command's non-zero exit code now propagates to the process exit code instead of being dropped, so
oc-codex-multi-auth warmcorrectly exits1when an account fails (useful in scripts and CI) while read-only commands still exit0. warmno longer hard-fails when the Codex system-prompt file cannot be resolved (offline, cache miss, or a standalone run without the bundled prompt): the warm ping falls back to a minimal instruction, since it only needs a valid request to open the window, not the full prompt.
Notes
- This is a minor release that adds a new entry point; nothing in the existing request path,
rotationStrategyconfig, or the in-conversationcodex-warmtool changes behavior. The standalonewarmis the first standalone CLI command that performs network I/O (token refresh + one request per account) — the other standalone commands (status,health,doctor,limits,list) remain read-only and network-free.
v6.4.1
Fixed
- Local token-bucket depletion no longer leaks into persisted, cross-process state. 6.4.0 made a depleted account rotate by writing a synthetic window into
rateLimitResetTimes— but that field is saved to the shared accounts file and reloaded by every process, so one process exhausting its own in-memory proactive limiter could spuriously mark a server-healthy account as rate-limited in other concurrent processes (the multi-process / PID-offset deployment this tool targets). Account selection (sticky,hybrid,round-robin) andgetMinWaitTimeForFamilyare now token-bucket-aware directly: a locally-depleted account is skipped in-memory with no persisted state, and an all-depleted pool waits for token refill instead of returning a spurious 503. (#183) - A locally-depleted account no longer accrues a server-
429-style health penalty. The depletion path previously calledrecordRateLimit, mis-attributing a purely-local proactive throttle as an upstream rejection and deprioritizing a perfectly healthy account inhybridscoring for hours. (#183) codex-warmno longer reports a quota-exhausted account as "warmed". A429is now classified by reason: aquota/usage_limit429(the window is already spent) is surfaced as a distinct failure, while a transienttokens/concurrent429(window active) still counts as warmed. (#182)
Notes
- This is a patch release that corrects a regression introduced in 6.4.0; the
rotationStrategyconfig (#183) andcodex-warmtool (#182) added in 6.4.0 are unchanged in behavior except for the fixes above. Single-process usage was unaffected by the regression — the leak only manifested across concurrent processes sharing one accounts file. - The local token bucket is intentionally in-memory and per-process; only real server
429s belong in the persistedrateLimitResetTimes. Selectors now consult the bucket in-memory rather than encoding local back-pressure into shared state.
v6.3.4
Fixed
- A dark account pool now recovers without hand-editing JSON. When a stored account is left with a stale
auth-failure/network-errorcooldown or stalerateLimitResetTimes(future-dated reset), it stays ineligible for rotation even though the credential is alive — so every account can go dark and normal requests fail while--pureworks.codex-doctor --fixnow clears that stale state on accounts whose token refresh succeeds, clears the stale TUI quota cache, and the recovery self-heals across restarts. (#173, fixes #171) codex-doctor --fixno longer fails silently when a credential is genuinely dead: a failed token refresh now reportsN account(s) need re-loginand points atopencode auth login, instead of leaving an all-dark pool unrepaired with no surfaced cause. (#177)codex-healthnow surfaces the same recovery diagnostics ascodex-doctor(read-only): accounts blocked only by a stale cooldown/rate-limit (→codex-doctor --fix) and disabled duplicate entries (→codex-remove), plusstaleRecoverableSlots/disabledDuplicateSlotsin JSON output. (#177)- A disabled
accountIdSource: "token"duplicate (a re-login artifact) merging into the real org account by email no longer disables the canonical account. Storage dedup lets the org account's ownenabledstate govern the merge, so a single-account pool can no longer end up dark and unrecoverable; fail-closed is preserved for genuinely user-disabled accounts. (#180, fixes #171) - Storage dedup now compares account emails case-insensitively, matching the
codex-doctor/codex-healthdetectors. PreviouslyUser@Example.comanduser@example.comescaped dedup yet were still flagged as removable, so the two layers disagreed on identity. (#181) codex-doctorandcodex-healthnow surface a disabled account that holds a fresh login credential — the fingerprint of a recent re-login that landed on a disabled slot — so the user is told to re-enable it if intended instead of getting no signal. (#181)- Caller-cancellation during a retry/backoff wait now surfaces as a proper
AbortErrorcarrying the caller'ssignal.reason, instead of an opaquenew Error("Aborted")that dropped the cause. (#178)
Security
- Bumped
honoto 4.12.26, resolving a high-severity Windowsserve-staticpath traversal via encoded backslash (%5C) and four moderate advisories. This also clears the transitive@openauthjs/openauthadvisory. (#173) - Overrode
viteto ^7.3.5 (high + moderate, dev/test toolchain),@babel/coreto ^7.29.6 (low, no major bump), andbrace-expansion5.x to ^5.0.6 (moderate).npm auditnow reports 0 vulnerabilities. (#173)
Notes
- The recovery is repaired via
codex-doctor --fix(now also surfaced bycodex-health), not automatic self-heal in the request path — a future-dated cooldown/rate-limit is only cleared on an explicit repair, since auto-clearing would undermine the legitimate 401/429 backoff. - The
Error: Abortedsymptom reported on a clean pool (#176) had its sleep/backoff cancellation typed as a realAbortError, but the underlying root trigger is still being investigated and is tracked separately in #176.
v6.3.3
Fixed
- A stored OAuth account whose access token is invalidated server-side returns HTTP 401 (
Your authentication token has been invalidated. Please try signing in again.), but the request pipeline had no 401 handler, so persisted family routing kept pinning every request to the dead account slot. A request-path 401 is now treated as an account-health failure: the consumed token is refunded, the auth-failure counter is incremented, the refresh-token group is cooled down (or removed pastMAX_AUTH_FAILURES_BEFORE_REMOVAL), and the request rotates to the next healthy account. The counter is cleared on a successful request so a recovered account does not accumulate stale failures. (#172, fixes #171) codex-health/codex-doctornow flagtoken-invalidon an invalidated-token error (including a generic401 Unauthorizedbody), socodex-doctor --fixrepairs the active routing without manualactiveIndexJSON edits. (#172)
Notes
- Once the bad slot is cooled down, the next successful rotation persists the updated family routing, so the failure self-heals across restarts — no more manual
activeIndexediting. - Single-account pools: a 401 cannot fail over (nowhere to rotate); the account is cooled down and the request surfaces "no other account available."
v6.3.2
Bug Fixes
- Preserve versioned Codex model IDs — \gpt-5.3-codex-spark, \gpt-5.3-codex, and \gpt-5.2-codex\ are no longer collapsed to \gpt-5-codex\ before sending requests. Accounts where only the versioned model is available no longer receive \model_not_supported_with_chatgpt_account\ errors. (#170, fixes #169)
- Added \gpt-5.4-fast\ and \gpt-5.4-mini-fast\ as explicit model map entries so OpenCode fast-variant selectors resolve correctly.
Notes
- Reasoning effort -none\ is intentionally absent for the three Codex families above; requests with
one\ effort are coerced to \low\ as the backend rejects
one\ for these models. - \getReasoningConfig(), \getModelFamily(), and the fallback chain are unaffected — all three families continue to default to \xhigh\ reasoning and fall back correctly through the chain.
v6.3.1
What's Changed
Security
- Bump
hono4.12.18 → 4.12.23 (#168) to clear four moderate advisories (GHSA-f577-qrjj-4474, GHSA-3hrh-pfw6-9m5x, GHSA-xrhx-7g5j-rcj5, GHSA-2gcr-mfcq-wcc3), all fixed upstream in 4.12.21.honois a transitive dependency of@openauthjs/openauth(peer^4.0.0), pinned viaoverrides.npm audit --omit=dev: 0 vulnerabilities (was 2 moderate).- No source change —
honois used only inside@openauthjs/openauth's OAuth flow.
Full test suite: 2487 passing. Build / typecheck / lint clean.
v6.3.0
What's Changed
Added
- Mask account emails across all display surfaces (#164) —
maskEmailnow applies to command output, the interactive auth menu, delete/refresh confirmations, the standalone login menu, the interactive account picker, and runtime rotation/auth-failure messages, not just the TUI quota status. Raw emails remain only in opt-in--includeSensitiveJSON.
Fixed
- 16 deep-audit findings (#165) — data-loss, rotation, redaction, and concurrency bugs:
- Transient refresh failures (network/5xx) no longer trigger permanent account removal.
- Keychain load no longer swallows forward-compat (
UNSUPPORTED_SCHEMA_VERSION/ V2) errors. - Workspace-deactivation removes only the deactivated workspace, not refresh-token siblings.
- Refresh-token rotation propagates to sibling org-variant accounts.
runAccountCheck/ email hydration writes are transactional (no lost updates).- Health/token-bucket/backoff trackers remap on account removal (no misattributed rotation state).
- Token-bucket depletion rotates instead of aborting the whole pool.
- Empty-response retry actually retries (was a no-op 503 for single-account).
retry_after_msvsretry_afterscaled correctly.- Stream-stall/SSE exceptions refund the token and rotate.
codex-diffredaction is key-aware (opaque tokens no longer leak).- Flagged storage uses the keychain when
CODEX_KEYCHAIN=1. - Logger masks emails domain-preserving and adds cookie headers to the sensitive set.
Internal
- Deep stress suite (#166) — property-based and concurrency tests for the audited subsystems, each mutation-verified.
Full test suite: 2487 passing.
v6.2.0
Minor release bundling two feature PRs plus review polish.
Added
- TUI email masking (#160) — opt-in masking of the active account email in the prompt quota status and the quota details dialog. Config keys:
maskEmail,maskEmailInQuotaDetails. Env overrides:CODEX_TUI_MASK_EMAIL,CODEX_TUI_MASK_EMAIL_DETAILS. Both default to off, so existing output is unchanged.
Fixed
- Workspace-specific usage quotas (#161) —
codex-limitsand the TUI now deduplicate usage accounts by workspace identity (accountId+organizationId) before falling back to the refresh token, so multiple ChatGPT workspaces sharing a single login each show their own quota row. The freshest credential per workspace is queried; disabled and identity-less accounts are skipped;resolveCodexUsageActiveAccountno longer throws on sparse account slots. - Test isolation (#161) — rotation integration tests flush and dispose their managers before teardown, so debounced saves can no longer leak fixture accounts into the real local account store.
Internal
- Corrected inverted dedupe-direction comments; the #161 marker-recovery test now genuinely exercises the deduped-out-active path; added explicit
maskEmail: falsecoverage forformatPromptStatusText. - Synced the stale
.release-please-manifest.json(6.0.0→6.2.0).
Full Changelog: v6.1.10...v6.2.0
v6.1.10
v6.1.10
Added
- Added marketplace-ready plugin icon metadata via
.codex-plugin/plugin.jsoninterface.composerIcon. - Added packaged
assets/icon.svgfor Codex marketplace display. - Added standalone terminal diagnostics under the existing
oc-codex-multi-authbin:doctorstatuslistlimitsdashboardhealth --jsondiag
Fixed
- Fixed OAuth scope gating so normal OpenAI OAuth accounts only require baseline scopes:
openid,profile,email, andoffline_access. - Stopped connector-specific scopes from disabling otherwise valid OAuth logins.
- Collapsed duplicate personal workspace/token account entries from the same login identity.
- Preserved safe installer behavior while making unknown standalone commands fail with help instead of silently installing.
Validation
npm run typechecknpm run lint- Focused Vitest suite: 302 tests passed
- Full Vitest suite: 85 files passed, 2381 passed, 1 skipped
npm run buildnpm run audit:cinpm pack --dry-runnpm publish --dry-run- Packed tarball install smoke against real local account state
- Real OpenCode plugin session verified
codex-statustool execution
npm
- Published:
oc-codex-multi-auth@6.1.10 - Dist tag:
latest
v6.1.9
v6.1.9 - 2026-05-11
Fixed
- Legacy Codex selectors such as
gpt-5.2-codex,gpt-5.3-codex, and Spark now recover from entitlement-gatedgpt-5-codexresponses by falling back through the GPT-5.4 family. - Default fallback now continues from
gpt-5.4togpt-5.4-miniandgpt-5.4-nanoonly when the chain started fromgpt-5.5or canonicalgpt-5-codex, preserving strict behavior for direct GPT-5.4 selections. - Unsupported-model troubleshooting and configuration docs now document the canonical Codex fallback path and the
CODEX_AUTH_DISABLE_CODEX_AUTO_FALLBACK=1opt-out. - Current dependency security alert follow-ups are resolved.