Centralize Codex dashboard ownership into CodexDashboardAuthority

Introduces a single policy engine that evaluates dashboard ownership
(attach/displayOnly/failClosed) with allowed effects and cleanup sets,
replacing six scattered ownership-sensitive consumers across app and CLI
paths. Guards against circular evidence by filtering dashboard-derived
data from ownership proof. Adds credits provenance tracking and wires
authority decisions through the app refresh, CLI live fetch, and CLI
cache restore paths. Includes comprehensive test coverage with worked
example parity tests proving app/CLI agreement.

Author: ratulsarna

Sources/CodexBar/Providers/Codex/UsageStore+CodexAccountState.swift

@@ -34,7 +34,7 @@ extension UsageStore {
         phaseDidChange?(.credits)
 
         if self.settings.codexCookieSource.isEnabled {
-            let expectedGuard = self.currentCodexAccountScopedRefreshGuard()
+        let expectedGuard = self.currentCodexOpenAIWebRefreshGuard()
             await self.refreshOpenAIDashboardIfNeeded(
                 force: true,
                 expectedGuard: expectedGuard,
@@ -76,6 +76,7 @@ extension UsageStore {
         self.lastCreditsError = nil
         self.lastCreditsSnapshot = nil
         self.lastCreditsSnapshotAccountKey = nil
+        self.lastCreditsSource = .none
         self.creditsFailureStreak = 0
 
         self.clearCodexOpenAIWebStateForAccountTransition(targetEmail: self.codexAccountEmailForOpenAIDashboard())
@@ -179,31 +180,106 @@ extension UsageStore {
         return currentGuard.identity == expectedGuard.identity
     }
 
-    func shouldApplyOpenAIDashboardResult(
+    func shouldApplyOpenAIDashboardRefreshGuard(
         expectedGuard: CodexAccountScopedRefreshGuard,
-        dashboardAccountEmail: String?) -> Bool
+        routingTargetEmail: String?) -> Bool
     {
+        let normalizedRoutingTargetEmail = CodexIdentityResolver.normalizeEmail(routingTargetEmail)
+        let currentGuard = self.currentCodexOpenAIWebRefreshGuard()
+        guard currentGuard.source == expectedGuard.source else { return false }
+
         if expectedGuard.identity != .unresolved {
-            let currentGuard = self.currentCodexAccountScopedRefreshGuard()
-            guard currentGuard.source == expectedGuard.source else { return false }
             return currentGuard.identity == expectedGuard.identity
         }
 
-        let currentGuard = self.currentCodexOpenAIWebRefreshGuard()
-        guard currentGuard.source == expectedGuard.source else { return false }
         guard case .liveSystem = expectedGuard.source else { return false }
         guard currentGuard.identity == .unresolved else { return false }
-        let dashboardIdentity = CodexIdentityResolver.resolve(accountId: nil, email: dashboardAccountEmail)
-        guard dashboardIdentity != .unresolved else { return false }
-        let currentTargetIdentity = CodexIdentityResolver.resolve(
-            accountId: nil,
-            email: self.currentCodexOpenAIWebTargetEmail(
+        return CodexIdentityResolver.normalizeEmail(
+            self.currentCodexOpenAIWebTargetEmail(
                 allowCurrentSnapshotFallback: true,
-                allowLastKnownLiveFallback: false))
-        if currentTargetIdentity != .unresolved {
-            return dashboardIdentity == currentTargetIdentity
+                allowLastKnownLiveFallback: false)) == normalizedRoutingTargetEmail
+    }
+
+    func shouldApplyOpenAIWebNonSuccessResult(
+        expectedGuard: CodexAccountScopedRefreshGuard,
+        routingTargetEmail: String?) -> Bool
+    {
+        self.shouldApplyOpenAIDashboardRefreshGuard(
+            expectedGuard: expectedGuard,
+            routingTargetEmail: routingTargetEmail)
+    }
+
+    func codexDashboardKnownOwnerCandidates() -> [CodexDashboardKnownOwnerCandidate] {
+        let snapshot = self.settings.codexAccountReconciliationSnapshot
+        var candidates = snapshot.storedAccounts.map { account in
+            CodexDashboardKnownOwnerCandidate(
+                identity: snapshot.runtimeIdentity(for: account),
+                normalizedEmail: CodexIdentityResolver.normalizeEmail(snapshot.runtimeEmail(for: account)))
         }
-        return true
+
+        if let liveSystemAccount = snapshot.liveSystemAccount {
+            candidates.append(CodexDashboardKnownOwnerCandidate(
+                identity: snapshot.runtimeIdentity(for: liveSystemAccount),
+                normalizedEmail: CodexIdentityResolver.normalizeEmail(liveSystemAccount.email)))
+        }
+
+        return candidates
+    }
+
+    func trustedCurrentCodexUsageEmailForDashboardAuthority() -> String? {
+        guard let sourceLabel = self.lastSourceLabels[.codex], sourceLabel != "openai-web" else {
+            return nil
+        }
+        return CodexIdentityResolver.normalizeEmail(self.snapshots[.codex]?.accountEmail(for: .codex))
+    }
+
+    func currentCodexDashboardExpectedScopedEmail() -> String? {
+        switch self.settings.codexResolvedActiveSource {
+        case .liveSystem:
+            CodexIdentityResolver.normalizeEmail(
+                self.settings.codexAccountReconciliationSnapshot.liveSystemAccount?.email)
+        case .managedAccount:
+            CodexIdentityResolver.normalizeEmail(self.currentManagedCodexRuntimeEmail())
+        }
+    }
+
+    func makeCodexDashboardAuthorityInput(
+        dashboard: OpenAIDashboardSnapshot,
+        sourceKind: CodexDashboardSourceKind,
+        routingTargetEmail: String?) -> CodexDashboardAuthorityInput
+    {
+        let source = self.settings.codexResolvedActiveSource
+        return CodexDashboardAuthorityInput(
+            sourceKind: sourceKind,
+            proof: CodexDashboardOwnershipProofContext(
+                currentIdentity: self.currentCodexOpenAIWebIdentity(source: source),
+                expectedScopedEmail: self.currentCodexDashboardExpectedScopedEmail(),
+                trustedCurrentUsageEmail: self.trustedCurrentCodexUsageEmailForDashboardAuthority(),
+                dashboardSignedInEmail: dashboard.signedInEmail,
+                knownOwners: self.codexDashboardKnownOwnerCandidates()),
+            routing: CodexDashboardRoutingHints(
+                targetEmail: CodexIdentityResolver.normalizeEmail(routingTargetEmail),
+                lastKnownDashboardRoutingEmail: CodexIdentityResolver.normalizeEmail(
+                    self.lastKnownLiveSystemCodexEmail)))
+    }
+
+    func evaluateCodexDashboardAuthority(
+        dashboard: OpenAIDashboardSnapshot,
+        sourceKind: CodexDashboardSourceKind,
+        routingTargetEmail: String?) -> (input: CodexDashboardAuthorityInput, decision: CodexDashboardAuthorityDecision)
+    {
+        let input = self.makeCodexDashboardAuthorityInput(
+            dashboard: dashboard,
+            sourceKind: sourceKind,
+            routingTargetEmail: routingTargetEmail)
+        return (input, CodexDashboardAuthority.evaluate(input))
+    }
+
+    func codexDashboardAttachmentEmail(from input: CodexDashboardAuthorityInput) -> String? {
+        CodexIdentityResolver.normalizeEmail(
+            input.proof.expectedScopedEmail ??
+                input.proof.trustedCurrentUsageEmail ??
+                input.proof.dashboardSignedInEmail)
     }
 
     func rememberLiveSystemCodexEmailIfNeeded(_ email: String?) {

Sources/CodexBar/Providers/Codex/UsageStore+CodexRefresh.swift

@@ -36,6 +36,7 @@ extension UsageStore {
                 self.lastCreditsError = nil
                 self.lastCreditsSnapshot = credits
                 self.lastCreditsSnapshotAccountKey = expectedGuard.accountKey
+                self.lastCreditsSource = .api
                 self.creditsFailureStreak = 0
                 self.lastCodexAccountScopedRefreshGuard = expectedGuard
             }
@@ -69,6 +70,7 @@ extension UsageStore {
                         self.lastCodexAccountScopedRefreshGuard = expectedGuard
                     } else {
                         self.credits = nil
+                        self.lastCreditsSource = .none
                         self.lastCreditsError = "Codex credits are still loading; will retry shortly."
                     }
                 }
@@ -89,6 +91,7 @@ extension UsageStore {
                 } else {
                     self.lastCreditsError = message
                     self.credits = nil
+                    self.lastCreditsSource = .none
                 }
             }
         }

Sources/CodexBar/UsageStore+HistoricalPace.swift

@@ -66,26 +66,36 @@ extension UsageStore {
             self.setCodexHistoricalDataset(nil, accountKey: nil)
             return
         }
-        let ownership = self.codexHistoricalOwnershipContext(dashboard: self.openAIDashboard)
+        let ownership = self.codexHistoricalOwnershipContext()
         let dataset = await self.historicalUsageHistoryStore.loadCodexDataset(
             canonicalAccountKey: ownership.canonicalKey,
             canonicalEmailHashKey: ownership.canonicalEmailHashKey,
             legacyEmailHash: ownership.legacyEmailHash,
             hasAdjacentMultiAccountVeto: ownership.hasAdjacentMultiAccountVeto)
         self.setCodexHistoricalDataset(dataset, accountKey: ownership.canonicalKey)
         if let dashboard = self.openAIDashboard {
-            self.backfillCodexHistoricalFromDashboardIfNeeded(dashboard)
+            let authority = self.evaluateCodexDashboardAuthority(
+                dashboard: dashboard,
+                sourceKind: .liveWeb,
+                routingTargetEmail: self.lastOpenAIDashboardTargetEmail)
+            self.backfillCodexHistoricalFromDashboardIfNeeded(
+                dashboard,
+                authorityDecision: authority.decision,
+                attachedAccountEmail: self.codexDashboardAttachmentEmail(from: authority.input))
         }
     }
 
-    func backfillCodexHistoricalFromDashboardIfNeeded(_ dashboard: OpenAIDashboardSnapshot) {
+    func backfillCodexHistoricalFromDashboardIfNeeded(
+        _ dashboard: OpenAIDashboardSnapshot,
+        authorityDecision: CodexDashboardAuthorityDecision,
+        attachedAccountEmail: String?)
+    {
         guard self.settings.historicalTrackingEnabled else { return }
+        guard authorityDecision.allowedEffects.contains(.historicalBackfill) else { return }
         guard !dashboard.usageBreakdown.isEmpty else { return }
 
         let codexSnapshot = self.snapshots[.codex]
-        let ownership = self.codexHistoricalOwnershipContext(
-            preferredEmail: codexSnapshot?.accountEmail(for: .codex),
-            dashboard: dashboard)
+        let ownership = self.codexHistoricalOwnershipContext(preferredEmail: attachedAccountEmail)
         let referenceWindow: RateWindow
         let calibrationAt: Date
         if let dashboardWeekly = dashboard.secondaryLimit {
@@ -126,8 +136,7 @@ extension UsageStore {
     }
 
     private func codexHistoricalOwnershipContext(
-        preferredEmail: String? = nil,
-        dashboard: OpenAIDashboardSnapshot? = nil) -> CodexHistoricalOwnershipContext
+        preferredEmail: String? = nil) -> CodexHistoricalOwnershipContext
     {
         let resolvedIdentity = self.currentCodexRuntimeIdentity(
             source: self.settings.codexResolvedActiveSource,
@@ -139,9 +148,7 @@ extension UsageStore {
         let normalizedEmail = CodexIdentityResolver.normalizeEmail(
             preferredEmail ??
                 activeSourceEmail ??
-                self.snapshots[.codex]?.accountEmail(for: .codex) ??
-                dashboard?.signedInEmail ??
-                self.codexAccountEmailForOpenAIDashboard())
+                self.snapshots[.codex]?.accountEmail(for: .codex))
         let canonicalIdentity: CodexIdentity = switch resolvedIdentity {
         case .unresolved:
             if let normalizedEmail {