Skip to content

Allow using banked Codex reset credits#1690

Open
brahimhamichan wants to merge 6 commits into
steipete:mainfrom
brahimhamichan:codex-reset-credits
Open

Allow using banked Codex reset credits#1690
brahimhamichan wants to merge 6 commits into
steipete:mainfrom
brahimhamichan:codex-reset-credits

Conversation

@brahimhamichan

@brahimhamichan brahimhamichan commented Jun 20, 2026

Copy link
Copy Markdown

Status: product/write-action hold. Do not merge. Rebased, conflict-free implementation and exact-head local proof are complete. CI was approved and is running; the owner decision below remains unresolved.

Owner decision requested

Decision: Should CodexBar spend a finite provider-side Codex reset credit through an authenticated POST, or remain read-only and limit this work to reset inventory/expiry notifications?

Tradeoff: One-click consumption is convenient, confirms before spending, refreshes afterward, and scopes authentication to the selected account. It remains an irreversible provider-side write through a private endpoint contract; confirmation does not remove endpoint-stability, authorization, or accidental-spend risk.

Recommendation: Do not land the consume action yet. Keep CodexBar read-only until the provider contract is documented or explicitly approved. If immediate progress is desired, split and land the read-only inventory/notification work; retain this branch as the reviewed write-action option.

Summary

  • Builds on feat: Add Codex rate-limit reset credits to menu card #1638: displays the reset bank and adds a confirmed action to use one from CodexBar.
  • Routes fetch/use through the selected Codex account context, including every visible stacked account.
  • Filters expired cached credits at presentation and action time, so stale snapshots cannot enable an unusable reset.
  • Preserves reset-only snapshots in menu-card/stacked layouts; avoids empty padded usage cards.
  • Includes the missing Italian reset accessibility localization.

Addresses #1502 only if the write action is accepted; the issue stays open while this PR is held.

Validation

  • exact head: c248d0cce2acf07d36b042bc4c41c0b553aba427
  • rebased onto current origin/main; contributor authorship preserved
  • focused reset-credit decoder: 5 tests passed
  • focused reset-credit menu card: 6 tests passed
  • focused scoped-account refresh: 3 tests passed
  • complete make test: 44/44 shards passed
  • make check: passed
  • CODEXBAR_SIGNING=adhoc ./Scripts/package_app.sh debug: passed
  • autoreview: clean; no accepted/actionable findings, patch correct at 0.84 confidence
  • all review threads resolved with commit/file/line proof
  • CI first-time workflow approved; exact-head run pending

Maintainer QA intentionally did not invoke the live consume endpoint.

Existing contributor UI proof

Codex reset credits menu Codex reset credits settings

@clawsweeper

clawsweeper Bot commented Jun 20, 2026

Copy link
Copy Markdown

Codex review: needs maintainer review before merge. Reviewed July 1, 2026, 3:50 PM ET / 19:50 UTC.

Summary
This PR adds Codex reset-credit inventory/expiry UI and notifications plus a confirmed, account-scoped consume action that POSTs to the reset-credit consume endpoint, with localization and focused tests.

Reproducibility: not applicable. this is a feature PR for a new provider-side reset action, not a broken existing behavior. The PR includes screenshots and request-stub tests for the intended flow, while live maintainer QA intentionally avoided spending another credit.

Review metrics: 3 noteworthy metrics.

  • Files changed: 48 files affected. The PR spans core OAuth, UsageStore refresh/routing, menu/settings UI, localization, and tests, so merge review has broader surface than a single endpoint wrapper.
  • Provider write surface: 1 authenticated POST endpoint added. The main merge decision is whether CodexBar should add a write action that consumes provider-side reset credits.
  • Localization surface: 21 string catalogs changed. The new user-facing action and notifications add translated UI copy across every app locale.

Root-cause cluster
Relationship: fixed_by_candidate
Canonical: #1502
Summary: This PR is the candidate implementation for the open reset-credit consumption feature request; adjacent reset-credit display work does not supersede the consume decision.

Members:

Proposal only: this assessment does not dispatch repair, suppress jobs, mutate sibling items, close, or merge anything.

Merge readiness
Overall: 🦐 gold shrimp
Proof: 🦞 diamond lobster ✨ media proof bonus
Patch quality: 🦐 gold shrimp
Result: needs maintainer review before merge.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • Get explicit owner approval for the consume action or split the read-only reset inventory/notification work.
  • [P2] If approved, add fresh exact-head packaged proof of the confirmation, consume, and refresh flow before merge.

Risk before merge

  • [P1] Merging as-is would add an authenticated private provider-side POST that spends a finite Codex reset credit before the owner has approved that write boundary.
  • [P1] The confirmation UI and request-stub tests reduce accidental-use and account-routing risk, but they do not settle endpoint stability, provider authorization policy, or whether CodexBar should remain read-only.
  • [P1] Maintainer QA intentionally avoided invoking the live consume endpoint after repairs; if the write action is approved, the final merge head should still get packaged confirmation/consume/refresh proof and full exact-head validation.
  • [P1] The useful read-only inventory and expiry-notification work is currently coupled to the held consume action, so maintainers may want to split it before deciding on redemption.

Maintainer options:

  1. Hold for owner approval (recommended)
    Pause merge until the owner explicitly approves CodexBar spending reset credits through the private consume endpoint or the provider contract becomes documented.
  2. Split the read-only work
    Move reset-credit inventory, expiry filtering, and notifications into a separate read-only PR while leaving consume behind for product/auth review.
  3. Accept the write boundary
    If the owner accepts the provider-side write risk, require fresh packaged confirmation/consume/refresh proof and exact-head checks before landing.

Next step before merge

  • [P2] The next action is an owner product/auth decision about exposing provider-side reset-credit consumption, not an automated repair.

Security
Needs attention: The diff introduces an authenticated private provider-side write that consumes finite reset credits, so owner/provider-contract approval is needed before merge.

Review details

Best possible solution:

Keep this PR open until the owner chooses the product/auth boundary: either split and land read-only inventory/expiry work, or explicitly approve the consume action with final exact-head proof and validation.

Do we have a high-confidence way to reproduce the issue?

Not applicable: this is a feature PR for a new provider-side reset action, not a broken existing behavior. The PR includes screenshots and request-stub tests for the intended flow, while live maintainer QA intentionally avoided spending another credit.

Is this the best way to solve the issue?

Unclear until owner approval: the implementation is mechanically plausible after account-scoping and expiry fixes, but the safest product path may be to keep CodexBar read-only or split the read-only reset inventory from the consume action.

AGENTS.md: found and applied where relevant.

Codex review notes: model internal, reasoning high; reviewed against c3d33308ac06.

Label changes

Label justifications:

  • P2: This is a normal-priority user-facing feature with focused blast radius, but it is auth-sensitive and needs owner review before merge.
  • merge-risk: 🚨 auth-provider: The PR loads OAuth credentials from selected Codex account contexts and sends account-scoped reset-credit consume requests.
  • merge-risk: 🚨 security-boundary: The diff changes CodexBar from read-only usage reporting to an authenticated provider-side write that spends a finite account credit.
  • rating: 🦐 gold shrimp: Overall readiness is 🦐 gold shrimp; proof is 🦞 diamond lobster and patch quality is 🦐 gold shrimp.
  • status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Sufficient (screenshot): Contributor screenshots show reset-credit UI and a before/after consume result, but maintainer QA intentionally did not repeat the live write on the final repaired head.
  • proof: sufficient: Contributor real behavior proof is sufficient. Contributor screenshots show reset-credit UI and a before/after consume result, but maintainer QA intentionally did not repeat the live write on the final repaired head.
  • proof: 📸 screenshot: Contributor real behavior proof includes screenshot evidence. Contributor screenshots show reset-credit UI and a before/after consume result, but maintainer QA intentionally did not repeat the live write on the final repaired head.
Evidence reviewed

Security concerns:

  • [medium] Approve the private reset-credit write boundary — Sources/CodexBarCore/Providers/Codex/CodexOAuth/CodexOAuthUsageFetcher.swift:452
    The new consume path sends a bearer-authenticated POST to the private reset-credit consume endpoint and spends an account credit; confirmation helps UX, but it does not establish provider-contract or authorization-policy approval.
    Confidence: 0.9

What I checked:

Likely related people:

  • steipete: Owner review comments define the unresolved product/auth decision, and PR commits by steipete harden reset-credit state, layout, and localization on this branch. (role: repository owner and recent repair author; confidence: high; commits: a81b39d3f705, ef49a3eb2634, c248d0cce2ac; files: Sources/CodexBarCore/CreditsModels.swift, Sources/CodexBar/UsageStore+TokenAccounts.swift, Sources/CodexBar/MenuCardView+CodexResetCredits.swift)
  • rogdex24: Merged PR feat: Add Codex rate-limit reset credits to menu card #1638 added the reset-credit fetch/display model that this PR extends with consume behavior. (role: introduced current read-only reset-credit foundation; confidence: high; commits: 1ae28cfd50eb, cbd89aa02b89, 64bf84def52b; files: Sources/CodexBarCore/Providers/Codex/CodexOAuth/CodexOAuthUsageFetcher.swift, Sources/CodexBarCore/CreditsModels.swift, Sources/CodexBar/MenuCardView+CodexResetCredits.swift)
  • Yuxin Qiao: Local blame/log for the current checked-out reset-credit fetch/model files points to f2dede1, so this is a low-confidence routing signal from repository history rather than the PR discussion. (role: current checkout provenance on central files; confidence: low; commits: f2dede1d9086; files: Sources/CodexBarCore/Providers/Codex/CodexOAuth/CodexOAuthUsageFetcher.swift, Sources/CodexBarCore/CreditsModels.swift)
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

@clawsweeper clawsweeper Bot added rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. P2 Normal priority bug or improvement with limited blast radius. merge-risk: 🚨 compatibility 🚨 Merging this PR could break existing users, config, migrations, defaults, or upgrades. merge-risk: 🚨 auth-provider 🚨 Merging this PR could break OAuth, tokens, provider routing, model choice, or credentials. labels Jun 20, 2026
@brahimhamichan

Copy link
Copy Markdown
Author

Screenshots of the implementation:

Codex 2026-06-20 9 18 40 PM CodexBar 2026-06-20 9 18 25 PM

@clawsweeper clawsweeper Bot added proof: 📸 screenshot Contributor real behavior proof includes screenshot evidence. merge-risk: 🚨 security-boundary 🚨 Merging this PR could weaken sandboxing, authorization, credentials, or sensitive data. labels Jun 20, 2026
@brahimhamichan brahimhamichan marked this pull request as ready for review June 20, 2026 22:10

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 35fbd302d4

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread Sources/CodexBar/UsageStore+CodexResetCredits.swift Outdated
Comment thread Sources/CodexBar/UsageStore+CodexResetCredits.swift Outdated
@brahimhamichan

Copy link
Copy Markdown
Author

Before and after using the use rest button

Before: [had 3 rests]
Codex 2026-06-20 10 47 21 PM

After: [Left with 2 resets]
image

@clawsweeper clawsweeper Bot added proof: sufficient Contributor real behavior proof is sufficient. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action. and removed status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. merge-risk: 🚨 security-boundary 🚨 Merging this PR could weaken sandboxing, authorization, credentials, or sensitive data. labels Jun 21, 2026
@brahimhamichan

Copy link
Copy Markdown
Author

@clawsweeper re-review

@clawsweeper

clawsweeper Bot commented Jun 21, 2026

Copy link
Copy Markdown

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

@brahimhamichan

Copy link
Copy Markdown
Author

@clawsweeper re-review

@clawsweeper

clawsweeper Bot commented Jun 21, 2026

Copy link
Copy Markdown

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

@clawsweeper clawsweeper Bot added rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. and removed rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action. labels Jun 21, 2026
@brahimhamichan

Copy link
Copy Markdown
Author

@clawsweeper re-review

@clawsweeper

clawsweeper Bot commented Jun 29, 2026

Copy link
Copy Markdown

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

@clawsweeper clawsweeper Bot added rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. and removed rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action. labels Jun 29, 2026
@steipete

steipete commented Jul 1, 2026

Copy link
Copy Markdown
Owner

Maintainer overlap audit against current main (55327375) and exact head f84a022d:

This PR is not superseded by current reset-credit work. It uniquely adds the confirmed consume action, account-scoped POST, request id, UI confirmation, and completion/error handling. Focused exact-head tests are green: CodexRateLimitResetCreditsTests (5), CodexResetCreditsMenuCardTests (3), and CodexManagedRoutingTests (27).

I am not landing an undocumented write that consumes a finite credit without explicit product/auth approval. If approved, the PR should be rebased only after the active refresh/menu/localization work it overlaps (#1800, #1776, #1736, #1803), then receive fresh packaged confirmation-flow proof and an exact-head CI pass. Preserve contributor credit; there is unique work here, so do not evidence-close it as superseded.

Recommendation: keep open and request the owner decision on whether CodexBar should expose credit consumption at all. No merge from this review.

@steipete

steipete commented Jul 1, 2026

Copy link
Copy Markdown
Owner

Maintainer repair complete at exact head 00da631f5.

Proof:

  • preserved contributor implementation and verified selected-account OAuth routing for both fetch and consume paths
  • request stub verifies POST /backend-api/wham/rate-limit-reset-credits/consume, selected account header, credit ID, and unique request ID without performing a live write
  • fixed reset-credit-only snapshots so they do not render an empty padded usage card
  • fixed the missing Italian localization exposed by the complete suite
  • focused reset-credit/OAuth/routing/notifier/menu suites: 76 tests passed
  • localization catalog suite: 18 tests passed
  • make check: green
  • ad-hoc packaged debug app: green
  • autoreview: clean, no accepted/actionable findings
  • complete sharded suite: final exact-head rerun recorded in the PR body

All existing review threads are resolved and their account-scoping concerns are covered by current tests. Maintainer QA intentionally did not invoke the real consume endpoint.

Product decision remains explicit in the PR body. My recommendation is do not land the provider-side consume action yet; split the read-only expiration inventory/notification work if that UI is wanted independently.

Overlap audit (2026-07-01):

Per the active-overlap gate, I am not rebasing #1690 until #1736 lands. That avoids manufacturing a temporary resolution against a moving menu/refresh surface.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

"expires_at": "2026-07-12T04:03:43.263391Z",

P2 Badge Freeze reset-credit decoder test time

This fixture expires the expected RateLimitResetCredit_earlier on July 12, 2026, but _decodeRateLimitResetCreditsForTesting stamps the snapshot with Date(). After July 12, 2026 the expected next expiring credit becomes the later fixture (and after July 18 it becomes nil), so the test suite starts failing without any code change; use a fixed injected clock or construct the snapshot with an explicit updatedAt.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread Sources/CodexBar/MenuCardView+CodexResetCredits.swift Outdated
Comment thread Sources/CodexBar/UsageStore+TokenAccounts.swift Outdated
@clawsweeper clawsweeper Bot added rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action. and removed rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. labels Jul 1, 2026
@steipete steipete force-pushed the codex-reset-credits branch from 00da631 to c248d0c Compare July 1, 2026 09:41

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c248d0cce2

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".


public func availableCredits(at date: Date) -> [CodexRateLimitResetCredit] {
self.credits.filter { credit in
credit.status == .available && (credit.expiresAt ?? .distantPast) > date

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Treat no-expiry reset credits as available

When the API returns an available reset credit with expires_at: null, this filter maps the missing expiry to .distantPast, so the new count/action paths treat it as already expired. Since CodexRateLimitResetCredit.expiresAt is optional and the UI added a “No expiry” rendering path, those credits should remain visible and consumable instead of disappearing from the menu/settings; only non-nil expiries that are at or before date should be filtered out.

Useful? React with 👍 / 👎.

@brahimhamichan

Copy link
Copy Markdown
Author

@clawsweeper re-review

Pushed 93b1e764 to fix the no-expiry reset-credit finding: available credits with expires_at: null now remain available instead of being treated as expired.

Checks run:

  • swift test --filter CodexRateLimitResetCreditsTests
  • make check

@clawsweeper

clawsweeper Bot commented Jul 1, 2026

Copy link
Copy Markdown

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

@brahimhamichan

Copy link
Copy Markdown
Author

@clawsweeper re-review

Pushed final head 5e462f83 after merging current origin/main and resolving the refresh-context conflict. The no-expiry reset-credit fix from 93b1e764 is included.

Checks run on the merged tree:

  • swift test --filter CodexRateLimitResetCreditsTests
  • make check

@clawsweeper

clawsweeper Bot commented Jul 1, 2026

Copy link
Copy Markdown

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

@clawsweeper clawsweeper Bot added the merge-risk: 🚨 security-boundary 🚨 Merging this PR could weaken sandboxing, authorization, credentials, or sensitive data. label Jul 1, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

merge-risk: 🚨 auth-provider 🚨 Merging this PR could break OAuth, tokens, provider routing, model choice, or credentials. merge-risk: 🚨 security-boundary 🚨 Merging this PR could weaken sandboxing, authorization, credentials, or sensitive data. P2 Normal priority bug or improvement with limited blast radius. proof: 📸 screenshot Contributor real behavior proof includes screenshot evidence. proof: sufficient Contributor real behavior proof is sufficient. rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants