@iam-brain/opencode-codex-auth 1.2.4 → 1.3.0

package/dist/lib/codex-native/acquire-auth.js

@@ -1,22 +1,60 @@
 import { PluginFatalError, formatWaitTime, isPluginFatalError } from "../fatal-errors.js";
 import { ensureIdentityKey, normalizeEmail, normalizePlan } from "../identity.js";
 import { createStickySessionState, selectAccount } from "../rotation.js";
-import { ensureOpenAIOAuthDomain, saveAuthStorage } from "../storage.js";
+import { ensureOpenAIOAuthDomain, loadAuthStorage, saveAuthStorage } from "../storage.js";
 import { parseJwtClaims } from "../claims.js";
 import { formatAccountLabel } from "./accounts.js";
 import { extractAccountId, refreshAccessToken } from "./oauth-utils.js";
 const AUTH_REFRESH_FAILURE_COOLDOWN_MS = 30_000;
 const AUTH_REFRESH_LEASE_MS = 30_000;
-const LAST_USED_WRITE_INTERVAL_MS = 5_000;
+const LAST_USED_WRITE_INTERVAL_MS = 60_000;
 function isOAuthTokenRefreshError(value) {
     return value instanceof Error && ("status" in value || "oauthCode" in value);
 }
+const TERMINAL_REFRESH_ERROR_CODES = new Set([
+    "invalid_grant",
+    "invalid_refresh_token",
+    "refresh_token_revoked",
+    "token_revoked"
+]);
+function isTerminalRefreshCredentialError(error) {
+    if (isOAuthTokenRefreshError(error)) {
+        const oauthCode = typeof error.oauthCode === "string" ? error.oauthCode.trim().toLowerCase() : undefined;
+        if (oauthCode && TERMINAL_REFRESH_ERROR_CODES.has(oauthCode)) {
+            return true;
+        }
+    }
+    if (error instanceof Error) {
+        const message = error.message.trim().toLowerCase();
+        if (message.includes("invalid_grant"))
+            return true;
+        if (message.includes("refresh token") && (message.includes("invalid") || message.includes("expired"))) {
+            return true;
+        }
+        if (message.includes("refresh token") && message.includes("revoked")) {
+            return true;
+        }
+    }
+    return false;
+}
 export function createAcquireOpenAIAuthInputDefaults() {
     return {
         stickySessionState: createStickySessionState(),
         hybridSessionState: createStickySessionState()
     };
 }
+function buildAttemptKeyForCandidate(account, index) {
+    const identityKey = account.identityKey?.trim();
+    if (identityKey)
+        return identityKey;
+    const accountId = account.accountId?.trim();
+    const email = normalizeEmail(account.email);
+    const plan = normalizePlan(account.plan);
+    if (accountId && email && plan) {
+        return `${accountId}|${email}|${plan}`;
+    }
+    return `idx:${index}`;
+}
 export async function acquireOpenAIAuth(input) {
     let access;
     let accountId;
@@ -33,67 +71,74 @@ export async function acquireOpenAIAuth(input) {
     let rotationLogged = false;
     let lastSelectionTrace;
     try {
-        if (input.isSubagentRequest && input.context?.sessionKey) {
-            input.seenSessionKeys.delete(input.context.sessionKey);
-            input.stickySessionState.bySessionKey.delete(input.context.sessionKey);
-            input.hybridSessionState.bySessionKey.delete(input.context.sessionKey);
-        }
         while (true) {
             let refreshClaim;
             let shouldStop = false;
-            await saveAuthStorage(undefined, (authFile) => {
-                const now = Date.now();
-                const openai = authFile.openai;
-                if (!openai || openai.type !== "oauth") {
-                    throw new PluginFatalError({
-                        message: "Not authenticated with OpenAI. Run `opencode auth login`.",
-                        status: 401,
-                        type: "oauth_not_configured",
-                        param: "auth"
-                    });
-                }
-                const domain = ensureOpenAIOAuthDomain(authFile, input.authMode);
-                totalAccounts = domain.accounts.length;
-                if (domain.accounts.length === 0) {
-                    throw new PluginFatalError({
-                        message: `No OpenAI ${input.authMode} accounts configured. Run \`opencode auth login\`.`,
-                        status: 401,
-                        type: "no_accounts_configured",
-                        param: "accounts"
-                    });
-                }
-                const enabled = domain.accounts.filter((account) => account.enabled !== false);
-                if (enabled.length === 0) {
-                    throw new PluginFatalError({
-                        message: `No enabled OpenAI ${input.authMode} accounts available. Enable an account or run \`opencode auth login\`.`,
-                        status: 403,
-                        type: "no_enabled_accounts",
-                        param: "accounts"
-                    });
-                }
-                const rotationStrategy = input.configuredRotationStrategy ?? domain.strategy ?? "sticky";
-                if (!rotationLogged) {
-                    input.log?.debug("rotation begin", {
-                        strategy: rotationStrategy,
-                        activeIdentityKey: domain.activeIdentityKey,
-                        totalAccounts: domain.accounts.length,
-                        enabledAccounts: enabled.length,
-                        mode: input.authMode,
-                        sessionKey: input.context?.sessionKey ?? null
-                    });
-                    rotationLogged = true;
-                }
-                if (attempted.size >= domain.accounts.length) {
-                    shouldStop = true;
-                    return;
-                }
+            let shouldPersistSessionAffinityState = false;
+            const now = Date.now();
+            const authSnapshot = await loadAuthStorage(undefined, { lockReads: false });
+            const openai = authSnapshot.openai;
+            if (!openai || openai.type !== "oauth") {
+                throw new PluginFatalError({
+                    message: "Not authenticated with OpenAI. Run `opencode auth login`.",
+                    status: 401,
+                    type: "oauth_not_configured",
+                    param: "auth"
+                });
+            }
+            const domain = ensureOpenAIOAuthDomain(authSnapshot, input.authMode);
+            totalAccounts = domain.accounts.length;
+            if (domain.accounts.length === 0) {
+                throw new PluginFatalError({
+                    message: `No OpenAI ${input.authMode} accounts configured. Run \`opencode auth login\`.`,
+                    status: 401,
+                    type: "no_accounts_configured",
+                    param: "accounts"
+                });
+            }
+            const enabled = domain.accounts.filter((account) => account.enabled !== false);
+            if (enabled.length === 0) {
+                throw new PluginFatalError({
+                    message: `No enabled OpenAI ${input.authMode} accounts available. Enable an account or run \`opencode auth login\`.`,
+                    status: 403,
+                    type: "no_enabled_accounts",
+                    param: "accounts"
+                });
+            }
+            const rotationStrategy = input.configuredRotationStrategy ?? domain.strategy ?? "sticky";
+            if (!rotationLogged) {
+                input.log?.debug("rotation begin", {
+                    strategy: rotationStrategy,
+                    activeIdentityKey: domain.activeIdentityKey,
+                    totalAccounts: domain.accounts.length,
+                    enabledAccounts: enabled.length,
+                    mode: input.authMode,
+                    sessionKey: input.context?.sessionKey ?? null
+                });
+                rotationLogged = true;
+            }
+            const selectableEntries = domain.accounts
+                .map((account, index) => ({
+                account,
+                index,
+                attemptKey: buildAttemptKeyForCandidate(account, index)
+            }))
+                .filter((entry) => !attempted.has(entry.attemptKey));
+            if (selectableEntries.length === 0) {
+                input.log?.debug("rotation stop: exhausted candidate set", {
+                    attempted: attempted.size,
+                    totalAccounts: domain.accounts.length
+                });
+                shouldStop = true;
+            }
+            else {
                 const sessionState = rotationStrategy === "sticky"
                     ? input.stickySessionState
                     : rotationStrategy === "hybrid"
                         ? input.hybridSessionState
                         : undefined;
                 const selected = selectAccount({
-                    accounts: domain.accounts,
+                    accounts: selectableEntries.map((entry) => entry.account),
                     strategy: rotationStrategy,
                     activeIdentityKey: domain.activeIdentityKey,
                     now,
@@ -123,77 +168,141 @@ export async function acquireOpenAIAuth(input) {
                         totalAccounts: domain.accounts.length
                     });
                     shouldStop = true;
-                    return;
-                }
-                const selectedIndex = domain.accounts.findIndex((account) => account === selected);
-                const attemptKey = selected.identityKey ??
-                    selected.refresh ??
-                    (selectedIndex >= 0 ? `idx:${selectedIndex}` : `idx:${attempted.size}`);
-                if (attempted.has(attemptKey)) {
-                    input.log?.debug("rotation stop: duplicate attempt key", {
-                        attemptKey,
-                        selectedIdentityKey: selected.identityKey,
-                        selectedIndex
-                    });
-                    shouldStop = true;
-                    return;
-                }
-                attempted.add(attemptKey);
-                if (!input.isSubagentRequest && input.context?.sessionKey && sessionState) {
-                    input.persistSessionAffinityState();
-                }
-                input.log?.debug("rotation candidate selected", {
-                    attemptKey,
-                    selectedIdentityKey: selected.identityKey,
-                    selectedIndex,
-                    selectedEnabled: selected.enabled !== false,
-                    selectedCooldownUntil: selected.cooldownUntil ?? null,
-                    selectedExpires: selected.expires ?? null
-                });
-                if (lastSelectionTrace) {
-                    lastSelectionTrace = {
-                        ...lastSelectionTrace,
-                        attemptedCount: attempted.size,
-                        ...(selected.identityKey ? { selectedIdentityKey: selected.identityKey } : null),
-                        ...(selectedIndex >= 0 ? { selectedIndex } : null),
-                        attemptKey
-                    };
                 }
-                accountLabel = formatAccountLabel(selected, selectedIndex >= 0 ? selectedIndex : 0);
-                email = selected.email;
-                plan = selected.plan;
-                if (selected.access && selected.expires && selected.expires > now) {
-                    const previousLastUsed = typeof selected.lastUsed === "number" ? selected.lastUsed : undefined;
-                    if (previousLastUsed === undefined || now - previousLastUsed >= LAST_USED_WRITE_INTERVAL_MS) {
-                        selected.lastUsed = now;
+                else {
+                    const selectedEntry = selectableEntries.find((entry) => entry.account === selected);
+                    if (!selectedEntry) {
+                        shouldStop = true;
+                    }
+                    else {
+                        const { index: selectedIndex, attemptKey } = selectedEntry;
+                        if (attempted.has(attemptKey)) {
+                            input.log?.debug("rotation skip: duplicate attempt key", {
+                                attemptKey,
+                                selectedIdentityKey: selected.identityKey,
+                                selectedIndex
+                            });
+                        }
+                        else {
+                            attempted.add(attemptKey);
+                            if (!input.isSubagentRequest && input.context?.sessionKey && sessionState) {
+                                shouldPersistSessionAffinityState = true;
+                            }
+                            input.log?.debug("rotation candidate selected", {
+                                attemptKey,
+                                selectedIdentityKey: selected.identityKey,
+                                selectedIndex,
+                                selectedEnabled: selected.enabled !== false,
+                                selectedCooldownUntil: selected.cooldownUntil ?? null,
+                                selectedExpires: selected.expires ?? null
+                            });
+                            if (lastSelectionTrace) {
+                                lastSelectionTrace = {
+                                    ...lastSelectionTrace,
+                                    attemptedCount: attempted.size,
+                                    ...(selected.identityKey ? { selectedIdentityKey: selected.identityKey } : null),
+                                    ...(selectedIndex >= 0 ? { selectedIndex } : null),
+                                    attemptKey
+                                };
+                            }
+                            accountLabel = formatAccountLabel(selected, selectedIndex >= 0 ? selectedIndex : 0);
+                            email = selected.email;
+                            plan = selected.plan;
+                            const selectedIdentityKey = ensureIdentityKey(selected).identityKey;
+                            if (!selectedIdentityKey) {
+                                sawMissingIdentity = true;
+                            }
+                            else if (selected.access && selected.expires && selected.expires > now) {
+                                access = selected.access;
+                                accountId = selected.accountId;
+                                identityKey = selectedIdentityKey;
+                                const selectionStrategy = lastSelectionTrace?.strategy ?? input.configuredRotationStrategy ?? domain.strategy;
+                                if (selectionStrategy === "hybrid" || selectionStrategy === "round_robin") {
+                                    await saveAuthStorage(undefined, (authFile) => {
+                                        const currentDomain = ensureOpenAIOAuthDomain(authFile, input.authMode);
+                                        const currentByIdentity = selectedIdentityKey
+                                            ? currentDomain.accounts.find((account) => account.identityKey === selectedIdentityKey)
+                                            : undefined;
+                                        const current = currentByIdentity ?? currentDomain.accounts[selectedIndex];
+                                        if (!current)
+                                            return;
+                                        const currentIndex = currentDomain.accounts.findIndex((account) => account === current);
+                                        const currentAttemptKey = buildAttemptKeyForCandidate(current, currentIndex >= 0 ? currentIndex : selectedIndex);
+                                        if (currentAttemptKey !== attemptKey || current.enabled === false) {
+                                            return;
+                                        }
+                                        if (!current.identityKey && selectedIdentityKey) {
+                                            current.identityKey = selectedIdentityKey;
+                                        }
+                                        if (selectionStrategy === "round_robin" && current.identityKey) {
+                                            if (currentDomain.activeIdentityKey !== current.identityKey) {
+                                                currentDomain.activeIdentityKey = current.identityKey;
+                                            }
+                                            return;
+                                        }
+                                        const currentNow = Date.now();
+                                        const previousLastUsed = typeof current.lastUsed === "number" ? current.lastUsed : undefined;
+                                        if (previousLastUsed === undefined ||
+                                            currentNow - previousLastUsed >= LAST_USED_WRITE_INTERVAL_MS) {
+                                            current.lastUsed = currentNow;
+                                        }
+                                    });
+                                }
+                            }
+                            else if (!selected.refresh) {
+                                sawMissingRefresh = true;
+                                await saveAuthStorage(undefined, (authFile) => {
+                                    const currentDomain = ensureOpenAIOAuthDomain(authFile, input.authMode);
+                                    const currentByIdentity = selectedIdentityKey
+                                        ? currentDomain.accounts.find((account) => account.identityKey === selectedIdentityKey)
+                                        : undefined;
+                                    const current = currentByIdentity ?? currentDomain.accounts[selectedIndex];
+                                    if (!current)
+                                        return;
+                                    const currentIndex = currentDomain.accounts.findIndex((account) => account === current);
+                                    const currentAttemptKey = buildAttemptKeyForCandidate(current, currentIndex >= 0 ? currentIndex : selectedIndex);
+                                    if (currentAttemptKey !== attemptKey || current.enabled === false || current.refresh) {
+                                        return;
+                                    }
+                                    current.cooldownUntil = now + AUTH_REFRESH_FAILURE_COOLDOWN_MS;
+                                });
+                            }
+                            else {
+                                const leaseUntil = now + AUTH_REFRESH_LEASE_MS;
+                                await saveAuthStorage(undefined, (authFile) => {
+                                    const currentDomain = ensureOpenAIOAuthDomain(authFile, input.authMode);
+                                    const currentByIdentity = currentDomain.accounts.find((account) => account.identityKey === selectedIdentityKey);
+                                    const current = currentByIdentity ?? currentDomain.accounts[selectedIndex];
+                                    if (!current)
+                                        return;
+                                    const currentIndex = currentDomain.accounts.findIndex((account) => account === current);
+                                    const currentAttemptKey = buildAttemptKeyForCandidate(current, currentIndex >= 0 ? currentIndex : selectedIndex);
+                                    if (currentAttemptKey !== attemptKey)
+                                        return;
+                                    if (current.enabled === false ||
+                                        !current.refresh ||
+                                        current.refresh !== selected.refresh ||
+                                        (typeof current.refreshLeaseUntil === "number" && current.refreshLeaseUntil > now)) {
+                                        return;
+                                    }
+                                    current.refreshLeaseUntil = leaseUntil;
+                                    refreshClaim = {
+                                        identityKey: current.identityKey ?? selectedIdentityKey,
+                                        refreshToken: current.refresh,
+                                        leaseUntil,
+                                        selectedIndex: currentIndex >= 0 ? currentIndex : selectedIndex
+                                    };
+                                });
+                            }
+                        }
                     }
-                    access = selected.access;
-                    accountId = selected.accountId;
-                    identityKey = selected.identityKey;
-                    if (selected.identityKey)
-                        domain.activeIdentityKey = selected.identityKey;
-                    return;
-                }
-                if (!selected.refresh) {
-                    sawMissingRefresh = true;
-                    selected.cooldownUntil = now + AUTH_REFRESH_FAILURE_COOLDOWN_MS;
-                    return;
-                }
-                if (!selected.identityKey) {
-                    sawMissingIdentity = true;
-                    return;
                 }
-                const leaseUntil = now + AUTH_REFRESH_LEASE_MS;
-                selected.refreshLeaseUntil = leaseUntil;
-                refreshClaim = {
-                    identityKey: selected.identityKey,
-                    refreshToken: selected.refresh,
-                    leaseUntil,
-                    selectedIndex: selectedIndex >= 0 ? selectedIndex : 0
-                };
-            });
+            }
             if (access)
                 break;
+            if (shouldPersistSessionAffinityState) {
+                await input.persistSessionAffinityState();
+            }
             if (!refreshClaim) {
                 if (shouldStop || (totalAccounts > 0 && attempted.size >= totalAccounts)) {
                     break;
@@ -201,21 +310,24 @@ export async function acquireOpenAIAuth(input) {
                 continue;
             }
             try {
-                const tokens = await refreshAccessToken(refreshClaim.refreshToken);
+                const activeRefreshClaim = refreshClaim;
+                const tokens = await refreshAccessToken(activeRefreshClaim.refreshToken);
                 const refreshedExpires = Date.now() + (tokens.expires_in ?? 3600) * 1000;
                 const refreshedAccountId = extractAccountId(tokens);
                 const claims = parseJwtClaims(tokens.id_token ?? tokens.access_token);
                 await saveAuthStorage(undefined, (authFile) => {
                     const domain = ensureOpenAIOAuthDomain(authFile, input.authMode);
-                    const selected = domain.accounts.find((account) => account.identityKey === refreshClaim?.identityKey);
+                    const selected = activeRefreshClaim.identityKey
+                        ? domain.accounts.find((account) => account.identityKey === activeRefreshClaim.identityKey)
+                        : domain.accounts[activeRefreshClaim.selectedIndex];
                     if (!selected)
                         return;
                     const now = Date.now();
                     if (typeof selected.refreshLeaseUntil !== "number" ||
-                        selected.refreshLeaseUntil !== refreshClaim?.leaseUntil ||
+                        selected.refreshLeaseUntil !== activeRefreshClaim.leaseUntil ||
                         selected.refreshLeaseUntil <= now ||
-                        selected.refresh !== refreshClaim?.refreshToken) {
-                        if (selected.refreshLeaseUntil === refreshClaim?.leaseUntil) {
+                        selected.refresh !== activeRefreshClaim.refreshToken) {
+                        if (selected.refreshLeaseUntil === activeRefreshClaim.leaseUntil) {
                             delete selected.refreshLeaseUntil;
                         }
                         return;
@@ -241,7 +353,7 @@ export async function acquireOpenAIAuth(input) {
                     delete selected.cooldownUntil;
                     if (selected.identityKey)
                         domain.activeIdentityKey = selected.identityKey;
-                    accountLabel = formatAccountLabel(selected, refreshClaim?.selectedIndex ?? 0);
+                    accountLabel = formatAccountLabel(selected, activeRefreshClaim.selectedIndex);
                     email = selected.email;
                     plan = selected.plan;
                     access = selected.access;
@@ -250,20 +362,23 @@ export async function acquireOpenAIAuth(input) {
                 });
             }
             catch (error) {
-                const invalidGrant = isOAuthTokenRefreshError(error) && error.oauthCode?.toLowerCase() === "invalid_grant";
+                const invalidGrant = isTerminalRefreshCredentialError(error);
                 if (invalidGrant) {
                     sawInvalidGrant = true;
                 }
                 else {
                     sawRefreshFailure = true;
                 }
+                const activeRefreshClaim = refreshClaim;
                 await saveAuthStorage(undefined, (authFile) => {
                     const domain = ensureOpenAIOAuthDomain(authFile, input.authMode);
-                    const selected = domain.accounts.find((account) => account.identityKey === refreshClaim?.identityKey);
+                    const selected = activeRefreshClaim.identityKey
+                        ? domain.accounts.find((account) => account.identityKey === activeRefreshClaim.identityKey)
+                        : domain.accounts[activeRefreshClaim.selectedIndex];
                     if (!selected)
                         return;
-                    if (selected.refreshLeaseUntil !== refreshClaim?.leaseUntil ||
-                        selected.refresh !== refreshClaim?.refreshToken) {
+                    if (selected.refreshLeaseUntil !== activeRefreshClaim.leaseUntil ||
+                        selected.refresh !== activeRefreshClaim.refreshToken) {
                         return;
                     }
                     delete selected.refreshLeaseUntil;
@@ -284,84 +399,83 @@ export async function acquireOpenAIAuth(input) {
             }
         }
         if (!access) {
-            await saveAuthStorage(undefined, (authFile) => {
-                const now = Date.now();
-                const openai = authFile.openai;
-                if (!openai || openai.type !== "oauth") {
-                    throw new PluginFatalError({
-                        message: "Not authenticated with OpenAI. Run `opencode auth login`.",
-                        status: 401,
-                        type: "oauth_not_configured",
-                        param: "auth"
-                    });
-                }
-                const domain = ensureOpenAIOAuthDomain(authFile, input.authMode);
-                const enabledAfterAttempts = domain.accounts.filter((account) => account.enabled !== false);
-                if (enabledAfterAttempts.length === 0 && sawInvalidGrant) {
-                    throw new PluginFatalError({
-                        message: "All enabled OpenAI refresh tokens were rejected (invalid_grant). Run `opencode auth login` to reauthenticate.",
-                        status: 401,
-                        type: "refresh_invalid_grant",
-                        param: "auth"
-                    });
-                }
-                const nextAvailableAt = enabledAfterAttempts.reduce((current, account) => {
-                    const cooldownUntil = typeof account.refreshLeaseUntil === "number" && account.refreshLeaseUntil > now
-                        ? account.refreshLeaseUntil
-                        : account.cooldownUntil;
-                    if (typeof cooldownUntil !== "number" || cooldownUntil <= now)
-                        return current;
-                    if (current === undefined || cooldownUntil < current)
-                        return cooldownUntil;
+            const now = Date.now();
+            const authSnapshot = await loadAuthStorage(undefined, { lockReads: false });
+            const openai = authSnapshot.openai;
+            if (!openai || openai.type !== "oauth") {
+                throw new PluginFatalError({
+                    message: "Not authenticated with OpenAI. Run `opencode auth login`.",
+                    status: 401,
+                    type: "oauth_not_configured",
+                    param: "auth"
+                });
+            }
+            const domain = ensureOpenAIOAuthDomain(authSnapshot, input.authMode);
+            const enabledAfterAttempts = domain.accounts.filter((account) => account.enabled !== false);
+            if (enabledAfterAttempts.length === 0 && sawInvalidGrant) {
+                throw new PluginFatalError({
+                    message: "All enabled OpenAI refresh tokens were rejected (invalid_grant). Run `opencode auth login` to reauthenticate.",
+                    status: 401,
+                    type: "refresh_invalid_grant",
+                    param: "auth"
+                });
+            }
+            const nextAvailableAt = enabledAfterAttempts.reduce((current, account) => {
+                const cooldownUntil = typeof account.refreshLeaseUntil === "number" && account.refreshLeaseUntil > now
+                    ? account.refreshLeaseUntil
+                    : account.cooldownUntil;
+                if (typeof cooldownUntil !== "number" || cooldownUntil <= now)
                     return current;
-                }, undefined);
-                if (nextAvailableAt !== undefined) {
-                    const waitMs = Math.max(0, nextAvailableAt - now);
-                    throw new PluginFatalError({
-                        message: `All enabled OpenAI accounts are cooling down. Try again in ${formatWaitTime(waitMs)} or run \`opencode auth login\`.`,
-                        status: 429,
-                        type: "all_accounts_cooling_down",
-                        param: "accounts"
-                    });
-                }
-                if (sawInvalidGrant) {
-                    throw new PluginFatalError({
-                        message: "OpenAI refresh token was rejected (invalid_grant). Run `opencode auth login` to reauthenticate this account.",
-                        status: 401,
-                        type: "refresh_invalid_grant",
-                        param: "auth"
-                    });
-                }
-                if (sawMissingRefresh) {
-                    throw new PluginFatalError({
-                        message: "Selected OpenAI account is missing a refresh token. Run `opencode auth login` to reauthenticate.",
-                        status: 401,
-                        type: "missing_refresh_token",
-                        param: "accounts"
-                    });
-                }
-                if (sawMissingIdentity) {
-                    throw new PluginFatalError({
-                        message: "Selected OpenAI account is missing identity metadata. Run `opencode auth login` to reauthenticate.",
-                        status: 401,
-                        type: "missing_account_identity",
-                        param: "accounts"
-                    });
-                }
-                if (sawRefreshFailure) {
-                    throw new PluginFatalError({
-                        message: "Failed to refresh OpenAI access token. Run `opencode auth login` and try again.",
-                        status: 401,
-                        type: "refresh_failed",
-                        param: "auth"
-                    });
-                }
+                if (current === undefined || cooldownUntil < current)
+                    return cooldownUntil;
+                return current;
+            }, undefined);
+            if (nextAvailableAt !== undefined) {
+                const waitMs = Math.max(0, nextAvailableAt - now);
                 throw new PluginFatalError({
-                    message: `No enabled OpenAI ${input.authMode} accounts available. Enable an account or run \`opencode auth login\`.`,
-                    status: 403,
-                    type: "no_enabled_accounts",
+                    message: `All enabled OpenAI accounts are cooling down. Try again in ${formatWaitTime(waitMs)} or run \`opencode auth login\`.`,
+                    status: 429,
+                    type: "all_accounts_cooling_down",
                     param: "accounts"
                 });
+            }
+            if (sawInvalidGrant) {
+                throw new PluginFatalError({
+                    message: "OpenAI refresh token was rejected (invalid_grant). Run `opencode auth login` to reauthenticate this account.",
+                    status: 401,
+                    type: "refresh_invalid_grant",
+                    param: "auth"
+                });
+            }
+            if (sawMissingRefresh) {
+                throw new PluginFatalError({
+                    message: "Selected OpenAI account is missing a refresh token. Run `opencode auth login` to reauthenticate.",
+                    status: 401,
+                    type: "missing_refresh_token",
+                    param: "accounts"
+                });
+            }
+            if (sawMissingIdentity) {
+                throw new PluginFatalError({
+                    message: "Selected OpenAI account is missing identity metadata. Run `opencode auth login` to reauthenticate.",
+                    status: 401,
+                    type: "missing_account_identity",
+                    param: "accounts"
+                });
+            }
+            if (sawRefreshFailure) {
+                throw new PluginFatalError({
+                    message: "Failed to refresh OpenAI access token. Run `opencode auth login` and try again.",
+                    status: 401,
+                    type: "refresh_failed",
+                    param: "auth"
+                });
+            }
+            throw new PluginFatalError({
+                message: `No enabled OpenAI ${input.authMode} accounts available. Enable an account or run \`opencode auth login\`.`,
+                status: 403,
+                type: "no_enabled_accounts",
+                param: "accounts"
             });
         }
     }