@poolzin/pool-bot 2026.2.25 → 2026.2.26

package/dist/infra/net/ssrf.js

@@ -8,7 +8,11 @@ export class SsrFBlockedError extends Error {
         this.name = "SsrFBlockedError";
     }
 }
-const BLOCKED_HOSTNAMES = new Set(["localhost", "metadata.google.internal"]);
+const BLOCKED_HOSTNAMES = new Set([
+    "localhost",
+    "localhost.localdomain",
+    "metadata.google.internal",
+]);
 function normalizeHostnameSet(values) {
     if (!values || values.length === 0) {
         return new Set();
@@ -39,16 +43,72 @@ function matchesHostnameAllowlist(hostname, allowlist) {
     }
     return allowlist.some((pattern) => isHostnameAllowedByPattern(hostname, pattern));
 }
+function parseStrictIpv4Octet(part) {
+    if (!/^[0-9]+$/.test(part)) {
+        return null;
+    }
+    const value = Number.parseInt(part, 10);
+    if (Number.isNaN(value) || value < 0 || value > 255) {
+        return null;
+    }
+    // Accept only canonical decimal octets (no leading zeros, no alternate radices).
+    if (part !== String(value)) {
+        return null;
+    }
+    return value;
+}
 function parseIpv4(address) {
     const parts = address.split(".");
     if (parts.length !== 4) {
         return null;
     }
-    const numbers = parts.map((part) => Number.parseInt(part, 10));
-    if (numbers.some((value) => Number.isNaN(value) || value < 0 || value > 255)) {
-        return null;
+    for (const part of parts) {
+        if (parseStrictIpv4Octet(part) === null) {
+            return null;
+        }
+    }
+    return parts.map((part) => Number.parseInt(part, 10));
+}
+function classifyIpv4Part(part) {
+    if (/^0x[0-9a-f]+$/i.test(part)) {
+        return "hex";
+    }
+    if (/^0x/i.test(part)) {
+        return "invalid-hex";
+    }
+    if (/^[0-9]+$/.test(part)) {
+        return "decimal";
+    }
+    return "non-numeric";
+}
+function isUnsupportedLegacyIpv4Literal(address) {
+    const parts = address.split(".");
+    if (parts.length === 0 || parts.length > 4) {
+        return false;
+    }
+    if (parts.some((part) => part.length === 0)) {
+        return true;
+    }
+    const partKinds = parts.map(classifyIpv4Part);
+    if (partKinds.some((kind) => kind === "non-numeric")) {
+        return false;
     }
-    return numbers;
+    if (partKinds.some((kind) => kind === "invalid-hex")) {
+        return true;
+    }
+    if (parts.length !== 4) {
+        return true;
+    }
+    for (const part of parts) {
+        if (/^0x/i.test(part)) {
+            return true;
+        }
+        const value = Number.parseInt(part, 10);
+        if (Number.isNaN(value) || value > 255 || part !== String(value)) {
+            return true;
+        }
+    }
+    return false;
 }
 function stripIpv6ZoneId(address) {
     const index = address.indexOf("%");
@@ -148,6 +208,12 @@ const EMBEDDED_IPV4_RULES = [
         matches: (hextets) => hextets[0] === 0x2001 && hextets[1] === 0x0000,
         extract: (hextets) => [hextets[6] ^ 0xffff, hextets[7] ^ 0xffff],
     },
+    {
+        // ISATAP IID format: 000000ug00000000:5efe:w.x.y.z (RFC 5214 section 6.1).
+        // Match only the IID marker bits to avoid over-broad :5efe: detection.
+        matches: (hextets) => (hextets[4] & 0xfcff) === 0 && hextets[5] === 0x5efe,
+        extract: (hextets) => [hextets[6], hextets[7]],
+    },
 ];
 function extractIpv4FromEmbeddedIpv6(hextets) {
     for (const rule of EMBEDDED_IPV4_RULES) {
@@ -159,31 +225,49 @@ function extractIpv4FromEmbeddedIpv6(hextets) {
     }
     return null;
 }
-function isPrivateIpv4(parts) {
-    const [octet1, octet2] = parts;
-    if (octet1 === 0) {
-        return true;
-    }
-    if (octet1 === 10) {
-        return true;
-    }
-    if (octet1 === 127) {
-        return true;
-    }
-    if (octet1 === 169 && octet2 === 254) {
-        return true;
-    }
-    if (octet1 === 172 && octet2 >= 16 && octet2 <= 31) {
-        return true;
-    }
-    if (octet1 === 192 && octet2 === 168) {
-        return true;
+function ipv4ToUint(parts) {
+    const [a, b, c, d] = parts;
+    return (((a << 24) >>> 0) | (b << 16) | (c << 8) | d) >>> 0;
+}
+function ipv4RangeFromCidr(cidr) {
+    const base = ipv4ToUint(cidr.base);
+    const hostBits = 32 - cidr.prefixLength;
+    const mask = cidr.prefixLength === 0 ? 0 : (0xffffffff << hostBits) >>> 0;
+    const start = (base & mask) >>> 0;
+    const end = (start | (~mask >>> 0)) >>> 0;
+    return [start, end];
+}
+const BLOCKED_IPV4_SPECIAL_USE_CIDRS = [
+    { base: [0, 0, 0, 0], prefixLength: 8 },
+    { base: [10, 0, 0, 0], prefixLength: 8 },
+    { base: [100, 64, 0, 0], prefixLength: 10 },
+    { base: [127, 0, 0, 0], prefixLength: 8 },
+    { base: [169, 254, 0, 0], prefixLength: 16 },
+    { base: [172, 16, 0, 0], prefixLength: 12 },
+    { base: [192, 0, 0, 0], prefixLength: 24 },
+    { base: [192, 0, 2, 0], prefixLength: 24 },
+    { base: [192, 88, 99, 0], prefixLength: 24 },
+    { base: [192, 168, 0, 0], prefixLength: 16 },
+    { base: [198, 18, 0, 0], prefixLength: 15 },
+    { base: [198, 51, 100, 0], prefixLength: 24 },
+    { base: [203, 0, 113, 0], prefixLength: 24 },
+    { base: [224, 0, 0, 0], prefixLength: 4 },
+    { base: [240, 0, 0, 0], prefixLength: 4 },
+];
+const BLOCKED_IPV4_SPECIAL_USE_RANGES = BLOCKED_IPV4_SPECIAL_USE_CIDRS.map(ipv4RangeFromCidr);
+function isBlockedIpv4SpecialUse(parts) {
+    if (parts.length !== 4) {
+        return false;
     }
-    if (octet1 === 100 && octet2 >= 64 && octet2 <= 127) {
-        return true;
+    const value = ipv4ToUint(parts);
+    for (const [start, end] of BLOCKED_IPV4_SPECIAL_USE_RANGES) {
+        if (value >= start && value <= end) {
+            return true;
+        }
     }
     return false;
 }
+// Returns true for private/internal and special-use non-global addresses.
 export function isPrivateIpAddress(address) {
     let normalized = address.trim().toLowerCase();
     if (normalized.startsWith("[") && normalized.endsWith("]")) {
@@ -219,7 +303,7 @@ export function isPrivateIpAddress(address) {
         }
         const embeddedIpv4 = extractIpv4FromEmbeddedIpv6(hextets);
         if (embeddedIpv4) {
-            return isPrivateIpv4(embeddedIpv4);
+            return isBlockedIpv4SpecialUse(embeddedIpv4);
         }
         // IPv6 private/internal ranges
         // - link-local: fe80::/10
@@ -238,16 +322,23 @@ export function isPrivateIpAddress(address) {
         return false;
     }
     const ipv4 = parseIpv4(normalized);
-    if (!ipv4) {
-        return false;
+    if (ipv4) {
+        return isBlockedIpv4SpecialUse(ipv4);
     }
-    return isPrivateIpv4(ipv4);
+    // Reject non-canonical IPv4 literal forms (octal/hex/short/packed) by default.
+    if (isUnsupportedLegacyIpv4Literal(normalized)) {
+        return true;
+    }
+    return false;
 }
 export function isBlockedHostname(hostname) {
     const normalized = normalizeHostname(hostname);
     if (!normalized) {
         return false;
     }
+    return isBlockedHostnameNormalized(normalized);
+}
+function isBlockedHostnameNormalized(normalized) {
     if (BLOCKED_HOSTNAMES.has(normalized)) {
         return true;
     }
@@ -255,6 +346,13 @@ export function isBlockedHostname(hostname) {
         normalized.endsWith(".local") ||
         normalized.endsWith(".internal"));
 }
+export function isBlockedHostnameOrIp(hostname) {
+    const normalized = normalizeHostname(hostname);
+    if (!normalized) {
+        return false;
+    }
+    return isBlockedHostnameNormalized(normalized) || isPrivateIpAddress(normalized);
+}
 export function createPinnedLookup(params) {
     const normalizedHost = normalizeHostname(params.hostname);
     const fallback = params.fallback ?? dnsLookupCb;
@@ -306,13 +404,8 @@ export async function resolvePinnedHostnameWithPolicy(hostname, params = {}) {
     if (!matchesHostnameAllowlist(normalized, hostnameAllowlist)) {
         throw new SsrFBlockedError(`Blocked hostname (not in allowlist): ${hostname}`);
     }
-    if (!allowPrivateNetwork && !isExplicitAllowed) {
-        if (isBlockedHostname(normalized)) {
-            throw new SsrFBlockedError(`Blocked hostname: ${hostname}`);
-        }
-        if (isPrivateIpAddress(normalized)) {
-            throw new SsrFBlockedError("Blocked: private/internal IP address");
-        }
+    if (!allowPrivateNetwork && !isExplicitAllowed && isBlockedHostnameOrIp(normalized)) {
+        throw new SsrFBlockedError("Blocked hostname or private/internal/special-use IP address");
     }
     const lookupFn = params.lookupFn ?? dnsLookup;
     const results = await lookupFn(normalized, { all: true });
@@ -322,7 +415,7 @@ export async function resolvePinnedHostnameWithPolicy(hostname, params = {}) {
     if (!allowPrivateNetwork && !isExplicitAllowed) {
         for (const entry of results) {
             if (isPrivateIpAddress(entry.address)) {
-                throw new SsrFBlockedError("Blocked: resolves to private/internal IP address");
+                throw new SsrFBlockedError("Blocked: resolves to private/internal/special-use IP address");
             }
         }
     }

package/dist/infra/outbound/bound-delivery-router.js

@@ -0,0 +1,88 @@
+import { getSessionBindingService, } from "./session-binding-service.js";
+function isActiveBinding(record) {
+    return record.status === "active";
+}
+function resolveBindingForRequester(requester, bindings) {
+    const matchingChannelAccount = bindings.filter((entry) => entry.conversation.channel === requester.channel &&
+        entry.conversation.accountId === requester.accountId);
+    if (matchingChannelAccount.length === 0) {
+        return null;
+    }
+    const exactConversation = matchingChannelAccount.find((entry) => entry.conversation.conversationId === requester.conversationId);
+    if (exactConversation) {
+        return exactConversation;
+    }
+    if (matchingChannelAccount.length === 1) {
+        return matchingChannelAccount[0] ?? null;
+    }
+    return null;
+}
+export function createBoundDeliveryRouter(service = getSessionBindingService()) {
+    return {
+        resolveDestination: (input) => {
+            const targetSessionKey = input.targetSessionKey.trim();
+            if (!targetSessionKey) {
+                return {
+                    binding: null,
+                    mode: "fallback",
+                    reason: "missing-target-session",
+                };
+            }
+            const activeBindings = service.listBySession(targetSessionKey).filter(isActiveBinding);
+            if (activeBindings.length === 0) {
+                return {
+                    binding: null,
+                    mode: "fallback",
+                    reason: "no-active-binding",
+                };
+            }
+            if (!input.requester) {
+                if (activeBindings.length === 1) {
+                    return {
+                        binding: activeBindings[0] ?? null,
+                        mode: "bound",
+                        reason: "single-active-binding",
+                    };
+                }
+                return {
+                    binding: null,
+                    mode: "fallback",
+                    reason: "ambiguous-without-requester",
+                };
+            }
+            const requester = {
+                channel: input.requester.channel.trim().toLowerCase(),
+                accountId: input.requester.accountId.trim(),
+                conversationId: input.requester.conversationId.trim(),
+                parentConversationId: input.requester.parentConversationId?.trim() || undefined,
+            };
+            if (!requester.channel || !requester.conversationId) {
+                return {
+                    binding: null,
+                    mode: "fallback",
+                    reason: "invalid-requester",
+                };
+            }
+            const fromRequester = resolveBindingForRequester(requester, activeBindings);
+            if (fromRequester) {
+                return {
+                    binding: fromRequester,
+                    mode: "bound",
+                    reason: "requester-match",
+                };
+            }
+            if (activeBindings.length === 1 && !input.failClosed) {
+                return {
+                    binding: activeBindings[0] ?? null,
+                    mode: "bound",
+                    reason: "single-active-binding-fallback",
+                };
+            }
+            return {
+                binding: null,
+                mode: "fallback",
+                reason: "no-requester-match",
+            };
+        },
+    };
+}

package/dist/infra/outbound/channel-selection.js

@@ -5,35 +5,41 @@ function isKnownChannel(value) {
     return getMessageChannels().includes(value);
 }
 function isAccountEnabled(account) {
-    if (!account || typeof account !== "object")
+    if (!account || typeof account !== "object") {
         return true;
+    }
     const enabled = account.enabled;
     return enabled !== false;
 }
 async function isPluginConfigured(plugin, cfg) {
     const accountIds = plugin.config.listAccountIds(cfg);
-    if (accountIds.length === 0)
+    if (accountIds.length === 0) {
         return false;
+    }
     for (const accountId of accountIds) {
         const account = plugin.config.resolveAccount(cfg, accountId);
         const enabled = plugin.config.isEnabled
             ? plugin.config.isEnabled(account, cfg)
             : isAccountEnabled(account);
-        if (!enabled)
+        if (!enabled) {
             continue;
-        if (!plugin.config.isConfigured)
+        }
+        if (!plugin.config.isConfigured) {
             return true;
+        }
         const configured = await plugin.config.isConfigured(account, cfg);
-        if (configured)
+        if (configured) {
             return true;
+        }
     }
     return false;
 }
 export async function listConfiguredMessageChannels(cfg) {
     const channels = [];
     for (const plugin of listChannelPlugins()) {
-        if (!isKnownChannel(plugin.id))
+        if (!isKnownChannel(plugin.id)) {
             continue;
+        }
         if (await isPluginConfigured(plugin, cfg)) {
             channels.push(plugin.id);
         }

package/dist/infra/outbound/envelope.js

@@ -7,7 +7,7 @@ export function buildOutboundResultEnvelope(params) {
         : params.payloads.length === 0
             ? []
             : isOutboundPayloadJson(params.payloads[0])
-                ? params.payloads
+                ? [...params.payloads]
                 : normalizeOutboundPayloadsForJson(params.payloads);
     if (params.flattenDelivery !== false && params.delivery && !params.meta && !hasPayloads) {
         return params.delivery;

package/dist/infra/outbound/format.js

@@ -2,11 +2,13 @@ import { getChannelPlugin } from "../../channels/plugins/index.js";
 import { getChatChannelMeta, normalizeChatChannelId } from "../../channels/registry.js";
 const resolveChannelLabel = (channel) => {
     const pluginLabel = getChannelPlugin(channel)?.meta.label;
-    if (pluginLabel)
+    if (pluginLabel) {
         return pluginLabel;
+    }
     const normalized = normalizeChatChannelId(channel);
-    if (normalized)
+    if (normalized) {
         return getChatChannelMeta(normalized).label;
+    }
     return channel;
 };
 export function formatOutboundDeliverySummary(channel, result) {
@@ -15,14 +17,18 @@ export function formatOutboundDeliverySummary(channel, result) {
     }
     const label = resolveChannelLabel(result.channel);
     const base = `✅ Sent via ${label}. Message ID: ${result.messageId}`;
-    if ("chatId" in result)
+    if ("chatId" in result) {
         return `${base} (chat ${result.chatId})`;
-    if ("channelId" in result)
+    }
+    if ("channelId" in result) {
         return `${base} (channel ${result.channelId})`;
-    if ("roomId" in result)
+    }
+    if ("roomId" in result) {
         return `${base} (room ${result.roomId})`;
-    if ("conversationId" in result)
+    }
+    if ("conversationId" in result) {
         return `${base} (conversation ${result.conversationId})`;
+    }
     return base;
 }
 export function buildOutboundDeliveryJson(params) {

package/dist/infra/outbound/payloads.js

@@ -4,14 +4,17 @@ function mergeMediaUrls(...lists) {
     const seen = new Set();
     const merged = [];
     for (const list of lists) {
-        if (!list)
+        if (!list) {
             continue;
+        }
         for (const entry of list) {
             const trimmed = entry?.trim();
-            if (!trimmed)
+            if (!trimmed) {
                 continue;
-            if (seen.has(trimmed))
+            }
+            if (seen.has(trimmed)) {
                 continue;
+            }
             seen.add(trimmed);
             merged.push(trimmed);
         }
@@ -36,10 +39,12 @@ export function normalizeReplyPayloadsForDelivery(payloads) {
             replyToCurrent: payload.replyToCurrent || parsed.replyToCurrent,
             audioAsVoice: Boolean(payload.audioAsVoice || parsed.audioAsVoice),
         };
-        if (parsed.isSilent && mergedMedia.length === 0)
+        if (parsed.isSilent && mergedMedia.length === 0) {
             return [];
-        if (!isRenderablePayload(next))
+        }
+        if (!isRenderablePayload(next)) {
             return [];
+        }
         return [next];
     });
 }
@@ -70,9 +75,11 @@ export function normalizeOutboundPayloadsForJson(payloads) {
 }
 export function formatOutboundPayloadLog(payload) {
     const lines = [];
-    if (payload.text)
+    if (payload.text) {
         lines.push(payload.text.trimEnd());
-    for (const url of payload.mediaUrls)
+    }
+    for (const url of payload.mediaUrls) {
         lines.push(`MEDIA:${url}`);
+    }
     return lines.join("\n");
 }

package/dist/infra/outbound/session-binding-service.js

@@ -0,0 +1,123 @@
+import { normalizeAccountId } from "../../routing/session-key.js";
+function normalizeConversationRef(ref) {
+    return {
+        channel: ref.channel.trim().toLowerCase(),
+        accountId: normalizeAccountId(ref.accountId),
+        conversationId: ref.conversationId.trim(),
+        parentConversationId: ref.parentConversationId?.trim() || undefined,
+    };
+}
+function toAdapterKey(params) {
+    return `${params.channel.trim().toLowerCase()}:${normalizeAccountId(params.accountId)}`;
+}
+const ADAPTERS_BY_CHANNEL_ACCOUNT = new Map();
+export function registerSessionBindingAdapter(adapter) {
+    const key = toAdapterKey({
+        channel: adapter.channel,
+        accountId: adapter.accountId,
+    });
+    ADAPTERS_BY_CHANNEL_ACCOUNT.set(key, {
+        ...adapter,
+        channel: adapter.channel.trim().toLowerCase(),
+        accountId: normalizeAccountId(adapter.accountId),
+    });
+}
+export function unregisterSessionBindingAdapter(params) {
+    ADAPTERS_BY_CHANNEL_ACCOUNT.delete(toAdapterKey(params));
+}
+function resolveAdapterForConversation(ref) {
+    const normalized = normalizeConversationRef(ref);
+    const key = toAdapterKey({
+        channel: normalized.channel,
+        accountId: normalized.accountId,
+    });
+    return ADAPTERS_BY_CHANNEL_ACCOUNT.get(key) ?? null;
+}
+function dedupeBindings(records) {
+    const byId = new Map();
+    for (const record of records) {
+        if (!record?.bindingId) {
+            continue;
+        }
+        byId.set(record.bindingId, record);
+    }
+    return [...byId.values()];
+}
+function createDefaultSessionBindingService() {
+    return {
+        bind: async (input) => {
+            const normalizedConversation = normalizeConversationRef(input.conversation);
+            const adapter = resolveAdapterForConversation(normalizedConversation);
+            if (!adapter?.bind) {
+                throw new Error(`Session binding adapter unavailable for ${normalizedConversation.channel}:${normalizedConversation.accountId}`);
+            }
+            const bound = await adapter.bind({
+                ...input,
+                conversation: normalizedConversation,
+            });
+            if (!bound) {
+                throw new Error("Session binding adapter failed to bind target conversation");
+            }
+            return bound;
+        },
+        listBySession: (targetSessionKey) => {
+            const key = targetSessionKey.trim();
+            if (!key) {
+                return [];
+            }
+            const results = [];
+            for (const adapter of ADAPTERS_BY_CHANNEL_ACCOUNT.values()) {
+                const entries = adapter.listBySession(key);
+                if (entries.length > 0) {
+                    results.push(...entries);
+                }
+            }
+            return dedupeBindings(results);
+        },
+        resolveByConversation: (ref) => {
+            const normalized = normalizeConversationRef(ref);
+            if (!normalized.channel || !normalized.conversationId) {
+                return null;
+            }
+            const adapter = resolveAdapterForConversation(normalized);
+            if (!adapter) {
+                return null;
+            }
+            return adapter.resolveByConversation(normalized);
+        },
+        touch: (bindingId, at) => {
+            const normalizedBindingId = bindingId.trim();
+            if (!normalizedBindingId) {
+                return;
+            }
+            for (const adapter of ADAPTERS_BY_CHANNEL_ACCOUNT.values()) {
+                adapter.touch?.(normalizedBindingId, at);
+            }
+        },
+        unbind: async (input) => {
+            const removed = [];
+            for (const adapter of ADAPTERS_BY_CHANNEL_ACCOUNT.values()) {
+                if (!adapter.unbind) {
+                    continue;
+                }
+                const entries = await adapter.unbind(input);
+                if (entries.length > 0) {
+                    removed.push(...entries);
+                }
+            }
+            return dedupeBindings(removed);
+        },
+    };
+}
+const DEFAULT_SESSION_BINDING_SERVICE = createDefaultSessionBindingService();
+export function getSessionBindingService() {
+    return DEFAULT_SESSION_BINDING_SERVICE;
+}
+export const __testing = {
+    resetSessionBindingAdaptersForTests() {
+        ADAPTERS_BY_CHANNEL_ACCOUNT.clear();
+    },
+    getRegisteredAdapterKeys() {
+        return [...ADAPTERS_BY_CHANNEL_ACCOUNT.keys()];
+    },
+};

package/dist/infra/path-guards.js

@@ -0,0 +1,25 @@
+import path from "node:path";
+const NOT_FOUND_CODES = new Set(["ENOENT", "ENOTDIR"]);
+const SYMLINK_OPEN_CODES = new Set(["ELOOP", "EINVAL", "ENOTSUP"]);
+export function isNodeError(value) {
+    return Boolean(value && typeof value === "object" && "code" in value);
+}
+export function hasNodeErrorCode(value, code) {
+    return isNodeError(value) && value.code === code;
+}
+export function isNotFoundPathError(value) {
+    return isNodeError(value) && typeof value.code === "string" && NOT_FOUND_CODES.has(value.code);
+}
+export function isSymlinkOpenError(value) {
+    return isNodeError(value) && typeof value.code === "string" && SYMLINK_OPEN_CODES.has(value.code);
+}
+export function isPathInside(root, target) {
+    const resolvedRoot = path.resolve(root);
+    const resolvedTarget = path.resolve(target);
+    if (process.platform === "win32") {
+        const relative = path.win32.relative(resolvedRoot.toLowerCase(), resolvedTarget.toLowerCase());
+        return relative === "" || (!relative.startsWith("..") && !path.win32.isAbsolute(relative));
+    }
+    const relative = path.relative(resolvedRoot, resolvedTarget);
+    return relative === "" || (!relative.startsWith("..") && !path.isAbsolute(relative));
+}

package/dist/infra/provider-usage.fetch.codex.js

@@ -1,4 +1,4 @@
-import { fetchJson } from "./provider-usage.fetch.shared.js";
+import { buildUsageHttpErrorSnapshot, fetchJson } from "./provider-usage.fetch.shared.js";
 import { clampPercent, PROVIDER_LABELS } from "./provider-usage.shared.js";
 export async function fetchCodexUsage(token, accountId, timeoutMs, fetchFn) {
     const headers = {
@@ -6,24 +6,16 @@ export async function fetchCodexUsage(token, accountId, timeoutMs, fetchFn) {
         "User-Agent": "CodexBar",
         Accept: "application/json",
     };
-    if (accountId)
+    if (accountId) {
         headers["ChatGPT-Account-Id"] = accountId;
-    const res = await fetchJson("https://chatgpt.com/backend-api/wham/usage", { method: "GET", headers }, timeoutMs, fetchFn);
-    if (res.status === 401 || res.status === 403) {
-        return {
-            provider: "openai-codex",
-            displayName: PROVIDER_LABELS["openai-codex"],
-            windows: [],
-            error: "Token expired",
-        };
     }
+    const res = await fetchJson("https://chatgpt.com/backend-api/wham/usage", { method: "GET", headers }, timeoutMs, fetchFn);
     if (!res.ok) {
-        return {
+        return buildUsageHttpErrorSnapshot({
             provider: "openai-codex",
-            displayName: PROVIDER_LABELS["openai-codex"],
-            windows: [],
-            error: `HTTP ${res.status}`,
-        };
+            status: res.status,
+            tokenExpiredStatuses: [401, 403],
+        });
     }
     const data = (await res.json());
     const windows = [];