copillm 0.2.8 → 0.3.0-beta.1

package/dist/models/discovery.js

@@ -1,6 +1,8 @@
 import fs from "node:fs";
+import { setTimeout as defaultSleep } from "node:timers/promises";
 import { z } from "zod";
-import { modelsCachePath, modelsCacheReadPath } from "../config/home.js";
+import { accountModelsCachePath, accountModelsCacheReadPath, modelsCachePath, modelsCacheReadPath } from "../config/home.js";
+import { assertValidAccountId } from "../config/accountId.js";
 import { writeFileSecureAtomic } from "../config/fsSecurity.js";
 import { copilotBaseUrl } from "../config/upstream.js";
 const ModelSchema = z
@@ -20,18 +22,47 @@ const MODEL_RESOLUTION_RULES = [
     { id: "separator-normalized", normalize: (value) => normalizeModelId(value) },
     { id: "snapshot-trimmed", normalize: (value) => trimDateSnapshot(normalizeModelId(value)) }
 ];
+/**
+ * Per-attempt timeout for the `/models` fetch. The catalog is typically
+ * <50ms on a healthy connection, so 15s leaves plenty of room for slow
+ * networks without freezing `copillm start` for a full minute.
+ */
+const DEFAULT_FETCH_TIMEOUT_MS = 15_000;
+/**
+ * Exponential backoff base for `listModelsUnion` retry loop. Mirrors the
+ * 200ms / 400ms / 800ms shape used by `src/server/upstream/copilotClient.ts`
+ * and the new `CopilotTokenManager.exchange()` retry path. Boundary rules
+ * (`eslint.config.js`) keep `models` from importing the shared
+ * `retryPolicy.ts`, so we re-declare the small handful of constants here
+ * rather than introduce a new architectural dependency.
+ */
+const DEFAULT_BACKOFF_BASE_MS = 200;
+/**
+ * Statuses worth retrying — same set as `retryPolicy.ts`. 401/403/404 are
+ * NOT here because they signal terminal credential / endpoint failures
+ * and retrying just delays the error the user needs to see.
+ *
+ * `canUseCacheFallback` (further down) is intentionally MORE permissive:
+ * it also includes 401/403/408 so that a misbehaving upstream serving 401
+ * to a perfectly-good token can degrade to the cached snapshot instead of
+ * surfacing a misleading auth error.
+ */
+const RETRYABLE_DISCOVERY_STATUSES = new Set([408, 409, 425, 429, 500, 502, 503, 504]);
 export function accountBaseUrl(accountType) {
     return copilotBaseUrl(accountType);
 }
-export async function listModels(accountType, bearerToken) {
+export async function listModels(accountType, bearerToken, deps, accountId) {
+    const fetchImpl = deps?.fetchImpl ?? ((input, init) => fetch(input, init));
+    const timeoutMs = deps?.timeoutMs ?? DEFAULT_FETCH_TIMEOUT_MS;
     try {
-        const response = await fetch(`${accountBaseUrl(accountType)}/models`, {
+        const response = await fetchImpl(`${accountBaseUrl(accountType)}/models`, {
             method: "GET",
             headers: {
                 Authorization: `Bearer ${bearerToken}`,
                 "Content-Type": "application/json",
                 "User-Agent": "copillm/0.1.0"
-            }
+            },
+            signal: AbortSignal.timeout(timeoutMs)
         });
         if (!response.ok) {
             throw new ModelDiscoveryHttpError(response.status);
@@ -40,9 +71,9 @@ export async function listModels(accountType, bearerToken) {
         const candidateModels = extractModelArray(payload);
         const parsed = z.array(ModelSchema).safeParse(candidateModels);
         if (!parsed.success) {
-            throw new Error("Model discovery response is invalid.");
+            throw new ModelDiscoverySchemaError("Model discovery response is invalid.");
         }
-        saveModelCache(accountType, parsed.data);
+        saveModelCache(accountType, parsed.data, accountId);
         return {
             models: parsed.data,
             source: "live",
@@ -55,7 +86,7 @@ export async function listModels(accountType, bearerToken) {
         if (!canUseCacheFallback(error)) {
             throw error;
         }
-        const cached = readModelCache(accountType);
+        const cached = readModelCache(accountType, accountId);
         if (!cached) {
             const detail = error instanceof Error ? error.message : "unknown error";
             throw new Error(`Model discovery failed and no cache snapshot is available: ${detail}`);
@@ -69,14 +100,37 @@ export async function listModels(accountType, bearerToken) {
         };
     }
 }
-export async function listModelsUnion(accountType, bearerToken, attempts = 3) {
+/**
+ * Run multiple discovery attempts and union the results across them.
+ *
+ * Two changes from the previous version:
+ *
+ *   1. **Exponential backoff between attempts** — was a tight loop that
+ *      hammered Copilot 3× immediately on a 429 burst, extending the
+ *      rate-limit lockout. Now sleeps 200ms × 2^(attempt-1) between
+ *      iterations, matching the curve used in `copilotClient.ts` and the
+ *      token-exchange retry.
+ *   2. **Short-circuit on terminal failures** — a schema-invalid 200 or
+ *      a `Model discovery failed and no cache snapshot is available`
+ *      surface no longer retries; both are deterministic failures that
+ *      retrying can't fix and the misleading "across all attempts" error
+ *      hid the real cause.
+ *
+ * `attempts` keeps its previous default of 3 for callers that don't
+ * specify. Each attempt's own retry budget lives inside `listModels`'s
+ * cache-fallback path; this loop runs once per upstream call.
+ */
+export async function listModelsUnion(accountType, bearerToken, attempts = 3, deps, accountId) {
+    const sleepImpl = deps?.sleepImpl ?? ((ms) => defaultSleep(ms));
     const seen = new Map();
     let lastResult = null;
     let lastError;
+    let consecutiveFailures = 0;
     for (let i = 0; i < attempts; i += 1) {
         try {
-            const result = await listModels(accountType, bearerToken);
+            const result = await listModels(accountType, bearerToken, deps, accountId);
             lastResult = result;
+            consecutiveFailures = 0;
             for (const model of result.models) {
                 if (typeof model.id === "string" && !seen.has(model.id)) {
                     seen.set(model.id, model);
@@ -85,6 +139,26 @@ export async function listModelsUnion(accountType, bearerToken, attempts = 3) {
         }
         catch (error) {
             lastError = error;
+            consecutiveFailures += 1;
+            // Schema failures are deterministic — same response shape, same error.
+            // Don't burn the rest of the retry budget; surface the real cause now.
+            if (error instanceof ModelDiscoverySchemaError) {
+                throw error;
+            }
+            // HTTP failures that aren't on the retryable list (e.g. 401/403 with
+            // no cache, 404) are also deterministic. The cache-fallback path
+            // inside `listModels` has already had its chance to engage; if we got
+            // here it didn't.
+            if (error instanceof ModelDiscoveryHttpError && !RETRYABLE_DISCOVERY_STATUSES.has(error.status)) {
+                throw error;
+            }
+        }
+        // Only sleep between attempts if the most recent attempt FAILED. Sleeping
+        // between successful attempts would burn wall-clock for no benefit when
+        // the union is already populated. Sleep schedule mirrors the rest of the
+        // codebase: 200ms × 2^(failure-1), so 200 → 400 → 800 between failures.
+        if (i < attempts - 1 && consecutiveFailures > 0) {
+            await sleepImpl(DEFAULT_BACKOFF_BASE_MS * Math.pow(2, consecutiveFailures - 1));
         }
     }
     if (lastResult === null) {
@@ -157,30 +231,82 @@ export function resolveModelSelections(requestedModelIds, models) {
     }
     return { resolved, unresolved };
 }
-class ModelDiscoveryHttpError extends Error {
+export class ModelDiscoveryHttpError extends Error {
     status;
     constructor(status) {
         super(`Model discovery failed (${status}).`);
         this.status = status;
+        this.name = "ModelDiscoveryHttpError";
+    }
+}
+export class ModelDiscoverySchemaError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = "ModelDiscoverySchemaError";
     }
 }
+/**
+ * Statuses + error types that allow degrading to the on-disk cache instead
+ * of failing the caller.
+ *
+ * Widened from the previous `429 || >= 500` to include 401, 403, 408 — the
+ * exact case the seed audit hit: a transient 401 from `api.github.com/...`
+ * or its proxy in front of `/models` would re-throw and tell the user
+ * `Model discovery failed and no cache snapshot is available.` even when
+ * a perfectly good cached catalog existed. With this widening, a fresh
+ * cache (typical for users who've run `copillm start` recently) hides the
+ * blip from agent surfaces.
+ *
+ * Schema errors are intentionally NOT cache-eligible: a 200 with a body
+ * shape we don't recognize is a deterministic failure that the cache
+ * can't paper over, and surfacing the real `Model discovery response is
+ * invalid.` error is more useful than silently serving stale data.
+ *
+ * Non-HTTP errors (transport / AbortError / generic) DO fall back — those
+ * are exactly the kinds of transient failures the cache exists for.
+ */
 function canUseCacheFallback(error) {
+    if (error instanceof ModelDiscoverySchemaError) {
+        return false;
+    }
     if (error instanceof ModelDiscoveryHttpError) {
-        return error.status === 429 || error.status >= 500;
+        return CACHE_FALLBACK_STATUSES.has(error.status) || error.status >= 500;
     }
     return true;
 }
-function saveModelCache(accountType, models) {
+const CACHE_FALLBACK_STATUSES = new Set([401, 403, 408, 409, 425, 429]);
+/**
+ * Resolve the model-cache file for an account. `undefined` → the shared
+ * `models.cache.json` used by the primary/legacy account and single-account
+ * installs; a string → the per-account `models.cache.<id>.json`. The caller
+ * (the daemon) decides which based on the account's storage scheme, so a
+ * default-account switch never makes two accounts share a catalog file.
+ */
+function modelsCacheWriteFile(accountId) {
+    if (accountId === undefined) {
+        return modelsCachePath();
+    }
+    assertValidAccountId(accountId);
+    return accountModelsCachePath(accountId);
+}
+function modelsCacheReadFile(accountId) {
+    if (accountId === undefined) {
+        return modelsCacheReadPath();
+    }
+    assertValidAccountId(accountId);
+    return accountModelsCacheReadPath(accountId);
+}
+function saveModelCache(accountType, models, accountId) {
     const payload = {
         version: 1,
         accountType,
         savedAtIso: new Date().toISOString(),
         models
     };
-    writeFileSecureAtomic(modelsCachePath(), JSON.stringify(payload, null, 2), 0o600);
+    writeFileSecureAtomic(modelsCacheWriteFile(accountId), JSON.stringify(payload, null, 2), 0o600);
 }
-function readModelCache(accountType) {
-    const filePath = modelsCacheReadPath();
+function readModelCache(accountType, accountId) {
+    const filePath = modelsCacheReadFile(accountId);
     if (!fs.existsSync(filePath)) {
         return null;
     }

package/dist/server/accountResolver.js

@@ -0,0 +1,85 @@
+import { CopilotTokenManager } from "../auth/copilotToken.js";
+import { loadStoredCredentialForAccount } from "../auth/credentials.js";
+import { findAccount } from "../auth/accounts.js";
+/**
+ * A resolver that knows only the default account. Used to preserve the exact
+ * single-account behaviour when the proxy is started without a multi-account
+ * resolver (e.g. test harnesses). A prefixed request for any other account
+ * resolves to `null` → the proxy returns `account_not_found`.
+ */
+export function singleAccountResolver(input) {
+    const def = {
+        accountId: input.accountId ?? null,
+        githubToken: input.githubToken,
+        tokenManager: input.tokenManager,
+        accountType: input.accountType,
+        cacheId: input.cacheId
+    };
+    return {
+        default: def,
+        async resolveById(accountId) {
+            if (def.accountId !== null && accountId === def.accountId) {
+                return def;
+            }
+            return null;
+        },
+        describe() {
+            return { defaultAccountId: def.accountId, activeAccountIds: [] };
+        },
+        clearAll() {
+            def.tokenManager.clear();
+        }
+    };
+}
+/**
+ * The production resolver. Wraps the eagerly-built default account and lazily
+ * builds a bearer manager per named account the first time a request for it
+ * arrives. Bearer managers are cached for the daemon's lifetime so repeated
+ * requests reuse the same (refresh-coalescing) manager.
+ */
+export class DaemonAccountResolver {
+    default;
+    cache = new Map();
+    createTokenManager;
+    constructor(input) {
+        this.default = input.default;
+        this.createTokenManager = input.createTokenManager ?? ((githubToken) => new CopilotTokenManager(githubToken));
+    }
+    async resolveById(accountId) {
+        if (this.default.accountId !== null && accountId === this.default.accountId) {
+            return this.default;
+        }
+        const cached = this.cache.get(accountId);
+        if (cached) {
+            return cached;
+        }
+        const credential = await loadStoredCredentialForAccount(accountId);
+        if (!credential) {
+            return null;
+        }
+        const record = findAccount(accountId);
+        // The cache file follows the account's storage scheme, mirroring the
+        // credential store: a legacy-storage account shares `models.cache.json`,
+        // a namespaced account gets its own `models.cache.<id>.json`.
+        const cacheId = record && record.storage === "legacy" ? undefined : accountId;
+        const resolved = {
+            accountId,
+            githubToken: credential.token,
+            tokenManager: this.createTokenManager(credential.token),
+            accountType: credential.accountType,
+            cacheId
+        };
+        this.cache.set(accountId, resolved);
+        return resolved;
+    }
+    describe() {
+        return { defaultAccountId: this.default.accountId, activeAccountIds: [...this.cache.keys()] };
+    }
+    clearAll() {
+        this.default.tokenManager.clear();
+        for (const resolved of this.cache.values()) {
+            resolved.tokenManager.clear();
+        }
+        this.cache.clear();
+    }
+}

package/dist/server/debugInfo.js

@@ -1,37 +1,82 @@
+import { setTimeout as defaultSleep } from "node:timers/promises";
 import { githubUserUrl } from "../config/upstream.js";
+import { isRetryableStatus, isRetryableTransportError, retryDelayMs } from "./upstream/retryPolicy.js";
 const CACHE_TTL_MS = 5 * 60 * 1_000;
+const DEFAULT_MAX_ATTEMPTS = 3;
 let cached = null;
+/**
+ * Fetch the GitHub user summary with bounded retries on transient failures.
+ *
+ * Was: single fetch, single attempt. A transient 502 from `api.github.com/user`
+ * caused `auth status` to hide the user's login and `/_debug` to report
+ * `user_error: github_user_lookup_failed_502` instead of the user object.
+ *
+ * Now: retries 5xx/429/408/409/425 + transient transport errors up to
+ * `maxAttempts` (default 3) with exponential backoff (200ms / 400ms). Does
+ * NOT retry 401/403/404 — those are terminal credential / endpoint signals
+ * and retrying just delays the error the caller needs to surface.
+ *
+ * Cache write only happens on success.
+ */
 export async function getGithubUserSummary(githubToken, options = {}) {
     const now = Date.now();
     if (cached && now - cached.fetchedAt < CACHE_TTL_MS) {
         return cached.summary;
     }
-    const response = await fetch(githubUserUrl(), {
-        headers: {
-            Authorization: `token ${githubToken}`,
-            Accept: "application/vnd.github+json",
-            "User-Agent": "copillm/0.1.0",
-            "X-GitHub-Api-Version": "2022-11-28"
-        },
-        signal: typeof options.timeoutMs === "number" ? AbortSignal.timeout(options.timeoutMs) : undefined
-    });
-    if (!response.ok) {
+    const fetchImpl = options.fetchImpl ?? ((input, init) => fetch(input, init));
+    const sleepImpl = options.sleepImpl ?? ((ms) => defaultSleep(ms));
+    const maxAttempts = options.maxAttempts ?? DEFAULT_MAX_ATTEMPTS;
+    let lastError;
+    for (let attempt = 1; attempt <= maxAttempts; attempt += 1) {
+        let response;
+        try {
+            response = await fetchImpl(githubUserUrl(), {
+                headers: {
+                    Authorization: `token ${githubToken}`,
+                    Accept: "application/vnd.github+json",
+                    "User-Agent": "copillm/0.1.0",
+                    "X-GitHub-Api-Version": "2022-11-28"
+                },
+                signal: typeof options.timeoutMs === "number" ? AbortSignal.timeout(options.timeoutMs) : undefined
+            });
+        }
+        catch (error) {
+            lastError = error;
+            if (isRetryableTransportError(error) && attempt < maxAttempts) {
+                await sleepImpl(retryDelayMs(attempt));
+                continue;
+            }
+            throw error;
+        }
+        if (response.ok) {
+            const payload = (await response.json());
+            const summary = {
+                login: typeof payload.login === "string" ? payload.login : "",
+                id: typeof payload.id === "number" ? payload.id : 0,
+                name: typeof payload.name === "string" ? payload.name : null,
+                email: typeof payload.email === "string" ? payload.email : null,
+                type: typeof payload.type === "string" ? payload.type : "User",
+                avatar_url: typeof payload.avatar_url === "string" ? payload.avatar_url : null,
+                html_url: typeof payload.html_url === "string" ? payload.html_url : null,
+                plan_name: typeof payload.plan?.name === "string" ? payload.plan.name : null
+            };
+            cached = { fetchedAt: Date.now(), summary };
+            return summary;
+        }
+        // Non-OK. 401/403/404 are terminal — fast-fail. Other retryable statuses
+        // (429, 5xx) drain the body and retry.
         const detail = await response.text();
-        throw new GithubUserFetchError(response.status, detail.slice(0, 256));
+        const snippet = detail.slice(0, 256);
+        lastError = new GithubUserFetchError(response.status, snippet);
+        if (isRetryableStatus(response.status) && attempt < maxAttempts) {
+            await sleepImpl(retryDelayMs(attempt));
+            continue;
+        }
+        throw lastError;
     }
-    const payload = (await response.json());
-    const summary = {
-        login: typeof payload.login === "string" ? payload.login : "",
-        id: typeof payload.id === "number" ? payload.id : 0,
-        name: typeof payload.name === "string" ? payload.name : null,
-        email: typeof payload.email === "string" ? payload.email : null,
-        type: typeof payload.type === "string" ? payload.type : "User",
-        avatar_url: typeof payload.avatar_url === "string" ? payload.avatar_url : null,
-        html_url: typeof payload.html_url === "string" ? payload.html_url : null,
-        plan_name: typeof payload.plan?.name === "string" ? payload.plan.name : null
-    };
-    cached = { fetchedAt: now, summary };
-    return summary;
+    // Unreachable: every loop iteration either returns, throws, or continues
+    // (and continue is gated on `attempt < maxAttempts`). Defend anyway.
+    throw lastError ?? new Error("GitHub user lookup exhausted retries without error context.");
 }
 export function clearGithubUserCache() {
     cached = null;

package/dist/server/errors.js

@@ -141,6 +141,24 @@ export function upstreamStatusCategory(status) {
     return "upstream_error";
 }
 export function healthFailure(error) {
+    return tokenErrorToHttpResponse(error);
+}
+/**
+ * Map a `CopilotTokenManagerError` (or any unknown error from the token
+ * exchange / refresh path) to an HTTP response. Single source of truth for
+ * the `/healthz`, `/models`, `/codex/v1/models`, and `/anthropic/v1/models`
+ * routes — previously `routes/models.ts` collapsed every token failure to a
+ * flat 503 `token_refresh_failed`, hiding the credential-vs-blip
+ * distinction that callers (codex, pi, claude) need to decide whether to
+ * retry. The discrimination logic now lives here.
+ *
+ * Maps:
+ *   - 401/403 from the upstream token endpoint   → HTTP 401 `github_auth_invalid`
+ *   - 5xx/429/other transient from upstream      → HTTP 503 `token_exchange_failed`
+ *   - other `CopilotTokenManagerError`           → HTTP 401 `token_refresh_failed`
+ *   - anything else                              → HTTP 503 `token_refresh_unavailable`
+ */
+export function tokenErrorToHttpResponse(error) {
     if (error instanceof CopilotTokenExchangeError) {
         if (error.statusCode === 401 || error.statusCode === 403) {
             return {

package/dist/server/proxy.js

@@ -1,5 +1,6 @@
 import { createServer } from "node:http";
 import { randomUUID } from "node:crypto";
+import { singleAccountResolver } from "./accountResolver.js";
 import { attachRequestLifecycle, isBenignSocketError, safeEnd, safeSendJson } from "./requestLifecycle.js";
 import { InvalidRequestShapeError, JsonRequestParseError } from "./errors.js";
 import { ProtocolTranslationError } from "../translation/openaiAnthropic.js";
@@ -10,6 +11,22 @@ import { handleProxyForward } from "./routes/proxyForward.js";
 import { isLocalRequest, resolveRoute, safePathname } from "./routes/shared.js";
 export async function startProxyServer(input) {
     const debugEnabled = input.debug === true;
+    const resolver = input.accountResolver ??
+        singleAccountResolver({
+            tokenManager: input.tokenManager,
+            githubToken: input.githubToken ?? "",
+            accountType: input.config.accountType
+        });
+    // Resolve the account a request targets. Returns the default account for an
+    // unprefixed request; for an `/<account>` prefix, looks up the named account
+    // and answers 404 `account_not_found` when no credential is stored for it.
+    const resolveAccountForRoute = async (route) => {
+        if (route.accountId === null) {
+            return resolver.default;
+        }
+        const account = await resolver.resolveById(route.accountId);
+        return account;
+    };
     const server = createServer(async (req, res) => {
         const requestId = randomUUID();
         const startedAt = Date.now();
@@ -43,13 +60,21 @@ export async function startProxyServer(input) {
                     handleLivez(res);
                     return;
                 case "healthz":
-                    await handleHealthz(res, input.tokenManager);
+                    await handleHealthz(res, resolver.default.tokenManager);
                     return;
                 case "models":
+                    await handleModels(res, route.kind, resolver.default);
+                    return;
                 case "codex_models":
-                case "anthropic_models":
-                    await handleModels(res, route.kind, input.config, input.tokenManager, input.githubToken);
+                case "anthropic_models": {
+                    const account = await resolveAccountForRoute(route);
+                    if (!account) {
+                        safeSendJson(res, 404, { error: "account_not_found", detail: `No stored credential for account "${route.accountId}".` });
+                        return;
+                    }
+                    await handleModels(res, route.kind, account);
                     return;
+                }
                 case "debug":
                     if (!debugEnabled) {
                         safeSendJson(res, 404, { error: "not_found" });
@@ -58,9 +83,10 @@ export async function startProxyServer(input) {
                     await handleDebug(res, {
                         config: input.config,
                         logger: input.logger,
-                        tokenManager: input.tokenManager,
-                        githubToken: input.githubToken,
-                        port: input.port
+                        tokenManager: resolver.default.tokenManager,
+                        githubToken: resolver.default.githubToken,
+                        port: input.port,
+                        accounts: resolver.describe()
                     });
                     return;
                 case "not_found":
@@ -68,18 +94,24 @@ export async function startProxyServer(input) {
                     return;
                 case "openai":
                 case "anthropic":
-                case "codex_responses":
+                case "codex_responses": {
+                    const account = await resolveAccountForRoute(route);
+                    if (!account) {
+                        safeSendJson(res, 404, { error: "account_not_found", detail: `No stored credential for account "${route.accountId}".` });
+                        return;
+                    }
                     await handleProxyForward({
                         req,
                         res,
                         route,
                         config: input.config,
-                        tokenManager: input.tokenManager,
+                        account,
                         logger: input.logger,
                         requestId,
                         signal: lifecycle.signal
                     });
                     return;
+                }
             }
         }
         catch (error) {

package/dist/server/routes/debug.js

@@ -8,7 +8,10 @@ export async function handleDebug(res, input) {
     let userError = null;
     if (input.githubToken) {
         try {
-            const summary = await getGithubUserSummary(input.githubToken);
+            // Bound the GitHub user lookup so a slow `api.github.com` cannot hang
+            // the `/_debug` handler indefinitely. Matches the bound used by the
+            // CLI's `auth status` path (`githubIdentity.ts:42-44`).
+            const summary = await getGithubUserSummary(input.githubToken, { timeoutMs: 4_000 });
             user = {
                 login: summary.login,
                 id: summary.id,
@@ -45,6 +48,13 @@ export async function handleDebug(res, input) {
             bearer_present: input.tokenManager.current !== null,
             bearer_expires_at_unix: input.tokenManager.current?.expiresAtUnix ?? null
         },
+        accounts: {
+            // Token is never included. Reports the default account id (null for a
+            // single-account install) and the named accounts that have served at
+            // least one request this daemon lifetime.
+            default: input.accounts?.defaultAccountId ?? null,
+            active: input.accounts?.activeAccountIds ?? []
+        },
         user,
         user_error: userError,
         routes: [

package/dist/server/routes/models.js

@@ -2,17 +2,18 @@ import { CopilotTokenManagerError } from "../../auth/copilotToken.js";
 import { listModels, listModelsUnion } from "../../models/discovery.js";
 import { buildCodexCatalog } from "../codexSchema.js";
 import { buildAnthropicModelsResponse } from "../anthropicModelsResponse.js";
+import { tokenErrorToHttpResponse } from "../errors.js";
 import { safeSendJson } from "../requestLifecycle.js";
-export async function handleModels(res, routeKind, config, tokenManager, githubToken) {
+export async function handleModels(res, routeKind, account) {
     try {
-        await tokenManager.ensureToken(false);
-        if (!githubToken) {
+        await account.tokenManager.ensureToken(false);
+        if (!account.githubToken) {
             safeSendJson(res, 503, { error: "github_token_unavailable" });
             return;
         }
         const result = routeKind === "codex_models" || routeKind === "anthropic_models"
-            ? await listModelsUnion(config.accountType, githubToken, 3)
-            : await listModels(config.accountType, githubToken);
+            ? await listModelsUnion(account.accountType, account.githubToken, 3, undefined, account.cacheId)
+            : await listModels(account.accountType, account.githubToken, undefined, account.cacheId);
         if (routeKind === "codex_models") {
             safeSendJson(res, 200, buildCodexCatalog(result.models));
             return;
@@ -33,7 +34,12 @@ export async function handleModels(res, routeKind, config, tokenManager, githubT
     }
     catch (error) {
         if (error instanceof CopilotTokenManagerError) {
-            safeSendJson(res, 503, { error: "token_refresh_failed" });
+            // Discriminate credential failure (401/403 from upstream — terminal)
+            // from transient blip (5xx/429 from upstream — retryable by caller).
+            // Was: flat `503 token_refresh_failed` for both, which made codex/pi/
+            // claude blindly retry on the permanent case.
+            const mapped = tokenErrorToHttpResponse(error);
+            safeSendJson(res, mapped.httpStatus, mapped.payload);
             return;
         }
         throw error;

package/dist/server/routes/proxyForward.js

@@ -22,7 +22,7 @@ function translateRequestBody(routeKind, body) {
     }
 }
 export async function handleProxyForward(input) {
-    const { req, res, route, config, tokenManager, logger, requestId, signal } = input;
+    const { req, res, route, config, account, logger, requestId, signal } = input;
     const requestBody = await readJson(req);
     const translatedBody = translateRequestBody(route.kind, requestBody);
     const requestedModel = readRequestedModel(translatedBody);
@@ -70,8 +70,8 @@ export async function handleProxyForward(input) {
     }, "prepared upstream request");
     try {
         const upstream = await postToCopilot({
-            tokenManager,
-            accountType: config.accountType,
+            tokenManager: account.tokenManager,
+            accountType: account.accountType,
             body: upstreamBody,
             requestId,
             logger,