lsd-pi 1.1.3 → 1.1.5

package/README.md

@@ -242,8 +242,9 @@ A few quality-of-life touches in the TUI:
 
 - the footer can show a live cache timer for the current prompt-cache window
 - `/hotkeys` gives you a full shortcut reference on demand
-- `/settings` now includes toggles for Codex rotate, the cache timer, RTK shell-command compression, and a configurable **Main accent** preset
+- `/settings` now includes toggles for Codex rotate, the cache timer, **Pin last prompt**, RTK shell-command compression, and a configurable **Main accent** preset
 - changing the main accent also updates accent-driven UI elements and the text input border across thinking levels
+- when **Pin last prompt** is enabled, LSD keeps your most recent non-command prompt visible above the editor as a lightweight reminder
 
 Some workflow/automation commands still use the legacy namespace:
 

package/dist/cli.js

@@ -58,6 +58,14 @@ function parseCliArgs(argv) {
         else if (arg === '--model' && i + 1 < args.length) {
             flags.model = args[++i];
         }
+        else if (arg === '--sandbox' && i + 1 < args.length) {
+            const value = args[++i];
+            if (value === 'none' || value === 'workspace-write' || value === 'auto')
+                flags.sandbox = value;
+        }
+        else if (arg === '--no-sandbox') {
+            flags.noSandbox = true;
+        }
         else if (arg === '--extension' && i + 1 < args.length) {
             flags.extensions.push(args[++i]);
         }
@@ -249,6 +257,12 @@ const modelRegistry = new ModelRegistry(authStorage, modelsJsonPath);
 markStartup('ModelRegistry');
 const settingsManager = SettingsManager.create(agentDir);
 markStartup('SettingsManager.create');
+if (cliFlags.noSandbox) {
+    process.env.PI_NO_SANDBOX = '1';
+}
+else if (cliFlags.sandbox) {
+    process.env.PI_SANDBOX = cliFlags.sandbox;
+}
 process.env.LUCENT_CODE_PERMISSION_MODE = settingsManager.getPermissionMode();
 const configuredClassifierModel = settingsManager.getClassifierModel();
 if (configuredClassifierModel) {

package/dist/headless.d.ts

@@ -18,6 +18,8 @@ export interface HeadlessOptions {
     json: boolean;
     outputFormat: OutputFormat;
     model?: string;
+    sandbox?: 'none' | 'workspace-write' | 'auto';
+    noSandbox?: boolean;
     command: string;
     commandArgs: string[];
     context?: string;

package/dist/headless.js

@@ -86,6 +86,15 @@ export function parseHeadlessArgs(argv) {
                 // --model can also be passed from the main CLI; headless-specific takes precedence
                 options.model = args[++i];
             }
+            else if (arg === '--sandbox' && i + 1 < args.length) {
+                const value = args[++i];
+                if (value === 'none' || value === 'workspace-write' || value === 'auto') {
+                    options.sandbox = value;
+                }
+            }
+            else if (arg === '--no-sandbox') {
+                options.noSandbox = true;
+            }
             else if (arg === '--context' && i + 1 < args.length) {
                 options.context = args[++i];
             }
@@ -189,6 +198,14 @@ async function runHeadlessOnce(options, restartCount) {
     if (isAutoMode && options.timeout === 300_000) {
         options.timeout = 0;
     }
+    if (!options.json) {
+        if (options.noSandbox) {
+            process.stderr.write('[headless] Sandbox: disabled by flag\n');
+        }
+        else if (options.sandbox) {
+            process.stderr.write(`[headless] Sandbox: ${options.sandbox}\n`);
+        }
+    }
     // Supervised mode cannot share stdin with --context -
     if (options.supervised && options.context === '-') {
         process.stderr.write('[headless] Error: --supervised cannot be used with --context - (both require stdin)\n');
@@ -271,6 +288,12 @@ async function runHeadlessOnce(options, restartCount) {
     if (injector) {
         clientOptions.env = injector.getSecretEnvVars();
     }
+    if (options.noSandbox) {
+        clientOptions.env = { ...(clientOptions.env || {}), PI_NO_SANDBOX: '1' };
+    }
+    else if (options.sandbox) {
+        clientOptions.env = { ...(clientOptions.env || {}), PI_SANDBOX: options.sandbox };
+    }
     // Signal headless mode to the GSD extension (skips UAT human pause, etc.)
     clientOptions.env = { ...(clientOptions.env || {}), GSD_HEADLESS: '1' };
     // Propagate --bare to the child process

package/dist/resources/extensions/async-jobs/async-bash-tool.js

@@ -6,6 +6,7 @@
  * with await_job.
  */
 import { getShellConfig, sanitizeCommand, DEFAULT_MAX_BYTES, DEFAULT_MAX_LINES, } from "@gsd/pi-coding-agent";
+import { Text } from "@gsd/pi-tui";
 import { Type } from "@sinclair/typebox";
 import { spawn, spawnSync } from "node:child_process";
 import { createWriteStream } from "node:fs";
@@ -70,6 +71,19 @@ export function createAsyncBashTool(getManager, getCwd) {
             "Check /jobs to see all running and recent background jobs.",
         ],
         parameters: schema,
+        renderCall(args, theme, options) {
+            const cmd = args.command ?? "";
+            const display = cmd.length > 80 ? cmd.slice(0, 77) + "..." : cmd;
+            const indicator = options?.statusIndicator ? `${options.statusIndicator} ` : "";
+            let text = indicator + theme.fg("toolTitle", theme.bold("async_bash "));
+            text += theme.fg("bashMode", "$ ");
+            text += theme.fg("accent", display || theme.fg("muted", "..."));
+            if (args.label)
+                text += theme.fg("muted", ` (${args.label})`);
+            if (args.timeout)
+                text += theme.fg("dim", ` timeout:${args.timeout}s`);
+            return new Text(text, 0, 0);
+        },
         async execute(_toolCallId, params, _signal, _onUpdate, _ctx) {
             const manager = getManager();
             const cwd = getCwd();

package/dist/resources/extensions/async-jobs/await-tool.js

@@ -4,6 +4,7 @@
  * If specific job IDs are provided, waits for those jobs.
  * If omitted, waits for any running job to complete.
  */
+import { Text } from "@gsd/pi-tui";
 import { Type } from "@sinclair/typebox";
 const DEFAULT_TIMEOUT_SECONDS = 120;
 const schema = Type.Object({
@@ -21,6 +22,19 @@ export function createAwaitTool(getManager) {
         label: "Await Background Job",
         description: "Wait for background jobs to complete. Provide specific job IDs or omit to wait for the next job that finishes. Returns results of completed jobs.",
         parameters: schema,
+        renderCall(args, theme, options) {
+            const indicator = options?.statusIndicator ? `${options.statusIndicator} ` : "";
+            let text = indicator + theme.fg("toolTitle", theme.bold("await_job"));
+            if (args.jobs && args.jobs.length > 0) {
+                text += " " + theme.fg("accent", args.jobs.join(", "));
+            }
+            else {
+                text += theme.fg("muted", " (any)");
+            }
+            if (args.timeout)
+                text += theme.fg("dim", ` timeout:${args.timeout}s`);
+            return new Text(text, 0, 0);
+        },
         async execute(_toolCallId, params, _signal, _onUpdate, _ctx) {
             const manager = getManager();
             const { jobs: jobIds, timeout } = params;

package/dist/resources/extensions/async-jobs/cancel-job-tool.js

@@ -1,6 +1,7 @@
 /**
  * cancel_job tool — cancel a running background job.
  */
+import { Text } from "@gsd/pi-tui";
 import { Type } from "@sinclair/typebox";
 const schema = Type.Object({
     job_id: Type.String({ description: "The background job ID to cancel (e.g. bg_a1b2c3d4)" }),
@@ -11,6 +12,12 @@ export function createCancelJobTool(getManager) {
         label: "Cancel Background Job",
         description: "Cancel a running background job by its ID.",
         parameters: schema,
+        renderCall(args, theme, options) {
+            const indicator = options?.statusIndicator ? `${options.statusIndicator} ` : "";
+            let text = indicator + theme.fg("toolTitle", theme.bold("cancel_job "));
+            text += theme.fg("accent", args.job_id);
+            return new Text(text, 0, 0);
+        },
         async execute(_toolCallId, params, _signal, _onUpdate, _ctx) {
             const manager = getManager();
             const result = manager.cancel(params.job_id);

package/dist/resources/extensions/cache-timer/index.js

@@ -14,6 +14,7 @@ import { existsSync, readFileSync, writeFileSync } from "node:fs";
 import { join } from "node:path";
 import { getAgentDir } from "@gsd/pi-coding-agent";
 const STATUS_KEY = "cache-timer";
+const IS_MEMORY_MAINTENANCE_WORKER = process.env.LSD_MEMORY_EXTRACT === "1" || process.env.LSD_MEMORY_DREAM === "1";
 // ANSI color codes for timer display
 const ANSI_RESET = "\x1b[0m";
 const ANSI_YELLOW = "\x1b[33m";
@@ -65,6 +66,9 @@ function formatElapsed(ms) {
     return `⏱ ${time}`;
 }
 export default function cacheTimerExtension(pi) {
+    if (IS_MEMORY_MAINTENANCE_WORKER) {
+        return;
+    }
     let timer = null;
     let startTime = null;
     let enabled = readEnabled();

package/dist/resources/extensions/codex-rotate/IMPLEMENTATION.md

@@ -18,6 +18,7 @@ Implemented a Codex OAuth rotation extension for LSD that manages multiple ChatG
    - Writes `openai-codex` credential array with `api_key` type
    - Avoids the `set()` method (which appends duplicates)
    - Maintains stable credential order for index-based backoff
+   - Followed by a live `AuthStorage.reload()` in the extension so the running process sees account changes immediately
 
 3. **Background Refresh Timer** (`index.ts`)
    - Runs every 10 minutes
@@ -42,11 +43,10 @@ Implemented a Codex OAuth rotation extension for LSD that manages multiple ChatG
    - `/codex import-cockpit` - Import from Cockpit
    - `/codex sync` - Force refresh all tokens
 
-6. **Error Detection** (`quota.ts`)
-   - Detects quota/rate limit errors
-   - Detects auth errors (401, expired tokens)
-   - Classifies errors by type
-   - Integrates with `AuthStorage.markUsageLimitReached()`
+6. **Error Detection / Rotation Path**
+   - Quota/rate-limit/auth classification lives in `quota.ts`
+   - Same-turn retry and per-credential backoff are performed by core `RetryHandler`
+   - The extension's responsibility is to keep `auth.json` and the live in-memory auth state in sync
 
 ## File Structure
 
@@ -87,6 +87,7 @@ Using `FileAuthStorageBackend.withLockAsync()`:
 - Prevents race conditions with multiple LSD instances
 - Replaces entire credential array (not just updating keys)
 - Maintains stable order for index-based backoff
+- Requires a follow-up live auth reload in the current process so retry rotation uses the updated credential set
 
 ### 4. Session-Sticky Credential Selection
 
@@ -105,15 +106,15 @@ LSD already uses session-sticky selection by default:
 
 ## Next Steps: Phase 2 (Resilience)
 
-The following features were planned but not yet implemented:
+Remaining improvements that could still be added:
 
-1. **Enhanced error detection in `agent_end`**
-   - Already implemented basic error detection
-   - Could add more sophisticated quota pattern matching
+1. **Richer `/codex status` diagnostics**
+   - Show live backoff / credential-availability state from `AuthStorage`
+   - Make it easier to verify when an account was rotated away after a usage-limit hit
 
-2. **Better credential change listener**
-   - Could listen for external auth.json modifications
-   - Would re-sync on change detection
+2. **External change detection**
+   - Could listen for external auth/account file modifications
+   - Would re-sync / reload on change detection
 
 3. **Migration helpers**
    - Could add `/codex migrate` to assist users moving from Cockpit
@@ -121,8 +122,12 @@ The following features were planned but not yet implemented:
 
 ## Testing
 
-To test the extension:
+Implemented regression coverage now includes:
+- `src/tests/codex-rotate-auth-reload.test.ts`
+- Verifies that codex-rotate syncs require a live auth reload for the running process to see the latest credentials
+- Verifies `quota_exhausted` backoff on one `openai-codex` credential causes the next retry to select the next credential
 
+Manual smoke test:
 1. Add an account: `/codex add`
 2. Check status: `/codex status`
 3. Add another account: `/codex add`

package/dist/resources/extensions/codex-rotate/README.md

@@ -97,14 +97,20 @@ Codex access tokens work identically to API keys:
 - Background timer runs every 10 minutes
 - Tokens are refreshed when expiring within 5 minutes
 - Refreshed tokens are atomically synced to auth.json
+- After every successful sync, the extension reloads live `AuthStorage` so retries and rotation see the latest credentials immediately
 - Failed refreshes disable the account with a reason
 
 ### Error Handling
 
-The extension hooks into `agent_end` events to detect:
+The extension now relies on LSD core retry/backoff handling rather than its own `agent_end` hook:
+- The Codex provider surfaces friendly usage-limit / rate-limit / auth errors
+- Core `RetryHandler` classifies those failures and calls `markUsageLimitReached(...)`
+- If another `openai-codex` credential is available, LSD automatically rotates and retries the same prompt
 - Rate limit errors (429) → 30s backoff
-- Quota exhausted errors → 30min backoff
-- Auth errors (401) → treated as rate limits for immediate rotation
+- Quota exhausted / usage limit errors → 30min backoff
+- Auth errors (401) → treated as immediate credential-rotation failures
+
+To make that work reliably, the extension reloads the live auth state after every successful sync so the retry handler sees the current credential pool immediately.
 
 ## Security
 

package/dist/resources/extensions/codex-rotate/commands.js

@@ -63,6 +63,13 @@ function displayAccounts(ctx, accounts) {
     });
     ctx.ui.notify(lines.join("\n"), "info");
 }
+async function syncAccountsToAuthAndReload(ctx) {
+    const synced = await syncAccountsToAuth(getAllAccounts());
+    if (synced) {
+        ctx.modelRegistry.authStorage.reload();
+    }
+    return synced;
+}
 /**
  * Register the /codex command
  */
@@ -104,7 +111,10 @@ export function registerCodexCommand(pi) {
                 switch (sub) {
                     case "add": {
                         ctx.ui.notify("Starting OAuth login flow...", "info");
-                        const accountData = await performOAuthLogin();
+                        const accountData = await performOAuthLogin(undefined, {
+                            onStatus: (msg) => ctx.ui.notify(msg, "info"),
+                            onManualCodeInput: async () => (await ctx.ui.input("Paste the redirect URL from your browser:", "http://localhost:...")) ?? "",
+                        });
                         // Prompt for email (optional)
                         const emailInput = await ctx.ui.input("Email for this account (optional, press Enter to skip)", "");
                         const email = emailInput || undefined;
@@ -115,7 +125,7 @@ export function registerCodexCommand(pi) {
                             disabled: false,
                         });
                         // Sync to auth.json
-                        const success = await syncAccountsToAuth(getAllAccounts());
+                        const success = await syncAccountsToAuthAndReload(ctx);
                         if (success) {
                             ctx.ui.notify(`Added account: ${email || account.accountId}. Synced to auth.json.`, "success");
                         }
@@ -173,7 +183,7 @@ export function registerCodexCommand(pi) {
                         const confirmed = await ctx.ui.select(`Remove account: ${account.email || account.accountId}?`, ["Yes, remove", "Cancel"], { signal: AbortSignal.timeout(30000) });
                         if (confirmed === "Yes, remove") {
                             removeAccount(account.id);
-                            await syncAccountsToAuth(getAllAccounts());
+                            await syncAccountsToAuthAndReload(ctx);
                             ctx.ui.notify(`Removed account: ${account.email || account.accountId}`, "success");
                         }
                         return;
@@ -197,7 +207,7 @@ export function registerCodexCommand(pi) {
                             return;
                         }
                         updateAccount(account.id, { disabled: false, disabledReason: undefined });
-                        await syncAccountsToAuth(getAllAccounts());
+                        await syncAccountsToAuthAndReload(ctx);
                         ctx.ui.notify(`Enabled account: ${account.email || account.accountId}`, "success");
                         return;
                     }
@@ -220,7 +230,7 @@ export function registerCodexCommand(pi) {
                             return;
                         }
                         updateAccount(account.id, { disabled: true, disabledReason: "manually disabled" });
-                        await syncAccountsToAuth(getAllAccounts());
+                        await syncAccountsToAuthAndReload(ctx);
                         ctx.ui.notify(`Disabled account: ${account.email || account.accountId}`, "success");
                         return;
                     }
@@ -231,7 +241,7 @@ export function registerCodexCommand(pi) {
                             ctx.ui.notify("No account found to import.", "warning");
                             return;
                         }
-                        const account = addAccount({
+                        addAccount({
                             email: imported.email,
                             accountId: imported.accountId,
                             refreshToken: imported.refreshToken,
@@ -240,7 +250,7 @@ export function registerCodexCommand(pi) {
                             lastUsed: undefined,
                             disabled: false,
                         });
-                        await syncAccountsToAuth(getAllAccounts());
+                        await syncAccountsToAuthAndReload(ctx);
                         ctx.ui.notify(`Imported account: ${imported.email || imported.accountId}`, "success");
                         return;
                     }
@@ -254,7 +264,7 @@ export function registerCodexCommand(pi) {
                         for (const acc of imported) {
                             addAccount(acc);
                         }
-                        await syncAccountsToAuth(getAllAccounts());
+                        await syncAccountsToAuthAndReload(ctx);
                         ctx.ui.notify(`Imported ${imported.length} account(s) from Cockpit Tools`, "success");
                         return;
                     }
@@ -275,7 +285,7 @@ export function registerCodexCommand(pi) {
                                 results.failed++;
                             }
                         }
-                        await syncAccountsToAuth(getAllAccounts());
+                        await syncAccountsToAuthAndReload(ctx);
                         if (results.failed === 0) {
                             ctx.ui.notify(`Synced ${results.success} account(s) to auth.json`, "success");
                         }

package/dist/resources/extensions/codex-rotate/index.js

@@ -7,14 +7,16 @@
 import { getAllAccounts, updateAccount, getAccountsNeedingRefresh } from "./accounts.js";
 import { syncAccountsToAuth } from "./sync.js";
 import { registerCodexCommand } from "./commands.js";
-import { classifyError, markCredentialBackoff, shouldBackoffCredential } from "./quota.js";
-import { REFRESH_INTERVAL_MS, PROVIDER_NAME } from "./config.js";
-import { logCodexRotateError, logCodexRotateSwitch } from "./logger.js";
+import { REFRESH_INTERVAL_MS } from "./config.js";
+import { logCodexRotateError } from "./logger.js";
 let refreshTimer = null;
+async function reloadLiveAuthState(ctx) {
+    ctx.modelRegistry.authStorage.reload();
+}
 /**
  * Refresh all accounts that need it
  */
-async function refreshExpiringAccounts() {
+async function refreshExpiringAccounts(ctx) {
     try {
         const accountsNeedingRefresh = getAccountsNeedingRefresh();
         if (accountsNeedingRefresh.length === 0) {
@@ -42,7 +44,10 @@ async function refreshExpiringAccounts() {
         if (successCount > 0) {
             // Sync refreshed accounts to auth.json
             const allAccounts = getAllAccounts();
-            await syncAccountsToAuth(allAccounts);
+            const synced = await syncAccountsToAuth(allAccounts);
+            if (synced) {
+                await reloadLiveAuthState(ctx);
+            }
         }
         if (failCount > 0 && successCount === 0) {
             logCodexRotateError(`Failed to refresh ${failCount} account(s)`);
@@ -55,12 +60,12 @@ async function refreshExpiringAccounts() {
 /**
  * Start the background refresh timer
  */
-function startRefreshTimer() {
+function startRefreshTimer(ctx) {
     if (refreshTimer) {
         clearInterval(refreshTimer);
     }
     refreshTimer = setInterval(() => {
-        void refreshExpiringAccounts();
+        void refreshExpiringAccounts(ctx);
     }, REFRESH_INTERVAL_MS);
 }
 /**
@@ -79,46 +84,26 @@ export default function CodexRotateExtension(pi) {
     // Register commands
     registerCodexCommand(pi);
     // Session start hook
-    pi.on("session_start", async (_event) => {
+    pi.on("session_start", async (_event, ctx) => {
         const accounts = getAllAccounts();
         if (accounts.length === 0) {
             return;
         }
         // Refresh any expiring accounts immediately
-        await refreshExpiringAccounts();
+        await refreshExpiringAccounts(ctx);
         // Sync to auth.json
-        await syncAccountsToAuth(getAllAccounts());
+        const synced = await syncAccountsToAuth(getAllAccounts());
+        if (synced) {
+            await reloadLiveAuthState(ctx);
+        }
         // Start background refresh timer
-        startRefreshTimer();
+        startRefreshTimer(ctx);
     });
     // Session shutdown hook
     pi.on("session_shutdown", () => {
         stopRefreshTimer();
     });
-    // Agent end hook - detect quota/auth errors and backoff credentials
-    pi.on("agent_end", async (event, ctx) => {
-        try {
-            const messages = event.messages;
-            const lastAssistant = [...messages].reverse().find((message) => message.role === "assistant");
-            if (!lastAssistant || !("errorMessage" in lastAssistant) || !lastAssistant.errorMessage)
-                return;
-            const errorMessage = lastAssistant.errorMessage;
-            if (!shouldBackoffCredential(errorMessage))
-                return;
-            const errorType = classifyError(errorMessage);
-            const sessionId = ctx.sessionManager.getSessionId();
-            const anotherAvailable = markCredentialBackoff(PROVIDER_NAME, sessionId, errorType);
-            if (anotherAvailable) {
-                logCodexRotateSwitch(`Auto-switched account after ${errorType} error`);
-                ctx.ui.notify("Codex credential backed off, rotating to next account", "info");
-            }
-            else {
-                logCodexRotateError(`All accounts backed off after ${errorType} error`);
-                ctx.ui.notify("All Codex credentials are backed off. Please wait before retrying.", "warning");
-            }
-        }
-        catch (error) {
-            logCodexRotateError("Error in agent_end handler:", error);
-        }
-    });
+    // Agent end hook intentionally omitted.
+    // Credential backoff + same-turn retry now lives in the core RetryHandler,
+    // which knows the actual credential index used for the current session.
 }

package/dist/resources/extensions/codex-rotate/oauth.js

@@ -1,7 +1,11 @@
 /**
- * OAuth flow wrapper for Codex account management
+ * OAuth flow wrapper for Codex account management.
+ *
+ * Uses authStorage.login('openai-codex', callbacks) — the exact same code
+ * path as the onboarding wizard — so the browser auto-redirect flow, PKCE
+ * exchange, and manual-paste fallback all work identically.
  */
-import { loginOpenAICodex, refreshOpenAICodexToken } from "@gsd/pi-ai/oauth";
+import { refreshOpenAICodexToken } from "@gsd/pi-ai/oauth";
 import { logCodexRotateError } from "./logger.js";
 function getAccountId(credentials) {
     if (typeof credentials.accountId !== "string" || credentials.accountId.length === 0) {
@@ -9,6 +13,14 @@ function getAccountId(credentials) {
     }
     return credentials.accountId;
 }
+/**
+ * Get the AuthStorage instance (same pattern as quota.ts)
+ */
+async function getAuthStorage() {
+    const specifier = "@gsd/pi-coding-agent/dist/core/auth-storage.js";
+    const mod = await import(/* webpackIgnore: true */ specifier);
+    return new mod.AuthStorage();
+}
 function asObject(value) {
     return value !== null && typeof value === "object" ? value : null;
 }
@@ -19,23 +31,68 @@ function getRequiredRefreshToken(data) {
     const refreshToken = data.refreshToken ?? data.refresh_token;
     return typeof refreshToken === "string" && refreshToken.length > 0 ? refreshToken : null;
 }
+/** Open a URL in the system browser (best-effort, non-blocking) */
+async function openBrowser(url) {
+    try {
+        const { execFile } = await import("node:child_process");
+        if (process.platform === "win32") {
+            execFile("powershell", ["-c", `Start-Process '${url.replace(/'/g, "''")}'`], () => { });
+        }
+        else {
+            const cmd = process.platform === "darwin" ? "open" : "xdg-open";
+            execFile(cmd, [url], () => { });
+        }
+    }
+    catch {
+        // Browser open failed — URL still shown via onStatus
+    }
+}
 /**
- * Perform OAuth login and return a new Codex account
+ * Perform OAuth login and return a new Codex account.
+ *
+ * Delegates to authStorage.login('openai-codex', callbacks) — the exact same
+ * code path used by the onboarding wizard. After login completes, reads back
+ * the stored OAuth credential to extract the tokens for the account store.
  */
-export async function performOAuthLogin(email) {
-    const credentials = await loginOpenAICodex({
-        onAuth: () => { },
-        onPrompt: async () => {
-            throw new Error("OAuth browser flow failed. Please try again.");
+export async function performOAuthLogin(email, callbacks) {
+    const { onStatus, onManualCodeInput } = callbacks ?? {};
+    const authStorage = await getAuthStorage();
+    // Use authStorage.login() — the exact same path as onboarding
+    await authStorage.login("openai-codex", {
+        onAuth: (info) => {
+            onStatus?.(`Opening browser for Codex OAuth...\nURL: ${info.url}`);
+            openBrowser(info.url);
+            if (info.instructions) {
+                onStatus?.(info.instructions);
+            }
+        },
+        onPrompt: async (prompt) => {
+            // Fallback: if onManualCodeInput is available, use it for the prompt too
+            if (onManualCodeInput) {
+                return onManualCodeInput();
+            }
+            throw new Error(`OAuth browser flow failed: ${prompt.message}`);
         },
-        onProgress: () => { },
+        onProgress: (message) => {
+            onStatus?.(message);
+        },
+        onManualCodeInput,
     });
+    // Read back the stored credential
+    const credential = authStorage.get("openai-codex");
+    if (!credential || credential.type !== "oauth") {
+        throw new Error("OAuth login succeeded but no credential was stored");
+    }
+    const { access, refresh, expires, accountId } = credential;
+    if (!access || !refresh || !accountId) {
+        throw new Error("Stored OAuth credential is missing required fields");
+    }
     return {
         email,
-        accountId: getAccountId(credentials),
-        refreshToken: credentials.refresh,
-        accessToken: credentials.access,
-        expiresAt: credentials.expires,
+        accountId: accountId,
+        refreshToken: refresh,
+        accessToken: access,
+        expiresAt: expires,
     };
 }
 /**

package/dist/resources/extensions/codex-rotate/quota.js

@@ -66,10 +66,11 @@ export function extractErrorFromResponse(response) {
 /**
  * Get the AuthStorage instance for marking usage limits
  */
-function getAuthStorage() {
-    // Dynamic import to avoid top-level dependencies
-    const { AuthStorage } = require("@gsd/pi-coding-agent/dist/core/auth-storage.js");
-    return new AuthStorage();
+async function getAuthStorage() {
+    // Dynamic import to avoid top-level dependencies (require not available in ESM context)
+    const specifier = "@gsd/pi-coding-agent/dist/core/auth-storage.js";
+    const mod = await import(/* webpackIgnore: true */ specifier);
+    return new mod.AuthStorage();
 }
 /**
  * Mark a credential as rate-limited/quota exhausted
@@ -77,9 +78,9 @@ function getAuthStorage() {
  * This should be called when we detect a quota/rate limit error in the agent response.
  * It will back off the credential and LSD will automatically rotate to the next one.
  */
-export function markCredentialBackoff(provider, sessionId, errorType) {
+export async function markCredentialBackoff(provider, sessionId, errorType) {
     try {
-        const authStorage = getAuthStorage();
+        const authStorage = await getAuthStorage();
         // Map CodexErrorType to AuthStorage error type
         const authErrorType = errorType === "rate_limit"
             ? "rate_limit"

package/dist/resources/extensions/codex-rotate/sync.js

@@ -30,6 +30,12 @@ export async function syncAccountsToAuth(accounts) {
             }
             const credentials = accounts
                 .filter((acc) => !acc.disabled)
+                .sort((a, b) => {
+                const lastUsedDiff = (b.lastUsed ?? 0) - (a.lastUsed ?? 0);
+                if (lastUsedDiff !== 0)
+                    return lastUsedDiff;
+                return b.addedAt - a.addedAt;
+            })
                 .map((acc) => ({
                 type: "api_key",
                 key: acc.accessToken,