opencode-codex-multi-account 0.2.2 → 0.2.4

package/dist/index.js

@@ -84,6 +84,23 @@ var PluginConfigSchema = v.object({
   quiet_mode: v.optional(v.boolean(), false),
   debug: v.optional(v.boolean(), false)
 });
+var TokenRefreshError = class _TokenRefreshError extends Error {
+  status;
+  permanent;
+  constructor(permanent, status) {
+    super(status === void 0 ? "Token refresh failed" : `Token refresh failed: ${status}`);
+    this.name = "TokenRefreshError";
+    this.status = status;
+    this.permanent = permanent;
+    Object.setPrototypeOf(this, _TokenRefreshError.prototype);
+  }
+};
+function isTokenRefreshError(error) {
+  if (error instanceof TokenRefreshError) return true;
+  if (!(error instanceof Error)) return false;
+  const candidate = error;
+  return candidate.name === "TokenRefreshError" && typeof candidate.permanent === "boolean" && (candidate.status === void 0 || typeof candidate.status === "number");
+}
 
 // ../multi-account-core/src/config.ts
 var DEFAULT_CONFIG_FILENAME = "multiauth-config.json";
@@ -224,6 +241,14 @@ function createMinimalClient() {
     }
   };
 }
+function getClearedOAuthBody() {
+  return {
+    type: "oauth",
+    refresh: "",
+    access: "",
+    expires: 0
+  };
+}
 
 // ../multi-account-core/src/claims.ts
 var CLAIMS_FILENAME = "multiauth-claims.json";
@@ -647,13 +672,7 @@ function createAccountManagerForProvider(dependencies) {
       });
     }
     async markRevoked(uuid) {
-      await this.store.mutateAccount(uuid, (account) => {
-        account.isAuthDisabled = true;
-        account.authDisabledReason = "OAuth token revoked (403)";
-        account.accessToken = void 0;
-        account.expiresAt = void 0;
-      });
-      this.runtimeFactory?.invalidate(uuid);
+      await this.removeAccountByUuid(uuid);
     }
     async markSuccess(uuid) {
       this.last429Map.delete(uuid);
@@ -676,15 +695,32 @@ function createAccountManagerForProvider(dependencies) {
       }).catch(() => {
       });
     }
+    async clearOpenCodeAuthIfNoAccountsRemain() {
+      if (!this.client) return;
+      const storage = await this.store.load();
+      if (storage.accounts.length > 0) return;
+      await this.client.auth.set({
+        path: { id: providerAuthId },
+        body: getClearedOAuthBody()
+      }).catch(() => {
+      });
+    }
+    async removeAccountByUuid(uuid) {
+      const removed = await this.store.removeAccount(uuid);
+      if (!removed) return;
+      this.last429Map.delete(uuid);
+      this.runtimeFactory?.invalidate(uuid);
+      await this.refresh();
+      await this.clearOpenCodeAuthIfNoAccountsRemain();
+    }
     async markAuthFailure(uuid, result) {
+      if (!result.ok && result.permanent) {
+        await this.removeAccountByUuid(uuid);
+        return;
+      }
       await this.store.mutateStorage((storage) => {
         const account = storage.accounts.find((entry) => entry.uuid === uuid);
         if (!account) return;
-        if (!result.ok && result.permanent) {
-          account.isAuthDisabled = true;
-          account.authDisabledReason = "Token permanently rejected (400/401/403)";
-          return;
-        }
         account.consecutiveAuthFailures = (account.consecutiveAuthFailures ?? 0) + 1;
         const maxFailures = getConfig().max_consecutive_auth_failures;
         const usableCount = storage.accounts.filter(
@@ -781,11 +817,21 @@ function createAccountManagerForProvider(dependencies) {
       this.cached = [];
       this.activeAccountUuid = void 0;
     }
-    async addAccount(auth) {
+    async addAccount(auth, email) {
       if (!auth.refresh) return;
-      const existing = this.cached.find((account) => account.refreshToken === auth.refresh);
-      if (existing) return;
+      const existingByToken = this.cached.find((account) => account.refreshToken === auth.refresh);
+      if (existingByToken) return;
+      if (email) {
+        const existingByEmail = this.cached.find(
+          (account) => account.email && account.email === email
+        );
+        if (existingByEmail?.uuid) {
+          await this.replaceAccountCredentials(existingByEmail.uuid, auth);
+          return;
+        }
+      }
       const newAccount = this.createNewAccount(auth, Date.now());
+      if (email) newAccount.email = email;
       await this.store.addAccount(newAccount);
       this.activeAccountUuid = newAccount.uuid;
       await this.store.setActiveUuid(newAccount.uuid);
@@ -1111,7 +1157,9 @@ var MAX_SERVER_RETRIES_PER_ATTEMPT = 2;
 var MAX_RESOLVE_ATTEMPTS = 10;
 var SERVER_RETRY_BASE_MS = 1e3;
 var SERVER_RETRY_MAX_MS = 4e3;
-var PERMANENT_AUTH_FAILURE_STATUSES = /* @__PURE__ */ new Set([400, 401, 403]);
+function isAbortError(error) {
+  return error instanceof Error && error.name === "AbortError";
+}
 function createExecutorForProvider(providerName, dependencies) {
   const {
     handleRateLimitResponse: handleRateLimitResponse2,
@@ -1122,77 +1170,49 @@ function createExecutorForProvider(providerName, dependencies) {
   } = dependencies;
   async function executeWithAccountRotation2(manager, runtimeFactory, client, input, init) {
     const maxRetries = Math.max(MIN_MAX_RETRIES, manager.getAccountCount() * RETRIES_PER_ACCOUNT);
-    let retries = 0;
     let previousAccountUuid;
-    while (true) {
-      if (++retries > maxRetries) {
-        throw new Error(
-          `Exhausted ${maxRetries} retries across all accounts. All attempts failed due to auth errors, rate limits, or token issues.`
-        );
-      }
-      await manager.refresh();
-      const account = await resolveAccount(manager, client);
-      const accountUuid = account.uuid;
-      if (!accountUuid) continue;
-      if (previousAccountUuid && accountUuid !== previousAccountUuid && manager.getAccountCount() > 1) {
-        void showToast2(client, `Switched to ${getAccountLabel2(account)}`, "info");
-      }
-      previousAccountUuid = accountUuid;
-      let runtime;
-      let response;
-      try {
-        runtime = await runtimeFactory.getRuntime(accountUuid);
-        response = await runtime.fetch(input, init);
-      } catch (error) {
-        if (await handleRuntimeFetchFailure(manager, runtimeFactory, client, account, error)) {
-          continue;
+    async function retryServerErrors(account, runtime) {
+      for (let attempt = 0; attempt < MAX_SERVER_RETRIES_PER_ATTEMPT; attempt++) {
+        const backoff = Math.min(SERVER_RETRY_BASE_MS * 2 ** attempt, SERVER_RETRY_MAX_MS);
+        const jitteredBackoff = backoff * (0.5 + Math.random() * 0.5);
+        await sleep2(jitteredBackoff);
+        let retryResponse;
+        try {
+          retryResponse = await runtime.fetch(input, init);
+        } catch (error) {
+          if (isAbortError(error)) throw error;
+          if (await handleRuntimeFetchFailure(manager, runtimeFactory, client, account, error)) {
+            return null;
+          }
+          void showToast2(client, `${getAccountLabel2(account)} network error \u2014 switching`, "warning");
+          return null;
         }
-        void showToast2(client, `${getAccountLabel2(account)} network error \u2014 switching`, "warning");
-        continue;
+        if (retryResponse.status < 500) return retryResponse;
       }
+      return null;
+    }
+    const dispatchResponseStatus = async (account, accountUuid, runtime, response, allow401Retry, from401RefreshRetry) => {
       if (response.status >= 500) {
-        let serverResponse = response;
-        let networkErrorDuringServerRetry = false;
-        let authFailureDuringServerRetry = false;
-        for (let attempt = 0; attempt < MAX_SERVER_RETRIES_PER_ATTEMPT; attempt++) {
-          const backoff = Math.min(SERVER_RETRY_BASE_MS * 2 ** attempt, SERVER_RETRY_MAX_MS);
-          const jitteredBackoff = backoff * (0.5 + Math.random() * 0.5);
-          await sleep2(jitteredBackoff);
+        const recovered = await retryServerErrors(account, runtime);
+        if (recovered === null) {
+          return { type: "retryOuter" };
+        }
+        response = recovered;
+      }
+      if (response.status === 401) {
+        if (allow401Retry) {
+          runtimeFactory.invalidate(accountUuid);
           try {
-            serverResponse = await runtime.fetch(input, init);
+            const retryRuntime = await runtimeFactory.getRuntime(accountUuid);
+            const retryResponse = await retryRuntime.fetch(input, init);
+            return dispatchResponseStatus(account, accountUuid, retryRuntime, retryResponse, false, true);
           } catch (error) {
+            if (isAbortError(error)) throw error;
             if (await handleRuntimeFetchFailure(manager, runtimeFactory, client, account, error)) {
-              authFailureDuringServerRetry = true;
-              break;
+              return { type: "retryOuter" };
             }
-            networkErrorDuringServerRetry = true;
-            void showToast2(client, `${getAccountLabel2(account)} network error \u2014 switching`, "warning");
-            break;
+            return { type: "retryOuter" };
           }
-          if (serverResponse.status < 500) break;
-        }
-        if (authFailureDuringServerRetry) {
-          continue;
-        }
-        if (networkErrorDuringServerRetry || serverResponse.status >= 500) {
-          continue;
-        }
-        response = serverResponse;
-      }
-      if (response.status === 401) {
-        runtimeFactory.invalidate(accountUuid);
-        try {
-          const retryRuntime = await runtimeFactory.getRuntime(accountUuid);
-          const retryResponse = await retryRuntime.fetch(input, init);
-          if (retryResponse.status !== 401) {
-            await manager.markSuccess(accountUuid);
-            return retryResponse;
-          }
-        } catch (error) {
-          if (await handleRuntimeFetchFailure(manager, runtimeFactory, client, account, error)) {
-            continue;
-          }
-          continue;
         }
         await manager.markAuthFailure(accountUuid, { ok: false, permanent: false });
         await manager.refresh();
@@ -1203,7 +1223,7 @@ function createExecutorForProvider(providerName, dependencies) {
           );
         }
         void showToast2(client, `${getAccountLabel2(account)} auth failed \u2014 switching to next account.`, "warning");
-        continue;
+        return { type: "retryOuter" };
       }
       if (response.status === 403) {
         const revoked = await isRevokedTokenResponse(response);
@@ -1220,26 +1240,62 @@ function createExecutorForProvider(providerName, dependencies) {
               `All ${providerName} accounts have been revoked or disabled. Re-authenticate with \`opencode auth login\`.`
             );
           }
-          continue;
+          return { type: "retryOuter" };
+        }
+        if (from401RefreshRetry) {
+          return { type: "handled", response };
         }
       }
       if (response.status === 429) {
         await handleRateLimitResponse2(manager, client, account, response);
+        return { type: "handled" };
+      }
+      return { type: "success", response };
+    };
+    for (let retries = 1; retries <= maxRetries; retries++) {
+      await manager.refresh();
+      const account = await resolveAccount(manager, client);
+      const accountUuid = account.uuid;
+      if (!accountUuid) continue;
+      if (previousAccountUuid && accountUuid !== previousAccountUuid && manager.getAccountCount() > 1) {
+        void showToast2(client, `Switched to ${getAccountLabel2(account)}`, "info");
+      }
+      previousAccountUuid = accountUuid;
+      let runtime;
+      let response;
+      try {
+        runtime = await runtimeFactory.getRuntime(accountUuid);
+        response = await runtime.fetch(input, init);
+      } catch (error) {
+        if (isAbortError(error)) throw error;
+        if (await handleRuntimeFetchFailure(manager, runtimeFactory, client, account, error)) {
+          continue;
+        }
+        void showToast2(client, `${getAccountLabel2(account)} network error \u2014 switching`, "warning");
+        continue;
+      }
+      const transition = await dispatchResponseStatus(account, accountUuid, runtime, response, true, false);
+      if (transition.type === "retryOuter" || transition.type === "handled") {
+        if (transition.type === "handled" && transition.response) {
+          return transition.response;
+        }
         continue;
       }
       await manager.markSuccess(accountUuid);
-      return response;
+      return transition.response;
     }
+    throw new Error(
+      `Exhausted ${maxRetries} retries across all accounts. All attempts failed due to auth errors, rate limits, or token issues.`
+    );
   }
   async function handleRuntimeFetchFailure(manager, runtimeFactory, client, account, error) {
-    const refreshFailureStatus = getRefreshFailureStatus(error);
-    if (refreshFailureStatus === void 0) return false;
+    if (!isTokenRefreshError(error)) return false;
     if (!account.uuid) return false;
     const accountUuid = account.uuid;
     runtimeFactory.invalidate(accountUuid);
     await manager.markAuthFailure(accountUuid, {
       ok: false,
-      permanent: PERMANENT_AUTH_FAILURE_STATUSES.has(refreshFailureStatus)
+      permanent: error.permanent
     });
     await manager.refresh();
     if (!manager.hasAnyUsableAccount()) {
@@ -1284,13 +1340,6 @@ function createExecutorForProvider(providerName, dependencies) {
     executeWithAccountRotation: executeWithAccountRotation2
   };
 }
-function getRefreshFailureStatus(error) {
-  if (!(error instanceof Error)) return void 0;
-  const matched = error.message.match(/Token refresh failed:\s*(\d{3})/);
-  if (!matched) return void 0;
-  const status = Number(matched[1]);
-  return Number.isFinite(status) ? status : void 0;
-}
 async function isRevokedTokenResponse(response) {
   try {
     const cloned = response.clone();
@@ -1305,6 +1354,7 @@ async function isRevokedTokenResponse(response) {
 var INITIAL_DELAY_MS = 5e3;
 function createProactiveRefreshQueueForProvider(dependencies) {
   const {
+    providerAuthId,
     getConfig: getConfig2,
     refreshToken: refreshToken2,
     isTokenExpired: isTokenExpired2,
@@ -1323,6 +1373,10 @@ function createProactiveRefreshQueueForProvider(dependencies) {
       const config = getConfig2();
       if (!config.proactive_refresh) return;
       this.runToken++;
+      if (this.timeoutHandle) {
+        clearTimeout(this.timeoutHandle);
+        this.timeoutHandle = null;
+      }
       this.scheduleNext(this.runToken, INITIAL_DELAY_MS);
       debugLog2(this.client, "Proactive refresh started", {
         intervalSeconds: config.proactive_refresh_interval_seconds,
@@ -1397,23 +1451,41 @@ function createProactiveRefreshQueueForProvider(dependencies) {
     }
     async persistFailure(account, permanent) {
       try {
-        await this.store.mutateAccount(account.uuid, (target) => {
-          if (permanent) {
+        const accountUuid = account.uuid;
+        if (!accountUuid) return;
+        if (permanent) {
+          const removed = await this.store.removeAccount(accountUuid);
+          if (!removed) return;
+          this.onInvalidate?.(accountUuid);
+          await this.clearOpenCodeAuthIfNoAccountsRemain();
+          return;
+        }
+        await this.store.mutateStorage((storage) => {
+          const target = storage.accounts.find((entry) => entry.uuid === accountUuid);
+          if (!target) return;
+          target.consecutiveAuthFailures = (target.consecutiveAuthFailures ?? 0) + 1;
+          const maxFailures = getConfig2().max_consecutive_auth_failures;
+          const usableCount = storage.accounts.filter(
+            (entry) => entry.enabled && !entry.isAuthDisabled && entry.uuid !== accountUuid
+          ).length;
+          if (target.consecutiveAuthFailures >= maxFailures && usableCount > 0) {
             target.isAuthDisabled = true;
-            target.authDisabledReason = "Token permanently rejected (proactive refresh)";
-          } else {
-            target.consecutiveAuthFailures = (target.consecutiveAuthFailures ?? 0) + 1;
-            const maxFailures = getConfig2().max_consecutive_auth_failures;
-            if (target.consecutiveAuthFailures >= maxFailures) {
-              target.isAuthDisabled = true;
-              target.authDisabledReason = `${maxFailures} consecutive auth failures (proactive refresh)`;
-            }
+            target.authDisabledReason = `${maxFailures} consecutive auth failures (proactive refresh)`;
           }
         });
       } catch {
         debugLog2(this.client, `Failed to persist auth failure for ${account.uuid}`);
       }
     }
+    async clearOpenCodeAuthIfNoAccountsRemain() {
+      const storage = await this.store.load();
+      if (storage.accounts.length > 0) return;
+      await this.client.auth.set({
+        path: { id: providerAuthId },
+        body: getClearedOAuthBody()
+      }).catch(() => {
+      });
+    }
   };
 }
 
@@ -1763,6 +1835,8 @@ var openAIOAuthAdapter = {
   oauthBetaHeader: "",
   requestBetaHeader: "",
   cliUserAgent: "opencode/1.1.53",
+  cliVersion: "",
+  billingSalt: "",
   toolPrefix: "mcp_",
   accountStorageFilename: "openai-multi-account-accounts.json",
   transform: {
@@ -2353,11 +2427,11 @@ function getUsageSummary(account) {
   const parts = [];
   const { five_hour, seven_day } = parsed.output;
   if (five_hour) {
-    const reset = five_hour.utilization >= 100 && five_hour.resets_at ? ` (resets ${formatTimeRemaining(five_hour.resets_at)})` : "";
+    const reset = five_hour.resets_at ? ` (resets ${formatTimeRemaining(five_hour.resets_at)})` : "";
     parts.push(`5h: ${five_hour.utilization.toFixed(0)}%${reset}`);
   }
   if (seven_day) {
-    const reset = seven_day.utilization >= 100 && seven_day.resets_at ? ` (resets ${formatTimeRemaining(seven_day.resets_at)})` : "";
+    const reset = seven_day.resets_at ? ` (resets ${formatTimeRemaining(seven_day.resets_at)})` : "";
     parts.push(`7d: ${seven_day.utilization.toFixed(0)}%${reset}`);
   }
   return parts.length > 0 ? parts.join(", ") : "no usage data";
@@ -2987,6 +3061,7 @@ Retrying authentication for ${label}...
 
 // src/proactive-refresh.ts
 var ProactiveRefreshQueue = createProactiveRefreshQueueForProvider({
+  providerAuthId: "openai",
   getConfig,
   isTokenExpired,
   refreshToken,
@@ -3097,10 +3172,7 @@ var AccountRuntimeFactory = class {
       if (!accessToken || !expiresAt || isTokenExpired({ accessToken, expiresAt })) {
         const refreshed = await refreshToken(storedAccount.refreshToken, uuid, this.client);
         if (!refreshed.ok) {
-          if (typeof refreshed.status === "number") {
-            throw new Error(`Token refresh failed: ${refreshed.status}`);
-          }
-          throw new Error("Token refresh failed");
+          throw new TokenRefreshError(refreshed.permanent, refreshed.status);
         }
         accessToken = refreshed.patch.accessToken;
         expiresAt = refreshed.patch.expiresAt;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "opencode-codex-multi-account",
-  "version": "0.2.2",
+  "version": "0.2.4",
   "description": "OpenCode plugin for Codex (OpenAI) multi-account management with automatic rate limit switching",
   "main": "./dist/index.js",
   "type": "module",
@@ -40,7 +40,7 @@
     "directory": "packages/codex-multi-account"
   },
   "dependencies": {
-    "opencode-multi-account-core": "^0.2.2",
+    "opencode-multi-account-core": "^0.2.4",
     "valibot": "^1.2.0"
   },
   "devDependencies": {