sidekick-shared 0.18.5 → 0.19.0

package/README.md

@@ -33,11 +33,11 @@ npm install sidekick-shared
 | **Provider Status** | API health checking via status.claude.com and status.openai.com (indicator, components, incidents) |
 | **Schemas** | Zod schemas for runtime JSONL event validation (`sessionEventSchema`, `messageUsageSchema`, `sessionMessageSchema`) |
 | **Extractors** | Pure functions for single-event processing: `extractTokenUsage()`, `extractToolCall()` (top-level `tool_use`), `extractToolCalls()` (assistant content blocks) |
-| **Model Info & Pricing** | Model family parsing (Anthropic / OpenAI / Google, including legacy `claude-3-opus-…` and `claude-3-5-sonnet-…` IDs), context-window lookup (including Opus 4.7 / Sonnet 4.7 1M and GPT-5.x variants), pricing tables with optional LiteLLM hydration, null-aware cost (`calculateCost()`), provenance-preserving cost (`calculateCostWithProvenance()`, `mergeCostSources()`), and display helpers (`shortModelName()`, `getModelDisplayInfo()`, `compareModelIds()`, `sortModelIds()`, `formatCost()`) |
+| **Model Info & Pricing** | Model family parsing (Anthropic / OpenAI / Google, including legacy `claude-3-opus-…` and `claude-3-5-sonnet-…` IDs), context-window lookup (including Fable 5 / Opus 4.8 / Opus 4.7 / Sonnet 4.7 1M and GPT-5.x variants), pricing tables with optional LiteLLM hydration, null-aware cost (`calculateCost()`), provenance-preserving cost (`calculateCostWithProvenance()`, `mergeCostSources()`), and display helpers (`shortModelName()`, `getModelDisplayInfo()`, `compareModelIds()`, `sortModelIds()`, `formatCost()`) |
 | **Quota Polling** | `QuotaPoller` class with exponential backoff, active/idle intervals, and cached fallback |
 | **Multi-Provider Quota** | `MultiProviderQuotaService` orchestrates Claude polling + peak-hours + account labels + Codex quota updates behind one typed `{ claude?, codex? }` event stream. `CodexQuotaWatcher` watches the active Codex rollout for live rate limits with snapshot fallback |
 | **Accounts** | Multi-provider account registry (v2) with per-provider active account, save/switch/remove, v1 migration, `ensureDefaultAccounts()` for first-run bootstrap of the active system Claude/Codex credentials as a "Default" saved account, and `getActiveAccountStatus()` for a single-pass active-account read across providers |
-| **Codex Profiles** | Codex account lifecycle — prepare, finalize, switch, remove — with isolated `CODEX_HOME` directories and multi-home monitoring support |
+| **Codex Profiles** | Codex account lifecycle — prepare, finalize, switch, remove — switching atomically swaps the profile's backed-up credentials into the system `~/.codex/auth.json`, with rotated-token staleness protection, one-time dual-home migration, and legacy multi-home session monitoring |
 | **Quota Snapshots** | Persistent quota caching per provider/account for offline fallback |
 | **Phrases** | Curated humorous phrases for loading/idle states, available as a flat `ALL_PHRASES` array or grouped via `PHRASE_CATEGORIES` for category-aware UI |
 

package/dist/accounts.d.ts

@@ -22,6 +22,7 @@ export interface ActiveAccountInfo {
 export interface AccountManagerResult {
     success: boolean;
     error?: string;
+    warning?: string;
     needsLogin?: boolean;
     profileId?: string;
     codexHome?: string;

package/dist/codexProfiles.d.ts

@@ -14,6 +14,7 @@ export declare function getActiveCodexAccount(): SavedAccountProfile | null;
 export declare function resolveSidekickCodexHome(): string;
 export declare function getCodexExecutionEnv(baseEnv?: NodeJS.ProcessEnv): NodeJS.ProcessEnv;
 export declare function prepareCodexAccount(label: string): CodexAccountManagerResult;
-export declare function finalizeCodexAccount(profileId: string): AccountManagerResult;
-export declare function switchToCodexAccount(profileId: string): AccountManagerResult;
+export declare function finalizeCodexAccount(profileId: string): CodexAccountManagerResult;
+export declare function switchToCodexAccount(profileId: string): CodexAccountManagerResult;
+export declare function reconcileCodexAuthState(): void;
 export declare function removeCodexAccount(profileId: string): AccountManagerResult;

package/dist/codexProfiles.js

@@ -44,6 +44,7 @@ exports.getCodexExecutionEnv = getCodexExecutionEnv;
 exports.prepareCodexAccount = prepareCodexAccount;
 exports.finalizeCodexAccount = finalizeCodexAccount;
 exports.switchToCodexAccount = switchToCodexAccount;
+exports.reconcileCodexAuthState = reconcileCodexAuthState;
 exports.removeCodexAccount = removeCodexAccount;
 const fs = __importStar(require("fs"));
 const os = __importStar(require("os"));
@@ -51,6 +52,9 @@ const path = __importStar(require("path"));
 const child_process_1 = require("child_process");
 const crypto_1 = require("crypto");
 const accountRegistry_1 = require("./accountRegistry");
+// Codex refreshes OAuth tokens at most every 8 days; a stored refresh token
+// older than that may already be rejected by the auth server.
+const STALE_AUTH_THRESHOLD_MS = 8 * 24 * 60 * 60 * 1000;
 function getDefaultSystemCodexHome() {
     return path.join(os.homedir(), '.codex');
 }
@@ -77,12 +81,15 @@ function getCodexMonitoringHomes() {
     const explicitHome = getExplicitCodexHome();
     if (explicitHome)
         return [explicitHome];
-    const homes = [];
-    const active = getActiveCodexAccount();
-    if (active) {
-        homes.push(getCodexProfileHome(active.id));
+    // The system home is the single live home; profile homes only matter for
+    // sessions recorded back when they doubled as live CODEX_HOMEs.
+    const homes = [getDefaultSystemCodexHome()];
+    for (const profile of listCodexAccounts()) {
+        const profileHome = getCodexProfileHome(profile.id);
+        if (fs.existsSync(path.join(profileHome, 'sessions'))) {
+            homes.push(profileHome);
+        }
     }
-    homes.push(getDefaultSystemCodexHome());
     return dedupePaths(homes);
 }
 function getCodexProfilesDir() {
@@ -104,8 +111,43 @@ function atomicWriteJson(filePath, data, mode = 0o600) {
     const tmp = filePath + '.tmp';
     const json = JSON.stringify(data, null, 2);
     JSON.parse(json);
-    fs.writeFileSync(tmp, json, { encoding: 'utf8', mode });
-    fs.renameSync(tmp, filePath);
+    try {
+        fs.writeFileSync(tmp, json, { encoding: 'utf8', mode });
+        fs.renameSync(tmp, filePath);
+    }
+    catch (err) {
+        try {
+            fs.unlinkSync(tmp);
+        }
+        catch { /* nothing to clean up */ }
+        throw err;
+    }
+}
+// auth.json must be copied byte-for-byte: re-serializing would drop fields
+// added by newer codex versions, and the rotated refresh token inside is
+// only valid in its freshest form.
+function atomicWriteFile(filePath, content, mode = 0o600) {
+    fs.mkdirSync(path.dirname(filePath), { recursive: true, mode: 0o700 });
+    const tmp = filePath + '.tmp';
+    try {
+        fs.writeFileSync(tmp, content, { encoding: 'utf8', mode });
+        fs.renameSync(tmp, filePath);
+    }
+    catch (err) {
+        try {
+            fs.unlinkSync(tmp);
+        }
+        catch { /* nothing to clean up */ }
+        throw err;
+    }
+}
+function readFileOrNull(filePath) {
+    try {
+        return fs.readFileSync(filePath, 'utf8');
+    }
+    catch {
+        return null;
+    }
 }
 function readPendingProfile(profileId) {
     try {
@@ -146,40 +188,65 @@ function parseJwtPayload(jwt) {
         return null;
     }
 }
-function readMetadataFromAuthJson(codexHome) {
-    const authPath = path.join(codexHome, 'auth.json');
-    if (!fs.existsSync(authPath))
-        return {};
+function parseAuthJson(raw) {
+    if (!raw)
+        return null;
     try {
-        const parsed = JSON.parse(fs.readFileSync(authPath, 'utf8'));
-        const idToken = parsed.tokens?.id_token;
-        const claims = idToken ? parseJwtPayload(idToken) : null;
-        const profileClaims = claims?.['https://api.openai.com/profile'];
-        const authClaims = claims?.['https://api.openai.com/auth'];
-        const email = typeof claims?.email === 'string'
-            ? claims.email
-            : typeof profileClaims?.email === 'string'
-                ? profileClaims.email
-                : undefined;
-        const workspaceId = typeof authClaims?.chatgpt_account_id === 'string'
-            ? authClaims.chatgpt_account_id
-            : parsed.tokens?.account_id;
-        const planType = typeof authClaims?.chatgpt_plan_type === 'string'
-            ? authClaims.chatgpt_plan_type
-            : undefined;
-        const authMode = parsed.OPENAI_API_KEY || parsed.auth_mode === 'api_key'
-            ? 'api-key'
-            : 'chatgpt';
-        return {
-            email,
-            workspaceId,
-            planType,
-            authMode,
-        };
+        return JSON.parse(raw);
     }
     catch {
-        return {};
+        return null;
+    }
+}
+function readAuthIdentityFromRaw(raw) {
+    const parsed = parseAuthJson(raw);
+    if (!parsed)
+        return null;
+    const idToken = parsed.tokens?.id_token;
+    const claims = idToken ? parseJwtPayload(idToken) : null;
+    const profileClaims = claims?.['https://api.openai.com/profile'];
+    const authClaims = claims?.['https://api.openai.com/auth'];
+    const email = typeof claims?.email === 'string'
+        ? claims.email
+        : typeof profileClaims?.email === 'string'
+            ? profileClaims.email
+            : undefined;
+    const workspaceId = typeof authClaims?.chatgpt_account_id === 'string'
+        ? authClaims.chatgpt_account_id
+        : parsed.tokens?.account_id;
+    const planType = typeof authClaims?.chatgpt_plan_type === 'string'
+        ? authClaims.chatgpt_plan_type
+        : undefined;
+    const authMode = parsed.OPENAI_API_KEY || parsed.auth_mode === 'api_key'
+        ? 'api-key'
+        : 'chatgpt';
+    return { email, workspaceId, planType, authMode };
+}
+function readLastRefresh(raw, fallbackPath) {
+    const parsed = parseAuthJson(raw);
+    if (parsed?.last_refresh) {
+        const ts = Date.parse(parsed.last_refresh);
+        if (!Number.isNaN(ts))
+            return ts;
     }
+    if (fallbackPath) {
+        try {
+            return fs.statSync(fallbackPath).mtimeMs;
+        }
+        catch { /* fall through */ }
+    }
+    return null;
+}
+function readMetadataFromAuthJson(codexHome) {
+    const identity = readAuthIdentityFromRaw(readFileOrNull(path.join(codexHome, 'auth.json')));
+    if (!identity)
+        return {};
+    return {
+        email: identity.email,
+        workspaceId: identity.workspaceId,
+        planType: identity.planType,
+        authMode: identity.authMode,
+    };
 }
 function readMetadataFromLegacyCredentials(codexHome) {
     const legacyPath = path.join(codexHome, '.credentials.json');
@@ -219,6 +286,16 @@ function getCodexLoginStatus(codexHome) {
     }
     return { loggedIn: false };
 }
+function detectRunningCodexProcess() {
+    if (process.platform === 'win32')
+        return false;
+    try {
+        return (0, child_process_1.spawnSync)('pgrep', ['-x', 'codex'], { encoding: 'utf8' }).status === 0;
+    }
+    catch {
+        return false;
+    }
+}
 function readCodexAccountMetadata(codexHome) {
     const fromAuth = readMetadataFromAuthJson(codexHome);
     if (fromAuth.email || fromAuth.workspaceId || fromAuth.planType || fromAuth.authMode) {
@@ -256,15 +333,8 @@ function getActiveCodexAccount() {
     return (0, accountRegistry_1.getActiveSavedAccount)('codex');
 }
 function resolveSidekickCodexHome() {
-    const explicitHome = process.env.CODEX_HOME;
-    if (explicitHome)
-        return explicitHome;
-    const active = getActiveCodexAccount();
-    if (active) {
-        const managedHome = getCodexProfileHome(active.id);
-        if (fs.existsSync(managedHome))
-            return managedHome;
-    }
+    // Account switching swaps auth.json inside the system home, so the system
+    // home (or an explicit CODEX_HOME) is always the single live home.
     return getSystemCodexHome();
 }
 function getCodexExecutionEnv(baseEnv = process.env) {
@@ -318,24 +388,284 @@ function finalizeCodexAccount(profileId) {
         return { success: false, error: 'Codex profile is not authenticated yet.' };
     }
     const metadata = readCodexAccountMetadata(codexHome);
-    (0, accountRegistry_1.upsertSavedAccountProfile)({
+    const profile = {
         id: profileId,
         providerId: 'codex',
         label: pending.label,
         email: metadata.email,
         addedAt: pending.addedAt,
         metadata,
-    });
-    (0, accountRegistry_1.setActiveSavedAccount)('codex', profileId);
-    return { success: true };
+    };
+    (0, accountRegistry_1.upsertSavedAccountProfile)(profile);
+    const hasCredentialFiles = fs.existsSync(path.join(codexHome, 'auth.json')) ||
+        fs.existsSync(path.join(codexHome, '.credentials.json'));
+    if (!hasCredentialFiles) {
+        // Authenticated via the OS keyring — there are no credential files to
+        // swap, so the registry pointer is all we can update.
+        (0, accountRegistry_1.setActiveSavedAccount)('codex', profileId);
+        return {
+            success: true,
+            warning: 'Codex stores credentials in the OS keyring; sidekick cannot swap them per account, so `codex` keeps using the keyring credentials.',
+        };
+    }
+    return performCodexAuthSwap(profile);
+}
+function getCodexStashDir() {
+    return path.join((0, accountRegistry_1.getAccountsDir)(), 'codex', 'stash');
+}
+function stashLiveCodexAuth(liveAuthRaw, liveLegacyRaw) {
+    try {
+        const stamp = new Date().toISOString().replace(/[:.]/g, '-');
+        let stashPath = null;
+        if (liveAuthRaw) {
+            stashPath = path.join(getCodexStashDir(), `auth-${stamp}.json`);
+            atomicWriteFile(stashPath, liveAuthRaw);
+        }
+        if (liveLegacyRaw) {
+            const legacyStashPath = path.join(getCodexStashDir(), `credentials-${stamp}.json`);
+            atomicWriteFile(legacyStashPath, liveLegacyRaw);
+            stashPath = stashPath ?? legacyStashPath;
+        }
+        return stashPath;
+    }
+    catch {
+        return null;
+    }
+}
+function findProfileForIdentity(identity) {
+    const profiles = listCodexAccounts();
+    if (identity?.workspaceId) {
+        const byWorkspace = profiles.find(profile => profile.metadata?.workspaceId === identity.workspaceId);
+        if (byWorkspace)
+            return byWorkspace;
+    }
+    if (identity?.email) {
+        const byEmail = profiles.find(profile => (profile.email ?? profile.metadata?.email) === identity.email);
+        if (byEmail)
+            return byEmail;
+    }
+    if (!identity?.workspaceId && !identity?.email) {
+        // API-key auth or unparseable tokens carry no identity; assume the live
+        // file belongs to whichever account the registry says is active.
+        return getActiveCodexAccount();
+    }
+    return null;
+}
+// Codex rotates the refresh token whenever it refreshes auth.json, so the
+// live file is always the freshest copy of its account. Before replacing it,
+// preserve it in the matching profile's backup — or stash it if it belongs to
+// no saved account. Best-effort: never throws.
+function syncBackLiveCodexAuth(liveAuthRaw, liveLegacyRaw) {
+    if (!liveAuthRaw && !liveLegacyRaw)
+        return {};
+    try {
+        const identity = readAuthIdentityFromRaw(liveAuthRaw);
+        const profile = findProfileForIdentity(identity);
+        if (!profile) {
+            const stashPath = stashLiveCodexAuth(liveAuthRaw, liveLegacyRaw);
+            return {
+                stashPath: stashPath ?? undefined,
+                warning: stashPath
+                    ? `Live Codex credentials did not match any saved account; stashed at ${stashPath}.`
+                    : 'Live Codex credentials did not match any saved account and could not be stashed.',
+            };
+        }
+        const profileHome = getCodexProfileHome(profile.id);
+        if (liveAuthRaw)
+            atomicWriteFile(path.join(profileHome, 'auth.json'), liveAuthRaw);
+        if (liveLegacyRaw)
+            atomicWriteFile(path.join(profileHome, '.credentials.json'), liveLegacyRaw);
+        try {
+            const metadata = readCodexAccountMetadata(profileHome);
+            (0, accountRegistry_1.upsertSavedAccountProfile)({
+                ...profile,
+                email: metadata.email ?? profile.email,
+                metadata: { ...profile.metadata, ...metadata },
+            });
+        }
+        catch { /* metadata refresh is best-effort */ }
+        return { syncedProfileId: profile.id };
+    }
+    catch (err) {
+        return { warning: `Could not back up live Codex credentials: ${err}` };
+    }
+}
+function performCodexAuthSwap(target) {
+    const systemHome = getSystemCodexHome();
+    const liveAuthPath = path.join(systemHome, 'auth.json');
+    const liveLegacyPath = path.join(systemHome, '.credentials.json');
+    const liveAuthRaw = readFileOrNull(liveAuthPath);
+    const liveLegacyRaw = readFileOrNull(liveLegacyPath);
+    if (!liveAuthRaw && !liveLegacyRaw && getCodexLoginStatus(systemHome).loggedIn) {
+        return {
+            success: false,
+            error: 'Codex stores credentials in the OS keyring; file-based account switching is not supported. Set `cli_auth_credentials_store = "file"` in ~/.codex/config.toml and run `codex login` again.',
+        };
+    }
+    const profileHome = getCodexProfileHome(target.id);
+    const targetAuthPath = path.join(profileHome, 'auth.json');
+    const targetAuthRaw = readFileOrNull(targetAuthPath);
+    const targetLegacyRaw = readFileOrNull(path.join(profileHome, '.credentials.json'));
+    const targetName = target.label ?? target.email ?? target.id;
+    if (!targetAuthRaw && !targetLegacyRaw) {
+        return { success: false, error: `No stored credentials for "${targetName}". Remove and re-add this account.` };
+    }
+    if (targetAuthRaw && !parseAuthJson(targetAuthRaw)) {
+        return { success: false, error: `Stored credentials for "${targetName}" are corrupted. Remove and re-add this account.` };
+    }
+    const warnings = [];
+    if (detectRunningCodexProcess()) {
+        warnings.push('A codex process appears to be running; restart codex sessions so they pick up the switched account.');
+    }
+    // If the live file already belongs to the target account it is the freshest
+    // copy (rotated refresh token included) — never replace it with a staler
+    // backup, which would permanently invalidate the login. Just refresh the
+    // backup and the registry pointer.
+    const liveIdentity = readAuthIdentityFromRaw(liveAuthRaw);
+    const targetIdentity = readAuthIdentityFromRaw(targetAuthRaw);
+    const targetWorkspaceId = target.metadata?.workspaceId ?? targetIdentity?.workspaceId;
+    const targetEmail = target.email ?? target.metadata?.email ?? targetIdentity?.email;
+    const liveMatchesTarget = Boolean((liveIdentity?.workspaceId && targetWorkspaceId && liveIdentity.workspaceId === targetWorkspaceId) ||
+        (liveIdentity?.email && targetEmail && liveIdentity.email === targetEmail) ||
+        (liveAuthRaw !== null && liveAuthRaw === targetAuthRaw) ||
+        (!liveAuthRaw && !targetAuthRaw && liveLegacyRaw !== null && liveLegacyRaw === targetLegacyRaw));
+    if (liveMatchesTarget) {
+        try {
+            if (liveAuthRaw)
+                atomicWriteFile(targetAuthPath, liveAuthRaw);
+            if (liveLegacyRaw)
+                atomicWriteFile(path.join(profileHome, '.credentials.json'), liveLegacyRaw);
+            const metadata = readCodexAccountMetadata(profileHome);
+            (0, accountRegistry_1.upsertSavedAccountProfile)({
+                ...target,
+                email: metadata.email ?? target.email,
+                metadata: { ...target.metadata, ...metadata },
+            });
+        }
+        catch { /* backup refresh is best-effort */ }
+        (0, accountRegistry_1.setActiveSavedAccount)('codex', target.id);
+        return { success: true, warning: warnings.length ? warnings.join(' ') : undefined };
+    }
+    const targetLastRefresh = readLastRefresh(targetAuthRaw, targetAuthPath);
+    if (targetLastRefresh !== null && Date.now() - targetLastRefresh > STALE_AUTH_THRESHOLD_MS) {
+        warnings.push(`Stored credentials for "${targetName}" have not been refreshed in over 8 days; codex may ask you to log in again.`);
+    }
+    const syncBack = syncBackLiveCodexAuth(liveAuthRaw, liveLegacyRaw);
+    if (syncBack.warning)
+        warnings.push(syncBack.warning);
+    const restoreLiveFiles = () => {
+        try {
+            if (liveAuthRaw)
+                atomicWriteFile(liveAuthPath, liveAuthRaw);
+            else
+                fs.rmSync(liveAuthPath, { force: true });
+            if (liveLegacyRaw)
+                atomicWriteFile(liveLegacyPath, liveLegacyRaw);
+            else
+                fs.rmSync(liveLegacyPath, { force: true });
+        }
+        catch { /* rollback is best-effort */ }
+    };
+    try {
+        if (targetAuthRaw) {
+            atomicWriteFile(liveAuthPath, targetAuthRaw);
+            if (targetLegacyRaw)
+                atomicWriteFile(liveLegacyPath, targetLegacyRaw);
+            else if (liveLegacyRaw)
+                fs.rmSync(liveLegacyPath, { force: true });
+        }
+        else {
+            atomicWriteFile(liveLegacyPath, targetLegacyRaw);
+            if (liveAuthRaw)
+                fs.rmSync(liveAuthPath, { force: true });
+        }
+    }
+    catch (err) {
+        restoreLiveFiles();
+        return { success: false, error: `Failed to write Codex credentials: ${err}` };
+    }
+    try {
+        (0, accountRegistry_1.setActiveSavedAccount)('codex', target.id);
+    }
+    catch (err) {
+        restoreLiveFiles();
+        return { success: false, error: `Failed to update account registry: ${err}` };
+    }
+    return { success: true, warning: warnings.length ? warnings.join(' ') : undefined };
 }
 function switchToCodexAccount(profileId) {
     const target = listCodexAccounts().find(account => account.id === profileId);
     if (!target) {
         return { success: false, error: `Codex account ${profileId} not found.` };
     }
-    (0, accountRegistry_1.setActiveSavedAccount)('codex', profileId);
-    return { success: true };
+    return performCodexAuthSwap(target);
+}
+// One-time migration for installs created when profile homes doubled as live
+// CODEX_HOMEs: the active profile's auth.json may hold a fresher rotated
+// refresh token than the system home. Best-effort: never throws.
+function reconcileCodexAuthState() {
+    try {
+        const markerPath = path.join((0, accountRegistry_1.getAccountsDir)(), 'codex', '.live-auth-migrated-v1');
+        if (fs.existsSync(markerPath))
+            return;
+        const writeMarker = () => atomicWriteFile(markerPath, new Date().toISOString() + '\n');
+        const active = getActiveCodexAccount();
+        if (!active) {
+            writeMarker();
+            return;
+        }
+        const profileHome = getCodexProfileHome(active.id);
+        const profileAuthPath = path.join(profileHome, 'auth.json');
+        const profileAuthRaw = readFileOrNull(profileAuthPath);
+        if (!profileAuthRaw) {
+            writeMarker();
+            return;
+        }
+        const systemHome = getSystemCodexHome();
+        const liveAuthPath = path.join(systemHome, 'auth.json');
+        const liveAuthRaw = readFileOrNull(liveAuthPath);
+        if (!liveAuthRaw) {
+            // No live credentials (account was added via isolated login and never
+            // promoted). Promote the active profile's copy unless codex is logged
+            // in through the OS keyring.
+            if (!getCodexLoginStatus(systemHome).loggedIn) {
+                atomicWriteFile(liveAuthPath, profileAuthRaw);
+            }
+            writeMarker();
+            return;
+        }
+        const liveIdentity = readAuthIdentityFromRaw(liveAuthRaw);
+        const profileIdentity = readAuthIdentityFromRaw(profileAuthRaw);
+        const sameIdentity = Boolean((liveIdentity?.workspaceId && profileIdentity?.workspaceId && liveIdentity.workspaceId === profileIdentity.workspaceId) ||
+            (liveIdentity?.email && liveIdentity.email === profileIdentity?.email));
+        if (sameIdentity) {
+            const liveRefresh = readLastRefresh(liveAuthRaw, liveAuthPath);
+            const profileRefresh = readLastRefresh(profileAuthRaw, profileAuthPath);
+            if (profileRefresh !== null && (liveRefresh === null || profileRefresh > liveRefresh)) {
+                // The profile copy was the live home under the old model and holds
+                // the valid rotated refresh token — promote it.
+                stashLiveCodexAuth(liveAuthRaw, null);
+                atomicWriteFile(liveAuthPath, profileAuthRaw);
+            }
+            else {
+                atomicWriteFile(profileAuthPath, liveAuthRaw);
+            }
+        }
+        else {
+            // The live credentials belong to a different account; the live state
+            // wins — point the registry at the matching saved profile if there is
+            // one, and refresh its backup.
+            const matching = findProfileForIdentity(liveIdentity);
+            if (matching && matching.id !== active.id) {
+                atomicWriteFile(path.join(getCodexProfileHome(matching.id), 'auth.json'), liveAuthRaw);
+                (0, accountRegistry_1.setActiveSavedAccount)('codex', matching.id);
+            }
+        }
+        writeMarker();
+    }
+    catch {
+        // Reconciliation must never break startup.
+    }
 }
 function removeCodexAccount(profileId) {
     const removed = (0, accountRegistry_1.removeSavedAccountProfile)('codex', profileId);

package/dist/ensureDefaultAccounts.js

@@ -96,5 +96,11 @@ function ensureDefaultCodexAccount(options) {
 async function ensureDefaultAccounts(options) {
     const claude = await ensureDefaultClaudeAccount(options);
     const codex = ensureDefaultCodexAccount(options);
+    try {
+        (0, codexProfiles_1.reconcileCodexAuthState)();
+    }
+    catch (error) {
+        logFailure(options, 'Codex auth reconciliation failed.', error);
+    }
     return { claude, codex };
 }

package/dist/modelContext.js

@@ -8,7 +8,9 @@ exports.DEFAULT_CONTEXT_WINDOW = void 0;
 exports.getModelContextWindowSize = getModelContextWindowSize;
 /** Known model context window sizes (in tokens). */
 const MODEL_CONTEXT_SIZES = {
-    // Claude — native 1M context (Opus 4.6+, Sonnet 4.6+)
+    // Claude — native 1M context (Fable 5, Opus 4.6+, Sonnet 4.6+)
+    'claude-fable-5': 1_000_000,
+    'claude-opus-4-8': 1_000_000,
     'claude-opus-4-7': 1_000_000,
     'claude-opus-4-6': 1_000_000,
     'claude-sonnet-4-7': 1_000_000,

package/dist/modelInfo.js

@@ -44,10 +44,26 @@ const modelContext_1 = require("./modelContext");
  * Sources:
  *   - Anthropic: https://www.anthropic.com/pricing
  *   - OpenAI: https://openai.com/api/pricing/
- * Snapshot taken: 2026-04-17. Runtime LiteLLM hydration refreshes this.
+ * Snapshot taken: 2026-06-09. Runtime LiteLLM hydration refreshes this.
+ *
+ * Anthropic keys appear in both dashed (`claude-opus-4-8`, the real model-ID
+ * form) and dotted (`claude-opus-4.8`, the LiteLLM catalog form) spellings —
+ * prefix matching cannot bridge the two, so both are needed.
  */
 const PRICING_TABLE = {
     // ── Anthropic: Claude ──
+    'claude-fable-5': {
+        inputCostPerMillion: 10.0,
+        outputCostPerMillion: 50.0,
+        cacheWriteCostPerMillion: 12.5,
+        cacheReadCostPerMillion: 1.0,
+    },
+    'claude-haiku-4-5': {
+        inputCostPerMillion: 1.0,
+        outputCostPerMillion: 5.0,
+        cacheWriteCostPerMillion: 1.25,
+        cacheReadCostPerMillion: 0.1,
+    },
     'claude-haiku-4.5': {
         inputCostPerMillion: 1.0,
         outputCostPerMillion: 5.0,
@@ -60,12 +76,24 @@ const PRICING_TABLE = {
         cacheWriteCostPerMillion: 1.0,
         cacheReadCostPerMillion: 0.08,
     },
+    'claude-sonnet-4-6': {
+        inputCostPerMillion: 3.0,
+        outputCostPerMillion: 15.0,
+        cacheWriteCostPerMillion: 3.75,
+        cacheReadCostPerMillion: 0.3,
+    },
     'claude-sonnet-4.6': {
         inputCostPerMillion: 3.0,
         outputCostPerMillion: 15.0,
         cacheWriteCostPerMillion: 3.75,
         cacheReadCostPerMillion: 0.3,
     },
+    'claude-sonnet-4-5': {
+        inputCostPerMillion: 3.0,
+        outputCostPerMillion: 15.0,
+        cacheWriteCostPerMillion: 3.75,
+        cacheReadCostPerMillion: 0.3,
+    },
     'claude-sonnet-4.5': {
         inputCostPerMillion: 3.0,
         outputCostPerMillion: 15.0,
@@ -78,11 +106,41 @@ const PRICING_TABLE = {
         cacheWriteCostPerMillion: 3.75,
         cacheReadCostPerMillion: 0.3,
     },
+    'claude-opus-4-8': {
+        inputCostPerMillion: 5.0,
+        outputCostPerMillion: 25.0,
+        cacheWriteCostPerMillion: 6.25,
+        cacheReadCostPerMillion: 0.5,
+    },
+    'claude-opus-4.8': {
+        inputCostPerMillion: 5.0,
+        outputCostPerMillion: 25.0,
+        cacheWriteCostPerMillion: 6.25,
+        cacheReadCostPerMillion: 0.5,
+    },
+    'claude-opus-4-7': {
+        inputCostPerMillion: 5.0,
+        outputCostPerMillion: 25.0,
+        cacheWriteCostPerMillion: 6.25,
+        cacheReadCostPerMillion: 0.5,
+    },
+    'claude-opus-4.7': {
+        inputCostPerMillion: 5.0,
+        outputCostPerMillion: 25.0,
+        cacheWriteCostPerMillion: 6.25,
+        cacheReadCostPerMillion: 0.5,
+    },
+    'claude-opus-4-6': {
+        inputCostPerMillion: 5.0,
+        outputCostPerMillion: 25.0,
+        cacheWriteCostPerMillion: 6.25,
+        cacheReadCostPerMillion: 0.5,
+    },
     'claude-opus-4.6': {
-        inputCostPerMillion: 15.0,
-        outputCostPerMillion: 75.0,
-        cacheWriteCostPerMillion: 18.75,
-        cacheReadCostPerMillion: 1.5,
+        inputCostPerMillion: 5.0,
+        outputCostPerMillion: 25.0,
+        cacheWriteCostPerMillion: 6.25,
+        cacheReadCostPerMillion: 0.5,
     },
     'claude-opus-4.5': {
         inputCostPerMillion: 5.0,
@@ -90,6 +148,7 @@ const PRICING_TABLE = {
         cacheWriteCostPerMillion: 6.25,
         cacheReadCostPerMillion: 0.5,
     },
+    // Opus 4.0 / 4.1 — pre-4.5 pricing tier
     'claude-opus-4': {
         inputCostPerMillion: 15.0,
         outputCostPerMillion: 75.0,
@@ -199,7 +258,7 @@ function _clearPricingOverrides() {
     overrideSortedKeys = [];
 }
 // ── Model ID Parsing ──
-const CLAUDE_RE = /^claude-(haiku|sonnet|opus)-([0-9.]+)/i;
+const CLAUDE_RE = /^claude-(haiku|sonnet|opus|fable)-([0-9.]+)/i;
 const LEGACY_CLAUDE_RE = /^claude-([0-9]+(?:[-.][0-9]+)?)-(haiku|sonnet|opus)(?:-|$)/i;
 const GPT_RE = /^gpt-([0-9][0-9.A-Za-z-]*)/i;
 const O_SERIES_RE = /^o([0-9]+)(-mini|-pro)?/i;
@@ -390,9 +449,10 @@ function shortModelName(modelId) {
     return modelId;
 }
 const CLAUDE_FAMILY_RANK = {
-    opus: 0,
-    sonnet: 1,
-    haiku: 2,
+    fable: 0,
+    opus: 1,
+    sonnet: 2,
+    haiku: 3,
 };
 function versionRank(version) {
     if (!version)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "sidekick-shared",
-  "version": "0.18.5",
+  "version": "0.19.0",
   "description": "Shared data access layer for Sidekick — readers, types, providers, credentials, quota",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",