sneakoscope 0.9.2 → 0.9.6

package/README.md

@@ -191,6 +191,33 @@ Bare `sks` can also prompt for codex-lb auth; SKS stores the base URL/key in `~/
 
 If codex-lb provider auth drifts after launch/reinstall, run `sks doctor --fix` or `sks codex-lb repair`; to replace it, run `sks codex-lb reconfigure --host <domain> --api-key <key>`.
 
+### Switching back to ChatGPT OAuth (releasing codex-lb)
+
+If you want to hand control back to your official ChatGPT account login after codex-lb has been reconciled, use `sks codex-lb release`:
+
+```sh
+sks codex-lb release
+```
+
+This restores `~/.codex/auth.chatgpt-backup.json` (written by the 0.9.3 auto-reconcile) to `~/.codex/auth.json` and unsets `model_provider = "codex-lb"` so Codex CLI/App falls back to ChatGPT OAuth. To re-engage codex-lb afterward, run `sks codex-lb repair`.
+
+Flags:
+
+- `--keep-provider` — restore `auth.json` only; leave `model_provider = "codex-lb"` selected (advanced use).
+- `--delete-backup` — remove `~/.codex/auth.chatgpt-backup.json` after a successful restore. Default is to keep it so a subsequent re-reconcile still has a source backup.
+- `--force` — restore even when the current `auth.json` does not look like the codex-lb apikey shape (e.g. if you hand-edited it after reconcile).
+- `--json` — machine-readable output with `status` ∈ {`released`, `no_backup`, `already_chatgpt`, `auth_in_use`, `failed`} plus `auth_path`, `backup_path`, `provider_unselected`, `backup_removed`.
+
+`sks codex-lb status` reports whether a ChatGPT OAuth backup is present and shows the `sks codex-lb release` hint when applicable. `sks doctor` surfaces the same hint.
+
+If you only want to stop routing through codex-lb without touching `auth.json`, use the lighter `sks codex-lb unselect` instead:
+
+```sh
+sks codex-lb unselect
+```
+
+This flips `model_provider` away from `codex-lb` in the top-level Codex App config while leaving your `sks-codex-lb.env` and `auth.json` untouched, so you can re-engage codex-lb later with `sks codex-lb repair` without re-running setup.
+
 ### MAD tmux Launch
 
 ```sh

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "sneakoscope",
   "displayName": "ㅅㅋㅅ",
-  "version": "0.9.2",
+  "version": "0.9.6",
   "description": "Sneakoscope Codex: database-safe Codex CLI/App harness with Team, Goal, AutoResearch, TriWiki, and Honest Mode.",
   "type": "module",
   "homepage": "https://github.com/mandarange/Sneakoscope-Codex#readme",

package/src/cli/install-helpers.mjs

@@ -87,6 +87,14 @@ async function reportPostinstallCodexLbAuth() {
   else if (codexLbAuth.status === 'missing_env_key') console.log('codex-lb auth: stored key missing. Run `sks codex-lb setup --host <domain> --api-key <key>` to repair.');
   else if (codexLbAuth.status === 'missing_base_url') console.log('codex-lb auth: stored key has no recoverable base URL. Run `sks codex-lb reconfigure --host <domain> --api-key <key>` once.');
   else if (codexLbAuth.status && codexLbAuth.status !== 'not_configured') console.log(`codex-lb auth: repair skipped (${codexLbAuth.status}${codexLbAuth.error ? `: ${codexLbAuth.error}` : ''}).`);
+  const reconcile = codexLbAuth.auth_reconcile;
+  if (reconcile?.status === 'reconciled') {
+    console.log(`codex-lb auth: resolved ChatGPT OAuth conflict by switching auth.json to apikey mode (OAuth backup at ${reconcile.backup_path}). Set SKS_CODEX_LB_NO_AUTH_RECONCILE=1 to opt out.`);
+  } else if (reconcile?.status === 'backup_only') {
+    console.log(`codex-lb auth: detected ChatGPT OAuth tokens in auth.json. OAuth backup written to ${reconcile.backup_path}; auth.json left untouched because SKS_CODEX_LB_NO_AUTH_RECONCILE=1.`);
+  } else if (reconcile?.status === 'failed') {
+    console.log(`codex-lb auth: ChatGPT OAuth reconciliation could not complete (${reconcile.reason || 'unknown'}${reconcile.error ? `: ${reconcile.error}` : ''}). Run \`sks codex-lb repair\` to retry.`);
+  }
   return codexLbAuth;
 }
 
@@ -160,26 +168,65 @@ function codexAuthPath(home = process.env.HOME || os.homedir()) {
   return path.join(home, '.codex', 'auth.json');
 }
 
+function codexAuthChatgptBackupPath(home = process.env.HOME || os.homedir()) {
+  return path.join(home, '.codex', 'auth.chatgpt-backup.json');
+}
+
 async function capturePostinstallCodexLbConfigSnapshot(home = process.env.HOME || os.homedir()) {
   const configPath = codexLbConfigPath(home);
   const envPath = codexLbEnvPath(home);
+  const authPath = codexAuthPath(home);
   const config = await readText(configPath, '');
   const envText = await readText(envPath, '');
-  if (!parseCodexLbEnvKey(envText)) return null;
+  const authExisted = await exists(authPath);
+  const authText = authExisted ? await readText(authPath, '') : '';
+  const envKey = parseCodexLbEnvKey(envText);
+  const providerConfigured = /\[model_providers\.codex-lb\]/.test(config);
   const baseUrl = codexLbProviderBaseUrl(config) || parseCodexLbEnvBaseUrl(envText);
-  if (!baseUrl) return null;
-  return { config_path: configPath, env_path: envPath, base_url: normalizeCodexLbBaseUrl(baseUrl) };
+  // Snapshot any codex-lb-related state so the upgrade-time bootstrap can't silently undo it.
+  if (!envKey && !providerConfigured && !authExisted) return null;
+  return {
+    config_path: configPath,
+    env_path: envPath,
+    auth_path: authPath,
+    base_url: baseUrl ? normalizeCodexLbBaseUrl(baseUrl) : null,
+    auth_existed: authExisted,
+    auth_text: authText
+  };
 }
 
 async function restorePostinstallCodexLbConfigSnapshot(snapshot) {
-  if (!snapshot?.base_url) return { status: 'skipped', reason: 'no_snapshot' };
-  const current = await readText(snapshot.config_path, '');
-  const next = normalizeCodexFastModeUiConfig(upsertCodexLbConfig(current, snapshot.base_url));
-  if (next === ensureTrailingNewline(current) && codexLbProviderBaseUrl(current)) {
-    return { status: 'present', config_path: snapshot.config_path };
+  if (!snapshot) return { status: 'skipped', reason: 'no_snapshot' };
+  let configRestored = false;
+  if (snapshot.base_url) {
+    const current = await readText(snapshot.config_path, '');
+    const next = normalizeCodexFastModeUiConfig(upsertCodexLbConfig(current, snapshot.base_url));
+    const alreadyOk = next === ensureTrailingNewline(current) && codexLbProviderBaseUrl(current);
+    if (!alreadyOk) {
+      await writeTextAtomic(snapshot.config_path, next);
+      configRestored = true;
+    }
   }
-  await writeTextAtomic(snapshot.config_path, next);
-  return { status: 'restored', config_path: snapshot.config_path };
+  // Restore auth.json only if bootstrap accidentally wiped or emptied a pre-existing auth.json.
+  // We do NOT clobber a legitimately rewritten auth.json; we just heal the disappearing-auth regression.
+  let authRestored = false;
+  if (snapshot.auth_existed && snapshot.auth_text && snapshot.auth_text.trim()) {
+    const currentAuthExists = await exists(snapshot.auth_path);
+    const currentAuthText = currentAuthExists ? await readText(snapshot.auth_path, '') : '';
+    if (!currentAuthExists || !currentAuthText.trim()) {
+      await ensureDir(path.dirname(snapshot.auth_path));
+      await writeTextAtomic(snapshot.auth_path, snapshot.auth_text);
+      await fsp.chmod(snapshot.auth_path, 0o600).catch(() => {});
+      authRestored = true;
+    }
+  }
+  return {
+    status: configRestored || authRestored ? 'restored' : 'present',
+    config_path: snapshot.config_path,
+    auth_path: snapshot.auth_path,
+    config_restored: configRestored,
+    auth_restored: authRestored
+  };
 }
 
 export function normalizeCodexLbBaseUrl(input = '') {
@@ -413,6 +460,7 @@ export async function repairCodexLbAuth(opts = {}) {
   const codexEnvironment = await syncCodexLbProviderEnvironment(status, opts);
   const apiKey = parseCodexLbEnvKey(await readText(status.env_path, ''));
   const codexLogin = await maybeSyncCodexLbSharedLogin(apiKey, { ...opts, home: opts.home || process.env.HOME || os.homedir(), force: true });
+  const authReconcile = await reconcileCodexLbAuthConflict({ ...opts, status }).catch((err) => ({ status: 'failed', reason: 'exception', error: err.message }));
   const ok = Boolean(codexEnvironment.ok && codexLogin.ok);
   return {
     ok,
@@ -423,6 +471,7 @@ export async function repairCodexLbAuth(opts = {}) {
     config_repaired: configRepaired,
     legacy_auth_migrated: legacyAuthMigrated,
     legacy_auth_path: legacyAuthPath,
+    auth_reconcile: authReconcile,
     codex_lb: status,
     codex_environment: codexEnvironment,
     codex_login: codexLogin
@@ -441,6 +490,7 @@ export async function ensureCodexLbAuthDuringInstall(opts = {}) {
   const codexEnvironment = await syncCodexLbProviderEnvironment(status, opts);
   const apiKey = parseCodexLbEnvKey(await readText(status.env_path, ''));
   const codexLogin = await maybeSyncCodexLbSharedLogin(apiKey, { ...opts, home: opts.home || process.env.HOME || os.homedir(), force: true });
+  const authReconcile = await reconcileCodexLbAuthConflict({ ...opts, status }).catch((err) => ({ status: 'failed', reason: 'exception', error: err.message }));
   const ok = Boolean(codexEnvironment.ok && codexLogin.ok);
   return {
     ok,
@@ -451,6 +501,7 @@ export async function ensureCodexLbAuthDuringInstall(opts = {}) {
     codex_lb: status,
     codex_environment: codexEnvironment,
     codex_login: codexLogin,
+    auth_reconcile: authReconcile,
     error: codexEnvironment.error || codexLogin.error || null
   };
 }
@@ -470,6 +521,253 @@ async function restoreCodexLbEnvFromSharedLogin(status = {}, opts = {}) {
   return { ok: true, status: 'migrated_login_cache', auth_path: authPath, env_path: envPath, base_url: normalizeCodexLbBaseUrl(baseUrl) };
 }
 
+// Detects a real ChatGPT OAuth token blob in auth.json.
+// A bare {"auth_mode":"browser"} marker is NOT considered an OAuth token blob — we preserve it.
+function hasChatgptOAuthTokens(text = '') {
+  try {
+    const parsed = JSON.parse(String(text || ''));
+    if (!parsed || typeof parsed !== 'object') return false;
+    const authMode = String(parsed.auth_mode || parsed.authMode || parsed.mode || '').toLowerCase();
+    const tokens = parsed.tokens || parsed.oauth || parsed.oauth_tokens;
+    if (tokens && typeof tokens === 'object') {
+      if (tokens.id_token || tokens.access_token || tokens.refresh_token) return true;
+    }
+    if (authMode && /chatgpt|oauth|browser/.test(authMode)) {
+      // Only treat as an OAuth blob when real tokens or a refresh metadata trail are also present.
+      if (parsed.last_refresh || parsed.expires_at || parsed.refresh_token || parsed.access_token || parsed.id_token) return true;
+    }
+    return false;
+  } catch {
+    return false;
+  }
+}
+
+function parseCodexAuthApiKey(text = '') {
+  try {
+    const parsed = JSON.parse(String(text || ''));
+    const key = parsed?.key || parsed?.api_key || parsed?.apiKey || parsed?.openai_api_key || parsed?.OPENAI_API_KEY;
+    return typeof key === 'string' ? key.trim() : '';
+  } catch {
+    return '';
+  }
+}
+
+// When codex-lb is selected with env_key auth AND auth.json also carries a real ChatGPT OAuth
+// token blob, Codex CLI/App can pick the OAuth bearer over the env_key bearer and fail against
+// the load balancer. We back the OAuth blob up to ~/.codex/auth.chatgpt-backup.json and replace
+// auth.json with an apikey-mode payload that matches the stored CODEX_LB_API_KEY.
+// Opt out with SKS_CODEX_LB_NO_AUTH_RECONCILE=1 (the backup is still produced so nothing is lost).
+export async function reconcileCodexLbAuthConflict(opts = {}) {
+  const home = opts.home || process.env.HOME || os.homedir();
+  const status = opts.status || await codexLbStatus({ ...opts, home });
+  const authPath = opts.authPath || codexAuthPath(home);
+  const backupPath = opts.backupPath || codexAuthChatgptBackupPath(home);
+  if (!status.env_key_configured || !status.base_url) {
+    return { status: 'skipped', reason: 'codex_lb_not_ready', auth_path: authPath };
+  }
+  if (!(await exists(authPath))) {
+    return { status: 'skipped', reason: 'auth_missing', auth_path: authPath };
+  }
+  const authText = await readText(authPath, '');
+  if (!authText.trim()) {
+    return { status: 'skipped', reason: 'auth_empty', auth_path: authPath };
+  }
+  if (!hasChatgptOAuthTokens(authText)) {
+    return { status: 'no_oauth_conflict', auth_path: authPath };
+  }
+  const envText = await readText(status.env_path, '');
+  const apiKey = parseCodexLbEnvKey(envText);
+  if (!apiKey) {
+    return { status: 'skipped', reason: 'missing_env_key', auth_path: authPath };
+  }
+  // Always back up the OAuth blob — even if reconciliation is opted out — so the data survives.
+  try {
+    await ensureDir(path.dirname(backupPath));
+    await writeTextAtomic(backupPath, authText);
+    await fsp.chmod(backupPath, 0o600).catch(() => {});
+  } catch (err) {
+    return { status: 'failed', reason: 'backup_failed', auth_path: authPath, backup_path: backupPath, error: err.message };
+  }
+  if (process.env.SKS_CODEX_LB_NO_AUTH_RECONCILE === '1' && !opts.force) {
+    return {
+      status: 'backup_only',
+      reason: 'SKS_CODEX_LB_NO_AUTH_RECONCILE=1',
+      auth_path: authPath,
+      backup_path: backupPath
+    };
+  }
+  try {
+    const replacement = `${JSON.stringify({ auth_mode: 'apikey', key: apiKey }, null, 2)}\n`;
+    await writeTextAtomic(authPath, replacement);
+    await fsp.chmod(authPath, 0o600).catch(() => {});
+  } catch (err) {
+    return { status: 'failed', reason: 'write_failed', auth_path: authPath, backup_path: backupPath, error: err.message };
+  }
+  return {
+    status: 'reconciled',
+    auth_path: authPath,
+    backup_path: backupPath
+  };
+}
+
+// Expose the ChatGPT OAuth backup path so the CLI can surface it in status / release output.
+export function codexLbChatgptBackupPath(home = process.env.HOME || os.homedir()) {
+  return codexAuthChatgptBackupPath(home);
+}
+
+// Remove a top-level TOML key (only above the first table header). Returns the original text
+// unchanged when the key isn't present.
+function removeTopLevelTomlString(text, key) {
+  const lines = String(text || '').split('\n');
+  const firstTable = lines.findIndex((x) => /^\s*\[.+\]\s*$/.test(x));
+  const end = firstTable === -1 ? lines.length : firstTable;
+  let removed = false;
+  for (let i = end - 1; i >= 0; i--) {
+    if (new RegExp(`^\\s*${escapeRegExp(key)}\\s*=`).test(lines[i])) {
+      lines.splice(i, 1);
+      removed = true;
+    }
+  }
+  if (!removed) return text;
+  return lines.join('\n').replace(/^\n+/, '').replace(/\n{3,}/g, '\n\n');
+}
+
+// Unselect codex-lb at the top-level model_provider setting. Leaves [model_providers.codex-lb]
+// and the env file alone so the user can re-engage with `sks codex-lb repair`.
+export async function unselectCodexLbProvider(opts = {}) {
+  const home = opts.home || process.env.HOME || os.homedir();
+  const configPath = opts.configPath || codexLbConfigPath(home);
+  const current = await readText(configPath, '');
+  if (!current.trim()) return { status: 'not_selected', reason: 'no_config', config_path: configPath };
+  if (!hasTopLevelCodexLbSelected(current)) return { status: 'not_selected', config_path: configPath };
+  try {
+    const next = ensureTrailingNewline(removeTopLevelTomlString(current, 'model_provider'));
+    await writeTextAtomic(configPath, next);
+    return { status: 'unselected', config_path: configPath };
+  } catch (err) {
+    return { status: 'failed', reason: 'write_failed', config_path: configPath, error: err.message };
+  }
+}
+
+// Reverse of reconcileCodexLbAuthConflict: restore the ChatGPT OAuth blob from the backup file
+// so the user can return to the official ChatGPT account login. Also deselects codex-lb at the
+// model_provider level by default so the restored OAuth blob actually wins; pass keepProvider
+// to skip that.
+//
+// Options:
+//   home          - HOME override (selftest)
+//   keepProvider  - leave `model_provider = "codex-lb"` selected (default: deselect)
+//   deleteBackup  - remove ~/.codex/auth.chatgpt-backup.json after a successful restore
+//                   (default: false; keeping it makes the next reconcile cycle a no-op clobber risk)
+//   force         - restore even if the current auth.json shape isn't recognized
+export async function releaseCodexLbAuthHold(opts = {}) {
+  const home = opts.home || process.env.HOME || os.homedir();
+  const authPath = opts.authPath || codexAuthPath(home);
+  const backupPath = opts.backupPath || codexAuthChatgptBackupPath(home);
+  const configPath = opts.configPath || codexLbConfigPath(home);
+
+  const backupExists = await exists(backupPath);
+  const backupText = backupExists ? await readText(backupPath, '') : '';
+  if (!backupExists || !backupText.trim()) {
+    return {
+      status: 'no_backup',
+      auth_path: authPath,
+      backup_path: backupPath,
+      provider_unselected: false
+    };
+  }
+  if (!hasChatgptOAuthTokens(backupText)) {
+    return {
+      status: 'no_backup',
+      reason: 'backup_not_oauth',
+      auth_path: authPath,
+      backup_path: backupPath,
+      provider_unselected: false
+    };
+  }
+
+  const currentAuthText = await readText(authPath, '');
+  const trimmedCurrent = currentAuthText.trim();
+
+  // If auth.json already looks like ChatGPT OAuth (user re-logged in some other way), don't
+  // clobber it — but still honor the deselect request so the OAuth blob takes effect.
+  if (trimmedCurrent && hasChatgptOAuthTokens(currentAuthText) && !opts.force) {
+    let providerUnselected = false;
+    let providerError = null;
+    if (!opts.keepProvider) {
+      const unselected = await unselectCodexLbProvider({ ...opts, home, configPath });
+      if (unselected.status === 'unselected') providerUnselected = true;
+      else if (unselected.status === 'failed') providerError = unselected.error || unselected.reason || 'unselect_failed';
+    }
+    return {
+      status: 'already_chatgpt',
+      auth_path: authPath,
+      backup_path: backupPath,
+      provider_unselected: providerUnselected,
+      provider_error: providerError
+    };
+  }
+
+  // Refuse to clobber unfamiliar auth.json shapes unless forced. We expect either an empty file,
+  // the apikey shape we wrote during reconcile, or a stray `{"auth_mode":"browser"}` marker.
+  if (!opts.force && trimmedCurrent) {
+    const looksApikey = /"auth_mode"\s*:\s*"apikey"/.test(currentAuthText) && Boolean(parseCodexAuthApiKey(currentAuthText));
+    const looksBrowserMarker = /^\{\s*"auth_mode"\s*:\s*"browser"\s*\}\s*$/.test(currentAuthText);
+    if (!looksApikey && !looksBrowserMarker) {
+      return {
+        status: 'auth_in_use',
+        reason: 'unfamiliar_auth_json',
+        auth_path: authPath,
+        backup_path: backupPath,
+        provider_unselected: false
+      };
+    }
+  }
+
+  try {
+    await ensureDir(path.dirname(authPath));
+    const restored = backupText.endsWith('\n') ? backupText : `${backupText}\n`;
+    await writeTextAtomic(authPath, restored);
+    await fsp.chmod(authPath, 0o600).catch(() => {});
+  } catch (err) {
+    return {
+      status: 'failed',
+      reason: 'restore_failed',
+      auth_path: authPath,
+      backup_path: backupPath,
+      error: err.message,
+      provider_unselected: false
+    };
+  }
+
+  let backupRemoved = false;
+  if (opts.deleteBackup) {
+    try {
+      await fsp.rm(backupPath, { force: true });
+      backupRemoved = true;
+    } catch {
+      // Non-fatal: the restore already landed.
+    }
+  }
+
+  let providerUnselected = false;
+  let providerError = null;
+  if (!opts.keepProvider) {
+    const unselected = await unselectCodexLbProvider({ ...opts, home, configPath });
+    if (unselected.status === 'unselected') providerUnselected = true;
+    else if (unselected.status === 'failed') providerError = unselected.error || unselected.reason || 'unselect_failed';
+  }
+
+  return {
+    status: 'released',
+    auth_path: authPath,
+    backup_path: backupPath,
+    backup_removed: backupRemoved,
+    provider_unselected: providerUnselected,
+    provider_error: providerError
+  };
+}
+
 export async function maybePromptCodexLbSetupForLaunch(args = [], opts = {}) {
   if (args.includes('--json') || args.includes('--skip-codex-lb') || process.env.SKS_SKIP_CODEX_LB_PROMPT === '1') return { status: 'skipped' };
   let status = await codexLbStatus(opts);
@@ -495,8 +793,34 @@ export async function maybePromptCodexLbSetupForLaunch(args = [], opts = {}) {
     if (codexLogin.status === 'synced') console.log('codex-lb auth synced with Codex CLI login cache.');
     const chainHealth = await checkCodexLbResponseChain(status, opts);
     if (!chainHealth.ok && chainHealth.chain_unhealthy) {
-      console.log(`codex-lb response chain check failed (${chainHealth.status}); bypassing codex-lb for this launch.`);
-      return { status: 'chain_unhealthy', ...status, ok: false, codex_environment: codexEnvironment, codex_login: codexLogin, chain_health: chainHealth, bypass_codex_lb: true };
+      // `previous_response_not_found` is normal for stateless LB deployments that don't persist
+      // Responses across requests. The codex-lb provider still works fine — only the chained
+      // health probe fails. Keep codex-lb active and just warn.
+      if (chainHealth.status === 'previous_response_not_found') {
+        console.log('codex-lb response chain check: previous_response_id not persisted by the load balancer (this is normal for stateless deployments). Keeping codex-lb active.');
+        return { status: 'present', ...status, codex_environment: codexEnvironment, codex_login: codexLogin, chain_health: chainHealth };
+      }
+      // Hard chain failure (auth rejected, timeout, missing base URL, etc.). Don't silently
+      // demote a configured codex-lb to ChatGPT OAuth — surface the failure and let the user
+      // decide. Default keeps codex-lb (just press Enter).
+      console.log(`codex-lb response chain check failed (${chainHealth.status}${chainHealth.error ? `: ${chainHealth.error}` : ''}).`);
+      if (process.env.SKS_CODEX_LB_AUTOBYPASS === '1') {
+        console.log('SKS_CODEX_LB_AUTOBYPASS=1 set; bypassing codex-lb to ChatGPT OAuth for this launch.');
+        return { status: 'chain_unhealthy', ...status, ok: false, codex_environment: codexEnvironment, codex_login: codexLogin, chain_health: chainHealth, bypass_codex_lb: true };
+      }
+      if (canAskYesNo()) {
+        const answer = (await askPostinstallQuestion('Use codex-lb anyway, or fall back to ChatGPT OAuth? [LB/oauth] ')).trim().toLowerCase();
+        if (/^(oauth|o|chatgpt|fall ?back|n|no|아니|아니요|ㄴ)$/.test(answer)) {
+          console.log('Falling back to ChatGPT OAuth for this launch. Re-enable codex-lb anytime with `sks codex-lb repair`.');
+          return { status: 'chain_unhealthy', ...status, ok: false, codex_environment: codexEnvironment, codex_login: codexLogin, chain_health: chainHealth, bypass_codex_lb: true };
+        }
+        console.log('Keeping codex-lb active. To switch back to ChatGPT OAuth: `sks codex-lb release`.');
+        return { status: 'present', ...status, codex_environment: codexEnvironment, codex_login: codexLogin, chain_health: chainHealth };
+      }
+      // Non-interactive context with no opt-out env var. The user explicitly configured codex-lb,
+      // so default to keeping it active rather than silently swapping providers.
+      console.log('Non-interactive launch + chain check failure. Keeping codex-lb active. Set SKS_CODEX_LB_AUTOBYPASS=1 to auto-bypass to ChatGPT OAuth.');
+      return { status: 'present', ...status, codex_environment: codexEnvironment, codex_login: codexLogin, chain_health: chainHealth };
     }
     return { status: 'present', ...status, codex_environment: codexEnvironment, codex_login: codexLogin, chain_health: chainHealth };
   }
@@ -1240,7 +1564,10 @@ export async function selftestCodexLb(tmp) {
   const codexLbFakeBin = path.join(tmp, 'codex-lb-fake-bin');
   await ensureDir(codexLbFakeBin);
   const codexLbFakeCodex = path.join(codexLbFakeBin, 'codex');
-  await writeTextAtomic(codexLbFakeCodex, "#!/bin/sh\nif [ \"$1\" = \"--version\" ]; then echo \"codex-cli 99.0.0\"; exit 0; fi\nif [ \"$1\" = \"login\" ] && [ \"$2\" = \"status\" ]; then echo \"logged in with browser auth\"; exit 0; fi\nif [ \"$1\" = \"login\" ] && [ \"$2\" = \"--with-api-key\" ]; then read key; mkdir -p \"$HOME/.codex\"; printf '{\\\"auth_mode\\\":\\\"apikey\\\",\\\"key\\\":\\\"%s\\\"}\\n' \"$key\" > \"$HOME/.codex/auth.json\"; printf '%s\\n' \"$key\" >> \"$HOME/.codex/login-calls.log\"; exit 0; fi\necho \"fake codex unsupported\" >&2\nexit 1\n");
+  // NOTE: printf format uses literal double-quotes inside single-quoted shell strings so the
+  // fake login writes proper JSON in both bash and dash (where `\"` is a non-standard printf
+  // escape that dash emits literally and bash collapses to `"`).
+  await writeTextAtomic(codexLbFakeCodex, "#!/bin/sh\nif [ \"$1\" = \"--version\" ]; then echo \"codex-cli 99.0.0\"; exit 0; fi\nif [ \"$1\" = \"login\" ] && [ \"$2\" = \"status\" ]; then echo \"logged in with browser auth\"; exit 0; fi\nif [ \"$1\" = \"login\" ] && [ \"$2\" = \"--with-api-key\" ]; then read key; mkdir -p \"$HOME/.codex\"; printf '{\"auth_mode\":\"apikey\",\"key\":\"%s\"}\\n' \"$key\" > \"$HOME/.codex/auth.json\"; printf '%s\\n' \"$key\" >> \"$HOME/.codex/login-calls.log\"; exit 0; fi\necho \"fake codex unsupported\" >&2\nexit 1\n");
   await fsp.chmod(codexLbFakeCodex, 0o755);
   await writeTextAtomic(path.join(codexLbHome, '.codex', 'config.toml'), 'model = "gpt-5.5"\nmodel_reasoning_effort = "low"\nservice_tier = "fast"\n\n[profiles.custom]\nmodel_reasoning_effort = "low"\n\n[notice]\nfast_default_opt_out = true\n\n[features]\ncodex_hooks = true\n');
   const codexLbEnvForSelftest = { HOME: codexLbHome, SKS_GLOBAL_ROOT: path.join(tmp, 'codex-lb-global'), PATH: `${codexLbFakeBin}${path.delimiter}${process.env.PATH || ''}`, SKS_SKIP_CODEX_LB_LAUNCH_ENV: '1' };
@@ -1353,6 +1680,88 @@ export async function selftestCodexLb(tmp) {
   const codexLbDoctorConfig = await safeReadText(path.join(codexLbHome, '.codex', 'config.toml'));
   if (!codexLbDoctorJson.repair?.codex_lb?.ok || !codexLbDoctorJson.repair.codex_lb.config_repaired || !codexLbDoctorJson.codex_lb?.ok || !codexLbDoctorAuth.includes('"auth_mode":"browser"') || codexLbDoctorAuth.includes('sk-test') || !hasTopLevelCodexLbSelected(codexLbDoctorConfig) || !codexLbDoctorConfig.includes('https://lb.example.test/backend-api/codex') || !hasCodexUnstableFeatureWarningSuppression(codexLbDoctorConfig)) throw new Error('selftest: doctor codex-lb');
   if (!codexLbDoctorConfig.includes('requires_openai_auth = true')) throw new Error('selftest: doctor codex-lb did not restore upstream-required requires_openai_auth');
+  // codex-lb auth: ChatGPT OAuth ↔ codex-lb env_key conflict reconciliation.
+  const oauthAuthJson = JSON.stringify({
+    auth_mode: 'chatgpt',
+    tokens: { id_token: 'oauth-id', access_token: 'oauth-access', refresh_token: 'oauth-refresh' },
+    last_refresh: '2026-01-01T00:00:00Z'
+  });
+  await writeTextAtomic(path.join(codexLbHome, '.codex', 'auth.json'), `${oauthAuthJson}\n`);
+  await writeTextAtomic(path.join(codexLbHome, '.codex', 'sks-codex-lb.env'), "export CODEX_LB_BASE_URL='https://lb.example.test/backend-api/codex'\nexport CODEX_LB_API_KEY='sk-test'\n");
+  await writeTextAtomic(path.join(codexLbHome, '.codex', 'config.toml'), 'model_provider = "codex-lb"\n\n[model_providers.codex-lb]\nname = "OpenAI"\nbase_url = "https://lb.example.test/backend-api/codex"\nwire_api = "responses"\nenv_key = "CODEX_LB_API_KEY"\nsupports_websockets = true\nrequires_openai_auth = true\n');
+  await fsp.rm(path.join(codexLbHome, '.codex', 'auth.chatgpt-backup.json'), { force: true });
+  const codexLbReconcileRepair = await runProcess(process.execPath, [path.join(packageRoot(), 'bin', 'sks.mjs'), 'auth', 'repair', '--json'], { cwd: tmp, env: codexLbEnvForSelftest, timeoutMs: 15000, maxOutputBytes: 64 * 1024 });
+  if (codexLbReconcileRepair.code !== 0) throw new Error(`selftest: codex-lb oauth reconcile repair exited ${codexLbReconcileRepair.code}: ${codexLbReconcileRepair.stderr}`);
+  const codexLbReconcileJson = JSON.parse(codexLbReconcileRepair.stdout);
+  const codexLbReconcileAuth = await safeReadText(path.join(codexLbHome, '.codex', 'auth.json'));
+  const codexLbReconcileBackup = await safeReadText(path.join(codexLbHome, '.codex', 'auth.chatgpt-backup.json'));
+  if (codexLbReconcileJson.auth_reconcile?.status !== 'reconciled' || !codexLbReconcileAuth.includes('"auth_mode": "apikey"') || !codexLbReconcileAuth.includes('sk-test') || codexLbReconcileAuth.includes('oauth-id') || !codexLbReconcileBackup.includes('oauth-id') || !codexLbReconcileBackup.includes('oauth-refresh')) throw new Error('selftest: codex-lb oauth reconcile did not back up ChatGPT tokens and switch auth.json to apikey mode');
+  // Opt-out path: SKS_CODEX_LB_NO_AUTH_RECONCILE=1 keeps auth.json untouched but still backs up the OAuth blob.
+  await writeTextAtomic(path.join(codexLbHome, '.codex', 'auth.json'), `${oauthAuthJson}\n`);
+  await fsp.rm(path.join(codexLbHome, '.codex', 'auth.chatgpt-backup.json'), { force: true });
+  const codexLbReconcileOptOutRepair = await runProcess(process.execPath, [path.join(packageRoot(), 'bin', 'sks.mjs'), 'auth', 'repair', '--json'], { cwd: tmp, env: { ...codexLbEnvForSelftest, SKS_CODEX_LB_NO_AUTH_RECONCILE: '1' }, timeoutMs: 15000, maxOutputBytes: 64 * 1024 });
+  if (codexLbReconcileOptOutRepair.code !== 0) throw new Error(`selftest: codex-lb oauth reconcile opt-out repair exited ${codexLbReconcileOptOutRepair.code}: ${codexLbReconcileOptOutRepair.stderr}`);
+  const codexLbReconcileOptOutJson = JSON.parse(codexLbReconcileOptOutRepair.stdout);
+  const codexLbReconcileOptOutAuth = await safeReadText(path.join(codexLbHome, '.codex', 'auth.json'));
+  const codexLbReconcileOptOutBackup = await safeReadText(path.join(codexLbHome, '.codex', 'auth.chatgpt-backup.json'));
+  if (codexLbReconcileOptOutJson.auth_reconcile?.status !== 'backup_only' || !codexLbReconcileOptOutAuth.includes('oauth-id') || !codexLbReconcileOptOutBackup.includes('oauth-id')) throw new Error('selftest: codex-lb oauth reconcile opt-out should back up but not rewrite auth.json');
+  // codex-lb auth: release flow — restore ChatGPT OAuth from backup so the user can return to
+  // the official ChatGPT account login. Default deselects model_provider; flags control whether
+  // the provider stays selected and whether the backup file is removed after restore.
+  const codexLbReleaseConfig = 'model_provider = "codex-lb"\n\n[model_providers.codex-lb]\nname = "OpenAI"\nbase_url = "https://lb.example.test/backend-api/codex"\nwire_api = "responses"\nenv_key = "CODEX_LB_API_KEY"\nsupports_websockets = true\nrequires_openai_auth = true\n';
+  const codexLbReleaseEnv = "export CODEX_LB_BASE_URL='https://lb.example.test/backend-api/codex'\nexport CODEX_LB_API_KEY='sk-test'\n";
+  const codexLbReleaseApikeyAuth = '{"auth_mode":"apikey","key":"sk-test"}\n';
+  const codexLbReleaseOauthBackup = `${oauthAuthJson}\n`;
+  // Happy path: deselect model_provider and preserve backup file.
+  await writeTextAtomic(path.join(codexLbHome, '.codex', 'auth.json'), codexLbReleaseApikeyAuth);
+  await writeTextAtomic(path.join(codexLbHome, '.codex', 'auth.chatgpt-backup.json'), codexLbReleaseOauthBackup);
+  await writeTextAtomic(path.join(codexLbHome, '.codex', 'sks-codex-lb.env'), codexLbReleaseEnv);
+  await writeTextAtomic(path.join(codexLbHome, '.codex', 'config.toml'), codexLbReleaseConfig);
+  const codexLbReleaseRun = await runProcess(process.execPath, [path.join(packageRoot(), 'bin', 'sks.mjs'), 'codex-lb', 'release', '--json'], { cwd: tmp, env: codexLbEnvForSelftest, timeoutMs: 15000, maxOutputBytes: 64 * 1024 });
+  if (codexLbReleaseRun.code !== 0) throw new Error(`selftest: codex-lb release exited ${codexLbReleaseRun.code}: ${codexLbReleaseRun.stderr}`);
+  const codexLbReleaseJson = JSON.parse(codexLbReleaseRun.stdout);
+  const codexLbReleaseAuth = await safeReadText(path.join(codexLbHome, '.codex', 'auth.json'));
+  const codexLbReleaseBackupAfter = await safeReadText(path.join(codexLbHome, '.codex', 'auth.chatgpt-backup.json'));
+  const codexLbReleaseConfigAfter = await safeReadText(path.join(codexLbHome, '.codex', 'config.toml'));
+  if (codexLbReleaseJson.status !== 'released' || codexLbReleaseJson.provider_unselected !== true || codexLbReleaseJson.backup_removed !== false || !codexLbReleaseAuth.includes('oauth-id') || !codexLbReleaseAuth.includes('oauth-refresh') || codexLbReleaseAuth.includes('apikey') || !codexLbReleaseBackupAfter.includes('oauth-id') || hasTopLevelCodexLbSelected(codexLbReleaseConfigAfter)) throw new Error('selftest: codex-lb release happy path did not restore OAuth, preserve backup, and deselect model_provider');
+  // --keep-provider: restore auth.json but leave model_provider = "codex-lb" alone.
+  await writeTextAtomic(path.join(codexLbHome, '.codex', 'auth.json'), codexLbReleaseApikeyAuth);
+  await writeTextAtomic(path.join(codexLbHome, '.codex', 'auth.chatgpt-backup.json'), codexLbReleaseOauthBackup);
+  await writeTextAtomic(path.join(codexLbHome, '.codex', 'config.toml'), codexLbReleaseConfig);
+  const codexLbReleaseKeepRun = await runProcess(process.execPath, [path.join(packageRoot(), 'bin', 'sks.mjs'), 'codex-lb', 'release', '--keep-provider', '--json'], { cwd: tmp, env: codexLbEnvForSelftest, timeoutMs: 15000, maxOutputBytes: 64 * 1024 });
+  if (codexLbReleaseKeepRun.code !== 0) throw new Error(`selftest: codex-lb release --keep-provider exited ${codexLbReleaseKeepRun.code}: ${codexLbReleaseKeepRun.stderr}`);
+  const codexLbReleaseKeepJson = JSON.parse(codexLbReleaseKeepRun.stdout);
+  const codexLbReleaseKeepConfig = await safeReadText(path.join(codexLbHome, '.codex', 'config.toml'));
+  if (codexLbReleaseKeepJson.status !== 'released' || codexLbReleaseKeepJson.provider_unselected !== false || !hasTopLevelCodexLbSelected(codexLbReleaseKeepConfig)) throw new Error('selftest: codex-lb release --keep-provider should leave model_provider = "codex-lb" intact');
+  // --delete-backup: restore auth.json and remove the backup file.
+  await writeTextAtomic(path.join(codexLbHome, '.codex', 'auth.json'), codexLbReleaseApikeyAuth);
+  await writeTextAtomic(path.join(codexLbHome, '.codex', 'auth.chatgpt-backup.json'), codexLbReleaseOauthBackup);
+  await writeTextAtomic(path.join(codexLbHome, '.codex', 'config.toml'), codexLbReleaseConfig);
+  const codexLbReleaseDeleteRun = await runProcess(process.execPath, [path.join(packageRoot(), 'bin', 'sks.mjs'), 'codex-lb', 'release', '--delete-backup', '--json'], { cwd: tmp, env: codexLbEnvForSelftest, timeoutMs: 15000, maxOutputBytes: 64 * 1024 });
+  if (codexLbReleaseDeleteRun.code !== 0) throw new Error(`selftest: codex-lb release --delete-backup exited ${codexLbReleaseDeleteRun.code}: ${codexLbReleaseDeleteRun.stderr}`);
+  const codexLbReleaseDeleteJson = JSON.parse(codexLbReleaseDeleteRun.stdout);
+  const codexLbReleaseDeleteBackupExists = await exists(path.join(codexLbHome, '.codex', 'auth.chatgpt-backup.json'));
+  if (codexLbReleaseDeleteJson.status !== 'released' || codexLbReleaseDeleteJson.backup_removed !== true || codexLbReleaseDeleteBackupExists) throw new Error('selftest: codex-lb release --delete-backup should remove the backup file after restore');
+  // No backup: release should refuse and exit 1.
+  await writeTextAtomic(path.join(codexLbHome, '.codex', 'auth.json'), codexLbReleaseApikeyAuth);
+  await fsp.rm(path.join(codexLbHome, '.codex', 'auth.chatgpt-backup.json'), { force: true });
+  await writeTextAtomic(path.join(codexLbHome, '.codex', 'config.toml'), codexLbReleaseConfig);
+  const codexLbReleaseMissingRun = await runProcess(process.execPath, [path.join(packageRoot(), 'bin', 'sks.mjs'), 'codex-lb', 'release', '--json'], { cwd: tmp, env: codexLbEnvForSelftest, timeoutMs: 15000, maxOutputBytes: 64 * 1024 });
+  const codexLbReleaseMissingJson = JSON.parse(codexLbReleaseMissingRun.stdout || '{}');
+  const codexLbReleaseMissingAuth = await safeReadText(path.join(codexLbHome, '.codex', 'auth.json'));
+  if (codexLbReleaseMissingRun.code === 0 || codexLbReleaseMissingJson.status !== 'no_backup' || !codexLbReleaseMissingAuth.includes('apikey')) throw new Error('selftest: codex-lb release with no backup should exit non-zero and report no_backup without touching auth.json');
+  // unselect: flip model_provider off without touching auth.json or env file.
+  await writeTextAtomic(path.join(codexLbHome, '.codex', 'auth.json'), codexLbReleaseApikeyAuth);
+  await writeTextAtomic(path.join(codexLbHome, '.codex', 'config.toml'), codexLbReleaseConfig);
+  const codexLbUnselectRun = await runProcess(process.execPath, [path.join(packageRoot(), 'bin', 'sks.mjs'), 'codex-lb', 'unselect', '--json'], { cwd: tmp, env: codexLbEnvForSelftest, timeoutMs: 15000, maxOutputBytes: 64 * 1024 });
+  if (codexLbUnselectRun.code !== 0) throw new Error(`selftest: codex-lb unselect exited ${codexLbUnselectRun.code}: ${codexLbUnselectRun.stderr}`);
+  const codexLbUnselectJson = JSON.parse(codexLbUnselectRun.stdout);
+  const codexLbUnselectConfig = await safeReadText(path.join(codexLbHome, '.codex', 'config.toml'));
+  const codexLbUnselectAuth = await safeReadText(path.join(codexLbHome, '.codex', 'auth.json'));
+  if (codexLbUnselectJson.status !== 'unselected' || hasTopLevelCodexLbSelected(codexLbUnselectConfig) || !codexLbUnselectConfig.includes('[model_providers.codex-lb]') || !codexLbUnselectAuth.includes('apikey')) throw new Error('selftest: codex-lb unselect should drop model_provider but preserve [model_providers.codex-lb] and auth.json');
+  // Restore the doctor-test auth.json shape so downstream selftest assertions still hold.
+  await writeTextAtomic(path.join(codexLbHome, '.codex', 'auth.json'), '{"auth_mode":"browser"}\n');
+  await fsp.rm(path.join(codexLbHome, '.codex', 'auth.chatgpt-backup.json'), { force: true });
   const codexLbContext7Bin = path.join(tmp, 'codex-lb-context7-bin');
   await ensureDir(codexLbContext7Bin);
   await writeTextAtomic(path.join(codexLbContext7Bin, 'codex'), '#!/bin/sh\nif [ "$1" = "--version" ]; then echo "codex-cli 99.0.0"; exit 0; fi\nif [ "$CODEX_LB_API_KEY" ]; then echo "context7 leaked CODEX_LB_API_KEY" >&2; exit 77; fi\nif [ "$1" = "mcp" ] && [ "$2" = "list" ]; then echo ""; exit 0; fi\nif [ "$1" = "mcp" ] && [ "$2" = "add" ]; then echo "context7 added"; exit 0; fi\necho "unexpected codex $*" >&2\nexit 2\n');
@@ -1514,7 +1923,42 @@ export async function selftestCodexLb(tmp) {
       return new Response(JSON.stringify({ error: { type: 'invalid_request_error', code: 'previous_response_not_found', message: 'Previous response not found.', param: 'previous_response_id' } }), { status: 400, headers: { 'content-type': 'application/json' } });
     }
   });
-  if (nonInteractiveBrokenLaunch.status !== 'chain_unhealthy' || nonInteractiveBrokenLaunch.bypass_codex_lb !== true || nonInteractiveBrokenLaunch.chain_health?.status !== 'previous_response_not_found') throw new Error('selftest: non-interactive codex-lb launch path did not bypass on previous_response_not_found');
+  if (nonInteractiveBrokenLaunch.status !== 'present' || nonInteractiveBrokenLaunch.bypass_codex_lb === true || nonInteractiveBrokenLaunch.chain_health?.status !== 'previous_response_not_found') throw new Error('selftest: previous_response_not_found should keep codex-lb active (stateless LB is normal), not silently bypass to ChatGPT OAuth');
+  // Hard chain failure (e.g. 500) in non-interactive context should still keep codex-lb by default — the user explicitly configured it, so don't silently swap providers.
+  const hardBrokenLaunchCalls = [];
+  const hardBrokenLaunch = await maybePromptCodexLbSetupForLaunch([], {
+    home: codexLbHome,
+    apiKey: 'sk-test',
+    codexBin: path.join(codexLbFakeBin, 'codex'),
+    syncLaunchEnv: false,
+    timeoutMs: 1000,
+    fetch: async (_url, init) => {
+      hardBrokenLaunchCalls.push({ body: JSON.parse(init.body) });
+      if (!hardBrokenLaunchCalls[hardBrokenLaunchCalls.length - 1].body.previous_response_id) return new Response(JSON.stringify({ id: 'resp_hardbroken_first' }), { status: 200, headers: { 'content-type': 'application/json' } });
+      return new Response(JSON.stringify({ error: { type: 'server_error', code: 'internal_error', message: 'simulated upstream failure' } }), { status: 500, headers: { 'content-type': 'application/json' } });
+    }
+  });
+  if (hardBrokenLaunch.status !== 'present' || hardBrokenLaunch.bypass_codex_lb === true || hardBrokenLaunch.chain_health?.status !== 'second_request_failed') throw new Error('selftest: hard codex-lb chain failure in non-interactive launch should default to keeping codex-lb active, not silently bypass');
+  // SKS_CODEX_LB_AUTOBYPASS=1 restores the old silent-bypass behavior for CI/automation.
+  process.env.SKS_CODEX_LB_AUTOBYPASS = '1';
+  let autobypassLaunch;
+  try {
+    autobypassLaunch = await maybePromptCodexLbSetupForLaunch([], {
+      home: codexLbHome,
+      apiKey: 'sk-test',
+      codexBin: path.join(codexLbFakeBin, 'codex'),
+      syncLaunchEnv: false,
+      timeoutMs: 1000,
+      fetch: async (_url, init) => {
+        const body = JSON.parse(init.body);
+        if (!body.previous_response_id) return new Response(JSON.stringify({ id: 'resp_autobypass_first' }), { status: 200, headers: { 'content-type': 'application/json' } });
+        return new Response(JSON.stringify({ error: { type: 'server_error', code: 'internal_error', message: 'simulated upstream failure' } }), { status: 500, headers: { 'content-type': 'application/json' } });
+      }
+    });
+  } finally {
+    delete process.env.SKS_CODEX_LB_AUTOBYPASS;
+  }
+  if (autobypassLaunch.status !== 'chain_unhealthy' || autobypassLaunch.bypass_codex_lb !== true || autobypassLaunch.chain_health?.status !== 'second_request_failed') throw new Error('selftest: SKS_CODEX_LB_AUTOBYPASS=1 should bypass codex-lb on hard chain failure');
   await writeTextAtomic(path.join(codexLbHome, '.codex', 'config.toml'), 'model = "gpt-5.5"\nservice_tier = "fast"\n');
   await writeTextAtomic(path.join(codexLbHome, '.codex', 'sks-codex-lb.env'), "export CODEX_LB_BASE_URL='https://lb.example.test/backend-api/codex'\nexport CODEX_LB_API_KEY='sk-test'\n");
   const missingProviderLaunchCalls = [];

package/src/cli/main.mjs

@@ -79,7 +79,7 @@ import { OPENCLAW_SKILL_NAME, installOpenClawSkill } from '../core/openclaw.mjs'
 import { buildTmuxLaunchPlan, buildTmuxOpenArgs, codexLaunchCommand, createTmuxSession, defaultCodexLaunchArgs, isTmuxShellSession, runTmuxLaunchPlanSyntaxCheck, shouldAutoAttachTmux, sksAsciiLogo, tmuxReadiness, tmuxStatusKind, defaultTmuxSessionName, formatTmuxBanner, launchMadTmuxUi, launchTmuxTeamView, launchTmuxUi, platformTmuxInstallHint, reconcileTmuxTeamCockpit, runTmuxStatus, sanitizeTmuxSessionName, sweepCodexLbTmuxSessions, sweepTmuxTeamSurfaces, teamLaneStyle } from '../core/tmux-ui.mjs';
 import { autoReviewProfileName, autoReviewStatus, autoReviewSummary, enableAutoReview, disableAutoReview, enableMadHighProfile, madHighProfileName } from '../core/auto-review.mjs';
 import { context7Command } from './context7-command.mjs';
-import { askPostinstallQuestion, checkCodexLbResponseChain, checkContext7, checkRequiredSkills, codexLbStatus, configureCodexLb, ensureCodexCliTool, ensureGlobalCodexFastModeDuringInstall, ensureGlobalCodexSkillsDuringInstall, ensureProjectContext7Config, ensureRelatedCliTools, ensureSksCommandDuringInstall, ensureTmuxCliTool, globalCodexSkillsRoot, maybePromptCodexLbSetupForLaunch, maybePromptCodexUpdateForLaunch, postinstall, postinstallBootstrapDecision, repairCodexLbAuth, selftestCodexLb, shouldAutoApproveInstall } from './install-helpers.mjs';
+import { askPostinstallQuestion, checkCodexLbResponseChain, checkContext7, checkRequiredSkills, codexLbChatgptBackupPath, codexLbStatus, configureCodexLb, ensureCodexCliTool, ensureGlobalCodexFastModeDuringInstall, ensureGlobalCodexSkillsDuringInstall, ensureProjectContext7Config, ensureRelatedCliTools, ensureSksCommandDuringInstall, ensureTmuxCliTool, globalCodexSkillsRoot, maybePromptCodexLbSetupForLaunch, maybePromptCodexUpdateForLaunch, postinstall, postinstallBootstrapDecision, releaseCodexLbAuthHold, repairCodexLbAuth, selftestCodexLb, shouldAutoApproveInstall, unselectCodexLbProvider } from './install-helpers.mjs';
 import { buildTeamPlan, codeStructureCommand, dbCommand, defaultBeta, defaultVGraph, evalCommand, gcCommand, goalCommand, gxCommand, harnessCommand, hproofCommand, madHighCommand as runMadHighCommand, memoryCommand, migrateWikiContextPack, parseTeamCreateArgs, perfCommand, profileCommand, projectWikiClaims, proofFieldCommand, qaLoopCommand, quickstartCommand, researchCommand, skillDreamCommand, statsCommand, team, teamWorkflowMarkdown, validateArtifactsCommand, wikiCommand, wikiVoxelRowCount, writeWikiContextPack } from './maintenance-commands.mjs';
 import { openClawCommand } from './openclaw-command.mjs';
 import { recallPulseCommand } from './recallpulse-command.mjs';
@@ -188,8 +188,8 @@ Usage:
   sks bootstrap [--install-scope global|project] [--local-only] [--json]
   sks deps check|install [tmux|codex|context7|all] [--yes] [--json]
   sks codex-app
-  sks codex-lb status|health|repair|setup --host <domain> --api-key <key>
-  sks auth status|health|repair|setup --host <domain> --api-key <key>
+  sks codex-lb status|health|repair|release|unselect|setup --host <domain> --api-key <key>
+  sks auth status|health|repair|release|unselect|setup --host <domain> --api-key <key>
   sks openclaw install|path|print [--dir path] [--force] [--json]
   sks --mad [--high]
   sks auto-review status|enable|start [--high]
@@ -1141,7 +1141,9 @@ async function codexLbCommand(action = 'status', args = []) {
   const json = flag(args, '--json');
   if (sub === 'status' || sub === 'check') {
     const status = await codexLbStatus();
-    if (json) return console.log(JSON.stringify(status, null, 2));
+    const backupPath = codexLbChatgptBackupPath();
+    const backupPresent = await exists(backupPath);
+    if (json) return console.log(JSON.stringify({ ...status, chatgpt_backup_present: backupPresent, chatgpt_backup_path: backupPath }, null, 2));
     console.log('SKS codex-lb\n');
     console.log(`Configured: ${status.ok ? 'yes' : 'no'}`);
     console.log(`Selected:   ${status.selected ? 'yes' : 'no'}`);
@@ -1149,10 +1151,71 @@ async function codexLbCommand(action = 'status', args = []) {
     console.log(`Codex App auth: ${status.provider_requires_openai_auth ? 'yes' : 'missing'}`);
     console.log(`Env file:   ${status.env_file ? status.env_path : 'missing'}`);
     if (status.base_url) console.log(`Base URL:   ${status.base_url}`);
+    console.log(`ChatGPT backup: ${backupPresent ? `yes (${backupPath})` : 'no'}`);
     if (status.ok && !status.selected) console.log('\nRun: sks codex-lb repair to activate codex-lb for Codex App.');
     else if (!status.ok && status.base_url && status.env_key_configured) console.log('\nRun: sks codex-lb repair to restore the upstream codex-lb provider block.');
     else if (!status.ok) console.log('\nRun: sks codex-lb setup --host <domain> --api-key <key>');
     else console.log('\nRepair provider auth: sks codex-lb repair');
+    if (backupPresent) console.log('Switch back to ChatGPT OAuth login: sks codex-lb release');
+    return;
+  }
+  if (sub === 'release') {
+    const result = await releaseCodexLbAuthHold({
+      keepProvider: flag(args, '--keep-provider'),
+      deleteBackup: flag(args, '--delete-backup'),
+      force: flag(args, '--force')
+    });
+    if (result.status === 'no_backup' || result.status === 'auth_in_use' || result.status === 'failed') process.exitCode = 1;
+    if (json) return console.log(JSON.stringify(result, null, 2));
+    if (result.status === 'released') {
+      console.log('codex-lb auth released: ChatGPT OAuth blob restored.');
+      console.log(`Auth:   ${result.auth_path}`);
+      console.log(`Backup: ${result.backup_removed ? 'removed' : result.backup_path}`);
+      console.log(`Provider unselected: ${result.provider_unselected ? 'yes' : 'no'}`);
+      if (result.provider_error) console.log(`Provider unselect warning: ${result.provider_error}`);
+      console.log('\nLaunch Codex App / `codex` and complete the ChatGPT browser login if prompted.');
+      return;
+    }
+    if (result.status === 'already_chatgpt') {
+      console.log('codex-lb auth release: auth.json already carries ChatGPT OAuth tokens — nothing to restore.');
+      console.log(`Auth:   ${result.auth_path}`);
+      console.log(`Backup: ${result.backup_path}`);
+      console.log(`Provider unselected: ${result.provider_unselected ? 'yes' : 'no'}`);
+      if (result.provider_error) console.log(`Provider unselect warning: ${result.provider_error}`);
+      return;
+    }
+    if (result.status === 'no_backup') {
+      console.error(`codex-lb auth release: no ChatGPT OAuth backup found at ${result.backup_path}.`);
+      if (result.reason === 'backup_not_oauth') console.error('The backup file is present but does not contain a ChatGPT OAuth token blob — refusing to clobber auth.json.');
+      else console.error('Run `sks codex-lb repair` after a fresh ChatGPT login to recreate a backup, or `sks codex-lb unselect` to leave codex-lb off without touching auth.json.');
+      process.exitCode = 1;
+      return;
+    }
+    if (result.status === 'auth_in_use') {
+      console.error(`codex-lb auth release refused: ${result.auth_path} does not look like the codex-lb apikey shape. Re-run with --force to overwrite, or back up auth.json yourself first.`);
+      process.exitCode = 1;
+      return;
+    }
+    console.error(`codex-lb auth release failed: ${result.status}${result.error ? `: ${result.error}` : ''}`);
+    process.exitCode = 1;
+    return;
+  }
+  if (sub === 'unselect') {
+    const result = await unselectCodexLbProvider();
+    if (result.status === 'failed') process.exitCode = 1;
+    if (json) return console.log(JSON.stringify(result, null, 2));
+    if (result.status === 'unselected') {
+      console.log('codex-lb unselected. Codex CLI/App will fall back to the default OpenAI provider.');
+      console.log(`Config: ${result.config_path}`);
+      console.log('Re-engage codex-lb with: sks codex-lb repair');
+      return;
+    }
+    if (result.status === 'not_selected') {
+      console.log('codex-lb is not selected — nothing to do.');
+      return;
+    }
+    console.error(`codex-lb unselect failed: ${result.status}${result.error ? `: ${result.error}` : ''}`);
+    process.exitCode = 1;
     return;
   }
   if (sub === 'health' || sub === 'verify-chain' || sub === 'chain') {
@@ -1205,7 +1268,7 @@ async function codexLbCommand(action = 'status', args = []) {
     console.log(`Key env: ${result.env_path}`);
     return;
   }
-  console.error('Usage: sks codex-lb status|health|repair|setup --host <domain> --api-key <key> [--json]');
+  console.error('Usage: sks codex-lb status|health|repair|release [--keep-provider] [--delete-backup] [--force]|unselect|setup --host <domain> --api-key <key> [--json]');
   process.exitCode = 1;
 }
 
@@ -2007,6 +2070,11 @@ function readFlagValue(args, name, fallback) {
 }
 
 async function selftest() {
+  // Force non-interactive mode for the entire selftest so any in-process call that hits
+  // canAskYesNo() (codex-lb provider-restore prompt, chain-failure prompt, etc.) takes the
+  // non-interactive fallback path instead of bubbling a live readline prompt up to the
+  // user's terminal (e.g. during `npm publish` -> prepublishOnly -> release:check -> selftest).
+  process.env.CI = 'true';
   const tmp = tmpdir();
   process.chdir(tmp);
   await initProject(tmp, {});

package/src/core/fsx.mjs

@@ -5,7 +5,7 @@ import os from 'node:os';
 import crypto from 'node:crypto';
 import { spawn } from 'node:child_process';
 
-export const PACKAGE_VERSION = '0.9.2';
+export const PACKAGE_VERSION = '0.9.6';
 export const DEFAULT_PROCESS_TAIL_BYTES = 256 * 1024;
 export const DEFAULT_PROCESS_TIMEOUT_MS = 30 * 60 * 1000;