ndycode
diff --git a/‎README.md‎
Lines changed: 3 additions & 3 deletions b/‎README.md‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎docs/README.md‎
Lines changed: 5 additions & 4 deletions b/‎docs/README.md‎
Lines changed: 5 additions & 4 deletions
diff --git a/‎docs/releases/v1.2.3.md‎
Lines changed: 53 additions & 0 deletions b/‎docs/releases/v1.2.3.md‎
Lines changed: 53 additions & 0 deletions
diff --git a/‎index.ts‎
Lines changed: 5 additions & 0 deletions b/‎index.ts‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎lib/preemptive-quota-scheduler.ts‎
Lines changed: 1 addition & 1 deletion b/‎lib/preemptive-quota-scheduler.ts‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎package-lock.json‎
Lines changed: 2 additions & 2 deletions b/‎package-lock.json‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎package.json‎
Lines changed: 1 addition & 1 deletion b/‎package.json‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎scripts/codex.js‎
Lines changed: 70 additions & 23 deletions b/‎scripts/codex.js‎
Lines changed: 70 additions & 23 deletions
diff --git a/‎test/accounts.test.ts‎
Lines changed: 0 additions & 1 deletion b/‎test/accounts.test.ts‎
Lines changed: 0 additions & 1 deletion
@@ -308,9 +308,9 @@ codex auth doctor --json
 
 ## Release Notes
 
-- Current stable: [docs/releases/v1.2.2.md](docs/releases/v1.2.2.md)
-- Previous stable: [docs/releases/v1.2.1.md](docs/releases/v1.2.1.md)
-- Earlier stable: [docs/releases/v1.2.0.md](docs/releases/v1.2.0.md)
+- Current stable: [docs/releases/v1.2.3.md](docs/releases/v1.2.3.md)
+- Previous stable: [docs/releases/v1.2.2.md](docs/releases/v1.2.2.md)
+- Earlier stable: [docs/releases/v1.2.1.md](docs/releases/v1.2.1.md)
 - Archived prerelease: [docs/releases/v0.1.0-beta.0.md](docs/releases/v0.1.0-beta.0.md)
 
 ## License
 
@@ -23,9 +23,10 @@ Public documentation for `codex-multi-auth`.
 | [configuration.md](configuration.md) | Stable defaults, precedence, and environment overrides |
 | [architecture.md](architecture.md) | Public system overview of the wrapper, storage, and optional plugin runtime |
 | [privacy.md](privacy.md) | Data handling and local storage behavior |
-| [releases/v1.2.2.md](releases/v1.2.2.md) | Stable release notes |
-| [releases/v1.2.1.md](releases/v1.2.1.md) | Previous stable release notes |
-| [releases/v1.2.0.md](releases/v1.2.0.md) | Earlier stable release notes |
+| [releases/v1.2.3.md](releases/v1.2.3.md) | Stable release notes |
+| [releases/v1.2.2.md](releases/v1.2.2.md) | Previous stable release notes |
+| [releases/v1.2.1.md](releases/v1.2.1.md) | Earlier stable release notes |
+| [releases/v1.2.0.md](releases/v1.2.0.md) | Archived stable release notes |
 | [releases/v0.1.7.md](releases/v0.1.7.md) | Archived stable release notes |
 | [releases/v0.1.6.md](releases/v0.1.6.md) | Archived stable release notes |
 | [releases/v0.1.5.md](releases/v0.1.5.md) | Archived stable release notes |
@@ -51,7 +52,7 @@ Public documentation for `codex-multi-auth`.
 | [reference/storage-paths.md](reference/storage-paths.md) | Canonical and compatibility storage paths |
 | [reference/public-api.md](reference/public-api.md) | Public API stability and semver contract |
 | [reference/error-contracts.md](reference/error-contracts.md) | CLI, JSON, and helper error semantics |
-| [releases/v1.2.2.md](releases/v1.2.2.md) | Current stable release notes |
+| [releases/v1.2.3.md](releases/v1.2.3.md) | Current stable release notes |
 | [releases/v0.1.0-beta.0.md](releases/v0.1.0-beta.0.md) | Archived prerelease reference |
 | [Daily Use release notes](#daily-use) | Stable, previous, and archived release notes |
 | [releases/legacy-pre-0.1-history.md](releases/legacy-pre-0.1-history.md) | Archived pre-0.1 changelog history |
 
@@ -0,0 +1,53 @@
+# Release v1.2.3
+
+Release line: `stable`
+
+This release supersedes the open `main`-target PR wave with one rebuilt, validated integration branch.
+
+## Scope
+
+- Current package version in `package.json` is `1.2.3`.
+- Canonical command family remains `codex auth ...`.
+- Canonical package name remains `codex-multi-auth`.
+- The release branch rebuild starts from `origin/main` commit `cbce5f5c3c5588c08a388d600306366ccb95a6a7`.
+
+## What Changed
+
+- remediated the `audit:ci` dependency findings and refreshed the lockfile on current `main`
+- fixed ready-first account ordering, including the menu auto-refresh race that could re-skip a later refresh
+- hardened the Codex wrapper compatibility path so unsupported reasoning-effort config is rewritten correctly, staged auth state syncs back before cleanup, and cleanup-failure tests do not rely on source rewriting
+- fixed usage-limit cooldown persistence across account state, fallback 429 handling, and quota scheduling without dropping secondary quota state
+- carried forward the config validation, unified-settings backup recovery, and flagged-backup recovery hardening from the older config/storage PR lane
+
+## Included PR Lanes
+
+- `#351` `chore: remediate audit-ci dependency findings`
+- `#352` `fix ready-first account ordering regressions`
+- `#353` `fix codex wrapper compatibility handling`
+- `#354` `fix usage-limit cooldown persistence`
+- `#344` `fix config validation and flagged backup recovery`
+
+## Superseded PR Stack
+
+- `#344` `fix config validation and flagged backup recovery`
+- `#351` `chore: remediate audit-ci dependency findings`
+- `#352` `fix ready-first account ordering regressions`
+- `#353` `fix codex wrapper compatibility handling`
+- `#354` `fix usage-limit cooldown persistence`
+
+## Validation
+
+- `npm run lint`
+- `npm run typecheck`
+- `npm test -- --pool=threads --maxWorkers=1`
+- `npm run build`
+- `npm run clean:repo:check`
+- `npm run audit:ci`
+- Full suite passed: `222/222` files, `3292/3292` tests
+
+## Related
+
+- [../getting-started.md](../getting-started.md)
+- [../upgrade.md](../upgrade.md)
+- [../reference/commands.md](../reference/commands.md)
+- [../reference/public-api.md](../reference/public-api.md)
@@ -2148,6 +2148,11 @@ export const OpenAIOAuthPlugin: Plugin = async ({ client }: PluginInput) => {
 																if (!fallbackResponse.ok) {
 																	const { response: handledFallbackResponse, rateLimit: fallbackRateLimit } =
 																		await handleErrorResponse(fallbackResponse);
+																	try {
+																		await fallbackResponse.body?.cancel();
+																	} catch {
+																		// Best-effort only; the error body has already been read.
+																	}
 																	if (handledFallbackResponse.status === 429) {
 																		const retryAfterMs =
 																			fallbackRateLimit?.retryAfterMs ?? 60_000;
 
@@ -224,7 +224,7 @@ export class PreemptiveQuotaScheduler {
 				usedPercent: 100,
 				resetAtMs: nextResetAtMs,
 			},
-			secondary: {},
+			secondary: existing?.secondary ? { ...existing.secondary } : {},
 			updatedAt: Math.max(existing?.updatedAt ?? 0, now),
 		});
 	}
 
@@ -1,6 +1,6 @@
 {
 	"name": "codex-multi-auth",
-	"version": "1.2.2",
+	"version": "1.2.3",
 	"description": "Multi-account OAuth manager and codex auth wrapper for the official @openai/codex CLI, with switching, health checks, and recovery tools",
 	"main": "./dist/index.js",
 	"types": "./dist/index.d.ts",
 
@@ -9,6 +9,7 @@ import {
 	mkdtempSync,
 	readFileSync,
 	rmSync,
+	statSync,
 	writeFileSync,
 } from "node:fs";
 import { createRequire } from "node:module";
@@ -21,6 +22,11 @@ import { normalizeAuthAlias, shouldHandleMultiAuthAuth } from "./codex-routing.j
 
 const RETRYABLE_SHADOW_HOME_CLEANUP_CODES = new Set(["EBUSY", "EPERM", "ENOTEMPTY"]);
 const SHADOW_HOME_CLEANUP_BACKOFF_MS = [20, 60, 120];
+const SHADOW_HOME_STATE_FILES = ["auth.json", "accounts.json", ".codex-global-state.json"];
+let shadowHomeCleanupBusyFailuresRemaining = Number.parseInt(
+	process.env.CODEX_MULTI_AUTH_TEST_SHADOW_CLEANUP_BUSY_FAILURES ?? "0",
+	10,
+);
 
 function isRetryableShadowHomeCleanupError(error) {
 	const code = error && typeof error === "object" && "code" in error ? error.code : undefined;
@@ -37,6 +43,12 @@ function sleepSync(ms) {
 function removeDirectoryWithRetry(targetPath) {
 	for (let attempt = 0; attempt <= SHADOW_HOME_CLEANUP_BACKOFF_MS.length; attempt += 1) {
 		try {
+			if (shadowHomeCleanupBusyFailuresRemaining > 0) {
+				shadowHomeCleanupBusyFailuresRemaining -= 1;
+				const error = new Error("simulated busy cleanup");
+				error.code = "EBUSY";
+				throw error;
+			}
 			rmSync(targetPath, { recursive: true, force: true });
 			return;
 		} catch (error) {
@@ -477,21 +489,19 @@ function resolveOriginalMultiAuthDir(env) {
 	return undefined;
 }
 
-function createCompatibilityCodexHome(rawArgs, baseEnv = process.env) {
-	const { args: nextArgs, requestedModel } = rewriteReasoningConfigArgs(rawArgs);
+function createCompatibilityCodexHome(
+	processedArgs,
+	requestedModel,
+	baseEnv = process.env,
+) {
 	if (!requestedModel) {
-		return { args: nextArgs, env: baseEnv, cleanup: undefined };
-	}
-
-	const xhighCompatEffort = coerceReasoningEffortForModel(requestedModel, "xhigh");
-	if (xhighCompatEffort === "xhigh") {
-		return { args: nextArgs, env: baseEnv, cleanup: undefined };
+		return { args: processedArgs, env: baseEnv, cleanup: undefined };
 	}
 
 	const originalCodexHome = resolveCodexHomeDir(baseEnv);
 	const configPath = join(originalCodexHome, "config.toml");
 	if (!existsSync(configPath)) {
-		return { args: nextArgs, env: baseEnv, cleanup: undefined };
+		return { args: processedArgs, env: baseEnv, cleanup: undefined };
 	}
 
 	const rawConfig = readFileSync(configPath, "utf8");
@@ -500,7 +510,7 @@ function createCompatibilityCodexHome(rawArgs, baseEnv = process.env) {
 		requestedModel,
 	);
 	if (compatConfig === rawConfig) {
-		return { args: nextArgs, env: baseEnv, cleanup: undefined };
+		return { args: processedArgs, env: baseEnv, cleanup: undefined };
 	}
 
 	const shadowCodexHome = mkdtempSync(join(tmpdir(), "codex-multi-auth-home-"));
@@ -518,11 +528,34 @@ function createCompatibilityCodexHome(rawArgs, baseEnv = process.env) {
 			// Best-effort only; permission semantics vary by platform.
 		}
 	};
+	const syncShadowHomeStateBack = () => {
+		for (const name of SHADOW_HOME_STATE_FILES) {
+			const shadowPath = join(shadowCodexHome, name);
+			if (!existsSync(shadowPath)) {
+				continue;
+			}
+
+			try {
+				const shadowStats = statSync(shadowPath);
+				const originalPath = join(originalCodexHome, name);
+				if (existsSync(originalPath)) {
+					const originalStats = statSync(originalPath);
+					if (originalStats.isFile() && originalStats.mtimeMs > shadowStats.mtimeMs) {
+						continue;
+					}
+				}
+				copyFileSync(shadowPath, originalPath);
+				tightenShadowHomePermissions(originalPath);
+			} catch {
+				// Best-effort only; runtime auth refreshes should not fail cleanup.
+			}
+		}
+	};
 	try {
 		const compatConfigPath = join(shadowCodexHome, "config.toml");
 		writeFileSync(compatConfigPath, compatConfig, "utf8");
 		tightenShadowHomePermissions(compatConfigPath);
-		for (const name of ["auth.json", "accounts.json", ".codex-global-state.json"]) {
+		for (const name of SHADOW_HOME_STATE_FILES) {
 			const sourcePath = join(originalCodexHome, name);
 			if (existsSync(sourcePath)) {
 				const destinationPath = join(shadowCodexHome, name);
@@ -534,6 +567,10 @@ function createCompatibilityCodexHome(rawArgs, baseEnv = process.env) {
 		cleanup();
 		throw error;
 	}
+	const cleanupWithSync = () => {
+		syncShadowHomeStateBack();
+		cleanup();
+	};
 
 	const forwardedEnv = {
 		...baseEnv,
@@ -545,23 +582,30 @@ function createCompatibilityCodexHome(rawArgs, baseEnv = process.env) {
 	}
 
 	return {
-		args: nextArgs,
+		args: processedArgs,
 		env: forwardedEnv,
-		cleanup,
+		cleanup: cleanupWithSync,
 	};
 }
 
 function buildForwardArgs(rawArgs) {
-	const { args: compatibilityArgs } = rewriteReasoningConfigArgs(rawArgs);
+	const { args: compatibilityArgs, requestedModel } = rewriteReasoningConfigArgs(rawArgs);
 	const forceFileAuthStore = (process.env.CODEX_MULTI_AUTH_FORCE_FILE_AUTH_STORE ?? "1").trim() !== "0";
-	if (!forceFileAuthStore) return compatibilityArgs;
-	if (hasCliAuthCredentialsStoreOverride(compatibilityArgs)) return compatibilityArgs;
+	if (!forceFileAuthStore) {
+		return { args: compatibilityArgs, requestedModel };
+	}
+	if (hasCliAuthCredentialsStoreOverride(compatibilityArgs)) {
+		return { args: compatibilityArgs, requestedModel };
+	}
 
-	return [
-		...compatibilityArgs,
-		"-c",
-		'cli_auth_credentials_store="file"',
-	];
+	return {
+		args: [
+			...compatibilityArgs,
+			"-c",
+			'cli_auth_credentials_store="file"',
+		],
+		requestedModel,
+	};
 }
 
 function normalizeExitCode(value) {
@@ -919,8 +963,11 @@ async function main() {
 	}
 
 	await autoSyncManagerActiveSelectionIfEnabled();
-	const forwardArgs = buildForwardArgs(rawArgs);
-	const compatibility = createCompatibilityCodexHome(forwardArgs);
+	const { args: forwardArgs, requestedModel } = buildForwardArgs(rawArgs);
+	const compatibility = createCompatibilityCodexHome(
+		forwardArgs,
+		requestedModel,
+	);
 	return forwardToRealCodex(
 		realCodexBin,
 		compatibility.args,
 
@@ -3221,7 +3221,6 @@ describe("AccountManager", () => {
           expires: now + 3600000,
         });
 
-<<<<<<< HEAD
         expect(account.accountId).toBe("account-enriched");
         expect(account.email).toBe("enriched@example.com");
         expect(getRuntimeAccountIdentityKey(account)).toBe(
Original file line number	Diff line number	Diff line change
`@@ -224,7 +224,7 @@ export class PreemptiveQuotaScheduler {`
`224`	`224`	`usedPercent: 100,`
`225`	`225`	`resetAtMs: nextResetAtMs,`
`226`	`226`	`},`
`227`		`- secondary: {},`
	`227`	`+ secondary: existing?.secondary ? { ...existing.secondary } : {},`
`228`	`228`	`updatedAt: Math.max(existing?.updatedAt ?? 0, now),`
`229`	`229`	`});`
`230`	`230`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "codex-multi-auth",`
`3`		`- "version": "1.2.2",`
	`3`	`+ "version": "1.2.3",`
`4`	`4`	`"description": "Multi-account OAuth manager and codex auth wrapper for the official @openai/codex CLI, with switching, health checks, and recovery tools",`
`5`	`5`	`"main": "./dist/index.js",`
`6`	`6`	`"types": "./dist/index.d.ts",`