fix(accounts): key imported credentials by workspace

[Komzpa]

Summary

• key imported ChatGPT credentials by workspace when the upstream token exposes a workspace identity
• persist workspace label and seat type as account-slot metadata across import, OAuth, token refresh, and account summaries
• guard usage refresh so a payload from another workspace or an unknown conflicting plan cannot overwrite or deactivate the stored slot
• update account UI copy to show credential slots instead of implying one email equals one account

Validation

• make test-unit
• make frontend-test
• uv run pytest tests/unit/test_usage_updater.py tests/integration/test_accounts_api_extended.py tests/integration/test_oauth_flow.py tests/integration/test_accounts_api.py tests/integration/test_repositories.py tests/integration/test_migrations.py -q
• uv run ruff check app/core/auth app/core/usage app/db/alembic/versions/20260531_000000_add_account_workspace_identity.py app/modules/accounts app/modules/oauth app/modules/usage tests/unit/test_usage_updater.py tests/integration/test_accounts_api_extended.py
• uv run ty check app/core/auth app/core/usage app/modules/accounts app/modules/oauth app/modules/usage
• uv run openspec validate fix-account-workspace-identity --strict
• bun run test src/features/accounts/schemas.test.ts src/features/settings/components/routing-settings.test.tsx
• bun run typecheck
• git diff --check

Fixes #355

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: a81c814b7b

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[Komzpa]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c03317ba4b

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[Komzpa]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4acd470e95

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[Komzpa]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 7760f45c23

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[Komzpa]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 847d9263fc

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[Komzpa]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: af2cd5ec4a

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[Komzpa]

@codex review

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. Keep them coming!

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[Soju06]

Hermes owner-review blocker for PR #865:

1. AuthManager.refresh_account() can mutate an existing account row into a different workspace slot without re-keying or conflict checks. The new import/OAuth path keys credentials by (chatgpt_account_id, workspace_id) (app/modules/accounts/service.py, app/modules/oauth/service.py, AccountsRepository.upsert_account_slot()), but refresh writes result.workspace_id / workspace_label / seat_type back to the same account.id via update_tokens() (app/modules/accounts/auth_manager.py:223-241, app/modules/accounts/repository.py:290-326). If a refresh response reports another workspace, the row keeps the old primary key/history but now claims the new workspace; if another row already exists for that workspace there is no DB uniqueness guard to stop duplicate active slots. Please either only backfill workspace metadata when currently null, reject/log/no-op on non-null workspace mismatch, or route the change through an explicit slot migration/upsert with conflict/history policy and a regression test.

2. Merge-gate issue coverage is missing. The PR body/commit do not include Fixes #N / Closes #N, and GitHub reports no closing issue reference. Per this repo's merge gates, please add a valid linked issue/closure wording or have the maintainer explicitly waive that gate.

Non-blocking follow-up: the usage-refresh mismatch guard currently returns fetch_succeeded=False, so a deterministic workspace/plan mismatch may be retried every refresh pass instead of being cached/cooldowned as a non-transient identity mismatch (app/modules/usage/updater.py:347-361).

[Komzpa]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 734455abdb

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[Soju06]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f6b74456fa

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[Soju06]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f5e5bf18b9

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[Soju06]

@codex review

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. Hooray!

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".