Skip to content

CHANGELOG.md

Latest commit

 

History

History
223 lines (152 loc) · 13.7 KB

CHANGELOG.md

File metadata and controls

223 lines (152 loc) · 13.7 KB

Changelog

All notable changes to this project are documented in this file. Dates use ISO format (YYYY-MM-DD).

This repository's current stable release line is 1.x. Current stable release notes live in docs/releases/. This top-level changelog preserves the foundational 0.x milestones and points older iteration history to docs/releases/legacy-pre-0.1-history.md.

[Unreleased]

1.3.0 - 2026-04-17

Phase 1 post-audit hardening: 20 focused PRs + 7 audit-fix commits + 1 follow-up PR (#413). 3527 tests (+182 from v1.2.7). Zero breaking changes, one opt-in flag (routingMutex). See docs/releases/v1.3.0.md for full details.

Added

  • routingMutex plugin config flag (PR-N / R4) with values "enabled" | "legacy" (default "legacy"). When "enabled", cursor-mutation sites in the account pool (markSwitchedLocked, markAccountCoolingDownLocked, setActiveIndexLocked) are serialized through a promise-chain async mutex in lib/routing-mutex.ts, closing the TOCTOU race described in design items D-02/D-09. The flag defaults to "legacy" for one full release cycle so existing deployments see zero behavior change; users can opt in via settings or the CODEX_AUTH_ROUTING_MUTEX=enabled environment variable. A new SelectionRecord type is threaded out of the rotation decision path so the fetch loop can hand structured selection metadata to observability, why-selected, and failure-policy consumers.
  • codex auth why-selected [--now|--last] [--json] diagnostic command surfacing per-candidate hybrid scoring breakdown (PR-P).
  • codex auth verify [--paths|--flagged|--all] [--json] self-test command walking the storage path resolution chain and exercising the resolvePath() sandbox (PR-P). verify-flagged retained as back-compat alias.
  • Zod safeParseJson<T>(raw, schema, context) helper; 12 storage-read sites migrated to schema-validated JSON parsing with AnyAccountStorageSchema as authoritative normalizer (PR-L / AUDIT-M20).
  • New types exported: SelectionRecord, HybridSelectionCandidateTrace, HybridSelectionTraceResult, FlaggedAccountStorageV1Schema, AccountsJournalEntrySchema.
  • docs/audits/MASTER_AUDIT.md + docs/audits/evidence/findings-index.json published (PR #393).
  • Phase 1 regression suite locking in audit invariants (PKCE S256, state entropy, SSE failover) (PR-S / AUDIT-L01).

Changed

  • resolvePath() now rejects lookalike-prefix paths (e.g. HomeX vs Home/) via path.relative() comparison, closing a sandbox-escape class (PR-A / AUDIT-C1 / AUDIT-H1).
  • OAuth URLs redacted in user-facing login output to prevent token leakage through clipboard or terminal scrollback (PR-B / AUDIT-H4).
  • OAuth callback host unified through AUTH_REDIRECT SSOT (127.0.0.1:1455) across bind, copy, and HTML; 4 duplicate hardcoded sites removed (PR-C / AUDIT-H5 / M14 / M30).
  • Hybrid selector now returns null when no accounts are available instead of a stale fallback (PR-D / AUDIT-H2).
  • Short-429 retry marks the account unavailable BEFORE the retry sleep, closing a TOCTOU race between two requests targeting the same rate-limited account (PR-E / AUDIT-H3).
  • Active-account pointer normalized on disable/remove; residual removeAccount last-in-family dangle resolved in follow-up #413 (PR-F / #413 / AUDIT-H10).
  • Recovery storage migrated to atomic write + retry-safe delete pattern; atomic write migration completed for injectTextPart / prependThinkingPart; renameSync retries on EBUSY/EPERM (PR-H / audit-fix f877c85 / AUDIT-M01).
  • Account-clear ordering writes the reset marker BEFORE deletion and retries EPERM on read (PR-I / AUDIT-M04 / M05).
  • Per-project vs CLI-sync config conflict surfaced to the user instead of silently bypassing project-scoped isolation (PR-J / AUDIT-M09).
  • Malformed SSE JSON chunks surface as structured warnings instead of silent buffer drops; 10MB buffer cap documented; deprecation/sunset headers logged uniformly across success and failure paths (PR-K / AUDIT-H9 / M16 / M18 / M34).
  • lib/codex-manager/settings-hub.ts (808 LOC) split into 5 focused sub-modules under lib/codex-manager/settings-hub/ (dashboard, backend, experimental, shared, index), each <500 LOC; original file retained as a 9-line re-export stub for test compatibility (PR-M / AUDIT-M24 / G-01 / JN-03).
  • getAccountHealth() now reads the tracker directly; field-name drift vs ManagedAccount documented (PR-O / AUDIT-M08 / D-04).
  • npm run pack:check builds first; tests migrated to os.tmpdir(); 6 stray tmp* directories removed from repo root (PR-G / AUDIT-H7 / M31).
  • Dual-linter scope documented: ESLint in lint-staged, Biome manual, CI enforcement via ci.yml + pr-ci.yml; husky prepare hook side effect documented (PR-T / audit-fix d9f7253 / AUDIT-M21 / M22 / M23 partial).
  • lib/AGENTS.md staleness fixed; docs/reference/storage-paths.md deriveProjectKey typo corrected (PR-Q / AUDIT-H8 / M32 / L04).

Rollout plan

  • v1.3.0: routingMutex shipped with default "legacy". Advanced users opt in via config or env.
  • v1.4.0: evaluate enablement based on telemetry and flip default to "enabled".

[0.1.8] - 2026-03-11

Fixed

  • Hardened flagged-account reset recovery so intentional clears remain authoritative even when the primary flagged file survives an initial delete failure.
  • Removed the fresh-worktree npm test dependency on prebuilt dist/ output by validating config precedence directly from source imports.
  • Tightened model-matrix smoke classification so unsupported account/runtime capabilities are reported as non-blocking skips instead of false release failures.
  • Restored backup metadata, restore assessment, and transaction-safe named backup export behavior after merging the experimental settings and backend primitive stacks.

Changed

  • Codex CLI sync remains mirror-only, preserving canonical multi-auth storage as the single source of truth while still allowing mirror-file selection updates.
  • Experimental settings flows, backend primitive extraction, and wrapper non-TTY docs now ship in the stable branch.
  • Release validation now includes broader merged-feature regression coverage spanning unified settings, flagged reset suppression, mirror-only Codex CLI sync, experimental sync, named backup export, and wrapper/docs behavior.

Added

  • Cross-feature regression coverage for merged release behavior in test/release-main-prs-regression.test.ts.
  • Preview-first oc-chatgpt-multi-auth sync orchestration, named backup export flows, and target-detection coverage promoted from the stacked settings/sync branches.

0.1.7 - 2026-03-03

Fixed

  • Hardened Windows global command routing so multi-auth survives stock Codex npm shim takeovers across codex.bat, codex.cmd, and codex.ps1.
  • Strengthened account recovery by promoting discovered real backups when the primary storage file is synthetic fixture data.
  • Hardened Codex auth sync writes by including complete token shape (access_token, refresh_token, id_token) in active account payloads.

Changed

  • Added invocation-path-first shim resolution and stock-shim signature replacement to reduce stale launcher routing on Windows.
  • Added PowerShell profile guard installation so new PowerShell sessions keep resolving codex to the multi-auth wrapper.

Added

  • Visible package version in the dashboard header (Accounts Dashboard (vX.Y.Z)).

0.1.6 - 2026-03-03

Fixed

  • Improved runtime path selection when account storage is available only through recovery artifacts.
  • Added backup discovery recovery so non-standard backup files can restore openai-codex-accounts.json automatically.
  • Aligned Codex CLI sync default paths with CODEX_HOME to prevent auth writes from going to a different profile directory.
  • Hardened switch-sync reporting so account switches fail fast when required Codex auth persistence does not complete.

Changed

  • Multi-auth now treats backup and WAL signals as valid storage indicators during runtime directory selection.

0.1.5 - 2026-03-03

Fixed

  • Removed forced process.exit(...) from wrapper entrypoints to prevent Windows libuv shutdown assertions after codex auth commands.
  • Updated model-matrix execution for current Codex CLI behavior (exec, non-interactive JSON mode, no deprecated run or --port flow).
  • Tightened model-matrix result classification to avoid false negatives from permissive output text matching.

Changed

  • Windows .cmd matrix execution now resolves to the Node script entry where possible, preventing shell argument flattening issues.

Added

  • Regression coverage for .cmd wrapper resolution and matrix script helper behavior under Windows path formats.

0.1.4 - 2026-03-03

Fixed

  • Stabilized codex auth switch <index> and host sync reporting so local multi-auth selection remains deterministic under sync failures.
  • Hardened refresh token normalization and refresh queue stale or timeout recovery paths.

Added

  • Expanded regression coverage across auth, refresh queue reliability, docs integrity, retry or backoff handling, and CLI routing.

0.1.3 - 2026-03-03

Fixed

  • codex auth switch <index> now succeeds locally even when Codex host-state sync is unavailable.
  • Removed false-negative switch failures in environments where Codex no longer exposes JSON sync files (accounts.json and auth.json).
  • Clarified switch output to explicitly state local multi-auth routing remains active when host sync cannot be completed.

Added

  • CLI regression coverage for local-switch success when Codex auth sync returns unavailable or failure.

0.1.2 - 2026-03-03

Fixed

  • Added staged rotating backup recovery and startup cleanup for stale *.bak(.N).rotate.*.tmp artifacts.
  • Added retry and backoff around staged backup rename commits to tolerate transient Windows locks.
  • Removed invalid filesystem retry codes and constrained backup-copy retries to real Node filesystem errors.
  • Hardened Windows home resolution order and HOMEPATH normalization to avoid drive-relative paths.
  • Fixed account storage identity handling across worktree branch changes and covered realpath fallback branches.

Changed

  • Backup rotation now stages candidate snapshots before commit, preserving historical chain integrity if latest-copy fails.
  • Recovery path now prioritizes WAL then backup candidates with deterministic .bak -> .bak.1 -> .bak.2 cascade.
  • Storage recovery paths and rotation tests expanded for parallel ordering and failure-mode determinism.

Added

  • Regression coverage for .bak.2 fallback when newer backups are unreadable.
  • Regression coverage for transient EPERM and EBUSY retry branches in backup copy and staged rename flows.
  • Startup cleanup path for orphaned rotating backup staging artifacts.

0.1.1 - 2026-03-01

Fixed

  • OAuth callback host canonicalized to 127.0.0.1:1455 across auth constants and user-facing guidance.
  • Account email dedup is now case-insensitive via normalizeEmailKey() (trim + lowercase).
  • codex bin wrapper lazy-loads auth runtime so clean global installs avoid early module-load failures.
  • Per-project account storage is shared across linked Git worktrees via resolveProjectStorageIdentityRoot.
  • Legacy worktree-keyed accounts auto-migrate to canonical repo-shared storage, while legacy files are retained on persist failure.
  • Windows filesystem safety: removeWithRetry with EBUSY, EPERM, and ENOTEMPTY backoff added to scripts/repo-hygiene.js and test cleanup.
  • Stream failover tests use fake timers for deterministic assertions.
  • Coverage gate stabilized by excluding integration-heavy files and adding targeted branch tests.

Changed

  • CLI settings hub extracted from lib/codex-manager.ts into lib/codex-manager/settings-hub.ts.
  • Settings panel Q hotkey changed from save-and-back to cancel without save; theme live-preview restores baseline on cancel.
  • Documentation architecture updated to dual-track navigation for operators and maintainers.
  • Command, settings, storage, privacy, and troubleshooting references aligned for stronger runtime parity.
  • Governance templates upgraded for production-grade issue and PR hygiene.
  • auth fix help text now shows --live and --model flags.

Added

  • scripts/repo-hygiene.js for deterministic repo cleanup and hygiene checks.
  • lib/storage/paths.ts for worktree identity resolution, commondir and gitdir validation, forged pointer rejection, and Windows UNC support.
  • Archived pre-0.1.0 historical changelog in docs/releases/legacy-pre-0.1-history.md.
  • docs/development/CLI_UI_DEEPSEARCH_AUDIT.md as the settings extraction audit trail.
  • PR template and modernized issue templates.
  • 87 test files and 2071 tests.

0.1.0 - 2026-02-27

Added

  • Stable Codex-first multi-account OAuth workflow.
  • Unified codex auth ... command family for login, switching, diagnostics, and reporting.
  • Dashboard settings hub and backend reliability controls.
  • Rotation and resilience modules for refresh, quota deferral, and failover.

Validation

  • npm run lint
  • npm run typecheck
  • npm test
  • npm run build

Legacy History

Historical entries from pre-0.1.0 internal iteration cycles are preserved in:

  • docs/releases/legacy-pre-0.1-history.md