fix(auth): align OpenCode import replay with current contracts

[ndycode]

Summary

• Stacked PR on fresh/17-health-summary-dashboard
• Reopens the preserved OpenCode import-adapter slice from archived PR #82

What Changed

• Replays the OpenCode import path on top of the cleaned health-summary base and aligns the login flow, import eligibility checks, and storage behavior with the current restore contracts.
• Keeps filesystem details redacted in assessment and import failure paths, blocks self-import against the active storage file, and preserves the non-fatal login loop when Windows filesystem races or locks interrupt import work.
• Adds coverage for the homedir-only detection fallback, the pre-redacted invalid-assessment shape used in production, and the user docs wording that now names OpenCode explicitly and documents CODEX_OPENCODE_POOL_PATH.

Validation

• cmd /c npm test -- test/storage.test.ts -t "opencode account pool detection"
• cmd /c npm test -- test/codex-manager-cli.test.ts -t "OpenCode"
• cmd /c npm test -- test/documentation.test.ts
• npm run lint
• npm run typecheck
• npm run build
• cmd /c npm test

Docs and Governance Checklist

• README updated (if user-visible behavior changed)
• docs/getting-started.md updated (if onboarding flow changed)
• docs/features.md updated (if capability surface changed)
• relevant docs/reference/* pages updated (if commands/settings/paths changed)
• docs/upgrade.md updated (if migration behavior changed)
• SECURITY.md and CONTRIBUTING.md reviewed for alignment

Risk and Rollback

• Risk level: medium
• Rollback plan: revert the PR merge commit or reset fresh/18-import-adapter-opencode back to fresh/17-health-summary-dashboard

Additional Notes

• This PR is intended to stay reviewable on top of fresh/17-health-summary-dashboard, not main.
• The import path is intentionally defensive against transient Windows filesystem locks: assessment is wrapped, import execution stays non-fatal to the login loop, and the failure path is covered by the EPERM import regression in test/codex-manager-cli.test.ts.
• Latest head: e6e235a.

note: greptile review for oc-chatgpt-multi-auth. cite files like lib/foo.ts:123. confirm regression tests + windows concurrency/token redaction coverage.

Greptile Summary

this pr replays the opencode import-adapter slice on top of the health-summary base, wiring assessOpencodeAccountPool and importAccounts into the runAuthLogin loop as a new import-opencode mode. the core mechanics — detection fallback order, explicit CODEX_OPENCODE_POOL_PATH override that short-circuits auto-detection, self-import guard (present in both assessOpencodeAccountPool and importAccounts as defense-in-depth), basename path redaction in the ui, and non-fatal error handling via try/catch around both the assessment and the action panel — are all correctly implemented and align with the existing restore-backup patterns.

• most issues from the previous review threads are resolved: assessment throws are caught, assessment.error is pre-formatted in loadBackupCandidate, basename is used for the confirmation prompt and action subtitle, wouldExceedLimit has its own distinct message, the explicit env override now returns null instead of silently falling back, and the homedir test sets both HOME and USERPROFILE to cover posix and windows.
• assessment.error (already the output of formatRedactedFilesystemError as stored in loadBackupCandidate) is passed through formatRedactedFilesystemError a second time in codex-manager.ts:4452-4454 — this is idempotent for current fixtures but fragile by design; logging the value directly is safer.
• two vitest gaps remain: no test selects mode: "import-opencode" when the pool is absent (the "No OpenCode account pool was detected." path), and no test confirms the loop continues silently when the user declines the confirmation prompt — both are relevant to windows filesystem transient-lock scenarios.

Confidence Score: 3/5

• safe to merge with low risk once the double-format fragility is addressed and two coverage gaps are filled
• the core import flow is sound and the critical issues from previous review threads (uncaught throws, path leakage, silent env override fallback, generic limit message) are all resolved. the remaining concerns are a design inconsistency in error formatting that is currently idempotent but fragile, and two untested code paths relevant to windows filesystem race conditions — sufficient to warrant a small follow-up before merge
• lib/codex-manager.ts (double formatRedactedFilesystemError), test/codex-manager-cli.test.ts (missing null-pool and declined-confirmation coverage)

Important Files Changed

Filename	Overview
lib/codex-manager.ts	adds the import-opencode branch to runAuthLogin: assessment is try/caught, path leaks are redacted via basename, wouldExceedLimit has its own message, and import failures stay non-fatal. one design inconsistency: assessment.error (already formatted by formatRedactedFilesystemError in loadBackupCandidate) is passed through the formatter a second time.
lib/storage.ts	adds detectOpencodeAccountPoolPath (explicit env override short-circuits auto-detection and returns null when file is missing), assessOpencodeAccountPool, equalsResolvedStoragePath (case-insensitive on win32), self-import guard in importAccounts, and promotes formatRedactedFilesystemError to public export. all throw paths are now guarded in callers.
test/codex-manager-cli.test.ts	adds six new OpenCode import scenarios including EPERM regression, limit rejection, invalid assessment redaction, and assessment-throw recovery. missing coverage for the null-pool-detected path ("No OpenCode account pool was detected.") and the user-declining-confirmation path.
test/storage.test.ts	adds integration tests for detectOpencodeAccountPoolPath and assessOpencodeAccountPool: explicit override, missing explicit path, homedir fallback (sets both HOME and USERPROFILE — posix and windows covered), malformed source, and self-import rejection. self-import guard in importAccounts is also covered.

Sequence Diagram

sequenceDiagram
    participant U as User
    participant CM as codex-manager (runAuthLogin)
    participant S as storage.ts
    participant FS as Filesystem

    U->>CM: selects "import-opencode"
    CM->>S: assessOpencodeAccountPool({ currentStorage })
    S->>S: detectOpencodeAccountPoolPath()
    Note over S: checks CODEX_OPENCODE_POOL_PATH first,<br/>falls back to LOCALAPPDATA/APPDATA/homedir
    S->>FS: existsSync(candidatePath)
    FS-->>S: exists / not found
    S->>S: equalsResolvedStoragePath(path, activeStoragePath)
    alt path is active storage file
        S-->>CM: throws "Import source cannot be the active storage file."
        CM->>U: console.error(redacted label)
    else no pool found
        S-->>CM: null
        CM->>U: "No OpenCode account pool was detected."
    else pool found
        S->>FS: loadBackupCandidate(resolvedPath)
        FS-->>S: candidate (error already formatRedactedFilesystemError'd)
        S->>S: buildBackupFileMetadata + assessNamedBackupRestoreCandidate
        S-->>CM: BackupRestoreAssessment
        alt not valid / not eligible
            CM->>U: assessment.error or generic message
        else wouldExceedLimit
            CM->>U: limit message with counts
        else eligible
            CM->>U: confirm("Import OpenCode accounts from <basename>?")
            U-->>CM: confirmed true/false
            alt declined
                CM->>U: (returns to menu)
            else confirmed
                CM->>S: importAccounts(assessment.backup.path)
                S->>S: equalsResolvedStoragePath guard (second check)
                S->>FS: readFile + merge accounts
                FS-->>S: merged result
                S-->>CM: { imported, skipped, total }
                CM->>U: success log
            end
        end
    end

Loading

Prompt To Fix All With AI

This is a comment left during a code review.
Path: lib/codex-manager.ts
Line: 4452-4454

Comment:
**double `formatRedactedFilesystemError` on a pre-formatted string**

`assessment.error` is stored by `loadBackupCandidate` as the output of `formatRedactedFilesystemError(error)` (see `storage.ts:2828`). passing that already-formatted string back through `formatRedactedFilesystemError` here treats a `string` as a raw `unknown` error object — the code path `error instanceof Error ? error.message : String(error)` degrades to `String(assessment.error)`, then applies `redactFilesystemDetails` a second time.

it's idempotent for the current test fixtures (paths are already stripped to basename), but if a formatted message ever matches the filesystem regex pattern the redaction would fire twice and could corrupt the string. since the value is already safe, just log it directly:

```suggestion
				const assessmentErrorLabel = assessment.error
					? assessment.error
					: "OpenCode account pool is not importable.";
```

How can I resolve this? If you propose a fix, please make it concise.

---

This is a comment left during a code review.
Path: test/codex-manager-cli.test.ts
Line: 1018-1085

Comment:
**missing vitest coverage: null pool detection and declined confirmation**

two code paths in the `import-opencode` branch have no dedicated test case:

1. **null pool** (`codex-manager.ts:4447-4449`) — `assessOpencodeAccountPool` returns `null` when no file is found, producing `"No OpenCode account pool was detected."`. the global `beforeEach` default sets this mock to `null`, but no test selects `mode: "import-opencode"` with that default to assert the console message and `continue` behavior.

2. **confirmation declined** (`codex-manager.ts:4468-4469`) — when `confirmed === false` the flow silently continues back to the menu. no test calls `confirmMock.mockResolvedValueOnce(false)` after a valid assessment to verify `importAccountsMock` is not called and the loop continues.

both are windows-filesystem-risk surfaces (a locked file could cause null detection on the second attempt), so confirming the non-fatal loop behavior matters. recommend adding two tests alongside the existing block.

How can I resolve this? If you propose a fix, please make it concise.

_{Last reviewed commit: "test(auth): cover HO..."}

[chatgpt-codex-connector]

Codex usage limits have been reached for code reviews. Please check with the admins of this repo to increase the limits by adding credits.
Credits must be used to enable repository wide code reviews.

[coderabbitai]

📝 Walkthrough

Walkthrough

adds opencode account pool detection and import capability to the login flow. users can now discover a companion app's account pool on the same machine, assess its contents, and import accounts via a new menu option instead of creating fresh oauth sessions.

Changes

Cohort / File(s)	Summary
Documentation docs/getting-started.md	clarifies recovery import option for users with companion app pools on the same machine.
CLI Mode Extension lib/cli.ts	adds "import-opencode" mode to LoginMode union and wires promptLoginMode switch to handle the new action type.
Storage Layer: Detection & Assessment lib/storage.ts	introduces detectOpencodeAccountPoolPath() to find pool via env (CODEX_OPENCODE_POOL_PATH), windows standard locations (LOCALAPPDATA/APPDATA), or home directory; adds assessOpencodeAccountPool(options) to validate and assess a detected pool for import eligibility. note: duplicate declaration of assessOpencodeAccountPool appears in file.
Manager: Type Aliases & Login Flow lib/codex-manager.ts	refactors public type aliases (NamedBackupAssessment, NamedBackupEntry, RotatingBackupEntry) to use storage-exported types; imports new storage functions (assessOpencodeAccountPool, importAccounts) and settings utilities; adds runAuthLogin handler for "import-opencode" mode with assessment, confirmation prompt, account import, and error logging.
UI: Menu & Copy lib/ui/auth-menu.ts, lib/ui/copy.ts	adds import-opencode action variant to AuthMenuAction union; wires authMenuFocusKey to resolve focus for new action; injects yellow-labeled menu item in Recovery section; adds "Import OpenCode Accounts" copy string to mainMenu.
Tests: Manager & Storage test/codex-manager-cli.test.ts, test/storage.test.ts	adds 224 lines covering opencode import flow (success/failure paths, prompt behavior); adds 83 lines testing detection and assessment (valid pool, malformed pool, env scaffolding). test mocks for assessOpencodeAccountPool and importAccounts wired in codex-manager test suite.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant AuthMenu as Auth Menu UI
    participant CLI as CLI Prompt
    participant Storage as Storage Layer
    participant Manager as Manager
    participant Settings as Settings Hub

    User->>AuthMenu: select "Import OpenCode Accounts"
    AuthMenu->>CLI: trigger import-opencode action
    CLI->>Manager: runAuthLogin(mode: "import-opencode")
    Manager->>Storage: detectOpencodeAccountPoolPath()
    Storage-->>Manager: pool path (or null)
    Manager->>Storage: assessOpencodeAccountPool(path)
    Storage-->>Manager: BackupRestoreAssessment
    Manager->>CLI: prompt for import confirmation
    CLI->>User: confirm import?
    User-->>CLI: yes/no
    alt Import Confirmed
        Manager->>Storage: importAccounts(path)
        Storage-->>Manager: import results
        Manager->>Settings: applyUiThemeFromDashboardSettings()
        Manager->>Settings: configureUnifiedSettings()
        Manager->>Settings: resolveMenuLayoutMode()
        Settings-->>Manager: settings applied
        Manager-->>User: accounts imported
    else Import Cancelled
        Manager-->>User: cancelled
    end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

notes for review:

• lib/storage.ts:detectOpencodeAccountPoolPath() relies on windows env vars (LOCALAPPDATA, APPDATA) and home directory fallback; verify this handles windows path normalization correctly and doesn't assume forward slashes on windows systems.
• lib/storage.ts declares assessOpencodeAccountPool twice; confirm this is intentional or consolidate the duplicate export.
• lib/codex-manager.ts:runAuthLogin() calls importAccounts without explicit verification that the pool assessment indicates import eligibility; trace the gating logic in the "import-opencode" case.
• test/codex-manager-cli.test.ts mocks storage layer but doesn't test concurrency (e.g., concurrent import calls or pool mutations during assessment); consider edge case if pool is modified between detectOpencodeAccountPoolPath and importAccounts.
• no regression tests visible for existing named/rotating backup paths; ensure type alias changes (NamedBackupEntry, RotatingBackupEntry) don't break existing backup flows.
• windows edge case: pool path detection via home directory may not align with standard opencode install paths on windows; verify LOCALAPPDATA/APPDATA checks cover all expected locations.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	title follows conventional commits format with fix type, auth scope, and lowercase imperative summary under 72 chars.
Description check	✅ Passed	PR description comprehensively covers summary, what changed, validation steps completed, docs checklist with explicit checkboxes, risk/rollback, and notes about branch stacking intent.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fresh/18-import-adapter-opencode

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch fresh/18-import-adapter-opencode

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

Reintroduces and aligns the OpenCode account-pool import flow with the current restore/import contracts, updating detection, CLI recovery menu wiring, tests, and onboarding docs.

Changes:

• Add OpenCode account pool path detection + restore-style assessment helpers in storage.
• Add a Recovery menu action to preview/confirm importing OpenCode accounts via CLI.
• Extend storage/CLI tests and update getting-started guidance for the recovery import path.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
test/storage.test.ts	Adds detection/assessment coverage for OpenCode pool sources and malformed inputs.
test/codex-manager-cli.test.ts	Adds CLI flow coverage for the “import-opencode” recovery path.
lib/ui/copy.ts	Adds UI copy label for the new recovery menu item.
lib/ui/auth-menu.ts	Adds a new AuthMenuAction and menu item for importing OpenCode accounts.
lib/storage.ts	Implements pool-path detection and assessment built on existing restore-candidate logic.
lib/codex-manager.ts	Wires the new recovery import action into the login dashboard flow.
lib/cli.ts	Extends LoginMode + prompt mapping to include “import-opencode”.
docs/getting-started.md	Documents the recovery import option for companion/OpenCode pools.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[ndycode]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[ndycode]

@coderabbitai resolve

[coderabbitai]

Actionable comments posted: 9

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/getting-started.md`:
- Around line 85-86: Update the sentence in docs/getting-started.md to
explicitly name the dashboard item "Import OpenCode Accounts" (so users can find
it in the login dashboard), and add companion documentation changes:
create/modify upgrade notes documenting this behavior change and list any new or
changed npm scripts (if any were introduced) so README, SECURITY, and docs/**
remain consistent with the CLI flags and workflows; reference the dashboard item
"Import OpenCode Accounts" and the upgrade notes and npm scripts sections when
making the edits.

In `@lib/cli.ts`:
- Around line 65-66: The fallback flow is missing a branch to parse the new
"import-opencode" interactive option, so update promptLoginModeFallback in
lib/cli.ts to accept and map both "i" and "import-opencode" (and
full-word/short-letter variants like "I"/"import-opencode") to the same login
mode value used by the interactive menu; then add a vitest regression that calls
promptLoginModeFallback with inputs "i" and "import-opencode" (and optionally
"I") asserting the returned mode equals the expected import-opencode mode.
Ensure any other parsing helper used by promptLoginModeFallback is updated
consistently (e.g., the same enum/constant used by the interactive menu) so
fallback and interactive paths produce identical results.

In `@lib/codex-manager.ts`:
- Around line 4375-4383: After calling importAccounts inside the runActionPanel
callback (the block using runActionPanel and importAccounts with
assessment.backup.path), ensure the Codex auth/active account selection is
refreshed: after the import completes and before finishing the action, call the
module/method that updates Codex auth state (e.g., a function like
syncCodexActiveSelection, refreshCodexAuthState, or whatever existing Codex
manager method you have) so the active Codex account reflects newly imported
accounts and the UI/auth state is refreshed; if no such helper exists, add one
that reads current account storage and sets the active selection accordingly and
invoke it right after the imported result is logged.
- Around line 4374-4389: The import flow calls importAccounts from
lib/codex-manager.ts inside runActionPanel without handling transient filesystem
locks (EBUSY/EPERM) that can be raised by fs.readFile in lib/storage.ts; add
retry logic around the read in importAccounts (or wrap the importAccounts call
here) to retry on EBUSY/EPERM with a small backoff and limited attempts, and add
a vitest regression in test/codex-manager-cli.test.ts that simulates fs.readFile
throwing EBUSY/EPERM once (then succeeding) to assert the import still
completes; reference the importAccounts function and the fs.readFile behavior in
lib/storage.ts when implementing the retry and update tests accordingly.

In `@lib/storage.ts`:
- Around line 2072-2099: The detectOpencodeAccountPoolPath function adds
candidate paths from appDataBases and homedir without normalizing them, causing
cwd-dependent behavior for relative APPDATA/LOCALAPPDATA values; update
detectOpencodeAccountPoolPath to resolve each candidate before adding/probing
(use resolvePath on values passed to join for entries added from appDataBases
and the homedir entry that uses ACCOUNTS_FILE_NAME), keep the existing explicit
env resolution logic, and add a Vitest regression that sets relative
APPDATA/LOCALAPPDATA (and a relative homedir) to verify the function returns the
resolved absolute path when the target file exists; reference
detectOpencodeAccountPoolPath, ACCOUNTS_FILE_NAME, resolvePath, join, and
existsSync when updating code and tests.

In `@test/codex-manager-cli.test.ts`:
- Around line 1018-1146: Add two deterministic regression tests to
test/codex-manager-cli.test.ts targeting runCodexMultiAuthCli: one that mocks
importAccountsMock to throw filesystem errors with error.code set to "EBUSY" and
"EPERM" (use mockRejectedValueOnce(new Error("...")) then set the code property)
and assert the CLI handles them like other login paths (exit code 0,
importAccountsMock called, and an error message containing "Import failed" or
similar via console.error spy); and a second that reproduces the in-flight
concurrency race by making importAccountsMock return a promise that first
rejects with an "in-flight" error (or a rejection) and then resolves on retry
(e.g., mockRejectedValueOnce then mockResolvedValueOnce) and assert
runCodexMultiAuthCli returns to the dashboard (exit 0), promptLoginModeMock
called the expected number of times, and importAccountsMock was
retried—reference the existing mocks assessOpencodeAccountPoolMock,
importAccountsMock, promptLoginModeMock, confirmMock, and the
runCodexMultiAuthCli invocation to place these new tests consistent with the
surrounding tests.
- Around line 1169-1229: The parameterized test currently invokes "auth
restore-backup" instead of exercising the fresh/reset actions and then checking
that a subsequent "auth login" does not show the startup restore prompt; update
the test to call runCodexMultiAuthCli with the deliberate action under test (use
the existing action mocks deleteSavedAccountsMock or resetLocalStateMock via
runCodexMultiAuthCli(["auth", "<appropriate-action>"]) or call the helper that
triggers those code paths), then invoke runCodexMultiAuthCli(["auth", "login"])
in the same session and assert promptLoginModeMock was not called and
confirmMock was called once (instead of running
restore-backup/restoreNamedBackupMock). Reference runCodexMultiAuthCli,
deleteSavedAccountsMock, resetLocalStateMock, promptLoginModeMock, confirmMock
to locate and change the two-step flow in the test so it matches the test title.

In `@test/storage.test.ts`:
- Around line 4794-4840: Add a deterministic race-regression test that simulates
the file changing between detection and assessment: after writing a valid pool
JSON to poolPath and calling detectOpencodeAccountPoolPath() (to verify
detection still returns poolPath), immediately mutate the file (e.g., overwrite
poolPath with "not valid json" or unlink it) before calling
assessOpencodeAccountPool(), then assert assessOpencodeAccountPool() reports
backup.valid === false, eligibleForRestore === false, imported === null and that
loadAccounts() remains unchanged; use the same helpers
detectOpencodeAccountPoolPath, assessOpencodeAccountPool, poolPath and
loadAccounts, await fs promises to keep the test deterministic under vitest and
perform the atomic overwrite/unlink between detect and assess to reproduce the
race.
- Around line 4769-4818: Add deterministic Windows-specific regression tests:
add one test where process.env.LOCALAPPDATA is deleted (or set to undefined),
process.env.APPDATA is set to tempRoot and platform pinned to Windows if your
test harness supports it, then write the pool file and assert
detectOpencodeAccountPoolPath() returns the APPDATA-derived pool path and
assessOpencodeAccountPool() reports valid/eligible/imported; add another test
that sets process.env.CODEX_OPENCODE_POOL_PATH to an explicit custom path
(different from APPDATA/LOCALAPPDATA), write the pool file there, and assert
detectOpencodeAccountPoolPath() prefers that path and
assessOpencodeAccountPool() uses it. Reference symbols:
detectOpencodeAccountPoolPath, assessOpencodeAccountPool,
CODEX_OPENCODE_POOL_PATH, poolPath, tempRoot.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: d19acb00-4c4d-427e-932a-354039727a90

📥 Commits

Reviewing files that changed from the base of the PR and between 6decea7 and a0602f2.

📒 Files selected for processing (8)

• docs/getting-started.md
• lib/cli.ts
• lib/codex-manager.ts
• lib/storage.ts
• lib/ui/auth-menu.ts
• lib/ui/copy.ts
• test/codex-manager-cli.test.ts
• test/storage.test.ts

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Greptile Review

🧰 Additional context used

📓 Path-based instructions (3)

docs/**

⚙️ CodeRabbit configuration file

keep README, SECURITY, and docs consistent with actual CLI flags and workflows. whenever behavior changes, require updated upgrade notes and mention new npm scripts.

Files:

• docs/getting-started.md

lib/**

⚙️ CodeRabbit configuration file

focus on auth rotation, windows filesystem IO, and concurrency. verify every change cites affected tests (vitest) and that new queues handle EBUSY/429 scenarios. check for logging that leaks tokens or emails.

Files:

• lib/cli.ts
• lib/ui/auth-menu.ts
• lib/ui/copy.ts
• lib/codex-manager.ts
• lib/storage.ts

test/**

⚙️ CodeRabbit configuration file

tests must stay deterministic and use vitest. demand regression cases that reproduce concurrency bugs, token refresh races, and windows filesystem behavior. reject changes that mock real secrets or skip assertions.

Files:

• test/storage.test.ts
• test/codex-manager-cli.test.ts

🔇 Additional comments (7)

lib/ui/copy.ts (1)

19-19: good menu copy addition

lib/ui/copy.ts:19 (line 19) cleanly adds the recovery label and matches the new action id used elsewhere.

lib/ui/auth-menu.ts (1)

73-73: action wiring is consistent

lib/ui/auth-menu.ts:73, lib/ui/auth-menu.ts:528, and lib/ui/auth-menu.ts:694 (line 73, line 528, line 694) correctly wire the new action through type union, focus identity, and recovery menu rendering.

Also applies to: 528-528, 694-698

lib/storage.ts (1)

2469-2496: assessment flow reuse looks solid

lib/storage.ts:2469 (line 2469) reuses loadBackupCandidate and assessNamedBackupRestoreCandidate, so dedupe/limit/preview behavior stays aligned with existing restore contracts. no new concurrency risk is introduced in this path.

test/storage.test.ts (1)

16-23: imports are aligned with the new storage api surface.

good update in test/storage.test.ts:16-23; the new tests consume both additions cleanly.

test/codex-manager-cli.test.ts (1)

17-19: nice wiring for the new storage api mocks.

the new assessOpencodeAccountPool and importAccounts mocks are exported and reset consistently, which keeps this suite isolated and deterministic. test/codex-manager-cli.test.ts:17-19, test/codex-manager-cli.test.ts:146-148, test/codex-manager-cli.test.ts:643-684

Also applies to: 146-148, 643-684

lib/codex-manager.ts (2)

65-91: import and type wiring looks consistent with current contracts.

lib/codex-manager.ts:65-91 and lib/codex-manager.ts:103-107 are clean: new storage/settings symbols are correctly imported and used.

Also applies to: 103-107

---

4759-4761: type alias migration is clean and keeps the local api stable.

lib/codex-manager.ts:4759-4761 correctly maps to storage metadata/assessment types without changing downstream usage.

[coderabbitai]

✅ Actions performed

Comments resolved and changes approved.