v6.3.1

What's Changed

Security

• Bump hono 4.12.18 → 4.12.23 (#168) to clear four moderate advisories (GHSA-f577-qrjj-4474, GHSA-3hrh-pfw6-9m5x, GHSA-xrhx-7g5j-rcj5, GHSA-2gcr-mfcq-wcc3), all fixed upstream in 4.12.21. hono is a transitive dependency of @openauthjs/openauth (peer ^4.0.0), pinned via overrides.
  • npm audit --omit=dev: 0 vulnerabilities (was 2 moderate).
  • No source change — hono is used only inside @openauthjs/openauth's OAuth flow.

Full test suite: 2487 passing. Build / typecheck / lint clean.

v6.3.0

What's Changed

Added

• Mask account emails across all display surfaces (#164) — maskEmail now applies to command output, the interactive auth menu, delete/refresh confirmations, the standalone login menu, the interactive account picker, and runtime rotation/auth-failure messages, not just the TUI quota status. Raw emails remain only in opt-in --includeSensitive JSON.

Fixed

• 16 deep-audit findings (#165) — data-loss, rotation, redaction, and concurrency bugs:
  • Transient refresh failures (network/5xx) no longer trigger permanent account removal.
  • Keychain load no longer swallows forward-compat (UNSUPPORTED_SCHEMA_VERSION / V2) errors.
  • Workspace-deactivation removes only the deactivated workspace, not refresh-token siblings.
  • Refresh-token rotation propagates to sibling org-variant accounts.
  • runAccountCheck / email hydration writes are transactional (no lost updates).
  • Health/token-bucket/backoff trackers remap on account removal (no misattributed rotation state).
  • Token-bucket depletion rotates instead of aborting the whole pool.
  • Empty-response retry actually retries (was a no-op 503 for single-account).
  • retry_after_ms vs retry_after scaled correctly.
  • Stream-stall/SSE exceptions refund the token and rotate.
  • codex-diff redaction is key-aware (opaque tokens no longer leak).
  • Flagged storage uses the keychain when CODEX_KEYCHAIN=1.
  • Logger masks emails domain-preserving and adds cookie headers to the sensitive set.

Internal

• Deep stress suite (#166) — property-based and concurrency tests for the audited subsystems, each mutation-verified.

Full test suite: 2487 passing.

v6.2.0

Minor release bundling two feature PRs plus review polish.

Added

• TUI email masking (#160) — opt-in masking of the active account email in the prompt quota status and the quota details dialog. Config keys: maskEmail, maskEmailInQuotaDetails. Env overrides: CODEX_TUI_MASK_EMAIL, CODEX_TUI_MASK_EMAIL_DETAILS. Both default to off, so existing output is unchanged.

Fixed

• Workspace-specific usage quotas (#161) — codex-limits and the TUI now deduplicate usage accounts by workspace identity (accountId + organizationId) before falling back to the refresh token, so multiple ChatGPT workspaces sharing a single login each show their own quota row. The freshest credential per workspace is queried; disabled and identity-less accounts are skipped; resolveCodexUsageActiveAccount no longer throws on sparse account slots.
• Test isolation (#161) — rotation integration tests flush and dispose their managers before teardown, so debounced saves can no longer leak fixture accounts into the real local account store.

Internal

• Corrected inverted dedupe-direction comments; the #161 marker-recovery test now genuinely exercises the deduped-out-active path; added explicit maskEmail: false coverage for formatPromptStatusText.
• Synced the stale .release-please-manifest.json (6.0.0 → 6.2.0).

Full Changelog: v6.1.10...v6.2.0

v6.1.10

v6.1.10

Added

• Added marketplace-ready plugin icon metadata via .codex-plugin/plugin.json interface.composerIcon.
• Added packaged assets/icon.svg for Codex marketplace display.
• Added standalone terminal diagnostics under the existing oc-codex-multi-auth bin:
  • doctor
  • status
  • list
  • limits
  • dashboard
  • health --json
  • diag

Fixed

• Fixed OAuth scope gating so normal OpenAI OAuth accounts only require baseline scopes: openid, profile, email, and offline_access.
• Stopped connector-specific scopes from disabling otherwise valid OAuth logins.
• Collapsed duplicate personal workspace/token account entries from the same login identity.
• Preserved safe installer behavior while making unknown standalone commands fail with help instead of silently installing.

Validation

• npm run typecheck
• npm run lint
• Focused Vitest suite: 302 tests passed
• Full Vitest suite: 85 files passed, 2381 passed, 1 skipped
• npm run build
• npm run audit:ci
• npm pack --dry-run
• npm publish --dry-run
• Packed tarball install smoke against real local account state
• Real OpenCode plugin session verified codex-status tool execution

npm

• Published: oc-codex-multi-auth@6.1.10
• Dist tag: latest

v6.1.9

v6.1.9 - 2026-05-11

Fixed

• Legacy Codex selectors such as gpt-5.2-codex, gpt-5.3-codex, and Spark now recover from entitlement-gated gpt-5-codex responses by falling back through the GPT-5.4 family.
• Default fallback now continues from gpt-5.4 to gpt-5.4-mini and gpt-5.4-nano only when the chain started from gpt-5.5 or canonical gpt-5-codex, preserving strict behavior for direct GPT-5.4 selections.
• Unsupported-model troubleshooting and configuration docs now document the canonical Codex fallback path and the CODEX_AUTH_DISABLE_CODEX_AUTO_FALLBACK=1 opt-out.
• Current dependency security alert follow-ups are resolved.

v6.1.8

v6.1.8 - 2026-04-29

Fixed

• Local npm link installs now run the CLI wrapper correctly by resolving symlinked bin paths before direct-execution detection.
• Current audit validation follow-ups are resolved, including refreshed docs parity coverage.
• Request filtering now defaults missing or null function_call.arguments values to {} before forwarding.

v6.1.7

v6.1.7 - 2026-04-25

Added

• OpenCode TUI prompt status plugin that shows the active Codex quota during sessions, including real response-header quota updates, account-aware display, color thresholds, and a quota details command.
• Daily npm update detection now clears the OpenCode-managed plugin cache on exit when a newer package version is available, so restarting OpenCode installs the latest plugin automatically.

Changed

• The installer now manages OpenCode tui.json alongside the main plugin config so the TUI status module is available from the published package.
• TUI startup keeps the home prompt clean and only shows quota status inside active sessions.
• Added an autoUpdate config option and CODEX_AUTH_AUTO_UPDATE=0 environment override for users who prefer manual update prompts.

Fixed

• Quota status cache writes no longer block the request response path and coalesce rapid duplicate writes.
• Account switching clears stale TUI quota state so the next session reflects the selected account.
• Multi-account quota status now follows the actual account used by the latest request, including non-codex model families, so real response-header quota snapshots are not filtered out as stale.

v6.1.3

Summary

• Published oc-codex-multi-auth@6.1.3 to npm with the latest dist-tag.
• Added explicit GPT-5.5 Fast aliases and scoped GPT-5.5 -> GPT-5.4 auto-fallback.
• Removed GPT-5.5 Pro routing/config entries because GPT-5.5 Pro is ChatGPT-only, not Codex.
• Fixed unsupported-model pool exhaustion messaging and the Auth import typecheck regression.

Verification

• npm run typecheck
• npm publish
• PR #142 merged
• PR #143 merged

v6.1.2

GPT-5.5 Compatibility Patch

This release publishes the GPT-5.5 2026-04-23 compatibility update as version 6.1.2.

• Adds GPT-5.5 2026-04-23 release presets in the shipped OpenCode config templates.
• Activates GPT-5.5 2026-04-23 across runtime model routing.
• Aligns runtime model mapping with the new release family.
• Falls back cleanly when GPT-5.5 is unavailable upstream.

v6.1.1

Minor Compatibility and Stability Release

This release carries retry-path hardening for non-5xx upstream failures plus the release metadata required to publish the patch cleanly. Read the summary below before upgrading or publishing.

• Retries structured service_unavailable_error and server_is_overloaded payloads as server faults instead of misclassifying them as rate limits.
• Preserves overload retry_after backoff when the account pool is exhausted, including single-account configurations.
• Retries live upstream server_error payloads on non-5xx responses.
• Stabilizes merged retry regression coverage and publishes the resulting patch as 6.1.1.

Commit Summary

• 536bc49 chore(release): prepare v6.1.1
• c151a21 test(retry): reset module state between server retry regression cases
• 512a4da Merge branch pr-139-open into release/pr137-pr139
• 2fafba6 Merge branch pr-137-open into release/pr137-pr139

Thank you to 1 community contributor:

• @sdip15fa:
  • original structured overload retry lane merged through #137