fix(cli): serialize Codex OAuth refresh across processes #10758
cooper-oai wants to merge 3 commits into
Code Review Summary
Status: No Issues Found | Recommendation: Merge
The new commit ( Both previously flagged issues are on files that were removed or had their Kilo-specific content extracted; they are effectively resolved by the relocation.
Files Reviewed (8 files)
Reviewed by claude-sonnet-4.6 · 308,757 tokens
Review guidance: REVIEW.md from base branch
@codex review
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 14cc0e76c3
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
@codex review
Codex Review: Didn't find any major issues. 👍
Issue
Fixes #10757
Context
Kilo already coalesces simultaneous Codex OAuth refreshes inside one process and can recover from some cross-process 401 races after another process persists rotated credentials. Separate Kilo processes still had a window where both could submit the same single-use refresh token before either persisted the replacement.
Implementation
Serialize the Codex refresh transaction with Kilo's existing heartbeat-backed Flock utility. The lock is acquired before re-reading stored auth and held through the token POST and rotated credential persistence, so waiters adopt the winner's valid credential without posting the old refresh token again.
The refresh POST now sends User-Agent: kilo/<version> for attribution. The existing in-process pending map and post-401 recovery remain in place as fast paths and defense in depth.
Screenshots / Video
N/A: no visual changes.
How to Test
Manual/local verification
Executed by the agent:
- bun install --frozen-lockfile
- cd packages/opencode && bun run typecheck
- cd packages/opencode && bun test ./test/kilocode/codex-auth-refresh.test.ts ./test/kilocode/oauth-branding.test.ts ./test/plugin/codex.test.ts
- User-Agent: kilo/<version> on the OAuth refresh POST.
- cd packages/core && bun test ./test/util/flock.test.ts
- bun run script/check-opencode-annotations.ts
- bunx changeset status --output /tmp/kilo-changeset-status.json
- bun run lint
Reviewer test steps
- cd packages/opencode && bun test ./test/kilocode/codex-auth-refresh.test.ts ./test/kilocode/oauth-branding.test.ts ./test/plugin/codex.test.ts.
- cd packages/core && bun test ./test/util/flock.test.ts.
- cd packages/opencode && bun run typecheck.
Blocked checks and substitute verification
Checklist
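The refresh transaction outlined under Implementation, as a deterministic model added here for illustration (not code from this PR or from Kilo): two simulated processes hold the same stale credential and are interleaved step by step, first without and then with a lock held from the re-read through persistence. Every name is hypothetical; a shared object stands in for the stored auth file and the Flock lock.

```typescript
// Constructed model, not Kilo's code: every name here is hypothetical.
type Cred = { access: string; refresh: string }
type Endpoint = { valid: string; posts: number }      // token endpoint state
type Shared = { cred: Cred; lockedBy: string | null } // stands in for auth file + lock file
// Single-use refresh tokens: a successful POST rotates the token, a replay is rejected.
function post(srv: Endpoint, refresh: string): Cred {
  srv.posts++
  if (refresh !== srv.valid) throw new Error("invalid_grant")
  srv.valid = `r${srv.posts}`
  return { access: `a${srv.posts}`, refresh: srv.valid }
}

// One process's refresh. Each `yield` is a point where the other process may run.
function* refresh(id: string, stale: Cred, s: Shared, srv: Endpoint, lock: boolean): Generator<void, Cred> {
  if (lock) {
    while (s.lockedBy !== null) yield // wait for the current holder
    s.lockedBy = id
  }
  try {
    const stored = s.cred // re-read stored auth (under the lock, when locking)
    yield
    if (stored.refresh !== stale.refresh) return stored // already rotated: adopt, no POST
    const next = post(srv, stored.refresh)
    yield // window between the token POST and persisting the rotation
    s.cred = next
    return next
  } finally {
    if (lock) s.lockedBy = null
  }
}

// Round-robin two processes that both start from the same stale credential.
function race(lock: boolean) {
  const stale: Cred = { access: "a0", refresh: "r0" }
  const s: Shared = { cred: stale, lockedBy: null }
  const srv: Endpoint = { valid: "r0", posts: 0 }
  const procs = ["A", "B"].map((id) => ({ gen: refresh(id, stale, s, srv, lock), out: "" }))
  while (procs.some((p) => p.out === "")) {
    for (const p of procs.filter((q) => q.out === "")) {
      try {
        const r = p.gen.next()
        if (r.done) p.out = r.value.access
      } catch (e) {
        p.out = (e as Error).message
      }
    }
  }
  return { posts: srv.posts, outcomes: procs.map((p) => p.out), stored: s.cred.refresh }
}
```

`race(false)` reproduces the window the description mentions: both processes POST the old token and the second is rejected. `race(true)` results in a single POST, with the waiter adopting the rotated credential.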