v2.1.10

Runtime Rotation

Bugfixes

• Runtime pool exhaustion on no-account now resets volatile runtime trackers, reloads accounts from disk once, and retries selection even when stale in-memory circuit breakers are open. This prevents a long-lived proxy from staying wedged after disk state has recovered.
• Runtime proxy shutdown now flushes only the active account manager after a stale-state reload, avoiding stale-vs-fresh manager save races during close.
• Pinned-account hard-fail behavior remains preserved: unavailable pinned accounts still return the explicit pinned-account error instead of silently rotating.

Diagnostics

Improvements

• Pool-exhausted 503 responses include per-account runtime skip reasons and a targeted recovery hint.
• report and doctor now include persisted quota-cache inputs when computing forecast readiness, so quota-exhausted cache state cannot be reported as ready by those diagnostics.
• doctor keeps the forecast-runtime-alignment warning for disk/runtime divergence.
• rotation reset-runtime --json no longer clears runtime diagnostics if the app bind restart fails, preserving evidence needed for follow-up diagnosis.

Release Hygiene

Improvements

• The npm package now includes only runtime/install scripts instead of internal benchmark, audit, and maintenance scripts.
• Production dependency patch lines were refreshed (undici and zod) while keeping the published package on the current Node 18-compatible runtime line.
• Release index labels were corrected so older release-note rows are not shown as current stable.

Validation

• Published to npm as codex-multi-auth@2.1.10.
• npm run typecheck, npm run lint, npm test, npm run build, npm run pack:check, and production npm audit passed on the release checkout.
• Fresh npm install smoke verified codex-multi-auth@2.1.10 command/version/help/doctor/forecast/report/reset-runtime paths.

v2.1.9

CLI

Bugfixes

• codex-multi-auth login --device-auth no longer exits with Detected unsettled top-level await before the user can complete browser authorization. The polling sleep timer was being unref'd, which is correct for library/background callers but caused Node to exit during the foreground CLI flow. The CLI call site now opts in to a new keepAlive option on runDeviceAuthFlow so the event loop stays alive until polling resolves or the abort signal fires.
• codex-multi-auth login --device-auth, --manual, and --no-browser now run the requested transport even when the account pool already has entries. Previously the Accounts Dashboard menu intercepted login whenever any account was present, silently ignoring the explicit flag.
• Declining Add another account? after a successful explicit-mode add now exits cleanly. Previously the outer loginFlow loop would re-enter the same transport because the dashboard had been bypassed, trapping the user in a fresh sign-in prompt.
• Cancelling an explicit-mode sign-in (for example pressing Ctrl-C during browser/manual auth) now exits cleanly instead of falling back to a fresh transport invocation.
• Reaching ACCOUNT_LIMITS.MAX_ACCOUNTS (20) during an explicit-mode add now exits cleanly after printing the cap message. Previously the outer loop would silently start another sign-in session despite the cap.

Public API

Improvements

• DeviceAuthFlowOptions adds an optional keepAlive?: boolean field. Library and background consumers retain the previous behavior (sleep timers are unref'd so polling does not hold the event loop open). Foreground CLI callers can pass keepAlive: true to keep the loop alive while polling for completion. Abort handling stays correct in both modes: clearTimeout runs in the abort listener so the timer ref is always released on cancellation.

v2.1.8

CLI

Improvements

• Added codex-multi-auth unpin to clear the manual pin set by switch, bump affinityGeneration so the proxy invalidates session affinity on the next request, and resume hybrid rotation.
• codex-multi-auth status now surfaces the pinned account index and warns when the runtime is using a different account than the pin requests.
• codex-multi-auth switch <index> now writes pinnedAccountIndex that the proxy honors before session affinity, hybrid scoring, and pool fallback; best clears the pin.

Bugfixes

• status no longer prints Pinned: account NaN for corrupt pins; the guard tightens to Number.isInteger, shows the raw stored value, and points at unpin.

Runtime Rotation Proxy

Bugfixes

• Runtime rotation proxy now honors manual switch on the Codex Desktop app via a content-hash-keyed per-path read of the storage file; the pinned path is exempt from markSwitched/saveToDiskDebounced/syncCodexCliActiveSelectionForIndex.
• Session affinity no longer locks the desktop app to one account for 20 minutes; affinityGeneration bumps from switch/unpin/best trigger SessionAffinityStore.clearAll() before chooseAccount, including for the in-flight request.
• When the pinned account is unavailable, the proxy now returns HTTP 503 with error.code = codex_pinned_account_unavailable instead of silently rotating.
• AccountManager.buildStorageSnapshot no longer wipes pinnedAccountIndex/affinityGeneration on routine debounced saves; it refreshes from disk before serializing.
• Concurrent affinityGeneration increments across CLI processes are now atomic via Math.max(inMemory, disk) + 1.
• unpin now uses saveAccountsWithRetry so a transient Windows file lock cannot silently lose the user's intent.
• Replaced a synchronous busy-wait in readStorageMetaFromDisk with a single read plus per-path content-hash cache fallback that preserves the last snapshot on transient errors.
• Runtime rotation proxy storage cache is now a Map<string, StorageMetaSnapshot> keyed by absolute path, fixing cross-instance and cross-worker pin leakage.

2.1.7

Install / Uninstall

Improvements

• Added codex-multi-auth uninstall [--dry-run] [--json] [--clear-accounts] that reverses postinstall: unbinds Codex app rotation, removes OS launchers, strips the plugin entry from Codex.json, clears the node_modules cache, and conservatively deletes shared bun.lock only when no other Codex plugins remain.

Bugfixes

• Removed the dead preuninstall entry from package.json because npm@7+ no longer runs it; to uninstall fully, run codex-multi-auth uninstall then npm uninstall -g codex-multi-auth. scripts/preuninstall.js is preserved and still callable via node scripts/preuninstall.js.
• Dry-run uninstall now computes the bun.lock decision from the actual Codex.json plugin list.
• --clear-accounts warns and exits non-zero when no handler is wired.
• Dry-run uninstall preview no longer requires scripts/codex-app-launcher.js on disk.
• removePluginFromList pre-filters falsy entries with list.filter(Boolean).

Core

Bugfixes

• hydrateRuntimeEmails no longer collapses accounts sharing accountId === undefined into the same Map entry.
• restoreTopLevelModelProvider/restoreTopLevelResponseStorage now splice missing keys ahead of the first section header instead of producing invalid TOML.
• runFix, runHealthCheck, and forecast saveQuotaCache paths now downgrade transient EBUSY/EPERM to a partial-success warning via quotaCacheSaveError.
• withStorageLock now initializes releaseLock as a typed no-op.

Runtime Rotation Proxy

Bugfixes

• App-bind now requires router.state === "running" and a live PID before reusing existingState, so a dead router cannot trigger a config.toml rewrite.
• Stream-failover read promise is now hoisted before the soft/hard timeout split.

2.1.5

Core

Improvements

• Added manual-only update notices on startup for installed wrappers; no npm install or global package mutation.

Bugfixes

• Removed package-owned auto-update behavior and detached startup update checks from forwarded Codex launch paths.
• Stabilized update-notice package-root resolution across local Node versions and repo path layouts.

Runtime Rotation Proxy

Improvements

• Added runtime shadow-home isolation for Codex goal, log, and state SQLite files; user config, sessions, plugins, skills, and multi-auth state are preserved.

Bugfixes

• thread/goal/get proxy now returns { "goal": null } for recoverable upstream errors and exhausted account pools instead of noisy Codex TUI goal-read errors.
• Hardened runtime shadow-home startup around large or locked Codex logs_*.sqlite*/state_*.sqlite* files, stale generated dirs, Windows sidecars, casing, and atomic SQLite mirror cleanup.

2.1.4

Runtime Rotation Proxy

Bugfixes

• Codex TUI goal proxy now handles snake-case thread_id request bodies and local blocked-goal fallback responses.
• Workspace-disabled and deactivated accounts stay disabled and visible at runtime instead of being hidden by goal fallback.

2.1.3

Runtime Rotation Proxy

Bugfixes

• Wrapper-launched Codex sessions now repair session_index.jsonl after known thread-store write noise, with real session_meta evidence required and concurrent repairs serialized through the shadow-home lock.
• App-bind status warnings now resolve the active status path before printing history-visibility and model-speed guidance.

2.1.2

Install / Uninstall

Bugfixes

• Dropped the global codex bin to avoid npm bin collisions with official Codex npm, native, and Homebrew distributions.
• codex-multi-auth-codex remains the explicit forwarding wrapper; codex-multi-auth remains the account-management command family.

2.1.1

CLI

Bugfixes

• Restored routing for codex auth usage, account, budget, bridge, integrations, models, and monitor so they stay in the local multi-auth handler instead of falling through to official Codex.
• codex auth bridge token list --json now returns valid JSON when the token store is empty and keeps token hashes out of list output.

Core

Bugfixes

• Stabilized retry-suite timers after the routing repair.

2.1.0

Core

Improvements

• Added a local-only JSONL usage ledger, account policy metadata, routing profiles, and budget guards.
• Added model and account capability matrix views with runtime policy evaluation before account selection.
• Added an optional loopback-only bridge with /health, /v1/models, /v1/responses, and hashed client-token storage.

Bugfixes

• Wrapped remaining saveAccounts call sites with retry handling.
• Redacted proactive-refresh account emails through maskEmail.
• Plugin-config loading now handles non-Error throws.

Runtime Rotation Proxy

Improvements

• Added rotation reset-rate-limits to clear stale runtime pool timers.

CLI

Improvements

• Added codex auth usage and codex auth monitor for local usage governance.