v1.3.0

Minor Compatibility and Stability Release

This release carries the Phase 1 post-audit hardening pass: 20 focused PRs + follow-up #413 + audit-fix commits addressing 49 findings from the 2026-04-17 master repository audit. No breaking public-API changes. One opt-in feature flag (routingMutex) added with legacy default. Staging-merge validated end-to-end with 3529 tests passing, real-install test caught and fixed a filesystem-root sandbox probe bug before publish. Read the summary below before upgrading or publishing.

• Zero CRITICAL audit findings; all 13 in-scope HIGH findings fixed + verified
• Storage + OAuth + routing hardening: Zod at JSON parse boundaries, atomic writes with retry, routing mutex behind routingMutex flag (default legacy), SSOT for AUTH_REDIRECT, OAuth URL redaction in user-facing output
• New diagnostic commands: codex auth why-selected [--now|--last|--json] and codex auth verify [--paths|--flagged|--all|--json]
• lib/codex-manager/settings-hub.ts split into 5 sub-concern files under lib/codex-manager/settings-hub/, each under 500 LOC; stable public exports preserved

Commit Summary

• 3f1c1fe fix(cli): correct verify --paths sandbox probe semantics
• 8b6b27a chore(release): prepare v1.3.0
• f4d9bd3 staging: integrate PR #413 fix/remove-account-pointer-dangle
• a22da1e staging: fix selectHybridAccountTraced test to AUDIT-H2 null contract
• 77a56e6 staging: integrate PR #412 refactor/routing-mutex
• 351547b staging: integrate PR #411 refactor/settings-hub-split
• da3d38f staging: integrate PR #410 feat/cli-why-selected-and-verify-paths
• 7706cb9 staging: integrate PR #409 refactor/zod-storage-boundaries
• e647545 staging: integrate PR #408 refactor/health-unify
• 84ff458 staging: integrate PR #407 test/audit-regression-suite
• 54e7530 staging: integrate PR #406 chore/config-hygiene
• e1ea349 staging: integrate PR #405 docs/truthup
• d5245e9 staging: integrate PR #404 fix/request-observability
• 33a2d48 staging: integrate PR #403 fix/project-scope-no-silent-bypass
• 6759325 staging: integrate PR #402 fix/storage-clear-ordering
• 853fc2f staging: integrate PR #401 fix/recovery-atomic-writes
• 66f022b staging: integrate PR #400 fix/release-hygiene
• 368a492 staging: integrate PR #399 fix/active-pointer-normalization
• 96123db staging: integrate PR #398 fix/short-429-race
• bb97f7e staging: integrate PR #397 fix/hybrid-selector-null-contract
• 25c1a21 staging: integrate PR #396 refactor/redirect-uri-ssot
• abe782e staging: integrate PR #395 fix/oauth-url-redaction
• 3d9febd staging: integrate PR #394 fix/phase1-tests-green-and-resolvepath
• f4d8120 staging: integrate PR #393 docs/master-repository-audit-2026-04-17
• 421bb89 fix(accounts): harden removeAccount pointer normalization
• 475ea37 fix(test): add AUTH_REDIRECT to codex-manager-cli mock
• d7af34d fix(accounts): harden pointer normalization for all-disabled + cursorByFamily
• d9f7253 docs(config): correct dual-linter scope to match actual wiring
• b3c2945 fix(cli): harden verify --paths sandbox probe + document commands
• f18d721 fix(ui): route copy.ts through AUTH_REDIRECT SSOT
• f877c85 fix(recovery): complete atomic write migration + rename retry
• 21c466a test(routing-mutex): strengthen property tests with external concurrency observer
• e50d283 refactor(routing): routing mutex + SelectionRecord (R4, PR-N)
• 5a52a31 docs(lib): retire stale settings-hub LOC claim
• c7d66be refactor(settings-hub): compose via index.ts
• a28aa51 refactor(settings-hub): extract experimental panel
• 5d11f29 refactor(settings-hub): extract backend panel
• f38cb6e refactor(settings-hub): extract dashboard panels
• 66eb64c refactor(settings-hub): extract shared helpers
• c9437cb refactor(types): add Zod safeParseJson at storage JSON boundaries
• 0e914c2 feat(cli): add codex auth why-selected and verify --paths commands
• b47789a docs(health): document field-name drift vs ManagedAccount (AUDIT-M08 / D-04)
• 394896a test(audit): add Phase 1 regression suite locking in audit invariants
• 801ee58 chore(config): document dual-linter scope + husky prepare-hook side effect
• d6809ce docs: truthup AGENTS.md staleness + deriveProjectKey typo
• 936d1a4 fix(request): surface malformed SSE JSON chunks as structured warnings
• e6e1702 fix(routing): surface the per-project vs CLI-sync config conflict
• d1c312a fix(storage): write reset marker before deletions + retry EPERM on read
• 408bf8a fix(recovery): atomic writes + retry-safe deletes for recovery storage (R6)
• 250edfd fix(release): pack:check builds first + tests use os.tmpdir
• 306c87a fix(accounts): normalize active pointer when the active account is disabled
• 36a99c0 fix(routing): mark account unavailable before short-429 retry sleep
• 5c953e8 fix(routing): hybrid selector returns null when no accounts are available
• 58437e3 refactor(auth): introduce AUTH_REDIRECT single source of truth
• d94a4c8 fix(auth): redact OAuth URL in user-facing login output
• f59fa75 fix(codex-manager): show intentional-reset message when loadAccounts returns null
• 58c8751 fix(paths): reject lookalike-prefix paths in resolvePath
• 0eb1144 docs(audit): add master repository audit report and evidence

v1.2.7

Minor Compatibility and Stability Release

This release adds native official Codex CLI compatibility to the wrapper while keeping the existing codex auth ... runtime behavior stable. Read the summary below before upgrading or publishing.

• native official Codex installs on PATH now work alongside the existing @openai/codex npm launcher flow
• wrapper launch behavior now correctly distinguishes JavaScript launchers from native executables
• POSIX self-wrapper loop handling and Windows native path precedence are covered by regression tests
• release notes and stable-history docs are updated for v1.2.7

Commit Summary

• e275984 chore(release): bump version to 1.2.7 and publish notes
• f1f52aa Merge pull request #391 from ndycode/feat/native-codex-cli-support
• 776c594 cover windows codex precedence
• d2c3524 guard native path discovery test patch
• 10d03be inline wrapper test exit constant
• 6a63b9d fix resolver self-guard default
• 363305c tighten native codex path handling
• c6ef13f fix stale test expectations
• 0d9ae60 fix native CLI resolver edge cases
• 4264e0c broaden native CLI wrapper coverage
• baadcb3 support native Codex CLI installs

v1.2.6

Minor Compatibility and Stability Release

This release carries compatibility-facing behavior changes and operational hardening. Read the summary below before upgrading or publishing.

• fixed wrapped non-auth Codex commands so successful forwarded request traffic increments persisted runtime observability counters
• added a wrapper fallback path that records forwarded request metrics only when the child Codex process leaves the runtime snapshot unchanged, avoiding double-counting when plugin-side metrics are present
• preserved the existing codex auth observability behavior while making real codex exec smoke runs visible in codex auth status and codex auth report --json
• added regression coverage for both missing-child-update and already-updated snapshot cases in the wrapper test suite

Commit Summary

• a76b67c docs: clarify v1.2.5 observability wording
• e99d641 release: ship v1.2.6 forwarded observability fix

v1.2.5

Minor Compatibility and Stability Release

This release carries compatibility-facing behavior changes and operational hardening. Read the summary below before upgrading or publishing.

• added runtime counters, cooldown state, selection reason, and storage-health observability to codex auth status and codex auth report --json, with visible tracking for multi-auth probes and refresh activity
• added safer live report controls with --max-accounts, --max-probes, and --cached-only so operators can inspect state without probing the full pool
• disabled default whole-pool replay when every account is rate-limited and capped outbound request attempts per prompt to prevent runaway cross-account retries
• tightened retry and failover behavior for 429s, upstream 5xx bursts, empty responses, and stream replay so partial output is not re-emitted and aggressive rotation cools down sooner

Commit Summary

• 353de84 refactor: remove dead runtime metrics helper module
• 6e42f28 refactor: share forecast and report command helpers
• a17a58c refactor: remove unsafe overload casts in parallel probe
• 7a713ad fix: make account clear reset atomic
• 2ab9dd9 fix: persist report refreshes before mutating state
• 89bafc4 fix: prevent stale prompt cache session overwrites
• 2a4324a fix: serialize concurrent runtime cache writes
• 37d260b fix: recreate live account sync on config changes
• f71fd30 fix: check remapped errorResponse status for 404->429 usage_limit rotation
• c1223f4 test: add 4 broader scenarios for 404->429 rotation path
• 7026dfe fix: narrow 404 usage-limit remapping
• dd05d20 fix: stop quota scheduler cooldown drift

v1.2.4

Minor Compatibility and Stability Release

This release carries compatibility-facing behavior changes and operational hardening. Read the summary below before upgrading or publishing.

• added deterministic regressions for flagged-account backup and legacy read retries so transient Windows EBUSY locks stay covered
• pinned the persistRecoveredBackup -> false path so failed backup persistence does not report a false successful recovery
• tightened test cleanup so fs.readFile spies are restored from finally and cannot leak across later Vitest cases
• removed the dead inline return from the Codex wrapper mutator script used by the delayed-write retry regression

Commit Summary

• 080d046 fix-report-live-token-freshness-handling
• bafd2c8 fix-runtime-recovery-token-restore-safety
• cef0db1 "fix-storage-path-context-for-deferred-saves"
• 7dbf9b0 fix(wrapper): make windows shell guards opt-in
• acb932b docs(releases): align stable docs with 1.2.2
• 5c9efed ci: mirror release harness checks on push
• 72a115e test(accounts): deflake tracker stability assertion
• 3f3c0c6 Scope pool lastUsed preservation
• b9d7c2f Fix storage path state save race
• 115d8e8 Fix Windows profile guard opt-in
• 60597f8 Add runtime persistence failure coverage
• d3178f2 Wire runtime verify-flagged atomic persistence

v1.2.2

Minor Compatibility and Stability Release

This release carries compatibility-facing behavior changes and operational hardening. Read the summary below before upgrading or publishing.

• Hardened fast-expiry refresh persistence so refreshed token and account state survive account-pool writes.
• Realigned account-pool health handling across success healing, guardian penalties, circuit-breaker penalties, and reason-scoped rate limiting.
• Tightened stable identity reconciliation for guardian refresh outcomes and runtime tracker state.
• Persisted refreshed auth from forecast and report live probes and improved expired CLI cache hydration.

Commit Summary

• 53488ef Add Codex plugin manifest and setup skill
• 9cbc72a fix: harden fast-expiry token refresh persistence
• adbf49a fix: heal stale pool penalties after success
• 27a0d1e fix: reconcile guardian refresh outcomes by stable identity
• 66d2d63 fix: prefer fresh access tokens during account selection
• 45a7ee6 fix: hydrate newer refresh tokens from expired cli cache
• bfb6a33 fix: graduate refresh guardian failure penalties
• 7f512c3 fix: heal stale cooldown metadata on success
• 9b6b824 test: cover fresh family selection happy path
• 7cb4d4f fix: guard cli refresh token hydration by freshness
• 6e6781a fix: clear guardian auth streaks on non-auth outcomes
• c97350c fix: harden guardian identity reconciliation

v1.2.1

Minor Compatibility and Stability Release

This release carries compatibility-facing behavior changes and operational hardening. Read the summary below before upgrading or publishing.

• Added codex auth forecast --explain support and related regression coverage.
• Aligned GPT-5 model routing with current OpenAI defaults.
• Added package subpath exports and tightened shipped config/public API coverage.
• Added maintainer runbooks and refreshed onboarding and command guidance.

Commit Summary

• 7065009 test: cover runtime benchmark script
• 26cdb9e Use retry-safe cleanup in wrapper smoke test
• 7d44c75 Use retry-safe benchmark cleanup
• 75a6a6b Exercise target loader retry wiring
• c328fc7 Exercise sync target retry wiring
• 3e44d11 Preserve experimental settings entry types
• 3be4df4 Tighten named backups entry coverage
• 6de0144 Fail fast on benchmark test hangs
• 9e13a24 align gpt-5 model routing with current OpenAI defaults
• 173d64f add responses continuation request contract support
• 9968ba8 enhance responses parser for semantic SSE events
• 71d44c7 add response compaction fallback for fast sessions

v1.2.0

Minor Compatibility and Stability Release

This release carries compatibility-facing behavior changes and operational hardening. Read the summary below before upgrading or publishing.

• Added headless-friendly auth login with manual callback support for environments where browser launch or the local callback listener is unavailable.
• Preserved selected workspace routing across retries and fallback paths instead of collapsing back to mutable token-derived identity.
• Added proxy-compatible upstream transport, workspace-disabled auto-rotation, onboarding restore from the latest saved backup, and restored experimental settings hotkeys.

Commit Summary

• 57fd770 feat(cli): add 'codex auth best' command for automatic best account switching
• f82a748 add-manual-login-mode-for-headless-auth-flows
• f539e9e fix(runtime):preserve-selected-workspace-in-request-routing
• 7b40b05 feat(runtime): add proxy-compatible upstream transport
• b526074 chore(lockfile): normalize undici dependency entry
• 3953d5d fix(auth): skip callback wait in manual login mode
• 8f91ee3 fix(auth): skip callback wait in manual login mode
• 5972554 fix(auth): honor explicit no-browser env toggles
• 91ec5a9 fix(runtime): preserve fallback account source on snapshot updates
• aa88882 fix(proxy): drain shared dispatchers on shutdown
• 73e0811 fix(auth): honor explicit no-browser env toggles
• bbbf67a fix(runtime): preserve fallback account source on snapshot updates

v1.1.11

Minor Compatibility and Stability Release

This release carries compatibility-facing behavior changes and operational hardening. Read the summary below before upgrading or publishing.

• Fixed quota-cache key collisions for multi-workspace accounts that share the same email.
• Rebuilt live quota fallback state after auth check and auth fix refreshes change shared-workspace identity fields.
• Hardened live quota cache persistence so failed saves do not mutate the loaded cache object during forecast, check, or fix flows.

Commit Summary

• b918aac fix(quota): keep multi-workspace fallbacks distinct (#122)

v1.1.10

Minor Compatibility and Stability Release

This release carries compatibility-facing behavior changes and operational hardening. Read the summary below before upgrading or publishing.

• Added codex auth best for forecast-driven active-account switching from the CLI.
• Hardened live probe refresh handling so rotated access, refresh, and ID tokens stay aligned through the already-best and switch paths.
• Tightened auth best CLI validation and JSON output coverage for help, malformed flags, null storage, concurrency, and sync-state edge cases.

Commit Summary

• a823684 fix installation step causing EEXIST
• f3c06f8 Merge pull request #97 from zamadye/fix/readme-install-collision
• b329cf4 Initial plan
• db5758e Preserve workspace bindings across refresh flows
• 223bdc1 Fix storage typecheck regressions
• 4973a20 Fix remaining workspace binding review issues
• 9ab3669 Fix account support for mutable workspace after login (#117)
• 04c0151 feat(cli): add codex auth best account switching (#120)
• 1d404f9 chore(release): bump version to 1.1.10 and publish notes