Skip to content

fix: reload Codex daemon after account promotion#1218

Open
rendrag-git wants to merge 6 commits into
steipete:mainfrom
rendrag-git:codex/codex-account-switcher
Open

fix: reload Codex daemon after account promotion#1218
rendrag-git wants to merge 6 commits into
steipete:mainfrom
rendrag-git:codex/codex-account-switcher

Conversation

@rendrag-git

@rendrag-git rendrag-git commented May 29, 2026

Copy link
Copy Markdown

Summary

  • restart a managed, running Codex app-server daemon after System Account promotion
  • preserve persisted remote-control mode through the upstream daemon lifecycle command
  • finish the account switch but request a manual restart when the CLI is missing/unsupported or the running app-server is unmanaged
  • retry daemon reload when promotion is already converged, allowing recovery after partial restart failure
  • use separate 10-second probe and 120-second restart timeouts

Why

Promoting a managed account atomically replaces live auth.json, but an already-running app-server retains the previous identity until it is restarted.

The account switch is already committed before daemon reload. Reload failures therefore remain partial success: Codex CLI uses the new account, account-scoped state is refreshed, and the UI reports that the configured background service still needs attention.

Upstream lifecycle contract

Current Codex daemon restart behavior:

  • loads persisted daemon settings
  • stops the managed backend
  • starts the replacement backend with remote_control_enabled from those settings

Sources:

Current-main rewrite

The original branch predated the current managed-account architecture. This rewrite retains only the remaining daemon-reload behavior while preserving contributor credit.

Normal account selection remains display-only. Only the existing System Account submenu mutates live auth.

Failure behavior

  • missing or unsupported Codex CLI daemon command: auth promotion remains successful; request manual restart
  • missing/refused daemon socket: state is unconfirmed because managed startup can expose the same result; request manual restart
  • version response must explicitly report status: running; a missing backend is treated as unmanaged and is never restarted
  • unexpected probe failure or timeout: partial-success error
  • restart failure or timeout: partial-success error
  • retry after partial failure: converged promotion retries daemon reload
  • probe timeout: 10 seconds
  • restart timeout: 120 seconds

Proof

  • exact candidate: 44fc0903
  • swift test --filter 'Codex(AppServerDaemonReloader|AccountPromotionService|AccountPromotionExecution|SystemPromotionUI)Tests': 49 tests passed
  • make check: green; SwiftFormat clean; SwiftLint 0 violations
  • git diff --check: green
  • local follow-up autoreview: clean (0.87)
  • final lifecycle-aware whole-branch autoreview: clean (0.88)
  • make test: all 41 shards passed on the rebased exact candidate
  • public CI: pending exact-head run

Focused coverage includes:

  • real restart command selection
  • persisted remote-control preservation through the upstream lifecycle contract
  • missing/refused socket fails closed instead of being mistaken for a stopped daemon during managed startup
  • missing CLI, unsupported command, unmanaged backend, and non-running status handling
  • restart exit-code classification remains distinct from probe capability detection
  • fail-closed probe timeout
  • 10-second probe and 120-second restart bounds
  • partial-success state refresh
  • empty manual-restart diagnostics do not render an empty error block
  • successful retry through the converged promotion path

Live boundary

Runtime daemon commands are covered through the injected command runner. Exact-head validation did not mutate production auth or a live account-backed daemon.

Before merge, this still requires authorized redacted live proof with two actual accounts and a managed daemon. Until then, the PR remains held even if CI is green.

@clawsweeper

clawsweeper Bot commented May 29, 2026

Copy link
Copy Markdown

Codex review: needs real behavior proof before merge. Reviewed June 21, 2026, 10:34 AM ET / 14:34 UTC.

Summary
The PR adds a Codex app-server daemon reloader after system-account promotion, updates partial-success user copy/docs/localization, and adds focused promotion and daemon lifecycle tests.

Reproducibility: no. high-confidence live reproduction was established in this review. Source inspection shows current main swaps live auth and refreshes account state without reloading a running daemon, while AGENTS.md makes unrequested live auth/provider probes inappropriate.

Review metrics: 3 noteworthy metrics.

  • Changed files: 32 files; 619 added, 11 deleted. Most files are localization, but the behavioral surface spans auth promotion, daemon lifecycle, user alerts, docs, and tests.
  • Daemon command paths: 2 commands: version probe and restart. These installed Codex CLI commands define the compatibility surface maintainers need to validate before merge.
  • Timeout bounds: 10s probe, 120s restart. These limits determine how long a user-initiated system-account switch can wait on daemon lifecycle work.

Merge readiness
Overall: 🧂 unranked krab
Proof: 🧂 unranked krab
Patch quality: 🦞 diamond lobster
Result: blocked until real behavior proof from a real setup is added.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • [P1] Add redacted terminal output, logs, or a recording from two actual accounts and a managed running Codex app-server daemon; redact API keys, private endpoints, account details, and other sensitive data.
  • Resolve the current GitHub conflict/dirty merge state and update the PR body so the next review evaluates the exact mergeable head.

Proof guidance:

  • [P1] Needs real behavior proof before merge: The PR body provides tests and checks but explicitly says exact-head validation did not exercise production auth or a live account-backed daemon, so redacted live proof is still required before merge; after adding proof, update the PR body for a fresh ClawSweeper review or ask a maintainer to comment @clawsweeper re-review.

Risk before merge

  • [P1] The PR still lacks redacted live proof with two actual accounts and a managed running Codex app-server daemon; injected runner tests do not prove the installed daemon/account boundary.
  • [P1] GitHub currently reports the PR as conflicting/dirty against main, so it cannot merge until the branch is refreshed or conflicts are resolved.
  • [P1] Merging changes an auth-provider runtime path by invoking installed Codex CLI daemon lifecycle commands during system-account promotion.
  • [P1] Older, unsupported, unmanaged, non-running, or socket-unavailable Codex CLI daemon states intentionally become manual-restart or partial-success paths, so maintainers need to accept that compatibility behavior before merge.

Maintainer options:

  1. Require live daemon proof (recommended)
    Before merge, require redacted terminal output, logs, or a recording showing promotion between two real accounts restarts a managed daemon and preserves the intended daemon lifecycle behavior.
  2. Accept the manual-restart boundary
    Maintainers may explicitly accept that missing CLI, unsupported lifecycle support, unmanaged daemons, and ambiguous socket states complete the account switch but require user-visible manual recovery.
  3. Pause until lifecycle compatibility is settled
    If the installed Codex daemon contract is still too uncertain, pause this PR rather than landing a runtime restart path that depends on that CLI behavior.

Next step before merge

  • [P1] No automated repair is appropriate at the current head; the remaining gates are contributor live proof, conflict resolution, and maintainer acceptance of the daemon lifecycle compatibility boundary.

Security
Cleared: No concrete security or supply-chain defect was found; the auth-sensitive daemon restart remains tracked as merge risk rather than a discrete security finding.

Review details

Best possible solution:

Land the daemon-reload fix only after conflict resolution, redacted live proof confirms the managed daemon restarts under the promoted account, and maintainers accept the fallback behavior for unsupported or unmanaged installed CLI states.

Do we have a high-confidence way to reproduce the issue?

No high-confidence live reproduction was established in this review. Source inspection shows current main swaps live auth and refreshes account state without reloading a running daemon, while AGENTS.md makes unrequested live auth/provider probes inappropriate.

Is this the best way to solve the issue?

Yes for the code direction, but not merge-ready yet. The rewrite uses the Codex CLI daemon lifecycle restart and fails closed for socket-unavailable, unsupported, unmanaged, and invalid probe states, but live proof and conflict resolution are still required.

AGENTS.md: found and applied where relevant.

Codex review notes: model internal, reasoning high; reviewed against 9e7a70a42dd2.

Label changes

Label justifications:

  • P1: The PR changes a real Codex system-account promotion path where a running app-server can keep serving the displaced identity.
  • merge-risk: 🚨 compatibility: The patch depends on installed Codex CLI daemon lifecycle support and changes behavior for unsupported, unmanaged, or ambiguous daemon states.
  • merge-risk: 🚨 auth-provider: The changed path mutates live Codex auth and refreshes a background service identity after account promotion.
  • merge-risk: 🚨 availability: The PR can restart a running app-server daemon and surface manual-restart failures during a user-initiated account switch.
  • rating: 🧂 unranked krab: Overall readiness is 🧂 unranked krab; proof is 🧂 unranked krab and patch quality is 🦞 diamond lobster.
  • status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs real behavior proof before merge: The PR body provides tests and checks but explicitly says exact-head validation did not exercise production auth or a live account-backed daemon, so redacted live proof is still required before merge; after adding proof, update the PR body for a fresh ClawSweeper review or ask a maintainer to comment @clawsweeper re-review.
Evidence reviewed

What I checked:

  • Repository policy read: AGENTS.md was read fully and applied because this PR touches auth/provider behavior and the policy directs reviewers to avoid unrequested live account, provider, Keychain, or browser-cookie validation. (AGENTS.md:28, 9e7a70a42dd2)
  • Current main lacks daemon reload: Current main's promotion path writes the live system source and refreshes account-scoped state without any app-server daemon reload or restart call. (Sources/CodexBar/CodexAccountPromotionService.swift:244, 9e7a70a42dd2)
  • PR daemon reload implementation: The PR head adds a reloader that resolves the Codex binary, probes app-server daemon version with a 10s timeout, validates a running managed backend, and restarts with a 120s timeout. (Sources/CodexBar/CodexAppServerDaemonReloader.swift:53, 44fc0903811c)
  • PR promotion integration: The PR reloads the daemon on both converged and mutating promotion paths, refreshes account-scoped state, and maps unavailable, unmanaged, or failed reloads to partial-success manual attention. (Sources/CodexBar/CodexAccountPromotionService.swift:225, 44fc0903811c)
  • Focused test coverage: The PR adds tests for missing binary, missing/refused daemon socket, probe timeout, unsupported command, running restart, unmanaged and non-running states, invalid responses, bounded diagnostics, and restart exit-code classification. (Tests/CodexBarTests/CodexAppServerDaemonReloaderTests.swift:7, 44fc0903811c)
  • Proof boundary remains live-only: The PR body lists tests and checks but says exact-head validation did not mutate production auth or a live account-backed daemon, and requests authorized redacted proof with two actual accounts and a managed daemon before merge. (44fc0903811c)

Likely related people:

  • ratulsarna: Introduced managed Codex account promotion and the system-level account switching UI that this PR extends. (role: feature introducer; confidence: high; commits: 72e997ec66a6, 89c6ce806648; files: Sources/CodexBar/CodexAccountPromotionService.swift, Sources/CodexBar/StatusItemController+Actions.swift, Tests/CodexBarTests/CodexAccountPromotionServiceTests.swift)
  • steipete: Authored recent Codex account-adjacent work on main and the current daemon-reload rewrite commits on this PR branch. (role: recent area contributor and branch rewriter; confidence: high; commits: 857f4fa4aa59, 44fc0903811c; files: Sources/CodexBar/CodexAppServerDaemonReloader.swift, Sources/CodexBar/CodexAccountPromotionService.swift, Tests/CodexBarTests/CodexAppServerDaemonReloaderTests.swift)
  • kiranmagic7: Recently merged Codex profile-home account routing, adjacent to Codex account source and identity correctness. (role: recent adjacent contributor; confidence: medium; commits: d3551e736b55; files: Sources/CodexBarCore/Config/CodexActiveSource.swift, Sources/CodexBarCore/Providers/Codex/CodexAccountReconciliation.swift, docs/codex.md)
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4bf57cf8c7

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread Sources/CodexBar/CodexAppServerDaemonReloader.swift Outdated
@clawsweeper clawsweeper Bot added rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. labels May 29, 2026
@rendrag-git rendrag-git force-pushed the codex/codex-account-switcher branch from 4bf57cf to 2e68d71 Compare May 29, 2026 19:46
@clawsweeper clawsweeper Bot added P1 Urgent regression or broken agent/channel workflow affecting real users now. merge-risk: 🚨 compatibility 🚨 Merging this PR could break existing users, config, migrations, defaults, or upgrades. merge-risk: 🚨 auth-provider 🚨 Merging this PR could break OAuth, tokens, provider routing, model choice, or credentials. labels May 29, 2026
@rendrag-git rendrag-git force-pushed the codex/codex-account-switcher branch from 2e68d71 to 579b140 Compare May 29, 2026 20:26
@rendrag-git

Copy link
Copy Markdown
Author

@clawsweeper re-review

@clawsweeper

clawsweeper Bot commented May 29, 2026

Copy link
Copy Markdown

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

@rendrag-git rendrag-git force-pushed the codex/codex-account-switcher branch from 579b140 to 11fab4e Compare May 29, 2026 21:46
@rendrag-git

Copy link
Copy Markdown
Author

@clawsweeper re-review

@clawsweeper

clawsweeper Bot commented May 29, 2026

Copy link
Copy Markdown

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

@clawsweeper clawsweeper Bot added the merge-risk: 🚨 availability 🚨 Merging this PR could cause crashes, hangs, restart loops, stalls, or process outages. label May 29, 2026
@rendrag-git rendrag-git force-pushed the codex/codex-account-switcher branch from 11fab4e to c4a43c8 Compare May 29, 2026 22:48
@rendrag-git

Copy link
Copy Markdown
Author

@clawsweeper re-review

@clawsweeper

clawsweeper Bot commented May 29, 2026

Copy link
Copy Markdown

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

@clawsweeper clawsweeper Bot added proof: sufficient Contributor real behavior proof is sufficient. proof: 📸 screenshot Contributor real behavior proof includes screenshot evidence. rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. and removed rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. labels May 29, 2026
@steipete steipete force-pushed the codex/codex-account-switcher branch from c4a43c8 to fe76c68 Compare June 19, 2026 15:08
@steipete steipete changed the title Add Codex account switcher promotion fix: reload Codex daemon after account promotion Jun 19, 2026

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: fe76c68050

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread Sources/CodexBar/CodexAppServerDaemonReloader.swift Outdated
@clawsweeper clawsweeper Bot removed proof: sufficient Contributor real behavior proof is sufficient. proof: 📸 screenshot Contributor real behavior proof includes screenshot evidence. rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. labels Jun 19, 2026
@clawsweeper clawsweeper Bot added rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. and removed status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. labels Jun 19, 2026
@steipete steipete force-pushed the codex/codex-account-switcher branch from a900930 to 73c4738 Compare June 19, 2026 19:43

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 73c4738c83

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread Sources/CodexBar/CodexAppServerDaemonReloader.swift
@clawsweeper clawsweeper Bot added rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. and removed rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. labels Jun 19, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

merge-risk: 🚨 auth-provider 🚨 Merging this PR could break OAuth, tokens, provider routing, model choice, or credentials. merge-risk: 🚨 availability 🚨 Merging this PR could cause crashes, hangs, restart loops, stalls, or process outages. merge-risk: 🚨 compatibility 🚨 Merging this PR could break existing users, config, migrations, defaults, or upgrades. P1 Urgent regression or broken agent/channel workflow affecting real users now. rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants