Skip to content

fix: prioritize Codex credential profiles#2236

Merged
jolestar merged 2 commits into
mainfrom
fix-issue-2234-codex-credential-priority
Jul 13, 2026
Merged

fix: prioritize Codex credential profiles#2236
jolestar merged 2 commits into
mainfrom
fix-issue-2234-codex-credential-priority

Conversation

@jolestar

Copy link
Copy Markdown
Collaborator

概要

  • OpenAI Codex 同时存在 Holon credential profile 与 CLI 凭据时,始终优先 profile
  • profile 临近过期时先尝试 refresh;仅在 refresh 失败时回退已加载的 CLI file 凭据
  • 增加 profile 优先、refresh 成功及 refresh 失败回退真实 auth.json 的回归测试

验证

  • cargo fmt --all -- --check
  • RUSTFLAGS="-D warnings" cargo check --all-targets
  • cargo test --all-targets

Closes #2234

@vercel

vercel Bot commented Jul 13, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
holon Ready Ready Preview, Comment Jul 13, 2026 5:34pm

@holonbot holonbot Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

test

Comment thread src/provider/transports/openai.rs Outdated
@holonbot

holonbot Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Holon Review: fix: prioritize Codex credential profiles

Summary

This PR correctly fixes the credential selection priority issue described in #2234. All three root causes are addressed:

  1. Profile-first selection: choose_openai_codex_credential now uses profile.or(cli) — profile always wins when available.
  2. Removed broken freshness ranking: The openai_codex_credential_freshness_key function and its source_rank logic are removed entirely.
  3. Expiry-aware refresh with CLI fallback: resolve_fresh_credential() now checks profile expiry, attempts refresh, and falls back to CLI only when profile is absent or refresh fails.

The changes are focused, the diff is clean, and the test coverage is good — both the renamed priority test and the new refresh-failure fallback test validate the core behavioral changes.

Findings

warn — Silent refresh error on CLI fallback path (see inline comment on line 603)

When profile refresh fails and a CLI credential is available, the refresh error is silently discarded. This hurts observability: if the profile's refresh token is permanently broken, the system will silently fall back to CLI credentials on every call with no diagnostic signal for operators.

Other transports in this codebase use tracing::warn (see anthropic.rs, fallback.rs). Adding a warning log here would be consistent and help detect broken profile configurations.

nitchoose_openai_codex_credential is now test-only

The function is simplified to profile.or(cli) and is only called from test code. Consider annotating it with #[cfg(test)] to make its test-only status explicit, or inlining it into the test.

Verdict

The core logic is correct and well-tested. One observability improvement recommended (logging the refresh failure), one minor cleanup suggestion. Safe to merge.

@holonbot

holonbot Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Holon Run Report

@jolestar

Copy link
Copy Markdown
Collaborator Author

已处理 review 的 observability warning:0cc300e7 在 profile refresh 失败并回退 CLI credential 前记录结构化 tracing::warn!。补充说明:choose_openai_codex_credential 并非 test-only,它仍由同步 load_openai_codex_credential 生产路径调用,因此不添加 #[cfg(test)]

@jolestar
jolestar merged commit 3f2535c into main Jul 13, 2026
5 checks passed
@jolestar
jolestar deleted the fix-issue-2234-codex-credential-priority branch July 13, 2026 17:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

bug: OpenAI Codex credential selection prefers expired CLI file token over profile credential

1 participant