fix(storage): snapshot exact pre-mutation state

Author: ndycode

lib/destructive-actions.ts

@@ -7,10 +7,10 @@ import {
 	clearAccounts,
 	clearFlaggedAccounts,
 	type FlaggedAccountStorageV1,
+	getStoragePath,
 	loadFlaggedAccounts,
-	saveAccounts,
-	saveFlaggedAccounts,
 	snapshotAccountStorage,
+	withAccountAndFlaggedStorageTransaction,
 } from "./storage.js";
 
 export const DESTRUCTIVE_ACTION_COPY = {
@@ -99,74 +99,62 @@ export interface DestructiveActionResult {
 	quotaCacheCleared: boolean;
 }
 
-function asError(error: unknown, fallbackMessage: string): Error {
-	return error instanceof Error
-		? error
-		: new Error(`${fallbackMessage}: ${String(error)}`);
-}
-
 export async function deleteAccountAtIndex(options: {
 	storage: AccountStorageV3;
 	index: number;
 }): Promise<DeleteAccountResult | null> {
-	const target = options.storage.accounts.at(options.index);
-	if (!target) return null;
-	const flagged = await loadFlaggedAccounts();
-	await snapshotAccountStorage({ reason: "delete-account" });
-	const nextStorage: AccountStorageV3 = {
-		...options.storage,
-		accounts: options.storage.accounts.map((account) => ({ ...account })),
-		activeIndexByFamily: { ...(options.storage.activeIndexByFamily ?? {}) },
-	};
-	const previousStorage: AccountStorageV3 = {
-		...options.storage,
-		accounts: options.storage.accounts.map((account) => ({ ...account })),
-		activeIndexByFamily: { ...(options.storage.activeIndexByFamily ?? {}) },
-	};
+	const requestedTarget = options.storage.accounts.at(options.index);
+	if (!requestedTarget) return null;
 
-	nextStorage.accounts.splice(options.index, 1);
-	rebaseActiveIndicesAfterDelete(nextStorage, options.index);
-	clampActiveIndices(nextStorage);
-	await saveAccounts(nextStorage);
-
-	const remainingFlagged = flagged.accounts.filter(
-		(account) => account.refreshToken !== target.refreshToken,
-	);
-	const removedFlaggedCount = flagged.accounts.length - remainingFlagged.length;
-	let updatedFlagged = flagged;
-	if (removedFlaggedCount > 0) {
-		updatedFlagged = { ...flagged, accounts: remainingFlagged };
-		try {
-			await saveFlaggedAccounts(updatedFlagged);
-		} catch (error) {
-			const originalError = asError(
-				error,
-				"Failed to save flagged account storage after deleting an account",
-			);
-			try {
-				await saveAccounts(previousStorage);
-			} catch (rollbackError) {
-				throw new AggregateError(
-					[
-						originalError,
-						asError(
-							rollbackError,
-							"Failed to roll back account storage after flagged save failure",
-						),
-					],
-					"Deleting the account partially failed and rollback also failed.",
-				);
-			}
-			throw originalError;
+	return withAccountAndFlaggedStorageTransaction(async (current, persist) => {
+		const sourceStorage = current ?? options.storage;
+		const targetIndex = sourceStorage.accounts.findIndex(
+			(account) => account.refreshToken === requestedTarget.refreshToken,
+		);
+		if (targetIndex < 0) {
+			return null;
+		}
+		const target = sourceStorage.accounts[targetIndex];
+		if (!target) {
+			return null;
 		}
-	}
 
-	return {
-		storage: nextStorage,
-		flagged: updatedFlagged,
-		removedAccount: target,
-		removedFlaggedCount,
-	};
+		const flagged = await loadFlaggedAccounts();
+		await snapshotAccountStorage({
+			reason: "delete-account",
+			storage: sourceStorage,
+			storagePath: getStoragePath(),
+		});
+
+		const nextStorage: AccountStorageV3 = {
+			...sourceStorage,
+			accounts: sourceStorage.accounts.map((account) => ({ ...account })),
+			activeIndexByFamily: { ...(sourceStorage.activeIndexByFamily ?? {}) },
+		};
+
+		nextStorage.accounts.splice(targetIndex, 1);
+		rebaseActiveIndicesAfterDelete(nextStorage, targetIndex);
+		clampActiveIndices(nextStorage);
+
+		const remainingFlagged = flagged.accounts.filter(
+			(account) => account.refreshToken !== target.refreshToken,
+		);
+		const removedFlaggedCount =
+			flagged.accounts.length - remainingFlagged.length;
+		const updatedFlagged =
+			removedFlaggedCount > 0
+				? { ...flagged, accounts: remainingFlagged }
+				: flagged;
+
+		await persist(nextStorage, updatedFlagged);
+
+		return {
+			storage: nextStorage,
+			flagged: updatedFlagged,
+			removedAccount: target,
+			removedFlaggedCount,
+		};
+	});
 }
 
 /**

lib/storage.ts

@@ -219,6 +219,8 @@ export interface AccountSnapshotOptions {
 	force?: boolean;
 	failurePolicy?: AccountSnapshotFailurePolicy;
 	createBackup?: typeof createNamedBackup;
+	storage?: AccountStorageV3 | null;
+	storagePath?: string;
 }
 
 interface LoadedBackupCandidate {
@@ -2171,6 +2173,37 @@ export async function createNamedBackup(
 	);
 }
 
+async function writeNamedBackupFromStorage(
+	name: string,
+	storage: AccountStorageV3,
+	options: {
+		force?: boolean;
+		storagePath?: string;
+	} = {},
+): Promise<NamedBackupMetadata> {
+	const storagePath = options.storagePath ?? getStoragePath();
+	const backupPath = resolveNamedBackupPath(name, storagePath);
+	if (!options.force && existsSync(backupPath)) {
+		throw new Error(`File already exists: ${backupPath}`);
+	}
+	await fs.mkdir(dirname(backupPath), { recursive: true });
+	await fs.writeFile(
+		backupPath,
+		JSON.stringify(
+			{
+				version: storage.version,
+				accounts: storage.accounts,
+				activeIndex: storage.activeIndex,
+				activeIndexByFamily: storage.activeIndexByFamily,
+			},
+			null,
+			2,
+		),
+		{ encoding: "utf-8", mode: 0o600 },
+	);
+	return buildNamedBackupMetadata(name, backupPath);
+}
+
 function formatTimestampForSnapshot(timestamp: number): string {
 	const date = new Date(timestamp);
 	const pad = (value: number): string => value.toString().padStart(2, "0");
@@ -2226,14 +2259,22 @@ export async function snapshotAccountStorage(
 		force = true,
 		failurePolicy = "warn",
 		createBackup = createNamedBackup,
+		storagePath,
 	} = options;
-	const currentStorage = await loadAccounts();
+	const currentStorage =
+		options.storage !== undefined ? options.storage : await loadAccounts();
 	if (!currentStorage || currentStorage.accounts.length === 0) {
 		return null;
 	}
 
 	const backupName = buildAccountSnapshotName(reason, now);
 	try {
+		if (options.storage !== undefined) {
+			return await writeNamedBackupFromStorage(backupName, currentStorage, {
+				force,
+				storagePath,
+			});
+		}
 		return await createBackup(backupName, { force });
 	} catch (error) {
 		if (failurePolicy === "error") {
@@ -3631,15 +3672,16 @@ export async function importAccounts(
 		throw new Error("Invalid account storage format");
 	}
 
-	// Capture the current pool before merge/limit checks so failed imports still
-	// leave a rollback-ready checkpoint for the pre-import state.
-	await snapshotAccountStorage({ reason: "import-accounts" });
-
 	const {
 		imported: importedCount,
 		total,
 		skipped: skippedCount,
 	} = await withAccountStorageTransaction(async (existing, persist) => {
+		await snapshotAccountStorage({
+			reason: "import-accounts",
+			storage: existing,
+			storagePath: getStoragePath(),
+		});
 		const existingAccounts = existing?.accounts ?? [];
 		const existingActiveIndex = existing?.activeIndex ?? 0;
 

test/destructive-actions.test.ts

@@ -8,6 +8,9 @@ const loadFlaggedAccountsMock = vi.fn();
 const saveAccountsMock = vi.fn();
 const saveFlaggedAccountsMock = vi.fn();
 const snapshotAccountStorageMock = vi.fn();
+const withAccountAndFlaggedStorageTransactionMock = vi.fn();
+const getStoragePathMock = vi.fn(() => "/mock/openai-codex-accounts.json");
+let transactionCurrentStorage: unknown = null;
 
 vi.mock("../lib/codex-cli/state.js", () => ({
 	clearCodexCliStateCache: clearCodexCliStateCacheMock,
@@ -24,10 +27,13 @@ vi.mock("../lib/quota-cache.js", () => ({
 vi.mock("../lib/storage.js", () => ({
 	clearAccounts: clearAccountsMock,
 	clearFlaggedAccounts: clearFlaggedAccountsMock,
+	getStoragePath: getStoragePathMock,
 	loadFlaggedAccounts: loadFlaggedAccountsMock,
 	saveAccounts: saveAccountsMock,
 	saveFlaggedAccounts: saveFlaggedAccountsMock,
 	snapshotAccountStorage: snapshotAccountStorageMock,
+	withAccountAndFlaggedStorageTransaction:
+		withAccountAndFlaggedStorageTransactionMock,
 }));
 
 describe("destructive actions", () => {
@@ -41,6 +47,34 @@ describe("destructive actions", () => {
 		saveAccountsMock.mockResolvedValue(undefined);
 		saveFlaggedAccountsMock.mockResolvedValue(undefined);
 		snapshotAccountStorageMock.mockResolvedValue(null);
+		transactionCurrentStorage = null;
+		withAccountAndFlaggedStorageTransactionMock.mockImplementation(
+			async (handler) => {
+				const previousSnapshot = structuredClone(transactionCurrentStorage);
+				return handler(
+					transactionCurrentStorage,
+					async (accountStorage: unknown, flaggedStorage: unknown) => {
+						await saveAccountsMock(accountStorage);
+						try {
+							await saveFlaggedAccountsMock(flaggedStorage);
+							transactionCurrentStorage = structuredClone(accountStorage);
+						} catch (error) {
+							try {
+								await saveAccountsMock(previousSnapshot);
+								transactionCurrentStorage =
+									structuredClone(previousSnapshot);
+							} catch (rollbackError) {
+								throw new AggregateError(
+									[error, rollbackError],
+									"Deleting the account partially failed and rollback also failed.",
+								);
+							}
+							throw error;
+						}
+					},
+				);
+			},
+		);
 	});
 
 	it("returns delete-only results without pretending kept data was cleared", async () => {
@@ -135,12 +169,16 @@ describe("destructive actions", () => {
 				},
 			],
 		};
+		transactionCurrentStorage = structuredClone(storage);
 
 		const deleted = await deleteAccountAtIndex({ storage, index: 0 });
 
 		expect(deleted).not.toBeNull();
+		expect(withAccountAndFlaggedStorageTransactionMock).toHaveBeenCalledTimes(1);
 		expect(snapshotAccountStorageMock).toHaveBeenCalledWith({
 			reason: "delete-account",
+			storage,
+			storagePath: "/mock/openai-codex-accounts.json",
 		});
 		expect(
 			snapshotAccountStorageMock.mock.invocationCallOrder[0],
@@ -204,10 +242,12 @@ describe("destructive actions", () => {
 				},
 			],
 		};
+		transactionCurrentStorage = structuredClone(storage);
 
 		const deleted = await deleteAccountAtIndex({ storage, index: 1 });
 
 		expect(deleted).not.toBeNull();
+		expect(withAccountAndFlaggedStorageTransactionMock).toHaveBeenCalledTimes(1);
 		expect(deleted?.flagged.accounts).toEqual([
 			expect.objectContaining({ refreshToken: "refresh-newer" }),
 		]);
@@ -255,6 +295,7 @@ describe("destructive actions", () => {
 				},
 			],
 		};
+		transactionCurrentStorage = structuredClone(storage);
 
 		await expect(deleteAccountAtIndex({ storage, index: 1 })).rejects.toBe(
 			flaggedSaveError,
@@ -307,6 +348,7 @@ describe("destructive actions", () => {
 				},
 			],
 		};
+		transactionCurrentStorage = structuredClone(storage);
 
 		try {
 			await deleteAccountAtIndex({ storage, index: 1 });

test/storage.test.ts

@@ -2210,6 +2210,49 @@ describe("storage", () => {
 			).rejects.toThrow(/snapshot failed/);
 		});
 
+		it("writes the provided storage snapshot instead of re-reading live storage", async () => {
+			await saveAccounts({
+				version: 3,
+				activeIndex: 0,
+				accounts: [
+					{
+						accountId: "live",
+						refreshToken: "ref-live",
+						addedAt: 1,
+						lastUsed: 1,
+					},
+				],
+			});
+
+			const snapshot = await snapshotAccountStorage({
+				reason: "import-accounts",
+				storage: {
+					version: 3,
+					activeIndex: 0,
+					accounts: [
+						{
+							accountId: "provided",
+							refreshToken: "ref-provided",
+							addedAt: 2,
+							lastUsed: 2,
+						},
+					],
+				},
+				storagePath: testStoragePath,
+			});
+
+			expect(snapshot?.path && existsSync(snapshot.path)).toBe(true);
+			const snapshotContent = JSON.parse(
+				await fs.readFile(snapshot!.path, "utf-8"),
+			) as { accounts: Array<{ accountId?: string }> };
+			expect(snapshotContent.accounts).toEqual([
+				expect.objectContaining({ accountId: "provided" }),
+			]);
+			expect((await loadAccounts())?.accounts).toEqual([
+				expect.objectContaining({ accountId: "live" }),
+			]);
+		});
+
 		it("creates a named snapshot before deleteSavedAccounts", async () => {
 			await saveAccounts({
 				version: 3,