fix(storage): harden opencode import retention and redaction

ndycode · ndycode · commit e4073506e285 · 2026-03-19T23:55:01.000+08:00
diff --git a/lib/codex-manager.ts b/lib/codex-manager.ts
@@ -4468,8 +4468,9 @@ async function runAuthLogin(): Promise<number> {
 					continue;
 				}
 				if (!assessment.backup.valid || !assessment.eligibleForRestore) {
-					const assessmentErrorLabel =
-						assessment.error || "OpenCode account pool is not importable.";
+					const assessmentErrorLabel = formatRedactedFilesystemError(
+						assessment.error || "OpenCode account pool is not importable.",
+					);
 					console.log(assessmentErrorLabel);
 					continue;
 				}
diff --git a/lib/storage.ts b/lib/storage.ts
@@ -57,8 +57,10 @@ const ROTATING_BACKUP_STALE_ARTIFACT_MAX_AGE_MS = 60_000;
 export const NAMED_BACKUP_LIST_CONCURRENCY = 8;
 export const ACCOUNT_SNAPSHOT_RETENTION_PER_REASON = 3;
 const RESET_MARKER_SUFFIX = ".reset-intent";
+const AUTO_SNAPSHOT_MARKER_SUFFIX = ".snapshot-auto";
 let storageBackupEnabled = true;
 let lastAccountsSaveTimestamp = 0;
+const retentionEnforcementInFlight = new Set<string>();
 
 export interface FlaggedAccountMetadataV1 extends AccountMetadataV3 {
 	flaggedAt: number;
@@ -1880,8 +1882,9 @@ export async function getRestoreAssessment(): Promise<RestoreAssessment> {
 	};
 }
 
-async function scanNamedBackups(): Promise<NamedBackupScanResult> {
-	const backupRoot = getNamedBackupRoot(getStoragePath());
+async function scanNamedBackups(
+	backupRoot = getNamedBackupRoot(getStoragePath()),
+): Promise<NamedBackupScanResult> {
 	try {
 		const entries = await retryTransientFilesystemOperation(() =>
 			fs.readdir(backupRoot, { withFileTypes: true }),
@@ -1949,8 +1952,9 @@ async function scanNamedBackups(): Promise<NamedBackupScanResult> {
 	}
 }
 
-async function listNamedBackupsWithoutLoading(): Promise<NamedBackupMetadataListingResult> {
-	const backupRoot = getNamedBackupRoot(getStoragePath());
+async function listNamedBackupsWithoutLoading(
+	backupRoot = getNamedBackupRoot(getStoragePath()),
+): Promise<NamedBackupMetadataListingResult> {
 	try {
 		const entries = await retryTransientFilesystemOperation(() =>
 			fs.readdir(backupRoot, { withFileTypes: true }),
@@ -2088,7 +2092,12 @@ export function detectOpencodeAccountPoolPath(): string | null {
 	const explicit = process.env.CODEX_OPENCODE_POOL_PATH;
 	if (explicit?.trim()) {
 		const explicitPath = resolvePath(explicit.trim());
-		return existsSync(explicitPath) ? explicitPath : null;
+		if (!existsSync(explicitPath)) {
+			throw new Error(
+				`CODEX_OPENCODE_POOL_PATH points to a file that does not exist: ${basename(explicitPath)}`,
+			);
+		}
+		return explicitPath;
 	}
 
 	const appDataBases = [process.env.LOCALAPPDATA, process.env.APPDATA].filter(
@@ -2322,6 +2331,43 @@ export function isAccountSnapshotName(name: string): boolean {
 	);
 }
 
+function getAutoSnapshotMarkerPath(backupPath: string): string {
+	return `${backupPath}${AUTO_SNAPSHOT_MARKER_SUFFIX}`;
+}
+
+function normalizeStorageComparisonKey(pathValue: string): string {
+	const resolvedPath = resolvePath(pathValue);
+	return process.platform === "win32"
+		? resolvedPath.toLowerCase()
+		: resolvedPath;
+}
+
+async function writeAutoSnapshotMarker(
+	backupPath: string,
+	reason: AccountSnapshotReason,
+): Promise<void> {
+	const markerPath = getAutoSnapshotMarkerPath(backupPath);
+	await retryTransientFilesystemOperation(() =>
+		fs.writeFile(markerPath, reason, { encoding: "utf-8", mode: 0o600 }),
+	);
+}
+
+async function deleteAutoSnapshotMarker(backupPath: string): Promise<void> {
+	const markerPath = getAutoSnapshotMarkerPath(backupPath);
+	try {
+		await unlinkWithRetry(markerPath);
+	} catch (error) {
+		const code = (error as NodeJS.ErrnoException).code;
+		if (code !== "ENOENT") {
+			throw error;
+		}
+	}
+}
+
+function isMarkedAutoSnapshot(backupPath: string): boolean {
+	return existsSync(getAutoSnapshotMarkerPath(backupPath));
+}
+
 function getAccountSnapshotReason(name: string): string | null {
 	const match = name.match(
 		/^accounts-(?<reason>[a-z0-9-]+)-snapshot-\d{4}-\d{2}-\d{2}_\d{2}-\d{2}-\d{2}_\d{3}$/i,
@@ -2389,6 +2435,7 @@ export interface AutoSnapshotPruneOptions {
 	backups?: NamedBackupMetadata[];
 	preserveNames?: Iterable<string>;
 	keepLatestPerReason?: number;
+	storagePath?: string;
 }
 
 export interface AutoSnapshotPruneResult {
@@ -2399,7 +2446,13 @@ export interface AutoSnapshotPruneResult {
 export async function pruneAutoGeneratedSnapshots(
 	options: AutoSnapshotPruneOptions = {},
 ): Promise<AutoSnapshotPruneResult> {
-	const backups = options.backups ?? (await listNamedBackups());
+	const backups =
+		options.backups ??
+		(
+			await scanNamedBackups(
+				getNamedBackupRoot(options.storagePath ?? getStoragePath()),
+			)
+		).backups.map((entry) => entry.backup);
 	const keepLatestPerReason = Math.max(
 		1,
 		options.keepLatestPerReason ?? 1,
@@ -2410,7 +2463,12 @@ export async function pruneAutoGeneratedSnapshots(
 	}
 
 	const autoSnapshots = backups
-		.map((backup) => parseAutoSnapshot(backup))
+		.map((backup) => {
+			if (!isMarkedAutoSnapshot(backup.path)) {
+				return null;
+			}
+			return parseAutoSnapshot(backup);
+		})
 		.filter((snapshot): snapshot is AutoSnapshotDetails => snapshot !== null);
 	if (autoSnapshots.length === 0) {
 		return { pruned: [], kept: [] };
@@ -2439,6 +2497,7 @@ export async function pruneAutoGeneratedSnapshots(
 		}
 		try {
 			await unlinkWithRetry(snapshot.backup.path);
+			await deleteAutoSnapshotMarker(snapshot.backup.path);
 			pruned.push(snapshot.backup);
 		} catch (error) {
 			keptNames.add(snapshot.name);
@@ -2484,23 +2543,25 @@ export function formatRedactedFilesystemError(error: unknown): string {
 }
 
 function formatSnapshotErrorForLog(error: unknown): string {
-	const code =
-		typeof (error as NodeJS.ErrnoException | undefined)?.code === "string"
-			? (error as NodeJS.ErrnoException).code
-			: undefined;
-	const rawMessage =
-		error instanceof Error ? error.message : String(error ?? "unknown error");
-	const redactedMessage = redactFilesystemDetails(rawMessage);
-	if (code && !redactedMessage.includes(code)) {
-		return `${code}: ${redactedMessage}`;
-	}
-	return redactedMessage;
+	return formatRedactedFilesystemError(error);
 }
 
-async function enforceSnapshotRetention(): Promise<void> {
-	await pruneAutoGeneratedSnapshots({
-		keepLatestPerReason: ACCOUNT_SNAPSHOT_RETENTION_PER_REASON,
-	});
+async function enforceSnapshotRetention(storagePath?: string): Promise<void> {
+	const resolvedStoragePath = normalizeStorageComparisonKey(
+		storagePath ?? getStoragePath(),
+	);
+	if (retentionEnforcementInFlight.has(resolvedStoragePath)) {
+		return;
+	}
+	retentionEnforcementInFlight.add(resolvedStoragePath);
+	try {
+		await pruneAutoGeneratedSnapshots({
+			keepLatestPerReason: ACCOUNT_SNAPSHOT_RETENTION_PER_REASON,
+			storagePath: resolvedStoragePath,
+		});
+	} finally {
+		retentionEnforcementInFlight.delete(resolvedStoragePath);
+	}
 }
 
 export async function snapshotAccountStorage(
@@ -2545,7 +2606,17 @@ export async function snapshotAccountStorage(
 	}
 
 	try {
-		await enforceSnapshotRetention();
+		await writeAutoSnapshotMarker(snapshot.path, reason);
+	} catch (error) {
+		log.warn("Failed to mark account storage snapshot for retention", {
+			reason,
+			backupName,
+			error: formatSnapshotErrorForLog(error),
+		});
+	}
+
+	try {
+		await enforceSnapshotRetention(resolvedStoragePath);
 	} catch (error) {
 		log.warn("Failed to enforce account snapshot retention", {
 			reason,
@@ -3067,9 +3138,11 @@ function equalsNamedBackupEntry(left: string, right: string): boolean {
 }
 
 function equalsResolvedStoragePath(left: string, right: string): boolean {
+	const normalizedLeft = resolvePath(left);
+	const normalizedRight = resolvePath(right);
 	return process.platform === "win32"
-		? left.toLowerCase() === right.toLowerCase()
-		: left === right;
+		? normalizedLeft.toLowerCase() === normalizedRight.toLowerCase()
+		: normalizedLeft === normalizedRight;
 }
 
 function stripNamedBackupJsonExtension(name: string): string {
diff --git a/test/codex-manager-cli.test.ts b/test/codex-manager-cli.test.ts
@@ -1125,6 +1125,58 @@ describe("codex manager cli commands", () => {
 		);
 	});
 
+	it("skips OpenCode import when the detected pool resolves to the active storage file", async () => {
+		setInteractiveTTY(true);
+		loadAccountsMock.mockResolvedValue({
+			version: 3,
+			activeIndex: 0,
+			activeIndexByFamily: { codex: 0 },
+			accounts: [],
+		});
+		assessOpencodeAccountPoolMock.mockResolvedValue({
+			backup: {
+				name: "openai-codex-accounts.json",
+				path: "C:\\mock\\openai-codex-accounts.json",
+				createdAt: null,
+				updatedAt: Date.now(),
+				sizeBytes: 128,
+				version: 3,
+				accountCount: 1,
+				schemaErrors: [],
+				valid: true,
+				loadError: "",
+			},
+			currentAccountCount: 0,
+			mergedAccountCount: null,
+			imported: null,
+			skipped: null,
+			wouldExceedLimit: false,
+			eligibleForRestore: false,
+			nextActiveIndex: null,
+			nextActiveEmail: undefined,
+			nextActiveAccountId: undefined,
+			activeAccountChanged: false,
+			error: "Import source cannot be the active storage file.",
+		});
+		getStoragePathMock.mockReturnValue("c:/mock/openai-codex-accounts.json");
+		promptLoginModeMock
+			.mockResolvedValueOnce({ mode: "import-opencode" })
+			.mockResolvedValueOnce({ mode: "cancel" });
+		const logSpy = vi.spyOn(console, "log").mockImplementation(() => {});
+		const { runCodexMultiAuthCli } = await import("../lib/codex-manager.js");
+
+		const exitCode = await runCodexMultiAuthCli(["auth", "login"]);
+
+		expect(exitCode).toBe(0);
+		expect(assessOpencodeAccountPoolMock).toHaveBeenCalledTimes(1);
+		expect(confirmMock).not.toHaveBeenCalled();
+		expect(importAccountsMock).not.toHaveBeenCalled();
+		expect(logSpy).toHaveBeenCalledWith(
+			"Import source cannot be the active storage file.",
+		);
+		logSpy.mockRestore();
+	});
+
 	it("returns a non-zero exit code when the direct restore-backup command fails", async () => {
 		setInteractiveTTY(true);
 		const now = Date.now();
@@ -1488,7 +1540,8 @@ describe("codex manager cli commands", () => {
 				accountCount: 0,
 				schemaErrors: ["invalid"],
 				valid: false,
-				loadError: "ENOENT: openai-codex-accounts.json",
+				loadError:
+					"ENOENT: C:\\Users\\alice\\AppData\\Local\\OpenCode\\openai-codex-accounts.json",
 			},
 			currentAccountCount: 0,
 			mergedAccountCount: null,
@@ -1500,7 +1553,8 @@ describe("codex manager cli commands", () => {
 			nextActiveEmail: undefined,
 			nextActiveAccountId: undefined,
 			activeAccountChanged: false,
-			error: "ENOENT: openai-codex-accounts.json",
+			error:
+				"ENOENT: C:\\Users\\alice\\AppData\\Local\\OpenCode\\openai-codex-accounts.json",
 		});
 		promptLoginModeMock
 			.mockResolvedValueOnce({ mode: "import-opencode" })
@@ -1516,6 +1570,11 @@ describe("codex manager cli commands", () => {
 		expect(logSpy).toHaveBeenCalledWith(
 			"ENOENT: openai-codex-accounts.json",
 		);
+		expect(
+			logSpy.mock.calls.some(([message]) =>
+				String(message).includes("C:\\Users\\alice\\AppData\\Local\\OpenCode"),
+			),
+		).toBe(false);
 		logSpy.mockRestore();
 	});
 	it("runs restore preview before applying a replace-only named backup", async () => {
diff --git a/test/storage.test.ts b/test/storage.test.ts

Original file line number	Diff line number	Diff line change
`@@ -4468,8 +4468,9 @@ async function runAuthLogin(): Promise<number> {`
`4468`	`4468`	`continue;`
`4469`	`4469`	`}`
`4470`	`4470`	`if (!assessment.backup.valid \|\| !assessment.eligibleForRestore) {`
`4471`		`- const assessmentErrorLabel =`
`4472`		`- assessment.error \|\| "OpenCode account pool is not importable.";`
	`4471`	`+ const assessmentErrorLabel = formatRedactedFilesystemError(`
	`4472`	`+ assessment.error \|\| "OpenCode account pool is not importable.",`
	`4473`	`+ );`
`4473`	`4474`	`console.log(assessmentErrorLabel);`
`4474`	`4475`	`continue;`
`4475`	`4476`	`}`