fix(sync): harden rollback checkpoint recovery

Author: ndycode

lib/codex-cli/sync.ts

@@ -6,6 +6,7 @@ import {
 	type AccountStorageV3,
 	findMatchingAccountIndex,
 	getLastAccountsSaveTimestamp,
+	getRedactedFilesystemErrorLabel,
 	getStoragePath,
 	type NamedBackupMetadata,
 	normalizeAccountStorage,
@@ -35,6 +36,8 @@ import {
 const log = createLogger("codex-cli-sync");
 const RETRYABLE_SELECTION_TIMESTAMP_CODES = new Set(["EBUSY", "EPERM"]);
 export const SELECTION_TIMESTAMP_READ_MAX_ATTEMPTS = 4;
+const RETRYABLE_ROLLBACK_SAVE_CODES = new Set(["EBUSY", "EAGAIN"]);
+const ROLLBACK_SAVE_MAX_ATTEMPTS = 5;
 
 function createEmptyStorage(): AccountStorageV3 {
 	return {
@@ -442,12 +445,11 @@ async function loadRollbackSnapshot(
 			storage: normalized,
 		};
 	} catch (error) {
+		const errorLabel = getRedactedFilesystemErrorLabel(error);
 		const reason =
 			(error as NodeJS.ErrnoException).code === "ENOENT"
-				? `Rollback checkpoint is missing at ${snapshot.path}.`
-				: `Failed to read rollback checkpoint: ${
-						error instanceof Error ? error.message : String(error)
-					}`;
+				? `Rollback checkpoint file not found (snapshot: ${snapshot.name}).`
+				: `Failed to read rollback checkpoint for snapshot ${snapshot.name} [${errorLabel}].`;
 		return {
 			status: "unavailable",
 			reason,
@@ -456,6 +458,34 @@ async function loadRollbackSnapshot(
 	}
 }
 
+function isRetryableRollbackSaveError(error: unknown): boolean {
+	const code = (error as NodeJS.ErrnoException).code;
+	if (typeof code !== "string") {
+		return false;
+	}
+	if (RETRYABLE_ROLLBACK_SAVE_CODES.has(code)) {
+		return true;
+	}
+	return code === "EPERM" && process.platform === "win32";
+}
+
+async function saveRollbackStorageWithRetry(storage: AccountStorageV3): Promise<void> {
+	for (let attempt = 0; attempt < ROLLBACK_SAVE_MAX_ATTEMPTS; attempt += 1) {
+		try {
+			await saveAccounts(storage);
+			return;
+		} catch (error) {
+			if (
+				!isRetryableRollbackSaveError(error) ||
+				attempt + 1 >= ROLLBACK_SAVE_MAX_ATTEMPTS
+			) {
+				throw error;
+			}
+			await sleep(10 * 2 ** attempt);
+		}
+	}
+}
+
 export async function getLatestCodexCliSyncRollbackPlan(): Promise<CodexCliSyncRollbackPlan> {
 	const lastManualRun = await findLatestManualRollbackRun();
 	if (!lastManualRun) {
@@ -484,7 +514,7 @@ export async function rollbackLatestCodexCliSync(
 	}
 
 	try {
-		await saveAccounts(resolvedPlan.storage);
+		await saveRollbackStorageWithRetry(resolvedPlan.storage);
 		return {
 			status: "restored",
 			reason: resolvedPlan.reason,

test/codex-cli-sync.test.ts

@@ -1699,10 +1699,15 @@ describe("codex-cli sync", () => {
 		const plan = await getLatestCodexCliSyncRollbackPlan();
 		expect(plan.status).toBe("unavailable");
 		expect(plan.reason).toContain("missing");
+		expect(plan.reason).toContain(missingRun.rollbackSnapshot?.name ?? "");
+		expect(plan.reason).not.toContain(missingRun.rollbackSnapshot?.path ?? "");
 
 		const rollbackResult = await rollbackLatestCodexCliSync(plan);
 		expect(rollbackResult.status).toBe("unavailable");
 		expect(rollbackResult.reason).toContain("missing");
+		expect(rollbackResult.reason).not.toContain(
+			missingRun.rollbackSnapshot?.path ?? "",
+		);
 	});
 
 	it.each([
@@ -1821,6 +1826,78 @@ describe("codex-cli sync", () => {
 		saveSpy.mockRestore();
 	});
 
+	it("retries transient rollback save failures before succeeding", async () => {
+		const snapshotPath = join(tempDir, "rollback-retry-snapshot.json");
+		await writeFile(
+			snapshotPath,
+			JSON.stringify(
+				{
+					version: 3,
+					accounts: [
+						{
+							accountId: "acc_old",
+							accountIdSource: "token",
+							email: "old@example.com",
+							refreshToken: "refresh-old",
+							accessToken: "access-old",
+							addedAt: 1,
+							lastUsed: 1,
+						},
+					],
+					activeIndex: 0,
+					activeIndexByFamily: { codex: 0 },
+				} satisfies AccountStorageV3,
+				null,
+				2,
+			),
+			"utf-8",
+		);
+
+		const recordedRun: CodexCliSyncRun = {
+			outcome: "changed",
+			runAt: 10,
+			sourcePath: accountsPath,
+			targetPath: targetStoragePath,
+			summary: {
+				sourceAccountCount: 1,
+				targetAccountCountBefore: 1,
+				targetAccountCountAfter: 1,
+				addedAccountCount: 0,
+				updatedAccountCount: 1,
+				unchangedAccountCount: 0,
+				destinationOnlyPreservedCount: 0,
+				selectionChanged: false,
+			},
+			trigger: "manual",
+			rollbackSnapshot: {
+				name: "accounts-codex-cli-sync-snapshot-retry",
+				path: snapshotPath,
+			},
+		};
+		await appendSyncHistoryEntry({
+			kind: "codex-cli-sync",
+			recordedAt: recordedRun.runAt,
+			run: recordedRun,
+		});
+
+		const transientError = Object.assign(new Error("save busy"), {
+			code: "EBUSY",
+		});
+		const saveSpy = vi
+			.spyOn(storageModule, "saveAccounts")
+			.mockRejectedValueOnce(transientError)
+			.mockResolvedValueOnce(undefined);
+
+		const plan = await getLatestCodexCliSyncRollbackPlan();
+		expect(plan.status).toBe("ready");
+
+		const rollbackResult = await rollbackLatestCodexCliSync(plan);
+		expect(rollbackResult.status).toBe("restored");
+		expect(saveSpy).toHaveBeenCalledTimes(2);
+
+		saveSpy.mockRestore();
+	});
+
 	it("re-reads Codex CLI state on apply when forceRefresh is requested", async () => {
 		await writeFile(
 			accountsPath,