fix: harden OAuth vault recovery #190

Merged
steipete merged 2 commits into main from fix/oauth-vault-rename-recovery
May 26, 2026

@steipete
Collaborator

Summary

  • recover renamed OAuth vault entries for the explicit <server>-oauth legacy path without reusing unrelated same-URL credentials
  • clear stale OAuth tokens/client registrations on structured permanent refresh failures while preserving valid concurrent refreshes
  • harden vault scans against malformed unrelated entries and add regression coverage for the recovery cases

Proof

  • pnpm vitest run tests/oauth-persistence.test.ts
  • pnpm typecheck
  • pnpm test -- --runInBand
  • /Users/steipete/Projects/agent-scripts/skills/autoreview/scripts/autoreview --mode local

@clawsweeper
clawsweeper Bot commented May 26, 2026

ClawSweeper status: review started.

I am starting a fresh review of this pull request: fix: harden OAuth vault recovery. This is item 1/1 in the current shard. Shard 0/1.

This placeholder means the worker is alive and reading the current context. I will edit this same comment with the actual review when the claws are done clicking.

Crustacean status: shell secured, claws on keyboard, evidence pebbles being sorted.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: cf78f4d28a

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread src/oauth-vault.ts
Comment on lines +210 to 214
const existing = isVaultEntry(vault.entries[key]) ? vault.entries[key] : undefined;
const fallback = findSameUrlCredentials(vault, definition, key, existing);
const inheritedKeys = scope === 'all' ? legacyOAuthRenameKeys(vault, definition, key) : fallback.sourceKeys;
if (!existing && inheritedKeys.length === 0) {
if (needsRepair) {
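Review bot: on the `const existing = ...` line, a key that is present but fails `isVaultEntry` collapses to `undefined`, so the `if (!existing && inheritedKeys.length === 0)` guard cannot tell it apart from an absent key. Consider testing presence separately for that guard, for example `Object.hasOwn(vault.entries, key)`, and keeping `isVaultEntry` only for code that reads the entry's fields. A regression test that clears a malformed exact entry would pin the behaviour.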
[P2] Delete malformed exact vault entries when clearing

clearVaultEntry now treats a key as missing unless it passes isVaultEntry, so an exact entry that is present but malformed (for example missing updatedAt) will hit the early-return path and remain in the vault. That regresses the previous behavior where any existing keyed entry could be removed with scope === 'all', and it means clearOAuthCaches can silently fail to clear broken credentials for that server unless the file is manually edited.

Useful? React with 👍 / 👎.
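The failure mode described in the Codex comment above, as an added example that is not the project's code: a clear routine that validates before deleting next to one that deletes on key presence. The vault shape, `serverUrl`, `accessToken` and both `clear*` function names are assumptions made for illustration.

```typescript
// Simplified model of a keyed OAuth vault. The entry shape and every name
// below are assumptions for illustration; only isVaultEntry and updatedAt
// come from the review comment.
type VaultEntry = { serverUrl: string; accessToken?: string; updatedAt: string };
type Vault = { entries: Record<string, unknown> };

function isVaultEntry(value: unknown): value is VaultEntry {
  if (typeof value !== 'object' || value === null) return false;
  const v = value as Record<string, unknown>;
  return typeof v.serverUrl === 'string' && typeof v.updatedAt === 'string';
}

// Behaviour the comment describes: a present-but-malformed entry is treated
// as missing, so the early return leaves it (and its token) in the vault.
function clearTreatingMalformedAsMissing(vault: Vault, key: string): boolean {
  const existing = isVaultEntry(vault.entries[key]) ? vault.entries[key] : undefined;
  if (!existing) return false;
  delete vault.entries[key];
  return true;
}

// Hardened variant: key presence decides deletion; validation is only needed
// by code that wants to read the entry's fields.
function clearByKeyPresence(vault: Vault, key: string): boolean {
  if (!Object.prototype.hasOwnProperty.call(vault.entries, key)) return false;
  delete vault.entries[key];
  return true;
}

// Constructed sample data: "broken" lacks updatedAt but still holds a token.
function sampleVault(): Vault {
  return {
    entries: {
      good: { serverUrl: 'https://mcp.example.test', accessToken: 'tok-a', updatedAt: '2026-05-26T00:00:00Z' },
      broken: { serverUrl: 'https://mcp.example.test', accessToken: 'tok-b' },
    },
  };
}

// Clears the malformed key with each routine and reports what is left.
function demo(): { leftBehind: boolean; removed: boolean } {
  const a = sampleVault();
  clearTreatingMalformedAsMissing(a, 'broken');
  const b = sampleVault();
  clearByKeyPresence(b, 'broken');
  return { leftBehind: 'broken' in a.entries, removed: !('broken' in b.entries) };
}
```
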

@steipete steipete merged commit 49dc62b into main May 26, 2026
5 checks passed
@steipete steipete deleted the fix/oauth-vault-rename-recovery branch May 26, 2026 14:47