feat(auth): add explicit opencode import adapter

[ndycode]

Summary

• Add an explicit OpenCode account-pool import adapter.
• Surface a user-facing import path and validation on top of the existing import contract.

---

Summary by cubic

Adds an explicit OpenCode import adapter so users can preview and import an existing OpenCode account pool into the auth manager from the login dashboard. Integrates a new “Import OpenCode Accounts” flow with validation and confirmation before import.

• New Features
  • New login action: Import OpenCode Accounts (CLI mode: import-opencode) in the Recovery section.
  • Auto-detects the pool file via CODEX_OPENCODE_POOL_PATH, %LOCALAPPDATA%/OpenCode or opencode, %APPDATA%/OpenCode or opencode, or ~/.opencode/openai-codex-accounts.json.
  • Preview and validation via assessOpencodeAccountPool with clear errors and limit checks; no changes on invalid sources.
  • Imports using importAccounts and prints a summary (imported, skipped, total).
  • Docs: updated getting-started to mention importing from an existing companion app pool.

^{Written for commit 9e04080. Summary will update on new commits.}

note: greptile review for oc-chatgpt-multi-auth. cite files like lib/foo.ts:123. confirm regression tests + windows concurrency/token redaction coverage.

Greptile Summary

this pr adds an explicit opencode account-pool import adapter: a new import-opencode login mode, auto-detection via detectOpencodeAccountPoolPath, assessment via assessOpencodeAccountPool, and a menu action that previews and imports the pool into the auth manager. the storage refactor (assessBackupRestoreFromPath) is clean and the new exported types (NamedBackupMetadata, RotatingBackupMetadata, BackupRestoreAssessment) tighten the contract.

key gaps to address before merging:

• confirmation prompt omits account count — assessment.imported is available but not shown; users can't make an informed decision, and a zero-import case (all duplicates) still prompts and confuses.
• missing vitest coverage for error branches — the null, !valid, and wouldExceedLimit paths in the import-opencode handler are untested; these are the paths most likely to fire on windows due to antivirus locks and stale paths.
• menu item unconditionally visible — "Import OpenCode Accounts" always appears in the recovery section even on machines without opencode; detectOpencodeAccountPoolPath() is synchronous and could gate visibility cheaply.
• open threads from prior review (bare existsSync, stale currentStorage, TOCTOU between assessment and import) remain unresolved and are not addressed in this iteration.

Confidence Score: 3/5

• functional but has ux gaps and missing test coverage; open concurrency/windows threads from prior review still unresolved
• core logic is solid — detection, assessment, and import pipeline hang together correctly. however the confirmation dialog omits the account count (misleading on zero-import), vitest coverage for the three error branches in runAuthLogin is absent, and three pre-existing review threads (bare existsSync, stale currentStorage, TOCTOU) remain open. no token leakage or data-loss path introduced, but the pr description does not address windows concurrency or logging redaction strategy as required by the project's merge policy.
• lib/codex-manager.ts (import-opencode handler — confirm prompt and zero-import guard), test/codex-manager-cli.test.ts (missing error-branch coverage)

Important Files Changed

Filename	Overview
lib/storage.ts	adds detectOpencodeAccountPoolPath and assessOpencodeAccountPool; refactors assessBackupRestoreFromPath; logic is sound but existsSync in the candidate loop still bare (addressed in previous thread).
lib/codex-manager.ts	wires up import-opencode handler in runAuthLogin; confirmation prompt omits account count, zero-import case not short-circuited, stale currentStorage and TOCTOU concerns noted in previous threads remain open.
lib/ui/auth-menu.ts	adds import-opencode action type and unconditionally inserts menu item; item always shown even when no opencode pool is present on disk.
lib/ui/copy.ts	adds importOpencode copy string; straightforward, no issues.
lib/cli.ts	adds import-opencode to LoginMode union and promptLoginMode switch; clean, no issues.
test/codex-manager-cli.test.ts	adds happy-path test for import-opencode; null assessment, invalid, and wouldExceedLimit branches have no coverage — important on windows where those paths fire regularly.
test/storage.test.ts	adds detection and assessment tests with real temp files; covers valid and malformed pool; env teardown is correct.
docs/getting-started.md	one-line doc addition for the import recovery option; accurate and concise.

Sequence Diagram

sequenceDiagram
    participant U as User
    participant CM as codex-manager
    participant S as storage
    participant FS as Filesystem

    U->>CM: select import-opencode
    CM->>S: assessOpencodeAccountPool(currentStorage)
    S->>FS: existsSync candidates at T1
    FS-->>S: path found
    S->>FS: readFile pool JSON
    S-->>CM: BackupRestoreAssessment
    CM->>U: confirm prompt (no count shown)
    U-->>CM: confirmed
    CM->>S: importAccounts(backup.path)
    S->>FS: re-read at T2
    S->>S: withAccountStorageTransaction
    S-->>CM: imported skipped total
    CM->>U: summary message

Loading

Prompt To Fix All With AI

This is a comment left during a code review.
Path: lib/codex-manager.ts
Line: 4987-4989

Comment:
**confirmation prompt omits account count**

`assessment.imported` is already computed at this point but the confirm dialog doesn't surface it. a user sees a path and clicks yes without knowing whether they're importing 1 account or 20, or even 0 (all duplicates). include the count so the decision is informed:

```suggestion
					const confirmed = await confirm(
						`Import ${assessment.imported ?? 0} new account${assessment.imported === 1 ? "" : "s"} from ${assessment.backup.path}?`,
					);
```

if `assessment.imported` is 0 (all accounts already present), the flow should short-circuit with a message rather than prompting a confirmation that results in "Imported 0 accounts."

How can I resolve this? If you propose a fix, please make it concise.

---

This is a comment left during a code review.
Path: test/codex-manager-cli.test.ts
Line: 578-665

Comment:
**missing vitest coverage for error branches in import-opencode handler**

the new test only exercises the happy path. the `runAuthLogin` handler at `lib/codex-manager.ts:4977-4986` has three distinct early-exit branches that are completely untested:

- `assessOpencodeAccountPool` returns `null` → "No OpenCode account pool was detected."
- `assessment.valid === false` → prints `assessment.error`
- `assessment.wouldExceedLimit === true` → prints `assessment.error ?? "OpenCode account pool is not importable."`

on windows, antivirus lock outs and stale unc paths are common triggers for null/invalid assessments — these branches run in production regularly but have zero regression coverage. add at least one test per branch to guard them.

How can I resolve this? If you propose a fix, please make it concise.

---

This is a comment left during a code review.
Path: lib/ui/auth-menu.ts
Line: 692-696

Comment:
**"Import OpenCode Accounts" always visible regardless of pool presence**

the menu item is unconditionally added for every user. on machines without opencode installed, selecting it immediately prints "No OpenCode account pool was detected." and loops back — a dead end that erodes trust. `detectOpencodeAccountPoolPath()` is synchronous and cheap; hiding or disabling the item when it returns `null` would match the behavior of other conditional recovery options and avoid confusing users without opencode.

How can I resolve this? If you propose a fix, please make it concise.

_{Last reviewed commit: 9e04080}

Context used:

• Rule used - What: Every code change must explain how it defend... (source)

[coderabbitai]

Warning

Rate limit exceeded

@ndycode has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 19 minutes and 46 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 7fa90a42-8145-44f8-b53a-1cbc882fc98c

📥 Commits

Reviewing files that changed from the base of the PR and between d2c84de and 9e04080.

📒 Files selected for processing (8)

• docs/getting-started.md
• lib/cli.ts
• lib/codex-manager.ts
• lib/storage.ts
• lib/ui/auth-menu.ts
• lib/ui/copy.ts
• test/codex-manager-cli.test.ts
• test/storage.test.ts

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch git-plan/18-import-adapter-opencode

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[greptile-apps]

unhandled existsSync throw in candidate loop

existsSync can throw on windows when antivirus holds an exclusive lock on the file, or when the path is a stale unc/network mount. here the call is bare — a single locked candidate crashes the entire detection and bubbles an unhandled error up through assessOpencodeAccountPool into the login loop. wrap in a try/catch and treat any exception as "not found" so the loop continues to the next candidate.

Suggested change

	for (const candidate of candidates) {
	if (existsSync(candidate)) {
	return candidate;
	}
	}
	for (const candidate of candidates) {
	try {
	if (existsSync(candidate)) {
	return candidate;
	}
	} catch {
	// file locked or inaccessible (e.g. AV hold on Windows) — skip
	}
	}

Prompt To Fix With AI

This is a comment left during a code review.
Path: lib/storage.ts
Line: 1537-1541

Comment:
**unhandled `existsSync` throw in candidate loop**

`existsSync` can throw on windows when antivirus holds an exclusive lock on the file, or when the path is a stale unc/network mount. here the call is bare — a single locked candidate crashes the entire detection and bubbles an unhandled error up through `assessOpencodeAccountPool` into the login loop. wrap in a try/catch and treat any exception as "not found" so the loop continues to the next candidate.

```suggestion
	for (const candidate of candidates) {
		try {
			if (existsSync(candidate)) {
				return candidate;
			}
		} catch {
			// file locked or inaccessible (e.g. AV hold on Windows) — skip
		}
	}
```

How can I resolve this? If you propose a fix, please make it concise.

[greptile-apps]

TOCTOU race between assessment preview and actual import

assessOpencodeAccountPool reads the opencode pool file at time T₁ to build the preview shown to the user. the user can take seconds (or minutes) to confirm. importAccounts then re-reads the same file at time T₂. on a windows desktop, opencode may be running concurrently and can rotate/replace openai-codex-accounts.json between T₁ and T₂ — the user sees "import 2 accounts" but the actual mutation brings in a different set.

the fix is to snapshot the source before showing the confirmation, then pass the snapshotted path (or the already-parsed candidate.normalized data) directly to the write step, rather than re-resolving from disk. at minimum, re-assess after confirmation and bail if the account count has shifted. no regression test currently covers a mid-confirm file mutation.

Prompt To Fix With AI

This is a comment left during a code review.
Path: lib/codex-manager.ts
Line: 4973-5004

Comment:
**TOCTOU race between assessment preview and actual import**

`assessOpencodeAccountPool` reads the opencode pool file at time T₁ to build the preview shown to the user. the user can take seconds (or minutes) to confirm. `importAccounts` then re-reads the same file at time T₂. on a windows desktop, opencode may be running concurrently and can rotate/replace `openai-codex-accounts.json` between T₁ and T₂ — the user sees "import 2 accounts" but the actual mutation brings in a different set.

the fix is to snapshot the source before showing the confirmation, then pass the snapshotted path (or the already-parsed `candidate.normalized` data) directly to the write step, rather than re-resolving from disk. at minimum, re-assess after confirmation and bail if the account count has shifted. no regression test currently covers a mid-confirm file mutation.

How can I resolve this? If you propose a fix, please make it concise.

[greptile-apps]

stale currentStorage makes preview misleading

currentStorage is loaded once at the top of the runAuthLogin loop iteration and reused across multiple menu actions. by the time import-opencode is reached the on-disk state may differ (another process added/removed accounts). the assessment preview ("would add N accounts") is shown based on stale data, while importAccounts internally calls withAccountStorageTransaction which re-reads the live storage. pass a freshly loaded storage to assessOpencodeAccountPool here so the preview matches what the transaction will actually do:

Suggested change

	const assessment = await assessOpencodeAccountPool({
	currentStorage,
	});
	const freshStorage = await loadAccounts();
	const assessment = await assessOpencodeAccountPool({
	currentStorage: freshStorage,
	});

Prompt To Fix With AI

This is a comment left during a code review.
Path: lib/codex-manager.ts
Line: 4974-4976

Comment:
**stale `currentStorage` makes preview misleading**

`currentStorage` is loaded once at the top of the `runAuthLogin` loop iteration and reused across multiple menu actions. by the time `import-opencode` is reached the on-disk state may differ (another process added/removed accounts). the assessment preview ("would add N accounts") is shown based on stale data, while `importAccounts` internally calls `withAccountStorageTransaction` which re-reads the live storage. pass a freshly loaded storage to `assessOpencodeAccountPool` here so the preview matches what the transaction will actually do:

```suggestion
				const freshStorage = await loadAccounts();
				const assessment = await assessOpencodeAccountPool({
					currentStorage: freshStorage,
				});
```

How can I resolve this? If you propose a fix, please make it concise.

[cubic-dev-ai]

1 issue found across 8 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="docs/getting-started.md">

<violation number="1" location="docs/getting-started.md:85">
P2: This new doc line introduces "OpenCode"/"opencode" wording in a user doc, but documentation.test.ts explicitly forbids any "opencode" references in user docs, so CI will fail. Either rephrase to avoid the opencode string or update the test allowlist/policy to permit this reference.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}