Skip to content

Stability fixes#2

Merged
dkraemerwork merged 2 commits intodkraemerwork:mainfrom
DxTa:main
Feb 12, 2026
Merged

Stability fixes#2
dkraemerwork merged 2 commits intodkraemerwork:mainfrom
DxTa:main

Conversation

@DxTa
Copy link
Copy Markdown
Contributor

@DxTa DxTa commented Feb 12, 2026
edited
Loading

Hi, it seems that the switching of account sometimes leading to the session got interrupted in middle of the session as well as there are gibberish characters responded.

I tried to solve the issue by replicate (vibed the way out) what openai oauth is done now by default in opencode and this seems to fix. Please feel free to check if this makes sense.

What this fixes

  • Fixes session/account drift: the same prompt_cache_key could hop accounts on retries/rate limits, causing inconsistent context/account state. Sessions are now pinned to one account and persisted across restarts.
  • Fixes OpenCode header clobbering: when prompt_cache_key is absent, host-provided session_id/originator are preserved instead of being overwritten/cleared.
  • Fixes account-ID extraction failures from JWT variants (base64url, root/nested/org claims), which could produce 401 due to missing chatgpt-account-id.
  • Fixes OAuth callback validation gap by rejecting missing/mismatched state.
  • Fixes backend target validation gap by allowing only https://chatgpt.com/backend-api/codex/responses.
  • Fixes runtime parity mismatch by no longer forcing store/stream and passing SSE responses through unchanged.

Security improvements

  • Enforces owner-only permissions for persisted account/session/log files.
  • Redacts sensitive tokens/headers from request logs.

DxTa added 2 commits February 11, 2026 17:01
@DxTa
feat: bind prompt-cache sessions to accounts and align opencode headers
6e2802e
@DxTa
fix: harden codex fetch path and secure local persistence
9895c30 
- validate OAuth callback state and trusted backend URL before fetch
- preserve host-provided stream/store semantics for runtime parity
- enforce owner-only file permissions for account, session, and log data
- expand tests for security hardening and request/response parity
@DxTa DxTa requested a review from dkraemerwork as a code owner February 12, 2026 06:55
@dkraemerwork
Copy link
Copy Markdown
Owner

dkraemerwork commented Feb 12, 2026

I was trying to solve this too. Amazing, will check it out

@dkraemerwork dkraemerwork merged commit 916036c into dkraemerwork:main Feb 12, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dkraemerwork dkraemerwork dkraemerwork approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@DxTa @dkraemerwork