Investigate Every Code auth failure after separate Codex CLI login

[shiny-code-bot]

Summary

Every Code auto-review failed with refresh_token_reused immediately after I logged into a separate Codex CLI session. The timing is suspicious enough to track, even though local auth-file inspection shows Codex CLI and Every Code are using different auth files and different accounts.

This may be a stale Every Code auth token that happened to be exercised right after the Codex login, but it could also point to confusing cross-harness auth behavior, legacy auth fallback, or insufficient diagnostics/recovery when background jobs hold stale auth snapshots.

User-visible failure

Auto Review failed before producing findings:

Auto Review: failed during exec_run.
Auto review failed before producing findings. Detail: Command failed: 2026-05-31T17:23:52.383665Z ERROR code_core::codex::streaming: stream disconnected - retries exhausted retries=5 max_retries=5 auto_compact_attempted=false error=Authentication expired. refresh_token_reused: Your refresh token has already been used to generate a new access token. Please try signing in …
Hint: Re-run auto review once and capture logs if the failure repeats.
Worktree: /Users/cbusillo/.code/working/launchplane/branches/auto-review-732f9ed1

Timeline

All local times are America/New_York on 2026-05-31.

• 13:22:56 -0400: ~/.codex/auth.json modified after logging into Codex CLI.
• 13:23:17 -0400 through 13:23:52 -0400: Every Code logs repeated refresh_token_reused failures.
• 13:23:29 -0400: failing Every Code auto-review session created.
• 13:23:33 -0400: first model stream attempt for that auto-review failed immediately with refresh_token_reused.
• 13:23:52 -0400: Every Code exhausted 5 retries and exited review mode without findings.
• 13:33:57 -0400: ~/.code/auth.json modified later, after the failure window.
• 13:44 -0400: trying /logout then /login in Every Code updated ~/.code/auth.json and ~/.code/auth_accounts.json, but the active stored account still contained stale May 28 token claims.

Local evidence

The failing auto-review session:

Session: /Users/cbusillo/.code/sessions/2026/05/31/rollout-2026-05-31T13-23-29-41db2bda-e0ef-4b6e-b654-efe343fadeef.jsonl
Worktree: /Users/cbusillo/.code/working/launchplane/branches/auto-review-732f9ed1
Repo: git@github.com:cbusillo/launchplane.git
Commit under review: 732f9ed1067025898cb314d517034fd0509b7e26
Originator: code_cli_rs
CLI version: 0.6.113
Session source: exec

Every Code critical log entries around the failure:

2026-05-31T17:23:17.832248Z ERROR ... refresh_token_reused
2026-05-31T17:23:28.372742Z ERROR ... refresh_token_reused
2026-05-31T17:23:34.769338Z ERROR ... refresh_token_reused
2026-05-31T17:23:36.510040Z ERROR ... refresh_token_reused
2026-05-31T17:27:00.551990Z ERROR ... refresh_token_reused

Non-secret JWT claim inspection showed:

~/.code/auth.json
  auth_mode: chatgpt
  email: info@shinycomputers.com
  last_refresh: 2026-05-28T20:57:25.375064Z
  id_token exp: 2026-05-28T21:57:25Z

~/.codex/auth.json
  auth_mode: chatgpt
  email: cbusillo@icloud.com
  last_refresh: 2026-05-31T17:22:56.905065Z
  id_token exp: 2026-05-31T18:22:56Z

File mtimes at inspection time:

2026-05-31 13:33:57 -0400 /Users/cbusillo/.code/auth.json
2026-05-31 13:22:56 -0400 /Users/cbusillo/.codex/auth.json

cmp ~/.code/auth.json ~/.codex/auth.json reported the files are different.

Additional stored-account evidence after /logout then /login did not fix the problem:

~/.code/auth_accounts.json active_account_id: 9bdcf8d1-88a6-4d7c-9437-a5860a6b2d89

stored account 9bdcf8d1-88a6-4d7c-9437-a5860a6b2d89
  label/email: info@shinycomputers.com
  last_refresh: 2026-05-28T20:57:25.375064Z
  token exp: 2026-05-28T21:57:25Z
  last_used_at: 2026-05-31T17:44:58.564198Z

stored account e576e6aa-d6f0-4246-98f1-6e5fba44add2
  label/email: cbusillo@icloud.com
  last_refresh: 2026-05-28T21:00:38.603608Z
  token exp: 2026-05-28T22:00:38Z
  last_used_at: 2026-05-31T17:44:38.094020Z

This suggests /logout removes auth.json, but /login can reactivate a stale stored account from auth_accounts.json instead of forcing a fresh OAuth flow.

Why this is confusing

Every Code should have been logged into info@shinycomputers.com, while the Codex CLI session was logged into cbusillo@icloud.com. Since these are different accounts and different files, logging into Codex CLI should not directly invalidate Every Code's info@shinycomputers.com refresh token.

The suspicious part is that the Every Code auto-review failed exactly when the Codex CLI login happened. That may be coincidence caused by the next Every Code request exercising an already-stale token, but the product should make this clearer and ideally recover when safe.

Separately, the recovery UX is misleading: /logout + /login can restore stale credentials from auth_accounts.json, so the user thinks they reauthenticated but they are still using expired/rotated credentials.

Current interpretation

Most likely:

• ~/.code/auth.json already contained stale info@shinycomputers.com credentials.
• The access token had expired on May 28.
• The next Every Code background auto-review on May 31 had to refresh.
• The backend rejected the stored refresh token with refresh_token_reused.
• The Codex CLI login was temporally adjacent but did not overwrite ~/.code/auth.json.
• /logout + /login did not repair the state because the stored account cache also contained stale token data.

Still worth investigating:

• Whether any Every Code path reads legacy ~/.codex/auth.json unexpectedly for auth, account switching, or background exec.
• Whether background jobs cache auth snapshots too long across login/logout/account changes.
• Whether multiple Every Code processes using the same account can race rotating refresh tokens.
• Whether refresh_token_reused should trigger a reload-from-disk and one retry before failing.
• Whether /logout should clear or mark stale stored account tokens, or /login should force fresh OAuth when the stored account has a permanent refresh failure.

Desired behavior

• Every Code and Codex CLI should be able to stay logged into different accounts without confusing cross-harness failures.
• Multiple harnesses using the same account should either work safely or fail with clear guidance if token rotation makes that unsupported.
• Auto-review should not silently turn an auth failure into a generic review failure without enough account/file-path context to diagnose.
• /logout followed by /login should not silently reactivate stale stored credentials after a permanent refresh-token failure.

Proposed fixes

1. On refresh_token_reused, reload the relevant auth file from disk and retry once if the non-secret account id/email matches the attempted auth.
2. Log non-secret diagnostics for auth failures:
   • resolved auth file path
   • auth mode
   • account id/email claim if available
   • token iat / exp
   • whether legacy ~/.codex fallback was used
   • whether auth came from auth.json or auth_accounts.json
3. Add targeted tests for:
   • Every Code ~/.code auth and Codex ~/.codex auth existing with different accounts
   • stale in-memory auth where disk has a newer rotated token
   • background auto-review/exec reporting permanent auth failures with actionable details
   • /logout + /login not restoring a stored account with stale/permanently failed refresh credentials unless the user explicitly selects that account with a clear warning
4. Audit legacy compatibility reads for auth.json to ensure Every Code writes and background jobs consistently prefer ~/.code unless explicit compatibility fallback is intended.

Safety note

No token values should be logged or included in test fixtures. The details above use only file paths, timestamps, and non-secret JWT claims.