Summary
Every Code's logout behavior needs clearer account-scoped semantics now that it supports multiple stored accounts in ~/.code/auth_accounts.json.
When the user logs out, they expect to log out of the current account, not wipe or break every saved account. However, the current recovery discussion exposed confusing behavior around /logout, /login, auth.json, and auth_accounts.json:
/logout removes ~/.code/auth.json.- Stored accounts remain in
~/.code/auth_accounts.json.
/login can then reactivate a stored account, including one whose token is stale or permanently refresh-failed.- The UX does not clearly distinguish "log out active account", "remove this stored account", "switch account", and "force fresh OAuth for this account".
This should be handled separately from the auto-review refresh_token_reused issue in #279.
Desired Behavior
Logout should be account-scoped:
- Logging out of one account should not remove unrelated stored accounts.
- If multiple accounts are stored,
/logout should remove or deactivate only the active account unless the user explicitly chooses a broader action.
- Other stored accounts should remain available for account switching.
- If the active account has a permanent refresh-token failure, logout should clear that account's usable token state so
/login cannot silently reactivate the same broken credentials.
UX Questions To Decide
Possible semantics:
/logout: log out only the active account and return to an account picker if other accounts remain./logout --all or an explicit UI action: remove all stored accounts.- Account picker action: remove a specific stored account.
- Reauth action: force a fresh OAuth flow for the selected account, replacing stale stored tokens.
The important distinction is that a normal logout should not accidentally destroy or mutate every account.
Context From Investigation
During investigation of #279, ~/.code/auth_accounts.json contained multiple stored ChatGPT accounts:
active account: info@shinycomputers.com
stored account: info@shinycomputers.com
stored account: cbusillo@icloud.com
The active account's stored token claims were stale:
last_refresh: 2026-05-28T20:57:25.375064Z
token exp: 2026-05-28T21:57:25Z
The user tried /logout then /login, expecting a fresh login, but Every Code still appeared to be using stale stored-account credentials.
Proposed Fixes
- Define account-scoped logout semantics in the TUI and CLI.
- Ensure
/logout and code logout do not indiscriminately destroy unrelated stored accounts.
- Add an explicit
logout all / remove-all flow if broad cleanup is needed.
- When logging out the active account, clear or remove its stale token material from
auth_accounts.json so it cannot be immediately reactivated as if healthy.
- Add tests for:
- logging out active account with two stored accounts leaves the other account intact
- logging out does not reactivate stale credentials on the next
/login
- explicit remove-all behavior, if implemented
- account picker state after active account logout
Safety Note
Tests and logs should not include token values. Use synthetic token fixtures or non-secret claim summaries only.
Summary
Every Code's logout behavior needs clearer account-scoped semantics now that it supports multiple stored accounts in
~/.code/auth_accounts.json.When the user logs out, they expect to log out of the current account, not wipe or break every saved account. However, the current recovery discussion exposed confusing behavior around
/logout,/login,auth.json, andauth_accounts.json:/logoutremoves~/.code/auth.json.~/.code/auth_accounts.json./logincan then reactivate a stored account, including one whose token is stale or permanently refresh-failed.This should be handled separately from the auto-review
refresh_token_reusedissue in #279.Desired Behavior
Logout should be account-scoped:
/logoutshould remove or deactivate only the active account unless the user explicitly chooses a broader action./logincannot silently reactivate the same broken credentials.UX Questions To Decide
Possible semantics:
/logout: log out only the active account and return to an account picker if other accounts remain./logout --allor an explicit UI action: remove all stored accounts.The important distinction is that a normal logout should not accidentally destroy or mutate every account.
Context From Investigation
During investigation of #279,
~/.code/auth_accounts.jsoncontained multiple stored ChatGPT accounts:The active account's stored token claims were stale:
The user tried
/logoutthen/login, expecting a fresh login, but Every Code still appeared to be using stale stored-account credentials.Proposed Fixes
/logoutandcode logoutdo not indiscriminately destroy unrelated stored accounts.logout all/ remove-all flow if broad cleanup is needed.auth_accounts.jsonso it cannot be immediately reactivated as if healthy./loginSafety Note
Tests and logs should not include token values. Use synthetic token fixtures or non-secret claim summaries only.