Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="test/storage.test.ts">

<violation number="1" location="test/storage.test.ts:316">
P2: Use retry-based cleanup instead of bare `fs.rm` in test teardown to avoid Windows EBUSY/EPERM/ENOTEMPTY flakiness.</violation>
</file>

<file name="lib/storage.ts">

<violation number="1" location="lib/storage.ts:475">
P2: Backup name normalization in path resolution breaks restore for listed backup files whose filenames contain spaces or other non-normalized characters.</violation>
</file>

<file name="test/codex-manager-cli.test.ts">

<violation number="1" location="test/codex-manager-cli.test.ts:1609">
P3: `vi.doMock` here is never unmocked. `vi.resetModules()` does not clear the mock registry, so this confirm mock will leak into later tests and can change their behavior. Add a `vi.doUnmock`/`vi.unmock` cleanup (e.g., in `afterEach`) to keep tests isolated.</violation>
</file>

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="test/storage.test.ts">

<violation number="1" location="test/storage.test.ts:132">
P2: Replace the bare `fs.rm` in test cleanup with retry/backoff to avoid Windows CI flakes on transient file locks.</violation>
</file>

<file name="lib/storage.ts">

<violation number="1" location="lib/storage.ts:476">
P2: `resolveNamedBackupPath` allows path traversal via unsanitized backup names before directory confinement.</violation>
</file>

<file name="lib/cli.ts">

<violation number="1" location="lib/cli.ts:283">
P2: `restore-backup` is wired only in the TUI path; the fallback login prompt cannot select this new mode.</violation>
</file>

<file name="lib/codex-manager.ts">

<violation number="1" location="lib/codex-manager.ts:4171">
P2: Handle restoreNamedBackup errors so a missing/invalid backup or limit breach doesn’t crash the auth menu.</violation>
</file>

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/reference/storage-paths.md`:
- Line 25: Update docs/reference/storage-paths.md to document the restore entry
point and user workflow for the new backup paths: add a short step-by-step
showing "codex auth login" → select recovery → choose 'restore from backup' and
point readers to the interactive restore implementation in lib/codex-manager.ts
(see the interactive flow around the blocks at ~3909-3919 and the restore logic
at ~4211-4291) so users know how to consume files under
~/.codex/multi-auth/backups/<name>.json; also add or link an upgrade note that
mentions the changed CLI workflow and any new npm scripts introduced so README,
SECURITY, and docs remain consistent with the shipped flags and behavior.

In `@lib/codex-manager.ts`:
- Around line 3909-3920: The recovery menu (restore-backup) is never reachable
because runAuthLogin() only enters the menu loop when
existingStorage.accounts.length > 0; hoist the recovery entry so
runBackupRestoreManager(...) can be invoked even when existingStorage.accounts
is empty: move the restore-backup handling (call to runBackupRestoreManager and
its try/catch) to execute before the non-empty accounts guard in runAuthLogin,
ensuring the menu can present the recovery path on fresh/reset/missing storage;
add a vitest that simulates zero-account storage and asserts the restore flow is
offered and that runBackupRestoreManager is called; update any affected tests
referenced in the auth/login suite and ensure new queue logic (if added) handles
EBUSY and 429 retries per concurrency guidelines.

In `@lib/storage.ts`:
- Around line 1712-1728: loadBackupCandidate currently converts any read error
into a permanent invalid-backup result; change it to detect transient Windows/IO
errors (EPERM, EBUSY, EAGAIN) and retry the read (call to loadAccountsFromPath)
with an exponential/backoff loop (same retry envelope used elsewhere in this
module) before returning an error, and apply the same retry logic to the paired
fs.stat call in this file that checks backup file metadata; add a vitest that
simulates a transient busy/EPERM/EBUSY/EAGAIN failure on the first N attempts
and succeeds thereafter to assert the retry path is exercised and cite/update
the affected tests.
- Around line 1580-1609: The function listNamedBackups currently swallows all
readdir errors except ENOENT by logging and returning an empty array; change the
catch in listNamedBackups so that only ENOENT returns [] while any other error
is re-thrown (preserve the original error object) so callers like
runBackupRestoreManager surface real filesystem errors (EPERM/EBUSY). Update
tests: add a vitest that simulates an unreadable backup directory (make readdir
throw EPERM/EBUSY) and assert that listNamedBackups rejects/throws rather than
returning an empty array. Keep references to getNamedBackupRoot/getStoragePath
for locating the path and ensure loadBackupCandidate/buildNamedBackupMetadata
logic is untouched.

In `@test/codex-manager-cli.test.ts`:
- Around line 2365-2428: Add a regression test that covers the confirm=false
path so restore is blocked: duplicate the existing "restores a named backup..."
test setup (use setInteractiveTTY, mock loadAccountsMock, listNamedBackupsMock,
assessNamedBackupRestoreMock, promptLoginModeMock and selectMock) but make
confirmMock resolve to false and then call
runCodexMultiAuthCli(["auth","login"]); assert exitCode is non-zero (or
indicates cancellation) and that restoreNamedBackupMock was not called; keep
other expectations similar (list/assess called once, select used) to ensure the
safety gate implemented by confirmMock is exercised.

In `@test/storage.test.ts`:
- Around line 1111-1185: The tests cover happy paths but lack regression cases
that ensure restoreNamedBackup and assessNamedBackupRestore properly surface
failures for invalid or missing backup payloads; add deterministic vitest tests
in test/storage.test.ts that (1) create a named backup file with invalid JSON
and assert assessNamedBackupRestore(...) and restoreNamedBackup(...) both
reject/throw, (2) create a backup JSON missing required fields (e.g., no
"accounts") and assert both functions reject with a clear error, and (3) assert
behavior is consistent when a backup file is empty or truncated; use the same
helper functions (createNamedBackup, listNamedBackups, assessNamedBackupRestore,
restoreNamedBackup, clearAccounts, loadAccounts) and filesystem writes to inject
the malformed payloads so the tests reproduce the error-path regressions
deterministically under vitest.

---

Outside diff comments:
In `@lib/cli.ts`:
- Around line 49-61: The fallback readline menu never exposes or parses the new
"restore-backup" LoginMode, so add it to promptLoginModeFallback() (ensure the
option label and value include "restore-backup") and update the fallback prompt
text in lib/ui/copy.ts to advertise the restore flow (matching how
runAuthLogin() in lib/codex-manager.ts handles "restore-backup"); add a vitest
that exercises the fallback branch to assert the prompt lists and correctly
parses "restore-backup", and update any affected tests to reference the new
behavior; while modifying prompts/tests, verify any updated auth rotation or
queue logic touched by this change properly retries or surfaces EBUSY/429 errors
per existing concurrency and Windows IO guidelines.

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="test/storage.test.ts">

<violation number="1" location="test/storage.test.ts:1208">
P3: Duplicate test case: this restore-after-deletion scenario is already covered earlier in the same file.</violation>
</file>

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="test/storage.test.ts">

<violation number="1" location="test/storage.test.ts:1351">
P2: Use `removeWithRetry` instead of bare `fs.rm` to avoid transient Windows file-lock failures in tests.</violation>
</file>

<file name="lib/storage.ts">

<violation number="1" location="lib/storage.ts:1807">
P2: Do not swallow non-ENOENT errors when scanning named backups; rethrow them so restore reports the real filesystem failure instead of a misleading “file not found.”</violation>
</file>

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@lib/codex-manager.ts`:
- Around line 4361-4365: Replace the direct call to
resolveNamedBackupRestorePath + importAccounts (the block using
latestAssessment.backup.name, resolveNamedBackupRestorePath, and importAccounts)
with the storage-level named-backup restore helper used earlier in the confirm
flow (i.e., call the same storage restore wrapper that produces a safe,
exclusive restore path instead of resolving and opening the file directly), so
the final import uses the storage restore path and its concurrency/lock
handling; ensure the new path handles EBUSY/EPERM and HTTP 429 retry semantics,
preserves auth-rotation (do not leak tokens/emails in logs), and add two vitest
regressions: one in test/storage.test.ts and one in
test/codex-manager-cli.test.ts that simulate "backup removed or locked after
confirm" to assert the code retries/fails safely and logs non-sensitive
diagnostics.
- Around line 4222-4224: Add a direct dispatch for the new restore-backup CLI
command and a unit test: in the runCodexMultiAuthCli function add a branch that
recognizes the ["auth","restore-backup"] args and calls
runBackupRestoreManager(displaySettings) (preserving existing interactive flow),
update printUsage to include the "auth restore-backup" entry so it appears in
help output, and add a vitest in test/codex-manager-cli.test.ts that calls
runCodexMultiAuthCli(["auth","restore-backup"]) (mock or spy
runBackupRestoreManager as needed) to assert the new path is exercised.

In `@lib/storage.ts`:
- Around line 2137-2169: Add a vitest in test/storage.test.ts that exercises
resolveNamedBackupRestorePath's fallback branch by simulating a plain filename
that causes buildNamedBackupPath to throw while findExistingNamedBackupPath
returns null; specifically, call resolveNamedBackupRestorePath with a name that
is a basename (no separators, no "..") whose baseName does not match
/^[A-Za-z0-9_-]+$/ so the catch path executes and the function should throw an
Error whose message equals the “Import file not found: …” string produced by
resolvePath(join(backupRoot, requestedWithExtension)). Mock or stub
buildNamedBackupPath to throw, stub findExistingNamedBackupPath to return null,
and ensure getNamedBackupRoot/getStoragePath produce a stable known backupRoot
(account for Windows path sep) and assert the thrown error message matches the
exact resolved path; add the test as a regression for race/lock scenarios around
resolveNamedBackupRestorePath, buildNamedBackupPath, and
assertNamedBackupRestorePath.

In `@test/codex-manager-cli.test.ts`:
- Around line 2659-2732: Add a deterministic regression test that simulates the
backup disappearing after selection by making
resolveNamedBackupRestorePathMock.reject with an ENOENT error (e.g., new Error
with code "ENOENT") when the user selects the named backup; then assert the CLI
returns to the login menu (promptLoginModeMock called again), that
importAccountsMock and assessNamedBackupRestoreMock were not called for the
final resolve, and that a restore-failure message containing "ENOENT" or
"Restore failed" was logged; use the existing test scaffolding (selectMock,
promptLoginModeMock, runCodexMultiAuthCli) and vitest mocks so the test remains
deterministic.

In `@test/storage.test.ts`:
- Around line 2430-2448: The test asserts readdirSpy was called 7 times (1
initial + 6 retries) which is unclear; update the assertion to derive the
expected call count from the retry policy (e.g., use the
retryTransientFilesystemOperation retry constant or export a MAX_RETRIES value)
or add a one-line comment above the expectation explaining "1 initial attempt +
N retries" so readers can see why 7 is expected; locate the assertion around
restoreNamedBackup and readdirSpy in the test and either compute expectedCalls =
1 + MAX_RETRIES for the toHaveBeenCalledTimes check or add the clarifying
comment referencing retryTransientFilesystemOperation.

---

Duplicate comments:
In `@test/codex-manager-cli.test.ts`:
- Around line 3468-3506: The test "shows epoch backup timestamps in restore
hints" currently asserts the opposite by checking
expect(backupItems?.[0]?.hint).not.toContain("updated "), so update the test
assertion to match the test name/intent: change that line to
expect(backupItems?.[0]?.hint).toContain("updated ") (or otherwise assert the
epoch-rendered timestamp substring you want) in the spec that calls
runCodexMultiAuthCli and inspects selectMock.mock.calls
(test/codex-manager-cli.test.ts), so the test verifies the epoch timestamp is
rendered when assessNamedBackupRestoreMock returns an assessment; keep the rest
of the setup (listNamedBackupsMock, promptLoginModeMock, selectMock) unchanged.

		const newStorage: AccountStorageV3 = {
			version: 3,
			accounts: deduplicatedAccounts,
			activeIndex: existingActiveIndex,

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="lib/codex-manager.ts">

<violation number="1" location="lib/codex-manager.ts:4474">
P2: CLI `restore-backup` command falsely exits with a success code (0) when the restore fails.</violation>
</file>

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@lib/codex-manager.ts`:
- Around line 4477-4488: The restore-backup branch fails to clear a previously
set storage scope; call setStoragePath(null) before invoking
runBackupRestoreManager in the command === "restore-backup" block so lingering
storage scope won't point the restore at the wrong directory/account, and add a
vitest in test/codex-manager-cli.test.ts that seeds a scoped storage path then
invokes runCodexMultiAuthCli(["auth","restore-backup"]) to assert the restore
uses the cleared scope; reference runBackupRestoreManager, setStoragePath, and
runCodexMultiAuthCli when locating and updating the code and test.
- Around line 4255-4338: The loop that calls assessNamedBackupRestore can skip
all backups and leave assessments empty, which yields a back-only picker and
allows the restore command to incorrectly return success; after the
Promise.allSettled processing and before building items, detect if
assessments.length === 0, consolidate the non-containment rejection reasons from
settledAssessments (use collapseWhitespace to normalize messages and fall back
to a single "all assessments failed" message), log or surface that consolidated
error, and return false to indicate failure; reference the variables/idents
assessNamedBackupRestore, settledAssessments, isNamedBackupContainmentError,
collapseWhitespace, assessments, select and backupDir when locating where to add
this check, and update the corresponding test test/codex-manager-cli.test.ts to
cover the all-failed case.

In `@lib/storage.ts`:
- Around line 3079-3088: The code does a check-then-read race: after using
existsSync(resolvedPath) the file may be deleted before
retryTransientFilesystemOperation(() => fs.readFile(resolvedPath, "utf-8")),
causing a raw ENOENT to bubble up; wrap the read in a try/catch inside the retry
(or immediately around the awaited call) and if you see an ENOENT map/throw a
new Error(`Import file not found: ${resolvedPath}`) so the higher-level import
contract is preserved; update/ add vitest cases in test/storage.test.ts and
test/codex-manager-cli.test.ts that delete the file between existsSync and read
to assert the translated error, and ensure you reference resolvedPath,
existsSync, retryTransientFilesystemOperation, and fs.readFile when editing.

---

Duplicate comments:
In `@test/storage.test.ts`:
- Around line 1587-1596: Add a deterministic regression test that calls
restoreNamedBackup("  missing-backup  "), expects it to reject with /Import file
not found/, and verifies active storage was not modified; specifically, after
calling restoreNamedBackup("  missing-backup  ") assert it rejects
toThrow(/Import file not found/) and then confirm active storage remains the
same (e.g., compare a pre-call snapshot obtained via the same accessor used
elsewhere in tests such as listing or reading current accounts) — use
resolveNamedBackupRestorePath/requestedName trimming behavior and the existing
importAccounts/buildNamedBackupPath helpers to mirror the fallback-miss
scenario.