fix: stabilize codex websocket auth failover

Author: NGLSL

internal/runtime/executor/codex_websockets_executor.go

@@ -1284,7 +1284,27 @@ func (e *CodexWebsocketsExecutor) ensureUpstreamConn(ctx context.Context, auth *
 	sess.connMu.Lock()
 	conn := sess.conn
 	readerConn := sess.readerConn
-	sess.connMu.Unlock()
+	sessionAuthID := strings.TrimSpace(sess.authID)
+	sessionWSURL := strings.TrimSpace(sess.wsURL)
+	sessionID := sess.sessionID
+	if conn != nil && (sessionAuthID != strings.TrimSpace(authID) || sessionWSURL != strings.TrimSpace(wsURL)) {
+		oldConn := conn
+		oldAuthID := sess.authID
+		oldWSURL := sess.wsURL
+		sess.conn = nil
+		if sess.readerConn == oldConn {
+			sess.readerConn = nil
+		}
+		conn = nil
+		readerConn = nil
+		sess.connMu.Unlock()
+		logCodexWebsocketDisconnected(sessionID, oldAuthID, oldWSURL, "auth_or_endpoint_changed", nil)
+		if errClose := oldConn.Close(); errClose != nil {
+			log.Errorf("codex websockets executor: close websocket error: %v", errClose)
+		}
+	} else {
+		sess.connMu.Unlock()
+	}
 	if conn != nil {
 		if readerConn != conn {
 			sess.connMu.Lock()
@@ -1404,12 +1424,30 @@ func (e *CodexWebsocketsExecutor) invalidateUpstreamConn(sess *codexWebsocketSes
 	sess.connMu.Unlock()
 
 	logCodexWebsocketDisconnected(sessionID, authID, wsURL, reason, err)
-	sess.notifyUpstreamDisconnect(err)
+	if shouldNotifyCodexUpstreamDisconnect(err) {
+		sess.notifyUpstreamDisconnect(err)
+	}
 	if errClose := conn.Close(); errClose != nil {
 		log.Errorf("codex websockets executor: close websocket error: %v", errClose)
 	}
 }
 
+func shouldNotifyCodexUpstreamDisconnect(err error) bool {
+	if err == nil {
+		return true
+	}
+	statusProvider, ok := err.(interface{ StatusCode() int })
+	if !ok || statusProvider == nil {
+		return true
+	}
+	switch statusProvider.StatusCode() {
+	case http.StatusUnauthorized, http.StatusPaymentRequired, http.StatusForbidden, http.StatusTooManyRequests:
+		return false
+	default:
+		return true
+	}
+}
+
 func (e *CodexWebsocketsExecutor) CloseExecutionSession(sessionID string) {
 	sessionID = strings.TrimSpace(sessionID)
 	if e == nil {

internal/runtime/executor/codex_websockets_executor_test.go

@@ -3,6 +3,7 @@ package executor
 import (
 	"bytes"
 	"context"
+	"errors"
 	"net/http"
 	"net/http/httptest"
 	"testing"
@@ -91,6 +92,97 @@ func TestCodexWebsocketsExecutePreservesPreviousResponseIDUpstream(t *testing.T)
 	}
 }
 
+func TestCodexWebsocketSessionRedialsWhenAuthChanges(t *testing.T) {
+	upgrader := websocket.Upgrader{CheckOrigin: func(*http.Request) bool { return true }}
+	authHeaders := make(chan string, 2)
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		conn, err := upgrader.Upgrade(w, r, nil)
+		if err != nil {
+			t.Errorf("upgrade websocket: %v", err)
+			return
+		}
+		defer func() { _ = conn.Close() }()
+
+		for {
+			msgType, _, errRead := conn.ReadMessage()
+			if errRead != nil {
+				return
+			}
+			if msgType != websocket.TextMessage {
+				continue
+			}
+			authHeaders <- r.Header.Get("Authorization")
+			completed := []byte(`{"type":"response.completed","response":{"id":"resp-1","output":[],"usage":{"input_tokens":0,"output_tokens":0,"total_tokens":0}}}`)
+			if errWrite := conn.WriteMessage(websocket.TextMessage, completed); errWrite != nil {
+				return
+			}
+		}
+	}))
+	defer server.Close()
+
+	exec := NewCodexWebsocketsExecutor(&config.Config{})
+	sessionID := "session-redial-auth"
+	defer exec.CloseExecutionSession(sessionID)
+
+	req := cliproxyexecutor.Request{
+		Model:   "gpt-5-codex",
+		Payload: []byte(`{"model":"gpt-5-codex","input":[]}`),
+	}
+	opts := cliproxyexecutor.Options{
+		SourceFormat: sdktranslator.FromString("openai-response"),
+		Metadata: map[string]any{
+			cliproxyexecutor.ExecutionSessionMetadataKey: sessionID,
+		},
+	}
+	auths := []struct {
+		auth *cliproxyauth.Auth
+		want string
+	}{
+		{
+			auth: &cliproxyauth.Auth{ID: "auth-a", Attributes: map[string]string{"api_key": "sk-a", "base_url": server.URL}},
+			want: "Bearer sk-a",
+		},
+		{
+			auth: &cliproxyauth.Auth{ID: "auth-b", Attributes: map[string]string{"api_key": "sk-b", "base_url": server.URL}},
+			want: "Bearer sk-b",
+		},
+	}
+
+	for i := range auths {
+		streamResult, err := exec.ExecuteStream(context.Background(), auths[i].auth, req, opts)
+		if err != nil {
+			t.Fatalf("ExecuteStream(%s) error = %v", auths[i].auth.ID, err)
+		}
+		for chunk := range streamResult.Chunks {
+			if chunk.Err != nil {
+				t.Fatalf("stream chunk error for %s: %v", auths[i].auth.ID, chunk.Err)
+			}
+		}
+
+		select {
+		case got := <-authHeaders:
+			if got != auths[i].want {
+				t.Fatalf("request %d Authorization = %q, want %q", i+1, got, auths[i].want)
+			}
+		case <-time.After(5 * time.Second):
+			t.Fatalf("timed out waiting for upstream auth header %d", i+1)
+		}
+	}
+}
+
+func TestShouldNotifyCodexUpstreamDisconnectSkipsRecoverableStatus(t *testing.T) {
+	err, ok := parseCodexWebsocketError([]byte(`{"type":"error","status":429,"error":{"message":"quota exhausted"}}`))
+	if !ok {
+		t.Fatalf("expected websocket status error")
+	}
+	if shouldNotifyCodexUpstreamDisconnect(err) {
+		t.Fatalf("recoverable websocket status should not force downstream disconnect")
+	}
+	if !shouldNotifyCodexUpstreamDisconnect(errors.New("network reset")) {
+		t.Fatalf("network disconnect should still close downstream")
+	}
+}
+
 func TestApplyCodexWebsocketHeadersDefaultsToCurrentResponsesBeta(t *testing.T) {
 	headers := applyCodexWebsocketHeaders(context.Background(), http.Header{}, nil, "", nil)
 

sdk/api/handlers/openai/openai_responses_websocket.go

@@ -210,6 +210,7 @@ func (h *OpenAIResponsesAPIHandler) ResponsesWebsocket(c *gin.Context) {
 		}
 
 		requestJSON = repairResponsesWebsocketToolCalls(downstreamSessionKey, requestJSON)
+		requestJSON = dedupeResponsesWebsocketRequestToolItems(requestJSON)
 		updatedLastRequest = bytes.Clone(requestJSON)
 		previousLastRequest := bytes.Clone(lastRequest)
 		previousLastResponseOutput := bytes.Clone(lastResponseOutput)
@@ -296,22 +297,50 @@ func normalizeResponsesWebsocketRequestWithMode(rawJSON []byte, lastRequest []by
 	}
 	rawJSON = normalizedJSON
 	requestType := strings.TrimSpace(gjson.GetBytes(rawJSON, "type").String())
+	var normalized []byte
+	var updatedLastRequest []byte
 	switch requestType {
 	case wsRequestTypeCreate:
 		// log.Infof("responses websocket: response.create request")
 		if len(lastRequest) == 0 {
-			return normalizeResponseCreateRequest(rawJSON)
+			normalized, updatedLastRequest, errMsg = normalizeResponseCreateRequest(rawJSON)
+		} else {
+			normalized, updatedLastRequest, errMsg = normalizeResponseSubsequentRequest(rawJSON, lastRequest, lastResponseOutput, allowIncrementalInputWithPreviousResponseID, allowCompactionReplayBypass)
 		}
-		return normalizeResponseSubsequentRequest(rawJSON, lastRequest, lastResponseOutput, allowIncrementalInputWithPreviousResponseID, allowCompactionReplayBypass)
 	case wsRequestTypeAppend:
 		// log.Infof("responses websocket: response.append request")
-		return normalizeResponseSubsequentRequest(rawJSON, lastRequest, lastResponseOutput, allowIncrementalInputWithPreviousResponseID, allowCompactionReplayBypass)
+		normalized, updatedLastRequest, errMsg = normalizeResponseSubsequentRequest(rawJSON, lastRequest, lastResponseOutput, allowIncrementalInputWithPreviousResponseID, allowCompactionReplayBypass)
 	default:
 		return nil, lastRequest, &interfaces.ErrorMessage{
 			StatusCode: http.StatusBadRequest,
 			Error:      fmt.Errorf("unsupported websocket request type: %s", requestType),
 		}
 	}
+	if errMsg != nil {
+		return nil, updatedLastRequest, errMsg
+	}
+	normalized = dedupeResponsesWebsocketRequestToolItems(normalized)
+	return normalized, bytes.Clone(normalized), nil
+}
+
+func dedupeResponsesWebsocketRequestToolItems(rawJSON []byte) []byte {
+	if len(rawJSON) == 0 {
+		return rawJSON
+	}
+	deduped := cliproxyexecutor.DedupeToolOutputs(rawJSON)
+	input := gjson.GetBytes(deduped, "input")
+	if !input.Exists() || !input.IsArray() {
+		return deduped
+	}
+	dedupedInput, errDedupe := dedupeFunctionCallsByCallID(input.Raw)
+	if errDedupe != nil || dedupedInput == input.Raw {
+		return deduped
+	}
+	updated, errSet := sjson.SetRawBytes(deduped, "input", []byte(dedupedInput))
+	if errSet != nil {
+		return deduped
+	}
+	return updated
 }
 
 func normalizeResponseCreateRequest(rawJSON []byte) ([]byte, []byte, *interfaces.ErrorMessage) {

sdk/api/handlers/openai/openai_responses_websocket_test.go

@@ -1421,6 +1421,51 @@ func TestNormalizeResponsesWebsocketRequestDropsDuplicateFunctionCallsByCallID(t
 	}
 }
 
+func TestNormalizeResponsesWebsocketRequestDropsDuplicateToolOutputsByCallID(t *testing.T) {
+	lastRequest := []byte(`{"model":"test-model","stream":true,"input":[{"type":"function_call","id":"fc-1","call_id":"call-1","name":"tool"},{"type":"function_call_output","id":"tool-out-old","call_id":"call-1","output":"old"}]}`)
+	lastResponseOutput := []byte(`[]`)
+	raw := []byte(`{"type":"response.create","input":[{"type":"function_call_output","id":"tool-out-new","call_id":"call-1","output":"new"},{"type":"message","id":"msg-2"}]}`)
+
+	normalized, _, errMsg := normalizeResponsesWebsocketRequest(raw, lastRequest, lastResponseOutput)
+	if errMsg != nil {
+		t.Fatalf("unexpected error: %v", errMsg.Error)
+	}
+
+	items := gjson.GetBytes(normalized, "input").Array()
+	if len(items) != 3 {
+		t.Fatalf("merged input len = %d, want 3: %s", len(items), normalized)
+	}
+	if items[0].Get("id").String() != "fc-1" ||
+		items[1].Get("id").String() != "tool-out-new" ||
+		items[2].Get("id").String() != "msg-2" {
+		t.Fatalf("unexpected deduped input order: %s", normalized)
+	}
+	if got := items[1].Get("output").String(); got != "new" {
+		t.Fatalf("tool output = %q, want new", got)
+	}
+}
+
+func TestNormalizeResponsesWebsocketRequestWithPreviousResponseIDDedupesIncrementalToolItems(t *testing.T) {
+	lastRequest := []byte(`{"model":"test-model","stream":true,"input":[{"type":"message","id":"msg-1"}]}`)
+	raw := []byte(`{"type":"response.create","previous_response_id":"resp-1","input":[{"type":"function_call","id":"fc-1","call_id":"call-1","name":"tool"},{"type":"function_call","id":"fc-dup","call_id":"call-1","name":"tool"},{"type":"function_call_output","id":"tool-out-old","call_id":"call-1","output":"old"},{"type":"function_call_output","id":"tool-out-new","call_id":"call-1","output":"new"}]}`)
+
+	normalized, _, errMsg := normalizeResponsesWebsocketRequestWithMode(raw, lastRequest, []byte(`[]`), true, true)
+	if errMsg != nil {
+		t.Fatalf("unexpected error: %v", errMsg.Error)
+	}
+	if got := gjson.GetBytes(normalized, "previous_response_id").String(); got != "resp-1" {
+		t.Fatalf("previous_response_id = %s, want resp-1", got)
+	}
+
+	items := gjson.GetBytes(normalized, "input").Array()
+	if len(items) != 2 {
+		t.Fatalf("incremental input len = %d, want 2: %s", len(items), normalized)
+	}
+	if items[0].Get("id").String() != "fc-1" || items[1].Get("id").String() != "tool-out-new" {
+		t.Fatalf("unexpected deduped incremental input: %s", normalized)
+	}
+}
+
 func TestNormalizeResponsesWebsocketRequestTreatsCustomToolTranscriptReplacementAsReset(t *testing.T) {
 	lastRequest := []byte(`{"model":"test-model","stream":true,"input":[{"type":"message","id":"msg-1"},{"type":"custom_tool_call","id":"ctc-1","call_id":"call-1","name":"apply_patch"},{"type":"custom_tool_call_output","id":"tool-out-1","call_id":"call-1"},{"type":"message","id":"assistant-1","role":"assistant"}]}`)
 	lastResponseOutput := []byte(`[