fix: require confirmation before ChatGPT direct uninstall

Author: gaoguobin

.codex/UNINSTALL.md

@@ -29,27 +29,37 @@ $uninstallJson = $null
 $uninstallResult = $null
 $status = $null
 $deferred = $false
+$confirmationRequired = $false
 
 if (Test-Path $repoRoot) {
     $env:PYTHONPATH = Join-Path $repoRoot 'src'
     $statusJson = python -m codex_fast_proxy status
     $status = $statusJson | ConvertFrom-Json
     if ($status.config_matches -eq $true) {
         $uninstallJson = python -m codex_fast_proxy uninstall --defer-stop
+        $uninstallResult = $uninstallJson | ConvertFrom-Json
         $uninstallJson
-        Write-Host 'restart_required_before_cleanup=true'
-        $deferred = $true
+        if ($uninstallResult.status -eq 'confirmation_required') {
+            Write-Host 'uninstall_confirmation_required=true'
+            $confirmationRequired = $true
+        } else {
+            Write-Host 'restart_required_before_cleanup=true'
+            $deferred = $true
+        }
     } else {
         $uninstallJson = python -m codex_fast_proxy uninstall
         $uninstallResult = $uninstallJson | ConvertFrom-Json
-        if ($uninstallResult.config_restore -eq 'skipped_config_changed') {
-            $uninstallJson
+        $uninstallJson
+        if ($uninstallResult.status -eq 'confirmation_required') {
+            Write-Host 'uninstall_confirmation_required=true'
+            $confirmationRequired = $true
+        } elseif ($uninstallResult.config_restore -eq 'skipped_config_changed') {
             throw 'Codex config changed after proxy install, and the selected provider no longer points to the recorded proxy. The proxy was not stopped and files were not removed. Review ~/.codex/config.toml or rerun uninstall with --force if you want to restore the recorded backup.'
         }
     }
 }
 
-if (-not $deferred) {
+if ((-not $deferred) -and (-not $confirmationRequired)) {
     python -m pip uninstall -y codex-fast-proxy
 
     if (Test-Path $skillNamespace) {
@@ -59,21 +69,23 @@ if (-not $deferred) {
     if (Test-Path $repoRoot) {
         Remove-Item -LiteralPath $repoRoot -Recurse -Force
     }
-
-    if ($uninstallJson) {
-        $uninstallJson
-    }
 }
 ```
 
 Report the uninstall JSON result when available.
 
-If the uninstall JSON includes `direct_upstream_auth_warning`, report it before telling the user to
-restart Codex. This means Codex config has been restored to the direct third-party upstream, but the
-current Codex auth state still looks like ChatGPT account login. Direct upstream mode no longer has
-the proxy auth override, so model requests may send ChatGPT auth to the third-party provider and
-fail with 401. Tell the user to switch Codex App back to API-key/third-party provider auth before
-restarting, or keep the proxy enabled if they want ChatGPT-login UI with a third-party provider.
+If the block printed `uninstall_confirmation_required=true`, no uninstall changes were applied.
+Report `direct_upstream_auth_warning`, then ask the user whether they want to keep the proxy enabled
+or explicitly continue uninstalling. Continue only after the user clearly accepts the ChatGPT-login
+direct-upstream 401 risk; then rerun the manager with `--confirm-chatgpt-direct-uninstall`.
+
+If the uninstall JSON has `status="uninstalled"` and includes `direct_upstream_auth_warning`, report
+it before telling the user to restart Codex. This means Codex config has been restored to the direct
+third-party upstream, but the current Codex auth state still looks like ChatGPT account login. Direct
+upstream mode no longer has the proxy auth override, so model requests may send ChatGPT auth to the
+third-party provider and fail with 401. Tell the user to switch Codex App back to
+API-key/third-party provider auth before restarting, or keep the proxy enabled if they want
+ChatGPT-login UI with a third-party provider.
 
 When cleanup completed without `restart_required_before_cleanup=true`, explicitly tell the user:
 
@@ -87,7 +99,14 @@ If the block printed `restart_required_before_cleanup=true`, explicitly tell the
 Codex config has been restored to direct upstream, and the proxy was left running temporarily to avoid interrupting the current process. Restart Codex App and return to this conversation, or open a new CLI process, then run uninstall again to finish cleanup.
 ```
 
-If `direct_upstream_auth_warning` is present, add this before the restart instruction:
+If the block printed `uninstall_confirmation_required=true`, explicitly tell the user:
+
+```text
+No uninstall changes were applied because ChatGPT login appears active and direct upstream mode may return 401. Keep the proxy enabled for ChatGPT-login UI with a third-party provider, switch Codex App back to API-key/third-party provider auth before uninstalling, or explicitly confirm that you want to continue uninstalling anyway.
+```
+
+If `status="uninstalled"` and `direct_upstream_auth_warning` is present, add this before the restart
+instruction:
 
 ```text
 Warning: ChatGPT login appears to be active. After uninstall restores direct upstream, requests no longer pass through the proxy upstream auth override. If Codex keeps using ChatGPT auth, the third-party provider may receive a ChatGPT token and return 401. Switch back to API-key/third-party provider auth before restarting, or keep the proxy enabled for ChatGPT-login UI with a third-party provider.

README.md

@@ -135,9 +135,10 @@ It does not show prompts, request bodies, response content, API keys, cookies, o
   and whether `service_tier` was injected.
 - Uninstall is two-phase when needed: restore config first, keep the proxy alive for the current
   session, then clean up after Codex restarts.
-- If uninstall restores direct upstream while ChatGPT login is still active, switch back to
-  API-key/third-party auth first or keep the proxy enabled; direct third-party providers may reject
-  ChatGPT auth with 401.
+- If ChatGPT login is active and uninstall would restore direct upstream, uninstall stops before
+  changing config and asks for explicit confirmation. Keep the proxy enabled, switch back to
+  API-key/third-party auth before uninstalling, or explicitly accept that direct third-party
+  providers may reject ChatGPT auth with 401.
 
 ## Agent Skill And Discovery
 

docs/advanced-usage.md

@@ -211,14 +211,26 @@ Fetch and follow instructions from https://raw.githubusercontent.com/gaoguobin/c
 
 Two-phase uninstall:
 
-1. First run restores Codex config to direct upstream and removes the startup hook.
-2. It may leave the proxy process alive so the current proxy-backed session can finish.
-3. Restart Codex App or open a new CLI process.
-4. Run uninstall again to stop the remaining proxy and remove files.
-
-If uninstall reports `direct_upstream_auth_warning`, Codex config has been restored to direct
-upstream while ChatGPT auth still appears active. Switch back to API-key/third-party auth before
-restarting, or keep the proxy enabled if you want ChatGPT-login UI with a third-party provider.
+1. If ChatGPT login is active and direct upstream may 401, the first run stops with
+   `status="confirmation_required"` before changing config, hooks, proxy process, or files.
+2. After explicit confirmation, or when no ChatGPT direct-upstream risk is detected, the first run
+   restores Codex config to direct upstream and removes the startup hook.
+3. It may leave the proxy process alive so the current proxy-backed session can finish.
+4. Restart Codex App or open a new CLI process.
+5. Run uninstall again to stop the remaining proxy and remove files.
+
+If uninstall reports `status="confirmation_required"`, no uninstall changes were applied. Keep the
+proxy enabled, switch Codex App back to API-key/third-party auth before uninstalling, or explicitly
+continue with:
+
+```powershell
+python -m codex_fast_proxy uninstall --defer-stop --confirm-chatgpt-direct-uninstall
+```
+
+If a confirmed uninstall reports `direct_upstream_auth_warning`, Codex config has been restored to
+direct upstream while ChatGPT auth still appears active. Switch back to API-key/third-party auth
+before restarting, or keep the proxy enabled if you want ChatGPT-login UI with a third-party
+provider.
 
 ## Terminal Recovery
 

docs/interaction-decisions.md

@@ -682,11 +682,15 @@ may send ChatGPT auth directly to the third-party provider and receive 401 becau
 
 Requirements:
 
-- When uninstall restores direct upstream and detects ChatGPT auth, include a structured
-  `direct_upstream_auth_warning` in the JSON output.
+- Before uninstall restores direct upstream, detect active ChatGPT auth. If the operation would newly
+  remove the proxy auth override from the model path, return `status="confirmation_required"` and a
+  structured `direct_upstream_auth_warning` without changing config, hooks, proxy process, or files.
+- Continue only after explicit confirmation, for example
+  `--confirm-chatgpt-direct-uninstall`.
 - The warning must not include secrets; it may include the upstream URL and upstream auth env name.
-- Before telling the user to restart, tell them to switch Codex App back to API-key/third-party
-  provider auth, or keep the proxy enabled if they want ChatGPT-login UI with a third-party provider.
+- Before telling the user to restart after a confirmed direct-upstream restore, tell them to switch
+  Codex App back to API-key/third-party provider auth, or keep the proxy enabled if they want
+  ChatGPT-login UI with a third-party provider.
 - Do not restore old `auth.json` automatically. A ChatGPT login state is user-owned auth state and
   requires explicit recovery instructions if the user wants to change it.
 

skills/codex-fast-proxy/SKILL.md

@@ -113,7 +113,12 @@ python -m codex_fast_proxy uninstall
   edited directly by the user or agent.
 - Running Codex processes do not hot-switch provider config. After enable, restart Codex App and resume the same conversation if desired, or open a new CLI process.
 - If the current process is already using the proxy, stopping the proxy can interrupt the conversation. Disable with `uninstall --defer-stop`, tell the user to restart Codex App or open a new CLI process, then run uninstall again to finish cleanup.
-- If uninstall output includes `direct_upstream_auth_warning`, report it before any restart
+- If uninstall output has `status="confirmation_required"`, no uninstall changes were applied.
+  Report `direct_upstream_auth_warning` first. Ask whether the user wants to keep the proxy enabled,
+  switch Codex App back to API-key/third-party provider auth before uninstalling, or explicitly
+  continue despite the ChatGPT-login direct-upstream 401 risk. Only after explicit confirmation,
+  rerun with `--confirm-chatgpt-direct-uninstall`.
+- If confirmed uninstall output includes `direct_upstream_auth_warning`, report it before any restart
   instruction. Restored direct upstream mode no longer has the proxy auth override; if Codex App
   remains signed in with ChatGPT, a third-party provider may receive ChatGPT auth and return 401.
   Tell the user to switch back to API-key/third-party provider auth before restarting, or keep the
@@ -164,8 +169,18 @@ python -m codex_fast_proxy uninstall
 - After a successful `install --start`, explicitly tell the user that Fast proxy is enabled, but the current Codex process will not hot-switch; they should restart Codex App and return to the conversation, or open a new CLI process.
 - After a successful `install --start`, always append this optional ChatGPT-login UI note even if
   the status summary is already long: the user may keep API-key mode for third-party API plus global Fast. If they want richer Codex App UI such as plugin marketplace, GitHub/Apps/connectors, manual Fast controls, status hints, and voice input, they should run `prepare-chatgpt-login` before switching Codex App to ChatGPT login; switching directly may cause 401.
-- After `uninstall --defer-stop`, explicitly tell the user that Codex config has been restored to direct upstream, and the proxy was left running temporarily to avoid interrupting the current process. They should restart Codex App and return to the conversation, or open a new CLI process, then run uninstall again to finish cleanup.
-- If `direct_upstream_auth_warning` is present after uninstall, first warn that ChatGPT login appears active. After direct upstream restore, requests no longer pass through the proxy upstream auth override. Keeping ChatGPT login may send ChatGPT auth to the third-party provider and return 401. The user should switch back to API-key/third-party provider auth before restarting, or keep the proxy enabled for ChatGPT-login UI with a third-party provider.
+- After `uninstall --defer-stop` returns `status="confirmation_required"`, explicitly tell the user
+  no uninstall changes were applied because ChatGPT login appears active and direct upstream may
+  return 401. Do not tell the user to restart yet.
+- After `uninstall --defer-stop` returns `status="uninstalled"`, explicitly tell the user that Codex
+  config has been restored to direct upstream, and the proxy was left running temporarily to avoid
+  interrupting the current process. They should restart Codex App and return to the conversation, or
+  open a new CLI process, then run uninstall again to finish cleanup.
+- If `direct_upstream_auth_warning` is present after a confirmed uninstall, first warn that ChatGPT
+  login appears active. After direct upstream restore, requests no longer pass through the proxy
+  upstream auth override. Keeping ChatGPT login may send ChatGPT auth to the third-party provider
+  and return 401. The user should switch back to API-key/third-party provider auth before
+  restarting, or keep the proxy enabled for ChatGPT-login UI with a third-party provider.
 
 Use `--provider <name>` only when the user names a provider or when `doctor` reports that no active provider can be selected.
 
@@ -235,4 +250,7 @@ For upstream URL changes after enable, prefer `set-upstream --upstream-base <url
   latest saved benchmark summary and never starts benchmark runs.
 - `uninstall` restores the full backup when the current config still matches the installed state.
 - If the config changed but the selected provider still points to the local proxy, `uninstall` restores only that provider's `base_url` to `upstream_base` and preserves other config changes.
+- If ChatGPT login is active and uninstall would newly restore direct upstream, `uninstall` returns
+  `status="confirmation_required"` before changing config, hooks, proxy process, or files unless
+  `--confirm-chatgpt-direct-uninstall` is explicit.
 - If `uninstall` reports `config_restore="skipped_config_changed"`, do not delete the package or repo; the selected provider no longer points to the recorded proxy, so ask the user before using `--force`.

src/codex_fast_proxy/manager.py

@@ -152,6 +152,13 @@ def direct_upstream_auth_warning(
 ) -> dict[str, Any] | None:
     if restore_status not in DIRECT_UPSTREAM_RESTORE_STATUSES:
         return None
+    return direct_upstream_auth_risk(paths, settings)
+
+
+def direct_upstream_auth_risk(
+    paths: ProxyPaths,
+    settings: ProxySettings | None,
+) -> dict[str, Any] | None:
     login = detect_login_mode(paths.codex_home)
     if not login.chatgpt_auth:
         return None
@@ -176,6 +183,32 @@ def direct_upstream_auth_warning(
     }
 
 
+def uninstall_needs_chatgpt_direct_confirmation(
+    paths: ProxyPaths,
+    manifest: dict[str, Any] | None,
+    settings: ProxySettings | None,
+    force: bool,
+) -> dict[str, Any] | None:
+    warning = direct_upstream_auth_risk(paths, settings)
+    if not warning or not manifest or not settings:
+        return None
+
+    config_path = Path(manifest["config_path"])
+    current_hash = sha256_file(config_path)
+    if current_hash == manifest.get("config_hash_before"):
+        return None
+    if current_hash == manifest.get("config_hash_after"):
+        return warning
+
+    config = load_toml_config(config_path)
+    config_base_url = provider_base_url(config, settings.provider)
+    if config_base_url == settings.base_url:
+        return warning
+    if force and config_base_url != settings.upstream_base:
+        return warning
+    return None
+
+
 def runtime_status(paths: ProxyPaths, health: dict[str, Any] | None) -> dict[str, Any]:
     proxy_runtime = health.get("runtime") if isinstance(health, dict) else None
     manager_runtime = {**runtime_details(), "manager_module_file": str(Path(__file__).resolve())}
@@ -2502,6 +2535,34 @@ def command_uninstall(args: argparse.Namespace) -> int:
     paths = paths_for(args.codex_home)
     manifest = read_json(paths.manifest_path)
     manifest_settings = settings_from_dict(manifest["settings"]) if manifest else None
+    confirmation = uninstall_needs_chatgpt_direct_confirmation(
+        paths,
+        manifest,
+        manifest_settings,
+        getattr(args, "force", False),
+    )
+    if confirmation and not getattr(args, "confirm_chatgpt_direct_uninstall", False):
+        print(json_line({
+            "status": "confirmation_required",
+            "code": "chatgpt_auth_direct_upstream_uninstall_requires_confirmation",
+            "message": (
+                "ChatGPT login appears to be active. Uninstall would restore Codex config to the direct "
+                "third-party upstream before the proxy auth override is in the path, so future model "
+                "requests may fail with 401."
+            ),
+            "direct_upstream_auth_warning": confirmation,
+            "config_changed": False,
+            "config_restore": "not_attempted",
+            "startup_hook": {"status": "unchanged"},
+            "stop_result": {"status": "not_attempted"},
+            "files": "kept",
+            "next_user_action": (
+                "Keep the proxy enabled for ChatGPT-login UI with a third-party provider, switch Codex App "
+                "back to API-key/third-party provider auth before uninstalling, or explicitly confirm "
+                "uninstall with --confirm-chatgpt-direct-uninstall."
+            ),
+        }))
+        return 4
     stop_result: dict[str, Any] = {"status": "not_attempted", "reason": "config_not_restored"}
     restore_status = "no_manifest"
     backup_path = None
@@ -2686,6 +2747,7 @@ def build_parser() -> argparse.ArgumentParser:
     uninstall.add_argument("--force", action="store_true")
     uninstall.add_argument("--keep-state", action="store_true")
     uninstall.add_argument("--defer-stop", action="store_true")
+    uninstall.add_argument("--confirm-chatgpt-direct-uninstall", action="store_true")
 
     return parser