feat(auth): add retention and recovery doctor

Author: ndycode

lib/codex-manager.ts

@@ -66,6 +66,7 @@ import {
 	getActionableNamedBackupRestores,
 	getRedactedFilesystemErrorLabel,
 	getNamedBackupsDirectoryPath,
+	listAccountSnapshots,
 	listNamedBackups,
 	listRotatingBackups,
 	NAMED_BACKUP_LIST_CONCURRENCY,
@@ -89,6 +90,7 @@ import {
 	getCodexCliConfigPath,
 	loadCodexCliState,
 } from "./codex-cli/state.js";
+import { getLatestCodexCliSyncRollbackPlan } from "./codex-cli/sync.js";
 import { setCodexCliActiveSelection } from "./codex-cli/writer.js";
 import { ANSI } from "./ui/ansi.js";
 import { confirm } from "./ui/confirm.js";
@@ -3348,21 +3350,24 @@ async function runDoctor(args: string[]): Promise<number> {
 
 	setStoragePath(null);
 	const storagePath = getStoragePath();
+	const walPath = `${storagePath}.wal`;
+	const storageExists = existsSync(storagePath);
+	const walExists = existsSync(walPath);
 	const checks: DoctorCheck[] = [];
 	const addCheck = (check: DoctorCheck): void => {
 		checks.push(check);
 	};
 
 	addCheck({
 		key: "storage-file",
-		severity: existsSync(storagePath) ? "ok" : "warn",
-		message: existsSync(storagePath)
+		severity: storageExists ? "ok" : "warn",
+		message: storageExists
 			? "Account storage file found"
 			: "Account storage file does not exist yet (first login pending)",
 		details: storagePath,
 	});
 
-	if (existsSync(storagePath)) {
+	if (storageExists) {
 		try {
 			const stat = await fs.stat(storagePath);
 			addCheck({
@@ -3381,6 +3386,82 @@ async function runDoctor(args: string[]): Promise<number> {
 		}
 	}
 
+	addCheck({
+		key: "storage-journal",
+		severity: walExists ? "ok" : "warn",
+		message: walExists
+			? "Write-ahead journal found"
+			: "Write-ahead journal missing; recovery will rely on backups",
+		details: walPath,
+	});
+
+	const rotatingBackups = await listRotatingBackups();
+	const validRotatingBackups = rotatingBackups.filter((backup) => backup.valid);
+	const invalidRotatingBackups = rotatingBackups.filter(
+		(backup) => !backup.valid,
+	);
+	addCheck({
+		key: "rotating-backups",
+		severity:
+			validRotatingBackups.length > 0
+				? "ok"
+				: rotatingBackups.length > 0
+					? "error"
+					: "warn",
+		message:
+			validRotatingBackups.length > 0
+				? `${validRotatingBackups.length} rotating backup(s) available`
+				: rotatingBackups.length > 0
+					? "Rotating backups are unreadable"
+					: "No rotating backups found yet",
+		details:
+			invalidRotatingBackups.length > 0
+				? `${invalidRotatingBackups.length} invalid backup(s); recreate by saving accounts`
+				: dirname(storagePath),
+	});
+
+	const snapshotBackups = await listAccountSnapshots();
+	const validSnapshots = snapshotBackups.filter((snapshot) => snapshot.valid);
+	const invalidSnapshots = snapshotBackups.filter((snapshot) => !snapshot.valid);
+	addCheck({
+		key: "snapshot-backups",
+		severity:
+			validSnapshots.length > 0
+				? "ok"
+				: snapshotBackups.length > 0
+					? "error"
+					: "warn",
+		message:
+			validSnapshots.length > 0
+				? `${validSnapshots.length} recovery snapshot(s) available`
+				: snapshotBackups.length > 0
+					? "Snapshot backups are unreadable"
+					: "No recovery snapshots found",
+		details:
+			invalidSnapshots.length > 0
+				? `${invalidSnapshots.length} invalid snapshot(s); create a fresh snapshot before destructive actions`
+				: getNamedBackupsDirectoryPath(),
+	});
+
+	addCheck({
+		key: "recovery-chain",
+		severity:
+			storageExists ||
+			walExists ||
+			validRotatingBackups.length > 0 ||
+			validSnapshots.length > 0
+				? "ok"
+				: "warn",
+		message:
+			storageExists ||
+			walExists ||
+			validRotatingBackups.length > 0 ||
+			validSnapshots.length > 0
+				? "Recovery artifacts present"
+				: "No recovery artifacts found; create a snapshot or backup before destructive actions",
+		details: `storage=${storageExists}, wal=${walExists}, rotating=${validRotatingBackups.length}, snapshots=${validSnapshots.length}`,
+	});
+
 	const codexAuthPath = getCodexCliAuthPath();
 	const codexConfigPath = getCodexCliConfigPath();
 	let codexAuthEmail: string | undefined;
@@ -3485,6 +3566,56 @@ async function runDoctor(args: string[]): Promise<number> {
 	});
 
 	const storage = await loadAccounts();
+	const rollbackPlan = await getLatestCodexCliSyncRollbackPlan();
+	if (rollbackPlan.status === "ready") {
+		const accountCount =
+			rollbackPlan.accountCount ?? rollbackPlan.storage?.accounts.length;
+		addCheck({
+			key: "codex-cli-rollback-checkpoint",
+			severity: "ok",
+			message: `Latest manual Codex CLI rollback checkpoint ready (${accountCount ?? "?"} account${accountCount === 1 ? "" : "s"})`,
+			details: rollbackPlan.snapshot?.path,
+		});
+	} else {
+		const isBlocked = Boolean(rollbackPlan.snapshot);
+		addCheck({
+			key: "codex-cli-rollback-checkpoint",
+			severity: isBlocked ? "error" : "warn",
+			message: isBlocked
+				? "Latest manual Codex CLI rollback checkpoint cannot be restored"
+				: "No manual Codex CLI rollback checkpoint has been recorded yet",
+			details: [
+				rollbackPlan.snapshot?.path ?? rollbackPlan.snapshot?.name,
+				rollbackPlan.reason,
+				isBlocked
+					? "Action: Recreate the rollback checkpoint with a fresh manual Codex CLI sync before attempting rollback."
+					: "Action: Run a manual Codex CLI sync with backups enabled to capture a rollback checkpoint before applying changes.",
+			]
+				.filter(Boolean)
+				.join(" | "),
+		});
+	}
+
+	const actionableNamedBackupRestores = await getActionableNamedBackupRestores({
+		currentStorage: storage,
+	});
+	const actionableBackupCount = actionableNamedBackupRestores.assessments.length;
+	addCheck({
+		key: "named-backup-restores",
+		severity: actionableBackupCount > 0 ? "ok" : "warn",
+		message:
+			actionableBackupCount > 0
+				? `Found ${actionableBackupCount} actionable named backup restore${actionableBackupCount === 1 ? "" : "s"}`
+				: "No actionable named backup restores available",
+		details: [
+			`total backups: ${actionableNamedBackupRestores.totalBackups}`,
+			actionableBackupCount > 0
+				? undefined
+				: `Action: Add or copy a named backup into ${getNamedBackupsDirectoryPath()} before attempting recovery.`,
+		]
+			.filter(Boolean)
+			.join(" | "),
+	});
 	let fixChanged = false;
 	let fixActions: DoctorFixAction[] = [];
 	if (options.fix && storage && storage.accounts.length > 0) {

lib/storage.ts

@@ -48,6 +48,9 @@ const ACCOUNTS_BACKUP_HISTORY_DEPTH = 3;
 const BACKUP_COPY_MAX_ATTEMPTS = 5;
 const BACKUP_COPY_BASE_DELAY_MS = 10;
 export const NAMED_BACKUP_LIST_CONCURRENCY = 8;
+export const ACCOUNT_SNAPSHOT_RETENTION_PER_REASON = 3;
+const AUTO_SNAPSHOT_NAME_PATTERN =
+	/^accounts-(?<reason>[a-z0-9-]+)-snapshot-\d{4}-\d{2}-\d{2}_\d{2}-\d{2}-\d{2}_\d{3}$/i;
 const RESET_MARKER_SUFFIX = ".reset-intent";
 let storageBackupEnabled = true;
 let lastAccountsSaveTimestamp = 0;
@@ -1989,6 +1992,11 @@ export async function listNamedBackups(): Promise<NamedBackupMetadata[]> {
 	return scanResult.backups.map((entry) => entry.backup);
 }
 
+export async function listAccountSnapshots(): Promise<NamedBackupMetadata[]> {
+	const backups = await listNamedBackups();
+	return backups.filter((backup) => isAccountSnapshotName(backup.name));
+}
+
 export async function listRotatingBackups(): Promise<RotatingBackupMetadata[]> {
 	let storagePath: string | null = null;
 	try {
@@ -2192,6 +2200,149 @@ function buildAccountSnapshotName(
 	return `accounts-${reason}-snapshot-${formatTimestampForSnapshot(timestamp)}`;
 }
 
+export function isAccountSnapshotName(name: string): boolean {
+	return AUTO_SNAPSHOT_NAME_PATTERN.test(name);
+}
+
+function getAccountSnapshotReason(name: string): string | null {
+	const match = name.match(AUTO_SNAPSHOT_NAME_PATTERN);
+	return match?.groups?.reason?.toLowerCase() ?? null;
+}
+
+type AutoSnapshotDetails = {
+	backup: NamedBackupMetadata;
+	name: string;
+	reason: string;
+	sortTimestamp: number;
+};
+
+function parseAutoSnapshot(
+	backup: NamedBackupMetadata,
+): AutoSnapshotDetails | null {
+	const reason = getAccountSnapshotReason(backup.name);
+	if (!reason) {
+		return null;
+	}
+	return {
+		backup,
+		name: backup.name,
+		reason,
+		sortTimestamp: backup.updatedAt ?? backup.createdAt ?? 0,
+	};
+}
+
+async function getLatestManualCodexCliRollbackSnapshotNames(): Promise<
+	Set<string>
+> {
+	try {
+		const syncHistoryModule = await import("./sync-history.js");
+		if (typeof syncHistoryModule.readSyncHistory !== "function") {
+			return new Set();
+		}
+		const history = await syncHistoryModule.readSyncHistory({
+			kind: "codex-cli-sync",
+		});
+		for (let index = history.length - 1; index >= 0; index -= 1) {
+			const entry = history[index];
+			if (!entry || entry.kind !== "codex-cli-sync") {
+				continue;
+			}
+			const run = entry.run;
+			if (run?.trigger !== "manual" || run.outcome !== "changed") {
+				continue;
+			}
+			const snapshotName = run.rollbackSnapshot?.name?.trim();
+			if (!snapshotName) {
+				break;
+			}
+			return new Set([snapshotName]);
+		}
+	} catch (error) {
+		log.debug("Failed to load rollback snapshot names for retention", {
+			error: String(error),
+		});
+	}
+	return new Set();
+}
+
+export interface AutoSnapshotPruneOptions {
+	backups?: NamedBackupMetadata[];
+	preserveNames?: Iterable<string>;
+	keepLatestPerReason?: number;
+}
+
+export interface AutoSnapshotPruneResult {
+	pruned: NamedBackupMetadata[];
+	kept: NamedBackupMetadata[];
+}
+
+export async function pruneAutoGeneratedSnapshots(
+	options: AutoSnapshotPruneOptions = {},
+): Promise<AutoSnapshotPruneResult> {
+	const backups = options.backups ?? (await listNamedBackups());
+	const keepLatestPerReason = Math.max(
+		1,
+		options.keepLatestPerReason ?? 1,
+	);
+	const preserveNames = new Set(options.preserveNames ?? []);
+	for (const rollbackName of await getLatestManualCodexCliRollbackSnapshotNames()) {
+		preserveNames.add(rollbackName);
+	}
+
+	const autoSnapshots = backups
+		.map((backup) => parseAutoSnapshot(backup))
+		.filter((snapshot): snapshot is AutoSnapshotDetails => snapshot !== null);
+	if (autoSnapshots.length === 0) {
+		return { pruned: [], kept: [] };
+	}
+
+	const keepSet = new Set<string>(preserveNames);
+	const snapshotsByReason = new Map<string, AutoSnapshotDetails[]>();
+	for (const snapshot of autoSnapshots) {
+		const bucket = snapshotsByReason.get(snapshot.reason) ?? [];
+		bucket.push(snapshot);
+		snapshotsByReason.set(snapshot.reason, bucket);
+	}
+
+	for (const snapshots of snapshotsByReason.values()) {
+		snapshots.sort((left, right) => right.sortTimestamp - left.sortTimestamp);
+		for (const snapshot of snapshots.slice(0, keepLatestPerReason)) {
+			keepSet.add(snapshot.name);
+		}
+	}
+
+	const keptNames = new Set<string>(keepSet);
+	const pruned: NamedBackupMetadata[] = [];
+	for (const snapshot of autoSnapshots) {
+		if (keepSet.has(snapshot.name)) {
+			continue;
+		}
+		try {
+			await unlinkWithRetry(snapshot.backup.path);
+			pruned.push(snapshot.backup);
+		} catch (error) {
+			keptNames.add(snapshot.name);
+			log.warn("Failed to prune auto-generated snapshot", {
+				name: snapshot.name,
+				path: snapshot.backup.path,
+				error: String(error),
+			});
+		}
+	}
+
+	const kept = autoSnapshots
+		.filter((snapshot) => keptNames.has(snapshot.name))
+		.map((snapshot) => snapshot.backup);
+
+	return { pruned, kept };
+}
+
+async function enforceSnapshotRetention(): Promise<void> {
+	await pruneAutoGeneratedSnapshots({
+		keepLatestPerReason: ACCOUNT_SNAPSHOT_RETENTION_PER_REASON,
+	});
+}
+
 function extractPathTail(pathValue: string): string {
 	const segments = pathValue.split(/[\\/]+/).filter(Boolean);
 	return segments.at(-1) ?? pathValue;
@@ -2234,8 +2385,9 @@ export async function snapshotAccountStorage(
 	}
 
 	const backupName = buildAccountSnapshotName(reason, now);
+	let snapshot: NamedBackupMetadata;
 	try {
-		return await createBackup(backupName, { force });
+		snapshot = await createBackup(backupName, { force });
 	} catch (error) {
 		if (failurePolicy === "error") {
 			throw error;
@@ -2247,6 +2399,18 @@ export async function snapshotAccountStorage(
 		});
 		return null;
 	}
+
+	try {
+		await enforceSnapshotRetention();
+	} catch (error) {
+		log.warn("Failed to enforce account snapshot retention", {
+			reason,
+			backupName,
+			error: formatSnapshotErrorForLog(error),
+		});
+	}
+
+	return snapshot;
 }
 
 export async function assessNamedBackupRestore(