feat: add multi-account rotation for automatic account switching on rate limits

- Add AccountCredentials and MultiAccountConfig types
- Create account-manager.ts for managing multiple OAuth accounts
- Modify fetch to detect rate limits and auto-switch accounts
- Support sequential, random, and least-used rotation strategies
- Add documentation for multi-account feature
- All 229 existing tests pass

Author: dhammavipassi

docs/multi-account.md

@@ -0,0 +1,121 @@
+# Multi-Account Rotation
+
+This feature allows you to configure multiple Codex accounts and automatically rotate between them when one reaches its usage limit.
+
+## Quick Start
+
+### 1. Login with multiple accounts
+
+Run the `/connect` command multiple times with different accounts:
+
+```bash
+# Login with first account
+opencode
+/connect  # Select OpenAI OAuth, login with [email protected]
+
+# Login with second account (will be added to rotation)
+/connect  # Select OpenAI OAuth, login with [email protected]
+```
+
+Each successful login automatically adds the account to the rotation pool.
+
+### 2. Manual Configuration (Optional)
+
+Create or edit `~/.opencode/codex-accounts.json`:
+
+```json
+{
+  "enabled": true,
+  "accounts": [],
+  "currentAccountIndex": 0,
+  "rotationStrategy": "sequential",
+  "autoRotateOnRateLimit": true,
+  "allAccountsLimitedBehavior": "error"
+}
+```
+
+## Configuration Options
+
+| Option | Type | Default | Description |
+|--------|------|---------|-------------|
+| `enabled` | boolean | `false` | Enable multi-account rotation |
+| `accounts` | array | `[]` | List of account credentials (auto-populated) |
+| `currentAccountIndex` | number | `0` | Current active account index |
+| `rotationStrategy` | string | `"sequential"` | How to select next account |
+| `autoRotateOnRateLimit` | boolean | `true` | Auto-switch on rate limit |
+| `allAccountsLimitedBehavior` | string | `"error"` | What to do when all accounts are limited |
+
+### Rotation Strategies
+
+- `sequential`: Round-robin through accounts in order
+- `random`: Randomly select an available account
+- `least-used`: Prefer accounts that were used least recently
+
+### All Accounts Limited Behavior
+
+- `error`: Return an error immediately
+- `wait`: Return info about when the earliest account will be available
+
+## How It Works
+
+1. When a request hits a rate limit (HTTP 429), the plugin:
+   - Marks the current account as rate-limited
+   - Extracts the reset time from response headers
+   - Switches to the next available account
+   - Retries the request (up to 5 times)
+
+2. Rate-limited accounts automatically become available again after their reset time.
+
+3. The plugin logs all account switches for debugging:
+   ```
+   [openai-codex-plugin] Rate limit hit, switching to account: xxx
+   [openai-codex-plugin] Retrying with account xxx (attempt 1/5)
+   ```
+
+## Security Notes
+
+- Account credentials are stored locally in `~/.opencode/codex-accounts.json`
+- This file contains OAuth tokens - keep it secure
+- Do not share or commit this file to version control
+
+## Troubleshooting
+
+### Accounts not rotating
+
+1. Check if multi-account is enabled:
+   ```bash
+   cat ~/.opencode/codex-accounts.json | grep enabled
+   ```
+
+2. Verify you have multiple accounts:
+   ```bash
+   cat ~/.opencode/codex-accounts.json | grep -c "accessToken"
+   ```
+
+### All accounts show as rate-limited
+
+The plugin respects the reset times from Codex. Check:
+```bash
+cat ~/.opencode/codex-accounts.json | grep rateLimitResetsAt
+```
+
+To manually reset all accounts:
+```bash
+# Delete the file to start fresh
+rm ~/.opencode/codex-accounts.json
+```
+
+## API Reference
+
+The plugin exports these functions for programmatic use:
+
+```typescript
+import { 
+  addAccount,
+  getCurrentAccount,
+  switchToNextAccount,
+  markAccountRateLimited,
+  isMultiAccountEnabled,
+  getAccountCount,
+} from "opencode-openai-codex-auth/lib/auth/account-manager.js";
+```

index.ts

@@ -56,7 +56,15 @@ import {
 	rewriteUrlForCodex,
 	shouldRefreshToken,
 	transformRequestForCodex,
+	handleRateLimitWithRotation,
+	getActiveAccountCredentials,
+	isRateLimitError,
 } from "./lib/request/fetch-helpers.js";
+import {
+	isMultiAccountEnabled,
+	addAccount,
+	getCurrentAccount,
+} from "./lib/auth/account-manager.js";
 import type { UserConfig } from "./lib/types.js";
 
 /**
@@ -164,64 +172,108 @@ export const OpenAIAuthPlugin: Plugin = async ({ client }: PluginInput) => {
 						input: Request | string | URL,
 						init?: RequestInit,
 					): Promise<Response> {
-						// Step 1: Check and refresh token if needed
-						let currentAuth = await getAuth();
-						if (shouldRefreshToken(currentAuth)) {
-							currentAuth = await refreshAndUpdateToken(currentAuth, client);
-						}
+						const MAX_RETRY_ATTEMPTS = 5;
+						let retryCount = 0;
+						let currentAccountId = accountId;
+						let currentAccessToken = "";
 
-						// Step 2: Extract and rewrite URL for Codex backend
-						const originalUrl = extractRequestUrl(input);
-						const url = rewriteUrlForCodex(originalUrl);
+						while (retryCount < MAX_RETRY_ATTEMPTS) {
+							let authToUse = await getAuth();
 
-						// Step 3: Transform request body with model-specific Codex instructions
-						// Instructions are fetched per model family (codex-max, codex, gpt-5.1)
-						// Capture original stream value before transformation
-						// generateText() sends no stream field, streamText() sends stream=true
-						const originalBody = init?.body ? JSON.parse(init.body as string) : {};
-						const isStreaming = originalBody.stream === true;
+							if (isMultiAccountEnabled()) {
+								const multiAccountCreds = await getActiveAccountCredentials();
+								if (multiAccountCreds) {
+									currentAccessToken = multiAccountCreds.accessToken;
+									currentAccountId = multiAccountCreds.accountId;
+								} else {
+									if (shouldRefreshToken(authToUse)) {
+										authToUse = await refreshAndUpdateToken(authToUse, client);
+									}
+									currentAccessToken = authToUse.type === "oauth" ? authToUse.access : "";
+									currentAccountId = accountId;
+								}
+							} else {
+								if (shouldRefreshToken(authToUse)) {
+									authToUse = await refreshAndUpdateToken(authToUse, client);
+								}
+								currentAccessToken = authToUse.type === "oauth" ? authToUse.access : "";
+								currentAccountId = accountId;
+							}
 
-						const transformation = await transformRequestForCodex(
-							init,
-							url,
-							userConfig,
-							codexMode,
-						);
-						const requestInit = transformation?.updatedInit ?? init;
+							const originalUrl = extractRequestUrl(input);
+							const url = rewriteUrlForCodex(originalUrl);
 
-						// Step 4: Create headers with OAuth and ChatGPT account info
-						const accessToken =
-							currentAuth.type === "oauth" ? currentAuth.access : "";
-						const headers = createCodexHeaders(
-							requestInit,
-							accountId,
-							accessToken,
-							{
-								model: transformation?.body.model,
-								promptCacheKey: (transformation?.body as any)?.prompt_cache_key,
-							},
-						);
+							const originalBody = init?.body ? JSON.parse(init.body as string) : {};
+							const isStreaming = originalBody.stream === true;
+
+							const transformation = await transformRequestForCodex(
+								init,
+								url,
+								userConfig,
+								codexMode,
+							);
+							const requestInit = transformation?.updatedInit ?? init;
 
-						// Step 5: Make request to Codex API
-						const response = await fetch(url, {
-							...requestInit,
-							headers,
-						});
+							const headers = createCodexHeaders(
+								requestInit,
+								currentAccountId,
+								currentAccessToken,
+								{
+									model: transformation?.body.model,
+									promptCacheKey: (transformation?.body as any)?.prompt_cache_key,
+								},
+							);
 
-						// Step 6: Log response
-						logRequest(LOG_STAGES.RESPONSE, {
-							status: response.status,
-							ok: response.ok,
-							statusText: response.statusText,
-							headers: Object.fromEntries(response.headers.entries()),
-						});
+							const response = await fetch(url, {
+								...requestInit,
+								headers,
+							});
 
-						// Step 7: Handle error or success response
-						if (!response.ok) {
-							return await handleErrorResponse(response);
+							logRequest(LOG_STAGES.RESPONSE, {
+								status: response.status,
+								ok: response.ok,
+								statusText: response.statusText,
+								headers: Object.fromEntries(response.headers.entries()),
+								retryCount,
+								accountId: currentAccountId,
+							});
+
+							if (!response.ok) {
+								const errorResponse = await handleErrorResponse(response);
+
+								if (isRateLimitError(errorResponse) && isMultiAccountEnabled()) {
+									const rotationResult = await handleRateLimitWithRotation(
+										errorResponse,
+										currentAccountId,
+									);
+
+									if (rotationResult.shouldRetry && rotationResult.newAccount) {
+										retryCount++;
+										console.log(
+											`[${PLUGIN_NAME}] Retrying with account ${rotationResult.newAccount.id} (attempt ${retryCount}/${MAX_RETRY_ATTEMPTS})`,
+										);
+										continue;
+									}
+								}
+
+								return errorResponse;
+							}
+
+							return await handleSuccessResponse(response, isStreaming);
 						}
 
-						return await handleSuccessResponse(response, isStreaming);
+						return new Response(
+							JSON.stringify({
+								error: {
+									message: ERROR_MESSAGES.ALL_ACCOUNTS_RATE_LIMITED,
+									type: "rate_limit_exceeded",
+								},
+							}),
+							{
+								status: 429,
+								headers: { "content-type": "application/json" },
+							},
+						);
 					},
 				};
 			},