Add multi-account support for Codex via OAuth token accounts

[niklassaers]

Summary

• Add Codex to the token accounts system using OAuth access tokens from auth.json, following the existing Zai environment-variable injection pattern
• New CodexSettingsReader reads CODEX_OAUTH_ACCESS_TOKEN from the environment (mirrors ZaiSettingsReader)
• CodexOAuthFetchStrategy resolves credentials from env override first, falling back to ~/.codex/auth.json
• "Import from auth.json" button in Providers settings extracts the email from the JWT id_token for labeling
• "Add Account..." menu action opens Settings > Providers directly
• Fix keyboard focus in Settings window for LSUIElement menu bar apps (retry activation with modern NSApp.activate() API on macOS 14+)

Approach

This uses .environment(key:) injection and routes through the OAuth fetch strategy (API-based), complementing #461 which uses .cookieHeader injection through the web dashboard strategy. The two approaches handle different auth flows and could coexist.

Files changed

File	Change
TokenAccountSupportCatalog+Data.swift	Add .codex catalog entry with env injection
CodexSettingsReader.swift	New — env var reader for CODEX_OAUTH_ACCESS_TOKEN
ProviderTokenResolver.swift	Add codexOAuthToken() / codexOAuthResolution()
CodexProviderDescriptor.swift	Modify CodexOAuthFetchStrategy for env-first resolution
CodexProviderImplementation.swift	Add loginMenuAction override ("Add Account...")
MenuDescriptor.swift / MenuContent.swift	Add .settingsProvider action
StatusItemController+Actions.swift / +Menu.swift	Wire up showSettingsProviders()
PreferencesProvidersPane.swift	Wire up "Import from auth.json" with JWT email extraction
PreferencesProviderSettingsRows.swift	Add "Import from auth.json" button
ProviderSettingsDescriptors.swift	Add importFromFile to token accounts descriptor
HiddenWindowView.swift	Fix keyboard focus with multi-retry activation

Test plan

• Build: swift build compiles without errors
• Existing tests: swift test passes
• Open Preferences > Providers > Codex — verify "OAuth tokens" section appears
• Click "Import from auth.json" — verify token is imported with email label
• Add 2+ tokens, switch between them — verify usage fetches correctly
• Enable "Show all token accounts" in Display — verify all accounts appear in menu
• Click "Add Account..." in menu — verify it opens Settings > Providers
• Verify keyboard input works in Settings text fields (Label, Token)

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e6acc3d0f1

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Restore accessory activation policy after focusing settings

Calling NSApp.setActivationPolicy(.regular) here permanently promotes this LSUIElement app to a regular app, and this commit never switches it back to .accessory; after opening Settings once, users can be left with a persistent Dock icon/app-switcher presence instead of menu-bar-only behavior. This side effect is triggered on the new settings-focus path and is likely unintended for a “no Dock icon” app.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Carry account identity into env-based Codex OAuth fetches

When a token-account override is active, this path synthesizes CodexOAuthCredentials with idToken/accountId set to nil, so mapUsage cannot derive account email/plan from credentials. In the default single-account refresh flow (showAllTokenAccountsInMenu is false), we also skip the label-injection path, so switching Codex token accounts can show fallback/stale account identity in the menu even though usage is fetched with a different token.

Useful? React with 👍 / 👎.

[ratulsarna]

Sharing a few questions I had while reading these changes.

[ratulsarna]

Could we walk through the first-time-user path here? If someone has no ~/.codex/auth.json yet, where in this flow do they actually run codex login?

[niklassaers]

Great question :-) I was coming to this from "CodexBar works great, let me add another subscription to monitor" where that subscription was a second OpenAI subscription. I'm not sure I'd put that as part of a first-time onboarding flow.

[ratulsarna]

In Usage source = Auto, how do we ensure the selected Codex token account cannot end up showing usage fetched from a fallback CLI account when this OAuth token is stale or invalid?

[niklassaers]

Good catch, I expect that can happen now you point it out. Let me look into it and get back to you.

[ratulsarna]

Can we double-check what auth behavior we want after import if we only store accessToken here? Where do refresh and account/workspace identity come from in that case?

[niklassaers]

Yes, I was wondering about that myself, but thinking if I manually add oauth tokens then I've really signed up to refresh them manually. But if there are ways to support refreshing them, then let's explore that as it would remove that burden from the user