@@ -13,6 +13,7 @@ import (
1313 "runtime"
1414 "strings"
1515 "syscall"
16+ "time"
1617
1718 "github.com/onecli/onecli-cli/internal/api"
1819 "github.com/onecli/onecli-cli/internal/config"
@@ -420,11 +421,14 @@ func installUniversalGatewaySkill(out *output.Writer, content string) string {
420421 return fullPath
421422}
422423
423- // codexAuthStub is the auth.json stub written to ~/.codex/auth.json when the
424+ // codexAuthStub builds the auth.json stub written to ~/.codex/auth.json when the
424425// file does not exist. The id_token is a structurally valid JWT with email and
425- // plan_type claims so Codex's local validation passes. Real credentials are
426- // injected at the gateway proxy level.
427- const codexAuthStub = `{
426+ // plan_type claims so Codex's local validation passes. last_refresh is stamped
427+ // with the current time so Codex does not treat the onecli-managed tokens as
428+ // stale and try to self-refresh them; real credentials are injected at the
429+ // gateway proxy level.
430+ func codexAuthStub () string {
431+ return fmt .Sprintf (`{
428432 "auth_mode": "chatgpt",
429433 "OPENAI_API_KEY": null,
430434 "tokens": {
@@ -433,9 +437,10 @@ const codexAuthStub = `{
433437 "refresh_token": "onecli-managed",
434438 "account_id": "onecli-managed"
435439 },
436- "last_refresh": "2025-01-01T00:00:00Z"
440+ "last_refresh": %q
441+ }
442+ ` , time .Now ().UTC ().Format (time .RFC3339 ))
437443}
438- `
439444
440445// maybeCreateCodexAuthStub creates ~/.codex/auth.json with onecli-managed
441446// placeholder values if the file does not already exist. Fetches the latest
@@ -450,7 +455,7 @@ func maybeCreateCodexAuthStub(out *output.Writer, client *api.Client) {
450455 return
451456 }
452457
453- content := codexAuthStub
458+ content := codexAuthStub ()
454459 if stub , err := client .GetCredentialStub (newContext (), "codex" ); err == nil && stub .Content != "" {
455460 content = stub .Content
456461 }
0 commit comments