fix(openai): self-heal stale Codex used% snapshots + lock semantics (#2994)#2
Closed
StarryKira wants to merge 1 commit into
Closed
fix(openai): self-heal stale Codex used% snapshots + lock semantics (#2994)#2StarryKira wants to merge 1 commit into
StarryKira wants to merge 1 commit into
Conversation
…ei-Shaw#2994) The OpenAI/Codex 5h "used %" inversion that caused fresh accounts to show ~96-99% used (PR Wei-Shaw#2918, commit b65dde6) was already reverted in Wei-Shaw#2993, so the stored value is now the correct "used %" again. This commit hardens that fix: 1. Regression test locking in direct "used %" semantics. The semantics have flip-flopped twice (Wei-Shaw#2918 -> Wei-Shaw#2993) with no value-level guard — a fresh account (secondary_used_percent=1, 5h window) must store codex_5h_used_percent=1, not 99. 2. Stale-bounded self-heal in resolveOpenAIQuotaUtilization (the single auto-pause chokepoint). An account poisoned with an inflated used% gets excluded from scheduling, and a paused account never receives traffic to refresh its snapshot — so it stayed stuck until the window's reset_at passed (up to 5h/7d). When codex_usage_updated_at is older than 2h, the account is no longer auto-paused on that snapshot; it gets one request whose response headers refresh the snapshot and self-heal it. A missing timestamp is treated as fresh (stays paused), and an actively-served exhausted account refreshes the timestamp every response so it never crosses the bound — it cannot escape auto-pause. No change to Normalize(); no 100-x reintroduced; no new dependency wiring. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
This PR hardens OpenAI/Codex quota auto-pause behavior by ensuring “used %” semantics remain stable (no inversion regressions) and by allowing accounts with stale usage snapshots to receive a probe request so they can self-heal via refreshed upstream headers, avoiding indefinite exclusion from scheduling.
Changes:
- Add a stale-snapshot guard (
codex_usage_updated_atolder than 2h) so auto-pause won’t be enforced on long-idle, potentially poisoned snapshots. - Add a regression unit test to lock in direct “used %” storage semantics for Codex 5h/7d windows (issue Wei-Shaw#2994).
- Add scheduler selection tests covering stale-snapshot skip behavior and a fresh-exhausted guardrail.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| backend/internal/service/openai_gateway_service.go | Adds stale snapshot threshold/logic to bypass quota auto-pause when the stored Codex snapshot is too old to trust. |
| backend/internal/service/openai_gateway_service_codex_snapshot_test.go | Adds regression test ensuring codex_5h_used_percent / codex_7d_used_percent are stored as direct used percentages (not inverted). |
| backend/internal/service/openai_account_scheduler_test.go | Adds selection tests verifying stale snapshots don’t pause accounts, while fresh exhausted snapshots still do. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+1491
to
+1494
| // 快照过于陈旧(账号长期未收到流量刷新)时,不再据此暂停。放行后下一次响应头 | ||
| // 会刷新快照实现自愈,避免账号在错误/过期的 used% 上被永久跳过(issue #2994)。 | ||
| if openAICodexSnapshotStaleForPause(extra, now) { | ||
| return 0, false |
Owner
Author
|
Superseded by upstream PR Wei-Shaw#3039. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem (Wei-Shaw#2994)
Newly-imported OpenAI/Codex OAuth accounts showed ~96–99% used in the 5h window even when nearly unused (a few cents). The inflated value also tripped
shouldAutoPauseOpenAIAccountByQuota, so the account was excluded from scheduling ("导致后续请求无法调度到这个账号").Root cause was a
100 - usedPercentinversion inNormalize()(commitb65dde63, PR Wei-Shaw#2918). For a fresh account whosex-codex-secondary-used-percent≈ 1, it stored100 - 1 = 99intocodex_5h_used_percent. That inversion was already reverted inmain(PR Wei-Shaw#2993). The stored value is now the correct "used %".What this PR adds (hardening, not a re-fix)
Regression test locking in the direct "used %" semantics. They have flip-flopped twice (fix(usage): 修正 OpenAI 5h 用量窗口 used%/remaining% 颠倒 Wei-Shaw/sub2api#2918 → fix(usage): revert OpenAI 5h used_percent inversion (#2918 regression) Wei-Shaw/sub2api#2993) with no value-level guard: a fresh account (
secondary_used_percent=1, 5h window) must storecodex_5h_used_percent=1, not 99.Stale-bounded self-heal in
resolveOpenAIQuotaUtilization— the single auto-pause chokepoint feeding the scheduler, WS forwarder, and gateway. An account already poisoned with an inflated used% gets excluded from scheduling, and a paused account never receives traffic to refresh its snapshot, so today it only recovers when the window'sreset_atpasses (≤5h/≤7d) or an admin opens its usage page (no background refresher exists). Now, whencodex_usage_updated_atis older than 2h, the account is no longer auto-paused on that snapshot; it gets one request whose response headers refresh the snapshot via the existingUpdateCodexUsageSnapshotFromHeaderspath and self-heal it.Safety
codex_usage_updated_atis treated as fresh (account stays paused) — no timestamp-less snapshot can silently escape auto-pause. Real poisoned snapshots always carry the timestamp.codex_usage_updated_aton every response, so it never crosses the 2h bound and stays paused. Guarded by a dedicated test.No change to
Normalize(); no100-xreintroduced; no new dependency wiring or mocks.Tests
TestBuildCodexUsageExtraUpdates_FreshAccountUsedPercentNotInverted_Issue2994TestOpenAIGatewayService_SelectAccountForModelWithExclusions_StaleUsageSnapshotSkipsPause_Issue2994TestOpenAIGatewayService_SelectAccountForModelWithExclusions_FreshExhaustedSnapshotStillPauses_Issue2994(guardrail)go test -tags=unit ./internal/service/...andgolangci-lint run ./internal/service/...pass.Fixes Wei-Shaw#2994
🤖 Generated with Claude Code