fix(auth): restore cli bootstrap split on rebase

src/agents/auth-profiles.external-cli-sync.test.ts

@@ -279,7 +279,7 @@ describe("external cli oauth resolution", () => {
     expect(profiles).toEqual([]);
   });
 
-  it("overlays fresher external cli oauth over an older still-usable local credential", () => {
+  it("does not overlay fresh external cli oauth over a still-usable local credential", () => {
     mocks.readCodexCliCredentialsCached.mockReturnValue(
       makeOAuthCredential({
         provider: "openai-codex",
@@ -301,14 +301,6 @@ describe("external cli oauth resolution", () => {
       ),
     );
 
-    expect(profiles).toEqual([
-      expect.objectContaining({
-        profileId: OPENAI_CODEX_DEFAULT_PROFILE_ID,
-        credential: expect.objectContaining({
-          access: "fresh-cli-access",
-          refresh: "fresh-cli-refresh",
-        }),
-      }),
-    ]);
+    expect(profiles).toEqual([]);
   });
 });

src/agents/auth-profiles/external-cli-sync.ts

@@ -7,6 +7,7 @@ import {
   MINIMAX_CLI_PROFILE_ID,
   OPENAI_CODEX_DEFAULT_PROFILE_ID,
 } from "./constants.js";
+import { log } from "./constants.js";
 import { resolveTokenExpiryState } from "./credential-state.js";
 import type { AuthProfileStore, OAuthCredential } from "./types.js";
 
@@ -46,9 +47,9 @@ function hasNewerStoredOAuthCredential(
 ): boolean {
   return Boolean(
     existing &&
-      existing.provider === incoming.provider &&
-      Number.isFinite(existing.expires) &&
-      (!Number.isFinite(incoming.expires) || existing.expires > incoming.expires),
+    existing.provider === incoming.provider &&
+    Number.isFinite(existing.expires) &&
+    (!Number.isFinite(incoming.expires) || existing.expires > incoming.expires),
   );
 }
 
@@ -119,7 +120,7 @@ function resolveExternalCliSyncProvider(params: {
   return provider;
 }
 
-export function readManagedExternalCliCredential(params: {
+export function readExternalCliBootstrapCredential(params: {
   profileId: string;
   credential: OAuthCredential;
 }): OAuthCredential | null {
@@ -130,6 +131,8 @@ export function readManagedExternalCliCredential(params: {
   return provider.readCredentials();
 }
 
+export const readManagedExternalCliCredential = readExternalCliBootstrapCredential;
+
 export function resolveExternalCliAuthProfiles(
   store: AuthProfileStore,
 ): ExternalCliResolvedProfile[] {
@@ -142,18 +145,29 @@ export function resolveExternalCliAuthProfiles(
     }
     const existing = store.profiles[providerConfig.profileId];
     const existingOAuth = existing?.type === "oauth" ? existing : undefined;
-    const shouldOverlay =
-      shouldBootstrapFromExternalCliCredential({
+    if (
+      !shouldBootstrapFromExternalCliCredential({
         existing: existingOAuth,
         imported: creds,
         now,
-      }) ||
-      !existingOAuth ||
-      shouldReplaceStoredOAuthCredential(existingOAuth, creds) ||
-      areOAuthCredentialsEquivalent(existingOAuth, creds);
-    if (!shouldOverlay) {
+      })
+    ) {
+      if (existingOAuth) {
+        log.debug("kept usable local oauth over external cli bootstrap", {
+          profileId: providerConfig.profileId,
+          provider: providerConfig.provider,
+          localExpires: existingOAuth.expires,
+          externalExpires: creds.expires,
+        });
+      }
       continue;
     }
+    log.debug("used external cli oauth bootstrap because local oauth was missing or unusable", {
+      profileId: providerConfig.profileId,
+      provider: providerConfig.provider,
+      localExpires: existingOAuth?.expires,
+      externalExpires: creds.expires,
+    });
     profiles.push({
       profileId: providerConfig.profileId,
       credential: creds,