feat(api): harden Codex provider and unbreak Codex /fast

BunsDev · claude · BunsDev · commit cab43d11f9d8 · 2026-06-08T07:46:09.000-05:00
Two correctness fixes for the OAuth-only Codex provider.

1. Replace 5x `self.tokens.lock().unwrap()` in providers/codex.rs with
   parking_lot::Mutex, which has no poison semantics. The std Mutex
   variants would panic-cascade if any holder panicked mid-refresh
   (e.g. on a malformed token response), permanently bricking the
   provider for the rest of the session. parking_lot guarantees the
   lock keeps working through panics.

2. Teach ModelRegistry that Codex is OAuth-only and absent from the
   bundled models.dev snapshot. `best_model_for_provider("codex")` and
   `best_small_model_for_provider("codex")` previously returned None,
   which broke the `/model` default resolution and the `/fast` toggle
   for any Codex session. They now fall back to
   claurst_core::codex_oauth::DEFAULT_CODEX_MODEL and the first `*-mini`
   entry in CODEX_MODELS, respectively. Same path is taken for the
   `openai-codex` alias.

cargo test claurst-api: 4/4 codex tests pass (1 new). Full workspace:
1520 passing, 0 failing.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/src-rust/crates/api/src/model_registry.rs b/src-rust/crates/api/src/model_registry.rs
@@ -739,7 +739,11 @@ impl ModelRegistry {
             models = self.list_by_provider(provider_id);
         }
         if models.is_empty() {
-            return None;
+            // Codex models are not on models.dev (OAuth-only), so the bundled
+            // snapshot has no entries for them. Fall back to the canonical
+            // constant in claurst_core::codex_oauth so `/model` and the
+            // effective-model resolver still pick a real id for Codex users.
+            return codex_models_fallback(provider_id, /* small = */ false);
         }
 
         let priority_patterns = flagship_patterns_for(provider_id);
@@ -785,7 +789,8 @@ impl ModelRegistry {
             models = self.list_by_provider(provider_id);
         }
         if models.is_empty() {
-            return None;
+            // See best_model_for_provider for the Codex rationale.
+            return codex_models_fallback(provider_id, /* small = */ true);
         }
 
         let small_priority = small_patterns_for(provider_id);
@@ -1039,6 +1044,28 @@ fn flagship_patterns_for(provider_id: &str) -> &'static [&'static str] {
 }
 
 /// Substring patterns marking a model as the lightweight/cheap default.
+/// Codex is OAuth-only and absent from the models.dev bundled snapshot, so
+/// `list_by_provider("codex")` always returns empty. This fallback returns
+/// the canonical default / small ids from
+/// `claurst_core::codex_oauth::CODEX_MODELS` so `/model` and `/fast` keep
+/// working for Codex users.
+fn codex_models_fallback(provider_id: &str, small: bool) -> Option<String> {
+    if !matches!(provider_id, "codex" | "openai-codex") {
+        return None;
+    }
+    if small {
+        // Prefer the documented "mini" entry; fall through to the default
+        // model id if the constant is ever pruned.
+        claurst_core::codex_oauth::CODEX_MODELS
+            .iter()
+            .find(|(id, _)| id.contains("mini"))
+            .map(|(id, _)| (*id).to_string())
+            .or_else(|| Some(claurst_core::codex_oauth::DEFAULT_CODEX_MODEL.to_string()))
+    } else {
+        Some(claurst_core::codex_oauth::DEFAULT_CODEX_MODEL.to_string())
+    }
+}
+
 fn small_patterns_for(provider_id: &str) -> &'static [&'static str] {
     match provider_id {
         "anthropic" | "amazon-bedrock" | "github-copilot" | "azure" => {
@@ -1188,6 +1215,39 @@ mod tests {
         assert!(anthropic.env.iter().any(|e| e == "ANTHROPIC_API_KEY"));
     }
 
+    #[test]
+    fn codex_best_models_return_real_ids_without_snapshot() {
+        // Codex is OAuth-only and intentionally absent from the bundled
+        // models.dev snapshot. Before the fallback in codex_models_fallback,
+        // best_model_for_provider("codex") returned None, which broke
+        // `/model` defaults and the `/fast` toggle for Codex users.
+        let reg = ModelRegistry::new();
+        // Sanity: snapshot really has no codex entries.
+        assert!(reg.list_by_provider("codex").is_empty());
+
+        let best = reg
+            .best_model_for_provider("codex")
+            .expect("codex best model must fall back to CODEX_MODELS default");
+        assert!(
+            best.contains("codex"),
+            "best codex model should look like a codex id, got {best:?}"
+        );
+        let small = reg
+            .best_small_model_for_provider("codex")
+            .expect("codex small model must fall back to a mini/default id");
+        assert!(
+            small.contains("codex"),
+            "small codex model should look like a codex id, got {small:?}"
+        );
+        // The alias `openai-codex` must take the same path.
+        assert!(reg.best_model_for_provider("openai-codex").is_some());
+        assert!(reg.best_small_model_for_provider("openai-codex").is_some());
+        // Unrelated providers continue to return None when absent.
+        assert!(reg
+            .best_model_for_provider("definitely-not-a-provider")
+            .is_none());
+    }
+
     #[test]
     fn opencode_remapped_to_opencode_zen() {
         // models.dev uses "opencode" as the top-level key; we must normalize it
diff --git a/src-rust/crates/api/src/providers/codex.rs b/src-rust/crates/api/src/providers/codex.rs
@@ -12,8 +12,9 @@
 // Model list: static — the Codex endpoint does not expose a /models route,
 //   so we use the `CODEX_MODELS` constant from `claurst-core`.
 
+use parking_lot::Mutex;
 use std::pin::Pin;
-use std::sync::{Arc, Mutex};
+use std::sync::Arc;
 use std::time::{SystemTime, UNIX_EPOCH};
 
 use async_stream::stream;
@@ -93,7 +94,7 @@ impl CodexProvider {
     async fn access_token(&self) -> Result<String, ProviderError> {
         // Check expiry under the lock; clone what we need; release.
         let (token, needs_refresh, refresh_token) = {
-            let guard = self.tokens.lock().unwrap();
+            let guard = self.tokens.lock();
             let expired = Self::is_expired(&guard);
             (
                 guard.access_token.clone(),
@@ -193,7 +194,7 @@ impl CodexProvider {
 
         // Persist and cache the refreshed tokens.
         let mut updated = {
-            let guard = self.tokens.lock().unwrap();
+            let guard = self.tokens.lock();
             guard.clone()
         };
         updated.access_token = new_access.clone();
@@ -207,7 +208,7 @@ impl CodexProvider {
         }
 
         {
-            let mut guard = self.tokens.lock().unwrap();
+            let mut guard = self.tokens.lock();
             *guard = updated;
         }
 
@@ -237,7 +238,7 @@ impl CodexProvider {
     }
 
     fn account_id(&self) -> Option<String> {
-        self.tokens.lock().unwrap().account_id.clone()
+        self.tokens.lock().account_id.clone()
     }
 
     fn system_prompt_to_text(request: &ProviderRequest) -> String {
@@ -913,7 +914,7 @@ impl LlmProvider for CodexProvider {
 
     async fn health_check(&self) -> Result<ProviderStatus, ProviderError> {
         // Validate that a non-expired token exists without making a network call.
-        let guard = self.tokens.lock().unwrap();
+        let guard = self.tokens.lock();
         if guard.access_token.is_empty() {
             return Ok(ProviderStatus::Unavailable {
                 reason: "no Codex access token — run /connect to authenticate".to_string(),
