fix readme install instructions causing EEXIST error

[zamadye]

hey, saw issue #95 and the problem is pretty clear.

the readme says to install @openai/codex first, but codex-multi-auth also publishes a codex binary so npm throws EEXIST.

also fixed the auth commands - the official codex cli uses auth status now, not auth list.

changes:

• removed npm i -g @openai/codex from installation (codex-multi-auth bundles it)
• updated verification commands to use auth status instead of auth list
• cleaned up the llm agents section too

tested locally and install works without collision now. let me know if you need anything else!

---

Summary by cubic

Fix README install steps to avoid npm EEXIST by removing the global @openai/codex install, since codex-multi-auth already provides the codex binary. Updated command examples to use codex auth status instead of auth list and simplified verification steps.

^{Written for commit a823684. Summary will update on new commits.}

note: greptile review for oc-chatgpt-multi-auth. cite files like lib/foo.ts:123. confirm regression tests + windows concurrency/token redaction coverage.

Greptile Summary

this pr fixes the EEXIST install collision (issue #95) by removing the redundant npm i -g @openai/codex step and updates several verification commands from codex auth list to codex auth status across the readme. the core fix is correct — codex-multi-auth bundles its own codex binary, so installing @openai/codex separately causes a binary path conflict.

key points:

• the eexist fix is correct and needed; the single-package install is the right approach
• codex auth list → codex auth status swap in verification flows is consistent with how the command toolkit table already distinguishes the two commands
• policy gap: per the org merge policy, every change to oc-chatgpt-multi-auth must explicitly address windows filesystem concurrency risks and token leakage. removing a competing global install has direct implications for how the binary lands on windows (eliminates the binary-path race), but neither the pr description nor the docs mention this — this must be addressed before merge
• codex auth list remains in the command toolkit table (line 119) without a note explaining why it was removed from verification steps — worth a clarifying comment so users don't confuse the two commands
• no vitest coverage exists for the eexist regression scenario

Confidence Score: 3/5

• safe to merge after addressing the missing windows filesystem / token safety policy statement required by org rules
• the code change itself is a simple, correct docs fix with no runtime risk, but it fails the org's mandatory windows concurrency and token safety documentation requirement, which blocks merge by policy
• README.md — policy compliance gap around windows binary-path concurrency reasoning

Important Files Changed

Filename	Overview
README.md	removes duplicate @openai/codex install step and replaces auth list with auth status in verification flows; changes are directionally correct but the pr is missing required windows filesystem / token safety reasoning per org policy, and codex auth list remains in the command toolkit table without clarification of its relationship to auth status

Sequence Diagram

sequenceDiagram
    participant U as User
    participant NPM as npm
    participant CMA as codex-multi-auth (binary)
    participant FS as ~/.codex/

    Note over U,FS: Before this PR (caused EEXIST)
    U->>NPM: npm i -g @openai/codex
    NPM->>FS: writes codex binary
    U->>NPM: npm i -g codex-multi-auth
    NPM-->>FS: EEXIST — codex binary already exists

    Note over U,FS: After this PR (single install)
    U->>NPM: npm i -g codex-multi-auth
    NPM->>FS: writes codex binary (bundled)
    U->>CMA: codex auth login
    CMA->>FS: writes token files
    U->>CMA: codex auth status
    CMA-->>U: runtime summary
    U->>CMA: codex auth check
    CMA-->>U: health check result

Loading

Prompt To Fix All With AI

This is a comment left during a code review.
Path: README.md
Line: 119-120

Comment:
**`auth list` still present in command toolkit table**

the pr removes `codex auth list` from verification flows and replaces it with `codex auth status`, but line 119 in the command toolkit table still describes `codex auth list` as a first-class command. if `auth list` is deprecated or removed from the cli, this entry will confuse users who try it after following the new install steps. if it's still a valid command (distinct from `auth status`), worth adding a clarifying note that `auth list` is for account enumeration, not runtime health — so users know why the verification steps now use `auth status` instead.

How can I resolve this? If you propose a fix, please make it concise.

---

This is a comment left during a code review.
Path: README.md
Line: 50-54

Comment:
**no windows filesystem / token safety context — org policy violation**

per our merge policy, every change to oc-chatgpt-multi-auth must explain how it defends against windows filesystem concurrency bugs and token leakage. this pr removes the separate `@openai/codex` install step, which directly affects how the `codex` binary lands on disk. on windows, having two npm globals race to write the same binary path is exactly the kind of concurrency footgun we track — the eexist fix is correct, but the pr description and docs should explicitly state:

- bundling removes the binary race on windows (no concurrent `npm i` workers writing the same path)
- no token files are created or moved by this install change
- no regression test covers the eexist scenario under windows file locking

please add a sentence in the pr body (or a code comment in the relevant install script) covering these points before merge.

**Rule Used:** What: Every code change must explain how it defend... ([source](https://app.greptile.com/review/custom-context?memory=637a42e6-7a78-40d6-9ef8-6a45e02e73b6))

How can I resolve this? If you propose a fix, please make it concise.

_{Last reviewed commit: a823684}

Greptile also left 1 inline comment on this PR.

_{(2/5) Greptile learns from your feedback when you react with thumbs up/down!}

Context used:

• Rule used - What: Every code change must explain how it defend... (source)

[coderabbitai]

📝 Walkthrough

Walkthrough

readme.md updated to replace openai codex cli package references with codex-multi-auth. installation steps and command examples changed from @openai/codex to codex-multi-auth. auth list commands replaced with auth status throughout documentation sections.

Changes

Cohort / File(s)	Summary
Documentation Updates README.md	Replaced @openai/codex package references with codex-multi-auth. Changed codex auth list to codex auth status across multiple sections (step-by-step, verification, quick start, day-1 commands). Updated grammar from "packages" to "package." Minor wording adjustments in verification-related blocks.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested labels

bug

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	pull request description addresses the core issue (eexist collision) and explains the fix, but fails to document required windows filesystem concurrency and token safety context mandated by org policy.	add explicit statement to pr description covering: (1) how bundling eliminates binary race on windows, (2) confirmation no token files affected by install change, (3) note that eexist regression test coverage is missing.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	title follows conventional commits format with fix type and concise lowercase imperative summary under 72 chars, accurately describing the core change.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[greptile-apps]

no windows filesystem / token safety context — org policy violation

per our merge policy, every change to oc-chatgpt-multi-auth must explain how it defends against windows filesystem concurrency bugs and token leakage. this pr removes the separate @openai/codex install step, which directly affects how the codex binary lands on disk. on windows, having two npm globals race to write the same binary path is exactly the kind of concurrency footgun we track — the eexist fix is correct, but the pr description and docs should explicitly state:

• bundling removes the binary race on windows (no concurrent npm i workers writing the same path)
• no token files are created or moved by this install change
• no regression test covers the eexist scenario under windows file locking

please add a sentence in the pr body (or a code comment in the relevant install script) covering these points before merge.

Rule Used: What: Every code change must explain how it defend... (source)

Prompt To Fix With AI

This is a comment left during a code review.
Path: README.md
Line: 50-54

Comment:
**no windows filesystem / token safety context — org policy violation**

per our merge policy, every change to oc-chatgpt-multi-auth must explain how it defends against windows filesystem concurrency bugs and token leakage. this pr removes the separate `@openai/codex` install step, which directly affects how the `codex` binary lands on disk. on windows, having two npm globals race to write the same binary path is exactly the kind of concurrency footgun we track — the eexist fix is correct, but the pr description and docs should explicitly state:

- bundling removes the binary race on windows (no concurrent `npm i` workers writing the same path)
- no token files are created or moved by this install change
- no regression test covers the eexist scenario under windows file locking

please add a sentence in the pr body (or a code comment in the relevant install script) covering these points before merge.

**Rule Used:** What: Every code change must explain how it defend... ([source](https://app.greptile.com/review/custom-context?memory=637a42e6-7a78-40d6-9ef8-6a45e02e73b6))

How can I resolve this? If you propose a fix, please make it concise.

[cubic-dev-ai]

No issues found across 1 file

---

Since this is your first cubic review, here's how it works:

• cubic automatically reviews your code and comments on bugs and improvements
• Teach cubic by replying to its comments. cubic learns from your replies and gets better over time
• Add one-off context when rerunning by tagging @cubic-dev-ai with guidance or docs links (including llms.txt)
• Ask questions if you need clarification on any suggestion

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@README.md`:
- Around line 77-81: Add a docs regression test that parses the README command
snippets and asserts they match the CLI usage output from printUsage in
lib/codex-manager.ts (call printUsage/programmatic usage generator and compare
expected tokens like "codex auth login", "codex auth status", "codex auth
check", "codex auth forecast --live"); place the test under the docs/tests suite
and fail CI when mismatches occur. Also update the README install flow around
the global install steps to include a short Windows stale-shim note explaining
how to run where codex, remove stale global shims from PATH, and re-run npm i -g
to avoid path collisions. Ensure the test references printUsage() explicitly and
the README update points to the same command strings validated by the test.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: ca0ebb9d-197b-493c-ad63-b0414b347416

📥 Commits

Reviewing files that changed from the base of the PR and between 57b2591 and a823684.

📒 Files selected for processing (1)

• README.md

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: cubic · AI code reviewer
• GitHub Check: Greptile Review

🔇 Additional comments (1)

README.md (1)

77-81: good switch to codex auth status and package install guidance.

this matches the actual cli command routing and help text in lib/codex-manager.ts:1-50 and lib/codex-manager.ts:1-30. concurrency risk: none here because this is docs-only.

Also applies to: 96-100

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

add a small docs regression guard and a windows stale-shim note.

please add a regression test that validates README command snippets against the CLI usage surface (for example against printUsage output in lib/codex-manager.ts:1-30). also add a windows edge-case note for stale global shims/path collisions (e.g., where codex and cleanup guidance) near this install flow. this avoids recurrence of install-command drift.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@README.md` around lines 77 - 81, Add a docs regression test that parses the
README command snippets and asserts they match the CLI usage output from
printUsage in lib/codex-manager.ts (call printUsage/programmatic usage generator
and compare expected tokens like "codex auth login", "codex auth status", "codex
auth check", "codex auth forecast --live"); place the test under the docs/tests
suite and fail CI when mismatches occur. Also update the README install flow
around the global install steps to include a short Windows stale-shim note
explaining how to run where codex, remove stale global shims from PATH, and
re-run npm i -g to avoid path collisions. Ensure the test references
printUsage() explicitly and the README update points to the same command strings
validated by the test.