Add Codex Auth workbench

PR_DESCRIPTION.md

@@ -1,46 +1,53 @@
-# PR 说明（codex-console2 -> codex-console）
-
-## 结论摘要
-本次 PR 基于 `K:\github\codex-console2` 对比原仓库 `K:\github\codex-console`，当前实际代码差异为 **1 项**：
-- 删除 GitHub Actions 工作流文件：`.github/workflows/docker-publish.yml`
-
-除上述文件外，其余同名文件内容一致（按全量哈希比对）。
-
-## 修改方案
-### 目标
-- 清理不需要的镜像发布流水线配置，保持当前仓库 CI 行为可控。
-
-### 实施内容
-- 移除：`.github/workflows/docker-publish.yml`
-
-## 涉及文件
-- 删除文件：`.github/workflows/docker-publish.yml`
-
-## 影响范围
-### 直接影响
-- 仓库将不再触发该文件定义的 Docker 发布工作流。
-
-### 间接影响
-- 如果团队仍依赖该 workflow 进行镜像发布，发布链路会中断；需改由其它 workflow 或手动流程执行。
-
-## 验证结果
-- 已完成目录级全量比对（`K:\github\codex-console2` vs `K:\github\codex-console`）：
-  - 同名文件：108
-  - 同名文件内容差异：0
-  - 新增文件：0
-  - 删除文件：1（即上述 workflow 文件）
-
-## 回滚方案
-如需回滚本次变更：
-1. 从原仓库 `K:\github\codex-console` 恢复 `.github/workflows/docker-publish.yml`。
-2. 提交回滚 commit 并重新触发 CI 验证。
-
-## 风险评估
-- 风险等级：低（仅 CI 配置变更）
-- 关注点：确认团队当前是否仍需要该 Docker 发布流水线。
-
-## 建议的 PR 标题
-- `chore(ci): remove docker-publish workflow`
-
-## 建议的 Commit Message
-- `chore(ci): remove .github/workflows/docker-publish.yml`
+# PR Description
+
+## Summary
+
+- add async account-management task routes for token refresh, token validation, subscription checks, and overview refresh
+- add a dedicated Codex Auth workbench with batch audit, repair, generate, and export flows
+- keep the three existing batch action buttons stable in idle state and document their hover help behavior
+- fix local CodeRabbit review findings around domain-slot cleanup, DB rollback/session scope, mailbox binding, and review-doc secret handling
+
+## User-Facing Changes
+
+- the accounts page now exposes a separate `Codex Auth` entry button that opens a dedicated workbench modal
+- the accounts table includes a `Codex Auth` state column
+- Codex Auth workbench actions now support:
+  - batch audit
+  - batch repair
+  - batch artifact generation
+  - batch ZIP export
+- async account operations now report task progress through dedicated task endpoints
+
+## Verification
+
+```bash
+python3 -m py_compile src/web/routes/accounts.py src/web/routes/payment.py src/core/openai/codex_auth_workbench.py
+node --check static/js/accounts.js
+uv run python -m pytest -q tests/test_codex_auth_workbench.py tests/test_security_and_task_routes.py
+```
+
+Result:
+
+```text
+12 passed in 6.15s
+```
+
+## Real Dev Evidence
+
+- isolated dev container: `codex-console-codex-auth-dev`
+- dev web URL: `http://127.0.0.1:16668`
+- copied 4 abnormal accounts into `data-dev` only: `53`, `64`, `65`, `71`
+- batch audit result: `1 repairable`, `3 blocked by add-phone`
+- batch repair result: account `53` repaired successfully; `64`, `65`, `71` remained blocked
+- batch export returned a standard managed `auth.json` ZIP containing only the repaired account artifact
+
+## Local CodeRabbit
+
+- first pass produced actionable findings on:
+  - domain-slot cleanup
+  - pause timeout handling
+  - SQLAlchemy rollback/session reuse
+  - mailbox-to-service binding
+  - review doc secret exposure
+- all findings were fixed locally
+- second pass result: `0 comments`

README.md

@@ -181,12 +181,28 @@
 
 - Web UI 管理注册任务、账号、支付、自检、邮箱服务、卡池、Auto Team 和日志数据
 - 支持单任务、批量任务、自动补货、计划任务、任务暂停 / 继续 / 取消 / 重试
+- 账号管理页支持异步批量刷新 Token、批量验证、批量检测订阅、账号总览刷新和任务状态轮询
+- 账号管理页提供独立的 `Codex Auth` 工作台，可对残缺账号执行审计、严格修复、标准 `auth.json` 生成和 ZIP 导出
 - 支持多种邮箱服务接码和自部署邮箱接入
 - 支持 CPA、Sub2API、Team Manager、New-API 等上传链路
 - 支持 SQLite 和远程 PostgreSQL
 - 支持打包为 Windows / Linux / macOS 可执行文件
 - 更适配当前 OpenAI 注册与登录链路
 
+## 账号管理页补充说明
+
+当前 `账号管理` 页除了基础账号表，还包含几组已经落地的运维能力：
+
+- `刷新Token`、`验证Token`、`检测订阅`、`总览刷新` 均已改为异步任务模式，支持进度、暂停、继续、取消和结果轮询。
+- 三个批量动作按钮使用悬浮说明气泡，按钮空闲文案保持稳定，不再随勾选数量来回变更。
+- 账号表新增 `Codex Auth` 状态列，可直接看到 `健康`、`可修复`、`受阻`、`缺条件` 等状态。
+- 工具栏中的 `Codex Auth` 会打开独立工作台，而不是把修复动作和日常账号运维按钮混在一起。
+- 工作台内支持四个动作：
+  - `批量审计`：严格探测账号是否还能走完整 Codex Auth 链路。
+  - `批量修复`：只在拿到完整 token bundle 后才判定修复成功。
+  - `批量生成`：为已完整账号生成标准 managed `auth.json`。
+  - `批量导出`：导出兼容官方 Codex 和 `codex-auth` 的 ZIP。
+
 ## 环境要求
 
 - Python 3.10+
@@ -195,13 +211,18 @@
 ## 安装依赖
 
 ```bash
-# 使用 uv（推荐）
-uv sync
-
-# 或使用 pip
+# 运行环境建议直接安装 requirements.txt
 pip install -r requirements.txt
+
+# 使用 uv 做本地开发 / 测试
+uv sync --extra dev
 ```
 
+说明：
+
+- `requirements.txt` 目前覆盖运行所需完整依赖，适合直接启动服务。
+- `uv sync --extra dev` 适合本地维护、测试和补充开发依赖。
+
 ## 环境变量配置
 
 可选。复制 `.env.example` 为 `.env` 后按需修改：
@@ -258,6 +279,19 @@ codex-console.exe --access-password mypassword
 
 [http://127.0.0.1:8000](http://127.0.0.1:8000)
 
+## 最小验证命令
+
+```bash
+# Python 路由与核心模块语法检查
+python3 -m py_compile src/web/routes/accounts.py src/web/routes/payment.py src/core/openai/codex_auth_workbench.py
+
+# 前端脚本语法检查
+node --check static/js/accounts.js
+
+# 账号管理与 Codex Auth 相关测试
+uv run python -m pytest -q tests/test_codex_auth_workbench.py tests/test_security_and_task_routes.py
+```
+
 ## Docker 部署
 
 ### 使用 docker-compose

docs/reviews/CR-ACCOUNT-BATCH-ACTIONS-2026-04-02.md

@@ -0,0 +1,99 @@
+# Account Batch Actions Review
+
+## Scope
+
+- Branch: `feature/account-batch-action-tooltips`
+- Base: `upstream/main`
+- Goal:
+  - fix the three broken batch action routes on the accounts page
+  - keep button labels stable in idle state
+  - replace native `title` hints with hover bubbles shown below the buttons
+
+## Verification
+
+### Static Check
+
+Command:
+
+```bash
+python3 -m py_compile src/web/routes/accounts.py src/web/routes/payment.py
+```
+
+Result:
+
+```text
+exit code 0
+```
+
+### Runtime Check
+
+Isolated instance:
+
+- URL: `http://127.0.0.1:16667`
+- Access password: set `REVIEW_LOGIN_PASSWORD` in the local shell before running the script
+
+Command:
+
+```bash
+python3 - <<'PY'
+import urllib.parse, urllib.request, http.cookiejar, json
+import os
+jar = http.cookiejar.CookieJar()
+opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
+password = os.environ.get('REVIEW_LOGIN_PASSWORD', '').strip()
+if not password:
+    raise SystemExit('REVIEW_LOGIN_PASSWORD is required')
+login_data = urllib.parse.urlencode({'password': password}).encode()
+login_req = urllib.request.Request('http://127.0.0.1:16667/login', data=login_data, method='POST')
+login_req.add_header('Content-Type', 'application/x-www-form-urlencoded')
+login_resp = opener.open(login_req, timeout=10)
+print('login_status', login_resp.status)
+accounts_resp = opener.open('http://127.0.0.1:16667/accounts', timeout=10)
+print('accounts_status', accounts_resp.status)
+for path, poll_prefix in [
+    ('/api/accounts/batch-refresh/async', '/api/accounts/tasks/'),
+    ('/api/accounts/batch-validate/async', '/api/accounts/tasks/'),
+    ('/api/payment/accounts/batch-check-subscription/async', '/api/payment/ops/tasks/'),
+]:
+    req = urllib.request.Request(
+        f'http://127.0.0.1:16667{path}',
+        data=json.dumps({'ids': [], 'select_all': True}).encode(),
+        method='POST',
+        headers={'Content-Type': 'application/json'},
+    )
+    resp = opener.open(req, timeout=20)
+    payload = json.loads(resp.read().decode() or '{}')
+    task_id = payload.get('id') or payload.get('task_id')
+    print(path, resp.status, task_id)
+    if task_id:
+        poll = opener.open(f'http://127.0.0.1:16667{poll_prefix}{task_id}', timeout=20)
+        poll_payload = json.loads(poll.read().decode() or '{}')
+        print(poll_prefix, poll.status, poll_payload.get('status'))
+PY
+```
+
+Result:
+
+```text
+login_status 200
+accounts_status 200
+/api/accounts/batch-refresh/async 200 accounts-batch-refresh-f0b2d40566ba
+/api/accounts/tasks/ 200 running
+/api/accounts/batch-validate/async 200 accounts-batch-validate-1d5627590eb7
+/api/accounts/tasks/ 200 completed
+/api/payment/accounts/batch-check-subscription/async 200 payment-batch-check-subscription-227ec45d862f
+/api/payment/ops/tasks/ 200 completed
+```
+
+### UI Check
+
+- Hovering `刷新Token` shows a custom bubble below the button
+- Hovering `验证Token` shows a custom bubble below the button
+- Hovering `检测订阅` shows a custom bubble below the button
+- When selection count changes, these three buttons keep stable idle labels
+
+## Conclusion
+
+- The broken batch action routes are fixed on this branch
+- Hover help now matches the requested interaction model
+- No formal environment deployment was required for this review

docs/reviews/CR-CODEX-AUTH-WORKBENCH-2026-04-03.md

@@ -0,0 +1,59 @@
+# Codex Auth Workbench Review
+
+## Scope
+
+- Branch: `feature/codex-auth-workbench`
+- Base: `upstream/main`
+- Goal:
+  - 补齐账号管理页异步批处理和 Codex Auth 工作台文档口径
+  - 记录当前分支的真实验证证据
+  - 记录本地 CodeRabbit 复核结果
+
+## Delivered Behavior
+
+- 账号管理页的 `刷新Token`、`验证Token`、`检测订阅`、`总览刷新` 使用异步任务模型。
+- `Codex Auth` 通过独立工作台入口打开，不再和常规账号运维按钮混排。
+- 工作台支持 `批量审计`、`批量修复`、`批量生成`、`批量导出` 四个动作。
+- 导出结果为标准 managed `auth.json` ZIP，兼容官方 Codex 和 `codex-auth`。
+
+## Verification
+
+### Static Check
+
+```bash
+python3 -m py_compile src/web/routes/accounts.py src/web/routes/payment.py src/core/openai/codex_auth_workbench.py
+node --check static/js/accounts.js
+```
+
+Result:
+
+```text
+exit code 0
+```
+
+### Targeted Tests
+
+```bash
+uv run python -m pytest -q tests/test_codex_auth_workbench.py tests/test_security_and_task_routes.py
+```
+
+Result:
+
+```text
+12 passed in 6.15s
+```
+
+### Real Dev Evidence
+
+- Isolated dev service: `http://127.0.0.1:16668`
+- Dev database only: copied 4 abnormal accounts `53 / 64 / 65 / 71`
+- Batch audit result: `1 repairable`, `3 blocked by add-phone`
+- Batch repair result: account `53` repaired successfully; `64 / 65 / 71` stayed blocked
+- Batch export result: ZIP only contained the repaired account artifact
+
+## Local CodeRabbit
+
+- First pass: found actionable issues around domain slot release, pause timeout, DB rollback, long-held DB session, mailbox binding, and review doc secret exposure
+- Fix status: all findings addressed on branch
+- Second pass result: `0 comments`
+- Reviewed repository path: `/Volumes/Work/code/codex-console`

src/config/constants.py

@@ -132,6 +132,9 @@ def account_label_to_role_tag(account_label: str) -> str:
 OAUTH_TOKEN_URL = "https://auth.openai.com/oauth/token"
 OAUTH_REDIRECT_URI = "http://localhost:1455/auth/callback"
 OAUTH_SCOPE = "openid email profile offline_access"
+CODEX_OAUTH_REDIRECT_URI = "http://localhost:1455/auth/callback"
+CODEX_OAUTH_SCOPE = "openid profile email offline_access api.connectors.read api.connectors.invoke"
+CODEX_OAUTH_ORIGINATOR = "codex_cli_rs"
 
 # OpenAI API 端点
 OPENAI_API_ENDPOINTS = {