Support multiple accounts

[saneroen]

Related GitHub Issue
Closes: #11094

Description
This PR implements profile-scoped OAuth credentials for the OpenAI Codex (ChatGPT Plus/Pro) provider. Previously, Roo Code used a single global session for all OpenAI Codex profiles, making it impossible to use multiple ChatGPT accounts (e.g., personal and work) without manual logout.

Key Implementation Details:

Stable, Profile-Scoped Storage: Modified OpenAiCodexOAuthManager to use storage keys based on internal profile IDs (openai-codex-oauth-credentials-{id}). This ensures that renaming a profile does not invalidate the authorized session.
Profile-Aware API Handling: Updated OpenAiCodexHandler and the buildApiHandler factory to propagate the active profile name, ensuring each request uses the correct account's tokens.
Dynamic UI Updates: Added openAiCodexEmail to the extension state. The settings UI now dynamically displays the authorized email for the currently active profile, providing clear feedback on which account is being used.
Isolated Sign-out: Updated webview message handlers so that signing out of one profile only clears credentials for that specific profile.
Test Procedure
Unit Tests:

Added src/integrations/openai-codex/tests/oauth.spec.ts to verify:
Different profiles use unique storage keys.
Renaming/switching profiles correctly loads associated credentials.
Sign-out is isolated to the target profile.
Manual Verification:

Open Roo Code settings and create two provider profiles (e.g., "Personal" and "Work").
Set both to use the "OpenAI - ChatGPT Plus/Pro" provider.
Select "Personal", click "Sign in to OpenAI Codex", and authorize with Account A. Verify the UI shows "Authenticated as [Account A]".
Switch to "Work". Verify it shows as not authenticated.
Click "Sign in" and authorize with Account B. Verify the UI shows "Authenticated as [Account B]".
Switch back to "Personal". Verify the UI immediately updates to show Account A.
Perform a task in each profile and verify (via logs or behavior) that the correct account is used.
Pre-Submission Checklist
Issue Linked: This PR is linked to an approved GitHub Issue #11094.
Scope: My changes are focused on the linked issue.
Self-Review: I have performed a thorough self-review of my code.
Testing: New unit tests have been added.
Documentation Impact: No user-facing documentation updates required.
Contribution Guidelines: I have read and agree to the Contributor Guidelines.
Screenshots / Videos
The OpenAI Codex settings now include an "Authenticated as [email]" status indicator and a profile-specific Sign Out button.

Documentation Updates
No documentation updates are required.

[roomote]

PR Review Summary

Reviewer: Automated Code Review

Overview

This PR implements profile-scoped OAuth credentials for the OpenAI Codex (ChatGPT Plus/Pro) provider, allowing users to use multiple ChatGPT accounts without manual logout.

Changes Reviewed

• src/integrations/openai-codex/oauth.ts - Core OAuth manager with profile-scoped credential storage
• src/integrations/openai-codex/__tests__/oauth.spec.ts - Unit tests for profile-scoped functionality
• src/api/index.ts - Modified to inject currentApiConfigName into handler options
• src/api/providers/openai-codex.ts - Handler uses profile-scoped OAuth calls
• src/shared/api.ts - Added currentApiConfigName to ApiHandlerOptions type
• src/core/webview/webviewMessageHandler.ts - Sign-in/sign-out handlers pass profile ID
• webview-ui/src/components/settings/providers/OpenAICodex.tsx - UI displays authenticated email
• packages/types/src/vscode-extension-host.ts - Added openAiCodexEmail to ExtensionState

Assessment

Strengths:

1. Clean implementation of profile-scoped credential storage using keys like openai-codex-oauth-credentials-{id}
2. In-memory caching with Map<string, OpenAiCodexCredentials> for proper profile isolation
3. Concurrent token refresh de-duplication via refreshPromises Map
4. Backward compatibility - falls back to default credentials when no profileId is provided
5. Good test coverage for profile-scoped scenarios

Minor Observation:

• The type cast (configuration as any).currentApiConfigName in src/api/index.ts is a code smell but does not affect correctness. The fallback behavior in the OAuth manager gracefully handles undefined values.

Issues Found

No blocking issues identified.

Recommendation

APPROVE - The implementation is clean, well-tested, and correctly implements the feature.

[roomote]

Approving this PR. The implementation of profile-scoped OAuth credentials for the OpenAI Codex provider is clean, well-tested, and correctly implements the feature. The credential storage is properly isolated per profile with appropriate fallback behavior for backward compatibility.