feat: model-aware multi-plan account routing (#57)

* feat: model-aware multi-plan account routing

Different ChatGPT plans have different model access (e.g. Team has
gpt-5.4, Free has gpt-oss-*). This adds plan→model mapping discovery
and intelligent request routing to prevent model-not-supported errors.

- model-store: track which plans can access each model via planMap
- model-fetcher: query backend per distinct plan type in parallel
- account-pool: model-aware acquire() prefers matching planType accounts
- proxy-handler: auto-retry with different account on model-not-supported 4xx

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: patch model-aware routing bugs from PR review

- Fix double release when model retry has no available account
- Tighten isModelNotSupportedError: add 4xx status guard, drop broad "invalid" keyword
- Reuse selectByStrategy() in getDistinctPlanAccounts() instead of duplicated sort
- Remove redundant triedEntryIds push

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: icebear0828 <icebear0828@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

src/auth/account-pool.ts

@@ -21,6 +21,7 @@ import {
   extractUserProfile,
   isTokenExpired,
 } from "./jwt-utils.js";
+import { getModelPlanTypes } from "../models/model-store.js";
 import type {
   AccountEntry,
   AccountInfo,
@@ -65,9 +66,11 @@ export class AccountPool {
   /**
    * Acquire the best available account for a request.
    * Returns null if no accounts are available.
+   *
+   * @param options.model - Prefer accounts whose planType matches this model's known plans
+   * @param options.excludeIds - Entry IDs to exclude (e.g. already tried)
    */
-  acquire(): AcquiredAccount | null {
-    const config = getConfig();
+  acquire(options?: { model?: string; excludeIds?: string[] }): AcquiredAccount | null {
     const now = new Date();
     const nowMs = now.getTime();
 
@@ -84,30 +87,30 @@ export class AccountPool {
       }
     }
 
+    const excludeSet = new Set(options?.excludeIds ?? []);
+
     // Filter available accounts
     const available = [...this.accounts.values()].filter(
-      (a) => a.status === "active" && !this.acquireLocks.has(a.id),
+      (a) => a.status === "active" && !this.acquireLocks.has(a.id) && !excludeSet.has(a.id),
     );
 
     if (available.length === 0) return null;
 
-    let selected: AccountEntry;
-    if (config.auth.rotation_strategy === "round_robin") {
-      this.roundRobinIndex = this.roundRobinIndex % available.length;
-      selected = available[this.roundRobinIndex];
-      this.roundRobinIndex++;
-    } else {
-      // least_used: sort by request_count asc, then by last_used asc (LRU)
-      available.sort((a, b) => {
-        const diff = a.usage.request_count - b.usage.request_count;
-        if (diff !== 0) return diff;
-        const aTime = a.usage.last_used ? new Date(a.usage.last_used).getTime() : 0;
-        const bTime = b.usage.last_used ? new Date(b.usage.last_used).getTime() : 0;
-        return aTime - bTime;
-      });
-      selected = available[0];
+    // Model-aware selection: prefer accounts whose planType matches the model's known plans
+    let candidates = available;
+    if (options?.model) {
+      const preferredPlans = getModelPlanTypes(options.model);
+      if (preferredPlans.length > 0) {
+        const planSet = new Set(preferredPlans);
+        const matched = available.filter((a) => a.planType && planSet.has(a.planType));
+        if (matched.length > 0) {
+          candidates = matched;
+        }
+        // else: fallback to all available (graceful degradation)
+      }
     }
 
+    const selected = this.selectByStrategy(candidates);
     this.acquireLocks.set(selected.id, Date.now());
     return {
       entryId: selected.id,
@@ -116,6 +119,69 @@ export class AccountPool {
     };
   }
 
+  /**
+   * Select an account from candidates using the configured rotation strategy.
+   */
+  private selectByStrategy(candidates: AccountEntry[]): AccountEntry {
+    const config = getConfig();
+    if (config.auth.rotation_strategy === "round_robin") {
+      this.roundRobinIndex = this.roundRobinIndex % candidates.length;
+      const selected = candidates[this.roundRobinIndex];
+      this.roundRobinIndex++;
+      return selected;
+    }
+    // least_used: sort by request_count asc, then by last_used asc (LRU)
+    candidates.sort((a, b) => {
+      const diff = a.usage.request_count - b.usage.request_count;
+      if (diff !== 0) return diff;
+      const aTime = a.usage.last_used ? new Date(a.usage.last_used).getTime() : 0;
+      const bTime = b.usage.last_used ? new Date(b.usage.last_used).getTime() : 0;
+      return aTime - bTime;
+    });
+    return candidates[0];
+  }
+
+  /**
+   * Get one account per distinct planType for model discovery.
+   * Each returned account is locked (caller must release).
+   */
+  getDistinctPlanAccounts(): Array<{ planType: string; entryId: string; token: string; accountId: string | null }> {
+    const now = new Date();
+    for (const entry of this.accounts.values()) {
+      this.refreshStatus(entry, now);
+    }
+
+    const available = [...this.accounts.values()].filter(
+      (a) => a.status === "active" && !this.acquireLocks.has(a.id) && a.planType,
+    );
+
+    // Group by planType, pick least-used from each group
+    const byPlan = new Map<string, AccountEntry[]>();
+    for (const a of available) {
+      const plan = a.planType!;
+      let group = byPlan.get(plan);
+      if (!group) {
+        group = [];
+        byPlan.set(plan, group);
+      }
+      group.push(a);
+    }
+
+    const result: Array<{ planType: string; entryId: string; token: string; accountId: string | null }> = [];
+    for (const [plan, group] of byPlan) {
+      const selected = this.selectByStrategy(group);
+      this.acquireLocks.set(selected.id, Date.now());
+      result.push({
+        planType: plan,
+        entryId: selected.id,
+        token: selected.token,
+        accountId: selected.accountId,
+      });
+    }
+
+    return result;
+  }
+
   /**
    * Release an account after a request completes.
    */

src/models/model-fetcher.ts

@@ -7,7 +7,7 @@
  */
 
 import { CodexApi } from "../proxy/codex-api.js";
-import { applyBackendModels, type BackendModelEntry } from "./model-store.js";
+import { applyBackendModelsForPlan } from "./model-store.js";
 import type { AccountPool } from "../auth/account-pool.js";
 import type { CookieJar } from "../proxy/cookie-jar.js";
 import type { ProxyPool } from "../proxy/proxy-pool.js";
@@ -22,7 +22,8 @@ let _cookieJar: CookieJar | null = null;
 let _proxyPool: ProxyPool | null = null;
 
 /**
- * Fetch models from the Codex backend using an available account.
+ * Fetch models from the Codex backend, one query per distinct plan type.
+ * This discovers plan-specific model availability (e.g. Team has gpt-5.4, Free has gpt-oss-*).
  */
 async function fetchModelsFromBackend(
   accountPool: AccountPool,
@@ -31,34 +32,37 @@ async function fetchModelsFromBackend(
 ): Promise<void> {
   if (!accountPool.isAuthenticated()) return; // silently skip when no accounts
 
-  const acquired = accountPool.acquire();
-  if (!acquired) {
-    console.warn("[ModelFetcher] No available account — skipping model fetch");
+  const planAccounts = accountPool.getDistinctPlanAccounts();
+  if (planAccounts.length === 0) {
+    console.warn("[ModelFetcher] No available accounts — skipping model fetch");
     return;
   }
 
-  try {
-    const proxyUrl = proxyPool?.resolveProxyUrl(acquired.entryId);
-    const api = new CodexApi(
-      acquired.token,
-      acquired.accountId,
-      cookieJar,
-      acquired.entryId,
-      proxyUrl,
-    );
+  console.log(`[ModelFetcher] Fetching models for ${planAccounts.length} plan(s): ${planAccounts.map((p) => p.planType).join(", ")}`);
 
-    const models = await api.getModels();
-    if (models && models.length > 0) {
-      applyBackendModels(models);
-      console.log(`[ModelFetcher] Fetched ${models.length} models from backend`);
-    } else {
-      console.log("[ModelFetcher] Backend returned empty model list — keeping static models");
+  const results = await Promise.allSettled(
+    planAccounts.map(async (pa) => {
+      try {
+        const proxyUrl = proxyPool?.resolveProxyUrl(pa.entryId);
+        const api = new CodexApi(pa.token, pa.accountId, cookieJar, pa.entryId, proxyUrl);
+        const models = await api.getModels();
+        if (models && models.length > 0) {
+          applyBackendModelsForPlan(pa.planType, models);
+          console.log(`[ModelFetcher] Plan "${pa.planType}": ${models.length} models`);
+        } else {
+          console.log(`[ModelFetcher] Plan "${pa.planType}": empty model list — keeping existing`);
+        }
+      } finally {
+        accountPool.release(pa.entryId);
+      }
+    }),
+  );
+
+  for (const r of results) {
+    if (r.status === "rejected") {
+      const msg = r.reason instanceof Error ? r.reason.message : String(r.reason);
+      console.warn(`[ModelFetcher] Plan fetch failed: ${msg}`);
     }
-  } catch (err) {
-    const msg = err instanceof Error ? err.message : String(err);
-    console.warn(`[ModelFetcher] Backend fetch failed: ${msg}`);
-  } finally {
-    accountPool.release(acquired.entryId);
   }
 }
 

src/models/model-store.ts

@@ -39,6 +39,8 @@ interface ModelsConfig {
 let _catalog: CodexModelInfo[] = [];
 let _aliases: Record<string, string> = {};
 let _lastFetchTime: string | null = null;
+/** modelId → Set<planType> — tracks which plans can access each model */
+let _modelPlanMap: Map<string, Set<string>> = new Map();
 
 // ── Static loading ─────────────────────────────────────────────────
 
@@ -53,6 +55,7 @@ export function loadStaticModels(configDir?: string): void {
 
   _catalog = (raw.models ?? []).map((m) => ({ ...m, source: "static" as const }));
   _aliases = raw.aliases ?? {};
+  _modelPlanMap = new Map(); // Reset plan map on reload
   console.log(`[ModelStore] Loaded ${_catalog.length} static models, ${Object.keys(_aliases).length} aliases`);
 }
 
@@ -206,6 +209,45 @@ export function applyBackendModels(backendModels: BackendModelEntry[]): void {
   );
 }
 
+/**
+ * Merge backend models for a specific plan type.
+ * Clears old records for this planType, applies merge, then records plan→model mappings.
+ */
+export function applyBackendModelsForPlan(planType: string, backendModels: BackendModelEntry[]): void {
+  // Clear old planType records
+  for (const [modelId, plans] of _modelPlanMap) {
+    plans.delete(planType);
+    if (plans.size === 0) _modelPlanMap.delete(modelId);
+  }
+
+  // Merge into catalog (existing logic)
+  applyBackendModels(backendModels);
+
+  // Record which models this plan can access (only admitted models)
+  const staticIds = new Set(_catalog.map((m) => m.id));
+  for (const raw of backendModels) {
+    const id = raw.slug ?? raw.id ?? raw.name ?? "";
+    if (staticIds.has(id) || isCodexCompatibleId(id)) {
+      let plans = _modelPlanMap.get(id);
+      if (!plans) {
+        plans = new Set();
+        _modelPlanMap.set(id, plans);
+      }
+      plans.add(planType);
+    }
+  }
+
+  console.log(`[ModelStore] Plan "${planType}" has ${backendModels.length} backend models, ${_modelPlanMap.size} models tracked across plans`);
+}
+
+/**
+ * Get which plan types are known to support a given model.
+ * Empty array means unknown (static-only or not yet fetched).
+ */
+export function getModelPlanTypes(modelId: string): string[] {
+  return [...(_modelPlanMap.get(modelId) ?? [])];
+}
+
 // ── Model name suffix parsing ───────────────────────────────────────
 
 export interface ParsedModelName {
@@ -314,8 +356,13 @@ export function getModelStoreDebug(): {
   aliasCount: number;
   lastFetchTime: string | null;
   models: Array<{ id: string; source: string }>;
+  planMap: Record<string, string[]>;
 } {
   const backendCount = _catalog.filter((m) => m.source === "backend").length;
+  const planMap: Record<string, string[]> = {};
+  for (const [modelId, plans] of _modelPlanMap) {
+    planMap[modelId] = [...plans];
+  }
   return {
     totalModels: _catalog.length,
     backendModels: backendCount,
@@ -323,5 +370,6 @@ export function getModelStoreDebug(): {
     aliasCount: Object.keys(_aliases).length,
     lastFetchTime: _lastFetchTime,
     models: _catalog.map((m) => ({ id: m.id, source: m.source ?? "static" })),
+    planMap,
   };
 }

src/routes/shared/proxy-handler.ts

@@ -54,6 +54,17 @@ export interface FormatAdapter {
  *
  * Handles: acquire, session lookup, retry, stream/collect, release, error formatting.
  */
+/** Check if a CodexApiError indicates the model is not supported on the account's plan. */
+function isModelNotSupportedError(err: CodexApiError): boolean {
+  // Only 4xx client errors (exclude 429 rate-limit)
+  if (err.status < 400 || err.status >= 500 || err.status === 429) return false;
+  const lower = err.message.toLowerCase();
+  // Must contain "model" to avoid false positives like "feature not supported"
+  if (!lower.includes("model")) return false;
+  return lower.includes("not supported") || lower.includes("not_supported")
+    || lower.includes("not available") || lower.includes("not_available");
+}
+
 export async function handleProxyRequest(
   c: Context,
   accountPool: AccountPool,
@@ -62,8 +73,8 @@ export async function handleProxyRequest(
   fmt: FormatAdapter,
   proxyPool?: ProxyPool,
 ): Promise<Response> {
-  // 1. Acquire account
-  const acquired = accountPool.acquire();
+  // 1. Acquire account (model-aware)
+  const acquired = accountPool.acquire({ model: req.codexRequest.model });
   if (!acquired) {
     c.status(fmt.noAccountStatus);
     return c.json(fmt.formatNoAccount());
@@ -71,9 +82,12 @@ export async function handleProxyRequest(
 
   const { entryId, token, accountId } = acquired;
   const proxyUrl = proxyPool?.resolveProxyUrl(entryId);
-  const codexApi = new CodexApi(token, accountId, cookieJar, entryId, proxyUrl);
+  let codexApi = new CodexApi(token, accountId, cookieJar, entryId, proxyUrl);
   // Tracks which account the outer catch should release (updated by retry loop)
   let activeEntryId = entryId;
+  // Track tried accounts for model retry exclusion
+  const triedEntryIds: string[] = [entryId];
+  let modelRetried = false;
 
   console.log(
     `[${fmt.tag}] Account ${entryId} | Codex request:`,
@@ -86,138 +100,173 @@ export async function handleProxyRequest(
   const abortController = new AbortController();
   c.req.raw.signal.addEventListener("abort", () => abortController.abort(), { once: true });
 
-  try {
-    // 3. Retry + send to Codex
-    const rawResponse = await withRetry(
-      () => codexApi.createResponse(req.codexRequest, abortController.signal),
-      { tag: fmt.tag },
-    );
-
-    // 4. Stream or collect
-    if (req.isStreaming) {
-      c.header("Content-Type", "text/event-stream");
-      c.header("Cache-Control", "no-cache");
-      c.header("Connection", "keep-alive");
-
-      return stream(c, async (s) => {
-        s.onAbort(() => abortController.abort());
-        try {
-          for await (const chunk of fmt.streamTranslator(
-            codexApi,
-            rawResponse,
-            req.model,
-            (u) => {
-              usageInfo = u;
-            },
-            () => {},
-          )) {
-            await s.write(chunk);
+  for (;;) { // model retry loop (max 1 retry)
+    try {
+      // 3. Retry + send to Codex
+      const rawResponse = await withRetry(
+        () => codexApi.createResponse(req.codexRequest, abortController.signal),
+        { tag: fmt.tag },
+      );
+
+      // 4. Stream or collect
+      if (req.isStreaming) {
+        c.header("Content-Type", "text/event-stream");
+        c.header("Cache-Control", "no-cache");
+        c.header("Connection", "keep-alive");
+
+        return stream(c, async (s) => {
+          s.onAbort(() => abortController.abort());
+          try {
+            for await (const chunk of fmt.streamTranslator(
+              codexApi,
+              rawResponse,
+              req.model,
+              (u) => {
+                usageInfo = u;
+              },
+              () => {},
+            )) {
+              await s.write(chunk);
+            }
+          } catch (err) {
+            // P2-8: Send error SSE event to client before closing
+            try {
+              const errMsg = err instanceof Error ? err.message : "Stream interrupted";
+              await s.write(`data: ${JSON.stringify({ error: { message: errMsg, type: "stream_error" } })}\n\n`);
+            } catch { /* client already gone */ }
+            throw err;
+          } finally {
+            // P0-2: Kill curl subprocess if still running
+            abortController.abort();
+            accountPool.release(activeEntryId, usageInfo);
           }
-        } catch (err) {
-          // P2-8: Send error SSE event to client before closing
+        });
+      } else {
+        // Non-streaming: retry loop for empty responses (switch accounts)
+        const MAX_EMPTY_RETRIES = 2;
+        let currentEntryId = activeEntryId;
+        let currentCodexApi = codexApi;
+        let currentRawResponse = rawResponse;
+
+        for (let attempt = 1; ; attempt++) {
           try {
-            const errMsg = err instanceof Error ? err.message : "Stream interrupted";
-            await s.write(`data: ${JSON.stringify({ error: { message: errMsg, type: "stream_error" } })}\n\n`);
-          } catch { /* client already gone */ }
-          throw err;
-        } finally {
-          // P0-2: Kill curl subprocess if still running
-          abortController.abort();
-          accountPool.release(entryId, usageInfo);
-        }
-      });
-    } else {
-      // Non-streaming: retry loop for empty responses (switch accounts)
-      const MAX_EMPTY_RETRIES = 2;
-      let currentEntryId = entryId;
-      let currentCodexApi = codexApi;
-      let currentRawResponse = rawResponse;
-
-      for (let attempt = 1; ; attempt++) {
-        try {
-          const result = await fmt.collectTranslator(
-            currentCodexApi,
-            currentRawResponse,
-            req.model,
-          );
-          accountPool.release(currentEntryId, result.usage);
-          return c.json(result.response);
-        } catch (collectErr) {
-          if (collectErr instanceof EmptyResponseError && attempt <= MAX_EMPTY_RETRIES) {
-            const emptyEmail = accountPool.getEntry(currentEntryId)?.email ?? "?";
-            console.warn(
-              `[${fmt.tag}] Account ${currentEntryId} (${emptyEmail}) | Empty response (attempt ${attempt}/${MAX_EMPTY_RETRIES + 1}), switching account...`,
+            const result = await fmt.collectTranslator(
+              currentCodexApi,
+              currentRawResponse,
+              req.model,
             );
-            accountPool.recordEmptyResponse(currentEntryId);
-            accountPool.release(currentEntryId, collectErr.usage);
+            accountPool.release(currentEntryId, result.usage);
+            return c.json(result.response);
+          } catch (collectErr) {
+            if (collectErr instanceof EmptyResponseError && attempt <= MAX_EMPTY_RETRIES) {
+              const emptyEmail = accountPool.getEntry(currentEntryId)?.email ?? "?";
+              console.warn(
+                `[${fmt.tag}] Account ${currentEntryId} (${emptyEmail}) | Empty response (attempt ${attempt}/${MAX_EMPTY_RETRIES + 1}), switching account...`,
+              );
+              accountPool.recordEmptyResponse(currentEntryId);
+              accountPool.release(currentEntryId, collectErr.usage);
 
-            // Acquire a new account
-            const newAcquired = accountPool.acquire();
-            if (!newAcquired) {
-              console.warn(`[${fmt.tag}] No available account for retry`);
-              c.status(502);
-              return c.json(fmt.formatError(502, "Codex returned an empty response and no other accounts are available for retry"));
-            }
+              // Acquire a new account (model-aware)
+              const newAcquired = accountPool.acquire({ model: req.codexRequest.model });
+              if (!newAcquired) {
+                console.warn(`[${fmt.tag}] No available account for retry`);
+                c.status(502);
+                return c.json(fmt.formatError(502, "Codex returned an empty response and no other accounts are available for retry"));
+              }
 
-            currentEntryId = newAcquired.entryId;
-            activeEntryId = currentEntryId;
-            const retryProxyUrl = proxyPool?.resolveProxyUrl(newAcquired.entryId);
-            currentCodexApi = new CodexApi(newAcquired.token, newAcquired.accountId, cookieJar, newAcquired.entryId, retryProxyUrl);
-            try {
-              currentRawResponse = await withRetry(
-                () => currentCodexApi.createResponse(req.codexRequest, abortController.signal),
-                { tag: fmt.tag },
-              );
-            } catch (retryErr) {
-              accountPool.release(currentEntryId);
-              if (retryErr instanceof CodexApiError) {
-                const code = (retryErr.status >= 400 && retryErr.status < 600 ? retryErr.status : 502) as StatusCode;
-                c.status(code);
-                return c.json(fmt.formatError(code, retryErr.message));
+              currentEntryId = newAcquired.entryId;
+              activeEntryId = currentEntryId;
+              const retryProxyUrl = proxyPool?.resolveProxyUrl(newAcquired.entryId);
+              currentCodexApi = new CodexApi(newAcquired.token, newAcquired.accountId, cookieJar, newAcquired.entryId, retryProxyUrl);
+              try {
+                currentRawResponse = await withRetry(
+                  () => currentCodexApi.createResponse(req.codexRequest, abortController.signal),
+                  { tag: fmt.tag },
+                );
+              } catch (retryErr) {
+                accountPool.release(currentEntryId);
+                if (retryErr instanceof CodexApiError) {
+                  const code = (retryErr.status >= 400 && retryErr.status < 600 ? retryErr.status : 502) as StatusCode;
+                  c.status(code);
+                  return c.json(fmt.formatError(code, retryErr.message));
+                }
+                throw retryErr;
               }
-              throw retryErr;
+              continue;
             }
-            continue;
-          }
 
-          // Not an empty response error, or retries exhausted
-          accountPool.release(currentEntryId);
-          if (collectErr instanceof EmptyResponseError) {
-            const exhaustedEmail = accountPool.getEntry(currentEntryId)?.email ?? "?";
-            console.warn(
-              `[${fmt.tag}] Account ${currentEntryId} (${exhaustedEmail}) | Empty response (attempt ${attempt}/${MAX_EMPTY_RETRIES + 1}), all retries exhausted`,
-            );
-            accountPool.recordEmptyResponse(currentEntryId);
+            // Not an empty response error, or retries exhausted
+            accountPool.release(currentEntryId);
+            if (collectErr instanceof EmptyResponseError) {
+              const exhaustedEmail = accountPool.getEntry(currentEntryId)?.email ?? "?";
+              console.warn(
+                `[${fmt.tag}] Account ${currentEntryId} (${exhaustedEmail}) | Empty response (attempt ${attempt}/${MAX_EMPTY_RETRIES + 1}), all retries exhausted`,
+              );
+              accountPool.recordEmptyResponse(currentEntryId);
+              c.status(502);
+              return c.json(fmt.formatError(502, "Codex returned empty responses across all available accounts"));
+            }
+            const msg = collectErr instanceof Error ? collectErr.message : "Unknown error";
             c.status(502);
-            return c.json(fmt.formatError(502, "Codex returned empty responses across all available accounts"));
+            return c.json(fmt.formatError(502, msg));
           }
-          const msg = collectErr instanceof Error ? collectErr.message : "Unknown error";
-          c.status(502);
-          return c.json(fmt.formatError(502, msg));
         }
       }
-    }
-  } catch (err) {
-    // 5. Error handling with format-specific responses
-    if (err instanceof CodexApiError) {
-      console.error(
-        `[${fmt.tag}] Account ${activeEntryId} | Codex API error:`,
-        err.message,
-      );
-      if (err.status === 429) {
-        // P1-6: Count 429s as requests via encapsulated API (no direct entry mutation)
-        accountPool.markRateLimited(activeEntryId, { countRequest: true });
-        c.status(429);
-        return c.json(fmt.format429(err.message));
+    } catch (err) {
+      // 5. Error handling with format-specific responses
+      if (err instanceof CodexApiError) {
+        // Model not supported on this account's plan → try a different account
+        if (!modelRetried && isModelNotSupportedError(err)) {
+          modelRetried = true;
+          const failedEmail = accountPool.getEntry(activeEntryId)?.email ?? "?";
+          console.warn(
+            `[${fmt.tag}] Account ${activeEntryId} (${failedEmail}) | Model "${req.codexRequest.model}" not supported, trying different account...`,
+          );
+          accountPool.release(activeEntryId);
+
+          const retry = accountPool.acquire({
+            model: req.codexRequest.model,
+            excludeIds: triedEntryIds,
+          });
+          if (retry) {
+            activeEntryId = retry.entryId;
+            triedEntryIds.push(retry.entryId);
+            const retryProxyUrl = proxyPool?.resolveProxyUrl(retry.entryId);
+            codexApi = new CodexApi(retry.token, retry.accountId, cookieJar, retry.entryId, retryProxyUrl);
+            console.log(`[${fmt.tag}] Retrying with account ${retry.entryId}`);
+            continue; // re-enter model retry loop
+          }
+          // No other account available — return error (already released above)
+          const code = (err.status >= 400 && err.status < 600 ? err.status : 502) as StatusCode;
+          c.status(code);
+          return c.json(fmt.formatError(code, err.message));
+        }
+
+        console.error(
+          `[${fmt.tag}] Account ${activeEntryId} | Codex API error:`,
+          err.message,
+        );
+        if (err.status === 429) {
+          // P1-6: Count 429s as requests via encapsulated API (no direct entry mutation)
+          accountPool.markRateLimited(activeEntryId, { countRequest: true });
+          c.status(429);
+          return c.json(fmt.format429(err.message));
+        }
+        accountPool.release(activeEntryId);
+        const code = (
+          err.status >= 400 && err.status < 600 ? err.status : 502
+        ) as StatusCode;
+        c.status(code);
+        return c.json(fmt.formatError(code, err.message));
       }
       accountPool.release(activeEntryId);
-      const code = (
-        err.status >= 400 && err.status < 600 ? err.status : 502
-      ) as StatusCode;
-      c.status(code);
-      return c.json(fmt.formatError(code, err.message));
+      throw err;
     }
-    accountPool.release(activeEntryId);
-    throw err;
+
+    break; // normal exit from model retry loop
   }
+
+  // Should never reach here, but TypeScript needs a return
+  c.status(500);
+  return c.json(fmt.formatError(500, "Unexpected proxy handler exit"));
 }