router-for-me · excelwang · Mar 8, 2026 · Mar 9, 2026 · chatgpt-codex-connector · Mar 8, 2026
diff --git a/sdk/api/handlers/openai/openai_responses_websocket.go b/sdk/api/handlers/openai/openai_responses_websocket.go
@@ -79,6 +79,7 @@ func (h *OpenAIResponsesAPIHandler) ResponsesWebsocket(c *gin.Context) {
 	var lastRequest []byte
 	lastResponseOutput := []byte("[]")
 	pinnedAuthID := ""
+	resetPinnedAuthDisablesIncrementalInput := false
 
 	for {
 		msgType, payload, errReadMessage := conn.ReadMessage()
@@ -104,6 +105,7 @@ func (h *OpenAIResponsesAPIHandler) ResponsesWebsocket(c *gin.Context) {
 		// )
 		appendWebsocketEvent(&wsBodyLog, "request", payload)
 
+		disableIncrementalForThisTurn := resetPinnedAuthDisablesIncrementalInput
 		allowIncrementalInputWithPreviousResponseID := false
 		if pinnedAuthID != "" && h != nil && h.AuthManager != nil {
 			if pinnedAuth, ok := h.AuthManager.GetByID(pinnedAuthID); ok && pinnedAuth != nil {
@@ -116,6 +118,9 @@ func (h *OpenAIResponsesAPIHandler) ResponsesWebsocket(c *gin.Context) {
 			}
 			allowIncrementalInputWithPreviousResponseID = h.websocketUpstreamSupportsIncrementalInputForModel(requestModelName)
 		}
+		if disableIncrementalForThisTurn {
+			allowIncrementalInputWithPreviousResponseID = false
+		}
 
 		var requestJSON []byte
 		var updatedLastRequest []byte
@@ -180,14 +185,28 @@ func (h *OpenAIResponsesAPIHandler) ResponsesWebsocket(c *gin.Context) {
 		}
 		dataChan, _, errChan := h.ExecuteStreamWithAuthManager(cliCtx, h.HandlerType(), modelName, requestJSON, "")
 
-		completedOutput, errForward := h.forwardResponsesWebsocket(c, conn, cliCancel, dataChan, errChan, &wsBodyLog, passthroughSessionID)
+		completedOutput, errForward, resetPinnedAuth := h.forwardResponsesWebsocket(c, conn, cliCancel, dataChan, errChan, &wsBodyLog, passthroughSessionID)
+		if resetPinnedAuth {
+			if strings.TrimSpace(pinnedAuthID) != "" {
+				log.Infof("responses websocket: reset pinned auth id=%s auth=%s", passthroughSessionID, strings.TrimSpace(pinnedAuthID))
+			}
+			pinnedAuthID = ""
+			resetPinnedAuthDisablesIncrementalInput = true
+			if h != nil && h.AuthManager != nil {
+				h.AuthManager.CloseExecutionSession(passthroughSessionID)
+				log.Infof("responses websocket: upstream execution session reset id=%s", passthroughSessionID)
+			}
+		}
 		if errForward != nil {
 			wsTerminateErr = errForward
 			appendWebsocketEvent(&wsBodyLog, "disconnect", []byte(errForward.Error()))
 			log.Warnf("responses websocket: forward failed id=%s error=%v", passthroughSessionID, errForward)
 			return
 		}
 		lastResponseOutput = completedOutput
+		if disableIncrementalForThisTurn && !resetPinnedAuth {
+			resetPinnedAuthDisablesIncrementalInput = false
+		}
 	}
 }
 
@@ -598,20 +617,21 @@ func (h *OpenAIResponsesAPIHandler) forwardResponsesWebsocket(
 	errs <-chan *interfaces.ErrorMessage,
 	wsBodyLog *strings.Builder,
 	sessionID string,
-) ([]byte, error) {
+) ([]byte, error, bool) {
 	completed := false
 	completedOutput := []byte("[]")
 
 	for {
 		select {
 		case <-c.Request.Context().Done():
 			cancel(c.Request.Context().Err())
-			return completedOutput, c.Request.Context().Err()
+			return completedOutput, c.Request.Context().Err(), false
 		case errMsg, ok := <-errs:
 			if !ok {
 				errs = nil
 				continue
 			}
+			resetPinnedAuth := shouldResetPinnedAuthForWebsocketError(errMsg)
 			if errMsg != nil {
 				h.LoggingAPIResponseError(context.WithValue(context.Background(), "gin", c), errMsg)
 				markAPIResponseTimestamp(c)
@@ -632,15 +652,15 @@ func (h *OpenAIResponsesAPIHandler) forwardResponsesWebsocket(
 					// 	errWrite,
 					// )
 					cancel(errMsg.Error)
-					return completedOutput, errWrite
+					return completedOutput, errWrite, resetPinnedAuth
 				}
 			}
 			if errMsg != nil {
 				cancel(errMsg.Error)
 			} else {
 				cancel(nil)
 			}
-			return completedOutput, nil
+			return completedOutput, nil, resetPinnedAuth
 		case chunk, ok := <-data:
 			if !ok {
 				if !completed {
@@ -667,13 +687,13 @@ func (h *OpenAIResponsesAPIHandler) forwardResponsesWebsocket(
 							errWrite,
 						)
 						cancel(errMsg.Error)
-						return completedOutput, errWrite
+						return completedOutput, errWrite, false
 					}
 					cancel(errMsg.Error)
-					return completedOutput, nil
+					return completedOutput, nil, false
 				}
 				cancel(nil)
-				return completedOutput, nil
+				return completedOutput, nil, false
 			}
 
 			payloads := websocketJSONPayloadsFromChunk(chunk)
@@ -700,13 +720,36 @@ func (h *OpenAIResponsesAPIHandler) forwardResponsesWebsocket(
 						errWrite,
 					)
 					cancel(errWrite)
-					return completedOutput, errWrite
+					return completedOutput, errWrite, false
 				}
 			}
 		}
 	}
 }
 
+func shouldResetPinnedAuthForWebsocketError(errMsg *interfaces.ErrorMessage) bool {
+	if errMsg == nil {
+		return false
+	}
+	switch errMsg.StatusCode {
+	case http.StatusUnauthorized, http.StatusPaymentRequired, http.StatusForbidden, http.StatusNotFound, http.StatusTooManyRequests:
+		return true
+	}
+	if errMsg.Error == nil {
+		return false
+	}
+	text := strings.ToLower(strings.TrimSpace(errMsg.Error.Error()))
+	if text == "" {
+		return false
+	}
+	return strings.Contains(text, "usage_limit_reached") ||
+		strings.Contains(text, "insufficient_quota") ||
+		strings.Contains(text, "quota exceeded") ||
+		strings.Contains(text, "quota exhausted") ||
+		strings.Contains(text, "token_invalidated") ||
+		strings.Contains(text, "authentication token has been invalidated")
+}
+
 func responseCompletedOutputFromPayload(payload []byte) []byte {
 	output := gjson.GetBytes(payload, "response.output")
 	if output.Exists() && output.IsArray() {