From c54e3f0d6347d3436fe270c11e49e363eae73d19 Mon Sep 17 00:00:00 2001
From: hoangduy0308 <hoangduyntt04@gmail.com>
Date: Wed, 13 May 2026 02:42:26 +0700
Subject: [PATCH 1/2] fix(auth-files): harden auth JSON import

Add the auth JSON paste/import flow with converter hardening, provider-aware CPA validation, upload failure handling, duplicate-save guards, hidden Unicode checks, and focused regression coverage.
---
 package-lock.json                             |   89 +-
 package.json                                  |    3 +
 .../components/AuthJsonPasteModal.module.scss |   60 +
 .../components/AuthJsonPasteModal.test.tsx    |  232 ++++
 .../components/AuthJsonPasteModal.tsx         |  205 ++++
 .../authFiles/hooks/useAuthFilesData.test.ts  |  411 +++++++
 .../authFiles/hooks/useAuthFilesData.ts       |   78 +-
 .../authFiles/sessionAuthConverter.test.ts    | 1079 +++++++++++++++++
 .../authFiles/sessionAuthConverter.ts         |  787 ++++++++++++
 src/i18n/locales/en.json                      |   18 +
 src/i18n/locales/ru.json                      |   18 +
 src/i18n/locales/zh-CN.json                   |   18 +
 src/i18n/locales/zh-TW.json                   |   18 +
 .../AuthFilesPage.authJsonPaste.test.tsx      |  287 +++++
 src/pages/AuthFilesPage.module.scss           |    2 -
 .../AuthFilesPage.pasteIntegration.test.tsx   |  339 ++++++
 src/pages/AuthFilesPage.tsx                   |   64 +-
 src/services/api/authFiles.test.ts            |  156 +++
 src/services/api/authFiles.ts                 |   93 +-
 tests/repoSourceIntegrity.test.mjs            |  165 +++
 tsconfig.json                                 |    1 +
 tsconfig.node.json                            |    3 +
 22 files changed, 4041 insertions(+), 85 deletions(-)
 create mode 100644 src/features/authFiles/components/AuthJsonPasteModal.module.scss
 create mode 100644 src/features/authFiles/components/AuthJsonPasteModal.test.tsx
 create mode 100644 src/features/authFiles/components/AuthJsonPasteModal.tsx
 create mode 100644 src/features/authFiles/hooks/useAuthFilesData.test.ts
 create mode 100644 src/features/authFiles/sessionAuthConverter.test.ts
 create mode 100644 src/features/authFiles/sessionAuthConverter.ts
 create mode 100644 src/pages/AuthFilesPage.authJsonPaste.test.tsx
 create mode 100644 src/pages/AuthFilesPage.pasteIntegration.test.tsx
 create mode 100644 src/services/api/authFiles.test.ts
 create mode 100644 tests/repoSourceIntegrity.test.mjs

diff --git a/package-lock.json b/package-lock.json
index e9cea2898..b4ce76eb7 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -23,8 +23,10 @@
       },
       "devDependencies": {
         "@eslint/js": "^9.39.1",
+        "@types/node": "^25.7.0",
         "@types/react": "^19.2.7",
         "@types/react-dom": "^19.2.3",
+        "@types/react-test-renderer": "^19.1.0",
         "@typescript-eslint/eslint-plugin": "^8.48.1",
         "@typescript-eslint/parser": "^8.48.1",
         "@vitejs/plugin-react": "^6.0.1",
@@ -33,6 +35,7 @@
         "eslint-plugin-react-refresh": "^0.4.24",
         "globals": "^16.5.0",
         "prettier": "^3.7.4",
+        "react-test-renderer": "^19.2.1",
         "sass": "^1.94.2",
         "typescript": "^5.9.3",
         "typescript-eslint": "^8.48.1",
@@ -72,6 +75,7 @@
       "integrity": "sha512-e7jT4DxYvIDLk1ZHmU/m/mB19rex9sv0c2ftBtjSBv+kVM/902eh0fINUzD7UwLLNR+jU585GxUJ8/EBfAM5fw==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "@babel/code-frame": "^7.27.1",
         "@babel/generator": "^7.28.5",
@@ -437,6 +441,7 @@
       "resolved": "https://registry.npmjs.org/@codemirror/view/-/view-6.38.8.tgz",
       "integrity": "sha512-XcE9fcnkHCbWkjeKyi0lllwXmBLtyYb5dt89dJyx23I9+LSh5vZDIuk7OLG4VM1lgrXZQcY6cxyZyk5WVPRv/A==",
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "@codemirror/state": "^6.5.0",
         "crelt": "^1.0.6",
@@ -444,29 +449,6 @@
         "w3c-keyname": "^2.2.4"
       }
     },
-    "node_modules/@emnapi/core": {
-      "version": "1.10.0",
-      "resolved": "https://registry.npmjs.org/@emnapi/core/-/core-1.10.0.tgz",
-      "integrity": "sha512-yq6OkJ4p82CAfPl0u9mQebQHKPJkY7WrIuk205cTYnYe+k2Z8YBh11FrbRG/H6ihirqcacOgl2BIO8oyMQLeXw==",
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "dependencies": {
-        "@emnapi/wasi-threads": "1.2.1",
-        "tslib": "^2.4.0"
-      }
-    },
-    "node_modules/@emnapi/runtime": {
-      "version": "1.10.0",
-      "resolved": "https://registry.npmjs.org/@emnapi/runtime/-/runtime-1.10.0.tgz",
-      "integrity": "sha512-ewvYlk86xUoGI0zQRNq/mC+16R1QeDlKQy21Ki3oSYXNgLb45GV1P6A0M+/s6nyCuNDqe5VpaY84BzXGwVbwFA==",
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "dependencies": {
-        "tslib": "^2.4.0"
-      }
-    },
     "node_modules/@emnapi/wasi-threads": {
       "version": "1.2.1",
       "resolved": "https://registry.npmjs.org/@emnapi/wasi-threads/-/wasi-threads-1.2.1.tgz",
@@ -1451,12 +1433,24 @@
       "dev": true,
       "license": "MIT"
     },
+    "node_modules/@types/node": {
+      "version": "25.7.0",
+      "resolved": "https://registry.npmjs.org/@types/node/-/node-25.7.0.tgz",
+      "integrity": "sha512-z+pdZyxE+RTQE9AcboAZCb4otwcrvgHD+GlBpPgn0emDVt0ohrTMhAwlr2Wd9nZ+nihhYFxO2pThz3C5qSu2Eg==",
+      "dev": true,
+      "license": "MIT",
+      "peer": true,
+      "dependencies": {
+        "undici-types": "~7.21.0"
+      }
+    },
     "node_modules/@types/react": {
       "version": "19.2.7",
       "resolved": "https://registry.npmjs.org/@types/react/-/react-19.2.7.tgz",
       "integrity": "sha512-MWtvHrGZLFttgeEj28VXHxpmwYbor/ATPYbBfSFZEIRK0ecCFLl2Qo55z52Hss+UV9CRN7trSeq1zbgx7YDWWg==",
       "devOptional": true,
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "csstype": "^3.2.2"
       }
@@ -1471,6 +1465,16 @@
         "@types/react": "^19.2.0"
       }
     },
+    "node_modules/@types/react-test-renderer": {
+      "version": "19.1.0",
+      "resolved": "https://registry.npmjs.org/@types/react-test-renderer/-/react-test-renderer-19.1.0.tgz",
+      "integrity": "sha512-XD0WZrHqjNrxA/MaR9O22w/RNidWR9YZmBdRGI7wcnWGrv/3dA8wKCJ8m63Sn+tLJhcjmuhOi629N66W6kgWzQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@types/react": "*"
+      }
+    },
     "node_modules/@types/react/node_modules/csstype": {
       "version": "3.2.3",
       "resolved": "https://registry.npmjs.org/csstype/-/csstype-3.2.3.tgz",
@@ -1544,6 +1548,7 @@
       "integrity": "sha512-PC0PDZfJg8sP7cmKe6L3QIL8GZwU5aRvUFedqSIpw3B+QjRSUZeeITC2M5XKeMXEzL6wccN196iy3JLwKNvDVA==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "@typescript-eslint/scope-manager": "8.48.1",
         "@typescript-eslint/types": "8.48.1",
@@ -1979,6 +1984,7 @@
       "integrity": "sha512-NZyJarBfL7nWwIq+FDL6Zp/yHEhePMNnnJ0y3qfieCrmNvYct8uvtiV41UvlSe6apAfk0fY1FbWx+NwfmpvtTg==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "bin": {
         "acorn": "bin/acorn"
       },
@@ -2429,6 +2435,7 @@
       "integrity": "sha512-BhHmn2yNOFA9H9JmmIVKJmd288g9hrVRDkdoIgRCRuSySRUHH7r/DI6aAXW9T1WwUuY3DFgrcaqB+deURBLR5g==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "@eslint-community/eslint-utils": "^4.8.0",
         "@eslint-community/regexpp": "^4.12.1",
@@ -2950,6 +2957,7 @@
         }
       ],
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "@babel/runtime": "^7.28.4"
       },
@@ -3621,6 +3629,7 @@
       "integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "engines": {
         "node": ">=12"
       },
@@ -3732,6 +3741,7 @@
       "resolved": "https://registry.npmjs.org/react/-/react-19.2.1.tgz",
       "integrity": "sha512-DGrYcCWK7tvYMnWh79yrPHt+vdx9tY+1gPZa7nJQtO/p8bLTDaHp4dzwEhQB7pZ4Xe3ok4XKuEPrVuc+wlpkmw==",
       "license": "MIT",
+      "peer": true,
       "engines": {
         "node": ">=0.10.0"
       }
@@ -3741,6 +3751,7 @@
       "resolved": "https://registry.npmjs.org/react-dom/-/react-dom-19.2.1.tgz",
       "integrity": "sha512-ibrK8llX2a4eOskq1mXKu/TGZj9qzomO+sNfO98M6d9zIPOEhlBkMkBUBLd1vgS0gQsLDBzA+8jJBVXDnfHmJg==",
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "scheduler": "^0.27.0"
       },
@@ -3775,6 +3786,13 @@
         }
       }
     },
+    "node_modules/react-is": {
+      "version": "19.2.6",
+      "resolved": "https://registry.npmjs.org/react-is/-/react-is-19.2.6.tgz",
+      "integrity": "sha512-XjBR15BhXuylgWGuslhDKqlSayuqvqBX91BP8pauG8kd1zY8kotkNWbXksTCNRarse4kuGbe2kIY05ARtwNIvw==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/react-router": {
       "version": "7.12.0",
       "resolved": "https://registry.npmjs.org/react-router/-/react-router-7.12.0.tgz",
@@ -3813,6 +3831,20 @@
         "react-dom": ">=18"
       }
     },
+    "node_modules/react-test-renderer": {
+      "version": "19.2.1",
+      "resolved": "https://registry.npmjs.org/react-test-renderer/-/react-test-renderer-19.2.1.tgz",
+      "integrity": "sha512-xsyf515ij+d8Rs/tsDZSJYXn+GdYO/IOw9BVFtjJbrrFR+dL1yZQQN1ChxY6otYAsCeAHhU0XsKyJUzP6omyvQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "react-is": "^19.2.1",
+        "scheduler": "^0.27.0"
+      },
+      "peerDependencies": {
+        "react": "^19.2.1"
+      }
+    },
     "node_modules/readdirp": {
       "version": "4.1.2",
       "resolved": "https://registry.npmjs.org/readdirp/-/readdirp-4.1.2.tgz",
@@ -4078,6 +4110,7 @@
       "integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==",
       "devOptional": true,
       "license": "Apache-2.0",
+      "peer": true,
       "bin": {
         "tsc": "bin/tsc",
         "tsserver": "bin/tsserver"
@@ -4110,6 +4143,13 @@
         "typescript": ">=4.8.4 <6.0.0"
       }
     },
+    "node_modules/undici-types": {
+      "version": "7.21.0",
+      "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-7.21.0.tgz",
+      "integrity": "sha512-w9IMgQrz4O0YN1LtB7K5P63vhlIOvC7opSmouCJ+ZywlPAlO9gIkJ+otk6LvGpAs2wg4econaCz3TvQ9xPoyuQ==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/update-browserslist-db": {
       "version": "1.2.2",
       "dev": true,
@@ -4154,6 +4194,7 @@
       "integrity": "sha512-rZuUu9j6J5uotLDs+cAA4O5H4K1SfPliUlQwqa6YEwSrWDZzP4rhm00oJR5snMewjxF5V/K3D4kctsUTsIU9Mw==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "lightningcss": "^1.32.0",
         "picomatch": "^4.0.4",
@@ -4398,6 +4439,7 @@
       "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.8.3.tgz",
       "integrity": "sha512-AvbaCLOO2Otw/lW5bmh9d/WEdcDFdQp2Z2ZUH3pX9U2ihyUY0nvLv7J6TrWowklRGPYbB/IuIMfYgxaCPg5Bpg==",
       "license": "ISC",
+      "peer": true,
       "bin": {
         "yaml": "bin.mjs"
       },
@@ -4425,6 +4467,7 @@
       "integrity": "sha512-AvvthqfqrAhNH9dnfmrfKzX5upOdjUVJYFqNSlkmGf64gRaTzlPwz99IHYnVs28qYAybvAlBV+H7pn0saFY4Ig==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "funding": {
         "url": "https://github.com/sponsors/colinhacks"
       }
diff --git a/package.json b/package.json
index 80c7ce20e..4ba870dd7 100644
--- a/package.json
+++ b/package.json
@@ -28,8 +28,10 @@
   },
   "devDependencies": {
     "@eslint/js": "^9.39.1",
+    "@types/node": "^25.7.0",
     "@types/react": "^19.2.7",
     "@types/react-dom": "^19.2.3",
+    "@types/react-test-renderer": "^19.1.0",
     "@typescript-eslint/eslint-plugin": "^8.48.1",
     "@typescript-eslint/parser": "^8.48.1",
     "@vitejs/plugin-react": "^6.0.1",
@@ -38,6 +40,7 @@
     "eslint-plugin-react-refresh": "^0.4.24",
     "globals": "^16.5.0",
     "prettier": "^3.7.4",
+    "react-test-renderer": "^19.2.1",
     "sass": "^1.94.2",
     "typescript": "^5.9.3",
     "typescript-eslint": "^8.48.1",
diff --git a/src/features/authFiles/components/AuthJsonPasteModal.module.scss b/src/features/authFiles/components/AuthJsonPasteModal.module.scss
new file mode 100644
index 000000000..173443950
--- /dev/null
+++ b/src/features/authFiles/components/AuthJsonPasteModal.module.scss
@@ -0,0 +1,60 @@
+@use '../../../styles/variables' as *;
+
+.authJsonPasteModal {
+  display: flex;
+  flex-direction: column;
+  gap: $spacing-md;
+}
+
+.prefixProxyError {
+  padding: $spacing-sm $spacing-md;
+  border-radius: $radius-md;
+  border: 1px solid var(--danger-color);
+  background-color: rgba($error-color, 0.1);
+  color: var(--danger-color);
+  font-size: 12px;
+}
+
+.formGroup {
+  display: flex;
+  flex-direction: column;
+  gap: $spacing-xs;
+  margin-top: $spacing-md;
+
+  label {
+    font-size: 14px;
+    font-weight: 500;
+    color: var(--text-primary);
+  }
+}
+
+.authJsonPasteTextarea {
+  width: 100%;
+  min-height: 300px;
+  box-sizing: border-box;
+  padding: $spacing-sm $spacing-md;
+  border: 1px solid var(--border-color);
+  border-radius: $radius-md;
+  background-color: var(--bg-secondary);
+  color: var(--text-primary);
+  font-family: monospace;
+  font-size: 12px;
+  line-height: 1.6;
+  resize: vertical;
+
+  &:focus {
+    outline: none;
+    border-color: var(--primary-color);
+  }
+
+  &::placeholder {
+    color: var(--text-tertiary);
+  }
+}
+
+.authJsonPasteHint {
+  margin: 0;
+  color: var(--text-secondary);
+  font-size: 12px;
+  line-height: 1.5;
+}
diff --git a/src/features/authFiles/components/AuthJsonPasteModal.test.tsx b/src/features/authFiles/components/AuthJsonPasteModal.test.tsx
new file mode 100644
index 000000000..b8b1e5569
--- /dev/null
+++ b/src/features/authFiles/components/AuthJsonPasteModal.test.tsx
@@ -0,0 +1,232 @@
+import { act, type ReactNode } from 'react';
+import { create, type ReactTestRenderer } from 'react-test-renderer';
+import { beforeEach, describe, expect, it, vi } from 'vitest';
+import { Button } from '@/components/ui/Button';
+import { Input } from '@/components/ui/Input';
+import { Select } from '@/components/ui/Select';
+import { AuthJsonPasteModal } from './AuthJsonPasteModal';
+
+vi.mock('react-i18next', () => ({
+  useTranslation: () => ({
+    t: (key: string) => key,
+  }),
+}));
+
+vi.mock('@/components/ui/Modal', () => ({
+  Modal: (props: { children: ReactNode; footer?: ReactNode }) => (
+    <div>
+      <div>{props.children}</div>
+      <div>{props.footer}</div>
+    </div>
+  ),
+}));
+
+type ModalHarness = {
+  renderer: ReactTestRenderer;
+  clickSave: () => Promise<void>;
+  setFileName: (value: string) => void;
+  setJsonText: (value: string) => void;
+  setType: (value: 'session' | 'cpa') => void;
+  getText: () => string;
+};
+
+  const mountModal = (
+    onSave: (type: 'session' | 'cpa', fileName: string, jsonText: string) => Promise<void>,
+    saving = false,
+    disabled = false
+  ): ModalHarness => {
+    let renderer: ReactTestRenderer;
+    act(() => {
+      renderer = create(
+        <AuthJsonPasteModal
+          open
+          saving={saving}
+          disabled={disabled}
+          onClose={() => {}}
+          onSave={onSave}
+        />
+      );
+  });
+
+  const setFileName = (value: string) => {
+    const input = renderer!.root.findByType(Input);
+    act(() => {
+      input.props.onChange({ target: { value } });
+    });
+  };
+
+  const setJsonText = (value: string) => {
+    const textarea = renderer!.root.findByProps({ id: 'auth-json-paste-content' });
+    act(() => {
+      textarea.props.onChange({ target: { value } });
+    });
+  };
+
+  const setType = (value: 'session' | 'cpa') => {
+    const select = renderer!.root.findByType(Select);
+    act(() => {
+      select.props.onChange(value);
+    });
+  };
+
+  const clickSave = async () => {
+    const saveButton = renderer!.root
+      .findAllByType(Button)
+      .find((node) => node.props.children === 'auth_files.paste_save_button');
+    if (!saveButton) throw new Error('Save button not found');
+    await act(async () => {
+      await saveButton.props.onClick();
+    });
+  };
+
+  const getText = () => JSON.stringify(renderer!.toJSON());
+
+  return {
+    renderer: renderer!,
+    clickSave,
+    setFileName,
+    setJsonText,
+    setType,
+    getText,
+  };
+};
+
+describe('AuthJsonPasteModal', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it('rejects invalid file names without calling save', async () => {
+    const onSave = vi.fn().mockResolvedValue(undefined);
+    const modal = mountModal(onSave);
+
+    modal.setFileName('invalid/name.json');
+    modal.setJsonText('{"type":"codex"}');
+
+    await modal.clickSave();
+
+    expect(onSave).not.toHaveBeenCalled();
+    expect(modal.getText()).toContain('auth_files.paste_error_file_name_invalid');
+    modal.renderer.unmount();
+  });
+
+  it.each([
+    'CON.json',
+    'CON.codex.json',
+    'AUX.json',
+    'NUL.json',
+    '.json',
+    '.codex.json',
+    '.hidden.json',
+    'LPT1.json',
+    'LPT1.backup.json',
+    'name .json',
+    'name..json',
+  ])(
+    'rejects Windows-unsafe file name %s without calling save',
+    async (fileName) => {
+      const onSave = vi.fn().mockResolvedValue(undefined);
+      const modal = mountModal(onSave);
+
+      modal.setFileName(fileName);
+      modal.setJsonText('{"type":"codex"}');
+
+      await modal.clickSave();
+
+      expect(onSave).not.toHaveBeenCalled();
+      expect(modal.getText()).toContain('auth_files.paste_error_file_name_invalid');
+      modal.renderer.unmount();
+    }
+  );
+
+  it.each([
+    'codex-\u202Egpj.json',
+    'codex-\u2066account.json',
+    'codex-\u200Baccount.json',
+  ])('rejects visually misleading file name %s without calling save', async (fileName) => {
+    const onSave = vi.fn().mockResolvedValue(undefined);
+    const modal = mountModal(onSave);
+
+    modal.setFileName(fileName);
+    modal.setJsonText('{"type":"codex"}');
+
+    await modal.clickSave();
+
+    expect(onSave).not.toHaveBeenCalled();
+    expect(modal.getText()).toContain('auth_files.paste_error_file_name_invalid');
+    modal.renderer.unmount();
+  });
+
+  it('rejects empty json text without calling save', async () => {
+    const onSave = vi.fn().mockResolvedValue(undefined);
+    const modal = mountModal(onSave);
+
+    modal.setFileName('valid.json');
+    modal.setJsonText('   ');
+
+    await modal.clickSave();
+
+    expect(onSave).not.toHaveBeenCalled();
+    expect(modal.getText()).toContain('auth_files.paste_error_json_required');
+    modal.renderer.unmount();
+  });
+
+  it('passes selected type, file name, and json text to save', async () => {
+    const onSave = vi.fn().mockResolvedValue(undefined);
+    const modal = mountModal(onSave);
+
+    modal.setType('cpa');
+    modal.setFileName('custom-auth.json');
+    modal.setJsonText('{"type":"codex","email":"user@example.com"}');
+
+    await modal.clickSave();
+
+    expect(onSave).toHaveBeenCalledTimes(1);
+    expect(onSave).toHaveBeenCalledWith(
+      'cpa',
+      'custom-auth.json',
+      '{"type":"codex","email":"user@example.com"}'
+    );
+    modal.renderer.unmount();
+  });
+
+  it('does not save again while a save is already in progress', async () => {
+    const onSave = vi.fn().mockResolvedValue(undefined);
+    const modal = mountModal(onSave, true);
+
+    modal.setFileName('custom-auth.json');
+    modal.setJsonText('{"type":"codex","email":"user@example.com"}');
+
+    await modal.clickSave();
+
+    expect(onSave).not.toHaveBeenCalled();
+    modal.renderer.unmount();
+  });
+
+  it('does not save while disabled', async () => {
+    const onSave = vi.fn().mockResolvedValue(undefined);
+    const modal = mountModal(onSave, false, true);
+
+    modal.setFileName('custom-auth.json');
+    modal.setJsonText('{"type":"codex","email":"user@example.com"}');
+
+    await modal.clickSave();
+
+    expect(onSave).not.toHaveBeenCalled();
+    modal.renderer.unmount();
+  });
+
+  it('renders save error returned by onSave', async () => {
+    const onSave = vi.fn().mockRejectedValue(new Error('upload failed'));
+    const modal = mountModal(onSave);
+
+    modal.setFileName('custom-auth.json');
+    modal.setJsonText('{"type":"codex"}');
+
+    await modal.clickSave();
+
+    expect(onSave).toHaveBeenCalledTimes(1);
+    expect(modal.getText()).toContain('upload failed');
+    modal.renderer.unmount();
+  });
+});
diff --git a/src/features/authFiles/components/AuthJsonPasteModal.tsx b/src/features/authFiles/components/AuthJsonPasteModal.tsx
new file mode 100644
index 000000000..a151d01ed
--- /dev/null
+++ b/src/features/authFiles/components/AuthJsonPasteModal.tsx
@@ -0,0 +1,205 @@
+import { useMemo, useState } from 'react';
+import { useTranslation } from 'react-i18next';
+import { Modal } from '@/components/ui/Modal';
+import { Button } from '@/components/ui/Button';
+import { Input } from '@/components/ui/Input';
+import { Select } from '@/components/ui/Select';
+import type { AuthJsonInputType } from '@/features/authFiles/sessionAuthConverter';
+import styles from './AuthJsonPasteModal.module.scss';
+
+type AuthJsonPasteModalProps = {
+  open: boolean;
+  saving: boolean;
+  disabled?: boolean;
+  onClose: () => void;
+  onSave: (type: AuthJsonInputType, fileName: string, jsonText: string) => Promise<void>;
+};
+
+const DEFAULT_FILE_NAME = 'codex-account.json';
+const INVALID_BASE_FILE_NAME_PATTERN = /[\\/:*?"<>|]/;
+const FORBIDDEN_INVISIBLE_CODE_POINTS = new Set([
+  0x200b,
+  0x200c,
+  0x200d,
+  0x200e,
+  0x200f,
+  0x202a,
+  0x202b,
+  0x202c,
+  0x202d,
+  0x202e,
+  0x2060,
+  0x2066,
+  0x2067,
+  0x2068,
+  0x2069,
+  0xfeff,
+]);
+const WINDOWS_RESERVED_BASE_NAMES = new Set([
+  'con',
+  'prn',
+  'aux',
+  'nul',
+  'com1',
+  'com2',
+  'com3',
+  'com4',
+  'com5',
+  'com6',
+  'com7',
+  'com8',
+  'com9',
+  'lpt1',
+  'lpt2',
+  'lpt3',
+  'lpt4',
+  'lpt5',
+  'lpt6',
+  'lpt7',
+  'lpt8',
+  'lpt9',
+]);
+
+const isValidBaseJsonFileName = (value: string) => {
+  const lowerValue = value.toLowerCase();
+  const baseName = value.slice(0, -'.json'.length);
+  const windowsDeviceName = baseName.split('.')[0]?.toLowerCase() ?? '';
+
+  return (
+    lowerValue.endsWith('.json') &&
+    baseName !== '' &&
+    baseName.trim() === baseName &&
+    !baseName.startsWith('.') &&
+    !baseName.endsWith('.') &&
+    !WINDOWS_RESERVED_BASE_NAMES.has(windowsDeviceName) &&
+    !INVALID_BASE_FILE_NAME_PATTERN.test(value) &&
+    !Array.from(value).some((char) => {
+      const codePoint = char.codePointAt(0);
+      return (
+        codePoint === undefined ||
+        codePoint < 32 ||
+        FORBIDDEN_INVISIBLE_CODE_POINTS.has(codePoint)
+      );
+    })
+  );
+};
+
+export function AuthJsonPasteModal({
+  open,
+  saving,
+  disabled = false,
+  onClose,
+  onSave,
+}: AuthJsonPasteModalProps) {
+  const { t } = useTranslation();
+  const [type, setType] = useState<AuthJsonInputType>('session');
+  const [fileName, setFileName] = useState(DEFAULT_FILE_NAME);
+  const [jsonText, setJsonText] = useState('');
+  const [error, setError] = useState('');
+
+  const resetForm = () => {
+    setType('session');
+    setFileName(DEFAULT_FILE_NAME);
+    setJsonText('');
+    setError('');
+  };
+
+  const handleClose = () => {
+    resetForm();
+    onClose();
+  };
+
+  const options = useMemo(
+    () => [
+      { value: 'cpa', label: t('auth_files.paste_type_cpa') },
+      { value: 'session', label: t('auth_files.paste_type_session') },
+    ],
+    [t]
+  );
+
+  const handleSave = async () => {
+    if (saving || disabled) return;
+
+    const trimmedName = fileName.trim();
+    if (!trimmedName) {
+      setError(t('auth_files.paste_error_file_name'));
+      return;
+    }
+    if (!isValidBaseJsonFileName(trimmedName)) {
+      setError(t('auth_files.paste_error_file_name_invalid'));
+      return;
+    }
+    if (!jsonText.trim()) {
+      setError(t('auth_files.paste_error_json_required'));
+      return;
+    }
+
+    setError('');
+    try {
+      await onSave(type, trimmedName, jsonText);
+      resetForm();
+    } catch (err) {
+      setError(err instanceof Error ? err.message : t('notification.save_failed'));
+    }
+  };
+
+  return (
+    <Modal
+      open={open}
+      onClose={handleClose}
+      title={t('auth_files.paste_title')}
+      width={640}
+      closeDisabled={saving}
+      footer={
+        <>
+          <Button variant="secondary" onClick={handleClose} disabled={saving}>
+            {t('common.cancel')}
+          </Button>
+          <Button onClick={handleSave} loading={saving} disabled={disabled}>
+            {t('auth_files.paste_save_button')}
+          </Button>
+        </>
+      }
+    >
+      <div className={styles.authJsonPasteModal}>
+        {error && <div className={styles.prefixProxyError}>{error}</div>}
+        <div className={styles.formGroup}>
+          <label>{t('auth_files.paste_type_label')}</label>
+          <Select
+            value={type}
+            options={options}
+            onChange={(value) => setType(value as AuthJsonInputType)}
+            ariaLabel={t('auth_files.paste_type_label')}
+            disabled={saving || disabled}
+          />
+        </div>
+        <Input
+          label={t('auth_files.paste_file_name_label')}
+          value={fileName}
+          onChange={(event) => setFileName(event.target.value)}
+          disabled={saving || disabled}
+          placeholder={DEFAULT_FILE_NAME}
+        />
+        <div className={styles.formGroup}>
+          <label htmlFor="auth-json-paste-content">{t('auth_files.paste_json_label')}</label>
+          <textarea
+            id="auth-json-paste-content"
+            className={styles.authJsonPasteTextarea}
+            value={jsonText}
+            onChange={(event) => setJsonText(event.target.value)}
+            disabled={saving || disabled}
+            spellCheck={false}
+            placeholder={t(
+              type === 'session'
+                ? 'auth_files.paste_session_placeholder'
+                : 'auth_files.paste_cpa_placeholder'
+            )}
+          />
+        </div>
+        <p className={styles.authJsonPasteHint}>
+          {t(type === 'session' ? 'auth_files.paste_session_hint' : 'auth_files.paste_cpa_hint')}
+        </p>
+      </div>
+    </Modal>
+  );
+}
diff --git a/src/features/authFiles/hooks/useAuthFilesData.test.ts b/src/features/authFiles/hooks/useAuthFilesData.test.ts
new file mode 100644
index 000000000..893fffb3d
--- /dev/null
+++ b/src/features/authFiles/hooks/useAuthFilesData.test.ts
@@ -0,0 +1,411 @@
+import { act, createElement } from 'react';
+import { create, type ReactTestRenderer } from 'react-test-renderer';
+import { beforeEach, describe, expect, it, vi } from 'vitest';
+
+const { mocks } = vi.hoisted(() => {
+  return {
+    mocks: {
+      list: vi.fn(),
+      saveJsonObject: vi.fn(),
+      showNotification: vi.fn(),
+      showConfirmation: vi.fn(),
+    },
+  };
+});
+
+vi.mock('react-i18next', () => ({
+  useTranslation: () => ({
+    t: (key: string, options?: Record<string, unknown>) => {
+      if (options && typeof options.name === 'string') {
+        return `${key}:${options.name}`;
+      }
+      return key;
+    },
+  }),
+}));
+
+vi.mock('@/stores', () => ({
+  useNotificationStore: () => ({
+    showNotification: mocks.showNotification,
+    showConfirmation: mocks.showConfirmation,
+  }),
+}));
+
+vi.mock('@/services/api', () => ({
+  authFilesApi: {
+    list: mocks.list,
+    saveJsonObject: mocks.saveJsonObject,
+  },
+}));
+
+import { buildPastedAuthJsonPayload, useAuthFilesData } from './useAuthFilesData';
+
+type UseAuthFilesDataHarness = {
+  getCurrent: () => ReturnType<typeof useAuthFilesData>;
+  getSavingHistory: () => boolean[];
+  unmount: () => void;
+};
+
+const mountUseAuthFilesData = (): UseAuthFilesDataHarness => {
+  let hook: ReturnType<typeof useAuthFilesData> | null = null;
+  let lastSavingState: boolean | undefined;
+  const savingHistory: boolean[] = [];
+  let renderer: ReactTestRenderer | null = null;
+
+  const captureHook = (value: ReturnType<typeof useAuthFilesData>) => {
+    hook = value;
+    if (value.authJsonPasteSaving !== lastSavingState) {
+      lastSavingState = value.authJsonPasteSaving;
+      savingHistory.push(value.authJsonPasteSaving);
+    }
+  };
+
+  function HookHarness() {
+    captureHook(useAuthFilesData());
+    return null;
+  }
+
+  act(() => {
+    renderer = create(createElement(HookHarness));
+  });
+
+  return {
+    getCurrent: () => {
+      if (!hook) {
+        throw new Error('Failed to mount useAuthFilesData test harness');
+      }
+      return hook;
+    },
+    getSavingHistory: () => [...savingHistory],
+    unmount: () => {
+      if (!renderer) return;
+      act(() => {
+        renderer?.unmount();
+      });
+    },
+  };
+};
+
+beforeEach(() => {
+  mocks.list.mockReset();
+  mocks.saveJsonObject.mockReset();
+  mocks.showNotification.mockReset();
+  mocks.showConfirmation.mockReset();
+
+  mocks.list.mockResolvedValue({ files: [] });
+  mocks.saveJsonObject.mockResolvedValue(undefined);
+});
+
+describe('buildPastedAuthJsonPayload', () => {
+  it('keeps explicit file names for pasted CPA auth JSON', () => {
+    const input = {
+      type: 'codex',
+      email: 'user@example.com',
+      access_token: 'existing-access-token',
+    };
+
+    const result = buildPastedAuthJsonPayload('cpa', 'custom-auth.json', JSON.stringify(input));
+
+    expect(result.resolvedFileName).toBe('custom-auth.json');
+    expect(result.authJson).toEqual(input);
+  });
+
+  it('keeps explicit file names for pasted session auth JSON when a custom name is provided', () => {
+    const result = buildPastedAuthJsonPayload(
+      'session',
+      'my-work-account.json',
+      JSON.stringify({
+        user: { email: 'Session.User+tag@example.com' },
+        account: { id: 'session-account' },
+        accessToken: 'plain-access-token',
+      })
+    );
+
+    expect(result.resolvedFileName).toBe('my-work-account.json');
+  });
+
+  it('derives a default codex file name for pasted session auth JSON', () => {
+    const result = buildPastedAuthJsonPayload(
+      'session',
+      'codex-account.json',
+      JSON.stringify({
+        user: { email: 'Session.User+tag@example.com' },
+        account: { id: 'session-account' },
+        accessToken: 'plain-access-token',
+      })
+    );
+
+    expect(result.resolvedFileName).toBe('session-user-tag-example-com.codex.json');
+    expect(result.authJson).toMatchObject({
+      type: 'codex',
+      email: 'Session.User+tag@example.com',
+      account_id: 'session-account',
+      access_token: 'plain-access-token',
+    });
+  });
+});
+
+describe('useAuthFilesData savePastedAuthJson', () => {
+  it('saves converted session JSON with derived default file name and reloads files', async () => {
+    const hook = mountUseAuthFilesData();
+    const sessionInput = JSON.stringify({
+      user: { email: 'Session.User+tag@example.com' },
+      account: { id: 'session-account' },
+      accessToken: 'plain-access-token',
+    });
+
+    const savedName = await hook
+      .getCurrent()
+      .savePastedAuthJson('session', 'codex-account.json', sessionInput);
+
+    expect(savedName).toBe('session-user-tag-example-com.codex.json');
+    expect(mocks.saveJsonObject).toHaveBeenCalledWith(
+      'session-user-tag-example-com.codex.json',
+      expect.objectContaining({
+        type: 'codex',
+        email: 'Session.User+tag@example.com',
+        account_id: 'session-account',
+        access_token: 'plain-access-token',
+      })
+    );
+    expect(mocks.showNotification).toHaveBeenCalledWith(
+      'auth_files.paste_success:session-user-tag-example-com.codex.json',
+      'success'
+    );
+    expect(mocks.list).toHaveBeenCalledTimes(1);
+    hook.unmount();
+  });
+
+  it('saves CPA JSON unchanged with explicit file name', async () => {
+    const hook = mountUseAuthFilesData();
+    const cpaInput = {
+      type: 'codex',
+      email: 'user@example.com',
+      access_token: 'existing-access-token',
+    };
+
+    const savedName = await hook.getCurrent().savePastedAuthJson('cpa', 'custom-auth.json', JSON.stringify(cpaInput));
+
+    expect(savedName).toBe('custom-auth.json');
+    expect(mocks.saveJsonObject).toHaveBeenCalledWith('custom-auth.json', cpaInput);
+    expect(mocks.list).toHaveBeenCalledTimes(1);
+    hook.unmount();
+  });
+
+  it('waits for file reload completion before resolving pasted save success', async () => {
+    const hook = mountUseAuthFilesData();
+    const validInput = JSON.stringify({
+      type: 'codex',
+      email: 'user@example.com',
+      access_token: 'existing-access-token',
+    });
+    let resolveList: (() => void) | undefined;
+    mocks.list.mockImplementationOnce(
+      () =>
+        new Promise<{ files: [] }>((resolve) => {
+          resolveList = () => resolve({ files: [] });
+        })
+    );
+
+    const settled = vi.fn();
+    const savePromise = hook.getCurrent().savePastedAuthJson('cpa', 'custom-auth.json', validInput);
+    void savePromise.then(settled);
+
+    await Promise.resolve();
+    await Promise.resolve();
+
+    expect(settled).not.toHaveBeenCalled();
+    expect(mocks.showNotification).not.toHaveBeenCalled();
+
+    expect(resolveList).toBeTypeOf('function');
+    resolveList?.();
+    await savePromise;
+    expect(settled).toHaveBeenCalledWith('custom-auth.json');
+    expect(mocks.showNotification).toHaveBeenCalledWith(
+      'auth_files.paste_success:custom-auth.json',
+      'success'
+    );
+    hook.unmount();
+  });
+
+  it('sets authJsonPasteSaving true during save and resets false after success', async () => {
+    const hook = mountUseAuthFilesData();
+    const validInput = JSON.stringify({
+      type: 'codex',
+      email: 'user@example.com',
+      access_token: 'existing-access-token',
+    });
+    let resolveUpload: (() => void) | undefined;
+    mocks.saveJsonObject.mockImplementationOnce(
+      () =>
+        new Promise<void>((resolve) => {
+          resolveUpload = resolve;
+        })
+    );
+
+    const savePromise = hook.getCurrent().savePastedAuthJson('cpa', 'custom-auth.json', validInput);
+    await act(async () => {
+      await Promise.resolve();
+    });
+    expect(hook.getCurrent().authJsonPasteSaving).toBe(true);
+
+    expect(resolveUpload).toBeTypeOf('function');
+    resolveUpload?.();
+    await expect(savePromise).resolves.toBe('custom-auth.json');
+    await act(async () => {
+      await Promise.resolve();
+    });
+
+    expect(hook.getCurrent().authJsonPasteSaving).toBe(false);
+    const savingHistory = hook.getSavingHistory();
+    expect(savingHistory).toContain(true);
+    expect(savingHistory[savingHistory.length - 1]).toBe(false);
+    hook.unmount();
+  });
+
+  it('rejects a concurrent pasted save before starting a duplicate upload', async () => {
+    const hook = mountUseAuthFilesData();
+    const validInput = JSON.stringify({
+      type: 'codex',
+      email: 'user@example.com',
+      access_token: 'existing-access-token',
+    });
+    let resolveUpload: (() => void) | undefined;
+    mocks.saveJsonObject.mockImplementationOnce(
+      () =>
+        new Promise<void>((resolve) => {
+          resolveUpload = resolve;
+        })
+    );
+
+    const firstSave = hook.getCurrent().savePastedAuthJson('cpa', 'custom-auth.json', validInput);
+    await expect(
+      hook.getCurrent().savePastedAuthJson('cpa', 'custom-auth.json', validInput)
+    ).rejects.toThrow('auth_files.paste_error_save_in_progress');
+
+    expect(mocks.saveJsonObject).toHaveBeenCalledTimes(1);
+    expect(resolveUpload).toBeTypeOf('function');
+    resolveUpload?.();
+    await expect(firstSave).resolves.toBe('custom-auth.json');
+    hook.unmount();
+  });
+
+  it('throws on invalid conversion and does not upload or show success notification', async () => {
+    const hook = mountUseAuthFilesData();
+    const invalidInput = JSON.stringify({ foo: 'bar' });
+
+    await expect(hook.getCurrent().savePastedAuthJson('cpa', 'custom-auth.json', invalidInput)).rejects.toThrow();
+
+    expect(mocks.saveJsonObject).not.toHaveBeenCalled();
+    expect(mocks.showNotification).not.toHaveBeenCalled();
+    expect(mocks.list).not.toHaveBeenCalled();
+    hook.unmount();
+  });
+
+  it('throws a generic save failure on upload failure and does not show success notification or reload files', async () => {
+    const hook = mountUseAuthFilesData();
+    const validInput = JSON.stringify({
+      type: 'codex',
+      email: 'user@example.com',
+      access_token: 'existing-access-token',
+    });
+    mocks.saveJsonObject.mockRejectedValueOnce(
+      new Error('upload failed for token sk-secret-value')
+    );
+
+    await expect(hook.getCurrent().savePastedAuthJson('cpa', 'custom-auth.json', validInput)).rejects.toThrow(
+      'notification.save_failed'
+    );
+
+    expect(mocks.showNotification).not.toHaveBeenCalled();
+    expect(mocks.list).not.toHaveBeenCalled();
+    hook.unmount();
+  });
+
+  it('resolves saved file name when reload fails after upload and shows refresh warning', async () => {
+    const hook = mountUseAuthFilesData();
+    const validInput = JSON.stringify({
+      type: 'codex',
+      email: 'user@example.com',
+      access_token: 'existing-access-token',
+    });
+    mocks.list.mockClear();
+    mocks.list.mockRejectedValueOnce(new Error('reload failed'));
+
+    await expect(
+      hook.getCurrent().savePastedAuthJson('cpa', 'custom-auth.json', validInput)
+    ).resolves.toBe('custom-auth.json');
+
+    expect(mocks.saveJsonObject).toHaveBeenCalledTimes(1);
+    expect(mocks.list).toHaveBeenCalledTimes(1);
+    expect(mocks.showNotification).toHaveBeenCalledWith(
+      'auth_files.paste_success:custom-auth.json',
+      'success'
+    );
+    expect(mocks.showNotification).toHaveBeenCalledWith(
+      'notification.refresh_failed: reload failed',
+      'warning'
+    );
+    hook.unmount();
+  });
+
+  it('sets authJsonPasteSaving true during save and resets false after failure', async () => {
+    const hook = mountUseAuthFilesData();
+    const validInput = JSON.stringify({
+      type: 'codex',
+      email: 'user@example.com',
+      access_token: 'existing-access-token',
+    });
+    let rejectUpload: ((reason?: unknown) => void) | undefined;
+    mocks.saveJsonObject.mockImplementationOnce(
+      () =>
+        new Promise<void>((_, reject) => {
+          rejectUpload = reject;
+        })
+    );
+
+    const savePromise = hook.getCurrent().savePastedAuthJson('cpa', 'custom-auth.json', validInput);
+    await act(async () => {
+      await Promise.resolve();
+    });
+    expect(hook.getCurrent().authJsonPasteSaving).toBe(true);
+
+    expect(rejectUpload).toBeTypeOf('function');
+    rejectUpload?.(new Error('upload failed'));
+    await expect(savePromise).rejects.toThrow('notification.save_failed');
+    await act(async () => {
+      await Promise.resolve();
+    });
+
+    expect(hook.getCurrent().authJsonPasteSaving).toBe(false);
+    const savingHistory = hook.getSavingHistory();
+    expect(savingHistory).toContain(true);
+    expect(savingHistory[savingHistory.length - 1]).toBe(false);
+    hook.unmount();
+  });
+
+  it('allows retrying pasted save after an upload failure', async () => {
+    const hook = mountUseAuthFilesData();
+    const validInput = JSON.stringify({
+      type: 'codex',
+      email: 'user@example.com',
+      access_token: 'existing-access-token',
+    });
+    mocks.saveJsonObject.mockRejectedValueOnce(new Error('upload failed'));
+
+    await expect(hook.getCurrent().savePastedAuthJson('cpa', 'custom-auth.json', validInput)).rejects.toThrow(
+      'notification.save_failed'
+    );
+    await expect(hook.getCurrent().savePastedAuthJson('cpa', 'custom-auth.json', validInput)).resolves.toBe(
+      'custom-auth.json'
+    );
+
+    expect(mocks.saveJsonObject).toHaveBeenCalledTimes(2);
+    expect(mocks.list).toHaveBeenCalledTimes(1);
+    expect(mocks.showNotification).toHaveBeenCalledWith(
+      'auth_files.paste_success:custom-auth.json',
+      'success'
+    );
+    hook.unmount();
+  });
+});
diff --git a/src/features/authFiles/hooks/useAuthFilesData.ts b/src/features/authFiles/hooks/useAuthFilesData.ts
index 0453ec455..13a167f4f 100644
--- a/src/features/authFiles/hooks/useAuthFilesData.ts
+++ b/src/features/authFiles/hooks/useAuthFilesData.ts
@@ -7,6 +7,11 @@ import type { AuthFileItem } from '@/types';
 import { formatFileSize } from '@/utils/format';
 import { MAX_AUTH_FILE_SIZE } from '@/utils/constants';
 import { downloadBlob } from '@/utils/download';
+import {
+  convertAuthJsonInput,
+  getDefaultSessionAuthFileName,
+  type AuthJsonInputType,
+} from '@/features/authFiles/sessionAuthConverter';
 import {
   getTypeLabel,
   hasAuthFileStatusMessage,
@@ -32,14 +37,20 @@ export type UseAuthFilesDataResult = {
   loading: boolean;
   error: string;
   uploading: boolean;
+  authJsonPasteSaving: boolean;
   deleting: string | null;
   deletingAll: boolean;
   statusUpdating: Record<string, boolean>;
   batchStatusUpdating: boolean;
   fileInputRef: RefObject<HTMLInputElement | null>;
-  loadFiles: () => Promise<void>;
+  loadFiles: (options?: { throwOnError?: boolean }) => Promise<void>;
   handleUploadClick: () => void;
   handleFileChange: (event: ChangeEvent<HTMLInputElement>) => Promise<void>;
+  savePastedAuthJson: (
+    type: AuthJsonInputType,
+    fileName: string,
+    jsonText: string
+  ) => Promise<string>;
   handleDelete: (name: string) => void;
   handleDeleteAll: (options: DeleteAllOptions) => void;
   handleDownload: (name: string) => Promise<void>;
@@ -53,6 +64,27 @@ export type UseAuthFilesDataResult = {
   batchDelete: (names: string[]) => void;
 };
 
+type PastedAuthJsonPayload = {
+  authJson: Record<string, unknown>;
+  resolvedFileName: string;
+};
+
+export const buildPastedAuthJsonPayload = (
+  type: AuthJsonInputType,
+  fileName: string,
+  jsonText: string
+): PastedAuthJsonPayload => {
+  const authJson = convertAuthJsonInput(jsonText, type);
+  const resolvedFileName =
+    type === 'session' && fileName === 'codex-account.json'
+      ? getDefaultSessionAuthFileName(authJson)
+      : fileName;
+  return {
+    authJson,
+    resolvedFileName,
+  };
+};
+
 export function useAuthFilesData(): UseAuthFilesDataResult {
   const { t } = useTranslation();
   const { showNotification, showConfirmation } = useNotificationStore();
@@ -61,6 +93,8 @@ export function useAuthFilesData(): UseAuthFilesDataResult {
   const [loading, setLoading] = useState(true);
   const [error, setError] = useState('');
   const [uploading, setUploading] = useState(false);
+  const [authJsonPasteSaving, setAuthJsonPasteSaving] = useState(false);
+  const authJsonPasteSavingRef = useRef(false);
   const [deleting, setDeleting] = useState<string | null>(null);
   const [deletingAll, setDeletingAll] = useState(false);
   const [statusUpdating, setStatusUpdating] = useState<Record<string, boolean>>({});
@@ -161,7 +195,7 @@ export function useAuthFilesData(): UseAuthFilesDataResult {
     });
   }, [files, selectedFiles.size]);
 
-  const loadFiles = useCallback(async () => {
+  const loadFiles = useCallback(async (options?: { throwOnError?: boolean }) => {
     setLoading(true);
     setError('');
     try {
@@ -170,6 +204,9 @@ export function useAuthFilesData(): UseAuthFilesDataResult {
     } catch (err: unknown) {
       const errorMessage = err instanceof Error ? err.message : t('notification.refresh_failed');
       setError(errorMessage);
+      if (options?.throwOnError) {
+        throw (err instanceof Error ? err : new Error(errorMessage));
+      }
     } finally {
       setLoading(false);
     }
@@ -247,6 +284,41 @@ export function useAuthFilesData(): UseAuthFilesDataResult {
     [loadFiles, showNotification, t]
   );
 
+  const savePastedAuthJson = useCallback(
+    async (type: AuthJsonInputType, fileName: string, jsonText: string) => {
+      if (authJsonPasteSavingRef.current) {
+        throw new Error(t('auth_files.paste_error_save_in_progress'));
+      }
+      authJsonPasteSavingRef.current = true;
+      setAuthJsonPasteSaving(true);
+      try {
+        const { authJson, resolvedFileName } = buildPastedAuthJsonPayload(type, fileName, jsonText);
+        try {
+          await authFilesApi.saveJsonObject(resolvedFileName, authJson);
+        } catch {
+          throw new Error(t('notification.save_failed'));
+        }
+        try {
+          await loadFiles({ throwOnError: true });
+        } catch (reloadError) {
+          const reloadMessage =
+            reloadError instanceof Error ? reloadError.message : t('notification.refresh_failed');
+          showNotification(t('auth_files.paste_success', { name: resolvedFileName }), 'success');
+          showNotification(`${t('notification.refresh_failed')}: ${reloadMessage}`, 'warning');
+          return resolvedFileName;
+        }
+        showNotification(t('auth_files.paste_success', { name: resolvedFileName }), 'success');
+        return resolvedFileName;
+      } catch (err) {
+        throw new Error(err instanceof Error ? err.message : t('notification.save_failed'));
+      } finally {
+        authJsonPasteSavingRef.current = false;
+        setAuthJsonPasteSaving(false);
+      }
+    },
+    [loadFiles, showNotification, t]
+  );
+
   const handleDelete = useCallback(
     (name: string) => {
       showConfirmation({
@@ -645,6 +717,7 @@ export function useAuthFilesData(): UseAuthFilesDataResult {
     loading,
     error,
     uploading,
+    authJsonPasteSaving,
     deleting,
     deletingAll,
     statusUpdating,
@@ -653,6 +726,7 @@ export function useAuthFilesData(): UseAuthFilesDataResult {
     loadFiles,
     handleUploadClick,
     handleFileChange,
+    savePastedAuthJson,
     handleDelete,
     handleDeleteAll,
     handleDownload,
diff --git a/src/features/authFiles/sessionAuthConverter.test.ts b/src/features/authFiles/sessionAuthConverter.test.ts
new file mode 100644
index 000000000..74e0fd953
--- /dev/null
+++ b/src/features/authFiles/sessionAuthConverter.test.ts
@@ -0,0 +1,1079 @@
+import { describe, expect, it } from 'vitest';
+import {
+  convertAuthJsonInput,
+  getDefaultSessionAuthFileName,
+} from '@/features/authFiles/sessionAuthConverter';
+
+const encodeBase64UrlJson = (value: unknown) =>
+  btoa(JSON.stringify(value)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/g, '');
+
+const buildJwt = (
+  payload: Record<string, unknown>,
+  header: Record<string, unknown> = { alg: 'none', typ: 'JWT' }
+) => `${encodeBase64UrlJson(header)}.${encodeBase64UrlJson(payload)}.`;
+
+const buildSignedJwt = (
+  payload: Record<string, unknown>,
+  header: Record<string, unknown> = { alg: 'HS256', typ: 'JWT' },
+  signature = 'signature'
+) => `${encodeBase64UrlJson(header)}.${encodeBase64UrlJson(payload)}.${signature}`;
+
+describe('convertAuthJsonInput', () => {
+  it('keeps a CPA auth JSON object unchanged', () => {
+    const input = {
+      type: 'codex',
+      email: 'user@example.com',
+      access_token: 'existing-access-token',
+    };
+
+    const result = convertAuthJsonInput(JSON.stringify(input), 'cpa');
+
+    expect(result).toEqual(input);
+  });
+
+  it('converts a ChatGPT session object to CPA Codex auth JSON', () => {
+    const accessToken = buildJwt({
+      exp: 1_800_000_000,
+      email: 'token@example.com',
+      'https://api.openai.com/auth': {
+        chatgpt_account_id: 'acc-from-token',
+        chatgpt_plan_type: 'plus',
+        chatgpt_user_id: 'user-from-token',
+      },
+    });
+
+    const result = convertAuthJsonInput(
+      JSON.stringify({
+        user: { email: 'session@example.com', id: 'session-user' },
+        account: { id: 'session-account', planType: 'pro' },
+        accessToken,
+        sessionToken: 'session-token',
+      }),
+      'session',
+      new Date('2026-05-11T08:00:00.000Z')
+    );
+
+    expect(result).toMatchObject({
+      type: 'codex',
+      account_id: 'session-account',
+      chatgpt_account_id: 'session-account',
+      email: 'session@example.com',
+      name: 'session@example.com',
+      plan_type: 'pro',
+      chatgpt_plan_type: 'pro',
+      access_token: accessToken,
+      session_token: 'session-token',
+      last_refresh: '2026-05-11T08:00:00.000Z',
+      expired: '2027-01-15T08:00:00.000Z',
+    });
+  });
+
+  it('omits id_token instead of synthesizing an unsigned token when idToken is missing', () => {
+    const result = convertAuthJsonInput(
+      JSON.stringify({
+        user: { email: 'session@example.com' },
+        account: { id: 'session-account' },
+        accessToken: 'access-token',
+      }),
+      'session'
+    );
+
+    expect(result).toMatchObject({
+      type: 'codex',
+      email: 'session@example.com',
+      account_id: 'session-account',
+      access_token: 'access-token',
+    });
+    expect(result).not.toHaveProperty('id_token');
+    expect(result).not.toHaveProperty('id_token_synthetic');
+  });
+
+  it('uses access-token exp as fallback but does not treat token identity claims as canonical metadata', () => {
+    const forgedAccessToken = buildJwt(
+      {
+        exp: 1_900_000_000,
+        email: 'attacker@example.com',
+        'https://api.openai.com/auth': {
+          chatgpt_account_id: 'attacker-account',
+          chatgpt_plan_type: 'enterprise',
+        },
+      },
+      { alg: 'none' }
+    );
+
+    const result = convertAuthJsonInput(
+      JSON.stringify({
+        user: {},
+        accessToken: forgedAccessToken,
+      }),
+      'session'
+    );
+
+    expect(result).toMatchObject({
+      type: 'codex',
+      access_token: forgedAccessToken,
+      name: 'ChatGPT Account',
+      expired: '2030-03-17T17:46:40.000Z',
+    });
+    expect(result).not.toHaveProperty('email');
+    expect(result).not.toHaveProperty('account_id');
+    expect(result).not.toHaveProperty('chatgpt_account_id');
+    expect(result).not.toHaveProperty('plan_type');
+    expect(result).not.toHaveProperty('chatgpt_plan_type');
+  });
+
+    it('omits unsigned idToken values and does not treat forged idToken payload claims as canonical metadata', () => {
+    const forgedIdToken = buildJwt(
+      {
+        email: 'attacker-id@example.com',
+        'https://api.openai.com/auth': {
+          chatgpt_account_id: 'attacker-id-account',
+          chatgpt_plan_type: 'enterprise',
+        },
+      },
+      { alg: 'none' }
+    );
+
+    const result = convertAuthJsonInput(
+      JSON.stringify({
+        user: {},
+        accessToken: 'access-token',
+        idToken: forgedIdToken,
+      }),
+      'session'
+    );
+
+      expect(result).toMatchObject({
+        type: 'codex',
+        access_token: 'access-token',
+        name: 'ChatGPT Account',
+      });
+      expect(result).not.toHaveProperty('id_token');
+      expect(result).not.toHaveProperty('email');
+      expect(result).not.toHaveProperty('account_id');
+      expect(result).not.toHaveProperty('chatgpt_account_id');
+      expect(result).not.toHaveProperty('plan_type');
+      expect(result).not.toHaveProperty('chatgpt_plan_type');
+    });
+
+    it('omits JWT-shaped idToken values when the signature segment is empty', () => {
+      const emptySignatureIdToken = buildJwt(
+        {
+          email: 'untrusted-id@example.com',
+        },
+        { alg: 'HS256', typ: 'JWT' }
+      );
+
+      const result = convertAuthJsonInput(
+        JSON.stringify({
+          user: {},
+          accessToken: 'access-token',
+          idToken: emptySignatureIdToken,
+        }),
+        'session'
+      );
+
+      expect(result).toMatchObject({
+        type: 'codex',
+        access_token: 'access-token',
+      });
+      expect(result).not.toHaveProperty('id_token');
+    });
+
+    it('preserves a non-none idToken JWT string when the signature segment is present', () => {
+      const signedLikeIdToken = buildSignedJwt(
+        {
+          email: 'trusted-id@example.com',
+        },
+        { alg: 'HS256', typ: 'JWT' }
+      );
+
+      const result = convertAuthJsonInput(
+        JSON.stringify({
+          user: {},
+          accessToken: 'access-token',
+          idToken: signedLikeIdToken,
+        }),
+        'session'
+      );
+
+      expect(result).toMatchObject({
+        type: 'codex',
+        access_token: 'access-token',
+        id_token: signedLikeIdToken,
+      });
+    });
+
+    it.each([
+    {
+      alias: 'expires',
+      sessionValue: '2026-06-01T00:00:00.000Z',
+    },
+    {
+      alias: 'expired',
+      sessionValue: '2026-07-01T00:00:00.000Z',
+    },
+    {
+      alias: 'expires_at',
+      sessionValue: '2026-08-01T00:00:00.000Z',
+    },
+  ])(
+    'prefers explicit session expiration alias "$alias" over access token exp',
+    ({ alias, sessionValue }) => {
+      const accessToken = buildJwt({
+        exp: 1_800_000_000,
+      });
+
+      const result = convertAuthJsonInput(
+        JSON.stringify({
+          user: { email: 'session@example.com' },
+          account: { id: 'session-account' },
+          accessToken,
+          [alias]: sessionValue,
+        }),
+        'session'
+      );
+
+      expect(result.expired).toBe(sessionValue);
+    }
+  );
+
+  it('converts session JSON with token and user data split across nested objects', () => {
+      const idToken = buildSignedJwt(
+        {
+          email: 'id-token@example.com',
+          'https://api.openai.com/auth': {
+            chatgpt_account_id: 'account-from-id-token',
+            chatgpt_plan_type: 'team',
+            chatgpt_user_id: 'user-from-id-token',
+          },
+        },
+        { alg: 'HS256', typ: 'JWT' }
+      );
+
+    const result = convertAuthJsonInput(
+      JSON.stringify({
+        session: {
+          tokens: {
+            accessToken: 'access-token',
+            idToken,
+            sessionToken: 'session-token',
+          },
+        },
+        profile: {
+          user: { email: 'profile@example.com', id: 'profile-user' },
+          account: { id: 'profile-account', planType: 'pro' },
+        },
+      }),
+      'session'
+    );
+
+    expect(result).toMatchObject({
+      type: 'codex',
+      email: 'profile@example.com',
+      account_id: 'profile-account',
+      chatgpt_account_id: 'profile-account',
+      plan_type: 'pro',
+      chatgpt_plan_type: 'pro',
+      access_token: 'access-token',
+      id_token: idToken,
+      session_token: 'session-token',
+    });
+  });
+
+  it('converts a one-item array-wrapped split session object', () => {
+    const result = convertAuthJsonInput(
+      JSON.stringify([
+        {
+          session: {
+            tokens: {
+              accessToken: 'array-access-token',
+            },
+          },
+          profile: {
+            user: { email: 'array@example.com' },
+            account: { id: 'array-account', planType: 'plus' },
+          },
+        },
+      ]),
+      'session'
+    );
+
+    expect(result).toMatchObject({
+      type: 'codex',
+      email: 'array@example.com',
+      account_id: 'array-account',
+      chatgpt_account_id: 'array-account',
+      plan_type: 'plus',
+      chatgpt_plan_type: 'plus',
+      access_token: 'array-access-token',
+    });
+  });
+
+  it('rejects array-wrapped input when it contains multiple split session objects', () => {
+    const input = [
+      {
+        session: { tokens: { accessToken: 'array-access-token-a' } },
+        profile: {
+          user: { email: 'array-a@example.com' },
+          account: { id: 'array-account-a' },
+        },
+      },
+      {
+        session: { tokens: { accessToken: 'array-access-token-b' } },
+        profile: {
+          user: { email: 'array-b@example.com' },
+          account: { id: 'array-account-b' },
+        },
+      },
+    ];
+
+    expect(() => convertAuthJsonInput(JSON.stringify(input), 'session')).toThrow(
+      'Multiple ChatGPT session objects found; paste one session only'
+    );
+  });
+
+    it('preserves nested explicit expiration when split-session data is aggregated', () => {
+      const nestedExpiry = '2026-08-01T00:00:00.000Z';
+      const result = convertAuthJsonInput(
+        JSON.stringify({
+        session: {
+          tokens: {
+            accessToken: 'access-token',
+          },
+          expires_at: nestedExpiry,
+        },
+        profile: {
+          user: { email: 'profile@example.com' },
+          account: { id: 'profile-account' },
+        },
+      }),
+      'session'
+    );
+
+      expect(result).toMatchObject({
+        access_token: 'access-token',
+        expired: nestedExpiry,
+      });
+    });
+
+    it('prefers explicit session expires_at over nested token-container expires_at during aggregation', () => {
+      const explicitSessionExpiry = '2026-08-01T00:00:00.000Z';
+      const nestedTokenExpiry = '2026-01-01T00:00:00.000Z';
+      const result = convertAuthJsonInput(
+        JSON.stringify({
+          session: {
+            tokens: {
+              accessToken: 'access-token',
+              expires_at: nestedTokenExpiry,
+            },
+            expires_at: explicitSessionExpiry,
+          },
+          profile: {
+            user: { email: 'profile@example.com' },
+            account: { id: 'profile-account' },
+          },
+        }),
+        'session'
+      );
+
+      expect(result).toMatchObject({
+        access_token: 'access-token',
+        expired: explicitSessionExpiry,
+      });
+    });
+
+    it('prefers numeric-string expires_at over access-token exp fallback', () => {
+      const accessToken = buildJwt({ exp: 1_700_000_000 });
+      const result = convertAuthJsonInput(
+        JSON.stringify({
+          user: { email: 'profile@example.com' },
+          account: { id: 'profile-account' },
+          accessToken,
+          expires_at: '1800000000',
+        }),
+        'session'
+      );
+
+      expect(result).toMatchObject({
+        access_token: accessToken,
+        expired: '2027-01-15T08:00:00.000Z',
+      });
+    });
+
+  it('uses a nested access token even when a parent session object has only session metadata', () => {
+        const result = convertAuthJsonInput(
+          JSON.stringify({
+        session: {
+          sessionToken: 'parent-session-token',
+          token: {
+            accessToken: 'nested-access-token',
+          },
+        },
+        profile: {
+          user: { email: 'profile@example.com' },
+          account: { id: 'profile-account' },
+        },
+      }),
+      'session'
+    );
+
+    expect(result).toMatchObject({
+      type: 'codex',
+      email: 'profile@example.com',
+      account_id: 'profile-account',
+      access_token: 'nested-access-token',
+      session_token: 'parent-session-token',
+        });
+      });
+
+  it('preserves nested user identity when aggregated data.session provides accessToken directly', () => {
+    const result = convertAuthJsonInput(
+      JSON.stringify({
+        data: {
+          session: {
+            accessToken: 'wrapped-access-token',
+            user: { email: 'wrapped@example.com' },
+            account: { id: 'wrapped-account' },
+          },
+        },
+      }),
+      'session'
+    );
+
+    expect(result).toMatchObject({
+      type: 'codex',
+      email: 'wrapped@example.com',
+      account_id: 'wrapped-account',
+      chatgpt_account_id: 'wrapped-account',
+      access_token: 'wrapped-access-token',
+    });
+  });
+
+  it('preserves nested user identity when aggregated data.session token container uses access_token', () => {
+    const result = convertAuthJsonInput(
+      JSON.stringify({
+        data: {
+          session: {
+            token: { access_token: 'wrapped-token-access-token' },
+            user: { email: 'wrapped-token@example.com' },
+            account: { id: 'wrapped-token-account' },
+          },
+        },
+      }),
+      'session'
+    );
+
+    expect(result).toMatchObject({
+      type: 'codex',
+      email: 'wrapped-token@example.com',
+      account_id: 'wrapped-token-account',
+      chatgpt_account_id: 'wrapped-token-account',
+      access_token: 'wrapped-token-access-token',
+    });
+  });
+
+  it('merges sibling profile account data when a nested session already has token and user fields', () => {
+      const result = convertAuthJsonInput(
+        JSON.stringify({
+          session: {
+            accessToken: 'nested-access-token',
+            user: { email: 'nested@example.com' },
+          },
+          profile: {
+            account: { id: 'profile-account', planType: 'pro' },
+          },
+        }),
+        'session'
+      );
+
+      expect(result).toMatchObject({
+        type: 'codex',
+        email: 'nested@example.com',
+        account_id: 'profile-account',
+        chatgpt_account_id: 'profile-account',
+        plan_type: 'pro',
+        chatgpt_plan_type: 'pro',
+        access_token: 'nested-access-token',
+      });
+    });
+
+    it('merges sibling profile account data for one-item array-wrapped direct session inputs', () => {
+      const result = convertAuthJsonInput(
+        JSON.stringify([
+          {
+            session: {
+              accessToken: 'nested-access-token',
+              user: { email: 'nested@example.com' },
+            },
+            profile: {
+              account: { id: 'profile-account', planType: 'pro' },
+            },
+          },
+        ]),
+        'session'
+      );
+
+      expect(result).toMatchObject({
+        type: 'codex',
+        email: 'nested@example.com',
+        account_id: 'profile-account',
+        chatgpt_account_id: 'profile-account',
+        plan_type: 'pro',
+        chatgpt_plan_type: 'pro',
+        access_token: 'nested-access-token',
+      });
+    });
+
+    it('merges nested profile account data when root user and token fields are present', () => {
+      const result = convertAuthJsonInput(
+        JSON.stringify({
+        user: { email: 'root@example.com' },
+        token: { accessToken: 'root-access-token' },
+        profile: {
+          account: { id: 'profile-account', planType: 'pro' },
+        },
+      }),
+      'session'
+    );
+
+      expect(result).toMatchObject({
+        type: 'codex',
+        email: 'root@example.com',
+        account_id: 'profile-account',
+        chatgpt_account_id: 'profile-account',
+        plan_type: 'pro',
+        chatgpt_plan_type: 'pro',
+        access_token: 'root-access-token',
+      });
+    });
+
+    it('preserves nested account.account_id and account.chatgpt_plan_type aliases', () => {
+      const result = convertAuthJsonInput(
+        JSON.stringify({
+          session: {
+            token: {
+              accessToken: 'root-access-token',
+            },
+          },
+          user: { email: 'root@example.com' },
+          account: {
+            account_id: 'root-account-id-alias',
+            chatgpt_plan_type: 'team',
+          },
+        }),
+        'session'
+      );
+
+      expect(result).toMatchObject({
+        type: 'codex',
+        email: 'root@example.com',
+        account_id: 'root-account-id-alias',
+        chatgpt_account_id: 'root-account-id-alias',
+        plan_type: 'team',
+        chatgpt_plan_type: 'team',
+        access_token: 'root-access-token',
+      });
+    });
+
+    it('preserves nested account and profile.account chatgpt aliases when id fields are absent', () => {
+      const result = convertAuthJsonInput(
+        JSON.stringify({
+          session: {
+            tokens: {
+              accessToken: 'profile-access-token',
+            },
+          },
+          profile: {
+            user: { email: 'profile@example.com' },
+            account: {
+              chatgpt_account_id: 'profile-account-alias',
+              chatgpt_plan_type: 'pro',
+            },
+          },
+          account: {
+            chatgpt_account_id: 'root-account-alias',
+            chatgpt_plan_type: 'team',
+          },
+        }),
+        'session'
+      );
+
+      expect(result).toMatchObject({
+        type: 'codex',
+        email: 'profile@example.com',
+        account_id: 'root-account-alias',
+        chatgpt_account_id: 'root-account-alias',
+        plan_type: 'team',
+        chatgpt_plan_type: 'team',
+        access_token: 'profile-access-token',
+      });
+    });
+
+    it('rejects split session JSON when multiple token branches could be aggregated', () => {
+      const input = {
+      profile: {
+        user: { email: 'profile@example.com' },
+        account: { id: 'profile-account' },
+      },
+      tokenA: {
+        accessToken: 'access-token-a',
+      },
+      tokenB: {
+        accessToken: 'access-token-b',
+      },
+    };
+
+    expect(() => convertAuthJsonInput(JSON.stringify(input), 'session')).toThrow(
+      'Multiple token candidates found in split session JSON; paste one account/session only'
+    );
+  });
+
+  it('rejects pasted JSON that exceeds the input size limit', () => {
+    const oversized = JSON.stringify({
+      type: 'codex',
+      access_token: 'existing-access-token',
+      padding: 'x'.repeat(3_000_000),
+    });
+
+    expect(() => convertAuthJsonInput(oversized, 'cpa')).toThrow(
+      'Auth JSON input exceeds size limit'
+    );
+  });
+
+  it('rejects session JSON that exceeds traversal depth limits', () => {
+    const root: Record<string, unknown> = {};
+    let cursor = root;
+    for (let index = 0; index < 80; index += 1) {
+      cursor.next = {};
+      cursor = cursor.next as Record<string, unknown>;
+    }
+    cursor.user = { email: 'deep@example.com' };
+    cursor.accessToken = 'deep-access-token';
+
+    expect(() => convertAuthJsonInput(JSON.stringify(root), 'session')).toThrow(
+      'Auth JSON nesting exceeds depth limit'
+    );
+  });
+
+  it('rejects session JSON that exceeds traversal record limits', () => {
+    const items = Array.from({ length: 6_000 }, (_, index) => ({
+      id: `record-${index}`,
+      value: `v${index}`,
+    }));
+    const input = JSON.stringify({
+      nodes: items,
+      session: {
+        user: { email: 'records@example.com' },
+        accessToken: 'record-access-token',
+      },
+    });
+
+    expect(() => convertAuthJsonInput(input, 'session')).toThrow(
+      'Auth JSON traversal exceeds record limit'
+    );
+  });
+
+  it('rejects CPA auth JSON without a minimal auth-file shape', () => {
+    expect(() => convertAuthJsonInput(JSON.stringify({ foo: 'bar' }), 'cpa')).toThrow(
+      'CPA auth JSON is missing required auth fields'
+    );
+  });
+
+  it('rejects Codex CPA auth JSON when credential containers are empty', () => {
+    const invalidInputs = [
+      { type: 'codex', credentials: {} },
+      { type: 'codex', auth: {} },
+      { type: 'codex', cookies: {} },
+    ];
+
+    invalidInputs.forEach((input) => {
+      expect(() => convertAuthJsonInput(JSON.stringify(input), 'cpa')).toThrow(
+        'CPA auth JSON is missing required auth fields'
+      );
+    });
+  });
+
+  it('keeps Codex CPA auth JSON unchanged when nested credentials include a real token', () => {
+    const input = {
+      type: 'codex',
+      credentials: {
+        access_token: 'nested-access-token',
+      },
+    };
+
+    const result = convertAuthJsonInput(JSON.stringify(input), 'cpa');
+
+    expect(result).toEqual(input);
+  });
+
+  it('keeps unknown-provider CPA auth JSON unchanged when credentials include provider-specific keys', () => {
+    const input = {
+      type: 'custom-provider',
+      credentials: {
+        sessionSecret: 'provider-secret',
+      },
+    };
+
+    const result = convertAuthJsonInput(JSON.stringify(input), 'cpa');
+
+    expect(result).toEqual(input);
+  });
+
+  it('keeps unknown-provider CPA auth JSON unchanged when top-level credential-like fields are present', () => {
+    const validInputs = [
+      { type: 'custom-provider', token: 'provider-secret' },
+      { type: 'custom-provider', apiKey: 'provider-api-key' },
+      { type: 'custom-provider', sessionSecret: 'provider-session-secret' },
+    ];
+
+    validInputs.forEach((input) => {
+      const result = convertAuthJsonInput(JSON.stringify(input), 'cpa');
+      expect(result).toEqual(input);
+    });
+  });
+
+  it('keeps known-provider CPA auth JSON unchanged when top-level auth header or cookie credentials are present', () => {
+    const validInputs = [
+      { type: 'openai', authorization: 'Bearer provider-token' },
+      { type: 'openai', bearer: 'provider-token' },
+      { type: 'chatgpt', cookie: '__Secure-next-auth.session-token=token' },
+      { type: 'chatgpt', cookies: '__Secure-next-auth.session-token=token' },
+    ];
+
+    validInputs.forEach((input) => {
+      const result = convertAuthJsonInput(JSON.stringify(input), 'cpa');
+      expect(result).toEqual(input);
+    });
+  });
+
+  it('keeps Vertex service-account CPA auth JSON unchanged', () => {
+    const input = {
+      type: 'service_account',
+      project_id: 'vertex-project',
+      private_key: '-----BEGIN PRIVATE KEY-----\nabc\n-----END PRIVATE KEY-----\n',
+      client_email: 'vertex-service@vertex-project.iam.gserviceaccount.com',
+    };
+
+    const result = convertAuthJsonInput(JSON.stringify(input), 'cpa');
+
+    expect(result).toEqual(input);
+  });
+
+  it('rejects unknown-provider CPA auth JSON when top-level fields are not credential-like', () => {
+    const input = {
+      type: 'custom-provider',
+      note: 'provider-secret',
+    };
+
+    expect(() => convertAuthJsonInput(JSON.stringify(input), 'cpa')).toThrow(
+      'CPA auth JSON is missing required auth fields'
+    );
+  });
+
+  it('rejects unknown-provider CPA auth JSON when credential-like fields only appear in unrelated nested metadata', () => {
+    const invalidInputs = [
+      { type: 'custom-provider', token: { note: 'browser export' } },
+      { type: 'custom-provider', apiKey: { value: 'metadata-api-key' } },
+      { type: 'custom-provider', profile: { password: 'metadata-password' } },
+      { type: 'custom-provider', metadata: { clientSecret: 'metadata-secret' } },
+      { type: 'custom-provider', account: { token: 'metadata-token' } },
+    ];
+
+    invalidInputs.forEach((input) => {
+      expect(() => convertAuthJsonInput(JSON.stringify(input), 'cpa')).toThrow(
+        'CPA auth JSON is missing required auth fields'
+      );
+    });
+  });
+
+  it('rejects unknown-provider CPA auth JSON when only broad secret fields are present', () => {
+    const invalidInputs = [
+      { type: 'custom-provider', password: 'personal-password' },
+      { type: 'custom-provider', passphrase: 'personal-passphrase' },
+      { type: 'custom-provider', secret: 'personal-secret' },
+    ];
+
+    invalidInputs.forEach((input) => {
+      expect(() => convertAuthJsonInput(JSON.stringify(input), 'cpa')).toThrow(
+        'CPA auth JSON is missing required auth fields'
+      );
+    });
+  });
+
+  it('rejects pasted CPA JSON content with invisible control characters', () => {
+    expect(() =>
+      convertAuthJsonInput(
+        JSON.stringify({
+          type: 'codex',
+          access_token: 'existing-access-token',
+          note: 'safe\u202Egnp.exe',
+        }),
+        'cpa'
+      )
+    ).toThrow('Auth JSON contains unsupported invisible characters');
+  });
+
+  it('rejects pasted CPA JSON keys with invisible control characters', () => {
+    expect(() =>
+      convertAuthJsonInput(
+        JSON.stringify({
+          type: 'codex',
+          access_token: 'existing-access-token',
+          'display\u202Ename': 'misleading-key',
+        }),
+        'cpa'
+      )
+    ).toThrow('Auth JSON contains unsupported invisible characters');
+  });
+
+  it('rejects pasted session JSON content with invisible control characters', () => {
+    expect(() =>
+      convertAuthJsonInput(
+        JSON.stringify({
+          user: { email: 'session@example.com' },
+          account: { id: 'session-account' },
+          accessToken: 'access-token',
+          note: 'zero\u200Bwidth',
+        }),
+        'session'
+      )
+    ).toThrow('Auth JSON contains unsupported invisible characters');
+  });
+
+  it('keeps CPA auth JSON unchanged for auth/cookies containers across provider families', () => {
+    const validInputs = [
+      {
+        provider: 'openai',
+        auth: { access_token: 'provider-auth-token' },
+      },
+      {
+        provider: 'chatgpt',
+        cookies: { session_token: 'provider-cookie-token' },
+      },
+      {
+        type: 'openai',
+        auth: { refresh_token: 'openai-refresh-token' },
+      },
+      {
+        type: 'chatgpt',
+        cookies: { id_token: 'chatgpt-id-token' },
+      },
+      {
+        type: 'custom-provider',
+        auth: { refresh_token: 'custom-refresh-token' },
+      },
+      {
+        type: 'custom-provider',
+        cookies: { session_token: 'custom-session-token' },
+      },
+    ];
+
+    validInputs.forEach((input) => {
+      const result = convertAuthJsonInput(JSON.stringify(input), 'cpa');
+      expect(result).toEqual(input);
+    });
+  });
+
+  it('rejects known-provider auth containers when credential keys do not match provider contract', () => {
+    const invalidInputs = [
+      { provider: 'openai', auth: { token: 'ambiguous-openai-token' } },
+      { provider: 'chatgpt', cookies: { api_key: 'unexpected-chatgpt-api-key' } },
+      { provider: 'openai', auth: { nested: [{ id_token: 'unexpected-openai-id-token' }] } },
+      { provider: 'chatgpt', cookies: { nested: [{ api_key: 'unexpected-chatgpt-api-key' }] } },
+    ];
+
+    invalidInputs.forEach((input) => {
+      expect(() => convertAuthJsonInput(JSON.stringify(input), 'cpa')).toThrow(
+        'CPA auth JSON is missing required auth fields'
+      );
+    });
+  });
+
+  it('rejects nested auth/cookies containers without usable credential keys', () => {
+    const invalidInputs = [
+      { provider: 'openai', auth: {} },
+      { provider: 'chatgpt', cookies: {} },
+      { type: 'custom-provider', auth: {} },
+      { type: 'custom-provider', cookies: {} },
+      { type: 'openai', auth: { access_token: '   ' } },
+      { type: 'openai', auth: { access_token: { note: 'browser export' } } },
+      { type: 'chatgpt', cookies: { id_token: '\n\t' } },
+      { provider: 'openai', auth: { nested: { foo: 'bar' } } },
+      { type: 'chatgpt', cookies: { nested: [{ x: 'y' }] } },
+      { type: 'custom-provider', auth: { note: 'hello' } },
+      { type: 'custom-provider', credentials: { sessionSecret: { value: 'metadata-secret' } } },
+      { type: 'custom-provider', credentials: { nested: [{ note: 'hello' }] } },
+    ];
+
+    invalidInputs.forEach((input) => {
+      expect(() => convertAuthJsonInput(JSON.stringify(input), 'cpa')).toThrow(
+        'CPA auth JSON is missing required auth fields'
+      );
+    });
+  });
+
+  it('rejects CPA auth JSON with unsigned or empty-signature id_token values', () => {
+    const invalidInputs = [
+      {
+        type: 'codex',
+        access_token: 'existing-access-token',
+        id_token: buildJwt({ sub: 'user' }),
+      },
+      {
+        type: 'codex',
+        access_token: 'existing-access-token',
+        credentials: {
+          idToken: buildJwt({ sub: 'user' }, { alg: 'HS256', typ: 'JWT' }),
+        },
+      },
+    ];
+
+    invalidInputs.forEach((input) => {
+      expect(() => convertAuthJsonInput(JSON.stringify(input), 'cpa')).toThrow(
+        'CPA auth JSON contains unsupported id_token'
+      );
+    });
+  });
+
+  it('converts explicit session fields when JWT-shaped payloads are malformed', () => {
+    const result = convertAuthJsonInput(
+      JSON.stringify({
+        user: { email: 'session@example.com', id: 'session-user' },
+        account: { id: 'session-account', planType: 'plus' },
+        accessToken: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.%%%bad%%%.sig',
+        idToken: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.bm90LWpzb24.sig',
+        expires_at: '2026-06-01T00:00:00.000Z',
+      }),
+      'session'
+    );
+
+    expect(result).toMatchObject({
+      type: 'codex',
+      email: 'session@example.com',
+      account_id: 'session-account',
+      access_token: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.%%%bad%%%.sig',
+      id_token: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.bm90LWpzb24.sig',
+      expired: '2026-06-01T00:00:00.000Z',
+    });
+  });
+
+  it('omits expired when malformed JWT-shaped access token is the only expiration source', () => {
+    const result = convertAuthJsonInput(
+      JSON.stringify({
+        user: { email: 'session@example.com', id: 'session-user' },
+        account: { id: 'session-account', planType: 'plus' },
+        accessToken: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.%%%bad%%%.sig',
+      }),
+      'session'
+    );
+
+    expect(result).toMatchObject({
+      type: 'codex',
+      email: 'session@example.com',
+      account_id: 'session-account',
+      access_token: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.%%%bad%%%.sig',
+    });
+    expect(result).not.toHaveProperty('expired');
+  });
+
+  it('ignores oversized JWT payload segments without crashing conversion', () => {
+    const header = encodeBase64UrlJson({ alg: 'HS256', typ: 'JWT' });
+    const oversizedPayload = 'a'.repeat(25_000);
+    const tokenWithHugePayload = `${header}.${oversizedPayload}.sig`;
+
+    const result = convertAuthJsonInput(
+      JSON.stringify({
+        user: { email: 'session@example.com' },
+        account: { id: 'session-account', planType: 'plus' },
+        accessToken: tokenWithHugePayload,
+        expires_at: '2026-06-01T00:00:00.000Z',
+      }),
+      'session'
+    );
+
+    expect(result).toMatchObject({
+      type: 'codex',
+      email: 'session@example.com',
+      account_id: 'session-account',
+      plan_type: 'plus',
+      access_token: tokenWithHugePayload,
+      expired: '2026-06-01T00:00:00.000Z',
+    });
+  });
+
+  it('omits optional token fields when their values are not strings', () => {
+    const result = convertAuthJsonInput(
+      JSON.stringify({
+        user: { email: 'session@example.com' },
+        account: { id: 'session-account' },
+        accessToken: 'access-token',
+        sessionToken: true,
+        refreshToken: 123,
+        idToken: false,
+      }),
+      'session'
+    );
+
+    expect(result).not.toHaveProperty('session_token');
+    expect(result).not.toHaveProperty('refresh_token');
+    expect(result).not.toHaveProperty('id_token');
+  });
+
+  it('preserves optional token fields when string values are present', () => {
+    const result = convertAuthJsonInput(
+      JSON.stringify({
+        user: { email: 'session@example.com' },
+        account: { id: 'session-account' },
+        accessToken: 'access-token',
+        sessionToken: 'session-token',
+        refreshToken: 'refresh-token',
+        idToken: 'id-token',
+      }),
+      'session'
+    );
+
+    expect(result).toMatchObject({
+      type: 'codex',
+      access_token: 'access-token',
+      session_token: 'session-token',
+      refresh_token: 'refresh-token',
+      id_token: 'id-token',
+    });
+  });
+
+  it('rejects a session object with a non-string access token', () => {
+    expect(() =>
+      convertAuthJsonInput(
+        JSON.stringify({
+          user: { email: 'session@example.com' },
+          accessToken: true,
+        }),
+        'session'
+      )
+    ).toThrow('No ChatGPT session object with accessToken was found');
+  });
+
+  it('builds a safe default file name from converted account identity', () => {
+    const authJson = {
+      type: 'codex',
+      email: 'User.Name+tag@example.com',
+    };
+
+    expect(getDefaultSessionAuthFileName(authJson)).toBe('user-name-tag-example-com.codex.json');
+  });
+
+  it.each(['con', 'AUX', 'lpt1'])(
+    'does not build a Windows reserved default file name from %s',
+    (identity) => {
+      const authJson = {
+        type: 'codex',
+        email: identity,
+      };
+
+      expect(getDefaultSessionAuthFileName(authJson)).toBe(
+        `${identity.toLowerCase()}-account.codex.json`
+      );
+    }
+  );
+});
diff --git a/src/features/authFiles/sessionAuthConverter.ts b/src/features/authFiles/sessionAuthConverter.ts
new file mode 100644
index 000000000..2a976f77d
--- /dev/null
+++ b/src/features/authFiles/sessionAuthConverter.ts
@@ -0,0 +1,787 @@
+export type AuthJsonInputType = 'cpa' | 'session';
+
+type JsonRecord = Record<string, unknown>;
+type TraversalState = {
+  visited: WeakSet<object>;
+  visitedRecords: number;
+};
+
+export class AuthJsonConversionError extends Error {
+  constructor(message: string) {
+    super(message);
+    this.name = 'AuthJsonConversionError';
+  }
+}
+
+const isRecord = (value: unknown): value is JsonRecord =>
+  Boolean(value) && typeof value === 'object' && !Array.isArray(value);
+
+const firstNonEmpty = (...values: unknown[]) => {
+  for (const value of values) {
+    if (typeof value === 'string' && value.trim() !== '') return value.trim();
+    if (typeof value === 'number' && Number.isFinite(value)) return value;
+    if (typeof value === 'boolean') return value;
+  }
+  return undefined;
+};
+
+const firstNonEmptyString = (...values: unknown[]) => {
+  for (const value of values) {
+    if (typeof value === 'string' && value.trim() !== '') return value.trim();
+  }
+  return undefined;
+};
+
+const firstRecord = (...values: unknown[]) => {
+  for (const value of values) {
+    if (isRecord(value)) return value;
+  }
+  return undefined;
+};
+
+const KNOWN_CREDENTIAL_KEYS = new Set([
+  'access_token',
+  'accesstoken',
+  'id_token',
+  'idtoken',
+  'refresh_token',
+  'refreshtoken',
+  'session_token',
+  'sessiontoken',
+  'api_key',
+  'apikey',
+  'key',
+  'token',
+  'cookie',
+  'cookies',
+  'authorization',
+  'bearer',
+]);
+
+const GENERIC_CREDENTIAL_KEYS = new Set([
+  ...KNOWN_CREDENTIAL_KEYS,
+  'session_secret',
+  'sessionsecret',
+  'client_secret',
+  'clientsecret',
+]);
+
+const SERVICE_ACCOUNT_CREDENTIAL_KEYS = new Set(['private_key', 'privatekey']);
+
+const OPENAI_CREDENTIAL_KEYS = new Set([
+  'access_token',
+  'accesstoken',
+  'refresh_token',
+  'refreshtoken',
+  'api_key',
+  'apikey',
+  'authorization',
+  'bearer',
+]);
+
+const CHATGPT_CREDENTIAL_KEYS = new Set([
+  'access_token',
+  'accesstoken',
+  'id_token',
+  'idtoken',
+  'refresh_token',
+  'refreshtoken',
+  'session_token',
+  'sessiontoken',
+  'cookie',
+  'cookies',
+]);
+
+const PROVIDER_CREDENTIAL_KEYSETS: Record<string, Set<string>> = {
+  codex: KNOWN_CREDENTIAL_KEYS,
+  openai: OPENAI_CREDENTIAL_KEYS,
+  chatgpt: CHATGPT_CREDENTIAL_KEYS,
+  service_account: SERVICE_ACCOUNT_CREDENTIAL_KEYS,
+};
+
+const WINDOWS_RESERVED_BASE_NAMES = new Set([
+  'con',
+  'prn',
+  'aux',
+  'nul',
+  'com1',
+  'com2',
+  'com3',
+  'com4',
+  'com5',
+  'com6',
+  'com7',
+  'com8',
+  'com9',
+  'lpt1',
+  'lpt2',
+  'lpt3',
+  'lpt4',
+  'lpt5',
+  'lpt6',
+  'lpt7',
+  'lpt8',
+  'lpt9',
+]);
+
+const FORBIDDEN_INVISIBLE_CODE_POINTS = new Set([
+  0x200b,
+  0x200c,
+  0x200d,
+  0x200e,
+  0x200f,
+  0x202a,
+  0x202b,
+  0x202c,
+  0x202d,
+  0x202e,
+  0x2060,
+  0x2066,
+  0x2067,
+  0x2068,
+  0x2069,
+  0xfeff,
+]);
+
+const CREDENTIAL_CONTAINER_KEYS = ['credentials', 'auth', 'cookies'] as const;
+
+const MAX_AUTH_JSON_INPUT_CHARS = 1_000_000;
+const MAX_JSON_TRAVERSAL_DEPTH = 64;
+const MAX_JSON_RECORDS = 5_000;
+const MAX_JWT_SEGMENT_CHARS = 16_384;
+
+const createTraversalState = (): TraversalState => ({
+  visited: new WeakSet<object>(),
+  visitedRecords: 0,
+});
+
+const assertTraversalDepth = (depth: number) => {
+  if (depth > MAX_JSON_TRAVERSAL_DEPTH) {
+    throw new AuthJsonConversionError('Auth JSON nesting exceeds depth limit');
+  }
+};
+
+const markTraversalRecord = (value: object, state: TraversalState) => {
+  if (state.visited.has(value)) return false;
+
+  state.visited.add(value);
+  state.visitedRecords += 1;
+  if (state.visitedRecords > MAX_JSON_RECORDS) {
+    throw new AuthJsonConversionError('Auth JSON traversal exceeds record limit');
+  }
+
+  return true;
+};
+
+const hasCredentialValueForKeySet = (
+  value: unknown,
+  keySet: Set<string>,
+  depth = 0,
+  state: TraversalState = createTraversalState()
+): boolean => {
+  assertTraversalDepth(depth);
+
+  if (Array.isArray(value)) {
+    if (!markTraversalRecord(value, state)) return false;
+    return value.some((item) => hasCredentialValueForKeySet(item, keySet, depth + 1, state));
+  }
+  if (!isRecord(value)) return false;
+  if (!markTraversalRecord(value, state)) return false;
+
+  for (const [key, item] of Object.entries(value)) {
+    const normalizedKey = key.toLowerCase();
+    if (keySet.has(normalizedKey) && typeof item === 'string' && item.trim() !== '') {
+      return true;
+    }
+
+    if (hasCredentialValueForKeySet(item, keySet, depth + 1, state)) {
+      return true;
+    }
+  }
+
+  return false;
+};
+
+const stripUnavailable = (value: unknown): unknown => {
+  if (Array.isArray(value)) {
+    const next = value.map(stripUnavailable).filter((item) => item !== undefined);
+    return next.length ? next : undefined;
+  }
+
+  if (isRecord(value)) {
+    const entries = Object.entries(value)
+      .map(([key, item]) => [key, stripUnavailable(item)] as const)
+      .filter(([, item]) => item !== undefined);
+    return entries.length ? Object.fromEntries(entries) : undefined;
+  }
+
+  if (value === undefined || value === null || value === '') return undefined;
+  return value;
+};
+
+const decodeBase64Url = (value: string) => {
+  const normalized = value.replace(/-/g, '+').replace(/_/g, '/');
+  const padded = normalized.padEnd(Math.ceil(normalized.length / 4) * 4, '=');
+  const binary = atob(padded);
+  const bytes = Uint8Array.from(binary, (char) => char.charCodeAt(0));
+  return new TextDecoder().decode(bytes);
+};
+
+const parseJwtSegment = (token: unknown, segmentIndex: number): JsonRecord | undefined => {
+  if (typeof token !== 'string' || token.trim() === '') return undefined;
+  const segments = token.split('.');
+  if (segments.length <= segmentIndex) return undefined;
+  if (segments[segmentIndex].length > MAX_JWT_SEGMENT_CHARS) return undefined;
+
+  try {
+    const decoded = JSON.parse(decodeBase64Url(segments[segmentIndex])) as unknown;
+    return isRecord(decoded) ? decoded : undefined;
+  } catch {
+    return undefined;
+  }
+};
+
+const parseJwtPayload = (token: unknown): JsonRecord | undefined => parseJwtSegment(token, 1);
+
+const parseJwtHeader = (token: unknown): JsonRecord | undefined => parseJwtSegment(token, 0);
+
+const isUnsignedJwtToken = (token: unknown): boolean => {
+  const header = parseJwtHeader(token);
+  if (!header) return false;
+
+  return typeof header.alg === 'string' && header.alg.trim().toLowerCase() === 'none';
+};
+
+const hasEmptyJwtSignatureSegment = (token: unknown): boolean => {
+  if (typeof token !== 'string' || token.trim() === '') return false;
+  const segments = token.split('.');
+  if (segments.length !== 3) return false;
+  return segments[0].trim() !== '' && segments[1].trim() !== '' && segments[2].trim() === '';
+};
+
+const isUnsafeIdToken = (token: unknown): boolean =>
+  isUnsignedJwtToken(token) || hasEmptyJwtSignatureSegment(token);
+
+const normalizeTimestamp = (value: unknown) => {
+  const fromEpochLike = (epochValue: number) => {
+    const milliseconds = epochValue > 1e11 ? epochValue : epochValue * 1000;
+    const date = new Date(milliseconds);
+    return Number.isNaN(date.getTime()) ? undefined : date.toISOString();
+  };
+
+  if (value instanceof Date && !Number.isNaN(value.getTime())) return value.toISOString();
+
+  if (typeof value === 'number' && Number.isFinite(value)) {
+    return fromEpochLike(value);
+  }
+
+  if (typeof value !== 'string' || value.trim() === '') return undefined;
+  const normalizedValue = value.trim();
+  if (/^-?\d+(?:\.\d+)?$/.test(normalizedValue)) {
+    const epochValue = Number(normalizedValue);
+    if (Number.isFinite(epochValue)) return fromEpochLike(epochValue);
+  }
+
+  const date = new Date(normalizedValue);
+  return Number.isNaN(date.getTime()) ? undefined : date.toISOString();
+};
+
+const parseJsonObject = (text: string, allowArray = false): JsonRecord | unknown[] => {
+  if (text.length > MAX_AUTH_JSON_INPUT_CHARS) {
+    throw new AuthJsonConversionError('Auth JSON input exceeds size limit');
+  }
+
+  let parsed: unknown;
+  try {
+    parsed = JSON.parse(text);
+  } catch (error) {
+    throw new AuthJsonConversionError(error instanceof Error ? error.message : 'Invalid JSON');
+  }
+
+  if (!isRecord(parsed) && !(allowArray && Array.isArray(parsed))) {
+    throw new AuthJsonConversionError('JSON content must be an object');
+  }
+
+  return parsed as JsonRecord | unknown[];
+};
+
+type SessionCandidate = {
+  value: JsonRecord;
+  path: string;
+};
+
+const collectRecords = (value: unknown) => {
+  const found: JsonRecord[] = [];
+  const state = createTraversalState();
+
+  const visit = (item: unknown, depth: number) => {
+    assertTraversalDepth(depth);
+
+    if (Array.isArray(item)) {
+      if (!markTraversalRecord(item, state)) return;
+      item.forEach((child) => visit(child, depth + 1));
+      return;
+    }
+
+    if (!isRecord(item)) return;
+    if (!markTraversalRecord(item, state)) return;
+    found.push(item);
+    Object.values(item).forEach((child) => visit(child, depth + 1));
+  };
+
+  visit(value, 0);
+  return found;
+};
+
+const hasAccessTokenFields = (record: JsonRecord) =>
+  Boolean(firstNonEmptyString(record.accessToken, record.access_token));
+
+const hasUserFields = (record: JsonRecord) =>
+  Boolean(firstNonEmpty(record.email, record.name) || isRecord(record.user));
+
+const resolveUserRecord = (value: unknown): JsonRecord | undefined => {
+  if (!isRecord(value)) return undefined;
+  if (firstNonEmpty(value.email, value.name)) return value;
+  return resolveUserRecord(value.user);
+};
+
+const hasAccountFields = (record: JsonRecord) =>
+  Boolean(
+    firstNonEmpty(
+      record.id,
+      record.account_id,
+      record.chatgpt_account_id,
+      record.planType,
+      record.plan_type,
+      record.chatgpt_plan_type
+    )
+  );
+
+const buildAggregatedSessionObject = (record: JsonRecord): JsonRecord | undefined => {
+  const profile = isRecord(record.profile) ? record.profile : undefined;
+  const session = isRecord(record.session) ? record.session : undefined;
+  const records = collectRecords(record);
+  const tokenCandidates = [
+    hasAccessTokenFields(record) ? record : undefined,
+    isRecord(record.token) && hasAccessTokenFields(record.token) ? record.token : undefined,
+    isRecord(record.tokens) && hasAccessTokenFields(record.tokens) ? record.tokens : undefined,
+      isRecord(record.credentials) && hasAccessTokenFields(record.credentials)
+        ? record.credentials
+        : undefined,
+      session && hasAccessTokenFields(session) ? session : undefined,
+      isRecord(session?.token) && hasAccessTokenFields(session.token) ? session.token : undefined,
+      isRecord(session?.tokens) && hasAccessTokenFields(session.tokens)
+        ? session.tokens
+        : undefined,
+    ...records.filter(hasAccessTokenFields),
+  ].filter((candidate): candidate is JsonRecord => Boolean(candidate));
+  const uniqueTokenCandidates = tokenCandidates.filter(
+    (candidate, index, list) => list.findIndex((item) => item === candidate) === index
+  );
+  const tokenValues = Array.from(
+    new Set(
+      uniqueTokenCandidates
+        .map((candidate) => firstNonEmptyString(candidate.accessToken, candidate.access_token))
+        .filter((value): value is string => typeof value === 'string')
+    )
+  );
+  if (tokenValues.length > 1) {
+    throw new AuthJsonConversionError(
+      'Multiple token candidates found in split session JSON; paste one account/session only'
+    );
+  }
+  const tokenLike = uniqueTokenCandidates[0];
+  const userLike = firstRecord(
+    resolveUserRecord(record.user),
+    resolveUserRecord(session?.user),
+    resolveUserRecord(profile?.user),
+    resolveUserRecord(profile),
+    resolveUserRecord(records.find((item) => item !== tokenLike && hasUserFields(item)))
+  );
+  const accountLike = firstRecord(
+    record.account,
+    profile?.account,
+    records.find((item) => item !== tokenLike && item !== userLike && hasAccountFields(item))
+  );
+
+  const accessToken = firstNonEmptyString(tokenLike?.accessToken, tokenLike?.access_token);
+  const hasIdentity = Boolean(userLike || accountLike || firstNonEmpty(record.email, record.name));
+  if (!accessToken || !hasIdentity) return undefined;
+
+    return stripUnavailable({
+      ...record,
+      accessToken,
+      access_token: tokenLike?.access_token,
+      expires: firstNonEmpty(session?.expires, record.expires, tokenLike?.expires),
+      expired: firstNonEmpty(session?.expired, record.expired, tokenLike?.expired),
+      expires_at: firstNonEmpty(session?.expires_at, record.expires_at, tokenLike?.expires_at),
+      sessionToken: firstNonEmptyString(
+        tokenLike?.sessionToken,
+        tokenLike?.session_token,
+        record.sessionToken,
+        record.session_token,
+        session?.sessionToken,
+        session?.session_token
+      ),
+    refreshToken: firstNonEmptyString(tokenLike?.refreshToken, tokenLike?.refresh_token),
+    idToken: firstNonEmptyString(tokenLike?.idToken, tokenLike?.id_token),
+    user: userLike,
+    account: accountLike,
+  }) as JsonRecord;
+};
+
+const collectSessionLikeObjects = (value: unknown) => {
+  const found: SessionCandidate[] = [];
+  const state = createTraversalState();
+  const getCandidateAccessToken = (record: JsonRecord) =>
+    firstNonEmptyString(
+      record.accessToken,
+      record.access_token,
+      isRecord(record.token) ? record.token.accessToken : undefined,
+      isRecord(record.token) ? record.token.access_token : undefined,
+      isRecord(record.credentials) ? record.credentials.access_token : undefined
+    );
+
+  const visit = (item: unknown, path: string, depth: number) => {
+    assertTraversalDepth(depth);
+
+    if (Array.isArray(item)) {
+      if (!markTraversalRecord(item, state)) return;
+      item.forEach((child, index) => visit(child, `${path}[${index}]`, depth + 1));
+      return;
+    }
+
+    if (!isRecord(item)) return;
+    if (!markTraversalRecord(item, state)) return;
+
+    const token = firstNonEmptyString(
+      item.accessToken,
+      item.access_token,
+      isRecord(item.token) ? item.token.accessToken : undefined,
+      isRecord(item.credentials) ? item.credentials.access_token : undefined
+    );
+    const hasUser = isRecord(item.user) || firstNonEmpty(item.email, item.name);
+    if (token && hasUser) {
+      found.push({ value: item, path });
+      return;
+    }
+
+    Object.entries(item).forEach(([key, child]) => {
+      if (key === 'accessToken' || key === 'access_token' || key === 'sessionToken') return;
+      visit(child, `${path}.${key}`, depth + 1);
+    });
+  };
+
+  visit(value, '$', 0);
+  if (isRecord(value)) {
+    const aggregated = buildAggregatedSessionObject(value);
+    if (found.length === 0) {
+      if (aggregated) found.push({ value: aggregated, path: '$' });
+    } else if (found.length === 1 && aggregated) {
+      const directToken = getCandidateAccessToken(found[0].value);
+      const aggregatedToken = getCandidateAccessToken(aggregated);
+      if (directToken && aggregatedToken && directToken === aggregatedToken) {
+        found[0] = { value: aggregated, path: '$' };
+      }
+    }
+  } else if (Array.isArray(value)) {
+    value.forEach((item, index) => {
+      if (!isRecord(item)) return;
+      const aggregated = buildAggregatedSessionObject(item);
+      if (!aggregated) return;
+
+      const arrayPath = `$[${index}]`;
+      if (found.length === 0) {
+        found.push({ value: aggregated, path: arrayPath });
+        return;
+      }
+
+      if (found.length === 1 && found[0].path.startsWith(`${arrayPath}.`)) {
+        const directToken = getCandidateAccessToken(found[0].value);
+        const aggregatedToken = getCandidateAccessToken(aggregated);
+        if (directToken && aggregatedToken && directToken === aggregatedToken) {
+          found[0] = { value: aggregated, path: arrayPath };
+          return;
+        }
+      }
+
+      found.push({ value: aggregated, path: arrayPath });
+    });
+  }
+  return found;
+};
+
+const hasCpaAuthFileShape = (record: JsonRecord) => {
+  const provider = firstNonEmptyString(record.type, record.provider)?.toLowerCase();
+  if (!provider) return false;
+
+  const providerCredentialKeys = PROVIDER_CREDENTIAL_KEYSETS[provider];
+  const topLevelCredentialRecord = {
+    access_token: record.access_token,
+    id_token: record.id_token,
+    refresh_token: record.refresh_token,
+    session_token: record.session_token,
+    api_key: record.api_key,
+    key: record.key,
+    private_key: record.private_key,
+    authorization: record.authorization,
+    bearer: record.bearer,
+    cookie: record.cookie,
+    cookies: record.cookies,
+    token: record.token,
+    accessToken: record.accessToken,
+    idToken: record.idToken,
+    refreshToken: record.refreshToken,
+    sessionToken: record.sessionToken,
+    apiKey: record.apiKey,
+    privateKey: record.privateKey,
+    secret: record.secret,
+    session_secret: record.session_secret,
+    sessionSecret: record.sessionSecret,
+    client_secret: record.client_secret,
+    clientSecret: record.clientSecret,
+    password: record.password,
+    passphrase: record.passphrase,
+  } satisfies JsonRecord;
+  const hasTopLevelKnownCredentials = Boolean(
+    firstNonEmptyString(
+      record.access_token,
+      record.id_token,
+      record.refresh_token,
+      record.session_token,
+      record.api_key,
+      record.key,
+      record.private_key,
+      record.authorization,
+      record.bearer,
+      record.cookie,
+      record.cookies,
+      record.token,
+      record.accessToken,
+      record.idToken,
+      record.refreshToken,
+      record.sessionToken,
+      record.apiKey,
+      record.privateKey
+    )
+  );
+
+  if (providerCredentialKeys) {
+    if (hasTopLevelKnownCredentials) {
+      if (hasCredentialValueForKeySet(topLevelCredentialRecord, providerCredentialKeys)) {
+        return true;
+      }
+    }
+
+    return CREDENTIAL_CONTAINER_KEYS.some((containerKey) =>
+      hasCredentialValueForKeySet(record[containerKey], providerCredentialKeys)
+    );
+  }
+
+  return (
+    hasCredentialValueForKeySet(topLevelCredentialRecord, GENERIC_CREDENTIAL_KEYS) ||
+    CREDENTIAL_CONTAINER_KEYS.some((containerKey) =>
+      hasCredentialValueForKeySet(record[containerKey], GENERIC_CREDENTIAL_KEYS)
+    )
+  );
+};
+
+const hasForbiddenInvisibleCharacter = (
+  value: unknown,
+  depth = 0,
+  state: TraversalState = createTraversalState()
+): boolean => {
+  assertTraversalDepth(depth);
+
+  if (typeof value === 'string') {
+    return Array.from(value).some((char) => {
+      const codePoint = char.codePointAt(0);
+      return codePoint !== undefined && FORBIDDEN_INVISIBLE_CODE_POINTS.has(codePoint);
+    });
+  }
+  if (Array.isArray(value)) {
+    if (!markTraversalRecord(value, state)) return false;
+    return value.some((item) => hasForbiddenInvisibleCharacter(item, depth + 1, state));
+  }
+  if (!isRecord(value)) return false;
+  if (!markTraversalRecord(value, state)) return false;
+
+  return Object.entries(value).some(([key, item]) =>
+    hasForbiddenInvisibleCharacter(key, depth + 1, state) ||
+    hasForbiddenInvisibleCharacter(item, depth + 1, state)
+  );
+};
+
+const hasUnsafeCpaIdToken = (
+  value: unknown,
+  depth = 0,
+  state: TraversalState = createTraversalState()
+): boolean => {
+  assertTraversalDepth(depth);
+
+  if (Array.isArray(value)) {
+    if (!markTraversalRecord(value, state)) return false;
+    return value.some((item) => hasUnsafeCpaIdToken(item, depth + 1, state));
+  }
+  if (!isRecord(value)) return false;
+  if (!markTraversalRecord(value, state)) return false;
+
+  return Object.entries(value).some(([key, item]) => {
+    const normalizedKey = key.toLowerCase();
+    if ((normalizedKey === 'id_token' || normalizedKey === 'idtoken') && isUnsafeIdToken(item)) {
+      return true;
+    }
+    return hasUnsafeCpaIdToken(item, depth + 1, state);
+  });
+};
+
+const convertSessionToCpaAuthJson = (record: JsonRecord, now: Date): JsonRecord => {
+  const token = isRecord(record.token) ? record.token : undefined;
+  const credentials = isRecord(record.credentials) ? record.credentials : undefined;
+  const user = isRecord(record.user) ? record.user : undefined;
+  const account = isRecord(record.account) ? record.account : undefined;
+  const profileRecord = isRecord(record.profile) ? record.profile : undefined;
+  const profileAccount = isRecord(profileRecord?.account) ? profileRecord.account : undefined;
+
+  const accessToken = firstNonEmptyString(
+    record.accessToken,
+    record.access_token,
+    token?.accessToken,
+    token?.access_token,
+    credentials?.access_token
+  );
+  if (!accessToken) throw new AuthJsonConversionError('Missing accessToken');
+
+  const sessionToken = firstNonEmptyString(
+    record.sessionToken,
+    record.session_token,
+    token?.sessionToken,
+    token?.session_token,
+    credentials?.session_token
+  );
+  const refreshToken = firstNonEmptyString(
+    record.refreshToken,
+    record.refresh_token,
+    token?.refreshToken,
+    token?.refresh_token,
+    credentials?.refresh_token
+  );
+  const inputIdToken = firstNonEmptyString(
+    record.idToken,
+    record.id_token,
+    token?.idToken,
+    token?.id_token,
+    credentials?.id_token
+  );
+
+  // Parse token payloads defensively for malformed/oversized-token safety.
+  // Explicit session expiration fields remain canonical; JWT exp is fallback only.
+  const accessTokenPayload = parseJwtPayload(accessToken);
+  parseJwtPayload(inputIdToken);
+  const expiresAt = firstNonEmpty(
+    normalizeTimestamp(record.expires),
+    normalizeTimestamp(record.expired),
+    normalizeTimestamp(record.expires_at),
+    normalizeTimestamp(accessTokenPayload?.exp)
+  );
+  const email = firstNonEmpty(
+    user?.email,
+    record.email,
+    credentials?.email
+  );
+  const accountId = firstNonEmpty(
+    account?.id,
+    account?.account_id,
+    account?.chatgpt_account_id,
+    profileAccount?.id,
+    profileAccount?.account_id,
+    profileAccount?.chatgpt_account_id,
+    record.account_id,
+    record.chatgpt_account_id,
+    credentials?.chatgpt_account_id
+  );
+  const planType = firstNonEmpty(
+    account?.planType,
+    account?.plan_type,
+    account?.chatgpt_plan_type,
+    profileAccount?.planType,
+    profileAccount?.plan_type,
+    profileAccount?.chatgpt_plan_type,
+    record.plan_type,
+    record.chatgpt_plan_type,
+    credentials?.plan_type,
+    credentials?.chatgpt_plan_type
+  );
+  const idToken =
+    isUnsafeIdToken(inputIdToken) ? undefined : firstNonEmptyString(inputIdToken);
+  const name = firstNonEmpty(email, record.name, 'ChatGPT Account');
+
+  return stripUnavailable({
+    type: 'codex',
+    account_id: accountId,
+    chatgpt_account_id: accountId,
+    email,
+    name,
+    plan_type: planType,
+    chatgpt_plan_type: planType,
+    id_token: idToken,
+    access_token: accessToken,
+    refresh_token: refreshToken,
+    session_token: sessionToken,
+    last_refresh: normalizeTimestamp(now),
+    expired: expiresAt,
+    disabled: Boolean(record.disabled) || undefined,
+  }) as JsonRecord;
+};
+
+export const convertAuthJsonInput = (
+  text: string,
+  type: AuthJsonInputType,
+  now = new Date()
+): JsonRecord => {
+  const parsed = parseJsonObject(text, type === 'session');
+  if (hasForbiddenInvisibleCharacter(parsed)) {
+    throw new AuthJsonConversionError('Auth JSON contains unsupported invisible characters');
+  }
+  if (type === 'cpa') {
+    if (hasUnsafeCpaIdToken(parsed)) {
+      throw new AuthJsonConversionError('CPA auth JSON contains unsupported id_token');
+    }
+    if (!isRecord(parsed) || !hasCpaAuthFileShape(parsed)) {
+      throw new AuthJsonConversionError('CPA auth JSON is missing required auth fields');
+    }
+    return parsed;
+  }
+
+  const sessions = collectSessionLikeObjects(parsed);
+  if (sessions.length === 0) {
+    throw new AuthJsonConversionError('No ChatGPT session object with accessToken was found');
+  }
+  if (sessions.length > 1) {
+    throw new AuthJsonConversionError(
+      'Multiple ChatGPT session objects found; paste one session only'
+    );
+  }
+
+  return convertSessionToCpaAuthJson(sessions[0].value, now);
+};
+
+export const getDefaultSessionAuthFileName = (authJson: JsonRecord) => {
+  const rawName = firstNonEmpty(
+    authJson.email,
+    authJson.name,
+    authJson.account_id,
+    'codex-account'
+  );
+  const safeName = String(rawName)
+    .replace(/\.json$/iu, '')
+    .replace(/[\\/:*?"<>|]+/g, '-')
+    .replace(/[^a-z0-9]+/gi, '-')
+    .replace(/-+/g, '-')
+    .replace(/^-+|-+$/g, '')
+    .toLowerCase()
+    .slice(0, 80);
+  const safeBaseName = WINDOWS_RESERVED_BASE_NAMES.has(safeName) ? `${safeName}-account` : safeName;
+
+  return `${safeBaseName || 'codex-account'}.codex.json`;
+};
diff --git a/src/i18n/locales/en.json b/src/i18n/locales/en.json
index 3953bbabc..b0b4a8256 100644
--- a/src/i18n/locales/en.json
+++ b/src/i18n/locales/en.json
@@ -493,6 +493,24 @@
     "title_section": "Auth Files",
     "description": "Manage all CLI Proxy JSON auth files here (e.g. Qwen, Gemini, Vertex). Uploading a credential immediately enables the corresponding AI integration.",
     "upload_button": "Upload File",
+    "paste_button": "Paste JSON",
+    "paste_title": "Paste Auth JSON",
+    "paste_type_label": "Auth JSON type",
+    "paste_type_cpa": "CPA auth JSON",
+    "paste_type_session": "Session auth JSON",
+    "paste_file_name_label": "File name",
+    "paste_json_label": "JSON content",
+    "paste_save_button": "Save Auth File",
+    "paste_cpa_placeholder": "{\n  \"type\": \"codex\",\n  \"access_token\": \"...\"\n}",
+    "paste_session_placeholder": "{\n  \"user\": { \"email\": \"...\" },\n  \"account\": { \"id\": \"...\" },\n  \"accessToken\": \"...\",\n  \"sessionToken\": \"...\"\n}",
+    "paste_cpa_hint": "The JSON will be stored as-is after validating it is a JSON object.",
+    "paste_session_hint": "ChatGPT Web session JSON is converted to a CPA Codex auth file before upload. Tokens are sensitive credentials.",
+    "paste_error_file_name": "File name is required",
+      "paste_error_file_extension": "File name must end with .json",
+      "paste_error_file_name_invalid": "Use a .json file name without path separators or reserved characters",
+      "paste_error_json_required": "JSON content is required",
+      "paste_error_save_in_progress": "Auth JSON paste save is already in progress",
+      "paste_success": "Saved auth file {{name}}",
     "delete_all_button": "Delete All",
     "empty_title": "No Auth Files",
     "empty_desc": "Click the button above to upload the first file",
diff --git a/src/i18n/locales/ru.json b/src/i18n/locales/ru.json
index a67d9a0f2..0255dea9a 100644
--- a/src/i18n/locales/ru.json
+++ b/src/i18n/locales/ru.json
@@ -492,6 +492,24 @@
     "title_section": "Файлы авторизации",
     "description": "Управляйте всеми JSON-файлами авторизации CLI Proxy (например, Qwen, Gemini, Vertex). Загрузка учётных данных сразу включает соответствующую интеграцию AI.",
     "upload_button": "Загрузить файл",
+    "paste_button": "Вставить JSON",
+    "paste_title": "Вставить JSON авторизации",
+    "paste_type_label": "Тип JSON авторизации",
+    "paste_type_cpa": "CPA auth JSON",
+    "paste_type_session": "Session auth JSON",
+    "paste_file_name_label": "Имя файла",
+    "paste_json_label": "Содержимое JSON",
+    "paste_save_button": "Сохранить файл авторизации",
+    "paste_cpa_placeholder": "{\n  \"type\": \"codex\",\n  \"access_token\": \"...\"\n}",
+    "paste_session_placeholder": "{\n  \"user\": { \"email\": \"...\" },\n  \"account\": { \"id\": \"...\" },\n  \"accessToken\": \"...\",\n  \"sessionToken\": \"...\"\n}",
+    "paste_cpa_hint": "JSON будет сохранён как есть после проверки, что это объект JSON.",
+    "paste_session_hint": "ChatGPT Web session JSON преобразуется в файл CPA Codex auth перед загрузкой. Токены являются чувствительными учётными данными.",
+    "paste_error_file_name": "Имя файла обязательно",
+      "paste_error_file_extension": "Имя файла должно заканчиваться на .json",
+      "paste_error_file_name_invalid": "Укажите имя файла .json без разделителей пути и служебных символов",
+      "paste_error_json_required": "Содержимое JSON обязательно",
+      "paste_error_save_in_progress": "Сохранение JSON авторизации уже выполняется",
+      "paste_success": "Файл авторизации {{name}} сохранён",
     "delete_all_button": "Удалить всё",
     "empty_title": "Файлы авторизации отсутствуют",
     "empty_desc": "Нажмите кнопку выше, чтобы загрузить первый файл",
diff --git a/src/i18n/locales/zh-CN.json b/src/i18n/locales/zh-CN.json
index a256d83ff..f59415484 100644
--- a/src/i18n/locales/zh-CN.json
+++ b/src/i18n/locales/zh-CN.json
@@ -493,6 +493,24 @@
     "title_section": "认证文件",
     "description": "这里集中管理 CLI Proxy 支持的所有 JSON 认证文件（如 Qwen、Gemini、Vertex 等），上传后即可在运行时启用相应的 AI 服务。",
     "upload_button": "上传文件",
+    "paste_button": "粘贴 JSON",
+    "paste_title": "粘贴认证 JSON",
+    "paste_type_label": "认证 JSON 类型",
+    "paste_type_cpa": "CPA 认证 JSON",
+    "paste_type_session": "Session 认证 JSON",
+    "paste_file_name_label": "文件名",
+    "paste_json_label": "JSON 内容",
+    "paste_save_button": "保存认证文件",
+    "paste_cpa_placeholder": "{\n  \"type\": \"codex\",\n  \"access_token\": \"...\"\n}",
+    "paste_session_placeholder": "{\n  \"user\": { \"email\": \"...\" },\n  \"account\": { \"id\": \"...\" },\n  \"accessToken\": \"...\",\n  \"sessionToken\": \"...\"\n}",
+    "paste_cpa_hint": "验证为 JSON 对象后会原样保存。",
+    "paste_session_hint": "ChatGPT Web session JSON 会先转换为 CPA Codex 认证文件再上传。Token 属于敏感登录凭证。",
+    "paste_error_file_name": "文件名不能为空",
+      "paste_error_file_extension": "文件名必须以 .json 结尾",
+      "paste_error_file_name_invalid": "请使用不包含路径分隔符或保留字符的 .json 文件名",
+      "paste_error_json_required": "JSON 内容不能为空",
+      "paste_error_save_in_progress": "认证 JSON 正在保存，请稍候",
+      "paste_success": "已保存认证文件 {{name}}",
     "delete_all_button": "删除全部",
     "empty_title": "暂无认证文件",
     "empty_desc": "点击上方按钮上传第一个文件",
diff --git a/src/i18n/locales/zh-TW.json b/src/i18n/locales/zh-TW.json
index 7d7bbd4b6..2cb84c6d7 100644
--- a/src/i18n/locales/zh-TW.json
+++ b/src/i18n/locales/zh-TW.json
@@ -492,6 +492,24 @@
     "title_section": "驗證檔案",
     "description": "這裡集中管理 CLI Proxy 支援的所有 JSON 驗證檔案（如 Qwen、Gemini、Vertex 等），上傳後即可在執行時啟用對應的 AI 服務。",
     "upload_button": "上傳檔案",
+    "paste_button": "貼上 JSON",
+    "paste_title": "貼上驗證 JSON",
+    "paste_type_label": "驗證 JSON 類型",
+    "paste_type_cpa": "CPA 驗證 JSON",
+    "paste_type_session": "Session 驗證 JSON",
+    "paste_file_name_label": "檔案名稱",
+    "paste_json_label": "JSON 內容",
+    "paste_save_button": "儲存驗證檔案",
+    "paste_cpa_placeholder": "{\n  \"type\": \"codex\",\n  \"access_token\": \"...\"\n}",
+    "paste_session_placeholder": "{\n  \"user\": { \"email\": \"...\" },\n  \"account\": { \"id\": \"...\" },\n  \"accessToken\": \"...\",\n  \"sessionToken\": \"...\"\n}",
+    "paste_cpa_hint": "驗證為 JSON 物件後會原樣儲存。",
+    "paste_session_hint": "ChatGPT Web session JSON 會先轉換為 CPA Codex 驗證檔案再上傳。Token 屬於敏感登入憑證。",
+    "paste_error_file_name": "檔案名稱不可為空",
+      "paste_error_file_extension": "檔案名稱必須以 .json 結尾",
+      "paste_error_file_name_invalid": "請使用不含路徑分隔符或保留字元的 .json 檔案名稱",
+      "paste_error_json_required": "JSON 內容不可為空",
+      "paste_error_save_in_progress": "驗證 JSON 正在儲存，請稍候",
+      "paste_success": "已儲存驗證檔案 {{name}}",
     "delete_all_button": "刪除全部",
     "empty_title": "暫無驗證檔案",
     "empty_desc": "點擊上方按鈕上傳第一個檔案",
diff --git a/src/pages/AuthFilesPage.authJsonPaste.test.tsx b/src/pages/AuthFilesPage.authJsonPaste.test.tsx
new file mode 100644
index 000000000..c24130b50
--- /dev/null
+++ b/src/pages/AuthFilesPage.authJsonPaste.test.tsx
@@ -0,0 +1,287 @@
+import { act } from 'react';
+import { create, type ReactTestRenderer } from 'react-test-renderer';
+import { beforeEach, describe, expect, it, vi } from 'vitest';
+import { Button } from '@/components/ui/Button';
+import { AuthFilesPage } from './AuthFilesPage';
+
+const { mocks } = vi.hoisted(() => {
+  return {
+    mocks: {
+      authJsonPasteSaving: false,
+      savePastedAuthJson: vi.fn(async () => 'saved.json'),
+      showNotification: vi.fn(),
+      navigate: vi.fn(),
+      lastModalProps: null as
+        | {
+            open: boolean;
+            saving: boolean;
+            onClose: () => void;
+            onSave: (type: 'session' | 'cpa', fileName: string, jsonText: string) => Promise<void>;
+          }
+        | null,
+    },
+  };
+});
+
+vi.mock('react-i18next', () => ({
+  useTranslation: () => ({
+    t: (key: string) => key,
+  }),
+}));
+
+vi.mock('react-router-dom', () => ({
+  useNavigate: () => mocks.navigate,
+}));
+
+vi.mock('motion/mini', () => ({
+  animate: () => ({ stop: () => {} }),
+}));
+
+vi.mock('@/hooks/useInterval', () => ({
+  useInterval: () => {},
+}));
+
+vi.mock('@/hooks/useHeaderRefresh', () => ({
+  useHeaderRefresh: () => {},
+}));
+
+vi.mock('@/components/common/PageTransitionLayer', () => ({
+  usePageTransitionLayer: () => ({ status: 'current' }),
+}));
+
+vi.mock('@/utils/clipboard', () => ({
+  copyToClipboard: vi.fn(async () => undefined),
+}));
+
+vi.mock('@/features/authFiles/hooks/useAuthFilesData', () => ({
+  useAuthFilesData: () => ({
+    files: [],
+    selectedFiles: new Set<string>(),
+    selectionCount: 0,
+    loading: false,
+    error: '',
+    uploading: false,
+    authJsonPasteSaving: mocks.authJsonPasteSaving,
+    deleting: false,
+    deletingAll: false,
+    statusUpdating: false,
+    batchStatusUpdating: false,
+    fileInputRef: { current: null },
+    loadFiles: vi.fn(async () => undefined),
+    handleUploadClick: vi.fn(),
+    handleFileChange: vi.fn(),
+    savePastedAuthJson: mocks.savePastedAuthJson,
+    handleDelete: vi.fn(),
+    handleDeleteAll: vi.fn(),
+    handleDownload: vi.fn(),
+    handleStatusToggle: vi.fn(),
+    toggleSelect: vi.fn(),
+    selectAllVisible: vi.fn(),
+    invertVisibleSelection: vi.fn(),
+    deselectAll: vi.fn(),
+    batchDownload: vi.fn(),
+    batchSetStatus: vi.fn(),
+    batchDelete: vi.fn(),
+  }),
+}));
+
+vi.mock('@/features/authFiles/hooks/useAuthFilesOauth', () => ({
+  useAuthFilesOauth: () => ({
+    excluded: [],
+    excludedError: '',
+    modelAlias: [],
+    modelAliasError: '',
+    allProviderModels: {},
+    loadExcluded: vi.fn(async () => undefined),
+    loadModelAlias: vi.fn(async () => undefined),
+    deleteExcluded: vi.fn(async () => undefined),
+    deleteModelAlias: vi.fn(async () => undefined),
+    handleMappingUpdate: vi.fn(async () => undefined),
+    handleDeleteLink: vi.fn(async () => undefined),
+    handleToggleFork: vi.fn(async () => undefined),
+    handleRenameAlias: vi.fn(async () => undefined),
+    handleDeleteAlias: vi.fn(async () => undefined),
+  }),
+}));
+
+vi.mock('@/features/authFiles/hooks/useAuthFilesModels', () => ({
+  useAuthFilesModels: () => ({
+    modelsModalOpen: false,
+    modelsLoading: false,
+    modelsList: [],
+    modelsFileName: '',
+    modelsFileType: '',
+    modelsError: '',
+    showModels: vi.fn(),
+    closeModelsModal: vi.fn(),
+  }),
+}));
+
+vi.mock('@/features/authFiles/hooks/useAuthFilesPrefixProxyEditor', () => ({
+  useAuthFilesPrefixProxyEditor: () => ({
+    prefixProxyEditor: null,
+    prefixProxyUpdatedText: '',
+    prefixProxyDirty: false,
+    openPrefixProxyEditor: vi.fn(),
+    closePrefixProxyEditor: vi.fn(),
+    handlePrefixProxyChange: vi.fn(),
+    handlePrefixProxySave: vi.fn(async () => undefined),
+  }),
+}));
+
+vi.mock('@/features/authFiles/hooks/useAuthFilesStatusBarCache', () => ({
+  useAuthFilesStatusBarCache: () => new Map(),
+}));
+
+vi.mock('@/features/authFiles/uiState', () => ({
+  normalizeAuthFilesSortMode: (value: string) => (value === 'default' ? 'default' : null),
+  readAuthFilesUiState: () => null,
+  readPersistedAuthFilesCompactMode: () => null,
+  writeAuthFilesUiState: vi.fn(),
+  writePersistedAuthFilesCompactMode: vi.fn(),
+}));
+
+vi.mock('@/stores', () => ({
+  useNotificationStore: (selector: (state: { showNotification: typeof mocks.showNotification }) => unknown) =>
+    selector({ showNotification: mocks.showNotification }),
+  useAuthStore: (selector: (state: { connectionStatus: 'connected' }) => unknown) =>
+    selector({ connectionStatus: 'connected' }),
+  useThemeStore: (selector: (state: { resolvedTheme: 'dark' }) => unknown) =>
+    selector({ resolvedTheme: 'dark' }),
+  useQuotaStore: (selector: (state: { codexQuota: null }) => unknown) => selector({ codexQuota: null }),
+}));
+
+vi.mock('@/features/authFiles/components/AuthFileCard', () => ({
+  AuthFileCard: () => null,
+}));
+
+vi.mock('@/features/authFiles/components/AuthFileModelsModal', () => ({
+  AuthFileModelsModal: () => null,
+}));
+
+vi.mock('@/features/authFiles/components/AuthFilesPrefixProxyEditorModal', () => ({
+  AuthFilesPrefixProxyEditorModal: () => null,
+}));
+
+vi.mock('@/features/authFiles/components/OAuthExcludedCard', () => ({
+  OAuthExcludedCard: () => null,
+}));
+
+vi.mock('@/features/authFiles/components/OAuthModelAliasCard', () => ({
+  OAuthModelAliasCard: () => null,
+}));
+
+vi.mock('@/components/ui/EmptyState', () => ({
+  EmptyState: () => null,
+}));
+
+vi.mock('@/components/ui/ToggleSwitch', () => ({
+  ToggleSwitch: () => null,
+}));
+
+vi.mock('@/features/authFiles/components/AuthJsonPasteModal', () => ({
+  AuthJsonPasteModal: (props: {
+    open: boolean;
+    saving: boolean;
+    onClose: () => void;
+    onSave: (type: 'session' | 'cpa', fileName: string, jsonText: string) => Promise<void>;
+  }) => {
+    mocks.lastModalProps = props;
+    return (
+      <div>
+        <button id="modal-close-trigger" onClick={props.onClose}>
+          close
+        </button>
+        <button
+          id="modal-save-trigger"
+          onClick={() => props.onSave('cpa', 'custom-auth.json', '{"type":"codex"}')}
+        >
+          save
+        </button>
+      </div>
+    );
+  },
+}));
+
+const findButtonByText = (renderer: ReactTestRenderer, text: string) => {
+  const button = renderer.root.findAllByType(Button).find((node) => node.props.children === text);
+  if (!button) throw new Error(`Button not found: ${text}`);
+  return button;
+};
+
+describe('AuthFilesPage auth JSON paste flow', () => {
+  beforeEach(() => {
+    mocks.authJsonPasteSaving = false;
+    mocks.savePastedAuthJson.mockClear();
+    mocks.lastModalProps = null;
+  });
+
+  it('opens the paste modal from header action and closes after successful save', async () => {
+    let renderer: ReactTestRenderer;
+    await act(async () => {
+      renderer = create(<AuthFilesPage />);
+    });
+
+    expect(mocks.lastModalProps?.open).toBe(false);
+
+    await act(async () => {
+      findButtonByText(renderer!, 'auth_files.paste_button').props.onClick();
+    });
+    expect(mocks.lastModalProps?.open).toBe(true);
+
+    await act(async () => {
+      renderer!.root.findByProps({ id: 'modal-save-trigger' }).props.onClick();
+    });
+
+    expect(mocks.savePastedAuthJson).toHaveBeenCalledWith('cpa', 'custom-auth.json', '{"type":"codex"}');
+    expect(mocks.lastModalProps?.open).toBe(false);
+
+    renderer!.unmount();
+  });
+
+  it('does not close the modal from onClose while save is in progress', async () => {
+    let renderer: ReactTestRenderer;
+    await act(async () => {
+      renderer = create(<AuthFilesPage />);
+    });
+
+    await act(async () => {
+      findButtonByText(renderer!, 'auth_files.paste_button').props.onClick();
+    });
+    expect(mocks.lastModalProps?.open).toBe(true);
+
+    mocks.authJsonPasteSaving = true;
+    await act(async () => {
+      renderer!.update(<AuthFilesPage />);
+    });
+    expect(mocks.lastModalProps?.saving).toBe(true);
+
+    await act(async () => {
+      renderer!.root.findByProps({ id: 'modal-close-trigger' }).props.onClick();
+    });
+
+    expect(mocks.lastModalProps?.open).toBe(true);
+
+    renderer!.unmount();
+  });
+
+  it('keeps the modal open when pasted save fails', async () => {
+    let renderer: ReactTestRenderer;
+    await act(async () => {
+      renderer = create(<AuthFilesPage />);
+    });
+
+    await act(async () => {
+      findButtonByText(renderer!, 'auth_files.paste_button').props.onClick();
+    });
+    expect(mocks.lastModalProps?.open).toBe(true);
+
+    mocks.savePastedAuthJson.mockRejectedValueOnce(new Error('reload failed'));
+    await expect(mocks.lastModalProps!.onSave('cpa', 'custom-auth.json', '{"type":"codex"}')).rejects.toThrow(
+      'reload failed'
+    );
+
+    expect(mocks.lastModalProps?.open).toBe(true);
+    renderer!.unmount();
+  });
+});
diff --git a/src/pages/AuthFilesPage.module.scss b/src/pages/AuthFilesPage.module.scss
index 89656a141..dadc6b3b0 100644
--- a/src/pages/AuthFilesPage.module.scss
+++ b/src/pages/AuthFilesPage.module.scss
@@ -140,7 +140,6 @@
   }
 }
 
-
 .filterAllIconWrap {
   position: relative;
   border-color: var(--color-primary-light-7);
@@ -155,7 +154,6 @@
   color: var(--primary-color);
 }
 
-
 .filterContent {
   display: flex;
   flex-direction: column;
diff --git a/src/pages/AuthFilesPage.pasteIntegration.test.tsx b/src/pages/AuthFilesPage.pasteIntegration.test.tsx
new file mode 100644
index 000000000..26a93e2db
--- /dev/null
+++ b/src/pages/AuthFilesPage.pasteIntegration.test.tsx
@@ -0,0 +1,339 @@
+import { type ReactNode } from 'react';
+import { act, create, type ReactTestRenderer } from 'react-test-renderer';
+import { beforeEach, describe, expect, it, vi } from 'vitest';
+import { Button } from '@/components/ui/Button';
+import { Select } from '@/components/ui/Select';
+import { AuthFilesPage } from './AuthFilesPage';
+
+const { mocks } = vi.hoisted(() => {
+  (globalThis as typeof globalThis & { IS_REACT_ACT_ENVIRONMENT?: boolean }).IS_REACT_ACT_ENVIRONMENT =
+    true;
+  return {
+      mocks: {
+        connectionStatus: 'connected' as 'connected' | 'disconnected',
+        list: vi.fn(),
+      saveJsonObject: vi.fn(),
+      showNotification: vi.fn(),
+      showConfirmation: vi.fn(),
+      navigate: vi.fn(),
+      loadExcluded: vi.fn(async () => undefined),
+      loadModelAlias: vi.fn(async () => undefined),
+      deleteExcluded: vi.fn(async () => undefined),
+      deleteModelAlias: vi.fn(async () => undefined),
+      handleMappingUpdate: vi.fn(async () => undefined),
+      handleDeleteLink: vi.fn(async () => undefined),
+      handleToggleFork: vi.fn(async () => undefined),
+      handleRenameAlias: vi.fn(async () => undefined),
+      handleDeleteAlias: vi.fn(async () => undefined),
+      showModels: vi.fn(),
+      closeModelsModal: vi.fn(),
+      openPrefixProxyEditor: vi.fn(),
+      closePrefixProxyEditor: vi.fn(),
+      handlePrefixProxyChange: vi.fn(),
+      handlePrefixProxySave: vi.fn(async () => undefined),
+      t: (key: string, options?: Record<string, unknown>) => {
+        if (options && typeof options.name === 'string') {
+          return `${key}:${options.name}`;
+        }
+        return key;
+      },
+    },
+  };
+});
+
+vi.mock('react-i18next', () => ({
+  useTranslation: () => ({
+    t: mocks.t,
+  }),
+}));
+
+vi.mock('react-router-dom', () => ({
+  useNavigate: () => mocks.navigate,
+}));
+
+vi.mock('motion/mini', () => ({
+  animate: () => ({ stop: () => {} }),
+}));
+
+vi.mock('@/hooks/useInterval', () => ({
+  useInterval: () => {},
+}));
+
+vi.mock('@/hooks/useHeaderRefresh', () => ({
+  useHeaderRefresh: () => {},
+}));
+
+vi.mock('@/components/common/PageTransitionLayer', () => ({
+  usePageTransitionLayer: () => ({ status: 'current' }),
+}));
+
+vi.mock('@/utils/clipboard', () => ({
+  copyToClipboard: vi.fn(async () => undefined),
+}));
+
+vi.mock('@/services/api', () => ({
+  authFilesApi: {
+    list: mocks.list,
+    saveJsonObject: mocks.saveJsonObject,
+  },
+}));
+
+vi.mock('@/stores', () => ({
+  useNotificationStore: (selector?: (state: { showNotification: typeof mocks.showNotification; showConfirmation: typeof mocks.showConfirmation }) => unknown) => {
+    const state = {
+      showNotification: mocks.showNotification,
+      showConfirmation: mocks.showConfirmation,
+    };
+    return selector ? selector(state) : state;
+  },
+    useAuthStore: (selector: (state: { connectionStatus: 'connected' | 'disconnected' }) => unknown) =>
+      selector({ connectionStatus: mocks.connectionStatus }),
+  useThemeStore: (selector: (state: { resolvedTheme: 'dark' }) => unknown) =>
+    selector({ resolvedTheme: 'dark' }),
+  useQuotaStore: (selector: (state: { codexQuota: null }) => unknown) => selector({ codexQuota: null }),
+}));
+
+vi.mock('@/features/authFiles/hooks/useAuthFilesOauth', () => ({
+  useAuthFilesOauth: () => ({
+    excluded: [],
+    excludedError: '',
+    modelAlias: [],
+    modelAliasError: '',
+    allProviderModels: {},
+    loadExcluded: mocks.loadExcluded,
+    loadModelAlias: mocks.loadModelAlias,
+    deleteExcluded: mocks.deleteExcluded,
+    deleteModelAlias: mocks.deleteModelAlias,
+    handleMappingUpdate: mocks.handleMappingUpdate,
+    handleDeleteLink: mocks.handleDeleteLink,
+    handleToggleFork: mocks.handleToggleFork,
+    handleRenameAlias: mocks.handleRenameAlias,
+    handleDeleteAlias: mocks.handleDeleteAlias,
+  }),
+}));
+
+vi.mock('@/features/authFiles/hooks/useAuthFilesModels', () => ({
+  useAuthFilesModels: () => ({
+    modelsModalOpen: false,
+    modelsLoading: false,
+    modelsList: [],
+    modelsFileName: '',
+    modelsFileType: '',
+    modelsError: '',
+    showModels: mocks.showModels,
+    closeModelsModal: mocks.closeModelsModal,
+  }),
+}));
+
+vi.mock('@/features/authFiles/hooks/useAuthFilesPrefixProxyEditor', () => ({
+  useAuthFilesPrefixProxyEditor: () => ({
+    prefixProxyEditor: null,
+    prefixProxyUpdatedText: '',
+    prefixProxyDirty: false,
+    openPrefixProxyEditor: mocks.openPrefixProxyEditor,
+    closePrefixProxyEditor: mocks.closePrefixProxyEditor,
+    handlePrefixProxyChange: mocks.handlePrefixProxyChange,
+    handlePrefixProxySave: mocks.handlePrefixProxySave,
+  }),
+}));
+
+vi.mock('@/features/authFiles/hooks/useAuthFilesStatusBarCache', () => ({
+  useAuthFilesStatusBarCache: () => new Map(),
+}));
+
+vi.mock('@/features/authFiles/uiState', () => ({
+  normalizeAuthFilesSortMode: (value: string) => (value === 'default' ? 'default' : null),
+  readAuthFilesUiState: () => null,
+  readPersistedAuthFilesCompactMode: () => null,
+  writeAuthFilesUiState: vi.fn(),
+  writePersistedAuthFilesCompactMode: vi.fn(),
+}));
+
+vi.mock('@/features/authFiles/components/AuthFileCard', () => ({
+  AuthFileCard: () => null,
+}));
+
+vi.mock('@/features/authFiles/components/AuthFileModelsModal', () => ({
+  AuthFileModelsModal: () => null,
+}));
+
+vi.mock('@/features/authFiles/components/AuthFilesPrefixProxyEditorModal', () => ({
+  AuthFilesPrefixProxyEditorModal: () => null,
+}));
+
+vi.mock('@/features/authFiles/components/OAuthExcludedCard', () => ({
+  OAuthExcludedCard: () => null,
+}));
+
+vi.mock('@/features/authFiles/components/OAuthModelAliasCard', () => ({
+  OAuthModelAliasCard: () => null,
+}));
+
+vi.mock('@/components/ui/EmptyState', () => ({
+  EmptyState: () => null,
+}));
+
+vi.mock('@/components/ui/ToggleSwitch', () => ({
+  ToggleSwitch: () => null,
+}));
+
+vi.mock('@/components/ui/Modal', () => ({
+  Modal: (props: { open: boolean; children: ReactNode; footer?: ReactNode }) => {
+    if (!props.open) return null;
+    return (
+      <div>
+        <div>{props.children}</div>
+        <div>{props.footer}</div>
+      </div>
+    );
+  },
+}));
+
+const findButtonByText = (renderer: ReactTestRenderer, text: string) => {
+  const button = renderer.root.findAllByType(Button).find((node) => node.props.children === text);
+  if (!button) throw new Error(`Button not found: ${text}`);
+  return button;
+};
+
+describe('AuthFilesPage real auth JSON paste flow', () => {
+  beforeEach(() => {
+    mocks.list.mockReset();
+    mocks.saveJsonObject.mockReset();
+      mocks.showNotification.mockReset();
+      mocks.showConfirmation.mockReset();
+      mocks.loadExcluded.mockReset();
+      mocks.loadModelAlias.mockReset();
+      mocks.connectionStatus = 'connected';
+
+    mocks.list.mockResolvedValue({ files: [] });
+    mocks.saveJsonObject.mockResolvedValue(undefined);
+    mocks.loadExcluded.mockResolvedValue(undefined);
+    mocks.loadModelAlias.mockResolvedValue(undefined);
+  });
+
+  it('submits default session paste through modal and uploads converted codex payload', async () => {
+    const sessionInput = JSON.stringify({
+      user: { email: 'Session.User+tag@example.com' },
+      account: { id: 'session-account' },
+      accessToken: 'plain-access-token',
+    });
+
+    let renderer: ReactTestRenderer;
+    act(() => {
+      renderer = create(<AuthFilesPage />);
+    });
+
+    expect(renderer!.root.findAllByProps({ id: 'auth-json-paste-content' })).toHaveLength(0);
+
+    act(() => {
+      findButtonByText(renderer!, 'auth_files.paste_button').props.onClick?.();
+    });
+
+    const textarea = renderer!.root.findByProps({ id: 'auth-json-paste-content' });
+    act(() => {
+      textarea.props.onChange({ target: { value: sessionInput } });
+    });
+
+    await act(async () => {
+      await findButtonByText(renderer!, 'auth_files.paste_save_button').props.onClick?.();
+    });
+
+    await vi.waitFor(() => {
+      expect(mocks.saveJsonObject).toHaveBeenCalledWith(
+        'session-user-tag-example-com.codex.json',
+        expect.objectContaining({
+          type: 'codex',
+          email: 'Session.User+tag@example.com',
+          account_id: 'session-account',
+          access_token: 'plain-access-token',
+        })
+      );
+    });
+    await vi.waitFor(() => {
+      expect(mocks.showNotification).toHaveBeenCalledWith(
+        'auth_files.paste_success:session-user-tag-example-com.codex.json',
+        'success'
+      );
+      expect(renderer!.root.findAllByProps({ id: 'auth-json-paste-content' })).toHaveLength(0);
+    });
+
+    await act(async () => {
+      renderer!.unmount();
+    });
+  });
+
+  it('keeps the paste modal open and does not upload invalid CPA JSON', async () => {
+    let renderer: ReactTestRenderer;
+    act(() => {
+      renderer = create(<AuthFilesPage />);
+    });
+
+    act(() => {
+      findButtonByText(renderer!, 'auth_files.paste_button').props.onClick?.();
+    });
+
+    const select = renderer!.root
+      .findAllByType(Select)
+      .find((node) => node.props.ariaLabel === 'auth_files.paste_type_label');
+    if (!select) throw new Error('Paste type select not found');
+    act(() => {
+      select.props.onChange('cpa');
+    });
+
+    const textarea = renderer!.root.findByProps({ id: 'auth-json-paste-content' });
+    act(() => {
+      textarea.props.onChange({ target: { value: '{"type":"codex"}' } });
+    });
+
+    await act(async () => {
+      await findButtonByText(renderer!, 'auth_files.paste_save_button').props.onClick?.();
+    });
+
+    expect(mocks.saveJsonObject).not.toHaveBeenCalled();
+    expect(JSON.stringify(renderer!.toJSON())).toContain(
+      'CPA auth JSON is missing required auth fields'
+    );
+    expect(renderer!.root.findAllByProps({ id: 'auth-json-paste-content' })).toHaveLength(1);
+
+    await act(async () => {
+      renderer!.unmount();
+    });
+  });
+
+  it('does not submit an open paste modal after connection is lost', async () => {
+    const sessionInput = JSON.stringify({
+      user: { email: 'Session.User+tag@example.com' },
+      account: { id: 'session-account' },
+      accessToken: 'plain-access-token',
+    });
+    let renderer: ReactTestRenderer;
+    act(() => {
+      renderer = create(<AuthFilesPage />);
+    });
+
+    act(() => {
+      findButtonByText(renderer!, 'auth_files.paste_button').props.onClick?.();
+    });
+
+    const textarea = renderer!.root.findByProps({ id: 'auth-json-paste-content' });
+    act(() => {
+      textarea.props.onChange({ target: { value: sessionInput } });
+    });
+
+    mocks.connectionStatus = 'disconnected';
+    act(() => {
+      renderer!.update(<AuthFilesPage />);
+    });
+
+    await act(async () => {
+      await findButtonByText(renderer!, 'auth_files.paste_save_button').props.onClick?.();
+    });
+
+    expect(mocks.saveJsonObject).not.toHaveBeenCalled();
+    expect(renderer!.root.findAllByProps({ id: 'auth-json-paste-content' })).toHaveLength(1);
+
+    await act(async () => {
+      renderer!.unmount();
+    });
+  });
+});
diff --git a/src/pages/AuthFilesPage.tsx b/src/pages/AuthFilesPage.tsx
index 849a37a68..c4930548d 100644
--- a/src/pages/AuthFilesPage.tsx
+++ b/src/pages/AuthFilesPage.tsx
@@ -47,6 +47,7 @@ import {
   type ResolvedTheme,
 } from '@/features/authFiles/constants';
 import { AuthFileCard } from '@/features/authFiles/components/AuthFileCard';
+import { AuthJsonPasteModal } from '@/features/authFiles/components/AuthJsonPasteModal';
 import { AuthFileModelsModal } from '@/features/authFiles/components/AuthFileModelsModal';
 import { AuthFilesPrefixProxyEditorModal } from '@/features/authFiles/components/AuthFilesPrefixProxyEditorModal';
 import { OAuthExcludedCard } from '@/features/authFiles/components/OAuthExcludedCard';
@@ -64,6 +65,7 @@ import {
   writePersistedAuthFilesCompactMode,
   type AuthFilesSortMode,
 } from '@/features/authFiles/uiState';
+import type { AuthJsonInputType } from '@/features/authFiles/sessionAuthConverter';
 import { useAuthStore, useNotificationStore, useQuotaStore, useThemeStore } from '@/stores';
 import styles from './AuthFilesPage.module.scss';
 
@@ -74,8 +76,7 @@ const BATCH_BAR_HIDDEN_TRANSFORM = 'translateX(-50%) translateY(56px)';
 const DEFAULT_REGULAR_PAGE_SIZE = 9;
 const DEFAULT_COMPACT_PAGE_SIZE = 12;
 
-const escapeWildcardSearchSegment = (value: string) =>
-  value.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+const escapeWildcardSearchSegment = (value: string) => value.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
 
 const buildWildcardSearch = (value: string): RegExp | null => {
   if (!value.includes('*')) return null;
@@ -150,10 +151,7 @@ const stringifySearchValue = (value: unknown): string[] => {
   return [];
 };
 
-const getCodexPlanLabel = (
-  planType: string | null | undefined,
-  t: TFunction
-): string | null => {
+const getCodexPlanLabel = (planType: string | null | undefined, t: TFunction): string | null => {
   const normalized = normalizePlanType(planType);
   if (!normalized) return null;
   if (normalized === 'pro') return t('codex_quota.plan_pro');
@@ -166,15 +164,10 @@ const getCodexPlanLabel = (
   return planType || normalized;
 };
 
-const getAuthFilePlanType = (
-  file: AuthFileItem,
-  quota?: CodexQuotaState
-): string | null => resolveCodexPlanType(file) ?? quota?.planType ?? null;
+const getAuthFilePlanType = (file: AuthFileItem, quota?: CodexQuotaState): string | null =>
+  resolveCodexPlanType(file) ?? quota?.planType ?? null;
 
-const getAuthFilePlanSortRank = (
-  file: AuthFileItem,
-  quota?: CodexQuotaState
-): number | null => {
+const getAuthFilePlanSortRank = (file: AuthFileItem, quota?: CodexQuotaState): number | null => {
   const normalized = normalizePlanType(getAuthFilePlanType(file, quota));
   if (!normalized) return null;
   if (normalized === 'pro') return 50;
@@ -185,11 +178,7 @@ const getAuthFilePlanSortRank = (
   return 0;
 };
 
-const getAuthFileSearchValues = (
-  file: AuthFileItem,
-  t: TFunction,
-  quota?: CodexQuotaState
-) => {
+const getAuthFileSearchValues = (file: AuthFileItem, t: TFunction, quota?: CodexQuotaState) => {
   const planType = getAuthFilePlanType(file, quota);
   const planLabel = getCodexPlanLabel(planType, t);
   const accountId = resolveCodexChatgptAccountId(file);
@@ -244,6 +233,7 @@ export function AuthFilesPage() {
   const [sortMode, setSortMode] = useState<AuthFilesSortMode>('default');
   const [batchActionBarVisible, setBatchActionBarVisible] = useState(false);
   const [uiStateHydrated, setUiStateHydrated] = useState(false);
+  const [authJsonPasteOpen, setAuthJsonPasteOpen] = useState(false);
   const floatingBatchActionsRef = useRef<HTMLDivElement>(null);
   const batchActionAnimationRef = useRef<AnimationPlaybackControlsWithThen | null>(null);
   const previousSelectionCountRef = useRef(0);
@@ -256,6 +246,7 @@ export function AuthFilesPage() {
     loading,
     error,
     uploading,
+    authJsonPasteSaving,
     deleting,
     deletingAll,
     statusUpdating,
@@ -264,6 +255,7 @@ export function AuthFilesPage() {
     loadFiles,
     handleUploadClick,
     handleFileChange,
+    savePastedAuthJson,
     handleDelete,
     handleDeleteAll,
     handleDownload,
@@ -368,11 +360,11 @@ export function AuthFilesPage() {
       const regularPageSize =
         typeof persisted.regularPageSize === 'number' && Number.isFinite(persisted.regularPageSize)
           ? clampCardPageSize(persisted.regularPageSize)
-          : legacyPageSize ?? DEFAULT_REGULAR_PAGE_SIZE;
+          : (legacyPageSize ?? DEFAULT_REGULAR_PAGE_SIZE);
       const compactPageSize =
         typeof persisted.compactPageSize === 'number' && Number.isFinite(persisted.compactPageSize)
           ? clampCardPageSize(persisted.compactPageSize)
-          : legacyPageSize ?? DEFAULT_COMPACT_PAGE_SIZE;
+          : (legacyPageSize ?? DEFAULT_COMPACT_PAGE_SIZE);
       setPageSizeByMode({
         regular: regularPageSize,
         compact: compactPageSize,
@@ -477,6 +469,14 @@ export function AuthFilesPage() {
     [loadFiles, sortMode]
   );
 
+  const handleSavePastedAuthJson = useCallback(
+    async (type: AuthJsonInputType, fileName: string, jsonText: string) => {
+      await savePastedAuthJson(type, fileName, jsonText);
+      setAuthJsonPasteOpen(false);
+    },
+    [savePastedAuthJson]
+  );
+
   const handleHeaderRefresh = useCallback(async () => {
     await Promise.all([loadFiles(), loadExcluded(), loadModelAlias()]);
   }, [loadFiles, loadExcluded, loadModelAlias]);
@@ -593,8 +593,7 @@ export function AuthFilesPage() {
         if (leftKnown || rightKnown) {
           if (!leftKnown) return 1;
           if (!rightKnown) return -1;
-          const rankDiff =
-            sortMode === 'plan-desc' ? rightRank - leftRank : leftRank - rightRank;
+          const rankDiff = sortMode === 'plan-desc' ? rightRank - leftRank : leftRank - rightRank;
           if (rankDiff !== 0) return rankDiff;
         }
 
@@ -845,6 +844,15 @@ export function AuthFilesPage() {
             <Button variant="secondary" size="sm" onClick={handleHeaderRefresh} disabled={loading}>
               {t('common.refresh')}
             </Button>
+            <Button
+              variant="secondary"
+              size="sm"
+              onClick={() => setAuthJsonPasteOpen(true)}
+              disabled={disableControls || authJsonPasteSaving}
+              loading={authJsonPasteSaving}
+            >
+              {t('auth_files.paste_button')}
+            </Button>
             <Button
               size="sm"
               onClick={handleUploadClick}
@@ -1120,6 +1128,16 @@ export function AuthFilesPage() {
         onChange={handlePrefixProxyChange}
       />
 
+      <AuthJsonPasteModal
+        open={authJsonPasteOpen}
+        saving={authJsonPasteSaving}
+        disabled={disableControls}
+        onClose={() => {
+          if (!authJsonPasteSaving) setAuthJsonPasteOpen(false);
+        }}
+        onSave={handleSavePastedAuthJson}
+      />
+
       {batchActionBarVisible && typeof document !== 'undefined'
         ? createPortal(
             <div className={styles.batchActionContainer} ref={floatingBatchActionsRef}>
diff --git a/src/services/api/authFiles.test.ts b/src/services/api/authFiles.test.ts
new file mode 100644
index 000000000..524f61449
--- /dev/null
+++ b/src/services/api/authFiles.test.ts
@@ -0,0 +1,156 @@
+import { beforeEach, describe, expect, it, vi } from 'vitest';
+
+const { mocks } = vi.hoisted(() => ({
+  mocks: {
+    postForm: vi.fn(),
+  },
+}));
+
+vi.mock('./client', () => ({
+  apiClient: {
+    postForm: mocks.postForm,
+  },
+}));
+
+import { authFilesApi } from './authFiles';
+
+beforeEach(() => {
+  mocks.postForm.mockReset();
+});
+
+describe('authFilesApi save auth file upload contracts', () => {
+  const getUploadedFile = () => {
+    const formData = mocks.postForm.mock.calls[0]?.[1];
+    expect(formData).toBeInstanceOf(FormData);
+    const file = (formData as FormData).get('file');
+    expect(file).toBeInstanceOf(File);
+    return file as File;
+  };
+
+  it('saveText resolves when upload reports one uploaded file', async () => {
+    // Arrange
+    mocks.postForm.mockResolvedValue({
+      status: 'ok',
+      uploaded: 1,
+      files: ['direct-auth.json'],
+      failed: [],
+    });
+
+    // Act / Assert
+    await expect(
+      authFilesApi.saveText('direct-auth.json', '{"type":"codex","access_token":"token"}')
+    ).resolves.toBeUndefined();
+    expect(mocks.postForm).toHaveBeenCalledWith('/auth-files', expect.any(FormData));
+    const file = getUploadedFile();
+    expect(file.name).toBe('direct-auth.json');
+    await expect(file.text()).resolves.toBe('{"type":"codex","access_token":"token"}');
+  });
+
+  it('saveJsonObject resolves when upload succeeds', async () => {
+    // Arrange
+    mocks.postForm.mockResolvedValue({
+      status: 'ok',
+      uploaded: 1,
+      files: ['converted-auth.json'],
+      failed: [],
+    });
+
+    // Act / Assert
+    await expect(
+      authFilesApi.saveJsonObject('converted-auth.json', {
+        type: 'codex',
+        access_token: 'token',
+      })
+    ).resolves.toBeUndefined();
+    expect(mocks.postForm).toHaveBeenCalledWith('/auth-files', expect.any(FormData));
+    const file = getUploadedFile();
+    expect(file.name).toBe('converted-auth.json');
+    await expect(file.text()).resolves.toBe('{"type":"codex","access_token":"token"}');
+  });
+
+  it('saveJsonObject throws Upload failed when backend reports zero uploaded files without explicit failures', async () => {
+    // Arrange
+    mocks.postForm.mockResolvedValue({
+      status: 'ok',
+      uploaded: 0,
+      files: [],
+      failed: [],
+    });
+
+    // Act / Assert
+    await expect(
+      authFilesApi.saveJsonObject('failed-converted-auth.json', {
+        type: 'codex',
+        access_token: 'token',
+      })
+    ).rejects.toThrow('Upload failed');
+  });
+
+  it('saveText throws Upload failed when backend reports zero uploaded files without explicit failures', async () => {
+    // Arrange
+    mocks.postForm.mockResolvedValue({
+      status: 'ok',
+      uploaded: 0,
+      files: [],
+      failed: [],
+    });
+
+    // Act / Assert
+    await expect(authFilesApi.saveText('failed-auth.json', '{"type":"codex"}')).rejects.toThrow(
+      'Upload failed'
+    );
+  });
+
+  it('saveJsonObject surfaces backend failure error text', async () => {
+    // Arrange
+    mocks.postForm.mockResolvedValue({
+      status: 'partial',
+      uploaded: 0,
+      files: [],
+      failed: [{ name: 'converted-auth.json', error: 'Storage quota exceeded' }],
+    });
+
+    // Act / Assert
+    await expect(
+      authFilesApi.saveJsonObject('converted-auth.json', {
+        type: 'codex',
+        access_token: 'token',
+      })
+    ).rejects.toThrow('Storage quota exceeded');
+  });
+
+  it('saveJsonObject throws when backend reports partial failure despite uploaded files', async () => {
+    // Arrange
+    mocks.postForm.mockResolvedValue({
+      status: 'partial',
+      uploaded: 1,
+      files: ['converted-auth.json'],
+      failed: [{ name: 'secondary-auth.json', error: 'Invalid auth payload' }],
+    });
+
+    // Act / Assert
+    await expect(
+      authFilesApi.saveJsonObject('converted-auth.json', {
+        type: 'codex',
+        access_token: 'token',
+      })
+      ).rejects.toThrow('Invalid auth payload');
+  });
+
+  it('saveJsonObject throws when backend reports explicit error status without upload counters', async () => {
+    // Arrange
+    mocks.postForm.mockResolvedValue({
+      status: 'error',
+      files: [],
+      failed: [],
+    });
+
+    // Act / Assert
+    await expect(
+      authFilesApi.saveJsonObject('failed-status-auth.json', {
+        type: 'codex',
+        access_token: 'token',
+      })
+    ).rejects.toThrow('Upload failed');
+  });
+});
diff --git a/src/services/api/authFiles.ts b/src/services/api/authFiles.ts
index 35ee47027..8493c824d 100644
--- a/src/services/api/authFiles.ts
+++ b/src/services/api/authFiles.ts
@@ -91,12 +91,11 @@ const normalizeBatchFailures = (value: unknown): AuthFileBatchFailure[] => {
   }, []);
 };
 
-const deriveSuccessfulFileNames = (requestedNames: string[], failed: AuthFileBatchFailure[]): string[] => {
-  const failedNames = new Set(
-    failed
-      .map((entry) => entry.name.trim())
-      .filter(Boolean)
-  );
+const deriveSuccessfulFileNames = (
+  requestedNames: string[],
+  failed: AuthFileBatchFailure[]
+): string[] => {
+  const failedNames = new Set(failed.map((entry) => entry.name.trim()).filter(Boolean));
 
   if (failedNames.size === 0) {
     return [...requestedNames];
@@ -133,7 +132,8 @@ const normalizeBatchUploadResponse = (
   }
 
   return {
-    status: typeof payload?.status === 'string' ? payload.status : failed.length > 0 ? 'partial' : 'ok',
+    status:
+      typeof payload?.status === 'string' ? payload.status : failed.length > 0 ? 'partial' : 'ok',
     uploaded,
     files: uploadedFiles,
     failed,
@@ -168,7 +168,8 @@ const normalizeBatchDeleteResponse = (
   }
 
   return {
-    status: typeof payload?.status === 'string' ? payload.status : failed.length > 0 ? 'partial' : 'ok',
+    status:
+      typeof payload?.status === 'string' ? payload.status : failed.length > 0 ? 'partial' : 'ok',
     deleted,
     files: deletedFiles,
     failed,
@@ -310,7 +311,14 @@ const parseAuthFileJsonObject = (rawText: string): Record<string, unknown> => {
 
 const saveAuthFileText = async (name: string, text: string) => {
   const file = new File([text], name, { type: 'application/json' });
-  await authFilesApi.upload(file);
+  const result = await authFilesApi.upload(file);
+  const normalizedStatus = result.status.trim().toLowerCase();
+  const hasExplicitFailureStatus =
+    normalizedStatus === 'error' || normalizedStatus === 'failed' || normalizedStatus === 'partial';
+  if (hasExplicitFailureStatus || result.failed.length > 0 || result.uploaded === 0) {
+    const failure = result.failed[0];
+    throw new Error(failure?.error || 'Upload failed');
+  }
 };
 
 export const isAuthFileInvalidJsonObjectError = (err: unknown): boolean =>
@@ -358,10 +366,7 @@ const normalizeOauthModelAlias = (payload: unknown): Record<string, OAuthModelAl
   if (!payload || typeof payload !== 'object') return {};
 
   const record = payload as Record<string, unknown>;
-  const source =
-    record['oauth-model-alias'] ??
-    record.items ??
-    payload;
+  const source = record['oauth-model-alias'] ?? record.items ?? payload;
   if (!source || typeof source !== 'object') return {};
 
   const result: Record<string, OAuthModelAliasEntry[]> = {};
@@ -373,17 +378,17 @@ const normalizeOauthModelAlias = (payload: unknown): Record<string, OAuthModelAl
     if (!key) return;
     if (!Array.isArray(mappings)) return;
 
-	    const seen = new Set<string>();
-	    const normalized = mappings
-	      .map((item) => {
-	        if (!item || typeof item !== 'object') return null;
-	        const entry = item as Record<string, unknown>;
-	        const name = String(entry.name ?? entry.id ?? entry.model ?? '').trim();
-	        const alias = String(entry.alias ?? '').trim();
-	        if (!name || !alias) return null;
-	        const fork = entry.fork === true;
-	        return fork ? { name, alias, fork } : { name, alias };
-	      })
+    const seen = new Set<string>();
+    const normalized = mappings
+      .map((item) => {
+        if (!item || typeof item !== 'object') return null;
+        const entry = item as Record<string, unknown>;
+        const name = String(entry.name ?? entry.id ?? entry.model ?? '').trim();
+        const alias = String(entry.alias ?? '').trim();
+        if (!name || !alias) return null;
+        const fork = entry.fork === true;
+        return fork ? { name, alias, fork } : { name, alias };
+      })
       .filter(Boolean)
       .filter((entry) => {
         const aliasEntry = entry as OAuthModelAliasEntry;
@@ -468,9 +473,12 @@ export const authFilesApi = {
   deleteAll: () => apiClient.delete('/auth-files', { params: { all: true } }),
 
   downloadText: async (name: string): Promise<string> => {
-    const response = await apiClient.getRaw(`/auth-files/download?name=${encodeURIComponent(name)}`, {
-      responseType: 'blob'
-    });
+    const response = await apiClient.getRaw(
+      `/auth-files/download?name=${encodeURIComponent(name)}`,
+      {
+        responseType: 'blob',
+      }
+    );
     const blob = response.data as Blob;
     return blob.text();
   },
@@ -510,8 +518,12 @@ export const authFilesApi = {
     const normalizedChannel = String(channel ?? '')
       .trim()
       .toLowerCase();
-    const normalizedAliases = normalizeOauthModelAlias({ [normalizedChannel]: aliases })[normalizedChannel] ?? [];
-    await apiClient.patch(OAUTH_MODEL_ALIAS_ENDPOINT, { channel: normalizedChannel, aliases: normalizedAliases });
+    const normalizedAliases =
+      normalizeOauthModelAlias({ [normalizedChannel]: aliases })[normalizedChannel] ?? [];
+    await apiClient.patch(OAUTH_MODEL_ALIAS_ENDPOINT, {
+      channel: normalizedChannel,
+      aliases: normalizedAliases,
+    });
   },
 
   deleteOauthModelAlias: async (channel: string) => {
@@ -520,16 +532,23 @@ export const authFilesApi = {
       .toLowerCase();
 
     try {
-      await apiClient.patch(OAUTH_MODEL_ALIAS_ENDPOINT, { channel: normalizedChannel, aliases: [] });
+      await apiClient.patch(OAUTH_MODEL_ALIAS_ENDPOINT, {
+        channel: normalizedChannel,
+        aliases: [],
+      });
     } catch (err: unknown) {
       const status = getStatusCode(err);
       if (status !== 405) throw err;
-      await apiClient.delete(`${OAUTH_MODEL_ALIAS_ENDPOINT}?channel=${encodeURIComponent(normalizedChannel)}`);
+      await apiClient.delete(
+        `${OAUTH_MODEL_ALIAS_ENDPOINT}?channel=${encodeURIComponent(normalizedChannel)}`
+      );
     }
   },
 
   // 获取认证凭证支持的模型
-  async getModelsForAuthFile(name: string): Promise<{ id: string; display_name?: string; type?: string; owned_by?: string }[]> {
+  async getModelsForAuthFile(
+    name: string
+  ): Promise<{ id: string; display_name?: string; type?: string; owned_by?: string }[]> {
     const data = await apiClient.get<Record<string, unknown>>(
       `/auth-files/models?name=${encodeURIComponent(name)}`
     );
@@ -540,8 +559,12 @@ export const authFilesApi = {
   },
 
   // 获取指定 channel 的模型定义
-  async getModelDefinitions(channel: string): Promise<{ id: string; display_name?: string; type?: string; owned_by?: string }[]> {
-    const normalizedChannel = String(channel ?? '').trim().toLowerCase();
+  async getModelDefinitions(
+    channel: string
+  ): Promise<{ id: string; display_name?: string; type?: string; owned_by?: string }[]> {
+    const normalizedChannel = String(channel ?? '')
+      .trim()
+      .toLowerCase();
     if (!normalizedChannel) return [];
     const data = await apiClient.get<Record<string, unknown>>(
       `/model-definitions/${encodeURIComponent(normalizedChannel)}`
@@ -550,5 +573,5 @@ export const authFilesApi = {
     return Array.isArray(models)
       ? (models as { id: string; display_name?: string; type?: string; owned_by?: string }[])
       : [];
-  }
+  },
 };
diff --git a/tests/repoSourceIntegrity.test.mjs b/tests/repoSourceIntegrity.test.mjs
new file mode 100644
index 000000000..bc7262b30
--- /dev/null
+++ b/tests/repoSourceIntegrity.test.mjs
@@ -0,0 +1,165 @@
+import { execFileSync } from 'node:child_process';
+import { existsSync, readFileSync } from 'node:fs';
+import path from 'node:path';
+import { fileURLToPath } from 'node:url';
+import { describe, expect, it } from 'vitest';
+
+const FORBIDDEN_INVISIBLE_CODE_POINTS = new Set([
+  0x200b,
+  0x200c,
+  0x200d,
+  0x200e,
+  0x200f,
+  0x202a,
+  0x202b,
+  0x202c,
+  0x202d,
+  0x202e,
+  0x2060,
+  0x2066,
+  0x2067,
+  0x2068,
+  0x2069,
+  0xfeff,
+]);
+
+const DEFAULT_CHANGED_FILES_BASE = 'origin/main...HEAD';
+const repoRoot = path.resolve(path.dirname(fileURLToPath(import.meta.url)), '..');
+
+const toLineColumn = (text, index) => {
+  const prior = text.slice(0, index);
+  const lines = prior.split('\n');
+  return {
+    line: lines.length,
+    column: lines[lines.length - 1].length + 1,
+  };
+};
+
+const findForbiddenUnicode = (text) => {
+  const hits = [];
+
+  for (let index = 0; index < text.length; index += 1) {
+    const codePoint = text.codePointAt(index);
+    if (codePoint === undefined) continue;
+
+    if (!FORBIDDEN_INVISIBLE_CODE_POINTS.has(codePoint)) {
+      if (codePoint > 0xffff) index += 1;
+      continue;
+    }
+
+    const char = String.fromCodePoint(codePoint);
+    const formattedCodePoint = codePoint.toString(16).toUpperCase().padStart(4, '0');
+    const { line, column } = toLineColumn(text, index);
+    hits.push({ char, codePoint: formattedCodePoint, line, column });
+
+    if (codePoint > 0xffff) index += 1;
+  }
+
+  return hits;
+};
+
+const isChangedTextPath = (relativePath) => {
+  const absolutePath = path.resolve(repoRoot, relativePath);
+  if (!existsSync(absolutePath)) return false;
+
+  try {
+    const fileBuffer = readFileSync(absolutePath);
+    return !fileBuffer.includes(0);
+  } catch {
+    return false;
+  }
+};
+
+const getChangedFilesBase = () =>
+  process.env.CPA_MANAGER_CHANGED_FILES_BASE?.trim() || DEFAULT_CHANGED_FILES_BASE;
+
+const hasGitDiffBase = (diffBase) => {
+  const refs = diffBase.split('...');
+  if (refs.length === 0 || refs.some((ref) => ref.trim() === '')) return false;
+
+  return refs.every((ref) => {
+    try {
+      execFileSync('git', ['rev-parse', '--verify', ref.trim()], {
+        cwd: repoRoot,
+        encoding: 'utf8',
+        stdio: ['ignore', 'ignore', 'ignore'],
+      });
+      return true;
+    } catch {
+      return false;
+    }
+  });
+};
+
+const listChangedTextFiles = (changedFilesOutput, diffBase = getChangedFilesBase()) => {
+  const output = changedFilesOutput ?? (() => {
+    if (!hasGitDiffBase(diffBase)) {
+      throw new Error(`Changed-file diff base is unavailable: ${diffBase}`);
+    }
+
+    return execFileSync('git', ['diff', '--name-only', diffBase], {
+      cwd: repoRoot,
+      encoding: 'utf8',
+    });
+  })();
+
+  return output
+    .split('\n')
+    .map((line) => line.trim())
+    .filter(Boolean)
+    .filter(isChangedTextPath);
+};
+
+describe('repo source integrity', () => {
+  it('uses the merge-base PR diff range for changed-file scanning', () => {
+    expect(DEFAULT_CHANGED_FILES_BASE).toBe('origin/main...HEAD');
+  });
+
+  it('detects bidi override and zero-width characters', () => {
+    const source = `safe\u202Etext and hidden\u200Bspace`;
+
+    const hits = findForbiddenUnicode(source);
+
+    expect(hits.map((hit) => hit.codePoint)).toEqual(['202E', '200B']);
+  });
+
+  it('keeps changed text files free of hidden control unicode', () => {
+    const changedTextFiles = listChangedTextFiles();
+    expect(changedTextFiles.length).toBeGreaterThan(0);
+
+    const violations = changedTextFiles.flatMap((relativePath) => {
+      const absolutePath = path.resolve(repoRoot, relativePath);
+      const fileText = readFileSync(absolutePath, 'utf8');
+      const hits = findForbiddenUnicode(fileText);
+
+      return hits.map(
+        (hit) => `${relativePath}:${hit.line}:${hit.column} contains U+${hit.codePoint} (${JSON.stringify(hit.char)})`
+      );
+    });
+
+    expect(violations).toEqual([]);
+  }, 15_000);
+
+  it('fails closed when the diff base is unavailable', () => {
+    expect(() => listChangedTextFiles(undefined, 'missing-base-ref...HEAD')).toThrow(
+      'Changed-file diff base is unavailable'
+    );
+  });
+
+  it('scans changed markdown and shell files when they are text files', () => {
+    const changedTextFiles = listChangedTextFiles([
+      'tests/repoSourceIntegrity.test.mjs',
+      'package.json',
+      'README.md',
+      'bin/release/package-native.sh',
+      'missing-file.md',
+      '',
+    ].join('\n'));
+
+    expect(changedTextFiles).toContain('tests/repoSourceIntegrity.test.mjs');
+    expect(changedTextFiles).toContain('package.json');
+    expect(changedTextFiles).toContain('README.md');
+    expect(changedTextFiles).toContain('bin/release/package-native.sh');
+    expect(changedTextFiles).not.toContain('missing-file.md');
+  });
+});
diff --git a/tsconfig.json b/tsconfig.json
index f91e30131..99d44d4f3 100644
--- a/tsconfig.json
+++ b/tsconfig.json
@@ -4,6 +4,7 @@
     "useDefineForClassFields": true,
     "lib": ["ES2020", "DOM", "DOM.Iterable"],
     "module": "ESNext",
+    "types": ["vite/client"],
     "skipLibCheck": true,
 
     /* Bundler mode */
diff --git a/tsconfig.node.json b/tsconfig.node.json
index df0785ba3..759356531 100644
--- a/tsconfig.node.json
+++ b/tsconfig.node.json
@@ -7,6 +7,9 @@
     "module": "ESNext",
     "types": ["node"],
     "skipLibCheck": true,
+    "declaration": true,
+    "emitDeclarationOnly": true,
+    "declarationDir": "./node_modules/.tmp/tsconfig.node",
 
     /* Bundler mode */
     "moduleResolution": "bundler",

From 56552a791250df0611c711c42ce72bdea66ba4f9 Mon Sep 17 00:00:00 2001
From: hoangduy0308 <hoangduyntt04@gmail.com>
Date: Wed, 13 May 2026 17:53:46 +0700
Subject: [PATCH 2/2] fix(ci): sync lockfile and allow empty diff scan

---
 package-lock.json                  | 23 +++++++++++++++++++++++
 tests/repoSourceIntegrity.test.mjs |  5 ++++-
 2 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/package-lock.json b/package-lock.json
index b4ce76eb7..20b41022d 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -449,6 +449,29 @@
         "w3c-keyname": "^2.2.4"
       }
     },
+    "node_modules/@emnapi/core": {
+      "version": "1.10.0",
+      "resolved": "https://registry.npmjs.org/@emnapi/core/-/core-1.10.0.tgz",
+      "integrity": "sha512-yq6OkJ4p82CAfPl0u9mQebQHKPJkY7WrIuk205cTYnYe+k2Z8YBh11FrbRG/H6ihirqcacOgl2BIO8oyMQLeXw==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "@emnapi/wasi-threads": "1.2.1",
+        "tslib": "^2.4.0"
+      }
+    },
+    "node_modules/@emnapi/runtime": {
+      "version": "1.10.0",
+      "resolved": "https://registry.npmjs.org/@emnapi/runtime/-/runtime-1.10.0.tgz",
+      "integrity": "sha512-ewvYlk86xUoGI0zQRNq/mC+16R1QeDlKQy21Ki3oSYXNgLb45GV1P6A0M+/s6nyCuNDqe5VpaY84BzXGwVbwFA==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "tslib": "^2.4.0"
+      }
+    },
     "node_modules/@emnapi/wasi-threads": {
       "version": "1.2.1",
       "resolved": "https://registry.npmjs.org/@emnapi/wasi-threads/-/wasi-threads-1.2.1.tgz",
diff --git a/tests/repoSourceIntegrity.test.mjs b/tests/repoSourceIntegrity.test.mjs
index bc7262b30..cbf7dd0e2 100644
--- a/tests/repoSourceIntegrity.test.mjs
+++ b/tests/repoSourceIntegrity.test.mjs
@@ -125,7 +125,6 @@ describe('repo source integrity', () => {
 
   it('keeps changed text files free of hidden control unicode', () => {
     const changedTextFiles = listChangedTextFiles();
-    expect(changedTextFiles.length).toBeGreaterThan(0);
 
     const violations = changedTextFiles.flatMap((relativePath) => {
       const absolutePath = path.resolve(repoRoot, relativePath);
@@ -140,6 +139,10 @@ describe('repo source integrity', () => {
     expect(violations).toEqual([]);
   }, 15_000);
 
+  it('allows an empty changed-file list after the PR branch is merged', () => {
+    expect(listChangedTextFiles('')).toEqual([]);
+  });
+
   it('fails closed when the diff base is unavailable', () => {
     expect(() => listChangedTextFiles(undefined, 'missing-base-ref...HEAD')).toThrow(
       'Changed-file diff base is unavailable'