The login hook restores the pinned session before running Codex. When auth.json was still a symlink to the saved snapshot and the pinned snapshot already matched, restore skipped activation and left the symlink in place. Official codex login could then write through the symlink and replace the saved admin snapshot with the newly logged-in account.

Materialize auth.json during restore before the identity-match early return so Codex writes only to the working auth file. The regression keeps the snapshot symlink case and simulates an official login writing Odin credentials after restore.

Constraint: Existing installations may still have symlinked auth.json from older versions.

Rejected: Only rely on syncExternalAuthSnapshotIfNeeded after Codex exits | the snapshot is already overwritten by then.

Confidence: high

Scope-risk: narrow

Directive: Restore-session must keep auth.json as a regular file before launching Codex.

Tested: npm test

Tested: npm test -- --test-name-pattern 'restoreSessionSnapshotIfNeeded materializes matching auth symlink'

Tested: openspec validate --specs