From 34a4ecb746846e61f0ece93020969c631cf36801 Mon Sep 17 00:00:00 2001
From: Yvette Carlisle <y@acg.box>
Date: Tue, 12 May 2026 13:52:57 +0800
Subject: [PATCH 1/2] {"schema":"decodex/commit/1","summary":"Add fixed Codex
 account selection","authority":"manual"}

---
 README.md                                     |   4 +-
 apps/decodex/src/agent/codex_accounts.rs      | 340 +++++++++++++-----
 apps/decodex/src/config.rs                    |  12 +
 apps/decodex/src/orchestrator.rs              |   2 +-
 apps/decodex/src/orchestrator/entrypoints.rs  |   4 +
 .../src/orchestrator/operator_dashboard.html  | 153 +++++++-
 .../decodex/src/orchestrator/operator_http.rs | 151 ++++++++
 apps/decodex/src/orchestrator/status.rs       |  15 +
 apps/decodex/src/orchestrator/tests.rs        |   4 +-
 .../tests/operator/status/agent_evidence.rs   |   4 +
 .../tests/operator/status/dashboard.rs        |  12 +-
 .../tests/operator/status/http.rs             |  42 +++
 .../tests/operator/status/text.rs             |  24 ++
 apps/decodex/src/orchestrator/types.rs        |   7 +
 decodex.example.toml                          |   1 +
 docs/reference/operator-control-plane.md      |   2 +-
 docs/runbook/self-dogfood-pilot.md            |   4 +-
 docs/spec/app-server.md                       |  20 +-
 18 files changed, 694 insertions(+), 107 deletions(-)

diff --git a/README.md b/README.md
index d5c399ea..53417a0b 100644
--- a/README.md
+++ b/README.md
@@ -112,7 +112,9 @@ Project contracts are managed outside checkouts under
 The redacted template for a project config lives at `decodex.example.toml`.
 When a project enables `[codex.accounts]`, the shared ChatGPT account pool is
 `~/.codex/decodex/accounts.jsonl`; it is global Decodex state, not a project-local
-file, and project configs do not own an account-pool path override.
+file, and project configs do not own an account-pool path override. Set
+`[codex.accounts].fixed_account` to pin runs to one account; the operator dashboard can
+write the same project config field from the Accounts UI.
 
 `decodex diagnose --json` writes the local agent evidence index under
 `~/.codex/decodex/agent-evidence/<service-id>/` and prints the same handoff index for
diff --git a/apps/decodex/src/agent/codex_accounts.rs b/apps/decodex/src/agent/codex_accounts.rs
index 05b95b7c..55d9d9f4 100644
--- a/apps/decodex/src/agent/codex_accounts.rs
+++ b/apps/decodex/src/agent/codex_accounts.rs
@@ -37,22 +37,25 @@ pub(crate) struct CodexAccountPool {
 	path: PathBuf,
 	usage_endpoint: String,
 	refresh_endpoint: String,
+	fixed_account: Option<String>,
 	client: Client,
 	selected_account_id: Mutex<Option<String>>,
 }
 impl CodexAccountPool {
 	pub(crate) fn from_config(config: &ProjectCodexAccountsConfig) -> crate::prelude::Result<Self> {
-		Self::new(
+		Self::new_with_fixed_account(
 			runtime::accounts_path()?,
 			config.usage_endpoint().unwrap_or(DEFAULT_USAGE_ENDPOINT),
 			config.refresh_endpoint().unwrap_or(DEFAULT_REFRESH_ENDPOINT),
+			config.fixed_account(),
 		)
 	}
 
-	pub(crate) fn new(
+	fn new_with_fixed_account(
 		path: impl AsRef<Path>,
 		usage_endpoint: impl Into<String>,
 		refresh_endpoint: impl Into<String>,
+		fixed_account: Option<&str>,
 	) -> crate::prelude::Result<Self> {
 		let client = Client::builder().timeout(HTTP_TIMEOUT).build()?;
 
@@ -60,6 +63,10 @@ impl CodexAccountPool {
 			path: path.as_ref().to_path_buf(),
 			usage_endpoint: usage_endpoint.into(),
 			refresh_endpoint: refresh_endpoint.into(),
+			fixed_account: fixed_account
+				.map(str::trim)
+				.filter(|selector| !selector.is_empty())
+				.map(str::to_owned),
 			client,
 			selected_account_id: Mutex::new(None),
 		})
@@ -111,80 +118,24 @@ impl CodexAccountPool {
 		&self,
 		records: &mut [AccountPoolRecord],
 	) -> crate::prelude::Result<CodexAccountLogin> {
+		if let Some(selector) = self.fixed_account.as_deref() {
+			return self.select_fixed_from_records(records, selector);
+		}
+
 		let now = OffsetDateTime::now_utc().unix_timestamp();
 		let mut candidates = Vec::new();
 		let mut skipped = Vec::new();
 		let mut records_changed = false;
 
 		for (index, record) in records.iter_mut().enumerate() {
-			if record.disabled {
-				skipped.push(format!("line {} disabled", index + 1));
-
-				continue;
-			}
-			if record.cooldown_until_unix_epoch.is_some_and(|cooldown| cooldown > now) {
-				skipped.push(format!("line {} cooling down", index + 1));
-
-				continue;
-			}
-			if record.account_id().is_none() {
-				skipped.push(format!("line {} missing account id", index + 1));
-
-				continue;
-			}
-			if record.access_token().is_none() {
-				skipped.push(format!("line {} missing access token", index + 1));
-
-				continue;
-			}
-
-			let refresh_status = match self.proactive_refresh_record(record, now) {
-				Ok(status) => {
-					if status == RefreshStatus::Succeeded {
-						records_changed = true;
-					}
-
-					status.as_str()
-				},
-				Err(error) if error.requires_skip => {
-					skipped.push(format!(
-						"{} proactive refresh failed: {}",
-						record.display_name(),
-						error.source
-					));
-
-					continue;
-				},
-				Err(error) => {
-					skipped.push(format!(
-						"{} proactive refresh failed; probing existing token: {}",
-						record.display_name(),
-						error.source
-					));
-
-					RefreshStatus::Failed.as_str()
-				},
-			};
-
-			match self.probe_record_usage(record) {
-				Ok(usage) => candidates.push(record.login_from_usage(usage, refresh_status)?),
-				Err(error) if error.unauthorized && record.refresh_token().is_some() => {
-					self.refresh_record(record)?;
-
-					records_changed = true;
-
-					let usage = self.probe_record_usage(record).map_err(|retry_error| {
-						eyre::eyre!(
-							"Codex account `{}` refreshed but usage probe still failed: {retry_error}",
-							record.display_name()
-						)
-					})?;
-
-					candidates.push(record.login_from_usage(usage, "succeeded")?);
-				},
-				Err(error) => {
-					skipped.push(format!("{} usage probe failed: {error}", record.display_name()));
-				},
+			match self.account_candidate_from_record(
+				record,
+				index + 1,
+				now,
+				&mut records_changed,
+			)? {
+				Ok(candidate) => candidates.push(candidate),
+				Err(reason) => skipped.push(reason),
 			}
 		}
 
@@ -224,6 +175,103 @@ impl CodexAccountPool {
 		Ok(selected)
 	}
 
+	fn select_fixed_from_records(
+		&self,
+		records: &mut [AccountPoolRecord],
+		selector: &str,
+	) -> crate::prelude::Result<CodexAccountLogin> {
+		let record_index = self.fixed_record_index(records, selector)?;
+		let now = OffsetDateTime::now_utc().unix_timestamp();
+		let mut records_changed = false;
+		let mut selected = match self.account_candidate_from_record(
+			&mut records[record_index],
+			record_index + 1,
+			now,
+			&mut records_changed,
+		)? {
+			Ok(candidate) => candidate,
+			Err(reason) => {
+				eyre::bail!(
+					"Configured Codex fixed account `{selector}` from `{}` is not usable: {reason}",
+					self.path.display()
+				);
+			},
+		};
+
+		selected.mark_selected(now);
+		records[record_index].last_selected_at_unix_epoch = Some(now);
+		records_changed = true;
+
+		let account_summaries = account_summaries(&selected, &[]);
+		let selected = selected.with_account_summaries(account_summaries);
+
+		if records_changed {
+			self.save_records(records)?;
+		}
+
+		self.remember_selected_account(&selected.account_id)?;
+
+		Ok(selected)
+	}
+
+	fn account_candidate_from_record(
+		&self,
+		record: &mut AccountPoolRecord,
+		line_number: usize,
+		now: i64,
+		records_changed: &mut bool,
+	) -> crate::prelude::Result<std::result::Result<CodexAccountLogin, String>> {
+		if record.disabled {
+			return Ok(Err(format!("line {line_number} disabled")));
+		}
+		if record.cooldown_until_unix_epoch.is_some_and(|cooldown| cooldown > now) {
+			return Ok(Err(format!("line {line_number} cooling down")));
+		}
+		if record.account_id().is_none() {
+			return Ok(Err(format!("line {line_number} missing account id")));
+		}
+		if record.access_token().is_none() {
+			return Ok(Err(format!("line {line_number} missing access token")));
+		}
+
+		let refresh_status = match self.proactive_refresh_record(record, now) {
+			Ok(status) => {
+				if status == RefreshStatus::Succeeded {
+					*records_changed = true;
+				}
+
+				status.as_str()
+			},
+			Err(error) if error.requires_skip => {
+				return Ok(Err(format!(
+					"{} proactive refresh failed: {}",
+					record.display_name(),
+					error.source
+				)));
+			},
+			Err(_error) => RefreshStatus::Failed.as_str(),
+		};
+
+		match self.probe_record_usage(record) {
+			Ok(usage) => Ok(Ok(record.login_from_usage(usage, refresh_status)?)),
+			Err(error) if error.unauthorized && record.refresh_token().is_some() => {
+				self.refresh_record(record)?;
+
+				*records_changed = true;
+
+				let usage = self.probe_record_usage(record).map_err(|retry_error| {
+					eyre::eyre!(
+						"Codex account `{}` refreshed but usage probe still failed: {retry_error}",
+						record.display_name()
+					)
+				})?;
+
+				Ok(Ok(record.login_from_usage(usage, "succeeded")?))
+			},
+			Err(error) => Ok(Err(format!("{} usage probe failed: {error}", record.display_name()))),
+		}
+	}
+
 	fn probe_account_activity_summaries(
 		&self,
 		records: &mut [AccountPoolRecord],
@@ -342,16 +390,23 @@ impl CodexAccountPool {
 		records: &mut [AccountPoolRecord],
 		previous_account_id: Option<&str>,
 	) -> crate::prelude::Result<CodexAccountLogin> {
-		let selected_account_id = self.selected_account_id()?;
-		let target_account_id = previous_account_id.or(selected_account_id.as_deref());
-		let Some(record_index) = records.iter().position(|record| {
-			target_account_id.is_none_or(|target| record.account_id() == Some(target))
-		}) else {
-			eyre::bail!(
-				"Codex account refresh requested an account that is not in the configured accounts."
-			);
+		let record_index = if let Some(selector) = self.fixed_account.as_deref() {
+			self.fixed_record_index(records, selector)?
+		} else {
+			let selected_account_id = self.selected_account_id()?;
+			let target_account_id = previous_account_id.or(selected_account_id.as_deref());
+
+			records
+				.iter()
+				.position(|record| {
+					target_account_id.is_none_or(|target| record.account_id() == Some(target))
+				})
+				.ok_or_else(|| {
+					eyre::eyre!(
+						"Codex account refresh requested an account that is not in the configured accounts."
+					)
+				})?
 		};
-
 		self.refresh_record(&mut records[record_index])?;
 
 		let usage = self.probe_record_usage(&records[record_index])?;
@@ -371,6 +426,32 @@ impl CodexAccountPool {
 		Ok(selected)
 	}
 
+	fn fixed_record_index(
+		&self,
+		records: &[AccountPoolRecord],
+		selector: &str,
+	) -> crate::prelude::Result<usize> {
+		let matches = records
+			.iter()
+			.enumerate()
+			.filter_map(|(index, record)| {
+				record.matches_account_selector(selector).then_some(index)
+			})
+			.collect::<Vec<_>>();
+
+		match matches.as_slice() {
+			[] => eyre::bail!(
+				"Configured Codex fixed account `{selector}` does not match any account in `{}`.",
+				self.path.display()
+			),
+			[index] => Ok(*index),
+			_ => eyre::bail!(
+				"Configured Codex fixed account `{selector}` matched multiple accounts in `{}`.",
+				self.path.display()
+			),
+		}
+	}
+
 	fn probe_record_usage(
 		&self,
 		record: &AccountPoolRecord,
@@ -631,6 +712,14 @@ impl AccountPoolRecord {
 			.unwrap_or_else(|| String::from("unnamed account"))
 	}
 
+	fn matches_account_selector(&self, selector: &str) -> bool {
+		let selector = selector.trim();
+
+		self.email().as_deref() == Some(selector)
+			|| self.account_id() == Some(selector)
+			|| self.account_id().map(redact_account_id).as_deref() == Some(selector)
+	}
+
 	fn access_token(&self) -> Option<&str> {
 		self.tokens
 			.as_ref()
@@ -1157,9 +1246,19 @@ const fn is_false(value: &bool) -> bool {
 
 #[cfg(test)]
 mod tests {
+	use std::{
+		fs,
+		io::{Read, Write},
+		net::TcpListener,
+		thread,
+	};
+
+	use tempfile::TempDir;
+
 	use crate::agent::codex_accounts::{
-		self, AccountPoolRecord, CodexAccountActivitySummary, CodexAccountLogin, CodexTokenData,
-		CreditsSnapshot, Path, ProactiveRefreshReason, UsageWindow, compare_account_candidates,
+		self, AccountPoolRecord, CodexAccountActivitySummary, CodexAccountLogin, CodexAccountPool,
+		CodexAccountProvider, CodexTokenData, CreditsSnapshot, DEFAULT_REFRESH_ENDPOINT, Path,
+		ProactiveRefreshReason, UsageWindow, compare_account_candidates,
 	};
 
 	#[test]
@@ -1179,6 +1278,62 @@ mod tests {
 		assert_eq!(records[1].email().as_deref(), Some("wrapped@example.com"));
 	}
 
+	#[test]
+	fn account_selector_matches_email_full_id_and_fingerprint() {
+		let record = AccountPoolRecord {
+			email: Some(String::from("selected@example.com")),
+			disabled: false,
+			cooldown_until_unix_epoch: None,
+			cooldown_until: None,
+			last_selected_at_unix_epoch: None,
+			auth_mode: Some(String::from("chatgpt")),
+			openai_api_key: None,
+			tokens: Some(CodexTokenData {
+				email: None,
+				id_token: None,
+				access_token: String::from("access"),
+				refresh_token: String::from("refresh"),
+				account_id: Some(String::from("acct_fixed_123456")),
+			}),
+			last_refresh: None,
+		};
+
+		assert!(record.matches_account_selector("selected@example.com"));
+		assert!(record.matches_account_selector("acct_fixed_123456"));
+		assert!(record.matches_account_selector("...123456"));
+		assert!(!record.matches_account_selector("other@example.com"));
+	}
+
+	#[test]
+	fn fixed_account_selection_uses_configured_account_without_balancing() {
+		let temp_dir = TempDir::new().expect("temp dir should exist");
+		let accounts_path = temp_dir.path().join("accounts.jsonl");
+		let usage_endpoint = start_codex_usage_fixture_server(vec![
+			r#"{"plan_type":"plus","rate_limit":{"primary_window":{"used_percent":85},"secondary_window":{"used_percent":90}}}"#,
+		]);
+
+		fs::write(
+			&accounts_path,
+			r#"{"email":"default@example.com","auth_mode":"chatgpt","tokens":{"access_token":"access-default","refresh_token":"refresh-default","account_id":"acct_default"}}
+{"email":"copy@example.com","auth_mode":"chatgpt","tokens":{"access_token":"access-copy","refresh_token":"refresh-copy","account_id":"acct_copy"}}
+"#,
+		)
+		.expect("accounts fixture should write");
+
+		let pool = CodexAccountPool::new_with_fixed_account(
+			&accounts_path,
+			usage_endpoint,
+			DEFAULT_REFRESH_ENDPOINT,
+			Some("copy@example.com"),
+		)
+		.expect("account pool should initialize");
+		let account = pool.select_account().expect("fixed account should select");
+
+		assert_eq!(account.account_id(), "acct_copy");
+		assert_eq!(account.summary().email.as_deref(), Some("copy@example.com"));
+		assert_eq!(account.account_summaries().len(), 1);
+	}
+
 	#[test]
 	fn usage_summary_parses_codex_rate_limit_payload() {
 		let payload = serde_json::json!({
@@ -1470,4 +1625,27 @@ mod tests {
 
 		assert_eq!(candidates[0].account_id(), "acct_b");
 	}
+
+	fn start_codex_usage_fixture_server(responses: Vec<&'static str>) -> String {
+		let listener = TcpListener::bind("127.0.0.1:0").expect("usage fixture server should bind");
+		let address = listener.local_addr().expect("usage fixture address should resolve");
+
+		thread::spawn(move || {
+			for body in responses {
+				let (mut stream, _peer) =
+					listener.accept().expect("usage fixture should accept request");
+				let mut buffer = [0_u8; 4096];
+				let _bytes_read = stream.read(&mut buffer).expect("request should read");
+				let response = format!(
+					"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\nContent-Length: {}\r\nConnection: close\r\n\r\n{}",
+					body.len(),
+					body
+				);
+
+				stream.write_all(response.as_bytes()).expect("usage response should write");
+			}
+		});
+
+		format!("http://{address}/usage")
+	}
 }
diff --git a/apps/decodex/src/config.rs b/apps/decodex/src/config.rs
index c0f0b6f6..c7364762 100644
--- a/apps/decodex/src/config.rs
+++ b/apps/decodex/src/config.rs
@@ -215,6 +215,7 @@ impl Default for ProjectCodexConfig {
 pub struct ProjectCodexAccountsConfig {
 	usage_endpoint: Option<String>,
 	refresh_endpoint: Option<String>,
+	fixed_account: Option<String>,
 }
 impl ProjectCodexAccountsConfig {
 	/// Override for ChatGPT usage probes. Defaults to the Codex `/wham/usage` endpoint.
@@ -227,6 +228,11 @@ impl ProjectCodexAccountsConfig {
 		self.refresh_endpoint.as_deref()
 	}
 
+	/// Fixed account selector for runs. Matches an account email, id, or displayed fingerprint.
+	pub fn fixed_account(&self) -> Option<&str> {
+		self.fixed_account.as_deref()
+	}
+
 	fn validate(&self) -> Result<()> {
 		validate_optional_nonempty_string(
 			"codex.accounts.usage_endpoint",
@@ -236,6 +242,10 @@ impl ProjectCodexAccountsConfig {
 			"codex.accounts.refresh_endpoint",
 			self.refresh_endpoint.as_deref(),
 		)?;
+		validate_optional_nonempty_string(
+			"codex.accounts.fixed_account",
+			self.fixed_account.as_deref(),
+		)?;
 
 		Ok(())
 	}
@@ -1089,6 +1099,7 @@ mod tests {
 					[codex.accounts]
 					usage_endpoint = "http://127.0.0.1:1234/wham/usage"
 					refresh_endpoint = "http://127.0.0.1:1234/oauth/token"
+					fixed_account = "primary@example.com"
 				"#,
 		);
 		let config = ServiceConfig::from_path(&config_path).expect("accounts should parse");
@@ -1096,6 +1107,7 @@ mod tests {
 
 		assert_eq!(accounts.usage_endpoint(), Some("http://127.0.0.1:1234/wham/usage"));
 		assert_eq!(accounts.refresh_endpoint(), Some("http://127.0.0.1:1234/oauth/token"));
+		assert_eq!(accounts.fixed_account(), Some("primary@example.com"));
 	}
 
 	#[test]
diff --git a/apps/decodex/src/orchestrator.rs b/apps/decodex/src/orchestrator.rs
index 893ac5f5..df3db304 100644
--- a/apps/decodex/src/orchestrator.rs
+++ b/apps/decodex/src/orchestrator.rs
@@ -27,7 +27,7 @@ use time::{OffsetDateTime, format_description::well_known::Rfc3339};
 
 use crate::{agent, default_branch_sync, git_credentials, state};
 #[rustfmt::skip]
-use crate::{agent::{ACTIVE_RUN_IDLE_TIMEOUT, AppServerCapabilityPreflightFailure, AppServerDynamicToolFailure, AppServerHomePreflightFailure, AppServerProcessEnv, AppServerRunRequest, AppServerRunResult, AppServerTransportFailure, AppServerTurnFailure, ISSUE_DELIVERY_CLOSEOUT_COMPLETE_TOOL_NAME, ISSUE_LABEL_ADD_TOOL_NAME, ISSUE_PROGRESS_CHECKPOINT_TOOL_NAME, ISSUE_REVIEW_CHECKPOINT_TOOL_NAME, ISSUE_REVIEW_HANDOFF_TOOL_NAME, ISSUE_REVIEW_REPAIR_COMPLETE_TOOL_NAME, ISSUE_TERMINAL_FINALIZE_TOOL_NAME, ISSUE_TRANSITION_TOOL_NAME, DecodexRunContext, DecodexToolBridge, ReviewExecutionMode, ReviewHandoffContext, ReviewHandoffWritebackFailed, ReviewPolicyStopReason, ReviewPolicyStopRequested, RunCompletionDisposition, TrackerToolBridge, TurnContinuationGuard}, config::{InternalReviewMode, ServiceConfig}, git_credentials::GitCredentialSource, github, prelude::{Result, eyre}, state::{ChildAgentActivityBucket, ChildAgentActivitySummary, CodexAccountActivitySummary, ProjectRegistration, ProjectRunStatus, ProtocolActivitySummary, RUN_OPERATION_AGENT_RUN, RUN_OPERATION_APP_SERVER_PREFLIGHT, RUN_OPERATION_GIT_CREDENTIALS, RUN_OPERATION_IDLE, RUN_OPERATION_RECONCILIATION, RUN_OPERATION_REPO_GATE, RUN_OPERATION_REVIEW_WRITEBACK, RUN_OPERATION_WAITING_EXTERNAL, ReviewHandoffMarker, ReviewOrchestrationMarker, RunActivityMarker, RunAttempt, StateStore, WorktreeMapping}, tracker::{IssueTracker, TrackerComment, TrackerIssue, linear::LinearClient, records}, workflow::{WorkflowDocument, WorkflowExecution}, worktree::{WorktreeManager, WorktreeSpec}};
+use crate::{agent::{ACTIVE_RUN_IDLE_TIMEOUT, AppServerCapabilityPreflightFailure, AppServerDynamicToolFailure, AppServerHomePreflightFailure, AppServerProcessEnv, AppServerRunRequest, AppServerRunResult, AppServerTransportFailure, AppServerTurnFailure, ISSUE_DELIVERY_CLOSEOUT_COMPLETE_TOOL_NAME, ISSUE_LABEL_ADD_TOOL_NAME, ISSUE_PROGRESS_CHECKPOINT_TOOL_NAME, ISSUE_REVIEW_CHECKPOINT_TOOL_NAME, ISSUE_REVIEW_HANDOFF_TOOL_NAME, ISSUE_REVIEW_REPAIR_COMPLETE_TOOL_NAME, ISSUE_TERMINAL_FINALIZE_TOOL_NAME, ISSUE_TRANSITION_TOOL_NAME, DecodexRunContext, DecodexToolBridge, ReviewExecutionMode, ReviewHandoffContext, ReviewHandoffWritebackFailed, ReviewPolicyStopReason, ReviewPolicyStopRequested, RunCompletionDisposition, TrackerToolBridge, TurnContinuationGuard}, config::{InternalReviewMode, ProjectCodexAccountsConfig, ServiceConfig}, git_credentials::GitCredentialSource, github, prelude::{Result, eyre}, state::{ChildAgentActivityBucket, ChildAgentActivitySummary, CodexAccountActivitySummary, ProjectRegistration, ProjectRunStatus, ProtocolActivitySummary, RUN_OPERATION_AGENT_RUN, RUN_OPERATION_APP_SERVER_PREFLIGHT, RUN_OPERATION_GIT_CREDENTIALS, RUN_OPERATION_IDLE, RUN_OPERATION_RECONCILIATION, RUN_OPERATION_REPO_GATE, RUN_OPERATION_REVIEW_WRITEBACK, RUN_OPERATION_WAITING_EXTERNAL, ReviewHandoffMarker, ReviewOrchestrationMarker, RunActivityMarker, RunAttempt, StateStore, WorktreeMapping}, tracker::{IssueTracker, TrackerComment, TrackerIssue, linear::LinearClient, records}, workflow::{WorkflowDocument, WorkflowExecution}, worktree::{WorktreeManager, WorktreeSpec}};
 
 include!("orchestrator/types.rs");
 
diff --git a/apps/decodex/src/orchestrator/entrypoints.rs b/apps/decodex/src/orchestrator/entrypoints.rs
index b1dc7856..5ad84c81 100644
--- a/apps/decodex/src/orchestrator/entrypoints.rs
+++ b/apps/decodex/src/orchestrator/entrypoints.rs
@@ -696,6 +696,10 @@ fn empty_control_plane_snapshot(limit: usize) -> OperatorStatusSnapshot {
 		warnings: Vec::new(),
 		connector_backoffs: Vec::new(),
 		projects: Vec::new(),
+		account_control: OperatorCodexAccountControlStatus {
+			mode: String::from("balanced"),
+			account_selector: None,
+		},
 		accounts: Vec::new(),
 		active_runs: Vec::new(),
 		recent_runs: Vec::new(),
diff --git a/apps/decodex/src/orchestrator/operator_dashboard.html b/apps/decodex/src/orchestrator/operator_dashboard.html
index 3e06191f..d00b6975 100644
--- a/apps/decodex/src/orchestrator/operator_dashboard.html
+++ b/apps/decodex/src/orchestrator/operator_dashboard.html
@@ -1961,15 +1961,21 @@
 				--account-accent: var(--success);
 			}
 
+			.account-row.is-fixed {
+				--account-accent: var(--success);
+			}
+
 			.account-row.is-ready {
 				--account-accent: var(--success);
 			}
 
-			.account-row.is-selected::before {
+			.account-row.is-selected::before,
+			.account-row.is-fixed::before {
 				box-shadow: 0 0 10px color-mix(in srgb, var(--account-accent) 22%, transparent);
 			}
 
-			.account-row.is-selected::after {
+			.account-row.is-selected::after,
+			.account-row.is-fixed::after {
 				opacity: 0.45;
 				transform: scaleX(1);
 			}
@@ -2065,6 +2071,48 @@
 				outline-offset: 2px;
 			}
 
+			.account-select-button {
+				display: inline-flex;
+				align-items: center;
+				justify-content: center;
+				flex: 0 0 auto;
+				width: 18px;
+				height: 18px;
+				padding: 0;
+				border: 1px solid color-mix(in srgb, var(--line-strong) 70%, transparent);
+				border-radius: 999px;
+				background: color-mix(in srgb, var(--surface-muted) 74%, transparent);
+				color: var(--muted);
+				cursor: pointer;
+				transition:
+					background-color var(--fast) var(--ease),
+					border-color var(--fast) var(--ease),
+					color var(--fast) var(--ease),
+					transform var(--fast) var(--ease);
+			}
+
+			.account-select-button svg {
+				display: block;
+				width: 12px;
+				height: 12px;
+				stroke-width: 2.2;
+			}
+
+			.account-select-button:hover,
+			.account-select-button.is-fixed {
+				border-color: color-mix(in srgb, var(--success) 58%, var(--line-strong));
+				color: var(--success);
+			}
+
+			.account-select-button:hover {
+				transform: translateY(-1px);
+			}
+
+			.account-select-button:focus-visible {
+				outline: 2px solid var(--info);
+				outline-offset: 2px;
+			}
+
 			.account-row-plan {
 				grid-area: plan;
 				justify-self: center;
@@ -5523,8 +5571,12 @@ <h2 id="recent-title">Run History</h2>
 				return [selected, ...accounts];
 			}
 
+				function codexAccountFingerprint(account) {
+					return String(account?.account_fingerprint || "").trim();
+				}
+
 				function codexAccountIdentity(account) {
-					const fingerprint = account?.account_fingerprint || "";
+					const fingerprint = codexAccountFingerprint(account);
 					if (fingerprint) {
 						return fingerprint;
 					}
@@ -5532,6 +5584,39 @@ <h2 id="recent-title">Run History</h2>
 					return account?.plan_type || "";
 				}
 
+				function codexAccountControlProjectId(snapshot) {
+					const snapshotProjectId = String(snapshot?.project_id || "").trim();
+					if (snapshotProjectId && snapshotProjectId !== "all") {
+						return snapshotProjectId;
+					}
+
+					const projects = Array.isArray(snapshot?.projects)
+						? snapshot.projects.filter((project) => project?.project_id)
+						: [];
+
+					return projects.length === 1 ? String(projects[0].project_id) : "";
+				}
+
+				function codexAccountControlSelector(account) {
+					return codexAccountEmail(account) || codexAccountFingerprint(account);
+				}
+
+				function codexAccountConfiguredSelector(snapshot) {
+					return String(snapshot?.account_control?.account_selector || "").trim();
+				}
+
+				function codexAccountMatchesConfiguredSelector(account, snapshot) {
+					const selector = codexAccountConfiguredSelector(snapshot);
+					if (!selector) {
+						return false;
+					}
+
+					return (
+						selector === codexAccountEmail(account) ||
+						selector === codexAccountFingerprint(account)
+					);
+				}
+
 				function codexAccountEmail(account) {
 					return String(account?.account_email || account?.email || "").trim();
 				}
@@ -5639,6 +5724,33 @@ <h2 id="recent-title">Run History</h2>
 					`;
 				}
 
+				function renderCodexAccountSelectButton(account, snapshot) {
+					const projectId = codexAccountControlProjectId(snapshot);
+					const selector = codexAccountControlSelector(account);
+					if (!projectId || !selector) {
+						return "";
+					}
+
+					const fixed = codexAccountMatchesConfiguredSelector(account, snapshot);
+					const action = fixed ? "clearAccountSelection" : "selectAccount";
+					const title = fixed
+						? "Return this project to balanced account selection"
+						: "Use this account for new runs";
+					const fixedClass = fixed ? " is-fixed" : "";
+
+					return `
+						<button class="account-select-button${fixedClass}" type="button" data-account-select="${escapeHtml(action)}" data-project-id="${escapeHtml(projectId)}" data-account-selector="${escapeHtml(selector)}" aria-label="${escapeHtml(title)}" title="${escapeHtml(title)}">
+							<svg aria-hidden="true" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-linecap="round" stroke-linejoin="round">
+								${
+									fixed
+										? '<path d="M6 18 18 6"></path><path d="m6 6 12 12"></path>'
+										: '<path d="M20 6 9 17l-5-5"></path>'
+								}
+							</svg>
+						</button>
+					`;
+				}
+
 				function codexAccountDisplayName(account) {
 					const email = codexAccountEmail(account);
 					return codexAccountShowsEmail(account) ? email : codexAccountRandomName(account);
@@ -6010,12 +6122,15 @@ <h2 id="recent-title">Run History</h2>
 					`;
 				}
 
-				function renderCodexAccountPoolRow(account) {
+				function renderCodexAccountPoolRow(account, snapshot) {
 					const displayTitle = codexAccountDisplayTitle(account);
 					const visibleName = codexAccountVisibleName(account);
 					const plan = codexAccountPlanLabel(account);
 					const statusTone = codexAccountStatusTone(account);
 					const toneClass = statusTone ? ` is-${statusTone}` : "";
+					const fixedClass = codexAccountMatchesConfiguredSelector(account, snapshot)
+						? " is-fixed"
+						: "";
 					const selectedClass =
 						String(account.status || "").toLowerCase() === "selected" ? " is-selected" : "";
 				const metaFacts = codexAccountMetaFacts(account);
@@ -6025,10 +6140,11 @@ <h2 id="recent-title">Run History</h2>
 				const identityClass = codexAccountShowsEmail(account) ? " is-machine" : "";
 
 				return `
-						<div class="account-row${selectedClass}${toneClass}">
+						<div class="account-row${selectedClass}${fixedClass}${toneClass}">
 							<div class="account-row-id${identityClass}">
 								<strong class="account-name" title="${escapeHtml(displayTitle)}">${escapeHtml(visibleName)}</strong>
 								${renderCodexAccountRandomNameButton(account)}
+								${renderCodexAccountSelectButton(account, snapshot)}
 							</div>
 							<div class="account-row-plan">${escapeHtml(plan)}</div>
 							${renderCodexAccountPoolWindow(account, "primary")}
@@ -6084,7 +6200,7 @@ <h2 id="recent-title">Run History</h2>
 					return `<span class="account-pool-heading">${sortButton}${accountPrivacyToggleMarkup()}</span>`;
 				}
 
-				function renderCodexAccountPool(accounts) {
+				function renderCodexAccountPool(accounts, snapshot) {
 					if (!accounts.length) {
 						return renderEmptyState(
 							"No accounts",
@@ -6097,7 +6213,7 @@ <h2 id="recent-title">Run History</h2>
 							<div class="account-pool-guide">
 								${ACCOUNT_POOL_SORT_COLUMNS.map(renderCodexAccountPoolGuideCell).join("")}
 							</div>
-							${accounts.map(renderCodexAccountPoolRow).join("")}
+							${accounts.map((account) => renderCodexAccountPoolRow(account, snapshot)).join("")}
 						</div>
 					`;
 				}
@@ -6308,7 +6424,7 @@ <h2 id="recent-title">Run History</h2>
 
 				function renderAccountPool(snapshot) {
 					const accounts = codexAccountPoolAccounts(snapshot);
-					nodes.accountPool.innerHTML = renderCodexAccountPool(accounts);
+					nodes.accountPool.innerHTML = renderCodexAccountPool(accounts, snapshot);
 					renderAccountPrivacyToggle();
 				}
 
@@ -8894,6 +9010,12 @@ <h4>${escapeHtml(worktree.branch_name)}</h4>
 					return;
 				}
 				recordDashboardControlEvent(payload || {});
+				if (
+					payload?.accepted &&
+					["selectAccount", "clearAccountSelection"].includes(payload.action)
+				) {
+					refreshDashboard();
+				}
 			}
 
 			function applyDashboardControlReady(payload) {
@@ -9132,6 +9254,21 @@ <h4>${escapeHtml(worktree.branch_name)}</h4>
 					return;
 				}
 
+				const selectButton = event.target.closest("[data-account-select]");
+				if (selectButton) {
+					event.preventDefault();
+					const action = selectButton.dataset.accountSelect;
+					const projectId = selectButton.dataset.projectId || null;
+					const accountSelector = selectButton.dataset.accountSelector || null;
+
+					if (action === "selectAccount") {
+						sendDashboardControl(action, { projectId, accountSelector });
+					} else if (action === "clearAccountSelection") {
+						sendDashboardControl(action, { projectId });
+					}
+					return;
+				}
+
 				const button = event.target.closest("[data-account-name-reroll]");
 				if (!button) {
 					return;
diff --git a/apps/decodex/src/orchestrator/operator_http.rs b/apps/decodex/src/orchestrator/operator_http.rs
index 4043a7ac..3b50f1a8 100644
--- a/apps/decodex/src/orchestrator/operator_http.rs
+++ b/apps/decodex/src/orchestrator/operator_http.rs
@@ -119,6 +119,8 @@ struct DashboardClientMessage {
 	issue_id: Option<String>,
 	#[serde(rename = "runId")]
 	run_id: Option<String>,
+	#[serde(rename = "accountSelector")]
+	account_selector: Option<String>,
 }
 
 struct DashboardControlAck<'a> {
@@ -613,6 +615,8 @@ fn dashboard_control_ready_payload(subscription: &DashboardClientSubscription) -
 			"pauseProject",
 			"resumeProject",
 			"interruptRun",
+			"selectAccount",
+			"clearAccountSelection",
 			"ack"
 		],
 		"subscription": dashboard_subscription_payload(subscription),
@@ -689,6 +693,10 @@ fn handle_dashboard_control_action(
 			dashboard_project_enabled_control_ack(session, state_store, message, action, true),
 		"interrupt" | "interruptRun" =>
 			dashboard_interrupt_control_ack(session, state_store, message, action),
+		"selectAccount" =>
+			dashboard_account_selection_control_ack(session, state_store, message, action, true),
+		"clearAccountSelection" =>
+			dashboard_account_selection_control_ack(session, state_store, message, action, false),
 		"ack" | "ackNotice" => dashboard_control_ack_for_message(
 			session,
 			message,
@@ -772,6 +780,64 @@ fn dashboard_project_enabled_control_ack(
 	})
 }
 
+fn dashboard_account_selection_control_ack(
+	session: &DashboardWebSocketSession,
+	state_store: &StateStore,
+	message: &DashboardClientMessage,
+	action: &str,
+	set_fixed: bool,
+) -> Value {
+	let Some(project_id) = dashboard_required_project_id(message) else {
+		return dashboard_missing_project_control_ack(session, message, action);
+	};
+	let selector = if set_fixed {
+		match dashboard_required_account_selector(message) {
+			Some(selector) => Some(selector),
+			None => {
+				return dashboard_control_ack_value(DashboardControlAck {
+					request_id: message.request_id.as_deref(),
+					action,
+					accepted: false,
+					status: "missing_account",
+					message: "Account selection requires an account selector.",
+					project_id: Some(project_id),
+					issue_id: message.issue_id.as_deref(),
+					run_id: message.run_id.as_deref(),
+					subscription: Some(&session.subscription),
+				});
+			},
+		}
+	} else {
+		None
+	};
+	let result = update_project_codex_account_selection(state_store, project_id, selector);
+	let (accepted, status, copy) = match (set_fixed, result) {
+		(true, Ok(())) => (
+			true,
+			"fixed",
+			String::from("Project config now pins new Codex runs to the selected account."),
+		),
+		(false, Ok(())) => (
+			true,
+			"balanced",
+			String::from("Project config now uses balanced Codex account selection."),
+		),
+		(_, Err(error)) => (false, "failed", error.to_string()),
+	};
+
+	dashboard_control_ack_value(DashboardControlAck {
+		request_id: message.request_id.as_deref(),
+		action,
+		accepted,
+		status,
+		message: &copy,
+		project_id: Some(project_id),
+		issue_id: message.issue_id.as_deref(),
+		run_id: message.run_id.as_deref(),
+		subscription: Some(&session.subscription),
+	})
+}
+
 fn dashboard_interrupt_control_ack(
 	session: &DashboardWebSocketSession,
 	state_store: &StateStore,
@@ -929,6 +995,91 @@ fn dashboard_required_run_id(message: &DashboardClientMessage) -> Option<&str> {
 	message.run_id.as_deref().map(str::trim).filter(|value| !value.is_empty())
 }
 
+fn dashboard_required_account_selector(message: &DashboardClientMessage) -> Option<&str> {
+	message
+		.account_selector
+		.as_deref()
+		.map(str::trim)
+		.filter(|value| !value.is_empty())
+}
+
+fn update_project_codex_account_selection(
+	state_store: &StateStore,
+	project_id: &str,
+	selector: Option<&str>,
+) -> Result<()> {
+	let registration = state_store
+		.list_projects()?
+		.into_iter()
+		.find(|project| project.service_id() == project_id)
+		.ok_or_else(|| eyre::eyre!("Decodex project `{project_id}` is not registered."))?;
+
+	write_project_codex_account_selection(registration.config_path(), selector)?;
+	crate::runtime::register_project_config(
+		state_store,
+		registration.config_path(),
+		registration.enabled(),
+	)?;
+
+	Ok(())
+}
+
+fn write_project_codex_account_selection(
+	config_path: &Path,
+	selector: Option<&str>,
+) -> Result<()> {
+	let config_path = ServiceConfig::resolve_project_config_path(config_path)?;
+	let input = fs::read_to_string(&config_path)?;
+	let mut document = toml::from_str::<toml::Table>(&input)?;
+
+	match selector.map(str::trim).filter(|value| !value.is_empty()) {
+		Some(selector) => {
+			let accounts = ensure_toml_table(ensure_toml_table(&mut document, "codex")?, "accounts")?;
+
+			accounts.insert(String::from("fixed_account"), toml::Value::String(selector.to_owned()));
+		},
+		None => {
+			if let Some(toml::Value::Table(codex)) = document.get_mut("codex")
+				&& let Some(toml::Value::Table(accounts)) = codex.get_mut("accounts")
+			{
+				accounts.remove("fixed_account");
+			}
+		},
+	}
+
+	let output = toml::to_string_pretty(&document)?;
+	let temp_path = dashboard_project_config_temp_path(&config_path)?;
+
+	fs::write(&temp_path, output)?;
+	fs::rename(temp_path, &config_path)?;
+	ServiceConfig::from_path(&config_path)?;
+
+	Ok(())
+}
+
+fn ensure_toml_table<'a>(table: &'a mut toml::Table, key: &str) -> Result<&'a mut toml::Table> {
+	if !table.contains_key(key) {
+		table.insert(String::from(key), toml::Value::Table(toml::Table::new()));
+	}
+
+	match table.get_mut(key) {
+		Some(toml::Value::Table(table)) => Ok(table),
+		_ => eyre::bail!("Project config `{key}` must be a TOML table."),
+	}
+}
+
+fn dashboard_project_config_temp_path(config_path: &Path) -> Result<PathBuf> {
+	let parent = config_path.parent().ok_or_else(|| {
+		eyre::eyre!("Project config `{}` must have a parent directory.", config_path.display())
+	})?;
+	let file_name = config_path
+		.file_name()
+		.and_then(|name| name.to_str())
+		.ok_or_else(|| eyre::eyre!("Project config path must end in a valid file name."))?;
+
+	Ok(parent.join(format!(".{file_name}.tmp-{}", process::id())))
+}
+
 fn dashboard_clean_scope_value(value: Option<&str>) -> Option<String> {
 	value
 		.map(str::trim)
diff --git a/apps/decodex/src/orchestrator/status.rs b/apps/decodex/src/orchestrator/status.rs
index e6ab8ea9..007b5aac 100644
--- a/apps/decodex/src/orchestrator/status.rs
+++ b/apps/decodex/src/orchestrator/status.rs
@@ -182,6 +182,7 @@ fn build_operator_status_snapshot(
 			last_activity_at: None,
 			warning_count: 0,
 		}],
+		account_control: codex_account_control_status(project),
 		accounts,
 		active_runs,
 		recent_runs,
@@ -197,6 +198,20 @@ fn build_operator_status_snapshot(
 	Ok(snapshot)
 }
 
+fn codex_account_control_status(project: &ServiceConfig) -> OperatorCodexAccountControlStatus {
+	let account_selector = project
+		.codex()
+		.accounts()
+		.and_then(ProjectCodexAccountsConfig::fixed_account)
+		.map(str::to_owned);
+	let mode = if account_selector.is_some() { "fixed" } else { "balanced" };
+
+	OperatorCodexAccountControlStatus {
+		mode: String::from(mode),
+		account_selector,
+	}
+}
+
 fn build_live_operator_status_snapshot<T>(
 	tracker: &T,
 	project: &ServiceConfig,
diff --git a/apps/decodex/src/orchestrator/tests.rs b/apps/decodex/src/orchestrator/tests.rs
index 95315ace..263252fa 100644
--- a/apps/decodex/src/orchestrator/tests.rs
+++ b/apps/decodex/src/orchestrator/tests.rs
@@ -28,11 +28,11 @@ use crate::tracker::records;
 		TurnContinuationGuard,
 	};
 #[rustfmt::skip]
-use crate::config::{InternalReviewMode, ServiceConfig};
+use crate::config::{InternalReviewMode, ProjectCodexAccountsConfig, ServiceConfig};
 #[rustfmt::skip]
 use crate::github;
 #[rustfmt::skip]
-use crate::orchestrator::{self, ActiveChildRunContext, ActiveRunDisposition, ActiveRunReconciliation, ActiveWorkflowOverride, AgentEvidenceSource, ChildExitRetryContext, ChildRunRef, ControlPlaneProjectTick, CONTINUATION_PENDING_RUN_STATUS, DaemonRunChild, DaemonTickRuntimeContext, DashboardEventHub, GhPullRequestReviewStateInspector, ISSUE_DELIVERY_CLOSEOUT_COMPLETE_TOOL_NAME, ISSUE_LABEL_ADD_TOOL_NAME, ISSUE_PROGRESS_CHECKPOINT_TOOL_NAME, ISSUE_REVIEW_CHECKPOINT_TOOL_NAME, ISSUE_REVIEW_HANDOFF_TOOL_NAME, ISSUE_REVIEW_REPAIR_COMPLETE_TOOL_NAME, ISSUE_TERMINAL_FINALIZE_TOOL_NAME, ISSUE_TRANSITION_TOOL_NAME, IssueDispatchMode, IssueRunPlan, IssueTurnContinuationGuard, ManualAttentionRequested, OPERATOR_DASHBOARD_ALIAS_ENDPOINT_PATH, OPERATOR_DASHBOARD_ENDPOINT_PATH, OperatorStatusSnapshot, PostReviewLaneClassification, PostReviewLaneDecision, PostReviewLaneSnapshot, PreferredRunIdentity, PrepareIssueRunContext, PublishedOperatorSnapshot, PullRequestCommitConnection, PullRequestCommitNode, PullRequestCommitPayload, PullRequestIssueCommentConnection, PullRequestIssueCommentState, PullRequestIssueCommentsNode, PullRequestPageInfo, PullRequestReactionGroup, PullRequestReactionUsersConnection, PullRequestActor, PullRequestRepository, PullRequestRepositoryOwner, PullRequestReviewConnection, PullRequestIssueCommentNode, PullRequestReviewNode, PullRequestReviewRequestConnection, PullRequestReviewState, PullRequestReviewStateInspector, PullRequestReviewStateNode, PullRequestReviewStateRepository, PullRequestReviewSummaryState, PullRequestReviewThreadConnection, PullRequestReviewThreadNode, PullRequestStatusCheckRollup, RecoveredRuntimeState, RetainedPartialProgress, RetainedReviewRunIdentity, RetryComment, RetryDispatchDecision, RetryEntry, RetryKind, RetryQueue, RunCompletionDisposition, RunSummary, RepoGateFailure, TERMINAL_GUARD_MARKER_FILE, TERMINAL_GUARDED_RUN_STATUS, TRACKER_RATE_LIMIT_WARNING, TargetIssueRunContext, EXTERNAL_REVIEW_ACTOR_LOGIN, EXTERNAL_REVIEW_PASS_PHRASE, EXTERNAL_REVIEW_REQUEST_BODY};
+use crate::orchestrator::{self, ActiveChildRunContext, ActiveRunDisposition, ActiveRunReconciliation, ActiveWorkflowOverride, AgentEvidenceSource, ChildExitRetryContext, ChildRunRef, ControlPlaneProjectTick, CONTINUATION_PENDING_RUN_STATUS, DaemonRunChild, DaemonTickRuntimeContext, DashboardEventHub, GhPullRequestReviewStateInspector, ISSUE_DELIVERY_CLOSEOUT_COMPLETE_TOOL_NAME, ISSUE_LABEL_ADD_TOOL_NAME, ISSUE_PROGRESS_CHECKPOINT_TOOL_NAME, ISSUE_REVIEW_CHECKPOINT_TOOL_NAME, ISSUE_REVIEW_HANDOFF_TOOL_NAME, ISSUE_REVIEW_REPAIR_COMPLETE_TOOL_NAME, ISSUE_TERMINAL_FINALIZE_TOOL_NAME, ISSUE_TRANSITION_TOOL_NAME, IssueDispatchMode, IssueRunPlan, IssueTurnContinuationGuard, ManualAttentionRequested, OPERATOR_DASHBOARD_ALIAS_ENDPOINT_PATH, OPERATOR_DASHBOARD_ENDPOINT_PATH, OperatorCodexAccountControlStatus, OperatorStatusSnapshot, PostReviewLaneClassification, PostReviewLaneDecision, PostReviewLaneSnapshot, PreferredRunIdentity, PrepareIssueRunContext, PublishedOperatorSnapshot, PullRequestCommitConnection, PullRequestCommitNode, PullRequestCommitPayload, PullRequestIssueCommentConnection, PullRequestIssueCommentState, PullRequestIssueCommentsNode, PullRequestPageInfo, PullRequestReactionGroup, PullRequestReactionUsersConnection, PullRequestActor, PullRequestRepository, PullRequestRepositoryOwner, PullRequestReviewConnection, PullRequestIssueCommentNode, PullRequestReviewNode, PullRequestReviewRequestConnection, PullRequestReviewState, PullRequestReviewStateInspector, PullRequestReviewStateNode, PullRequestReviewStateRepository, PullRequestReviewSummaryState, PullRequestReviewThreadConnection, PullRequestReviewThreadNode, PullRequestStatusCheckRollup, RecoveredRuntimeState, RetainedPartialProgress, RetainedReviewRunIdentity, RetryComment, RetryDispatchDecision, RetryEntry, RetryKind, RetryQueue, RunCompletionDisposition, RunSummary, RepoGateFailure, TERMINAL_GUARD_MARKER_FILE, TERMINAL_GUARDED_RUN_STATUS, TRACKER_RATE_LIMIT_WARNING, TargetIssueRunContext, EXTERNAL_REVIEW_ACTOR_LOGIN, EXTERNAL_REVIEW_PASS_PHRASE, EXTERNAL_REVIEW_REQUEST_BODY};
 #[rustfmt::skip]
 use crate::prelude::Result;
 #[rustfmt::skip]
diff --git a/apps/decodex/src/orchestrator/tests/operator/status/agent_evidence.rs b/apps/decodex/src/orchestrator/tests/operator/status/agent_evidence.rs
index b349ac78..44d782e6 100644
--- a/apps/decodex/src/orchestrator/tests/operator/status/agent_evidence.rs
+++ b/apps/decodex/src/orchestrator/tests/operator/status/agent_evidence.rs
@@ -29,6 +29,10 @@ fn agent_evidence_snapshot_writes_index_blockers_capsules_and_event_stream() {
 		warnings: Vec::new(),
 		connector_backoffs: Vec::new(),
 		projects: Vec::new(),
+		account_control: OperatorCodexAccountControlStatus {
+			mode: String::from("balanced"),
+			account_selector: None,
+		},
 		accounts: Vec::new(),
 		active_runs: vec![active_run.clone()],
 		recent_runs: vec![active_run],
diff --git a/apps/decodex/src/orchestrator/tests/operator/status/dashboard.rs b/apps/decodex/src/orchestrator/tests/operator/status/dashboard.rs
index ab9e9e23..3ce5a543 100644
--- a/apps/decodex/src/orchestrator/tests/operator/status/dashboard.rs
+++ b/apps/decodex/src/orchestrator/tests/operator/status/dashboard.rs
@@ -424,9 +424,14 @@ fn operator_dashboard_renders_account_usage_controls() {
 	assert!(response.contains("function codexAccountPoolAccounts(snapshot)"));
 	assert!(response.contains("function codexAccountPoolRank(account)"));
 	assert!(response.contains("function codexAccountPoolSortKey(account)"));
-	assert!(response.contains("function renderCodexAccountPool(accounts)"));
+	assert!(response.contains("function renderCodexAccountPool(accounts, snapshot)"));
 	assert!(!response.contains("function renderCodexAccountPoolHeader(accounts)"));
-	assert!(response.contains("function renderCodexAccountPoolRow(account)"));
+	assert!(response.contains("function renderCodexAccountPoolRow(account, snapshot)"));
+	assert!(response.contains("function renderCodexAccountSelectButton(account, snapshot)"));
+	assert!(response.contains("data-account-select=\"${escapeHtml(action)}\""));
+	assert!(response.contains("sendDashboardControl(action, { projectId, accountSelector });"));
+	assert!(response.contains("clearAccountSelection"));
+	assert!(response.contains("selectAccount"));
 	assert!(response.contains("function codexAccountDebugSummary(account)"));
 	assert!(!response.contains("function codexAccountPoolDebugSummary(accounts)"));
 	assert!(response.contains("return \"not captured\";"));
@@ -859,7 +864,8 @@ fn operator_dashboard_accounts_keeps_debug_credit_and_reset_copy_compact() {
 	assert!(!response.contains("lowestRemaining <= 20"));
 	assert!(!response.contains("account-meter"));
 	assert!(!response.contains("lowestRemaining}%"));
-	assert!(response.contains("nodes.accountPool.innerHTML = renderCodexAccountPool(accounts)"));
+	assert!(response
+		.contains("nodes.accountPool.innerHTML = renderCodexAccountPool(accounts, snapshot)"));
 	assert!(response.contains("renderAccountPrivacyToggle();"));
 	assert!(!response.contains("setPanelMeta(nodes.accountPoolMeta"));
 	assert!(!response.contains("nodes.accountPoolMeta.textContent = snapshot"));
diff --git a/apps/decodex/src/orchestrator/tests/operator/status/http.rs b/apps/decodex/src/orchestrator/tests/operator/status/http.rs
index 6c2fd9ed..6b55348d 100644
--- a/apps/decodex/src/orchestrator/tests/operator/status/http.rs
+++ b/apps/decodex/src/orchestrator/tests/operator/status/http.rs
@@ -113,6 +113,10 @@ fn operator_state_endpoint_serializes_closed_queue_classification() {
 		warnings: Vec::new(),
 		connector_backoffs: Vec::new(),
 		projects: Vec::new(),
+		account_control: OperatorCodexAccountControlStatus {
+			mode: String::from("balanced"),
+			account_selector: None,
+		},
 		accounts: Vec::new(),
 		active_runs: vec![],
 		recent_runs: vec![],
@@ -534,6 +538,44 @@ fn operator_dashboard_websocket_accepts_subscription_and_project_pause_control()
 			.enabled()
 	);
 
+	client
+		.write_all(&websocket_client_text_frame(
+			r#"{"type":"control","requestId":"account-1","action":"selectAccount","projectId":"pubfi","accountSelector":"copy@example.com"}"#,
+		))
+		.expect("client should send account selection");
+
+	let account_ack = read_websocket_json_until(&mut client, &mut frame, |payload| {
+		payload["type"] == "controlAck" && payload["payload"]["requestId"] == "account-1"
+	});
+
+	assert_eq!(account_ack["payload"]["accepted"], true);
+	assert_eq!(account_ack["payload"]["status"], "fixed");
+
+	let updated_config = load_service_config(config.repo_root());
+	let accounts = updated_config.codex().accounts().expect("accounts should be configured");
+
+	assert_eq!(accounts.fixed_account(), Some("copy@example.com"));
+
+	client
+		.write_all(&websocket_client_text_frame(
+			r#"{"type":"control","requestId":"account-clear","action":"clearAccountSelection","projectId":"pubfi"}"#,
+		))
+		.expect("client should send account clear");
+
+	let account_clear_ack = read_websocket_json_until(&mut client, &mut frame, |payload| {
+		payload["type"] == "controlAck" && payload["payload"]["requestId"] == "account-clear"
+	});
+
+	assert_eq!(account_clear_ack["payload"]["accepted"], true);
+	assert_eq!(account_clear_ack["payload"]["status"], "balanced");
+	assert_eq!(
+		load_service_config(config.repo_root())
+			.codex()
+			.accounts()
+			.and_then(ProjectCodexAccountsConfig::fixed_account),
+		None
+	);
+
 	drop(client);
 
 	dashboard_events.close_clients_for_test();
diff --git a/apps/decodex/src/orchestrator/tests/operator/status/text.rs b/apps/decodex/src/orchestrator/tests/operator/status/text.rs
index 1c259159..0267095a 100644
--- a/apps/decodex/src/orchestrator/tests/operator/status/text.rs
+++ b/apps/decodex/src/orchestrator/tests/operator/status/text.rs
@@ -7,6 +7,10 @@ fn operator_status_text_renders_human_readable_sections() {
 		warnings: Vec::new(),
 		connector_backoffs: Vec::new(),
 		projects: Vec::new(),
+		account_control: OperatorCodexAccountControlStatus {
+			mode: String::from("balanced"),
+			account_selector: None,
+		},
 		accounts: Vec::new(),
 		active_runs: vec![active_run.clone()],
 		queued_candidates: operator_status_text_queued_candidates(),
@@ -96,6 +100,10 @@ fn operator_status_text_explains_empty_backlog_checks() {
 		warnings: Vec::new(),
 		connector_backoffs: Vec::new(),
 		projects: Vec::new(),
+		account_control: OperatorCodexAccountControlStatus {
+			mode: String::from("balanced"),
+			account_selector: None,
+		},
 		accounts: Vec::new(),
 		active_runs: Vec::new(),
 		queued_candidates: Vec::new(),
@@ -126,6 +134,10 @@ fn operator_status_text_surfaces_cleanup_blocker_pr_url() {
 		warnings: Vec::new(),
 		connector_backoffs: Vec::new(),
 		projects: Vec::new(),
+		account_control: OperatorCodexAccountControlStatus {
+			mode: String::from("balanced"),
+			account_selector: None,
+		},
 		accounts: Vec::new(),
 		active_runs: Vec::new(),
 		queued_candidates: Vec::new(),
@@ -184,6 +196,10 @@ fn operator_status_text_terminal_run_freshness_uses_terminal_update() {
 		warnings: Vec::new(),
 		connector_backoffs: Vec::new(),
 		projects: Vec::new(),
+		account_control: OperatorCodexAccountControlStatus {
+			mode: String::from("balanced"),
+			account_selector: None,
+		},
 		accounts: Vec::new(),
 		active_runs: Vec::new(),
 		queued_candidates: Vec::new(),
@@ -217,6 +233,10 @@ fn operator_status_text_active_run_without_live_activity_does_not_promote_update
 		warnings: Vec::new(),
 		connector_backoffs: Vec::new(),
 		projects: Vec::new(),
+		account_control: OperatorCodexAccountControlStatus {
+			mode: String::from("balanced"),
+			account_selector: None,
+		},
 		accounts: Vec::new(),
 		active_runs: vec![active_run.clone()],
 		queued_candidates: Vec::new(),
@@ -245,6 +265,10 @@ fn operator_status_text_explains_unleased_live_running_lane() {
 		warnings: Vec::new(),
 		connector_backoffs: Vec::new(),
 		projects: Vec::new(),
+		account_control: OperatorCodexAccountControlStatus {
+			mode: String::from("balanced"),
+			account_selector: None,
+		},
 		accounts: Vec::new(),
 		active_runs: vec![active_run.clone()],
 		queued_candidates: Vec::new(),
diff --git a/apps/decodex/src/orchestrator/types.rs b/apps/decodex/src/orchestrator/types.rs
index fe20e201..7feeca45 100644
--- a/apps/decodex/src/orchestrator/types.rs
+++ b/apps/decodex/src/orchestrator/types.rs
@@ -672,6 +672,7 @@ struct OperatorStatusSnapshot {
 	warnings: Vec<String>,
 	connector_backoffs: Vec<OperatorConnectorBackoffStatus>,
 	projects: Vec<OperatorProjectStatus>,
+	account_control: OperatorCodexAccountControlStatus,
 	accounts: Vec<CodexAccountActivitySummary>,
 	active_runs: Vec<OperatorRunStatus>,
 	recent_runs: Vec<OperatorRunStatus>,
@@ -712,6 +713,12 @@ struct OperatorProjectStatus {
 	warning_count: usize,
 }
 
+#[derive(Clone, Debug, Eq, PartialEq, Serialize)]
+struct OperatorCodexAccountControlStatus {
+	mode: String,
+	account_selector: Option<String>,
+}
+
 #[derive(Clone, Debug, Eq, PartialEq, Serialize)]
 struct OperatorHistoryLaneStatus {
 	project_id: String,
diff --git a/decodex.example.toml b/decodex.example.toml
index ba1b5c4b..b73eed37 100644
--- a/decodex.example.toml
+++ b/decodex.example.toml
@@ -15,6 +15,7 @@ internal_review_mode    = "loop"
 # Optional shared Codex account pool.
 # Uncomment the block to use the global `~/.codex/decodex/accounts.jsonl` pool.
 # [codex.accounts]
+# fixed_account = "account@example.com"
 
 # Required project paths. Project configs are managed outside checkouts, for example under
 # `~/.codex/decodex/projects/<service-id>/project.toml`.
diff --git a/docs/reference/operator-control-plane.md b/docs/reference/operator-control-plane.md
index dcec569c..3a934e98 100644
--- a/docs/reference/operator-control-plane.md
+++ b/docs/reference/operator-control-plane.md
@@ -112,7 +112,7 @@ durable outside the local operator surface.
 
 | Section | Meaning |
 | --- | --- |
-| `Accounts` | Shared Codex account pool and usage table from `~/.codex/decodex/accounts.jsonl` when `[codex.accounts]` is enabled for a project. Account identity can be obscured from the `Account` column header eye without changing the underlying snapshot. |
+| `Accounts` | Shared Codex account pool and usage table from `~/.codex/decodex/accounts.jsonl` when `[codex.accounts]` is enabled for a project. Account identity can be obscured from the `Account` column header eye without changing the underlying snapshot. Selecting an account writes `[codex.accounts].fixed_account` in the registered project config; clearing it returns new runs to balanced account selection. |
 | `Projects` | Fleet-level project table. The section-level filter toggles between active project work and the full registry. Location is its own compact path column and can be obscured from the location header eye. `Activity` shows a relative timestamp or `-`; `Work` is `running/waiting/attention`. It should not duplicate per-lane details already shown below. |
 | `Running Lanes` | Active leased or live-executing issue lanes. A lane here is currently owned by this local control plane, or a live process/thread/protocol marker still explains active execution even when the queue lease is not held. It shows issue identity, phase, operation, attempt, queue lease state, execution liveness, thread/protocol status, child-agent activity when captured, timing, branch, and worktree. |
 | `Intake Queue` | Queued tracker issues before execution. Candidates are classified as `ready`, capacity-waiting, claimed without a matching local lane, blocked, or closed/stale. A blocked queued candidate can still show an attached `.worktrees/XY-*` path when the queue owns the attention state; if that worktree has tracked changes after retries, the candidate is partial retained progress and not just a generic retry-budget hold. Running lanes are not repeated as normal intake work. |
diff --git a/docs/runbook/self-dogfood-pilot.md b/docs/runbook/self-dogfood-pilot.md
index de37e078..2225ab4f 100644
--- a/docs/runbook/self-dogfood-pilot.md
+++ b/docs/runbook/self-dogfood-pilot.md
@@ -73,7 +73,9 @@ projects.
 If the project uses managed ChatGPT accounts, enable `[codex.accounts]` in
 `project.toml` and keep the JSONL pool at `~/.codex/decodex/accounts.jsonl`. Do not
 store the shared pool under a project directory or configure a project-local account
-path.
+path. To keep every new run on one account, set
+`[codex.accounts].fixed_account = "<email-or-fingerprint>"`; the operator dashboard
+Accounts UI writes that same field when selecting or clearing a fixed account.
 
 After restarting `decodex serve`, verify the registry still points at the centralized
 project directory:
diff --git a/docs/spec/app-server.md b/docs/spec/app-server.md
index 2b1bbfd5..d94a2f15 100644
--- a/docs/spec/app-server.md
+++ b/docs/spec/app-server.md
@@ -117,20 +117,22 @@ When `[codex.accounts]` is enabled, the account pool is a global Decodex file at
 `~/.codex/decodex/accounts.jsonl`; project configs do not own an account-pool path
 override. The pool accepts flat `auth.json`-style JSONL records or records wrapped as
 `{ "auth": ... }`.
-Before login, Decodex probes configured accounts through the ChatGPT usage endpoint,
-skips disabled, cooling-down, and incomplete records, penalizes usage-limited records,
-prefers the highest remaining usage, and uses the least-recently selected account to
-break equal usage scores. Successful selection writes
-`last_selected_at_unix_epoch` back to the JSONL file so later runs can rotate tied
-accounts across process restarts.
+Before login, Decodex probes configured accounts through the ChatGPT usage endpoint.
+By default, it skips disabled, cooling-down, and incomplete records, penalizes
+usage-limited records, prefers the highest remaining usage, and uses the
+least-recently selected account to break equal usage scores. If
+`[codex.accounts].fixed_account` is set, Decodex only considers the matching account
+instead of balancing across the pool. The selector matches an account email, full
+account id, or redacted account fingerprint as displayed in the operator UI.
+Successful selection writes `last_selected_at_unix_epoch` back to the JSONL file.
 
 Decodex owns token freshness for injected `chatgptAuthTokens`. It proactively refreshes
 an account before probing when the access-token JWT `exp` is expired. If no expiration
 claim is available, it refreshes when `last_refresh` is more than eight days old. If
 the app-server later sends `account/chatgptAuthTokens/refresh`, Decodex refreshes the
-previous account id supplied by the request, updates the JSONL record with returned
-tokens and `last_refresh`, records a redacted local protocol event, and responds with
-fresh `chatgptAuthTokens`.
+fixed account when configured, otherwise the previous account id supplied by the
+request. It updates the JSONL record with returned tokens and `last_refresh`, records
+a redacted local protocol event, and responds with fresh `chatgptAuthTokens`.
 
 ## `initialize`
 

From 780cd2acbc4a4d5a6116f51353d57b836ded1175 Mon Sep 17 00:00:00 2001
From: Yvette Carlisle <y@acg.box>
Date: Tue, 12 May 2026 14:32:57 +0800
Subject: [PATCH 2/2] {"schema":"decodex/commit/1","summary":"Fix fixed account
 selection style","authority":"manual"}

---
 apps/decodex/src/agent/codex_accounts.rs      |  6 +++--
 .../decodex/src/orchestrator/operator_http.rs | 19 +++++++-------
 .../tests/operator/status/http.rs             | 25 ++++++++++++-------
 3 files changed, 30 insertions(+), 20 deletions(-)

diff --git a/apps/decodex/src/agent/codex_accounts.rs b/apps/decodex/src/agent/codex_accounts.rs
index 55d9d9f4..733b15ba 100644
--- a/apps/decodex/src/agent/codex_accounts.rs
+++ b/apps/decodex/src/agent/codex_accounts.rs
@@ -199,6 +199,7 @@ impl CodexAccountPool {
 		};
 
 		selected.mark_selected(now);
+
 		records[record_index].last_selected_at_unix_epoch = Some(now);
 		records_changed = true;
 
@@ -407,6 +408,7 @@ impl CodexAccountPool {
 					)
 				})?
 		};
+
 		self.refresh_record(&mut records[record_index])?;
 
 		let usage = self.probe_record_usage(&records[record_index])?;
@@ -1248,7 +1250,7 @@ const fn is_false(value: &bool) -> bool {
 mod tests {
 	use std::{
 		fs,
-		io::{Read, Write},
+		io::{Read as _, Write as _},
 		net::TcpListener,
 		thread,
 	};
@@ -1634,7 +1636,7 @@ mod tests {
 			for body in responses {
 				let (mut stream, _peer) =
 					listener.accept().expect("usage fixture should accept request");
-				let mut buffer = [0_u8; 4096];
+				let mut buffer = [0_u8; 4_096];
 				let _bytes_read = stream.read(&mut buffer).expect("request should read");
 				let response = format!(
 					"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\nContent-Length: {}\r\nConnection: close\r\n\r\n{}",
diff --git a/apps/decodex/src/orchestrator/operator_http.rs b/apps/decodex/src/orchestrator/operator_http.rs
index 3b50f1a8..39e7a7fa 100644
--- a/apps/decodex/src/orchestrator/operator_http.rs
+++ b/apps/decodex/src/orchestrator/operator_http.rs
@@ -1015,7 +1015,8 @@ fn update_project_codex_account_selection(
 		.ok_or_else(|| eyre::eyre!("Decodex project `{project_id}` is not registered."))?;
 
 	write_project_codex_account_selection(registration.config_path(), selector)?;
-	crate::runtime::register_project_config(
+
+	runtime::register_project_config(
 		state_store,
 		registration.config_path(),
 		registration.enabled(),
@@ -1036,11 +1037,11 @@ fn write_project_codex_account_selection(
 		Some(selector) => {
 			let accounts = ensure_toml_table(ensure_toml_table(&mut document, "codex")?, "accounts")?;
 
-			accounts.insert(String::from("fixed_account"), toml::Value::String(selector.to_owned()));
+			accounts.insert(String::from("fixed_account"), selector.to_owned().into());
 		},
 		None => {
-			if let Some(toml::Value::Table(codex)) = document.get_mut("codex")
-				&& let Some(toml::Value::Table(accounts)) = codex.get_mut("accounts")
+			if let Some(codex) = document.get_mut("codex").and_then(|value| value.as_table_mut())
+				&& let Some(accounts) = codex.get_mut("accounts").and_then(|value| value.as_table_mut())
 			{
 				accounts.remove("fixed_account");
 			}
@@ -1059,13 +1060,13 @@ fn write_project_codex_account_selection(
 
 fn ensure_toml_table<'a>(table: &'a mut toml::Table, key: &str) -> Result<&'a mut toml::Table> {
 	if !table.contains_key(key) {
-		table.insert(String::from(key), toml::Value::Table(toml::Table::new()));
+		table.insert(String::from(key), toml::Table::new().into());
 	}
 
-	match table.get_mut(key) {
-		Some(toml::Value::Table(table)) => Ok(table),
-		_ => eyre::bail!("Project config `{key}` must be a TOML table."),
-	}
+	table
+		.get_mut(key)
+		.and_then(|value| value.as_table_mut())
+		.ok_or_else(|| eyre::eyre!("Project config `{key}` must be a TOML table."))
 }
 
 fn dashboard_project_config_temp_path(config_path: &Path) -> Result<PathBuf> {
diff --git a/apps/decodex/src/orchestrator/tests/operator/status/http.rs b/apps/decodex/src/orchestrator/tests/operator/status/http.rs
index 6b55348d..d9b1de96 100644
--- a/apps/decodex/src/orchestrator/tests/operator/status/http.rs
+++ b/apps/decodex/src/orchestrator/tests/operator/status/http.rs
@@ -538,20 +538,32 @@ fn operator_dashboard_websocket_accepts_subscription_and_project_pause_control()
 			.enabled()
 	);
 
+	assert_dashboard_account_selection_controls(&mut client, &mut frame, config.repo_root());
+	drop(client);
+
+	dashboard_events.close_clients_for_test();
+	server.join().expect("server thread should complete");
+}
+
+fn assert_dashboard_account_selection_controls(
+	client: &mut TcpStream,
+	frame: &mut Vec<u8>,
+	repo_root: &Path,
+) {
 	client
 		.write_all(&websocket_client_text_frame(
 			r#"{"type":"control","requestId":"account-1","action":"selectAccount","projectId":"pubfi","accountSelector":"copy@example.com"}"#,
 		))
 		.expect("client should send account selection");
 
-	let account_ack = read_websocket_json_until(&mut client, &mut frame, |payload| {
+	let account_ack = read_websocket_json_until(client, frame, |payload| {
 		payload["type"] == "controlAck" && payload["payload"]["requestId"] == "account-1"
 	});
 
 	assert_eq!(account_ack["payload"]["accepted"], true);
 	assert_eq!(account_ack["payload"]["status"], "fixed");
 
-	let updated_config = load_service_config(config.repo_root());
+	let updated_config = load_service_config(repo_root);
 	let accounts = updated_config.codex().accounts().expect("accounts should be configured");
 
 	assert_eq!(accounts.fixed_account(), Some("copy@example.com"));
@@ -562,24 +574,19 @@ fn operator_dashboard_websocket_accepts_subscription_and_project_pause_control()
 		))
 		.expect("client should send account clear");
 
-	let account_clear_ack = read_websocket_json_until(&mut client, &mut frame, |payload| {
+	let account_clear_ack = read_websocket_json_until(client, frame, |payload| {
 		payload["type"] == "controlAck" && payload["payload"]["requestId"] == "account-clear"
 	});
 
 	assert_eq!(account_clear_ack["payload"]["accepted"], true);
 	assert_eq!(account_clear_ack["payload"]["status"], "balanced");
 	assert_eq!(
-		load_service_config(config.repo_root())
+		load_service_config(repo_root)
 			.codex()
 			.accounts()
 			.and_then(ProjectCodexAccountsConfig::fixed_account),
 		None
 	);
-
-	drop(client);
-
-	dashboard_events.close_clients_for_test();
-	server.join().expect("server thread should complete");
 }
 
 #[test]