codebase-cli 2.0.0-pre.40 → 2.0.0-pre.41

package/dist/auth/token-manager.js

@@ -1,22 +1,34 @@
+import { mkdirSync } from "node:fs";
+import { dirname } from "node:path";
+import * as lockfile from "proper-lockfile";
 import { refreshAccessToken } from "./flow.js";
 /**
  * Read-through, refresh-aware accessor for the OAuth access token.
  *
- * Pi-mono's `getApiKey` runs on every API call, so we have to be fast in
- * the common case (token still valid). Slow path: refresh + persist before
- * returning the new token. A single in-flight promise (`pending`) prevents
- * a burst of concurrent calls from firing parallel refreshes at the same
- * moment — they all await the one refresh that's already running.
+ * Two coordination layers:
+ *   1. In-memory single-flight (`pending`) — multiple awaits within ONE
+ *      process collapse into one refresh round-trip.
+ *   2. Filesystem lockfile on the credentials directory — multiple
+ *      `codebase` processes on the same machine coordinate so only one
+ *      refreshes at a time. The others wait, re-read the rotated token,
+ *      and skip their own refresh. Necessary because refresh tokens are
+ *      often one-time-use: two parallel refreshes burn the shared refresh
+ *      token and one process gets logged out.
+ *
+ * Pi-mono's `getApiKey` runs on every API call, so the cached-token fast
+ * path stays branch-free; the slow path only fires near expiry.
  */
 export class TokenManager {
     store;
     oauthConfig;
     refreshSkewMs;
+    lockTimeoutMs;
     pending = null;
     constructor(options) {
         this.store = options.store;
         this.oauthConfig = options.oauthConfig;
-        this.refreshSkewMs = options.refreshSkewMs ?? 60_000;
+        this.refreshSkewMs = options.refreshSkewMs ?? 5 * 60_000;
+        this.lockTimeoutMs = options.lockTimeoutMs ?? 30_000;
     }
     /**
      * Return a valid access token, refreshing if the stored one is within
@@ -33,35 +45,19 @@ export class TokenManager {
         if (!creds.refreshToken) {
             throw new Error("access token expired and no refresh token saved — run `codebase auth login`");
         }
-        return this.refresh(creds.refreshToken);
+        return this.refresh();
     }
     needsRefresh(creds) {
         if (!creds.expiresAt)
             return false;
         return creds.expiresAt - this.refreshSkewMs <= Date.now();
     }
-    refresh(refreshToken) {
+    refresh() {
         if (this.pending)
             return this.pending;
         this.pending = (async () => {
             try {
-                const next = await refreshAccessToken(this.oauthConfig, refreshToken);
-                // Preserve fields the refresh response doesn't echo back (source,
-                // email, userId) so they survive every rotation. The refresh
-                // response is authoritative for tokens + expiry; we layer the
-                // stable metadata back on top.
-                const existing = this.store.load();
-                this.store.save({
-                    accessToken: next.accessToken,
-                    refreshToken: next.refreshToken ?? existing?.refreshToken ?? refreshToken,
-                    expiresAt: next.expiresAt,
-                    scopes: next.scopes,
-                    source: existing?.source ?? next.source,
-                    userId: existing?.userId ?? next.userId,
-                    email: existing?.email ?? next.email,
-                    provider: existing?.provider ?? next.provider,
-                });
-                return next.accessToken;
+                return await this.refreshWithLock();
             }
             finally {
                 this.pending = null;
@@ -69,5 +65,58 @@ export class TokenManager {
         })();
         return this.pending;
     }
+    /**
+     * Acquire a cross-process lock, then re-check (another process may have
+     * already refreshed by the time we get the lock), then refresh + save.
+     * The double-check is the whole point of taking the lock — it converts
+     * N parallel refreshes into 1 refresh + N-1 reads of the fresh token.
+     */
+    async refreshWithLock() {
+        const lockDir = dirname(this.store.filePath);
+        mkdirSync(lockDir, { recursive: true });
+        const release = await lockfile.lock(lockDir, {
+            retries: {
+                retries: Math.max(1, Math.ceil(this.lockTimeoutMs / 500)),
+                minTimeout: 250,
+                maxTimeout: 1000,
+                factor: 1.5,
+                randomize: true,
+            },
+            // 30s — stale-lock window. Survives a normal refresh; releases
+            // quickly enough that a crashed peer doesn't wedge us for long.
+            stale: 30_000,
+        });
+        try {
+            const reread = this.store.load();
+            if (reread && !this.needsRefresh(reread))
+                return reread.accessToken;
+            if (!reread?.refreshToken) {
+                throw new Error("access token expired and no refresh token saved — run `codebase auth login`");
+            }
+            const next = await refreshAccessToken(this.oauthConfig, reread.refreshToken);
+            // Preserve fields the refresh response doesn't echo back (source,
+            // email, userId) so they survive every rotation. The refresh
+            // response is authoritative for tokens + expiry; we layer the
+            // stable metadata back on top.
+            this.store.save({
+                accessToken: next.accessToken,
+                refreshToken: next.refreshToken ?? reread.refreshToken,
+                expiresAt: next.expiresAt,
+                scopes: next.scopes,
+                source: reread.source ?? next.source,
+                userId: reread.userId ?? next.userId,
+                email: reread.email ?? next.email,
+                provider: reread.provider ?? next.provider,
+            });
+            return next.accessToken;
+        }
+        finally {
+            await release().catch(() => {
+                // Release can fail if the lock was stale-released by another
+                // process while we held it. The credentials are already saved
+                // at that point — there's nothing useful to do here.
+            });
+        }
+    }
 }
 //# sourceMappingURL=token-manager.js.map

package/dist/auth/token-manager.js.map

@@ -1 +1 @@
-{"version":3,"file":"token-manager.js","sourceRoot":"","sources":["../../src/auth/token-manager.ts"],"names":[],"mappings":"AACA,OAAO,EAAoB,kBAAkB,EAAE,MAAM,WAAW,CAAC;AAcjE;;;;;;;;GAQG;AACH,MAAM,OAAO,YAAY;IACP,KAAK,CAAmB;IACxB,WAAW,CAAc;IACzB,aAAa,CAAS;IAC/B,OAAO,GAA2B,IAAI,CAAC;IAE/C,YAAY,OAA4B;QACvC,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;QAC3B,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC;QACvC,IAAI,CAAC,aAAa,GAAG,OAAO,CAAC,aAAa,IAAI,MAAM,CAAC;IACtD,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,cAAc;QACnB,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QAChC,IAAI,CAAC,KAAK;YAAE,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;QACzE,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC,WAAW,CAAC;QACxD,IAAI,CAAC,KAAK,CAAC,YAAY,EAAE,CAAC;YACzB,MAAM,IAAI,KAAK,CAAC,6EAA6E,CAAC,CAAC;QAChG,CAAC;QACD,OAAO,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;IACzC,CAAC;IAEO,YAAY,CAAC,KAAkB;QACtC,IAAI,CAAC,KAAK,CAAC,SAAS;YAAE,OAAO,KAAK,CAAC;QACnC,OAAO,KAAK,CAAC,SAAS,GAAG,IAAI,CAAC,aAAa,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC;IAC3D,CAAC;IAEO,OAAO,CAAC,YAAoB;QACnC,IAAI,IAAI,CAAC,OAAO;YAAE,OAAO,IAAI,CAAC,OAAO,CAAC;QACtC,IAAI,CAAC,OAAO,GAAG,CAAC,KAAK,IAAI,EAAE;YAC1B,IAAI,CAAC;gBACJ,MAAM,IAAI,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,WAAW,EAAE,YAAY,CAAC,CAAC;gBACtE,kEAAkE;gBAClE,6DAA6D;gBAC7D,8DAA8D;gBAC9D,+BAA+B;gBAC/B,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;gBACnC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC;oBACf,WAAW,EAAE,IAAI,CAAC,WAAW;oBAC7B,YAAY,EAAE,IAAI,CAAC,YAAY,IAAI,QAAQ,EAAE,YAAY,IAAI,YAAY;oBACzE,SAAS,EAAE,IAAI,CAAC,SAAS;oBACzB,MAAM,EAAE,IAAI,CAAC,MAAM;oBACnB,MAAM,EAAE,QAAQ,EAAE,MAAM,IAAI,IAAI,CAAC,MAAM;oBACvC,MAAM,EAAE,QAAQ,EAAE,MAAM,IAAI,IAAI,CAAC,MAAM;oBACvC,KAAK,EAAE,QAAQ,EAAE,KAAK,IAAI,IAAI,CAAC,KAAK;oBACpC,QAAQ,EAAE,QAAQ,EAAE,QAAQ,IAAI,IAAI,CAAC,QAAQ;iBAC7C,CAAC,CAAC;gBACH,OAAO,IAAI,CAAC,WAAW,CAAC;YACzB,CAAC;oBAAS,CAAC;gBACV,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC;YACrB,CAAC;QACF,CAAC,CAAC,EAAE,CAAC;QACL,OAAO,IAAI,CAAC,OAAO,CAAC;IACrB,CAAC;CACD"}
+{"version":3,"file":"token-manager.js","sourceRoot":"","sources":["../../src/auth/token-manager.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AACpC,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,KAAK,QAAQ,MAAM,iBAAiB,CAAC;AAE5C,OAAO,EAAoB,kBAAkB,EAAE,MAAM,WAAW,CAAC;AAqBjE;;;;;;;;;;;;;;;GAeG;AACH,MAAM,OAAO,YAAY;IACP,KAAK,CAAmB;IACxB,WAAW,CAAc;IACzB,aAAa,CAAS;IACtB,aAAa,CAAS;IAC/B,OAAO,GAA2B,IAAI,CAAC;IAE/C,YAAY,OAA4B;QACvC,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;QAC3B,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC;QACvC,IAAI,CAAC,aAAa,GAAG,OAAO,CAAC,aAAa,IAAI,CAAC,GAAG,MAAM,CAAC;QACzD,IAAI,CAAC,aAAa,GAAG,OAAO,CAAC,aAAa,IAAI,MAAM,CAAC;IACtD,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,cAAc;QACnB,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QAChC,IAAI,CAAC,KAAK;YAAE,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;QACzE,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC,WAAW,CAAC;QACxD,IAAI,CAAC,KAAK,CAAC,YAAY,EAAE,CAAC;YACzB,MAAM,IAAI,KAAK,CAAC,6EAA6E,CAAC,CAAC;QAChG,CAAC;QACD,OAAO,IAAI,CAAC,OAAO,EAAE,CAAC;IACvB,CAAC;IAEO,YAAY,CAAC,KAAkB;QACtC,IAAI,CAAC,KAAK,CAAC,SAAS;YAAE,OAAO,KAAK,CAAC;QACnC,OAAO,KAAK,CAAC,SAAS,GAAG,IAAI,CAAC,aAAa,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC;IAC3D,CAAC;IAEO,OAAO;QACd,IAAI,IAAI,CAAC,OAAO;YAAE,OAAO,IAAI,CAAC,OAAO,CAAC;QACtC,IAAI,CAAC,OAAO,GAAG,CAAC,KAAK,IAAI,EAAE;YAC1B,IAAI,CAAC;gBACJ,OAAO,MAAM,IAAI,CAAC,eAAe,EAAE,CAAC;YACrC,CAAC;oBAAS,CAAC;gBACV,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC;YACrB,CAAC;QACF,CAAC,CAAC,EAAE,CAAC;QACL,OAAO,IAAI,CAAC,OAAO,CAAC;IACrB,CAAC;IAED;;;;;OAKG;IACK,KAAK,CAAC,eAAe;QAC5B,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;QAC7C,SAAS,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACxC,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,OAAO,EAAE;YAC5C,OAAO,EAAE;gBACR,OAAO,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,aAAa,GAAG,GAAG,CAAC,CAAC;gBACzD,UAAU,EAAE,GAAG;gBACf,UAAU,EAAE,IAAI;gBAChB,MAAM,EAAE,GAAG;gBACX,SAAS,EAAE,IAAI;aACf;YACD,+DAA+D;YAC/D,gEAAgE;YAChE,KAAK,EAAE,MAAM;SACb,CAAC,CAAC;QACH,IAAI,CAAC;YACJ,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;YACjC,IAAI,MAAM,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC;gBAAE,OAAO,MAAM,CAAC,WAAW,CAAC;YACpE,IAAI,CAAC,MAAM,EAAE,YAAY,EAAE,CAAC;gBAC3B,MAAM,IAAI,KAAK,CAAC,6EAA6E,CAAC,CAAC;YAChG,CAAC;YACD,MAAM,IAAI,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,WAAW,EAAE,MAAM,CAAC,YAAY,CAAC,CAAC;YAC7E,kEAAkE;YAClE,6DAA6D;YAC7D,8DAA8D;YAC9D,+BAA+B;YAC/B,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC;gBACf,WAAW,EAAE,IAAI,CAAC,WAAW;gBAC7B,YAAY,EAAE,IAAI,CAAC,YAAY,IAAI,MAAM,CAAC,YAAY;gBACtD,SAAS,EAAE,IAAI,CAAC,SAAS;gBACzB,MAAM,EAAE,IAAI,CAAC,MAAM;gBACnB,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI,IAAI,CAAC,MAAM;gBACpC,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI,IAAI,CAAC,MAAM;gBACpC,KAAK,EAAE,MAAM,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK;gBACjC,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,IAAI,CAAC,QAAQ;aAC1C,CAAC,CAAC;YACH,OAAO,IAAI,CAAC,WAAW,CAAC;QACzB,CAAC;gBAAS,CAAC;YACV,MAAM,OAAO,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE;gBAC1B,6DAA6D;gBAC7D,8DAA8D;gBAC9D,qDAAqD;YACtD,CAAC,CAAC,CAAC;QACJ,CAAC;IACF,CAAC;CACD"}

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "codebase-cli",
-	"version": "2.0.0-pre.40",
+	"version": "2.0.0-pre.41",
 	"description": "Codebase CLI — a TypeScript coding agent on the pi-mono runtime. OAuth-aware, any LLM provider, single install.",
 	"keywords": [
 		"ai",
@@ -62,10 +62,12 @@
 		"@earendil-works/pi-agent-core": "0.74.0",
 		"@earendil-works/pi-ai": "0.74.0",
 		"@types/diff": "^7.0.2",
+		"@types/proper-lockfile": "^4.1.4",
 		"diff": "^9.0.0",
 		"glob": "^13.0.1",
 		"ignore": "^7.0.0",
 		"ink": "^5.2.1",
+		"proper-lockfile": "^4.1.2",
 		"react": "^18.3.1",
 		"typebox": "^1.1.24"
 	},