gipity 1.0.395 → 1.0.396

package/dist/auth.js

@@ -1,4 +1,4 @@
-import { readFileSync, writeFileSync, mkdirSync, existsSync, unlinkSync, chmodSync } from 'fs';
+import { readFileSync, writeFileSync, mkdirSync, existsSync, unlinkSync, chmodSync, openSync, closeSync } from 'fs';
 import { join } from 'path';
 import { homedir } from 'os';
 import { decodeJwtExp } from './utils.js';
@@ -8,6 +8,7 @@ import { decodeJwtExp } from './utils.js';
 // so the `claude` subprocess and git/npm still use the real home.
 const AUTH_DIR = process.env.GIPITY_DIR || join(homedir(), '.gipity');
 const AUTH_FILE = join(AUTH_DIR, 'auth.json');
+const AUTH_LOCK_FILE = join(AUTH_DIR, 'auth.lock');
 let cached = null;
 export function getAuth() {
     if (cached)
@@ -70,16 +71,65 @@ export function sessionExpired() {
     return Date.now() > exp * 1000;
 }
 const delay = (ms) => new Promise(r => setTimeout(r, ms));
+// ─── Cross-process refresh lock ────────────────────────────────
+// Serializes token refreshes across every `gipity` process that shares this
+// ~/.gipity/auth.json (foreground commands, the file-sync hook, the relay
+// daemon). Without it, siblings race to refresh the SINGLE-USE refresh token:
+// the first wins and rotates it, the rest submit the now-dead token and 401.
+// Retry-and-re-read alone left a window (a sibling could 401 before the winner
+// finished writing the file). Holding the lock closes that window — siblings
+// wait, then re-read and ADOPT the freshly-rotated token instead of refreshing.
+const LOCK_WAIT_MS = 10_000; // refresh is one quick round-trip; cap the wait
+const LOCK_POLL_MS = 100;
+/** Acquire the global auth-refresh lock. Returns a release fn, or null if we
+ *  couldn't get it within the wait window (caller then proceeds best-effort —
+ *  refresh must never block a command indefinitely). Mirrors sync.ts's advisory
+ *  lock: O_EXCL create, PID payload, stale-holder reclaim. Exported for tests. */
+export async function acquireRefreshLock() {
+    mkdirSync(AUTH_DIR, { recursive: true, mode: 0o700 });
+    const start = Date.now();
+    while (true) {
+        try {
+            const fd = openSync(AUTH_LOCK_FILE, 'wx'); // fails if the file exists
+            writeFileSync(fd, String(process.pid));
+            closeSync(fd);
+            return () => { try {
+                unlinkSync(AUTH_LOCK_FILE);
+            }
+            catch { /* already gone */ } };
+        }
+        catch {
+            // Lock held (or a transient create error). Reclaim it if the holder PID is dead.
+            try {
+                const pid = parseInt(readFileSync(AUTH_LOCK_FILE, 'utf-8').trim(), 10);
+                if (pid && !isNaN(pid)) {
+                    try {
+                        process.kill(pid, 0);
+                    }
+                    catch {
+                        try {
+                            unlinkSync(AUTH_LOCK_FILE);
+                        }
+                        catch { /* race */ }
+                        continue;
+                    }
+                }
+            }
+            catch { /* unreadable - retry */ }
+            if (Date.now() - start > LOCK_WAIT_MS)
+                return null; // give up waiting, proceed best-effort
+            await delay(LOCK_POLL_MS);
+        }
+    }
+}
 /** Renew the access token (5-min buffer) before an authenticated call, surviving
  *  the case that broke overnight fix-mode runs: MANY concurrent `gipity` processes
  *  (relay daemon, file-sync hook, parallel commands) sharing one ~/.gipity/auth.json.
  *  Refresh tokens are SINGLE-USE — the server rotates them, so when several siblings
- *  race to refresh the same token, the first wins and the rest get a 401. The old
- *  code trusted a stale in-process cache and, on that race, let the 401 reach the
- *  caller, whose handler called clearAuth() and DELETED the shared file — locking
- *  every sibling out mid-run ("Not logged in"). Fix: always read the file fresh, and
- *  retry the race/transient failures, re-reading each attempt so we ADOPT whatever
- *  token a sibling just rotated in rather than resubmitting the rotated-away one.
+ *  race to refresh the same token, the first wins and the rest get a 401. We guard
+ *  the refresh with a cross-process lock so only one sibling refreshes at a time; the
+ *  others wait, re-read the file, and ADOPT the freshly-rotated token. If the lock
+ *  can't be had in time we still try (re-reading first), so this never hangs a command.
  *  Stays void / never throws / never clears auth: a genuine dead token still flows to
  *  the caller's existing 401 path (which messages "run: gipity login"). */
 export async function refreshTokenIfNeeded() {
@@ -90,57 +140,71 @@ export async function refreshTokenIfNeeded() {
     const buffer = 5 * 60 * 1000; // refresh 5 min before the access token lapses
     const fresh = (a) => Date.now() <= new Date(a.expiresAt).getTime() - buffer;
     if (fresh(auth))
-        return;
+        return; // fast path: token still good, no lock needed
     // If the refresh token itself has expired, re-login is genuinely required; leave the
     // expired auth in place so the caller's existing 401 path prompts `gipity login`.
     const refreshExp = decodeJwtExp(auth.refreshToken);
     if (refreshExp && Date.now() > refreshExp * 1000)
         return;
-    const { resolveApiBase } = await import('./config.js');
-    const apiBase = resolveApiBase();
-    for (let attempt = 1; attempt <= 3; attempt++) {
-        const cur = readAuthFresh(); // a sibling may have just refreshed for us
-        if (cur && fresh(cur)) {
-            cached = cur;
+    // Serialize with sibling processes so we don't race the single-use refresh token.
+    const release = await acquireRefreshLock();
+    try {
+        // Re-check under the lock: a sibling may have refreshed while we waited.
+        const held = readAuthFresh();
+        if (held && fresh(held)) {
+            cached = held;
             return;
         }
-        const refreshToken = cur?.refreshToken ?? auth.refreshToken;
-        let res;
-        try {
-            res = await fetch(`${apiBase}/auth/refresh`, {
-                method: 'POST',
-                headers: { 'Content-Type': 'application/json' },
-                body: JSON.stringify({ refreshToken }),
-            });
-        }
-        catch {
-            await delay(attempt * 300);
-            continue; // network blip - retry
-        }
-        if (res.ok) {
-            const json = await res.json().catch(() => null);
-            const exp = json && decodeJwtExp(json.accessToken);
-            if (!json || !exp) {
+        const { resolveApiBase } = await import('./config.js');
+        const apiBase = resolveApiBase();
+        for (let attempt = 1; attempt <= 3; attempt++) {
+            const cur = readAuthFresh(); // a sibling may have just refreshed for us
+            if (cur && fresh(cur)) {
+                cached = cur;
+                return;
+            }
+            const refreshToken = cur?.refreshToken ?? auth.refreshToken;
+            let res;
+            try {
+                res = await fetch(`${apiBase}/auth/refresh`, {
+                    method: 'POST',
+                    headers: { 'Content-Type': 'application/json' },
+                    body: JSON.stringify({ refreshToken }),
+                });
+            }
+            catch {
                 await delay(attempt * 300);
-                continue;
+                continue; // network blip - retry
             }
-            saveAuth({ accessToken: json.accessToken, refreshToken: json.refreshToken, email: auth.email, expiresAt: new Date(exp * 1000).toISOString() });
-            return;
-        }
-        // 401/403 → the refresh token was rejected outright (it was rotated away by a
-        // sibling, or genuinely expired). Re-read once more in case a sibling's fresh
-        // token just landed; otherwise stop and let the caller's 401 path re-login.
-        if (res.status === 401 || res.status === 403) {
-            const after = readAuthFresh();
-            if (after && fresh(after)) {
-                cached = after;
+            if (res.ok) {
+                const json = await res.json().catch(() => null);
+                const exp = json && decodeJwtExp(json.accessToken);
+                if (!json || !exp) {
+                    await delay(attempt * 300);
+                    continue;
+                }
+                saveAuth({ accessToken: json.accessToken, refreshToken: json.refreshToken, email: auth.email, expiresAt: new Date(exp * 1000).toISOString() });
                 return;
             }
-            return;
+            // 401/403 → the refresh token was rejected outright (rotated away by a sibling
+            // that beat us to the lock, or genuinely expired). Re-read once more in case a
+            // sibling's fresh token just landed; otherwise stop and let the caller re-login.
+            if (res.status === 401 || res.status === 403) {
+                const after = readAuthFresh();
+                if (after && fresh(after)) {
+                    cached = after;
+                    return;
+                }
+                return;
+            }
+            await delay(attempt * 300); // 5xx / unexpected → transient, retry
         }
-        await delay(attempt * 300); // 5xx / unexpected → transient, retry
+        // Retries exhausted: leave the existing token. The caller's request will 401 and the
+        // existing handler messages the user — we never delete the shared auth.json here.
+    }
+    finally {
+        if (release)
+            release();
     }
-    // Retries exhausted: leave the existing token. The caller's request will 401 and the
-    // existing handler messages the user — we never delete the shared auth.json here.
 }
 //# sourceMappingURL=auth.js.map

package/dist/commands/claude.js

@@ -17,7 +17,7 @@ function resolveCommand(cmd) {
         return `${cmd}.cmd`;
     }
 }
-import { getAuth, saveAuth, clearAuth } from '../auth.js';
+import { getAuth, saveAuth } from '../auth.js';
 import { get, post, publicPost, ApiError, getAccountSlug } from '../api.js';
 import { getConfig, saveConfigAt, clearConfigCache, getApiBaseOverride, DEFAULT_API_BASE, getConfigPath } from '../config.js';
 import { sync } from '../sync.js';
@@ -339,7 +339,9 @@ export const claudeCommand = new Command('claude')
             }
             catch (err) {
                 if (err instanceof ApiError && err.statusCode === 401) {
-                    clearAuth();
+                    // Don't clearAuth() — the file is shared with concurrent gipity
+                    // processes (sync hook, relay); deleting it logs them all out. A
+                    // re-login overwrites it anyway. Leave it and just point the user.
                     console.error(`  ${clrError('Your session expired.')} ${muted('Run: gipity login')}`);
                 }
                 else {
@@ -480,7 +482,9 @@ export const claudeCommand = new Command('claude')
                         process.exit(1);
                     }
                     if (err instanceof ApiError && err.statusCode === 401 && !reauthed && !nonInteractive) {
-                        clearAuth();
+                        // No clearAuth(): interactiveLogin() saves fresh tokens over the
+                        // file. Deleting it first would log out any sibling process (sync
+                        // hook, relay) sharing this ~/.gipity/auth.json mid-run.
                         console.log(`  ${muted('Your session expired. Let\'s sign you back in.')}\n`);
                         auth = await interactiveLogin();
                         console.log('');
@@ -488,7 +492,7 @@ export const claudeCommand = new Command('claude')
                         continue;
                     }
                     if (err instanceof ApiError && err.statusCode === 401) {
-                        clearAuth();
+                        // Leave the shared auth.json in place (see above) — just message.
                         console.error(`  ${clrError('Your session expired.')}`);
                         console.error(`  ${muted('Run: gipity login')}`);
                         process.exit(1);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "gipity",
-  "version": "1.0.395",
+  "version": "1.0.396",
   "description": "The full-stack platform tuned for AI agents. Database, storage, auth, functions, deploy, and drop-in kits - all agent-tuned. Pair with Claude Code or use standalone.",
   "bin": {
     "gipity": "dist/updater/shim.js",
@@ -12,7 +12,7 @@
     "build": "tsc && chmod +x dist/index.js dist/gipcc.js dist/gipccd.js dist/updater/shim.js dist/updater/check.js",
     "dev": "tsc --watch",
     "test": "npm run test:smoke",
-    "test:smoke": "tsc && node --test dist/__tests__/utils.test.js dist/__tests__/colors.test.js dist/__tests__/config.test.js dist/__tests__/sync.test.js dist/__tests__/sync-apply.test.js dist/__tests__/sync-lock.test.js dist/__tests__/push-cas.test.js dist/__tests__/upload.test.js dist/__tests__/progress.test.js dist/__tests__/updater.test.js dist/__tests__/cli-smoke.test.js dist/__tests__/claude-noninteractive.test.js dist/__tests__/claude-trust.test.js dist/__tests__/relay-state.test.js dist/__tests__/relay-daemon.test.js dist/__tests__/relay-installers.test.js dist/__tests__/relay-bridge-abort.test.js dist/__tests__/relay-redact.test.js dist/__tests__/relay-machine-id.test.js dist/__tests__/stream-json.test.js dist/__tests__/relay-ingest-contract.test.js dist/__tests__/prompts.test.js dist/__tests__/capture-transcript.test.js dist/__tests__/flag-aliases.test.js dist/__tests__/adopt-cwd.test.js dist/__tests__/cli-cmd-agent.test.js dist/__tests__/cli-cmd-approval.test.js dist/__tests__/cli-cmd-audit.test.js dist/__tests__/cli-cmd-chat.test.js dist/__tests__/cli-cmd-credits.test.js dist/__tests__/cli-cmd-db.test.js dist/__tests__/cli-cmd-deploy.test.js dist/__tests__/cli-cmd-domain.test.js dist/__tests__/cli-cmd-email.test.js dist/__tests__/cli-cmd-file.test.js dist/__tests__/cli-cmd-fn.test.js dist/__tests__/cli-cmd-service.test.js dist/__tests__/cli-cmd-job.test.js dist/__tests__/cli-cmd-generate.test.js dist/__tests__/cli-cmd-gmail.test.js dist/__tests__/cli-cmd-info.test.js dist/__tests__/cli-cmd-init.test.js dist/__tests__/cli-cmd-location.test.js dist/__tests__/cli-cmd-text.test.js dist/__tests__/cli-cmd-login.test.js dist/__tests__/cli-cmd-logout.test.js dist/__tests__/cli-cmd-token.test.js dist/__tests__/cli-cmd-logs.test.js dist/__tests__/cli-cmd-memory.test.js dist/__tests__/cli-cmd-page.test.js dist/__tests__/cli-cmd-plan.test.js dist/__tests__/cli-cmd-project.test.js dist/__tests__/cli-cmd-rbac.test.js dist/__tests__/cli-cmd-realtime.test.js dist/__tests__/cli-cmd-records.test.js dist/__tests__/cli-cmd-relay.test.js dist/__tests__/cli-cmd-sandbox.test.js dist/__tests__/cli-cmd-add.test.js dist/__tests__/cli-cmd-remove.test.js dist/__tests__/cli-cmd-skill.test.js dist/__tests__/cli-cmd-test.test.js dist/__tests__/cli-cmd-workflow.test.js dist/__tests__/setup-skills-block.test.js dist/__tests__/setup-hooks.test.js",
+    "test:smoke": "tsc && node --test dist/__tests__/utils.test.js dist/__tests__/colors.test.js dist/__tests__/config.test.js dist/__tests__/sync.test.js dist/__tests__/sync-apply.test.js dist/__tests__/sync-lock.test.js dist/__tests__/auth-lock.test.js dist/__tests__/push-cas.test.js dist/__tests__/upload.test.js dist/__tests__/progress.test.js dist/__tests__/updater.test.js dist/__tests__/cli-smoke.test.js dist/__tests__/claude-noninteractive.test.js dist/__tests__/claude-trust.test.js dist/__tests__/relay-state.test.js dist/__tests__/relay-daemon.test.js dist/__tests__/relay-installers.test.js dist/__tests__/relay-bridge-abort.test.js dist/__tests__/relay-redact.test.js dist/__tests__/relay-machine-id.test.js dist/__tests__/stream-json.test.js dist/__tests__/relay-ingest-contract.test.js dist/__tests__/prompts.test.js dist/__tests__/capture-transcript.test.js dist/__tests__/flag-aliases.test.js dist/__tests__/adopt-cwd.test.js dist/__tests__/cli-cmd-agent.test.js dist/__tests__/cli-cmd-approval.test.js dist/__tests__/cli-cmd-audit.test.js dist/__tests__/cli-cmd-chat.test.js dist/__tests__/cli-cmd-credits.test.js dist/__tests__/cli-cmd-db.test.js dist/__tests__/cli-cmd-deploy.test.js dist/__tests__/cli-cmd-domain.test.js dist/__tests__/cli-cmd-email.test.js dist/__tests__/cli-cmd-file.test.js dist/__tests__/cli-cmd-fn.test.js dist/__tests__/cli-cmd-service.test.js dist/__tests__/cli-cmd-job.test.js dist/__tests__/cli-cmd-generate.test.js dist/__tests__/cli-cmd-gmail.test.js dist/__tests__/cli-cmd-info.test.js dist/__tests__/cli-cmd-init.test.js dist/__tests__/cli-cmd-location.test.js dist/__tests__/cli-cmd-text.test.js dist/__tests__/cli-cmd-login.test.js dist/__tests__/cli-cmd-logout.test.js dist/__tests__/cli-cmd-token.test.js dist/__tests__/cli-cmd-logs.test.js dist/__tests__/cli-cmd-memory.test.js dist/__tests__/cli-cmd-page.test.js dist/__tests__/cli-cmd-plan.test.js dist/__tests__/cli-cmd-project.test.js dist/__tests__/cli-cmd-rbac.test.js dist/__tests__/cli-cmd-realtime.test.js dist/__tests__/cli-cmd-records.test.js dist/__tests__/cli-cmd-relay.test.js dist/__tests__/cli-cmd-sandbox.test.js dist/__tests__/cli-cmd-add.test.js dist/__tests__/cli-cmd-remove.test.js dist/__tests__/cli-cmd-skill.test.js dist/__tests__/cli-cmd-test.test.js dist/__tests__/cli-cmd-workflow.test.js dist/__tests__/setup-skills-block.test.js dist/__tests__/setup-hooks.test.js",
     "test:e2e": "tsc && GIPITY_E2E=1 node --test --test-timeout=180000 dist/__tests__/cli-e2e-live.test.js dist/__tests__/cli-e2e-services-media-live.test.js dist/__tests__/cli-e2e-workflow-live.test.js dist/__tests__/cli-e2e-sandbox-live.test.js dist/__tests__/cli-e2e-page-fetch-live.test.js dist/__tests__/cli-e2e-page-test-live.test.js",
     "test:e2e:sandbox": "tsc && GIPITY_E2E=1 node --test --test-timeout=180000 dist/__tests__/cli-e2e-sandbox-live.test.js"
   },