langsmith 0.7.4 → 0.7.6

package/dist/evaluation/evaluate_comparative.cjs

@@ -224,5 +224,5 @@ async function evaluateComparative(experiments, options) {
     });
     const results = await Promise.all(promises);
     await client.awaitPendingTraceBatches();
-    return { experimentName, results };
+    return { experimentName, results, url: viewUrl, comparativeExperiment };
 }

package/dist/evaluation/evaluate_comparative.d.ts

@@ -1,5 +1,5 @@
 import { Client } from "../index.js";
-import { ComparisonEvaluationResult as ComparisonEvaluationResultRow, Example, Run } from "../schemas.js";
+import { ComparativeExperiment, ComparisonEvaluationResult as ComparisonEvaluationResultRow, Example, Run } from "../schemas.js";
 import { evaluate } from "./index.js";
 type ExperimentResults = Awaited<ReturnType<typeof evaluate>>;
 /** @deprecated Use ComparativeEvaluatorNew instead: (args: { runs, example, inputs, outputs, referenceOutputs }) => ... */
@@ -54,8 +54,14 @@ export interface EvaluateComparativeOptions {
     maxConcurrency?: number;
 }
 export interface ComparisonEvaluationResults {
+    /** The name of the comparative experiment. */
     experimentName: string;
+    /** The per-example comparison results. */
     results: ComparisonEvaluationResultRow[];
+    /** URL of the pairwise comparison view in the LangSmith UI, if available. */
+    url: string | null;
+    /** The comparative experiment, exposing its id, dataset, and metadata. */
+    comparativeExperiment: ComparativeExperiment;
 }
 /** @deprecated Use `evaluate` and pass two experiments as targets. */
 export declare function evaluateComparative(experiments: Array<string> | Array<Promise<ExperimentResults> | ExperimentResults>, options: EvaluateComparativeOptions): Promise<ComparisonEvaluationResults>;

package/dist/evaluation/evaluate_comparative.js

@@ -218,5 +218,5 @@ export async function evaluateComparative(experiments, options) {
     });
     const results = await Promise.all(promises);
     await client.awaitPendingTraceBatches();
-    return { experimentName, results };
+    return { experimentName, results, url: viewUrl, comparativeExperiment };
 }

package/dist/index.cjs

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.__version__ = exports.promptCacheSingleton = exports.configureGlobalPromptCache = exports.PromptCache = exports.Cache = exports.uuid7FromTime = exports.uuid7 = exports.getDefaultProjectName = exports.overrideFetchImplementation = exports.RunTree = exports.Client = void 0;
+exports.LS_MESSAGE_VIEW_EXCLUDE = exports.__version__ = exports.promptCacheSingleton = exports.configureGlobalPromptCache = exports.PromptCache = exports.Cache = exports.uuid7FromTime = exports.uuid7 = exports.getDefaultProjectName = exports.overrideFetchImplementation = exports.RunTree = exports.Client = void 0;
 var client_js_1 = require("./client.cjs");
 Object.defineProperty(exports, "Client", { enumerable: true, get: function () { return client_js_1.Client; } });
 var run_trees_js_1 = require("./run_trees.cjs");
@@ -18,4 +18,6 @@ Object.defineProperty(exports, "PromptCache", { enumerable: true, get: function
 Object.defineProperty(exports, "configureGlobalPromptCache", { enumerable: true, get: function () { return index_js_1.configureGlobalPromptCache; } });
 Object.defineProperty(exports, "promptCacheSingleton", { enumerable: true, get: function () { return index_js_1.promptCacheSingleton; } });
 // Update using pnpm bump-version
-exports.__version__ = "0.7.4";
+exports.__version__ = "0.7.6";
+// Metadata key to hide a traced run from LangSmith's Messages View.
+exports.LS_MESSAGE_VIEW_EXCLUDE = "ls_message_view_exclude";

package/dist/index.d.ts

@@ -5,4 +5,5 @@ export { overrideFetchImplementation } from "./singletons/fetch.js";
 export { getDefaultProjectName } from "./utils/project.js";
 export { uuid7, uuid7FromTime } from "./uuid.js";
 export { Cache, PromptCache, type CacheConfig, type CacheMetrics, configureGlobalPromptCache, promptCacheSingleton, } from "./utils/prompt_cache/index.js";
-export declare const __version__ = "0.7.4";
+export declare const __version__ = "0.7.6";
+export declare const LS_MESSAGE_VIEW_EXCLUDE: "ls_message_view_exclude";

package/dist/index.js

@@ -5,4 +5,6 @@ export { getDefaultProjectName } from "./utils/project.js";
 export { uuid7, uuid7FromTime } from "./uuid.js";
 export { Cache, PromptCache, configureGlobalPromptCache, promptCacheSingleton, } from "./utils/prompt_cache/index.js";
 // Update using pnpm bump-version
-export const __version__ = "0.7.4";
+export const __version__ = "0.7.6";
+// Metadata key to hide a traced run from LangSmith's Messages View.
+export const LS_MESSAGE_VIEW_EXCLUDE = "ls_message_view_exclude";

package/dist/sandbox/index.cjs

@@ -29,7 +29,7 @@
  * @packageDocumentation
  */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.LangSmithDataplaneNotConfiguredError = exports.LangSmithCommandTimeoutError = exports.LangSmithSandboxOperationError = exports.LangSmithSandboxNotReadyError = exports.LangSmithSandboxCreationError = exports.LangSmithResourceCreationError = exports.LangSmithQuotaExceededError = exports.LangSmithValidationError = exports.LangSmithResourceNameConflictError = exports.LangSmithResourceAlreadyExistsError = exports.LangSmithResourceInUseError = exports.LangSmithResourceTimeoutError = exports.LangSmithResourceNotFoundError = exports.LangSmithSandboxServerReloadError = exports.LangSmithSandboxConnectionError = exports.LangSmithSandboxAuthenticationError = exports.LangSmithSandboxAPIError = exports.LangSmithSandboxError = exports.CommandHandle = exports.Sandbox = exports.SandboxClient = void 0;
+exports.LangSmithDataplaneNotConfiguredError = exports.LangSmithCommandTimeoutError = exports.LangSmithSandboxOperationError = exports.LangSmithSandboxNotReadyError = exports.LangSmithSandboxCreationError = exports.LangSmithResourceCreationError = exports.LangSmithQuotaExceededError = exports.LangSmithValidationError = exports.LangSmithResourceNameConflictError = exports.LangSmithResourceAlreadyExistsError = exports.LangSmithResourceInUseError = exports.LangSmithResourceTimeoutError = exports.LangSmithResourceNotFoundError = exports.LangSmithSandboxServerReloadError = exports.LangSmithSandboxConnectionError = exports.LangSmithSandboxAuthenticationError = exports.LangSmithSandboxAPIError = exports.LangSmithSandboxError = exports.workspaceSecret = exports.opaqueSecret = exports.awsAuthProxyConfig = exports.CommandHandle = exports.Sandbox = exports.SandboxClient = void 0;
 // Main classes
 var client_js_1 = require("./client.cjs");
 Object.defineProperty(exports, "SandboxClient", { enumerable: true, get: function () { return client_js_1.SandboxClient; } });
@@ -37,6 +37,10 @@ var sandbox_js_1 = require("./sandbox.cjs");
 Object.defineProperty(exports, "Sandbox", { enumerable: true, get: function () { return sandbox_js_1.Sandbox; } });
 var command_handle_js_1 = require("./command_handle.cjs");
 Object.defineProperty(exports, "CommandHandle", { enumerable: true, get: function () { return command_handle_js_1.CommandHandle; } });
+var proxy_config_js_1 = require("./proxy_config.cjs");
+Object.defineProperty(exports, "awsAuthProxyConfig", { enumerable: true, get: function () { return proxy_config_js_1.awsAuthProxyConfig; } });
+Object.defineProperty(exports, "opaqueSecret", { enumerable: true, get: function () { return proxy_config_js_1.opaqueSecret; } });
+Object.defineProperty(exports, "workspaceSecret", { enumerable: true, get: function () { return proxy_config_js_1.workspaceSecret; } });
 // Errors
 var errors_js_1 = require("./errors.cjs");
 // Base and connection errors

package/dist/sandbox/index.d.ts

@@ -30,5 +30,6 @@
 export { SandboxClient } from "./client.js";
 export { Sandbox } from "./sandbox.js";
 export { CommandHandle } from "./command_handle.js";
-export type { ExecutionResult, OutputChunk, WsMessage, WsRunOptions, ResourceStatus, Snapshot, SandboxData, SandboxClientConfig, RunOptions, CreateSandboxOptions, SandboxAccessControl, SandboxProxyConfig, CreateSnapshotOptions, CreateDockerfileSnapshotOptions, CaptureSnapshotOptions, ListSnapshotsOptions, WaitForSnapshotOptions, StartSandboxOptions, UpdateSandboxOptions, WaitForSandboxOptions, } from "./types.js";
+export { awsAuthProxyConfig, opaqueSecret, workspaceSecret, } from "./proxy_config.js";
+export type { ExecutionResult, OutputChunk, WsMessage, WsRunOptions, ResourceStatus, Snapshot, SandboxData, SandboxClientConfig, RunOptions, CreateSandboxOptions, SandboxAccessControl, SandboxAwsAuthRule, SandboxProxyConfig, SandboxProxySecret, CreateSnapshotOptions, CreateDockerfileSnapshotOptions, CaptureSnapshotOptions, ListSnapshotsOptions, WaitForSnapshotOptions, StartSandboxOptions, UpdateSandboxOptions, WaitForSandboxOptions, } from "./types.js";
 export { LangSmithSandboxError, LangSmithSandboxAPIError, LangSmithSandboxAuthenticationError, LangSmithSandboxConnectionError, LangSmithSandboxServerReloadError, LangSmithResourceNotFoundError, LangSmithResourceTimeoutError, LangSmithResourceInUseError, LangSmithResourceAlreadyExistsError, LangSmithResourceNameConflictError, LangSmithValidationError, LangSmithQuotaExceededError, LangSmithResourceCreationError, LangSmithSandboxCreationError, LangSmithSandboxNotReadyError, LangSmithSandboxOperationError, LangSmithCommandTimeoutError, LangSmithDataplaneNotConfiguredError, } from "./errors.js";

package/dist/sandbox/index.js

@@ -31,6 +31,7 @@
 export { SandboxClient } from "./client.js";
 export { Sandbox } from "./sandbox.js";
 export { CommandHandle } from "./command_handle.js";
+export { awsAuthProxyConfig, opaqueSecret, workspaceSecret, } from "./proxy_config.js";
 // Errors
 export { 
 // Base and connection errors

package/dist/sandbox/proxy_config.cjs

@@ -0,0 +1,47 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.workspaceSecret = workspaceSecret;
+exports.opaqueSecret = opaqueSecret;
+exports.awsAuthProxyConfig = awsAuthProxyConfig;
+function requireNonEmptyString(value, field) {
+    if (typeof value !== "string" || value.trim() === "") {
+        throw new Error(`${field} must be a non-empty string`);
+    }
+    return value.trim();
+}
+/** Reference a LangSmith workspace secret in a sandbox proxy configuration. */
+function workspaceSecret(name) {
+    const normalized = requireNonEmptyString(name, "name");
+    const startsWithBrace = normalized.startsWith("{");
+    const endsWithBrace = normalized.endsWith("}");
+    if (startsWithBrace !== endsWithBrace) {
+        throw new Error("workspace secret must be a name or a {NAME} reference");
+    }
+    if (startsWithBrace && normalized.slice(1, -1).trim() === "") {
+        throw new Error("workspace secret reference must contain a name");
+    }
+    return {
+        type: "workspace_secret",
+        value: startsWithBrace ? normalized : `{${normalized}}`,
+    };
+}
+/** Provide a write-only secret value for a sandbox proxy configuration. */
+function opaqueSecret(value) {
+    return {
+        type: "opaque",
+        value: requireNonEmptyString(value, "value"),
+    };
+}
+/** Build a sandbox proxy config that signs AWS HTTPS requests with SigV4. */
+function awsAuthProxyConfig({ accessKeyId, secretAccessKey, name = "aws", enabled = true, }) {
+    const rule = {
+        name: requireNonEmptyString(name, "name"),
+        type: "aws",
+        enabled,
+        aws: {
+            access_key_id: accessKeyId,
+            secret_access_key: secretAccessKey,
+        },
+    };
+    return { rules: [rule] };
+}

package/dist/sandbox/proxy_config.d.ts

@@ -0,0 +1,12 @@
+import type { SandboxProxyConfig, SandboxProxySecret } from "./types.js";
+/** Reference a LangSmith workspace secret in a sandbox proxy configuration. */
+export declare function workspaceSecret(name: string): SandboxProxySecret;
+/** Provide a write-only secret value for a sandbox proxy configuration. */
+export declare function opaqueSecret(value: string): SandboxProxySecret;
+/** Build a sandbox proxy config that signs AWS HTTPS requests with SigV4. */
+export declare function awsAuthProxyConfig({ accessKeyId, secretAccessKey, name, enabled, }: {
+    accessKeyId: SandboxProxySecret;
+    secretAccessKey: SandboxProxySecret;
+    name?: string;
+    enabled?: boolean;
+}): SandboxProxyConfig;

package/dist/sandbox/proxy_config.js

@@ -0,0 +1,42 @@
+function requireNonEmptyString(value, field) {
+    if (typeof value !== "string" || value.trim() === "") {
+        throw new Error(`${field} must be a non-empty string`);
+    }
+    return value.trim();
+}
+/** Reference a LangSmith workspace secret in a sandbox proxy configuration. */
+export function workspaceSecret(name) {
+    const normalized = requireNonEmptyString(name, "name");
+    const startsWithBrace = normalized.startsWith("{");
+    const endsWithBrace = normalized.endsWith("}");
+    if (startsWithBrace !== endsWithBrace) {
+        throw new Error("workspace secret must be a name or a {NAME} reference");
+    }
+    if (startsWithBrace && normalized.slice(1, -1).trim() === "") {
+        throw new Error("workspace secret reference must contain a name");
+    }
+    return {
+        type: "workspace_secret",
+        value: startsWithBrace ? normalized : `{${normalized}}`,
+    };
+}
+/** Provide a write-only secret value for a sandbox proxy configuration. */
+export function opaqueSecret(value) {
+    return {
+        type: "opaque",
+        value: requireNonEmptyString(value, "value"),
+    };
+}
+/** Build a sandbox proxy config that signs AWS HTTPS requests with SigV4. */
+export function awsAuthProxyConfig({ accessKeyId, secretAccessKey, name = "aws", enabled = true, }) {
+    const rule = {
+        name: requireNonEmptyString(name, "name"),
+        type: "aws",
+        enabled,
+        aws: {
+            access_key_id: accessKeyId,
+            secret_access_key: secretAccessKey,
+        },
+    };
+    return { rules: [rule] };
+}

package/dist/sandbox/types.d.ts

@@ -249,6 +249,27 @@ export interface SandboxAccessControl {
     /** Hosts the sandbox is blocked from reaching. */
     deny_list?: string[];
 }
+/** Secret value reference for sandbox proxy rules. */
+export interface SandboxProxySecret {
+    /** `workspace_secret` references a workspace secret; `opaque` is write-only. */
+    type: "workspace_secret" | "opaque";
+    /** Workspace secret reference or opaque secret value. */
+    value: string;
+}
+/** AWS auth rule for sandbox proxy SigV4 signing. */
+export interface SandboxAwsAuthRule {
+    /** Rule name. */
+    name: string;
+    /** AWS auth rules are matched by the sandbox proxy's AWS endpoint matcher. */
+    type: "aws";
+    /** Whether the rule is enabled. */
+    enabled?: boolean;
+    /** AWS credentials used by the proxy signer. */
+    aws: {
+        access_key_id: SandboxProxySecret;
+        secret_access_key: SandboxProxySecret;
+    };
+}
 /**
  * Full proxy configuration forwarded to the sandbox server as-is (snake_case
  * so it's wire-compatible with the backend). Mirrors the server's
@@ -312,7 +333,8 @@ export interface CreateSandboxOptions {
      * Per-sandbox proxy configuration. Use
      * `{ access_control: { allow_list: ["github.com", "*.example.com"] } }`
      * to restrict outbound HTTPS to a set of host patterns. Forwarded to the
-     * server as-is on the wire.
+     * server as-is on the wire. Use `awsAuthProxyConfig` to let the proxy sign
+     * supported AWS HTTPS requests on the sandbox's behalf.
      */
     proxyConfig?: SandboxProxyConfig;
 }

package/dist/utils/fs.browser.cjs

@@ -20,6 +20,9 @@ exports.writeFileSync = writeFileSync;
 exports.renameSync = renameSync;
 exports.unlinkSync = unlinkSync;
 exports.readFileSync = readFileSync;
+exports.mkdirExclusive = mkdirExclusive;
+exports.statMtimeMs = statMtimeMs;
+exports.rmRecursive = rmRecursive;
 exports.path = {
     join: (...parts) => parts.join("/"),
     dirname: (p) => p.split("/").slice(0, -1).join("/"),
@@ -49,3 +52,11 @@ function unlinkSync(_filePath) { }
 function readFileSync(_filePath) {
     return "";
 }
+// ---------------------------------------------------------------------------
+// Lock primitives – no-op / safe defaults in browser
+// ---------------------------------------------------------------------------
+async function mkdirExclusive(_dir) { }
+function statMtimeMs(_filePath) {
+    return undefined;
+}
+async function rmRecursive(_filePath) { }

package/dist/utils/fs.browser.d.ts

@@ -23,3 +23,6 @@ export declare function writeFileSync(_filePath: string, _content: string): void
 export declare function renameSync(_oldPath: string, _newPath: string): void;
 export declare function unlinkSync(_filePath: string): void;
 export declare function readFileSync(_filePath: string): string;
+export declare function mkdirExclusive(_dir: string): Promise<void>;
+export declare function statMtimeMs(_filePath: string): number | undefined;
+export declare function rmRecursive(_filePath: string): Promise<void>;

package/dist/utils/fs.browser.js

@@ -35,3 +35,11 @@ export function unlinkSync(_filePath) { }
 export function readFileSync(_filePath) {
     return "";
 }
+// ---------------------------------------------------------------------------
+// Lock primitives – no-op / safe defaults in browser
+// ---------------------------------------------------------------------------
+export async function mkdirExclusive(_dir) { }
+export function statMtimeMs(_filePath) {
+    return undefined;
+}
+export async function rmRecursive(_filePath) { }

package/dist/utils/fs.cjs

@@ -51,6 +51,9 @@ exports.writeFileSync = writeFileSync;
 exports.renameSync = renameSync;
 exports.unlinkSync = unlinkSync;
 exports.readFileSync = readFileSync;
+exports.mkdirExclusive = mkdirExclusive;
+exports.statMtimeMs = statMtimeMs;
+exports.rmRecursive = rmRecursive;
 const nodeFs = __importStar(require("node:fs"));
 const nodeFsPromises = __importStar(require("node:fs/promises"));
 const nodePath = __importStar(require("node:path"));
@@ -99,3 +102,22 @@ function unlinkSync(filePath) {
 function readFileSync(filePath) {
     return nodeFs.readFileSync(filePath, "utf-8");
 }
+// ---------------------------------------------------------------------------
+// Lock primitives (used by the OAuth refresh directory lock)
+// ---------------------------------------------------------------------------
+async function mkdirExclusive(dir) {
+    // Non-recursive mkdir throws EEXIST if the directory already exists, which
+    // is the atomic test-and-set the cross-process lock relies on.
+    await nodeFsPromises.mkdir(dir, { mode: 0o700 });
+}
+function statMtimeMs(filePath) {
+    try {
+        return nodeFs.statSync(filePath).mtimeMs;
+    }
+    catch {
+        return undefined;
+    }
+}
+async function rmRecursive(filePath) {
+    await nodeFsPromises.rm(filePath, { recursive: true, force: true });
+}

package/dist/utils/fs.d.ts

@@ -19,3 +19,6 @@ export declare function writeFileSync(filePath: string, content: string): void;
 export declare function renameSync(oldPath: string, newPath: string): void;
 export declare function unlinkSync(filePath: string): void;
 export declare function readFileSync(filePath: string): string;
+export declare function mkdirExclusive(dir: string): Promise<void>;
+export declare function statMtimeMs(filePath: string): number | undefined;
+export declare function rmRecursive(filePath: string): Promise<void>;

package/dist/utils/fs.js

@@ -52,3 +52,22 @@ export function unlinkSync(filePath) {
 export function readFileSync(filePath) {
     return nodeFs.readFileSync(filePath, "utf-8");
 }
+// ---------------------------------------------------------------------------
+// Lock primitives (used by the OAuth refresh directory lock)
+// ---------------------------------------------------------------------------
+export async function mkdirExclusive(dir) {
+    // Non-recursive mkdir throws EEXIST if the directory already exists, which
+    // is the atomic test-and-set the cross-process lock relies on.
+    await nodeFsPromises.mkdir(dir, { mode: 0o700 });
+}
+export function statMtimeMs(filePath) {
+    try {
+        return nodeFs.statSync(filePath).mtimeMs;
+    }
+    catch {
+        return undefined;
+    }
+}
+export async function rmRecursive(filePath) {
+    await nodeFsPromises.rm(filePath, { recursive: true, force: true });
+}

package/dist/utils/profile-lock.cjs

@@ -0,0 +1,140 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports._internal = void 0;
+exports.acquireOAuthRefreshLock = acquireOAuthRefreshLock;
+const fsUtils = __importStar(require("./fs.cjs"));
+const LOCK_POLL_INTERVAL_MS = 10;
+const LOCK_STALE_AFTER_MS = 10_000;
+const LOCK_METADATA_FILE = "created_at";
+function sleep(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}
+function isEEXIST(err) {
+    return (typeof err === "object" &&
+        err !== null &&
+        err.code === "EEXIST");
+}
+function lockMetadataLines(lockDir) {
+    try {
+        return fsUtils
+            .readFileSync(fsUtils.path.join(lockDir, LOCK_METADATA_FILE))
+            .split("\n");
+    }
+    catch {
+        return undefined;
+    }
+}
+function lockCreatedAtMs(lockDir) {
+    const lines = lockMetadataLines(lockDir);
+    if (lines && lines[0] && lines[0].trim()) {
+        const parsed = Date.parse(lines[0].trim());
+        if (!Number.isNaN(parsed)) {
+            return parsed;
+        }
+    }
+    return fsUtils.statMtimeMs(lockDir);
+}
+function lockOwner(lockDir) {
+    const lines = lockMetadataLines(lockDir);
+    if (lines && lines.length >= 2 && lines[1].trim()) {
+        return lines[1].trim();
+    }
+    return undefined;
+}
+async function removeStaleLock(lockDir) {
+    const createdAt = lockCreatedAtMs(lockDir);
+    if (createdAt === undefined ||
+        Date.now() - createdAt <= LOCK_STALE_AFTER_MS) {
+        return false;
+    }
+    await fsUtils.rmRecursive(lockDir);
+    return true;
+}
+/**
+ * Acquire an exclusive cross-process lock for refreshing OAuth tokens.
+ *
+ * Uses an atomic-`mkdir` directory lock at `<configPath>.oauth.lock.lock` with a
+ * stale-break heuristic and owner-checked release, mirroring langsmith-go's
+ * non-POSIX path. `deadline` is a `Date.now()`-based timestamp; acquisition
+ * rejects once it passes. Callers treat any rejection as "skip refresh, use the
+ * current token".
+ */
+async function acquireOAuthRefreshLock(configPath, deadline) {
+    const lockDir = `${configPath}.oauth.lock.lock`;
+    const parent = fsUtils.path.dirname(lockDir);
+    if (parent) {
+        await fsUtils.mkdir(parent);
+    }
+    const owner = globalThis.crypto.randomUUID();
+    for (;;) {
+        try {
+            await fsUtils.mkdirExclusive(lockDir);
+        }
+        catch (err) {
+            if (!isEEXIST(err)) {
+                throw err;
+            }
+            if (!(await removeStaleLock(lockDir))) {
+                if (Date.now() >= deadline) {
+                    throw new Error("timed out acquiring OAuth refresh lock");
+                }
+                await sleep(Math.min(LOCK_POLL_INTERVAL_MS, Math.max(0, deadline - Date.now())));
+            }
+            continue;
+        }
+        try {
+            await fsUtils.writeFileAtomic(fsUtils.path.join(lockDir, LOCK_METADATA_FILE), `${new Date().toISOString()}\n${owner}\n`);
+        }
+        catch (err) {
+            await fsUtils.rmRecursive(lockDir);
+            throw err;
+        }
+        break;
+    }
+    return {
+        async release() {
+            if (lockOwner(lockDir) === owner) {
+                await fsUtils.rmRecursive(lockDir);
+            }
+        },
+    };
+}
+// Exposed for tests only.
+exports._internal = {
+    LOCK_METADATA_FILE,
+    LOCK_STALE_AFTER_MS,
+    lockOwner,
+};

package/dist/utils/profile-lock.d.ts

@@ -0,0 +1,20 @@
+export interface OAuthRefreshLock {
+    release(): Promise<void>;
+}
+declare function lockOwner(lockDir: string): string | undefined;
+/**
+ * Acquire an exclusive cross-process lock for refreshing OAuth tokens.
+ *
+ * Uses an atomic-`mkdir` directory lock at `<configPath>.oauth.lock.lock` with a
+ * stale-break heuristic and owner-checked release, mirroring langsmith-go's
+ * non-POSIX path. `deadline` is a `Date.now()`-based timestamp; acquisition
+ * rejects once it passes. Callers treat any rejection as "skip refresh, use the
+ * current token".
+ */
+export declare function acquireOAuthRefreshLock(configPath: string, deadline: number): Promise<OAuthRefreshLock>;
+export declare const _internal: {
+    LOCK_METADATA_FILE: string;
+    LOCK_STALE_AFTER_MS: number;
+    lockOwner: typeof lockOwner;
+};
+export {};

package/dist/utils/profile-lock.js

@@ -0,0 +1,103 @@
+import * as fsUtils from "./fs.js";
+const LOCK_POLL_INTERVAL_MS = 10;
+const LOCK_STALE_AFTER_MS = 10_000;
+const LOCK_METADATA_FILE = "created_at";
+function sleep(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}
+function isEEXIST(err) {
+    return (typeof err === "object" &&
+        err !== null &&
+        err.code === "EEXIST");
+}
+function lockMetadataLines(lockDir) {
+    try {
+        return fsUtils
+            .readFileSync(fsUtils.path.join(lockDir, LOCK_METADATA_FILE))
+            .split("\n");
+    }
+    catch {
+        return undefined;
+    }
+}
+function lockCreatedAtMs(lockDir) {
+    const lines = lockMetadataLines(lockDir);
+    if (lines && lines[0] && lines[0].trim()) {
+        const parsed = Date.parse(lines[0].trim());
+        if (!Number.isNaN(parsed)) {
+            return parsed;
+        }
+    }
+    return fsUtils.statMtimeMs(lockDir);
+}
+function lockOwner(lockDir) {
+    const lines = lockMetadataLines(lockDir);
+    if (lines && lines.length >= 2 && lines[1].trim()) {
+        return lines[1].trim();
+    }
+    return undefined;
+}
+async function removeStaleLock(lockDir) {
+    const createdAt = lockCreatedAtMs(lockDir);
+    if (createdAt === undefined ||
+        Date.now() - createdAt <= LOCK_STALE_AFTER_MS) {
+        return false;
+    }
+    await fsUtils.rmRecursive(lockDir);
+    return true;
+}
+/**
+ * Acquire an exclusive cross-process lock for refreshing OAuth tokens.
+ *
+ * Uses an atomic-`mkdir` directory lock at `<configPath>.oauth.lock.lock` with a
+ * stale-break heuristic and owner-checked release, mirroring langsmith-go's
+ * non-POSIX path. `deadline` is a `Date.now()`-based timestamp; acquisition
+ * rejects once it passes. Callers treat any rejection as "skip refresh, use the
+ * current token".
+ */
+export async function acquireOAuthRefreshLock(configPath, deadline) {
+    const lockDir = `${configPath}.oauth.lock.lock`;
+    const parent = fsUtils.path.dirname(lockDir);
+    if (parent) {
+        await fsUtils.mkdir(parent);
+    }
+    const owner = globalThis.crypto.randomUUID();
+    for (;;) {
+        try {
+            await fsUtils.mkdirExclusive(lockDir);
+        }
+        catch (err) {
+            if (!isEEXIST(err)) {
+                throw err;
+            }
+            if (!(await removeStaleLock(lockDir))) {
+                if (Date.now() >= deadline) {
+                    throw new Error("timed out acquiring OAuth refresh lock");
+                }
+                await sleep(Math.min(LOCK_POLL_INTERVAL_MS, Math.max(0, deadline - Date.now())));
+            }
+            continue;
+        }
+        try {
+            await fsUtils.writeFileAtomic(fsUtils.path.join(lockDir, LOCK_METADATA_FILE), `${new Date().toISOString()}\n${owner}\n`);
+        }
+        catch (err) {
+            await fsUtils.rmRecursive(lockDir);
+            throw err;
+        }
+        break;
+    }
+    return {
+        async release() {
+            if (lockOwner(lockDir) === owner) {
+                await fsUtils.rmRecursive(lockDir);
+            }
+        },
+    };
+}
+// Exposed for tests only.
+export const _internal = {
+    LOCK_METADATA_FILE,
+    LOCK_STALE_AFTER_MS,
+    lockOwner,
+};