langsmith 0.7.5 → 0.7.7

package/dist/sandbox/proxy_config.cjs

@@ -0,0 +1,47 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.workspaceSecret = workspaceSecret;
+exports.opaqueSecret = opaqueSecret;
+exports.awsAuthProxyConfig = awsAuthProxyConfig;
+function requireNonEmptyString(value, field) {
+    if (typeof value !== "string" || value.trim() === "") {
+        throw new Error(`${field} must be a non-empty string`);
+    }
+    return value.trim();
+}
+/** Reference a LangSmith workspace secret in a sandbox proxy configuration. */
+function workspaceSecret(name) {
+    const normalized = requireNonEmptyString(name, "name");
+    const startsWithBrace = normalized.startsWith("{");
+    const endsWithBrace = normalized.endsWith("}");
+    if (startsWithBrace !== endsWithBrace) {
+        throw new Error("workspace secret must be a name or a {NAME} reference");
+    }
+    if (startsWithBrace && normalized.slice(1, -1).trim() === "") {
+        throw new Error("workspace secret reference must contain a name");
+    }
+    return {
+        type: "workspace_secret",
+        value: startsWithBrace ? normalized : `{${normalized}}`,
+    };
+}
+/** Provide a write-only secret value for a sandbox proxy configuration. */
+function opaqueSecret(value) {
+    return {
+        type: "opaque",
+        value: requireNonEmptyString(value, "value"),
+    };
+}
+/** Build a sandbox proxy config that signs AWS HTTPS requests with SigV4. */
+function awsAuthProxyConfig({ accessKeyId, secretAccessKey, name = "aws", enabled = true, }) {
+    const rule = {
+        name: requireNonEmptyString(name, "name"),
+        type: "aws",
+        enabled,
+        aws: {
+            access_key_id: accessKeyId,
+            secret_access_key: secretAccessKey,
+        },
+    };
+    return { rules: [rule] };
+}

package/dist/sandbox/proxy_config.d.ts

@@ -0,0 +1,12 @@
+import type { SandboxProxyConfig, SandboxProxySecret } from "./types.js";
+/** Reference a LangSmith workspace secret in a sandbox proxy configuration. */
+export declare function workspaceSecret(name: string): SandboxProxySecret;
+/** Provide a write-only secret value for a sandbox proxy configuration. */
+export declare function opaqueSecret(value: string): SandboxProxySecret;
+/** Build a sandbox proxy config that signs AWS HTTPS requests with SigV4. */
+export declare function awsAuthProxyConfig({ accessKeyId, secretAccessKey, name, enabled, }: {
+    accessKeyId: SandboxProxySecret;
+    secretAccessKey: SandboxProxySecret;
+    name?: string;
+    enabled?: boolean;
+}): SandboxProxyConfig;

package/dist/sandbox/proxy_config.js

@@ -0,0 +1,42 @@
+function requireNonEmptyString(value, field) {
+    if (typeof value !== "string" || value.trim() === "") {
+        throw new Error(`${field} must be a non-empty string`);
+    }
+    return value.trim();
+}
+/** Reference a LangSmith workspace secret in a sandbox proxy configuration. */
+export function workspaceSecret(name) {
+    const normalized = requireNonEmptyString(name, "name");
+    const startsWithBrace = normalized.startsWith("{");
+    const endsWithBrace = normalized.endsWith("}");
+    if (startsWithBrace !== endsWithBrace) {
+        throw new Error("workspace secret must be a name or a {NAME} reference");
+    }
+    if (startsWithBrace && normalized.slice(1, -1).trim() === "") {
+        throw new Error("workspace secret reference must contain a name");
+    }
+    return {
+        type: "workspace_secret",
+        value: startsWithBrace ? normalized : `{${normalized}}`,
+    };
+}
+/** Provide a write-only secret value for a sandbox proxy configuration. */
+export function opaqueSecret(value) {
+    return {
+        type: "opaque",
+        value: requireNonEmptyString(value, "value"),
+    };
+}
+/** Build a sandbox proxy config that signs AWS HTTPS requests with SigV4. */
+export function awsAuthProxyConfig({ accessKeyId, secretAccessKey, name = "aws", enabled = true, }) {
+    const rule = {
+        name: requireNonEmptyString(name, "name"),
+        type: "aws",
+        enabled,
+        aws: {
+            access_key_id: accessKeyId,
+            secret_access_key: secretAccessKey,
+        },
+    };
+    return { rules: [rule] };
+}

package/dist/sandbox/sandbox.cjs

@@ -225,7 +225,7 @@ class Sandbox {
      * @internal
      */
     async _runWs(command, options = {}) {
-        const { timeout = 60, env, cwd, shell = "/bin/bash", onStdout, onStderr, idleTimeout, killOnDisconnect, ttlSeconds, pty, } = options;
+        const { timeout = 60, env, cwd, shell = "/bin/bash", onStdout, onStderr, commandId, idleTimeout, killOnDisconnect, ttlSeconds, pty, } = options;
         const dataplaneUrl = this.requireDataplaneUrl();
         const clientHeaders = this._client.getDefaultHeaders();
         const [stream, control] = await (0, ws_execute_js_1.runWsStream)(dataplaneUrl, this._client.getApiKey(), command, {
@@ -233,8 +233,7 @@ class Sandbox {
             env,
             cwd,
             shell,
-            onStdout,
-            onStderr,
+            commandId,
             idleTimeout,
             killOnDisconnect,
             ttlSeconds,
@@ -243,7 +242,10 @@ class Sandbox {
                 ? { headers: clientHeaders }
                 : {}),
         });
-        const handle = new command_handle_js_1.CommandHandle(stream, control, this);
+        const handle = new command_handle_js_1.CommandHandle(stream, control, this, {
+            onStdout,
+            onStderr,
+        });
         await handle._ensureStarted();
         return handle;
     }

package/dist/sandbox/sandbox.js

@@ -222,7 +222,7 @@ export class Sandbox {
      * @internal
      */
     async _runWs(command, options = {}) {
-        const { timeout = 60, env, cwd, shell = "/bin/bash", onStdout, onStderr, idleTimeout, killOnDisconnect, ttlSeconds, pty, } = options;
+        const { timeout = 60, env, cwd, shell = "/bin/bash", onStdout, onStderr, commandId, idleTimeout, killOnDisconnect, ttlSeconds, pty, } = options;
         const dataplaneUrl = this.requireDataplaneUrl();
         const clientHeaders = this._client.getDefaultHeaders();
         const [stream, control] = await runWsStream(dataplaneUrl, this._client.getApiKey(), command, {
@@ -230,8 +230,7 @@ export class Sandbox {
             env,
             cwd,
             shell,
-            onStdout,
-            onStderr,
+            commandId,
             idleTimeout,
             killOnDisconnect,
             ttlSeconds,
@@ -240,7 +239,10 @@ export class Sandbox {
                 ? { headers: clientHeaders }
                 : {}),
         });
-        const handle = new CommandHandle(stream, control, this);
+        const handle = new CommandHandle(stream, control, this, {
+            onStdout,
+            onStderr,
+        });
         await handle._ensureStarted();
         return handle;
     }

package/dist/sandbox/types.d.ts

@@ -202,6 +202,12 @@ export interface RunOptions {
      * When false, returns a CommandHandle for streaming output.
      */
     wait?: boolean;
+    /**
+     * Client-assigned command ID. Executing with an existing command ID
+     * re-attaches to that command (get-or-create) instead of starting a
+     * new one. Only used by the WebSocket path.
+     */
+    commandId?: string;
     /**
      * Callback invoked with each stdout chunk during streaming execution.
      * When provided, WebSocket streaming is used.
@@ -249,6 +255,27 @@ export interface SandboxAccessControl {
     /** Hosts the sandbox is blocked from reaching. */
     deny_list?: string[];
 }
+/** Secret value reference for sandbox proxy rules. */
+export interface SandboxProxySecret {
+    /** `workspace_secret` references a workspace secret; `opaque` is write-only. */
+    type: "workspace_secret" | "opaque";
+    /** Workspace secret reference or opaque secret value. */
+    value: string;
+}
+/** AWS auth rule for sandbox proxy SigV4 signing. */
+export interface SandboxAwsAuthRule {
+    /** Rule name. */
+    name: string;
+    /** AWS auth rules are matched by the sandbox proxy's AWS endpoint matcher. */
+    type: "aws";
+    /** Whether the rule is enabled. */
+    enabled?: boolean;
+    /** AWS credentials used by the proxy signer. */
+    aws: {
+        access_key_id: SandboxProxySecret;
+        secret_access_key: SandboxProxySecret;
+    };
+}
 /**
  * Full proxy configuration forwarded to the sandbox server as-is (snake_case
  * so it's wire-compatible with the backend). Mirrors the server's
@@ -312,7 +339,8 @@ export interface CreateSandboxOptions {
      * Per-sandbox proxy configuration. Use
      * `{ access_control: { allow_list: ["github.com", "*.example.com"] } }`
      * to restrict outbound HTTPS to a set of host patterns. Forwarded to the
-     * server as-is on the wire.
+     * server as-is on the wire. Use `awsAuthProxyConfig` to let the proxy sign
+     * supported AWS HTTPS requests on the sandbox's behalf.
      */
     proxyConfig?: SandboxProxyConfig;
 }

package/dist/utils/fs.browser.cjs

@@ -20,6 +20,9 @@ exports.writeFileSync = writeFileSync;
 exports.renameSync = renameSync;
 exports.unlinkSync = unlinkSync;
 exports.readFileSync = readFileSync;
+exports.mkdirExclusive = mkdirExclusive;
+exports.statMtimeMs = statMtimeMs;
+exports.rmRecursive = rmRecursive;
 exports.path = {
     join: (...parts) => parts.join("/"),
     dirname: (p) => p.split("/").slice(0, -1).join("/"),
@@ -49,3 +52,11 @@ function unlinkSync(_filePath) { }
 function readFileSync(_filePath) {
     return "";
 }
+// ---------------------------------------------------------------------------
+// Lock primitives – no-op / safe defaults in browser
+// ---------------------------------------------------------------------------
+async function mkdirExclusive(_dir) { }
+function statMtimeMs(_filePath) {
+    return undefined;
+}
+async function rmRecursive(_filePath) { }

package/dist/utils/fs.browser.d.ts

@@ -23,3 +23,6 @@ export declare function writeFileSync(_filePath: string, _content: string): void
 export declare function renameSync(_oldPath: string, _newPath: string): void;
 export declare function unlinkSync(_filePath: string): void;
 export declare function readFileSync(_filePath: string): string;
+export declare function mkdirExclusive(_dir: string): Promise<void>;
+export declare function statMtimeMs(_filePath: string): number | undefined;
+export declare function rmRecursive(_filePath: string): Promise<void>;

package/dist/utils/fs.browser.js

@@ -35,3 +35,11 @@ export function unlinkSync(_filePath) { }
 export function readFileSync(_filePath) {
     return "";
 }
+// ---------------------------------------------------------------------------
+// Lock primitives – no-op / safe defaults in browser
+// ---------------------------------------------------------------------------
+export async function mkdirExclusive(_dir) { }
+export function statMtimeMs(_filePath) {
+    return undefined;
+}
+export async function rmRecursive(_filePath) { }

package/dist/utils/fs.cjs

@@ -51,6 +51,9 @@ exports.writeFileSync = writeFileSync;
 exports.renameSync = renameSync;
 exports.unlinkSync = unlinkSync;
 exports.readFileSync = readFileSync;
+exports.mkdirExclusive = mkdirExclusive;
+exports.statMtimeMs = statMtimeMs;
+exports.rmRecursive = rmRecursive;
 const nodeFs = __importStar(require("node:fs"));
 const nodeFsPromises = __importStar(require("node:fs/promises"));
 const nodePath = __importStar(require("node:path"));
@@ -99,3 +102,22 @@ function unlinkSync(filePath) {
 function readFileSync(filePath) {
     return nodeFs.readFileSync(filePath, "utf-8");
 }
+// ---------------------------------------------------------------------------
+// Lock primitives (used by the OAuth refresh directory lock)
+// ---------------------------------------------------------------------------
+async function mkdirExclusive(dir) {
+    // Non-recursive mkdir throws EEXIST if the directory already exists, which
+    // is the atomic test-and-set the cross-process lock relies on.
+    await nodeFsPromises.mkdir(dir, { mode: 0o700 });
+}
+function statMtimeMs(filePath) {
+    try {
+        return nodeFs.statSync(filePath).mtimeMs;
+    }
+    catch {
+        return undefined;
+    }
+}
+async function rmRecursive(filePath) {
+    await nodeFsPromises.rm(filePath, { recursive: true, force: true });
+}

package/dist/utils/fs.d.ts

@@ -19,3 +19,6 @@ export declare function writeFileSync(filePath: string, content: string): void;
 export declare function renameSync(oldPath: string, newPath: string): void;
 export declare function unlinkSync(filePath: string): void;
 export declare function readFileSync(filePath: string): string;
+export declare function mkdirExclusive(dir: string): Promise<void>;
+export declare function statMtimeMs(filePath: string): number | undefined;
+export declare function rmRecursive(filePath: string): Promise<void>;

package/dist/utils/fs.js

@@ -52,3 +52,22 @@ export function unlinkSync(filePath) {
 export function readFileSync(filePath) {
     return nodeFs.readFileSync(filePath, "utf-8");
 }
+// ---------------------------------------------------------------------------
+// Lock primitives (used by the OAuth refresh directory lock)
+// ---------------------------------------------------------------------------
+export async function mkdirExclusive(dir) {
+    // Non-recursive mkdir throws EEXIST if the directory already exists, which
+    // is the atomic test-and-set the cross-process lock relies on.
+    await nodeFsPromises.mkdir(dir, { mode: 0o700 });
+}
+export function statMtimeMs(filePath) {
+    try {
+        return nodeFs.statSync(filePath).mtimeMs;
+    }
+    catch {
+        return undefined;
+    }
+}
+export async function rmRecursive(filePath) {
+    await nodeFsPromises.rm(filePath, { recursive: true, force: true });
+}

package/dist/utils/profile-lock.cjs

@@ -0,0 +1,140 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports._internal = void 0;
+exports.acquireOAuthRefreshLock = acquireOAuthRefreshLock;
+const fsUtils = __importStar(require("./fs.cjs"));
+const LOCK_POLL_INTERVAL_MS = 10;
+const LOCK_STALE_AFTER_MS = 10_000;
+const LOCK_METADATA_FILE = "created_at";
+function sleep(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}
+function isEEXIST(err) {
+    return (typeof err === "object" &&
+        err !== null &&
+        err.code === "EEXIST");
+}
+function lockMetadataLines(lockDir) {
+    try {
+        return fsUtils
+            .readFileSync(fsUtils.path.join(lockDir, LOCK_METADATA_FILE))
+            .split("\n");
+    }
+    catch {
+        return undefined;
+    }
+}
+function lockCreatedAtMs(lockDir) {
+    const lines = lockMetadataLines(lockDir);
+    if (lines && lines[0] && lines[0].trim()) {
+        const parsed = Date.parse(lines[0].trim());
+        if (!Number.isNaN(parsed)) {
+            return parsed;
+        }
+    }
+    return fsUtils.statMtimeMs(lockDir);
+}
+function lockOwner(lockDir) {
+    const lines = lockMetadataLines(lockDir);
+    if (lines && lines.length >= 2 && lines[1].trim()) {
+        return lines[1].trim();
+    }
+    return undefined;
+}
+async function removeStaleLock(lockDir) {
+    const createdAt = lockCreatedAtMs(lockDir);
+    if (createdAt === undefined ||
+        Date.now() - createdAt <= LOCK_STALE_AFTER_MS) {
+        return false;
+    }
+    await fsUtils.rmRecursive(lockDir);
+    return true;
+}
+/**
+ * Acquire an exclusive cross-process lock for refreshing OAuth tokens.
+ *
+ * Uses an atomic-`mkdir` directory lock at `<configPath>.oauth.lock.lock` with a
+ * stale-break heuristic and owner-checked release, mirroring langsmith-go's
+ * non-POSIX path. `deadline` is a `Date.now()`-based timestamp; acquisition
+ * rejects once it passes. Callers treat any rejection as "skip refresh, use the
+ * current token".
+ */
+async function acquireOAuthRefreshLock(configPath, deadline) {
+    const lockDir = `${configPath}.oauth.lock.lock`;
+    const parent = fsUtils.path.dirname(lockDir);
+    if (parent) {
+        await fsUtils.mkdir(parent);
+    }
+    const owner = globalThis.crypto.randomUUID();
+    for (;;) {
+        try {
+            await fsUtils.mkdirExclusive(lockDir);
+        }
+        catch (err) {
+            if (!isEEXIST(err)) {
+                throw err;
+            }
+            if (!(await removeStaleLock(lockDir))) {
+                if (Date.now() >= deadline) {
+                    throw new Error("timed out acquiring OAuth refresh lock");
+                }
+                await sleep(Math.min(LOCK_POLL_INTERVAL_MS, Math.max(0, deadline - Date.now())));
+            }
+            continue;
+        }
+        try {
+            await fsUtils.writeFileAtomic(fsUtils.path.join(lockDir, LOCK_METADATA_FILE), `${new Date().toISOString()}\n${owner}\n`);
+        }
+        catch (err) {
+            await fsUtils.rmRecursive(lockDir);
+            throw err;
+        }
+        break;
+    }
+    return {
+        async release() {
+            if (lockOwner(lockDir) === owner) {
+                await fsUtils.rmRecursive(lockDir);
+            }
+        },
+    };
+}
+// Exposed for tests only.
+exports._internal = {
+    LOCK_METADATA_FILE,
+    LOCK_STALE_AFTER_MS,
+    lockOwner,
+};

package/dist/utils/profile-lock.d.ts

@@ -0,0 +1,20 @@
+export interface OAuthRefreshLock {
+    release(): Promise<void>;
+}
+declare function lockOwner(lockDir: string): string | undefined;
+/**
+ * Acquire an exclusive cross-process lock for refreshing OAuth tokens.
+ *
+ * Uses an atomic-`mkdir` directory lock at `<configPath>.oauth.lock.lock` with a
+ * stale-break heuristic and owner-checked release, mirroring langsmith-go's
+ * non-POSIX path. `deadline` is a `Date.now()`-based timestamp; acquisition
+ * rejects once it passes. Callers treat any rejection as "skip refresh, use the
+ * current token".
+ */
+export declare function acquireOAuthRefreshLock(configPath: string, deadline: number): Promise<OAuthRefreshLock>;
+export declare const _internal: {
+    LOCK_METADATA_FILE: string;
+    LOCK_STALE_AFTER_MS: number;
+    lockOwner: typeof lockOwner;
+};
+export {};

package/dist/utils/profile-lock.js

@@ -0,0 +1,103 @@
+import * as fsUtils from "./fs.js";
+const LOCK_POLL_INTERVAL_MS = 10;
+const LOCK_STALE_AFTER_MS = 10_000;
+const LOCK_METADATA_FILE = "created_at";
+function sleep(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}
+function isEEXIST(err) {
+    return (typeof err === "object" &&
+        err !== null &&
+        err.code === "EEXIST");
+}
+function lockMetadataLines(lockDir) {
+    try {
+        return fsUtils
+            .readFileSync(fsUtils.path.join(lockDir, LOCK_METADATA_FILE))
+            .split("\n");
+    }
+    catch {
+        return undefined;
+    }
+}
+function lockCreatedAtMs(lockDir) {
+    const lines = lockMetadataLines(lockDir);
+    if (lines && lines[0] && lines[0].trim()) {
+        const parsed = Date.parse(lines[0].trim());
+        if (!Number.isNaN(parsed)) {
+            return parsed;
+        }
+    }
+    return fsUtils.statMtimeMs(lockDir);
+}
+function lockOwner(lockDir) {
+    const lines = lockMetadataLines(lockDir);
+    if (lines && lines.length >= 2 && lines[1].trim()) {
+        return lines[1].trim();
+    }
+    return undefined;
+}
+async function removeStaleLock(lockDir) {
+    const createdAt = lockCreatedAtMs(lockDir);
+    if (createdAt === undefined ||
+        Date.now() - createdAt <= LOCK_STALE_AFTER_MS) {
+        return false;
+    }
+    await fsUtils.rmRecursive(lockDir);
+    return true;
+}
+/**
+ * Acquire an exclusive cross-process lock for refreshing OAuth tokens.
+ *
+ * Uses an atomic-`mkdir` directory lock at `<configPath>.oauth.lock.lock` with a
+ * stale-break heuristic and owner-checked release, mirroring langsmith-go's
+ * non-POSIX path. `deadline` is a `Date.now()`-based timestamp; acquisition
+ * rejects once it passes. Callers treat any rejection as "skip refresh, use the
+ * current token".
+ */
+export async function acquireOAuthRefreshLock(configPath, deadline) {
+    const lockDir = `${configPath}.oauth.lock.lock`;
+    const parent = fsUtils.path.dirname(lockDir);
+    if (parent) {
+        await fsUtils.mkdir(parent);
+    }
+    const owner = globalThis.crypto.randomUUID();
+    for (;;) {
+        try {
+            await fsUtils.mkdirExclusive(lockDir);
+        }
+        catch (err) {
+            if (!isEEXIST(err)) {
+                throw err;
+            }
+            if (!(await removeStaleLock(lockDir))) {
+                if (Date.now() >= deadline) {
+                    throw new Error("timed out acquiring OAuth refresh lock");
+                }
+                await sleep(Math.min(LOCK_POLL_INTERVAL_MS, Math.max(0, deadline - Date.now())));
+            }
+            continue;
+        }
+        try {
+            await fsUtils.writeFileAtomic(fsUtils.path.join(lockDir, LOCK_METADATA_FILE), `${new Date().toISOString()}\n${owner}\n`);
+        }
+        catch (err) {
+            await fsUtils.rmRecursive(lockDir);
+            throw err;
+        }
+        break;
+    }
+    return {
+        async release() {
+            if (lockOwner(lockDir) === owner) {
+                await fsUtils.rmRecursive(lockDir);
+            }
+        },
+    };
+}
+// Exposed for tests only.
+export const _internal = {
+    LOCK_METADATA_FILE,
+    LOCK_STALE_AFTER_MS,
+    lockOwner,
+};

package/dist/utils/profiles.cjs

@@ -38,6 +38,7 @@ exports.hasValue = hasValue;
 exports.loadProfileClientConfig = loadProfileClientConfig;
 const env_js_1 = require("./env.cjs");
 const fsUtils = __importStar(require("./fs.cjs"));
+const profile_lock_js_1 = require("./profile-lock.cjs");
 exports.DEFAULT_API_URL = "https://api.smith.langchain.com";
 const OAUTH_CLIENT_ID = "langsmith-cli";
 const TOKEN_REFRESH_LEEWAY_MS = 60_000;
@@ -227,17 +228,39 @@ class ProfileAuth {
     isProfileAuthorizationHeader(value) {
         return value === this.managedAuthorizationValue;
     }
+    reloadProfile() {
+        try {
+            const config = JSON.parse(fsUtils.readFileSync(this.state.configPath));
+            const profile = config.profiles?.[this.state.profileName];
+            if (!profile) {
+                return undefined;
+            }
+            this.state.config = config;
+            this.state.profile = profile;
+            return profile;
+        }
+        catch {
+            return undefined;
+        }
+    }
     async refreshOAuthToken(fetchImplementation) {
         const refreshToken = this.state.profile.oauth?.refresh_token;
         if (!refreshToken) {
             return;
         }
         const refreshApiUrl = trimConfigValue(this.state.profile.api_url) ?? exports.DEFAULT_API_URL;
+        const deadline = Date.now() + TOKEN_REFRESH_TIMEOUT_MS;
+        let lock;
         try {
+            lock = await (0, profile_lock_js_1.acquireOAuthRefreshLock)(this.state.configPath, deadline);
+            const fresh = this.reloadProfile();
+            if (fresh && !shouldRefreshProfileToken(this.state.profile)) {
+                return;
+            }
             const body = new URLSearchParams({
                 grant_type: "refresh_token",
                 client_id: OAUTH_CLIENT_ID,
-                refresh_token: refreshToken,
+                refresh_token: this.state.profile.oauth?.refresh_token ?? refreshToken,
             });
             const response = await fetchImplementation(`${normalizeConfigUrl(refreshApiUrl)}/oauth/token`, {
                 method: "POST",
@@ -245,7 +268,7 @@ class ProfileAuth {
                     "Content-Type": "application/x-www-form-urlencoded",
                 },
                 body: body.toString(),
-                signal: AbortSignal.timeout(TOKEN_REFRESH_TIMEOUT_MS),
+                signal: AbortSignal.timeout(Math.max(0, deadline - Date.now())),
             });
             if (!response.ok) {
                 return;
@@ -262,6 +285,9 @@ class ProfileAuth {
         catch {
             return;
         }
+        finally {
+            await lock?.release();
+        }
     }
     rememberProfileAuthHeader(header) {
         this.managedAuthorizationValue =

package/dist/utils/profiles.d.ts

@@ -42,6 +42,7 @@ export declare class ProfileAuth {
     currentAuthHeader(): ProfileAuthHeader | undefined;
     getAuthHeader(fetchImplementation: typeof fetch, signal?: AbortSignal | null): Promise<ProfileAuthHeader | undefined>;
     isProfileAuthorizationHeader(value: string): boolean;
+    private reloadProfile;
     private refreshOAuthToken;
     private rememberProfileAuthHeader;
 }