opencode-multi-account-core 0.2.32 → 0.2.34

package/dist/index.js

@@ -40,11 +40,15 @@ var CredentialRefreshPatchSchema = v.object({
   refreshToken: v.optional(v.string()),
   uuid: v.optional(v.string()),
   accountId: v.optional(v.string()),
+  accountUuid: v.optional(v.string()),
+  deviceId: v.optional(v.string()),
   email: v.optional(v.string())
 });
 var StoredAccountSchema = v.object({
   uuid: v.optional(v.string()),
   accountId: v.optional(v.string()),
+  accountUuid: v.optional(v.string()),
+  deviceId: v.optional(v.string()),
   label: v.optional(v.string()),
   email: v.optional(v.string()),
   planTier: v.optional(v.string(), ""),
@@ -259,6 +263,7 @@ function getClearedOAuthBody() {
 // src/claims.ts
 var CLAIMS_FILENAME = "multiauth-claims.json";
 var CLAIM_EXPIRY_MS = 6e4;
+var CLAIM_LOCK_STALE_MS = 15e3;
 function getClaimsPath(filename) {
   return join3(getConfigDir2(), filename);
 }
@@ -321,17 +326,67 @@ async function writeClaimsFile(path, claims) {
     throw error;
   }
 }
+async function readClaimsFile(path) {
+  try {
+    const data = await fs2.readFile(path, "utf-8");
+    return parseClaims(data);
+  } catch {
+    return {};
+  }
+}
+function sleep2(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+async function acquireClaimsLock(path) {
+  const lockPath = `${path}.lock`;
+  await fs2.mkdir(dirname2(path), { recursive: true });
+  for (; ; ) {
+    try {
+      await fs2.mkdir(lockPath, { mode: 448 });
+      return async () => {
+        try {
+          await fs2.rm(lockPath, { recursive: true, force: true });
+        } catch {
+        }
+      };
+    } catch (error) {
+      const code = error.code;
+      if (code !== "EEXIST") throw error;
+      try {
+        const stat = await fs2.stat(lockPath);
+        if (Date.now() - stat.mtimeMs > CLAIM_LOCK_STALE_MS) {
+          await fs2.rm(lockPath, { recursive: true, force: true });
+        }
+      } catch {
+      }
+      await sleep2(10 + Math.floor(Math.random() * 20));
+    }
+  }
+}
+async function withClaimsLock(path, fn) {
+  const release = await acquireClaimsLock(path);
+  try {
+    return await fn();
+  } finally {
+    await release();
+  }
+}
 function createClaimsManager(filename = CLAIMS_FILENAME) {
   async function readClaims2() {
     const claimsPath = getClaimsPath(filename);
     try {
-      const data = await fs2.readFile(claimsPath, "utf-8");
-      const parsed = parseClaims(data);
+      const parsed = await readClaimsFile(claimsPath);
       const now = Date.now();
       const { cleaned, changed } = cleanClaims(parsed, now);
       if (changed) {
         try {
-          await writeClaimsFile(claimsPath, cleaned);
+          await withClaimsLock(claimsPath, async () => {
+            const current = await readClaimsFile(claimsPath);
+            const latest = cleanClaims(current, Date.now());
+            if (latest.changed) {
+              await writeClaimsFile(claimsPath, latest.cleaned);
+            }
+          });
         } catch {
         }
       }
@@ -342,27 +397,31 @@ function createClaimsManager(filename = CLAIMS_FILENAME) {
   }
   async function writeClaim2(accountId) {
     const claimsPath = getClaimsPath(filename);
-    const now = Date.now();
-    const claims = await readClaims2();
-    const { cleaned } = cleanClaims(claims, now);
-    cleaned[accountId] = { pid: process.pid, at: now };
     try {
-      await writeClaimsFile(claimsPath, cleaned);
+      await withClaimsLock(claimsPath, async () => {
+        const now = Date.now();
+        const claims = await readClaimsFile(claimsPath);
+        const { cleaned } = cleanClaims(claims, now);
+        cleaned[accountId] = { pid: process.pid, at: now };
+        await writeClaimsFile(claimsPath, cleaned);
+      });
     } catch {
     }
   }
   async function releaseClaim2(accountId) {
     const claimsPath = getClaimsPath(filename);
-    const now = Date.now();
-    const claims = await readClaims2();
-    const { cleaned } = cleanClaims(claims, now);
-    const currentClaim = cleaned[accountId];
-    if (!currentClaim || currentClaim.pid !== process.pid) {
-      return;
-    }
-    delete cleaned[accountId];
     try {
-      await writeClaimsFile(claimsPath, cleaned);
+      await withClaimsLock(claimsPath, async () => {
+        const now = Date.now();
+        const claims = await readClaimsFile(claimsPath);
+        const { cleaned } = cleanClaims(claims, now);
+        const currentClaim = cleaned[accountId];
+        if (!currentClaim || currentClaim.pid !== process.pid) {
+          return;
+        }
+        delete cleaned[accountId];
+        await writeClaimsFile(claimsPath, cleaned);
+      });
     } catch {
     }
   }
@@ -459,6 +518,8 @@ function createAccountManagerForProvider(dependencies) {
         index,
         uuid: storedAccount.uuid,
         accountId: storedAccount.accountId,
+        accountUuid: storedAccount.accountUuid,
+        deviceId: storedAccount.deviceId,
         label: storedAccount.label,
         email: storedAccount.email,
         planTier: storedAccount.planTier,
@@ -477,8 +538,22 @@ function createAccountManagerForProvider(dependencies) {
         last429At: storedAccount.uuid ? this.last429Map.get(storedAccount.uuid) : void 0
       };
     }
-    createNewAccount(auth, now) {
-      return {
+    applyAccountMetadata(account, metadata) {
+      if (!metadata) return;
+      if (metadata.accountId) account.accountId = metadata.accountId;
+      if (metadata.accountUuid) account.accountUuid = metadata.accountUuid;
+      if (metadata.deviceId) account.deviceId = metadata.deviceId;
+      if (metadata.email) account.email = metadata.email;
+      if (metadata.label) account.label = metadata.label;
+      if (metadata.planTier !== void 0) account.planTier = metadata.planTier;
+    }
+    applyRefreshIdentityPatch(account, result) {
+      if (result.patch.accountId) account.accountId = result.patch.accountId;
+      if (result.patch.accountUuid && !account.accountUuid) account.accountUuid = result.patch.accountUuid;
+      if (result.patch.deviceId && !account.deviceId) account.deviceId = result.patch.deviceId;
+    }
+    createNewAccount(auth, now, metadata) {
+      const account = {
         uuid: randomUUID(),
         refreshToken: auth.refresh,
         accessToken: auth.access,
@@ -490,6 +565,8 @@ function createAccountManagerForProvider(dependencies) {
         consecutiveAuthFailures: 0,
         isAuthDisabled: false
       };
+      this.applyAccountMetadata(account, metadata);
+      return account;
     }
     getAccountCount() {
       return this.getEligibleAccounts().length;
@@ -903,7 +980,7 @@ function createAccountManagerForProvider(dependencies) {
         account.expiresAt = result.patch.expiresAt;
         if (result.patch.refreshToken) account.refreshToken = result.patch.refreshToken;
         if (result.patch.uuid && result.patch.uuid !== uuid) account.uuid = result.patch.uuid;
-        if (result.patch.accountId) account.accountId = result.patch.accountId;
+        this.applyRefreshIdentityPatch(account, result);
         if (result.patch.email) account.email = result.patch.email;
         account.consecutiveAuthFailures = 0;
         account.isAuthDisabled = false;
@@ -957,7 +1034,7 @@ function createAccountManagerForProvider(dependencies) {
       this.activeAccountUuid = void 0;
       this.stickyBindings.clear();
     }
-    async addAccount(auth, email) {
+    async addAccount(auth, email, metadata) {
       if (!auth.refresh) return;
       const existingByToken = this.cached.find((account) => account.refreshToken === auth.refresh);
       if (existingByToken) return;
@@ -966,11 +1043,11 @@ function createAccountManagerForProvider(dependencies) {
           (account) => account.email && account.email === email
         );
         if (existingByEmail?.uuid) {
-          await this.replaceAccountCredentials(existingByEmail.uuid, auth);
+          await this.replaceAccountCredentials(existingByEmail.uuid, auth, metadata);
           return;
         }
       }
-      const newAccount = this.createNewAccount(auth, Date.now());
+      const newAccount = this.createNewAccount(auth, Date.now(), metadata);
       if (email) newAccount.email = email;
       await this.store.addAccount(newAccount);
       this.activeAccountUuid = newAccount.uuid;
@@ -987,11 +1064,12 @@ function createAccountManagerForProvider(dependencies) {
         }
       });
     }
-    async replaceAccountCredentials(uuid, auth) {
+    async replaceAccountCredentials(uuid, auth, metadata) {
       const updated = await this.store.mutateAccount(uuid, (account) => {
         account.refreshToken = auth.refresh;
         account.accessToken = auth.access;
         account.expiresAt = auth.expires;
+        this.applyAccountMetadata(account, metadata);
         account.lastUsed = Date.now();
         account.enabled = true;
         account.isAuthDisabled = false;
@@ -1020,7 +1098,7 @@ function createAccountManagerForProvider(dependencies) {
           account.expiresAt = result.patch.expiresAt;
           if (result.patch.refreshToken) account.refreshToken = result.patch.refreshToken;
           if (result.patch.uuid) account.uuid = result.patch.uuid;
-          if (result.patch.accountId) account.accountId = result.patch.accountId;
+          this.applyRefreshIdentityPatch(account, result);
           if (result.patch.email) account.email = result.patch.email;
           account.enabled = true;
           account.consecutiveAuthFailures = 0;
@@ -1160,7 +1238,7 @@ import { dirname as dirname4 } from "path";
 var DEFAULT_STALE_MS = 1e4;
 var DEFAULT_RETRY_DELAY_MS = 50;
 var DEFAULT_MAX_RETRIES = 10;
-function sleep2(ms) {
+function sleep3(ms) {
   return new Promise((resolve) => setTimeout(resolve, ms));
 }
 async function removeIfStale(lockPath, staleMs) {
@@ -1191,7 +1269,7 @@ async function withDirectoryLock(targetPath, fn, options) {
       if (attempt >= retries) {
         throw new Error(`Failed to acquire lock for ${targetPath}`);
       }
-      await sleep2(retryDelayMs * (attempt + 1));
+      await sleep3(retryDelayMs * (attempt + 1));
     }
   }
   try {
@@ -1269,7 +1347,9 @@ var AccountStore = class {
       refreshToken: account.refreshToken,
       accessToken: account.accessToken,
       expiresAt: account.expiresAt,
-      accountId: account.accountId
+      accountId: account.accountId,
+      accountUuid: account.accountUuid,
+      deviceId: account.deviceId
     };
   }
   async mutateAccount(uuid, fn) {
@@ -1405,7 +1485,7 @@ function createExecutorForProvider(providerName, dependencies) {
   const {
     handleRateLimitResponse,
     formatWaitTime: formatWaitTime2,
-    sleep: sleep3,
+    sleep: sleep4,
     showToast: showToast2,
     getAccountLabel: getAccountLabel2
   } = dependencies;
@@ -1417,7 +1497,7 @@ function createExecutorForProvider(providerName, dependencies) {
       for (let attempt = 0; attempt < MAX_SERVER_RETRIES_PER_ATTEMPT; attempt++) {
         const backoff = Math.min(SERVER_RETRY_BASE_MS * 2 ** attempt, SERVER_RETRY_MAX_MS);
         const jitteredBackoff = backoff * (0.5 + Math.random() * 0.5);
-        await sleep3(jitteredBackoff);
+        await sleep4(jitteredBackoff);
         let retryResponse;
         try {
           retryResponse = await runtime.fetch(input, init);
@@ -1573,7 +1653,7 @@ function createExecutorForProvider(providerName, dependencies) {
         `All ${manager.getAccountCount()} account(s) rate-limited. Waiting ${formatWaitTime2(waitMs)}...`,
         "warning"
       );
-      await sleep3(waitMs);
+      await sleep4(waitMs);
     }
   }
   return {
@@ -1674,6 +1754,8 @@ function createProactiveRefreshQueueForProvider(dependencies) {
               if (result.patch.uuid) target.uuid = result.patch.uuid;
               if (result.patch.email) target.email = result.patch.email;
               if (result.patch.accountId) target.accountId = result.patch.accountId;
+              if (result.patch.accountUuid && !target.accountUuid) target.accountUuid = result.patch.accountUuid;
+              if (result.patch.deviceId && !target.deviceId) target.deviceId = result.patch.deviceId;
               target.consecutiveAuthFailures = 0;
               target.isAuthDisabled = false;
               target.authDisabledReason = void 0;
@@ -2073,7 +2155,6 @@ var anthropicOAuthAdapter = {
   id: "anthropic",
   authProviderId: "anthropic",
   modelDisplayName: "Claude",
-  statusToolName: "claude_multiauth_status",
   authMethodLabel: "Claude Pro/Max (Multi-Auth)",
   serviceLogName: "claude-multiauth",
   oauthClientId: "9d1c250a-e61b-44d9-88ed-5944d1962f5e",
@@ -2107,7 +2188,6 @@ var openAIOAuthAdapter = {
   id: "openai",
   authProviderId: "openai",
   modelDisplayName: "ChatGPT",
-  statusToolName: "chatgpt_multiauth_status",
   authMethodLabel: "ChatGPT Plus/Pro (Multi-Auth)",
   serviceLogName: "chatgpt-multiauth",
   oauthClientId: "app_EMoamEEZ73f0CkXaXp7hrann",
@@ -2510,6 +2590,293 @@ var CascadeStateManager = class {
     };
   }
 };
+
+// src/native-plugin-lifecycle.ts
+var EMPTY_OAUTH_CREDENTIALS = {
+  type: "oauth",
+  refresh: "",
+  access: "",
+  expires: 0
+};
+function zeroProviderModelCosts(provider) {
+  const models = provider?.models;
+  if (!models || typeof models !== "object") {
+    return;
+  }
+  for (const model of Object.values(models)) {
+    if (model) {
+      model.cost = { input: 0, output: 0, cache: { read: 0, write: 0 } };
+    }
+  }
+}
+function createOpenCodeNativePluginLifecycle(options) {
+  let manager = null;
+  let runtimeFactory = null;
+  let refreshQueue = null;
+  const defaultFetch = async (input, init) => {
+    if (!manager || !runtimeFactory) {
+      return fetch(input, init);
+    }
+    if (manager.getAccountCount() === 0) {
+      throw new Error(options.noAccountsMessage);
+    }
+    return options.executeWithAccountRotation(manager, runtimeFactory, options.client, input, init);
+  };
+  async function createLoaderResult() {
+    const fetchHandler = options.createFetch?.({
+      getManager: () => manager,
+      getRuntimeFactory: () => runtimeFactory,
+      defaultFetch
+    }) ?? defaultFetch;
+    const extras = await options.createLoaderExtras?.(manager);
+    return {
+      apiKey: options.oauthApiKey,
+      fetch: fetchHandler,
+      ...extras
+    };
+  }
+  async function createPassthroughResult() {
+    return {
+      apiKey: "",
+      fetch
+    };
+  }
+  async function initializeRuntimeFactory() {
+    if (!manager || !runtimeFactory) {
+      return;
+    }
+    manager.setRuntimeFactory(runtimeFactory);
+    await options.afterManagerInitialized?.(manager, runtimeFactory);
+  }
+  async function startRefreshQueueIfNeeded() {
+    if (!options.createRefreshQueue || !manager || !runtimeFactory || manager.getAccountCount() === 0) {
+      return;
+    }
+    if (refreshQueue) {
+      return;
+    }
+    refreshQueue = options.createRefreshQueue(
+      options.client,
+      options.store,
+      (uuid) => runtimeFactory?.invalidate(uuid)
+    );
+    refreshQueue.start();
+  }
+  async function initializeManagerFromStore() {
+    if (manager) {
+      return manager.getAccountCount() > 0;
+    }
+    const storage = await options.store.load();
+    if (storage.accounts.length === 0) {
+      return false;
+    }
+    manager = await options.managerClass.create(options.store, EMPTY_OAUTH_CREDENTIALS, options.client);
+    runtimeFactory = options.createRuntimeFactory(options.store, options.client);
+    await initializeRuntimeFactory();
+    await startRefreshQueueIfNeeded();
+    return manager.getAccountCount() > 0;
+  }
+  async function initializeManagerFromAuth(credentials) {
+    manager = await options.managerClass.create(options.store, credentials, options.client);
+    runtimeFactory = options.createRuntimeFactory(options.store, options.client);
+    await initializeRuntimeFactory();
+  }
+  async function restartRefreshQueueIfNeeded() {
+    if (refreshQueue) {
+      await refreshQueue.stop();
+      refreshQueue = null;
+    }
+    await startRefreshQueueIfNeeded();
+  }
+  return {
+    getManager: () => manager,
+    getRuntimeFactory: () => runtimeFactory,
+    async load(auth, provider) {
+      if (auth.type !== "oauth") {
+        await options.migrateFromAuthJson?.(options.authJsonProviderKey, options.store);
+        const recoveredFromStore = await initializeManagerFromStore();
+        return recoveredFromStore ? createLoaderResult() : createPassthroughResult();
+      }
+      zeroProviderModelCosts(provider);
+      const credentials = auth;
+      await options.migrateFromAuthJson?.(options.authJsonProviderKey, options.store);
+      await initializeManagerFromAuth(credentials);
+      const initializedManager = manager;
+      if (!initializedManager) {
+        return createPassthroughResult();
+      }
+      await options.afterOAuthLoad?.(credentials, initializedManager);
+      if (initializedManager.getAccountCount() > 0) {
+        const activeAccount = initializedManager.getActiveAccount?.();
+        const activeLabel = activeAccount ? options.getAccountLabel(activeAccount) : "none";
+        options.client.tui.showToast({
+          body: {
+            message: `Multi-Auth: ${initializedManager.getAccountCount()} account(s) loaded. Active: ${activeLabel}`,
+            variant: "info"
+          }
+        }).catch(() => {
+        });
+        await initializedManager.validateNonActiveTokens?.(options.client);
+        const disabledCount = initializedManager.getAccounts().filter((account) => account.isAuthDisabled).length;
+        if (disabledCount > 0) {
+          options.client.tui.showToast({
+            body: {
+              message: `${disabledCount} account(s) have auth failures.`,
+              variant: "warning"
+            }
+          }).catch(() => {
+          });
+        }
+        await restartRefreshQueueIfNeeded();
+      }
+      return createLoaderResult();
+    }
+  };
+}
+
+// src/native-plugin-auth.ts
+function toInputs(value) {
+  if (!value || typeof value !== "object" || Array.isArray(value)) {
+    return void 0;
+  }
+  return value;
+}
+function createOpenCodeNativeAuthMethods(options) {
+  return [
+    {
+      label: options.oauthLabel,
+      type: "oauth",
+      authorize: async (...args) => options.authorize(toInputs(args[0]))
+    }
+  ];
+}
+
+// src/native-plugin-loader.ts
+function readProviderModels(provider) {
+  return provider.models && typeof provider.models === "object" && !Array.isArray(provider.models) ? provider.models : {};
+}
+function createOpenCodeNativeAuthLoader(options) {
+  return async function openCodeNativeAuthLoader(getAuth, provider) {
+    const providerModels = readProviderModels(provider);
+    options.debugLog?.("Auth loader received provider metadata", {
+      providerId: typeof provider.id === "string" ? provider.id : void 0,
+      providerName: typeof provider.name === "string" ? provider.name : void 0,
+      modelCount: Object.keys(providerModels).length,
+      modelIds: Object.keys(providerModels)
+    });
+    await options.beforeAuth?.(provider);
+    const auth = await getAuth();
+    options.debugLog?.("Auth loader resolved auth payload", {
+      authType: typeof auth.type === "string" ? auth.type : void 0,
+      authKeys: Object.keys(auth)
+    });
+    await options.beforeLoad?.({ auth, provider, lifecycle: options.lifecycle });
+    const result = await options.lifecycle.load(auth, provider);
+    const replacement = await options.afterLoad?.({
+      auth,
+      provider,
+      lifecycle: options.lifecycle,
+      manager: options.lifecycle.getManager(),
+      runtimeFactory: options.lifecycle.getRuntimeFactory(),
+      result
+    });
+    if (auth.type !== "oauth") {
+      options.debugLog?.("Auth loader attempted store recovery", {
+        recoveredFromStore: Boolean(options.lifecycle.getManager()?.getAccountCount())
+      });
+    } else {
+      const manager = options.lifecycle.getManager();
+      if (manager) {
+        options.debugLog?.("Auth loader initialized manager state", {
+          accountCount: manager.getAccountCount(),
+          activeAccountUuid: manager.getActiveAccount?.()?.uuid
+        });
+      }
+    }
+    return replacement ?? result;
+  };
+}
+
+// src/native-plugin-bootstrap-auth.ts
+import { promises as fs8 } from "fs";
+import { join as join8 } from "path";
+var AUTH_JSON_FILENAME2 = "auth.json";
+function hasCompleteOAuthCredential(account) {
+  return typeof account.refreshToken === "string" && account.refreshToken.length > 0 && typeof account.accessToken === "string" && account.accessToken.length > 0 && typeof account.expiresAt === "number" && Number.isFinite(account.expiresAt);
+}
+function selectBootstrapAccount(accounts, activeAccountUuid) {
+  const completeAccounts = accounts.filter(hasCompleteOAuthCredential);
+  if (completeAccounts.length === 0) {
+    return null;
+  }
+  const activeAccount = activeAccountUuid ? completeAccounts.find((account) => account.uuid === activeAccountUuid) : void 0;
+  if (activeAccount) {
+    return activeAccount;
+  }
+  const firstUsableAccount = completeAccounts.find(
+    (account) => account.enabled !== false && account.isAuthDisabled !== true
+  );
+  return firstUsableAccount ?? completeAccounts[0];
+}
+async function readCurrentAuth(providerId) {
+  const authPath = join8(getConfigDir2(), AUTH_JSON_FILENAME2);
+  let raw;
+  try {
+    raw = await fs8.readFile(authPath, "utf-8");
+  } catch {
+    return null;
+  }
+  try {
+    const parsed = JSON.parse(raw);
+    const providerAuth = parsed[providerId];
+    if (providerAuth?.type !== "oauth" || typeof providerAuth.refresh !== "string" || typeof providerAuth.access !== "string" || typeof providerAuth.expires !== "number") {
+      return null;
+    }
+    return {
+      type: "oauth",
+      refresh: providerAuth.refresh,
+      access: providerAuth.access,
+      expires: providerAuth.expires
+    };
+  } catch {
+    return null;
+  }
+}
+function shouldSyncBootstrapAuth(currentAuth, nextAuth) {
+  if (!currentAuth) {
+    return true;
+  }
+  if (currentAuth.refresh === nextAuth.refresh && currentAuth.access === nextAuth.access && currentAuth.expires === nextAuth.expires) {
+    return false;
+  }
+  return currentAuth.expires < nextAuth.expires;
+}
+async function syncOpenCodeNativeBootstrapAuth(options) {
+  const storage = await options.store.load();
+  const bootstrapAccount = selectBootstrapAccount(storage.accounts, storage.activeAccountUuid);
+  if (!bootstrapAccount) {
+    return false;
+  }
+  const nextAuth = {
+    type: "oauth",
+    refresh: bootstrapAccount.refreshToken,
+    access: bootstrapAccount.accessToken,
+    expires: bootstrapAccount.expiresAt
+  };
+  const currentAuth = await readCurrentAuth(options.providerId);
+  if (!shouldSyncBootstrapAuth(currentAuth, nextAuth)) {
+    return false;
+  }
+  await options.client.auth.set({
+    path: { id: options.providerId },
+    body: nextAuth
+  });
+  return true;
+}
+var __openCodeNativeBootstrapAuthTestUtils = {
+  selectBootstrapAccount,
+  shouldSyncBootstrapAuth
+};
 export {
   ACCOUNTS_FILENAME,
   ANSI,
@@ -2529,6 +2896,7 @@ export {
   TokenRefreshError,
   UsageLimitEntrySchema,
   UsageLimitsSchema,
+  __openCodeNativeBootstrapAuthTestUtils,
   anthropicOAuthAdapter,
   confirm,
   createAccountManagerForProvider,
@@ -2536,6 +2904,9 @@ export {
   createConfigLoader,
   createExecutorForProvider,
   createMinimalClient,
+  createOpenCodeNativeAuthLoader,
+  createOpenCodeNativeAuthMethods,
+  createOpenCodeNativePluginLifecycle,
   createProactiveRefreshQueueForProvider,
   createRateLimitHandlers,
   debugLog,
@@ -2566,6 +2937,7 @@ export {
   setConfigGetter,
   showToast,
   sleep,
+  syncOpenCodeNativeBootstrapAuth,
   updateConfigField,
   withDirectoryLock,
   writeClaim