Code · Tracked since May 20, 2026

Host service OAuth daemon recovery now reads CLI auth config on 401 retries

This PR fixes a correctness gap in CLI-spawned host-service: when an OAuth access token expires during a long-running daemon, the first 401-triggered retry now refreshes credentials from the CLI auth config and updates tokens, so the service can continue operation instead of failing and requiring restart or re-login.

host-service · OAuth · JwtApiAuthProvider · CLI auth config

What Happened

  • This PR fixes a correctness gap in CLI-spawned host-service: when an OAuth access token expires during a long-running daemon, the first 401-triggered retry now refreshes credentials from the CLI auth config and updates tokens, so the service can continue operation instead of failing and requiring restart or re-login.
  • 1 evidence item attached for review.

What is Different


Now

The PR rewires the host-service's retry path to perform an OAuth refresh from the stored CLI auth config during runtime expiry recovery, adds single-flight coordination for concurrent callers, and makes token persistence safer with temp-file/atomic writes and concurrent-write checks, while preserving static-token behavior.
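
The recovery flow described above, as an added Python sketch (not code from the PR or from the host-service project): one retry on 401, a single-flight refresh, and an atomic temp-file write guarded by a concurrent-write check. `RefreshingAuth`, `refresh_fn`, `send` and the JSON layout of the auth config are assumptions made for illustration.

```python
import json, os, tempfile, threading

class RefreshingAuth:
    def __init__(self, config_path, refresh_fn):
        self.path = config_path  # assumed JSON with accessToken / refreshToken
        self.refresh_fn = refresh_fn  # hypothetical: refresh token -> new tokens
        self._lock = threading.Lock()

    def _load(self):
        with open(self.path) as f:
            return json.load(f)

    def _persist(self, cfg, seen_refresh):
        # Concurrent-write check: keep tokens another process rotated meanwhile.
        on_disk = self._load()
        if on_disk.get("refreshToken") != seen_refresh:
            return on_disk
        # Temp file (0600, same directory), then rename: no partial JSON for readers.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(self.path)))
        try:
            with os.fdopen(fd, "w") as f:
                json.dump(cfg, f)
                f.flush()
                os.fsync(f.fileno())
            os.replace(tmp, self.path)
        except BaseException:
            os.unlink(tmp)  # never leave a stray file holding tokens
            raise
        return cfg

    def refresh(self, stale_token):
        with self._lock:  # single flight: one caller refreshes, the rest wait
            cfg = self._load()
            if cfg["accessToken"] != stale_token:
                return cfg["accessToken"]  # already refreshed by another caller
            seen = cfg.get("refreshToken")
            if not seen:
                raise PermissionError("auth config has no refresh token; re-login required")
            new = self.refresh_fn(seen)
            cfg["accessToken"] = new["accessToken"]
            cfg["refreshToken"] = new.get("refreshToken", seen)  # may be rotated
            return self._persist(cfg, seen)["accessToken"]

    def call(self, send):
        token = self._load()["accessToken"]
        status, body = send(token)
        if status == 401:  # retry exactly once with a refreshed token
            status, body = send(self.refresh(token))
        return status, body
```

The concurrent-write check is a compare-before-rename, not a cross-process lock, so a write that lands between the check and the rename can still be overwritten.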

Why Track This

Why It Matters

Operators running long-lived CLI-spawned host-service instances with OAuth can expect fewer unexpected auth interruptions because expired access tokens can now be refreshed in-process and requests continue after one retry without forcing a daemon restart or user re-login. The retry now pulls and persists credentials from CLI config (`accessToken` and possibly rotated `refreshToken`) through a single-flight, atomic write flow, while static token paths keep their existing behavior; monitor high-concurrency retry windows, refresh-token-missing cases, and token write failures for any remaining silent auth recovery failures.


What To Watch Next

  • Watch whether host-service becomes a repeated pattern.
  • Track follow-up changes around AI Security.
  • Compare future signals against this evidence trail.
  • Re-check risk flags: concurrent_refresh_race, missing_refresh_token_recovery.
Risk flags: concurrent_refresh_race / missing_refresh_token_recovery / atomic_write_failure_during_token_update / oauth_retry_error_regression / static_token_fallback_regression

Supporting Evidence