fix: serialize concurrent runtime cache writes

ndycode · ndycode · commit 81c45e5826db · 2026-04-06T11:31:03.000+08:00
Quota cache saves and update-check cache writes could overlap within the
same process. That risks write races, and the update checker also wrote
directly to the final cache file instead of staging through a temp file.

Serialize in-process writes for both caches and make update-check cache
writes atomic via temp-file rename so concurrent runtime writers do not
corrupt the on-disk state.
diff --git a/lib/auto-update-checker.ts b/lib/auto-update-checker.ts
@@ -1,4 +1,4 @@
-import { readFileSync, writeFileSync, existsSync, mkdirSync } from "node:fs";
+import { readFileSync, writeFileSync, existsSync, mkdirSync, renameSync, unlinkSync } from "node:fs";
 import { join } from "node:path";
 import { createLogger } from "./logger.js";
 import { getCodexCacheDir } from "./runtime-paths.js";
@@ -28,6 +28,7 @@ interface ParsedSemver {
 }
 
 const RETRYABLE_WRITE_ERRORS = new Set(["EBUSY", "EPERM"]);
+let updateCacheWriteQueue: Promise<void> = Promise.resolve();
 
 function sleepSync(ms: number): void {
   const delay = Math.max(0, Math.floor(ms));
@@ -56,30 +57,53 @@ function loadCache(): UpdateCheckCache | null {
   }
 }
 
-function saveCache(cache: UpdateCheckCache): void {
-  try {
-    if (!existsSync(CACHE_DIR)) {
-      mkdirSync(CACHE_DIR, { recursive: true });
-    }
-    const serialized = JSON.stringify(cache, null, 2);
-    let lastError: Error | null = null;
-    for (let attempt = 0; attempt < 4; attempt++) {
-      try {
-        writeFileSync(CACHE_FILE, serialized, "utf8");
-        return;
-      } catch (error) {
-        const code = (error as NodeJS.ErrnoException).code ?? "";
-        lastError = error as Error;
-        if (!RETRYABLE_WRITE_ERRORS.has(code) || attempt >= 3) {
-          throw error;
-        }
-        sleepSync(15 * (2 ** attempt));
-      }
-    }
-    if (lastError) throw lastError;
-  } catch (error) {
-    log.warn("Failed to save update cache", { error: (error as Error).message });
-  }
+async function saveCache(cache: UpdateCheckCache): Promise<void> {
+	const writeTask = (): void => {
+		let tempPath: string | null = null;
+		let wroteTemp = false;
+		try {
+			if (!existsSync(CACHE_DIR)) {
+				mkdirSync(CACHE_DIR, { recursive: true });
+			}
+			const serialized = JSON.stringify(cache, null, 2);
+			tempPath = `${CACHE_FILE}.${process.pid}.${Date.now()}.${Math.random().toString(36).slice(2, 8)}.tmp`;
+			let lastError: Error | null = null;
+			for (let attempt = 0; attempt < 4; attempt++) {
+				try {
+					writeFileSync(tempPath, serialized, "utf8");
+					renameSync(tempPath, CACHE_FILE);
+					wroteTemp = false;
+					return;
+				} catch (error) {
+					const code = (error as NodeJS.ErrnoException).code ?? "";
+					lastError = error as Error;
+					wroteTemp = true;
+					if (!RETRYABLE_WRITE_ERRORS.has(code) || attempt >= 3) {
+						throw error;
+					}
+					sleepSync(15 * (2 ** attempt));
+				}
+			}
+			if (lastError) throw lastError;
+		} catch (error) {
+			log.warn("Failed to save update cache", { error: (error as Error).message });
+		} finally {
+			if (wroteTemp && tempPath) {
+				try {
+					unlinkSync(tempPath);
+				} catch {
+					// Best effort temp cleanup.
+				}
+			}
+		}
+	};
+
+	const queued = updateCacheWriteQueue.catch(() => undefined).then(writeTask);
+	updateCacheWriteQueue = queued.then(
+		() => undefined,
+		() => undefined,
+	);
+	await queued;
 }
 
 function parseSemver(version: string): ParsedSemver {
@@ -211,11 +235,11 @@ export async function checkForUpdates(force = false): Promise<UpdateCheckResult>
 
   const latestVersion = await fetchLatestVersion();
 
-  saveCache({
-    lastCheck: now,
-    latestVersion,
-    currentVersion,
-  });
+	await saveCache({
+		lastCheck: now,
+		latestVersion,
+		currentVersion,
+	});
 
   const hasUpdate = latestVersion ? compareVersions(currentVersion, latestVersion) > 0 : false;
 
diff --git a/lib/quota-cache.ts b/lib/quota-cache.ts
@@ -33,6 +33,7 @@ interface QuotaCacheFile {
 const QUOTA_CACHE_PATH = join(getCodexMultiAuthDir(), "quota-cache.json");
 const QUOTA_CACHE_LABEL = basename(QUOTA_CACHE_PATH);
 const RETRYABLE_FS_CODES = new Set(["EBUSY", "EPERM"]);
+let quotaCacheWriteQueue: Promise<void> = Promise.resolve();
 
 function isRetryableFsError(error: unknown): boolean {
 	const code = (error as NodeJS.ErrnoException | undefined)?.code;
@@ -223,39 +224,48 @@ export async function saveQuotaCache(data: QuotaCacheData): Promise<void> {
 		byEmail: data.byEmail,
 	};
 
-	try {
-		await fs.mkdir(getCodexMultiAuthDir(), { recursive: true });
-		const tempPath = `${QUOTA_CACHE_PATH}.${process.pid}.${Date.now()}.${Math.random().toString(36).slice(2, 8)}.tmp`;
-		await fs.writeFile(tempPath, `${JSON.stringify(payload, null, 2)}\n`, {
-			encoding: "utf8",
-			mode: 0o600,
-		});
-		let renamed = false;
+	const writeTask = async (): Promise<void> => {
 		try {
-			for (let attempt = 0; attempt < 5; attempt += 1) {
-				try {
-					await fs.rename(tempPath, QUOTA_CACHE_PATH);
-					renamed = true;
-					break;
-				} catch (error) {
-					if (!isRetryableFsError(error) || attempt >= 4) throw error;
-					await sleep(10 * 2 ** attempt);
+			await fs.mkdir(getCodexMultiAuthDir(), { recursive: true });
+			const tempPath = `${QUOTA_CACHE_PATH}.${process.pid}.${Date.now()}.${Math.random().toString(36).slice(2, 8)}.tmp`;
+			await fs.writeFile(tempPath, `${JSON.stringify(payload, null, 2)}\n`, {
+				encoding: "utf8",
+				mode: 0o600,
+			});
+			let renamed = false;
+			try {
+				for (let attempt = 0; attempt < 5; attempt += 1) {
+					try {
+						await fs.rename(tempPath, QUOTA_CACHE_PATH);
+						renamed = true;
+						break;
+					} catch (error) {
+						if (!isRetryableFsError(error) || attempt >= 4) throw error;
+						await sleep(10 * 2 ** attempt);
+					}
 				}
-			}
-		} finally {
-			if (!renamed) {
-				try {
-					await fs.unlink(tempPath);
-				} catch {
-					// Best effort temp cleanup.
+			} finally {
+				if (!renamed) {
+					try {
+						await fs.unlink(tempPath);
+					} catch {
+						// Best effort temp cleanup.
+					}
 				}
 			}
+		} catch (error) {
+			logWarn(
+				`Failed to save quota cache to ${QUOTA_CACHE_LABEL}: ${
+					error instanceof Error ? error.message : String(error)
+				}`,
+			);
 		}
-	} catch (error) {
-		logWarn(
-			`Failed to save quota cache to ${QUOTA_CACHE_LABEL}: ${
-				error instanceof Error ? error.message : String(error)
-			}`,
-		);
-	}
+	};
+
+	const queued = quotaCacheWriteQueue.catch(() => undefined).then(writeTask);
+	quotaCacheWriteQueue = queued.then(
+		() => undefined,
+		() => undefined,
+	);
+	await queued;
 }
diff --git a/test/auto-update-checker.test.ts b/test/auto-update-checker.test.ts
@@ -5,6 +5,8 @@ vi.mock("node:fs", () => ({
 	writeFileSync: vi.fn(),
 	existsSync: vi.fn(),
 	mkdirSync: vi.fn(),
+	renameSync: vi.fn(),
+	unlinkSync: vi.fn(),
 }));
 
 describe("auto-update-checker", () => {
@@ -358,11 +360,13 @@ describe("auto-update-checker", () => {
 			await checkForUpdates(true);
 
 			expect(fs.writeFileSync).toHaveBeenCalled();
+			expect(fs.renameSync).toHaveBeenCalled();
 			const writeCall = vi.mocked(fs.writeFileSync).mock.calls[0];
 			const savedData = JSON.parse(writeCall[1] as string) as {
 				latestVersion: string;
 			};
 			expect(savedData.latestVersion).toBe("5.0.0");
+			expect(String(writeCall[0])).toContain("update-check-cache.json.");
 		});
 
 		it("creates cache directory if missing", async () => {
@@ -383,8 +387,8 @@ describe("auto-update-checker", () => {
 			"retries cache writes when filesystem is transiently locked (%s)",
 			async (code) => {
 			let attempts = 0;
-			vi.mocked(fs.writeFileSync).mockClear();
-			vi.mocked(fs.writeFileSync).mockImplementation(() => {
+			vi.mocked(fs.renameSync).mockClear();
+			vi.mocked(fs.renameSync).mockImplementation(() => {
 				attempts += 1;
 				if (attempts < 3) {
 					const error = new Error("busy") as NodeJS.ErrnoException;
@@ -400,10 +404,36 @@ describe("auto-update-checker", () => {
 
 			await checkForUpdates(true);
 
-			expect(fs.writeFileSync).toHaveBeenCalledTimes(3);
+			expect(fs.renameSync).toHaveBeenCalledTimes(3);
 			},
 		);
 
+		it("serializes concurrent cache writes through temp-file renames", async () => {
+			vi.mocked(fs.writeFileSync).mockClear();
+			vi.mocked(fs.renameSync).mockClear();
+			vi.mocked(globalThis.fetch)
+				.mockResolvedValueOnce({
+					ok: true,
+					json: async () => ({ version: "5.0.0" }),
+				} as Response)
+				.mockResolvedValueOnce({
+					ok: true,
+					json: async () => ({ version: "5.0.1" }),
+				} as Response);
+
+			await Promise.all([checkForUpdates(true), checkForUpdates(true)]);
+
+			expect(fs.renameSync).toHaveBeenCalledTimes(2);
+			const writeTargets = vi
+				.mocked(fs.writeFileSync)
+				.mock.calls.map((call) => String(call[0]));
+			expect(
+				writeTargets.every((target) =>
+					target.includes("update-check-cache.json."),
+				),
+			).toBe(true);
+		});
+
 		it("includes updateCommand in result", async () => {
 			vi.mocked(globalThis.fetch).mockResolvedValue({
 				ok: true,
