fix(auth): clear stale runtime block after refresh

NGLSL · NGLSL · commit 01d65a0dba5d · 2026-05-17T02:54:25.000+08:00
diff --git a/sdk/cliproxy/auth/conductor.go b/sdk/cliproxy/auth/conductor.go
@@ -3480,8 +3480,8 @@ func (m *Manager) refreshAuth(ctx context.Context, id string) {
 	}
 	updated.LastRefreshedAt = now
 	updated.NextRefreshAfter = time.Time{}
-	updated.LastError = nil
-	updated.UpdatedAt = now
+	updated.ModelStates = nil
+	clearAuthStateOnSuccess(updated, now)
 	if m.shouldRefresh(updated, now) {
 		updated.NextRefreshAfter = now.Add(refreshIneffectiveBackoff)
 	}
diff --git a/sdk/cliproxy/auth/conductor_update_test.go b/sdk/cliproxy/auth/conductor_update_test.go
@@ -46,6 +46,36 @@ func (e ineffectiveRefreshExecutor) HttpRequest(context.Context, *Auth, *http.Re
 	return nil, nil
 }
 
+type successfulRefreshExecutor struct {
+	provider string
+}
+
+func (e successfulRefreshExecutor) Identifier() string { return e.provider }
+
+func (e successfulRefreshExecutor) Execute(context.Context, *Auth, cliproxyexecutor.Request, cliproxyexecutor.Options) (cliproxyexecutor.Response, error) {
+	return cliproxyexecutor.Response{}, nil
+}
+
+func (e successfulRefreshExecutor) ExecuteStream(context.Context, *Auth, cliproxyexecutor.Request, cliproxyexecutor.Options) (*cliproxyexecutor.StreamResult, error) {
+	return nil, nil
+}
+
+func (e successfulRefreshExecutor) Refresh(_ context.Context, auth *Auth) (*Auth, error) {
+	if auth.Metadata == nil {
+		auth.Metadata = make(map[string]any)
+	}
+	auth.Metadata["access_token"] = "new-access-token"
+	return auth, nil
+}
+
+func (e successfulRefreshExecutor) CountTokens(context.Context, *Auth, cliproxyexecutor.Request, cliproxyexecutor.Options) (cliproxyexecutor.Response, error) {
+	return cliproxyexecutor.Response{}, nil
+}
+
+func (e successfulRefreshExecutor) HttpRequest(context.Context, *Auth, *http.Request) (*http.Response, error) {
+	return nil, nil
+}
+
 type metadataMutatingExecutor struct {
 	provider string
 }
@@ -339,6 +369,49 @@ func TestManager_Update_ActiveInheritsModelStates(t *testing.T) {
 	}
 }
 
+func TestManager_RefreshAuth_ClearsInheritedRuntimeBlockAfterSuccessfulRefresh(t *testing.T) {
+	m := NewManager(nil, nil, nil)
+	executor := successfulRefreshExecutor{provider: "claude"}
+	m.RegisterExecutor(executor)
+
+	now := time.Now().UTC()
+	if _, errRegister := m.Register(context.Background(), &Auth{
+		ID:       "auth-refresh-success",
+		Provider: "claude",
+		Status:   StatusError,
+		Metadata: map[string]any{
+			"access_token": "old-access-token",
+		},
+		ModelStates: map[string]*ModelState{
+			"claude-sonnet": {
+				Status:         StatusError,
+				Unavailable:    true,
+				NextRetryAfter: now.Add(30 * time.Minute),
+				LastError:      &Error{Message: "unauthorized", HTTPStatus: http.StatusUnauthorized},
+				UpdatedAt:      now,
+			},
+		},
+	}); errRegister != nil {
+		t.Fatalf("register auth: %v", errRegister)
+	}
+
+	m.refreshAuth(context.Background(), "auth-refresh-success")
+
+	updated, ok := m.GetByID("auth-refresh-success")
+	if !ok || updated == nil {
+		t.Fatalf("expected auth to be present after refresh")
+	}
+	if got := updated.Metadata["access_token"]; got != "new-access-token" {
+		t.Fatalf("access_token = %v, want new-access-token", got)
+	}
+	if updated.Unavailable || !updated.NextRetryAfter.IsZero() || len(updated.ModelStates) != 0 {
+		t.Fatalf("expected successful refresh to clear runtime block, got unavailable=%v next_retry=%s model_states=%d", updated.Unavailable, updated.NextRetryAfter, len(updated.ModelStates))
+	}
+	if updated.LastRefreshedAt.IsZero() {
+		t.Fatal("expected LastRefreshedAt to be set")
+	}
+}
+
 func TestManager_RefreshAuth_SetsBackoffWhenRefreshIsIneffective(t *testing.T) {
 	m := NewManager(nil, nil, nil)
 	executor := ineffectiveRefreshExecutor{provider: "claude"}
diff --git a/sdk/cliproxy/auth/runtime_persistence.go b/sdk/cliproxy/auth/runtime_persistence.go
@@ -277,6 +277,9 @@ func preserveRuntimeSnapshotState(auth *Auth, existing *Auth, now time.Time) {
 	if auth.Disabled || auth.Status == StatusDisabled || existing.Disabled || existing.Status == StatusDisabled {
 		return
 	}
+	if authRefreshTimestampAdvanced(auth, existing) {
+		return
+	}
 	candidate := auth.Clone()
 	sanitizeRuntimeSnapshotAuth(candidate, now)
 	if hasRuntimeSnapshotState(candidate) {
@@ -289,6 +292,13 @@ func preserveRuntimeSnapshotState(auth *Auth, existing *Auth, now time.Time) {
 	_ = applyRuntimeSnapshotState(auth, state, now)
 }
 
+func authRefreshTimestampAdvanced(auth *Auth, existing *Auth) bool {
+	if auth == nil || existing == nil || auth.LastRefreshedAt.IsZero() {
+		return false
+	}
+	return existing.LastRefreshedAt.IsZero() || auth.LastRefreshedAt.After(existing.LastRefreshedAt)
+}
+
 func sanitizeRuntimeSnapshotAuth(auth *Auth, now time.Time) {
 	if auth == nil {
 		return

Original file line number	Diff line number	Diff line change
`@@ -3480,8 +3480,8 @@ func (m *Manager) refreshAuth(ctx context.Context, id string) {`
`3480`	`3480`	`}`
`3481`	`3481`	`updated.LastRefreshedAt = now`
`3482`	`3482`	`updated.NextRefreshAfter = time.Time{}`
`3483`		`- updated.LastError = nil`
`3484`		`- updated.UpdatedAt = now`
	`3483`	`+ updated.ModelStates = nil`
	`3484`	`+ clearAuthStateOnSuccess(updated, now)`
`3485`	`3485`	`if m.shouldRefresh(updated, now) {`
`3486`	`3486`	`updated.NextRefreshAfter = now.Add(refreshIneffectiveBackoff)`
`3487`	`3487`	`}`