Primary finding
saveAuthProfileStore called outside file lock in markAuthProfileGood fallback path
medium | concurrency | high
- src/agents/auth-profiles/profiles.ts:90-110
When `updateAuthProfileStoreWithLock` returns null (e.g. the updater returned false because the fresh store doesn't have the profile or the provider mismatched), the function falls through to mutating the *caller's* `store` object and writing it back via `saveAuthProfileStore` without any file lock. This is a read-modify-write on the same file that the locked path is meant to protect, which defeats the purpose of the lock and risks lost updates. Additionally, the in-memory `store` may be stale relative to disk, so the unlocked write can clobber concurrent changes.
Recommendation
Remove the unlocked fallback write; if the locked update returned null (no change), simply return. Or perform the fallback inside the same lock.
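The lost update described in this finding, as an added example that is not the project's code: the store file is modelled as an in-memory string and the interleaving is replayed deterministically. The bodies of `saveAuthProfileStore` and `updateAuthProfileStoreWithLock` are constructed stand-ins, and `markGood`, `scenario`, `unlockedFallback` and the sample profiles are hypothetical names.

```typescript
// Constructed model: "disk" stands in for the store file, lockHeld for the file lock.
type Store = { profiles: Record<string, { provider: string; lastGood?: number }> };

let disk = "";
let lockHeld = false;
let unlockedWrites = 0;

const load = (): Store => JSON.parse(disk);
function saveAuthProfileStore(store: Store): void {
  if (!lockHeld) unlockedWrites++; // a write that raced past the lock
  disk = JSON.stringify(store);
}

// Locked read-modify-write: re-reads disk under the lock, null when the updater declines.
function updateAuthProfileStoreWithLock(updater: (fresh: Store) => boolean): Store | null {
  lockHeld = true;
  try {
    const fresh = load();
    if (!updater(fresh)) return null;
    saveAuthProfileStore(fresh);
    return fresh;
  } finally {
    lockHeld = false;
  }
}

function markGood(store: Store, id: string, provider: string, unlockedFallback: boolean): void {
  const updated = updateAuthProfileStoreWithLock((fresh) => {
    const p = fresh.profiles[id];
    if (!p || p.provider !== provider) return false;
    p.lastGood = 1;
    return true;
  });
  if (updated || !unlockedFallback) return; // hardened: null means "no change", so stop here
  const p = store.profiles[id]; // flagged path: mutate the caller's possibly stale snapshot
  if (p) p.lastGood = 1;
  saveAuthProfileStore(store); // and write it back with no lock held
}

// Caller snapshots the store, then another writer changes the file under the lock.
function scenario(unlockedFallback: boolean): { disk: Store; unlockedWrites: number } {
  disk = JSON.stringify({ profiles: { a: { provider: "x" } } });
  unlockedWrites = 0;
  const stale = load();
  updateAuthProfileStoreWithLock((f) => { Object.assign(f.profiles, { a: { provider: "y" }, b: { provider: "z" } }); return true; });
  markGood(stale, "a", "x", unlockedFallback);
  return { disk: load(), unlockedWrites };
}
```

With the fallback enabled, the concurrent writer's provider change and new profile disappear from disk; with it removed, as the recommendation suggests, both survive and no write happens outside the lock.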