Auth/OpenAI: fresh token save can revert to stale expired profile under live gateway

[vincentkoc]

Bug

Saving a fresh OpenAI token through Configure or Onboard can appear to work, then revert back to a stale expired token while the gateway is still running.

Related: #45516

Root Cause

Locked auth-profile writes in src/agents/auth-profiles/store.ts reload from ensureAuthProfileStore(...), which prefers the runtime auth-store snapshot when one exists. That snapshot can be stale relative to disk.

This means a normal gateway-side auth write like usage/cooldown/last-good persistence can do this:

1. CLI / Configure / Onboard writes a fresh credential to auth-profiles.json
2. gateway later acquires the auth-store file lock
3. locked write reloads the stale in-memory runtime snapshot instead of disk
4. gateway saves that stale snapshot back to disk
5. fresh token/order/config appears to "revert"

This is the same class of bug as #45516, but it also affects actual credential replacement instead of only auth order.

Repro shape

• Have a running gateway with an old OpenAI token loaded in memory
• Save a fresh OpenAI token via Configure / Onboard
• Trigger any gateway-side auth-store write (markAuthProfileUsed, cooldown/failure persistence, lastGood updates, etc.)
• auth-profiles.json can be rewritten with the stale token from runtime memory

Expected

Locked auth-store writers should reload from disk under the file lock, not from the runtime snapshot.

Scope

This can affect:

• Configure / Onboard token replacement
• models auth order set
• any other fresh auth-profile change that races a later gateway-side auth store save

[himey72]

I don't think this bug is squashed. I am stuck in this loop right now. I generate a new token and it has an expiration date of April 3 and when I restart the gateway, that token gets overwritten with one that expired on March 2.