fix(discord): serialize command-deploy cache persists via in-process mutex

lonexreb · lonexreb · commit b672756b0757 · 2026-05-05T13:45:08.000-05:00
Codex follow-up on #77367 noted: re-read-before-write inside persistHashes isn't enough — two deployers running persistHashes in true parallel can both read the same snapshot before either writes, and the later rename overwrites the earlier writer's app-scoped entries. Add a module-level Map<storePath, Promise<void>> mutex and wrap the read-merge-write cycle in withCachePersistLock so concurrent persists for the same on-disk path serialize. In-process is sufficient because Discord deployers only run inside the gateway process. New regression test fires three deployers via Promise.all on the same tick and asserts all three application-scoped entries survive — pre-fix this race lost at least one entry.
diff --git a/extensions/discord/src/internal/command-deploy.test.ts b/extensions/discord/src/internal/command-deploy.test.ts
@@ -393,4 +393,50 @@ describe("DiscordCommandDeployer cache scoping (multi-application)", () => {
     expect(restB.get).not.toHaveBeenCalled();
     expect(restB.post).not.toHaveBeenCalled();
   });
+
+  test("truly parallel deployers serialize cache writes via the per-path mutex (codex follow-up on #77367)", async () => {
+    // Codex follow-up on PR #77367: re-read-before-write alone isn't enough
+    // when two deployers run `persistHashes` in real parallel — both can read
+    // the same snapshot before either writes. The in-process per-path mutex
+    // around the read-merge-write cycle makes the operation atomic.
+    const dir = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-discord-multi-app-"));
+    const hashStorePath = path.join(dir, "command-deploy-cache.json");
+    const commands = [new StaticCommand("ping")];
+
+    // Run BOTH deploys with Promise.all on the SAME process tick — pre-fix,
+    // both `persistHashes` calls would race on read-then-rename and one
+    // writer's `app:<id>:...` entry would be lost.
+    const restA = createRest();
+    const restB = createRest();
+    const restC = createRest();
+    await Promise.all([
+      new DiscordCommandDeployer({
+        clientId: "app-default",
+        commands,
+        hashStorePath,
+        rest: () => restA,
+      }).deploy({ mode: "reconcile" }),
+      new DiscordCommandDeployer({
+        clientId: "app-secondary",
+        commands,
+        hashStorePath,
+        rest: () => restB,
+      }).deploy({ mode: "reconcile" }),
+      new DiscordCommandDeployer({
+        clientId: "app-tertiary",
+        commands,
+        hashStorePath,
+        rest: () => restC,
+      }).deploy({ mode: "reconcile" }),
+    ]);
+
+    const raw = await fs.readFile(hashStorePath, "utf8");
+    const parsed = JSON.parse(raw) as { hashes: Record<string, string> };
+    const keys = Object.keys(parsed.hashes);
+    // All three apps' entries must survive — pre-fix, one or two would be
+    // lost to the race.
+    expect(keys).toContain("app:app-default:global:reconcile");
+    expect(keys).toContain("app:app-secondary:global:reconcile");
+    expect(keys).toContain("app:app-tertiary:global:reconcile");
+  });
 });
diff --git a/extensions/discord/src/internal/command-deploy.ts b/extensions/discord/src/internal/command-deploy.ts
@@ -20,6 +20,41 @@ export type DeployCommandOptions = {
 
 type SerializedCommand = ReturnType<BaseCommand["serialize"]>;
 
+/**
+ * Per-`command-deploy-cache.json` path async mutex. `server-channels.ts` can
+ * start several Discord deployers concurrently in the same Node.js process;
+ * each one shares the same on-disk cache file. Without this lock, two
+ * deployers can run `persistHashes` in parallel, both read the same on-disk
+ * snapshot before either writes, and the later `rename` then overwrites the
+ * earlier writer's entries — defeating the rate-limit cache.
+ *
+ * This is an in-process lock; cross-process serialization would need an OS
+ * file lock. Discord deployers only run inside the gateway process, so an
+ * in-process mutex is sufficient for the documented concurrency surface.
+ */
+const cachePersistLocks = new Map<string, Promise<void>>();
+
+async function withCachePersistLock<T>(storePath: string, fn: () => Promise<T>): Promise<T> {
+  const previous = cachePersistLocks.get(storePath) ?? Promise.resolve();
+  let release: () => void = () => {};
+  const next = new Promise<void>((resolve) => {
+    release = resolve;
+  });
+  cachePersistLocks.set(
+    storePath,
+    previous.then(() => next),
+  );
+  try {
+    await previous;
+    return await fn();
+  } finally {
+    release();
+    if (cachePersistLocks.get(storePath) === previous.then(() => next)) {
+      cachePersistLocks.delete(storePath);
+    }
+  }
+}
+
 export class DiscordCommandDeployer {
   private readonly hashes = new Map<string, string>();
   private hashesLoaded = false;
@@ -178,18 +213,24 @@ export class DiscordCommandDeployer {
     if (!storePath) {
       return;
     }
+    // Serialize concurrent persists for the same on-disk path. The earlier
+    // "re-read inside persistHashes" merge alone is not enough — two
+    // deployers running `persistHashes` in true parallel would both read the
+    // same snapshot before either writes, and the later `rename` would still
+    // overwrite the earlier one's `app:<id>:...` entries. The mutex makes the
+    // read-merge-write cycle atomic for in-process callers.
+    await withCachePersistLock(storePath, async () => {
+      await this.persistHashesLocked(storePath);
+    });
+  }
+
+  private async persistHashesLocked(storePath: string): Promise<void> {
     try {
       await fs.mkdir(path.dirname(storePath), { recursive: true });
       // Re-read the on-disk hashes immediately before writing and merge them
-      // with our in-memory entries. Multiple Discord accounts on the same
-      // gateway share `command-deploy-cache.json`, and `server-channels.ts`
-      // can start their deployers concurrently. Without this re-read step,
-      // two deployers that both load the old file and then both write would
-      // each persist only their own scoped keys (`app:<id>:...`) and drop the
-      // other deployer's keys, defeating the rate-limit protection the cache
-      // was added for. Our in-memory entries always win on key collisions
-      // (we just produced them); on-disk entries that we don't have in memory
-      // are preserved as-is.
+      // with our in-memory entries. Our in-memory entries always win on key
+      // collisions (we just produced them); on-disk entries that we don't have
+      // in memory are preserved as-is.
       const merged = new Map<string, string>();
       try {
         const raw = await fs.readFile(storePath, "utf8");
