Severity: High (data-loss: silent Linear disconnect) · from 2026-05-29 audit.
When desktop and ade serve share the encrypted cred store, a near-expiry Linear OAuth refresh can race: Linear rotates the refresh token on first exchange, the losing runtime retries with the stale token, gets invalid_grant, and unconditionally clears the shared credentials (linearCredentialService.ts:550-558, headlessLinearServices.ts:1264-1266) — forcing a reconnect though the connection was valid. Introduced by #395.
Fix: cross-process file lock + re-read the cred store on invalid_grant; treat a rotated/fresh token as a benign race and keep the connection.
Fixed by PR #400. (Note: that PR's sleepSync uses Atomics.wait, which blocks the main thread — switch to async sleep before merging.)
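The re-read-on-invalid_grant half of the fix, as an added example (not code from PR #400 or the project). The store shape, the function names and the single-use token endpoint are hypothetical, constructed stand-ins, and the cross-process file lock is not modelled here.

```typescript
// Added illustration; every name here is hypothetical, not the project's code.
type Creds = { accessToken: string; refreshToken: string; expiresAt: number };
type Store = { creds: Creds | null }; // stands in for the shared encrypted cred store
type Outcome = "refreshed" | "kept-peer-token" | "cleared";
type Exchange = (refreshToken: string, now: number) => Creds | "invalid_grant";

// Constructed stand-in for the token endpoint: each refresh token is accepted
// once and then rotated, which is the behaviour the issue describes.
function makeEndpoint(initial: string): Exchange {
  let valid = initial;
  let issued = 0;
  return (refreshToken, now) => {
    if (refreshToken !== valid) return "invalid_grant";
    issued += 1;
    valid = `rt-${issued}`;
    return { accessToken: `at-${issued}`, refreshToken: valid, expiresAt: now + 3600 };
  };
}

// Refresh from a snapshot read earlier. On invalid_grant, re-read the store
// before clearing: a different, unexpired token means a peer won the race.
function refreshWithReread(store: Store, snapshot: Creds, exchange: Exchange, now: number): Outcome {
  const result = exchange(snapshot.refreshToken, now);
  if (result !== "invalid_grant") {
    store.creds = result;
    return "refreshed";
  }
  const current = store.creds;
  if (current !== null && current.refreshToken !== snapshot.refreshToken && current.expiresAt > now) {
    return "kept-peer-token"; // benign race: leave the connection intact
  }
  store.creds = null; // same token still stored, so the grant really is dead
  return "cleared";
}

// Two runtimes hold the same near-expiry snapshot and refresh one after the other.
function simulateRace(): { outcomes: Outcome[]; stored: string | null } {
  const now = 1000;
  const snapshot: Creds = { accessToken: "at-0", refreshToken: "rt-0", expiresAt: now + 30 };
  const store: Store = { creds: snapshot };
  const exchange = makeEndpoint("rt-0");
  const outcomes = [
    refreshWithReread(store, snapshot, exchange, now), // first runtime wins
    refreshWithReread(store, snapshot, exchange, now), // second runtime holds a stale token
  ];
  return { outcomes, stored: store.creds ? store.creds.refreshToken : null };
}
```

The second call is the losing runtime: it gets invalid_grant, finds the rotated token in the store, and leaves the credentials in place instead of clearing them.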