feat(msfs): reload AIS authn_token_file on rotation

[ankitmaster08]

AIS auth tokens (JWTs) are rotated on disk by an external process, but setupAIStoreContext loaded the token once and cached it in api.BaseParams.Token for the life of the mount, so a rotated token was never picked up without a restart.

Re-read authn_token_file whenever its mtime changes (thread-safe), via a new currentBaseParams accessor consulted before each AIStore API call, so a rotated token is used live. The AIS SDK applies BaseParams.Token per request (SetAuxHeaders in api.do), so a per-call refreshed copy takes effect on the next request. Mirrors MSC's FileBasedCredentialsProvider. An inline authn_token still wins and is never reloaded; anonymous (no token) is unchanged.

NGCDP-9025

Description

Change description.

{Relates to/Closes} {Task ID}.

Checklist

• Development PR
  • .release_notes/.unreleased.md
    • Notable changes to the client (i.e. not related to tooling, CI/CD, etc.) from this PR have been added.
• Release PR
  • CI/CD
    • The default branch pipelines are passing in both GitHub + GitLab (latter for SwiftStack E2E tests).
  • multi-storage-client/pyproject.toml
    • The package version has been bumped.
  • .release_notes/.unreleased.md
    • This file's contents have been moved into a .release_notes/{bumped package version}.md file.

Summary by CodeRabbit

• New Features

  • AIStore-backed storage now refreshes authentication tokens automatically when the token file changes, so long-running sessions can pick up rotated credentials without restarting.
  • Requests that rely on AIStore authentication now use the latest available token across reads, listings, stats, and delete operations.

• Tests

  • Added coverage for token reload behavior, including unchanged files, rotated files, and inline token handling.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds live AIStore authentication token reloading when authn_token_file is configured. The aistoreContextStruct gains authnTokenFile, tokenMu, and tokenMTime fields. A new currentBaseParams method reloads the token from disk when the file's mtime changes. All AIStore API call sites are updated to use currentBaseParams(). Two unit tests validate the caching and reload behavior.

Changes

AIStore Live Token Reload

Layer / File(s)	Summary
Context struct extension and initialization multi-storage-file-system/backend_aistore.go	Adds authnTokenFile, tokenMu, tokenMTime fields to aistoreContextStruct and seeds tokenMTime from os.Stat during setupAIStoreContext for file-based tokens only.
currentBaseParams reload method multi-storage-file-system/backend_aistore.go	Implements currentBaseParams, which locks tokenMu, re-stats the token file, and calls authn.LoadToken to refresh baseParams.Token when mtime changes.
Call site updates multi-storage-file-system/backend_aistore.go	Replaces direct aisContext.baseParams with aisContext.currentBaseParams() across deleteFile, listDirectory, listObjects, readFile, statDirectory, and statFile.
Unit tests multi-storage-file-system/backend_aistore_test.go	Adds writeAISTokenFile helper and two tests covering the no-file (inline token) case and the mtime-triggered reload with cache stability verification.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐇 Hop, hop — the token's stale no more,
I sniff the mtime behind the door.
If the file has changed, I fetch anew,
else serve the cache — quick as morning dew.
No auth shall lapse on my fuzzy watch! 🌿

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The description includes the core change and task ID, but it leaves the template sections and checklist items unfilled.	Fill in the required ## Description content, replace the placeholder task line, and complete or remove the checklist entries.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title is concise and accurately describes the main change: reloading AIS authn_token_file on rotation.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat-msfs-ais-token-refresh

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.2)

level=error msg="[linters_context] typechecking error: pattern ./...: directory prefix . does not contain main module or its selected dependencies"

---

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

multi-storage-file-system/backend_aistore.go (1)

88-93: 🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

Only seed tokenMTime after a successful initial file load. If authn.LoadToken fails during setup, the file’s current mtime still gets pinned, so currentBaseParams won’t retry unless the mtime changes. That can leave a repaired token file stuck on the empty token until restart or a touch.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@multi-storage-file-system/backend_aistore.go` around lines 88 - 93, The
initial token load in backendAIStore currently clears the error but still seeds
tokenMTime even when authn.LoadToken fails, which can prevent retries after a
later repair. Update the setup flow around authn.LoadToken and currentBaseParams
so tokenMTime is only recorded after a successful load, and leave it unset/reset
on failure so the token file can be re-read when it becomes readable again.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@multi-storage-file-system/backend_aistore.go`:
- Around line 88-93: The initial token load in backendAIStore currently clears
the error but still seeds tokenMTime even when authn.LoadToken fails, which can
prevent retries after a later repair. Update the setup flow around
authn.LoadToken and currentBaseParams so tokenMTime is only recorded after a
successful load, and leave it unset/reset on failure so the token file can be
re-read when it becomes readable again.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: cdce2b81-7081-4618-9839-3e9548998fe4

📥 Commits

Reviewing files that changed from the base of the PR and between 499911b and 4f23c34.

📒 Files selected for processing (2)

• multi-storage-file-system/backend_aistore.go
• multi-storage-file-system/backend_aistore_test.go

[edmc-ss]

LGTM