Optional capability: advisory lock on (sid, federationName) pairs, used by
POST /oauth/federation/:name/token (TODO-F-6) to prevent concurrent
federation-refresh thundering herd. Consumers detect presence with
supportsLock; when absent, the refresh path proceeds without
coordination — acceptable for low-concurrency deployments.
Error semantics
acquireLock returns a LockResult discriminated union for the two expected
outcomes — acquired or wait-timed-out. A thrown/rejected Promise from
acquireLock indicates a client-level failure (network partition,
cluster down, authentication error) that the caller must decide how to
handle: typical choices are to surface HTTP 503 or to fall back to an
unlocked refresh. Lock implementations SHOULD NOT internalize these errors
as { acquired: false } because the caller's response code depends on
whether the failure is transient-operational or protocol-level.
Optional capability: advisory lock on (sid, federationName) pairs, used by
POST /oauth/federation/:name/token(TODO-F-6) to prevent concurrent federation-refresh thundering herd. Consumers detect presence with supportsLock; when absent, the refresh path proceeds without coordination — acceptable for low-concurrency deployments.Error semantics
acquireLockreturns aLockResultdiscriminated union for the two expected outcomes — acquired or wait-timed-out. A thrown/rejected Promise fromacquireLockindicates a client-level failure (network partition, cluster down, authentication error) that the caller must decide how to handle: typical choices are to surface HTTP 503 or to fall back to an unlocked refresh. Lock implementations SHOULD NOT internalize these errors as{ acquired: false }because the caller's response code depends on whether the failure is transient-operational or protocol-level.