There's something strange going on with 5 tools accounts that surfaced due to the attached patch when I manually patched it into the server to try it out while I was watching.
tools.sbot, tools.xtools-ec, tools.pagepile, tools.ib2test, tools.wikidata-recon have mysql usernames that do NOT match their UIDs. In every case, it's some other number, typically for a different tool.
Therefore, when trying to check for new tools by UID instead of username, they come up as "new" tools and then fail because you cannot have two of the same exact username in the accounts table of the database for maintain-dbusers.
Write access to toolsdb is handled by username, so this does not seem like a good or sensible situation. It also makes these user accounts somewhat fragile if we need to rotate their credentials.