Skip to content

fix(windows): secure lifecycle handoff#450

Merged
ScriptedAlchemy merged 7 commits into
masterfrom
fix/user-message-search-storage-scope
Jul 11, 2026
Merged

fix(windows): secure lifecycle handoff#450
ScriptedAlchemy merged 7 commits into
masterfrom
fix/user-message-search-storage-scope

Conversation

@ScriptedAlchemy

@ScriptedAlchemy ScriptedAlchemy commented Jul 11, 2026

Copy link
Copy Markdown
Owner

Summary

Follow-up to #448 after its automatic merge. The final Windows lifecycle audit landed immediately afterward and must ship before deployment.

Correctness fix

Windows no longer authorizes cross-process exclusive lifecycle inheritance from lifecycle.lock.owner text. Sidecar contents are diagnostic state and can briefly describe a previous live owner during lock handoff; treating them as authority could let an old post-update child bypass a newer owner.

The updater now holds the OS lifecycle lock through binary installation, releases it immediately before spawning the new binary, and requires post-update to acquire a fresh exclusive OS lock. If another process wins the handoff race, post-update fails closed instead of mutating concurrently. Non-Windows inherited handoff also validates live PID/process-start identity to reject dead owners and PID reuse.

Windows coverage

The broad Windows exclusions added during initial CI diagnosis are removed. All platform-neutral consolidation tests and all post-update health E2E tests compile on Windows again. Only the directory-symlink fixture remains gated because Windows symlink creation depends on runner privilege/developer mode.

Validation

  • lifecycle lease unit tests: 9/9 passed
  • update lease handoff regression: passed
  • consolidation tests: 35/35 passed
  • post-update health E2E: 4/4 passed
  • Clippy all targets/features with warnings denied: passed
  • cargo check --tests --target x86_64-pc-windows-gnu: passed
  • formatting and diff checks: passed

Includes a patch changeset for the required follow-up release.

CI-discovered Windows recovery fixes

The first fully enabled Windows run exposed several independent assumptions that Linux and macOS had hidden. These are fixed rather than re-gating the tests:

  • Atomic migration copies now create and retain a writable destination handle, stream the source into it, restore source permissions, and flush through that same handle before rename. Windows FlushFileBuffers rejects a read-only handle with Access is denied (os error 5), which previously broke backup and staging publication across every consolidation shard. Retaining the writable handle also preserves read-only source artifacts without sacrificing durability.
  • Retry paths no longer attempt a redundant read-handle flush on Windows. The atomic publication path already flushes file contents before rename; Unix still fsyncs the file and parent directory on identical-artifact retries.
  • Post-update daemon-service quiesce and refresh now treat platforms without a supported service manager as Missing/no-op. Windows can therefore run the health pass and integration refresh instead of failing before health with the Linux/macOS-only service-install error. Linux systemd and macOS launchd behavior remains unchanged.
  • The lifecycle regression now encodes the actual platform contract: Unix may accept a validated live-parent inheritance token, while Windows must reject inheritance while the parent owns the OS lock and later acquire a fresh lock during handoff.
  • Consolidation unit fixtures use open_at_without_structured_backfill, preventing detached background work from leaking into offline migration tests.
  • Unit-test holder discovery is deterministic for isolated fixture stores. Production continues to scan real processes and fail closed; the evaluator regression still explicitly proves unsupported discovery never weakens offline safety.
  • Synthetic-interruption assertions now include the actual error, so any future failure before the intended durable boundary is diagnosable rather than hidden behind a boolean assertion.

Additional regression coverage exercises interrupted temp recovery, read-only artifact preservation, matching-sidecar rejection on Windows, dead/reused owner identity, all durable consolidation restart states, and all four post-update health scenarios.

Final verification for the CI follow-up

  • migration consolidation suite: 35/35 passed locally
  • lifecycle lease suite: 9/9 passed locally
  • post-update health E2E: 4/4 passed locally
  • read-only atomic-copy and interrupted-temp regressions: passed
  • Linux flaky migration reproduction: repeated focused passes
  • cargo clippy --all-targets --all-features -- -D warnings: passed
  • cargo check --tests --target x86_64-pc-windows-gnu: passed
  • formatting and diff checks: passed

The branch now exercises the Windows behavior in CI instead of relying on compile-only confidence or platform exclusions.

@changeset-bot

changeset-bot Bot commented Jul 11, 2026

Copy link
Copy Markdown

🦋 Changeset detected

Latest commit: 6a33ffe

The changes in this PR will be included in the next version bump.

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant