fix(windows): secure lifecycle handoff#450
Merged
Merged
Conversation
🦋 Changeset detectedLatest commit: 6a33ffe The changes in this PR will be included in the next version bump. Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Follow-up to #448 after its automatic merge. The final Windows lifecycle audit landed immediately afterward and must ship before deployment.
Correctness fix
Windows no longer authorizes cross-process exclusive lifecycle inheritance from
lifecycle.lock.ownertext. Sidecar contents are diagnostic state and can briefly describe a previous live owner during lock handoff; treating them as authority could let an old post-update child bypass a newer owner.The updater now holds the OS lifecycle lock through binary installation, releases it immediately before spawning the new binary, and requires
post-updateto acquire a fresh exclusive OS lock. If another process wins the handoff race, post-update fails closed instead of mutating concurrently. Non-Windows inherited handoff also validates live PID/process-start identity to reject dead owners and PID reuse.Windows coverage
The broad Windows exclusions added during initial CI diagnosis are removed. All platform-neutral consolidation tests and all post-update health E2E tests compile on Windows again. Only the directory-symlink fixture remains gated because Windows symlink creation depends on runner privilege/developer mode.
Validation
cargo check --tests --target x86_64-pc-windows-gnu: passedIncludes a patch changeset for the required follow-up release.
CI-discovered Windows recovery fixes
The first fully enabled Windows run exposed several independent assumptions that Linux and macOS had hidden. These are fixed rather than re-gating the tests:
FlushFileBuffersrejects a read-only handle withAccess is denied (os error 5), which previously broke backup and staging publication across every consolidation shard. Retaining the writable handle also preserves read-only source artifacts without sacrificing durability.Missing/no-op. Windows can therefore run the health pass and integration refresh instead of failing before health with the Linux/macOS-only service-install error. Linux systemd and macOS launchd behavior remains unchanged.open_at_without_structured_backfill, preventing detached background work from leaking into offline migration tests.Additional regression coverage exercises interrupted temp recovery, read-only artifact preservation, matching-sidecar rejection on Windows, dead/reused owner identity, all durable consolidation restart states, and all four post-update health scenarios.
Final verification for the CI follow-up
cargo clippy --all-targets --all-features -- -D warnings: passedcargo check --tests --target x86_64-pc-windows-gnu: passedThe branch now exercises the Windows behavior in CI instead of relying on compile-only confidence or platform exclusions.