tinyhumansai · senamakel · Apr 29, 2026 · Apr 28, 2026 · Apr 28, 2026 · Apr 28, 2026
@@ -6,6 +6,20 @@ description = "Core RPC URL, sidecar restart, dictation hotkey, webview-account,
 allow = [
     "core_rpc_url",
     "restart_core_process",
+    # `restart_app` triggers `app.restart()` so CEF re-initializes against
+    # the active user's `users/<id>/cef` profile after an identity flip
+    # (#900). Without this allow entry, the invoke is silently denied by
+    # Tauri capabilities and webviews keep the prior user's third-party
+    # cookies.
+    "restart_app",
+    "schedule_cef_profile_purge",
+    # `get_active_user_id` reads `~/.openhuman/active_user.toml` so the
+    # frontend can prime `userScopedStorage` from the Rust source of truth
+    # BEFORE redux-persist hydrates — the prior `localStorage`-only seed
+    # was bound to the per-user CEF profile dir and went stale across
+    # restart-driven flips, causing a false re-flip and restart loop on
+    # every login. (#900)
+    "get_active_user_id",
     "service_install_direct",
     "service_start_direct",
     "service_stop_direct",

@@ -36,7 +36,7 @@ fn default_root_dir_name() -> &'static str {
     }
 }
 
-fn default_root_openhuman_dir() -> Result<PathBuf, String> {
+pub fn default_root_openhuman_dir() -> Result<PathBuf, String> {
     if let Ok(workspace) = std::env::var("OPENHUMAN_WORKSPACE") {
         let trimmed = workspace.trim();
         if !trimmed.is_empty() {
@@ -50,7 +50,7 @@ fn default_root_openhuman_dir() -> Result<PathBuf, String> {
     Ok(home.join(default_root_dir_name()))
 }
 
-fn read_active_user_id(default_openhuman_dir: &Path) -> Option<String> {
+pub fn read_active_user_id(default_openhuman_dir: &Path) -> Option<String> {
     let path = default_openhuman_dir.join(ACTIVE_USER_STATE_FILE);
     let contents = std::fs::read_to_string(path).ok()?;
     let state: ActiveUserState = toml::from_str(&contents).ok()?;
@@ -297,6 +297,33 @@ pub fn prepare_process_cache_path() -> Result<PathBuf, String> {
         user_id,
         cache_dir.display()
     );
+
+    // When a real user is active, the pre-login `users/local/cef` bucket is
+    // stale third-party state captured during cold-bootstrap (before
+    // `active_user.toml` existed) — e.g. a Slack/WhatsApp tile added on a
+    // fresh install while the process was still running on the `local`
+    // fallback path. If we don't sweep it, those cookies leak into the
+    // first user's session via webview pre-warm and across users when the
+    // pre-login bucket is reused on subsequent fresh installs. Drop it
+    // synchronously here, before CEF init, so it's safe to delete. (#900)
+    if user_id != PRE_LOGIN_USER_ID {
+        if let Ok(local_cef) = cache_dir_for_user(&default_openhuman_dir, PRE_LOGIN_USER_ID) {
+            if local_cef.exists() {
+                match std::fs::remove_dir_all(&local_cef) {
+                    Ok(()) => log::info!(
+                        "[cef-profile] purged stale pre-login CEF cache path={}",
+                        local_cef.display()
+                    ),
+                    Err(error) => log::warn!(
+                        "[cef-profile] failed to purge stale pre-login CEF cache path={} error={}",
+                        local_cef.display(),
+                        error
+                    ),
+                }
+            }
+        }
+    }
+
     Ok(cache_dir)
 }
 

@@ -18,6 +18,7 @@ mod telegram_scanner;
 mod webview_accounts;
 mod webview_apis;
 mod whatsapp_scanner;
+mod window_state;
 
 use std::sync::Mutex;
 
@@ -318,9 +319,38 @@ async fn restart_core_process(
 #[tauri::command]
 async fn restart_app(app: tauri::AppHandle<AppRuntime>) -> Result<(), String> {
     log::info!("[app] restart_app invoked from frontend");
+    // Persist main-window geometry and hide the window before exit so
+    // the macOS WindowServer doesn't briefly black-out the desktop layer
+    // on the (now defunct) display when the focused app dies, and so
+    // the new process can land its window on the same display+position
+    // the user had it on. (#900 secondary fixes)
+    if let Some(window) = app.get_webview_window("main") {
+        window_state::save_main(&window);
+        if let Err(err) = window.hide() {
+            log::warn!("[app] hide main window before restart failed: {err}");
+        }
+    }
     app.restart();
 }
 
+/// Read the authoritative active user id from `active_user.toml` so the
+/// frontend can seed `userScopedStorage` BEFORE redux-persist hydrates.
+///
+/// The previous frontend-only seed (a `localStorage` key) was bound to the
+/// per-user CEF profile dir, so on every restart-driven user flip the new
+/// process read whatever value the new profile's `localStorage` happened to
+/// hold from a prior session — usually stale, triggering a false re-flip and
+/// a restart loop. The Rust core writes `active_user.toml` atomically as part
+/// of `auth_store_session`, so it's the only profile-independent source of
+/// truth available to the UI at boot. Reuses
+/// `cef_profile::default_root_openhuman_dir()` so the lookup honors
+/// `OPENHUMAN_WORKSPACE` overrides used in test harnesses. (#900)
+#[tauri::command]
+fn get_active_user_id() -> Result<Option<String>, String> {
+    let dir = cef_profile::default_root_openhuman_dir()?;
+    Ok(cef_profile::read_active_user_id(&dir))
+}
+
 #[tauri::command]
 async fn schedule_cef_profile_purge(user_id: Option<String>) -> Result<String, String> {
     let queued = cef_profile::queue_profile_purge_for_user(user_id.as_deref())?;
@@ -962,6 +992,24 @@ pub fn run() {
                 }
             });
 
+            // Restore last-known window position+size before showing the
+            // window so the user's first paint after a restart-driven flow
+            // (#900 identity flip) lands on the same display they used,
+            // not back at the default centered initial size on the
+            // primary monitor. `tauri.conf.json` ships `visible: false`
+            // / `center: false` for the main window so the placement
+            // happens before the first paint and there's no jump.
+            if let Some(window) = app.get_webview_window("main") {
+                if !window_state::restore_main(&window) {
+                    window_state::center_main(&window);
+                }
+                if !daemon_mode {
+                    if let Err(err) = window.show() {
+                        log::warn!("[window-state] show main window failed: {err}");
+                    }
+                }
+            }
+
             if daemon_mode {
                 if let Some(window) = app.get_webview_window("main") {
                     let _ = window.hide();
@@ -1299,6 +1347,7 @@ pub fn run() {
             apply_app_update,
             restart_core_process,
             restart_app,
+            get_active_user_id,
             schedule_cef_profile_purge,
             service_install_direct,
             service_start_direct,

@@ -612,27 +612,27 @@ fn teardown_account_scanners<R: Runtime>(app: &AppHandle<R>, account_id: &str) {
     {
         let registry = registry.inner().clone();
         let acct = account_id.to_string();
-        tokio::spawn(async move { registry.forget(&acct).await });
+        tauri::async_runtime::spawn(async move { registry.forget(&acct).await });
     }
     if let Some(registry) = app.try_state::<std::sync::Arc<crate::slack_scanner::ScannerRegistry>>()
     {
         let registry = registry.inner().clone();
         let acct = account_id.to_string();
-        tokio::spawn(async move { registry.forget(&acct).await });
+        tauri::async_runtime::spawn(async move { registry.forget(&acct).await });
     }
     if let Some(registry) =
         app.try_state::<std::sync::Arc<crate::discord_scanner::ScannerRegistry>>()
     {
         let registry = registry.inner().clone();
         let acct = account_id.to_string();
-        tokio::spawn(async move { registry.forget(&acct).await });
+        tauri::async_runtime::spawn(async move { registry.forget(&acct).await });
     }
     if let Some(registry) =
         app.try_state::<std::sync::Arc<crate::telegram_scanner::ScannerRegistry>>()
     {
         let registry = registry.inner().clone();
         let acct = account_id.to_string();
-        tokio::spawn(async move { registry.forget(&acct).await });
+        tauri::async_runtime::spawn(async move { registry.forget(&acct).await });
     }
 }
 

@@ -0,0 +1,192 @@
+//! Persistence of main-window position + size across restarts.
+//!
+//! `app.restart()` (used by #900's identity-flip flow) spawns a fresh
+//! process, so the new window doesn't inherit anything from the old one.
+//! Without us re-applying state, every login-driven respawn snaps the
+//! window back to the default initial size in the center of the primary
+//! display — even when the user had it on an external monitor or had
+//! resized it.
+//!
+//! This module persists a tiny TOML record at
+//! `<openhuman_dir>/window_state.toml` capturing the outer position and
+//! outer size of the main window in physical pixels. On launch the
+//! record is read and applied before the window is shown. On restart we
+//! save first, hide the window, then call `app.restart()`.
+//!
+//! Saved state is best-effort: read errors, missing file, off-screen
+//! positions, and non-existent monitors all fall back to the default
+//! centered window so we never trap the window where the user can't
+//! reach it.
+
+use std::path::PathBuf;
+
+use serde::{Deserialize, Serialize};
+use tauri::{PhysicalPosition, PhysicalSize, Runtime, WebviewWindow};
+
+use crate::cef_profile;
+
+const STATE_FILE: &str = "window_state.toml";
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+struct WindowState {
+    x: i32,
+    y: i32,
+    width: u32,
+    height: u32,
+}
+
+fn state_path() -> Option<PathBuf> {
+    cef_profile::default_root_openhuman_dir()
+        .ok()
+        .map(|root| root.join(STATE_FILE))
+}
+
+/// Capture the main window's outer geometry and write it to disk.
+///
+/// Called from `restart_app` immediately before `app.restart()` so the
+/// next process can land the new window where the user left it.
+pub fn save_main<R: Runtime>(window: &WebviewWindow<R>) {
+    let Ok(pos) = window.outer_position() else {
+        log::warn!("[window-state] outer_position unavailable; skip save");
+        return;
+    };
+    let Ok(size) = window.outer_size() else {
+        log::warn!("[window-state] outer_size unavailable; skip save");
+        return;
+    };
+    let state = WindowState {
+        x: pos.x,
+        y: pos.y,
+        width: size.width,
+        height: size.height,
+    };
+    let Some(path) = state_path() else {
+        log::warn!("[window-state] no path available; skip save");
+        return;
+    };
+    if let Some(parent) = path.parent() {
+        if let Err(err) = std::fs::create_dir_all(parent) {
+            log::warn!(
+                "[window-state] mkdir {} failed: {}; skip save",
+                parent.display(),
+                err
+            );
+            return;
+        }
+    }
+    let raw = match toml::to_string_pretty(&state) {
+        Ok(r) => r,
+        Err(err) => {
+            log::warn!("[window-state] serialize failed: {err}; skip save");
+            return;
+        }
+    };
+    if let Err(err) = std::fs::write(&path, raw) {
+        log::warn!("[window-state] write {} failed: {err}", path.display());
+    } else {
+        log::info!(
+            "[window-state] saved geometry x={} y={} w={} h={}",
+            state.x,
+            state.y,
+            state.width,
+            state.height
+        );
+    }
+}
+
+/// Read the saved geometry (if any) and apply it to the main window.
+///
+/// Returns `true` when saved geometry was applied. Returns `false` when
+/// no saved file exists, the file is malformed, or the saved position
+/// falls outside every currently-attached monitor (e.g. the user
+/// undocked an external display); the caller is then expected to fall
+/// back to a centered default so we never strand the window off-screen.
+pub fn restore_main<R: Runtime>(window: &WebviewWindow<R>) -> bool {
+    let Some(path) = state_path() else {
+        return false;
+    };
+    let Ok(raw) = std::fs::read_to_string(&path) else {
+        return false;
+    };
+    let state: WindowState = match toml::from_str(&raw) {
+        Ok(s) => s,
+        Err(err) => {
+            log::warn!(
+                "[window-state] parse {} failed: {err}; using default placement",
+                path.display()
+            );
+            return false;
+        }
+    };
+
+    if !position_visible_on_any_monitor(window, state.x, state.y, state.width, state.height) {
+        log::info!(
+            "[window-state] saved position x={} y={} not on any monitor; falling back to centered default",
+            state.x,
+            state.y
+        );
+        return false;
+    }
+
+    if let Err(err) = window.set_size(PhysicalSize::new(state.width, state.height)) {
+        log::warn!("[window-state] set_size failed: {err}");
+    }
+    if let Err(err) = window.set_position(PhysicalPosition::new(state.x, state.y)) {
+        log::warn!("[window-state] set_position failed: {err}");
+        return false;
+    }
+    log::info!(
+        "[window-state] restored geometry x={} y={} w={} h={}",
+        state.x,
+        state.y,
+        state.width,
+        state.height
+    );
+    true
+}
+
+/// Center the main window on the primary display (or its current monitor
+/// if `current_monitor` resolves) when no saved state applied.
+pub fn center_main<R: Runtime>(window: &WebviewWindow<R>) {
+    let Ok(Some(monitor)) = window
+        .primary_monitor()
+        .or_else(|_| window.current_monitor())
+    else {
+        let _ = window.center();
+        return;
-    let Ok(Some(monitor)) = window
-        .primary_monitor()
-        .or_else(|_| window.current_monitor())
-    else {
-        let _ = window.center();
-        return;
+    let monitor = match window.primary_monitor() {
+        Ok(Some(monitor)) => Some(monitor),
+        Ok(None) | Err(_) => window.current_monitor().ok().flatten(),
+    };
+    let Some(monitor) = monitor else {
+        let _ = window.center();
+        return;
+    };
-    let Ok(Some(monitor)) = window
-        .primary_monitor()
-        .or_else(|_| window.current_monitor())
-    else {
-        let _ = window.center();
-        return;
+    let monitor = match window.primary_monitor() {
+        Ok(Some(monitor)) => Some(monitor),
+        Ok(None) | Err(_) => window.current_monitor().ok().flatten(),
+    };
+    let Some(monitor) = monitor else {
+        let _ = window.center();
+        return;
+    };
+    };
+    let Ok(size) = window.outer_size() else {
+        let _ = window.center();
+        return;
+    };
+    let mon_pos = monitor.position();
+    let mon_size = monitor.size();
+    let x = mon_pos.x + (mon_size.width as i32 - size.width as i32) / 2;
+    let y = mon_pos.y + (mon_size.height as i32 - size.height as i32) / 2;
+    let _ = window.set_position(PhysicalPosition::new(x, y));
+}
+
+fn position_visible_on_any_monitor<R: Runtime>(
+    window: &WebviewWindow<R>,
+    x: i32,
+    y: i32,
+    width: u32,
+    height: u32,
+) -> bool {
+    let Ok(monitors) = window.available_monitors() else {
+        return false;
+    };
+    // Treat the window as on-screen if at least a 100x100 px patch of it
+    // overlaps any attached monitor.
+    let win_right = x.saturating_add(width as i32);
+    let win_bottom = y.saturating_add(height as i32);
+    monitors.iter().any(|m| {
+        let pos = m.position();
+        let size = m.size();
+        let mon_right = pos.x.saturating_add(size.width as i32);
+        let mon_bottom = pos.y.saturating_add(size.height as i32);
+        let overlap_w = (win_right.min(mon_right) - x.max(pos.x)).max(0);
+        let overlap_h = (win_bottom.min(mon_bottom) - y.max(pos.y)).max(0);
+        overlap_w >= 100 && overlap_h >= 100
+    })
+}
@@ -16,10 +16,10 @@
         "title": "OpenHuman",
         "width": 1000,
         "height": 800,
-        "visible": true,
+        "visible": false,
         "decorations": true,
         "resizable": true,
-        "center": true
+        "center": false
       }
     ],
     "security": {