fix(tauri): clean shutdown + orphan reap (#1060)

[oxoxDev]

Summary

• Adds shared Tauri process-kill helpers and reuses them from core process management.
• Adds graceful shutdown for the embedded Axum JSON-RPC listener with a CancellationToken.
• Reaps stale OpenHuman bundle-owned processes on macOS startup with TERM then KILL escalation.
• Escalates app orphan-child sweep from TERM to KILL for holdouts and logs structured counts.
• Exposes owned-process diagnostics and documents stuck-process recovery.

Problem

• Hard exits such as SIGKILL, Force Quit, and renderer crashes can bypass Tauri RunEvent::ExitRequested, leaving CEF/core helper processes behind.
• The existing orphan sweep sent only SIGTERM to direct children and did not escalate for TERM-ignoring holdouts.
• The embedded core listener was only aborting the top-level task, so the Axum listener was not given a deterministic graceful-shutdown signal.
• Recovery needed to preserve the existing SingletonLock and port-7788 takeover semantics from Proactively kill stale old OpenHuman RPC processes before the Tauri app reuses their port #1130, plus the [Bug] [P1] App quit does not clean up; macOS reports an error #920/Ensure CEF fully winds down on full app close #1120 shutdown ordering fixes.

Solution

• Add process_kill.rs for reusable TERM/KILL helpers.
• Add a macOS-only process_recovery.rs startup reaper that scopes ownership to argv0 paths inside the launching .app/Contents/, skips self, skips OPENHUMAN_CORE_REUSE_EXISTING=1, and avoids killing a live SingletonLock holder.
• Add CancellationToken plumbing through CoreProcessHandle into run_server_embedded, and call Axum .with_graceful_shutdown(token.cancelled()).
• Update send_terminate_signal/shutdown to cancel before aborting the embedded server task.
• Update sweep_orphan_children to count direct children, send TERM, wait 500ms, KILL holdouts, and log [app] sweep: term=N kill=M total=K.
• Add process_diagnostics_list_owned for diagnostics and document stuck-process recovery in docs/src-tauri/README.md.

Submission Checklist

• Tests added or updated (happy path + at least one failure / edge case) per docs/TESTING-STRATEGY.md
  N/A: Diff coverage >= 80% local merged coverage was not run; this infrastructure PR is covered by targeted Rust tests plus macOS smoke, and CI coverage remains authoritative.
  N/A: Coverage matrix updated - process lifecycle infrastructure has no feature row to add/remove/rename.
  N/A: All affected feature IDs from the matrix are listed in the PR description under ## Related - no matrix feature IDs apply.
• No new external network dependencies introduced (mock backend used per docs/TESTING-STRATEGY.md)
  N/A: Manual smoke checklist updated if this touches release-cut surfaces - no release checklist row exists for this process lifecycle path; local S1-S6-style smoke results are included below.
• Linked issue closed via Closes #NNN in the ## Related section

Impact

• macOS desktop startup now attempts safe cleanup of stale OpenHuman bundle-owned processes before CEF cache preflight.
• Embedded core shutdown now releases the Axum listener deterministically; standalone CLI shutdown subscriber behavior is unchanged.
• Linux/Windows process recovery remains stubbed for this PR.
• No user-facing reset/force-quit UI is added.

Manual verification:

• cargo fmt --check --all passed.
• cargo check passed with existing warnings.
• cargo check --manifest-path app/src-tauri/Cargo.toml passed with existing warnings.
• cargo clippy --manifest-path app/src-tauri/Cargo.toml --tests passed with existing warnings.
• cargo clippy --tests failed only on known pre-existing denied approx_constant lints outside this PR.
• cargo test --manifest-path app/src-tauri/Cargo.toml --lib passed: 177 passed, 4 ignored.
• Focused tests passed: shutdown_token_stops_axum_listener_within_timeout, send_terminate_signal_cancels_shutdown_token, and process_recovery.
• cargo test -p openhuman-tauri-shell could not run because this checkout has no openhuman-tauri-shell package; the app package is OpenHuman.
• pnpm --filter openhuman-app macos:build:debug built the branch debug .app and DMG successfully.
• Pre-push hook passed format, lint, TypeScript compile, Tauri Rust check, and command token lint. Lint reports existing warnings only.

macOS smoke from the branch-built bundle:

• Quit/AppleEvent path left zero branch-owned .app/Contents/ processes.
• SingletonLock second launch did not create a second main PID and did not kill the first instance.
• kill -9 of the branch main PID left no branch-owned CEF helpers in this run.
• Controlled SIGTERM-ignoring stale helper with argv0 inside the branch bundle was reaped on next startup.
• OPENHUMAN_CORE_REUSE_EXISTING=1 attach path preserved the standalone listener using the repo's actual openhuman-core serve bin.
• Baseline caveat: three old /var/.../openhuman-accessibility-helper/unified_helper_bin PPID-1 processes pre-existed this worktree and are outside the branch bundle-path ownership boundary.

Related

Closes #1060

Cross-reference: #1130
Cross-reference: #920
Cross-reference: #1120

Follow-up PR(s)/TODOs: N/A: none for this PR.

Summary by CodeRabbit

• New Features

  • Cooperative graceful shutdown for the embedded core
  • Automatic detection and cleanup of stale processes on macOS startup
  • Command to list owned processes for diagnostics
  • Two-phase, more robust orphan-process cleanup on quit
  • Cross-platform process termination helpers

• Documentation

  • Added "Stuck process recovery" guidance and logs

• Tests

  • New tests for graceful shutdown and termination-token behavior

• Chores

  • Added a runtime utility dependency to support shutdown handling

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds CancellationToken-driven graceful shutdown for the embedded core server; extracts cross-platform pid-kill helpers; implements macOS startup recovery to reap stale OpenHuman processes; improves orphan-child cleanup with TERM→KILL escalation; and exposes a Tauri diagnostic command to list owned processes.

Changes

Process lifecycle, recovery, and wiring

Layer / File(s)	Summary
Dependency app/src-tauri/Cargo.toml	Adds tokio-util = { version = "0.7", features = ["rt"] }.
Data Shape / Fields app/src-tauri/src/core_process.rs	CoreProcessHandle gains shutdown_token: Arc<Mutex<CancellationToken>> with initialization and a test accessor.
Embedded server API src/core/jsonrpc.rs	run_server_embedded(...) now accepts a CancellationToken; run_server_inner accepts shutdown_token: Option<CancellationToken> and uses it for Axum graceful shutdown. bootstrap_skill_runtime/register_domain_subscribers gain an embedded_core: bool flag and conditionally register shutdown subscribers.
Shutdown plumbing app/src-tauri/src/core_process.rs	ensure_running() refreshes and forwards a fresh shutdown token to the embedded server; adds fresh_shutdown_token() and cancel_shutdown_token() helpers; send_terminate_signal() cancels the token before aborting the server task. reuse_existing_listener_enabled() visibility → pub(crate).
Cross-platform kill helpers app/src-tauri/src/process_kill.rs	New module: kill_pid_term / kill_pid_force implemented for Unix (SIGTERM/SIGKILL with ESRCH handling) and Windows (taskkill variants); includes Unix orphan-child sweep utilities using pgrep/pkill.
macOS startup recovery app/src-tauri/src/process_recovery.rs	reap_stale_openhuman_processes() enumerates ps output, derives bundle-scoped argv0 matches, SIGTERMs stale matches, waits 500ms, re-enumerates, and SIGKILLs holdouts; includes parsing, SingletonLock PID resolution, liveness checks, and unit tests. Non-macOS builds provide no-op stubs and empty lists.
Tauri integration & diagnostics app/src-tauri/src/lib.rs	Adds process_kill and process_recovery modules; calls reap_stale_openhuman_processes() on macOS startup; registers Tauri command process_diagnostics_list_owned() returning ProcessInfo; replaces inline child-sweep with process_kill::sweep_orphan_children().
Tests / Test helpers app/src-tauri/src/core_process_tests.rs, src/core/jsonrpc_tests.rs	Adds Tokio test verifying send_terminate_signal() cancels the shutdown token; adds embedded-server tests/helpers (EnvVarGuard, wait_until_port_accepts, wait_until_port_released) and a test ensuring CancellationToken stops the Axum listener within timeout.
Docs docs/src-tauri/README.md	Adds “Stuck process recovery” section describing startup recovery, TERM→KILL teardown sweep, skip conditions, and the process_diagnostics_list_owned diagnostic command.

Sequence Diagram(s)

sequenceDiagram
    participant Tauri as Tauri App
    participant Recovery as process_recovery
    participant Core as Embedded Core
    participant Axum as Axum Server
    participant Children as Child Processes

    Tauri->>Recovery: reap_stale_openhuman_processes() (macOS startup)
    Recovery->>Recovery: check CEF SingletonLock (may skip)
    Recovery->>Recovery: enumerate ps output & identify stale PIDs
    Recovery->>Children: SIGTERM stale processes
    Recovery->>Recovery: sleep 500ms
    Recovery->>Recovery: re-enumerate & match PID+command
    Recovery->>Children: SIGKILL holdouts
    Recovery-->>Tauri: recovery done

    Tauri->>Core: spawn embedded core with CancellationToken
    Core->>Axum: run_server_embedded(shutdown_token)
    Axum->>Axum: with_graceful_shutdown(shutdown_token)
    Tauri->>Core: send_terminate_signal()
    Core->>Core: cancel shutdown_token
    Axum-->>Axum: graceful shutdown triggered
    Tauri->>Tauri: event loop ends
    Tauri->>Children: sweep_orphan_children() -> pkill -TERM -P
    Tauri->>Tauri: sleep 500ms
    Tauri->>Children: sweep_orphan_children() -> pkill -KILL -P (holdouts)

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

Possibly related PRs

• tinyhumansai/openhuman#460: Modifies core server shutdown wiring to use external shutdown token — related to embedded shutdown changes.
• tinyhumansai/openhuman#1166: Prior work on startup/listener takeover and kill helpers that this PR refactors/moves into a new module.
• tinyhumansai/openhuman#495: Related edits to core_process shutdown/terminate flow and SIGTERM-before-SIGKILL behavior.

Suggested reviewers

• senamakel
• graycyrus
• M3gA-Mind

Poem

🐇 A token softly tapped to close the gate,
Graceful breaths hush the server’s state.
TERM whispers first, then KILL when it's due,
Stray processes chased until none are true.
Hop—cleanup done; the system sleeps anew.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'fix(tauri): clean shutdown + orphan reap' directly and clearly describes the main changes: adding clean shutdown mechanisms and orphan process reaping functionality.
Linked Issues check	✅ Passed	The PR implements all core coding objectives from #1060: graceful shutdown via CancellationToken, orphan reaping (macOS startup recovery), process termination helpers (TERM→KILL escalation), and diagnostics command process_diagnostics_list_owned.
Out of Scope Changes check	✅ Passed	All changes are in-scope: process_kill.rs and process_recovery.rs implement required termination/reaping, core_process.rs integrates shutdown tokens, jsonrpc.rs adds graceful shutdown, tests verify behavior, and documentation records the implementation.
Docstring Coverage	✅ Passed	Docstring coverage is 98.44% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

app/src-tauri/src/core_process.rs (1)

367-381: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

shutdown() still aborts before graceful shutdown can finish.

shutdown() is used by restart/update flows, but it cancels the token and immediately aborts the server task. That makes run_server_embedded(...).with_graceful_shutdown(...) mostly a race: in-flight RPCs are still cut off unless the server task happens to win before abort() runs.

I'd keep send_terminate_signal() as the fire-and-forget exit path, but let shutdown() wait a bounded time for the task to exit cleanly before falling back to abort().

Possible direction

 pub async fn shutdown(&self) {
     self.cancel_shutdown_token("").await;
-    self.abort_task("").await;
+    let mut task_guard = self.task.lock().await;
+    if let Some(mut task) = task_guard.take() {
+        if tokio::time::timeout(Duration::from_secs(2), &mut task)
+            .await
+            .is_err()
+        {
+            log::warn!("[core] graceful shutdown timed out; aborting embedded core server task");
+            task.abort();
+        }
+    }
 }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@app/src-tauri/src/core_process.rs` around lines 367 - 381, shutdown()
currently cancels the shutdown token then immediately aborts the server task,
which prevents graceful shutdown; change shutdown() to call
cancel_shutdown_token("") then wait for the server task to exit with a bounded
timeout (use tokio::time::timeout with a short duration, e.g. 5s) by awaiting
the server task's JoinHandle completion, and only call abort_task("") if the
timeout elapses or the join returns an error; keep send_terminate_signal()
unchanged as the fire-and-forget path and reuse the existing
cancel_shutdown_token and abort_task helpers.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/core/jsonrpc_tests.rs`:
- Around line 11-31: EnvVarGuard must serialize process-global env var mutation
to avoid races: add a static lock (e.g.,
once_cell::sync::Lazy<std::sync::Mutex<()>> named ENV_LOCK) and have EnvVarGuard
acquire that lock in EnvVarGuard::set and store the resulting MutexGuard in the
struct (e.g., add a field like lock: std::sync::MutexGuard<'static, ()> or
Option<...>), then let Drop both restore the old env and drop the guard
(releasing the lock). Update EnvVarGuard::set to lock ENV_LOCK before
reading/setting the env and return the guard-bearing EnvVarGuard, and ensure the
Drop impl still restores or removes the env value then lets the stored guard go
out of scope to release serialization.

---

Outside diff comments:
In `@app/src-tauri/src/core_process.rs`:
- Around line 367-381: shutdown() currently cancels the shutdown token then
immediately aborts the server task, which prevents graceful shutdown; change
shutdown() to call cancel_shutdown_token("") then wait for the server task to
exit with a bounded timeout (use tokio::time::timeout with a short duration,
e.g. 5s) by awaiting the server task's JoinHandle completion, and only call
abort_task("") if the timeout elapses or the join returns an error; keep
send_terminate_signal() unchanged as the fire-and-forget path and reuse the
existing cancel_shutdown_token and abort_task helpers.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 92e9f774-165e-4060-a980-2a7266d5ed0d

📥 Commits

Reviewing files that changed from the base of the PR and between ec4d3de and 7b0e4cd.

⛔ Files ignored due to path filters (1)

• app/src-tauri/Cargo.lock is excluded by !**/*.lock

📒 Files selected for processing (9)

• app/src-tauri/Cargo.toml
• app/src-tauri/src/core_process.rs
• app/src-tauri/src/core_process_tests.rs
• app/src-tauri/src/lib.rs
• app/src-tauri/src/process_kill.rs
• app/src-tauri/src/process_recovery.rs
• docs/src-tauri/README.md
• src/core/jsonrpc.rs
• src/core/jsonrpc_tests.rs

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

app/src-tauri/src/lib.rs (1)

1728-1820: ⚡ Quick win

Move the Unix sweep helpers out of lib.rs.

This entrypoint is already carrying startup, tray, updater, IPC, and shutdown orchestration. Adding another ~100 lines of Unix process-enumeration/kill plumbing here makes it harder to maintain than extracting it into process_kill.rs or a small shutdown module.

As per coding guidelines, Prefer modules ≤ ~500 lines; split growing modules.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@app/src-tauri/src/lib.rs` around lines 1728 - 1820, The lib.rs Unix sweep
helpers (sweep_orphan_children, sweep_orphan_children_unix, direct_child_pids,
parse_pgrep_pids, pkill_children, log_unexpected_pkill_status) should be moved
into a new module (e.g., process_kill.rs): create the file, copy those functions
preserving their #[cfg(unix)] attributes and visibility (make them pub(crate) if
called from lib.rs), add mod process_kill; in lib.rs replace the inline
implementations with a single call to process_kill::sweep_orphan_children()
(retain the non-Unix noop variant in lib.rs or re-export a non-unix wrapper),
ensure any used imports (log, std) remain available or are referenced
fully-qualified, and add the new module to the crate so the build passes.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@app/src-tauri/src/lib.rs`:
- Around line 1744-1776: The code currently skips pkill_children when
direct_child_pids() returns Err; change sweep logic so pkill_children("TERM")
and pkill_children("KILL") are invoked regardless of whether
direct_child_pids(parent_pid) succeeded—use the result of direct_child_pids only
for counting/log messages (term_count/kill_count) but do not gate the
pkill_children calls on its Ok state; keep calling log_unexpected_pkill_status
on successful pkill_children and log warnings on Err, and also fix the final log
total to compute total as term_count + kill_count (instead of term_count twice)
so the messages reflect counts correctly.
- Around line 79-94: The current process_diagnostics_list_owned function hides
errors by returning an empty Vec on failure; change its signature to return a
Result<Vec<process_recovery::ProcessInfo>, String> (or other serializable error
type Tauri expects), propagate the error from
process_recovery::enumerate_openhuman_processes() instead of converting it to
Vec::new() (e.g. map_err(|e| e.to_string())), and keep logging the error before
returning Err; update callers (Tauri command registration) if needed so the
command returns the Result and the real error surfaces to the caller.

---

Nitpick comments:
In `@app/src-tauri/src/lib.rs`:
- Around line 1728-1820: The lib.rs Unix sweep helpers (sweep_orphan_children,
sweep_orphan_children_unix, direct_child_pids, parse_pgrep_pids, pkill_children,
log_unexpected_pkill_status) should be moved into a new module (e.g.,
process_kill.rs): create the file, copy those functions preserving their
#[cfg(unix)] attributes and visibility (make them pub(crate) if called from
lib.rs), add mod process_kill; in lib.rs replace the inline implementations with
a single call to process_kill::sweep_orphan_children() (retain the non-Unix noop
variant in lib.rs or re-export a non-unix wrapper), ensure any used imports
(log, std) remain available or are referenced fully-qualified, and add the new
module to the crate so the build passes.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 7ac963b9-2594-48b5-ba3d-c09be0b8fe67

📥 Commits

Reviewing files that changed from the base of the PR and between 7b0e4cd and 3d3bb09.

⛔ Files ignored due to path filters (1)

• app/src-tauri/Cargo.lock is excluded by !**/*.lock

📒 Files selected for processing (10)

• app/src-tauri/Cargo.toml
• app/src-tauri/src/core_process.rs
• app/src-tauri/src/core_process_tests.rs
• app/src-tauri/src/lib.rs
• app/src-tauri/src/process_kill.rs
• app/src-tauri/src/process_recovery.rs
• docs/src-tauri/README.md
• src/core/jsonrpc.rs
• src/core/jsonrpc_tests.rs
• src/openhuman/agent/prompts/mod_tests.rs

✅ Files skipped from review due to trivial changes (3)

• app/src-tauri/Cargo.toml
• docs/src-tauri/README.md
• src/core/jsonrpc.rs

🚧 Files skipped from review as they are similar to previous changes (5)

• app/src-tauri/src/core_process_tests.rs
• src/core/jsonrpc_tests.rs
• app/src-tauri/src/core_process.rs
• app/src-tauri/src/process_kill.rs
• app/src-tauri/src/process_recovery.rs

[coderabbitai]

🧹 Nitpick comments (1)

app/src-tauri/src/process_kill.rs (1)

28-39: 💤 Low value

Remove redundant Pid::from_raw and dead code.

Line 29 duplicates the Pid::from_raw(pid as i32) conversion when target (line 28) already holds that value. Line 34 (let _ = target;) is a no-op that appears to be leftover from refactoring.

♻️ Proposed fix

 pub(crate) fn kill_pid_force(pid: u32) -> Result<(), String> {
     use nix::sys::signal::{kill, Signal};
     use nix::unistd::Pid;
     let target = Pid::from_raw(pid as i32);
-    match kill(Pid::from_raw(pid as i32), Signal::SIGKILL) {
+    match kill(target, Signal::SIGKILL) {
         Ok(()) => Ok(()),
         // ESRCH means the process exited between our re-validation and the
         // SIGKILL — the resource is freeing on its own, treat as success.
         Err(nix::errno::Errno::ESRCH) => {
-            let _ = target;
             Ok(())
         }
         Err(e) => Err(format!("SIGKILL pid {pid}: {e}")),
     }
 }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@app/src-tauri/src/process_kill.rs` around lines 28 - 39, The code creates
target with Pid::from_raw(pid as i32) but then calls kill(Pid::from_raw(pid as
i32), ...) and leaves a no-op let _ = target; in the ESRCH arm; change the kill
call to use the existing target (kill(target, Signal::SIGKILL)) and remove the
dead statement let _ = target; so the function uses the single Pid value and
eliminates redundant conversion and dead code in process_kill.rs.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@app/src-tauri/src/process_kill.rs`:
- Around line 28-39: The code creates target with Pid::from_raw(pid as i32) but
then calls kill(Pid::from_raw(pid as i32), ...) and leaves a no-op let _ =
target; in the ESRCH arm; change the kill call to use the existing target
(kill(target, Signal::SIGKILL)) and remove the dead statement let _ = target; so
the function uses the single Pid value and eliminates redundant conversion and
dead code in process_kill.rs.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e7d644ae-dde4-402a-96b4-76a81977c9ec

📥 Commits

Reviewing files that changed from the base of the PR and between a6b3c4d and 3f885e7.

📒 Files selected for processing (5)

• app/src-tauri/src/core_process.rs
• app/src-tauri/src/lib.rs
• app/src-tauri/src/process_kill.rs
• docs/src-tauri/README.md
• src/core/jsonrpc_tests.rs

✅ Files skipped from review due to trivial changes (1)

• docs/src-tauri/README.md

🚧 Files skipped from review as they are similar to previous changes (1)

• src/core/jsonrpc_tests.rs