ao-core 0.1.0

Core traits and types for the ao-rs agent orchestrator framework
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258

//! PID-file based advisory locking for singleton daemons.
//!
//! Mirrors `packages/cli/src/lib/lifecycle-service.ts` in the reference repo:
//! a would-be daemon reads a well-known pidfile, checks whether that pid is
//! still running (via `kill(pid, 0)`), and takes over iff the previous owner
//! is gone. The file is removed on clean shutdown.
//!
//! This is **advisory**, not enforced — two racing processes that both pass
//! the "not running" check before either writes can still stomp on each
//! other. The TS reference has the same limitation and shrugs it off for a
//! single-user CLI. Slice 1 Phase D does the same.
//!
//! Why not `fs2::flock`? Flock survives across restarts on Linux but not
//! macOS (BSD flock is tied to the fd), and we want "process-that-owns-pid
//! is alive" semantics anyway, which flock doesn't give us. A PID probe is
//! the behaviour the user actually wants.

use std::fs;
use std::io::{self, Write};
use std::path::{Path, PathBuf};

#[derive(Debug)]
pub enum LockError {
    /// Another live process currently holds the lock.
    HeldBy {
        pid: u32,
        path: PathBuf,
    },
    Io(io::Error),
}

impl From<io::Error> for LockError {
    fn from(e: io::Error) -> Self {
        Self::Io(e)
    }
}

impl std::fmt::Display for LockError {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        match self {
            Self::HeldBy { pid, path } => {
                write!(f, "pidfile {} held by live process {pid}", path.display())
            }
            Self::Io(e) => write!(f, "pidfile io: {e}"),
        }
    }
}

impl std::error::Error for LockError {}

/// RAII handle for a pidfile we currently own. Releases on `Drop`.
///
/// Dropping removes the file **only** if its contents still match our pid —
/// so a second daemon that stole the lock (e.g. after we crashed) doesn't
/// get its pidfile deleted out from under it when we eventually unwind.
#[derive(Debug)]
pub struct PidFile {
    path: PathBuf,
    pid: u32,
    // Once released (drop already removed the file), flip this so the Drop
    // impl doesn't try a second time.
    released: bool,
}

impl PidFile {
    /// Try to take the pidfile at `path`. On success, our pid is written
    /// to disk and held until drop.
    ///
    /// If a previous pidfile exists and that pid is still alive,
    /// `Err(LockError::HeldBy)` is returned and the file is left untouched.
    /// A stale pidfile (dead pid) is silently replaced.
    pub fn acquire(path: impl Into<PathBuf>) -> Result<Self, LockError> {
        let path = path.into();
        if let Some(parent) = path.parent() {
            fs::create_dir_all(parent)?;
        }

        if let Some(existing) = read_pidfile(&path) {
            if is_process_alive(existing) && existing != std::process::id() {
                return Err(LockError::HeldBy {
                    pid: existing,
                    path,
                });
            }
            // Stale: fall through and overwrite.
        }

        let pid = std::process::id();
        // Write via a sibling temp + rename so a concurrent reader never
        // sees a half-written file (matches `SessionManager::save`).
        let temp = path.with_extension("pid.tmp");
        {
            let mut f = fs::File::create(&temp)?;
            writeln!(f, "{pid}")?;
            f.sync_all()?;
        }
        fs::rename(&temp, &path)?;

        Ok(Self {
            path,
            pid,
            released: false,
        })
    }

    pub fn path(&self) -> &Path {
        &self.path
    }

    pub fn pid(&self) -> u32 {
        self.pid
    }

    /// Explicitly release the pidfile now. Equivalent to letting it drop,
    /// except the caller can observe the io error instead of swallowing it.
    pub fn release(mut self) -> io::Result<()> {
        self.released = true;
        remove_if_ours(&self.path, self.pid)
    }
}

impl Drop for PidFile {
    fn drop(&mut self) {
        if self.released {
            return;
        }
        // Best effort — a failed cleanup just leaves a stale file, which
        // the next acquire() will replace.
        let _ = remove_if_ours(&self.path, self.pid);
    }
}

/// Read the pid stored in a pidfile, if the file exists and parses.
pub fn read_pidfile(path: &Path) -> Option<u32> {
    let raw = fs::read_to_string(path).ok()?;
    raw.trim().parse::<u32>().ok()
}

/// Is the given pid currently a running process on this machine?
///
/// Uses `kill(pid, 0)` — the POSIX way to test for a pid's existence
/// without actually signalling it. `EPERM` also counts as "alive" (the
/// process exists but we don't own it, e.g. running as another user).
pub fn is_process_alive(pid: u32) -> bool {
    if pid == 0 {
        return false;
    }
    // SAFETY: `kill` is thread-safe and a signal of 0 performs only the
    // permission/existence check without delivering anything. The only
    // preconditions are a valid pid (we reject 0 above) and a defined
    // signal (0 is always defined), both of which we satisfy.
    let rc = unsafe { libc::kill(pid as libc::pid_t, 0) };
    if rc == 0 {
        return true;
    }
    match io::Error::last_os_error().raw_os_error() {
        Some(libc::EPERM) => true, // exists, not ours
        _ => false,
    }
}

fn remove_if_ours(path: &Path, our_pid: u32) -> io::Result<()> {
    // Re-read the file before deleting; if it no longer says our pid,
    // someone else owns it and we leave it alone.
    match read_pidfile(path) {
        Some(pid) if pid == our_pid => fs::remove_file(path),
        // Either the file is gone already or a different owner took over —
        // both are "nothing to clean up" as far as we're concerned.
        _ => Ok(()),
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use std::sync::atomic::{AtomicUsize, Ordering};
    use std::time::{SystemTime, UNIX_EPOCH};

    fn unique_tmp(label: &str) -> PathBuf {
        static COUNTER: AtomicUsize = AtomicUsize::new(0);
        let nanos = SystemTime::now()
            .duration_since(UNIX_EPOCH)
            .unwrap()
            .as_nanos();
        let n = COUNTER.fetch_add(1, Ordering::Relaxed);
        std::env::temp_dir().join(format!("ao-rs-lock-{label}-{nanos}-{n}.pid"))
    }

    #[test]
    fn acquire_when_no_file_writes_our_pid() {
        let path = unique_tmp("fresh");
        let lock = PidFile::acquire(&path).unwrap();
        assert!(path.exists());
        assert_eq!(read_pidfile(&path), Some(std::process::id()));
        assert_eq!(lock.pid(), std::process::id());
        drop(lock);
        assert!(!path.exists(), "drop should remove the pidfile");
    }

    #[test]
    fn acquire_replaces_stale_pidfile() {
        // Pick a pid that is extremely unlikely to be alive. 999_999 is
        // above the default Linux pid_max (32768) and also not a valid
        // macOS pid. kill(pid, 0) returns ESRCH → dead.
        let stale_pid: u32 = 999_999;
        assert!(!is_process_alive(stale_pid), "sanity: {stale_pid} is dead");

        let path = unique_tmp("stale");
        fs::create_dir_all(path.parent().unwrap()).unwrap();
        fs::write(&path, format!("{stale_pid}\n")).unwrap();

        let lock = PidFile::acquire(&path).unwrap();
        assert_eq!(read_pidfile(&path), Some(std::process::id()));
        drop(lock);
    }

    #[test]
    fn acquire_rejects_live_other_pid() {
        // Fake a pidfile holding pid 1. On every Unix box pid 1 is alive
        // (init / launchd), and it's not us, so this should fail.
        let path = unique_tmp("held");
        fs::create_dir_all(path.parent().unwrap()).unwrap();
        fs::write(&path, "1\n").unwrap();

        match PidFile::acquire(&path) {
            Err(LockError::HeldBy { pid, .. }) => assert_eq!(pid, 1),
            other => panic!("expected HeldBy(1), got {other:?}"),
        }
        // File must not be rewritten by a failed acquire.
        assert_eq!(read_pidfile(&path), Some(1));
        fs::remove_file(&path).ok();
    }

    #[test]
    fn drop_does_not_remove_file_if_stolen() {
        let path = unique_tmp("stolen");
        let lock = PidFile::acquire(&path).unwrap();

        // Simulate a racing daemon overwriting our pidfile with its own pid.
        fs::write(&path, "1\n").unwrap();

        drop(lock);

        // The hijacked contents must survive — we only clean up our own pid.
        assert_eq!(read_pidfile(&path), Some(1));
        fs::remove_file(&path).ok();
    }

    #[test]
    fn is_process_alive_returns_true_for_self() {
        assert!(is_process_alive(std::process::id()));
    }

    #[test]
    fn is_process_alive_returns_false_for_zero() {
        assert!(!is_process_alive(0));
    }
}