running-process 4.5.5

Subprocess and PTY runtime for the running-process project
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353

//! Production-shaped orchestration of one Windows handle-passing handoff
//! (#354, slice 3).
//!
//! This module composes the pieces landed by earlier slices into one
//! broker-side sequence:
//!
//! 1. duplicate the broker-held client pipe into the verified backend
//!    process ([`super::try_duplicate_handle`], or the verified
//!    [`BackendHandle`](crate::broker::backend_handle::BackendHandle)
//!    bridge),
//! 2. deliver the duplicated handle value plus the one-time token to the
//!    backend through a [`HandoffDelivery`] implementation,
//! 3. wait for the backend acknowledgement observed by the delivery
//!    channel, and
//! 4. complete the pending entry in the [`HandoffAckRegistry`], consuming
//!    the one-time token exactly once.
//!
//! Any failure at any step abandons the handoff: the one-time token is
//! revoked, the pending ACK entry is removed, and the caller receives
//! [`WindowsHandoffOutcome::FallbackToReconnect`]. The negotiated
//! `backend_pipe` reconnect path stays authoritative; orchestration
//! failures are silent optimization failures, never client errors, and
//! this function never panics on transport, delivery, or registry errors.
//!
//! # Delivery mechanism
//!
//! Delivery of the `(handle value, token)` pair is abstracted behind the
//! [`HandoffDelivery`] trait so the orchestration sequence, token
//! lifecycle, and fallback contract stay transport-agnostic. The
//! production implementation is
//! [`WireHandoffDelivery`](super::wire::WireHandoffDelivery) (#354 slice
//! 6), which sends a `HandoffOffer` frame over a framed broker↔backend
//! control connection and waits for the matching `HandoffAck`; tests also
//! deliver over the child-helper stdin/stdout protocol from the #358/#363
//! smoke tests.
//!
//! # Handle leak contract
//!
//! `DuplicateHandle` places the duplicated handle directly into the
//! *backend's* handle table. Once duplication has succeeded, the broker
//! cannot close that handle: closing a handle owned by another process
//! would require a second `DUPLICATE_CLOSE_SOURCE` round-trip that is not
//! part of this slice. If delivery or acknowledgement fails after
//! duplication, the duplicated handle therefore leaks in the backend
//! process until the backend exits. The outcome records it in
//! [`WindowsHandoffFallback::leaked_backend_handle`] so callers can log
//! and monitor the leak honestly instead of pretending cleanup happened.

use std::time::Instant;

use super::ack::{HandoffAckRegistry, PendingHandoffBackend};
use super::fallback::{HandoffFallbackDecision, HandoffFallbackReason};
use super::handoff_token::{HandoffToken, HandoffTokenStore};
use super::windows::{
    try_duplicate_handle, DuplicateHandleAttempt, DuplicateHandleResult, DuplicateHandleSuccess,
    WindowsHandleValue,
};
use super::AcknowledgedHandoff;

/// Inputs for one orchestrated Windows handle-passing handoff.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct WindowsHandoffRequest {
    /// Broker-owned pipe handle to duplicate into the backend.
    pub pipe_handle: WindowsHandleValue,
    /// Verified backend process ID receiving the duplicated handle.
    pub backend_pid: u32,
    /// One-time token issued at Hello time and registered for an ACK.
    pub token: HandoffToken,
}

impl WindowsHandoffRequest {
    /// Build inputs for one orchestrated handoff.
    pub fn new(pipe_handle: WindowsHandleValue, backend_pid: u32, token: HandoffToken) -> Self {
        Self {
            pipe_handle,
            backend_pid,
            token,
        }
    }
}

/// Delivery channel carrying the duplicated handle value and one-time token
/// from the broker to the backend process.
///
/// Production wire delivery does not exist yet (see the module docs); the
/// orchestration treats delivery as a pluggable step so the sequencing and
/// fallback contract are real today.
pub trait HandoffDelivery {
    /// Deliver the duplicated handle value and paired token to the backend.
    ///
    /// The handle value is only meaningful inside the backend's handle
    /// table. A returned error means the backend cannot be assumed to know
    /// about the handle; the orchestrator abandons the handoff.
    fn deliver(
        &mut self,
        handle: WindowsHandleValue,
        token: &HandoffToken,
    ) -> Result<(), HandoffDeliveryError>;

    /// Block until the backend acknowledges adopting the handed-off
    /// connection, or until `deadline`.
    ///
    /// Returns the instant the acknowledgement was observed. The
    /// orchestrator still validates that instant against the
    /// [`HandoffAckRegistry`] deadline registered at issuance, so a
    /// delivery channel that misjudges the deadline cannot complete an
    /// overdue handoff.
    fn await_backend_ack(
        &mut self,
        token: &HandoffToken,
        deadline: Instant,
    ) -> Result<Instant, HandoffDeliveryError>;
}

/// Errors surfaced by a [`HandoffDelivery`] channel.
#[derive(Clone, Debug, PartialEq, Eq, thiserror::Error)]
pub enum HandoffDeliveryError {
    /// The handle value and token could not be delivered to the backend.
    #[error("handoff delivery to backend failed: {detail}")]
    DeliveryFailed {
        /// Human-readable failure detail for logs.
        detail: String,
    },
    /// The backend acknowledgement was not observed before the deadline.
    #[error("backend handoff ACK was not observed: {detail}")]
    AckNotObserved {
        /// Human-readable failure detail for logs.
        detail: String,
    },
}

/// Step of the orchestration at which a handoff was abandoned.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum WindowsHandoffStage {
    /// `DuplicateHandle` into the backend process failed.
    Duplicate,
    /// Delivering the handle value and token to the backend failed.
    Deliver,
    /// The backend acknowledgement was not observed before the deadline.
    AwaitAck,
    /// The ACK registry rejected the acknowledgement (overdue or already
    /// expired by a sweep).
    Acknowledge,
}

/// A handoff completed end to end: handle duplicated, delivered, and
/// acknowledged before the registry deadline.
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct CompletedWindowsHandoff {
    /// Successful duplication into the backend handle table.
    pub duplicated: DuplicateHandleSuccess,
    /// Timely backend acknowledgement that consumed the one-time token.
    pub acknowledged: AcknowledgedHandoff,
}

/// A handoff abandoned at some orchestration stage.
///
/// The one-time token has been revoked and the pending ACK entry removed;
/// the caller must keep using the negotiated `backend_pipe` reconnect path.
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct WindowsHandoffFallback {
    /// Stage at which the handoff was abandoned.
    pub stage: WindowsHandoffStage,
    /// Silent reconnect fallback decision for the client-visible contract.
    pub decision: HandoffFallbackDecision,
    /// Handle already duplicated into the backend's handle table when the
    /// failure occurred. The broker cannot close another process's handle
    /// (see the module-level leak contract); it leaks in the backend until
    /// that process exits. `None` when duplication itself failed.
    pub leaked_backend_handle: Option<WindowsHandleValue>,
    /// Human-readable failure detail for logs.
    pub detail: String,
}

/// Outcome of one orchestrated Windows handle-passing handoff.
#[derive(Clone, Debug, PartialEq, Eq)]
pub enum WindowsHandoffOutcome {
    /// The backend adopted the connection before the ACK deadline.
    Completed(CompletedWindowsHandoff),
    /// The handoff was abandoned; the client reconnects via `backend_pipe`.
    FallbackToReconnect(WindowsHandoffFallback),
}

impl WindowsHandoffOutcome {
    /// Return true when the handoff completed end to end.
    pub fn is_completed(&self) -> bool {
        matches!(self, Self::Completed(_))
    }

    /// Return the fallback details when the handoff was abandoned.
    pub fn fallback(&self) -> Option<&WindowsHandoffFallback> {
        match self {
            Self::Completed(_) => None,
            Self::FallbackToReconnect(fallback) => Some(fallback),
        }
    }
}

/// Run one production-shaped Windows handoff with the real
/// `DuplicateHandle` transport.
///
/// The token in `request` must have been issued from `tokens` and
/// registered pending in `acks` (the Hello path does both). On success the
/// token is consumed exactly once; on any failure it is revoked and the
/// outcome degrades to the `backend_pipe` reconnect fallback.
pub fn execute_windows_handoff<D>(
    tokens: &mut HandoffTokenStore,
    acks: &mut HandoffAckRegistry,
    request: &WindowsHandoffRequest,
    delivery: &mut D,
) -> WindowsHandoffOutcome
where
    D: HandoffDelivery + ?Sized,
{
    execute_windows_handoff_with_transport(tokens, acks, request, try_duplicate_handle, delivery)
}

/// Run one production-shaped Windows handoff for a verified backend.
///
/// Composes the [`BackendHandle`](crate::broker::backend_handle::BackendHandle)
/// identity bridge from #363 with the orchestration sequence: the backend
/// pid comes from the verified daemon identity, and duplication goes
/// through
/// [`BackendHandle::try_duplicate_windows_handoff_handle`](crate::broker::backend_handle::BackendHandle::try_duplicate_windows_handoff_handle).
#[cfg(windows)]
pub fn execute_verified_windows_handoff<D>(
    backend: &crate::broker::backend_handle::BackendHandle,
    pipe_handle: WindowsHandleValue,
    token: HandoffToken,
    tokens: &mut HandoffTokenStore,
    acks: &mut HandoffAckRegistry,
    delivery: &mut D,
) -> WindowsHandoffOutcome
where
    D: HandoffDelivery + ?Sized,
{
    let request = WindowsHandoffRequest::new(pipe_handle, backend.daemon_process.pid, token);
    execute_windows_handoff_with_transport(
        tokens,
        acks,
        &request,
        |attempt| {
            backend.try_duplicate_windows_handoff_handle(attempt.pipe_handle, attempt.handoff_token)
        },
        delivery,
    )
}

/// Run one orchestrated handoff with an explicit duplication transport.
///
/// Platform-neutral tests inject a mock transport here; production callers
/// use [`execute_windows_handoff`] or the Windows-only
/// `execute_verified_windows_handoff`.
pub fn execute_windows_handoff_with_transport<T, D>(
    tokens: &mut HandoffTokenStore,
    acks: &mut HandoffAckRegistry,
    request: &WindowsHandoffRequest,
    transport: T,
    delivery: &mut D,
) -> WindowsHandoffOutcome
where
    T: FnOnce(&DuplicateHandleAttempt) -> DuplicateHandleResult,
    D: HandoffDelivery + ?Sized,
{
    let attempt =
        DuplicateHandleAttempt::new(request.pipe_handle, request.backend_pid, request.token);
    let duplicated = match transport(&attempt) {
        Ok(success) => success,
        Err(error) => {
            abandon_pending(acks, tokens, &request.token);
            return abandoned(
                WindowsHandoffStage::Duplicate,
                error.fallback_decision(),
                None,
                error.to_string(),
            );
        }
    };
    let backend_handle = duplicated.duplicated_handle;

    if let Err(error) = delivery.deliver(backend_handle, &request.token) {
        abandon_pending(acks, tokens, &request.token);
        return abandoned(
            WindowsHandoffStage::Deliver,
            // The backend never adopts the connection, so the client-visible
            // classification is the same as a missing acknowledgement.
            HandoffFallbackDecision::new(HandoffFallbackReason::BackendAckTimeout),
            Some(backend_handle),
            error.to_string(),
        );
    }

    let deadline = ack_deadline_from(acks, Instant::now());
    let acknowledged_at = match delivery.await_backend_ack(&request.token, deadline) {
        Ok(at) => at,
        Err(error) => {
            abandon_pending(acks, tokens, &request.token);
            return abandoned(
                WindowsHandoffStage::AwaitAck,
                HandoffFallbackDecision::new(HandoffFallbackReason::BackendAckTimeout),
                Some(backend_handle),
                error.to_string(),
            );
        }
    };

    match acks.acknowledge(tokens, &request.token, acknowledged_at) {
        Ok(acknowledged) => WindowsHandoffOutcome::Completed(CompletedWindowsHandoff {
            duplicated,
            acknowledged,
        }),
        Err(error) => {
            // AckDeadlineExceeded already revoked the token; TokenNotPending
            // means a sweep expired it. Revoke defensively either way so no
            // error path can leave the one-time token presentable.
            tokens.revoke(&request.token);
            abandoned(
                WindowsHandoffStage::Acknowledge,
                HandoffFallbackDecision::new(HandoffFallbackReason::BackendAckTimeout),
                Some(backend_handle),
                error.to_string(),
            )
        }
    }
}

/// Abandon one pending handoff: drop the pending ACK entry and revoke the
/// one-time token so a late backend presentation is rejected.
fn abandon_pending(
    acks: &mut HandoffAckRegistry,
    tokens: &mut HandoffTokenStore,
    token: &HandoffToken,
) -> Option<PendingHandoffBackend> {
    acks.abandon(tokens, token)
}

fn abandoned(
    stage: WindowsHandoffStage,
    decision: HandoffFallbackDecision,
    leaked_backend_handle: Option<WindowsHandleValue>,
    detail: String,
) -> WindowsHandoffOutcome {
    WindowsHandoffOutcome::FallbackToReconnect(WindowsHandoffFallback {
        stage,
        decision,
        leaked_backend_handle,
        detail,
    })
}

fn ack_deadline_from(acks: &HandoffAckRegistry, now: Instant) -> Instant {
    now.checked_add(acks.ack_deadline()).unwrap_or(now)
}