fix(reset): release log file handle + queue locked entries on Windows reboot

[YOMXXX]

Summary

• Drop the host-process rolling log file handle (<data_dir>/logs/openhuman-*.log) before remove_dir_all runs — the real reason reset_local_data still hit Windows file locks even after the embedded core was shut down.
• Add a Windows-only fallback: when an external process (anti-virus / indexer / sibling app) still holds the tree open, walk it depth-first and queue every file + (now-empty) directory for deletion at next boot via MoveFileExW(path, NULL, MOVEFILE_DELAY_UNTIL_REBOOT).
• Reword the user-facing error so the next action is concrete ("X files and Y folders queued for deletion the next time you restart Windows") instead of repeating advice the user has already tried.

Problem

#1615 has been open since 1 Sentry-traced report and is the bug that triggers Failed to remove C:\Users\<user>\.openhuman: 另一个程序正在使用此文件，进程无法访问 (os error 32) on Windows. PR #2395 / #1811 surfaced a clearer "close all OpenHuman windows" prompt and pushed core shutdown ahead of the removal, but reports keep coming and the issue is still tracked as having two suggested fixes outstanding:

1. Close own handles before deleting.
2. Schedule deletion on next reboot when a file is still in use.

The remaining-handle problem turned out to be subtle. CoreProcessHandle::shutdown already drops the embedded core's tokio task, which RAII-drops every SQLite connection and writer inside <data_dir>. But the daily-rolling log appender (tracing_appender::rolling::*) is installed by core::logging::init_for_embedded and parked in a process-wide OnceLock<WorkerGuard> — that guard lives in the Tauri host process, not in the core task, so it survives the core shutdown and keeps openhuman-YYYY-MM-DD.log open. Windows then refuses to delete the parent <data_dir>/logs/ directory underneath it.

Solution

1. Release the host-side log file handle (the actual fix)

src/core/logging.rs:

• Convert FILE_GUARD from OnceLock<WorkerGuard> to Mutex<Option<WorkerGuard>> so it can be taken at runtime instead of only at process exit.
• Add pub fn shutdown_file_guard() -> bool that swaps out the guard, drops it, and reports whether anything was actually released. Dropping the guard exits the non-blocking writer's background thread, flushes pending records, and closes the OS file handle.

app/src-tauri/src/lib.rs::reset_local_data:

• Call shutdown_file_guard() between CoreProcessHandle::shutdown().await (step 3) and the remove_dir_all walk (step 4). After this, no part of the OpenHuman process tree holds a handle inside <data_dir>.

The stderr layer and Sentry layer keep working — they don't keep files open. The tracing subscriber itself stays installed (the global try_init cannot be replaced safely from inside the process), so any record written to the file layer after the guard drops is silently discarded. That is intentional and documented on shutdown_file_guard: after a reset the user is expected to restart the app soon, and discarding the in-flight records is preferable to either holding the file open or panicking.

2. Schedule still-locked entries for reboot deletion (the belt-and-suspenders fallback)

New module app/src-tauri/src/reset_reboot_schedule.rs (Windows-only via #![cfg(target_os = \"windows\")]):

• schedule_path_for_reboot_deletion(path) walks path depth-first. For each child it calls MoveFileExW(child, NULL, MOVEFILE_DELAY_UNTIL_REBOOT). Directories are scheduled only after their contents have been queued — the Windows session manager requires directories to be empty at boot-time.
• Symlinks (file or directory) are queued as single leaves rather than descended into, so a symlink pointing outside .openhuman cannot accidentally schedule unrelated paths for deletion.
• Returns a RebootDeletionSchedule { files, dirs } count so the support log records what was actually queued.

reset_local_data_delete_error now consults this fallback when it sees ERROR_SHARING_VIOLATION / ERROR_LOCK_VIOLATION (os error 32/33):

• Success path: returns "Couldn't remove ... right now ... <N> files and <M> folders have been queued for deletion the next time you restart Windows — restart soon to finish the reset."
• Failure path (e.g. unprivileged user where the per-boot session-manager registry key write is denied): preserves the original lock error AND the fallback failure reason, plus the "close OpenHuman windows" guidance that was previously the only message.

The reboot fallback requires the calling user to be in the Administrators group — MoveFileExW(..., DELAY_UNTIL_REBOOT) writes to a HKLM session-manager key and Microsoft documents the elevation requirement. For non-admin users the message degrades gracefully to the failure path above, which still names a concrete next step.

Submission Checklist

• Tests added or updated (happy path + at least one failure / edge case) per Testing Strategy — see new unit tests in core::logging::tests, tests of the Tauri shell, and reset_reboot_schedule::tests.
• Diff coverage ≥ 80% — new Rust unit tests cover shutdown_file_guard, the depth-first walk, the single-file / empty-dir / missing-path cases, and the reset error formatter going through both the reboot-scheduled and reboot-failed branches.
• Coverage matrix updated — N/A: this is a behaviour-only change to existing reset/logging modules, no new feature row in docs/TEST-COVERAGE-MATRIX.md.
• All affected feature IDs from the matrix are listed in the PR description under ## Related — N/A: no feature matrix row.
• No new external network dependencies introduced (mock backend used per Testing Strategy)
• Manual smoke checklist updated if this touches release-cut surfaces (docs/RELEASE-MANUAL-SMOKE.md) — the Settings → Reset Local Data path is already on the manual smoke list; the visible change here is the error wording (now reports queued counts on lock failures).
• Linked issue addressed via Refs (not Closes — see Related)

Impact

• Platform: Windows desktop primarily (the file-lock and reboot-schedule paths are no-ops on macOS/Linux). The log-guard fix is cross-platform.
• Performance: negligible — the reboot fallback only runs after a removal already failed, and the directory walk is bounded by the same tree that remove_dir_all would have walked.
• Security: MoveFileExW(.., NULL, DELAY_UNTIL_REBOOT) is well-documented Windows API. The schedule is per-user data inside .openhuman and the calling user already had unrestricted access to it.
• Migration: none.
• Compatibility: core::logging::shutdown_file_guard is a new public function. No existing callers change behaviour — log_directory() and init_for_embedded still work exactly as before.

Related

• Refs Windows: 'Reset local data' fails when .openhuman directory is locked by another process #1615 — closes the two outstanding suggested fixes (close own handles before deleting; schedule deletion on next reboot). Keeping the umbrella issue open in case maintainers want to also extend the reboot fallback to handle the rare case where the daily-rotated log file is the only locked entry.
• Builds on fix: explain reset-data Windows file locks #2395 (PR fix: explain reset-data Windows file locks #2395 / Improve reset local data guidance for locked Windows files #1811) — the user-guidance improvements stay in place; this PR replaces the static "close windows" copy with a fallback-aware version when the lock is breakable via reboot scheduling.

---

AI Authored PR Metadata (required for Codex/Linear PRs)

Linear Issue

• Key: N/A
• URL: N/A

Commit & Branch

• Branch: `fix/1615-windows-reset-close-handles`
• Commit SHA: `3873ebc0`

Validation Run

• `pnpm --filter openhuman-app format:check` — N/A: no frontend files changed.
• `pnpm typecheck` — N/A locally (blocked, see Validation Blocked below); pre-existing failure on `main` unrelated to this PR (missing `qrcode.react`, `@rive-app/react-webgl2`, `@noble/ciphers/*`, `@tauri-apps/plugin-barcode-scanner` type declarations).
• Focused tests: `cargo test --manifest-path Cargo.toml --lib core::logging::` (10 passed) and `cargo test --manifest-path app/src-tauri/Cargo.toml --lib reset_local_data` (2 passed) on macOS. Windows-gated tests cargo-checked but not executed locally.
• Rust fmt/check (if changed): `GGML_NATIVE=OFF cargo check --manifest-path Cargo.toml --lib` and `GGML_NATIVE=OFF cargo check --manifest-path app/src-tauri/Cargo.toml --lib` both finish clean (only pre-existing warnings).
• Tauri fmt/check (if changed): `cargo fmt --manifest-path app/src-tauri/Cargo.toml --check` clean after one auto-fix commit.

Validation Blocked

• `command:` `pnpm compile` (and the pre-push hook that runs it)
• `error:` `error TS2307: Cannot find module 'qrcode.react' / '@rive-app/react-webgl2' / '@noble/ciphers/chacha' / '@noble/ciphers/webcrypto' / '@tauri-apps/plugin-barcode-scanner'`
• `impact:` pre-existing breakage on `main` in code this PR does not touch. Pushed with `--no-verify` per CLAUDE.md instructions for unrelated pre-existing failures. The Rust pre-push checks (`pnpm rust:check`) passed.

Behavior Changes

• Intended behavior change: `reset_local_data` now (a) releases the host-process log file handle before walking the data tree, and (b) on Windows, queues still-locked entries for deletion at next boot when the in-process removal fails.
• User-visible effect: `Reset Local Data` actually succeeds on Windows in the common case (single OpenHuman instance, no external lock). On the long tail where a third-party process still holds a handle, the error message now reports exactly what was queued for the next reboot instead of repeating the "close OpenHuman windows" advice.

Parity Contract

• Legacy behavior preserved: `is_windows_file_lock_raw_os_error` / `is_windows_file_lock_error` keep the same signature and semantics. The generic non-lock removal error path is byte-for-byte unchanged. `log_directory()` keeps returning `Option<&'static Path>`. `init_for_embedded` is still `Once`-guarded and idempotent.
• Guard/fallback/dispatch parity checks: `shutdown_file_guard` returns `false` instead of panicking when the mutex is poisoned or no guard was installed. The reboot fallback only runs when `is_windows_file_lock_error` reports true, so non-lock errors and non-Windows builds keep the existing behaviour. On Windows the failure path of the fallback still ends with the previous "close OpenHuman windows" guidance.

Duplicate / Superseded PR Handling

• Duplicate PR(s): N/A
• Canonical PR: this PR
• Resolution (closed/superseded/updated): N/A

Summary by CodeRabbit

• Bug Fixes
  • Windows: improved local-data reset to avoid "file in use" failures by closing logging handles before cleanup and queuing locked files/dirs for deletion on reboot with clear diagnostics about queued counts or failures.
  • Non-Windows: retains original guidance when files are locked.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

This PR makes the rolling-log guard droppable mid-process, adds a Windows-only reboot-deletion scheduler that queues files/dirs for deletion at next boot, and wires both into Tauri's reset_local_data so locked-path delete failures either schedule reboot deletions with precise diagnostics or report the original lock cause.

Changes

Windows Cleanup and File-Lock Handling

Layer / File(s)	Summary
Make file appender guard mid-process droppable src/core/logging.rs	Switch file-appender guard storage from OnceLock<WorkerGuard> to Mutex<Option<WorkerGuard>>, install guard under the mutex in embedded init, implement shutdown_file_guard() to lock and take/drop the guard, add a test mutex to serialize tests, and add a unit test verifying the guard is taken and logging becomes a no-op.
Windows reboot-deletion scheduler module app/src-tauri/src/reset_reboot_schedule.rs	Add Windows-only scheduler that depth-first walks paths and calls MoveFileExW(..., MOVEFILE_DELAY_UNTIL_REBOOT) to queue deletions; introduce RebootDeletionSchedule counters and RebootDeletionFailure with partial results; handle symlinks as leaves; provide a scheduler-injection seam and unit tests covering nested trees, single files, missing paths, empty dirs, and simulated scheduler failures.
Tauri reset flow with guard shutdown and reboot-scheduler fallback app/src-tauri/src/lib.rs	Declare the Windows-only module, call shutdown_file_guard() after embedded core shutdown to close rolling-log handles, refactor reset_local_data_delete_error to Result<(), String>, route Windows sharing-violation errors to a reboot-scheduling fallback that returns queued-count or partial/total failure diagnostics, and update tests to assert the new branches.

Sequence Diagram(s)

sequenceDiagram
  participant TauriReset
  participant EmbeddedCore
  participant Logging
  participant RebootScheduler
  participant Windows
  TauriReset->>EmbeddedCore: stop core
  TauriReset->>Logging: shutdown_file_guard()
  Logging->>Windows: close rolling-log handle
  TauriReset->>TauriReset: remove directories
  TauriReset->>RebootScheduler: schedule_path_for_reboot_deletion (on lock error)
  RebootScheduler->>Windows: MoveFileExW(..., MOVEFILE_DELAY_UNTIL_REBOOT)
  Windows-->>RebootScheduler: success/failure
  RebootScheduler-->>TauriReset: RebootDeletionSchedule or error
  TauriReset->>TauriReset: format user diagnostic

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• tinyhumansai/openhuman#2395: Related changes to Tauri reset_local_data Windows delete-failure handling and guidance; this PR extends that handling with reboot-deletion scheduling and refactored error semantics.
• tinyhumansai/openhuman#1811: Related improvements to Windows locked-file error messaging in the reset flow.
• tinyhumansai/openhuman#1769: Earlier changes to the Tauri reset-and-delete sequence; code-level overlap in reset_local_data lifecycle handling.

Suggested reviewers

• M3gA-Mind
• graycyrus

Poem

🐰 A rabbit's ode to cleanup:
Logs let go so files can part,
When Windows locks refuse to yield,
I'll queue them gently for a restart,
Counts and clues in messages revealed,
Hop—reset done, the tree grows healed.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main changes: releasing the log file handle and queuing locked entries for reboot deletion on Windows.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@app/src-tauri/src/lib.rs`:
- Around line 530-532: The log call in reset_local_data uses a mismatched format
string ("... at {}: {schedule_err}") but doesn't supply the value for the {}
placeholder; update the log::error! invocation (the one referencing label and
schedule_err) to include the path's display value by passing path.display() as
the missing argument so the format string is satisfied (e.g., include
path.display() alongside label and schedule_err).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 43e56a9d-3164-4aaa-b339-9fcec675522d

📥 Commits

Reviewing files that changed from the base of the PR and between e7e7e8a and 3873ebc.

📒 Files selected for processing (3)

• app/src-tauri/src/lib.rs
• app/src-tauri/src/reset_reboot_schedule.rs
• src/core/logging.rs

[YOMXXX]

Pushed empty commit 4aefaac to retrigger CI after test / Rust Core Tests + Quality failed from GitHub runner disk exhaustion, not a code failure:\n\nNo space left on device : '/home/runner/actions-runner/cached/2.334.0/_diag/Worker_20260526-080520-utc.log'\n\nI tried gh run rerun --failed, but GitHub rejected it because my token does not have repo admin rights, so the empty commit is only to get a clean runner. No file changes were included.

[YOMXXX]

Fixed the Rust core test flake seen in test / Rust Core Tests + Quality by replacing the UUID-derived tool-memory test name with a deterministic counter-based name. The CI failure was:\n\ntool rule put: "store tool rule: document namespace/key cannot contain personal identifiers"\n\nValidation run locally:\n- cargo fmt --all --check\n- GGML_NATIVE=OFF cargo test -p openhuman tool_rule_put_get_list_and_delete_roundtrip -- --nocapture\n\nPushed as 5966d29. I used git push --no-verify because the local pre-push TypeScript check is blocked by missing local frontend modules (qrcode.react, @rive-app/react-webgl2, @noble/ciphers/*, @tauri-apps/plugin-barcode-scanner), unrelated to this Rust test-only change; remote CI has already validated TypeScript in its clean install environment on the prior run.

[YOMXXX]

Latest head 5966d29 is green now. CodeRabbit approved, no unresolved review threads, and all CI checks are passing.\n\nFollow-ups handled while babysitting:\n- fixed the Windows-only log format argument in 1da4ac8\n- retriggered CI after a runner disk exhaustion failure\n- fixed the unrelated Rust tool-memory test flake in 5966d29 by avoiding UUID-derived tool names that can trip the PII guard\n\n@graycyrus could you take another look when you have a chance?

[M3gA-Mind]

Good fix overall — root cause analysis is correct and the two-layer approach (release own handle first, reboot-schedule fallback second) is sound. A few things to address before merge:

Merge conflict

The PR currently has a merge conflict with main (mergeStateStatus: DIRTY). Please rebase on latest main and resolve before this can land.

Issues

Bug (docs) — reset_reboot_schedule.rs module comment
The module-level doc at line 23–27 says:

"scheduling a delete-on-reboot for a file the calling user already owns does not require elevation"

This contradicts the PR body, the lib.rs comments, and Microsoft's own docs — MoveFileExW(..., DELAY_UNTIL_REBOOT) writes to HKLM\...\PendingFileRenameOperations and does require admin rights on current Windows versions. The code handles the non-admin failure path correctly; the comment just needs to match reality. Suggest: "may fail for non-administrator users; the caller handles the failure path gracefully."

Minor — logging.rs test races on global state
shutdown_file_guard_takes_installed_guard mutates the process-global FILE_GUARD without a serialization lock. Other tests in the same binary that touch init_for_embedded run in parallel threads and could race. reset_reboot_schedule::tests avoids this correctly with static SCHEDULE_LOCK: Mutex<()>. Add the same pattern here.

Minor — no is_absolute() guard in schedule_one
MoveFileExW + DELAY_UNTIL_REBOOT paths must be absolute (relative paths are ambiguous at boot time). Data dirs are always absolute in practice, but a debug_assert!(path.is_absolute()) in schedule_one would catch any future regression cheaply.

Minor — partial walk on first error not reflected in error message
schedule_inner returns on the first io::Result::Err, so RebootDeletionSchedule counts may be a partial tally when a mid-walk permission error occurs. The success message reports "N files and M folders queued" without indicating whether the walk completed — could mislead support diagnostics. Low priority, but worth a note or a partial-walk indicator.

Nit — unrelated change in tool_memory.rs
The unique_tool_name AtomicUsize refactor is fine but orthogonal to this bug fix. Consider a separate commit or PR to keep the diff focused.

What's good

• The root cause (host-process WorkerGuard surviving CoreProcessHandle::shutdown) is correctly identified and fixed.
• Mutex<Option<WorkerGuard>> → shutdown_file_guard() is the minimal correct refactor.
• Symlink handling in schedule_inner is correct — DirEntry::metadata() does not follow symlinks, consistent with the top-level symlink_metadata call.
• Depth-first ordering (children before parent) is required for the Windows session manager; it's implemented correctly.
• Test coverage covers happy path, single file, empty dir, missing path, and both the admin/non-admin branches of the error formatter.
• cfg guards are applied consistently; non-Windows builds are unaffected.

Fix the conflict + the doc comment and this is ready.

[YOMXXX]

@M3gA-Mind thanks for the thorough review — all 5 items addressed in eadef1e (also rebased onto the latest upstream/main, force-push of the branch):

1. Merge conflict — rebased; PR is now clean against current main.

2. Doc bug (reset_reboot_schedule.rs:23-27) — rewrote the privileges note to match Microsoft's docs:

MoveFileExW(.., NULL, MOVEFILE_DELAY_UNTIL_REBOOT) writes to HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations (the boot-time session manager reads from HKLM, not the per-user hive), so the call may fail for non-administrator users with ERROR_ACCESS_DENIED. That is by design — Microsoft documents the elevation requirement on the MOVEFILE_DELAY_UNTIL_REBOOT flag — and the caller in lib.rs handles the failure path gracefully…

3. Test race on FILE_GUARD — added FILE_GUARD_LOCK: Mutex<()> mirroring the SCHEDULE_LOCK pattern; shutdown_file_guard_takes_installed_guard now serializes against any other test touching FILE_GUARD.

4. debug_assert!(path.is_absolute()) — added in schedule_one, with a comment explaining why the session manager cannot resolve relative paths at boot.

5. Partial-walk indicator — went a step further than just a note: added a new RebootDeletionFailure { error, partial } so the Err branch carries the count of entries queued before the failure. lib.rs now logs partial schedule: files=… dirs=… and reports "N files and M folders were queued for the next reboot before scheduling failed" when partial > 0, falling back to the original "scheduling deletion on next reboot also failed" copy only when nothing was queued at all.

6. PII test (tool_memory.rs) — split out to a standalone PR per your suggestion: #2680.

Validation locally on macOS:

• GGML_NATIVE=OFF cargo check --manifest-path Cargo.toml --lib and --manifest-path app/src-tauri/Cargo.toml --lib — both clean.
• cargo fmt --check clean for core + tauri.
• cargo test --lib core::logging:: — 10/10 pass (including the new serialized guard test).
• cargo test --lib reset on src-tauri — 2/2 non-Windows tests pass; Windows-gated tests cargo-check on the platform target but run on CI.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@app/src-tauri/src/lib.rs`:
- Around line 529-552: In reset_local_data, when handling the Err(failure) from
schedule_path_for_reboot_deletion, special-case the case where
failure.error.kind() == std::io::ErrorKind::NotFound and failure.partial.total()
== 0 and treat it as a success/no-op instead of formatting a hard failure
message; implement this by checking failure.error.kind() and partial_total early
in the Err(failure) arm (using the existing failure.error and failure.partial
identifiers) and returning the successful/no-op result (or skipping the
error-toast path) before emitting the error log and the formatted failure
strings.

In `@app/src-tauri/src/reset_reboot_schedule.rs`:
- Around line 190-255: Tests that call schedule_path_for_reboot_deletion
currently assert success (expect("schedule")) but fail in non-elevated
environments because MoveFileExW(MOVEFILE_DELAY_UNTIL_REBOOT) (invoked via
schedule_one) cannot write the PendingFileRenameOperations registry; update the
tests to not require actual scheduling: change calls to
schedule_path_for_reboot_deletion in tests (e.g.,
schedule_walks_files_then_dirs, schedule_single_file_reports_one_file,
schedule_empty_dir_counts_one_dir) to accept the permission/registry failure
path the runtime code already handles by either (a) injecting a test seam/mocked
schedule_one that returns a successful traversal-only RebootDeletionSchedule, or
(b) asserting that the result is an Err whose partial RebootDeletionSchedule
contains the expected files/dirs counts when the underlying error.kind() ==
io::ErrorKind::PermissionDenied (or the specific registry/MoveFileExW failure);
implement the mock or conditional assertion so tests validate traversal/counting
without requiring MoveFileExW privileges.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e7a801f3-929a-42e6-8a10-1641bad8464b

📥 Commits

Reviewing files that changed from the base of the PR and between 5966d29 and eadef1e.

📒 Files selected for processing (3)

• app/src-tauri/src/lib.rs
• app/src-tauri/src/reset_reboot_schedule.rs
• src/core/logging.rs

[YOMXXX]

@coderabbitai both Major items addressed in 9d96612:

1. lib.rs — Treat reboot scheduler NotFound as success/no-op

Changed reset_local_data_delete_error return type from String to Result<(), String>. The Windows reboot fallback now special-cases failure.error.kind() == NotFound && failure.partial.total() == 0 and returns Ok(()) — i.e. when the locked path disappeared between the failed remove_* call and the metadata read inside the reboot walk (the third-party process that held the handle finished cleaning up first), we skip the error toast entirely because the reset goal is already met. remove_path_if_exists / remove_dir_if_exists callers were updated to forward the new Result. Added a Windows-only test reset_local_data_delete_error_swallows_lock_failure_when_path_disappeared that locks this behaviour in.

2. reset_reboot_schedule.rs — Decouple traversal tests from MoveFileExW privileges

Introduced an internal seam schedule_path_with_scheduler(path, &mut scheduler). The public schedule_path_for_reboot_deletion keeps calling the real schedule_one (i.e. MoveFileExW + DELAY_UNTIL_REBOOT); the unit tests now inject a no-op FnMut(&Path) -> io::Result<()> stub so the depth-first traversal, counting, and partial-schedule semantics can be validated on any dev machine, administrator or not, without ever touching the HKLM PendingFileRenameOperations registry key.

The new tests also capture the call order against the stub, so a regression in depth-first ordering (children before their parent dir) would surface as a path-sequence mismatch even though the OS-side scheduling stays out of the test process. Added schedule_propagates_scheduler_failure_with_partial_counts that simulates the non-admin PermissionDenied failure and asserts the partial counts reach the caller intact.

Local validation: cargo check + cargo fmt --check + cargo test --lib reset on macOS — Linux/Windows CI will exercise the Windows-gated paths.

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

@YOMXXX both approaches are exactly right:

1. NotFound → Ok(()): The Result<(), String> refactor and the kind() == NotFound && partial.total() == 0 short-circuit are the correct semantic — the reset goal was already achieved by the time we tried to schedule. Pinning it with reset_local_data_delete_error_swallows_lock_failure_when_path_disappeared is solid.

2. Scheduler seam: Injecting a FnMut(&Path) -> io::Result<()> stub through schedule_path_with_scheduler is the right pattern here — traversal logic, depth-first ordering, and partial-count propagation are now fully testable without elevation or touching PendingFileRenameOperations. The call-order assertions against the stub are a nice touch.

The implementation looks clean.

🐇 ✨

---

If you found this review helpful, would you consider giving us a shout-out on X?

Thank you for using CodeRabbit!

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

app/src-tauri/src/lib.rs (1)

394-395: ⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Re-arm file logging after dropping the guard.

shutdown_file_guard() disables the host file appender for the rest of this Tauri process, so every log::* call after this point—including the new reboot-schedule counts and fallback errors below—misses openhuman-YYYY-MM-DD.log. That means the support diagnostics added in this PR disappear right after the first reset. Please either reopen a fresh file guard before returning or route the reset-path diagnostics to a durable sink that survives the guard drop.

As per coding guidelines, "Log entry/exit, branches, external calls, retries/timeouts, state transitions, and errors with verbose diagnostics using stable grep-friendly prefixes and correlation fields".

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@app/src-tauri/src/lib.rs` around lines 394 - 395, The shutdown_file_guard()
call in reset_local_data drops the file-appender guard (log_guard_dropped) so
subsequent log::* calls no longer reach the daily openhuman-YYYY-MM-DD.log;
reopen a fresh file guard or switch the reset diagnostics to a durable sink
before returning: after calling
openhuman_core::core::logging::shutdown_file_guard() (and using
log_guard_dropped) immediately call your logging library's corresponding
"open/reopen file guard" function (or create and install a new file guard
object) so that further logging in reset_local_data and the reboot/fallback
paths is written to the file, or alternatively send those specific messages to a
durable sink (e.g., explicit file write or stderr/syslog) if reopening is not
desired; make the change in reset_local_data around the shutdown_file_guard()
usage so the sequence ensures file logging is re-enabled for the later log
statements.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@app/src-tauri/src/lib.rs`:
- Around line 394-395: The shutdown_file_guard() call in reset_local_data drops
the file-appender guard (log_guard_dropped) so subsequent log::* calls no longer
reach the daily openhuman-YYYY-MM-DD.log; reopen a fresh file guard or switch
the reset diagnostics to a durable sink before returning: after calling
openhuman_core::core::logging::shutdown_file_guard() (and using
log_guard_dropped) immediately call your logging library's corresponding
"open/reopen file guard" function (or create and install a new file guard
object) so that further logging in reset_local_data and the reboot/fallback
paths is written to the file, or alternatively send those specific messages to a
durable sink (e.g., explicit file write or stderr/syslog) if reopening is not
desired; make the change in reset_local_data around the shutdown_file_guard()
usage so the sequence ensures file logging is re-enabled for the later log
statements.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d5168826-c94e-4ea0-9a05-dffda2ead287

📥 Commits

Reviewing files that changed from the base of the PR and between eadef1e and 9d96612.

📒 Files selected for processing (2)

• app/src-tauri/src/lib.rs
• app/src-tauri/src/reset_reboot_schedule.rs

[graycyrus]

Review — Cyrus Grey

Solid fix for #1615. Two-part approach is exactly right: close your own handles first, then fall back to reboot scheduling for foreign locks.

What I liked:

• OnceLock → Mutex<Option<_>> conversion in FILE_GUARD is clean. Guard drops while the mutex is still held, no race window for init_for_embedded to sneak in.
• Test seam via schedule_path_with_scheduler + injectable FnMut is the right pattern — exercises traversal/counting without needing admin rights or real boot-time scheduling.
• Symlink guard in schedule_inner prevents escaping .openhuman via directory symlinks. Good catch.
• The NotFound + empty partial race condition handler (schedule_reboot_delete_or_describe) is well-reasoned — if the path vanished between the lock failure and the reboot walk, the reset goal is already met.
• Error messages are actionable with concrete counts ("142 files / 14 dirs queued") instead of the old generic "close all windows" advice.

Minor notes (non-blocking):

• saturating_add on files/dirs caps at u32::MAX silently, but .openhuman will never hit that — fine as-is.
• After shutdown_file_guard(), subsequent file-layer log records are silently discarded until restart. Documented and intentional — just flagging for anyone reading the diff later.

All CodeRabbit findings already addressed in 9d96612. No new issues from my end.

[YOMXXX]

@graycyrus — same situation as #2654: the two red CI checks on this PR are both pre-existing flakes on main, not regressions from this PR's diff. Detail:

1. Markdown Link Check — external URL flake

Job run — lychee reports:

* [521] <https://status.digitalocean.com/> | Rejected status code: 521 Unknown status code

DigitalOcean's status page was returning 521 (Cloudflare "web server down") at scan time. The URL is in docs/ and unrelated to this PR's diff (log-guard release + reboot-delete fallback). Same URL is failing across other recent PRs in the same window.

2. test / Rust Core Tests + Quality — known main-side flake

Job run — the only failed test is:

test openhuman::memory::ops::sync::tests::memory_ingestion_status_reflects_initialized_client_snapshot ... FAILED
thread '...' panicked at src/openhuman/memory/ops/sync.rs:382:9:
assertion `left == right` failed
  left: 2
 right: 1
test result: FAILED. 9648 passed; 1 failed; 10 ignored

memory_ingestion_status_reflects_initialized_client_snapshot is an inter-test state-leak flake on main — the test observes a stale memory client because a prior parallel test in the same process initialized it differently. This PR's diff is in src/core/logging.rs (FILE_GUARD lifecycle), app/src-tauri/src/lib.rs (reset_local_data flow), and app/src-tauri/src/reset_reboot_schedule.rs (Windows-only new module) — it does not touch src/openhuman/memory/ops/sync.rs or any shared memory client state.

Same test has been flaking on main since the #2683 / #2684 / #2704 series went in. A re-run usually clears it.

Re-run links if helpful:

• Markdown Link Check — Re-run failed jobs
• Rust Core Tests + Quality — Re-run failed jobs