fix(cli): harden auto-refresh service lifecycle by 0xjunha · Pull Request #139 · 0xjunha/darc

0xjunha · 2026-05-11T13:03:41Z

Problem

Auto-refresh service behavior had a few lifecycle and diagnostic gaps:

launchd could have the watcher loaded while Darc reported the wrong watch state because stale status files were collapsed into a
generic “launchd not running” diagnosis.
darc service stop could unload the LaunchAgent but leave run/status.json marked as running: true, making later status output
misleading.
A stopped-status marker depended on diagnostic JSON being readable and on run/ already existing, which could make stop/disable fail
on corrupt or cleaned runtime state.
If two watch loops overlapped, an older exiting process could overwrite a newer watcher’s running status.
Adding KeepAlive exposed a start regression: service start / refresh --auto could hang because Darc bootstrapped a RunAtLoad
service and then immediately ran kickstart -k.

Added LaunchAgent restart hardening with KeepAlive and ThrottleInterval.
Made watch status output distinguish stale-but-loaded from stale-and-unloaded launchd states.
Marked service status as stopped from explicit service stop paths, while tolerating missing, malformed, or non-object status JSON.
Ensured missing run/ directories are created before writing stopped status.
Added per-watch watch_pid / watch_token identity fields so an old watcher only clears status if it still owns the file.
Added refresh lock holder metadata and service-status reporting for active or stale lock state.
Fixed service startup to rely on bootstrap for enabled RunAtLoad LaunchAgents, and only use plain kickstart for runtime-only
plists.
Updated service docs and changelog.

cargo +nightly fmt
cargo test -p darc service_watch
cargo clippy --workspace --all-targets --all-features -- -D warnings -W clippy::all
scripts/check-linux-clippy.sh
cargo test --workspace --all-features
cargo build --bin darc

Built the binary and ran watch/status experiments against isolated Darc roots.
Verified overlapping watch loops do not let an older exiting watcher mark a newer watcher stopped.
Verified refresh-lock metadata appears in darc service status and blocks concurrent refresh with holder details.
Reproduced the kickstart -k hang with a custom LaunchAgent and verified plain runtime kickstart returns immediately.

0xjunha added 3 commits May 11, 2026 22:01

fix(cli): harden auto-refresh service

70ba62c

docs(cli): document auto-refresh hardening

f9acf40

fix(cli): avoid restarting bootstrapped refresh service

deb297f

0xjunha merged commit c6be81a into main May 11, 2026
6 checks passed

0xjunha deleted the auto-refresh branch May 11, 2026 13:03