Data safety: Make config JSON writes power-loss durable

vdavid · vdavid · commit aea4aa0b1ffc · 2026-05-31T22:41:01.000+02:00
The four config-store persistence helpers (`manual_servers.rs`, `known_shares.rs`, `search/history.rs`, `selection/history.rs`) did `fs::write(tmp) + fs::rename(tmp, path)` with no fsync. That's atomic against process death but NOT against power loss: the rename can land in the journal while the temp's data blocks are still only in the page cache, leaving the destination zero-length or torn. `manual-servers.json` is the one that matters most: it holds user-entered SMB servers that aren't rediscoverable via mDNS.

- Extracted a shared `config::durable_write_json(path, tmp, content)` that writes the temp, `sync_all()`s it before the rename, then best-effort fsyncs the parent directory so the rename itself is durable. Mirrors `LocalPosixVolume::write_from_stream`'s data-loss-class discipline.
- All four `atomic_write_json` wrappers now delegate to it, keeping their existing `.json.tmp` temp naming (so each store's `cleanup_tmp_file` stale-temp recovery still works). Updated their doc comments to describe the real durability guarantee instead of just "atomic".
- Added round-trip + overwrite unit tests for the shared helper; the existing `manual_servers` concurrent/sequential write tests already exercise the new path end to end.
diff --git a/apps/desktop/src-tauri/src/config.rs b/apps/desktop/src-tauri/src/config.rs
@@ -2,7 +2,8 @@
 //!
 //! These can be extracted to environment variables or a config file in the future.
 
-use std::path::PathBuf;
+use std::io::Write;
+use std::path::{Path, PathBuf};
 use tauri::{AppHandle, Manager, Runtime};
 
 /// Icon size in pixels (32x32 for retina display)
@@ -58,6 +59,47 @@ pub fn log_app_data_dir<R: Runtime>(app: &AppHandle<R>) {
     }
 }
 
+/// Writes `content` to `path` durably: write the bytes to `tmp`, fsync the temp file, rename
+/// it over `path`, then fsync the parent directory so the rename itself survives a power loss.
+///
+/// `fs::write(tmp) + fs::rename(tmp, path)` alone is atomic against *process* death (the rename
+/// swaps the directory entry as a unit) but NOT against a power loss / hard crash: the rename can
+/// land in the filesystem journal while the temp's data blocks are still only in the page cache,
+/// leaving the destination zero-length or torn. The two fsyncs close that window. This mirrors the
+/// data-loss-class write discipline in `LocalPosixVolume::write_from_stream` (the
+/// copy/move path that survives eject/sleep/power-loss).
+///
+/// The caller owns the temp-path convention (it picks `tmp`) so each store keeps its existing
+/// `cleanup_tmp_file` stale-temp recovery. The parent-directory fsync is best-effort: some
+/// filesystems reject opening a directory for fsync, so a failure there is logged and ignored
+/// rather than failing the whole write (the file's data is already durable at that point).
+pub fn durable_write_json(path: &Path, tmp: &Path, content: &str) -> std::io::Result<()> {
+    {
+        let mut file = std::fs::File::create(tmp)?;
+        file.write_all(content.as_bytes())?;
+        // fsync the temp's data + metadata before the rename so the bytes are on disk, not just
+        // in the page cache, when the directory entry swaps.
+        file.sync_all()?;
+    }
+
+    std::fs::rename(tmp, path)?;
+
+    // Best-effort: fsync the parent directory so the rename (the new directory entry) is durable
+    // too. Logged and ignored on failure, matching `LocalPosixVolume`'s parent-dir fsync.
+    if let Some(parent) = path.parent() {
+        match std::fs::File::open(parent).and_then(|dir| dir.sync_all()) {
+            Ok(()) => {}
+            Err(e) => log::debug!(
+                target: "write_durability",
+                "durable_write_json: parent dir fsync skipped for {}: {e}",
+                parent.display()
+            ),
+        }
+    }
+
+    Ok(())
+}
+
 // MCP Server Security Design:
 // --------------------------
 // The MCP (Model Context Protocol) bridge allows AI assistants to control the app.
@@ -93,4 +135,30 @@ mod tests {
         // Falling through to the Tauri default is the documented behavior.
         assert_eq!(data_dir_from_env(Some("")), None);
     }
+
+    #[test]
+    fn durable_write_json_round_trips_content() {
+        let dir = tempfile::tempdir().expect("create temp dir");
+        let path = dir.path().join("store.json");
+        let tmp = path.with_extension("json.tmp");
+
+        durable_write_json(&path, &tmp, r#"{"a":1}"#).expect("durable write");
+
+        let read_back = std::fs::read_to_string(&path).expect("read back");
+        assert_eq!(read_back, r#"{"a":1}"#);
+        // The temp file must be consumed by the rename, not left behind.
+        assert!(!tmp.exists(), "temp file should be renamed away, not left behind");
+    }
+
+    #[test]
+    fn durable_write_json_overwrites_existing_file() {
+        let dir = tempfile::tempdir().expect("create temp dir");
+        let path = dir.path().join("store.json");
+        let tmp = path.with_extension("json.tmp");
+
+        std::fs::write(&path, "old contents that are much longer").expect("seed file");
+        durable_write_json(&path, &tmp, "new").expect("durable write");
+
+        assert_eq!(std::fs::read_to_string(&path).expect("read back"), "new");
+    }
 }
diff --git a/apps/desktop/src-tauri/src/network/known_shares.rs b/apps/desktop/src-tauri/src/network/known_shares.rs
@@ -57,13 +57,12 @@ fn get_known_shares_mutex() -> &'static Mutex<KnownSharesStore> {
     KNOWN_SHARES.get_or_init(|| Mutex::new(KnownSharesStore::default()))
 }
 
-/// Atomically writes content to a file using write-to-temp + rename.
-/// On failure, the original file (if any) remains intact.
+/// Durably writes content to a file using write-to-temp + fsync + rename + parent-dir fsync.
+/// On failure, the original file (if any) remains intact. The fsyncs make the write survive a
+/// power loss, not just process death. See `crate::config::durable_write_json` for the rationale.
 fn atomic_write_json(path: &Path, content: &str) -> std::io::Result<()> {
     let tmp = path.with_extension("json.tmp");
-    fs::write(&tmp, content)?;
-    fs::rename(&tmp, path)?;
-    Ok(())
+    crate::config::durable_write_json(path, &tmp, content)
 }
 
 /// Removes a stale `.tmp` file left over from a crash during atomic write.
diff --git a/apps/desktop/src-tauri/src/network/manual_servers.rs b/apps/desktop/src-tauri/src/network/manual_servers.rs
@@ -362,13 +362,14 @@ pub async fn check_reachability(host: &str, port: u16) -> Result<(), String> {
 // Atomic file writes
 // ---------------------------------------------------------------------------
 
-/// Atomically writes content to a file using write-to-temp + rename.
-/// On failure, the original file (if any) remains intact.
+/// Durably writes content to a file using write-to-temp + fsync + rename + parent-dir fsync.
+/// On failure, the original file (if any) remains intact. The fsyncs make the write survive a
+/// power loss, not just process death: `manual-servers.json` holds user-entered SMB servers that
+/// aren't rediscoverable via mDNS, so a torn / zero-length write here loses real config. See
+/// `crate::config::durable_write_json` for the durability rationale.
 fn atomic_write_json(path: &Path, content: &str) -> std::io::Result<()> {
     let tmp = path.with_extension("json.tmp");
-    fs::write(&tmp, content)?;
-    fs::rename(&tmp, path)?;
-    Ok(())
+    crate::config::durable_write_json(path, &tmp, content)
 }
 
 /// Removes a stale `.tmp` file left over from a crash during atomic write.
diff --git a/apps/desktop/src-tauri/src/search/history.rs b/apps/desktop/src-tauri/src/search/history.rs
@@ -168,11 +168,11 @@ fn canonical_key(entry: &HistoryEntry) -> String {
 // Atomic file I/O helpers (mirrors `network/known_shares.rs` and `manual_servers.rs`).
 // ---------------------------------------------------------------------------
 
+/// Durably writes content to a file: write-to-temp + fsync + rename + parent-dir fsync, so the
+/// write survives a power loss, not just process death. See `crate::config::durable_write_json`.
 fn atomic_write_json(path: &Path, content: &str) -> std::io::Result<()> {
     let tmp = path.with_extension("json.tmp");
-    fs::write(&tmp, content)?;
-    fs::rename(&tmp, path)?;
-    Ok(())
+    crate::config::durable_write_json(path, &tmp, content)
 }
 
 fn cleanup_tmp_file(path: &Path) {
diff --git a/apps/desktop/src-tauri/src/selection/history.rs b/apps/desktop/src-tauri/src/selection/history.rs
@@ -142,11 +142,11 @@ fn canonical_key(entry: &SelectionHistoryEntry) -> String {
 // Atomic file I/O helpers (mirrors `crate::search::history`).
 // ---------------------------------------------------------------------------
 
+/// Durably writes content to a file: write-to-temp + fsync + rename + parent-dir fsync, so the
+/// write survives a power loss, not just process death. See `crate::config::durable_write_json`.
 fn atomic_write_json(path: &Path, content: &str) -> std::io::Result<()> {
     let tmp = path.with_extension("json.tmp");
-    fs::write(&tmp, content)?;
-    fs::rename(&tmp, path)?;
-    Ok(())
+    crate::config::durable_write_json(path, &tmp, content)
 }
 
 fn cleanup_tmp_file(path: &Path) {
