feat(boot): gate launch on core mode pick + version check

[senamakel]

Summary

• New BootCheckGate runs on every launch before the router mounts; first launch prompts Local (default) or Cloud core, persisted in a new coreMode redux slice (plain localStorage, pre-login scope).
• Inverted Tauri auto-spawn: the embedded core is now started by the UI via a new start_core_process Tauri command. Only daemon_mode keeps the immediate spawn for the headless tray agent.
• Compares core's openhuman.update_version against the app version and renders dedicated recovery screens for: legacy daemon detected (service_stop + service_uninstall), outdated local core (restart_core_process), outdated cloud core (update_run), missing version method, and unreachable core. Adds an app_quit Tauri command for the unreachable Quit affordance.

Problem

We had no way to detect a version drift between the React/Tauri app and the embedded openhuman core binary. A stale local install or a legacy daemon left over from before the in-process model could silently bind to the RPC port, producing 401s, schema mismatches, and confusing failures downstream. The user also had no UI-level choice between running the core locally or pointing at a remote/cloud instance — the spawn happened unconditionally inside Tauri's setup.

Solution

A pre-router gate handles three concerns in one place:

1. Mode selection — first launch shows a picker; choice is persisted to localStorage via redux-persist (slice is intentionally outside userScopedStorage since this runs before login).
2. UI-driven core lifecycle — the auto-spawn block in app/src-tauri/src/lib.rs setup is gated behind daemon_mode. Interactive launches now call the new start_core_process Tauri command from the gate after the user confirms Local mode. Cloud mode never spawns a local core.
3. Version reconciliation — orchestrator in app/src/lib/bootCheck/ probes service_status (daemon detection) then update_version, compares against APP_VERSION from app/src/utils/config.ts, and returns one of: match | daemonDetected | outdatedLocal | outdatedCloud | noVersionMethod | unreachable. The gate component renders a tailored screen per state with a primary action that re-runs the orchestrator after success.

Transport is dependency-injected so the orchestrator is testable without mocking globals. Existing daemon-recovery UI (ServiceBlockingGate) is preserved unchanged — it serves a different purpose (post-boot health) and renders below the new gate.

Submission Checklist

• Tests added or updated (happy path + at least one failure / edge case) per docs/TESTING-STRATEGY.md
• Diff coverage ≥ 80% — slice (6 tests), orchestrator (13 tests covering every result branch incl. -32601 and timeout via fake timers), gate component (15 tests covering picker/spinner/all states/switch-mode).
• N/A: behaviour-only change (no feature row added/removed/renamed in the matrix)
• N/A: no matrix feature IDs touched
• No new external network dependencies introduced (mock backend used per docs/TESTING-STRATEGY.md)
• N/A: not a release-cut surface change
• N/A: no linked issue

Impact

• Desktop only (Tauri shell + React app). No CLI or core-domain logic changes.
• Removes the silent auto-spawn; cold-start sequence now blocks on a quick UI gate. For Local mode, the user clicks "Continue" on the picker (first launch only) before the embedded core is started.
• daemon_mode (headless tray) startup is unaffected — it still auto-spawns the embedded core.
• The coreMode slice persists to plain localStorage (key persist:coreMode) — not user-scoped on purpose since it must be readable pre-login.

Related

• Closes: N/A
• Follow-up PR(s)/TODOs:
  • Split BootCheckGate.tsx (552 lines) into per-state subcomponents to come back under the project's ≤500-line guideline.
  • Manual smoke run with pnpm tauri dev exercising each branch (legacy daemon detection in particular needs a machine with the com.openhuman.daemon plist installed to verify end-to-end).

---

AI Authored PR Metadata (required for Codex/Linear PRs)

Linear Issue

• Key: N/A
• URL: N/A

Commit & Branch

• Branch: feat/core-update
• Commit SHA: 253ef65

Validation Run

• pnpm --filter openhuman-app format:check
• pnpm typecheck
• Focused tests: pnpm test:unit — 1678 pass / 4 skipped / 1 todo
• N/A: Rust core not changed
• Tauri fmt/check (if changed): cargo check --manifest-path app/src-tauri/Cargo.toml — 0 errors

Validation Blocked

• command: N/A
• error: N/A
• impact: N/A

Behavior Changes

• Intended behavior change: First launch shows a Local/Cloud mode picker. Every launch runs a version check and walks the user through any mismatch before the app mounts.
• User-visible effect: A brief gate screen on cold start (immediately dismisses on the matched-version path after the first-launch picker is completed once).

Parity Contract

• Legacy behavior preserved: daemon_mode still auto-spawns the embedded core; existing ServiceBlockingGate and restart_core_process flows are untouched. Existing JSON-RPC methods (update_version, update_run, service_*) are reused — no new core surface area.
• Guard/fallback/dispatch parity checks: lazy ensure_running() fallbacks inside core_rpc_relay and restart_core_process are intentionally kept as a safety net.

Duplicate / Superseded PR Handling

• Duplicate PR(s): N/A
• Canonical PR: N/A
• Resolution (closed/superseded/updated): N/A

Summary by CodeRabbit

• New Features

  • Boot-check gate that validates core reachability/version before app mounts and wraps the app root
  • Initial picker to choose local or cloud connection mode, persisted pre-login so choice survives user switches
  • Frontend-driven controls to explicitly start the core and quit the app
  • Production wiring for boot checks (IPC bridge)

• Bug Fixes / Recovery

  • Recovery flows for startup failures: retry, switch mode, restart, or quit

• Tests

  • Comprehensive tests for boot-check logic, picker flows, runBootCheck, and core-mode persistence

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Defers auto-spawning the embedded core in non-daemon runs and exposes Tauri commands (start_core_process, app_quit) for frontend-driven lifecycle. Adds persisted coreMode, a boot-check orchestrator (runBootCheck + transport), a production transport, a pre-router BootCheckGate UI, and tests for the new flows.

Changes

Boot Check & Core Startup

Layer / File(s)	Summary
Data Shape / State app/src/store/coreModeSlice.ts, app/src/store/coreModeSlice.test.ts, app/src/store/index.ts	Adds CoreMode (unset | local | cloud { url }), setCoreMode/resetCoreMode, persists coreMode.mode in non-user defaultStorage, and registers coreMode reducer.
Boot Check Core Logic app/src/lib/bootCheck/index.ts, app/src/lib/bootCheck/index.test.ts	Introduces runBootCheck(mode, transport), BootCheckResult union and BootCheckTransport interface; implements ping polling/backoff, optional legacy-daemon detection, version checks, and maps outcomes (match, daemonDetected, outdatedLocal, outdatedCloud, noVersionMethod, unreachable). Tests cover local/cloud/unset flows and error mappings.
Production Transport app/src/services/bootCheckService.ts	Adds bootCheckTransport implementing BootCheckTransport by delegating callRpc to callCoreRpc and invokeCmd to Tauri invoke.
Frontend Gate UI app/src/components/BootCheckGate/BootCheckGate.tsx, app/src/components/BootCheckGate/__tests__/BootCheckGate.test.tsx	New BootCheckGate pre-router component (picker → checking → result), validates cloud URL, prevents concurrent checks, runs runBootCheck via transport, and renders result-specific actions (retry, switch, start local core, update cloud, remove daemon, quit). Comprehensive UI tests added.
App Integration app/src/App.tsx	Wraps provider/router tree with BootCheckGate so app content mounts only after a successful boot check.
Tauri Backend Wiring app/src-tauri/src/lib.rs	Adds Tauri commands start_core_process and app_quit and registers them; removes unconditional core spawn during setup and only auto-starts core when daemon_mode is true; non-daemon runs defer core startup to frontend via start_core_process.
Tests app/src/lib/bootCheck/index.test.ts, app/src/components/BootCheckGate/__tests__/*, app/src/store/coreModeSlice.test.ts	Unit and integration tests for runBootCheck, BootCheckGate flows, and coreMode reducer behavior.

Sequence Diagram(s)

sequenceDiagram
    participant Frontend as Frontend App
    participant Gate as BootCheckGate
    participant Redux as Redux Store
    participant Tauri as Tauri Backend
    participant Core as Core Process
    participant RPC as RPC Endpoint

    Frontend->>Gate: Mount BootCheckGate
    Gate->>Redux: Read coreMode
    alt coreMode is unset
        Gate->>Gate: Show mode picker
        Frontend->>Redux: User selects local or cloud
    end
    Gate->>Gate: Enter checking phase
    alt local mode
        Gate->>Tauri: invoke start_core_process()
        Tauri->>Core: spawn/start core
        Gate->>RPC: poll openhuman.ping
        Core->>RPC: respond to ping
        Gate->>RPC: openhuman.service_status / openhuman.update_version
    else cloud mode
        Gate->>Redux: persist cloud RPC URL
        Gate->>RPC: openhuman.update_version (cloud endpoint)
    end
    alt version matches
        Gate->>Frontend: pass-through children (app mounts)
    else failure
        Gate->>Frontend: show result screen (daemonDetected / outdated / noVersionMethod / unreachable)
        Frontend->>Gate: user action (retry / switch mode / quit / update / remove daemon)
    end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• tinyhumansai/openhuman#1061: Also modifies Tauri host core startup/IPC surface and lifecycle commands.
• tinyhumansai/openhuman#1248: Related changes to CoreProcessHandle/ensure_running and core lifecycle plumbing.
• tinyhumansai/openhuman#1313: Related to RPC/backend URL resolution and cache invalidation used by the boot-check flow.

Poem

🐰 I tapped the gate and sniffed the ground,

a ping replied, a happy sound —
Local or cloud, I chose the start,
the burrow hummed, the circuits part,
Hooray! the app wakes, whole and sound.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'feat(boot): gate launch on core mode pick + version check' directly and clearly summarizes the main changes: introducing a boot gate that gates app launch on core mode selection and version checking.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (2)

app/src/components/BootCheckGate/BootCheckGate.tsx (1)

396-403: 💤 Low value

Minor simplification: identical branches.

Both branches set the same state — the condition doesn't affect the outcome. This can be simplified:

-       if (checkResult.kind === 'match') {
-         // Gate resolves — render children.
-         setPhase('result');
-         setResult(checkResult);
-       } else {
-         setPhase('result');
-         setResult(checkResult);
-       }
+       setPhase('result');
+       setResult(checkResult);

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@app/src/components/BootCheckGate/BootCheckGate.tsx` around lines 396 - 403,
The conditional in BootCheckGate that branches on checkResult.kind is redundant
because both branches call setPhase('result') and setResult(checkResult); remove
the if/else and replace with a single sequence invoking setPhase('result')
followed by setResult(checkResult) where the current branching occurs
(references: checkResult, setPhase, setResult in BootCheckGate).

app/src/components/BootCheckGate/__tests__/BootCheckGate.test.tsx (1)

174-193: 💤 Low value

Minor: Redundant mock setup.

Line 180 duplicates the mockResolvedValue already set on line 176. The second assignment is unnecessary since the mock is already configured.

  it('shows outdated cloud screen', async () => {
-   mockRunBootCheck.mockResolvedValue({ kind: 'outdatedCloud' });
-
    const store = makeStore({ kind: 'cloud', url: 'https://core.example.com/rpc' });
-   // Trigger the check by rendering with an already-set mode
    mockRunBootCheck.mockResolvedValue({ kind: 'outdatedCloud' });
    render(

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@app/src/components/BootCheckGate/__tests__/BootCheckGate.test.tsx` around
lines 174 - 193, The test in the BootCheckGate — outdatedCloud suite redundantly
calls mockRunBootCheck.mockResolvedValue twice; remove the duplicate call so
only one mockResolvedValue({ kind: 'outdatedCloud' }) remains (keep the first
one at the start of the test) to avoid unnecessary duplication and potential
confusion when setting up the mock for the BootCheckGate test that uses
mockRunBootCheck.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@app/src/lib/bootCheck/index.ts`:
- Around line 93-106: The fixed delays array in waitForCore can finish before
maxMs is reached, causing premature timeout; replace the static delays with a
loop that generates backoff delays until elapsed >= maxMs (e.g., start at 200ms,
double each retry capped at 1000ms), compute nextDelay = Math.min(cappedBackoff,
maxMs - elapsed) so you never wait past the remaining time, and use that
nextDelay for the setTimeout and elapsed accumulation around the
callRpc('openhuman.ping', {}) retry logic.
- Around line 51-60: Replace the dynamic imports in defaultCallRpc and
defaultInvokeCmd with static module-level imports: import callCoreRpc from the
core RPC service and import invoke from `@tauri-apps/api/core` at the top of the
file, then call callCoreRpc<T>({ method, params }) inside defaultCallRpc and
invoke<T>(cmd, args) inside defaultInvokeCmd; ensure the imported symbols match
the names used in the functions (callCoreRpc and invoke) and remove the await
import(...) lines so the module uses static imports.

---

Nitpick comments:
In `@app/src/components/BootCheckGate/__tests__/BootCheckGate.test.tsx`:
- Around line 174-193: The test in the BootCheckGate — outdatedCloud suite
redundantly calls mockRunBootCheck.mockResolvedValue twice; remove the duplicate
call so only one mockResolvedValue({ kind: 'outdatedCloud' }) remains (keep the
first one at the start of the test) to avoid unnecessary duplication and
potential confusion when setting up the mock for the BootCheckGate test that
uses mockRunBootCheck.

In `@app/src/components/BootCheckGate/BootCheckGate.tsx`:
- Around line 396-403: The conditional in BootCheckGate that branches on
checkResult.kind is redundant because both branches call setPhase('result') and
setResult(checkResult); remove the if/else and replace with a single sequence
invoking setPhase('result') followed by setResult(checkResult) where the current
branching occurs (references: checkResult, setPhase, setResult in
BootCheckGate).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a57f60b9-5933-4f06-a90f-d5e3c84d7bac

📥 Commits

Reviewing files that changed from the base of the PR and between a08ec95 and e902dc4.

📒 Files selected for processing (9)

• app/src-tauri/src/lib.rs
• app/src/App.tsx
• app/src/components/BootCheckGate/BootCheckGate.tsx
• app/src/components/BootCheckGate/__tests__/BootCheckGate.test.tsx
• app/src/lib/bootCheck/index.test.ts
• app/src/lib/bootCheck/index.ts
• app/src/store/coreModeSlice.test.ts
• app/src/store/coreModeSlice.ts
• app/src/store/index.ts

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@app/src/lib/bootCheck/index.ts`:
- Line 253: The log call in bootCheck using log('[boot-check] cloud mode —
url=%s', mode.url) may print sensitive data (userinfo, tokens in query); update
the logging to redact or omit sensitive parts before passing to log: parse
mode.url (in the bootCheck/index.ts flow where mode.url is used) and
replace/remove URL.userinfo and query params (or log only scheme+host+path) so
credentials/tokens are never emitted, then call log with the sanitized string
instead of mode.url.
- Around line 14-15: The module currently imports and calls Tauri's invoke
directly; extract the defaultInvokeCmd wrapper into a new service module (e.g.,
bootCheckService) that encapsulates invoke, export defaultInvokeCmd from that
service, and update the BootCheckTransport type to accept a transport function
(the injected defaultInvokeCmd) instead of importing invoke in the bootCheck
index module; then remove the import of invoke from the bootCheck index, and
update all callers of the bootCheck initialization to pass the service-backed
defaultInvokeCmd implementation into BootCheckTransport so IPC is localized to
the service.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 9be58047-3f58-485d-8787-988f15e7a035

📥 Commits

Reviewing files that changed from the base of the PR and between e902dc4 and c38b6bc.

📒 Files selected for processing (1)

• app/src/lib/bootCheck/index.ts

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

app/src/services/bootCheckService.ts (1)

15-21: ⚡ Quick win

Add namespaced debug logs at transport boundaries.

callRpc/invokeCmd are the external-call edges, but they are currently silent. Add entry/success/failure debug logs (with redacted args) so boot-check failures are traceable in production.

As per coding guidelines, "Add substantial, development-oriented logs at entry/exit points, branch decisions, external calls, retries/timeouts, state transitions, and error handling paths; use namespaced debug logs in production app code."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@app/src/services/bootCheckService.ts` around lines 15 - 21, Add namespaced
debug logs to the transport edges: in callRpc and invokeCmd log an entry debug
("bootCheckService:callRpc" / "bootCheckService:invokeCmd") with method/cmd and
redacted params/args, log a success debug on resolved result, and log an error
debug on rejection including the error; callCoreRpc and invoke should remain the
call targets (keep return values), ensure sensitive fields in params/args are
redacted (e.g., replace values for keys like "password", "token", "secret")
before logging, and use consistent namespacing so logs show entry/exit/failure
for these functions.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@app/src/lib/bootCheck/index.ts`:
- Around line 247-248: The code currently persists the raw user-provided URL by
calling storeRpcUrl(mode.url), which may contain embedded credentials or
sensitive query tokens; update the logic around storeRpcUrl (and keep
clearCoreRpcUrlCache) to either 1) sanitize/normalize mode.url before storing by
stripping userinfo (username:password@) and removing query parameters and
fragments so only scheme://host[:port]/path remains, or 2) validate and reject
URLs that contain userinfo or query strings and surface an error to the caller;
ensure the check/sanitization runs immediately before calling storeRpcUrl and
reference mode.url, storeRpcUrl, and clearCoreRpcUrlCache when implementing the
change.

---

Nitpick comments:
In `@app/src/services/bootCheckService.ts`:
- Around line 15-21: Add namespaced debug logs to the transport edges: in
callRpc and invokeCmd log an entry debug ("bootCheckService:callRpc" /
"bootCheckService:invokeCmd") with method/cmd and redacted params/args, log a
success debug on resolved result, and log an error debug on rejection including
the error; callCoreRpc and invoke should remain the call targets (keep return
values), ensure sensitive fields in params/args are redacted (e.g., replace
values for keys like "password", "token", "secret") before logging, and use
consistent namespacing so logs show entry/exit/failure for these functions.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 1323190f-4ca2-4dbf-bf09-ce99d475097e

📥 Commits

Reviewing files that changed from the base of the PR and between c38b6bc and 820563f.

📒 Files selected for processing (3)

• app/src/components/BootCheckGate/BootCheckGate.tsx
• app/src/lib/bootCheck/index.ts
• app/src/services/bootCheckService.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• app/src/components/BootCheckGate/BootCheckGate.tsx

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@app/src/lib/bootCheck/index.ts`:
- Around line 239-250: The current code builds safeUrl including pathname and
then logs it (safeUrl), which may expose sensitive path segments; change the
construction to use only the origin (scheme + host + optional port) by deriving
it from the URL object (e.g., parsed.origin or
`${parsed.protocol}//${parsed.host}`) so safeUrl contains only origin, and
ensure the log call still uses safeUrl (now origin-only) so no path/segments are
ever written to logs; update the assignment of safeUrl and the subsequent
log('[boot-check] cloud mode — url=%s', safeUrl) accordingly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e72aa90b-1d21-486c-ba71-078c69416303

📥 Commits

Reviewing files that changed from the base of the PR and between 820563f and 83c3bf1.

📒 Files selected for processing (1)

• app/src/lib/bootCheck/index.ts