Multi-Hoster-Upload

History

Administrator a6958f1418 fix(persist): stop swallowing save errors + decouple .bak refresh from save Two related fixes from the deep-audit pass: HIGH-2: save-global-settings-sync used `try {} catch {}` and always returned `event.returnValue = true`, so a disk-full / AV-lock / permissions failure looked like success to the renderer's beforeunload chain. The user closes the app, comes back, settings are gone — without any indication. Now the catch sets returnValue=false and debugLogs the error message, and the bak refresh is in its own nested try so a transient lock there doesn't fail the whole save. MED-4: lib/config-store.js _atomicWrite had the same TOCTOU on the .bak refresh — fs.existsSync(...) then fs.readFileSync(...) without guarding the read. Wrapped the read+write of the backup in its own try/catch: a stale .bak is preferable to dropping the new write entirely just because Windows Defender briefly locked the file mid- operation. The rename of tmp → live still throws on real failure, which is what the outer reject is for. 119/119 tests still green; both fixes are defensive guards on already-tested write paths.	2026-04-28 09:40:08 +02:00
..
lessons.md	fix(rotation): session-learning for account failures is now complete	2026-04-21 17:03:59 +02:00
todo.md	fix(persist): stop swallowing save errors + decouple .bak refresh from save	2026-04-28 09:40:08 +02:00

Administrator a6958f1418 fix(persist): stop swallowing save errors + decouple .bak refresh from save

Two related fixes from the deep-audit pass:

HIGH-2: save-global-settings-sync used `try {} catch {}` and always
returned `event.returnValue = true`, so a disk-full / AV-lock /
permissions failure looked like success to the renderer's beforeunload
chain. The user closes the app, comes back, settings are gone —
without any indication. Now the catch sets returnValue=false and
debugLogs the error message, and the bak refresh is in its own
nested try so a transient lock there doesn't fail the whole save.

MED-4: lib/config-store.js _atomicWrite had the same TOCTOU on the
.bak refresh — fs.existsSync(...) then fs.readFileSync(...) without
guarding the read. Wrapped the read+write of the backup in its own
try/catch: a stale .bak is preferable to dropping the new write
entirely just because Windows Defender briefly locked the file mid-
operation. The rename of tmp → live still throws on real failure,
which is what the outer reject is for.

119/119 tests still green; both fixes are defensive guards on
already-tested write paths.

2026-04-28 09:40:08 +02:00

lessons.md

fix(rotation): session-learning for account failures is now complete

2026-04-21 17:03:59 +02:00

todo.md

fix(persist): stop swallowing save errors + decouple .bak refresh from save

2026-04-28 09:40:08 +02:00