fix: runtime snapshot timeouts, config perms, stale lock recovery, summarization-v1 tier, loopback OAuth UX

[M3gA-Mind]

Summary

Fixes five bugs from tester feedback, grouped into three commits:

B1 — build_runtime_snapshot 10s full-timeout (🔴 HIGH)

• Wraps screen_intelligence, local_ai, and autocomplete sub-ops in individual 5s tokio::time::timeout calls inside build_runtime_snapshot; a hung engine falls back to degraded values instead of blocking the entire snapshot.

B2 — Config file never chmod'd to 600 (🔴 HIGH)

• load.rs now auto-applies fs::set_permissions(..., 0o600) when a world-readable config is detected, instead of only logging a warning. Drops MutexGuard before the await to satisfy the Send bound.

B4 — summarization-v1 silently falls back to reasoning-v1 (🟠 LOW)

• Adds MODEL_SUMMARIZATION_V1 constant and registers it in is_known_openhuman_tier; adds hint:summarization → summarization-v1 translation in make_openhuman_backend; updates the fallback warning message.

B5 — Stale auth-profiles.lock with no pid not cleaned up reliably (🟠 LOW)

• Changes malformed_too_old default from map_or(false) to map_or(true) so a pidless lock whose mtime is unreadable (clock skew, platform limitation) is immediately reclaimed rather than leaving callers stuck for the full 35s LOCK_TIMEOUT_MS.

M3 — Ping timeout log message unclear (🟠 LOW)

• Renames timeout_ms local in ws_loop.rs for clarity; expands the ping-timeout log to include interval / timeout breakdown.

M1 — Loopback OAuth stalls 5 min before failing (🟡 MED)

• Reduces DEFAULT_TIMEOUT_SECS from 300 → 60 in loopbackOauthListener.ts.
• Surfaces a user-visible startupError in OAuthProviderButton on timeout instead of silently logging.

Test plan

• App snapshot loads without hanging on first launch (B1)
• World-readable config file is auto-chmod'd to 600 on read (B2)
• summarization-v1 / hint:summarization workloads route correctly without fallback warning (B4)
• Restarting app after a kill no longer stalls on "Initializing OpenHuman" when a pidless lock is present (B5)
• Socket ping-timeout log includes interval/timeout breakdown (M3)
• OAuth button shows error message after 60s instead of spinning for 5 min (M1)

Summary by CodeRabbit

• New Features

  • Localized OAuth sign-in timeout message when the browser redirect doesn't complete.
  • Support for a new summarization model.

• Bug Fixes

  • Config file permissions on Unix are now auto-corrected to secure settings.
  • Stale lock detection improved for cases with unreadable file metadata.

• Improvements

  • OAuth listener timeout shortened from 5 to 1 minute for faster feedback.
  • Background operations have finer-grained timeouts with automatic fallbacks.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e7832e2b-520b-4b00-9f04-b5389301c838

📥 Commits

Reviewing files that changed from the base of the PR and between 9d9311e and a6776e5.

📒 Files selected for processing (1)

• src/openhuman/config/schema/load.rs

---

📝 Walkthrough

Walkthrough

Shortens the OAuth loopback timeout and surfaces a localized timeout error in the sign-in button; adds the translation entries. Separately, backend fixes add a summarization model tier, per-sub-operation snapshot timeouts with fallbacks, auto-fix for world-readable config permissions, stricter lock reclamation, and clearer ping-timeout logs.

Changes

OAuth Loopback Timeout User Experience

Layer / File(s)	Summary
Loopback listener timeout reduction app/src/utils/loopbackOauthListener.ts	DEFAULT_TIMEOUT_SECS reduced from 300 to 60 seconds.
OAuth button timeout error handling app/src/components/oauth/OAuthProviderButton.tsx	Button .catch now detects loopback listener timeouts, clears loading state, and sets localized oauth.button.loopbackTimeout startup error.
Localized timeout error messages app/src/lib/i18n/en.ts, app/src/lib/i18n/chunks/en-4.ts, app/src/lib/i18n/chunks/{ar,bn,de,es,fr,hi,id,it,ko,pt,ru,zh-CN}-4.ts	Adds oauth.button.loopbackTimeout translation entry across the English master and language chunks.

Backend Robustness and Feature Expansion

Layer / File(s)	Summary
Summarization model tier support src/openhuman/config/schema/types.rs, src/openhuman/config/mod.rs, src/openhuman/inference/provider/factory.rs	Adds MODEL_SUMMARIZATION_V1, recognizes summarization-v1 and hint:summarization, maps hints to the new tier, and includes it in fallback warnings.
Runtime snapshot sub-operation timeouts src/openhuman/app_state/ops.rs	Introduces SNAPSHOT_SUB_OP_TIMEOUT and wraps screen_intelligence, local_ai, and autocomplete calls in per-operation timeouts that log warnings and fall back to degraded snapshot fields on timeout.
Config file permission auto-fix src/openhuman/config/schema/load.rs	Auto-fixes world-readable config.toml files to 0o600 on Unix during load, logging a warning once per path and ignoring set-permissions errors.
Malformed lock file reclamation src/openhuman/credentials/profiles.rs	Treats locks with unreadable mtime as stale/malformed-too-old and eligible for reclamation in clear_lock_if_stale.
Ping timeout logging clarity src/openhuman/socket/ws_loop.rs	Refactors ping deadline calculation to compute an explicit timeout_ms and updates warning logs to include component values (interval, timeout, grace).
Minor formatting src/openhuman/config/mod.rs	Reformats pub use schema::{ ... } re-export list without changing exported identifiers.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• tinyhumansai/openhuman#2321: Related changes touching lock stale-reclaim behavior in src/openhuman/credentials/profiles.rs.

Suggested reviewers

• senamakel
• graycyrus

Poem

🐰 I hopped through code with nimble paws,

sixty ticks now end the pause.
Buttons whisper "timeout" clear and bright,
Snapshots race and logs shed light.
Configs snug, locks tidy — sign-in sails tonight.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes all five main changes: runtime snapshot timeouts, config permissions, stale lock recovery, summarization-v1 tier, and loopback OAuth UX improvements.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

src/openhuman/inference/provider/factory.rs (1)

47-60: 🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win

Remove local constant duplication in favor of the imported constant.

The is_abstract_tier_model function defines a local MODEL_SUMMARIZATION_V1 constant with a comment stating "No dedicated constant for the summarization tier yet". However, this PR adds exactly that constant to types.rs and imports it at line 82. The function should use the imported constant instead of defining its own to avoid duplication and maintain consistency.

♻️ Proposed fix to use the imported constant

 fn is_abstract_tier_model(model: &str) -> bool {
     use crate::openhuman::config::{
-        MODEL_AGENTIC_V1, MODEL_CODING_V1, MODEL_REASONING_QUICK_V1, MODEL_REASONING_V1,
+        MODEL_AGENTIC_V1, MODEL_CODING_V1, MODEL_REASONING_QUICK_V1, MODEL_REASONING_V1,
+        MODEL_SUMMARIZATION_V1,
     };
-    // No dedicated constant for the summarization tier yet; keep the literal
-    // in sync with the tier name used by the summarizer sub-agent.
-    const MODEL_SUMMARIZATION_V1: &str = "summarization-v1";
     let trimmed = model.trim();
     trimmed == MODEL_REASONING_V1
         || trimmed == MODEL_REASONING_QUICK_V1

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/openhuman/inference/provider/factory.rs` around lines 47 - 60, The
function is_abstract_tier_model defines a local const MODEL_SUMMARIZATION_V1
while an identical constant has already been added and imported; remove the
local MODEL_SUMMARIZATION_V1 declaration and replace its usage with the imported
MODEL_SUMMARIZATION_V1 (keep the trimmed variable and existing comparisons),
ensuring the import of MODEL_SUMMARIZATION_V1 remains in scope so the function
compares trimmed == MODEL_SUMMARIZATION_V1 instead of a duplicated literal.

🧹 Nitpick comments (3)

src/openhuman/app_state/ops.rs (1)

510-531: 💤 Low value

Consider adding a timeout wrapper for consistency (optional).

The service::status call lacks a sub-operation timeout unlike the other three. Since it runs via spawn_blocking, it won't block the async runtime, and the outer RUNTIME_SNAPSHOT_TIMEOUT provides a safety net. However, if service::status hangs, the entire snapshot build will wait the full 10s before falling back.

If the service status check is known to be fast and reliable, this is fine. Otherwise, wrapping it similarly would make all four sub-operations consistent and allow faster degraded fallback.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/openhuman/app_state/ops.rs` around lines 510 - 531, Wrap the
spawn_blocking call that invokes
crate::openhuman::service::status(&config_for_service) in a tokio::time::timeout
(same RUNTIME_SNAPSHOT_TIMEOUT used by the other sub-operations) so the
sub-operation fails fast on hang; on timeout map the error into the same
fallback ServiceStatus variant (ServiceState::Unknown, details/message
populated) and log a warning similar to the existing Err branch, keeping the
rest of the async block (t timing, elapsed return) unchanged.

src/openhuman/credentials/profiles.rs (1)

1096-1101: ⚡ Quick win

Clarify reclaim log message when age is unreadable.

The new default (map_or(true, ...)) correctly treats pidless locks with unreadable mtime as stale, handling clock-skew and filesystem anomalies. However, the reclaim log message at lines 1125-1128 claims the lock is "older than {MALFORMED_LOCK_GRACE_MS}ms" even when age is None (unreadable), which is misleading for troubleshooting.

Consider updating the log format to distinguish actual measured age from unreadable age:

📝 Suggested refinement

         let reclaim_reason: Option<String> = match pid {
             Some(pid) if !is_pid_alive(pid) => Some(format!("pid {pid} not alive")),
             Some(pid) if too_old => Some(format!(
                 "lock file older than {STALE_LOCK_AGE_MS}ms (recorded pid {pid}, presumed leaked)"
             )),
-            None if malformed_too_old => Some(format!(
-                "no parseable pid and older than {MALFORMED_LOCK_GRACE_MS}ms \
-                 (abandoned in-flight lock, reclaiming)"
-            )),
+            None if malformed_too_old => {
+                let age_desc = age.map_or(
+                    "age unreadable (clock skew or fs issue)".to_string(),
+                    |a| format!("older than {MALFORMED_LOCK_GRACE_MS}ms (age={}ms)", a.as_millis())
+                );
+                Some(format!(
+                    "no parseable pid and {age_desc} (abandoned in-flight lock, reclaiming)"
+                ))
+            },
             Some(_) => return false,

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/openhuman/credentials/profiles.rs` around lines 1096 - 1101, The reclaim
log is misleading because malformed_too_old uses age.map_or(true, ...) and
treats unreadable age (age == None) as stale, but the log message (around the
reclaim path) always claims the lock is "older than
{MALFORMED_LOCK_GRACE_MS}ms"; update the log in the lock-reclaiming code to
branch on the age variable: when age is Some(a) log the actual age in ms (e.g.,
"age {a_ms}ms, threshold {MALFORMED_LOCK_GRACE_MS}ms"), and when age is None log
a clear message like "mtime unreadable; treating as stale (threshold
{MALFORMED_LOCK_GRACE_MS}ms)". Ensure this change references the same
variables/consts used now (age, malformed_too_old, MALFORMED_LOCK_GRACE_MS) so
behavior is unchanged but messaging is accurate.

src/openhuman/socket/ws_loop.rs (1)

342-345: ⚡ Quick win

Consider including the socket ID for log correlation.

The expanded breakdown is a clear improvement. To fully align with the coding guideline requirement for correlation fields in timeout logs, consider including the socket ID to help correlate this timeout event with other connection activity.

📊 Proposed enhancement with socket_id correlation

+            let socket_id = shared.socket_id.read().clone().unwrap_or_else(|| "?".to_string());
             log::warn!(
-                "[socket] No server ping received within {}ms (interval={}ms + timeout={}ms + 5s grace); reconnecting",
+                "[socket][sid={}] No server ping received within {}ms (interval={}ms + timeout={}ms + 5s grace); reconnecting",
+                socket_id,
                 timeout_ms,
                 ping_interval,
                 ping_timeout_ms,
             );

As per coding guidelines: "Log entry/exit, branches, external calls, retries/timeouts, state transitions, and errors with verbose diagnostics using stable grep-friendly prefixes and correlation fields".

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/openhuman/socket/ws_loop.rs` around lines 342 - 345, The timeout log for
the server ping currently prints timing details but lacks a correlation field;
update the log call in ws_loop.rs (the ping timeout branch where the message
with timeout_ms, ping_interval, ping_timeout_ms is emitted) to include the
socket ID (e.g., socket_id or self.socket_id) as a correlation field so timeouts
can be traced to the connection; add the socket ID to the formatted message or,
if using a structured logger, include it as a named field alongside the existing
timing args.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/openhuman/config/schema/load.rs`:
- Around line 1128-1141: The code currently ignores fs::set_permissions errors
after inserting the path into the warned cache, which can hide persistent chmod
failures; modify the flow around warned, config_path, fs::set_permissions, and
Permissions::from_mode so you attempt the chmod, check the Result, and only mark
the path as "warned" (or remove it on failure) when the permission change
succeeds; on Err, emit a tracing::error with a stable prefix (e.g.,
"[config][chmod]"), include config_path, the attempted mode (0o600) and the
underlying error, and ensure the once-per-path cache isn't advanced on failure
so subsequent loads will re-attempt and re-log the problem.

---

Outside diff comments:
In `@src/openhuman/inference/provider/factory.rs`:
- Around line 47-60: The function is_abstract_tier_model defines a local const
MODEL_SUMMARIZATION_V1 while an identical constant has already been added and
imported; remove the local MODEL_SUMMARIZATION_V1 declaration and replace its
usage with the imported MODEL_SUMMARIZATION_V1 (keep the trimmed variable and
existing comparisons), ensuring the import of MODEL_SUMMARIZATION_V1 remains in
scope so the function compares trimmed == MODEL_SUMMARIZATION_V1 instead of a
duplicated literal.

---

Nitpick comments:
In `@src/openhuman/app_state/ops.rs`:
- Around line 510-531: Wrap the spawn_blocking call that invokes
crate::openhuman::service::status(&config_for_service) in a tokio::time::timeout
(same RUNTIME_SNAPSHOT_TIMEOUT used by the other sub-operations) so the
sub-operation fails fast on hang; on timeout map the error into the same
fallback ServiceStatus variant (ServiceState::Unknown, details/message
populated) and log a warning similar to the existing Err branch, keeping the
rest of the async block (t timing, elapsed return) unchanged.

In `@src/openhuman/credentials/profiles.rs`:
- Around line 1096-1101: The reclaim log is misleading because malformed_too_old
uses age.map_or(true, ...) and treats unreadable age (age == None) as stale, but
the log message (around the reclaim path) always claims the lock is "older than
{MALFORMED_LOCK_GRACE_MS}ms"; update the log in the lock-reclaiming code to
branch on the age variable: when age is Some(a) log the actual age in ms (e.g.,
"age {a_ms}ms, threshold {MALFORMED_LOCK_GRACE_MS}ms"), and when age is None log
a clear message like "mtime unreadable; treating as stale (threshold
{MALFORMED_LOCK_GRACE_MS}ms)". Ensure this change references the same
variables/consts used now (age, malformed_too_old, MALFORMED_LOCK_GRACE_MS) so
behavior is unchanged but messaging is accurate.

In `@src/openhuman/socket/ws_loop.rs`:
- Around line 342-345: The timeout log for the server ping currently prints
timing details but lacks a correlation field; update the log call in ws_loop.rs
(the ping timeout branch where the message with timeout_ms, ping_interval,
ping_timeout_ms is emitted) to include the socket ID (e.g., socket_id or
self.socket_id) as a correlation field so timeouts can be traced to the
connection; add the socket ID to the formatted message or, if using a structured
logger, include it as a named field alongside the existing timing args.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 1cc7f704-9d4a-4e83-a879-ec9e2a061d50

📥 Commits

Reviewing files that changed from the base of the PR and between 844a26c and 0dfa298.

📒 Files selected for processing (23)

• app/src/components/oauth/OAuthProviderButton.tsx
• app/src/lib/i18n/chunks/ar-4.ts
• app/src/lib/i18n/chunks/bn-4.ts
• app/src/lib/i18n/chunks/de-4.ts
• app/src/lib/i18n/chunks/en-4.ts
• app/src/lib/i18n/chunks/es-4.ts
• app/src/lib/i18n/chunks/fr-4.ts
• app/src/lib/i18n/chunks/hi-4.ts
• app/src/lib/i18n/chunks/id-4.ts
• app/src/lib/i18n/chunks/it-4.ts
• app/src/lib/i18n/chunks/ko-4.ts
• app/src/lib/i18n/chunks/pt-4.ts
• app/src/lib/i18n/chunks/ru-4.ts
• app/src/lib/i18n/chunks/zh-CN-4.ts
• app/src/lib/i18n/en.ts
• app/src/utils/loopbackOauthListener.ts
• src/openhuman/app_state/ops.rs
• src/openhuman/config/mod.rs
• src/openhuman/config/schema/load.rs
• src/openhuman/config/schema/types.rs
• src/openhuman/credentials/profiles.rs
• src/openhuman/inference/provider/factory.rs
• src/openhuman/socket/ws_loop.rs