The two consecutive registry lock acquisitions after READY left a window
where session state was Running but the AppReady broadcast had not yet
been sent. A concurrent reader winning the lock in that window would
observe Running without a corresponding event. Combining into one
acquisition closes the window.
- supervise: in the stdout-read-error-before-READY case, immediately
kill the child process, tear down the file portal, mark the session
Stopped, and return; previously the function fell through to child.wait()
leaving the session in Starting state with no guaranteed cleanup path
- supervise: restructure app_shell binding as a match expression so the
compiler can verify the initial None value is not silently discarded
- weft-runtime: replace Mutex::lock().unwrap() with unwrap_or_else in
the weft:app/ipc send, recv, and connect host functions so a poisoned
mutex does not panic inside the Wasmtime host-call context
- blit_software: replace expect() on softbuffer Context and Surface
creation with log-and-skip so a frame failure does not crash the process
- blit_software: replace NonZeroU32::new(1).unwrap() with NonZeroU32::MIN
- resumed: replace create_window().expect() with a match that calls
event_loop.exit() and returns on failure instead of unwinding
- build_rendering_ctx: return Option<RenderingCtx> instead of panicking
when SoftwareRenderingContext creation fails; callers exit cleanly
- resumed (app-shell): exit without emitting READY when no rendering
context is available so weft-appd observes a clean session failure
- weft-servo-shell: bound gesture forwarding to one active thread at a
time using JoinHandle::is_finished(); excess batches are dropped with
a debug log to prevent unbounded thread creation per event loop tick
- shell_client (both shells): replace post-ensure! unwrap() with expect()
that documents the invariant
- winit backend: client insertion and dispatch_clients failures now log
and continue instead of unwinding the event loop
- winit backend: bind/render/submit failures in the redraw handler skip
the frame and log a warning; the compositor stays running
- DRM backend: same client insertion and dispatch_clients treatment
- DRM device_added: use .context()? instead of unwrap() when inserting
the new device entry after the drm field is known to be initialised
- DRM render_output: use guard-return instead of unwrap() to access drm
state that was already verified non-None lines above
- compositor state: duplicate layer surface mapping from a misbehaving
client logs a warning and returns instead of panicking
- Replace Mesa-libEGL-devel and Mesa-libGLES-devel (do not exist on
openSUSE) with libglvnd-devel (Khronos EGL/GLES dispatch headers)
- Replace libseat-devel (does not exist on openSUSE) with seatd-devel
Package names confirmed via rpmfind.net against Tumbleweed and Leap
repositories.
In environments where XDG_RUNTIME_DIR/systemd/private exists but the
user systemd session is not functional, systemd_cgroup_available()
returns true and the test script is wrapped with systemd-run, which
fails immediately, causing ChildStdout to return EOF before READY.
Set WEFT_DISABLE_CGROUP=1 for the duration of the test and restore
it on exit.
- IoView/WasiView split: implement IoView for State, remove table()
from WasiView impl
- preopened_dir: new signature takes host path and guest path directly
- LinkerInstance::func_wrap returns Result in wasmtime 30; use a
variable for the clipboard LinkerInstance
- Set PR_SET_NO_NEW_PRIVS before applying the seccomp filter
- Unconditional syscall block uses empty Vec<SeccompRule>
- flake.nix, infra/nixos/: NixOS VM with Mesa, virtio-gpu, Wayland,
systemd user services for compositor and session supervisor
- infra/vm/: QEMU build and run scripts
- .github/workflows/ci.yml: add Linux job to type-check weft-servo-shell
and weft-app-shell with --features servo-embed
- docs/architecture.md, docs/security.md, docs/building.md: replace
stale pre-implementation design documents
- README.md: rewrite to reflect current codebase
- crates/weft-servo-shell/SERVO_PIN.md: update implementation status and add
SpiderMonkey process boundary statement
- examples/org.weft.demo.counter: stateless counter Wasm component
using weft:app/ipc for increment/decrement/reset; built for
wasm32-wasip2 with wit-bindgen 0.53; dark-themed HTML UI
- examples/org.weft.demo.notes: persistent notes Wasm component
using weft:app/ipc + WASI preopened /data dir (fs:rw:app-data);
save/load via newline-delimited IPC protocol; HTML textarea UI
- examples/keys/: committed demo Ed25519 keypair; both packages
signed with weft-pack sign
- workspace Cargo.toml: exclude examples from workspace members
(they target wasm32-wasip2, not the host toolchain)
- SERVO_PIN.md: update deps section and document shell-client display sharing resolved in
full description of connect_with_display implementation
- Add servo/winit/softbuffer as optional deps in weft-servo-shell and
weft-app-shell Cargo.toml, gated on servo-embed feature
- Replace ShellClient::connect() and connect_as_app() with
connect_with_display() and connect_as_app_with_display(), using
Backend::from_foreign_display to share the winit wl_display connection
- Move ShellClient construction into resumed() in both embedders after
winit window and wl_surface are available
- Pass actual wl_surface to create_window instead of None
- Fix pre-existing field name bug: wayland-scanner generates _type for
the reserved keyword arg name=type, not r#type
Add weft-app-shell binary: takes <app_id> <session_id> args, connects to
zweft_shell_manager_v1 as an application window, resolves the app UI URL,
and runs a single Servo WebView in an isolated process. Prints READY to
stdout after the window is initialised so weft-appd can track the session
lifecycle.
weft-appd runtime.rs: after weft-runtime emits READY, spawn weft-app-shell
(WEFT_APP_SHELL_BIN env var) alongside it. The app shell is killed when the
session ends via abort or natural runtime exit.
weft-servo-shell: remove in-process app WebView management. The shell now
manages the system UI WebView only; all app rendering happens in dedicated
weft-app-shell processes.
Wire ShellClient into App so its Wayland event queue is dispatched each
frame via about_to_wait. This ensures configure, focus_changed, and
window_closed events from the compositor are processed. window_closed
now triggers a clean Servo shutdown.
The EGL rendering path (WindowRenderingContext + surfman eglSwapBuffers)
produces frames transparently via Mesa DMA-BUF buffer sharing; no
explicit zwp_linux_dmabuf_v1 code is required in the shell.
Remaining: ZweftShellWindowV1 is created with surface=null; sharing the
winit wl_surface with the shell client connection is not currently
feasible without refactoring to a single shared Wayland connection.
backdrop-filter is fully implemented across two commits:
- marcoallegretti/stylo servo-weft f1ba496: enables backdrop-filter parsing
- marcoallegretti/servo servo-weft 8e7dc40: wires stacking context and display list
- CSS Grid is implemented via Taffy; backdrop-filter is the remaining unimplemented property
- Document the two-step implementation: stylo parsing enable + display list wiring
- Add Stylo fork section with patch template and step-by-step instructions
- Expand per-app process isolation section with clearer implementation detail
Fork: https://github.com/marcoallegretti/servo
Branch: servo-weft
Base rev: 04ca254f843ed650d3e5b14e5693ad51a60cc84b (upstream main 2026-03-11)
Update the Cargo snippet and update policy to match the fork-and-PR workflow.
The READY timeout branch killed the process and returned Ok(()) without
calling remove_abort_sender(), leaving a spent entry in abort_senders.
Add the call to keep it consistent with all other exit paths.
Path::starts_with is component-aware but does not resolve .., so
/allowed/../etc/passwd would pass the check. Add normalize_path() that
lexically resolves . and .. components without touching the filesystem
so the check works on non-existent paths too. Add regression test.
std::fs::write fails when the destination parent does not exist.
Add create_dir_all before the write so apps can store files in
nested paths (e.g. config/sub/settings.json) without pre-creating
directories. Add regression test for the nested-path case.
Previously the supervisor returned Ok(()) without updating the session
state, leaving it in Starting indefinitely. Now it sets state to
Stopped, removes the abort sender, and broadcasts AppState:stopped
before returning, consistent with every other early-exit path.
RUNNING_APPS response now produces a SyncSessions command instead of
individual Launch commands. The embedder retains only WebViews whose
session_id is in the active list (removes stale entries from sessions
that stopped during a disconnect), then creates WebViews for any
sessions not yet tracked. This is idempotent thanks to the existing
contains_key guard in create_app_webview.
When a runtime process exits naturally (not via TerminateApp) the
oneshot Sender remained in abort_senders until shutdown_all().
Add remove_abort_sender() and call it at the normal exit path in
supervise() to release the entry immediately.
App-level weftIpc messages from the system UI routinely fail Request
deserialization since they are not system commands. Using warn generates
log noise during normal operation.
check_package() now rejects any capabilities not in the known set:
fs:rw:app-data, fs:read:app-data,
fs:rw:xdg-documents, fs:read:xdg-documents
This keeps the manifest in sync with what resolve_preopens() in
weft-appd actually maps; unknown strings would otherwise silently
produce no preopens at runtime.
A broadcast LaunchAck can arrive in addition to any direct response,
causing create_app_webview to be called twice for the same session.
Without the guard the second call silently overwrites the existing
WebView entry without destroying it. Early-return if the session is
already tracked.
Previously LaunchAck was sent only as a direct response to the
requesting connection. The servo-shell appd_ws listener thread is a
separate WebSocket connection and would never receive LaunchAck for
UI-initiated launches, causing those sessions to have no WebView.
Now dispatch() broadcasts LaunchAck over the registry broadcast channel
immediately after returning the direct response, so all connected
WebSocket clients (including the shell listener) learn about every new
session regardless of which connection triggered the launch.
run_listener() now loops forever instead of returning on first failure.
Connect errors retry starting at 500ms, doubling up to 16s.
On disconnect the inner loop breaks and the outer loop reconnects
after the current backoff delay, then resets backoff to 500ms.
QUERY_RUNNING is sent again on each reconnect to re-sync session state.
When WEFT_FILE_PORTAL_SOCKET is present in the process environment
(set by weft-appd before exec), it is now forwarded into the WASI
context so the WASM component can read it via std::env::var or
equivalent and locate the per-session file portal socket.
Runtime spawn failure, READY timeout, and abort-during-startup all
previously returned without killing the portal child process or removing
its socket file. Extracted kill_portal() to consolidate cleanup and
call it in each of those three paths.
Three tests covering the save_session / load_session helpers:
- session_save_load_roundtrip: full write-then-read cycle verifying
content, and that a second load returns None (file deleted).
- session_save_empty_load_returns_empty_vec: edge case of empty list.
- load_session_no_file_returns_none: missing file returns None.
Also fixes save_session to create_dir_all on the parent directory
before writing, which was the root cause of test failures.
On clean shutdown (SIGINT/SIGTERM), save the list of running app IDs to
/weft/last-session.json before calling shutdown_all().
On the next startup, load_session() reads and immediately deletes that
file, then dispatches a LaunchApp for each saved app ID. This restores
the previous session after a system restart or orderly service stop.
If the file does not exist (crash, first boot, or deliberate reset) no
auto-launch occurs. Duplicate detection relies on the existing fact that
the saved processes are gone before appd starts again.
spawn_file_portal() checks WEFT_FILE_PORTAL_BIN; if set, creates a
per-session Unix socket at /weft/portal-<id>.sock and
spawns weft-file-portal with --allow args derived from the same host
paths that resolve_preopens() produces for the session.
WEFT_FILE_PORTAL_SOCKET is added to the runtime environment so
weft-runtime (and the WASM app) can locate the socket.
The portal process is killed and the socket cleaned up at the end of
supervise(), after the runtime exits and the mount is torn down.
When WEFT_FILE_PORTAL_BIN is unset the behaviour is unchanged.
Add RenderingCtx enum wrapping SoftwareRenderingContext or
WindowRenderingContext. build_rendering_ctx() checks WEFT_EGL_RENDERING
at startup: if set, attempts WindowRenderingContext::new with the winit
display/window handles and falls back to software on error.
render_frame() dispatches on the variant: software path blits pixels
through softbuffer; EGL path is a no-op (Servo presents directly to
the EGL surface). All WebViewBuilder calls now use RenderingCtx::as_dyn()
to produce Rc<dyn RenderingContext>.
The software path is unchanged. The EGL path is gated behind
WEFT_EGL_RENDERING and only activates with the servo-embed feature.
Task 10 -- App WebView lifecycle.
appd_ws module (servo-embed gated):
Background thread connects to the appd WebSocket on startup.
Sends QUERY_RUNNING to receive initial running sessions.
Translates LAUNCH_ACK -> AppdCmd::Launch and APP_STATE stopped
-> AppdCmd::Stop, then wakes the winit event loop via the
shared EventLoopWaker.
embedder changes:
App struct gains app_rx (mpsc receiver), app_webviews
(HashMap<session_id, WebView>), active_session, and a stored
rendering_context used when creating app WebViews later.
create_app_webview(): resolves weft-app://<app_id>/index.html
to a file URL, creates a dedicated UserContentManager with the
weftIpc bridge injected (includes window.weftSessionId), builds
and registers a new WebView.
about_to_wait() drains app_rx: creates WebViews for Launch
commands, removes and clears active_session for Stop commands.
active_webview() returns the active-session WebView when one
exists, falling back to the system-ui WebView. Rendering,
keyboard, and mouse events all route through active_webview().
Resize propagates to both the system WebView and all app WebViews.
run() creates the mpsc channel and spawns the appd listener
before entering the winit event loop.
