Bug #1 (CRITIQUE) — A3 flip+ensure inconsistency
- Before: EnsureForAccount failure after flip was WARN-only, SetActiveAccount
still fired → daemon declared target active while shared symlinks were
absent/divergent → transcripts silently duplicated, resume broken.
- After: ensure failure triggers rollback flip to previous account home;
if rollback succeeds → explicit error, ActiveAccount stays on previous.
If rollback ALSO fails → sticky partialSwap flag + ErrPartialSwap; all
further swaps refused until operator intervention (daemon restart).
- New public IsPartialSwap() for watchdog / health-check integration.
Bug #10 (MOYENNE) — requiredShared contract never exercised
- All existing tests override a.sharedSymlinks with tmpdir-scoped lists,
so symlinks.RequiredShared itself was never tested. A rename or drop
would pass every test but silently break prod failover.
- TestRequiredSharedIsCoherent asserts (no filesystem): 3 entries with
the exact required names, absolute targets, and a single shared parent
directory (invariant EnsureForAccount depends on).
Tests:
- go test ./... PASS
- go test -race ./... PASS (no data race)
- 2 new switcher tests: TestFlipEnsureFailureTriggersRollback,
TestFlipEnsureAndRollbackFailure
- 1 new symlinks test: TestRequiredSharedIsCoherent
- 1 obsolete test replaced: TestFlipEnsureSymlinksFailureDoesNotAbortSwap
(encoded the old buggy best-effort behaviour)
20063b1939