feat: exit host/tunnel if window not visible in taskbar

Watches the program's window state once per second during handoff new
and handoff tunnel. If neither the process's own console window nor
any ancestor process has a taskbar-visible window, the watcher writes
a reason to the support log and exits with code 1.

Falls back to walking the parent process chain so Windows Terminal and
VS Code-style hosts (where the conhost is hidden by design) still work.

Adds go test to CI so the suite gates PRs.

Author: RealWhyKnot

.github/workflows/ci.yml

@@ -19,6 +19,9 @@ jobs:
       - name: go vet
         run: go vet ./...
 
+      - name: go test
+        run: go test ./...
+
       - name: go build (default)
         run: go build -v ./...
 

cmd/new.go

@@ -18,6 +18,7 @@ import (
 	"github.com/RealWhyKnot/Handoff/internal/dispatch"
 	"github.com/RealWhyKnot/Handoff/internal/relay"
 	"github.com/RealWhyKnot/Handoff/internal/supportlog"
+	"github.com/RealWhyKnot/Handoff/internal/visibility"
 )
 
 // Version is stamped from main.go.
@@ -73,6 +74,11 @@ func New(args []string) {
 		cancel()
 	}()
 
+	// Force-quit if the program's window stops being visible in the
+	// taskbar -- closes the loophole where a hidden console keeps the
+	// remote-control channel open after the host thinks it's gone.
+	visibility.StartWatcher(ctx)
+
 	// Open the bridge WS.
 	dialCtx, dialCancel := context.WithTimeout(ctx, 15*time.Second)
 	bridge, err := relay.Dial(dialCtx, relayBase, mint.WriteToken)

cmd/tunnel.go

@@ -22,6 +22,7 @@ import (
 	"time"
 
 	"github.com/RealWhyKnot/Handoff/internal/supportlog"
+	"github.com/RealWhyKnot/Handoff/internal/visibility"
 	"github.com/coder/websocket"
 )
 
@@ -99,6 +100,9 @@ func Tunnel(args []string) {
 	client := newTunnelClient(conn)
 	defer client.shutdown("operator close")
 
+	// Force-quit if our window disappears from the taskbar mid-tunnel.
+	visibility.StartWatcher(ctx)
+
 	go client.acceptLoop(ctx, listener)
 	if err := client.readLoop(ctx); err != nil && !errors.Is(err, context.Canceled) {
 		supportlog.Printf("tunnel client read loop ended: %v", err)

internal/visibility/integration_windows_test.go

@@ -0,0 +1,127 @@
+// SPDX-License-Identifier: GPL-3.0-or-later
+//go:build windows
+
+package visibility
+
+import (
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+	"syscall"
+	"testing"
+	"time"
+)
+
+// TestCollectParents_IncludesSelf verifies the toolhelp snapshot syscall
+// plumbing. Our own PID must show up in the snapshot with a non-zero
+// parent.
+func TestCollectParents_IncludesSelf(t *testing.T) {
+	parents, err := collectParents()
+	if err != nil {
+		t.Fatalf("collectParents: %v", err)
+	}
+	self := uint32(os.Getpid())
+	parent, ok := parents[self]
+	if !ok {
+		t.Fatalf("snapshot does not contain our own PID %d", self)
+	}
+	if parent == 0 {
+		t.Errorf("our parent PID is 0; expected a real PPID")
+	}
+	if len(parents) < 3 {
+		t.Errorf("snapshot has %d entries; expected >= 3 on a real Windows session", len(parents))
+	}
+}
+
+// TestEnumWindows_PopulatesCollector verifies the EnumWindows callback
+// plumbing. On any normal desktop session it returns at least one
+// top-level window; we skip rather than fail on session-0 / headless
+// environments where 0 is plausible.
+func TestEnumWindows_PopulatesCollector(t *testing.T) {
+	enumCollector = enumCollector[:0]
+	enumWindowsProc.Call(enumProcCallback, 0)
+	if len(enumCollector) == 0 {
+		t.Skip("EnumWindows returned 0 windows; likely a headless or session-0 environment")
+	}
+}
+
+// TestPerformCheck_PassesInDevEnvironment confirms the full check returns
+// ok=true when run from an interactive session with a visible ancestor
+// window. Auto-skips on CI.
+func TestPerformCheck_PassesInDevEnvironment(t *testing.T) {
+	if os.Getenv("CI") != "" {
+		t.Skip("skipping live visibility check on CI")
+	}
+	res := performCheck()
+	if !res.ok {
+		t.Errorf("performCheck failed in dev environment: %s", res.reason)
+	}
+}
+
+// TestProbe_SurvivesWithVisibleAncestor builds the probe binary and runs
+// it inheriting our environment. Probe should heartbeat and exit cleanly.
+// Skips if the current environment has no visible ancestor at all (the
+// kill switch would correctly fire there).
+func TestProbe_SurvivesWithVisibleAncestor(t *testing.T) {
+	if !performCheck().ok {
+		t.Skip("no visible ancestor in this environment; can't test survival here")
+	}
+	probe := buildProbe(t)
+
+	out, err := exec.Command(probe).CombinedOutput()
+	if err != nil {
+		t.Fatalf("probe exited with error: %v\noutput:\n%s", err, out)
+	}
+	if !strings.Contains(string(out), "alive") {
+		t.Fatalf("probe didn't print heartbeat; output:\n%s", out)
+	}
+}
+
+// TestProbe_KilledWhenLaunchedHiddenWithoutVisibleAncestor exercises the
+// kill path end-to-end. We spawn the probe with a new hidden console; the
+// probe's own console check fails, and its ancestor walk inherits our
+// process tree. If our process tree also has no visible window (headless
+// CI) the watcher kills the probe within a few seconds. We skip locally
+// where a visible terminal would shield the probe.
+func TestProbe_KilledWhenLaunchedHiddenWithoutVisibleAncestor(t *testing.T) {
+	if performCheck().ok {
+		t.Skip("visible ancestor in this environment would shield the probe via the ancestor walk. Run headless to exercise the kill path.")
+	}
+	probe := buildProbe(t)
+
+	cmd := exec.Command(probe)
+	cmd.SysProcAttr = &syscall.SysProcAttr{
+		HideWindow:    true,
+		CreationFlags: 0x00000010, // CREATE_NEW_CONSOLE
+	}
+
+	start := time.Now()
+	err := cmd.Run()
+	elapsed := time.Since(start)
+
+	if err == nil {
+		t.Fatal("expected probe to be killed by the watcher; it exited cleanly")
+	}
+	if exitErr, ok := err.(*exec.ExitError); ok {
+		if code := exitErr.ExitCode(); code != 1 {
+			t.Errorf("probe exit code = %d, want 1", code)
+		}
+	}
+	if elapsed > 8*time.Second {
+		t.Errorf("probe took %v to be killed; watcher should fire by ~3s", elapsed)
+	}
+	if elapsed < 2*time.Second {
+		t.Errorf("probe exited too fast (%v); kill should not fire before the 2s startup grace", elapsed)
+	}
+}
+
+func buildProbe(t *testing.T) string {
+	t.Helper()
+	out := filepath.Join(t.TempDir(), "probe.exe")
+	cmd := exec.Command("go", "build", "-o", out, "./testdata/probe")
+	if combined, err := cmd.CombinedOutput(); err != nil {
+		t.Fatalf("build probe: %v\n%s", err, combined)
+	}
+	return out
+}

internal/visibility/testdata/probe/main.go

@@ -0,0 +1,31 @@
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+// Probe is a test fixture for visibility integration tests. It starts the
+// real visibility watcher and prints a heartbeat for a few seconds. If the
+// watcher kills the process, os.Exit(1) fires from the watcher goroutine
+// and the test sees a non-zero exit. If the watcher stays quiet, the probe
+// exits 0 after the deadline.
+package main
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"time"
+
+	"github.com/RealWhyKnot/Handoff/internal/visibility"
+)
+
+func main() {
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	visibility.StartWatcher(ctx)
+
+	deadline := time.Now().Add(8 * time.Second)
+	for time.Now().Before(deadline) {
+		fmt.Println("alive")
+		time.Sleep(500 * time.Millisecond)
+	}
+	os.Exit(0)
+}

internal/visibility/visibility.go

@@ -0,0 +1,81 @@
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+// Package visibility kills the running process when no taskbar-visible
+// window can be found in its process ancestry. The check runs once per
+// second while a long-running command (host bridge or operator tunnel)
+// is active. On non-Windows builds StartWatcher is a no-op.
+package visibility
+
+import (
+	"context"
+	"time"
+)
+
+const (
+	defaultTick       = time.Second
+	defaultGraceTicks = 2
+	maxAncestorDepth  = 32
+)
+
+type checkResult struct {
+	ok     bool
+	reason string
+}
+
+// runWatcher drives the visibility loop. It reads ticks from the supplied
+// channel, skips the first graceTicks of them, then calls check on every
+// subsequent tick. On a failed check it calls exit and returns. A canceled
+// ctx returns without calling exit. Factored from StartWatcher so tests can
+// drive ticks deterministically.
+func runWatcher(
+	ctx context.Context,
+	ticks <-chan time.Time,
+	graceTicks int,
+	check func() checkResult,
+	exit func(reason string),
+) {
+	elapsed := 0
+	for {
+		select {
+		case <-ctx.Done():
+			return
+		case _, ok := <-ticks:
+			if !ok {
+				return
+			}
+			elapsed++
+			if elapsed <= graceTicks {
+				continue
+			}
+			res := check()
+			if !res.ok {
+				exit(res.reason)
+				return
+			}
+		}
+	}
+}
+
+// buildAncestors returns the set of PIDs containing self and every parent
+// reachable through parents. The walk stops at PID 0, PID 4 (the Windows
+// System process), a missing parent entry, a self-loop, or once
+// maxAncestorDepth steps have been taken.
+func buildAncestors(self uint32, parents map[uint32]uint32) map[uint32]struct{} {
+	out := map[uint32]struct{}{}
+	cur := self
+	for i := 0; i < maxAncestorDepth; i++ {
+		if cur == 0 || cur == 4 {
+			break
+		}
+		if _, seen := out[cur]; seen {
+			break
+		}
+		out[cur] = struct{}{}
+		parent, ok := parents[cur]
+		if !ok {
+			break
+		}
+		cur = parent
+	}
+	return out
+}

internal/visibility/visibility_other.go

@@ -0,0 +1,13 @@
+// SPDX-License-Identifier: GPL-3.0-or-later
+//go:build !windows
+
+package visibility
+
+import "context"
+
+// StartWatcher is a no-op on non-Windows builds. The kill switch only
+// matters on Windows; this stub exists so dev builds on macOS/Linux still
+// compile.
+func StartWatcher(ctx context.Context) {
+	_ = ctx
+}