docs(01): research phase 1 safety foundation
This commit is contained in:
@@ -0,0 +1,699 @@
|
||||
# Phase 1: Safety Foundation - Research
|
||||
|
||||
**Researched:** 2026-02-28
|
||||
**Domain:** Rust TUI process lifecycle, signal handling, TOML configuration, terminal state management
|
||||
**Confidence:** HIGH
|
||||
|
||||
<user_constraints>
|
||||
## User Constraints (from CONTEXT.md)
|
||||
|
||||
### Locked Decisions
|
||||
|
||||
#### Configuration shape
|
||||
- Config file lives next to the binary (same directory)
|
||||
- When bbs.toml is missing, use sensible defaults (vault defaults to ./vault/, default theme) — config file is optional
|
||||
- Phase 1 settings: `vault_path` and `theme` only — minimal config
|
||||
- Support `--config /path/to/bbs.toml` CLI flag to override config location
|
||||
- Strict TOML parsing — reject unknown keys to catch typos early
|
||||
- When vault path points to a nonexistent directory, show a friendly error and exit (don't launch the TUI)
|
||||
|
||||
#### Startup experience
|
||||
- Straight to content on launch — no splash screen, no delay, immediately show index.md
|
||||
- Clear the terminal on launch (clean slate, not alternate screen buffer) — immersive BBS feel, no shell artifacts
|
||||
- Login shell detection: strip the leading dash from argv[0] for compatibility
|
||||
- In login-shell mode, suppress 'q' to quit — prevents accidental SSH disconnects. Only Ctrl+C works as exit.
|
||||
|
||||
#### Failure messaging
|
||||
- On panic recovery: friendly message only — "Something went wrong. The app has exited safely." No technical details shown to user.
|
||||
- Panic details logged to stderr — captured by systemd journal or SSH output after exit, available for server admin
|
||||
- Config errors use BBS-themed tone — "SYSTEM ERROR: Config file corrupted at line 3. SysOp intervention required." style messaging
|
||||
|
||||
#### Exit behavior
|
||||
- BBS-style goodbye message on quit — retro signoff before terminal restores
|
||||
- Ctrl+C requires double-press to confirm — first press shows "Press again to quit", second press exits
|
||||
- In login-shell mode, Ctrl+C (double-press) is the only exit method — no alternative commands
|
||||
- Goodbye message displays for ~500ms (brief flash) before process exits
|
||||
|
||||
### Claude's Discretion
|
||||
- Exact goodbye message text and formatting
|
||||
- Panic hook implementation approach
|
||||
- Signal handler registration strategy
|
||||
- Default theme values
|
||||
- Default vault path (./vault/ or similar)
|
||||
|
||||
### Deferred Ideas (OUT OF SCOPE)
|
||||
None — discussion stayed within phase scope
|
||||
</user_constraints>
|
||||
|
||||
<phase_requirements>
|
||||
## Phase Requirements
|
||||
|
||||
| ID | Description | Research Support |
|
||||
|----|-------------|-----------------|
|
||||
| LIFE-01 | App installs panic hook that restores terminal state before printing error | `std::panic::set_hook` + `ratatui::restore()` pattern; crossterm `disable_raw_mode` + clear commands |
|
||||
| LIFE-02 | App handles SIGHUP/SIGTERM for clean shutdown on SSH disconnect | `signal-hook` 0.4.3 `flag::register()` with `AtomicBool`; polled in event loop |
|
||||
| LIFE-03 | App logs to file only, never writes to stderr/stdout after TUI init | Standard `std::fs::File` append logging; all TUI output through ratatui draw cycle only |
|
||||
| LIFE-04 | App handles broken pipe without crashing | Match on `ErrorKind::BrokenPipe`; use `let _ =` for write results; avoid `unwrap()` on I/O |
|
||||
| CONF-01 | App reads bbs.toml for vault path and theme configuration | `toml` 1.0.3 + `serde` 1.0.228; `#[serde(deny_unknown_fields)]` + `#[serde(default)]` |
|
||||
| SHEL-01 | App exits cleanly with q or Ctrl+C, restoring terminal state | `ratatui::restore()` in exit path; crossterm `disable_raw_mode`; double-press Ctrl+C state machine |
|
||||
| SHEL-02 | App handles being launched as a login shell gracefully | `std::env::args_os().next()` argv[0]; `strip_prefix("-")` on OsStr; suppress 'q' key when login mode |
|
||||
</phase_requirements>
|
||||
|
||||
---
|
||||
|
||||
## Summary
|
||||
|
||||
Phase 1 establishes the safety envelope for the entire application: panic recovery, signal handling, config loading, and clean shutdown. The Rust ecosystem has mature, well-documented solutions for every requirement here. The primary stack is ratatui 0.30 (already a dependency) + crossterm 0.29 (already a transitive dependency) for terminal management, signal-hook 0.4.3 for UNIX signal handling, and toml 1.0.3 + serde 1.0.228 for configuration parsing. clap 4.5 handles the `--config` CLI flag.
|
||||
|
||||
The most important architectural decision this phase must navigate is the terminal initialization strategy. The user decision specifies **main screen buffer with a clear** rather than the alternate screen buffer. This means deliberately not using `ratatui::init()` (which enters alternate screen) and instead manually calling `enable_raw_mode()` + `execute!(stdout(), Clear(ClearType::All), MoveTo(0, 0))`. This is the biggest deviation from ratatui's defaults and must be implemented carefully to ensure `restore()` still works correctly on exit and panic.
|
||||
|
||||
The double-press Ctrl+C pattern is a small state machine: track a `last_ctrl_c: Option<Instant>` — if a second SIGINT arrives within ~2 seconds of the first, exit; otherwise reset and show the prompt message. Since there is no async runtime, signal handling is done via `signal-hook` flag polling inside the crossterm event loop rather than a dedicated thread.
|
||||
|
||||
**Primary recommendation:** Use `Terminal::with_options` with `Viewport::Fullscreen`, skip `EnterAlternateScreen`, issue a raw `Clear(ClearType::All) + MoveTo(0,0)` at startup, and build a single unified `shutdown()` function called from all exit paths (panic hook, signal handler, normal quit).
|
||||
|
||||
---
|
||||
|
||||
## Standard Stack
|
||||
|
||||
### Core
|
||||
| Library | Version | Purpose | Why Standard |
|
||||
|---------|---------|---------|--------------|
|
||||
| ratatui | 0.30.0 | TUI framework, terminal draw cycle | Already a dependency; 0.30 has `init()`, `restore()`, `run()` convenience functions |
|
||||
| crossterm | 0.29.0 | Terminal raw mode, clear, cursor, key events | Ratatui's default backend; already a transitive dep; cross-platform |
|
||||
| signal-hook | 0.4.3 | SIGHUP/SIGTERM/SIGINT handling | Widest community support for synchronous multi-signal handling; no async needed |
|
||||
| toml | 1.0.3+spec-1.1.0 | TOML config parsing | The canonical Rust TOML crate; serde integration built-in |
|
||||
| serde | 1.0.228 | Derive-based deserialization for config struct | Required by toml crate; standard across all Rust config parsing |
|
||||
| clap | 4.5.60 | `--config` CLI flag parsing | Industry standard; derive API is concise; supports `PathBuf` natively |
|
||||
|
||||
### Supporting
|
||||
| Library | Version | Purpose | When to Use |
|
||||
|---------|---------|---------|-------------|
|
||||
| serde_derive | (bundled with serde) | `#[derive(Deserialize)]` macro | Needed for config struct; enable `features = ["derive"]` |
|
||||
| std::sync::atomic::AtomicBool | stdlib | Signal flags for SIGHUP/SIGTERM | Polling in event loop without threads |
|
||||
| std::panic | stdlib | Panic hook installation | `set_hook` + `take_hook` for custom panic handler |
|
||||
| std::time::Instant | stdlib | Double Ctrl+C timing window | Track first press timestamp |
|
||||
|
||||
### Alternatives Considered
|
||||
| Instead of | Could Use | Tradeoff |
|
||||
|------------|-----------|----------|
|
||||
| signal-hook | ctrlc crate | ctrlc only handles SIGINT by default; SIGHUP requires `termination` feature; signal-hook is more explicit and handles all needed signals |
|
||||
| signal-hook | raw libc signal() | Unsafe, no async-signal-safety guarantees, error-prone |
|
||||
| toml | config crate | config crate is heavier (multi-source merging); overkill for a single optional TOML file |
|
||||
| clap | std::env::args() manual parsing | clap gives `--help`, `--version`, error messages for free; minimal boilerplate with derive |
|
||||
|
||||
**Installation:**
|
||||
```toml
|
||||
[dependencies]
|
||||
ratatui = "0.30.0" # already present
|
||||
signal-hook = "0.4.3"
|
||||
toml = "1.0.3"
|
||||
serde = { version = "1.0", features = ["derive"] }
|
||||
clap = { version = "4.5", features = ["derive"] }
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Architecture Patterns
|
||||
|
||||
### Recommended Project Structure
|
||||
```
|
||||
src/
|
||||
├── main.rs # Entry point: parse CLI, detect login shell, init terminal, run loop
|
||||
├── config.rs # Config struct, load_config(), path resolution
|
||||
├── terminal.rs # Terminal init/restore, panic hook, clear-on-start
|
||||
├── signals.rs # Signal handler setup (SIGHUP, SIGTERM, SIGINT flags)
|
||||
└── app.rs # App state, event loop, double-Ctrl+C state machine
|
||||
```
|
||||
|
||||
### Pattern 1: Custom Terminal Initialization (No Alternate Screen)
|
||||
|
||||
**What:** Initialize ratatui on the main screen buffer rather than alternate screen. This is the immersive BBS approach — the TUI occupies the user's actual terminal, and on exit the goodbye message is visible in scroll history.
|
||||
|
||||
**When to use:** When the user decision specifies main screen buffer / BBS feel (which it does here).
|
||||
|
||||
**The key insight:** `ratatui::init()` enters alternate screen. To avoid this, use `Terminal::with_options` and manually enable raw mode + clear the screen.
|
||||
|
||||
```rust
|
||||
// Source: https://docs.rs/ratatui/latest/ratatui/struct.Terminal.html
|
||||
// Source: https://docs.rs/crossterm/latest/crossterm/terminal/index.html
|
||||
|
||||
use std::io::stdout;
|
||||
use crossterm::{
|
||||
execute,
|
||||
terminal::{enable_raw_mode, disable_raw_mode, Clear, ClearType},
|
||||
cursor::MoveTo,
|
||||
};
|
||||
use ratatui::{backend::CrosstermBackend, Terminal, TerminalOptions, Viewport};
|
||||
|
||||
pub fn init_terminal() -> std::io::Result<Terminal<CrosstermBackend<std::io::Stdout>>> {
|
||||
enable_raw_mode()?;
|
||||
execute!(stdout(), Clear(ClearType::All), MoveTo(0, 0))?;
|
||||
let backend = CrosstermBackend::new(stdout());
|
||||
// Viewport::Fullscreen uses main screen, not alternate screen
|
||||
let options = TerminalOptions {
|
||||
viewport: Viewport::Fullscreen,
|
||||
};
|
||||
Terminal::with_options(backend, options)
|
||||
}
|
||||
|
||||
pub fn restore_terminal() -> std::io::Result<()> {
|
||||
disable_raw_mode()?;
|
||||
// No LeaveAlternateScreen because we never entered it
|
||||
// Optionally: move cursor to bottom, print newline
|
||||
Ok(())
|
||||
}
|
||||
```
|
||||
|
||||
**Important:** `ratatui::restore()` calls `LeaveAlternateScreen` — do NOT use it if you never entered alternate screen. Call `disable_raw_mode()` directly.
|
||||
|
||||
### Pattern 2: Panic Hook with Friendly User Message
|
||||
|
||||
**What:** Replace the default panic hook with one that restores the terminal, prints a friendly BBS-themed message to the user (stdout/stderr), and logs technical details for the sysop.
|
||||
|
||||
**When to use:** Required (LIFE-01). Install before TUI init so any panic during init also triggers cleanup.
|
||||
|
||||
```rust
|
||||
// Source: https://ratatui.rs/recipes/apps/panic-hooks/
|
||||
|
||||
use std::panic::{set_hook, take_hook};
|
||||
use crossterm::terminal::disable_raw_mode;
|
||||
|
||||
pub fn install_panic_hook() {
|
||||
let original_hook = take_hook();
|
||||
set_hook(Box::new(move |panic_info| {
|
||||
// Restore terminal — use let _ to suppress errors (avoid double-panic)
|
||||
let _ = disable_raw_mode();
|
||||
// Print friendly message to terminal (user sees this)
|
||||
eprintln!("\r\n*** SYSTEM ERROR: An unexpected fault has occurred. ***");
|
||||
eprintln!("*** The BBS has exited safely. SysOp has been notified. ***\r");
|
||||
// Call original hook — prints backtrace to stderr (captured by journald/SSH log)
|
||||
original_hook(panic_info);
|
||||
}));
|
||||
}
|
||||
```
|
||||
|
||||
**Key principle from official docs:** "It's important to avoid panicking while restoring the terminal state, otherwise the original panic reason might be lost." — use `let _ =` for all restoration calls.
|
||||
|
||||
### Pattern 3: Signal Handling with AtomicBool Flags
|
||||
|
||||
**What:** Register SIGHUP and SIGTERM to set AtomicBool flags; poll those flags in the event loop. No dedicated thread needed.
|
||||
|
||||
**When to use:** Required (LIFE-02). Synchronous, no async runtime.
|
||||
|
||||
```rust
|
||||
// Source: https://docs.rs/signal-hook/latest/signal_hook/flag/index.html
|
||||
|
||||
use std::sync::Arc;
|
||||
use std::sync::atomic::{AtomicBool, Ordering};
|
||||
use signal_hook::consts::signal::{SIGHUP, SIGTERM};
|
||||
use signal_hook::flag as signal_flag;
|
||||
|
||||
pub struct Signals {
|
||||
pub terminate: Arc<AtomicBool>,
|
||||
}
|
||||
|
||||
pub fn register_signals() -> std::io::Result<Signals> {
|
||||
let terminate = Arc::new(AtomicBool::new(false));
|
||||
// SIGTERM: systemd stop, kill command
|
||||
signal_flag::register(SIGTERM, Arc::clone(&terminate))?;
|
||||
// SIGHUP: SSH disconnect, terminal hangup
|
||||
signal_flag::register(SIGHUP, Arc::clone(&terminate))?;
|
||||
Ok(Signals { terminate })
|
||||
}
|
||||
|
||||
// In event loop:
|
||||
if signals.terminate.load(Ordering::Relaxed) {
|
||||
return Ok(ShutdownReason::Signal);
|
||||
}
|
||||
```
|
||||
|
||||
### Pattern 4: Double-Press Ctrl+C State Machine
|
||||
|
||||
**What:** Track the timestamp of the first Ctrl+C press. If a second arrives within a window (e.g., 2 seconds), exit. Otherwise reset and show a prompt.
|
||||
|
||||
**When to use:** Required (SHEL-01). This is purely application logic, no external library needed.
|
||||
|
||||
```rust
|
||||
// In-process pattern — no external library required
|
||||
use std::time::{Duration, Instant};
|
||||
|
||||
struct App {
|
||||
ctrl_c_pressed_at: Option<Instant>,
|
||||
is_login_shell: bool,
|
||||
}
|
||||
|
||||
const DOUBLE_PRESS_WINDOW: Duration = Duration::from_secs(2);
|
||||
|
||||
impl App {
|
||||
fn handle_ctrl_c(&mut self) -> AppAction {
|
||||
match self.ctrl_c_pressed_at {
|
||||
Some(first) if first.elapsed() < DOUBLE_PRESS_WINDOW => {
|
||||
// Second press within window — exit
|
||||
AppAction::Quit
|
||||
}
|
||||
_ => {
|
||||
// First press (or timeout expired) — show prompt
|
||||
self.ctrl_c_pressed_at = Some(Instant::now());
|
||||
AppAction::ShowQuitPrompt // "Press Ctrl+C again to disconnect."
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
fn handle_q_key(&mut self) -> AppAction {
|
||||
if self.is_login_shell {
|
||||
AppAction::Nothing // suppress 'q' in login-shell mode
|
||||
} else {
|
||||
AppAction::Quit
|
||||
}
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
**Note:** Crossterm sends `KeyCode::Char('c')` with `KeyModifiers::CONTROL` for Ctrl+C events when raw mode is enabled. SIGINT is also raised — but with signal-hook registered, the event loop catches it via the flag. Choose one: either handle via crossterm key events OR via signal flag. The crossterm key event approach is simpler for the double-press logic.
|
||||
|
||||
### Pattern 5: TOML Config Loading with Strict Parsing
|
||||
|
||||
**What:** Deserialize bbs.toml with serde; `deny_unknown_fields` rejects typos; `Default` trait provides fallbacks when file is missing.
|
||||
|
||||
```rust
|
||||
// Source: https://docs.rs/toml/latest/toml/
|
||||
|
||||
use serde::Deserialize;
|
||||
use std::path::PathBuf;
|
||||
|
||||
#[derive(Deserialize, Debug)]
|
||||
#[serde(deny_unknown_fields)]
|
||||
pub struct Config {
|
||||
#[serde(default = "default_vault_path")]
|
||||
pub vault_path: PathBuf,
|
||||
|
||||
#[serde(default = "default_theme")]
|
||||
pub theme: String,
|
||||
}
|
||||
|
||||
fn default_vault_path() -> PathBuf {
|
||||
PathBuf::from("./vault")
|
||||
}
|
||||
|
||||
fn default_theme() -> String {
|
||||
"default".to_string()
|
||||
}
|
||||
|
||||
impl Default for Config {
|
||||
fn default() -> Self {
|
||||
Config {
|
||||
vault_path: default_vault_path(),
|
||||
theme: default_theme(),
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
pub fn load_config(path: &PathBuf) -> Result<Config, ConfigError> {
|
||||
if !path.exists() {
|
||||
return Ok(Config::default()); // Missing file is fine
|
||||
}
|
||||
let text = std::fs::read_to_string(path)
|
||||
.map_err(|e| ConfigError::ReadError(e))?;
|
||||
let config: Config = toml::from_str(&text)
|
||||
.map_err(|e| ConfigError::ParseError(e))?;
|
||||
Ok(config)
|
||||
}
|
||||
```
|
||||
|
||||
**Config path resolution order:**
|
||||
1. `--config /explicit/path` (clap CLI flag) → use that path
|
||||
2. No flag → `executable_dir() / "bbs.toml"` (same directory as binary)
|
||||
|
||||
```rust
|
||||
// Resolve executable directory
|
||||
fn find_binary_dir() -> PathBuf {
|
||||
std::env::current_exe()
|
||||
.expect("Cannot determine executable path")
|
||||
.parent()
|
||||
.expect("Binary has no parent directory")
|
||||
.to_path_buf()
|
||||
}
|
||||
```
|
||||
|
||||
### Pattern 6: Login Shell Detection
|
||||
|
||||
**What:** When launched as a login shell, the kernel sets argv[0] to have a leading dash (e.g., `-bbs-md` instead of `bbs-md`). Strip it for clap compatibility and record the mode.
|
||||
|
||||
```rust
|
||||
// Source: POSIX convention, std::env::args_os()
|
||||
// Note: args_os() is preferred over args() for non-UTF-8 paths
|
||||
|
||||
pub fn detect_login_shell() -> bool {
|
||||
let argv0 = std::env::args_os().next()
|
||||
.unwrap_or_default();
|
||||
let argv0_str = argv0.to_string_lossy();
|
||||
argv0_str.starts_with('-')
|
||||
}
|
||||
|
||||
// Stripping the dash for clap: rebuild args without leading dash in argv[0]
|
||||
// Then pass to clap's Parser::parse_from()
|
||||
pub fn args_for_clap() -> Vec<std::ffi::OsString> {
|
||||
let mut args: Vec<_> = std::env::args_os().collect();
|
||||
if let Some(first) = args.first_mut() {
|
||||
let s = first.to_string_lossy();
|
||||
if s.starts_with('-') {
|
||||
*first = s.trim_start_matches('-').to_string().into();
|
||||
}
|
||||
}
|
||||
args
|
||||
}
|
||||
```
|
||||
|
||||
### Pattern 7: CLI Flag Parsing with clap
|
||||
|
||||
```rust
|
||||
// Source: https://docs.rs/clap/latest/clap/
|
||||
|
||||
use clap::Parser;
|
||||
use std::path::PathBuf;
|
||||
|
||||
#[derive(Parser, Debug)]
|
||||
#[command(name = "bbs-md", about = "BBS-style markdown reader")]
|
||||
pub struct Cli {
|
||||
/// Path to bbs.toml configuration file
|
||||
#[arg(long = "config", short = 'c', value_name = "FILE")]
|
||||
pub config: Option<PathBuf>,
|
||||
}
|
||||
```
|
||||
|
||||
Then call `Cli::parse_from(args_for_clap())` to handle the login shell argv[0] stripping.
|
||||
|
||||
### Pattern 8: Goodbye Message with Timed Display
|
||||
|
||||
**What:** Show a brief BBS-style goodbye message after terminal is restored, then `std::thread::sleep` briefly before process exits.
|
||||
|
||||
```rust
|
||||
// Terminal is already restored (raw mode off) at this point
|
||||
// Print directly to stdout — immersive feel
|
||||
pub fn show_goodbye() {
|
||||
println!("\r");
|
||||
println!(" +------------------------------------------+");
|
||||
println!(" | Thank you for calling. Goodbye! |");
|
||||
println!(" | Carrier lost. |");
|
||||
println!(" +------------------------------------------+");
|
||||
println!("\r");
|
||||
std::thread::sleep(std::time::Duration::from_millis(500));
|
||||
}
|
||||
```
|
||||
|
||||
### Anti-Patterns to Avoid
|
||||
|
||||
- **Using `ratatui::init()` then trying to skip alternate screen:** `ratatui::init()` enters alternate screen unconditionally. Use `Terminal::with_options` instead.
|
||||
- **Using `ratatui::restore()` when alternate screen was never entered:** This calls `LeaveAlternateScreen` unnecessarily. Build a custom `restore_terminal()` that only calls `disable_raw_mode()`.
|
||||
- **Panicking inside the panic hook:** Any error in the cleanup code that itself panics will hide the original panic message. Use `let _ =` for all I/O in the hook.
|
||||
- **Registering SIGINT via signal-hook AND handling Ctrl+C via crossterm key events:** Choose one. Crossterm key events are easier for the double-press state machine.
|
||||
- **Writing to stdout/stderr in the TUI event loop after init:** All output must go through the ratatui draw cycle. Direct writes corrupt the terminal state.
|
||||
- **`unwrap()` on broken pipe writes:** SSH connections can close mid-write. Every write after TUI init that might fail should use `let _ =` or match on `BrokenPipe`.
|
||||
- **Calling `clap::parse()` without stripping the leading dash:** Clap will fail or emit unexpected errors because `-bbs-md` looks like a flag argument.
|
||||
|
||||
---
|
||||
|
||||
## Don't Hand-Roll
|
||||
|
||||
| Problem | Don't Build | Use Instead | Why |
|
||||
|---------|-------------|-------------|-----|
|
||||
| Signal handling | Manual `libc::signal()` calls | `signal-hook` 0.4.3 | async-signal-safety, race conditions, platform differences |
|
||||
| TOML parsing | Custom string parser | `toml` + `serde` | TOML spec compliance, multi-line strings, escape sequences |
|
||||
| CLI argument parsing | Manual `args()` iteration | `clap` 4.5 | `--help`, `--version`, error messages, type coercion — all free |
|
||||
| Terminal state restoration | Track state manually | `disable_raw_mode()` from crossterm | crossterm tracks raw mode state internally |
|
||||
| Panic hook chaining | Replace the hook entirely | `take_hook()` + `set_hook()` pattern | Preserves existing hooks from other libraries (e.g., color_eyre) |
|
||||
|
||||
**Key insight:** The signal and terminal safety domains have subtle edge cases (reentrancy, async-signal-safety, platform quirks) that make hand-rolled solutions dangerous. The libraries exist specifically because these are hard.
|
||||
|
||||
---
|
||||
|
||||
## Common Pitfalls
|
||||
|
||||
### Pitfall 1: ratatui::init() Enters Alternate Screen
|
||||
**What goes wrong:** Calling `ratatui::init()` silently enters the alternate screen buffer. On exit or restore, the terminal switches back to the main screen — the goodbye message and TUI output disappear from scroll history.
|
||||
**Why it happens:** `ratatui::init()` is documented to enter alternate screen; this is the TUI standard. The BBS immersive mode requires main screen.
|
||||
**How to avoid:** Use `Terminal::with_options(backend, TerminalOptions { viewport: Viewport::Fullscreen })` and manually call `enable_raw_mode()` + `Clear`. Do not call `ratatui::restore()` — call `disable_raw_mode()` directly.
|
||||
**Warning signs:** On exit, the terminal screen flashes back to pre-TUI state; previous shell output reappears.
|
||||
|
||||
### Pitfall 2: Double-Panic in the Panic Hook
|
||||
**What goes wrong:** The panic hook itself panics (e.g., `unwrap()` on a failed `disable_raw_mode()`), which causes an abort with no useful output.
|
||||
**Why it happens:** Terminal state restoration can fail if the fd is already closed (e.g., SSH disconnect).
|
||||
**How to avoid:** Every line in the panic hook that can fail must use `let _ =`. Never `unwrap()` or `?` inside a panic hook.
|
||||
**Warning signs:** App crashes with "panicked while panicking" message.
|
||||
|
||||
### Pitfall 3: Ctrl+C Handled Both by Signal Hook and Crossterm Key Events
|
||||
**What goes wrong:** SIGINT is registered via signal-hook AND crossterm delivers a `Ctrl+C` key event. The application handles it twice, or the state machine gets confused.
|
||||
**Why it happens:** In raw mode, crossterm delivers Ctrl+C as a key event. signal-hook also fires if registered. Both can be active simultaneously.
|
||||
**How to avoid:** Pick ONE mechanism. For the double-press pattern, crossterm key events are simpler because you get the event directly in your event loop without threading. Register SIGHUP and SIGTERM via signal-hook (for SSH disconnect), but handle Ctrl+C / SIGINT purely as a crossterm key event.
|
||||
**Warning signs:** App exits on first Ctrl+C despite double-press requirement, or shows "press again" message twice.
|
||||
|
||||
### Pitfall 4: Config Error Exits Before Terminal Init
|
||||
**What goes wrong:** Config validation (vault path doesn't exist) exits the process with `eprintln!()` + `process::exit(1)` after the terminal is in raw mode — leaving the terminal broken.
|
||||
**Why it happens:** Config loading happens early, but if terminal init precedes it, error output is garbled.
|
||||
**How to avoid:** Load and validate config BEFORE initializing the terminal. Any error at that stage uses normal `eprintln!()` because raw mode is not yet active.
|
||||
**Warning signs:** Terminal is stuck in raw mode after config error; user has to run `reset`.
|
||||
|
||||
### Pitfall 5: SIGHUP Not Handled, SSH Disconnect Orphans Process
|
||||
**What goes wrong:** User disconnects SSH; the process keeps running because SIGHUP is not handled, leaving a zombie BBS session.
|
||||
**Why it happens:** Rust programs do not handle SIGHUP by default.
|
||||
**How to avoid:** Register SIGHUP with signal-hook → same `terminate` AtomicBool as SIGTERM. Check the flag at the top of every event loop iteration.
|
||||
**Warning signs:** After SSH disconnect, the process shows in `ps aux`; terminal state on reconnect is corrupted.
|
||||
|
||||
### Pitfall 6: Broken Pipe Panic on SSH Close
|
||||
**What goes wrong:** Mid-write, the SSH connection drops. Writing to stdout returns `EPIPE`. Rust converts this to `BrokenPipe` error. If the write is `unwrap()`-ed, the app panics.
|
||||
**Why it happens:** Rust by default ignores SIGPIPE and propagates as `ErrorKind::BrokenPipe`. With `unwrap()`, any such error becomes a panic.
|
||||
**How to avoid:** All writes to stdout/stderr after TUI init use `let _ =` or match on `ErrorKind::BrokenPipe`. Also check the `terminate` signal flag in the event loop — the process should be exiting cleanly before the next write attempt.
|
||||
**Warning signs:** Panic messages in logs containing "Broken pipe" or "os error 32".
|
||||
|
||||
### Pitfall 7: Login Shell argv[0] Passed to clap
|
||||
**What goes wrong:** When launched as `-bbs-md`, clap sees `-bbs-md` as the program name (argv[0]) and may fail or produce confusing errors because the name starts with a dash.
|
||||
**Why it happens:** clap uses argv[0] for usage messages and may interpret it as a flag prefix.
|
||||
**How to avoid:** Strip the leading dash from argv[0] before passing args to `Cli::parse_from()`. Detect login shell separately by checking the original argv[0] before stripping.
|
||||
**Warning signs:** clap prints usage with `-bbs-md` as the program name, or fails to parse.
|
||||
|
||||
---
|
||||
|
||||
## Code Examples
|
||||
|
||||
Verified patterns from official sources:
|
||||
|
||||
### Complete Terminal Initialization (Main Screen, No Alternate Buffer)
|
||||
```rust
|
||||
// Source: https://docs.rs/ratatui/latest/ratatui/struct.Terminal.html
|
||||
// Source: https://docs.rs/crossterm/latest/crossterm/terminal/index.html
|
||||
|
||||
use std::io::stdout;
|
||||
use crossterm::{
|
||||
execute,
|
||||
terminal::{enable_raw_mode, disable_raw_mode, Clear, ClearType},
|
||||
cursor::MoveTo,
|
||||
};
|
||||
use ratatui::{backend::CrosstermBackend, Terminal, TerminalOptions, Viewport};
|
||||
|
||||
pub fn init_terminal() -> std::io::Result<Terminal<CrosstermBackend<std::io::Stdout>>> {
|
||||
enable_raw_mode()?;
|
||||
execute!(stdout(), Clear(ClearType::All), MoveTo(0, 0))?;
|
||||
let backend = CrosstermBackend::new(stdout());
|
||||
Terminal::with_options(backend, TerminalOptions {
|
||||
viewport: Viewport::Fullscreen,
|
||||
})
|
||||
}
|
||||
|
||||
pub fn restore_terminal() {
|
||||
let _ = disable_raw_mode();
|
||||
// No LeaveAlternateScreen — we never entered it
|
||||
let _ = execute!(stdout(), crossterm::cursor::Show);
|
||||
}
|
||||
```
|
||||
|
||||
### Panic Hook
|
||||
```rust
|
||||
// Source: https://ratatui.rs/recipes/apps/panic-hooks/
|
||||
|
||||
use std::panic::{set_hook, take_hook};
|
||||
|
||||
pub fn install_panic_hook() {
|
||||
let original_hook = take_hook();
|
||||
set_hook(Box::new(move |panic_info| {
|
||||
let _ = crossterm::terminal::disable_raw_mode();
|
||||
let _ = crossterm::execute!(
|
||||
std::io::stdout(),
|
||||
crossterm::cursor::Show
|
||||
);
|
||||
// Friendly user message (visible in terminal)
|
||||
eprintln!("\r\n+--------------------------------------------+");
|
||||
eprintln!("| SYSTEM ERROR: An unexpected fault occurred.|");
|
||||
eprintln!("| The BBS has exited safely. |");
|
||||
eprintln!("| SysOp has been notified. |");
|
||||
eprintln!("+--------------------------------------------+\r");
|
||||
// Original hook prints panic details to stderr (captured by journald)
|
||||
original_hook(panic_info);
|
||||
}));
|
||||
}
|
||||
```
|
||||
|
||||
### Signal Registration
|
||||
```rust
|
||||
// Source: https://docs.rs/signal-hook/latest/signal_hook/flag/index.html
|
||||
|
||||
use std::sync::Arc;
|
||||
use std::sync::atomic::{AtomicBool, Ordering};
|
||||
use signal_hook::consts::signal::{SIGHUP, SIGTERM};
|
||||
use signal_hook::flag as signal_flag;
|
||||
|
||||
pub struct SignalFlags {
|
||||
pub terminate: Arc<AtomicBool>,
|
||||
}
|
||||
|
||||
pub fn register_signals() -> std::io::Result<SignalFlags> {
|
||||
let terminate = Arc::new(AtomicBool::new(false));
|
||||
signal_flag::register(SIGTERM, Arc::clone(&terminate))?;
|
||||
signal_flag::register(SIGHUP, Arc::clone(&terminate))?;
|
||||
Ok(SignalFlags { terminate })
|
||||
}
|
||||
```
|
||||
|
||||
### Config Struct
|
||||
```rust
|
||||
// Source: https://docs.rs/toml/latest/toml/
|
||||
// Source: https://docs.rs/serde/latest/serde/
|
||||
|
||||
use serde::Deserialize;
|
||||
use std::path::PathBuf;
|
||||
|
||||
#[derive(Deserialize, Debug)]
|
||||
#[serde(deny_unknown_fields)]
|
||||
pub struct Config {
|
||||
#[serde(default = "default_vault_path")]
|
||||
pub vault_path: PathBuf,
|
||||
|
||||
#[serde(default = "default_theme")]
|
||||
pub theme: String,
|
||||
}
|
||||
|
||||
fn default_vault_path() -> PathBuf { PathBuf::from("./vault") }
|
||||
fn default_theme() -> String { "default".to_string() }
|
||||
|
||||
impl Default for Config {
|
||||
fn default() -> Self {
|
||||
Config { vault_path: default_vault_path(), theme: default_theme() }
|
||||
}
|
||||
}
|
||||
|
||||
pub enum ConfigError {
|
||||
ReadError(std::io::Error),
|
||||
ParseError(toml::de::Error),
|
||||
VaultNotFound(PathBuf),
|
||||
}
|
||||
|
||||
pub fn load_config(path: &PathBuf) -> Result<Config, ConfigError> {
|
||||
if !path.exists() {
|
||||
return Ok(Config::default());
|
||||
}
|
||||
let text = std::fs::read_to_string(path).map_err(ConfigError::ReadError)?;
|
||||
let config: Config = toml::from_str(&text).map_err(ConfigError::ParseError)?;
|
||||
if !config.vault_path.exists() {
|
||||
return Err(ConfigError::VaultNotFound(config.vault_path));
|
||||
}
|
||||
Ok(config)
|
||||
}
|
||||
```
|
||||
|
||||
### CLI Parsing with Login Shell Support
|
||||
```rust
|
||||
// Source: https://docs.rs/clap/latest/clap/
|
||||
|
||||
use clap::Parser;
|
||||
use std::path::PathBuf;
|
||||
|
||||
#[derive(Parser, Debug)]
|
||||
#[command(name = "bbs-md")]
|
||||
pub struct Cli {
|
||||
#[arg(long = "config", short = 'c', value_name = "FILE")]
|
||||
pub config: Option<PathBuf>,
|
||||
}
|
||||
|
||||
pub fn detect_login_shell() -> bool {
|
||||
std::env::args_os()
|
||||
.next()
|
||||
.map(|a| a.to_string_lossy().starts_with('-'))
|
||||
.unwrap_or(false)
|
||||
}
|
||||
|
||||
pub fn parse_cli() -> Cli {
|
||||
// Strip leading dash from argv[0] before clap sees it
|
||||
let mut args: Vec<std::ffi::OsString> = std::env::args_os().collect();
|
||||
if let Some(first) = args.first_mut() {
|
||||
let stripped = first.to_string_lossy()
|
||||
.trim_start_matches('-')
|
||||
.to_string();
|
||||
*first = stripped.into();
|
||||
}
|
||||
Cli::parse_from(args)
|
||||
}
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## State of the Art
|
||||
|
||||
| Old Approach | Current Approach | When Changed | Impact |
|
||||
|--------------|------------------|--------------|--------|
|
||||
| Manual `Terminal::new()` + manual raw mode | `ratatui::init()` / `ratatui::restore()` | ratatui 0.28.1 (2024) | Simpler for standard use; but we need `Terminal::with_options` for main-screen mode |
|
||||
| `ratatui::init()` + `ratatui::restore()` | `ratatui::run()` closure | ratatui 0.30.0 (2025) | Even simpler for alternate-screen apps; not applicable here (we skip alternate screen) |
|
||||
| `ctrlc` crate for signal handling | `signal-hook` for multi-signal | Ongoing | signal-hook handles SIGHUP + SIGTERM without separate crates |
|
||||
|
||||
**Deprecated/outdated:**
|
||||
- `crossterm 0.28` and earlier: Ratatui 0.30 uses crossterm 0.29; there are breaking changes in the API between majors. The Cargo.lock already has 0.29.0 — do not pin to 0.28.
|
||||
- `tui-rs`: Predecessor to ratatui; fully deprecated. Not relevant here.
|
||||
|
||||
---
|
||||
|
||||
## Open Questions
|
||||
|
||||
1. **Ctrl+C vs SIGINT: Which to use for double-press?**
|
||||
- What we know: Crossterm delivers `Ctrl+C` as a key event in raw mode. signal-hook can also intercept SIGINT. Both work.
|
||||
- What's unclear: Whether to use the crossterm key event path or register SIGINT via signal-hook and check the flag.
|
||||
- Recommendation: Use crossterm key event (`KeyCode::Char('c') + KeyModifiers::CONTROL`) for the double-press state machine. Register SIGHUP + SIGTERM via signal-hook for SSH disconnect handling. Do NOT register SIGINT with signal-hook to avoid double handling.
|
||||
|
||||
2. **Viewport::Fullscreen on resize**
|
||||
- What we know: ratatui handles terminal resize events via `crossterm::event::Event::Resize`. `Viewport::Fullscreen` should redraw on resize.
|
||||
- What's unclear: Whether `Terminal::with_options(Viewport::Fullscreen)` without alternate screen has any edge cases on terminal resize.
|
||||
- Recommendation: Handle `Event::Resize` explicitly in the event loop and call `terminal.clear()` + redraw. Test on resize during Phase 2 (content rendering).
|
||||
|
||||
3. **BBS-themed error message formatting**
|
||||
- What we know: User wants "SYSTEM ERROR: Config file corrupted at line 3. SysOp intervention required." style.
|
||||
- What's unclear: Exact text for goodbye message, panic message, and config error variants (left to Claude's discretion).
|
||||
- Recommendation: Keep messages short, in ALL-CAPS for system-level errors, and use box-drawing ASCII art for the goodbye screen. Plan task should include the exact strings.
|
||||
|
||||
---
|
||||
|
||||
## Sources
|
||||
|
||||
### Primary (HIGH confidence)
|
||||
- `https://docs.rs/ratatui/latest/ratatui/fn.init.html` — ratatui::init() enters alternate screen; `init_with_options` does not
|
||||
- `https://docs.rs/ratatui/latest/ratatui/struct.Terminal.html` — Terminal::with_options(), TerminalOptions, Viewport
|
||||
- `https://ratatui.rs/recipes/apps/panic-hooks/` — panic hook pattern with take_hook/set_hook and restore
|
||||
- `https://docs.rs/signal-hook/latest/signal_hook/flag/index.html` — flag::register() with AtomicBool for SIGHUP/SIGTERM
|
||||
- `https://docs.rs/crossterm/latest/crossterm/terminal/index.html` — enable_raw_mode, disable_raw_mode, Clear, ClearType
|
||||
- `https://docs.rs/toml/latest/toml/` — toml::from_str(), current version 1.0.3+spec-1.1.0
|
||||
- `cargo search` results — verified crate versions: signal-hook 0.4.3, toml 1.0.3, clap 4.5.60, serde 1.0.228
|
||||
|
||||
### Secondary (MEDIUM confidence)
|
||||
- `https://docs.rs/ratatui/latest/ratatui/fn.init_with_options.html` — init_with_options does not enter alternate screen; verified with official docs
|
||||
- `https://docs.rs/crossterm/latest/crossterm/cursor/struct.MoveTo.html` — MoveTo(0,0) for cursor home position; cursor module is separate from terminal module
|
||||
|
||||
### Tertiary (LOW confidence)
|
||||
- WebSearch result: double-press Ctrl+C pattern from GitHub issue on opencode CLI — not in official docs, pattern is idiomatic but implementation details left to discretion
|
||||
|
||||
---
|
||||
|
||||
## Metadata
|
||||
|
||||
**Confidence breakdown:**
|
||||
- Standard stack: HIGH — versions verified via `cargo search` and official docs.rs
|
||||
- Architecture: HIGH — ratatui docs explicitly document Terminal::with_options, Viewport, and panic hook patterns; signal-hook flag API verified
|
||||
- Pitfalls: HIGH for terminal/panic pitfalls (from official docs); MEDIUM for signal + crossterm interaction (from ecosystem knowledge)
|
||||
|
||||
**Research date:** 2026-02-28
|
||||
**Valid until:** 2026-03-30 (stable libraries, 30-day window reasonable)
|
||||
Reference in New Issue
Block a user