fix: terminate unrar sidecars when the launcher closes mid-install

Bug report: unrar.exe kept running after closing the launcher during a
game install. The orphaned process kept extracting in the background and
held file handles on the staging directory.

Root cause (regular install path): run_unrar_sidecar ran the unrar
sidecar via tauri-plugin-shell's Command::output(). That helper spawns
the process on a detached SharedChild OS thread and immediately drops the
CommandChild; there is no Drop impl that kills the process. On app exit
only shutdown_peer_runtime ran, and Windows does not cascade-kill child
processes, so closing the launcher left unrar running.

Fix:
- run_unrar_sidecar now uses .spawn() instead of .output(), keeping a
  killable CommandChild. It registers the child in a new
  LanSpreadState.active_unrar_children registry and an RAII
  UnrarChildGuard deregisters it on every return path. The CommandEvent
  stream is drained to reproduce the exact stdout/stderr (NEWLINE_BYTE
  is b'\n'), status code, success flag, and UnpackLogEntry the old
  .output() produced, so logging behavior is unchanged.
- kill_active_unrar_children() runs in the RunEvent::Exit handler before
  shutdown_peer_runtime, killing every in-progress unrar. Killing first
  also lets the install task unwind so the runtime stops promptly.

Two concurrency hazards were closed in the registry design:
- Children are keyed by a monotonic id, not pid. A pid key let a
  finishing install's guard deregister a different install's child after
  the OS recycled the pid, which could re-orphan a live child.
- A shutting_down latch lives in the registry under the same mutex as
  the kill sweep. The sweep is a one-shot drain, so a child registered
  after it (a task caught between spawn() and registration, or a later
  archive in a multi-archive install -- unpack_archives does not observe
  the shutdown token) would be missed. Registration now checks the latch
  under that mutex and kills the child immediately instead of inserting
  it. Since registration and the sweep serialize on one mutex, every
  interleaving kills the child.

Also hardened the streamed-install sender path (ExternalUnrarStream
Provider) with kill_on_drop(true) on its tokio unrar spawns, so a
dropped or aborted producer task cannot orphan unrar there either.

Known limitation: a hard force-kill or crash of the launcher (e.g. Task
Manager -> End Task) bypasses RunEvent::Exit and is not covered. Making
that bulletproof would require a Windows Job Object with
JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE; the reported "close the launcher"
case is fully fixed.

Test Plan:
- just clippy (pedantic, -D warnings): clean.
- just fmt: no changes.
- just test: all suites pass (incl. the 20 Tauri-lib unit tests).
- Manual (Windows): start a game install, close the launcher mid-extract,
  confirm no unrar.exe remains in Task Manager. Repeat with two
  concurrent installs and with a multi-archive game.

crates/lanspread-peer/src/stream_install.rs

@@ -225,6 +225,7 @@ async fn unrar_listing(program: &Path, archive: &Path) -> eyre::Result<RarListin
         .arg("lt")
         .arg("-cfg-")
         .arg(archive)
+        .kill_on_drop(true)
         .output()
         .await?;
     if !output.status.success() {
@@ -329,6 +330,9 @@ async fn stream_unrar_entries(
         .arg(archive)
         .stdout(Stdio::piped())
         .stderr(Stdio::null())
+        // Safety net: if this task is dropped before its cancel/error path runs
+        // (e.g. on shutdown), tokio still kills unrar instead of orphaning it.
+        .kill_on_drop(true)
         .spawn()?;
 
     let result = async {

crates/lanspread-tauri-deno-ts/src-tauri/src/lib.rs

@@ -3,7 +3,12 @@ use std::{
     fs::{self, OpenOptions},
     io::{self, Read as _, Seek as _, SeekFrom, Write as _},
     path::{Component, Path, PathBuf},
-    sync::{Arc, Mutex, OnceLock},
+    sync::{
+        Arc,
+        Mutex,
+        OnceLock,
+        atomic::{AtomicU64, Ordering},
+    },
     time::{Duration, SystemTime, UNIX_EPOCH},
 };
 
@@ -27,7 +32,10 @@ use lanspread_peer::{
     start_peer_with_options,
 };
 use tauri::{AppHandle, Emitter as _, Manager};
-use tauri_plugin_shell::{ShellExt, process::Command};
+use tauri_plugin_shell::{
+    ShellExt,
+    process::{Command, CommandChild, CommandEvent},
+};
 use tokio::sync::{
     RwLock,
     mpsc::{UnboundedReceiver, UnboundedSender},
@@ -92,8 +100,32 @@ struct LanSpreadState {
     main_log_sink: OnceLock<MainLogSink>,
     active_outbound_transfers: OutboundTransfers,
     outbound_transfer_emit: Arc<RwLock<OutboundTransferEmitState>>,
+    /// Live unrar sidecar processes, so they can be killed if the launcher exits
+    /// mid-unpack. The shell plugin does not kill spawned children on app exit,
+    /// and the OS does not cascade-kill child processes, so without this an
+    /// in-progress unrar keeps running after the launcher closes.
+    active_unrar_children: Arc<Mutex<UnrarChildRegistry>>,
 }
 
+/// Live unrar sidecar children plus a shutdown latch.
+///
+/// Children are keyed by a monotonic id (not pid) so a finishing install never
+/// deregisters another install's child after a pid is recycled. The
+/// `shutting_down` latch closes a time-of-check/time-of-use hole: the exit kill
+/// sweep drains the map only once, so a child registered *after* the sweep (an
+/// install task caught between `spawn()` and registration, or a later archive in
+/// a multi-archive install — `unpack_archives` does not observe the shutdown
+/// token) would be orphaned. Once the latch is set under this mutex, registration
+/// kills the child immediately instead of inserting it where nothing will reap it.
+#[derive(Default)]
+struct UnrarChildRegistry {
+    shutting_down: bool,
+    children: HashMap<u64, CommandChild>,
+}
+
+/// Monotonic id source for [`UnrarChildRegistry`] entries.
+static UNRAR_CHILD_SEQ: AtomicU64 = AtomicU64::new(0);
+
 #[derive(Clone, Debug, PartialEq, Eq)]
 struct InstallSettings {
     account_name: String,
@@ -1303,16 +1335,19 @@ async fn run_unrar_sidecar(
     paths: &UnrarPaths,
     started_at_ms: u64,
 ) -> eyre::Result<()> {
-    let out = match sidecar
+    // Spawn (instead of `.output()`) so we keep a killable handle. The shell
+    // plugin's `output()` drops the `CommandChild` immediately and only drains
+    // the event channel, leaving the unrar process orphaned if the launcher
+    // exits before extraction finishes.
+    let (mut events, child) = match sidecar
         .arg("x") // extract files
         .arg(&paths.archive)
         .arg("-y") // Assume Yes on all queries
         .arg("-o") // Set overwrite mode
         .arg(&paths.destination_arg)
-        .output()
-        .await
+        .spawn()
     {
-        Ok(out) => out,
+        Ok(spawned) => spawned,
         Err(err) => {
             let stderr = format!("failed to run unrar sidecar: {err}");
             record_unpack_failure(
@@ -1327,10 +1362,42 @@ async fn run_unrar_sidecar(
         }
     };
 
-    let stdout = clean_terminal_log(&String::from_utf8_lossy(&out.stdout));
-    let stderr = clean_terminal_log(&String::from_utf8_lossy(&out.stderr));
-    let status_code = out.status.code();
-    let success = out.status.success();
+    // Register the live child so a launcher exit can kill it, and deregister it
+    // automatically on every exit path via the RAII guard.
+    let registry = app_handle
+        .state::<LanSpreadState>()
+        .active_unrar_children
+        .clone();
+    let child_id = UNRAR_CHILD_SEQ.fetch_add(1, Ordering::Relaxed);
+    register_unrar_child(&registry, child_id, child);
+    let _child_guard = UnrarChildGuard { registry, child_id };
+
+    let mut stdout_bytes = Vec::new();
+    let mut stderr_bytes = Vec::new();
+    let mut status_code = None;
+    while let Some(event) = events.recv().await {
+        match event {
+            CommandEvent::Stdout(line) => {
+                stdout_bytes.extend(line);
+                stdout_bytes.push(b'\n');
+            }
+            CommandEvent::Stderr(line) => {
+                stderr_bytes.extend(line);
+                stderr_bytes.push(b'\n');
+            }
+            CommandEvent::Terminated(payload) => {
+                status_code = payload.code;
+            }
+            CommandEvent::Error(err) => {
+                log::warn!("unrar sidecar event error: {err}");
+            }
+            _ => {}
+        }
+    }
+
+    let stdout = clean_terminal_log(&String::from_utf8_lossy(&stdout_bytes));
+    let stderr = clean_terminal_log(&String::from_utf8_lossy(&stderr_bytes));
+    let success = status_code == Some(0);
 
     record_unpack_log(
         app_handle,
@@ -1360,6 +1427,79 @@ async fn run_unrar_sidecar(
     Ok(())
 }
 
+/// Tracks a spawned unrar sidecar so the launcher can kill it on shutdown.
+///
+/// If shutdown has already begun (or the registry is poisoned), the child is
+/// killed immediately instead of inserted, since the exit kill sweep has already
+/// run and would never reap a late registration.
+fn register_unrar_child(
+    registry: &Arc<Mutex<UnrarChildRegistry>>,
+    child_id: u64,
+    child: CommandChild,
+) {
+    let Ok(mut guard) = registry.lock() else {
+        // A poisoned registry means we can no longer guarantee the child is
+        // killed on exit, so kill it now rather than risk orphaning it.
+        let pid = child.pid();
+        log::warn!("unrar child registry is poisoned; killing pid {pid} immediately");
+        if let Err(err) = child.kill() {
+            log::warn!("Failed to kill untracked unrar child (pid {pid}): {err}");
+        }
+        return;
+    };
+
+    if guard.shutting_down {
+        drop(guard);
+        let pid = child.pid();
+        log::info!("Killing unrar child (pid {pid}) that spawned during shutdown");
+        if let Err(err) = child.kill() {
+            log::warn!("Failed to kill unrar child (pid {pid}) spawned during shutdown: {err}");
+        }
+        return;
+    }
+
+    guard.children.insert(child_id, child);
+}
+
+/// Removes an unrar sidecar from the registry when its `run_unrar_sidecar` call
+/// returns, regardless of success, error, or early bail.
+struct UnrarChildGuard {
+    registry: Arc<Mutex<UnrarChildRegistry>>,
+    child_id: u64,
+}
+
+impl Drop for UnrarChildGuard {
+    fn drop(&mut self) {
+        if let Ok(mut guard) = self.registry.lock() {
+            guard.children.remove(&self.child_id);
+        }
+    }
+}
+
+/// Kills every in-progress unrar sidecar and latches the registry into shutdown
+/// so any install task that spawns unrar after this point kills it on
+/// registration. Called on app exit so a game install that is mid-extraction does
+/// not leave `unrar` running after the launcher closes.
+fn kill_active_unrar_children(app_handle: &AppHandle) {
+    let state = app_handle.state::<LanSpreadState>();
+    let children = {
+        let Ok(mut guard) = state.active_unrar_children.lock() else {
+            log::warn!("unrar child registry is poisoned; cannot kill children on shutdown");
+            return;
+        };
+        guard.shutting_down = true;
+        guard.children.drain().collect::<Vec<_>>()
+    };
+
+    for (_child_id, child) in children {
+        let pid = child.pid();
+        match child.kill() {
+            Ok(()) => log::info!("Killed in-progress unrar child (pid {pid}) on shutdown"),
+            Err(err) => log::warn!("Failed to kill unrar child (pid {pid}) on shutdown: {err}"),
+        }
+    }
+}
+
 async fn record_unpack_failure(
     app_handle: &AppHandle,
     archive: String,
@@ -2249,6 +2389,10 @@ pub fn run() {
         .expect("error while building tauri application")
         .run(|app_handle, event| {
             if matches!(event, tauri::RunEvent::Exit) {
+                // Kill unrar first: an in-progress extraction would otherwise keep
+                // running after the launcher closes, and killing it lets the
+                // install task unwind so the peer runtime can stop promptly.
+                kill_active_unrar_children(app_handle);
                 shutdown_peer_runtime(app_handle);
             }
         });