[audit] hot-exit: PendingRestoreState memory leak when secondary window fails restore

[claude]

Problem

PendingRestoreState in src-tauri/src/hot_exit/coordinator.rs:24-46 stores full document content for all windows during restore. It is only cleared when:

1. All expected windows call mark_window_restore_complete (line 502-521), OR
2. hot_exit_clear_session is explicitly called

If any secondary window crashes, hangs, or fails to call hot_exit_window_restore_complete, the completed_windows set never satisfies all_complete(), and the state persists in the OnceLock<Arc<Mutex<...>>> for the lifetime of the process.

Impact

Document content for all windows remains in memory indefinitely. For sessions with many tabs containing large documents, this could be significant memory waste.

Suggested fix

Add a timeout-based cleanup. After restore_session_multi_window stores state in PENDING_RESTORE, spawn a background task that clears it after a generous timeout (e.g., 60 seconds):

// After populating PENDING_RESTORE in restore_session_multi_window:
tokio::spawn(async {
    tokio::time::sleep(Duration::from_secs(60)).await;
    let pending = get_pending_restore_state();
    let mut state = lock_pending_restore(&pending);
    if !state.expected_labels.is_empty() {
        eprintln!("[HotExit] Restore timeout — clearing pending state");
        state.clear();
    }
});

Alternatively, have the frontend's setupRestoreListeners timeout handler invoke hot_exit_clear_session when the restore times out.

File

src-tauri/src/hot_exit/coordinator.rs:24-50

[xiaolai]

Fixed: Added spawn_restore_timeout() — a background task that clears PendingRestoreState after 60 seconds if not all windows have completed restore. This prevents memory leaks when a secondary window crashes or hangs during restoration.