fix: harden daemon engine stability

[zensh]

What changed

Stability review of anda_bot/src/engine.rs, fixing four issues plus one simplification:

• Atomic config writes: PUT /daemon/config previously overwrote config.toml in place with tokio::fs::write, which truncates before writing. A crash or power loss mid-write would corrupt the config and prevent the daemon (and the anda CLI, which parses the config on load) from starting. Writes now go through a same-directory temp file with sync_all followed by an atomic rename, with temp-file cleanup on failure.
• Serialized config updates: concurrent PUT /daemon/config requests could interleave the backup check, backup copy, and file write. Updates are now serialized with a tokio::sync::Mutex in the route state. Reads need no lock since rename is atomic.
• Non-fatal skill loading: skills_tool.load().await? aborted daemon startup on any skill-directory scan error. The scanned dirs include the shared, user-writable ~/.agents/skills, so a permission problem there could brick startup entirely. Failures are now logged and the daemon starts without skills.
• Status errors surface their cause: /daemon/status failures (which depend on the brain service via brain_status()) returned a fixed "Failed to get status" with no logging. The handler now logs a warning and includes the error detail in the 500 response.
• Simplification: removed verify_update_request, an empty pass-through wrapper around verify_authenticated_request.

Reviewed and intentionally unchanged

• /daemon/status stays unauthenticated: it is the launcher's readiness probe (250ms polling), returns only three counters, and the gateway binds to 127.0.0.1:8042 by default.
• The brain CWT token is signed once at startup without an exp claim; cwt_from only validates expiry when the claim is present, so long-running daemons cannot hit token expiry.

Testing

• cargo test -p anda_bot --bin anda engine — 113 passed, including a new test covering the atomic write helper (replace + create paths, no leftover temp files).
• cargo clippy and cargo fmt --check clean.

🤖 Generated with Claude Code

[zensh]

Superseded: rebasing locally onto main instead.

[Copilot]

Pull request overview

This PR focuses on improving daemon stability and launcher update UX in the anda_bot crate, including safer daemon config writes and clearer launcher update behavior.

Changes:

• Harden daemon config writes by serializing concurrent updates and writing via temp-file + fsync + rename.
• Make daemon startup more resilient by logging (not failing) on skill-directory scan/load errors.
• Adjust launcher update flow to only install/restart from explicit user action, with improved menu state handling and updated localized strings.

Reviewed changes

Copilot reviewed 9 out of 10 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
scripts/publish-homebrew.sh	Updates Homebrew formula test to assert the macOS launcher binary exists.
CHANGELOG.md	Adds 0.9.7 release notes describing daemon stability and launcher update UX changes.
Cargo.lock	Bumps anda_bot package version to 0.9.7.
anda_bot/Cargo.toml	Bumps crate version to 0.9.7.
anda_bot/src/engine/agent.rs	Avoids duplicating final background outputs when they match the latest progress output; adds tests.
anda_bot/src/engine.rs	Adds serialized + atomic config writes, makes skill loading non-fatal, improves /daemon/status error reporting.
anda_bot/src/bin/anda_launcher/windows.rs	Removes auto-prompting on downloaded updates; aligns restart-success UI state handling.
anda_bot/src/bin/anda_launcher/macos.rs	Same update-flow adjustments as Windows launcher.
anda_bot/src/bin/anda_launcher/core.rs	Adds finish_update_restart_success to clear “downloaded update” menu state after successful install/restart.
anda_bot/locales/app.yml	Updates EN/ZH menu text to “Install and restart …”.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.