dashpay · Claudius-Maginificent · May 22, 2026 · May 22, 2026 · May 22, 2026 · May 22, 2026
@@ -360,7 +360,18 @@ pub unsafe extern "C" fn platform_wallet_manager_destroy(
         // left alive to fire a callback against freed memory.
         // `shutdown()` is idempotent, so this is safe even if the host
         // already stopped some sync managers before calling destroy.
-        runtime().block_on(manager.shutdown());
+        // It now joins the coordinator OS threads and returns their
+        // per-thread exit status; the C ABI exposes none of that, so we
+        // just log it (a panicked loop is worth surfacing) and drop it.
+        let status = runtime().block_on(manager.shutdown());
+        if !status.all_clean() {
+            tracing::warn!(
+                ?status,
+                "platform wallet coordinator(s) did not exit cleanly"
+            );
+        } else {
+            tracing::debug!(?status, "platform wallet coordinators joined cleanly");
+        }
     }
     PlatformWalletFFIResult::ok()
 }

@@ -75,6 +75,20 @@ use crate::wallet::platform_wallet::WalletId;
 /// startup default.
 pub const DEFAULT_SYNC_INTERVAL_SECS: u64 = 60;
 
+/// RAII guard that clears `is_syncing` when dropped.
+///
+/// Created at the start of a sync pass (after the `compare_exchange`
+/// that takes the slot). On any exit — normal return, early return, or
+/// panic-unwind — the flag is cleared, so `quiesce()`'s drain loop
+/// never spins forever on a panicked pass.
+struct IsSyncingGuard<'a>(&'a AtomicBool);
+
+impl Drop for IsSyncingGuard<'_> {
+    fn drop(&mut self) {
+        self.0.store(false, Ordering::Release);
+    }
+}
+
 /// Maximum number of token ids fetched in a single
 /// `IdentityTokenBalancesQuery`.
 ///
@@ -160,6 +174,11 @@ where
     persister: Arc<P>,
     /// Cancel token for the background loop, if running.
     background_cancel: StdMutex<Option<CancellationToken>>,
+    /// Join handle for the background loop's OS thread, if running.
+    /// Taken and joined by [`quiesce`](Self::quiesce) so shutdown can
+    /// confirm the `!Send` loop fully exited before the host drops the
+    /// runtime.
+    background_join: StdMutex<Option<std::thread::JoinHandle<()>>>,
     /// Monotonically increasing generation counter. Incremented each
     /// time `start()` installs a new cancel token so the exiting
     /// thread can tell whether its token is still current.
@@ -204,6 +223,7 @@ where
             sdk,
             persister,
             background_cancel: StdMutex::new(None),
+            background_join: StdMutex::new(None),
             background_generation: AtomicU64::new(0),
             interval_secs: AtomicU64::new(DEFAULT_SYNC_INTERVAL_SECS),
             is_syncing: AtomicBool::new(false),
@@ -395,18 +415,17 @@ where
     /// The first pass runs immediately; subsequent passes fire every
     /// [`interval`](Self::interval).
     pub fn start(self: Arc<Self>) {
-        let mut guard = self.background_cancel.lock().expect("bg_cancel poisoned");
-        if guard.is_some() {
+        let mut cancel_guard = self.background_cancel.lock().expect("bg_cancel poisoned");
+        if cancel_guard.is_some() {
             return;
         }
         let cancel = CancellationToken::new();
-        *guard = Some(cancel.clone());
+        *cancel_guard = Some(cancel.clone());
         let my_gen = self.background_generation.fetch_add(1, Ordering::AcqRel) + 1;
-        drop(guard);
 
         let handle = tokio::runtime::Handle::current();
-        let this = self;
-        std::thread::Builder::new()
+        let this = Arc::clone(&self);
+        let join = std::thread::Builder::new()
             .name("identity-sync".into())
             .spawn(move || {
                 handle.block_on(async move {
@@ -434,6 +453,11 @@ where
                 });
             })
             .expect("failed to spawn identity-sync thread");
+        // Store the join handle while still holding cancel_guard — a
+        // concurrent quiesce() must wait for this lock before calling
+        // stop(), so the handle is always stored before it can be taken.
+        *self.background_join.lock().expect("bg_join poisoned") = Some(join);
+        // cancel_guard drops here, releasing background_cancel.
     }
 
     /// Stop the background sync loop. No-op if not running.
@@ -473,13 +497,25 @@ where
     /// so its falling edge (with the gate up) is a sound "fully drained"
     /// signal. The gate is reopened before returning so a later
     /// start/sync works normally.
-    pub async fn quiesce(&self) {
+    ///
+    /// Finally **joins** the loop's OS thread (after the drain, so the
+    /// thread is on its way out) and returns its terminal status. Joining
+    /// while the runtime is still alive is what lets the manager promise
+    /// the `!Send` loop has stopped touching `tokio::time` before a
+    /// one-shot host drops the runtime.
+    pub async fn quiesce(&self) -> super::CoordinatorThreadStatus {
         self.quiescing.store(true, Ordering::Release);
         self.stop();
         while self.is_syncing.load(Ordering::Acquire) {
             tokio::time::sleep(Duration::from_millis(20)).await;
         }
         self.quiescing.store(false, Ordering::Release);
+        let handle = self
+            .background_join
+            .lock()
+            .expect("bg_join poisoned")
+            .take();
+        super::join_coordinator_thread(handle).await
     }
 
     /// Run one sync pass across every registered identity.
@@ -501,12 +537,17 @@ where
             return;
         }
 
+        // RAII guard: clears `is_syncing` on every exit path, including
+        // panics. Without this a panic inside the pass would leave
+        // `is_syncing=true` forever and wedge `quiesce()`'s drain loop.
+        let _is_syncing_guard = IsSyncingGuard(&self.is_syncing);
+
         // A `quiesce()` may have raised the gate between our CAS and
-        // here; if so, release the slot and bail without running a pass
-        // so the drain can complete and shutdown gets a true barrier
-        // (no further `persister.store(...)` after quiesce returns).
+        // here; if so, bail without running a pass so the drain can
+        // complete and shutdown gets a true barrier (no further
+        // `persister.store(...)` after quiesce returns).
+        // Guard clears `is_syncing` on return.
         if self.quiescing.load(Ordering::Acquire) {
-            self.is_syncing.store(false, Ordering::Release);
             return;
         }
 
@@ -532,7 +573,7 @@ where
             .map(|d| d.as_secs())
             .unwrap_or(0);
         self.last_sync_unix.store(now, Ordering::Release);
-        self.is_syncing.store(false, Ordering::Release);
+        // `_is_syncing_guard` drops here → `is_syncing = false`
     }
 
     /// Sync a single identity's watched tokens against Platform.