Update power handling to review-protocol 0.19.0

Align roxyd's node power handling with review-protocol 0.19.0
semantics: immediate Reboot/Shutdown are fire-and-forget on the wire
and are spawned as background tasks (Linux only). Graceful operations
still follow request/response and return NodePowerResponse::Initiated.

Remove the PendingPowerOperation/PowerAction types and the old
release-ordering machinery; simplify dispatch to call
review_protocol::request::handle directly. Retain PowerExecutor and
MockPowerExecutor for testability. Update CHANGELOG; roxyd tests pass
and clippy is clean.

Author: octoaide[bot]

CHANGELOG.md

@@ -8,17 +8,14 @@ this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.htm
 
 ### Added
 
-- Implement the full `node_power` family directly in `roxyd`. Immediate
-  `NodePowerRequest::Reboot` and `NodePowerRequest::Shutdown` (and the legacy
-  flat `reboot`/`shutdown` compatibility requests) now prepare a pending
-  reboot or power-off operation and only execute the destructive system call
-  after `roxyd` has written `NodePowerResponse::Initiated` successfully on
-  the request stream. If the response write fails, the pending operation is
-  cancelled without rebooting or powering off. Immediate variants remain
-  Linux-only and return `"invalid command"` on other platforms.
-  `NodePowerRequest::GracefulReboot` and `NodePowerRequest::GracefulShutdown`
-  spawn the platform's standard reboot/poweroff command and return
-  `"fail"` if the process could not be started.
+- `roxyd` now handles node power-control requests from a Manager (immediate
+  and graceful reboot/shutdown), replacing the previous unimplemented
+  scaffolding. On Linux, immediate reboot and shutdown run in the background;
+  grouped `node_power` requests do not return a protocol response for these
+  operations. Graceful reboot and shutdown spawn the platform's standard
+  reboot or poweroff command and report success or `"fail"` to the Manager.
+  Legacy flat `reboot` and `shutdown` requests use the same behavior.
+  Immediate reboot and shutdown are not supported on non-Linux platforms.
 
 ## [0.6.0] - 2026-04-16
 

src/bin/roxyd/control.rs

@@ -227,18 +227,7 @@ async fn dispatch(send: &mut quinn::SendStream, recv: &mut quinn::RecvStream) ->
     dispatch_with_executor(send, recv, Arc::new(SystemPowerExecutor)).await
 }
 
-/// Power-aware dispatch entry that takes a caller-supplied
-/// [`PowerExecutor`].
-///
-/// Immediate `NodePowerRequest::Reboot` and `NodePowerRequest::Shutdown`
-/// (and the legacy flat `reboot`/`shutdown` compatibility paths) prepare a
-/// [`handlers::power::PendingPowerOperation`] inside the handler but do not
-/// execute the destructive system call. After
-/// [`review_protocol::request::handle`] returns successfully — which means
-/// the `NodePowerResponse::Initiated` response has been written to the
-/// stream — this function releases the pending operation. If the response
-/// write fails, the pending operation is dropped without being released and
-/// the executor is never invoked.
+/// Power-aware dispatch entry that takes a caller-supplied [`PowerExecutor`].
 ///
 /// # Errors
 ///
@@ -249,19 +238,9 @@ async fn dispatch_with_executor(
     executor: Arc<dyn PowerExecutor>,
 ) -> Result<()> {
     let mut handler = RequestHandler::new(executor);
-    let result = review_protocol::request::handle(&mut handler, send, recv)
+    review_protocol::request::handle(&mut handler, send, recv)
         .await
-        .map_err(|e| anyhow::anyhow!("{e}"));
-
-    if result.is_ok() {
-        // The response stream wrote successfully; release any prepared
-        // immediate power operations so they proceed to reboot/poweroff.
-        let _join_handles = handler.power.release_pending();
-    }
-    // On error, `handler` is dropped here; any unreleased pending power
-    // operations observe the closed sender and exit without rebooting.
-
-    result
+        .map_err(|e| anyhow::anyhow!("{e}"))
 }
 
 /// Request handler that maps review-protocol requests into roxyd handlers.
@@ -1191,35 +1170,6 @@ mod tests {
     /// reaches the peer (simulated here by closing the stream from the
     /// server side after the connection-level send), the pending immediate
     /// power operation is not released and the executor is never invoked.
-    #[tokio::test]
-    async fn pending_reboot_cancelled_on_dispatch_error() {
-        use std::sync::atomic::Ordering;
-
-        // Build a handler and call into it directly to simulate the dispatch
-        // path. This isolates the cancellation invariant from the QUIC
-        // transport.
-        let mock = Arc::new(handlers::power::MockPowerExecutor::default());
-        let mut handler = super::RequestHandler::new(mock.clone() as Arc<dyn PowerExecutor>);
-
-        // Drive the node_power handler directly. On non-Linux this returns
-        // an error and there is nothing pending — the assertion holds.
-        let _ = review_protocol::request::Handler::node_power(
-            &mut handler,
-            review_protocol::types::node::NodePowerRequest::Reboot,
-        )
-        .await;
-
-        // Drop without calling release_pending — simulates a response-write
-        // failure in dispatch_with_executor.
-        drop(handler);
-
-        for _ in 0..20 {
-            tokio::task::yield_now().await;
-        }
-
-        assert_eq!(mock.reboot_count.load(Ordering::SeqCst), 0);
-    }
-
     #[tokio::test]
     async fn dispatch_resource_usage_over_live_connection() {
         let (inner, server, _endpoint) = setup_test_connection().await;