@photostructure/fs-metadata 0.7.0 → 0.8.0

package/src/common/fd_guard.h

@@ -0,0 +1,71 @@
+// src/common/fd_guard.h
+// RAII wrapper for POSIX file descriptors
+// Ensures file descriptors are properly closed, even when exceptions occur
+
+#pragma once
+
+#include <unistd.h>
+
+namespace FSMeta {
+
+/**
+ * RAII guard for POSIX file descriptors.
+ *
+ * Automatically closes the file descriptor when destroyed, preventing
+ * resource leaks. Particularly important for:
+ * - Exception safety (fd closed even if exception thrown)
+ * - Early returns (fd closed regardless of return path)
+ * - Fork safety (when combined with O_CLOEXEC)
+ *
+ * Usage:
+ *   int fd = open(path, O_RDONLY | O_CLOEXEC);
+ *   if (fd < 0) { handle error }
+ *   FdGuard guard(fd);
+ *   // fd is automatically closed when guard goes out of scope
+ */
+class FdGuard {
+public:
+  explicit FdGuard(int fd) noexcept : fd_(fd) {}
+
+  ~FdGuard() noexcept {
+    if (fd_ >= 0) {
+      close(fd_);
+    }
+  }
+
+  // Get the underlying file descriptor
+  int get() const noexcept { return fd_; }
+
+  // Release ownership of the file descriptor (caller must close it)
+  int release() noexcept {
+    int fd = fd_;
+    fd_ = -1;
+    return fd;
+  }
+
+  // Check if the guard holds a valid file descriptor
+  bool isValid() const noexcept { return fd_ >= 0; }
+
+  // Non-copyable
+  FdGuard(const FdGuard &) = delete;
+  FdGuard &operator=(const FdGuard &) = delete;
+
+  // Movable
+  FdGuard(FdGuard &&other) noexcept : fd_(other.fd_) { other.fd_ = -1; }
+
+  FdGuard &operator=(FdGuard &&other) noexcept {
+    if (this != &other) {
+      if (fd_ >= 0) {
+        close(fd_);
+      }
+      fd_ = other.fd_;
+      other.fd_ = -1;
+    }
+    return *this;
+  }
+
+private:
+  int fd_;
+};
+
+} // namespace FSMeta

package/src/{darwin → common}/path_security.h

@@ -1,12 +1,15 @@
-// src/darwin/path_security.h
-// Secure path validation for macOS using realpath()
-// Implements recommendations from Apple's Secure Coding Guide
+// src/common/path_security.h
+// Secure path validation using POSIX realpath()
+// Based on recommendations from Apple's Secure Coding Guide and CERT C
+// guidelines References:
+// -
 // https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Articles/RaceConditions.html
+// - https://wiki.sei.cmu.edu/confluence/x/DtcxBQ (FIO02-C)
 
 #pragma once
 
-#include "../common/debug_log.h"
-#include "../common/error_utils.h"
+#include "debug_log.h"
+#include "error_utils.h"
 #include <cerrno>
 #include <cstring>
 #include <string>

package/src/common/volume_utils.h

@@ -0,0 +1,51 @@
+// src/common/volume_utils.h
+// Shared utilities for volume metadata calculations
+
+#pragma once
+
+#include <cstdint>
+#include <limits>
+
+namespace FSMeta {
+
+/**
+ * Checks if multiplying two uint64_t values would overflow.
+ *
+ * Used to safely calculate volume sizes: size = blockSize * blockCount
+ * Must be called BEFORE performing the multiplication.
+ *
+ * @param a First operand (e.g., block size)
+ * @param b Second operand (e.g., block count)
+ * @return true if multiplication would overflow, false if safe
+ *
+ * Example usage:
+ *   if (WouldOverflow(blockSize, totalBlocks)) {
+ *     SetError("Total volume size calculation would overflow");
+ *     return false;
+ *   }
+ *   uint64_t totalSize = blockSize * totalBlocks;  // Safe
+ */
+inline bool WouldOverflow(uint64_t a, uint64_t b) noexcept {
+  // Overflow occurs if a * b > MAX, which is equivalent to a > MAX / b
+  // We need b > 0 check to avoid division by zero
+  return b > 0 && a > std::numeric_limits<uint64_t>::max() / b;
+}
+
+/**
+ * Safely multiplies two uint64_t values, returning 0 on overflow.
+ *
+ * @param a First operand
+ * @param b Second operand
+ * @param overflow_out Optional pointer to receive overflow status
+ * @return Product of a * b, or 0 if overflow would occur
+ */
+inline uint64_t SafeMultiply(uint64_t a, uint64_t b,
+                             bool *overflow_out = nullptr) noexcept {
+  bool overflow = WouldOverflow(a, b);
+  if (overflow_out) {
+    *overflow_out = overflow;
+  }
+  return overflow ? 0 : a * b;
+}
+
+} // namespace FSMeta

package/src/darwin/hidden.cpp

@@ -2,7 +2,9 @@
 #include "hidden.h"
 #include "../common/debug_log.h"
 #include "../common/error_utils.h"
-#include "path_security.h"
+#include "../common/fd_guard.h"
+#include "../common/path_security.h"
+#include <fcntl.h>  // for open(), O_RDONLY, O_CLOEXEC
 #include <string.h> // for strcmp
 #include <sys/mount.h>
 #include <sys/stat.h>
@@ -42,19 +44,35 @@ void GetHiddenWorker::Execute() {
   DEBUG_LOG("[GetHiddenWorker] Using validated path: %s",
             validated_path.c_str());
 
-  struct stat statbuf;
-  if (stat(validated_path.c_str(), &statbuf) != 0) {
+  // SECURITY: Use file descriptor-based approach to prevent TOCTOU race
+  // condition. Opening the file and using fstat() on the fd ensures we're
+  // checking the same file that realpath() validated.
+  // O_CLOEXEC: Prevent fd leak to child processes on fork/exec
+  // O_RDONLY: We only need to read the flags
+  int fd = open(validated_path.c_str(), O_RDONLY | O_CLOEXEC);
+  if (fd < 0) {
     int error = errno;
     if (error == ENOENT) {
       DEBUG_LOG("[GetHiddenWorker] path not found: %s", validated_path.c_str());
       SetError("Path not found: '" + validated_path + "'");
     } else {
-      DEBUG_LOG("[GetHiddenWorker] failed to stat path %s: %s (%d)",
+      DEBUG_LOG("[GetHiddenWorker] failed to open path %s: %s (%d)",
                 validated_path.c_str(), strerror(error), error);
-      SetError(CreatePathErrorMessage("stat", validated_path, error));
+      SetError(CreatePathErrorMessage("open", validated_path, error));
     }
     return;
   }
+  FdGuard fd_guard(fd);
+
+  struct stat statbuf;
+  if (fstat(fd, &statbuf) != 0) {
+    int error = errno;
+    DEBUG_LOG("[GetHiddenWorker] failed to fstat path %s: %s (%d)",
+              validated_path.c_str(), strerror(error), error);
+    SetError(CreatePathErrorMessage("fstat", validated_path, error));
+    return;
+  }
+
   is_hidden_ = (statbuf.st_flags & UF_HIDDEN) != 0;
   DEBUG_LOG("[GetHiddenWorker] path %s is %s", validated_path.c_str(),
             is_hidden_ ? "hidden" : "not hidden");
@@ -121,19 +139,34 @@ void SetHiddenWorker::Execute() {
   DEBUG_LOG("[SetHiddenWorker] Using validated path: %s",
             validated_path.c_str());
 
-  struct stat statbuf;
-  if (stat(validated_path.c_str(), &statbuf) != 0) {
+  // SECURITY: Use file descriptor-based approach to prevent TOCTOU race
+  // condition. Opening the file, reading flags with fstat(), and setting
+  // flags with fchflags() all operate on the same inode via the fd.
+  // O_CLOEXEC: Prevent fd leak to child processes on fork/exec
+  // O_RDONLY: fchflags() doesn't require write access to the file contents
+  int fd = open(validated_path.c_str(), O_RDONLY | O_CLOEXEC);
+  if (fd < 0) {
     int error = errno;
     if (error == ENOENT) {
       DEBUG_LOG("[SetHiddenWorker] path not found: %s", validated_path.c_str());
       SetError("Path not found: '" + validated_path + "'");
     } else {
-      DEBUG_LOG("[SetHiddenWorker] failed to stat path %s: %s (%d)",
+      DEBUG_LOG("[SetHiddenWorker] failed to open path %s: %s (%d)",
                 validated_path.c_str(), strerror(error), error);
-      SetError(CreatePathErrorMessage("stat", validated_path, error));
+      SetError(CreatePathErrorMessage("open", validated_path, error));
     }
     return;
   }
+  FdGuard fd_guard(fd);
+
+  struct stat statbuf;
+  if (fstat(fd, &statbuf) != 0) {
+    int error = errno;
+    DEBUG_LOG("[SetHiddenWorker] failed to fstat path %s: %s (%d)",
+              validated_path.c_str(), strerror(error), error);
+    SetError(CreatePathErrorMessage("fstat", validated_path, error));
+    return;
+  }
 
   u_int32_t new_flags;
   if (hidden_) {
@@ -142,15 +175,15 @@ void SetHiddenWorker::Execute() {
     new_flags = statbuf.st_flags & ~UF_HIDDEN;
   }
 
-  if (chflags(validated_path.c_str(), new_flags) != 0) {
+  if (fchflags(fd, new_flags) != 0) {
     int error = errno;
     DEBUG_LOG("[SetHiddenWorker] failed to set flags for %s: %s (%d)",
               validated_path.c_str(), strerror(error), error);
 
-    // Check if this is an APFS filesystem issue
+    // Check if this is an APFS filesystem issue using fstatfs on the fd
     struct statfs fs;
     bool is_apfs = false;
-    if (statfs(validated_path.c_str(), &fs) == 0) {
+    if (fstatfs(fd, &fs) == 0) {
       is_apfs = (strcmp(fs.f_fstypename, "apfs") == 0);
       DEBUG_LOG("[SetHiddenWorker] filesystem type: %s", fs.f_fstypename);
     }
@@ -160,9 +193,9 @@ void SetHiddenWorker::Execute() {
       SetError("Setting hidden attribute failed on APFS filesystem. "
                "This is a known issue with some APFS volumes. "
                "Error: " +
-               CreatePathErrorMessage("chflags", validated_path, error));
+               CreatePathErrorMessage("fchflags", validated_path, error));
     } else {
-      SetError(CreatePathErrorMessage("chflags", validated_path, error));
+      SetError(CreatePathErrorMessage("fchflags", validated_path, error));
     }
     return;
   }

package/src/darwin/raii_utils.h

@@ -18,8 +18,8 @@ private:
   T *resource_;
 
 public:
-  ResourceRAII() : resource_(nullptr) {}
-  ~ResourceRAII() {
+  ResourceRAII() noexcept : resource_(nullptr) {}
+  ~ResourceRAII() noexcept {
     if (resource_) {
       free(resource_);
     }
@@ -56,8 +56,8 @@ private:
   struct statfs *buffer_;
 
 public:
-  MountBufferRAII() : buffer_(nullptr) {}
-  ~MountBufferRAII() {
+  MountBufferRAII() noexcept : buffer_(nullptr) {}
+  ~MountBufferRAII() noexcept {
     if (buffer_) {
       free(buffer_);
     }
@@ -96,9 +96,9 @@ private:
 
 public:
   explicit CFReleaser(T ref = nullptr) noexcept : ref_(ref) {}
-  ~CFReleaser() { reset(); }
+  ~CFReleaser() noexcept { reset(); }
 
-  void reset(T ref = nullptr) {
+  void reset(T ref = nullptr) noexcept {
     if (ref_) {
       CFRelease(ref_);
     }
@@ -139,7 +139,7 @@ public:
   explicit DASessionRAII(DASessionRef session = nullptr) noexcept
       : session_(session), is_scheduled_(false) {}
 
-  ~DASessionRAII() { unschedule(); }
+  ~DASessionRAII() noexcept { unschedule(); }
 
   // Schedule the session on a dispatch queue
   void scheduleOnQueue(dispatch_queue_t queue) {
@@ -150,7 +150,7 @@ public:
   }
 
   // Unschedule the session (must be called before session is released)
-  void unschedule() {
+  void unschedule() noexcept {
     if (is_scheduled_ && session_.isValid()) {
       DASessionSetDispatchQueue(session_.get(), nullptr);
       is_scheduled_ = false;

package/src/darwin/volume_metadata.cpp

@@ -2,20 +2,23 @@
 // Thread-safe implementation with DiskArbitration mutex synchronization
 
 #include "../common/debug_log.h"
+#include "../common/fd_guard.h"
+#include "../common/path_security.h"
+#include "../common/volume_utils.h"
 #include "./fs_meta.h"
-#include "./path_security.h"
 #include "./raii_utils.h"
 
 #include <CoreFoundation/CoreFoundation.h>
 #include <DiskArbitration/DiskArbitration.h>
-#include <fcntl.h> // For open(), O_RDONLY, O_DIRECTORY
+#include <cstring> // For strlen()
+#include <fcntl.h> // For open(), O_RDONLY, O_DIRECTORY, O_CLOEXEC
 #include <memory>
 #include <mutex>
 #include <string>
 #include <sys/mount.h>
 #include <sys/param.h>
 #include <sys/statvfs.h>
-#include <unistd.h> // For close()
+#include <unistd.h>
 
 namespace FSMeta {
 
@@ -55,17 +58,9 @@ static std::string CFStringToString(CFStringRef cfString) {
     return "";
   }
 
-  // Find actual string length by looking for null terminator
-  // This is safer than using strlen which could read past buffer
-  size_t actualLength = 0;
-  for (size_t i = 0; i < static_cast<size_t>(maxSize); ++i) {
-    if (result[i] == '\0') {
-      actualLength = i;
-      break;
-    }
-  }
-
-  result.resize(actualLength);
+  // CFStringGetCString guarantees null termination on success, so strlen is
+  // safe here. The buffer was sized with GetMaximumSizeForEncoding + 1.
+  result.resize(strlen(result.c_str()));
   return result;
 }
 
@@ -122,7 +117,8 @@ private:
     // Use file descriptors to prevent TOCTOU race conditions
     // Open the mount point directory with O_DIRECTORY to ensure it's a
     // directory
-    int fd = open(mountPoint.c_str(), O_RDONLY | O_DIRECTORY);
+    // O_CLOEXEC: Prevent fd leak to child processes on fork/exec
+    int fd = open(mountPoint.c_str(), O_RDONLY | O_DIRECTORY | O_CLOEXEC);
     if (fd < 0) {
       int error = errno;
       DEBUG_LOG("[GetVolumeMetadataWorker] open failed: %s (%d)",
@@ -132,14 +128,7 @@ private:
     }
 
     // RAII wrapper for file descriptor to ensure it's always closed
-    struct FdGuard {
-      int fd;
-      ~FdGuard() {
-        if (fd >= 0) {
-          close(fd);
-        }
-      }
-    } fd_guard{fd};
+    FdGuard fd_guard(fd);
 
     struct statvfs vfs;
     struct statfs fs;
@@ -172,19 +161,17 @@ private:
     const uint64_t freeBlocks = static_cast<uint64_t>(vfs.f_bfree);
 
     // Check for overflow before multiplication
-    if (blockSize > 0) {
-      if (totalBlocks > std::numeric_limits<uint64_t>::max() / blockSize) {
-        SetError("Total volume size calculation would overflow");
-        return false;
-      }
-      if (availBlocks > std::numeric_limits<uint64_t>::max() / blockSize) {
-        SetError("Available space calculation would overflow");
-        return false;
-      }
-      if (freeBlocks > std::numeric_limits<uint64_t>::max() / blockSize) {
-        SetError("Free space calculation would overflow");
-        return false;
-      }
+    if (WouldOverflow(blockSize, totalBlocks)) {
+      SetError("Total volume size calculation would overflow");
+      return false;
+    }
+    if (WouldOverflow(blockSize, availBlocks)) {
+      SetError("Available space calculation would overflow");
+      return false;
+    }
+    if (WouldOverflow(blockSize, freeBlocks)) {
+      SetError("Free space calculation would overflow");
+      return false;
     }
 
     const uint64_t totalSize = blockSize * totalBlocks;
@@ -243,6 +230,12 @@ private:
     // it. We use a background queue (not main queue) to avoid deadlock in
     // Node.js. The RAII wrapper will automatically unschedule in its
     // destructor.
+    //
+    // NOTE: This static dispatch queue is intentionally never released.
+    // It's a singleton that lives for the process lifetime. The queue is
+    // lightweight (just a reference to GCD's internal structures), and
+    // releasing it on module unload could race with in-flight operations.
+    // This pattern is standard for long-lived queues in macOS applications.
     static dispatch_queue_t da_queue =
         dispatch_queue_create("com.photostructure.fs-metadata.diskarbitration",
                               DISPATCH_QUEUE_SERIAL);
@@ -327,14 +320,15 @@ private:
     CFURLRef url = (CFURLRef)CFDictionaryGetValue(
         description, kDADiskDescriptionVolumePathKey);
     if (!url) {
-      metadata.error = "Invalid URL";
+      metadata.status = "partial";
+      metadata.error = "Volume path not available in disk description";
       return;
     }
     CFReleaser<CFStringRef> urlString(
         CFURLCopyFileSystemPath(url, kCFURLPOSIXPathStyle));
     if (!urlString.isValid()) {
-      metadata.error = std::string("Invalid URL string: ") +
-                       CFStringToString(urlString.get());
+      metadata.status = "partial";
+      metadata.error = "Failed to get filesystem path from volume URL";
       return;
     }
 

package/src/index.ts

@@ -13,13 +13,13 @@ import {
   setHiddenImpl,
 } from "./hidden";
 import {
+  getTimeoutMsDefault,
   IncludeSystemVolumesDefault,
   LinuxMountTablePathsDefault,
   OptionsDefault,
   optionsWithDefaults,
   SystemFsTypesDefault,
   SystemPathPatternsDefault,
-  TimeoutMsDefault,
 } from "./options";
 import type { StringEnum, StringEnumKeys, StringEnumType } from "./string_enum";
 import type { SystemVolumeConfig } from "./system_volume";
@@ -118,7 +118,7 @@ export function getVolumeMetadata(
  * {@link https://nodejs.org/api/os.html#osavailableparallelism | os.availableParallelism()}
  * @param opts.timeoutMs - Maximum time to wait for
  * {@link getVolumeMountPointsImpl}, as well as **each** {@link getVolumeMetadataImpl}
- * to complete. Defaults to {@link TimeoutMsDefault}
+ * to complete. Defaults to {@link getTimeoutMsDefault}
  * @returns Promise that resolves to an array of either VolumeMetadata objects
  * or error objects containing the mount point and error
  * @throws Never - errors are caught and returned as part of the result array
@@ -186,12 +186,12 @@ export function setHidden(
 }
 
 export {
+  getTimeoutMsDefault,
   IncludeSystemVolumesDefault,
   LinuxMountTablePathsDefault,
   OptionsDefault,
   optionsWithDefaults,
   SystemFsTypesDefault,
   SystemPathPatternsDefault,
-  TimeoutMsDefault,
   VolumeHealthStatuses,
 };

package/src/linux/blkid_cache.cpp

@@ -32,17 +32,11 @@ BlkidCache::~BlkidCache() {
     const std::lock_guard<std::mutex> lock(mutex_);
     if (cache_) { // Double-check after acquiring lock
       DEBUG_LOG("[BlkidCache] releasing cache");
-      try {
-        blkid_put_cache(cache_);
-        cache_ = nullptr; // Avoid double-release
-        DEBUG_LOG("[BlkidCache] cache released successfully");
-      } catch (const std::exception &e) {
-        DEBUG_LOG("[BlkidCache] error releasing cache: %s", e.what());
-        cache_ = nullptr; // Ensure it's nulled even on error
-        // Optional: Log error during cache cleanup
-        // std::cerr << "Error while releasing blkid cache: " << e.what()
-        //           << std::endl;
-      }
+      // Note: blkid_put_cache() is a C function that cannot throw C++
+      // exceptions, so no try-catch is needed here.
+      blkid_put_cache(cache_);
+      cache_ = nullptr;
+      DEBUG_LOG("[BlkidCache] cache released successfully");
     }
   }
 }

package/src/linux/blkid_cache.h

@@ -21,8 +21,29 @@ public:
 
   operator bool() const { return cache_ != nullptr; }
 
+  // Prevent copying - each instance owns its cache
   BlkidCache(const BlkidCache &) = delete;
   BlkidCache &operator=(const BlkidCache &) = delete;
+
+  // Allow moving - transfers ownership of the cache
+  BlkidCache(BlkidCache &&other) noexcept : cache_(other.cache_) {
+    other.cache_ = nullptr;
+  }
+  BlkidCache &operator=(BlkidCache &&other) noexcept {
+    if (this != &other) {
+      // Release current cache if any (under lock)
+      if (cache_) {
+        const std::lock_guard<std::mutex> lock(mutex_);
+        if (cache_) {
+          blkid_put_cache(cache_);
+        }
+      }
+      // Take ownership from other
+      cache_ = other.cache_;
+      other.cache_ = nullptr;
+    }
+    return *this;
+  }
 };
 
 } // namespace FSMeta

package/src/linux/gio_utils.cpp

@@ -101,29 +101,13 @@ void MountIterator::forEachMount(const MountCallback &callback) {
   DEBUG_LOG("[gio::MountIterator::forEachMount] completed");
 }
 
-// OPTIONAL: Try to get GVolumeMonitor (may fail, that's OK)
-// This is best-effort enrichment and should NOT be required for basic operation
-GVolumeMonitor *MountIterator::tryGetMonitor() noexcept {
-  try {
-    // NOTE: This violates GVolumeMonitor thread-safety requirements when
-    // called from worker threads. We use it only for optional metadata
-    // enrichment. The primary path uses thread-safe g_unix_mounts_get().
-    //
-    // Future work: Consider removing this entirely or moving enrichment
-    // to main thread if needed.
-    GVolumeMonitor *monitor = g_volume_monitor_get();
-    if (!monitor) {
-      DEBUG_LOG("[gio::tryGetMonitor] g_volume_monitor_get() returned null");
-    }
-    return monitor; // May be null, caller must check
-  } catch (const std::exception &e) {
-    DEBUG_LOG("[gio::tryGetMonitor] Exception: %s", e.what());
-    return nullptr;
-  } catch (...) {
-    DEBUG_LOG("[gio::tryGetMonitor] Unknown exception");
-    return nullptr;
-  }
-}
+// NOTE: tryGetMonitor() has been removed.
+//
+// GVolumeMonitor is NOT thread-safe and must only be used from the main thread.
+// See: https://docs.gtk.org/gio/class.VolumeMonitor.html
+//
+// Since all our code runs on Napi::AsyncWorker threads, using GVolumeMonitor
+// causes race conditions leading to GLib-GObject-CRITICAL errors.
 
 } // namespace gio
 } // namespace FSMeta

package/src/linux/gio_utils.h

@@ -18,7 +18,8 @@ template <typename T> struct GObjectDeleter {
   }
 };
 
-// Custom deleter for g_free
+// Custom deleter for g_free (used for strings from GIO APIs like
+// g_file_get_path)
 struct GFreeDeleter {
   void operator()(void *ptr) const {
     if (ptr) {
@@ -27,18 +28,18 @@ struct GFreeDeleter {
   }
 };
 
-// Add this before any existing smart pointer definitions
-struct GFileInfoDeleter {
-  void operator()(GFileInfo *ptr) {
-    if (ptr)
-      g_object_unref(ptr);
-  }
-};
-using GFileInfoPtr = std::unique_ptr<GFileInfo, GFileInfoDeleter>;
-
-// Smart pointer aliases
+// Smart pointer aliases for RAII management of GIO resources
+// These ensure proper cleanup even when exceptions occur
 template <typename T> using GObjectPtr = std::unique_ptr<T, GObjectDeleter<T>>;
 
+// Common GIO object types
+using GFilePtr = GObjectPtr<GFile>;
+using GMountPtr = GObjectPtr<GMount>;
+using GVolumePtr = GObjectPtr<GVolume>;
+using GVolumeMonitorPtr = GObjectPtr<GVolumeMonitor>;
+using GFileInfoPtr = GObjectPtr<GFileInfo>;
+
+// For strings allocated by GIO (g_file_get_path, g_file_get_uri, etc.)
 using GCharPtr = std::unique_ptr<char, GFreeDeleter>;
 
 namespace FSMeta {
@@ -55,37 +56,12 @@ public:
   // This is safe to call from worker threads
   static void forEachMount(const MountCallback &callback);
 
-  // OPTIONAL: Try to get GVolumeMonitor for metadata enrichment
-  // Returns nullptr if unavailable (that's OK, not required)
-  // WARNING: Violates thread-safety when called from worker threads
-  // Only use for best-effort enrichment
-  static GVolumeMonitor *tryGetMonitor() noexcept;
+  // NOTE: tryGetMonitor() has been removed because GVolumeMonitor is NOT
+  // thread-safe. See: https://docs.gtk.org/gio/class.VolumeMonitor.html
 };
 
-// Helper class for scoped GIO resource management
-template <typename T> class GioResource {
-public:
-  explicit GioResource(T *resource) : resource_(resource) {}
-  ~GioResource() {
-    if (resource_) {
-      g_object_unref(resource_);
-    }
-  }
-
-  T *get() const { return resource_; }
-  T *release() {
-    T *temp = resource_;
-    resource_ = nullptr;
-    return temp;
-  }
-
-  // Prevent copying
-  GioResource(const GioResource &) = delete;
-  GioResource &operator=(const GioResource &) = delete;
-
-private:
-  T *resource_;
-};
+// Note: GioResource<T> has been removed in favor of GObjectPtr<T> above,
+// which provides equivalent RAII semantics with std::unique_ptr.
 
 } // namespace gio
 } // namespace FSMeta