furtka/furtka/installer.py

import shutil
from pathlib import Path

from furtka.manifest import ManifestError, load_manifest
from furtka.paths import apps_dir, bundled_apps_dir

# Values that an app's .env.example may use as obvious "fill me in" markers.
# If any of these reach the live .env, install refuses — otherwise we'd ship
# an SMB share with password "changeme" out of the box, which is the kind of
# default that ends up screenshotted on Hacker News.
PLACEHOLDER_SECRETS: frozenset[str] = frozenset({"changeme"})


class InstallError(RuntimeError):
    pass


def _placeholder_keys(env_path: Path) -> list[str]:
    if not env_path.exists():
        return []
    bad: list[str] = []
    for raw in env_path.read_text().splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip().strip('"').strip("'")
        if value in PLACEHOLDER_SECRETS:
            bad.append(key.strip())
    return bad


def resolve_source(source: str) -> Path:
    """Resolve a `furtka app install <source>` arg to a real source folder.

    If `source` looks like a path (or exists on disk), use it. Otherwise treat
    it as a bundled app name and look up under /opt/furtka/apps/<name>.
    """
    p = Path(source)
    if p.is_dir():
        return p
    if "/" in source or source.startswith("."):
        raise InstallError(f"{source!r} is not a directory")
    bundled = bundled_apps_dir() / source
    if bundled.is_dir():
        return bundled
    raise InstallError(f"{source!r} not found as a path or bundled app")


def install_from(src: Path) -> Path:
    """Copy a validated app folder into /var/lib/furtka/apps/<name>/.

    Preserves an existing .env on upgrade. Bootstraps .env from .env.example
    on first install if .env wasn't shipped. Refuses to finish (raises
    InstallError) if the resulting .env still has placeholder secrets — the
    target folder is left in place so the user can edit and re-run.

    Returns the target folder on success.
    """
    manifest_path = src / "manifest.json"
    if not manifest_path.exists():
        raise InstallError(f"{src} has no manifest.json")
    try:
        m = load_manifest(manifest_path)
    except ManifestError as e:
        raise InstallError(str(e)) from e

    target = apps_dir() / m.name
    target.mkdir(parents=True, exist_ok=True)

    for item in src.iterdir():
        if not item.is_file():
            continue
        # Never overwrite an existing user .env.
        if item.name == ".env" and (target / ".env").exists():
            continue
        shutil.copy2(item, target / item.name)

    # First install with no .env shipped: bootstrap from .env.example so the
    # user has something to edit and compose has values to substitute.
    env = target / ".env"
    env_example = target / ".env.example"
    if not env.exists() and env_example.exists():
        shutil.copy2(env_example, env)

    # .env carries app secrets — lock to root-only. Done before the placeholder
    # check so even the half-installed state is at least not world-readable.
    if env.exists():
        env.chmod(0o600)

    bad = _placeholder_keys(env)
    if bad:
        raise InstallError(
            f"{m.name}: {env} still has placeholder values for {', '.join(bad)}. "
            f"Edit the file (set real values), then re-run "
            f"`furtka app install {m.name}`."
        )

    return target


def remove(name: str) -> Path:
    """Delete /var/lib/furtka/apps/<name>/. Volumes are NOT touched.

    Caller is responsible for stopping the compose project first.
    """
    target = apps_dir() / name
    if not target.exists():
        raise InstallError(f"{name!r} is not installed")
    shutil.rmtree(target)
    return target
feat(furtka): reconciler + install/remove — slice 2 Fills in the act-on-it half of the resource manager. Reconciler walks the scanner output and brings docker into the desired state: ensures each manifest-declared volume exists (idempotent), then runs docker compose up -d for the project. install/remove on the CLI work end-to-end against a real /var/lib/furtka/apps/ tree. - furtka.dockerops: thin subprocess wrapper. Volume + compose primitives that other modules call. `_run` raises DockerError with the actual stderr so failures are diagnosable. - furtka.reconciler: builds an ordered Action list (volumes then compose_up per app), executes unless dry-run. Broken manifests produce a "skip" action, the rest of the apps still get reconciled. - furtka.installer: copy-from-source with two non-obvious rules — user .env is preserved across upgrade installs, and a missing .env is bootstrapped from .env.example so compose has values to substitute on first install. Bundled-app lookup falls back to /opt/furtka/apps/<name>/ when the source arg isn't a path. - furtka.cli: app install/remove wired up. remove() ignores compose down failures so a botched compose doesn't trap users with an un-removable folder. - 15 new tests using monkeypatch'd dockerops so the suite still runs without docker installed. Covers reconcile dry-run, multi-volume apps, broken-manifest skip behavior, .env preservation, bundled-name resolution, and remove edge cases. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-15 10:02:00 +02:00			`import shutil`
			`from pathlib import Path`

			`from furtka.manifest import ManifestError, load_manifest`
			`from furtka.paths import apps_dir, bundled_apps_dir`

fix(furtka): audit follow-ups — placeholder secrets, isolate reconcile, .env perms Addresses the four issues raised in the slice-3 audit before pushing. #1 (critical) — refuse to finish install when .env still contains placeholder secrets like "changeme". Without this, `furtka app install fileshare` would happily start an SMB server with a publicly-known password — the kind of default that ends up screenshotted on Hacker News. PLACEHOLDER_SECRETS lives in installer.py; new tests cover placeholder rejection, post-edit retry, and quoted values. #3 — reconciler now catches DockerError / FileNotFoundError / OSError per-app instead of letting a single broken app abort the whole boot-scan. Errors get surfaced as Action(kind="error", …) and has_errors() drives the CLI exit code so systemd still shows red, but the other apps actually got reconciled. #4 — chmod 0600 on .env after install so app secrets aren't world- readable on multi-user boxes. Done before the placeholder check so even the half-installed state is safe. #5 — load_manifest() got an optional expected_name. The scanner passes the folder name (filesystem source-of-truth contract); installer leaves it None so `furtka app install /tmp/some-fork/` works regardless of what the source folder is named. #2 — TODO comment on dperson/samba:latest. Switching to a digest needs a verified upstream release; left for the test-day pin. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-15 10:17:00 +02:00			`# Values that an app's .env.example may use as obvious "fill me in" markers.`
			`# If any of these reach the live .env, install refuses — otherwise we'd ship`
			`# an SMB share with password "changeme" out of the box, which is the kind of`
			`# default that ends up screenshotted on Hacker News.`
			`PLACEHOLDER_SECRETS: frozenset[str] = frozenset({"changeme"})`

feat(furtka): reconciler + install/remove — slice 2 Fills in the act-on-it half of the resource manager. Reconciler walks the scanner output and brings docker into the desired state: ensures each manifest-declared volume exists (idempotent), then runs docker compose up -d for the project. install/remove on the CLI work end-to-end against a real /var/lib/furtka/apps/ tree. - furtka.dockerops: thin subprocess wrapper. Volume + compose primitives that other modules call. `_run` raises DockerError with the actual stderr so failures are diagnosable. - furtka.reconciler: builds an ordered Action list (volumes then compose_up per app), executes unless dry-run. Broken manifests produce a "skip" action, the rest of the apps still get reconciled. - furtka.installer: copy-from-source with two non-obvious rules — user .env is preserved across upgrade installs, and a missing .env is bootstrapped from .env.example so compose has values to substitute on first install. Bundled-app lookup falls back to /opt/furtka/apps/<name>/ when the source arg isn't a path. - furtka.cli: app install/remove wired up. remove() ignores compose down failures so a botched compose doesn't trap users with an un-removable folder. - 15 new tests using monkeypatch'd dockerops so the suite still runs without docker installed. Covers reconcile dry-run, multi-volume apps, broken-manifest skip behavior, .env preservation, bundled-name resolution, and remove edge cases. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-15 10:02:00 +02:00
			`class InstallError(RuntimeError):`
			`pass`


fix(furtka): audit follow-ups — placeholder secrets, isolate reconcile, .env perms Addresses the four issues raised in the slice-3 audit before pushing. #1 (critical) — refuse to finish install when .env still contains placeholder secrets like "changeme". Without this, `furtka app install fileshare` would happily start an SMB server with a publicly-known password — the kind of default that ends up screenshotted on Hacker News. PLACEHOLDER_SECRETS lives in installer.py; new tests cover placeholder rejection, post-edit retry, and quoted values. #3 — reconciler now catches DockerError / FileNotFoundError / OSError per-app instead of letting a single broken app abort the whole boot-scan. Errors get surfaced as Action(kind="error", …) and has_errors() drives the CLI exit code so systemd still shows red, but the other apps actually got reconciled. #4 — chmod 0600 on .env after install so app secrets aren't world- readable on multi-user boxes. Done before the placeholder check so even the half-installed state is safe. #5 — load_manifest() got an optional expected_name. The scanner passes the folder name (filesystem source-of-truth contract); installer leaves it None so `furtka app install /tmp/some-fork/` works regardless of what the source folder is named. #2 — TODO comment on dperson/samba:latest. Switching to a digest needs a verified upstream release; left for the test-day pin. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-15 10:17:00 +02:00			`def _placeholder_keys(env_path: Path) -> list[str]:`
			`if not env_path.exists():`
			`return []`
			`bad: list[str] = []`
			`for raw in env_path.read_text().splitlines():`
			`line = raw.strip()`
			`if not line or line.startswith("#") or "=" not in line:`
			`continue`
			`key, _, value = line.partition("=")`
			`value = value.strip().strip('"').strip("'")`
			`if value in PLACEHOLDER_SECRETS:`
			`bad.append(key.strip())`
			`return bad`


feat(furtka): reconciler + install/remove — slice 2 Fills in the act-on-it half of the resource manager. Reconciler walks the scanner output and brings docker into the desired state: ensures each manifest-declared volume exists (idempotent), then runs docker compose up -d for the project. install/remove on the CLI work end-to-end against a real /var/lib/furtka/apps/ tree. - furtka.dockerops: thin subprocess wrapper. Volume + compose primitives that other modules call. `_run` raises DockerError with the actual stderr so failures are diagnosable. - furtka.reconciler: builds an ordered Action list (volumes then compose_up per app), executes unless dry-run. Broken manifests produce a "skip" action, the rest of the apps still get reconciled. - furtka.installer: copy-from-source with two non-obvious rules — user .env is preserved across upgrade installs, and a missing .env is bootstrapped from .env.example so compose has values to substitute on first install. Bundled-app lookup falls back to /opt/furtka/apps/<name>/ when the source arg isn't a path. - furtka.cli: app install/remove wired up. remove() ignores compose down failures so a botched compose doesn't trap users with an un-removable folder. - 15 new tests using monkeypatch'd dockerops so the suite still runs without docker installed. Covers reconcile dry-run, multi-volume apps, broken-manifest skip behavior, .env preservation, bundled-name resolution, and remove edge cases. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-15 10:02:00 +02:00			`def resolve_source(source: str) -> Path:`
			"""Resolve a `furtka app install <source>` arg to a real source folder.

			If `source` looks like a path (or exists on disk), use it. Otherwise treat
			`it as a bundled app name and look up under /opt/furtka/apps/<name>.`
			`"""`
			`p = Path(source)`
			`if p.is_dir():`
			`return p`
			`if "/" in source or source.startswith("."):`
			`raise InstallError(f"{source!r} is not a directory")`
			`bundled = bundled_apps_dir() / source`
			`if bundled.is_dir():`
			`return bundled`
			`raise InstallError(f"{source!r} not found as a path or bundled app")`


			`def install_from(src: Path) -> Path:`
			`"""Copy a validated app folder into /var/lib/furtka/apps/<name>/.`

			`Preserves an existing .env on upgrade. Bootstraps .env from .env.example`
fix(furtka): audit follow-ups — placeholder secrets, isolate reconcile, .env perms Addresses the four issues raised in the slice-3 audit before pushing. #1 (critical) — refuse to finish install when .env still contains placeholder secrets like "changeme". Without this, `furtka app install fileshare` would happily start an SMB server with a publicly-known password — the kind of default that ends up screenshotted on Hacker News. PLACEHOLDER_SECRETS lives in installer.py; new tests cover placeholder rejection, post-edit retry, and quoted values. #3 — reconciler now catches DockerError / FileNotFoundError / OSError per-app instead of letting a single broken app abort the whole boot-scan. Errors get surfaced as Action(kind="error", …) and has_errors() drives the CLI exit code so systemd still shows red, but the other apps actually got reconciled. #4 — chmod 0600 on .env after install so app secrets aren't world- readable on multi-user boxes. Done before the placeholder check so even the half-installed state is safe. #5 — load_manifest() got an optional expected_name. The scanner passes the folder name (filesystem source-of-truth contract); installer leaves it None so `furtka app install /tmp/some-fork/` works regardless of what the source folder is named. #2 — TODO comment on dperson/samba:latest. Switching to a digest needs a verified upstream release; left for the test-day pin. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-15 10:17:00 +02:00			`on first install if .env wasn't shipped. Refuses to finish (raises`
			`InstallError) if the resulting .env still has placeholder secrets — the`
			`target folder is left in place so the user can edit and re-run.`

			`Returns the target folder on success.`
feat(furtka): reconciler + install/remove — slice 2 Fills in the act-on-it half of the resource manager. Reconciler walks the scanner output and brings docker into the desired state: ensures each manifest-declared volume exists (idempotent), then runs docker compose up -d for the project. install/remove on the CLI work end-to-end against a real /var/lib/furtka/apps/ tree. - furtka.dockerops: thin subprocess wrapper. Volume + compose primitives that other modules call. `_run` raises DockerError with the actual stderr so failures are diagnosable. - furtka.reconciler: builds an ordered Action list (volumes then compose_up per app), executes unless dry-run. Broken manifests produce a "skip" action, the rest of the apps still get reconciled. - furtka.installer: copy-from-source with two non-obvious rules — user .env is preserved across upgrade installs, and a missing .env is bootstrapped from .env.example so compose has values to substitute on first install. Bundled-app lookup falls back to /opt/furtka/apps/<name>/ when the source arg isn't a path. - furtka.cli: app install/remove wired up. remove() ignores compose down failures so a botched compose doesn't trap users with an un-removable folder. - 15 new tests using monkeypatch'd dockerops so the suite still runs without docker installed. Covers reconcile dry-run, multi-volume apps, broken-manifest skip behavior, .env preservation, bundled-name resolution, and remove edge cases. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-15 10:02:00 +02:00			`"""`
			`manifest_path = src / "manifest.json"`
			`if not manifest_path.exists():`
			`raise InstallError(f"{src} has no manifest.json")`
			`try:`
			`m = load_manifest(manifest_path)`
			`except ManifestError as e:`
			`raise InstallError(str(e)) from e`

			`target = apps_dir() / m.name`
			`target.mkdir(parents=True, exist_ok=True)`

			`for item in src.iterdir():`
			`if not item.is_file():`
			`continue`
			`# Never overwrite an existing user .env.`
			`if item.name == ".env" and (target / ".env").exists():`
			`continue`
			`shutil.copy2(item, target / item.name)`

			`# First install with no .env shipped: bootstrap from .env.example so the`
			`# user has something to edit and compose has values to substitute.`
			`env = target / ".env"`
			`env_example = target / ".env.example"`
			`if not env.exists() and env_example.exists():`
			`shutil.copy2(env_example, env)`

fix(furtka): audit follow-ups — placeholder secrets, isolate reconcile, .env perms Addresses the four issues raised in the slice-3 audit before pushing. #1 (critical) — refuse to finish install when .env still contains placeholder secrets like "changeme". Without this, `furtka app install fileshare` would happily start an SMB server with a publicly-known password — the kind of default that ends up screenshotted on Hacker News. PLACEHOLDER_SECRETS lives in installer.py; new tests cover placeholder rejection, post-edit retry, and quoted values. #3 — reconciler now catches DockerError / FileNotFoundError / OSError per-app instead of letting a single broken app abort the whole boot-scan. Errors get surfaced as Action(kind="error", …) and has_errors() drives the CLI exit code so systemd still shows red, but the other apps actually got reconciled. #4 — chmod 0600 on .env after install so app secrets aren't world- readable on multi-user boxes. Done before the placeholder check so even the half-installed state is safe. #5 — load_manifest() got an optional expected_name. The scanner passes the folder name (filesystem source-of-truth contract); installer leaves it None so `furtka app install /tmp/some-fork/` works regardless of what the source folder is named. #2 — TODO comment on dperson/samba:latest. Switching to a digest needs a verified upstream release; left for the test-day pin. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-15 10:17:00 +02:00			`# .env carries app secrets — lock to root-only. Done before the placeholder`
			`# check so even the half-installed state is at least not world-readable.`
			`if env.exists():`
			`env.chmod(0o600)`

			`bad = _placeholder_keys(env)`
			`if bad:`
			`raise InstallError(`
			`f"{m.name}: {env} still has placeholder values for {', '.join(bad)}. "`
			`f"Edit the file (set real values), then re-run "`
			f"`furtka app install {m.name}`."
			`)`

feat(furtka): reconciler + install/remove — slice 2 Fills in the act-on-it half of the resource manager. Reconciler walks the scanner output and brings docker into the desired state: ensures each manifest-declared volume exists (idempotent), then runs docker compose up -d for the project. install/remove on the CLI work end-to-end against a real /var/lib/furtka/apps/ tree. - furtka.dockerops: thin subprocess wrapper. Volume + compose primitives that other modules call. `_run` raises DockerError with the actual stderr so failures are diagnosable. - furtka.reconciler: builds an ordered Action list (volumes then compose_up per app), executes unless dry-run. Broken manifests produce a "skip" action, the rest of the apps still get reconciled. - furtka.installer: copy-from-source with two non-obvious rules — user .env is preserved across upgrade installs, and a missing .env is bootstrapped from .env.example so compose has values to substitute on first install. Bundled-app lookup falls back to /opt/furtka/apps/<name>/ when the source arg isn't a path. - furtka.cli: app install/remove wired up. remove() ignores compose down failures so a botched compose doesn't trap users with an un-removable folder. - 15 new tests using monkeypatch'd dockerops so the suite still runs without docker installed. Covers reconcile dry-run, multi-volume apps, broken-manifest skip behavior, .env preservation, bundled-name resolution, and remove edge cases. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-15 10:02:00 +02:00			`return target`


			`def remove(name: str) -> Path:`
			`"""Delete /var/lib/furtka/apps/<name>/. Volumes are NOT touched.`

			`Caller is responsible for stopping the compose project first.`
			`"""`
			`target = apps_dir() / name`
			`if not target.exists():`
			`raise InstallError(f"{name!r} is not installed")`
			`shutil.rmtree(target)`
			`return target`