Merge pull request #178 from Aperivue/feat/v46-self-update-pr1b-updater

feat(updater): one-click classroom self-update — verified download + safe extraction (PR-1b)

Author: Yoojin-nam

.github/workflows/validate.yml

@@ -43,6 +43,9 @@ jobs:
       - name: Transactional installer crash-recovery + legacy-migration test
         run: python3 installers/tests/test_txn.py
 
+      - name: Updater verify / safe-extract / check-update test (offline)
+        run: python3 installers/tests/test_update.py
+
       - name: install.py transactional self-test (no host/state dir touched)
         run: python3 installers/install.py --self-test
 
@@ -219,19 +222,26 @@ jobs:
       - name: npm pack content audit (real pack, package/ prefix normalized)
         run: python3 scripts/check_npm_package_contents.py --real
 
-  # Cross-platform safety for the transactional installer (PR-1a). Ubuntu-only CI cannot
-  # assert Windows path/journal/os.replace behavior; these run the crash-recovery +
-  # legacy-migration tests and the transactional self-test on Windows. (Hash-based manifest
-  # --check stays Ubuntu-only — it is sensitive to checkout line endings, not OS behavior.)
-  foundation-windows:
-    runs-on: windows-latest
+  # Cross-platform safety for the transactional installer + updater (PR-1a/PR-1b). Ubuntu-only CI
+  # cannot assert macOS/Windows path/journal/os.replace/extraction behavior; this matrix runs the
+  # crash-recovery + legacy-migration tests, the updater verify/safe-extract tests, and the
+  # transactional self-test on macOS + Windows (Ubuntu is covered by the `validate` job). Hash-based
+  # manifest --check stays Ubuntu-only — it is sensitive to checkout line endings, not OS behavior.
+  foundation-os:
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [macos-latest, windows-latest]
+    runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v4
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
           python-version: "3.11"
-      - name: Transactional installer crash-recovery + legacy-migration test (Windows)
+      - name: Transactional installer crash-recovery + legacy-migration test
         run: python installers/tests/test_txn.py
-      - name: install.py transactional self-test (Windows)
+      - name: Updater verify / safe-extract / check-update test (offline)
+        run: python installers/tests/test_update.py
+      - name: install.py transactional self-test
         run: python installers/install.py --self-test

README.md

@@ -526,6 +526,26 @@ See [docs/classroom_distribution_plan.md](docs/classroom_distribution_plan.md) a
 
 > **Tip:** Not sure which skill to use? Start with `/orchestrate` -- it will classify your request and route you to the right tool.
 
+## Updating
+
+MedSci Skills updates often. You do **not** need GitHub, git, or the command line to stay current.
+
+- **One click (recommended for the classroom install).** After installing, an updater is placed at
+  `~/.medsci-skills/updater/` (and, if you chose `--desktop-launcher`, an **"Update MedSci Skills"**
+  icon on your Desktop). Double-click it: it downloads the latest release from GitHub, verifies it,
+  and re-installs — transactionally, so an interrupted update never corrupts your install.
+- **Already installed an old copy?** Re-download the latest classroom ZIP **once** and double-click
+  the installer; from then on the one-click updater is in place for every future update.
+- **Terminal users:** `npx medsci-skills@latest install` always installs the latest.
+- **Just checking:** `python3 installers/install.py --check-update` reports whether a newer version
+  is available and installs nothing.
+- **Claude Code plugin marketplace:** third-party marketplace **auto-update is off by default** —
+  enable it in Claude Code or run a manual plugin update.
+
+Updates connect only to GitHub, send no information about your machine or work, and create no
+telemetry or tracking. Modified skills are backed up before an update and never auto-deleted. See
+the [update privacy & data notice](docs/update_privacy.md).
+
 ## Key Features
 
 ### Autonomous E2E Pipeline

docs/update_privacy.md

@@ -0,0 +1,53 @@
+# Updating — privacy & data notice
+
+The self-updater exists so physician-researchers can stay current without using GitHub, git,
+or a terminal. It is intentionally minimal about data.
+
+## What it connects to
+
+- **`api.github.com`** — a single public, read-only GitHub REST call to look up the latest
+  release of `Aperivue/medsci-skills` (tag + the release asset's name and SHA-256 digest).
+- **GitHub's release-asset host** (`*.githubusercontent.com`) — to download the classroom ZIP
+  for your operating system over HTTPS.
+
+No other servers are contacted.
+
+## What is (and is not) sent
+
+- The only thing sent is an ordinary HTTPS GET request (with a generic `User-Agent:
+  medsci-skills-updater`). GitHub, like any web host, sees your IP address and the request.
+- **Nothing about your machine or work is collected or transmitted.** The updater does **not**
+  read or send your working directory, file contents, transcripts, session data, or skill usage.
+  There is **no telemetry, no analytics, and no unique install identifier**.
+- Because GitHub is a US-based service, the network request may be processed outside your country.
+
+## What is stored locally
+
+Everything the updater writes stays on your computer under `~/.medsci-skills/`:
+
+- `targets/<target>/` — what version is installed where (an installed-manifest + small state file).
+- `backups/<timestamp>/<target>/` — snapshots of any skill you had modified, kept before an update
+  overwrites it. **These are never deleted automatically** — remove them yourself when you no longer
+  need them.
+- `updater/` — the one-click updater itself.
+- `update_check.json` — a small cache so the update check runs at most once a day.
+
+Install logs are written next to the installer and **mask your home directory as `~`**.
+
+## Checking, opting out, and uninstalling
+
+- **Check only:** `python3 installers/install.py --check-update` reports whether a newer version
+  exists and installs nothing.
+- **Skip the per-session update check** (if you opted into it): set the environment variable
+  `MEDSCI_NO_UPDATE_CHECK=1`.
+- **Uninstall the updater / state:** delete the `~/.medsci-skills/` folder (and any Desktop
+  "Update MedSci Skills" launcher you chose to create). The installed skills under
+  `~/.claude/skills` / `~/.agents/skills` are separate and remain until you remove them.
+
+## Security note (honest scope)
+
+Downloading a release and running its bundled installer is, by nature, **running code from
+GitHub**. The updater verifies the download's SHA-256 against the digest GitHub's API reports for
+that release asset, which **detects a corrupted or tampered-in-transit download** — it does **not**
+protect against a compromised GitHub account or a malicious official release. Treat updates with the
+same trust you place in this GitHub repository.

installers/install.py

@@ -194,13 +194,30 @@ def parse_args() -> argparse.Namespace:
         action="store_true",
         help="Simulate installs into temp dirs, assert all skills are discoverable, and touch no host directory. Exits 0 on pass.",
     )
+    parser.add_argument(
+        "--check-update",
+        action="store_true",
+        help="Report whether a newer release is available (connects to GitHub; installs nothing).",
+    )
+    parser.add_argument(
+        "--desktop-launcher",
+        action="store_true",
+        help="With your consent, also place an 'Update MedSci Skills' launcher on your Desktop.",
+    )
     return parser.parse_args()
 
 
 def main() -> int:
     args = parse_args()
     if args.self_test:
         return run_self_test()
+    if args.check_update:
+        try:
+            import update  # noqa: PLC0415 - optional, only when explicitly requested
+            return update.check_update(medsci_txn.state_home())
+        except Exception as exc:  # noqa: BLE001
+            print(f"MedSci Skills: update check unavailable ({exc}).", file=sys.stderr)
+            return 1
     log_lines: list[str] = []
     log("MedSci Skills Installer", log_lines)
     log(f"Repository: {REPO_ROOT}", log_lines)
@@ -228,6 +245,17 @@ def main() -> int:
         failures.append("cursor")
         log(f"\n[cursor] FAILED: {exc}", log_lines)
 
+    # Place the one-click updater under ~/.medsci-skills/updater/ so a future update needs no
+    # GitHub/terminal even if this download folder is deleted (best-effort; never fatal).
+    if not args.dry_run:
+        try:
+            import update  # noqa: PLC0415
+            update.install_updater_home(REPO_ROOT, medsci_txn.state_home(),
+                                        lambda m: log(m, log_lines),
+                                        desktop=args.desktop_launcher)
+        except Exception as exc:  # noqa: BLE001
+            log(f"\n[updater] could not install the one-click updater ({exc}); updates still work via re-running the installer.", log_lines)
+
     if failures:
         log(f"\nCompleted with errors on: {', '.join(failures)}. Other targets are fully installed.", log_lines)
         log("If this happened during class, send the install log to the instructor.", log_lines)

installers/tests/test_update.py

@@ -0,0 +1,201 @@
+#!/usr/bin/env python3
+"""Updater tests for installers/update.py — fully offline (network + install injected).
+
+Builds a synthetic classroom ZIP (single root, skills + installers + a matching
+distribution_files.json), fakes the GitHub API (digest = the ZIP's sha256) and the byte
+download, and mocks the install step (so no real host dir is touched). Covers the happy
+path + the supply-chain guards (digest mismatch, fail-closed no-digest, traversal, symlink,
+duplicate, unexpected file, hash/size mismatch, zip-bomb caps, draft/prerelease) and the
+check_update cache/semver logic. Run: python3 installers/tests/test_update.py
+"""
+from __future__ import annotations
+
+import hashlib
+import io
+import json
+import os
+import sys
+import tempfile
+import zipfile
+from pathlib import Path
+
+HERE = Path(__file__).resolve().parent
+sys.path.insert(0, str(HERE.parent))
+import update as U  # noqa: E402
+import medsci_txn  # noqa: E402
+
+PASS = 0
+FAIL = 0
+ROOT = "medsci-skills-classroom-2.0.0"
+
+
+def check(label, cond):
+    global PASS, FAIL
+    print(f"  {'PASS' if cond else 'FAIL'}  {label}")
+    PASS += (1 if cond else 0)
+    FAIL += (0 if cond else 1)
+
+
+def _sha(b: bytes) -> str:
+    return hashlib.sha256(b).hexdigest()
+
+
+def build_payload(tmp: Path) -> dict[str, bytes]:
+    """Return {relpath: bytes} for a minimal valid classroom payload (skills + installers +
+    README_FIRST), with metadata/distribution_files.json matching the skills/installers/readme."""
+    files: dict[str, bytes] = {}
+    files["README_FIRST.md"] = b"# MedSci Skills\n"
+    files["skills/demo/SKILL.md"] = b"# demo\n"
+    files["skills/demo/x.txt"] = b"data\n"
+    # ship the real installer modules so an extracted install.py would be runnable + the updater
+    # can self-install (update.py + medsci_txn.py) from the payload.
+    for n in ("install.py", "medsci_txn.py", "update.py"):
+        files[f"installers/{n}"] = (HERE.parent / n).read_bytes()
+    # inventory excludes the metadata manifests themselves (matches gen scope)
+    inv = [{"path": p, "size": len(b), "sha256": _sha(b)} for p, b in sorted(files.items())]
+    files["metadata/distribution_files.json"] = (json.dumps({"schema_version": 1, "files": inv}) + "\n").encode()
+    files["metadata/distribution_manifest.json"] = (json.dumps(
+        {"schema_version": 1, "version": "2.0.0", "owned_skills": ["demo"]}) + "\n").encode()
+    return files
+
+
+def make_zip(files: dict[str, bytes], root: str = ROOT, extra: dict[str, bytes] | None = None,
+             symlink: str | None = None, dup: bool = False) -> bytes:
+    buf = io.BytesIO()
+    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
+        for rel, b in files.items():
+            zf.writestr(f"{root}/{rel}", b)
+        for rel, b in (extra or {}).items():
+            zf.writestr(f"{root}/{rel}", b)
+        if symlink:
+            info = zipfile.ZipInfo(f"{root}/{symlink}")
+            info.external_attr = (0o120777 << 16)  # symlink mode
+            zf.writestr(info, "skills/demo")
+        if dup:
+            zf.writestr(f"{root}/skills/DEMO/SKILL.md", b"dup\n")  # case-insensitive dup of skills/demo
+    return buf.getvalue()
+
+
+def fake_api(zip_bytes: bytes, asset="medsci-skills-classroom-macos.zip", tag="v2.0.0",
+             draft=False, prerelease=False, digest=True):
+    def get_json(_url):
+        a = {"name": asset, "browser_download_url": "https://release-assets.githubusercontent.com/x.zip"}
+        if digest:
+            a["digest"] = "sha256:" + _sha(zip_bytes)
+        return {"tag_name": tag, "draft": draft, "prerelease": prerelease, "assets": [a]}
+    return get_json
+
+
+def run():
+    asset = "medsci-skills-classroom-macos.zip"
+    with tempfile.TemporaryDirectory(prefix="medsci-upd-") as tmp:
+        base = Path(tmp)
+        files = build_payload(base)
+        zbytes = make_zip(files)
+
+        # --- happy path: resolve + verify + safe-extract + install (mocked) + updater home ---
+        home = base / "home"
+        installs = []
+        rc = U.do_update(home, lambda m: None,
+                         get_json=fake_api(zbytes, asset=asset),
+                         get_bytes=lambda url: zbytes,
+                         asset_name=asset,
+                         run_install=lambda inst: installs.append(inst) or 0)
+        check("happy path returns tag v2.0.0", rc["tag"] == "v2.0.0")
+        check("happy path called the extracted installer", len(installs) == 1 and installs[0].name == "install.py")
+        check("updater installed to ~/.medsci-skills/updater/", (home / "updater" / "update.py").is_file())
+
+        # --- fail closed: no digest ---
+        try:
+            U.resolve_latest(fake_api(zbytes, asset=asset, digest=False), asset)
+            check("no-digest fails closed", False)
+        except U.UpdateError:
+            check("no-digest fails closed", True)
+
+        # --- draft/prerelease excluded ---
+        for flag in ("draft", "prerelease"):
+            try:
+                U.resolve_latest(fake_api(zbytes, asset=asset, **{flag: True}), asset)
+                check(f"{flag} release rejected", False)
+            except U.UpdateError:
+                check(f"{flag} release rejected", True)
+
+        # --- digest mismatch (tampered bytes) ---
+        try:
+            U.do_update(home, lambda m: None, get_json=fake_api(zbytes, asset=asset),
+                        get_bytes=lambda url: zbytes + b"X", asset_name=asset, run_install=lambda i: 0)
+            check("digest mismatch aborts", False)
+        except U.UpdateError:
+            check("digest mismatch aborts", True)
+
+        # --- safe_extract guards (extract a verified zip's bytes directly) ---
+        _, inv = U.read_inventory_from_zip(zbytes)
+
+        def extracts_ok(zb):
+            d = base / ("ex-%d" % len(os.listdir(base)))
+            d.mkdir()
+            U.safe_extract(zb, d, U.read_inventory_from_zip(zb)[1])
+
+        def rejects(label, zb):
+            try:
+                d = base / ("rej-%d" % len(os.listdir(base)))
+                d.mkdir()
+                U.safe_extract(zb, d, inv)
+                check(label, False)
+            except U.UpdateError:
+                check(label, True)
+
+        check("clean zip extracts", (extracts_ok(zbytes) is None))
+        rejects("traversal entry rejected", make_zip(files, extra={"../evil.txt": b"x"}))
+        rejects("unexpected file (not in inventory) rejected", make_zip(files, extra={"skills/demo/EXTRA.bin": b"x"}))
+        rejects("symlink entry rejected", make_zip(files, symlink="link"))
+        rejects("case-insensitive duplicate rejected", make_zip(files, dup=True))
+        # hash/size mismatch: change a payload file's bytes but keep the old inventory
+        tampered = dict(files)
+        tampered["skills/demo/x.txt"] = b"TAMPERED-DIFFERENT-LENGTH"
+        rejects("payload hash/size mismatch rejected", make_zip(tampered))
+
+        # zip-bomb caps
+        old_entries, old_total = U.MAX_ENTRIES, U.MAX_TOTAL_UNCOMPRESSED
+        try:
+            U.MAX_TOTAL_UNCOMPRESSED = 10
+            rejects("total-size cap rejects", zbytes)
+        finally:
+            U.MAX_TOTAL_UNCOMPRESSED = old_total
+        try:
+            U.MAX_ENTRIES = 1
+            rejects("entry-count cap rejects", zbytes)
+        finally:
+            U.MAX_ENTRIES = old_entries
+
+        # --- check_update semver + cache ---
+        h2 = base / "home2"
+        medsci_txn.atomic_write_json(h2 / "targets" / "claude" / "state.json", {"installed_version": "1.0.0"})
+        rc = U.check_update(h2, get_json=fake_api(zbytes, asset=asset, tag="v2.0.0"), asset_name=asset, force=True)
+        check("check_update: newer -> UPDATE_AVAILABLE", rc == U.CHK_UPDATE_AVAILABLE)
+        rc = U.check_update(h2, get_json=fake_api(zbytes, asset=asset, tag="v1.0.0"), asset_name=asset, force=True)
+        check("check_update: same -> UP_TO_DATE", rc == U.CHK_UP_TO_DATE)
+        # cache fresh -> no network call
+        called = {"n": 0}
+        def counting(_u):
+            called["n"] += 1
+            return fake_api(zbytes, asset=asset, tag="v2.0.0")(_u)
+        U.check_update(h2, get_json=counting, asset_name=asset, force=True)   # populates cache
+        U.check_update(h2, get_json=counting, asset_name=asset)              # should use cache
+        check("check_update: fresh cache avoids 2nd network call", called["n"] == 1)
+        # unknown local
+        rc = U.check_update(base / "home_empty", get_json=fake_api(zbytes, asset=asset), asset_name=asset, force=True)
+        check("check_update: unknown install -> UNKNOWN_LOCAL", rc == U.CHK_UNKNOWN_LOCAL)
+        # network failure
+        def boom(_u):
+            raise U.UpdateError("offline")
+        rc = U.check_update(h2, get_json=boom, asset_name=asset, force=True)
+        check("check_update: network failure -> NETWORK_FAILURE", rc == U.CHK_NETWORK_FAILURE)
+
+    print("----")
+    print(f"test_update: {PASS} passed, {FAIL} failed")
+    return 1 if FAIL else 0
+
+
+if __name__ == "__main__":
+    sys.exit(run())