feat(sec/bootstrap,ci,docs): policy lib wiring, secure bootstrap, path fixes, MOTD/docs sync

Author: ShinniUwU

.github/workflows/shellcheck.yml

@@ -0,0 +1,44 @@
+name: ShellCheck Lint 🧪
+
+on:
+  push:
+    branches: [ main ]
+    paths:
+      - 'serverutils'
+      - 'Scripts/**'
+      - 'site/run.sh'
+      - 'ci/**'
+  pull_request:
+    branches: [ main ]
+    paths:
+      - 'serverutils'
+      - 'Scripts/**'
+      - 'site/run.sh'
+      - 'ci/**'
+
+permissions:
+  contents: read
+
+jobs:
+  shellcheck:
+    name: ShellCheck (bash lints)
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+      - name: Install shellcheck
+        run: |
+          sudo apt-get update -y
+          sudo apt-get install -y shellcheck
+      - name: Run shellcheck
+        run: |
+          set -euo pipefail
+          echo "Linting shell scripts with shellcheck"
+          shellcheck -V
+          # Lint top-level runner and site bootstrap
+          shellcheck -e SC1090 -e SC1091 serverutils site/run.sh || true
+          # Lint Scripts and CI scripts
+          find Scripts -type f -name '*.sh' -print0 | xargs -0 -r shellcheck -e SC1090 -e SC1091 || true
+          find ci -type f -name '*.sh' -print0 | xargs -0 -r shellcheck -e SC1090 -e SC1091 || true
+

.github/workflows/static.yml

@@ -44,6 +44,7 @@ jobs:
           test -f Scripts/lib/solen.sh
           test -f Scripts/lib/edit.sh
           test -f Scripts/lib/pm.sh
+          test -f Scripts/lib/policy.sh
           # Update scripts present
           test -f Scripts/update/check.sh
           test -f Scripts/update/apply.sh
@@ -60,6 +61,7 @@ jobs:
           grep -Fxq 'Scripts/lib/solen.sh' "$tmp_tar_list"
           grep -Fxq 'Scripts/lib/edit.sh' "$tmp_tar_list"
           grep -Fxq 'Scripts/lib/pm.sh' "$tmp_tar_list"
+          grep -Fxq 'Scripts/lib/policy.sh' "$tmp_tar_list"
           rm -f "$tmp_tar_list"
           # Create channel pointers and legacy latest name
           cp -f "$ver_tar" site/releases/solen-stable.tar.gz

.github/workflows/validate-json.yml

@@ -0,0 +1,36 @@
+name: Validate JSON Outputs ✅
+
+on:
+  push:
+    branches: [ main ]
+    paths:
+      - 'serverutils'
+      - 'Scripts/**'
+      - 'docs/**'
+      - 'ci/**'
+  pull_request:
+    branches: [ main ]
+    paths:
+      - 'serverutils'
+      - 'Scripts/**'
+      - 'docs/**'
+      - 'ci/**'
+
+permissions:
+  contents: read
+
+jobs:
+  validate-json:
+    name: Validate NDJSON contracts
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+      - name: Install dependencies
+        run: |
+          sudo apt-get update -y
+          sudo apt-get install -y jq
+      - name: Run validation script
+        run: |
+          bash ci/validate-json.sh
+

README.md

@@ -40,6 +40,14 @@ serverutils           # TUI
 serverutils list      # scripts with summaries
 ```
 
+Verify the install:
+
+```bash
+serverutils status                 # installed vs latest version
+serverutils list --long            # categories with one-line summaries
+serverutils run health/check -- --json   # quick JSON health snapshot
+```
+
 Developers — clone instead of curl:
 
 ```bash
@@ -94,6 +102,9 @@ Security:
 - Manifests include sha256 and can be signed in CI. To enforce verification, set `SOLEN_SIGN_PUBKEY_PEM` (PEM public key)
   and optional `SOLEN_REQUIRE_SIGNATURE=1` on hosts.
 - Updates stage to a temp dir, copy into `~/.local/share/solen/latest`, and keep `latest-prev` for rollback.
+ - The bootstrap also supports channels and signature verification:
+   - `bash <(curl -sL https://solen.shinni.dev/run.sh) --channel stable --user --with-motd --yes`
+   - When `SOLEN_SIGN_PUBKEY_PEM` is set, the manifest signature is verified before applying.
 
 ---
 
@@ -236,6 +247,25 @@ Tips
 * `SOLEN_NOOP=1` forces dry-run behavior globally.
 * `SOLEN_LOG_DIR=/path` overrides the default log base (`/var/log/solen` or `~/.local/share/solen`).
 * `SOLEN_ASSUME_YES=1` bypasses confirmation prompts.
+* Supported distros: Debian/Ubuntu first-class; Fedora/Arch/openSUSE best-effort via the package abstraction.
+
+---
+
+## ♻️ Uninstall
+
+Per‑user uninstall (runner symlinks and hooks):
+
+```bash
+serverutils install --uninstall --user --yes
+```
+
+Remove everything installed by SOLEN (user scope):
+
+```bash
+serverutils install --uninstall-everything --user --yes
+```
+
+System‑wide variants use `--global` and may require `sudo`.
 
 ---
 

Scripts/lib/policy.sh

@@ -0,0 +1,212 @@
+#!/usr/bin/env bash
+# Minimal policy helpers for SOLEN
+# Looks for a YAML policy file and answers allow/deny queries.
+#
+# Policy resolution precedence (first found wins):
+#   1) $SOLEN_POLICY (set to /dev/null to disable policy)
+#   2) $HOME/.serverutils/policy.yaml
+#   3) /etc/solen/policy.yaml
+#
+# Behavior:
+# - If no policy file is present, all checks allow by default (return 0).
+# - If a list exists under allow.* for a given check, membership is required.
+# - deny.* lists override and force a deny when matched.
+
+__SOLEN_POLICY_LOADED=0
+__SOLEN_POLICY_FILE=""
+declare -a _SOLEN_ALLOW_TOKENS
+declare -a _SOLEN_ALLOW_SERV_RESTART
+declare -a _SOLEN_ALLOW_PATHS_PRUNE
+declare -a _SOLEN_DENY_SERV_RESTART
+declare -a _SOLEN_DENY_PATHS_PRUNE
+
+solen__policy_path() {
+  local p=""
+  if [[ -n "${SOLEN_POLICY:-}" ]]; then
+    [[ "${SOLEN_POLICY}" == "/dev/null" ]] && echo "" && return 0
+    [[ -r "${SOLEN_POLICY}" ]] && echo "${SOLEN_POLICY}" && return 0
+  fi
+  if [[ -r "${HOME}/.serverutils/policy.yaml" ]]; then
+    echo "${HOME}/.serverutils/policy.yaml"; return 0
+  fi
+  if [[ -r "/etc/solen/policy.yaml" ]]; then
+    echo "/etc/solen/policy.yaml"; return 0
+  fi
+  echo ""
+}
+
+solen__arr_contains() { # arrname value
+  local __arr_name="$1"; shift
+  local needle="$1"; shift || true
+  local v
+  # shellcheck disable=SC1087,SC2128
+  for v in ${!__arr_name[@]}; do :; done >/dev/null 2>&1 || true
+  # iterate using indirect expansion
+  local -n __arr_ref="${__arr_name}"
+  for v in "${__arr_ref[@]}"; do
+    [[ "$v" == "$needle" ]] && return 0
+  done
+  return 1
+}
+
+solen__path_has_prefix() { # haystack_path candidate_prefix
+  local path="$1"; local pref="$2"
+  [[ -z "$path" || -z "$pref" ]] && return 1
+  case "$path" in
+    "$pref"|"$pref"/*) return 0 ;;
+  esac
+  return 1
+}
+
+solen__read_inline_list() { # input like: key: ["a", "b", c]
+  local line="$1"
+  local inside="${line#*[}"
+  inside="${inside%]*}"
+  # split by comma
+  local IFS=,
+  read -r -a parts <<< "$inside"
+  for it in "${parts[@]}"; do
+    it="${it## }"; it="${it%% }"
+    it="${it%\r}"
+    it="${it%\n}"
+    it="${it%\,}"
+    it="${it#\"}"; it="${it%\"}"
+    it="${it#\'}"; it="${it%\'}"
+    [[ -n "$it" ]] && printf '%s\n' "$it"
+  done
+}
+
+solen__policy_load_awk() {
+  local f="$1"
+  local mode="" sub=""
+  while IFS= read -r line; do
+    # normalize tabs
+    case "$line" in $'\t'*) line="${line//$'\t'/  }" ;; esac
+    # state transitions
+    if [[ "$line" =~ ^[[:space:]]*allow: ]]; then mode="allow"; sub=""; continue; fi
+    if [[ "$line" =~ ^[[:space:]]*deny: ]]; then mode="deny"; sub=""; continue; fi
+    if [[ "$line" =~ ^[[:space:]]*services: ]]; then sub="services"; continue; fi
+    if [[ "$line" =~ ^[[:space:]]*paths: ]]; then sub="paths"; continue; fi
+    if [[ "$line" =~ ^[[:space:]]*tokens: ]]; then
+      if [[ "$line" =~ \[.*\] ]]; then
+        while IFS= read -r item; do _SOLEN_ALLOW_TOKENS+=("$item"); done < <(solen__read_inline_list "$line")
+        continue
+      fi
+      # read multi-line list that follows under allow: tokens:
+      while IFS= read -r nxt; do
+        [[ ! "$nxt" =~ ^[[:space:]]*-[[:space:]] ]] && { line="$nxt"; break; }
+        nxt="${nxt#*- }"; nxt="${nxt## }"; nxt="${nxt%% }"; nxt="${nxt#\"}"; nxt="${nxt%\"}"; nxt="${nxt#\'}"; nxt="${nxt%\'}"
+        [[ -n "$nxt" ]] && _SOLEN_ALLOW_TOKENS+=("$nxt")
+      done
+      continue
+    fi
+    # services.restart / services.enable
+    if [[ "$mode" == "allow" && "$sub" == "services" && "$line" =~ ^[[:space:]]*restart: ]]; then
+      if [[ "$line" =~ \[.*\] ]]; then
+        while IFS= read -r item; do _SOLEN_ALLOW_SERV_RESTART+=("$item"); done < <(solen__read_inline_list "$line")
+      else
+        while IFS= read -r nxt; do
+          [[ ! "$nxt" =~ ^[[:space:]]*-[[:space:]] ]] && { line="$nxt"; break; }
+          nxt="${nxt#*- }"; nxt="${nxt## }"; nxt="${nxt%% }"; nxt="${nxt#\"}"; nxt="${nxt%\"}"; nxt="${nxt#\'}"; nxt="${nxt%\'}"
+          [[ -n "$nxt" ]] && _SOLEN_ALLOW_SERV_RESTART+=("$nxt")
+        done
+      fi
+      continue
+    fi
+    # paths.prune
+    if [[ "$sub" == "paths" && "$line" =~ ^[[:space:]]*prune: ]]; then
+      local arrname="_SOLEN_ALLOW_PATHS_PRUNE"
+      if [[ "$mode" == "deny" ]]; then arrname="_SOLEN_DENY_PATHS_PRUNE"; fi
+      if [[ "$line" =~ \[.*\] ]]; then
+        while IFS= read -r item; do eval "$arrname+=(\"\$item\")"; done < <(solen__read_inline_list "$line")
+      else
+        while IFS= read -r nxt; do
+          [[ ! "$nxt" =~ ^[[:space:]]*-[[:space:]] ]] && { line="$nxt"; break; }
+          nxt="${nxt#*- }"; nxt="${nxt## }"; nxt="${nxt%% }"; nxt="${nxt#\"}"; nxt="${nxt%\"}"; nxt="${nxt#\'}"; nxt="${nxt%\'}"
+          [[ -n "$nxt" ]] && eval "$arrname+=(\"\$nxt\")"
+        done
+      fi
+      continue
+    fi
+    # deny.services.restart
+    if [[ "$mode" == "deny" && "$sub" == "services" && "$line" =~ ^[[:space:]]*restart: ]]; then
+      if [[ "$line" =~ \[.*\] ]]; then
+        while IFS= read -r item; do _SOLEN_DENY_SERV_RESTART+=("$item"); done < <(solen__read_inline_list "$line")
+      else
+        while IFS= read -r nxt; do
+          [[ ! "$nxt" =~ ^[[:space:]]*-[[:space:]] ]] && { line="$nxt"; break; }
+          nxt="${nxt#*- }"; nxt="${nxt## }"; nxt="${nxt%% }"; nxt="${nxt#\"}"; nxt="${nxt%\"}"; nxt="${nxt#\'}"; nxt="${nxt%\'}"
+          [[ -n "$nxt" ]] && _SOLEN_DENY_SERV_RESTART+=("$nxt")
+        done
+      fi
+      continue
+    fi
+  done < "$f"
+}
+
+solen__policy_load() {
+  [[ $__SOLEN_POLICY_LOADED -eq 1 ]] && return 0
+  __SOLEN_POLICY_FILE="$(solen__policy_path)"
+  if [[ -z "$__SOLEN_POLICY_FILE" || ! -r "$__SOLEN_POLICY_FILE" ]]; then
+    __SOLEN_POLICY_LOADED=1; return 0
+  fi
+  # Clear arrays
+  _SOLEN_ALLOW_TOKENS=()
+  _SOLEN_ALLOW_SERV_RESTART=()
+  _SOLEN_ALLOW_PATHS_PRUNE=()
+  _SOLEN_DENY_SERV_RESTART=()
+  _SOLEN_DENY_PATHS_PRUNE=()
+  if command -v yq >/dev/null 2>&1; then
+    # allow tokens
+    while IFS= read -r t; do [[ -n "$t" && "$t" != "null" ]] && _SOLEN_ALLOW_TOKENS+=("$t"); done < <(yq -r '.allow.tokens[]? // empty' "$__SOLEN_POLICY_FILE" 2>/dev/null)
+    # services.restart allow/deny
+    while IFS= read -r s; do [[ -n "$s" && "$s" != "null" ]] && _SOLEN_ALLOW_SERV_RESTART+=("$s"); done < <(yq -r '.allow.services.restart[]? // empty' "$__SOLEN_POLICY_FILE" 2>/dev/null)
+    while IFS= read -r s; do [[ -n "$s" && "$s" != "null" ]] && _SOLEN_DENY_SERV_RESTART+=("$s"); done < <(yq -r '.deny.services.restart[]? // empty' "$__SOLEN_POLICY_FILE" 2>/dev/null)
+    # paths.prune allow/deny
+    while IFS= read -r p; do [[ -n "$p" && "$p" != "null" ]] && _SOLEN_ALLOW_PATHS_PRUNE+=("$p"); done < <(yq -r '.allow.paths.prune[]? // empty' "$__SOLEN_POLICY_FILE" 2>/dev/null)
+    while IFS= read -r p; do [[ -n "$p" && "$p" != "null" ]] && _SOLEN_DENY_PATHS_PRUNE+=("$p"); done < <(yq -r '.deny.paths.prune[]? // empty' "$__SOLEN_POLICY_FILE" 2>/dev/null)
+  else
+    solen__policy_load_awk "$__SOLEN_POLICY_FILE"
+  fi
+  __SOLEN_POLICY_LOADED=1
+}
+
+solen_policy_allows_token() { # token
+  local token="$1"
+  solen__policy_load
+  # No policy => allow
+  if [[ -z "$__SOLEN_POLICY_FILE" ]]; then return 0; fi
+  # If allow list is empty or missing, allow
+  local count=${#_SOLEN_ALLOW_TOKENS[@]}
+  if (( count == 0 )); then return 0; fi
+  solen__arr_contains _SOLEN_ALLOW_TOKENS "$token"
+}
+
+solen_policy_allows_service_restart() { # service
+  local svc="$1"
+  solen__policy_load
+  if [[ -z "$__SOLEN_POLICY_FILE" ]]; then return 0; fi
+  # deny overrides
+  if solen__arr_contains _SOLEN_DENY_SERV_RESTART "$svc"; then return 1; fi
+  local count=${#_SOLEN_ALLOW_SERV_RESTART[@]}
+  if (( count == 0 )); then return 0; fi
+  solen__arr_contains _SOLEN_ALLOW_SERV_RESTART "$svc"
+}
+
+solen_policy_allows_prune_path() { # path
+  local path="$1"
+  solen__policy_load
+  if [[ -z "$__SOLEN_POLICY_FILE" ]]; then return 0; fi
+  # deny overrides
+  local p
+  for p in "${_SOLEN_DENY_PATHS_PRUNE[@]}"; do
+    if solen__path_has_prefix "$path" "$p"; then return 1; fi
+  done
+  local count=${#_SOLEN_ALLOW_PATHS_PRUNE[@]}
+  if (( count == 0 )); then return 0; fi
+  for p in "${_SOLEN_ALLOW_PATHS_PRUNE[@]}"; do
+    if solen__path_has_prefix "$path" "$p"; then return 0; fi
+  done
+  return 1
+}
+

Scripts/lib/solen.sh

@@ -69,3 +69,13 @@ solen_json_record_full() {
   local status="$1" summary="$2" details_fragment="$3"
   solen_json_record "$status" "$summary" "" "$details_fragment"
 }
+
+# Try to source policy helpers if available; otherwise permissive fallbacks
+__SOLEN_LIB_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+if [ -f "${__SOLEN_LIB_DIR}/policy.sh" ]; then
+  . "${__SOLEN_LIB_DIR}/policy.sh"
+else
+  solen_policy_allows_token() { return 0; }
+  solen_policy_allows_service_restart() { return 0; }
+  solen_policy_allows_prune_path() { return 0; }
+fi