Add apl-feed config sync subcommand and metadata-LWW apply gate (#83)

* feat(apply): gate writes with metadata last-write-wins

Skip per-key writes whose incoming edited_at is not strictly newer than the on-disk feed.meta.json entry, with a bogus-future heal exception. Symmetric with the server-side LWW in /api/feeders/config/sync.

* feat(apl-feed): add config sync subcommand and systemd timer

Periodic ~60s poll of POST /api/feeders/config/sync that pushes the local snapshot and applies the server's merged response. Authenticates with the existing Bearer alv1 token. Hardening: tight ReadWritePaths, jitter, on-disk metadata round-trip with rejected_fields healing.

* fix(config-sync): four review-driven correctness fixes

LWW bogus-future check now uses APL_APPLY_INCOMING_SERVER_TIME from the response so a fast local clock cannot self-mask future-stamped on-disk metadata. Atomic position-group LWW pre-check in config.sh stops a partial server response from mixing local and server axes. _config_sync_load_meta validates RFC 3339 and edited_by enum per entry. read_secret_file failure is captured cleanly so a corrupt secret exits 64 instead of 1.

Author: d4rken

scripts/airplanes-config-sync.service

@@ -0,0 +1,16 @@
+[Unit]
+Description=airplanes.live feeder remote-config sync
+Wants=network-online.target
+After=network-online.target airplanes-feed.service
+ConditionPathExists=/etc/airplanes/feeder-claim-secret
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/apl-feed config sync
+TimeoutStartSec=60s
+SyslogIdentifier=airplanes-config-sync
+NoNewPrivileges=yes
+ProtectSystem=strict
+ProtectHome=yes
+PrivateTmp=yes
+ReadWritePaths=/var/lib/airplanes /etc/airplanes /run

scripts/airplanes-config-sync.timer

@@ -0,0 +1,12 @@
+[Unit]
+Description=Sync feeder remote configuration with airplanes.live every 60 seconds
+
+[Timer]
+OnBootSec=45s
+OnUnitActiveSec=60s
+RandomizedDelaySec=30s
+Unit=airplanes-config-sync.service
+Persistent=true
+
+[Install]
+WantedBy=timers.target

scripts/apl-feed.sh

@@ -111,6 +111,8 @@ source "$APL_FEED_LIB_DIR/apply.sh"
 source "$APL_FEED_LIB_DIR/schema.sh"
 # shellcheck source=scripts/apl-feed/import.sh
 source "$APL_FEED_LIB_DIR/import.sh"
+# shellcheck source=scripts/apl-feed/config.sh
+source "$APL_FEED_LIB_DIR/config.sh"
 
 main() {
     local cmd="${1:-}"
@@ -159,6 +161,10 @@ main() {
             shift
             dispatch_import "$@"
             ;;
+        config)
+            shift
+            dispatch_config "$@"
+            ;;
         -h|--help|'')
             usage
             ;;

scripts/apl-feed/common.sh

@@ -51,6 +51,7 @@ Usage:
   apl-feed diagnostics disable
   apl-feed apply [--no-restart] [--lock-timeout SECS]
   apl-feed schema
+  apl-feed config sync [--dry-run] [--no-restart]
   apl-feed import legacy-config [--no-restart] <path>
   apl-feed backup <file>
   apl-feed restore <file>