fix(claim): stop airplanes-claim.timer after a successful claim write

Once the secret lands on disk the timer's job is done. Without an active stop, its OnUnitActiveSec=5min keeps firing and systemd logs a condition-skip line against airplanes-claim.service on every fire — which the webconfig Claim activity panel surfaces to feeder owners as endless 'unmet condition' noise.

Hook into both writers (claim register success, claim set new-write + idempotent re-normalize). The helper is silent on hosts without systemctl or the timer unit, mirroring restart_feeder_services's guards, so legacy non-image installs are unaffected. WantedBy=timers.target stays intact so a future factory reset or reclaim re-arms the timer on the next reboot.

Author: d4rken

scripts/apl-feed/claim.sh

@@ -118,6 +118,11 @@ claim_register() {
                     chmod 640 "$pending"
                     mv "$pending" "$final"
                 fi
+                # The secret is on disk; stop the timer before any later
+                # failure (write_version_file errno, echo EPIPE, etc.)
+                # could abort under `set -e` and leave the retry timer
+                # firing indefinitely against a now-claimed feeder.
+                stop_claim_timer_if_present
                 write_version_file "$version"
                 echo "SUCCESS ($status, version $version)"
                 echo "Secret persisted to $final"
@@ -394,10 +399,16 @@ claim_rotate() {
 claim_set() {
     # Save a claim secret minted by the website (e.g. the same-IP claim
     # legacy bootstrap, the owner-side Reset secret flow, or a support
-    # reset) and restart feeder services so the new value takes effect
-    # immediately. The secret is read from stdin (TTY prompts; pipes work
+    # reset). The secret is read from stdin (TTY prompts; pipes work
     # too) so the value never lands in argv or shell history.
     #
+    # No feeder-daemon restart: neither airplanes-feed nor airplanes-mlat
+    # reads the claim secret — only apl-feed itself does, and the next
+    # CLI invocation picks up the file change immediately. The only
+    # systemd touch is stopping the image-side airplanes-claim.timer
+    # post-write so the now-claimed feeder stops accumulating condition-
+    # skip noise in the service journal.
+    #
     # Refuses to overwrite an existing different secret unless --force is
     # passed; a no-op when the supplied secret already matches the local
     # one.
@@ -468,7 +479,7 @@ claim_set() {
 
     echo "Feeder ID: $uuid"
     if (( DRY_RUN )); then
-        echo "(dry-run; would save secret + restart feeder services)"
+        echo "(dry-run; would save secret to $final)"
         return 0
     fi
 
@@ -481,14 +492,17 @@ claim_set() {
         # Same canonical value already on disk. Re-write to normalize byte
         # contents (lowercase / hyphenated raw input gets canonicalized)
         # and the file mode (0600). Don't drop the version file — the
-        # local secret bytes haven't functionally changed. Don't restart
-        # services either: nothing observable changed.
+        # local secret bytes haven't functionally changed.
         write_secret_file "$final" "$secret"
+        stop_claim_timer_if_present
         echo "Local claim secret already matches — no change."
         return 0
     fi
 
     write_secret_file "$final" "$secret"
+    # Secret is on disk; stop the timer before any later step (rm,
+    # echo EPIPE) could abort under `set -e`.
+    stop_claim_timer_if_present
 
     # Local secret no longer matches whatever the version file claimed.
     # Drop the version file so `claim show` / `backup` can't pair a
@@ -497,12 +511,10 @@ claim_set() {
     rm -f "$version_path"
 
     echo "Claim secret saved."
-    # No daemon restart: neither airplanes-feed nor airplanes-mlat reads
-    # the claim secret. Only this CLI does, and the next CLI invocation
-    # picks up the file change immediately. The website's hash is already
-    # the new value (this command is run AFTER the website mints the
-    # secret), so the next outbound `status` or `rotate` from the feeder
-    # authenticates fine.
+    # The website's hash is already the new value (this command is run
+    # AFTER the website mints the secret), so the next outbound `status`
+    # or `rotate` from the feeder authenticates fine. No daemon restart
+    # — neither airplanes-feed nor airplanes-mlat reads this file.
     echo "Done. The feeder will use the new secret on its next contact with the website."
 }
 

scripts/apl-feed/common.sh

@@ -510,6 +510,34 @@ restart_feeder_services() {
     return $rc
 }
 
+# Stop the image-side airplanes-claim.timer after a successful claim write
+# (claim register / claim set). The timer drives retry of unclaimed feeders;
+# once the secret is on disk it has nothing to do, and every subsequent
+# 5-min fire logs `Condition check resulted in ... skipped` against the
+# service unit — which the webconfig "Claim activity" panel surfaces as
+# noise. The timer's WantedBy=timers.target keeps it re-armable on next
+# reboot if the secret is ever deleted (factory reset, manual reclaim).
+#
+# Defensive on every leg: silently no-ops on hosts without systemctl,
+# hosts without the timer unit (legacy non-image installs), and non-root
+# --root invocations (mirrors restart_feeder_services — stopping the
+# host's timer when operating on a different rootfs is wrong).
+#
+# APL_FEED_TEST_TIMER_STOP_FORCE is a test-only override so bats
+# integration tests can exercise the helper while using --root to scope
+# filesystem fixtures. The TEST prefix is deliberate so a stray export
+# in a production shell is visible at a glance; production callers must
+# never set this.
+stop_claim_timer_if_present() {
+    if [[ "$ROOT" != "/" && -z "${APL_FEED_TEST_TIMER_STOP_FORCE:-}" ]]; then
+        return 0
+    fi
+    if ! command -v systemctl >/dev/null 2>&1; then
+        return 0
+    fi
+    systemctl --no-block stop airplanes-claim.timer 2>/dev/null || true
+}
+
 parse_common_option() {
     case "${1:-}" in
         --root)

test/test_apl_feed_cli.bats

@@ -570,22 +570,32 @@ EOF
     [ "$(cat "$ROOT_DIR/etc/airplanes/feeder-claim-secret.version")" = "7" ]
 }
 
-@test "claim set never invokes systemctl (no daemon consumes the secret)" {
+@test "claim set never restarts feeder daemons (no daemon consumes the secret)" {
     # The claim secret is consumed only by apl-feed itself, not by
     # airplanes-feed or airplanes-mlat. Saving it must not bounce a
-    # working feeder. Use a sentinel stub that fails the test if invoked.
+    # working feeder. The only permitted systemctl call is the post-write
+    # stop of airplanes-claim.timer (see test_claim_timer_stop.bats);
+    # this assertion pins that NOTHING ELSE is touched.
+    COMMAND_LOG="$(mktemp)"
     cat > "$STUB_BIN_DIR/systemctl" <<'STUB'
 #!/usr/bin/env bash
-echo "systemctl invoked with: $*" >&2
-exit 99
+{ printf 'systemctl'; for a in "$@"; do printf ' %s' "$a"; done; printf '\n'; } >> "$COMMAND_LOG"
+exit 0
 STUB
     chmod +x "$STUB_BIN_DIR/systemctl"
+    export COMMAND_LOG APL_FEED_TEST_TIMER_STOP_FORCE=1
 
     run env "$SCRIPT" claim set --root "$ROOT_DIR" <<<"ABCDEFGHIJKLMNOP"
 
     [ "$status" -eq 0 ]
-    [[ ! "$output" =~ "systemctl invoked" ]]
     [[ ! "$output" =~ "Restarted" ]]
+    # Every recorded systemctl invocation must be the timer-stop. No
+    # restart, no reload, no apl-feed daemon touched.
+    while IFS= read -r line; do
+        [[ "$line" == "systemctl --no-block stop airplanes-claim.timer" ]] \
+            || { echo "unexpected systemctl call: $line" >&2; false; }
+    done < "$COMMAND_LOG"
+    rm -f "$COMMAND_LOG"
 }
 
 @test "claim set is idempotent when supplied secret already matches local" {
@@ -657,6 +667,93 @@ STUB
     [ ! -f "$restart_log" ]
 }
 
+
+# --- claim set: post-write timer stop -------------------------------------
+#
+# Coordinated with the image-side airplanes-claim.timer. Once claim set
+# lands the secret on disk, the timer has nothing left to do, and every
+# subsequent fire pollutes the service journal with condition-skip lines
+# that the webconfig Claim activity panel surfaces.
+
+@test "claim set new-secret write stops airplanes-claim.timer" {
+    COMMAND_LOG="$(mktemp)"
+    cat > "$STUB_BIN_DIR/systemctl" <<'STUB'
+#!/usr/bin/env bash
+{ printf 'systemctl'; for a in "$@"; do printf ' %s' "$a"; done; printf '\n'; } >> "$COMMAND_LOG"
+exit 0
+STUB
+    chmod +x "$STUB_BIN_DIR/systemctl"
+    export COMMAND_LOG APL_FEED_TEST_TIMER_STOP_FORCE=1
+
+    run env "$SCRIPT" claim set --root "$ROOT_DIR" <<<"ABCDEFGHIJKLMNOP"
+
+    [ "$status" -eq 0 ]
+    grep -F -- '--no-block stop airplanes-claim.timer' "$COMMAND_LOG"
+    rm -f "$COMMAND_LOG"
+}
+
+@test "claim set same-canonical-value (idempotent) still stops the timer" {
+    # The re-normalize path also writes the file (to fix mode / casing), so
+    # we want the timer-stop here too — keeps the helper invariant simple:
+    # any successful secret write triggers the stop.
+    echo "abcd-efgh-ijkl-mnop" > "$ROOT_DIR/etc/airplanes/feeder-claim-secret"
+    chmod 644 "$ROOT_DIR/etc/airplanes/feeder-claim-secret"
+    COMMAND_LOG="$(mktemp)"
+    cat > "$STUB_BIN_DIR/systemctl" <<'STUB'
+#!/usr/bin/env bash
+{ printf 'systemctl'; for a in "$@"; do printf ' %s' "$a"; done; printf '\n'; } >> "$COMMAND_LOG"
+exit 0
+STUB
+    chmod +x "$STUB_BIN_DIR/systemctl"
+    export COMMAND_LOG APL_FEED_TEST_TIMER_STOP_FORCE=1
+
+    run env "$SCRIPT" claim set --root "$ROOT_DIR" <<<"ABCD-EFGH-IJKL-MNOP"
+
+    [ "$status" -eq 0 ]
+    [[ "$output" =~ "already matches" ]]
+    grep -F -- '--no-block stop airplanes-claim.timer' "$COMMAND_LOG"
+    rm -f "$COMMAND_LOG"
+}
+
+@test "claim set --dry-run does NOT stop the timer (no secret was written)" {
+    COMMAND_LOG="$(mktemp)"
+    cat > "$STUB_BIN_DIR/systemctl" <<'STUB'
+#!/usr/bin/env bash
+{ printf 'systemctl'; for a in "$@"; do printf ' %s' "$a"; done; printf '\n'; } >> "$COMMAND_LOG"
+exit 0
+STUB
+    chmod +x "$STUB_BIN_DIR/systemctl"
+    export COMMAND_LOG APL_FEED_TEST_TIMER_STOP_FORCE=1
+
+    run env "$SCRIPT" claim set --root "$ROOT_DIR" --dry-run <<<"ABCDEFGHIJKLMNOP"
+
+    [ "$status" -eq 0 ]
+    [[ "$output" =~ "dry-run" ]]
+    [ ! -f "$ROOT_DIR/etc/airplanes/feeder-claim-secret" ]
+    ! grep -F -- 'stop airplanes-claim.timer' "$COMMAND_LOG"
+    rm -f "$COMMAND_LOG"
+}
+
+@test "claim set refuse-without-force does NOT stop the timer (nothing written)" {
+    echo "OLDSECRETXYZ1234" > "$ROOT_DIR/etc/airplanes/feeder-claim-secret"
+    chmod 600 "$ROOT_DIR/etc/airplanes/feeder-claim-secret"
+    COMMAND_LOG="$(mktemp)"
+    cat > "$STUB_BIN_DIR/systemctl" <<'STUB'
+#!/usr/bin/env bash
+{ printf 'systemctl'; for a in "$@"; do printf ' %s' "$a"; done; printf '\n'; } >> "$COMMAND_LOG"
+exit 0
+STUB
+    chmod +x "$STUB_BIN_DIR/systemctl"
+    export COMMAND_LOG APL_FEED_TEST_TIMER_STOP_FORCE=1
+
+    run env "$SCRIPT" claim set --root "$ROOT_DIR" <<<"NEWSECRETXYZ5678"
+
+    [ "$status" -ne 0 ]
+    [[ "$output" =~ "different claim secret" ]]
+    ! grep -F -- 'stop airplanes-claim.timer' "$COMMAND_LOG"
+    rm -f "$COMMAND_LOG"
+}
+
 @test "id set writes a new UUID and restarts both daemons feed-first" {
     rm -f "$ROOT_DIR/etc/airplanes/feeder-id"
     local restart_log="$ROOT_DIR/restart.log"