refactor(webconfig): collapse update UI to one system-update path

Webconfig, feed, and mlat now ship and update together through the runtime overlay, so the per-step apt-only update is redundant with the orchestrator's own apt stage. Remove that path end-to-end — the /api/system-upgrade endpoint, its sudoers grant and helper script, the log slug, and the per-step buttons — leaving the Updates card with just Update System and Update System log.

Author: d4rken

.claude/CLAUDE.md

@@ -57,7 +57,7 @@ web/
 files/                          rootfs payload installed by install.sh (tarred at release time)
   etc/sudoers.d/                010 (base privilege)
   etc/systemd/system/           airplanes-webconfig.service + reset oneshot
-  usr/local/lib/airplanes-webconfig/  reset, system-upgrade.sh
+  usr/local/lib/airplanes-webconfig/  reset, identity-export.sh, identity-import.sh
   usr/local/lib/airplanes/      wifi-validators.sh, wifi-keyfile.sh (sourced by apl-wifi + airplanes-first-run)
   usr/local/bin/apl-wifi        privileged Wi-Fi management helper
 install.sh                      build-mode entrypoint (image build only)

files/etc/sudoers.d/010_airplanes-webconfig

@@ -34,15 +34,14 @@ airplanes-webconfig ALL=(root) NOPASSWD: /usr/local/bin/apl-wifi status --json
 airplanes-webconfig ALL=(root) NOPASSWD: /usr/bin/systemctl reboot
 airplanes-webconfig ALL=(root) NOPASSWD: /usr/bin/systemctl poweroff
 airplanes-webconfig ALL=(root) NOPASSWD: /usr/bin/systemctl start --no-block airplanes-claim.service
-airplanes-webconfig ALL=(root) NOPASSWD: /usr/bin/systemd-run --unit=airplanes-system-upgrade --collect /usr/local/lib/airplanes-webconfig/system-upgrade.sh
 
-# Unified update orchestrator (apt → feed → webconfig → runtime overlay).
+# Unified update orchestrator (apt → runtime overlay).
 # The trampoline at /usr/local/lib/airplanes-webconfig/start-orchestrator.sh
 # is shipped by airplanes-live/image (pi-gen stage 06d); it execs into the
 # orchestrator binary inside the active runtime release. --collect drops
 # the transient unit record on exit so a repeat invocation doesn't 409 on
 # a stale unit name. ExecStopPost HUPs this service so the schema cache
-# reloads after the orchestrator's feed leg may have rewritten
+# reloads after the orchestrator's overlay leg may have rewritten
 # /etc/airplanes/*.
 airplanes-webconfig ALL=(root) NOPASSWD: /usr/bin/systemd-run --unit=airplanes-update-orchestrator.service --collect --property=ExecStopPost=/usr/bin/systemctl kill -s HUP airplanes-webconfig.service /usr/local/lib/airplanes-webconfig/start-orchestrator.sh
 

files/usr/local/lib/airplanes-webconfig/system-upgrade.sh

@@ -444,18 +444,17 @@ func TestSystemctl_IsActiveMixedUnits(t *testing.T) {
 	runner := Runner(s, priv)
 	// maintenanceUnitActive calls all maintenance units in one
 	// is-active. They must be inactive so the maintenance guard lets
-	// reboot/system-upgrade through.
+	// reboot / Update System through.
 	res, err := runner(context.Background(), []string{
 		"/usr/bin/systemctl", "is-active",
-		"airplanes-system-upgrade.service",
 		"airplanes-update-orchestrator.service",
 	})
 	if err != nil {
 		t.Fatalf("runner: %v", err)
 	}
 	lines := strings.Split(strings.TrimRight(string(res.Stdout), "\n"), "\n")
-	if len(lines) != 2 {
-		t.Fatalf("expected 2 state lines, got %d (out=%q)", len(lines), res.Stdout)
+	if len(lines) != 1 {
+		t.Fatalf("expected 1 state line, got %d (out=%q)", len(lines), res.Stdout)
 	}
 	for _, l := range lines {
 		if l != "inactive" {
@@ -474,25 +473,24 @@ func TestSystemdRun_PinsMaintenanceUnitActivating(t *testing.T) {
 	s := mustNewState(t)
 	priv := StubPrivilegedArgv()
 	runner := Runner(s, priv)
-	// Fire the system-upgrade transient — the maintenance unit must flip
+	// Fire the orchestrator transient — the maintenance unit must flip
 	// to `activating` so a follow-up handlers.maintenanceUnitActive guard
 	// returns the unit name and the second click sees 409.
-	if _, err := runner(context.Background(), priv.StartSystemUpgrade); err != nil {
+	if _, err := runner(context.Background(), priv.StartOrchestrator); err != nil {
 		t.Fatalf("runner: %v", err)
 	}
-	if got := s.ServiceState("airplanes-system-upgrade.service"); got != "activating" {
-		t.Fatalf("after StartSystemUpgrade: airplanes-system-upgrade.service=%q want activating", got)
+	if got := s.ServiceState("airplanes-update-orchestrator.service"); got != "activating" {
+		t.Fatalf("after StartOrchestrator: airplanes-update-orchestrator.service=%q want activating", got)
 	}
-	// Fan-out is-active over the maintenance units; the system-upgrade
-	// one must come back activating, the others inactive.
+	// Fan-out is-active over the maintenance units; the orchestrator
+	// must come back activating.
 	res, _ := runner(context.Background(), []string{
 		"/usr/bin/systemctl", "is-active",
-		"airplanes-system-upgrade.service",
 		"airplanes-update-orchestrator.service",
 	})
 	lines := strings.Split(strings.TrimRight(string(res.Stdout), "\n"), "\n")
-	if len(lines) != 2 || lines[0] != "activating" || lines[1] != "inactive" {
-		t.Fatalf("is-active fan-out=%v want [activating inactive]", lines)
+	if len(lines) != 1 || lines[0] != "activating" {
+		t.Fatalf("is-active fan-out=%v want [activating]", lines)
 	}
 }
 

internal/devfakes/devfakes_test.go

@@ -71,7 +71,6 @@ func StubPrivilegedArgv() server.PrivilegedArgv {
 		SchemaFeed:           []string{"dev-stub", "apl-feed", "schema"},
 		Reboot:               []string{"dev-stub", "systemctl", "reboot"},
 		Poweroff:             []string{"dev-stub", "systemctl", "poweroff"},
-		StartSystemUpgrade:   []string{"dev-stub", "systemd-run", "airplanes-system-upgrade"},
 		StartOrchestrator:    []string{"dev-stub", "systemd-run", "airplanes-update-orchestrator"},
 		RegisterClaim:        []string{"dev-stub", "systemctl", "claim-register"},
 		WifiList:             []string{"dev-stub", "apl-wifi", "list"},
@@ -98,7 +97,7 @@ func StubPrivilegedArgv() server.PrivilegedArgv {
 //     The fake returns "0" so the dashboard never renders an exit-status
 //     warning over the simulated feed.
 //   - dev-stub systemctl {reboot,poweroff} — log the intent and exit 0.
-//   - dev-stub systemd-run airplanes-system-upgrade
+//   - dev-stub systemd-run airplanes-update-orchestrator
 //     — log the intent and exit 0. The HTTP handler writes 202.
 //   - dev-stub systemctl claim-register — calls state.RegisterClaim()
 //     so the next GET /api/identity reports claim_secret_present=true.
@@ -644,12 +643,8 @@ var unitLogLines = map[string][]string{
 		"webconfig: dev-mode active",
 		"webconfig: /api/status served in 1.2ms",
 	},
-	"airplanes-system-upgrade.service": {
-		"system-upgrade: apt-get update (simulated)",
-		"system-upgrade: 0 packages to upgrade",
-	},
 	"airplanes-update-orchestrator.service": {
-		"update-orchestrator: sequencing apt -> feed -> webconfig -> runtime",
+		"update-orchestrator: sequencing apt -> runtime",
 		"update-orchestrator: idle",
 	},
 }

internal/devfakes/runners.go

@@ -164,10 +164,9 @@ func NewState(p Paths) *State {
 			"airplanes-978.service":       "active",
 			"lighttpd.service":            "active",
 			"airplanes-webconfig.service": "active",
-			// Maintenance units — must be inactive so the pre-flight
+			// Maintenance unit — must be inactive so the pre-flight
 			// guard at handlers.go:maintenanceUnitActive lets the user click
-			// reboot / system-upgrade / update-system without a 409.
-			"airplanes-system-upgrade.service":      "inactive",
+			// reboot / Update System without a 409.
 			"airplanes-update-orchestrator.service": "inactive",
 			// Claim unit — never reported active; the SPA pulls progress from
 			// the claim SSE log instead.

internal/devfakes/state.go

@@ -33,7 +33,6 @@ var Whitelist = map[string]string{
 	"uat":                 "airplanes-978.service",
 	"claim":               "airplanes-claim.service",
 	"webconfig":           "airplanes-webconfig.service",
-	"system-upgrade":      "airplanes-system-upgrade.service",
 	"update-orchestrator": "airplanes-update-orchestrator.service",
 }
 

internal/logs/logs.go

@@ -25,7 +25,6 @@ func TestResolve_Whitelist(t *testing.T) {
 		"uat":                 "airplanes-978.service",
 		"claim":               "airplanes-claim.service",
 		"webconfig":           "airplanes-webconfig.service",
-		"system-upgrade":      "airplanes-system-upgrade.service",
 		"update-orchestrator": "airplanes-update-orchestrator.service",
 	}
 	for slug, want := range cases {

internal/logs/logs_test.go

@@ -721,12 +721,10 @@ func (s *Server) runSudo(ctx context.Context, argv []string, timeout time.Durati
 }
 
 // maintenanceUnits is the set of transient maintenance units that must not
-// overlap each other or be interrupted by a reboot. Each touches apt/dpkg,
-// release artefacts, or shells out to the others, and would deadlock on
-// the dpkg lock or leave half-configured state if any overlapped with
-// another or with a shutdown.
+// be interrupted by a reboot. The orchestrator touches apt/dpkg and release
+// artefacts, and would deadlock on the dpkg lock or leave half-configured
+// state if it overlapped with a shutdown.
 var maintenanceUnits = []string{
-	"airplanes-system-upgrade.service",
 	"airplanes-update-orchestrator.service",
 }
 
@@ -752,51 +750,6 @@ func (s *Server) maintenanceUnitActive(ctx context.Context) string {
 	return ""
 }
 
-// startTransientUnit kicks off a transient systemd unit via the supplied
-// pinned argv (sudo systemd-run ...). It refuses with 409 if any maintenance
-// unit is already busy, and maps systemd-run's "already exists" stderr to a
-// 409 as well. On success it writes 202 + the unit name.
-//
-// The is-active guard and the systemd-run call are serialized via
-// maintenanceMu so two concurrent POSTs can't both observe an idle state and
-// then both kick off — by the time the second contender acquires the lock,
-// the first's transient unit is already registered and is-active reports it
-// as activating.
-func (s *Server) startTransientUnit(w http.ResponseWriter, r *http.Request, argv []string, unit, label string) {
-	s.maintenanceMu.Lock()
-	defer s.maintenanceMu.Unlock()
-	if busy := s.maintenanceUnitActive(r.Context()); busy != "" {
-		writeJSONError(w, http.StatusConflict, label+" refused: "+busy+" is in progress")
-		return
-	}
-	cctx, cancel := context.WithTimeout(r.Context(), systemctlTimeout)
-	defer cancel()
-	res, err := s.runner(cctx, argv)
-	if err != nil {
-		stderr := strings.TrimSpace(string(res.Stderr))
-		log.Printf("%s: %v stderr=%q", label, err, stderr)
-		if strings.Contains(stderr, "already exists") || strings.Contains(stderr, "already running") {
-			writeJSONError(w, http.StatusConflict, label+" is already in progress")
-			return
-		}
-		writeJSONError(w, http.StatusInternalServerError, label+" start failed")
-		return
-	}
-	writeJSON(w, http.StatusAccepted, map[string]string{
-		"status":     "running",
-		"unit":       unit,
-		"started_at": time.Now().UTC().Format(time.RFC3339),
-	})
-}
-
-// /api/system-upgrade (POST): kicks off a transient
-// airplanes-system-upgrade.service that runs apt-get update + upgrade.
-// Returns 202 + the unit name so the SPA can stream
-// /api/log/system-upgrade for live output.
-func (s *Server) handleSystemUpgrade(w http.ResponseWriter, r *http.Request) {
-	s.startTransientUnit(w, r, s.priv.StartSystemUpgrade, "airplanes-system-upgrade.service", "system upgrade")
-}
-
 // /api/reboot (POST): refuses with 409 if a maintenance unit is active
 // (rebooting mid-dpkg would brick the device). Otherwise writes 202 + flushes,
 // then triggers reboot from a goroutine after a brief delay so the response

internal/server/handlers.go

@@ -134,8 +134,8 @@ func orchestratorRunning(path string) (bool, error) {
 // SPA polls /api/orchestrator/state for progress and a terminal step.
 //
 // The wire envelope on success is `{"status":"running","unit":...,
-// "started_at":...}` — identical to /api/system-upgrade so the SPA's
-// transient-unit response shape is uniform across update flows.
+// "started_at":...}`, which the SPA polls against after navigating to
+// the progress view.
 func (s *Server) handleOrchestratorStart(w http.ResponseWriter, r *http.Request) {
 	if !s.orchestratorCapableFunc() {
 		writeJSON(w, http.StatusServiceUnavailable, map[string]string{"reason": "orchestrator_unavailable"})
@@ -196,12 +196,10 @@ func (s *Server) handleOrchestratorStart(w http.ResponseWriter, r *http.Request)
 
 // handleOrchestratorState is GET /api/orchestrator/state.
 //
-// The endpoint is informational — the UI uses it both to decide whether
-// to render the unified "Update System" button (orchestrator capable =
-// yes) and to render progress while a run is in flight. So the
-// capability-failure response is a 200 with `{"step":"unavailable"}`,
-// not a 503; only POST /api/orchestrator/start hard-refuses on
-// capability failure.
+// The endpoint is informational — the UI polls it to render progress
+// while a run is in flight. The capability-failure response is a 200
+// with `{"step":"unavailable"}`, not a 503; only POST
+// /api/orchestrator/start hard-refuses on capability failure.
 //
 // Missing state file → `{"step":"idle"}` (capable but no run yet on
 // this boot — /run is tmpfs so this is the normal post-boot state).