…ning
Second PR in the v1.99 Update Engine Canonization track. Deepens G3-U4
with package-install target detection + two new preflight checks + a
planning-only RecoveryPlan surface. No mutation, no apply logic.
Architecture constraint (INV-U-001) remains intact:
Update is still a BOUNDED TRIGGER into the rebuild/lifecycle pipeline.
Apply work stays deferred to PR-18.
New file internal/installer/update/target.go:
- DetectInstallOrigin: probe rpm -q / dpkg -s / NFTBAN_SOURCE_DIR env
to classify origin when operator didn't pass --rpm/--deb/--source
- DetectPackageTarget: query rpm -q --queryformat '%{VERSION}' OR
dpkg -s | grep ^Version:
- Both functions READ-ONLY — no package manager transactions
Extensions:
- DetectVersions signature: +origin param; source tree wins over
package query so explicit --source-dir is always honoured
- Preflight: +origin param; new checks P-6 rebuild_recovery_available
(terminal prior state + ip nftban + nft binary) and P-7
install_origin_coherent (declared vs detected match)
- BuildRecoveryPlan: produces RecoveryPlan metadata (mechanism=rebuild,
Available bool, Notes). Planning-only — no recovery execution
- Plan.AttachRecovery + Plan.Recovery field: new planning surface
apply (PR-18) will consume per INV-U-002
- Plan.Render: shows Recovery block with availability + mechanism
Installer binary cmd/nftban-installer/update_dryrun.go:
- auto-detects origin via update.DetectInstallOrigin when no flag
passed (so package-install hosts without --rpm/--deb still get a
correct plan)
- attaches BuildRecoveryPlan output to the rendered plan
Tests (new target_test.go + extended update_test.go):
- 11 new unit tests covering DetectInstallOrigin (rpm/deb/source/unknown),
DetectPackageTarget (rpm/deb/not-owned/unknown-origin), DetectVersions
package-deb fallback + source-tree override, P-6/P-7 preflight paths,
BuildRecoveryPlan happy/no-state/in-progress cases
CI gate extensions:
- G3-U4 now asserts all 7 preflight checks reported
- New G3-U4-deepen step: Recovery block + Mechanism line must render
Out of scope (explicit — per spec + user guidance):
- No payload mutation
- No apply logic
- No rebuild switch changes
- No shell update path deletion
- No .conf.local write path changes
- No config delivery changes
- No rollback logic beyond planning/metadata
Depends on: v1.98.2 tag (already shipped), PR-16 merged (ca48884).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Dependency Review
✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.
Scanned Files: None
Summary
Second PR in the v1.99 Update Engine Canonization track. Deepens G3-U4 with package-install target detection + two new preflight checks + planning-only RecoveryPlan metadata. No mutation, no apply logic — apply stays deferred to PR-18.
Architecture constraint (INV-U-001) remains intact: update is still a bounded trigger into the rebuild/lifecycle pipeline.
Scope
In scope
- DetectInstallOrigin — probes rpm -q / dpkg -s / NFTBAN_SOURCE_DIR env to classify "rpm" / "deb" / "source" / "". Family-level discrimination only — no point-release branching. Mirrors the existing shell _detect_install_type helper so the Go and shell paths agree until PR-21 removes the shell path.
- DetectPackageTarget — queries rpm -q / dpkg -s for target version. Tries both nftban-core and legacy nftban package names (matches shell behaviour).
- DetectVersions — extended with origin param; source tree wins over package query so explicit --source-dir is always honoured.
- RecoveryPlan — new planning-only metadata surface: Available bool, Mechanism string (=rebuild), Notes. PR-18 consumes this per INV-U-002.
- update_dryrun.go when operator didn't pass --rpm/--deb/--source.
Explicit non-scope (per spec + user guidance)
- .conf.local write path changes
Design discipline — no point-release branching
Per design principle codified in target.go package doc:
Same discipline already used by internal/installer/detect/distro.go (only ID branches, VersionID is metadata) and payload.isDebianFamily.
Reuse, not duplication
DetectInstallOrigin is the Go mirror of cli/lib/nftban/cli/cmd_update_detection.sh::_detect_install_type. Both probe the same package managers in the same order and return the same origin strings. Until PR-21 removes the shell, both must stay in sync.
Test plan
Sub-gate coverage
Closure chain
ca48884460383f01
Draft — standard PR-draft pattern for v1.99 track, un-drafts after CI green.
🤖 Generated with Claude Code
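
The read-only origin probe and the P-7 declared-versus-detected check described in this PR, sketched as an added Go example; it is not code from the PR or the nftban repository. The function names, the injected probe type, the rpm, dpkg, env probe order and the choice to fail when nothing is detected are assumptions; the package names and NFTBAN_SOURCE_DIR come from the description above.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
)

// probe reports whether a read-only query command exited 0.
type probe func(bin string, args ...string) bool

// execProbe runs the real query; rpm -q and dpkg -s only read the package DB.
// A missing binary makes Run return an error, which counts as "not owned".
func execProbe(bin string, args ...string) bool {
	return exec.Command(bin, args...).Run() == nil
}

// detectOrigin (hypothetical name) returns "rpm", "deb", "source" or "".
// Probe order rpm, dpkg, env is assumed from the order the page lists them.
func detectOrigin(p probe, getenv func(string) string) string {
	managers := []struct{ origin, bin, flag string }{{"rpm", "rpm", "-q"}, {"deb", "dpkg", "-s"}}
	for _, m := range managers {
		for _, pkg := range []string{"nftban-core", "nftban"} { // current, then legacy name
			if p(m.bin, m.flag, pkg) {
				return m.origin
			}
		}
	}
	if getenv("NFTBAN_SOURCE_DIR") != "" {
		return "source"
	}
	return ""
}

// originCoherent (hypothetical) is a P-7 style check: a declared origin must
// match the detected one. Failing on an undetectable origin is an assumption.
func originCoherent(declared, detected string) (bool, string) {
	switch {
	case detected == "":
		return false, "origin could not be detected"
	case declared == "" || declared == detected:
		return true, "origin=" + detected
	}
	return false, fmt.Sprintf("declared %q but host reports %q", declared, detected)
}

func main() {
	fmt.Println(originCoherent("", detectOrigin(execProbe, os.Getenv)))
}
```

Injecting the probe keeps the classification logic testable without touching a real package database.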