openclacky 1.2.2 → 1.2.4

data/lib/clacky/utils/file_ignore_helper.rb

@@ -116,21 +116,94 @@ module Clacky
         CONFIG_FILE_PATTERNS.any? { |pattern| file.match?(pattern) }
       end
 
+      # Paths considered too broad to recursively walk by default. Searching from
+      # these would commonly traverse millions of files (system roots, $HOME with
+      # many workspaces, WSL Windows mounts). Tools should refuse such requests
+      # and ask for a narrower base_path.
+      def self.dangerous_root?(path)
+        return false if path.nil? || path.empty?
+
+        expanded = File.expand_path(path)
+        return true if expanded == "/"
+
+        system_roots = ["/root", "/home", "/Users", "/mnt", "/media", "/var", "/etc", "/usr", "/opt"]
+        return true if system_roots.include?(expanded)
+
+        ["/Users/", "/home/"].each do |prefix|
+          next unless expanded.start_with?(prefix)
+          tail = expanded[prefix.length..]
+          return true if tail && !tail.empty? && !tail.include?("/")
+        end
+
+        return true if expanded =~ %r{\A/mnt/[a-zA-Z]\z}
+
+        home = ENV["HOME"]
+        return true if home && !home.empty? && expanded == File.expand_path(home)
+
+        false
+      end
+
+      # Hard ceiling on directories visited in a single walk. Prevents indefinite
+      # traversal across huge trees (e.g. /root, $HOME, /mnt/c on WSL).
+      MAX_DIRS_VISITED = 20_000
+
+      # Wall-clock budget for a single walk, in seconds.
+      WALK_TIMEOUT_SECONDS = 15
+
+      # Raised internally to abort a walk when a budget is exhausted.
+      class WalkBudgetExceeded < StandardError
+        attr_reader :reason
+        def initialize(reason)
+          @reason = reason
+          super(reason.to_s)
+        end
+      end
+
       # Walk a directory tree, pruning ignored directories early.
       # Yields each non-ignored file path. Supports nested .gitignore files.
       # @param skipped [Hash, nil] If provided, increments :ignored for each gitignore-skipped entry.
-      def self.walk_files(base_path, gitignore: nil, skipped: nil, &block)
-        return enum_for(:walk_files, base_path, gitignore: gitignore, skipped: skipped) unless block_given?
+      # @param status [Hash, nil] If provided, populated with :truncated and :truncation_reason
+      #   when the walk is aborted due to dir-count or wall-clock budget.
+      def self.walk_files(base_path, gitignore: nil, skipped: nil, status: nil,
+                          max_dirs_visited: MAX_DIRS_VISITED,
+                          timeout_seconds: WALK_TIMEOUT_SECONDS,
+                          &block)
+        unless block_given?
+          return enum_for(:walk_files, base_path,
+                          gitignore: gitignore, skipped: skipped, status: status,
+                          max_dirs_visited: max_dirs_visited, timeout_seconds: timeout_seconds)
+        end
 
         root_gitignore = gitignore || begin
           gi_path = find_gitignore(base_path)
           gi_path ? Clacky::GitignoreParser.new(gi_path) : nil
         end
 
-        _walk_recursive(base_path, base_path, root_gitignore, skipped, &block)
+        budget = {
+          dirs_visited: 0,
+          max_dirs: max_dirs_visited,
+          deadline: timeout_seconds ? (Process.clock_gettime(Process::CLOCK_MONOTONIC) + timeout_seconds) : nil
+        }
+
+        begin
+          _walk_recursive(base_path, base_path, root_gitignore, skipped, budget, &block)
+        rescue WalkBudgetExceeded => e
+          if status
+            status[:truncated] = true
+            status[:truncation_reason] = e.reason.to_s
+          end
+        end
       end
 
-      def self._walk_recursive(dir, base_path, gitignore, skipped, &block)
+      def self._walk_recursive(dir, base_path, gitignore, skipped, budget, &block)
+        budget[:dirs_visited] += 1
+        if budget[:dirs_visited] > budget[:max_dirs]
+          raise WalkBudgetExceeded.new(:max_dirs_visited)
+        end
+        if budget[:deadline] && Process.clock_gettime(Process::CLOCK_MONOTONIC) > budget[:deadline]
+          raise WalkBudgetExceeded.new(:timeout)
+        end
+
         child_gitignore_path = File.join(dir, ".gitignore")
         if dir != base_path && File.exist?(child_gitignore_path)
           gitignore ||= Clacky::GitignoreParser.new(nil)
@@ -153,7 +226,7 @@ module Clacky
             if gitignore&.ignored?("#{relative}/") || should_ignore_file?(full, base_path, gitignore)
               next
             end
-            _walk_recursive(full, base_path, gitignore, skipped, &block)
+            _walk_recursive(full, base_path, gitignore, skipped, budget, &block)
           else
             if !is_config_file?(full) && should_ignore_file?(full, base_path, gitignore)
               skipped[:ignored] += 1 if skipped

data/lib/clacky/utils/login_shell.rb

@@ -51,7 +51,9 @@ module Clacky
 
         # { rc_sources; } 1>&2 — send rc-time stdout to stderr so target's
         # stdout is pristine. `exec` replaces the shell with target.
-        script = "{ #{rc_sources}; } 1>&2; exec #{command}"
+        # PS1 trick: Ubuntu .bashrc has `[ -z "$PS1" ] && return` guard that
+        # skips the entire file in non-interactive shells. Setting PS1 defeats it.
+        script = "PS1='$ '; { #{rc_sources}; } 1>&2; exec #{command}"
         [shell, "-c", script]
       end
 

data/lib/clacky/utils/model_pricing.rb

@@ -366,6 +366,24 @@ module Clacky
       #     surprising users with the explicit 25% surcharge).
       #   - We bill reads at 20% (implicit rate) — the conservative side; users on
       #     explicit caching will see real bills slightly *lower* than displayed.
+      "qwen3.7-max" => {
+        input:  { default: 1.20, over_200k: 1.20 },
+        output: { default: 6.00, over_200k: 6.00 },
+        cache:  { write: 1.20, read: 0.24 }
+      },
+
+      "qwen3.7-plus" => {
+        input:  { default: 0.40, over_200k: 0.40 },
+        output: { default: 2.40, over_200k: 2.40 },
+        cache:  { write: 0.40, read: 0.08 }
+      },
+
+      "qwen3.7-flash" => {
+        input:  { default: 0.15, over_200k: 0.15 },
+        output: { default: 0.90, over_200k: 0.90 },
+        cache:  { write: 0.15, read: 0.03 }
+      },
+
       "qwen3.6-plus" => {
         input:  { default: 0.40, over_200k: 0.40 },
         output: { default: 2.40, over_200k: 2.40 },
@@ -571,9 +589,16 @@ module Clacky
           "minimax-m2.7"
 
         # Qwen (Alibaba DashScope) — strict anchored match per registered
-        # model id in providers.rb. qwen3.6-* are the new flagship line;
-        # qwen-plus-latest is the rolling alias for the latest Qwen-Plus
-        # release; qwen-vl-* are the multimodal SKUs.
+        # model id in providers.rb. qwen3.7-* is the latest flagship line;
+        # qwen3.6-* are the previous generation; qwen-plus-latest is the
+        # rolling alias for the latest Qwen-Plus release; qwen-vl-* are
+        # the multimodal SKUs.
+        when /^qwen3\.7-max$/i
+          "qwen3.7-max"
+        when /^qwen3\.7-plus$/i
+          "qwen3.7-plus"
+        when /^qwen3\.7-flash$/i
+          "qwen3.7-flash"
         when /^qwen3\.6-plus$/i
           "qwen3.6-plus"
         when /^qwen3\.6-max$/i

data/lib/clacky/utils/scripts_manager.rb

@@ -21,6 +21,7 @@ module Clacky
         install_browser.sh
         install_system_deps.sh
         install_rails_deps.sh
+        wsl_network_doctor.ps1
       ].freeze
 
       # Copy bundled scripts to ~/.clacky/scripts/ if missing or outdated.

data/lib/clacky/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Clacky
-  VERSION = "1.2.2"
+  VERSION = "1.2.4"
 end

data/lib/clacky/web/app.css

@@ -3649,6 +3649,7 @@ body {
 .model-card-grid-actions {
   display: flex;
   flex-direction: row;
+  flex-wrap: wrap;
   gap: 0.5rem;
   padding-top: 0.625rem;
   border-top: 1px solid var(--color-border-primary);

data/lib/clacky/web/settings.js

@@ -169,6 +169,11 @@ const Settings = (() => {
       providerValue.classList.add("placeholder");
     }
 
+    // Reset save button
+    const saveBtn = document.getElementById("model-modal-save");
+    saveBtn.textContent = I18n.t("settings.models.btn.save");
+    saveBtn.disabled = false;
+
     // Clear test result
     document.getElementById("model-modal-test-result").textContent = "";
     document.getElementById("model-modal-test-result").className = "model-test-result";

data/lib/clacky/web/weixin-qr.html

@@ -140,10 +140,11 @@
   <script>
     const params  = new URLSearchParams(location.search);
     const url     = params.get("url");
-    // since: Unix timestamp (seconds) passed by the setup skill when opening this page.
-    // We only show success if token_updated_at > since, preventing false positives
-    // when the user already had a token from a previous login.
-    const since   = parseInt(params.get("since") || "0", 10);
+    // since: the moment this page loaded, in Unix seconds.
+    // We only show success if token_updated_at >= since, so a pre-existing token
+    // never triggers the overlay.
+    // Intentionally NOT taken from the URL param — the page is the source of truth.
+    const since   = Math.floor(Date.now() / 1000);
     const el      = document.getElementById("qrcode");
 
     if (!url) {

data/scripts/build/lib/apt.sh

@@ -4,6 +4,76 @@
 # Sets-Vars: (none)
 # Include via: @include lib/apt.sh
 
+# Wait until apt/dpkg lock files are no longer held (e.g. by apt-daily on
+# freshly-booted WSL/Ubuntu). Uses flock(1) — the same mechanism apt uses —
+# rather than checking file existence (the lock files are always present;
+# advisory locks live in the kernel, not the filesystem).
+wait_apt_lock() {
+    [ "$DISTRO" = "ubuntu" ] || [ "$DISTRO" = "debian" ] || return 0
+
+    local locks=(
+        "/var/lib/dpkg/lock-frontend"
+        "/var/lib/dpkg/lock"
+        "/var/lib/apt/lists/lock"
+    )
+    local max_wait="${1:-120}"
+    local waited=0
+    local announced=false
+
+    while :; do
+        local busy=false
+        for f in "${locks[@]}"; do
+            [ -e "$f" ] || continue
+            if ! sudo flock -n "$f" -c true 2>/dev/null; then
+                busy=true
+                break
+            fi
+        done
+
+        [ "$busy" = false ] && break
+
+        if [ "$announced" = false ]; then
+            print_info "Waiting for system apt/dpkg to finish (up to ${max_wait}s)..."
+            announced=true
+        fi
+
+        if [ "$waited" -ge "$max_wait" ]; then
+            print_error "apt is still locked after ${max_wait}s."
+            print_info  "On WSL try: 'wsl --shutdown' from PowerShell, then rerun the installer."
+            return 1
+        fi
+
+        sleep 3
+        waited=$((waited + 3))
+    done
+
+    [ "$announced" = true ] && print_success "apt lock released"
+    return 0
+}
+
+# Run an apt-get subcommand with lock-wait + transient-failure retry.
+# Usage: apt_get_run update [-qq]
+#        apt_get_run install -y pkg1 pkg2
+apt_get_run() {
+    local attempts=3
+    local i=1
+    while [ "$i" -le "$attempts" ]; do
+        wait_apt_lock 120 || return 1
+        if sudo apt-get "$@"; then
+            return 0
+        fi
+        local rc=$?
+        if [ "$i" -lt "$attempts" ]; then
+            print_warning "apt-get $1 failed (exit $rc), retrying ($i/$((attempts-1)))..."
+            sleep 5
+        else
+            print_error "apt-get $1 failed after $attempts attempts."
+            return "$rc"
+        fi
+        i=$((i + 1))
+    done
+}
+
 # Configure apt mirror for CN region and run apt-get update.
 # Guards: only runs on ubuntu/debian ($DISTRO).
 # Relies on $USE_CN_MIRRORS set by detect_network_region (network.sh).
@@ -51,6 +121,6 @@ EOF
         print_info "Region: global — using default apt sources"
     fi
 
-    sudo apt-get update -qq
+    apt_get_run update -qq || return 1
     print_success "apt updated"
 }

data/scripts/build/src/install.sh.cc

@@ -34,7 +34,7 @@ ensure_ruby() {
 
     if is_linux_apt; then
         print_info "Installing Ruby via apt..."
-        sudo apt-get install -y ruby ruby-dev 2>/dev/null && check_ruby && return 0
+        apt_get_run install -y ruby ruby-dev 2>/dev/null && check_ruby && return 0
         print_warning "apt Ruby install failed or version too old"
     fi
 

data/scripts/build/src/install_rails_deps.sh.cc

@@ -31,8 +31,8 @@ install_ruby() {
     if is_macos; then
         brew install openssl@3 libyaml gmp
     elif is_linux_apt; then
-        sudo apt-get install -y \
-            rustc libssl-dev libyaml-dev zlib1g-dev libgmp-dev
+        apt_get_run install -y \
+            rustc libssl-dev libyaml-dev zlib1g-dev libgmp-dev || return 1
     fi
 
     ensure_mise || return 1
@@ -75,8 +75,8 @@ install_postgres() {
 
     elif is_linux_apt; then
         setup_apt_mirror
-        sudo apt-get install -y postgresql libpq-dev \
-            libssl-dev libreadline-dev zlib1g-dev libyaml-dev libffi-dev
+        apt_get_run install -y postgresql libpq-dev \
+            libssl-dev libreadline-dev zlib1g-dev libyaml-dev libffi-dev || return 1
         sudo systemctl enable --now postgresql || true
     fi
 

data/scripts/build/src/install_system_deps.sh.cc

@@ -67,7 +67,7 @@ ensure_linux_deps() {
 
     detect_network_region
     setup_apt_mirror
-    sudo apt-get install -y build-essential git curl python3
+    apt_get_run install -y build-essential git curl python3 || return 1
     print_success "Dependencies installed"
 }
 

data/scripts/install.ps1

@@ -11,8 +11,8 @@
 #     -BrandName    Display name shown in prompts    (default: OpenClacky)
 #     -CommandName  CLI command name after install   (default: openclacky)
 #
-# WSL2 is preferred. If virtualisation is unavailable (e.g. running inside a VM),
-# the script automatically falls back to WSL1.
+# WSL1 is preferred (shares Windows network stack — no mirrored networking needed).
+# If WSL1 import fails, the script falls back to WSL2 with mirrored networking.
 # If WSL is not installed at all, the script enables it and asks you to reboot.
 # After rebooting, run the same command again to complete installation.
 #
@@ -501,32 +501,59 @@ if ($installPhase -eq "wsl-pending" -and $wslCode -eq 1) {
 # wslCode != 1 (0, -1, -444, 50, etc.): WSL is functional, continue.
 Remove-InstallReg -Name "InstallPhase"
 
-# Step 2: Install Ubuntu, preferring WSL2 when the real rootfs imports cleanly.
+# Step 2: Install Ubuntu, preferring WSL1 (shares Windows network — no mirrored needed).
+# If WSL1 import fails, fall back to WSL2.
+# If the distro already exists, keep whatever version was previously installed.
 if (Test-UbuntuInstalled) {
     Write-Info "Ubuntu (WSL) already installed — skipping import."
     $wslVersion = Get-InstallReg -Name "WslVersion" -Default 2
 } else {
     $tarPath = Get-UbuntuRootfs
-    if (Test-VirtualisationSupported -TarPath $tarPath) {
-        wsl.exe --set-default-version 2 >$null 2>$null
-        Install-UbuntuRootfs -WslVersion 2 -TarPath $tarPath
-        $wslVersion = 2
+
+    # Try WSL1 first
+    Write-Info "Attempting WSL1 import..."
+    $wsl1Ok = $false
+    try {
+        New-Item -ItemType Directory -Force -Path $UBUNTU_WSL_DIR | Out-Null
+        wsl.exe --import Ubuntu $UBUNTU_WSL_DIR $tarPath --version 1 >$null 2>$null
+        $wsl1Ok = ($LASTEXITCODE -eq 0)
+    } catch {
+        $wsl1Ok = $false
+    }
+
+    if ($wsl1Ok) {
+        Write-Success "Ubuntu (WSL1) imported successfully."
+        $wslVersion = 1
     } else {
-        if ($wslFeaturesEnabled -ne "1") {
-            # WSL components were never fully prepared — run Enable-WslFeatures and reboot.
-            Write-Warn "WSL2 is not available and WSL components have not been fully set up."
-            Enable-WslFeatures
-            # Always exits (prompts reboot)
+        # Clean up failed WSL1 attempt
+        wsl.exe --unregister Ubuntu 2>$null | Out-Null
+        Remove-Item -Force -Recurse -ErrorAction SilentlyContinue $UBUNTU_WSL_DIR
+
+        Write-Info "WSL1 import failed, trying WSL2..."
+        if (Test-VirtualisationSupported -TarPath $tarPath) {
+            wsl.exe --set-default-version 2 >$null 2>$null
+            Install-UbuntuRootfs -WslVersion 2 -TarPath $tarPath
+            $wslVersion = 2
+        } else {
+            if ($wslFeaturesEnabled -ne "1") {
+                Write-Warn "Neither WSL1 nor WSL2 is available. Enabling WSL components..."
+                Enable-WslFeatures
+                # Always exits (prompts reboot)
+            }
+            Write-Fail "Failed to import Ubuntu into both WSL1 and WSL2."
+            Write-Fail "Please ensure Windows Subsystem for Linux is enabled and try again."
+            exit 1
         }
-        Write-Info "[main] WSL2 unavailable, falling back to WSL1..."
-        Install-UbuntuRootfs -WslVersion 1 -TarPath $tarPath
-        $wslVersion = 1
     }
 }
 
-if ($wslVersion -eq 2) { Set-Wsl2MirroredNetworking }
-
 Write-Success "WSL is ready."
 Run-InstallInWsl
+
+# For WSL2, configure mirrored networking AFTER install.sh succeeds (NAT is more
+# reliable for outbound traffic during installation). The shutdown here is safe
+# because installation is already complete.
+if ($wslVersion -eq 2) { Set-Wsl2MirroredNetworking }
+
 Set-InstallReg -Name "WslVersion" -Value $wslVersion
 Show-PostInstall -WslVersion $wslVersion

data/scripts/install.sh

@@ -271,6 +271,76 @@ detect_network_region() {
 
 # ---[ @include lib/apt.sh ]---
 
+# Wait until apt/dpkg lock files are no longer held (e.g. by apt-daily on
+# freshly-booted WSL/Ubuntu). Uses flock(1) — the same mechanism apt uses —
+# rather than checking file existence (the lock files are always present;
+# advisory locks live in the kernel, not the filesystem).
+wait_apt_lock() {
+    [ "$DISTRO" = "ubuntu" ] || [ "$DISTRO" = "debian" ] || return 0
+
+    local locks=(
+        "/var/lib/dpkg/lock-frontend"
+        "/var/lib/dpkg/lock"
+        "/var/lib/apt/lists/lock"
+    )
+    local max_wait="${1:-120}"
+    local waited=0
+    local announced=false
+
+    while :; do
+        local busy=false
+        for f in "${locks[@]}"; do
+            [ -e "$f" ] || continue
+            if ! sudo flock -n "$f" -c true 2>/dev/null; then
+                busy=true
+                break
+            fi
+        done
+
+        [ "$busy" = false ] && break
+
+        if [ "$announced" = false ]; then
+            print_info "Waiting for system apt/dpkg to finish (up to ${max_wait}s)..."
+            announced=true
+        fi
+
+        if [ "$waited" -ge "$max_wait" ]; then
+            print_error "apt is still locked after ${max_wait}s."
+            print_info  "On WSL try: 'wsl --shutdown' from PowerShell, then rerun the installer."
+            return 1
+        fi
+
+        sleep 3
+        waited=$((waited + 3))
+    done
+
+    [ "$announced" = true ] && print_success "apt lock released"
+    return 0
+}
+
+# Run an apt-get subcommand with lock-wait + transient-failure retry.
+# Usage: apt_get_run update [-qq]
+#        apt_get_run install -y pkg1 pkg2
+apt_get_run() {
+    local attempts=3
+    local i=1
+    while [ "$i" -le "$attempts" ]; do
+        wait_apt_lock 120 || return 1
+        if sudo apt-get "$@"; then
+            return 0
+        fi
+        local rc=$?
+        if [ "$i" -lt "$attempts" ]; then
+            print_warning "apt-get $1 failed (exit $rc), retrying ($i/$((attempts-1)))..."
+            sleep 5
+        else
+            print_error "apt-get $1 failed after $attempts attempts."
+            return "$rc"
+        fi
+        i=$((i + 1))
+    done
+}
+
 # Configure apt mirror for CN region and run apt-get update.
 # Guards: only runs on ubuntu/debian ($DISTRO).
 # Relies on $USE_CN_MIRRORS set by detect_network_region (network.sh).
@@ -318,7 +388,7 @@ EOF
         print_info "Region: global — using default apt sources"
     fi
 
-    sudo apt-get update -qq
+    apt_get_run update -qq || return 1
     print_success "apt updated"
 }
 
@@ -427,7 +497,7 @@ ensure_ruby() {
 
     if is_linux_apt; then
         print_info "Installing Ruby via apt..."
-        sudo apt-get install -y ruby ruby-dev 2>/dev/null && check_ruby && return 0
+        apt_get_run install -y ruby ruby-dev 2>/dev/null && check_ruby && return 0
         print_warning "apt Ruby install failed or version too old"
     fi
 

data/scripts/install_rails_deps.sh

@@ -275,6 +275,76 @@ detect_network_region() {
 
 # ---[ @include lib/apt.sh ]---
 
+# Wait until apt/dpkg lock files are no longer held (e.g. by apt-daily on
+# freshly-booted WSL/Ubuntu). Uses flock(1) — the same mechanism apt uses —
+# rather than checking file existence (the lock files are always present;
+# advisory locks live in the kernel, not the filesystem).
+wait_apt_lock() {
+    [ "$DISTRO" = "ubuntu" ] || [ "$DISTRO" = "debian" ] || return 0
+
+    local locks=(
+        "/var/lib/dpkg/lock-frontend"
+        "/var/lib/dpkg/lock"
+        "/var/lib/apt/lists/lock"
+    )
+    local max_wait="${1:-120}"
+    local waited=0
+    local announced=false
+
+    while :; do
+        local busy=false
+        for f in "${locks[@]}"; do
+            [ -e "$f" ] || continue
+            if ! sudo flock -n "$f" -c true 2>/dev/null; then
+                busy=true
+                break
+            fi
+        done
+
+        [ "$busy" = false ] && break
+
+        if [ "$announced" = false ]; then
+            print_info "Waiting for system apt/dpkg to finish (up to ${max_wait}s)..."
+            announced=true
+        fi
+
+        if [ "$waited" -ge "$max_wait" ]; then
+            print_error "apt is still locked after ${max_wait}s."
+            print_info  "On WSL try: 'wsl --shutdown' from PowerShell, then rerun the installer."
+            return 1
+        fi
+
+        sleep 3
+        waited=$((waited + 3))
+    done
+
+    [ "$announced" = true ] && print_success "apt lock released"
+    return 0
+}
+
+# Run an apt-get subcommand with lock-wait + transient-failure retry.
+# Usage: apt_get_run update [-qq]
+#        apt_get_run install -y pkg1 pkg2
+apt_get_run() {
+    local attempts=3
+    local i=1
+    while [ "$i" -le "$attempts" ]; do
+        wait_apt_lock 120 || return 1
+        if sudo apt-get "$@"; then
+            return 0
+        fi
+        local rc=$?
+        if [ "$i" -lt "$attempts" ]; then
+            print_warning "apt-get $1 failed (exit $rc), retrying ($i/$((attempts-1)))..."
+            sleep 5
+        else
+            print_error "apt-get $1 failed after $attempts attempts."
+            return "$rc"
+        fi
+        i=$((i + 1))
+    done
+}
+
 # Configure apt mirror for CN region and run apt-get update.
 # Guards: only runs on ubuntu/debian ($DISTRO).
 # Relies on $USE_CN_MIRRORS set by detect_network_region (network.sh).
@@ -322,7 +392,7 @@ EOF
         print_info "Region: global — using default apt sources"
     fi
 
-    sudo apt-get update -qq
+    apt_get_run update -qq || return 1
     print_success "apt updated"
 }
 
@@ -632,8 +702,8 @@ install_ruby() {
     if is_macos; then
         brew install openssl@3 libyaml gmp
     elif is_linux_apt; then
-        sudo apt-get install -y \
-            rustc libssl-dev libyaml-dev zlib1g-dev libgmp-dev
+        apt_get_run install -y \
+            rustc libssl-dev libyaml-dev zlib1g-dev libgmp-dev || return 1
     fi
 
     ensure_mise || return 1
@@ -676,8 +746,8 @@ install_postgres() {
 
     elif is_linux_apt; then
         setup_apt_mirror
-        sudo apt-get install -y postgresql libpq-dev \
-            libssl-dev libreadline-dev zlib1g-dev libyaml-dev libffi-dev
+        apt_get_run install -y postgresql libpq-dev \
+            libssl-dev libreadline-dev zlib1g-dev libyaml-dev libffi-dev || return 1
         sudo systemctl enable --now postgresql || true
     fi