@rubytech/create-maxy-code 0.1.332 → 0.1.334

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,62 @@
1
+ // Contract for the hardware watchdog arming point.
2
+ //
3
+ // On a constrained Pi the installer's `RuntimeWatchdogSec=20s` drop-in,
4
+ // armed at install step 1, reboot-looped its own install: the heavy npm/swap
5
+ // steps stalled PID1 past 20s, the board reset, the relaunch stalled again.
6
+ // The fix arms the watchdog only as the final install action, once the heavy
7
+ // build/swap window is over, and applies it via `daemon-reexec` so it is
8
+ // actually active (RuntimeWatchdogUSec non-zero) without waiting for a reboot.
9
+ //
10
+ // Static-grep, not behaviour: the call site and the apply command live in the
11
+ // top-level install flow of index.ts, which executes real sudo/systemctl.
12
+ // Same pattern as base-toolchain-deps.test.ts — read src/index.ts at runtime
13
+ // as the authoritative source.
14
+ import test from "node:test";
15
+ import assert from "node:assert/strict";
16
+ import { readFileSync } from "node:fs";
17
+ import { fileURLToPath } from "node:url";
18
+ import { dirname, resolve } from "node:path";
19
+ // dist/__tests__/watchdog-deferred-arming.test.js → ../../src/index.ts
20
+ const here = dirname(fileURLToPath(import.meta.url));
21
+ const INDEX_TS = resolve(here, "../../src/index.ts");
22
+ const SRC = readFileSync(INDEX_TS, "utf-8");
23
+ /** Body of configureHardwareWatchdog(), up to the next top-level function. */
24
+ function watchdogFnBody() {
25
+ const start = SRC.indexOf("function configureHardwareWatchdog");
26
+ assert.ok(start >= 0, "could not locate configureHardwareWatchdog in index.ts");
27
+ const end = SRC.indexOf("function installSystemDeps", start);
28
+ assert.ok(end > start, "could not bound configureHardwareWatchdog body");
29
+ return SRC.slice(start, end);
30
+ }
31
+ test("watchdog is armed after buildPlatform and installService, not at step 1", () => {
32
+ const watchdogCall = SRC.indexOf("configureHardwareWatchdog();");
33
+ const build = SRC.indexOf("buildPlatform();");
34
+ const service = SRC.indexOf("installService();");
35
+ assert.ok(watchdogCall >= 0, "no configureHardwareWatchdog() call in the install flow");
36
+ assert.ok(build >= 0 && service >= 0, "expected buildPlatform()/installService() calls");
37
+ assert.ok(watchdogCall > build, "watchdog must be armed after buildPlatform()");
38
+ assert.ok(watchdogCall > service, "watchdog must be armed after installService()");
39
+ // the old step-1 placement (immediately after installSystemDeps()) is gone
40
+ assert.equal(SRC.includes("installSystemDeps();\n configureHardwareWatchdog();"), false, "watchdog must not be armed at step 1, right after installSystemDeps()");
41
+ });
42
+ test("watchdog drop-in is applied with daemon-reexec, not daemon-reload", () => {
43
+ const body = watchdogFnBody();
44
+ // match the quoted systemctl argument so explanatory comments naming the old
45
+ // command do not skew the assertion.
46
+ assert.ok(body.includes('"daemon-reexec"'), "configureHardwareWatchdog must apply via daemon-reexec");
47
+ assert.equal(body.includes('"daemon-reload"'), false, "daemon-reload does not apply RuntimeWatchdogSec");
48
+ });
49
+ test("idempotent re-run only skips re-arming when the watchdog is live-armed", () => {
50
+ // A drop-in on disk does not prove the live PID1 has the watchdog active
51
+ // (prior daemon-reload, or a just-removed disable override). The function must
52
+ // read RuntimeWatchdogUSec and re-arm when it is 0, so the muvin remediation
53
+ // (drop-in present, previously disabled) actually arms.
54
+ const body = watchdogFnBody();
55
+ assert.ok(body.includes("RuntimeWatchdogUSec"), "must read live RuntimeWatchdogUSec before skipping the arm");
56
+ assert.ok(body.includes('"--value"'), "must read the live watchdog value, not just the drop-in content");
57
+ });
58
+ test("watchdog keeps the 20s runtime / 2min reboot values", () => {
59
+ const body = watchdogFnBody();
60
+ assert.ok(body.includes("RuntimeWatchdogSec=20s"), "RuntimeWatchdogSec stays 20s");
61
+ assert.ok(body.includes("RebootWatchdogSec=2min"), "RebootWatchdogSec stays 2min");
62
+ });
package/dist/index.js CHANGED
@@ -617,6 +617,53 @@ function writeChromiumBinaryPathFile() {
617
617
  // warns, never aborts the install. Cannot recover a latched-off brownout (no
618
618
  // power = no watchdog) — that needs the external power-cycler documented in
619
619
  // deployment.md.
620
+ //
621
+ // Called as the FINAL install action (not step 1): RuntimeWatchdogSec=20s is a
622
+ // tight timer, and the heavy npm-install/swap-thrash steps stall PID1 past 20s
623
+ // on a constrained Pi. Arming early reboot-looped the install (the board reset
624
+ // mid-build, relaunched under the same load, reset again). Deferring the arm to
625
+ // after the build/swap window, then applying it with `daemon-reexec` so it is
626
+ // active immediately (RuntimeWatchdogUSec non-zero), keeps kernel-hang recovery
627
+ // without the loop.
628
+ // Disable the hardware watchdog drop-in for the duration of the install.
629
+ // configureHardwareWatchdog() writes /etc/systemd/system.conf.d/10-maxy-watchdog.conf
630
+ // (RuntimeWatchdogSec=20s) at the END of every install. That file persists
631
+ // across reboots, so on every install AFTER the first, PID1 already has the
632
+ // watchdog armed from boot. The heavy npm/Playwright/swap step in step [3/11]
633
+ // can stall PID1 past 20s on a constrained Pi, the SoC resets mid-install,
634
+ // boot resumes with the watchdog re-armed, the install never completes, and
635
+ // the box wedges (SSH never returns; observed on beacons).
636
+ //
637
+ // Neutralise the watchdog at install start by overwriting the drop-in with
638
+ // RuntimeWatchdogSec=0 and daemon-reexec to apply it immediately. Re-armed
639
+ // at install end by configureHardwareWatchdog(). If install fails between
640
+ // the two, the box is unarmed — recoverable, far better than reboot-loop.
641
+ function disableHardwareWatchdogForInstall() {
642
+ try {
643
+ if (!isLinux()) {
644
+ logFile(" hardware watchdog: disable-for-install skipped (not Linux)");
645
+ return;
646
+ }
647
+ if (!existsSync("/dev/watchdog")) {
648
+ logFile(" hardware watchdog: disable-for-install skipped (/dev/watchdog absent)");
649
+ return;
650
+ }
651
+ const disabled = "[Manager]\nRuntimeWatchdogSec=0\n";
652
+ const dropinDir = "/etc/systemd/system.conf.d";
653
+ const dropinPath = `${dropinDir}/10-maxy-watchdog.conf`;
654
+ const tmpPath = "/tmp/10-maxy-watchdog.conf";
655
+ writeFileSync(tmpPath, disabled);
656
+ console.log(" [privileged] disable hardware watchdog for install duration (RuntimeWatchdogSec=0)");
657
+ shell("mkdir", ["-p", dropinDir], { sudo: true });
658
+ shell("cp", [tmpPath, dropinPath], { sudo: true });
659
+ spawnSync("rm", ["-f", tmpPath]);
660
+ spawnSync("sudo", ["systemctl", "daemon-reexec"], { stdio: "inherit" });
661
+ logFile(` hardware watchdog: disabled for install (${dropinPath}, RuntimeWatchdogSec=0; re-armed at install end)`);
662
+ }
663
+ catch (err) {
664
+ console.error(` WARNING: failed to disable hardware watchdog for install: ${err instanceof Error ? err.message : String(err)}`);
665
+ }
666
+ }
620
667
  function configureHardwareWatchdog() {
621
668
  try {
622
669
  if (!isLinux()) {
@@ -640,18 +687,33 @@ function configureHardwareWatchdog() {
640
687
  current = "";
641
688
  }
642
689
  }
643
- if (current === desired) {
644
- logFile(` hardware watchdog: already active (${dropinPath})`);
690
+ if (current !== desired) {
691
+ const tmpPath = "/tmp/10-maxy-watchdog.conf";
692
+ writeFileSync(tmpPath, desired);
693
+ console.log(" [privileged] install systemd hardware watchdog drop-in (RuntimeWatchdogSec=20s RebootWatchdogSec=2min)");
694
+ shell("mkdir", ["-p", dropinDir], { sudo: true });
695
+ shell("cp", [tmpPath, dropinPath], { sudo: true });
696
+ spawnSync("rm", ["-f", tmpPath]);
697
+ }
698
+ // Arm now, idempotently. The drop-in being on disk does NOT mean the live
699
+ // PID1 has the watchdog active — a prior install that only ran daemon-reload,
700
+ // or a just-removed disable override (RuntimeWatchdogSec=0), leaves the file
701
+ // present but RuntimeWatchdogUSec=0. So read the live value and only skip the
702
+ // re-exec when the watchdog is genuinely armed already; otherwise daemon-reexec
703
+ // re-execs PID1 in place (host-wide; running services are preserved) to apply
704
+ // the system-manager setting. daemon-reload does not apply RuntimeWatchdogSec.
705
+ const liveUsec = spawnSync("systemctl", ["show", "-p", "RuntimeWatchdogUSec", "--value"], {
706
+ encoding: "utf-8",
707
+ stdio: "pipe",
708
+ timeout: 5_000,
709
+ });
710
+ const usec = (liveUsec.stdout ?? "").trim();
711
+ if (current === desired && usec !== "" && usec !== "0") {
712
+ logFile(` hardware watchdog: already active (${dropinPath}, RuntimeWatchdogUSec=${usec})`);
645
713
  return;
646
714
  }
647
- const tmpPath = "/tmp/10-maxy-watchdog.conf";
648
- writeFileSync(tmpPath, desired);
649
- console.log(" [privileged] install systemd hardware watchdog drop-in (RuntimeWatchdogSec=20s RebootWatchdogSec=2min)");
650
- shell("mkdir", ["-p", dropinDir], { sudo: true });
651
- shell("cp", [tmpPath, dropinPath], { sudo: true });
652
- spawnSync("rm", ["-f", tmpPath]);
653
- spawnSync("sudo", ["systemctl", "daemon-reload"], { stdio: "inherit" });
654
- logFile(` hardware watchdog: enabled (wrote ${dropinPath}; arms on next boot or systemd re-exec)`);
715
+ spawnSync("sudo", ["systemctl", "daemon-reexec"], { stdio: "inherit" });
716
+ logFile(` hardware watchdog: enabled (${dropinPath}; armed now via daemon-reexec, after the build/swap window)`);
655
717
  }
656
718
  catch (err) {
657
719
  console.error(` WARNING: failed to configure hardware watchdog: ${err instanceof Error ? err.message : String(err)}`);
@@ -1502,6 +1564,28 @@ WantedBy=multi-user.target
1502
1564
  spawnSync("sudo", ["systemctl", "daemon-reload"], { stdio: "inherit" });
1503
1565
  console.log(" [privileged] systemctl enable");
1504
1566
  shell("systemctl", ["enable", serviceName], { sudo: true });
1567
+ // Tear down a legacy-package dedicated Neo4j unit pinning the same port.
1568
+ // The `-code` rewrite packages (`create-<brand>-code`) replace the legacy
1569
+ // `create-<brand>` packages. When migrating a device from legacy to -code,
1570
+ // both packages' dedicated Neo4j units exist (`neo4j-<brand>.service` and
1571
+ // `neo4j-<brand>-code.service`) and both try to bind the same dedicated
1572
+ // bolt port. The legacy unit wins the race (it boots first because it's
1573
+ // alphabetically earlier in systemd's load order), the new unit silently
1574
+ // fails with `bind failed -98 Address already in use`, and the seed step
1575
+ // talks to the legacy instance with the wrong password — auth fails with
1576
+ // a misleading "client is unauthorized" (observed on beacons).
1577
+ if (brandSuffix.endsWith("-code")) {
1578
+ const legacyBrand = brandSuffix.slice(0, -"-code".length);
1579
+ const legacyUnit = `neo4j-${legacyBrand}.service`;
1580
+ const legacyUnitFile = `/etc/systemd/system/${legacyUnit}`;
1581
+ if (existsSync(legacyUnitFile)) {
1582
+ const legacyMsg = ` [neo4j] legacy unit detected (${legacyUnit}) — stopping + disabling so the -code unit owns port ${NEO4J_PORT}`;
1583
+ console.log(legacyMsg);
1584
+ logFile(legacyMsg);
1585
+ shell("systemctl", ["stop", legacyUnit], { sudo: true, bestEffort: true });
1586
+ shell("systemctl", ["disable", legacyUnit], { sudo: true, bestEffort: true });
1587
+ }
1588
+ }
1505
1589
  // skip stop+disable when a peer brand on this host still depends
1506
1590
  // on the apt `neo4j.service` (port 7687). Disabling it would kill the peer's
1507
1591
  // database reproducer on Neo's laptop. The kept-active path is
@@ -2794,7 +2878,29 @@ function writeInstallDefaults(accountId) {
2794
2878
  mkdirSync(publicDir, { recursive: true });
2795
2879
  const publicTemplatesDir = join(INSTALL_DIR, "platform/templates/agents/public");
2796
2880
  const publicIdentityDst = join(publicDir, "IDENTITY.md");
2797
- cpSync(join(publicTemplatesDir, "IDENTITY.md"), publicIdentityDst);
2881
+ const publicIdentitySrc = join(publicTemplatesDir, "IDENTITY.md");
2882
+ cpSync(publicIdentitySrc, publicIdentityDst);
2883
+ // Defensive verify: a 0-byte IDENTITY.md silently traps the brand server
2884
+ // in STARTING (the reachability auditor logs `reachable=false reason=files
2885
+ // -missing IDENTITY.md:empty` every minute and the splash never clears).
2886
+ // Observed on 192.168.88.16 after a re-install: source 1655 bytes, dest
2887
+ // 0 bytes. Loud-fail here so a corrupt copy can never reach the device's
2888
+ // runtime.
2889
+ try {
2890
+ const srcBytes = statSync(publicIdentitySrc).size;
2891
+ const dstBytes = statSync(publicIdentityDst).size;
2892
+ if (dstBytes === 0 || dstBytes !== srcBytes) {
2893
+ throw new Error(`public-identity copy verify failed: src=${publicIdentitySrc} (${srcBytes} bytes) ` +
2894
+ `dst=${publicIdentityDst} (${dstBytes} bytes). A 0-byte or partial copy traps the brand ` +
2895
+ `server in STARTING forever — re-run the installer after restoring the template, or ` +
2896
+ `report this as a copy regression.`);
2897
+ }
2898
+ }
2899
+ catch (err) {
2900
+ if (err instanceof Error && err.message.startsWith("public-identity copy verify failed"))
2901
+ throw err;
2902
+ throw new Error(`public-identity verify stat failed: ${err instanceof Error ? err.message : String(err)}`);
2903
+ }
2798
2904
  console.log(` [install-defaults] public-identity path=${publicIdentityDst}`);
2799
2905
  logFile(` [install-defaults] public-identity path=${publicIdentityDst}`);
2800
2906
  }
@@ -4255,8 +4361,12 @@ console.log("");
4255
4361
  logDiagnostics("pre-flight");
4256
4362
  logFile(` Neo4j instance: ${NEO4J_DEDICATED ? "dedicated" : "shared"} on bolt://localhost:${NEO4J_PORT}`);
4257
4363
  try {
4364
+ // Disable any pre-existing hardware-watchdog drop-in BEFORE any heavy step.
4365
+ // configureHardwareWatchdog() re-arms it at install end. Without this, the
4366
+ // 20s deadline armed from boot reboots the box mid-install on every install
4367
+ // after the first.
4368
+ disableHardwareWatchdogForInstall();
4258
4369
  installSystemDeps();
4259
- configureHardwareWatchdog();
4260
4370
  installNodejs();
4261
4371
  installClaudeCode();
4262
4372
  installNeo4j();
@@ -4314,6 +4424,11 @@ try {
4314
4424
  const ok = freezing ? immutable : !immutable;
4315
4425
  console.log(` [agent-guard] op=${ok ? op : `${op}-failed`} target=${target}`);
4316
4426
  }
4427
+ // Arm the hardware watchdog as the final install action — after the heavy
4428
+ // build/swap window, so a tight watchdog can never reboot the box mid-install
4429
+ // (the reboot-loop this defends against). A partial/failed install exits
4430
+ // before this point and never writes the drop-in.
4431
+ configureHardwareWatchdog();
4317
4432
  console.log("");
4318
4433
  console.log("================================================================");
4319
4434
  console.log("");
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@rubytech/create-maxy-code",
3
- "version": "0.1.332",
3
+ "version": "0.1.334",
4
4
  "description": "Install Maxy — AI for Productive People",
5
5
  "bin": {
6
6
  "create-maxy-code": "./dist/index.js"
@@ -145,6 +145,15 @@ SETTINGS_EOF
145
145
  [ "$_AGENT_NAME" = "admin" ] && continue
146
146
  [ -f "$_AGENT_DIR/IDENTITY.md" ] || continue
147
147
  cp "$TEMPLATES_DIR/agents/public/IDENTITY.md" "$_AGENT_DIR/IDENTITY.md"
148
+ # Defensive verify — a 0-byte cp traps the brand server in STARTING (the
149
+ # reachability auditor reports `reachable=false reason=files-missing
150
+ # IDENTITY.md:empty` every minute). Observed on 192.168.88.16 after a
151
+ # re-install: source 1655 bytes, dest 0 bytes. Loud-fail here so the
152
+ # operator sees the bad write at install time, not the splash forever.
153
+ if [ ! -s "$_AGENT_DIR/IDENTITY.md" ]; then
154
+ echo " [setup] FATAL agents/$_AGENT_NAME/IDENTITY.md is empty after copy from $TEMPLATES_DIR/agents/public/IDENTITY.md ($(wc -c < "$TEMPLATES_DIR/agents/public/IDENTITY.md") bytes); aborting before the brand server starts" >&2
155
+ return 1
156
+ fi
148
157
  echo " agents/$_AGENT_NAME/IDENTITY.md re-synced"
149
158
  done
150
159