@rubytech/create-realagent-code 0.1.21 → 0.1.23

package/dist/__tests__/samba-provision.test.js

@@ -0,0 +1,202 @@
+// Task 034 — acceptance grid for samba-provision.ts pure layer.
+//
+// Locks every branch of the rendering, merging, removal, interface-pick, and
+// marker-format functions. No spawnSync, no /etc reads — every test feeds
+// concrete strings or interface fixtures. Mirrors apt-resolve.test.ts in
+// style and runs under `node --test dist/__tests__/*.test.js` after build.
+import test from "node:test";
+import assert from "node:assert/strict";
+import { renderBrandStanza, renderGlobalSection, renderFullSmbConf, pickLanInterface, mergeSmbConf, removeBrandStanza, hasAnyBrandStanza, formatSambaMarker, SAMBA_STEPS, } from "../samba-provision.js";
+// ---------------------------------------------------------------------------
+// Fixtures
+// ---------------------------------------------------------------------------
+const PI_WLAN0_ONLY = {
+    lo: [{ address: "127.0.0.1", netmask: "255.0.0.0", family: "IPv4", mac: "00:00:00:00:00:00", internal: true, cidr: "127.0.0.1/8" }],
+    wlan0: [{ address: "192.168.1.50", netmask: "255.255.255.0", family: "IPv4", mac: "aa:bb:cc:dd:ee:ff", internal: false, cidr: "192.168.1.50/24" }],
+};
+const PI_BOTH_IFACES = {
+    lo: [{ address: "127.0.0.1", netmask: "255.0.0.0", family: "IPv4", mac: "00:00:00:00:00:00", internal: true, cidr: "127.0.0.1/8" }],
+    eth0: [{ address: "10.0.0.5", netmask: "255.255.255.0", family: "IPv4", mac: "11:11:11:11:11:11", internal: false, cidr: "10.0.0.5/24" }],
+    wlan0: [{ address: "192.168.1.50", netmask: "255.255.255.0", family: "IPv4", mac: "aa:bb:cc:dd:ee:ff", internal: false, cidr: "192.168.1.50/24" }],
+};
+const PI_ETH0_ONLY = {
+    lo: [{ address: "127.0.0.1", netmask: "255.0.0.0", family: "IPv4", mac: "00:00:00:00:00:00", internal: true, cidr: "127.0.0.1/8" }],
+    eth0: [{ address: "10.0.0.5", netmask: "255.255.255.0", family: "IPv4", mac: "11:11:11:11:11:11", internal: false, cidr: "10.0.0.5/24" }],
+};
+const PI_LO_ONLY = {
+    lo: [{ address: "127.0.0.1", netmask: "255.0.0.0", family: "IPv4", mac: "00:00:00:00:00:00", internal: true, cidr: "127.0.0.1/8" }],
+};
+const PI_IPV6_ONLY_LAN = {
+    lo: [{ address: "127.0.0.1", netmask: "255.0.0.0", family: "IPv4", mac: "00:00:00:00:00:00", internal: true, cidr: "127.0.0.1/8" }],
+    eth0: [{ address: "fe80::1", netmask: "ffff:ffff:ffff:ffff::", family: "IPv6", mac: "11:11:11:11:11:11", internal: false, cidr: "fe80::1/64", scopeid: 0 }],
+};
+const PI_USB0_FALLBACK = {
+    lo: [{ address: "127.0.0.1", netmask: "255.0.0.0", family: "IPv4", mac: "00:00:00:00:00:00", internal: true, cidr: "127.0.0.1/8" }],
+    usb0: [{ address: "172.17.0.2", netmask: "255.255.255.0", family: "IPv4", mac: "22:22:22:22:22:22", internal: false, cidr: "172.17.0.2/24" }],
+};
+// ---------------------------------------------------------------------------
+// pickLanInterface
+// ---------------------------------------------------------------------------
+test("pickLanInterface: wlan0 wins over eth0 when both present", () => {
+    assert.equal(pickLanInterface(PI_BOTH_IFACES), "wlan0");
+});
+test("pickLanInterface: wlan0 alone is picked", () => {
+    assert.equal(pickLanInterface(PI_WLAN0_ONLY), "wlan0");
+});
+test("pickLanInterface: eth0 alone is picked", () => {
+    assert.equal(pickLanInterface(PI_ETH0_ONLY), "eth0");
+});
+test("pickLanInterface: fallback to any non-loopback IPv4 (usb0)", () => {
+    assert.equal(pickLanInterface(PI_USB0_FALLBACK), "usb0");
+});
+test("pickLanInterface: returns null when only loopback is present", () => {
+    assert.equal(pickLanInterface(PI_LO_ONLY), null);
+});
+test("pickLanInterface: returns null when the only non-loopback iface has no IPv4", () => {
+    // smbd cannot bind to an IPv6-only address with `interfaces = lo eth0` syntax
+    // unmodified; treat as no usable LAN interface so caller loud-fails rather
+    // than writing a broken smb.conf.
+    assert.equal(pickLanInterface(PI_IPV6_ONLY_LAN), null);
+});
+// ---------------------------------------------------------------------------
+// renderBrandStanza — exact spec match
+// ---------------------------------------------------------------------------
+test("renderBrandStanza emits the spec directives in order", () => {
+    const stanza = renderBrandStanza({ brand: "maxy-code", sharePath: "/home/admin/maxy-code" });
+    assert.equal(stanza, [
+        "[maxy-code]",
+        "   path = /home/admin/maxy-code",
+        "   read only = no",
+        "   valid users = admin",
+        "   force user = admin",
+        "   browseable = yes",
+        "   create mask = 0664",
+        "   directory mask = 0775",
+        "",
+    ].join("\n"));
+});
+test("renderBrandStanza handles realagent-code with its own share path", () => {
+    const stanza = renderBrandStanza({ brand: "realagent-code", sharePath: "/home/admin/realagent-code" });
+    assert.match(stanza, /^\[realagent-code\]\n/);
+    assert.match(stanza, /\n   path = \/home\/admin\/realagent-code\n/);
+    assert.match(stanza, /\n   force user = admin\n/);
+});
+// ---------------------------------------------------------------------------
+// renderGlobalSection — LAN-only enforcement
+// ---------------------------------------------------------------------------
+test("renderGlobalSection binds to lo + LAN interface only", () => {
+    const globals = renderGlobalSection({ lanInterface: "wlan0" });
+    assert.match(globals, /^\[global\]\n/);
+    assert.match(globals, /\n   interfaces = lo wlan0\n/);
+    assert.match(globals, /\n   bind interfaces only = yes\n/);
+    // No `map to guest = ok` — guests are explicitly rejected as bad-user.
+    assert.match(globals, /\n   map to guest = bad user\n/);
+});
+// ---------------------------------------------------------------------------
+// renderFullSmbConf — composition order
+// ---------------------------------------------------------------------------
+test("renderFullSmbConf places globals before the brand stanza", () => {
+    const conf = renderFullSmbConf({ brand: "maxy-code", sharePath: "/home/admin/maxy-code", lanInterface: "wlan0" });
+    const globalIdx = conf.indexOf("[global]");
+    const brandIdx = conf.indexOf("[maxy-code]");
+    assert.ok(globalIdx >= 0 && brandIdx > globalIdx, "[global] must come before [maxy-code]");
+});
+// ---------------------------------------------------------------------------
+// mergeSmbConf — idempotency and section preservation
+// ---------------------------------------------------------------------------
+test("mergeSmbConf: empty existing conf gets globals + brand stanza", () => {
+    const merged = mergeSmbConf({ existing: "", brand: "maxy-code", sharePath: "/home/admin/maxy-code", lanInterface: "wlan0" });
+    assert.match(merged, /\[global\][\s\S]+\[maxy-code\]/);
+    assert.match(merged, /interfaces = lo wlan0/);
+});
+test("mergeSmbConf: idempotent on second application", () => {
+    const once = mergeSmbConf({ existing: "", brand: "maxy-code", sharePath: "/home/admin/maxy-code", lanInterface: "wlan0" });
+    const twice = mergeSmbConf({ existing: once, brand: "maxy-code", sharePath: "/home/admin/maxy-code", lanInterface: "wlan0" });
+    assert.equal(twice, once, "second merge must produce byte-identical output");
+});
+test("mergeSmbConf: replaces an existing global section in place, preserving peer stanzas", () => {
+    const existing = [
+        "[global]",
+        "   workgroup = OLDGROUP",
+        "   interfaces = lo eth0 wlan0",
+        "",
+        "[printers]",
+        "   path = /var/spool/samba",
+        "   guest ok = yes",
+        "",
+    ].join("\n");
+    const merged = mergeSmbConf({ existing, brand: "maxy-code", sharePath: "/home/admin/maxy-code", lanInterface: "wlan0" });
+    assert.match(merged, /interfaces = lo wlan0/);
+    assert.doesNotMatch(merged, /workgroup = OLDGROUP/);
+    assert.match(merged, /\[printers\][\s\S]+path = \/var\/spool\/samba/, "[printers] stanza must survive");
+    assert.match(merged, /\[maxy-code\][\s\S]+path = \/home\/admin\/maxy-code/);
+});
+test("mergeSmbConf: replaces an existing brand stanza in place, leaves peer brand alone", () => {
+    const peerStanza = renderBrandStanza({ brand: "realagent-code", sharePath: "/home/admin/realagent-code" });
+    const oldBrandStanza = "[maxy-code]\n   path = /OLD/PATH\n   read only = yes\n\n";
+    const existing = renderGlobalSection({ lanInterface: "eth0" }) + oldBrandStanza + peerStanza;
+    const merged = mergeSmbConf({ existing, brand: "maxy-code", sharePath: "/home/admin/maxy-code", lanInterface: "wlan0" });
+    assert.doesNotMatch(merged, /\/OLD\/PATH/, "old maxy-code path must be replaced");
+    assert.doesNotMatch(merged, /read only = yes/, "old maxy-code directives must be replaced");
+    assert.match(merged, /\[realagent-code\][\s\S]+path = \/home\/admin\/realagent-code/, "peer brand stanza must survive");
+    assert.match(merged, /\[maxy-code\][\s\S]+path = \/home\/admin\/maxy-code/);
+});
+test("mergeSmbConf: appends brand stanza when not present, keeps existing peer stanzas", () => {
+    const peerStanza = renderBrandStanza({ brand: "realagent-code", sharePath: "/home/admin/realagent-code" });
+    const existing = renderGlobalSection({ lanInterface: "eth0" }) + peerStanza;
+    const merged = mergeSmbConf({ existing, brand: "maxy-code", sharePath: "/home/admin/maxy-code", lanInterface: "wlan0" });
+    assert.match(merged, /\[realagent-code\]/, "peer brand stanza must survive");
+    assert.match(merged, /\[maxy-code\][\s\S]+path = \/home\/admin\/maxy-code/, "new brand stanza must be appended");
+});
+// ---------------------------------------------------------------------------
+// removeBrandStanza — peer-brand isolation
+// ---------------------------------------------------------------------------
+test("removeBrandStanza: removes only this brand, leaves peer brand and global intact", () => {
+    const conf = mergeSmbConf({
+        existing: renderBrandStanza({ brand: "realagent-code", sharePath: "/home/admin/realagent-code" }),
+        brand: "maxy-code",
+        sharePath: "/home/admin/maxy-code",
+        lanInterface: "wlan0",
+    });
+    const after = removeBrandStanza({ existing: conf, brand: "maxy-code" });
+    assert.doesNotMatch(after, /\[maxy-code\]/);
+    assert.match(after, /\[realagent-code\]/);
+    assert.match(after, /\[global\]/);
+});
+test("removeBrandStanza: returns input unchanged when stanza is absent", () => {
+    const conf = mergeSmbConf({ existing: "", brand: "realagent-code", sharePath: "/home/admin/realagent-code", lanInterface: "wlan0" });
+    const after = removeBrandStanza({ existing: conf, brand: "maxy-code" });
+    assert.equal(after, conf);
+});
+// ---------------------------------------------------------------------------
+// hasAnyBrandStanza — apt-purge gate
+// ---------------------------------------------------------------------------
+test("hasAnyBrandStanza: false when only [global] is present", () => {
+    const conf = renderGlobalSection({ lanInterface: "wlan0" });
+    assert.equal(hasAnyBrandStanza(conf), false);
+});
+test("hasAnyBrandStanza: true when any non-global stanza is present", () => {
+    const conf = renderGlobalSection({ lanInterface: "wlan0" }) +
+        renderBrandStanza({ brand: "realagent-code", sharePath: "/home/admin/realagent-code" });
+    assert.equal(hasAnyBrandStanza(conf), true);
+});
+test("hasAnyBrandStanza: false when both brand stanzas have been removed", () => {
+    let conf = renderFullSmbConf({ brand: "maxy-code", sharePath: "/home/admin/maxy-code", lanInterface: "wlan0" });
+    conf = mergeSmbConf({ existing: conf, brand: "realagent-code", sharePath: "/home/admin/realagent-code", lanInterface: "wlan0" });
+    conf = removeBrandStanza({ existing: conf, brand: "maxy-code" });
+    conf = removeBrandStanza({ existing: conf, brand: "realagent-code" });
+    assert.equal(hasAnyBrandStanza(conf), false);
+});
+// ---------------------------------------------------------------------------
+// formatSambaMarker / SAMBA_STEPS — the install-invariant contract
+// ---------------------------------------------------------------------------
+test("SAMBA_STEPS is exactly [apt, conf, user, units] in order", () => {
+    // Locked here so a refactor that reorders the steps must update this test
+    // deliberately. The task brief pins the four-step contract.
+    assert.deepEqual([...SAMBA_STEPS], ["apt", "conf", "user", "units"]);
+});
+test("formatSambaMarker emits the `[install-invariant] samba-provision-<step> <state>` shape", () => {
+    assert.equal(formatSambaMarker("apt", "ok"), "[install-invariant] samba-provision-apt ok");
+    assert.equal(formatSambaMarker("user", "deferred reason=no-plaintext-pin"), "[install-invariant] samba-provision-user deferred reason=no-plaintext-pin");
+    assert.equal(formatSambaMarker("units", "fail: Job for smbd.service failed"), "[install-invariant] samba-provision-units fail: Job for smbd.service failed");
+});

package/dist/index.js

@@ -14,6 +14,8 @@ import { parseSwVers, isSupportedMacosVersion } from "./macos-version.js";
 import { decideChromiumAction, isSnapConfinedPath } from "./snap-chromium.js";
 import { classifyPortHolder } from "./preflight-port-classifier.js";
 import { parsePluginList, computeInstallActions, computeConfigureActions, parseExternalPlugins, } from "./lib/plugin-install.js";
+import { pickLanInterface, mergeSmbConf, formatSambaMarker, } from "./samba-provision.js";
+import { networkInterfaces } from "node:os";
 const PAYLOAD_DIR = resolve(import.meta.dirname, "../payload");
 // Brand manifest — read from payload to derive all brand-specific installation values.
 // The bundler stamps brand.json into the payload at build time.
@@ -2424,18 +2426,17 @@ function installTunnelScripts() {
     createTunnelSymlink(listLink, listSrc);
 }
 // ---------------------------------------------------------------------------
-// Account discovery (shared between installService + installCrons)
+// Account discovery (shared by installService + the post-install summary)
 //
 // Task 955 — `installService` stamps `Environment=ACCOUNT_ID=` into the brand
 // systemd unit so the writeNodeWithEdges gate has a non-undefined identity to
-// compare against; `installCrons` needs the same value to scope cron stdout
-// to the per-account log dir + stamp ACCOUNT_ID into the cron entry env.
-// Both pull from `INSTALL_DIR/data/accounts/<uuid>/account.json` written by
-// seed-neo4j.sh during setupAccount(). One reader, one shape, one source of
-// truth — without sharing, the two callers would drift on classification of
-// `corrupt account.json` (one might count it, the other might not) and the
-// gate would reject writes the cron's "scoped" log was already happily
-// publishing under that uuid.
+// compare against. Pulled from `INSTALL_DIR/data/accounts/<uuid>/account.json`
+// written by seed-neo4j.sh during setupAccount(). One reader, one shape, one
+// source of truth.
+//
+// Task 039 retired the installer's cron registration — `resolveInstallAccountId`
+// kept its second consumer (installService) and is referenced again at print
+// time for the post-install banner.
 // ---------------------------------------------------------------------------
 function resolveInstallAccountId() {
     const accountsDir = join(INSTALL_DIR, "data/accounts");
@@ -2450,68 +2451,13 @@ function resolveInstallAccountId() {
     catch { /* directory unreadable */ }
     return "";
 }
-// ---------------------------------------------------------------------------
-// Cron Registration
-//
-// Registers platform cron jobs (heartbeat, email-fetch, email-auto-respond).
-// Uses BEGIN/END markers for idempotent replacement on re-install.
-// Crons persist across reboots — registered once at install time.
-// Email crons run unconditionally; scripts exit early if unconfigured.
-// ---------------------------------------------------------------------------
-const CRON_BLOCK_BEGIN = `# BEGIN ${BRAND.productName.toUpperCase()} CRONS`;
-const CRON_BLOCK_END = `# END ${BRAND.productName.toUpperCase()} CRONS`;
-function installCrons() {
-    if (!isLinux())
-        return;
-    const nodeBin = spawnSync("which", ["node"], { encoding: "utf-8" }).stdout.trim() || "/usr/bin/node";
-    const platformRoot = join(INSTALL_DIR, "platform");
-    // Account discovery shared with installService — see resolveInstallAccountId.
-    const accountId = resolveInstallAccountId();
-    const accountsDir = join(INSTALL_DIR, "data/accounts");
-    if (!accountId) {
-        console.error("  Cron jobs: skipped — no account found. Crons will register on the next install after account creation.");
-        logFile("  cron registration skipped: no account directory with account.json found");
-        return;
-    }
-    const accountLogDir = join(accountsDir, accountId, "logs");
-    // NEO4J_URI is explicit per brand so a secondary-brand install (dedicated
-    // Neo4j on a non-default port) doesn't silently fall back to
-    // bolt://localhost:7687 in cron — cron inherits none of the user's shell
-    // env or .env file. Without this, the scheduler writes and reads from the
-    // shared default instance, producing cross-install event leaks (Task 571).
-    const accountEnv = `ACCOUNT_ID=${accountId} NEO4J_URI=bolt://localhost:${NEO4J_PORT} `;
-    const cronEntries = [
-        `* * * * * mkdir -p ${accountLogDir} && PLATFORM_ROOT=${platformRoot} ${accountEnv}${nodeBin} ${platformRoot}/plugins/scheduling/mcp/dist/scripts/check-due-events.js >> ${accountLogDir}/check-due-events.log 2>&1 # heartbeat`,
-        `* * * * * mkdir -p ${accountLogDir} && PLATFORM_ROOT=${platformRoot} ${accountEnv}${nodeBin} ${platformRoot}/plugins/email/mcp/dist/scripts/email-fetch.js >> ${accountLogDir}/email-fetch.log 2>&1 # email-fetch`,
-        `* * * * * mkdir -p ${accountLogDir} && PLATFORM_ROOT=${platformRoot} ${accountEnv}${nodeBin} ${platformRoot}/plugins/email/mcp/dist/scripts/email-auto-respond.js >> ${accountLogDir}/email-auto-respond.log 2>&1 # email-auto-respond`,
-    ];
-    // Read existing crontab (empty string if none)
-    const existing = spawnSync("crontab", ["-l"], { encoding: "utf-8", stdio: ["pipe", "pipe", "pipe"] });
-    const currentCrontab = existing.status === 0 ? existing.stdout : "";
-    // Strip any existing Maxy cron block
-    const blockPattern = new RegExp(`${CRON_BLOCK_BEGIN}[\\s\\S]*?${CRON_BLOCK_END}\\n?`, "g");
-    const cleaned = currentCrontab.replace(blockPattern, "").trimEnd();
-    // Build new crontab with Maxy block
-    const newBlock = [
-        CRON_BLOCK_BEGIN,
-        ...cronEntries,
-        CRON_BLOCK_END,
-    ].join("\n");
-    const newCrontab = cleaned ? `${cleaned}\n${newBlock}\n` : `${newBlock}\n`;
-    // Write the new crontab
-    const write = spawnSync("crontab", ["-"], {
-        input: newCrontab,
-        encoding: "utf-8",
-        stdio: ["pipe", "pipe", "pipe"],
-    });
-    if (write.status === 0) {
-        console.log("  Cron jobs: registered (heartbeat, email-fetch, email-auto-respond)");
-    }
-    else {
-        console.error(`  Cron jobs: failed to register — ${(write.stderr || "").trim()}`);
-        logFile(`  crontab write failed: ${write.stderr}`);
-    }
-}
+// Task 039 — `installCrons()` and the `# BEGIN/END <BRAND> CRONS` block lived
+// here. All such events must be user-driven, not scheduled by the installer.
+// The legacy block recreated `data/accounts/<accountId>/logs/` every 60s via
+// `mkdir -p`, which tripped seed-neo4j.sh's stub-account-dirs guard on every
+// reinstall after `rm -rf ~/<installDir>`. Uninstall now strips the legacy
+// block (uninstall.ts `removeLegacyCronBlock`) so older installs migrate
+// cleanly. Consumer-side dispatcher replacement is tracked separately.
 // Task 664 retired the ttyd/tmux/xterm admin terminal stack. Upgrades run
 // via the action runner — `systemd-run --user` transient units spawned by
 // POST /api/admin/actions/upgrade — whose lifetime is independent of
@@ -3122,8 +3068,6 @@ WantedBy=multi-user.target
     if (!webServerUp) {
         console.log(`  Server may still be starting. Check http://${DEVICE_HOSTNAME}.local:${PORT} in a moment.`);
     }
-    // Register cron jobs — depends on web server, independent of CDP
-    installCrons();
     // Validate CDP: the programmatic Playwright MCP server connects to Chromium
     // via --cdp-endpoint http://127.0.0.1:9222. In virtual (VNC) mode, Chromium is
     // started by vnc.sh (ExecStartPre) before the web server — a failed probe here
@@ -3183,6 +3127,111 @@ WantedBy=multi-user.target
     }
 }
 // ---------------------------------------------------------------------------
+// Task 034 — Samba provisioning. Runs after installService() so SMB never
+// blocks the admin server starting; pure decisions live in samba-provision.ts.
+//
+// Four steps, each emitting one [install-invariant] samba-provision-<step>
+// marker:
+//   apt   — install the `samba` package
+//   conf  — write the brand stanza + LAN-only globals to /etc/samba/smb.conf
+//   user  — smbpasswd the admin Linux user; deferred at install time on fresh
+//           Pi installs (no plaintext PIN until the operator runs set-pin)
+//   units — systemctl enable --now smbd nmbd
+//
+// The platform's set-pin route handler closes the deferral loop by running
+// `smbpasswd -a admin` inline whenever the PIN is set or rotated.
+// ---------------------------------------------------------------------------
+function emitSambaMarker(step, state) {
+    const line = formatSambaMarker(step, state);
+    console.log(`  ${line}`);
+    logFile(`  ${line}`);
+}
+function provisionSamba() {
+    if (!isLinux()) {
+        logFile(`  samba-provision skipped: platform=${process.platform}`);
+        return;
+    }
+    const brand = BRAND.hostname;
+    const sharePath = INSTALL_DIR;
+    // Step 1 — apt install samba (reuses installAptGroup so resolution, post-
+    // check, and apt diagnostics are identical to every other system dep).
+    try {
+        installAptGroup("samba", ["samba"]);
+        emitSambaMarker("apt", "ok");
+    }
+    catch (err) {
+        const stderr = err instanceof Error ? err.message : String(err);
+        emitSambaMarker("apt", `fail: ${stderr}`);
+        throw err;
+    }
+    // Step 2 — write the brand stanza into /etc/samba/smb.conf.
+    const lanInterface = pickLanInterface(networkInterfaces());
+    if (!lanInterface) {
+        emitSambaMarker("conf", "fail: no non-loopback IPv4 interface");
+        throw new Error("samba-provision: no LAN interface with IPv4 — cannot bind smbd safely");
+    }
+    const SMB_CONF = "/etc/samba/smb.conf";
+    let existing = "";
+    if (existsSync(SMB_CONF)) {
+        try {
+            const cat = spawnSync("sudo", ["cat", SMB_CONF], { encoding: "utf-8", stdio: "pipe", timeout: 5_000 });
+            if (cat.status === 0)
+                existing = cat.stdout ?? "";
+        }
+        catch { /* treat as empty */ }
+    }
+    const merged = mergeSmbConf({ existing, brand, sharePath, lanInterface });
+    try {
+        const tee = spawnSync("sudo", ["tee", SMB_CONF], { input: merged, encoding: "utf-8", stdio: ["pipe", "pipe", "pipe"], timeout: 10_000 });
+        if (tee.status !== 0) {
+            throw new Error(`sudo tee ${SMB_CONF} exited ${tee.status}: ${(tee.stderr ?? "").trim()}`);
+        }
+        const testparm = spawnSync("sudo", ["testparm", "-s", "--suppress-prompt"], { stdio: "pipe", encoding: "utf-8", timeout: 10_000 });
+        if (testparm.status !== 0) {
+            throw new Error(`testparm rejected merged smb.conf: ${(testparm.stderr ?? "").trim()}`);
+        }
+        // Grant passwordless sudo to the admin user for the two smbpasswd
+        // invocations the platform's set-pin route makes (add-user-with-stdin
+        // and remove-user). Without this, the user systemd-unit-spawned admin
+        // server cannot sync the SMB password when the operator sets/rotates
+        // the PIN. Scoped tight: only these two literal arg-vectors are
+        // permitted; every other smbpasswd flavour still prompts.
+        const SUDOERS = "/etc/sudoers.d/maxy-samba";
+        const sudoersBody = "# Task 034 — maxy-code Samba provisioning (smbpasswd sync from platform set-pin route).\n" +
+            "admin ALL=(root) NOPASSWD: /usr/bin/smbpasswd -a -s admin, /usr/bin/smbpasswd -x admin\n";
+        const sudoersTee = spawnSync("sudo", ["tee", SUDOERS], { input: sudoersBody, encoding: "utf-8", stdio: ["pipe", "pipe", "pipe"], timeout: 5_000 });
+        if (sudoersTee.status !== 0) {
+            throw new Error(`sudo tee ${SUDOERS} exited ${sudoersTee.status}: ${(sudoersTee.stderr ?? "").trim()}`);
+        }
+        spawnSync("sudo", ["chmod", "0440", SUDOERS], { stdio: "pipe", timeout: 5_000 });
+        const visudoCheck = spawnSync("sudo", ["visudo", "-c", "-f", SUDOERS], { stdio: "pipe", encoding: "utf-8", timeout: 5_000 });
+        if (visudoCheck.status !== 0) {
+            throw new Error(`visudo rejected ${SUDOERS}: ${(visudoCheck.stderr ?? "").trim()}`);
+        }
+        emitSambaMarker("conf", `ok lan=${lanInterface}`);
+    }
+    catch (err) {
+        const stderr = err instanceof Error ? err.message : String(err);
+        emitSambaMarker("conf", `fail: ${stderr}`);
+        throw err;
+    }
+    // Step 3 — smbpasswd for the admin user. At install time the plaintext PIN
+    // is not in any file on disk (users.json stores the SHA-256 hash only); the
+    // platform's set-pin route is responsible for syncing on PIN set/rotate.
+    // Mark as deferred so the four-marker contract still fires unbroken.
+    emitSambaMarker("user", "deferred reason=no-plaintext-pin-at-install (set-pin route syncs)");
+    // Step 4 — enable + start smbd and nmbd.
+    try {
+        shell("systemctl", ["enable", "--now", "smbd", "nmbd"], { sudo: true, timeout: 30_000 });
+        emitSambaMarker("units", "ok");
+    }
+    catch (err) {
+        const stderr = err instanceof Error ? err.message : String(err);
+        emitSambaMarker("units", `fail: ${stderr}`);
+        throw err;
+    }
+}
+// ---------------------------------------------------------------------------
 // Main
 // ---------------------------------------------------------------------------
 // Route to uninstall if --uninstall flag is present
@@ -3516,6 +3565,11 @@ try {
     setupAccount();
     installTunnelScripts(); // ~/setup-tunnel.sh, ~/reset-tunnel.sh — the SKILL contract
     installService();
+    // Task 034 — Samba on the LAN. Runs after the brand systemd unit is up so
+    // SMB provisioning never blocks the admin server starting; loud-fail per
+    // step. The smbpasswd `user` step is deferred at install time and synced
+    // by the platform's /set-pin route when the operator sets a PIN.
+    provisionSamba();
     console.log("");
     console.log("================================================================");
     console.log("");