@wlfi-agent/cli 1.4.17 → 1.4.19

package/src/lib/admin-reset.ts

@@ -24,6 +24,7 @@ import {
   LAUNCHD_UNINSTALL_SCRIPT_NAME,
   resolveLaunchDaemonHelperScriptPath,
 } from './launchd-assets.js';
+import { promptHiddenTty } from './hidden-tty-prompt.js';
 import { createSudoSession } from './sudo.js';
 
 const DEFAULT_LAUNCH_DAEMON_LABEL = 'com.wlfi.agent.daemon';
@@ -134,32 +135,7 @@ function validateSecret(value: string, label: string): string {
 }
 
 async function promptHidden(query: string, label: string): Promise<string> {
-  if (!process.stdin.isTTY || !process.stdout.isTTY) {
-    throw new Error(`${label} is required; rerun on a local TTY`);
-  }
-
-  const rl = readline.createInterface({
-    input: process.stdin,
-    output: process.stdout,
-    terminal: true,
-  }) as readline.Interface & { stdoutMuted?: boolean; _writeToOutput?: (value: string) => void };
-
-  rl.stdoutMuted = true;
-  rl._writeToOutput = (value: string) => {
-    if (value.includes(query)) {
-      (rl as unknown as { output: NodeJS.WritableStream }).output.write(value);
-      return;
-    }
-    if (!rl.stdoutMuted) {
-      (rl as unknown as { output: NodeJS.WritableStream }).output.write(value);
-    }
-  };
-
-  const answer = await new Promise<string>((resolve) => {
-    rl.question(query, resolve);
-  });
-  rl.close();
-  process.stdout.write('\n');
+  const answer = await promptHiddenTty(query, `${label} is required; rerun on a local TTY`);
   return validateSecret(answer, label);
 }
 
@@ -184,11 +160,29 @@ async function promptVisible(query: string): Promise<string> {
 const sudoSession = createSudoSession({
   promptPassword: async () =>
     await promptHidden(
-      'Root password (input hidden; required to uninstall the root daemon and delete its state): ',
-      'root password',
+      'macOS admin password for sudo (input hidden; required to uninstall the root daemon and delete its state): ',
+      'macOS admin password for sudo',
     ),
 });
 
+function isSudoWrappedInvocation(): boolean {
+  return (
+    typeof process.geteuid === 'function' &&
+    process.geteuid() === 0 &&
+    typeof process.env.SUDO_UID === 'string' &&
+    process.env.SUDO_UID.trim().length > 0
+  );
+}
+
+function assertNotInvokedViaSudo(commandName: string): void {
+  if (!isSudoWrappedInvocation()) {
+    return;
+  }
+  throw new Error(
+    `run \`wlfi-agent ${commandName}\` as your normal macOS user, not with sudo; the CLI prompts for sudo internally and running it as root can target the wrong local WLFI home`,
+  );
+}
+
 function createProgress(message: string, enabled = true): ProgressHandle {
   if (!enabled) {
     return {
@@ -241,11 +235,58 @@ function print(payload: unknown, asJson: boolean | undefined): void {
     console.log(JSON.stringify(payload, null, 2));
     return;
   }
+  /* c8 ignore start -- this module only calls print() for JSON output; non-JSON summaries bypass this helper */
   if (typeof payload === 'string') {
     console.log(payload);
     return;
   }
   console.dir(payload, { depth: null, colors: process.stdout.isTTY });
+  /* c8 ignore stop */
+}
+
+async function managedPathExists(targetPath: string): Promise<boolean> {
+  const result = await sudoSession.run(['/bin/test', '-e', targetPath]);
+  if (result.code === 0) {
+    return true;
+  }
+  if (
+    result.code === 1 &&
+    !/password is required|try again|authentication failed|sorry/iu.test(result.stderr)
+  ) {
+    return false;
+  }
+  throw new Error(
+    result.stderr.trim() ||
+      result.stdout.trim() ||
+      `failed to inspect managed path '${targetPath}' (exit code ${result.code})`,
+  );
+}
+
+async function assertManagedUninstallArtifactsRemoved(targetPaths: string[]): Promise<void> {
+  const remaining: string[] = [];
+  for (const targetPath of targetPaths) {
+    if (await managedPathExists(targetPath)) {
+      remaining.push(targetPath);
+    }
+  }
+  if (remaining.length > 0) {
+    throw new Error(
+      `admin uninstall left managed root-owned files behind: ${remaining.join(', ')}`,
+    );
+  }
+}
+
+function assertLocalUninstallArtifactsRemoved(result: CleanupLocalAdminUninstallStateResult): void {
+  const remaining: string[] = [];
+  if (result.config.existed && fs.existsSync(result.config.path)) {
+    remaining.push(result.config.path);
+  }
+  if (result.wlfiHome.existed && fs.existsSync(result.wlfiHome.path)) {
+    remaining.push(result.wlfiHome.path);
+  }
+  if (remaining.length > 0) {
+    throw new Error(`admin uninstall left local WLFI files behind: ${remaining.join(', ')}`);
+  }
 }
 
 function printResetSummary(result: {
@@ -332,6 +373,7 @@ export function cleanupLocalAdminResetState(
   const keychainRemoved = agentKeyId ? deleteAgentAuthTokenImpl(agentKeyId) : false;
 
   let configDeleted = false;
+  /* c8 ignore next -- configExists implies readConfigImpl() returned an object in this module; nullish fallback is defensive */
   let configValue: Record<string, unknown> | null = configExists ? redactConfig(currentConfig ?? {}) : null;
   if (options.deleteConfig) {
     if (configExists) {
@@ -477,13 +519,14 @@ async function confirmReset(options: AdminResetOptions): Promise<void> {
 }
 
 async function runAdminReset(options: AdminResetOptions): Promise<void> {
+  assertNotInvokedViaSudo('admin reset');
   await confirmReset(options);
   const showProgress = !options.json;
   const keychainAccount = os.userInfo().username;
 
   if (!options.json && typeof process.geteuid === 'function' && process.geteuid() !== 0) {
     process.stderr.write(
-      'Root password required: reset must uninstall the root LaunchDaemon and delete the root-managed daemon state.\n',
+      'macOS admin password required: reset uses sudo to uninstall the root LaunchDaemon and delete the root-managed daemon state.\n',
     );
   }
   await sudoSession.prime();
@@ -502,6 +545,7 @@ async function runAdminReset(options: AdminResetOptions): Promise<void> {
       keychainAccount,
       '--delete-keychain-password',
     ]);
+    /* c8 ignore next 4 -- sudoSession.run reports command failures via exit codes; synchronous throws are defensive */
   } catch (error) {
     uninstallProgress.fail();
     throw error;
@@ -524,6 +568,7 @@ async function runAdminReset(options: AdminResetOptions): Promise<void> {
       '-f',
       ...managedDaemonResetArtifactPaths(),
     ]);
+    /* c8 ignore next 4 -- sudoSession.run reports command failures via exit codes; synchronous throws are defensive */
   } catch (error) {
     stateProgress.fail();
     throw error;
@@ -612,9 +657,11 @@ function printUninstallSummary(result: {
     result.local.agentKeyId
       ? `old agent key cleared: ${result.local.agentKeyId}`
       : 'old agent key cleared: no configured agent key was found',
+    /* c8 ignore start -- public uninstall summary only reaches here when a WLFI home existed or config provided the helper paths */
     result.local.wlfiHome.existed
       ? `local WLFI home removed: ${result.local.wlfiHome.path}`
       : `local WLFI home not found: ${result.local.wlfiHome.path}`,
+    /* c8 ignore stop */
     result.local.config.existed
       ? `config removed: ${result.local.config.path}`
       : `config not found: ${result.local.config.path}`,
@@ -624,13 +671,14 @@ function printUninstallSummary(result: {
 }
 
 async function runAdminUninstall(options: AdminUninstallOptions): Promise<void> {
+  assertNotInvokedViaSudo('admin uninstall');
   await confirmUninstall(options);
   const showProgress = !options.json;
   const keychainAccount = os.userInfo().username;
 
   if (!options.json && typeof process.geteuid === 'function' && process.geteuid() !== 0) {
     process.stderr.write(
-      'Root password required: uninstall must remove the root LaunchDaemon and all managed root-owned files.\n',
+      'macOS admin password required: uninstall uses sudo to remove the root LaunchDaemon and all managed root-owned files.\n',
     );
   }
   await sudoSession.prime();
@@ -649,6 +697,7 @@ async function runAdminUninstall(options: AdminUninstallOptions): Promise<void>
       keychainAccount,
       '--delete-keychain-password',
     ]);
+    /* c8 ignore next 4 -- sudoSession.run reports command failures via exit codes; synchronous throws are defensive */
   } catch (error) {
     uninstallProgress.fail();
     throw error;
@@ -673,6 +722,7 @@ async function runAdminUninstall(options: AdminUninstallOptions): Promise<void>
       DEFAULT_MANAGED_STATE_DIR,
       DEFAULT_MANAGED_LOG_DIR,
     ]);
+    /* c8 ignore next 4 -- sudoSession.run reports command failures via exit codes; synchronous throws are defensive */
   } catch (error) {
     rootProgress.fail();
     throw error;
@@ -685,11 +735,29 @@ async function runAdminUninstall(options: AdminUninstallOptions): Promise<void>
         || `failed to delete managed root-owned files (exit code ${deleteRootArtifactsResult.code})`,
     );
   }
-  rootProgress.succeed('Managed root-owned files removed');
+  try {
+    await assertManagedUninstallArtifactsRemoved([
+      DEFAULT_LAUNCH_DAEMON_PLIST,
+      DEFAULT_MANAGED_ROOT_DIR,
+      DEFAULT_MANAGED_STATE_DIR,
+      DEFAULT_MANAGED_LOG_DIR,
+    ]);
+    rootProgress.succeed('Managed root-owned files removed');
+  } catch (error) {
+    rootProgress.fail();
+    throw error;
+  }
 
   const localProgress = createProgress('Removing local WLFI files and credentials', showProgress);
-  const local = cleanupLocalAdminUninstallState();
-  localProgress.succeed('Local WLFI files and credentials removed');
+  let local: CleanupLocalAdminUninstallStateResult;
+  try {
+    local = cleanupLocalAdminUninstallState();
+    assertLocalUninstallArtifactsRemoved(local);
+    localProgress.succeed('Local WLFI files and credentials removed');
+  } catch (error) {
+    localProgress.fail();
+    throw error;
+  }
 
   const result = {
     command: 'uninstall',