lightman-agent 1.0.0

package/scripts/lightman-agent.service

@@ -0,0 +1,38 @@
+[Unit]
+Description=LIGHTMAN Agent - Museum Display Management
+Documentation=https://github.com/sagrkv/lightman-app01
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+User=lightman
+Group=lightman
+WorkingDirectory=/opt/lightman/agent
+ExecStart=/usr/bin/node dist/index.js
+Restart=always
+RestartSec=10
+StartLimitIntervalSec=300
+StartLimitBurst=5
+
+# Environment
+Environment=NODE_ENV=production
+EnvironmentFile=-/opt/lightman/agent/.env
+
+# Security hardening
+ProtectSystem=strict
+ReadWritePaths=/opt/lightman/agent /var/log/lightman /tmp
+PrivateTmp=true
+NoNewPrivileges=true
+ProtectHome=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+RestrictSUIDSGID=true
+
+# Logging
+StandardOutput=journal
+StandardError=journal
+SyslogIdentifier=lightman-agent
+
+[Install]
+WantedBy=multi-user.target

package/scripts/lightman-shell.bat

@@ -0,0 +1,128 @@
+@echo off
+REM ================================================================
+REM LIGHTMAN Shell - Replaces explorer.exe as the Windows shell
+REM ================================================================
+REM SINGLE SOURCE OF TRUTH: agent.config.json
+REM
+REM Boot flow:
+REM   1. Auto-login (no password)
+REM   2. This script runs INSTEAD of explorer.exe
+REM   3. Reads slug + browser from agent.config.json (THE ONLY SOURCE)
+REM   4. Waits for agent service (port 3403)
+REM   5. Launches Chrome fullscreen
+REM   6. If Chrome crashes, relaunches in 3 seconds (infinite loop)
+REM ================================================================
+
+set INSTALL_DIR=C:\Program Files\Lightman\Agent
+set CONFIG_FILE=%INSTALL_DIR%\agent.config.json
+set CHROME_DATA=C:\ProgramData\Lightman\chrome-kiosk
+set LOG_FILE=C:\ProgramData\Lightman\logs\shell.log
+
+REM Ensure directories exist
+if not exist "C:\ProgramData\Lightman\logs" mkdir "C:\ProgramData\Lightman\logs"
+if not exist "%CHROME_DATA%" mkdir "%CHROME_DATA%"
+
+echo [%date% %time%] ===== LIGHTMAN Shell starting ===== >> "%LOG_FILE%"
+
+REM ----------------------------------------------------------------
+REM Read slug and browser from agent.config.json ONLY
+REM No sidecar files, no hardcoded URLs, no confusion.
+REM ----------------------------------------------------------------
+set DEVICE_SLUG=
+set BROWSER=
+set URL=
+
+REM Wait for node.exe to be available
+set NODE_WAIT=0
+:wait_for_node
+    where node >nul 2>&1
+    if %errorlevel%==0 goto node_ready
+    set /a NODE_WAIT+=1
+    if %NODE_WAIT% geq 30 (
+        echo [%date% %time%] ERROR: node.exe not found after 30s >> "%LOG_FILE%"
+        goto use_fallbacks
+    )
+    timeout /t 1 /nobreak >nul
+    goto wait_for_node
+
+:node_ready
+
+REM Read slug from config
+if exist "%CONFIG_FILE%" (
+    for /f "delims=" %%a in ('node -e "try{console.log(JSON.parse(require('fs').readFileSync(String.raw`%CONFIG_FILE%`,'utf8')).deviceSlug)}catch(e){console.log('')}" 2^>nul') do set DEVICE_SLUG=%%a
+)
+
+REM Read browser from config
+if exist "%CONFIG_FILE%" (
+    for /f "delims=" %%a in ('node -e "try{const c=JSON.parse(require('fs').readFileSync(String.raw`%CONFIG_FILE%`,'utf8'));console.log(c.kiosk&&c.kiosk.browserPath||'')}catch(e){console.log('')}" 2^>nul') do set BROWSER=%%a
+)
+
+:use_fallbacks
+
+REM Build URL from slug (ALWAYS from config, never from sidecar)
+if not "%DEVICE_SLUG%"=="" (
+    set URL=http://localhost:3403/display/%DEVICE_SLUG%
+    echo [%date% %time%] Slug: %DEVICE_SLUG% >> "%LOG_FILE%"
+) else (
+    set URL=http://localhost:3403/display
+    echo [%date% %time%] WARNING: No slug in config! >> "%LOG_FILE%"
+)
+
+REM Fallback browser
+if "%BROWSER%"=="" (
+    if exist "C:\Program Files\Google\Chrome\Application\chrome.exe" (
+        set "BROWSER=C:\Program Files\Google\Chrome\Application\chrome.exe"
+    ) else if exist "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" (
+        set "BROWSER=C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
+    ) else (
+        echo [%date% %time%] ERROR: Chrome not found! >> "%LOG_FILE%"
+        start explorer.exe
+        exit /b 1
+    )
+)
+
+echo [%date% %time%] Browser: %BROWSER% >> "%LOG_FILE%"
+echo [%date% %time%] URL: %URL% >> "%LOG_FILE%"
+
+REM ----------------------------------------------------------------
+REM Wait for agent service (port 3403)
+REM ----------------------------------------------------------------
+echo [%date% %time%] Waiting for port 3403... >> "%LOG_FILE%"
+set WAIT_COUNT=0
+set MAX_WAIT=60
+
+:wait_for_agent
+    netstat -an | findstr ":3403.*LISTENING" >nul 2>&1
+    if %errorlevel%==0 goto agent_ready
+    set /a WAIT_COUNT+=1
+    if %WAIT_COUNT% geq %MAX_WAIT% (
+        echo [%date% %time%] Port 3403 not ready after %MAX_WAIT%s, launching anyway >> "%LOG_FILE%"
+        goto agent_ready
+    )
+    timeout /t 1 /nobreak >nul
+    goto wait_for_agent
+
+:agent_ready
+echo [%date% %time%] Agent ready >> "%LOG_FILE%"
+
+REM ----------------------------------------------------------------
+REM Infinite Chrome loop
+REM ----------------------------------------------------------------
+:loop
+    REM Re-read slug from config on every loop iteration
+    REM This way if someone changes agent.config.json, the next
+    REM Chrome restart picks up the new slug automatically.
+    if exist "%CONFIG_FILE%" (
+        for /f "delims=" %%a in ('node -e "try{console.log(JSON.parse(require('fs').readFileSync(String.raw`%CONFIG_FILE%`,'utf8')).deviceSlug)}catch(e){console.log('')}" 2^>nul') do (
+            if not "%%a"=="" set URL=http://localhost:3403/display/%%a
+        )
+    )
+
+    echo [%date% %time%] Launching Chrome: %URL% >> "%LOG_FILE%"
+
+    start /wait "" "%BROWSER%" --kiosk --noerrdialogs --disable-infobars --disable-session-crashed-bubble --no-first-run --no-default-browser-check --start-fullscreen --disable-translate --disable-extensions --autoplay-policy=no-user-gesture-required --disable-features=TranslateUI --user-data-dir="%CHROME_DATA%" "%URL%"
+
+    echo [%date% %time%] Chrome exited (code: %errorlevel%). Restarting in 3s... >> "%LOG_FILE%"
+    timeout /t 3 /nobreak >nul
+
+goto loop

package/scripts/reinstall-windows.ps1

@@ -0,0 +1,26 @@
+#Requires -RunAsAdministrator
+<#
+.SYNOPSIS
+    LIGHTMAN Agent - Reinstall (install-windows.ps1 handles cleanup automatically)
+.EXAMPLE
+    powershell -ExecutionPolicy Bypass -File scripts\reinstall-windows.ps1 -Slug "F-AV04" -Server "http://192.168.1.180:3401" -ShellReplace
+#>
+param(
+    [Parameter(Mandatory=$true)] [string]$Slug,
+    [Parameter(Mandatory=$true)] [string]$Server,
+    [switch]$ShellReplace = $false,
+    [string]$Timezone = "Asia/Kolkata",
+    [switch]$NoReboot = $false
+)
+
+$ScriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path
+
+$args = @("-ExecutionPolicy", "Bypass", "-File", "$ScriptDir\install-windows.ps1", "-Slug", $Slug, "-Server", $Server, "-Timezone", $Timezone)
+if ($ShellReplace) { $args += "-ShellReplace" }
+& powershell @args
+
+if (-not $NoReboot) {
+    Write-Host "  Rebooting in 10 seconds... (Ctrl+C to cancel)" -ForegroundColor Yellow
+    Start-Sleep -Seconds 10
+    Restart-Computer -Force
+}

package/scripts/restore-desktop.ps1

@@ -0,0 +1,32 @@
+# LIGHTMAN - Restore Windows Desktop
+# Reverses shell replacement: sets explorer.exe back as the Windows shell.
+# Run via RDP with admin account, or from Safe Mode:
+#   powershell -ExecutionPolicy Bypass -File restore-desktop.ps1
+#Requires -RunAsAdministrator
+
+$ErrorActionPreference = "Stop"
+
+Write-Host ""
+Write-Host "=== LIGHTMAN - Restore Windows Desktop ===" -ForegroundColor Cyan
+Write-Host ""
+
+# Restore HKLM shell
+$HKLMPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
+$original = (Get-ItemProperty -Path $HKLMPath -Name "Shell_Original" -ErrorAction SilentlyContinue).Shell_Original
+if ($original) {
+    Set-ItemProperty -Path $HKLMPath -Name "Shell" -Value $original
+    Write-Host "  HKLM shell restored to: $original" -ForegroundColor Green
+} else {
+    Set-ItemProperty -Path $HKLMPath -Name "Shell" -Value "explorer.exe"
+    Write-Host "  HKLM shell restored to: explorer.exe" -ForegroundColor Green
+}
+
+# Remove HKCU shell override
+$HKCUPath = "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
+Remove-ItemProperty -Path $HKCUPath -Name "Shell" -ErrorAction SilentlyContinue
+Write-Host "  HKCU shell override removed" -ForegroundColor Green
+
+Write-Host ""
+Write-Host "  Desktop will be restored on next reboot." -ForegroundColor Yellow
+Write-Host "  Run: Restart-Computer" -ForegroundColor Yellow
+Write-Host ""

package/scripts/setup.ps1

@@ -0,0 +1,116 @@
+# LIGHTMAN Agent - Device Setup Script (Windows)
+# Generates agent.config.json for this specific device.
+#
+# Usage (run from agent directory or scripts directory):
+#   powershell -ExecutionPolicy Bypass -File setup.ps1 -Slug "f-av01" -Server "http://192.168.1.100:3401"
+#   powershell -ExecutionPolicy Bypass -File setup.ps1 -Slug "f-av01" -Server "http://192.168.1.100:3401" -Timezone "Asia/Kolkata"
+#
+# This script MUST be run once on every new device installation.
+# It clears any cached identity so the device provisions fresh.
+
+param(
+    [Parameter(Mandatory=$true)]
+    [string]$Slug,
+
+    [Parameter(Mandatory=$true)]
+    [string]$Server,
+
+    [Parameter(Mandatory=$false)]
+    [string]$Timezone = "Asia/Kolkata",
+
+    [Parameter(Mandatory=$false)]
+    [string]$InstallDir = $null,
+
+    [Parameter(Mandatory=$false)]
+    [switch]$ShellMode = $false
+)
+
+$ErrorActionPreference = "Stop"
+$ScriptDir  = Split-Path -Parent $MyInvocation.MyCommand.Path
+$AgentDir   = Split-Path -Parent $ScriptDir
+
+# Default install dir: the agent folder itself (for dev) or passed explicitly
+if (-not $InstallDir) {
+    $InstallDir = $AgentDir
+}
+
+Write-Host ""
+Write-Host "=== LIGHTMAN Agent - Device Setup ===" -ForegroundColor Cyan
+Write-Host "  Slug:        $Slug"
+Write-Host "  Server:      $Server"
+Write-Host "  Install dir: $InstallDir"
+Write-Host "  Timezone:    $Timezone"
+Write-Host ""
+
+# 1. Clear cached identity (CRITICAL - prevents old device credentials leaking)
+$IdentityFile = Join-Path $InstallDir ".lightman-identity.json"
+if (Test-Path $IdentityFile) {
+    Remove-Item $IdentityFile -Force
+    Write-Host "[OK] Cleared old identity cache (.lightman-identity.json)" -ForegroundColor Green
+} else {
+    Write-Host "[OK] No existing identity cache found (clean install)" -ForegroundColor DarkGray
+}
+
+# 2. Kiosk display URL - always localhost since agent runs the static server locally on port 3403
+$KioskUrl  = "http://localhost:3403/display/$Slug"
+
+# 3. Detect browser path
+$BrowserPath = "C:\Program Files\Google\Chrome\Application\chrome.exe"
+if (-not (Test-Path $BrowserPath)) {
+    $BrowserPath = "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
+}
+if (-not (Test-Path $BrowserPath)) {
+    $BrowserPath = "chromium-browser"
+    Write-Host "[WARN] Chrome not found - using 'chromium-browser'" -ForegroundColor Yellow
+}
+
+$ChromeDataDir = "C:\ProgramData\Lightman\chrome-kiosk"
+
+# 4. Read template
+$TemplatePath = Join-Path $AgentDir "agent.config.template.json"
+if (-not (Test-Path $TemplatePath)) {
+    # If running from install dir (post-install), template should have been copied there
+    $TemplatePath = Join-Path $InstallDir "agent.config.template.json"
+}
+if (-not (Test-Path $TemplatePath)) {
+    Write-Host "[ERROR] Template not found. Expected: $TemplatePath" -ForegroundColor Red
+    exit 1
+}
+
+$Template = Get-Content $TemplatePath -Raw
+
+# 5. Replace placeholders
+$BrowserEscaped    = $BrowserPath  -replace '\\', '\\'
+$ChromeDirEscaped  = $ChromeDataDir -replace '\\', '\\'
+
+$Config = $Template `
+    -replace '__SERVER_URL__',    $Server `
+    -replace '__DEVICE_SLUG__',   $Slug `
+    -replace '__KIOSK_URL__',     $KioskUrl `
+    -replace '__BROWSER_PATH__',  $BrowserEscaped `
+    -replace '__CHROME_DATA_DIR__', $ChromeDirEscaped `
+    -replace 'Asia/Kolkata',      $Timezone
+
+# 6. Inject shellMode into kiosk config if requested
+if ($ShellMode) {
+    # Parse as object, set shellMode, re-serialize (reliable, no regex fragility)
+    $configObj = $Config | ConvertFrom-Json
+    $configObj.kiosk | Add-Member -NotePropertyName "shellMode" -NotePropertyValue $true -Force
+    $Config = $configObj | ConvertTo-Json -Depth 4
+    Write-Host "[OK] Shell replacement mode enabled in config" -ForegroundColor Magenta
+}
+
+# 7. Write config
+$ConfigPath = Join-Path $InstallDir "agent.config.json"
+# Write as UTF-8 WITHOUT BOM (BOM breaks JSON parsing in Node.js)
+[System.IO.File]::WriteAllText($ConfigPath, $Config, [System.Text.UTF8Encoding]::new($false))
+
+Write-Host "[OK] Created agent.config.json" -ForegroundColor Green
+Write-Host ""
+Write-Host "  Device slug : $Slug"
+Write-Host "  Server      : $Server"
+Write-Host "  Kiosk URL   : $KioskUrl"
+Write-Host ""
+Write-Host "Setup complete. Start the agent - it will provision automatically." -ForegroundColor Cyan
+Write-Host "(If IP matches, provisioning is instant. Otherwise enter pairing code shown in admin.)" -ForegroundColor DarkGray
+Write-Host ""

package/scripts/setup.sh

@@ -0,0 +1,115 @@
+#!/usr/bin/env bash
+# LIGHTMAN Agent — Device Setup Script (Linux / Raspberry Pi)
+# Generates agent.config.json for this specific device.
+#
+# Usage:
+#   sudo bash setup.sh --slug f-av01 --server http://192.168.1.100:3401
+#   sudo bash setup.sh --slug f-av01 --server http://192.168.1.100:3401 --timezone Asia/Kolkata --dir /opt/lightman/agent
+#
+# This script MUST be run once on every new device installation.
+# It clears any cached identity so the device provisions fresh.
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+AGENT_DIR="$(dirname "$SCRIPT_DIR")"
+
+# Defaults
+SLUG=""
+SERVER=""
+TIMEZONE="Asia/Kolkata"
+INSTALL_DIR="/opt/lightman/agent"
+
+# ── Parse arguments ──
+while [[ $# -gt 0 ]]; do
+    case $1 in
+        --slug)     SLUG="$2";       shift 2 ;;
+        --server)   SERVER="$2";     shift 2 ;;
+        --timezone) TIMEZONE="$2";   shift 2 ;;
+        --dir)      INSTALL_DIR="$2"; shift 2 ;;
+        -h|--help)
+            echo "Usage: bash setup.sh --slug SLUG --server http://SERVER:3401 [--timezone TZ] [--dir /path]"
+            exit 0
+            ;;
+        *) echo "Unknown option: $1"; exit 1 ;;
+    esac
+done
+
+if [[ -z "$SLUG" ]]; then
+    echo "Error: --slug is required"
+    echo "Usage: bash setup.sh --slug f-av01 --server http://192.168.1.100:3401"
+    exit 1
+fi
+
+if [[ -z "$SERVER" ]]; then
+    echo "Error: --server is required"
+    echo "Usage: bash setup.sh --slug f-av01 --server http://192.168.1.100:3401"
+    exit 1
+fi
+
+echo ""
+echo "=== LIGHTMAN Agent — Device Setup ==="
+echo "  Slug:        $SLUG"
+echo "  Server:      $SERVER"
+echo "  Install dir: $INSTALL_DIR"
+echo "  Timezone:    $TIMEZONE"
+echo ""
+
+# ── 1. Clear cached identity (CRITICAL — prevents old device credentials leaking) ──
+IDENTITY_FILE="$INSTALL_DIR/.lightman-identity.json"
+if [[ -f "$IDENTITY_FILE" ]]; then
+    rm -f "$IDENTITY_FILE"
+    echo "[OK] Cleared old identity cache (.lightman-identity.json)"
+else
+    echo "[OK] No existing identity cache found (clean install)"
+fi
+
+# ── 2. Derive kiosk display URL from server URL ──
+# Replace port with 3403 (display server)
+KIOSK_BASE="$(echo "$SERVER" | sed 's/:[0-9]*$//')"
+KIOSK_URL="${KIOSK_BASE}:3403/display/${SLUG}"
+
+# ── 3. Detect browser ──
+BROWSER_PATH="chromium-browser"
+if command -v chromium &>/dev/null; then
+    BROWSER_PATH="chromium"
+elif command -v chromium-browser &>/dev/null; then
+    BROWSER_PATH="chromium-browser"
+elif command -v google-chrome &>/dev/null; then
+    BROWSER_PATH="google-chrome"
+fi
+CHROME_DATA_DIR="/opt/lightman/chrome-kiosk"
+
+# ── 4. Find template ──
+TEMPLATE="$AGENT_DIR/agent.config.template.json"
+if [[ ! -f "$TEMPLATE" ]]; then
+    # Post-install: template may be in install dir
+    TEMPLATE="$INSTALL_DIR/agent.config.template.json"
+fi
+if [[ ! -f "$TEMPLATE" ]]; then
+    echo "[ERROR] Template not found at $TEMPLATE"
+    exit 1
+fi
+
+# ── 5. Create install dir if needed ──
+mkdir -p "$INSTALL_DIR"
+
+# ── 6. Replace placeholders and write config ──
+sed \
+    -e "s|__SERVER_URL__|${SERVER}|g" \
+    -e "s|__DEVICE_SLUG__|${SLUG}|g" \
+    -e "s|__KIOSK_URL__|${KIOSK_URL}|g" \
+    -e "s|__BROWSER_PATH__|${BROWSER_PATH}|g" \
+    -e "s|__CHROME_DATA_DIR__|${CHROME_DATA_DIR}|g" \
+    -e "s|Asia/Kolkata|${TIMEZONE}|g" \
+    "$TEMPLATE" > "$INSTALL_DIR/agent.config.json"
+
+echo "[OK] Created agent.config.json"
+echo ""
+echo "  Device slug : $SLUG"
+echo "  Server      : $SERVER"
+echo "  Kiosk URL   : $KIOSK_URL"
+echo ""
+echo "Setup complete. Start the agent — it will provision automatically."
+echo "(If IP matches, provisioning is instant. Otherwise enter pairing code shown in admin.)"
+echo ""

package/scripts/uninstall-linux.sh

@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+# LIGHTMAN Agent — Linux Uninstaller
+# Run as root: sudo bash uninstall-linux.sh
+set -euo pipefail
+
+INSTALL_DIR="/opt/lightman/agent"
+LOG_DIR="/var/log/lightman"
+SERVICE_NAME="lightman-agent"
+
+if [[ $EUID -ne 0 ]]; then
+  echo "Error: This script must be run as root (use sudo)."
+  exit 1
+fi
+
+echo "=== LIGHTMAN Agent — Linux Uninstaller ==="
+echo ""
+
+# --- Stop and disable service ---
+echo "[1/5] Stopping service..."
+systemctl stop "$SERVICE_NAME" 2>/dev/null || true
+systemctl disable "$SERVICE_NAME" 2>/dev/null || true
+
+# --- Remove systemd unit ---
+echo "[2/5] Removing systemd unit..."
+rm -f "/etc/systemd/system/${SERVICE_NAME}.service"
+systemctl daemon-reload
+
+# --- Remove logrotate config ---
+echo "[3/5] Removing logrotate config..."
+rm -f "/etc/logrotate.d/${SERVICE_NAME}"
+
+# --- Remove installation directory ---
+echo "[4/5] Removing ${INSTALL_DIR}..."
+rm -rf "$INSTALL_DIR"
+
+# --- Remove log directory ---
+echo "[5/5] Removing ${LOG_DIR}..."
+rm -rf "$LOG_DIR"
+
+# --- Remove user/group (optional) ---
+read -rp "Remove 'lightman' user and group? [y/N]: " REMOVE_USER
+if [[ "$REMOVE_USER" =~ ^[Yy]$ ]]; then
+  userdel lightman 2>/dev/null || true
+  groupdel lightman 2>/dev/null || true
+  echo "User and group removed."
+fi
+
+echo ""
+echo "=== Uninstallation Complete ==="
+echo ""

package/scripts/uninstall-windows.ps1

@@ -0,0 +1,54 @@
+# LIGHTMAN Agent - Windows Uninstaller
+# Removes everything: service, tasks, processes, files, shell.
+#Requires -RunAsAdministrator
+
+$ErrorActionPreference = "Continue"
+$NssmExe = "C:\ProgramData\Lightman\nssm\nssm.exe"
+$ServiceName = "LightmanAgent"
+
+Write-Host ""
+Write-Host "=== LIGHTMAN Agent - Uninstaller ===" -ForegroundColor Cyan
+
+# 1. Service
+Write-Host "[1/6] Removing service..." -ForegroundColor Yellow
+if (Test-Path $NssmExe) { & $NssmExe stop $ServiceName 2>$null; & $NssmExe remove $ServiceName confirm 2>$null }
+foreach ($sn in @($ServiceName,"lightmanagent.exe")) { sc.exe stop $sn 2>$null; sc.exe delete $sn 2>$null }
+$s = Get-Service -DisplayName "LIGHTMAN*" -ErrorAction SilentlyContinue
+if ($s) { Stop-Service $s.Name -Force -ErrorAction SilentlyContinue; sc.exe delete $s.Name 2>$null }
+
+# 2. Tasks
+Write-Host "[2/6] Removing tasks..." -ForegroundColor Yellow
+foreach ($tn in @("LIGHTMAN Agent","LIGHTMAN Kiosk Browser","LIGHTMAN Guardian")) {
+    $t = Get-ScheduledTask -TaskName $tn -ErrorAction SilentlyContinue
+    if ($t) { Stop-ScheduledTask -TaskName $tn -ErrorAction SilentlyContinue; Unregister-ScheduledTask -TaskName $tn -Confirm:$false -ErrorAction SilentlyContinue }
+}
+
+# 3. Processes
+Write-Host "[3/6] Killing processes..." -ForegroundColor Yellow
+Get-Process -Name "node" -ErrorAction SilentlyContinue | Stop-Process -Force -ErrorAction SilentlyContinue
+Get-Process -Name "chrome" -ErrorAction SilentlyContinue | Stop-Process -Force -ErrorAction SilentlyContinue
+
+# 4. Firewall
+Write-Host "[4/6] Removing firewall rule..." -ForegroundColor Yellow
+Remove-NetFirewallRule -DisplayName "LIGHTMAN Agent WebSocket" -ErrorAction SilentlyContinue
+
+# 5. Shell
+Write-Host "[5/6] Restoring shell..." -ForegroundColor Yellow
+$HKLMPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
+$shell = (Get-ItemProperty -Path $HKLMPath -Name "Shell" -ErrorAction SilentlyContinue).Shell
+if ($shell -and $shell -like "*lightman*") {
+    $orig = (Get-ItemProperty -Path $HKLMPath -Name "Shell_Original" -ErrorAction SilentlyContinue).Shell_Original
+    Set-ItemProperty -Path $HKLMPath -Name "Shell" -Value $(if ($orig) { $orig } else { "explorer.exe" })
+    Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Shell" -ErrorAction SilentlyContinue
+    Write-Host "  Shell restored"
+}
+
+# 6. Files
+Write-Host "[6/6] Removing files..." -ForegroundColor Yellow
+Remove-Item "C:\Program Files\Lightman" -Recurse -Force -ErrorAction SilentlyContinue
+$choice = Read-Host "Remove all data (logs, chrome cache, nssm)? [y/N]"
+if ($choice -eq 'y') { Remove-Item "C:\ProgramData\Lightman" -Recurse -Force -ErrorAction SilentlyContinue }
+
+Write-Host ""
+Write-Host "=== Done. Reboot: Restart-Computer ===" -ForegroundColor Green
+Write-Host ""