lightman-agent 1.0.18 → 1.0.20

package/scripts/guardian.ps1

@@ -2,88 +2,30 @@
 # Runs every 5 minutes via Task Scheduler.
 # Restarts the NSSM service if it's down. Checks Chrome kiosk health.
 
-$LogDir = "C:\ProgramData\Lightman\logs"
-$LogFile = Join-Path $LogDir "guardian.log"
-$ServiceName = "LightmanAgent"
-$NssmExe = "C:\ProgramData\Lightman\nssm\nssm.exe"
-$InstallDir = "C:\Program Files\Lightman\Agent"
-$ChromeDataDir = "C:\ProgramData\Lightman\chrome-kiosk"
-
-function Write-GuardianLog($msg) {
-    $ts = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
-    try {
-        if (-not (Test-Path $LogDir)) { New-Item -ItemType Directory -Force -Path $LogDir | Out-Null }
+$LogDir = "C:\ProgramData\Lightman\logs"
+$LogFile = Join-Path $LogDir "guardian.log"
+$ServiceName = "LightmanAgent"
+$NssmExe = "C:\ProgramData\Lightman\nssm\nssm.exe"
+
+function Write-GuardianLog($msg) {
+    $ts = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
+    try {
+        if (-not (Test-Path $LogDir)) { New-Item -ItemType Directory -Force -Path $LogDir | Out-Null }
         Add-Content -Path $LogFile -Value "[$ts] $msg" -ErrorAction SilentlyContinue
         if ((Get-Item $LogFile -ErrorAction SilentlyContinue).Length -gt 1MB) {
             $rotated = "$LogFile.old"
             if (Test-Path $rotated) { Remove-Item $rotated -Force }
             Rename-Item $LogFile $rotated -Force
         }
-    } catch { }
-}
-
-function Get-LightmanNodeProcesses {
-    try {
-        @(Get-CimInstance Win32_Process -Filter "Name = 'node.exe'" -ErrorAction SilentlyContinue | Where-Object {
-            $_.CommandLine -and (
-                $_.CommandLine -like "*$InstallDir*" -or
-                $_.CommandLine -match 'dist\\index\.js|src\\index\.ts|cms-agent\.js'
-            )
-        })
-    } catch {
-        @()
-    }
-}
-
-function Stop-LightmanNodeProcesses {
-    $procs = Get-LightmanNodeProcesses
-    if (-not $procs -or $procs.Count -eq 0) {
-        Write-GuardianLog "No LIGHTMAN-owned node.exe process found"
-        return
-    }
-
-    foreach ($proc in $procs) {
-        try {
-            Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop
-            Write-GuardianLog "Stopped LIGHTMAN node.exe PID $($proc.ProcessId)"
-        } catch {
-            Write-GuardianLog "Failed to stop LIGHTMAN node.exe PID $($proc.ProcessId): $_"
-        }
-    }
-}
-
-function Get-LightmanShellMode {
-    $configPath = Join-Path $InstallDir "agent.config.json"
-    try {
-        if (-not (Test-Path $configPath)) { return $false }
-        $config = Get-Content $configPath -Raw | ConvertFrom-Json
-        return [bool]($config.kiosk.shellMode)
-    } catch {
-        return $false
-    }
-}
-
-function Get-LightmanChromeProcesses {
-    try {
-        @(Get-CimInstance Win32_Process -Filter "Name = 'chrome.exe'" -ErrorAction SilentlyContinue | Where-Object {
-            $_.CommandLine -and (
-                $_.CommandLine -like "*$ChromeDataDir*" -or
-                $_.CommandLine -like "*chrome-kiosk*"
-            )
-        })
-    } catch {
-        @()
-    }
-}
-
-try {
-    $shellMode = Get-LightmanShellMode
-
-    # 1. Check LIGHTMAN service
-    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
-    if (-not $svc) {
-        $svc = Get-Service -DisplayName "LIGHTMAN*" -ErrorAction SilentlyContinue | Select-Object -First 1
-    }
+    } catch { }
+}
+
+try {
+    # 1. Check LIGHTMAN service
+    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
+    if (-not $svc) {
+        $svc = Get-Service -DisplayName "LIGHTMAN*" -ErrorAction SilentlyContinue | Select-Object -First 1
+    }
 
     if (-not $svc) {
         Write-GuardianLog "CRITICAL: Service not found!"
@@ -99,51 +41,35 @@ try {
             } else {
                 Start-Service -Name $svc.Name -ErrorAction SilentlyContinue
             }
-            Start-Sleep -Seconds 5
-            $svc.Refresh()
-            Write-GuardianLog "After restart: $($svc.Status)"
-        }
-        elseif ($svc.Status -in @('StartPending', 'StopPending')) {
-            Write-GuardianLog "Service is $($svc.Status). Waiting before targeted restart..."
-            Start-Sleep -Seconds 15
-            $svc.Refresh()
-            if ($svc.Status -in @('StartPending', 'StopPending')) {
-                Write-GuardianLog "Service still stuck in $($svc.Status). Restarting LIGHTMAN service only."
-                Stop-LightmanNodeProcesses
-                Start-Sleep -Seconds 3
-                if (Test-Path $NssmExe) {
-                    & $NssmExe restart $ServiceName 2>$null
-                } else {
-                    Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
-                    Start-Sleep -Seconds 2
-                    Start-Service -Name $svc.Name -ErrorAction SilentlyContinue
-                }
-                Start-Sleep -Seconds 5
-                $svc.Refresh()
-                Write-GuardianLog "After targeted restart: $($svc.Status)"
-            } else {
-                Write-GuardianLog "Service recovered during wait: $($svc.Status)"
-            }
-        }
-    }
-
-    # 2. Check Chrome kiosk
-    $chrome = Get-LightmanChromeProcesses
-    if (-not $chrome) {
-        if ($shellMode) {
-            Write-GuardianLog "LIGHTMAN kiosk Chrome not running, but shell mode is enabled. Shell will relaunch it."
-        } else {
-            $vbsPath = Join-Path $InstallDir "launch-kiosk.vbs"
-            if (Test-Path $vbsPath) {
-                Start-Sleep -Seconds 10
-                $chromeRecheck = Get-LightmanChromeProcesses
-                if (-not $chromeRecheck) {
-                    Write-GuardianLog "LIGHTMAN Chrome not running. Launching via VBS..."
-                    Start-Process "wscript.exe" -ArgumentList """$vbsPath""" -WindowStyle Hidden
-                }
-            }
-        }
-    }
-} catch {
-    Write-GuardianLog "Guardian error: $_"
-}
+            Start-Sleep -Seconds 5
+            $svc.Refresh()
+            Write-GuardianLog "After restart: $($svc.Status)"
+        }
+        elseif ($svc.Status -in @('StartPending', 'StopPending')) {
+            Write-GuardianLog "Service stuck in $($svc.Status). Force killing node.exe..."
+            Get-Process -Name "node" -ErrorAction SilentlyContinue | Stop-Process -Force -ErrorAction SilentlyContinue
+            Start-Sleep -Seconds 3
+            if (Test-Path $NssmExe) { & $NssmExe start $ServiceName 2>$null }
+            else { Start-Service -Name $svc.Name -ErrorAction SilentlyContinue }
+            Start-Sleep -Seconds 5
+            $svc.Refresh()
+            Write-GuardianLog "After force restart: $($svc.Status)"
+        }
+    }
+
+    # 2. Check Chrome kiosk
+    $chrome = Get-Process -Name "chrome" -ErrorAction SilentlyContinue
+    if (-not $chrome) {
+        $vbsPath = "C:\Program Files\Lightman\Agent\launch-kiosk.vbs"
+        if (Test-Path $vbsPath) {
+            Start-Sleep -Seconds 10
+            $chromeRecheck = Get-Process -Name "chrome" -ErrorAction SilentlyContinue
+            if (-not $chromeRecheck) {
+                Write-GuardianLog "Chrome not running. Launching via VBS..."
+                Start-Process "wscript.exe" -ArgumentList """$vbsPath""" -WindowStyle Hidden
+            }
+        }
+    }
+} catch {
+    Write-GuardianLog "Guardian error: $_"
+}

package/scripts/install-windows.ps1

@@ -9,14 +9,13 @@
 #   powershell -ExecutionPolicy Bypass -File install-windows.ps1 -Slug "F-AV01" -Server "http://..." -ShellReplace
 #Requires -RunAsAdministrator
 
-param(
-    [Parameter(Mandatory=$true)]  [string]$Slug,
-    [Parameter(Mandatory=$true)]  [string]$Server,
-    [string]$Timezone = "Asia/Kolkata",
-    [int]$PairingTimeoutSeconds = 900,
-    [string]$Username = "",
-    [switch]$ShellReplace = $false
-)
+param(
+    [Parameter(Mandatory=$true)]  [string]$Slug,
+    [Parameter(Mandatory=$true)]  [string]$Server,
+    [string]$Timezone = "Asia/Kolkata",
+    [string]$Username = "",
+    [switch]$ShellReplace = $false
+)
 
 $ErrorActionPreference = "Stop"
 
@@ -28,111 +27,21 @@ $NssmExe       = "$NssmDir\nssm.exe"
 $ServiceName   = "LightmanAgent"
 $GuardianTask  = "LIGHTMAN Guardian"
 $KioskTask     = "LIGHTMAN Kiosk Browser"
-$AgentTask     = "LIGHTMAN Agent"
-$ScriptDir     = Split-Path -Parent $MyInvocation.MyCommand.Path
-$AgentDir      = Split-Path -Parent $ScriptDir
-
-if (-not $Username) { $Username = $env:USERNAME }
-
-function Get-LightmanNodeProcesses {
-    try {
-        @(Get-CimInstance Win32_Process -Filter "Name = 'node.exe'" -ErrorAction SilentlyContinue | Where-Object {
-            $_.CommandLine -and (
-                $_.CommandLine -like "*$InstallDir*" -or
-                $_.CommandLine -like "*$AgentDir*" -or
-                $_.CommandLine -match 'dist\\index\.js|src\\index\.ts|cms-agent\.js'
-            )
-        })
-    } catch {
-        @()
-    }
-}
-
-function Get-InstallerParentNodePid {
-    try {
-        $self = Get-CimInstance Win32_Process -Filter "ProcessId=$PID" -ErrorAction SilentlyContinue
-        if (-not $self) { return $null }
-
-        $parentPid = $self.ParentProcessId
-        if (-not $parentPid) { return $null }
-
-        $parent = Get-CimInstance Win32_Process -Filter "ProcessId=$parentPid" -ErrorAction SilentlyContinue
-        if ($parent -and $parent.Name -eq "node.exe") {
-            return [int]$parent.ProcessId
-        }
-    } catch {
-        return $null
-    }
-
-    return $null
-}
-
-function Stop-LightmanNodeProcesses {
-    param(
-        [int]$ExcludePid = 0
-    )
-
-    $procs = Get-LightmanNodeProcesses
-    if (-not $procs -or $procs.Count -eq 0) {
-        Write-Host "  No LIGHTMAN-owned node.exe processes found" -ForegroundColor DarkGray
-        return
-    }
-
-    foreach ($proc in $procs) {
-        if ($ExcludePid -gt 0 -and $proc.ProcessId -eq $ExcludePid) {
-            Write-Host "  Keeping installer parent node.exe PID $($proc.ProcessId)" -ForegroundColor DarkGray
-            continue
-        }
-
-        try {
-            Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop
-            Write-Host "  Stopped LIGHTMAN node.exe PID $($proc.ProcessId)" -ForegroundColor DarkGray
-        } catch {
-            Write-Host "  Failed to stop LIGHTMAN node.exe PID $($proc.ProcessId): $_" -ForegroundColor Yellow
-        }
-    }
-}
-
-function Get-LightmanChromeProcesses {
-    try {
-        @(Get-CimInstance Win32_Process -Filter "Name = 'chrome.exe'" -ErrorAction SilentlyContinue | Where-Object {
-            $_.CommandLine -and (
-                $_.CommandLine -like "*$ChromeData*" -or
-                $_.CommandLine -like "*chrome-kiosk*"
-            )
-        })
-    } catch {
-        @()
-    }
-}
-
-function Stop-LightmanChromeProcesses {
-    $procs = Get-LightmanChromeProcesses
-    if (-not $procs -or $procs.Count -eq 0) {
-        Write-Host "  No LIGHTMAN kiosk Chrome processes found" -ForegroundColor DarkGray
-        return
-    }
-
-    foreach ($proc in $procs) {
-        try {
-            Stop-Process -Id $proc.ProcessId -Force -ErrorAction Stop
-            Write-Host "  Stopped LIGHTMAN Chrome PID $($proc.ProcessId)" -ForegroundColor DarkGray
-        } catch {
-            Write-Host "  Failed to stop LIGHTMAN Chrome PID $($proc.ProcessId): $_" -ForegroundColor Yellow
-        }
-    }
-}
+$AgentTask     = "LIGHTMAN Agent"
+$ScriptDir     = Split-Path -Parent $MyInvocation.MyCommand.Path
+$AgentDir      = Split-Path -Parent $ScriptDir
+
+if (-not $Username) { $Username = $env:USERNAME }
 
 Write-Host ""
 Write-Host "=============================================" -ForegroundColor Cyan
 Write-Host "  LIGHTMAN Agent - Complete Windows Installer" -ForegroundColor Cyan
 Write-Host "=============================================" -ForegroundColor Cyan
-Write-Host "  Device slug : $Slug"
-Write-Host "  Server URL  : $Server"
-Write-Host "  Username    : $Username"
-Write-Host "  Mode        : $(if ($ShellReplace) { 'Shell Replacement' } else { 'Standard' })"
-Write-Host "  Pair timeout: $(if ($PairingTimeoutSeconds -eq 0) { 'Disabled' } else { "$PairingTimeoutSeconds s" })"
-Write-Host ""
+Write-Host "  Device slug : $Slug"
+Write-Host "  Server URL  : $Server"
+Write-Host "  Username    : $Username"
+Write-Host "  Mode        : $(if ($ShellReplace) { 'Shell Replacement' } else { 'Standard' })"
+Write-Host ""
 
 # ============================================================
 # PHASE 0: NUKE EVERYTHING FROM PREVIOUS INSTALLS
@@ -158,13 +67,12 @@ foreach ($tn in @($AgentTask, $KioskTask, $GuardianTask)) {
     $t = Get-ScheduledTask -TaskName $tn -ErrorAction SilentlyContinue
     if ($t) { Stop-ScheduledTask -TaskName $tn -ErrorAction SilentlyContinue; Unregister-ScheduledTask -TaskName $tn -Confirm:$false -ErrorAction SilentlyContinue }
 }
-
-# Kill only LIGHTMAN-owned processes
-Write-Host "[0c] Stopping LIGHTMAN node/chrome processes only..." -ForegroundColor Yellow
-$installerParentNodePid = Get-InstallerParentNodePid
-Stop-LightmanNodeProcesses -ExcludePid $installerParentNodePid
-Stop-LightmanChromeProcesses
-Start-Sleep -Seconds 2
+
+# Kill processes
+Write-Host "[0c] Killing node.exe and Chrome..." -ForegroundColor Yellow
+Get-Process -Name "node" -ErrorAction SilentlyContinue | Stop-Process -Force -ErrorAction SilentlyContinue
+Get-Process -Name "chrome" -ErrorAction SilentlyContinue | Stop-Process -Force -ErrorAction SilentlyContinue
+Start-Sleep -Seconds 2
 
 # Remove old files (keep NSSM and logs)
 Write-Host "[0d] Removing old agent files..." -ForegroundColor Yellow
@@ -234,11 +142,11 @@ Pop-Location
 
 # --- 6. Generate config ---
 Write-Host "[6/19] Generating config..." -ForegroundColor Yellow
-if ($ShellReplace) {
-    & "$ScriptDir\setup.ps1" -Slug $Slug -Server $Server -Timezone $Timezone -PairingTimeoutSeconds $PairingTimeoutSeconds -InstallDir $InstallDir -ShellMode
-} else {
-    & "$ScriptDir\setup.ps1" -Slug $Slug -Server $Server -Timezone $Timezone -PairingTimeoutSeconds $PairingTimeoutSeconds -InstallDir $InstallDir
-}
+if ($ShellReplace) {
+    & "$ScriptDir\setup.ps1" -Slug $Slug -Server $Server -Timezone $Timezone -InstallDir $InstallDir -ShellMode
+} else {
+    & "$ScriptDir\setup.ps1" -Slug $Slug -Server $Server -Timezone $Timezone -InstallDir $InstallDir
+}
 
 # --- 7. Fix BOM ---
 Write-Host "[7/19] Fixing config encoding..." -ForegroundColor Yellow

package/scripts/lightman-agent.logrotate

@@ -1,12 +1,12 @@
-/var/log/lightman/*.log {
-    daily
-    rotate 7
-    compress
-    delaycompress
-    missingok
-    notifempty
-    create 0640 lightman lightman
-    postrotate
-        systemctl reload lightman-agent > /dev/null 2>&1 || true
-    endscript
-}
+/var/log/lightman/*.log {
+    daily
+    rotate 7
+    compress
+    delaycompress
+    missingok
+    notifempty
+    create 0640 lightman lightman
+    postrotate
+        systemctl reload lightman-agent > /dev/null 2>&1 || true
+    endscript
+}

package/scripts/lightman-agent.service

@@ -1,38 +1,38 @@
-[Unit]
-Description=LIGHTMAN Agent - Museum Display Management
-Documentation=https://github.com/sagrkv/lightman-app01
-After=network-online.target
-Wants=network-online.target
-
-[Service]
-Type=simple
-User=lightman
-Group=lightman
-WorkingDirectory=/opt/lightman/agent
-ExecStart=/usr/bin/node dist/index.js
-Restart=always
-RestartSec=10
-StartLimitIntervalSec=300
-StartLimitBurst=5
-
-# Environment
-Environment=NODE_ENV=production
-EnvironmentFile=-/opt/lightman/agent/.env
-
-# Security hardening
-ProtectSystem=strict
-ReadWritePaths=/opt/lightman/agent /var/log/lightman /tmp
-PrivateTmp=true
-NoNewPrivileges=true
-ProtectHome=true
-ProtectKernelTunables=true
-ProtectControlGroups=true
-RestrictSUIDSGID=true
-
-# Logging
-StandardOutput=journal
-StandardError=journal
-SyslogIdentifier=lightman-agent
-
-[Install]
-WantedBy=multi-user.target
+[Unit]
+Description=LIGHTMAN Agent - Museum Display Management
+Documentation=https://github.com/sagrkv/lightman-app01
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+User=lightman
+Group=lightman
+WorkingDirectory=/opt/lightman/agent
+ExecStart=/usr/bin/node dist/index.js
+Restart=always
+RestartSec=10
+StartLimitIntervalSec=300
+StartLimitBurst=5
+
+# Environment
+Environment=NODE_ENV=production
+EnvironmentFile=-/opt/lightman/agent/.env
+
+# Security hardening
+ProtectSystem=strict
+ReadWritePaths=/opt/lightman/agent /var/log/lightman /tmp
+PrivateTmp=true
+NoNewPrivileges=true
+ProtectHome=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+RestrictSUIDSGID=true
+
+# Logging
+StandardOutput=journal
+StandardError=journal
+SyslogIdentifier=lightman-agent
+
+[Install]
+WantedBy=multi-user.target

package/scripts/reinstall-windows.ps1

@@ -1,26 +1,26 @@
-#Requires -RunAsAdministrator
-<#
-.SYNOPSIS
-    LIGHTMAN Agent - Reinstall (install-windows.ps1 handles cleanup automatically)
-.EXAMPLE
-    powershell -ExecutionPolicy Bypass -File scripts\reinstall-windows.ps1 -Slug "F-AV04" -Server "http://192.168.10.100:3401" -ShellReplace
-#>
-param(
-    [Parameter(Mandatory=$true)] [string]$Slug,
-    [Parameter(Mandatory=$true)] [string]$Server,
-    [switch]$ShellReplace = $false,
-    [string]$Timezone = "Asia/Kolkata",
-    [switch]$NoReboot = $false
-)
-
-$ScriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path
-
-$args = @("-ExecutionPolicy", "Bypass", "-File", "$ScriptDir\install-windows.ps1", "-Slug", $Slug, "-Server", $Server, "-Timezone", $Timezone)
-if ($ShellReplace) { $args += "-ShellReplace" }
-& powershell @args
-
-if (-not $NoReboot) {
-    Write-Host "  Rebooting in 10 seconds... (Ctrl+C to cancel)" -ForegroundColor Yellow
-    Start-Sleep -Seconds 10
-    Restart-Computer -Force
-}
+#Requires -RunAsAdministrator
+<#
+.SYNOPSIS
+    LIGHTMAN Agent - Reinstall (install-windows.ps1 handles cleanup automatically)
+.EXAMPLE
+    powershell -ExecutionPolicy Bypass -File scripts\reinstall-windows.ps1 -Slug "F-AV04" -Server "http://192.168.10.100:3401" -ShellReplace
+#>
+param(
+    [Parameter(Mandatory=$true)] [string]$Slug,
+    [Parameter(Mandatory=$true)] [string]$Server,
+    [switch]$ShellReplace = $false,
+    [string]$Timezone = "Asia/Kolkata",
+    [switch]$NoReboot = $false
+)
+
+$ScriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path
+
+$args = @("-ExecutionPolicy", "Bypass", "-File", "$ScriptDir\install-windows.ps1", "-Slug", $Slug, "-Server", $Server, "-Timezone", $Timezone)
+if ($ShellReplace) { $args += "-ShellReplace" }
+& powershell @args
+
+if (-not $NoReboot) {
+    Write-Host "  Rebooting in 10 seconds... (Ctrl+C to cancel)" -ForegroundColor Yellow
+    Start-Sleep -Seconds 10
+    Restart-Computer -Force
+}

package/scripts/restore-desktop.ps1

@@ -1,32 +1,32 @@
-# LIGHTMAN - Restore Windows Desktop
-# Reverses shell replacement: sets explorer.exe back as the Windows shell.
-# Run via RDP with admin account, or from Safe Mode:
-#   powershell -ExecutionPolicy Bypass -File restore-desktop.ps1
-#Requires -RunAsAdministrator
-
-$ErrorActionPreference = "Stop"
-
-Write-Host ""
-Write-Host "=== LIGHTMAN - Restore Windows Desktop ===" -ForegroundColor Cyan
-Write-Host ""
-
-# Restore HKLM shell
-$HKLMPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
-$original = (Get-ItemProperty -Path $HKLMPath -Name "Shell_Original" -ErrorAction SilentlyContinue).Shell_Original
-if ($original) {
-    Set-ItemProperty -Path $HKLMPath -Name "Shell" -Value $original
-    Write-Host "  HKLM shell restored to: $original" -ForegroundColor Green
-} else {
-    Set-ItemProperty -Path $HKLMPath -Name "Shell" -Value "explorer.exe"
-    Write-Host "  HKLM shell restored to: explorer.exe" -ForegroundColor Green
-}
-
-# Remove HKCU shell override
-$HKCUPath = "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
-Remove-ItemProperty -Path $HKCUPath -Name "Shell" -ErrorAction SilentlyContinue
-Write-Host "  HKCU shell override removed" -ForegroundColor Green
-
-Write-Host ""
-Write-Host "  Desktop will be restored on next reboot." -ForegroundColor Yellow
-Write-Host "  Run: Restart-Computer" -ForegroundColor Yellow
-Write-Host ""
+# LIGHTMAN - Restore Windows Desktop
+# Reverses shell replacement: sets explorer.exe back as the Windows shell.
+# Run via RDP with admin account, or from Safe Mode:
+#   powershell -ExecutionPolicy Bypass -File restore-desktop.ps1
+#Requires -RunAsAdministrator
+
+$ErrorActionPreference = "Stop"
+
+Write-Host ""
+Write-Host "=== LIGHTMAN - Restore Windows Desktop ===" -ForegroundColor Cyan
+Write-Host ""
+
+# Restore HKLM shell
+$HKLMPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
+$original = (Get-ItemProperty -Path $HKLMPath -Name "Shell_Original" -ErrorAction SilentlyContinue).Shell_Original
+if ($original) {
+    Set-ItemProperty -Path $HKLMPath -Name "Shell" -Value $original
+    Write-Host "  HKLM shell restored to: $original" -ForegroundColor Green
+} else {
+    Set-ItemProperty -Path $HKLMPath -Name "Shell" -Value "explorer.exe"
+    Write-Host "  HKLM shell restored to: explorer.exe" -ForegroundColor Green
+}
+
+# Remove HKCU shell override
+$HKCUPath = "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
+Remove-ItemProperty -Path $HKCUPath -Name "Shell" -ErrorAction SilentlyContinue
+Write-Host "  HKCU shell override removed" -ForegroundColor Green
+
+Write-Host ""
+Write-Host "  Desktop will be restored on next reboot." -ForegroundColor Yellow
+Write-Host "  Run: Restart-Computer" -ForegroundColor Yellow
+Write-Host ""

package/scripts/setup.ps1

@@ -15,14 +15,11 @@ param(
     [Parameter(Mandatory=$true)]
     [string]$Server,
 
-    [Parameter(Mandatory=$false)]
-    [string]$Timezone = "Asia/Kolkata",
-
-    [Parameter(Mandatory=$false)]
-    [int]$PairingTimeoutSeconds = 900,
-
-    [Parameter(Mandatory=$false)]
-    [string]$InstallDir = $null,
+    [Parameter(Mandatory=$false)]
+    [string]$Timezone = "Asia/Kolkata",
+
+    [Parameter(Mandatory=$false)]
+    [string]$InstallDir = $null,
 
     [Parameter(Mandatory=$false)]
     [switch]$ShellMode = $false
@@ -39,12 +36,11 @@ if (-not $InstallDir) {
 
 Write-Host ""
 Write-Host "=== LIGHTMAN Agent - Device Setup ===" -ForegroundColor Cyan
-Write-Host "  Slug:        $Slug"
-Write-Host "  Server:      $Server"
-Write-Host "  Install dir: $InstallDir"
-Write-Host "  Timezone:    $Timezone"
-Write-Host "  Pair timeout: $(if ($PairingTimeoutSeconds -eq 0) { 'Disabled' } else { "$PairingTimeoutSeconds s" })"
-Write-Host ""
+Write-Host "  Slug:        $Slug"
+Write-Host "  Server:      $Server"
+Write-Host "  Install dir: $InstallDir"
+Write-Host "  Timezone:    $Timezone"
+Write-Host ""
 
 # 1. Clear cached identity (CRITICAL - prevents old device credentials leaking)
 $IdentityFile = Join-Path $InstallDir ".lightman-identity.json"
@@ -87,14 +83,13 @@ $Template = Get-Content $TemplatePath -Raw
 $BrowserEscaped    = $BrowserPath  -replace '\\', '\\'
 $ChromeDirEscaped  = $ChromeDataDir -replace '\\', '\\'
 
-$Config = $Template `
-    -replace '__SERVER_URL__',    $Server `
-    -replace '__DEVICE_SLUG__',   $Slug `
-    -replace '__KIOSK_URL__',     $KioskUrl `
-    -replace '__BROWSER_PATH__',  $BrowserEscaped `
-    -replace '__CHROME_DATA_DIR__', $ChromeDirEscaped `
-    -replace '__PAIRING_TIMEOUT_SECONDS__', $PairingTimeoutSeconds `
-    -replace 'Asia/Kolkata',      $Timezone
+$Config = $Template `
+    -replace '__SERVER_URL__',    $Server `
+    -replace '__DEVICE_SLUG__',   $Slug `
+    -replace '__KIOSK_URL__',     $KioskUrl `
+    -replace '__BROWSER_PATH__',  $BrowserEscaped `
+    -replace '__CHROME_DATA_DIR__', $ChromeDirEscaped `
+    -replace 'Asia/Kolkata',      $Timezone
 
 # 6. Inject shellMode into kiosk config if requested
 if ($ShellMode) {