plc-checkweigher 1.16.0 → 1.20.0

package/bin/plc_checkweigher

@@ -6,7 +6,8 @@ set -euo pipefail
 
 INSTALL_DIR="/home/pi/plc_checkweigher"
 PYTHON="/home/pi/plc_env/bin/python3"
-SMB_CFG="${INSTALL_DIR}/smb_config.py"
+DATA_DIR="${INSTALL_DIR}/data"
+SMB_CFG="${DATA_DIR}/smb_config.py"
 
 # ── TTY detection — animations only when connected to a real terminal ─────────
 [[ -t 1 ]] && _TTY=1 || _TTY=0
@@ -151,7 +152,16 @@ case "$CMD" in
 
 # ── System diagnostic ─────────────────────────────────────────────────────────
 status|check|diag)
-    exec "${PYTHON}" "${INSTALL_DIR}/debugger.py" "$@"
+    set +e
+    "${PYTHON}" "${INSTALL_DIR}/debugger.py" "$@"
+    _STATUS_EXIT=$?
+    set -e
+    if [[ $_STATUS_EXIT -ne 0 ]]; then
+        echo ""
+        warn "Errors detected — starting auto-fix ..."
+        sleep 1
+        "$0" fix
+    fi
     ;;
 
 # ── Live logs ─────────────────────────────────────────────────────────────────
@@ -201,8 +211,8 @@ stop)
 queue)
     banner "SMB Delivery Queue"
     echo ""
-    QUEUE="${INSTALL_DIR}/delivery_queue.json"
-    LEDGER="${INSTALL_DIR}/delivery_sent.log"
+    QUEUE="${DATA_DIR}/delivery_queue.json"
+    LEDGER="${DATA_DIR}/delivery_sent.log"
     if [[ -f "$QUEUE" ]]; then
         COUNT=$(python3 -c "import json; d=json.load(open('$QUEUE')); print(len(d))" 2>/dev/null || echo 0)
         if [[ "$COUNT" -eq 0 ]]; then
@@ -577,7 +587,335 @@ smb-config)
     ;;
 
 # ─────────────────────────────────────────────────────────────────────────────
-# UNINSTALL — remove everything setup.sh installed
+# FIX — auto-detect and repair common issues
+# Usage: fix [-wifi] [-health] [-programs]   (no flags = run all)
+# ─────────────────────────────────────────────────────────────────────────────
+fix)
+    FIX_WIFI=0; FIX_HEALTH=0; FIX_PROGRAMS=0
+    if [[ $# -eq 0 ]]; then
+        FIX_WIFI=1; FIX_HEALTH=1; FIX_PROGRAMS=1
+    else
+        for _flag in "$@"; do
+            case "$_flag" in
+            -wifi)     FIX_WIFI=1 ;;
+            -health)   FIX_HEALTH=1 ;;
+            -programs) FIX_PROGRAMS=1 ;;
+            *) warn "Unknown flag: $_flag  (valid: -wifi  -health  -programs)" ;;
+            esac
+        done
+    fi
+
+    LOG_DIR="/home/pi/reports/logs"
+    mkdir -p "$LOG_DIR" 2>/dev/null || true
+    # Build mode tag: "all" or hyphen-joined active scopes
+    _LOG_MODES=""
+    [[ $FIX_WIFI     -eq 1 ]] && _LOG_MODES="${_LOG_MODES:+${_LOG_MODES}-}wifi"
+    [[ $FIX_HEALTH   -eq 1 ]] && _LOG_MODES="${_LOG_MODES:+${_LOG_MODES}-}health"
+    [[ $FIX_PROGRAMS -eq 1 ]] && _LOG_MODES="${_LOG_MODES:+${_LOG_MODES}-}programs"
+    [[ "$_LOG_MODES" == "wifi-health-programs" ]] && _LOG_MODES="all"
+    LOG_FILE="${LOG_DIR}/fix_${_LOG_MODES}_$(date '+%Y%m%d_%H%M%S').log"
+    flog()      { echo "[$(date '+%Y-%m-%d %H:%M:%S')] $*" >> "$LOG_FILE"; }
+    ffix_ok()   { spin_ok   "$*"; flog "FIXED : $*"; FIX_COUNT=$((FIX_COUNT+1)); }
+    ffix_info() { spin_ok   "$*"; flog "INFO  : $*"; }
+    ffix_warn() { spin_warn "$*"; flog "WARN  : $*"; }
+    ffix_err()  { spin_err  "$*"; flog "ERROR : $*"; }
+
+    FIX_COUNT=0
+    flog "=== Run started | wifi=${FIX_WIFI} health=${FIX_HEALTH} programs=${FIX_PROGRAMS} ==="
+
+    banner "Auto Fix"
+    echo ""
+    need_sudo
+
+    # ─────────────────────────────────────────────────────────────────────────
+    # WIFI
+    # ─────────────────────────────────────────────────────────────────────────
+    if [[ $FIX_WIFI -eq 1 ]]; then
+        echo -e "  ${B}▸ WiFi${NC}"; hr; echo ""
+
+        spin_start "NetworkManager"
+        if ! systemctl is-active --quiet NetworkManager 2>/dev/null; then
+            sudo systemctl start NetworkManager 2>/dev/null || true; sleep 2
+            if systemctl is-active --quiet NetworkManager 2>/dev/null; then
+                ffix_ok "NetworkManager was down — restarted"
+            else
+                ffix_err "NetworkManager failed to start"
+            fi
+        else
+            ffix_info "NetworkManager running"
+        fi
+
+        spin_start "WiFi hardware block"
+        if rfkill list wifi 2>/dev/null | grep -q "Hard blocked: yes"; then
+            ffix_warn "Hard blocked — check physical WiFi switch"
+        elif rfkill list wifi 2>/dev/null | grep -q "Soft blocked: yes"; then
+            rfkill unblock wifi 2>/dev/null || true
+            ffix_ok "WiFi soft-block removed"
+        else
+            ffix_info "rfkill OK"
+        fi
+
+        spin_start "wlan0 interface"
+        if ! ip link show wlan0 &>/dev/null; then
+            ffix_warn "wlan0 not found — adapter missing?"
+        elif ! ip link show wlan0 2>/dev/null | grep -q "UP"; then
+            sudo ip link set wlan0 up 2>/dev/null || true; sleep 1
+            if ip link show wlan0 2>/dev/null | grep -q "UP"; then
+                ffix_ok "wlan0 was down — brought up"
+            else
+                ffix_err "Could not bring up wlan0"
+            fi
+        else
+            ffix_info "wlan0 UP"
+        fi
+
+        spin_start "WiFi connection"
+        _WIFI_CON=$(nmcli -t -f NAME,DEVICE,TYPE con show --active 2>/dev/null \
+            | grep ":wlan0:802-11-wireless" | cut -d: -f1 | head -1 || echo "")
+        if [[ -z "$_WIFI_CON" ]]; then
+            _LAST_CON=$(nmcli -t -f NAME,TYPE con show 2>/dev/null \
+                | grep ":802-11-wireless" | head -1 | cut -d: -f1 || echo "")
+            if [[ -n "$_LAST_CON" ]]; then
+                _spin_kill
+                spin_start "Reconnecting to '${_LAST_CON}'"
+                sudo nmcli connection up "$_LAST_CON" 2>/dev/null || true; sleep 3
+                _WIFI_NOW=$(nmcli -t -f NAME,DEVICE,TYPE con show --active 2>/dev/null \
+                    | grep ":wlan0:802-11-wireless" | cut -d: -f1 | head -1 || echo "")
+                if [[ -n "$_WIFI_NOW" ]]; then
+                    _NEW_IP=$(ip -4 addr show wlan0 2>/dev/null \
+                        | grep -oP '(?<=inet )\d+\.\d+\.\d+\.\d+' || echo "")
+                    ffix_ok "Reconnected to '${_WIFI_NOW}'  (IP: ${_NEW_IP:-?})"
+                else
+                    ffix_warn "Could not reconnect — run: plc_checkweigher wifi"
+                fi
+            else
+                ffix_warn "No saved connections — run: plc_checkweigher wifi"
+            fi
+        else
+            _WIFI_IP=$(ip -4 addr show wlan0 2>/dev/null \
+                | grep -oP '(?<=inet )\d+\.\d+\.\d+\.\d+' || echo "?")
+            ffix_info "'${_WIFI_CON}'  (${_WIFI_IP})"
+        fi
+
+        spin_start "Internet connectivity"
+        if ping -c 2 -W 2 8.8.8.8 &>/dev/null; then
+            ffix_info "Internet reachable"
+        else
+            ffix_warn "No internet — local LAN may still work"
+        fi
+
+        echo ""
+    fi
+
+    # ─────────────────────────────────────────────────────────────────────────
+    # HEALTH
+    # ─────────────────────────────────────────────────────────────────────────
+    if [[ $FIX_HEALTH -eq 1 ]]; then
+        echo -e "  ${B}▸ System Health${NC}"; hr; echo ""
+
+        spin_start "Disk space"
+        _DISK_PCT=$(df / --output=pcent 2>/dev/null | tail -1 | tr -d ' %' || echo "0")
+        if [[ "${_DISK_PCT:-0}" -ge 95 ]]; then
+            sudo journalctl --vacuum-size=100M 2>/dev/null || true
+            _DISK_AFTER=$(df / --output=pcent 2>/dev/null | tail -1 | tr -d ' %' || echo "?")
+            ffix_ok "Disk ${_DISK_PCT}% → ${_DISK_AFTER}% after journal clean"
+        elif [[ "${_DISK_PCT:-0}" -ge 85 ]]; then
+            ffix_warn "Disk ${_DISK_PCT}% — consider removing old reports"
+        else
+            ffix_info "Disk ${_DISK_PCT}%"
+        fi
+
+        spin_start "CPU temperature"
+        if command -v vcgencmd &>/dev/null; then
+            _TEMP=$(vcgencmd measure_temp 2>/dev/null | grep -oP '[\d.]+' | head -1 || echo "0")
+            _TEMP_INT=${_TEMP%.*}
+            if [[ "${_TEMP_INT:-0}" -ge 80 ]]; then
+                ffix_warn "${_TEMP}°C — check ventilation"
+            else
+                ffix_info "${_TEMP}°C"
+            fi
+        else
+            ffix_info "Temperature check not available"
+        fi
+
+        spin_start "Memory"
+        _MEM_FREE=$(free -m 2>/dev/null | awk '/^Mem:/{print $7}' || echo "999")
+        _MEM_TOTAL=$(free -m 2>/dev/null | awk '/^Mem:/{print $2}' || echo "1")
+        if [[ "${_MEM_FREE:-999}" -lt 50 ]]; then
+            echo 3 | sudo tee /proc/sys/vm/drop_caches >/dev/null 2>&1 || true
+            _MEM_AFTER=$(free -m 2>/dev/null | awk '/^Mem:/{print $7}' || echo "?")
+            ffix_ok "Low memory ${_MEM_FREE}MB → ${_MEM_AFTER}MB after cache drop"
+        else
+            ffix_info "${_MEM_FREE}MB / ${_MEM_TOTAL}MB free"
+        fi
+
+        spin_start "System time"
+        if timedatectl status 2>/dev/null | grep -q "synchronized: yes"; then
+            ffix_info "NTP synchronized"
+        else
+            sudo timedatectl set-ntp true 2>/dev/null || true
+            command -v chronyc &>/dev/null && sudo chronyc makestep 2>/dev/null || true
+            sleep 2
+            if timedatectl status 2>/dev/null | grep -q "synchronized: yes"; then
+                ffix_ok "NTP sync restored"
+            else
+                ffix_warn "Time not synced — no internet?"
+            fi
+        fi
+
+        spin_start "Reports directory"
+        _REPORTS_DIR="/home/pi/reports"
+        if [[ ! -d "$_REPORTS_DIR" ]]; then
+            mkdir -p "$_REPORTS_DIR" 2>/dev/null && ffix_ok "Created ${_REPORTS_DIR}" \
+                                                 || ffix_warn "Could not create ${_REPORTS_DIR}"
+        else
+            ffix_info "${_REPORTS_DIR} OK"
+        fi
+
+        spin_start "SMB config file"
+        mkdir -p "${DATA_DIR}" 2>/dev/null || true
+        if [[ ! -f "$SMB_CFG" ]]; then
+            printf 'SMB_ENABLED  = False\nSMB_HOST     = ""\nSMB_SHARE    = "Reports"\nSMB_USERNAME = ""\nSMB_PASSWORD = ""\nSMB_SUBDIR   = ""\n' \
+                > "$SMB_CFG" 2>/dev/null || sudo tee "$SMB_CFG" > /dev/null << 'SMBC'
+SMB_ENABLED  = False
+SMB_HOST     = ""
+SMB_SHARE    = "Reports"
+SMB_USERNAME = ""
+SMB_PASSWORD = ""
+SMB_SUBDIR   = ""
+SMBC
+            ffix_ok "Created default smb_config.py (disabled — run: plc_checkweigher smb-config)"
+        else
+            ffix_info "smb_config.py present"
+        fi
+
+        echo ""
+    fi
+
+    # ─────────────────────────────────────────────────────────────────────────
+    # PROGRAMS
+    # ─────────────────────────────────────────────────────────────────────────
+    if [[ $FIX_PROGRAMS -eq 1 ]]; then
+        echo -e "  ${B}▸ Programs & Services${NC}"; hr; echo ""
+
+        for _SVC in plc_watcher plc_web; do
+            spin_start "${_SVC}"
+            _SVC_STATE=$(systemctl is-active "$_SVC" 2>/dev/null || echo "inactive")
+            if [[ "$_SVC_STATE" != "active" ]]; then
+                sudo systemctl enable "$_SVC" 2>/dev/null || true
+                sudo systemctl restart "$_SVC" 2>/dev/null || true; sleep 2
+                _SVC_NOW=$(systemctl is-active "$_SVC" 2>/dev/null || echo "inactive")
+                if [[ "$_SVC_NOW" == "active" ]]; then
+                    ffix_ok "${_SVC} restarted (was: ${_SVC_STATE})"
+                else
+                    ffix_err "${_SVC} failed — check: journalctl -u ${_SVC} -n 30"
+                fi
+            else
+                ffix_info "${_SVC} active"
+            fi
+        done
+
+        spin_start "Python venv"
+        if [[ ! -x "$PYTHON" ]]; then
+            ffix_err "Venv missing at ${PYTHON} — re-run installer"
+        else
+            ffix_info "Venv OK"
+        fi
+
+        spin_start "Python packages"
+        _PKG_MISSING=""
+        for _pkg in flask reportlab pymcprotocol impacket; do
+            "${PYTHON}" -c "import ${_pkg}" &>/dev/null 2>&1 || _PKG_MISSING="${_PKG_MISSING} ${_pkg}"
+        done
+        if [[ -n "$_PKG_MISSING" ]]; then
+            _spin_kill
+            spin_start "Installing:${_PKG_MISSING}"
+            "${PYTHON}" -m pip install ${_PKG_MISSING} --quiet 2>/dev/null || true
+            _PKG_STILL=""
+            for _pkg in ${_PKG_MISSING}; do
+                "${PYTHON}" -c "import ${_pkg}" &>/dev/null 2>&1 || _PKG_STILL="${_PKG_STILL} ${_pkg}"
+            done
+            if [[ -z "$_PKG_STILL" ]]; then
+                ffix_ok "Installed:${_PKG_MISSING}"
+            else
+                ffix_warn "Could not install:${_PKG_STILL}"
+            fi
+        else
+            ffix_info "All packages present"
+        fi
+
+        spin_start "Delivery queue"
+        _QUEUE="${DATA_DIR}/delivery_queue.json"
+        mkdir -p "${DATA_DIR}" 2>/dev/null || true
+        if [[ ! -f "$_QUEUE" ]]; then
+            echo "[]" > "$_QUEUE" 2>/dev/null || true
+            ffix_ok "Created missing delivery_queue.json"
+        elif ! "${PYTHON}" -c "import json; json.load(open('${_QUEUE}'))" &>/dev/null 2>&1; then
+            mv "$_QUEUE" "${_QUEUE}.broken.$(date +%s)" 2>/dev/null || true
+            echo "[]" > "$_QUEUE" 2>/dev/null || true
+            ffix_ok "Corrupt delivery queue reset (backup saved)"
+        else
+            ffix_info "delivery_queue.json valid"
+        fi
+
+        spin_start "systemd unit files"
+        _RESTORED=""
+        for _src in "${INSTALL_DIR}/plc_watcher.service" "${INSTALL_DIR}/web/plc_web.service"; do
+            [[ ! -f "$_src" ]] && continue
+            _dst="/etc/systemd/system/$(basename "$_src")"
+            if [[ ! -f "$_dst" ]]; then
+                sudo cp "$_src" "$_dst" 2>/dev/null || true
+                _RESTORED="${_RESTORED} $(basename "$_src")"
+            fi
+        done
+        if [[ -n "$_RESTORED" ]]; then
+            sudo systemctl daemon-reload 2>/dev/null || true
+            ffix_ok "Restored:${_RESTORED}"
+        else
+            ffix_info "Unit files present"
+        fi
+
+        echo ""
+    fi
+
+    # ── Summary ───────────────────────────────────────────────────────────────
+    flog "=== Complete: ${FIX_COUNT} fix(es) applied ==="
+    hr
+    echo ""
+    if [[ $FIX_COUNT -gt 0 ]]; then
+        ok "${FIX_COUNT} fix(es) applied"
+    else
+        ok "All checks passed — no fixes needed"
+    fi
+    info "Log: ${LOG_FILE}"
+
+    # ── Push log to SMB share ─────────────────────────────────────────────────
+    _SMB_HOST=$(smb_get "SMB_HOST")
+    _SMB_SHARE=$(smb_get "SMB_SHARE")
+    _SMB_USER=$(smb_get "SMB_USERNAME")
+    _SMB_PASS=$(smb_get "SMB_PASSWORD")
+    _SMB_EN=$(grep "^SMB_ENABLED" "${SMB_CFG}" 2>/dev/null | grep -qi "true" && echo "1" || echo "0")
+
+    if [[ "$_SMB_EN" == "1" && -n "$_SMB_HOST" && -n "$_SMB_USER" ]] \
+       && command -v smbclient &>/dev/null; then
+        spin_start "Uploading log to SMB share"
+        _LOG_BASENAME="$(basename "$LOG_FILE")"
+        if smbclient "//${_SMB_HOST}/${_SMB_SHARE}" \
+               -U "${_SMB_USER}%${_SMB_PASS}" \
+               -c "mkdir logs; put ${LOG_FILE} logs/${_LOG_BASENAME}" &>/dev/null 2>&1; then
+            spin_ok "Log pushed → //${_SMB_HOST}/${_SMB_SHARE}/logs/${_LOG_BASENAME}"
+            flog "INFO  : Log uploaded to SMB //${_SMB_HOST}/${_SMB_SHARE}/logs/${_LOG_BASENAME}"
+        else
+            spin_warn "SMB upload failed — log saved locally only"
+            flog "WARN  : SMB log upload failed"
+        fi
+    fi
+
+    echo ""
+    ;;
+
+# ─────────────────────────────────────────────────────────────────────────────
+# UNINSTALL — two modes: software-only or full drive wipe
 # ─────────────────────────────────────────────────────────────────────────────
 uninstall)
     PI_USER="${PI_USER:-pi}"
@@ -591,46 +929,83 @@ uninstall)
     echo -e "${R}  ║              PLC CHECK-WEIGHER UNINSTALLER               ║${NC}"
     echo -e "${R}  ╚══════════════════════════════════════════════════════════╝${NC}"
     echo ""
-    echo -e "  This will permanently remove:"
+    echo -e "  Choose uninstall mode:"
     echo ""
-    echo -e "  ${R}✗${NC}  systemd services    plc_watcher  plc_web"
-    echo -e "  ${R}✗${NC}  project code        ${INSTALL_DIR}"
-    echo -e "  ${R}✗${NC}  Python venv         ${VENV_DIR}"
-    echo -e "  ${R}✗${NC}  CLI tool            /usr/local/bin/plc_checkweigher"
-    echo -e "  ${R}✗${NC}  Plymouth theme      saismruth (reverts to default)"
-    echo -e "  ${R}✗${NC}  RT kernel config    (reverts /boot/firmware/config.txt)"
-    echo -e "  ${R}✗${NC}  LightDM drop-in     /etc/systemd/system/lightdm.service.d/"
-    echo -e "  ${R}✗${NC}  NetworkManager cfg  /etc/systemd/system/NetworkManager-wait-online.service.d/"
-    echo -e "  ${R}✗${NC}  Hotspot connection  plc-hotspot (nmcli)"
-    echo -e "  ${Y}!${NC}  reports folder      ${REPORTS_DIR}  (you will be asked)"
+    echo -e "  ${Y}1)${NC}  ${W}Software only${NC}"
+    echo -e "     ${D}Remove PLC services, code, venv and kernel config.${NC}"
+    echo -e "     ${D}OS, user files and WiFi credentials are kept intact.${NC}"
     echo ""
-    echo -e "  ${D}System packages (git, python3-venv, samba-client) are NOT removed.${NC}"
+    echo -e "  ${R}2)${NC}  ${W}Clean drive${NC}  — prepare for fresh OS flash"
+    echo -e "     ${D}Everything above PLUS all user data and WiFi credentials,${NC}"
+    echo -e "     ${D}then zeros the entire SD card.${NC}"
+    echo -e "     ${R}     ⚠  The Pi will NOT boot after this. Reflash required.${NC}"
     echo ""
-    hr
+
+    while true; do
+        read -r -p "  Mode [1 / 2]: " UNINSTALL_MODE </dev/tty
+        [[ "$UNINSTALL_MODE" == "1" || "$UNINSTALL_MODE" == "2" ]] && break
+        echo -e "  ${R}Enter 1 or 2${NC}"
+    done
     echo ""
 
-    read -r -p "  Type  YES  to confirm full uninstall: " CONFIRM </dev/tty
-    [[ "$CONFIRM" == "YES" ]] || { echo "  Aborted."; exit 0; }
+    # ── Mode-specific confirmation ────────────────────────────────────────────
+    KEEP_REPORTS="Y"
+    if [[ "$UNINSTALL_MODE" == "1" ]]; then
+        hr
+        echo ""
+        echo -e "  ${R}✗${NC}  systemd services    plc_watcher  plc_web"
+        echo -e "  ${R}✗${NC}  project code        ${INSTALL_DIR}"
+        echo -e "  ${R}✗${NC}  Python venv         ${VENV_DIR}"
+        echo -e "  ${R}✗${NC}  CLI tool            plc_checkweigher"
+        echo -e "  ${R}✗${NC}  Plymouth theme      saismruth → default"
+        echo -e "  ${R}✗${NC}  RT kernel config    /boot/firmware/config.txt"
+        echo -e "  ${Y}!${NC}  reports folder      ${REPORTS_DIR}  (you will be asked)"
+        echo ""
+        echo -e "  ${D}System packages (git, python3-venv, samba-client) NOT removed.${NC}"
+        echo ""
+        hr; echo ""
+        read -r -p "  Type  YES  to confirm: " _CONFIRM </dev/tty
+        [[ "$_CONFIRM" == "YES" ]] || { echo "  Aborted."; exit 0; }
+        echo ""
+        read -r -p "  Keep report PDFs in ${REPORTS_DIR}? [Y/n]: " KEEP_REPORTS </dev/tty
+        KEEP_REPORTS="${KEEP_REPORTS:-Y}"
+    else
+        # Detect the drive that holds the root filesystem
+        _ROOT_SRC=$(findmnt -n -o SOURCE / 2>/dev/null || echo "")
+        _ROOT_DEV=$(lsblk -no pkname "$_ROOT_SRC" 2>/dev/null || echo "")
+        _ROOT_DEV_PATH="/dev/${_ROOT_DEV}"
 
-    echo ""
-    read -r -p "  Keep report PDFs in ${REPORTS_DIR}? [Y/n]: " KEEP_REPORTS </dev/tty
-    KEEP_REPORTS="${KEEP_REPORTS:-Y}"
+        hr; echo ""
+        echo -e "  ${R}⚠  DESTRUCTIVE — READ CAREFULLY${NC}"
+        echo ""
+        echo -e "  ${R}✗${NC}  All PLC software, services and kernel config"
+        echo -e "  ${R}✗${NC}  All reports, logs and SMB credentials"
+        echo -e "  ${R}✗${NC}  SSH keys, bash history, npm cache, user configs"
+        echo -e "  ${R}✗${NC}  All saved WiFi connections"
+        echo -e "  ${R}✗${NC}  Entire drive zeroed: ${W}${_ROOT_DEV_PATH}${NC}"
+        echo ""
+        echo -e "  ${R}The Pi will become unresponsive during the wipe.${NC}"
+        echo -e "  ${D}Power off after ~2 minutes, then reflash with Raspberry Pi Imager.${NC}"
+        echo ""
+        hr; echo ""
+        read -r -p "  Type  WIPE  to confirm drive wipe: " _CONFIRM </dev/tty
+        [[ "$_CONFIRM" == "WIPE" ]] || { echo "  Aborted."; exit 0; }
+    fi
 
     echo ""
     need_sudo
 
-    # Step counter
-    _US=0; _UT=9
+    # ── Step counter (9 for software-only, 12 for clean drive) ───────────────
+    _UT=$([[ "$UNINSTALL_MODE" == "1" ]] && echo "9" || echo "12")
+    _US=0
     ustep() { _US=$((_US + 1)); spin_start "[${_US}/${_UT}] $*"; }
 
     # ── 1. Stop and disable services ─────────────────────────────────────────
     echo ""
     ustep "Stopping and disabling services"
     for SVC in plc_watcher plc_web; do
-        systemctl is-active --quiet "$SVC" 2>/dev/null \
-            && sudo systemctl stop    "$SVC" 2>/dev/null || true
-        systemctl is-enabled --quiet "$SVC" 2>/dev/null \
-            && sudo systemctl disable "$SVC" 2>/dev/null || true
+        systemctl is-active  --quiet "$SVC" 2>/dev/null && sudo systemctl stop    "$SVC" 2>/dev/null || true
+        systemctl is-enabled --quiet "$SVC" 2>/dev/null && sudo systemctl disable "$SVC" 2>/dev/null || true
     done
     sudo rm -f /etc/systemd/system/plc_watcher.service \
                /etc/systemd/system/plc_web.service
@@ -657,27 +1032,23 @@ uninstall)
     fi
     spin_ok "Reverted to '${DEFAULT_THEME:-default}'"
 
-    # ── 4. Rebuild initramfs (slowest step — keep spinner alive) ─────────────
+    # ── 4. Rebuild initramfs ─────────────────────────────────────────────────
     ustep "Rebuilding initramfs  ${D}(~30 s)${NC}"
     sudo update-initramfs -u > /tmp/uninstall_initramfs.log 2>&1 \
-        && spin_ok \
-        || spin_warn "Warnings — see /tmp/uninstall_initramfs.log"
+        && spin_ok || spin_warn "Warnings — see /tmp/uninstall_initramfs.log"
 
     # ── 5. RT kernel revert ──────────────────────────────────────────────────
     ustep "Reverting RT kernel config"
     if [[ -f "${BOOT_FW}/config.txt" ]]; then
-        sudo sed -i '/### PLC-RT-BLOCK-START ###/,/### PLC-RT-BLOCK-END ###/d' \
-            "${BOOT_FW}/config.txt"
+        sudo sed -i '/### PLC-RT-BLOCK-START ###/,/### PLC-RT-BLOCK-END ###/d' "${BOOT_FW}/config.txt"
         sudo sed -i '/^gpu_mem=128$/d' "${BOOT_FW}/config.txt"
-        sudo rm -f "${BOOT_FW}/kernel8-rt.img" \
-                   "${BOOT_FW}/initramfs8-rt"   \
-                   "${BOOT_FW}/kernel8-stock.img"
-        spin_ok "Stock kernel will boot after reboot"
+        sudo rm -f "${BOOT_FW}/kernel8-rt.img" "${BOOT_FW}/initramfs8-rt" "${BOOT_FW}/kernel8-stock.img"
+        spin_ok "Stock kernel restored"
     else
         spin_warn "config.txt not found — skipped"
     fi
 
-    # ── 6. Hotspot + nmcli cleanup ───────────────────────────────────────────
+    # ── 6. Network cleanup ───────────────────────────────────────────────────
     ustep "Cleaning up network connections"
     sudo nmcli connection delete "plc-hotspot" 2>/dev/null || true
     sudo systemctl daemon-reload
@@ -685,15 +1056,10 @@ uninstall)
 
     # ── 7. Python venv ───────────────────────────────────────────────────────
     ustep "Removing Python environment"
-    if [[ -d "$VENV_DIR" ]]; then
-        rm -rf "$VENV_DIR"
-        spin_ok "Removed ${VENV_DIR}"
-    else
-        spin_ok "Already gone"
-    fi
+    [[ -d "$VENV_DIR" ]] && rm -rf "$VENV_DIR" && spin_ok "Removed ${VENV_DIR}" || spin_ok "Already gone"
 
-    # ── 8. Reports (optional) + temp files ───────────────────────────────────
-    ustep "Cleaning up runtime files"
+    # ── 8. Runtime files + CLI ───────────────────────────────────────────────
+    ustep "Cleaning up runtime files and CLI"
     rm -f /tmp/plc_live.json 2>/dev/null || true
     BASHRC="${HOME_DIR}/.bashrc"
     [[ -f "$BASHRC" ]] && sed -i '/export PATH.*\.local\/bin/d' "$BASHRC" 2>/dev/null || true
@@ -704,16 +1070,61 @@ uninstall)
     fi
     spin_ok "CLI and temp files removed"
 
-    # ── 9. Remove project directory (self-deletes last) ───────────────────────
+    # ── 9. Project code ──────────────────────────────────────────────────────
     ustep "Removing project code"
     if [[ -d "$INSTALL_DIR" ]]; then
-        rm -rf "$INSTALL_DIR"
-        spin_ok "Removed ${INSTALL_DIR}"
+        sudo rm -rf "$INSTALL_DIR" && spin_ok "Removed ${INSTALL_DIR}"
     else
         spin_ok "Already gone"
     fi
 
-    # ── Done ─────────────────────────────────────────────────────────────────
+    # ─────────────────────────────────────────────────────────────────────────
+    # MODE 2 ONLY: wipe all user data then zero the drive
+    # ─────────────────────────────────────────────────────────────────────────
+    if [[ "$UNINSTALL_MODE" == "2" ]]; then
+
+        # ── 10. All WiFi connections ─────────────────────────────────────────
+        ustep "Removing all WiFi connections"
+        nmcli -t -f NAME con show 2>/dev/null | while IFS= read -r _CON; do
+            [[ -n "$_CON" ]] && sudo nmcli connection delete "$_CON" 2>/dev/null || true
+        done
+        spin_ok "All network connections cleared"
+
+        # ── 11. User data ────────────────────────────────────────────────────
+        ustep "Wiping user data"
+        rm -rf "${REPORTS_DIR}"             2>/dev/null || true
+        rm -rf "${HOME_DIR}/.ssh"           2>/dev/null || true
+        rm -f  "${HOME_DIR}/.bash_history"  2>/dev/null || true
+        rm -rf "${HOME_DIR}/.npm"           2>/dev/null || true
+        rm -rf "${HOME_DIR}/.config"        2>/dev/null || true
+        rm -rf "${HOME_DIR}/.cache"         2>/dev/null || true
+        rm -rf "${HOME_DIR}/.local"         2>/dev/null || true
+        spin_ok "User data cleared"
+
+        # ── 12. Zero the drive ───────────────────────────────────────────────
+        ustep "Zeroing drive — ${_ROOT_DEV_PATH}"
+        _spin_kill
+        echo ""
+        echo -e "  ${R}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
+        echo -e "  ${R}  Starting drive wipe. The system will become unresponsive.${NC}"
+        echo -e "  ${R}  Power off after 2 minutes and reflash with Pi Imager.${NC}"
+        echo -e "  ${R}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
+        echo ""
+        for _i in 10 9 8 7 6 5 4 3 2 1; do
+            printf "\r  Wiping in %2d s ... (Ctrl-C to abort)  " "$_i"
+            sleep 1
+        done
+        printf '\r\033[K'
+        echo -e "  ${R}Wiping ${_ROOT_DEV_PATH} ...${NC}"
+        echo ""
+        sudo dd if=/dev/zero of="${_ROOT_DEV_PATH}" bs=4M status=progress 2>&1 || true
+        # The system will have crashed by here. This line is a safety net.
+        echo ""
+        warn "Wipe complete — power off and reflash."
+        exit 0
+    fi
+
+    # ── Done (mode 1 only) ────────────────────────────────────────────────────
     echo ""
     echo -e "${G}"
     echo "  ╔══════════════════════════════════════════════════════════╗"
@@ -724,13 +1135,10 @@ uninstall)
     echo -e "${NC}"
     [[ "${KEEP_REPORTS^^}" == "Y" ]] && info "PDFs still at: ${REPORTS_DIR}  (remove manually if needed)"
     echo ""
-
     read -r -p "  Reboot now? [Y/n]: " DO_REBOOT </dev/tty
     DO_REBOOT="${DO_REBOOT:-Y}"
     if [[ "${DO_REBOOT^^}" == "Y" ]]; then
-        spin_start "Rebooting"
-        sleep 1
-        sudo reboot
+        spin_start "Rebooting"; sleep 1; sudo reboot
     else
         warn "Remember to reboot for kernel changes to take effect."
         echo ""
@@ -745,7 +1153,11 @@ help|--help|-h)
     echo -e "${B}  plc_checkweigher${NC} — PLC Check-Weigher system CLI"
     echo ""
     echo -e "  ${W}Diagnostics${NC}"
-    echo "    status                     Full system diagnostic — all checks + fix hints"
+    echo "    status                     Full system diagnostic (auto-runs fix on errors)"
+    echo "    fix                        Auto-detect and repair all issues + write log"
+    echo "    fix -wifi                  Fix WiFi connectivity only"
+    echo "    fix -health                Fix disk, memory, time, dirs"
+    echo "    fix -programs              Fix services, packages, queue, unit files"
     echo "    logs                       Stream live logs (plc_watcher + plc_web)"
     echo "    queue                      Show SMB pending queue and delivery ledger"
     echo ""

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "plc-checkweigher",
-  "version": "1.16.0",
+  "version": "1.20.0",
   "description": "One-command installer for the PLC Check-Weigher system on Raspberry Pi (PREEMPT_RT kernel, Python stack, WiFi, SMB, systemd RT services)",
   "scripts": {
     "postinstall": "node bin/cli.js"

package/setup.sh

@@ -12,12 +12,13 @@
 #    3.  Clone / update repo
 #    4.  Python venv + pip install
 #    5.  Create /home/<user>/reports
-#    6.  WiFi     — scan → pick from list → password
-#    7.  SMB      — enter host IP, share name, credentials  → smb_config.py
+#    6.  WiFi      — scan → pick from list → password
+#    7.  SMB       — enter host IP, share name, credentials  → smb_config.py
 #    8.  NetworkManager-wait-online
 #    9.  systemd services (plc_watcher + plc_web)
-#   10.  Boot logo  — Plymouth theme with logo.png + "SAI SAMARTH ENGG"
-#   11.  Display    — LightDM priority, CPU isolation, utmpx, GPU memory
+#   10.  Boot logo — Plymouth theme with logo.png + "SAI SAMARTH ENGG"
+#   11.  Display   — LightDM priority, CPU isolation, utmpx
+#  11b.  VS Code   — priority daemon: cores 0-2, Nice=-5
 #   12.  PREEMPT_RT kernel  ← installed last so only one reboot is needed
 #   13.  REBOOT
 # =============================================================================
@@ -31,6 +32,7 @@ REPO_URL="https://github.com/Bibin-VR/plc-checkweigher.git"
 REPO_BRANCH="main"
 HOME_DIR="/home/${PI_USER}"
 INSTALL_DIR="${HOME_DIR}/plc_checkweigher"
+DATA_DIR="${INSTALL_DIR}/data"        # pi-writable: queue, log, smb_config
 VENV_DIR="${HOME_DIR}/plc_env"
 REPORTS_DIR="${HOME_DIR}/reports"
 BOOT_FW="/boot/firmware"
@@ -106,15 +108,20 @@ install_system_packages() {
 # ── 2. Clone / update repo ────────────────────────────────────────────────────
 setup_repo() {
     step "Repository ..."
+    # Mark safe so git operations work regardless of ownership state.
+    git config --global --add safe.directory "${INSTALL_DIR}" 2>/dev/null || true
+
     if [[ -d "${INSTALL_DIR}/.git" ]]; then
-        sudo -u "${PI_USER}" git -C "${INSTALL_DIR}" pull --ff-only origin "${REPO_BRANCH}" \
+        # Temporarily unlock so git can write index / pack files.
+        chown -R root:root "${INSTALL_DIR}" 2>/dev/null || true
+        git -C "${INSTALL_DIR}" pull --ff-only origin "${REPO_BRANCH}" \
             && ok "Repo updated  →  ${INSTALL_DIR}" \
             || warn "git pull failed — using existing files"
     else
-        sudo -u "${PI_USER}" git clone --branch "${REPO_BRANCH}" \
-            "${REPO_URL}" "${INSTALL_DIR}"
+        git clone --branch "${REPO_BRANCH}" "${REPO_URL}" "${INSTALL_DIR}"
         ok "Repo cloned  →  ${INSTALL_DIR}"
     fi
+    # Permissions are finalised by lock_source_files() later.
 }
 
 # ── 3. Python venv ────────────────────────────────────────────────────────────
@@ -134,6 +141,13 @@ setup_dirs() {
     mkdir -p "${REPORTS_DIR}"
     chown "${PI_USER}:${PI_USER}" "${REPORTS_DIR}"
     ok "${REPORTS_DIR}"
+
+    # pi-writable data directory — queue, delivery log, SMB credentials live here.
+    # Source files above this directory are root-locked after install_services().
+    mkdir -p "${DATA_DIR}"
+    chown "${PI_USER}:${PI_USER}" "${DATA_DIR}"
+    chmod 755 "${DATA_DIR}"
+    ok "${DATA_DIR}  (runtime data — pi-writable)"
 }
 
 # ── CLI tool — install plc_checkweigher command ───────────────────────────────
@@ -252,8 +266,8 @@ setup_smb() {
     prompt SMB_HOST     "Host IP address"   ""
     if [[ -z "${SMB_HOST}" ]]; then
         warn "SMB push disabled — no host entered."
-        # Write a disabled smb_config.py
-        cat > "${INSTALL_DIR}/smb_config.py" << 'EOF'
+        # Write a disabled smb_config.py to the pi-writable data/ directory.
+        cat > "${DATA_DIR}/smb_config.py" << 'EOF'
 # SMB push disabled during setup
 SMB_ENABLED  = False
 SMB_HOST     = ""
@@ -262,7 +276,7 @@ SMB_USERNAME = ""
 SMB_PASSWORD = ""
 SMB_SUBDIR   = ""
 EOF
-        chown "${PI_USER}:${PI_USER}" "${INSTALL_DIR}/smb_config.py"
+        chown "${PI_USER}:${PI_USER}" "${DATA_DIR}/smb_config.py"
         return
     fi
 
@@ -274,8 +288,9 @@ EOF
     hr
     echo ""
 
-    # Write smb_config.py (gitignored — credentials stay off GitHub)
-    cat > "${INSTALL_DIR}/smb_config.py" << EOF
+    # Write smb_config.py to data/ (gitignored — credentials stay off GitHub).
+    # Stored in data/ so the pi user can update it via: plc_checkweigher smb-config
+    cat > "${DATA_DIR}/smb_config.py" << EOF
 # SMB configuration — written by setup.sh, NOT committed to git.
 SMB_ENABLED  = True
 SMB_HOST     = "${SMB_HOST}"
@@ -284,8 +299,8 @@ SMB_USERNAME = "${SMB_USERNAME}"
 SMB_PASSWORD = "${SMB_PASSWORD}"
 SMB_SUBDIR   = "${SMB_SUBDIR}"
 EOF
-    chown "${PI_USER}:${PI_USER}" "${INSTALL_DIR}/smb_config.py"
-    ok "SMB config saved  →  ${INSTALL_DIR}/smb_config.py"
+    chown "${PI_USER}:${PI_USER}" "${DATA_DIR}/smb_config.py"
+    ok "SMB config saved  →  ${DATA_DIR}/smb_config.py"
 
     # Test connectivity
     echo -n "  Testing connection to ${SMB_HOST} ..."
@@ -478,13 +493,13 @@ setup_display() {
 # Start after hardware udev settles (HDMI/DSI detected) — not after network.
 After=systemd-udev-settle.service local-fs.target acpid.socket dbus.service
 Wants=systemd-udev-settle.service
+# StartLimit* MUST be in [Unit] — ignored in [Service].
+StartLimitBurst=10
+StartLimitIntervalSec=60
 
 [Service]
-# Generous restart policy — display should always recover.
-StartLimitBurst=20
-StartLimitIntervalSec=120
 Restart=on-failure
-RestartSec=3
+RestartSec=5
 
 # CPU cores 0-2 only — core 3 is reserved for SCHED_FIFO PLC process.
 CPUAffinity=0 1 2
@@ -494,7 +509,7 @@ Nice=-5
 
 LimitNOFILE=65536
 EOF
-    ok "LightDM: CPUAffinity=0-2, Nice=-5, network dep removed"
+    ok "LightDM: CPUAffinity=0-2, Nice=-5, StartLimitBurst=10 in [Unit]"
 
     # ── Fix utmpx — PAM needs /run/utmp to track sessions ───────────────────
     cat > /etc/tmpfiles.d/utmp-fix.conf << 'EOF'
@@ -503,18 +518,127 @@ EOF
     systemd-tmpfiles --create /etc/tmpfiles.d/utmp-fix.conf 2>/dev/null || true
     ok "/run/utmp fixed (utmpx PAM session tracking)"
 
-    # ── GPU memory — 128 MB: enough for 1080p desktop and HMI use ───────────
-    sed -i '/^gpu_mem=/d' "${BOOT_FW}/config.txt"
-    if grep -q "### PLC-RT-BLOCK-START ###" "${BOOT_FW}/config.txt"; then
-        sed -i '/### PLC-RT-BLOCK-START ###/i gpu_mem=128' "${BOOT_FW}/config.txt"
+    # ── Fix vc4-kms display driver — PREEMPT_RT EPROBE_DEFER workaround ─────
+    # On the RT kernel, vc4_hdmi defers its probe indefinitely waiting for the
+    # PCM audio component (-517 = EPROBE_DEFER). noaudio removes that dependency
+    # so the display DRM card is created on first probe attempt.
+    # hdmi_force_hotplug=1 initialises HDMI hardware even when no display is
+    # connected at boot (required for headless + Pi Connect screen sharing).
+    sed -i 's/^dtoverlay=vc4-kms-v3d$/dtoverlay=vc4-kms-v3d,noaudio/' \
+        "${BOOT_FW}/config.txt" 2>/dev/null || true
+    if ! grep -q '^hdmi_force_hotplug' "${BOOT_FW}/config.txt"; then
+        if grep -q '^\[all\]' "${BOOT_FW}/config.txt"; then
+            sed -i '/^\[all\]/a hdmi_force_hotplug=1' "${BOOT_FW}/config.txt"
+        else
+            echo "hdmi_force_hotplug=1" >> "${BOOT_FW}/config.txt"
+        fi
     else
-        echo "gpu_mem=128" >> "${BOOT_FW}/config.txt"
+        sed -i 's/^hdmi_force_hotplug=.*/hdmi_force_hotplug=1/' "${BOOT_FW}/config.txt"
     fi
-    ok "gpu_mem=128 set in config.txt (128 MB VRAM)"
+    ok "vc4-kms-v3d,noaudio + hdmi_force_hotplug=1  (HDMI always initialised)"
+
+    # ── Enable rpi-connect user service (Pi Connect remote access) ──────────
+    loginctl enable-linger "${PI_USER}" 2>/dev/null || true
+    sudo -u "${PI_USER}" systemctl --user enable rpi-connect.service 2>/dev/null || true
+    ok "rpi-connect user service enabled (sign in with: rpi-connect signin)"
 
     systemctl daemon-reload
     systemctl enable lightdm.service 2>/dev/null || true
-    ok "LightDM enabled — starts on every boot when display is connected"
+    ok "LightDM enabled — starts on every boot"
+}
+
+# ── 11b. VS Code server priority ──────────────────────────────────────────────
+setup_vscode_priority() {
+    step "VS Code server priority ..."
+
+    cat > /usr/local/bin/vscode-priority-daemon << 'DAEMON'
+#!/usr/bin/env bash
+# Apply CPU affinity (cores 0-2) and Nice=-5 to VS Code server processes.
+# Core 3 is reserved exclusively for the SCHED_FIFO PLC process.
+# Runs every 60s so newly-spawned extension host processes are caught promptly.
+while true; do
+    mapfile -t pids < <(pgrep -u pi -f '\.vscode-server' 2>/dev/null || true)
+    for pid in "${pids[@]}"; do
+        taskset -cp 0-2 "$pid" >/dev/null 2>&1 || true
+        renice -n -5 -p "$pid" >/dev/null 2>&1 || true
+    done
+    sleep 60
+done
+DAEMON
+    chmod +x /usr/local/bin/vscode-priority-daemon
+
+    cat > /etc/systemd/system/vscode-priority.service << 'EOF'
+[Unit]
+Description=VS Code Server priority manager (cores 0-2, Nice=-5)
+After=multi-user.target
+Wants=multi-user.target
+
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/vscode-priority-daemon
+Restart=always
+RestartSec=10
+User=root
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+    systemctl daemon-reload
+    systemctl enable vscode-priority.service
+    ok "vscode-priority.service  (cores 0-2, Nice=-5) — starts on every boot"
+}
+
+# ── 11c. Lock source files — root:root 644 (requires sudo to edit) ────────────
+lock_source_files() {
+    step "Protecting source files ..."
+
+    # Source files: root:root 644 — readable+executable by all, editable by root only.
+    find "${INSTALL_DIR}" -maxdepth 1 -name "*.py" -exec chown root:root {} \; \
+                                                    -exec chmod 644 {} \;
+    find "${INSTALL_DIR}/web" -name "*.py" -exec chown root:root {} \; \
+                                           -exec chmod 644 {} \; 2>/dev/null || true
+    find "${INSTALL_DIR}/web/templates" -name "*.html" -exec chown root:root {} \; \
+                                                        -exec chmod 644 {} \; 2>/dev/null || true
+    find "${INSTALL_DIR}/web/static" -type f -exec chown root:root {} \; \
+                                             -exec chmod 644 {} \; 2>/dev/null || true
+
+    # Directories: root:root 755 — pi can list/cd but cannot create new files.
+    chown root:root "${INSTALL_DIR}"
+    chmod 755 "${INSTALL_DIR}"
+    [[ -d "${INSTALL_DIR}/web" ]]          && chown root:root "${INSTALL_DIR}/web"           && chmod 755 "${INSTALL_DIR}/web"
+    [[ -d "${INSTALL_DIR}/web/templates" ]] && chown root:root "${INSTALL_DIR}/web/templates" && chmod 755 "${INSTALL_DIR}/web/templates"
+    [[ -d "${INSTALL_DIR}/web/static" ]]   && chown root:root "${INSTALL_DIR}/web/static"    && chmod 755 "${INSTALL_DIR}/web/static"
+    [[ -d "${INSTALL_DIR}/assets" ]]       && chown root:root "${INSTALL_DIR}/assets"         && chmod 755 "${INSTALL_DIR}/assets"
+    [[ -d "${INSTALL_DIR}/bin" ]]          && chown root:root "${INSTALL_DIR}/bin"             && chmod 755 "${INSTALL_DIR}/bin"
+
+    # service files and scripts: root:root, readable
+    find "${INSTALL_DIR}" -maxdepth 2 -name "*.service" -exec chown root:root {} \; \
+                                                         -exec chmod 644 {} \; 2>/dev/null || true
+    find "${INSTALL_DIR}" -maxdepth 2 -name "*.sh" -exec chown root:root {} \; \
+                                                    -exec chmod 755 {} \; 2>/dev/null || true
+
+    # Data directory: pi-owned 755 — services write queue, log, smb_config here.
+    chown "${PI_USER}:${PI_USER}" "${DATA_DIR}"
+    chmod 755 "${DATA_DIR}"
+
+    # Pre-create data files with correct ownership so pi can write on first run.
+    local queue="${DATA_DIR}/delivery_queue.json"
+    local log="${DATA_DIR}/delivery_sent.log"
+    [[ -f "${queue}" ]] || echo '[]' > "${queue}"
+    [[ -f "${log}"   ]] || touch "${log}"
+    chown "${PI_USER}:${PI_USER}" "${queue}" "${log}"
+    chmod 644 "${queue}" "${log}"
+
+    # smb_config.py in data/ stays pi-owned so plc_checkweigher smb-config can update it.
+    [[ -f "${DATA_DIR}/smb_config.py" ]] && \
+        chown "${PI_USER}:${PI_USER}" "${DATA_DIR}/smb_config.py" && \
+        chmod 644 "${DATA_DIR}/smb_config.py"
+
+    ok "Source files locked  (root:root 644 — sudo required to edit)"
+    ok "Data dir writable    ${DATA_DIR}  (queue / log / smb_config)"
+    info "To update source:  sudo nano ${INSTALL_DIR}/plc_reader.py"
+    info "To update SMB:     plc_checkweigher smb-config  (no sudo needed)"
 }
 
 # ── 12. RT kernel — installed LAST so only one reboot is needed ───────────────
@@ -576,10 +700,11 @@ do_reboot() {
     banner "Setup Complete"
     echo ""
     PI_IP="$(hostname -I | awk '{print $1}' 2>/dev/null || echo '<pi-ip>')"
-    printf "  ${G}%-32s${NC} %s\n"  "Repo:"                  "${INSTALL_DIR}"
+    printf "  ${G}%-32s${NC} %s\n"  "Source (root-locked):"  "${INSTALL_DIR}"
+    printf "  ${G}%-32s${NC} %s\n"  "Data (pi-writable):"   "${DATA_DIR}"
     printf "  ${G}%-32s${NC} %s\n"  "Python venv:"           "${VENV_DIR}"
     printf "  ${G}%-32s${NC} %s\n"  "Reports output:"        "${REPORTS_DIR}"
-    printf "  ${G}%-32s${NC} %s\n"  "SMB config:"            "${INSTALL_DIR}/smb_config.py"
+    printf "  ${G}%-32s${NC} %s\n"  "SMB config:"            "${DATA_DIR}/smb_config.py"
     printf "  ${G}%-32s${NC} %s\n"  "RT kernel:"             "kernel8-rt.img  (active after reboot)"
     printf "  ${G}%-32s${NC} %s\n"  "Stock kernel fallback:" "kernel8-stock.img"
     echo ""
@@ -621,9 +746,11 @@ main() {
     setup_smb                 # 7  — interactive SMB config → smb_config.py
     setup_network_online      # 8
     install_services          # 9
-    setup_boot_logo           # 9  — Plymouth: logo + "SAI SAMARTH ENGG"
-    setup_display             # 10 — LightDM priority, CPU isolation, utmpx, GPU
-    install_rt_kernel         # 11 — LAST, so only one reboot needed
+    setup_boot_logo           # 10 — Plymouth: logo + "SAI SAMARTH ENGG"
+    setup_display             # 11 — LightDM priority, CPU isolation, utmpx
+    setup_vscode_priority     # 11b — VS Code: cores 0-2, Nice=-5
+    lock_source_files         # 11c — root:root on .py, pi:pi on data/
+    install_rt_kernel         # 12 — LAST, so only one reboot needed
     do_reboot                 # 12 — single reboot applies everything
 }