plc-checkweigher 1.24.0 → 1.28.0

package/bin/plc_checkweigher

@@ -1186,22 +1186,23 @@ update)
     _NEW_HASH=$(${_GIT} rev-parse HEAD 2>/dev/null || echo "unknown")
     _NEW_SHORT="${_NEW_HASH:0:7}"
 
+    _CODE_CHANGED=1
     if [[ "$_PREV_HASH" == "$_NEW_HASH" ]]; then
+        _CODE_CHANGED=0
         spin_ok "Already up to date  (${_PREV_SHORT})"
+        info "Code current — verifying system configuration anyway ..."
+        ulog "GIT: already up to date (${_PREV_SHORT})"
         echo ""
-        info "No changes pulled — services not restarted."
+    else
+        spin_ok "Pulled  ${_PREV_SHORT} → ${_NEW_SHORT}"
+        ulog "GIT: pulled ${_PREV_SHORT} -> ${_NEW_SHORT}"
+        # ── Show what changed ─────────────────────────────────────────────────
+        echo ""
+        info "Changes:"
+        ${_GIT} log --oneline "${_PREV_HASH}..HEAD" 2>/dev/null \
+            | sed 's/^/     /' | head -15
         echo ""
-        exit 0
     fi
-    spin_ok "Pulled  ${_PREV_SHORT} → ${_NEW_SHORT}"
-    ulog "GIT: pulled ${_PREV_SHORT} -> ${_NEW_SHORT}"
-
-    # ── Show what changed ─────────────────────────────────────────────────────
-    echo ""
-    info "Changes:"
-    ${_GIT} log --oneline "${_PREV_HASH}..HEAD" 2>/dev/null \
-        | sed 's/^/     /' | head -15
-    echo ""
 
     # ── Re-lock source files (root:root 644) ──────────────────────────────────
     spin_start "Re-locking source file permissions"
@@ -1408,11 +1409,95 @@ PYEOF
         ulog "CONFIG: services OK"
     fi
 
-    # ── Restart services ──────────────────────────────────────────────────────
-    spin_start "Restarting services"
-    sudo systemctl restart plc_watcher plc_web 2>/dev/null
-    sleep 2
-    spin_ok "Services restarted"
+    # 6. setserial masked (hangs on RT kernel, blocks boot completion)
+    spin_start "setserial mask"
+    if [[ "$(systemctl is-enabled setserial 2>/dev/null)" != "masked" ]] \
+       && systemctl list-unit-files setserial.service 2>/dev/null | grep -q setserial; then
+        sudo systemctl mask --now setserial.service &>/dev/null \
+            && spin_ok "setserial was unmasked — masked now" \
+            || spin_warn "Could not mask setserial"
+        ulog "FIXED: setserial masked"
+    else
+        spin_ok "setserial masked / absent"
+        ulog "CONFIG: setserial OK"
+    fi
+
+    # 7. Shutdown timeout cap (10 s per unit)
+    spin_start "Shutdown timeout cap"
+    _SHUT_CONF="/etc/systemd/system.conf.d/plc-shutdown.conf"
+    if ! grep -q "DefaultTimeoutStopSec=10s" "$_SHUT_CONF" 2>/dev/null; then
+        sudo mkdir -p /etc/systemd/system.conf.d
+        printf '[Manager]\nDefaultTimeoutStopSec=10s\n' | sudo tee "$_SHUT_CONF" >/dev/null
+        sudo systemctl daemon-reload
+        spin_ok "Shutdown cap installed (10 s)"
+        ulog "FIXED: shutdown timeout cap installed"
+    else
+        spin_ok "10 s cap active"
+        ulog "CONFIG: shutdown cap OK"
+    fi
+
+    # 8. Persistent journal (capped 64 MB)
+    spin_start "Persistent journal"
+    _JRN_CONF="/etc/systemd/journald.conf.d/plc-journal.conf"
+    if ! grep -q "Storage=persistent" "$_JRN_CONF" 2>/dev/null; then
+        sudo mkdir -p /etc/systemd/journald.conf.d /var/log/journal
+        printf '[Journal]\nStorage=persistent\nSystemMaxUse=64M\n' | sudo tee "$_JRN_CONF" >/dev/null
+        sudo systemctl restart systemd-journald 2>/dev/null || true
+        spin_ok "Persistent journal enabled (64 MB cap)"
+        ulog "FIXED: persistent journal enabled"
+    else
+        spin_ok "Persistent journal active"
+        ulog "CONFIG: journal OK"
+    fi
+
+    # 9b. Web maintenance sudoers rule (dashboard FIX button)
+    spin_start "Web maintenance sudoers rule"
+    _SUDOERS_F="/etc/sudoers.d/010_plc-web-fix"
+    if [[ ! -f "$_SUDOERS_F" ]]; then
+        cat > /tmp/010_plc-web-fix << 'SUDOEOF'
+# Web dashboard maintenance console — allows the locked, root-owned CLI
+# to run its fix command from plc_web (User=pi). Scope: fix only.
+pi ALL=(root) NOPASSWD: /usr/local/bin/plc_checkweigher fix, /usr/local/bin/plc_checkweigher fix *
+SUDOEOF
+        if sudo visudo -c -f /tmp/010_plc-web-fix &>/dev/null; then
+            sudo cp /tmp/010_plc-web-fix "$_SUDOERS_F"
+            sudo chmod 440 "$_SUDOERS_F"
+            spin_ok "Sudoers rule installed (web FIX button enabled)"
+            ulog "FIXED: web maintenance sudoers rule installed"
+        else
+            spin_warn "Sudoers rule failed validation — skipped"
+            ulog "WARN: sudoers rule validation failed"
+        fi
+        rm -f /tmp/010_plc-web-fix
+    else
+        spin_ok "Sudoers rule present"
+        ulog "CONFIG: web sudoers OK"
+    fi
+
+    # 9. lightdm must not wait on deprecated udev-settle (~2.4 s saved)
+    spin_start "lightdm boot dependency"
+    _LDM_DROPIN="/etc/systemd/system/lightdm.service.d/display-priority.conf"
+    if [[ -f "$_LDM_DROPIN" ]] && grep -q "udev-settle" "$_LDM_DROPIN"; then
+        sudo sed -i 's/^After=systemd-udev-settle.service /After=/' "$_LDM_DROPIN"
+        sudo sed -i '/^Wants=systemd-udev-settle.service/d' "$_LDM_DROPIN"
+        sudo systemctl daemon-reload
+        spin_ok "udev-settle wait removed from lightdm"
+        ulog "FIXED: lightdm udev-settle dependency removed"
+    else
+        spin_ok "lightdm dependencies clean"
+        ulog "CONFIG: lightdm OK"
+    fi
+
+    # ── Restart services (only when code or unit files actually changed) ─────
+    if [[ $_CODE_CHANGED -eq 1 || $_UNITS_UPDATED -eq 1 ]]; then
+        spin_start "Restarting services"
+        sudo systemctl restart plc_watcher plc_web 2>/dev/null
+        sleep 2
+        spin_ok "Services restarted"
+    else
+        info "No code/unit changes — services left running undisturbed"
+        ulog "SERVICES: not restarted (no changes)"
+    fi
 
     # ── Final status ──────────────────────────────────────────────────────────
     echo ""
@@ -1601,6 +1686,7 @@ uninstall)
     BASHRC="${HOME_DIR}/.bashrc"
     [[ -f "$BASHRC" ]] && sed -i '/export PATH.*\.local\/bin/d' "$BASHRC" 2>/dev/null || true
     sudo rm -f /usr/local/bin/plc_checkweigher
+    sudo rm -f /etc/sudoers.d/010_plc-web-fix
     rm -f "${HOME_DIR}/.local/bin/plc_checkweigher" 2>/dev/null || true
     if [[ "${KEEP_REPORTS^^}" != "Y" && -d "$REPORTS_DIR" ]]; then
         rm -rf "$REPORTS_DIR"

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "plc-checkweigher",
-  "version": "1.24.0",
+  "version": "1.28.0",
   "description": "One-command installer for the PLC Check-Weigher system on Raspberry Pi (PREEMPT_RT kernel, Python stack, WiFi, SMB, systemd RT services)",
   "scripts": {
     "postinstall": "node bin/cli.js"

package/setup.sh

@@ -168,6 +168,22 @@ install_cli() {
     else
         warn "bin/plc_checkweigher not found — skipping CLI install"
     fi
+
+    # Scoped sudoers rule: web dashboard maintenance console can run the
+    # locked root-owned CLI's fix command (and nothing else) without password.
+    cat > /tmp/010_plc-web-fix << 'EOF'
+# Web dashboard maintenance console — allows the locked, root-owned CLI
+# to run its fix command from plc_web (User=pi). Scope: fix only.
+pi ALL=(root) NOPASSWD: /usr/local/bin/plc_checkweigher fix, /usr/local/bin/plc_checkweigher fix *
+EOF
+    if visudo -c -f /tmp/010_plc-web-fix &>/dev/null; then
+        cp /tmp/010_plc-web-fix /etc/sudoers.d/010_plc-web-fix
+        chmod 440 /etc/sudoers.d/010_plc-web-fix
+        ok "Web maintenance sudoers rule installed  (fix only, validated)"
+    else
+        warn "sudoers rule failed validation — web FIX button will not work"
+    fi
+    rm -f /tmp/010_plc-web-fix
 }
 
 # ── 5. WiFi — scan → pick → password ─────────────────────────────────────────
@@ -545,8 +561,7 @@ setup_display() {
     cat > /etc/systemd/system/lightdm.service.d/display-priority.conf << 'EOF'
 [Unit]
 # Start after hardware udev settles (HDMI/DSI detected) — not after network.
-After=systemd-udev-settle.service local-fs.target acpid.socket dbus.service
-Wants=systemd-udev-settle.service
+After=local-fs.target acpid.socket dbus.service
 # StartLimit* MUST be in [Unit] — ignored in [Service].
 StartLimitBurst=10
 StartLimitIntervalSec=60
@@ -730,6 +745,34 @@ setup_system_optimize() {
         || echo "dtoverlay=disable-bt" >> "${BOOT_FW}/config.txt"
     ok "Bluetooth radio disabled at boot  (dtoverlay=disable-bt)"
 
+    # setserial hangs at boot on the RT kernel ("Loading the saved-state of
+    # the serial devices...") and blocks multi-user.target forever. Mask it —
+    # PLC comms are TCP; nothing here needs serial port tuning.
+    systemctl mask --now setserial.service &>/dev/null || true
+    ok "setserial masked  (hangs on RT kernel, blocks boot completion)"
+
+    # Fast, bounded shutdown — no unit may hold a reboot longer than 10 s
+    # (systemd default is 90 s per unit; one hung service = very slow poweroff).
+    # plc_watcher keeps its own TimeoutStopSec=10 for batch finalization;
+    # going below 10 s globally risks cutting off journald/fs sync on SD card.
+    mkdir -p /etc/systemd/system.conf.d
+    cat > /etc/systemd/system.conf.d/plc-shutdown.conf << 'EOF'
+[Manager]
+DefaultTimeoutStopSec=10s
+EOF
+    ok "Shutdown timeout capped at 10 s per unit"
+
+    # Persistent journal (capped at 64 MB) — boot/shutdown logs survive
+    # reboots so hangs and crashes can actually be diagnosed afterwards
+    mkdir -p /etc/systemd/journald.conf.d /var/log/journal
+    cat > /etc/systemd/journald.conf.d/plc-journal.conf << 'EOF'
+[Journal]
+Storage=persistent
+SystemMaxUse=64M
+EOF
+    systemd-tmpfiles --create --prefix /var/log/journal 2>/dev/null || true
+    ok "Persistent journal enabled  (max 64 MB)"
+
     ok "System optimized — PLC stack, WiFi, SSH, Pi Connect untouched"
 }