plc-checkweigher 1.28.2 → 1.29.1

package/bin/plc_checkweigher

@@ -1450,27 +1450,29 @@ PYEOF
         ulog "CONFIG: journal OK"
     fi
 
-    # 9b. Web maintenance sudoers rule (dashboard FIX button)
+    # 9b. Web maintenance sudoers rule (dashboard terminal)
     spin_start "Web maintenance sudoers rule"
     _SUDOERS_F="/etc/sudoers.d/010_plc-web-fix"
-    if [[ ! -f "$_SUDOERS_F" ]]; then
+    # Content-aware: rewrite if missing OR still the old fix-only version
+    if [[ ! -f "$_SUDOERS_F" ]] \
+       || ! sudo grep -q "plc_checkweigher update" "$_SUDOERS_F" 2>/dev/null; then
         cat > /tmp/010_plc-web-fix << 'SUDOEOF'
-# Web dashboard maintenance console — allows the locked, root-owned CLI
-# to run its fix command from plc_web (User=pi). Scope: fix only.
-pi ALL=(root) NOPASSWD: /usr/local/bin/plc_checkweigher fix, /usr/local/bin/plc_checkweigher fix *
+# Web dashboard maintenance terminal — allows the locked, root-owned CLI
+# to run whitelisted maintenance subcommands from plc_web (User=pi).
+pi ALL=(root) NOPASSWD: /usr/local/bin/plc_checkweigher fix, /usr/local/bin/plc_checkweigher fix *, /usr/local/bin/plc_checkweigher status, /usr/local/bin/plc_checkweigher restart, /usr/local/bin/plc_checkweigher start, /usr/local/bin/plc_checkweigher stop, /usr/local/bin/plc_checkweigher update
 SUDOEOF
         if sudo visudo -c -f /tmp/010_plc-web-fix &>/dev/null; then
             sudo cp /tmp/010_plc-web-fix "$_SUDOERS_F"
             sudo chmod 440 "$_SUDOERS_F"
-            spin_ok "Sudoers rule installed (web FIX button enabled)"
-            ulog "FIXED: web maintenance sudoers rule installed"
+            spin_ok "Sudoers rule installed/upgraded (web terminal enabled)"
+            ulog "FIXED: web maintenance sudoers rule installed/upgraded"
         else
             spin_warn "Sudoers rule failed validation — skipped"
             ulog "WARN: sudoers rule validation failed"
         fi
         rm -f /tmp/010_plc-web-fix
     else
-        spin_ok "Sudoers rule present"
+        spin_ok "Sudoers rule current"
         ulog "CONFIG: web sudoers OK"
     fi
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "plc-checkweigher",
-  "version": "1.28.2",
+  "version": "1.29.1",
   "description": "One-command installer for the PLC Check-Weigher system on Raspberry Pi (PREEMPT_RT kernel, Python stack, WiFi, SMB, systemd RT services)",
   "scripts": {
     "postinstall": "node bin/cli.js"

package/setup.sh

@@ -169,19 +169,21 @@ install_cli() {
         warn "bin/plc_checkweigher not found — skipping CLI install"
     fi
 
-    # Scoped sudoers rule: web dashboard maintenance console can run the
-    # locked root-owned CLI's fix command (and nothing else) without password.
+    # Scoped sudoers rule: web maintenance terminal can run whitelisted
+    # subcommands of the locked root-owned CLI — and nothing else.
+    # Interactive/destructive subcommands (wifi, smb-config, uninstall,
+    # hotspot) are deliberately NOT listed.
     cat > /tmp/010_plc-web-fix << 'EOF'
-# Web dashboard maintenance console — allows the locked, root-owned CLI
-# to run its fix command from plc_web (User=pi). Scope: fix only.
-pi ALL=(root) NOPASSWD: /usr/local/bin/plc_checkweigher fix, /usr/local/bin/plc_checkweigher fix *
+# Web dashboard maintenance terminal — allows the locked, root-owned CLI
+# to run whitelisted maintenance subcommands from plc_web (User=pi).
+pi ALL=(root) NOPASSWD: /usr/local/bin/plc_checkweigher fix, /usr/local/bin/plc_checkweigher fix *, /usr/local/bin/plc_checkweigher status, /usr/local/bin/plc_checkweigher restart, /usr/local/bin/plc_checkweigher start, /usr/local/bin/plc_checkweigher stop, /usr/local/bin/plc_checkweigher update
 EOF
     if visudo -c -f /tmp/010_plc-web-fix &>/dev/null; then
         cp /tmp/010_plc-web-fix /etc/sudoers.d/010_plc-web-fix
         chmod 440 /etc/sudoers.d/010_plc-web-fix
-        ok "Web maintenance sudoers rule installed  (fix only, validated)"
+        ok "Web maintenance sudoers rule installed  (whitelisted subcommands)"
     else
-        warn "sudoers rule failed validation — web FIX button will not work"
+        warn "sudoers rule failed validation — web maintenance terminal limited"
     fi
     rm -f /tmp/010_plc-web-fix
 }
@@ -622,15 +624,27 @@ setup_vscode_priority() {
 
     cat > /usr/local/bin/vscode-priority-daemon << 'DAEMON'
 #!/usr/bin/env bash
-# Apply CPU affinity (cores 0-2) and Nice=-5 to VS Code server processes.
+# Apply CPU affinity (cores 0-2) and Nice=-5 to remote-dev processes:
+#   - VS Code server + all its extensions (extension host, Claude Code,
+#     GitHub, language servers — anything under ~/.vscode-server)
+#   - standalone claude CLI sessions (run outside VS Code)
+#   - sshd listener + active SSH sessions
 # Core 3 is reserved exclusively for the SCHED_FIFO PLC process.
-# Runs every 60s so newly-spawned extension host processes are caught promptly.
-while true; do
-    mapfile -t pids < <(pgrep -u pi -f '\.vscode-server' 2>/dev/null || true)
-    for pid in "${pids[@]}"; do
+# Runs every 60s so newly-spawned processes are caught promptly.
+prioritize() {
+    local pid
+    for pid in "$@"; do
         taskset -cp 0-2 "$pid" >/dev/null 2>&1 || true
         renice -n -5 -p "$pid" >/dev/null 2>&1 || true
     done
+}
+while true; do
+    # VS Code server tree — extension binaries live under .vscode-server/extensions/
+    prioritize $(pgrep -u pi -f '\.vscode-server' 2>/dev/null)
+    # Standalone claude CLI (plain terminal, outside the VS Code tree)
+    prioritize $(pgrep -u pi -x claude 2>/dev/null)
+    # SSH — listener and per-session processes (keep off the RT core)
+    prioritize $(pgrep -x sshd 2>/dev/null) $(pgrep -x sshd-session 2>/dev/null)
     sleep 60
 done
 DAEMON