Fix command shim status edge cases

Author: rodion-m

Sources/App/Services/BrokerStatusController.swift

@@ -369,8 +369,11 @@ struct LocalBrokerStatusController: BrokerStatusControlling {
             _ = runProcess(executable: "/bin/launchctl", arguments: ["bootout", "gui/\(getuid())", launchAgent.path])
         }
 
-        removeManagedShims(in: shimDirectory, appDestination: appDestination)
-        try? fileManager.removeItem(at: shimDirectory)
+        removeManagedShims(
+            in: shimDirectory,
+            expectedShimBinary: binDirectory.appendingPathComponent("agentic-secrets-shim")
+        )
+        removeDirectoryIfEmpty(shimDirectory)
 
         for executable in Self.installExecutables {
             try? fileManager.removeItem(at: binDirectory.appendingPathComponent(executable))
@@ -394,18 +397,22 @@ struct LocalBrokerStatusController: BrokerStatusControlling {
         removeEmptyDirectories(from: URL(fileURLWithPath: plan.prefixPath, isDirectory: true))
     }
 
-    private func removeManagedShims(in shimDirectory: URL, appDestination: URL) {
+    private func removeManagedShims(in shimDirectory: URL, expectedShimBinary: URL) {
         let fileManager = FileManager.default
         guard let entries = try? fileManager.contentsOfDirectory(at: shimDirectory, includingPropertiesForKeys: [.isSymbolicLinkKey]) else { return }
-        let expectedTargets = Set([
-            appDestination.appendingPathComponent("Contents/MacOS/agentic-secrets-shim").path,
-            appDestination.appendingPathComponent("Contents/MacOS/agentic-secrets-shim").standardizedFileURL.path
-        ])
-        for entry in entries where expectedTargets.contains(entry.resolvingSymlinksInPath().path) {
+        for entry in entries where CommandShimInstallationInspector.pointsToShimBinary(shimURL: entry, expectedShimBinary: expectedShimBinary) {
             try? fileManager.removeItem(at: entry)
         }
     }
 
+    private func removeDirectoryIfEmpty(_ directory: URL) {
+        let fileManager = FileManager.default
+        guard let entries = try? fileManager.contentsOfDirectory(atPath: directory.path), entries.isEmpty else {
+            return
+        }
+        try? fileManager.removeItem(at: directory)
+    }
+
     private func removeManagedAppBundle(at appURL: URL, legacyAppDestination: URL) throws {
         let fileManager = FileManager.default
         guard fileManager.fileExists(atPath: appURL.path) || (try? fileManager.destinationOfSymbolicLink(atPath: appURL.path)) != nil else {
@@ -536,15 +543,18 @@ struct LocalBrokerStatusController: BrokerStatusControlling {
     private func daemonUnavailableReason(_ error: Error) -> DaemonUnavailableReason {
         let description = String(describing: error)
         let plan = makeInstallPlan()
-        if !plan.currentAppIsInstalledCopy && FileManager.default.fileExists(atPath: plan.appDestinationPath) {
-            return .wrongAppCopy
-        }
         if description.contains("No such file or directory") || description.contains("connect") {
             return FileManager.default.fileExists(atPath: plan.launchAgentPath) ? .notRunning : .notInstalled
         }
         if description.contains("unauthorizedPeer") || description.contains("wrongHash") || description.contains("wrongPath") || description.contains("wrongCDHash") {
+            if !plan.currentAppIsInstalledCopy && FileManager.default.fileExists(atPath: plan.appDestinationPath) {
+                return .wrongAppCopy
+            }
             return .manifestMismatch
         }
+        if !plan.currentAppIsInstalledCopy && FileManager.default.fileExists(atPath: plan.appDestinationPath) {
+            return .wrongAppCopy
+        }
         return .unreachable
     }
 
@@ -666,8 +676,15 @@ enum ShellConfigurationCleaner {
         guard index + 1 < lines.count else { return nil }
         let marker = lines[index].trimmingCharacters(in: .whitespaces)
         guard marker == "# Agentic Secrets PATH" || marker == "# AgenticSecrets CLI shims" else { return nil }
-        guard lines[index + 1].trimmingCharacters(in: .whitespaces) == #"case ":$PATH:" in"# else { return nil }
-        var cursor = index + 2
+        let caseIndex: Int
+        if lines[index + 1].trimmingCharacters(in: .whitespaces).hasPrefix("agentic_secrets_path_dir=") {
+            caseIndex = index + 2
+        } else {
+            caseIndex = index + 1
+        }
+        guard caseIndex < lines.count,
+              lines[caseIndex].trimmingCharacters(in: .whitespaces) == #"case ":$PATH:" in"# else { return nil }
+        var cursor = caseIndex + 1
         while cursor < lines.count {
             if lines[cursor].trimmingCharacters(in: .whitespaces) == "esac" {
                 return cursor

Sources/App/Services/ControlPlaneClient.swift

@@ -181,7 +181,10 @@ struct IPCControlPlaneClient: ControlPlaneClient {
             return nil
         }
         let prefix = URL(fileURLWithPath: "/" + components[1..<applicationsIndex].joined(separator: "/"), isDirectory: true)
-        return isLegacyLocalInstallPrefix(prefix) ? prefix : nil
+        guard prefix.path != "/" else {
+            return nil
+        }
+        return isLegacyLocalInstallPrefix(prefix) || bundle.lastPathComponent == "AgenticSecrets.app" ? prefix : nil
     }
 
     static func defaultInstallPrefix() -> URL {

Sources/App/Services/UISmokeRunner.swift

@@ -26,6 +26,8 @@ enum UISmokeRunner {
         try await testEmptyState()
         try await testSettingsLayout()
         try await testRegisterWizardValidation()
+        try testCLIShimInstallerEnvironment()
+        try testCLIShimStatusPresentation()
         try testManagementEditorValidation()
         try testPasteboardCopy()
         try testCommandPolicyDraft()
@@ -200,6 +202,45 @@ enum UISmokeRunner {
         ]).isEmpty, "whitespace-only secret values are omitted from registration payload")
     }
 
+    private static func testCLIShimInstallerEnvironment() throws {
+        let prefix = URL(fileURLWithPath: "/tmp/agentic-secrets-custom-prefix", isDirectory: true)
+        let environment = CLIShimInstaller.subprocessEnvironment(
+            base: ["PATH": "/usr/bin"],
+            installPrefix: prefix
+        )
+        try expect(environment["AGENTIC_SECRETS_INSTALL_PREFIX"] == prefix.path, "shim installer subprocess receives the app install prefix")
+        try expect(environment["AGENTIC_SECRETS_SHIM_DIR"] == prefix.appendingPathComponent("shims", isDirectory: true).path, "shim installer subprocess uses the matching prefix shims directory")
+        try expect(environment["AGENTIC_SECRETS_SHIM_BINARY"] == prefix.appendingPathComponent("bin/agentic-secrets-shim").path, "shim installer subprocess uses the matching prefix shim helper")
+        try expect(environment["PATH"] == "/usr/bin", "shim installer subprocess preserves unrelated environment")
+    }
+
+    private static func testCLIShimStatusPresentation() throws {
+        let installed = CLIShimStatusPresentation(rawValue: "installed")
+        try expect(installed.label == "Installed", "installed shim status has a human label")
+        try expect(installed.canInstall, "installed shim can be repaired")
+        try expect(installed.canRemove, "installed shim can be removed")
+
+        let missing = CLIShimStatusPresentation(rawValue: "not installed")
+        try expect(missing.label == "Not Installed", "missing shim status has a human label")
+        try expect(missing.canInstall, "missing shim can be installed")
+        try expect(!missing.canRemove, "missing shim cannot be removed")
+
+        let blocked = CLIShimStatusPresentation(rawValue: "blocked")
+        try expect(blocked.label == "Blocked", "blocked shim status has a human label")
+        try expect(!blocked.canInstall, "blocked shim install action is disabled until the path is reviewed")
+        try expect(!blocked.canRemove, "blocked shim remove action is disabled because the path is not verified as managed")
+
+        let helperUnavailable = CLIShimStatusPresentation(rawValue: "helper unavailable")
+        try expect(helperUnavailable.label == "Helper Unavailable", "helper-unavailable shim status has a human label")
+        try expect(!helperUnavailable.canInstall, "helper-unavailable shim cannot be repaired through per-CLI install")
+        try expect(!helperUnavailable.canRemove, "helper-unavailable shim cannot be removed as a verified managed shim")
+
+        let unknown = CLIShimStatusPresentation(rawValue: "unexpected")
+        try expect(unknown.label == "Unknown", "unexpected shim status falls back to Unknown")
+        try expect(!unknown.canInstall, "unknown shim status does not enable install")
+        try expect(!unknown.canRemove, "unknown shim status does not enable remove")
+    }
+
     private static func testManagementEditorValidation() throws {
         try expect(APISessionProfileEditorDefaults.pathPrefixes == "/v1/", "proxy add flow has a safe default path prefix")
         try expect(APISessionProfileEditorDefaults.methods == "GET, POST", "proxy add flow has default HTTP methods")
@@ -397,6 +438,9 @@ enum UISmokeRunner {
         store.brokerInstallPlan = plan
         store.brokerStatus.message = "Open the installed copy so the authenticated IPC manifest matches the running UI."
         try expect(store.bestDaemonAction == .openInstalledApp, "wrong app copy state highlights opening the installed copy")
+        store.brokerStatus.message = "Local daemon is installed but not running."
+        try expect(store.bestDaemonAction != .openInstalledApp, "daemon-down state does not over-prioritize opening the installed copy")
+        store.brokerStatus.message = "Open the installed copy so the authenticated IPC manifest matches the running UI."
         try verifyHostingLayout(
             LocalStateUnavailableView(store: store),
             width: 680,
@@ -734,6 +778,13 @@ enum UISmokeRunner {
           *) export PATH="\(binDir):$PATH" ;;
         esac
 
+        # AgenticSecrets CLI shims
+        agentic_secrets_path_dir='\(shimDir)'
+        case ":$PATH:" in
+          *":$agentic_secrets_path_dir:"*) ;;
+          *) export PATH="$agentic_secrets_path_dir:$PATH" ;;
+        esac
+
         # AgenticSecrets CLI shims
         case ":$PATH:" in
           *":\(shimDir):"*) ;;

Sources/App/Stores/ControlPlaneStore.swift

@@ -225,7 +225,9 @@ final class ControlPlaneStore {
             guard let plan = brokerInstallPlan else {
                 return brokerStatus.canRepair ? .restart : .check
             }
-            if !plan.currentAppIsInstalledCopy && FileManager.default.fileExists(atPath: plan.appDestinationPath) {
+            if brokerStatus.message.contains("Open the installed copy"),
+               !plan.currentAppIsInstalledCopy,
+               FileManager.default.fileExists(atPath: plan.appDestinationPath) {
                 return .openInstalledApp
             }
             if plan.canInstall {
@@ -438,11 +440,7 @@ final class ControlPlaneStore {
 
     func refreshAfterActivation() async {
         guard !isLoading else { return }
-        if snapshot == nil {
-            await refresh()
-        } else {
-            await checkDaemon()
-        }
+        await refresh()
     }
 
     func repairDaemon() async {
@@ -570,8 +568,12 @@ final class ControlPlaneStore {
                 successMessage = "CLI registered"
                 errorMessage = nil
             }
-            snapshot = try await client.loadSnapshot()
-            maintainSelections()
+            do {
+                snapshot = try await loadSnapshotWithTransientRetry()
+                maintainSelections()
+            } catch {
+                errorMessage = "\(successMessage ?? "CLI registered"), but the updated local state could not be refreshed. \(localStateLoadError(error))"
+            }
             return true
         } catch {
             errorMessage = userFacingError(error)
@@ -890,7 +892,10 @@ final class ControlPlaneStore {
         errorMessage = nil
         try? await Task.sleep(for: .milliseconds(350))
         brokerStatus = await brokerController.status()
-        guard brokerStatus.state == .healthy else { return }
+        guard brokerStatus.state == .healthy else {
+            snapshot = nil
+            return
+        }
         do {
             try await loadSnapshotAfterHealthyStatus()
             errorMessage = nil

Sources/App/Support/CLIShimInstaller.swift

@@ -13,6 +13,7 @@ enum CLIShimInstaller {
         let process = Process()
         process.executableURL = URL(fileURLWithPath: try cliPath())
         process.arguments = arguments
+        process.environment = subprocessEnvironment()
 
         let output = Pipe()
         let errors = Pipe()
@@ -48,6 +49,19 @@ enum CLIShimInstaller {
         }
         throw CLIShimInstallerError.missingCLI
     }
+
+    static func subprocessEnvironment(
+        base: [String: String] = ProcessInfo.processInfo.environment,
+        installPrefix: URL? = IPCControlPlaneClient.installPrefixFromBundle()
+    ) -> [String: String] {
+        var environment = base
+        if let installPrefix {
+            environment["AGENTIC_SECRETS_INSTALL_PREFIX"] = installPrefix.path
+            environment["AGENTIC_SECRETS_SHIM_DIR"] = installPrefix.appendingPathComponent("shims", isDirectory: true).path
+            environment["AGENTIC_SECRETS_SHIM_BINARY"] = installPrefix.appendingPathComponent("bin/agentic-secrets-shim").path
+        }
+        return environment
+    }
 }
 
 enum CLIShimInstallerError: Error, CustomStringConvertible {

Sources/App/Views/ManagementViews.swift

@@ -142,11 +142,12 @@ private struct CLIRegistrationDetail: View {
     var body: some View {
         ScrollView {
             if let cli = store.selectedCLIRegistration {
+                let shimStatus = CLIShimStatusPresentation(rawValue: cli.shimStatus)
                 VStack(alignment: .leading, spacing: 18) {
                     header(cli.name, subtitle: cli.targetPath)
                     HStack {
                         StatusBadge(text: cli.trustStatus, systemImage: "checkmark.shield")
-                        StatusBadge(text: cli.shimStatus, systemImage: "link")
+                        StatusBadge(text: shimStatus.label, systemImage: "link")
                     }
                     Form {
                         Section("Environment bindings") {
@@ -175,23 +176,23 @@ private struct CLIRegistrationDetail: View {
                             }
                         }
                         Section("Shim") {
-                            LabeledContent("Status", value: cli.shimStatus)
+                            LabeledContent("Status", value: shimStatus.label)
                             HStack {
                                 Button {
                                     Task { await store.installShim(for: cli.name) }
                                 } label: {
-                                    Label(cli.shimStatus == "installed" ? "Repair Shim" : "Install Shim", systemImage: "link")
+                                    Label(shimStatus.primaryActionTitle, systemImage: shimStatus.primaryActionSystemImage)
                                 }
                                 .buttonStyle(.borderedProminent)
-                                .disabled(!store.canManageBrokerState)
+                                .disabled(!store.canManageBrokerState || !shimStatus.canInstall)
                                 .help("Install or repair the local command shim for this CLI")
                                 Button("Remove Shim", role: .destructive) {
                                     pendingShimRemoval = cli
                                 }
-                                .disabled(!store.canManageBrokerState)
+                                .disabled(!store.canManageBrokerState || !shimStatus.canRemove)
                                 .help("Remove the local command shim for this CLI")
                             }
-                            Text("A shim routes normal \(cli.name) invocations through Agentic Secrets when the local shims folder is before the native CLI on PATH.")
+                            Text(shimStatus.guidance(commandName: cli.name))
                                 .font(.caption)
                                 .foregroundStyle(.secondary)
                         }
@@ -253,6 +254,100 @@ private struct CLIRegistrationDetail: View {
     }
 }
 
+enum CLIShimStatusPresentation: Equatable {
+    case installed
+    case notInstalled
+    case blocked
+    case helperUnavailable
+    case unknown(String)
+
+    init(rawValue: String) {
+        switch rawValue {
+        case "installed":
+            self = .installed
+        case "not installed":
+            self = .notInstalled
+        case "blocked":
+            self = .blocked
+        case "helper unavailable":
+            self = .helperUnavailable
+        default:
+            self = .unknown(rawValue)
+        }
+    }
+
+    var label: String {
+        switch self {
+        case .installed:
+            "Installed"
+        case .notInstalled:
+            "Not Installed"
+        case .blocked:
+            "Blocked"
+        case .helperUnavailable:
+            "Helper Unavailable"
+        case .unknown:
+            "Unknown"
+        }
+    }
+
+    var canInstall: Bool {
+        switch self {
+        case .installed, .notInstalled:
+            true
+        case .blocked, .helperUnavailable, .unknown:
+            false
+        }
+    }
+
+    var canRemove: Bool {
+        self == .installed
+    }
+
+    var primaryActionTitle: String {
+        switch self {
+        case .installed:
+            "Repair Shim"
+        case .notInstalled:
+            "Install Shim"
+        case .blocked:
+            "Shim Blocked"
+        case .helperUnavailable:
+            "Repair Daemon"
+        case .unknown:
+            "Check Daemon"
+        }
+    }
+
+    var primaryActionSystemImage: String {
+        switch self {
+        case .helperUnavailable:
+            "wrench.and.screwdriver"
+        case .unknown:
+            "questionmark.circle"
+        case .blocked:
+            "exclamationmark.triangle"
+        case .installed, .notInstalled:
+            "link"
+        }
+    }
+
+    func guidance(commandName: String) -> String {
+        switch self {
+        case .installed:
+            "Normal \(commandName) invocations use Agentic Secrets when the local shims folder is before the native CLI on PATH."
+        case .notInstalled:
+            "Install the local command shim to route normal \(commandName) invocations through Agentic Secrets."
+        case .blocked:
+            "A non-Agentic Secrets path already exists where this command shim should be. Review that path before replacing it."
+        case .helperUnavailable:
+            "The Agentic Secrets shim helper is missing or does not match the local install manifest. Repair the local daemon install."
+        case .unknown:
+            "The local daemon did not report enough install information to verify this command shim. Check the daemon status."
+        }
+    }
+}
+
 private struct NoCLIRegistrationsView: View {
     @Bindable var store: ControlPlaneStore