fix(security): preserve checksums on failed reload

Author: Dicklesworthstone

scripts/generated/internal_checksums.sh

@@ -8,7 +8,7 @@
 # Used by check-manifest-drift.sh to detect unauthorized changes.
 
 declare -gA ACFS_INTERNAL_CHECKSUMS=(
-  [scripts/lib/security.sh]="8fa466969cb0ec945266296900bbbc6ea04bf9a41b521458799ad9ac3dec0fd1"
+  [scripts/lib/security.sh]="4f63909711279bc5fafd8f0abd2e608c428312584e6e6a7e72da2447bdabab15"
   [scripts/lib/agents.sh]="66fac24c48c9ce7d17ae213ff2f8669a1902e77f01266f4eeaccdcef09e02856"
   [scripts/lib/update.sh]="70903e24c0a0fc3711d754d19e475be8e9aae59fb5ad0e66c8c5c3535885dffa"
   [scripts/lib/doctor.sh]="8b055f242330f1e9571bb25d006ff09cf1f8bcbe81ba07260959e37c1b0f9e2b"

scripts/lib/security.sh

@@ -879,6 +879,9 @@ load_checksums() {
     local in_installers=false
     local installers_indent=0
     local tool_indent=""
+    local tool=""
+    local -A parsed_checksums=()
+    local -A parsed_installers=()
     # Use ACFS colors if available, preserving empty-string NO_COLOR behavior.
     local warn_color="${ACFS_YELLOW-\033[0;33m}"
     local nc_color="${ACFS_NC-\033[0m}"
@@ -888,9 +891,6 @@ load_checksums() {
         return 1
     fi
 
-    # Clear any previously loaded checksums (avoid stale entries if reloaded).
-    LOADED_CHECKSUMS=()
-
     # Lightweight YAML parsing for our specific format:
     #
     # installers:
@@ -957,21 +957,31 @@ load_checksums() {
             url_value="${url_value#\'}"
 
             if [[ "$url_value" =~ ^https://[^[:space:]]+$ ]]; then
-                KNOWN_INSTALLERS["$current_tool"]="$url_value"
+                parsed_installers["$current_tool"]="$url_value"
             fi
         fi
 
         # Match sha256 value for the current tool.
         if [[ -n "$current_tool" ]] && [[ "$line" =~ sha256:[[:space:]]*['\"]?([0-9A-Fa-f]{64})['\"]? ]]; then
-            LOADED_CHECKSUMS["$current_tool"]="${BASH_REMATCH[1],,}"
+            parsed_checksums["$current_tool"]="${BASH_REMATCH[1],,}"
         fi
     done < "$file"
 
-    if [[ ${#LOADED_CHECKSUMS[@]} -eq 0 ]]; then
+    if [[ ${#parsed_checksums[@]} -eq 0 ]]; then
         printf "${warn_color}Warning:${nc_color} No valid installer checksums found in: %s\n" "$file" >&2
         return 1
     fi
 
+    # Commit parsed data only after validating that the new file has usable
+    # checksum entries, so a malformed refresh cannot erase previous state.
+    LOADED_CHECKSUMS=()
+    for tool in "${!parsed_checksums[@]}"; do
+        LOADED_CHECKSUMS["$tool"]="${parsed_checksums[$tool]}"
+        if [[ -n "${parsed_installers[$tool]:-}" ]]; then
+            KNOWN_INSTALLERS["$tool"]="${parsed_installers[$tool]}"
+        fi
+    done
+
     return 0
 }
 

tests/unit/lib/test_security.bats

@@ -456,3 +456,37 @@ EOF
     assert_equal "${KNOWN_INSTALLERS[tool2]}" "https://example.com/2"
     assert_equal "${KNOWN_INSTALLERS[tool3]}" "https://example.com/3"
 }
+
+@test "load_checksums: failed reload preserves previous checksum state" {
+    local good_sha="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+    local bad_file
+    bad_file="$(create_temp_file)"
+
+    declare -gA LOADED_CHECKSUMS=()
+    KNOWN_INSTALLERS["txn_tool"]="https://example.com/old"
+
+    cat > "$CHECKSUMS_FILE" <<EOF
+installers:
+  txn_tool:
+    url: "https://example.com/good"
+    sha256: "$good_sha"
+EOF
+
+    load_checksums
+    assert_equal "$?" "0"
+    assert_equal "$(get_checksum "txn_tool")" "$good_sha"
+    assert_equal "${KNOWN_INSTALLERS["txn_tool"]}" "https://example.com/good"
+
+    cat > "$bad_file" <<'EOF'
+installers:
+  txn_tool:
+    url: "https://example.com/bad"
+    sha256: "not-a-valid-sha"
+EOF
+
+    if load_checksums "$bad_file"; then
+        fail "malformed checksums reload unexpectedly succeeded"
+    fi
+    assert_equal "$(get_checksum "txn_tool")" "$good_sha"
+    assert_equal "${KNOWN_INSTALLERS["txn_tool"]}" "https://example.com/good"
+}