feat(installer): add post-install verification

deepakdgupta1 · deepakdgupta1 · commit f4cb59856b8b · 2026-02-04T08:58:17.000+05:30
Replace direct sudo commands with run_as_target helper for consistency
and add comprehensive error handling and verification to the installation
process. This includes:

- Postcondition assertions in finalize() to verify critical files
- Bootstrap verification for container file transfers
- Post-install verification for container-based installations
- Improved error handling with specific warning messages

These changes ensure installation failures are detected early and
provide clearer feedback when components are missing.
diff --git a/docs/installer-design-principles.md b/docs/installer-design-principles.md
@@ -0,0 +1,157 @@
+# Long-Duration Installer Design Principles
+
+Research notes from RCA of ACFS installation issues in LXD containers.
+
+## Problem Context
+
+Long-running installers (like ACFS's multi-phase bash installer) have unique reliability challenges:
+- Network transience
+- Mid-execution failures
+- User context switching (root ↔ target user)
+- Resumability requirements
+- Silent failures masking root causes
+
+This document captures design principles for building robust installers.
+
+---
+
+## 1. Fail-Fast with Explicit Precondition Checks
+
+Every phase should validate its preconditions *before* executing any actions, not discover failures mid-execution.
+
+```bash
+# Good: Explicit precondition check
+install_phase_finalize() {
+    # Preconditions
+    [[ -d "$ACFS_HOME" ]] || { log_error "ACFS_HOME does not exist"; return 1; }
+    [[ -w "$ACFS_HOME" ]] || { log_error "ACFS_HOME not writable"; return 1; }
+    
+    # Actions only after preconditions pass
+    ...
+}
+```
+
+**Why**: Catching issues early produces clearer error messages and avoids partial state.
+
+---
+
+## 2. Postcondition Assertions
+
+After each phase completes, assert that the expected artifacts exist. Don't trust that commands succeeded—verify the outputs.
+
+```bash
+# After installing scripts
+assert_file_exists() { 
+    [[ -f "$1" ]] || { log_error "Missing expected file: $1"; return 1; }
+}
+
+# Postcondition check at end of finalize phase
+assert_file_exists "$ACFS_HOME/scripts/lib/dashboard.sh"
+assert_file_exists "$ACFS_HOME/scripts/lib/info.sh"
+assert_file_exists "/usr/local/bin/acfs"
+```
+
+**Why**: Commands can succeed (exit 0) but produce no output due to edge cases. Verification catches these.
+
+---
+
+## 3. Idempotent Operations
+
+Every step should be safe to re-run:
+- Use `mkdir -p` (doesn't fail if exists)
+- Check existence before creating
+- Use `cp -f` (overwrites safely)
+- Use `ln -sf` (replaces symlinks)
+
+**Why**: Enables reliable resume after failures without manual cleanup.
+
+---
+
+## 4. Consistent User Context
+
+Never mix root operations with user operations in the same logical step. Be explicit about which context you're in.
+
+```bash
+# Bad: Mixed contexts
+$SUDO mkdir -p "$USER_DIR"           # Creates as root
+chown "$USER:$USER" "$USER_DIR"      # Fix ownership after
+
+# Good: Consistent user context from the start
+run_as_target mkdir -p "$USER_DIR"   # Created with correct ownership
+```
+
+**Why**: Mixed contexts lead to ownership issues and race conditions.
+
+---
+
+## 5. Atomic Multi-Step Transactions
+
+When multiple files must all succeed together, use a staging area and atomic move.
+
+```bash
+# Stage files to temp, then move all atomically
+stage_dir=$(mktemp -d)
+cp script1.sh "$stage_dir/"
+cp script2.sh "$stage_dir/"
+# All copies succeeded, now move atomically
+mv "$stage_dir"/* "$ACFS_HOME/scripts/lib/"
+rmdir "$stage_dir"
+```
+
+**Why**: Prevents partial installations where some files exist but not others.
+
+---
+
+## 6. Explicit Error Propagation (No Silent Failures)
+
+Never use `|| true` for operations that *must* succeed. Reserve it only for truly optional operations.
+
+```bash
+# Bad: Silently swallows critical failure
+$SUDO chown "$TARGET_USER:$TARGET_USER" "$ACFS_STATE_FILE" || true
+
+# Good: Explicit error handling with degraded mode
+if ! $SUDO chown "$TARGET_USER:$TARGET_USER" "$ACFS_STATE_FILE"; then
+    log_warn "Could not fix state.json ownership—some features may require sudo"
+fi
+```
+
+**Why**: Silent failures cascade into mysterious downstream errors.
+
+---
+
+## 7. Structured Phase Orchestration
+
+Use a single orchestrator pattern for all phases, never inline phase logic in `main()`.
+
+```bash
+# Single pattern for all phases
+for phase_id in "${ACFS_PHASE_IDS[@]}"; do
+    run_phase "$phase_id" "phase_${phase_id}" || exit 1
+done
+```
+
+**Why**: Consistent orchestration enables consistent error handling, timing, and resumability.
+
+---
+
+## Application to ACFS
+
+ACFS already implements many of these principles:
+- `state.sh`: Atomic writes, phase tracking, resume capability
+- `error_tracking.sh`: `try_step`, error context, output capture
+- `run_as_target`: Proper user context switching
+
+The RCA revealed these patterns were **inconsistently applied** in the `finalize()` phase, leading to:
+- Directories created as root instead of target user
+- Silent ownership failures (`|| true`)
+- No postcondition verification
+- No bootstrap verification for container deployment
+
+---
+
+## Related Files
+
+- [install.sh](file:///home/deeog/Desktop/agentic-coding/install.sh) - Main installer
+- [scripts/lib/state.sh](file:///home/deeog/Desktop/agentic-coding/scripts/lib/state.sh) - State management
+- [scripts/lib/error_tracking.sh](file:///home/deeog/Desktop/agentic-coding/scripts/lib/error_tracking.sh) - Error tracking
diff --git a/install.sh b/install.sh
@@ -4625,7 +4625,7 @@ finalize() {
 
     # Install acfs scripts (for acfs CLI subcommands)
     log_detail "Installing acfs scripts"
-    try_step "Creating ACFS scripts directory" $SUDO mkdir -p "$ACFS_HOME/scripts/lib" || return 1
+    try_step "Creating ACFS scripts directory" run_as_target mkdir -p "$ACFS_HOME/scripts/lib" || return 1
     
     # Install script libraries
     try_step "Installing logging.sh" install_asset "scripts/lib/logging.sh" "$ACFS_HOME/scripts/lib/logging.sh" || return 1
@@ -4663,7 +4663,7 @@ finalize() {
     try_step "Installing newproj_screens.sh" install_asset "scripts/lib/newproj_screens.sh" "$ACFS_HOME/scripts/lib/newproj_screens.sh" || return 1
     try_step "Installing newproj_tui.sh" install_asset "scripts/lib/newproj_tui.sh" "$ACFS_HOME/scripts/lib/newproj_tui.sh" || return 1
 
-    try_step "Creating newproj_screens directory" $SUDO mkdir -p "$ACFS_HOME/scripts/lib/newproj_screens" || return 1
+    try_step "Creating newproj_screens directory" run_as_target mkdir -p "$ACFS_HOME/scripts/lib/newproj_screens" || return 1
     
     local screens=(
         "screen_agents_preview.sh"
@@ -4710,7 +4710,9 @@ finalize() {
     # Legacy state file (only if state.sh is unavailable)
     if type -t state_load &>/dev/null; then
         if [[ -f "$ACFS_STATE_FILE" ]]; then
-            $SUDO chown "$TARGET_USER:$TARGET_USER" "$ACFS_STATE_FILE" || true
+            if ! $SUDO chown "$TARGET_USER:$TARGET_USER" "$ACFS_STATE_FILE"; then
+                log_warn "Could not set ownership on state.json"
+            fi
         fi
     else
         cat > "$ACFS_STATE_FILE" << EOF
@@ -4729,6 +4731,36 @@ EOF
         $SUDO chown "$TARGET_USER:$TARGET_USER" "$ACFS_STATE_FILE"
     fi
 
+    # ============================================================
+    # Postcondition Assertions
+    # Verify critical files were installed correctly
+    # ============================================================
+    local critical_files=(
+        "$ACFS_HOME/scripts/lib/dashboard.sh"
+        "$ACFS_HOME/scripts/lib/info.sh"
+        "$ACFS_HOME/scripts/lib/state.sh:optional"
+        "$ACFS_HOME/bin/acfs"
+    )
+
+    local missing_critical=0
+    for f_entry in "${critical_files[@]}"; do
+        local f="${f_entry%%:*}"
+        local optional="${f_entry#*:}"
+        if [[ ! -f "$f" ]]; then
+            if [[ "$optional" == "optional" ]]; then
+                log_warn "Optional file missing after finalize: $f"
+            else
+                log_error "Critical file missing after finalize: $f"
+                missing_critical=1
+            fi
+        fi
+    done
+
+    if [[ $missing_critical -eq 1 ]]; then
+        log_error "finalize phase failed postcondition checks"
+        return 1
+    fi
+
     log_success "Installation complete!"
 }
 
diff --git a/scripts/local/acfs_container.sh b/scripts/local/acfs_container.sh
@@ -82,8 +82,17 @@ cmd_create() {
     # Copy installer and repo files to container via tar pipe
     # This bypasses "Forbidden" errors some LXD setups produce when trying to read host files directly.
     log_detail "Transferring ACFS repo to container..."
-    tar -C "$REPO_ROOT" -cf - install.sh scripts acfs acfs.manifest.yaml checksums.yaml 2>/dev/null | \
-        acfs_lxc exec "$ACFS_CONTAINER_NAME" -- tar -xf - -C /tmp/
+    if ! tar -C "$REPO_ROOT" -cf - install.sh scripts acfs acfs.manifest.yaml checksums.yaml 2>/dev/null | \
+        acfs_lxc exec "$ACFS_CONTAINER_NAME" -- tar -xf - -C /tmp/; then
+        log_error "Failed to transfer ACFS repo to container"
+        return 1
+    fi
+
+    # Verify critical bootstrap files exist in container
+    if ! acfs_lxc exec "$ACFS_CONTAINER_NAME" -- test -f /tmp/scripts/acfs-global 2>/dev/null; then
+        log_error "Bootstrap verification failed: scripts/acfs-global not in container"
+        return 1
+    fi
 
     # Run installer inside container
     # We set ACFS_BOOTSTRAP_DIR=/tmp so install.sh knows where to find its own scripts/lib
@@ -96,6 +105,33 @@ cmd_create() {
         bash /tmp/install.sh --local --yes --mode vibe --skip-ubuntu-upgrade
     "
 
+    # Post-install verification
+    log_info "Verifying installation..."
+    local verification_warnings=0
+
+    # Check user-local acfs command
+    if ! acfs_sandbox_exec "test -x ~/.local/bin/acfs" 2>/dev/null; then
+        log_warn "User acfs command not found at ~/.local/bin/acfs"
+        verification_warnings=1
+    fi
+
+    # Check global wrapper
+    if ! acfs_sandbox_exec_root "test -x /usr/local/bin/acfs" 2>/dev/null; then
+        log_warn "Global acfs wrapper not found at /usr/local/bin/acfs"
+        verification_warnings=1
+    fi
+
+    # Check critical library scripts
+    if ! acfs_sandbox_exec "test -f ~/.acfs/scripts/lib/dashboard.sh" 2>/dev/null; then
+        log_warn "dashboard.sh not found in ~/.acfs/scripts/lib/"
+        verification_warnings=1
+    fi
+
+    if [[ $verification_warnings -eq 1 ]]; then
+        log_warn "Some ACFS components may not have installed correctly"
+        log_info "Run 'acfs-local shell' then 'acfs doctor' to diagnose"
+    fi
+
     echo ""
     echo "╔═══════════════════════════════════════════════════════════════╗"
     echo "║                    Installation Complete!                     ║"
