Release 0.0.6: token-gated updates (M13) with encrypted storage
release / release (push) Successful in 13s

- updates gated to Gitea account holders via a Personal Access Token (D18
  revised: anonymous HTTP -> authenticated HTTP, since the instance requires
  sign-in for all anonymous access)
- token stored encrypted in the OS keyring (secret-tool) when available, with
  a 0600-file fallback; $RIGDOCTOR_TOKEN override; auto-migrate file->keyring
  once libsecret-tools is installed
- core/updates: token-aware fetch_latest + update_state (no-token/auth/network/
  up-to-date/available)
- CLI: rigdoctor login / logout / update [--check]
- GUI: Setup "Update access" panel (token field, get-a-token, backend status);
  sidebar update states; libsecret-tools added to the installer catalog
- token storage tests (file fallback + env override, keyring mocked)
- version 0.0.6, CHANGELOG, docs

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-05-21 17:47:01 +02:00
parent 2e6a981120
commit 4e3f6aa94e
12 changed files with 383 additions and 30 deletions
+15 -2
View File
@@ -152,9 +152,22 @@ reachable from it. This **supersedes the earlier "CLI-first / terminal-first" fr
- *No change to layering (D2):* the core, CLI, and daemon stay **stdlib-only** and must run
without Qt. "GUI-first" is about emphasis and front-end parity, not dropping headless support.
### D18 — Auto-update (M13) — *PLANNED 2026-05-21*
### D18 — Auto-update (M13) — *PLANNED 2026-05-21; mechanism revised 2026-05-21*
RigDoctor should **check for a newer version on launch and self-update** (new module **M13**).
**Mechanism (chosen): user-local, no-root self-update from the public repo.**
**Mechanism (revised): user-local, no-root self-update over authenticated HTTP (token).**
*Why revised:* the Gitea instance requires sign-in for **all** anonymous access (repo page,
releases feed, raw, API all 303/403 anonymously), so the original "public HTTP" plan can't
work. Updates are therefore **gated to people with an account on the Gitea server**, which is
desirable — access control is delegated to Gitea.
- *Auth:* each user creates a **Personal Access Token** (scope `read:repository`); RigDoctor
stores it at `~/.config/rigdoctor/token` (mode 0600) or reads `RIGDOCTOR_TOKEN`. Requests
send `Authorization: token <PAT>`. Finer access = repo visibility/collaborators on Gitea.
- *Check:* `GET /api/v1/repos/jessey/rigdoctor/releases/latest` with the token; compare tags.
- *Apply:* `pip install --upgrade "git+https://oauth2:<token>@…/rigdoctor.git@<tag>"` into the
user-local venv, then restart (incl. the daemon). No root.
- *States surfaced:* no-token → "connect to update server"; auth error → "access denied";
newer → "Update to v…"; else "up-to-date".
- *Original (now-superseded) plan was anonymous public HTTP:*
- *Install model (D8 revised):* primary install is **user-local** (`~/.local`), so the running
app can replace its own files and update with **no apt, no root, no password prompt**.
- *Check:* on launch, query the **public Gitea releases API**
+6 -4
View File
@@ -64,10 +64,12 @@ Status: ⬜ not started · 🟦 designing · 🟨 in progress · ✅ done
no hosted relay), (3) **gated interactive terminal** wrapping tmate/sshx (read-only by
default; read-write only on explicit consent — a deliberate exception to D9). Per-session
consent, ephemeral revocable tokens, audit log.
- **M13 Auto-update** (D18) — *check half implemented:* on GUI launch, `core/updates` queries
the Gitea releases API and the sidebar shows up-to-date / an "Update to v…" button / "update
check unavailable" (the instance currently requires sign-in for anonymous API calls). The
no-root **self-update** (download → verify → atomic swap → restart) is still pending.
- **M13 Auto-update** (D18) — *check + auth implemented:* updates are **gated to Gitea account
holders** via a Personal Access Token, stored **encrypted in the OS keyring** (`secret-tool`)
with a 0600-file fallback (`config.load_token`/`save_token`/`token_backend`). `core/updates`
queries the releases API with the token; CLI `login`/`logout`/`update`; GUI Setup "Update
access" panel + sidebar states. The no-root **self-update apply** (download → verify → swap →
restart) and the user-local install script are still pending.
*Original plan:* On launch, check the public Gitea releases API and
**self-update a user-local install with no root** (download → verify checksum/signature →
atomic symlink swap → restart, incl. the daemon). HTTPS-only, version-check-only (no