refactor: post-review hardening pass

Independent re-audit surfaced 11 follow-ups across two layers of review (my fresh-eyes read + a parallel agent pass). Bundled into a single commit because changes are small and intertwined. Symlink / state consistency: - FileSystem.same_symlink now uses raw readlink() instead of resolve(). Aligns the three sites that ask "is this our link?" (_load_state, _check_overwrite_safe, remove_symlink) on a single rule: exact-readlink match. Following symlink chains would let externally-modified links pass as ours and be silently overwritten. - LinkedState.from_dict raises ConfigError on missing required fields instead of .get(..., False) silent defaults. Matches InstalledState. - LinkOp.source is now consistently None for remove_link ops; the service derives expected_source from current.links. Removes the asymmetry between in-state and orphan-broken removal ops. - _apply_plan: rename shadowing local from link_target to spec. Fail loud: - _xdg() now treats XDG_CONFIG_HOME="" the same as unset. Previously an empty env var produced Path("") and state files were written to $PWD instead of ~/.local/state/flow. - _resolve_target raises PlanConflict when a package contains a bare _root entry (no path components) instead of silently dropping it. - _strip_prefix raises FlowError when a declared install path does not start with its section's expected prefix (e.g. etc/foo under install.bin). Speculative abstraction removed (CLAUDE.md): - core.template.substitute (the $VAR form) had no production callers -- deleted along with its tests; only the {{var}} form remains. - SetupModule base class -- five subclasses, no shared behaviour, no polymorphic call site. Deleted. - Profile.arch -- parsed but never read. Deleted. - PackagePlan.pm_command -- set but never read. Deleted (service recomputes pm_install_command at the call site). - FileSystem.ensure_dir(mode=...), .copy_file(sudo=...), .read_text( default=...) -- no callers. Deleted along with their test. - bootstrap _execute_action: the upfront `phase not in VALID_PHASES` check duplicated the trailing exhaustive raise. Kept the trailing raise as the single source of truth; phase set still documented in VALID_PHASES. Completion ctx threading: - Removed _config()/_manifest() helpers that re-loaded from disk on every completion call. _list_targets, _list_namespaces, _list_platforms, _list_bootstrap_profiles, _list_manifest_packages now take ctx and read from ctx.config / ctx.manifest. Test coverage and e2e: - e2e container test exercises a real `flow dotfiles link` (no dry-run) and asserts the resulting symlinks point into the dotfiles dir; reruns to verify idempotency. - New tests: LinkedState corrupt-state ConfigError, LinkedState bad-version ConfigError, bare-_root PlanConflict, service-level _root path routing + skip semantics. - 11 stale test imports removed (pyflakes clean across src/ + tests/). 357 unit tests + 1 e2e (gated) all pass. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-14 00:23:06 +03:00
parent 6a0eb9f6ef
commit 6b7a48bb20
32 changed files with 239 additions and 181 deletions
--- a/tests/test_service_bootstrap.py
+++ b/tests/test_service_bootstrap.py
@@ -96,21 +96,21 @@ class TestBootstrapService:

    def test_unknown_phase_raises(self):
        from flow.domain.bootstrap.models import BootstrapAction, BootstrapPlan
-        from flow.domain.bootstrap.models import VALID_PHASES

        manifest = {"profiles": {"work": {"os": "linux"}}}
        ctx = _make_ctx(manifest)
        svc = BootstrapService(ctx)
-        # Forge an action with a phase that VALID_PHASES contains but the
-        # dispatch can't handle (shouldn't happen, but tests the explicit guard).
-        # Use a phase NOT in VALID_PHASES first to confirm the "Unknown" branch.
+        # Forge an action with a phase the dispatcher doesn't handle.
+        # The trailing raise in _execute_action is the single source of
+        # truth for unhandled phases — adding a phase to VALID_PHASES
+        # without a handler should surface here.
        action = BootstrapAction.__new__(BootstrapAction)
        object.__setattr__(action, "phase", "no-such-phase")
        object.__setattr__(action, "description", "")
        object.__setattr__(action, "commands", ())
        object.__setattr__(action, "needs_sudo", False)
        plan = BootstrapPlan(profile="work", actions=(), packages_to_install=())
-        with pytest.raises(FlowError, match="Unknown bootstrap phase"):
+        with pytest.raises(FlowError, match="Unhandled bootstrap phase"):
            svc._execute_action(action, plan, "work")

    def test_run_uses_dotfiles_profile_override(self, monkeypatch):