Remove the accidentally-committed Claude Code scratch state and add
the canonical ignore entries.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Independent re-audit surfaced 11 follow-ups across two layers of review
(my fresh-eyes read + a parallel agent pass). Bundled into a single
commit because changes are small and intertwined.
Symlink / state consistency:
- FileSystem.same_symlink now uses raw readlink() instead of resolve().
Aligns the three sites that ask "is this our link?" (_load_state,
_check_overwrite_safe, remove_symlink) on a single rule: exact-readlink
match. Following symlink chains would let externally-modified links
pass as ours and be silently overwritten.
- LinkedState.from_dict raises ConfigError on missing required fields
instead of .get(..., False) silent defaults. Matches InstalledState.
- LinkOp.source is now consistently None for remove_link ops; the
service derives expected_source from current.links. Removes the
asymmetry between in-state and orphan-broken removal ops.
- _apply_plan: rename shadowing local from link_target to spec.
Fail loud:
- _xdg() now treats XDG_CONFIG_HOME="" the same as unset. Previously
an empty env var produced Path("") and state files were written to
$PWD instead of ~/.local/state/flow.
- _resolve_target raises PlanConflict when a package contains a bare
_root entry (no path components) instead of silently dropping it.
- _strip_prefix raises FlowError when a declared install path does not
start with its section's expected prefix (e.g. etc/foo under install.bin).
Speculative abstraction removed (CLAUDE.md):
- core.template.substitute (the $VAR form) had no production callers --
deleted along with its tests; only the {{var}} form remains.
- SetupModule base class -- five subclasses, no shared behaviour, no
polymorphic call site. Deleted.
- Profile.arch -- parsed but never read. Deleted.
- PackagePlan.pm_command -- set but never read. Deleted (service
recomputes pm_install_command at the call site).
- FileSystem.ensure_dir(mode=...), .copy_file(sudo=...), .read_text(
default=...) -- no callers. Deleted along with their test.
- bootstrap _execute_action: the upfront `phase not in VALID_PHASES`
check duplicated the trailing exhaustive raise. Kept the trailing
raise as the single source of truth; phase set still documented in
VALID_PHASES.
Completion ctx threading:
- Removed _config()/_manifest() helpers that re-loaded from disk on
every completion call. _list_targets, _list_namespaces, _list_platforms,
_list_bootstrap_profiles, _list_manifest_packages now take ctx and
read from ctx.config / ctx.manifest.
Test coverage and e2e:
- e2e container test exercises a real `flow dotfiles link` (no dry-run)
and asserts the resulting symlinks point into the dotfiles dir;
reruns to verify idempotency.
- New tests: LinkedState corrupt-state ConfigError, LinkedState bad-version
ConfigError, bare-_root PlanConflict, service-level _root path routing
+ skip semantics.
- 11 stale test imports removed (pyflakes clean across src/ + tests/).
357 unit tests + 1 e2e (gated) all pass.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Makefile gains `test` and `test-e2e` targets; `deps` now installs the
dev extras so pytest is available after `make deps`.
- .github/workflows/test.yml runs unit tests on push and PR to main
(Python 3.13 on ubuntu-latest, ignores tests/e2e by default).
- tests/e2e/Containerfile + test_dotfiles_e2e.py scaffold a real
container-based smoke test of `flow dotfiles init` + `link` against
the example dotfiles repo. Gated by FLOW_RUN_E2E=1 so unit runs
stay fast; verified locally with podman.
- tests/fakes.FakeRunner uses ordered subsequence matching instead of
unordered containment -- prevents accidental match between unrelated
commands that happen to share tokens.
- example/README.md rewritten for the current command surface
(no more `dotfiles undo`, `dotfiles modules ...`, `--relink`,
`bootstrap list/show/run --profile`, `bootstrap packages --resolved`).
Adds an "External modules" section documenting `_module.yaml`.
- example/dotfiles-repo profiles.yaml drops `allow-sudo: true` along
with the runtime support.
- pyproject.toml adds [tool.coverage] config.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Fail loud at the boundary:
- substitute_template raises ConfigError on unresolved {{...}}; no more
silent literal placeholders in download URLs.
- parse_profile raises ConfigError when 'os' is missing -- no
raw.get("os", "linux") default that silently masks typos.
- urllib download failures wrapped to FlowError.
- bootstrap _execute_action dispatches phases explicitly and raises
on unhandled phase; no more "anything else runs as shell".
Direct access over defensive wrapping:
- plan_bootstrap requires env; plan_install requires pm. Drop the
dead `or os.environ` / `or detect_package_manager()` fallbacks.
- InstalledState.from_dict raises ConfigError on missing fields
rather than .get(..., default).
- Replace `x or {}` chains with explicit `x if x is not None else {}`
in package resolution; catalog validates type/platform-map/install
shapes at parse.
One canonical form / direct access:
- Path.home() replaced with paths.HOME in services/packages.py and
commands/completion.py. paths.HOME is the single source now.
- Use Path.is_relative_to for install-path containment instead of
str.startswith.
Domain purity:
- domain/containers/resolution.resolve_mounts takes a filesystem_check
predicate; service passes the probe in. Domain no longer touches
the filesystem directly.
No speculative abstraction:
- Drop the `allow_sudo` field entirely. The _script_uses_sudo check
it gated was bypassable (substring match) and gave false confidence;
the manifest is fully user-trusted anyway.
- Delete dead terminfo_fix_command + RemoteService.fix_terminfo
(no command surface exposes them).
- FileSystem.remove_tree no longer swallows errors via ignore_errors;
callers opt into missing_ok if needed.
Typed enums:
- PackageDef.type, AppConfig.container_runtime as Literal[...].
container_runtime values validated at config parse.
Completion bypasses runtime no longer:
- complete(ctx, ...) threads context; ContainerRuntime and state-file
reads go through ctx.runtime instead of constructing primitives.
Tests added for: template raise, missing os raise, env/pm required,
unknown phase raise, no allow_sudo gate, URL download failure, install
path escape, corrupt installed.json, container_runtime Literal,
filesystem_check controls mounts.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Atomic state writes (tempfile + os.replace) so a crash mid-write cannot
corrupt linked.json.
- Managed-symlink guards in FileSystem.create_symlink and the new
remove_symlink: refuse to overwrite or delete a path unless it is
absent or already a symlink pointing to the expected source. Stops
silent user-file deletion in the plan/apply race window.
- plan_link adopts orphan symlinks whose readlink already matches the
desired source, so a partial-apply failure can be recovered by rerun.
- _load_state warns loudly on each stale entry it drops, and status()
no longer rewrites linked.json as a side effect of read.
- _apply_plan dispatches exhaustively; unknown LinkOp types raise.
- Remove _checkout_module_ref early-return for branch == "main" -- it
assumed the remote default was main, breaking master-default repos.
Always run the explicit checkout (idempotent).
- Warn when a module's cache_dir is absent during link, suggesting
flow dotfiles repos pull.
- LinkOp.type and ModuleRef.ref_type tightened to Literal[...]; dead
"create_dir" enum value removed from the model.
Tests: +29 covering atomic writes, overwrite guards, remove_symlink
semantics, orphan adoption (match/mismatch), partial-failure rerun,
status read-only, branch/tag/commit checkout argv, uncloned-module
warning, stale-state warnings.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1. _merge_config: track explicit fields instead of comparing to defaults
2. plan_install: let asset resolution errors propagate (fail loudly)
3. _install_binary/_install_appimage: use argv lists instead of shell strings
4. _find_module: narrow exception to OSError/YAMLError, raise ConfigError
5. _install_binary: use pkg.extract_dir to scope binary search
6. plan_install: raise FlowError when pkg type needs PM but none found
7. Frozen dataclasses: change mutable list fields to tuples throughout
8. Remove dead stream_shell method and unused Console import
9. Guard os.getuid() with hasattr for cross-platform safety
10. _parse_targets: raise ConfigError on malformed entries
11. Bootstrap modules: use shlex.quote on all interpolated values
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Delete old core modules (action, stow, process, system, variables),
old services (package_defs, ssh), and all tests for deleted code.
191 tests pass with the new codebase.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Complete rewrite of all core modules with proper abstractions:
- FlowError hierarchy with PlanConflict and ExecutionError
- Pure template substitution ($VAR, ${VAR}, {{expr}})
- XDG path constants
- Frozen PlatformInfo dataclass with context detection
- Console with color/quiet/TTY support
- Runtime primitives (CommandRunner, FileSystem, GitClient, SystemRuntime)
- Config loading with target parsing and manifest merging
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Plan fixes:
- detect_platform raises FlowError not RuntimeError
- TargetConfig lives in core/config.py only (remote domain imports it)
- plan_link handles source changes (remove_link + create_link)
- resolve_package_targets skips local files when mount_path is root
- LinkedState.from_dict guards on version mismatch
- Added missing test for parse_module_ref with absent ref
- Task 12 now has full tests and serialization format
- Task 13 uses spec signatures as truth, old code as reference
- Task 15 includes describe() examples and tests
- Task 24 has detailed test cases for ProjectService
- Note that conflicts.py is intentionally merged into planning.py
- Spec Section 12 example fixed to include filesystem_check arg
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add CLAUDE.md with development standards
- Remove docs/architecture.md and docs/flows.md (obsoleted by redesign spec)
- Track docs/code-review.md
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add TargetConfig model to remote domain with normalization rules
- Add SetupModuleDef model to bootstrap domain
- Fix domain purity: Package carries pre-walked file lists, parse_module_ref
takes parsed dict not file path, discover_packages moved to service layer
- Clarify conflict detection: cross-package collisions (pure) vs filesystem
conflicts (injected callback in plan_link)
- Add dry_run to init, repos_pull, repos_push, stop, remove, respawn
- Document interactive commands (edit, attach, exec) as dry_run exceptions
- Document ProjectService as read-only (no dry_run needed)
- Fix ContainerState -> ContainerInfo naming consistency
- Add post-install and allow-sudo fields to config YAML example
- Document core/paths.py constants including MODULES_DIR
- Add target config normalization rules
- Clarify validate_env as eager precondition check, not a plan action
- Clarify setup show as effectively setup run --dry-run
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
