Independent re-audit surfaced 11 follow-ups across two layers of review
(my fresh-eyes read + a parallel agent pass). Bundled into a single
commit because changes are small and intertwined.
Symlink / state consistency:
- FileSystem.same_symlink now uses raw readlink() instead of resolve().
Aligns the three sites that ask "is this our link?" (_load_state,
_check_overwrite_safe, remove_symlink) on a single rule: exact-readlink
match. Following symlink chains would let externally-modified links
pass as ours and be silently overwritten.
- LinkedState.from_dict raises ConfigError on missing required fields
instead of .get(..., False) silent defaults. Matches InstalledState.
- LinkOp.source is now consistently None for remove_link ops; the
service derives expected_source from current.links. Removes the
asymmetry between in-state and orphan-broken removal ops.
- _apply_plan: rename shadowing local from link_target to spec.
Fail loud:
- _xdg() now treats XDG_CONFIG_HOME="" the same as unset. Previously
an empty env var produced Path("") and state files were written to
$PWD instead of ~/.local/state/flow.
- _resolve_target raises PlanConflict when a package contains a bare
_root entry (no path components) instead of silently dropping it.
- _strip_prefix raises FlowError when a declared install path does not
start with its section's expected prefix (e.g. etc/foo under install.bin).
Speculative abstraction removed (CLAUDE.md):
- core.template.substitute (the $VAR form) had no production callers --
deleted along with its tests; only the {{var}} form remains.
- SetupModule base class -- five subclasses, no shared behaviour, no
polymorphic call site. Deleted.
- Profile.arch -- parsed but never read. Deleted.
- PackagePlan.pm_command -- set but never read. Deleted (service
recomputes pm_install_command at the call site).
- FileSystem.ensure_dir(mode=...), .copy_file(sudo=...), .read_text(
default=...) -- no callers. Deleted along with their test.
- bootstrap _execute_action: the upfront `phase not in VALID_PHASES`
check duplicated the trailing exhaustive raise. Kept the trailing
raise as the single source of truth; phase set still documented in
VALID_PHASES.
Completion ctx threading:
- Removed _config()/_manifest() helpers that re-loaded from disk on
every completion call. _list_targets, _list_namespaces, _list_platforms,
_list_bootstrap_profiles, _list_manifest_packages now take ctx and
read from ctx.config / ctx.manifest.
Test coverage and e2e:
- e2e container test exercises a real `flow dotfiles link` (no dry-run)
and asserts the resulting symlinks point into the dotfiles dir;
reruns to verify idempotency.
- New tests: LinkedState corrupt-state ConfigError, LinkedState bad-version
ConfigError, bare-_root PlanConflict, service-level _root path routing
+ skip semantics.
- 11 stale test imports removed (pyflakes clean across src/ + tests/).
357 unit tests + 1 e2e (gated) all pass.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Fail loud at the boundary:
- substitute_template raises ConfigError on unresolved {{...}}; no more
silent literal placeholders in download URLs.
- parse_profile raises ConfigError when 'os' is missing -- no
raw.get("os", "linux") default that silently masks typos.
- urllib download failures wrapped to FlowError.
- bootstrap _execute_action dispatches phases explicitly and raises
on unhandled phase; no more "anything else runs as shell".
Direct access over defensive wrapping:
- plan_bootstrap requires env; plan_install requires pm. Drop the
dead `or os.environ` / `or detect_package_manager()` fallbacks.
- InstalledState.from_dict raises ConfigError on missing fields
rather than .get(..., default).
- Replace `x or {}` chains with explicit `x if x is not None else {}`
in package resolution; catalog validates type/platform-map/install
shapes at parse.
One canonical form / direct access:
- Path.home() replaced with paths.HOME in services/packages.py and
commands/completion.py. paths.HOME is the single source now.
- Use Path.is_relative_to for install-path containment instead of
str.startswith.
Domain purity:
- domain/containers/resolution.resolve_mounts takes a filesystem_check
predicate; service passes the probe in. Domain no longer touches
the filesystem directly.
No speculative abstraction:
- Drop the `allow_sudo` field entirely. The _script_uses_sudo check
it gated was bypassable (substring match) and gave false confidence;
the manifest is fully user-trusted anyway.
- Delete dead terminfo_fix_command + RemoteService.fix_terminfo
(no command surface exposes them).
- FileSystem.remove_tree no longer swallows errors via ignore_errors;
callers opt into missing_ok if needed.
Typed enums:
- PackageDef.type, AppConfig.container_runtime as Literal[...].
container_runtime values validated at config parse.
Completion bypasses runtime no longer:
- complete(ctx, ...) threads context; ContainerRuntime and state-file
reads go through ctx.runtime instead of constructing primitives.
Tests added for: template raise, missing os raise, env/pm required,
unknown phase raise, no allow_sudo gate, URL download failure, install
path escape, corrupt installed.json, container_runtime Literal,
filesystem_check controls mounts.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Complete rewrite of all core modules with proper abstractions:
- FlowError hierarchy with PlanConflict and ExecutionError
- Pure template substitution ($VAR, ${VAR}, {{expr}})
- XDG path constants
- Frozen PlatformInfo dataclass with context detection
- Console with color/quiet/TTY support
- Runtime primitives (CommandRunner, FileSystem, GitClient, SystemRuntime)
- Config loading with target parsing and manifest merging
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
