2026-06-10 22:31:18 +02:00
|
|
|
#!/bin/bash
|
|
|
|
|
# ============================================================================
|
|
|
|
|
# Diet Guard installer: hidden budget + log-to-unlock gate.
|
|
|
|
|
#
|
|
|
|
|
# Usage: bash install.sh
|
|
|
|
|
#
|
|
|
|
|
# What it does:
|
|
|
|
|
# 1. Ensures system deps (setxkbmap for VT-disable, requests for OFF lookups)
|
2026-06-22 12:18:39 +02:00
|
|
|
# 2. pip-installs this package + gatelock into system Python's user
|
|
|
|
|
# site-packages (the systemd service runs /usr/bin/python directly, not
|
|
|
|
|
# a venv, so the package must live where that interpreter can find it —
|
|
|
|
|
# see CLAUDE.md's "Production dependency installation" section)
|
|
|
|
|
# 3. Installs + enables the systemd user timer that fires the gate every ~30m
|
Add cross-device log sync (Python half of Milestone 3)
Pulls every other device's pushed log from GitHub-backed dumb storage,
merges it with the local log, and pushes this device's own merged copy
back -- the PC half of the diet-guard-app sync plan.
- _sync_merge.py: pure union-by-id merge, tombstone always wins, legacy
(time, desc) dedup for pre-id entries. Commutative and idempotent.
- _sync_github.py: minimal GitHub Contents API client (list/get/put),
distinguishing a 404 on an unused path from the repo itself being
unreachable.
- _sync.py: orchestration -- pull, merge, re-sign every persisted entry
regardless of origin, write, rebuild the food bank, push. Re-signing
unconditionally is load-bearing: an unsigned phone-origin entry would
otherwise be silently dropped on the very next read once a machine
holds the shared HMAC key.
- _foodbank.rebuild_food_bank(): the "replay a full log into a fresh
bank" entrypoint the Python side was missing (the Dart port already
had its equivalent). Backs sync's bank-rebuild step.
- New diet-guard-sync.service/.timer (15-minute cadence, headless, a
separate unit from the gate so a held lock can't stall sync) and a
new install.sh step to install them.
- Created the private kuhyx/diet-guard-sync GitHub repo for storage.
Incidental to this feature: adding the `sync` subcommand pushed _cli.py
past the repo's 500-line cap, so `gate`'s CLI glue moved out alongside
sync's into _cli_gate.py/_cli_sync.py -- same split pattern already used
for the gate window logic itself, not a sync-specific design choice.
338 tests, 100% branch coverage. Verified importing and running cleanly
under /usr/bin/python (the production interpreter), not just the dev
venv -- the gap that caused the earlier 3-day outage.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01FU3f5KQ1GHXsbbSecfVEyF
2026-06-22 19:36:27 +02:00
|
|
|
# 4. Installs + enables the systemd user timer that syncs the log every ~15m
|
|
|
|
|
# (the sync itself stays unconfigured -- and a no-op -- until you create
|
|
|
|
|
# a sync token; see the reminder this step prints)
|
|
|
|
|
# 5. Seals your daily budget from biometrics (only if not already sealed)
|
|
|
|
|
# 6. Locks the budget file immutable with `chattr +i` (the real tamper gate)
|
2026-06-10 22:31:18 +02:00
|
|
|
# ============================================================================
|
|
|
|
|
|
|
|
|
|
set -euo pipefail
|
|
|
|
|
|
|
|
|
|
# Split declare/assign so the command-substitution exit code is not masked (SC2155).
|
|
|
|
|
SCRIPT_DIR="$(dirname "$(readlink -f "$0")")"
|
|
|
|
|
readonly SCRIPT_DIR
|
2026-06-22 12:18:39 +02:00
|
|
|
readonly REPO_DIR="$SCRIPT_DIR"
|
2026-06-10 22:31:18 +02:00
|
|
|
readonly SERVICE_SRC="$SCRIPT_DIR/diet-guard-gate.service"
|
|
|
|
|
readonly TIMER_SRC="$SCRIPT_DIR/diet-guard-gate.timer"
|
Add cross-device log sync (Python half of Milestone 3)
Pulls every other device's pushed log from GitHub-backed dumb storage,
merges it with the local log, and pushes this device's own merged copy
back -- the PC half of the diet-guard-app sync plan.
- _sync_merge.py: pure union-by-id merge, tombstone always wins, legacy
(time, desc) dedup for pre-id entries. Commutative and idempotent.
- _sync_github.py: minimal GitHub Contents API client (list/get/put),
distinguishing a 404 on an unused path from the repo itself being
unreachable.
- _sync.py: orchestration -- pull, merge, re-sign every persisted entry
regardless of origin, write, rebuild the food bank, push. Re-signing
unconditionally is load-bearing: an unsigned phone-origin entry would
otherwise be silently dropped on the very next read once a machine
holds the shared HMAC key.
- _foodbank.rebuild_food_bank(): the "replay a full log into a fresh
bank" entrypoint the Python side was missing (the Dart port already
had its equivalent). Backs sync's bank-rebuild step.
- New diet-guard-sync.service/.timer (15-minute cadence, headless, a
separate unit from the gate so a held lock can't stall sync) and a
new install.sh step to install them.
- Created the private kuhyx/diet-guard-sync GitHub repo for storage.
Incidental to this feature: adding the `sync` subcommand pushed _cli.py
past the repo's 500-line cap, so `gate`'s CLI glue moved out alongside
sync's into _cli_gate.py/_cli_sync.py -- same split pattern already used
for the gate window logic itself, not a sync-specific design choice.
338 tests, 100% branch coverage. Verified importing and running cleanly
under /usr/bin/python (the production interpreter), not just the dev
venv -- the gap that caused the earlier 3-day outage.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01FU3f5KQ1GHXsbbSecfVEyF
2026-06-22 19:36:27 +02:00
|
|
|
readonly SYNC_SERVICE_SRC="$SCRIPT_DIR/diet-guard-sync.service"
|
|
|
|
|
readonly SYNC_TIMER_SRC="$SCRIPT_DIR/diet-guard-sync.timer"
|
2026-06-10 22:31:18 +02:00
|
|
|
readonly SYSTEMD_USER_DIR="$HOME/.config/systemd/user"
|
|
|
|
|
readonly DATA_DIR="$HOME/.local/share/diet_guard"
|
|
|
|
|
readonly BUDGET_FILE="$DATA_DIR/.budget"
|
Add cross-device log sync (Python half of Milestone 3)
Pulls every other device's pushed log from GitHub-backed dumb storage,
merges it with the local log, and pushes this device's own merged copy
back -- the PC half of the diet-guard-app sync plan.
- _sync_merge.py: pure union-by-id merge, tombstone always wins, legacy
(time, desc) dedup for pre-id entries. Commutative and idempotent.
- _sync_github.py: minimal GitHub Contents API client (list/get/put),
distinguishing a 404 on an unused path from the repo itself being
unreachable.
- _sync.py: orchestration -- pull, merge, re-sign every persisted entry
regardless of origin, write, rebuild the food bank, push. Re-signing
unconditionally is load-bearing: an unsigned phone-origin entry would
otherwise be silently dropped on the very next read once a machine
holds the shared HMAC key.
- _foodbank.rebuild_food_bank(): the "replay a full log into a fresh
bank" entrypoint the Python side was missing (the Dart port already
had its equivalent). Backs sync's bank-rebuild step.
- New diet-guard-sync.service/.timer (15-minute cadence, headless, a
separate unit from the gate so a held lock can't stall sync) and a
new install.sh step to install them.
- Created the private kuhyx/diet-guard-sync GitHub repo for storage.
Incidental to this feature: adding the `sync` subcommand pushed _cli.py
past the repo's 500-line cap, so `gate`'s CLI glue moved out alongside
sync's into _cli_gate.py/_cli_sync.py -- same split pattern already used
for the gate window logic itself, not a sync-specific design choice.
338 tests, 100% branch coverage. Verified importing and running cleanly
under /usr/bin/python (the production interpreter), not just the dev
venv -- the gap that caused the earlier 3-day outage.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01FU3f5KQ1GHXsbbSecfVEyF
2026-06-22 19:36:27 +02:00
|
|
|
readonly SYNC_TOKEN_FILE="$HOME/.config/diet_guard/sync_token"
|
2026-06-10 22:31:18 +02:00
|
|
|
|
|
|
|
|
echo "=== Diet Guard Installer ==="
|
|
|
|
|
|
|
|
|
|
# 1. System dependencies ------------------------------------------------------
|
Add cross-device log sync (Python half of Milestone 3)
Pulls every other device's pushed log from GitHub-backed dumb storage,
merges it with the local log, and pushes this device's own merged copy
back -- the PC half of the diet-guard-app sync plan.
- _sync_merge.py: pure union-by-id merge, tombstone always wins, legacy
(time, desc) dedup for pre-id entries. Commutative and idempotent.
- _sync_github.py: minimal GitHub Contents API client (list/get/put),
distinguishing a 404 on an unused path from the repo itself being
unreachable.
- _sync.py: orchestration -- pull, merge, re-sign every persisted entry
regardless of origin, write, rebuild the food bank, push. Re-signing
unconditionally is load-bearing: an unsigned phone-origin entry would
otherwise be silently dropped on the very next read once a machine
holds the shared HMAC key.
- _foodbank.rebuild_food_bank(): the "replay a full log into a fresh
bank" entrypoint the Python side was missing (the Dart port already
had its equivalent). Backs sync's bank-rebuild step.
- New diet-guard-sync.service/.timer (15-minute cadence, headless, a
separate unit from the gate so a held lock can't stall sync) and a
new install.sh step to install them.
- Created the private kuhyx/diet-guard-sync GitHub repo for storage.
Incidental to this feature: adding the `sync` subcommand pushed _cli.py
past the repo's 500-line cap, so `gate`'s CLI glue moved out alongside
sync's into _cli_gate.py/_cli_sync.py -- same split pattern already used
for the gate window logic itself, not a sync-specific design choice.
338 tests, 100% branch coverage. Verified importing and running cleanly
under /usr/bin/python (the production interpreter), not just the dev
venv -- the gap that caused the earlier 3-day outage.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01FU3f5KQ1GHXsbbSecfVEyF
2026-06-22 19:36:27 +02:00
|
|
|
echo "[1/6] Checking system dependencies..."
|
2026-06-10 22:31:18 +02:00
|
|
|
if ! command -v setxkbmap &>/dev/null; then
|
|
|
|
|
echo " Installing xorg-setxkbmap (gate disables VT switching while locked)..."
|
|
|
|
|
sudo pacman -S --noconfirm xorg-setxkbmap
|
|
|
|
|
else
|
|
|
|
|
echo " setxkbmap present"
|
|
|
|
|
fi
|
|
|
|
|
|
2026-06-22 12:18:39 +02:00
|
|
|
# 2. Install this package + its dependencies into system Python -------------
|
Add cross-device log sync (Python half of Milestone 3)
Pulls every other device's pushed log from GitHub-backed dumb storage,
merges it with the local log, and pushes this device's own merged copy
back -- the PC half of the diet-guard-app sync plan.
- _sync_merge.py: pure union-by-id merge, tombstone always wins, legacy
(time, desc) dedup for pre-id entries. Commutative and idempotent.
- _sync_github.py: minimal GitHub Contents API client (list/get/put),
distinguishing a 404 on an unused path from the repo itself being
unreachable.
- _sync.py: orchestration -- pull, merge, re-sign every persisted entry
regardless of origin, write, rebuild the food bank, push. Re-signing
unconditionally is load-bearing: an unsigned phone-origin entry would
otherwise be silently dropped on the very next read once a machine
holds the shared HMAC key.
- _foodbank.rebuild_food_bank(): the "replay a full log into a fresh
bank" entrypoint the Python side was missing (the Dart port already
had its equivalent). Backs sync's bank-rebuild step.
- New diet-guard-sync.service/.timer (15-minute cadence, headless, a
separate unit from the gate so a held lock can't stall sync) and a
new install.sh step to install them.
- Created the private kuhyx/diet-guard-sync GitHub repo for storage.
Incidental to this feature: adding the `sync` subcommand pushed _cli.py
past the repo's 500-line cap, so `gate`'s CLI glue moved out alongside
sync's into _cli_gate.py/_cli_sync.py -- same split pattern already used
for the gate window logic itself, not a sync-specific design choice.
338 tests, 100% branch coverage. Verified importing and running cleanly
under /usr/bin/python (the production interpreter), not just the dev
venv -- the gap that caused the earlier 3-day outage.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01FU3f5KQ1GHXsbbSecfVEyF
2026-06-22 19:36:27 +02:00
|
|
|
echo "[2/6] Installing diet_guard + dependencies for /usr/bin/python..."
|
2026-06-22 12:18:39 +02:00
|
|
|
/usr/bin/python3 -m pip install --user --break-system-packages -e "$REPO_DIR"
|
|
|
|
|
echo " Installed. Verifying import..."
|
|
|
|
|
/usr/bin/python3 -c "import diet_guard; import gatelock" \
|
|
|
|
|
&& echo " diet_guard and gatelock import cleanly from the system interpreter."
|
|
|
|
|
|
Add cross-device log sync (Python half of Milestone 3)
Pulls every other device's pushed log from GitHub-backed dumb storage,
merges it with the local log, and pushes this device's own merged copy
back -- the PC half of the diet-guard-app sync plan.
- _sync_merge.py: pure union-by-id merge, tombstone always wins, legacy
(time, desc) dedup for pre-id entries. Commutative and idempotent.
- _sync_github.py: minimal GitHub Contents API client (list/get/put),
distinguishing a 404 on an unused path from the repo itself being
unreachable.
- _sync.py: orchestration -- pull, merge, re-sign every persisted entry
regardless of origin, write, rebuild the food bank, push. Re-signing
unconditionally is load-bearing: an unsigned phone-origin entry would
otherwise be silently dropped on the very next read once a machine
holds the shared HMAC key.
- _foodbank.rebuild_food_bank(): the "replay a full log into a fresh
bank" entrypoint the Python side was missing (the Dart port already
had its equivalent). Backs sync's bank-rebuild step.
- New diet-guard-sync.service/.timer (15-minute cadence, headless, a
separate unit from the gate so a held lock can't stall sync) and a
new install.sh step to install them.
- Created the private kuhyx/diet-guard-sync GitHub repo for storage.
Incidental to this feature: adding the `sync` subcommand pushed _cli.py
past the repo's 500-line cap, so `gate`'s CLI glue moved out alongside
sync's into _cli_gate.py/_cli_sync.py -- same split pattern already used
for the gate window logic itself, not a sync-specific design choice.
338 tests, 100% branch coverage. Verified importing and running cleanly
under /usr/bin/python (the production interpreter), not just the dev
venv -- the gap that caused the earlier 3-day outage.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01FU3f5KQ1GHXsbbSecfVEyF
2026-06-22 19:36:27 +02:00
|
|
|
# 3. systemd user timer + service (gate) -------------------------------------
|
|
|
|
|
echo "[3/6] Installing the gate's systemd user timer + service..."
|
2026-06-10 22:31:18 +02:00
|
|
|
mkdir -p "$SYSTEMD_USER_DIR"
|
|
|
|
|
cp "$SERVICE_SRC" "$SYSTEMD_USER_DIR/diet-guard-gate.service"
|
|
|
|
|
cp "$TIMER_SRC" "$SYSTEMD_USER_DIR/diet-guard-gate.timer"
|
|
|
|
|
systemctl --user daemon-reload
|
|
|
|
|
systemctl --user enable --now diet-guard-gate.timer
|
|
|
|
|
echo " Timer enabled and started (fires the gate every ~30 min)."
|
|
|
|
|
|
Add cross-device log sync (Python half of Milestone 3)
Pulls every other device's pushed log from GitHub-backed dumb storage,
merges it with the local log, and pushes this device's own merged copy
back -- the PC half of the diet-guard-app sync plan.
- _sync_merge.py: pure union-by-id merge, tombstone always wins, legacy
(time, desc) dedup for pre-id entries. Commutative and idempotent.
- _sync_github.py: minimal GitHub Contents API client (list/get/put),
distinguishing a 404 on an unused path from the repo itself being
unreachable.
- _sync.py: orchestration -- pull, merge, re-sign every persisted entry
regardless of origin, write, rebuild the food bank, push. Re-signing
unconditionally is load-bearing: an unsigned phone-origin entry would
otherwise be silently dropped on the very next read once a machine
holds the shared HMAC key.
- _foodbank.rebuild_food_bank(): the "replay a full log into a fresh
bank" entrypoint the Python side was missing (the Dart port already
had its equivalent). Backs sync's bank-rebuild step.
- New diet-guard-sync.service/.timer (15-minute cadence, headless, a
separate unit from the gate so a held lock can't stall sync) and a
new install.sh step to install them.
- Created the private kuhyx/diet-guard-sync GitHub repo for storage.
Incidental to this feature: adding the `sync` subcommand pushed _cli.py
past the repo's 500-line cap, so `gate`'s CLI glue moved out alongside
sync's into _cli_gate.py/_cli_sync.py -- same split pattern already used
for the gate window logic itself, not a sync-specific design choice.
338 tests, 100% branch coverage. Verified importing and running cleanly
under /usr/bin/python (the production interpreter), not just the dev
venv -- the gap that caused the earlier 3-day outage.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01FU3f5KQ1GHXsbbSecfVEyF
2026-06-22 19:36:27 +02:00
|
|
|
# 4. systemd user timer + service (sync) -------------------------------------
|
|
|
|
|
echo "[4/6] Installing the sync's systemd user timer + service..."
|
|
|
|
|
cp "$SYNC_SERVICE_SRC" "$SYSTEMD_USER_DIR/diet-guard-sync.service"
|
|
|
|
|
cp "$SYNC_TIMER_SRC" "$SYSTEMD_USER_DIR/diet-guard-sync.timer"
|
|
|
|
|
systemctl --user daemon-reload
|
|
|
|
|
systemctl --user enable --now diet-guard-sync.timer
|
|
|
|
|
echo " Timer enabled and started (syncs the log every ~15 min)."
|
|
|
|
|
if [[ -e "$SYNC_TOKEN_FILE" ]]; then
|
|
|
|
|
echo " Sync token already present at $SYNC_TOKEN_FILE."
|
|
|
|
|
else
|
|
|
|
|
echo " No sync token yet at $SYNC_TOKEN_FILE -- sync will no-op (and log a"
|
|
|
|
|
echo " failure) on every tick until you create a fine-grained GitHub PAT"
|
|
|
|
|
echo " scoped to the diet-guard-sync repo's contents and save it there,"
|
|
|
|
|
echo " mode 600: chmod 600 \"$SYNC_TOKEN_FILE\""
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
# 5. Seal the daily budget (hidden) ------------------------------------------
|
|
|
|
|
echo "[5/6] Sealing your daily budget..."
|
2026-06-10 22:31:18 +02:00
|
|
|
if [[ -e "$BUDGET_FILE" ]]; then
|
|
|
|
|
echo " Budget already sealed at $BUDGET_FILE - skipping init."
|
|
|
|
|
else
|
|
|
|
|
echo " Enter your biometrics (used once then discarded; the value is hidden):"
|
2026-06-22 12:18:39 +02:00
|
|
|
python -m diet_guard init
|
2026-06-10 22:31:18 +02:00
|
|
|
fi
|
|
|
|
|
|
Add cross-device log sync (Python half of Milestone 3)
Pulls every other device's pushed log from GitHub-backed dumb storage,
merges it with the local log, and pushes this device's own merged copy
back -- the PC half of the diet-guard-app sync plan.
- _sync_merge.py: pure union-by-id merge, tombstone always wins, legacy
(time, desc) dedup for pre-id entries. Commutative and idempotent.
- _sync_github.py: minimal GitHub Contents API client (list/get/put),
distinguishing a 404 on an unused path from the repo itself being
unreachable.
- _sync.py: orchestration -- pull, merge, re-sign every persisted entry
regardless of origin, write, rebuild the food bank, push. Re-signing
unconditionally is load-bearing: an unsigned phone-origin entry would
otherwise be silently dropped on the very next read once a machine
holds the shared HMAC key.
- _foodbank.rebuild_food_bank(): the "replay a full log into a fresh
bank" entrypoint the Python side was missing (the Dart port already
had its equivalent). Backs sync's bank-rebuild step.
- New diet-guard-sync.service/.timer (15-minute cadence, headless, a
separate unit from the gate so a held lock can't stall sync) and a
new install.sh step to install them.
- Created the private kuhyx/diet-guard-sync GitHub repo for storage.
Incidental to this feature: adding the `sync` subcommand pushed _cli.py
past the repo's 500-line cap, so `gate`'s CLI glue moved out alongside
sync's into _cli_gate.py/_cli_sync.py -- same split pattern already used
for the gate window logic itself, not a sync-specific design choice.
338 tests, 100% branch coverage. Verified importing and running cleanly
under /usr/bin/python (the production interpreter), not just the dev
venv -- the gap that caused the earlier 3-day outage.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01FU3f5KQ1GHXsbbSecfVEyF
2026-06-22 19:36:27 +02:00
|
|
|
# 6. Lock the budget immutable (the real tamper friction) --------------------
|
|
|
|
|
echo "[6/6] Locking the budget file (chattr +i)..."
|
2026-06-10 22:31:18 +02:00
|
|
|
read -r attrs _ <<<"$(lsattr -d "$BUDGET_FILE" 2>/dev/null || true)"
|
|
|
|
|
if [[ "$attrs" == *i* ]]; then
|
|
|
|
|
echo " Already immutable."
|
|
|
|
|
else
|
|
|
|
|
sudo chattr +i "$BUDGET_FILE"
|
|
|
|
|
echo " Locked. To change it later: sudo chattr -i '$BUDGET_FILE'; re-run init; re-lock."
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
echo "=== Installation complete ==="
|
|
|
|
|
echo "The gate checks every ~30 min (08:00-22:00) and locks until you log a meal"
|
|
|
|
|
echo "once you have gone 5h without logging."
|
2026-06-22 12:18:39 +02:00
|
|
|
echo "Test the lock now (safe, closeable): python -m diet_guard gate --demo"
|