| -rw-r--r-- | todo.org | 22 |
1 files changed, 13 insertions, 9 deletions
@@ -200,15 +200,19 @@ contract for what diagnose must detect and what the panel must say. - Missing speedtest backend — Detect: speedtest-go absent. Report: "Install speedtest-go to run a speed test." - Privileged op fails (helper missing / sudo declined) — Detect: helper exits non-zero or absent. Report: "Couldn't get admin rights for this repair — <install/fix the helper>." -*** TODO Sudo helper + NOPASSWD sudoers (gates everything; archsetup-installed) -Root-owned =/usr/local/bin/net-priv= (or similar), NOT stowed/user-writable, dispatching net's -fixed privileged verbs; narrow NOPASSWD sudoers scoped to that helper only. =repair.py= calls -=sudo net-priv <verb>=. Must also fix the latent bug it unblocks: the detached -=portal_restore_watch= runs with no tty and can't prompt, so today =_restore_dot= silently fails -when sudo creds aren't cached, leaving DNS unencrypted until a manual =net portal --restore=. -Separately reconcile where velox's DoT actually lives (currently -DNSOverTLS, no drop-in, so the -"drop DoT" step is a no-op there; =NET_DOT_CONF= overrides the path) — decide whether velox should -run DoT at all. +*** 2026-07-01 Wed @ 13:02 -0400 net-priv helper landed (V2.1) +Craig's call: stowed (not root-owned), low security on locked-down single-user machines. +Shipped =net.priv= module + stowed =net-priv= bin (dotfiles =00aac1e=): a fixed 12-verb set +(rfkill/radio/mac-random/conn-up/net-off/net-on/restart-nm/dns-set/dns-revert/restart-resolved/ +dot-disable/dot-enable) with per-arg validation (uuid/iface/ipv4/resolved.conf.d-path, injection +rejected). =repair.py= now routes every privileged op through =priv.run(verb)= in-process instead +of scattered inline sudo — which also fixes the detached DoT-restore watcher (runs privileged ops +with no tty) and closes the gap where rfkill repair ran unprivileged. 244 net + 33 dotfiles suites +green. 
NO new sudoers needed: archsetup already grants =%<user> ALL=(ALL) NOPASSWD: ALL= +(archsetup:1089), so every build's primary user already runs net-priv's commands passwordless; +"replicate in archsetup" is already satisfied. net-priv rides =make stow hyprland=; hand-linked on +velox. The velox DoT-path reconcile (whether velox should run DoT at all) stays open — folded into +the deeper reconcile, low priority since the guard makes it a no-op. *** TODO Merged Diagnostics panel + nav restructure (Connections | Diagnostics | Performance) **** 2026-06-30 Tue @ 17:36 -0400 Dispositioned the 4th-review findings into the spec Codex's 9 fourth-review findings (8 accept, 1 modify) are folded into the spec's |
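Review bot: the entry drops the original requirement that the helper be root-owned and not user-writable, but does not record what now stands in for that boundary. As written, =net-priv= is stowed from the dotfiles and invoked under a blanket =%<user> ALL=(ALL) NOPASSWD: ALL= rule, so the per-arg validation (uuid/iface/ipv4/resolved.conf.d-path) protects against malformed input reaching the privileged verbs from =repair.py=, not against anything already running as the user, which can reach root without touching the helper at all. Suggest saying that explicitly next to "low security on locked-down single-user machines" as the accepted risk, and noting that the "narrow NOPASSWD sudoers scoped to that helper only" goal is abandoned rather than satisfied by the archsetup:1089 rule. Separately, if NOPASSWD: ALL was already in place, the removed explanation of the watcher failure (sudo cannot prompt with no tty when creds are not cached) does not hold; one sentence on what the in-process =priv.run(verb)= route actually fixed for the detached DoT-restore watcher would keep the log accurate.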
