archy/core/archipelago/src/container/version_config.rs

//! Per-app version preferences — the persistence layer for multi-version support.
//!
//! Multi-version support (`docs/bitcoin-multi-version-design.md`) lets a node
//! runner pin Bitcoin Core / Knots to a specific version and opt into
//! auto-update-to-latest. Both choices live in the existing per-app config file
//! at `/var/lib/archipelago/app-configs/<id>.json` as two keys:
//!
//! ```jsonc
//! { "pinnedVersion": "29.3.knots20260508", "autoUpdate": false }
//! ```
//!
//! This is the single source of truth the orchestrator's install path reads to
//! resolve the image, and that the auto-update tick + "available update" badge
//! consult. Reads/writes are merge-preserving so they never clobber any
//! `containerConfig` (ports/volumes/env) a generic app may also store here.
//!
//! Platform-managed apps (bitcoin-core/knots/…) never use the
//! `containerConfig`-style keys (see `config.rs::dynamic_app_config`, which
//! returns early for them), so adding these keys to their file is collision-free.

use serde_json::{Map, Value};
use std::path::PathBuf;

/// Resolved version preferences for one app. Defaults: no pin, auto-update off
/// (consensus-critical apps opt in explicitly — design open-question #4).
#[derive(Debug, Clone, Default, PartialEq, Eq)]
pub struct AppVersionConfig {
    /// The version string the runner pinned, if any. Suppresses the update badge
    /// and overrides the catalog default at install/recreate time.
    pub pinned_version: Option<String>,
    /// When true, the hourly catalog tick updates this app to the catalog
    /// default automatically. Ignored while a version is pinned.
    pub auto_update: bool,
}

fn config_dir() -> PathBuf {
    let base = std::env::var("ARCHIPELAGO_DATA_DIR")
        .unwrap_or_else(|_| "/var/lib/archipelago".to_string());
    PathBuf::from(base).join("app-configs")
}

fn config_path(app_id: &str) -> PathBuf {
    config_dir().join(format!("{app_id}.json"))
}

/// App ids that have opted into auto-update-to-latest AND are not pinned (a pin
/// is an explicit "stay here"). Drives the hourly per-app auto-update tick. The
/// app id is the config file stem. Returns empty when the dir is absent.
pub fn auto_update_apps() -> Vec<String> {
    let mut out = Vec::new();
    let Ok(entries) = std::fs::read_dir(config_dir()) else {
        return out;
    };
    for entry in entries.flatten() {
        let path = entry.path();
        if path.extension().and_then(|e| e.to_str()) != Some("json") {
            continue;
        }
        let Some(app_id) = path.file_stem().and_then(|s| s.to_str()) else {
            continue;
        };
        let cfg = read(app_id);
        if cfg.auto_update && cfg.pinned_version.is_none() {
            out.push(app_id.to_string());
        }
    }
    out
}

fn read_raw(app_id: &str) -> Map<String, Value> {
    let path = config_path(app_id);
    match std::fs::read_to_string(&path) {
        Ok(s) => serde_json::from_str::<Value>(&s)
            .ok()
            .and_then(|v| v.as_object().cloned())
            .unwrap_or_default(),
        Err(_) => Map::new(),
    }
}

/// Read the version preferences for `app_id`. Returns defaults when the file is
/// absent or the keys are unset.
pub fn read(app_id: &str) -> AppVersionConfig {
    let obj = read_raw(app_id);
    AppVersionConfig {
        pinned_version: obj
            .get("pinnedVersion")
            .and_then(Value::as_str)
            .filter(|s| !s.is_empty())
            .map(String::from),
        auto_update: obj
            .get("autoUpdate")
            .and_then(Value::as_bool)
            .unwrap_or(false),
    }
}

/// The pinned version for `app_id`, if set. Convenience for the hot path.
pub fn pinned_version(app_id: &str) -> Option<String> {
    read(app_id).pinned_version
}

/// Parse the leading numeric `major.minor.patch` of a version string into a
/// comparable tuple. Stops at the first non-numeric component, so Bitcoin Core
/// (`31.0`, `28.4`) and the Knots date-suffixed form (`29.3.knots20260508` →
/// `(29, 3, 0)`) both compare on their consensus-relevant major/minor. The
/// Knots build-date suffix is intentionally ignored — a same-major.minor Knots
/// rebuild is not a chainstate downgrade.
fn version_key(version: &str) -> (u64, u64, u64) {
    let mut it = version.split('.').map(|c| {
        // Take the leading digit run of each dotted component (`knots20260508`
        // yields no leading digits → 0; `3` → 3).
        c.chars()
            .take_while(|ch| ch.is_ascii_digit())
            .collect::<String>()
            .parse::<u64>()
            .unwrap_or(0)
    });
    (
        it.next().unwrap_or(0),
        it.next().unwrap_or(0),
        it.next().unwrap_or(0),
    )
}

/// True when installing `candidate` over `current` is a DOWNGRADE — an older
/// Bitcoin release over a chainstate written by a newer one. This is the
/// highest-risk operation (Core refuses to start on a newer chainstate without
/// an expensive reindex; pruned nodes can lose data), so the UI must warn and
/// the switch must be explicitly confirmed (design §4). Equal or newer → false.
pub fn is_downgrade(current: &str, candidate: &str) -> bool {
    version_key(candidate) < version_key(current)
}

/// Merge `cfg` into the on-disk config, preserving every other key. A
/// `pinned_version` of `None` removes the `pinnedVersion` key (un-pins / "track
/// latest"). Creates the directory and file on first write.
pub fn write(app_id: &str, cfg: &AppVersionConfig) -> std::io::Result<()> {
    let path = config_path(app_id);
    let mut obj = read_raw(app_id);
    match &cfg.pinned_version {
        Some(v) => {
            obj.insert("pinnedVersion".to_string(), Value::String(v.clone()));
        }
        None => {
            obj.remove("pinnedVersion");
        }
    }
    obj.insert("autoUpdate".to_string(), Value::Bool(cfg.auto_update));

    if let Some(parent) = path.parent() {
        std::fs::create_dir_all(parent)?;
    }
    let serialized = serde_json::to_string_pretty(&Value::Object(obj))
        .map_err(|e| std::io::Error::new(std::io::ErrorKind::InvalidData, e))?;
    // Atomic-ish write: temp + rename so a crash mid-write can't truncate config.
    let tmp = path.with_extension("json.tmp");
    std::fs::write(&tmp, serialized.as_bytes())?;
    std::fs::rename(&tmp, &path)
}

#[cfg(test)]
mod tests {
    use super::*;

    // `ARCHIPELAGO_DATA_DIR` is process-global, so the write/read tests must not
    // run concurrently — serialize them and give each a unique dir. Without this
    // lock, parallel `cargo test` races on the env var (poisoning is fine: a
    // panicking test still releases a usable guard).
    static ENV_LOCK: std::sync::Mutex<u64> = std::sync::Mutex::new(0);

    fn with_tmp_data_dir<F: FnOnce()>(f: F) {
        let mut counter = ENV_LOCK.lock().unwrap_or_else(|e| e.into_inner());
        *counter += 1;
        let dir = std::env::temp_dir().join(format!(
            "archy-vc-test-{}-{}",
            std::process::id(),
            *counter
        ));
        let _ = std::fs::remove_dir_all(&dir);
        std::fs::create_dir_all(&dir).unwrap();
        std::env::set_var("ARCHIPELAGO_DATA_DIR", &dir);
        f();
        std::env::remove_var("ARCHIPELAGO_DATA_DIR");
        let _ = std::fs::remove_dir_all(&dir);
        // `counter` guard drops here, releasing the lock for the next test.
    }

    #[test]
    fn defaults_when_absent() {
        with_tmp_data_dir(|| {
            let cfg = read("bitcoin-core");
            assert_eq!(cfg.pinned_version, None);
            assert!(!cfg.auto_update);
        });
    }

    #[test]
    fn write_then_read_roundtrips() {
        with_tmp_data_dir(|| {
            write(
                "bitcoin-knots",
                &AppVersionConfig {
                    pinned_version: Some("29.3.knots20260508".into()),
                    auto_update: false,
                },
            )
            .unwrap();
            let cfg = read("bitcoin-knots");
            assert_eq!(cfg.pinned_version.as_deref(), Some("29.3.knots20260508"));
            assert!(!cfg.auto_update);
        });
    }

    #[test]
    fn write_preserves_existing_keys() {
        with_tmp_data_dir(|| {
            // Simulate a generic app's containerConfig already on disk.
            let path = config_path("someapp");
            std::fs::create_dir_all(path.parent().unwrap()).unwrap();
            std::fs::write(&path, r#"{"ports":["80:80"],"autoUpdate":false}"#).unwrap();
            write(
                "someapp",
                &AppVersionConfig {
                    pinned_version: Some("1.2.3".into()),
                    auto_update: true,
                },
            )
            .unwrap();
            let raw = read_raw("someapp");
            assert!(raw.contains_key("ports"), "ports key must survive");
            assert_eq!(raw.get("pinnedVersion").unwrap(), "1.2.3");
            assert_eq!(raw.get("autoUpdate").unwrap(), &Value::Bool(true));
        });
    }

    #[test]
    fn downgrade_detection() {
        // Older over newer = downgrade.
        assert!(is_downgrade("31.0", "30.0"));
        assert!(is_downgrade("28.4", "27.2"));
        // Same or newer = not a downgrade.
        assert!(!is_downgrade("30.0", "31.0"));
        assert!(!is_downgrade("28.4", "28.4"));
        // Knots date-suffixed strings compare on major.minor only.
        assert!(is_downgrade("29.3.knots20260508", "28.1.knots20251010"));
        assert!(!is_downgrade(
            "29.3.knots20260101",
            "29.3.knots20260508"
        ));
    }

    #[test]
    fn unpin_removes_key() {
        with_tmp_data_dir(|| {
            write(
                "bitcoin-core",
                &AppVersionConfig {
                    pinned_version: Some("31.0".into()),
                    auto_update: true,
                },
            )
            .unwrap();
            write(
                "bitcoin-core",
                &AppVersionConfig {
                    pinned_version: None,
                    auto_update: true,
                },
            )
            .unwrap();
            let raw = read_raw("bitcoin-core");
            assert!(!raw.contains_key("pinnedVersion"));
            assert_eq!(read("bitcoin-core").pinned_version, None);
            assert!(read("bitcoin-core").auto_update);
        });
    }
}
feat(bitcoin): multi-version support for Core & Knots (install/switch/pin/auto-update) Lets a node runner choose which Bitcoin Core / Knots version to install (latest pre-selected), then switch, pin, or opt into auto-update from the app's interface — all manifest/catalog-driven, rootless, signed-registry, zero-data-loss. Motivated by upcoming BIP-110 signalling: runners need a real choice of software version. Backend: - version_config.rs: per-app pin + auto-update persistence (atomic, merge- preserving), downgrade detection, auto-update enumeration (+ unit tests). - app_catalog.rs: CatalogVersion / versions[] schema, catalog_versions(), catalog_image_for_version() (same-repo guard); a pin suppresses the update badge. - prod_orchestrator.rs: pinned version wins over the catalog default on every install/recreate. - install.rs: install-time `version` param persisted (default = unpinned). - set_config.rs: package.versions (read) + package.set-config (write) RPCs; downgrade is gated behind explicit confirm (warn + confirm + allow). - update.rs/main.rs: hourly per-app auto-update tick via the orchestrator (opt-in, pin-respecting); fix handle_package_update to be non-fatal for orchestrator-managed apps lacking a catalog primary image (bitcoin-core). UI: - MarketplaceAppDetails.vue: install-time version selector (shown when an app offers >=2 versions). - appDetails/AppSidebar.vue: "Version & Updates" card (switch / pin / auto- update toggle / downgrade warning), per app. - rpc-client.ts + en.json: RPC methods, types, strings. Phase 0 image pipeline: - scripts/build-bitcoin-image.sh: download official tarball + SHA256SUMS(.asc), verify SHA-256 + pinned-maintainer OpenPGP signature (fail-closed), build a minimal rootless image, smoke-test, tag + push. - apps/bitcoin-core/Dockerfile rewritten (drops stale community base); apps/bitcoin-knots/Dockerfile added. - generate-app-catalog.sh: emit curated versions[]; published + catalog now offers Core 25.2/26.2/27.2/28.4/29.3/30.2/31.0 + Knots 29.3.knots20260508. docs/bitcoin-multi-version-design.md: live progress tracker. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-06-28 18:46:17 -04:00			`//! Per-app version preferences — the persistence layer for multi-version support.`
			`//!`
			//! Multi-version support (`docs/bitcoin-multi-version-design.md`) lets a node
			`//! runner pin Bitcoin Core / Knots to a specific version and opt into`
			`//! auto-update-to-latest. Both choices live in the existing per-app config file`
			//! at `/var/lib/archipelago/app-configs/<id>.json` as two keys:
			`//!`
			//! ```jsonc
			`//! { "pinnedVersion": "29.3.knots20260508", "autoUpdate": false }`
			//! ```
			`//!`
			`//! This is the single source of truth the orchestrator's install path reads to`
			`//! resolve the image, and that the auto-update tick + "available update" badge`
			`//! consult. Reads/writes are merge-preserving so they never clobber any`
			//! `containerConfig` (ports/volumes/env) a generic app may also store here.
			`//!`
			`//! Platform-managed apps (bitcoin-core/knots/…) never use the`
			//! `containerConfig`-style keys (see `config.rs::dynamic_app_config`, which
			`//! returns early for them), so adding these keys to their file is collision-free.`

			`use serde_json::{Map, Value};`
			`use std::path::PathBuf;`

			`/// Resolved version preferences for one app. Defaults: no pin, auto-update off`
			`/// (consensus-critical apps opt in explicitly — design open-question #4).`
			`#[derive(Debug, Clone, Default, PartialEq, Eq)]`
			`pub struct AppVersionConfig {`
			`/// The version string the runner pinned, if any. Suppresses the update badge`
			`/// and overrides the catalog default at install/recreate time.`
			`pub pinned_version: Option<String>,`
			`/// When true, the hourly catalog tick updates this app to the catalog`
			`/// default automatically. Ignored while a version is pinned.`
			`pub auto_update: bool,`
			`}`

			`fn config_dir() -> PathBuf {`
			`let base = std::env::var("ARCHIPELAGO_DATA_DIR")`
			`.unwrap_or_else(\|_\| "/var/lib/archipelago".to_string());`
			`PathBuf::from(base).join("app-configs")`
			`}`

			`fn config_path(app_id: &str) -> PathBuf {`
			`config_dir().join(format!("{app_id}.json"))`
			`}`

			`/// App ids that have opted into auto-update-to-latest AND are not pinned (a pin`
			`/// is an explicit "stay here"). Drives the hourly per-app auto-update tick. The`
			`/// app id is the config file stem. Returns empty when the dir is absent.`
			`pub fn auto_update_apps() -> Vec<String> {`
			`let mut out = Vec::new();`
			`let Ok(entries) = std::fs::read_dir(config_dir()) else {`
			`return out;`
			`};`
			`for entry in entries.flatten() {`
			`let path = entry.path();`
			`if path.extension().and_then(\|e\| e.to_str()) != Some("json") {`
			`continue;`
			`}`
			`let Some(app_id) = path.file_stem().and_then(\|s\| s.to_str()) else {`
			`continue;`
			`};`
			`let cfg = read(app_id);`
			`if cfg.auto_update && cfg.pinned_version.is_none() {`
			`out.push(app_id.to_string());`
			`}`
			`}`
			`out`
			`}`

			`fn read_raw(app_id: &str) -> Map<String, Value> {`
			`let path = config_path(app_id);`
			`match std::fs::read_to_string(&path) {`
			`Ok(s) => serde_json::from_str::<Value>(&s)`
			`.ok()`
			`.and_then(\|v\| v.as_object().cloned())`
			`.unwrap_or_default(),`
			`Err(_) => Map::new(),`
			`}`
			`}`

			/// Read the version preferences for `app_id`. Returns defaults when the file is
			`/// absent or the keys are unset.`
			`pub fn read(app_id: &str) -> AppVersionConfig {`
			`let obj = read_raw(app_id);`
			`AppVersionConfig {`
			`pinned_version: obj`
			`.get("pinnedVersion")`
			`.and_then(Value::as_str)`
			`.filter(\|s\| !s.is_empty())`
			`.map(String::from),`
			`auto_update: obj`
			`.get("autoUpdate")`
			`.and_then(Value::as_bool)`
			`.unwrap_or(false),`
			`}`
			`}`

			/// The pinned version for `app_id`, if set. Convenience for the hot path.
			`pub fn pinned_version(app_id: &str) -> Option<String> {`
			`read(app_id).pinned_version`
			`}`

			/// Parse the leading numeric `major.minor.patch` of a version string into a
			`/// comparable tuple. Stops at the first non-numeric component, so Bitcoin Core`
			/// (`31.0`, `28.4`) and the Knots date-suffixed form (`29.3.knots20260508` →
			/// `(29, 3, 0)`) both compare on their consensus-relevant major/minor. The
			`/// Knots build-date suffix is intentionally ignored — a same-major.minor Knots`
			`/// rebuild is not a chainstate downgrade.`
			`fn version_key(version: &str) -> (u64, u64, u64) {`
			`let mut it = version.split('.').map(\|c\| {`
			// Take the leading digit run of each dotted component (`knots20260508`
			// yields no leading digits → 0; `3` → 3).
			`c.chars()`
			`.take_while(\|ch\| ch.is_ascii_digit())`
			`.collect::<String>()`
			`.parse::<u64>()`
			`.unwrap_or(0)`
			`});`
			`(`
			`it.next().unwrap_or(0),`
			`it.next().unwrap_or(0),`
			`it.next().unwrap_or(0),`
			`)`
			`}`

			/// True when installing `candidate` over `current` is a DOWNGRADE — an older
			`/// Bitcoin release over a chainstate written by a newer one. This is the`
			`/// highest-risk operation (Core refuses to start on a newer chainstate without`
			`/// an expensive reindex; pruned nodes can lose data), so the UI must warn and`
			`/// the switch must be explicitly confirmed (design §4). Equal or newer → false.`
			`pub fn is_downgrade(current: &str, candidate: &str) -> bool {`
			`version_key(candidate) < version_key(current)`
			`}`

			/// Merge `cfg` into the on-disk config, preserving every other key. A
			/// `pinned_version` of `None` removes the `pinnedVersion` key (un-pins / "track
			`/// latest"). Creates the directory and file on first write.`
			`pub fn write(app_id: &str, cfg: &AppVersionConfig) -> std::io::Result<()> {`
			`let path = config_path(app_id);`
			`let mut obj = read_raw(app_id);`
			`match &cfg.pinned_version {`
			`Some(v) => {`
			`obj.insert("pinnedVersion".to_string(), Value::String(v.clone()));`
			`}`
			`None => {`
			`obj.remove("pinnedVersion");`
			`}`
			`}`
			`obj.insert("autoUpdate".to_string(), Value::Bool(cfg.auto_update));`

			`if let Some(parent) = path.parent() {`
			`std::fs::create_dir_all(parent)?;`
			`}`
			`let serialized = serde_json::to_string_pretty(&Value::Object(obj))`
			`.map_err(\|e\| std::io::Error::new(std::io::ErrorKind::InvalidData, e))?;`
			`// Atomic-ish write: temp + rename so a crash mid-write can't truncate config.`
			`let tmp = path.with_extension("json.tmp");`
			`std::fs::write(&tmp, serialized.as_bytes())?;`
			`std::fs::rename(&tmp, &path)`
			`}`

			`#[cfg(test)]`
			`mod tests {`
			`use super::*;`

			// `ARCHIPELAGO_DATA_DIR` is process-global, so the write/read tests must not
			`// run concurrently — serialize them and give each a unique dir. Without this`
			// lock, parallel `cargo test` races on the env var (poisoning is fine: a
			`// panicking test still releases a usable guard).`
			`static ENV_LOCK: std::sync::Mutex<u64> = std::sync::Mutex::new(0);`

			`fn with_tmp_data_dir<F: FnOnce()>(f: F) {`
			`let mut counter = ENV_LOCK.lock().unwrap_or_else(\|e\| e.into_inner());`
			`*counter += 1;`
			`let dir = std::env::temp_dir().join(format!(`
			`"archy-vc-test-{}-{}",`
			`std::process::id(),`
			`*counter`
			`));`
			`let _ = std::fs::remove_dir_all(&dir);`
			`std::fs::create_dir_all(&dir).unwrap();`
			`std::env::set_var("ARCHIPELAGO_DATA_DIR", &dir);`
			`f();`
			`std::env::remove_var("ARCHIPELAGO_DATA_DIR");`
			`let _ = std::fs::remove_dir_all(&dir);`
			// `counter` guard drops here, releasing the lock for the next test.
			`}`

			`#[test]`
			`fn defaults_when_absent() {`
			`with_tmp_data_dir(\|\| {`
			`let cfg = read("bitcoin-core");`
			`assert_eq!(cfg.pinned_version, None);`
			`assert!(!cfg.auto_update);`
			`});`
			`}`

			`#[test]`
			`fn write_then_read_roundtrips() {`
			`with_tmp_data_dir(\|\| {`
			`write(`
			`"bitcoin-knots",`
			`&AppVersionConfig {`
			`pinned_version: Some("29.3.knots20260508".into()),`
			`auto_update: false,`
			`},`
			`)`
			`.unwrap();`
			`let cfg = read("bitcoin-knots");`
			`assert_eq!(cfg.pinned_version.as_deref(), Some("29.3.knots20260508"));`
			`assert!(!cfg.auto_update);`
			`});`
			`}`

			`#[test]`
			`fn write_preserves_existing_keys() {`
			`with_tmp_data_dir(\|\| {`
			`// Simulate a generic app's containerConfig already on disk.`
			`let path = config_path("someapp");`
			`std::fs::create_dir_all(path.parent().unwrap()).unwrap();`
			`std::fs::write(&path, r#"{"ports":["80:80"],"autoUpdate":false}"#).unwrap();`
			`write(`
			`"someapp",`
			`&AppVersionConfig {`
			`pinned_version: Some("1.2.3".into()),`
			`auto_update: true,`
			`},`
			`)`
			`.unwrap();`
			`let raw = read_raw("someapp");`
			`assert!(raw.contains_key("ports"), "ports key must survive");`
			`assert_eq!(raw.get("pinnedVersion").unwrap(), "1.2.3");`
			`assert_eq!(raw.get("autoUpdate").unwrap(), &Value::Bool(true));`
			`});`
			`}`

			`#[test]`
			`fn downgrade_detection() {`
			`// Older over newer = downgrade.`
			`assert!(is_downgrade("31.0", "30.0"));`
			`assert!(is_downgrade("28.4", "27.2"));`
			`// Same or newer = not a downgrade.`
			`assert!(!is_downgrade("30.0", "31.0"));`
			`assert!(!is_downgrade("28.4", "28.4"));`
			`// Knots date-suffixed strings compare on major.minor only.`
			`assert!(is_downgrade("29.3.knots20260508", "28.1.knots20251010"));`
			`assert!(!is_downgrade(`
			`"29.3.knots20260101",`
			`"29.3.knots20260508"`
			`));`
			`}`

			`#[test]`
			`fn unpin_removes_key() {`
			`with_tmp_data_dir(\|\| {`
			`write(`
			`"bitcoin-core",`
			`&AppVersionConfig {`
			`pinned_version: Some("31.0".into()),`
			`auto_update: true,`
			`},`
			`)`
			`.unwrap();`
			`write(`
			`"bitcoin-core",`
			`&AppVersionConfig {`
			`pinned_version: None,`
			`auto_update: true,`
			`},`
			`)`
			`.unwrap();`
			`let raw = read_raw("bitcoin-core");`
			`assert!(!raw.contains_key("pinnedVersion"));`
			`assert_eq!(read("bitcoin-core").pinned_version, None);`
			`assert!(read("bitcoin-core").auto_update);`
			`});`
			`}`
			`}`