From de7fd72b4745d034e0409a11e2c145fd0dc1cd8f Mon Sep 17 00:00:00 2001
From: rcourtman <courtmanr@gmail.com>
Date: Wed, 19 Nov 2025 10:59:54 +0000
Subject: [PATCH] fix(sensor-proxy): fix remaining unsafe config writers

1. Self-heal script: Add BINARY_PATH variable so CLI migration actually runs
   - Previously logged "Binary not available" and skipped migration

2. migrate-sensor-proxy-control-plane.sh: Use atomic write (temp + rename)
   - Prevents partial writes if script is interrupted
   - Reduces race window with running service

These were the remaining gaps identified by Codex review.

NOTE: migrate-sensor-proxy-control-plane.sh still uses Python manipulation
instead of the Phase 2 CLI, but as a one-time migration script for upgrades
from v4.31, the atomic write provides sufficient protection. Future versions
can deprecate this script entirely.
---
 scripts/install-sensor-proxy.sh               |  1 +
 scripts/migrate-sensor-proxy-control-plane.sh | 33 +++++++++++++------
 2 files changed, 24 insertions(+), 10 deletions(-)

diff --git a/scripts/install-sensor-proxy.sh b/scripts/install-sensor-proxy.sh
index f0494d2d8..47858b513 100755
--- a/scripts/install-sensor-proxy.sh
+++ b/scripts/install-sensor-proxy.sh
@@ -3094,6 +3094,7 @@ else
 set -euo pipefail
 
 SERVICE="pulse-sensor-proxy"
+BINARY_PATH="/opt/pulse/sensor-proxy/bin/pulse-sensor-proxy"
 INSTALLER="/opt/pulse/sensor-proxy/install-sensor-proxy.sh"
 CTID_FILE="/etc/pulse-sensor-proxy/ctid"
 PENDING_FILE="/etc/pulse-sensor-proxy/pending-control-plane.env"
diff --git a/scripts/migrate-sensor-proxy-control-plane.sh b/scripts/migrate-sensor-proxy-control-plane.sh
index 335ea30bd..4c70bd915 100644
--- a/scripts/migrate-sensor-proxy-control-plane.sh
+++ b/scripts/migrate-sensor-proxy-control-plane.sh
@@ -92,14 +92,20 @@ echo "$CONTROL_TOKEN" > "$TOKEN_FILE"
 chmod 600 "$TOKEN_FILE"
 chown pulse-sensor-proxy:pulse-sensor-proxy "$TOKEN_FILE"
 
-remove_control_block() {
-    python3 - "$CONFIG_FILE" <<'PY'
+update_config_atomically() {
+    # Phase 2: Use atomic write to prevent corruption
+    local temp_file
+    temp_file=$(mktemp)
+
+    # Remove old control plane blocks and add new one atomically
+    python3 - "$CONFIG_FILE" "$temp_file" <<'PY'
 from pathlib import Path
 import sys
-path = Path(sys.argv[1])
-if not path.exists():
+config_path = Path(sys.argv[1])
+temp_path = Path(sys.argv[2])
+if not config_path.exists():
     sys.exit(0)
-lines = path.read_text().splitlines(keepends=True)
+lines = config_path.read_text().splitlines(keepends=True)
 result = []
 i = 0
 while i < len(lines):
@@ -116,13 +122,11 @@ while i < len(lines):
         continue
     result.append(line)
     i += 1
-path.write_text("".join(result))
+temp_path.write_text("".join(result))
 PY
-}
 
-log "Updating config..."
-remove_control_block
-cat >> "$CONFIG_FILE" <<EOF
+    # Append new control plane config
+    cat >> "$temp_file" <<EOF
 
 # Pulse control plane configuration (added by migrate-sensor-proxy-control-plane.sh)
 pulse_control_plane:
@@ -131,6 +135,15 @@ pulse_control_plane:
   refresh_interval: $REFRESH_INTERVAL
 EOF
 
+    # Atomic rename
+    mv "$temp_file" "$CONFIG_FILE"
+    chmod 644 "$CONFIG_FILE"
+    chown pulse-sensor-proxy:pulse-sensor-proxy "$CONFIG_FILE" 2>/dev/null || true
+}
+
+log "Updating config..."
+update_config_atomically
+
 if [[ "$SKIP_RESTART" == false ]]; then
     log "Restarting pulse-sensor-proxy..."
     systemctl restart pulse-sensor-proxy