feat(self-update): non-elevated update skips the broker (+ zero-UAC docs) #466
Merged
…efresh hint)

The broker is the one elevated component — a LocalSystem service. A non-elevated `uffs --update` can neither stop its service (to unlock `uffs-broker.exe`) nor restart it without admin, so it would fail at the broker quiesce. But the broker wire protocol is fixed and back-compatible, so a slightly-older broker keeps serving a newer daemon.

So when NOT elevated, drop the broker from the apply: update the other five binaries, leave the running broker alone, and print a hint that a full refresh (including the broker) needs one elevated `uffs --update`. Elevated runs are unchanged (they update all six).

This completes the zero-UAC update story: with the broker installed, a non-elevated update now succeeds instead of erroring at the broker.

- uffs-winsvc: add `is_elevated()` (TokenElevation query; `false` off Windows), the natural home for this Windows-privilege check (no new deps).
- plan: `Snapshot::drop_broker()` removes the `broker` running entry + every `uffs-broker` binary target, returning its version for the hint.
- apply: skip the broker when `!is_elevated()`; print the elevated-refresh hint on success. No-op away from Windows (no broker in the snapshot there).

Verified: macOS + windows-msvc builds, macOS + windows clippy, and unit tests for `drop_broker` (removes broker / reports version / None when absent).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Reflect the new behavior: a non-elevated `uffs --update` updates every binary except the LocalSystem broker (which keeps serving and is refreshed by a later elevated run). Replaces the now-imprecise "later updates keep it current". Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
A multi-line `#[expect(unsafe_code, …)]` (an over-long reason that fmt reflowed) hid the `// SAFETY:` comment from `undocumented_unsafe_blocks`, failing windows clippy. Shorten the reason so the attribute stays single-line, matching every other unsafe block in the file. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…on guides) installation.md and daemon.md presented "Administrator required" as the only Windows model, predating the Access Broker. Update both to lead with the broker: install it once (`uffs-broker --install`, elevated) and search, daemon start/stop/restart, and non-elevated updates all run with no UAC — Administrator terminal / gsudo become the fallbacks. Covers the §3 privileges tables, the Windows options block, the daemon live-access note, and the "Permission denied" troubleshooting row. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
What
Completes the zero-UAC update story on Windows and documents the broker's no-admin narrative.

Code — non-elevated update skips the broker
The broker is the one elevated component (a `LocalSystem` service). A non-elevated `uffs --update` can neither stop its service (to unlock `uffs-broker.exe`) nor restart it without admin — so it would fail at the broker quiesce. But the broker wire protocol is fixed and back-compatible, so a slightly-older broker keeps serving a newer daemon.

So when not elevated, drop the broker from the apply: update the other five binaries, leave the running broker alone, and print a hint that a full refresh (incl. the broker) needs one elevated `uffs --update`. Elevated runs are unchanged (all six).

- uffs-winsvc: add `is_elevated()` (TokenElevation query; `false` off Windows) — no new deps.
- plan: `Snapshot::drop_broker()` removes the `broker` running entry + every `uffs-broker` binary target, returning its version for the hint.
- run_apply: skip the broker when non-elevated; print the elevated-refresh hint. No-op away from Windows.

Docs — Access Broker = zero-UAC
`uffs-broker --install` (one-time elevation → no UAC on later search, daemon start/stop/restart, and non-elevated updates); Administrator terminal / gsudo become fallbacks. Updates the §3 privileges tables and the "Permission denied" troubleshooting row.

Verification
macOS + `x86_64-pc-windows-msvc` builds, macOS + Windows clippy, `drop_broker` unit tests, full pre-push gate green (after a `cargo clean` to clear pre-existing E0514 stale-target artifacts).

🤖 Generated with Claude Code
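A minimal model of the plan-pruning rule described in this PR, added here as an illustration and not taken from the project's source. The `Target`/`Snapshot` field layout, `plan_apply`, the `uffs-daemon` binary name and the version strings are assumptions, and elevation is passed in as a flag instead of being queried from the process token so the example runs on any platform.

```rust
// Illustrative model: type shapes and sample names are assumptions, not uffs code.
#[derive(Debug, Clone, PartialEq)]
struct Target {
    binary: String,  // e.g. "uffs-broker"
    version: String, // currently installed version
}

#[derive(Debug, Default)]
struct Snapshot {
    running: Vec<String>, // components the apply step would quiesce
    targets: Vec<Target>, // binaries the apply step would replace
}

impl Snapshot {
    /// Remove the `broker` running entry and every `uffs-broker` target;
    /// return the broker version when one was present.
    fn drop_broker(&mut self) -> Option<String> {
        self.running.retain(|name| name != "broker");
        let version = self.targets.iter()
            .find(|t| t.binary == "uffs-broker")
            .map(|t| t.version.clone());
        self.targets.retain(|t| t.binary != "uffs-broker");
        version
    }
}

/// Prune before anything is stopped, so a non-elevated run never attempts a
/// service operation it lacks the rights for and never ends half-applied.
fn plan_apply(mut snap: Snapshot, elevated: bool) -> (Snapshot, Option<String>) {
    if elevated {
        return (snap, None); // elevated runs keep the full plan
    }
    let hint = snap.drop_broker().map(|v| {
        format!("broker {v} left running; one elevated `uffs --update` refreshes it")
    });
    (snap, hint)
}

/// Constructed sample: a broker, a hypothetical daemon, and the CLI.
fn sample() -> Snapshot {
    let t = |b: &str, v: &str| Target { binary: b.into(), version: v.into() };
    Snapshot {
        running: vec!["broker".into(), "daemon".into()],
        targets: vec![t("uffs", "1.0.0"), t("uffs-daemon", "1.0.0"), t("uffs-broker", "1.0.0")],
    }
}

fn main() {
    let (plan, hint) = plan_apply(sample(), false);
    println!("{:?}\n{:?}", plan.targets, hint);
}
```

Because the broker is removed from both the running list and the target list before the apply starts, the non-elevated path has no step that touches the service or its locked executable.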