Redflag/docs/Installer_Fix1_Implementation.md

# Installer Fix1 Implementation

**Date:** 2026-03-29
**Branch:** culurien

---

## Summary

Fixed 6 bugs and performed ETHOS cleanup on the existing installer templates and dashboard code. No new features.

## Files Changed

### 1. `aggregator-server/internal/services/templates/install/scripts/windows.ps1.tmpl`

**F-1 (HIGH): `$AgentBinary` undefined**
- Line 204 referenced `$AgentPath` and `$AgentDir` which were never defined
- Added `$AgentBinary = Join-Path $InstallDir "redflag-agent.exe"` before the registration block
- `$InstallDir` is defined at line 15 as `C:\Program Files\RedFlag`
- Registration now correctly resolves to `C:\Program Files\RedFlag\redflag-agent.exe`

**F-2 (HIGH): No admin/UAC check**
- Added `#Requires -RunAsAdministrator` directive at top of script
- Added runtime `IsInRole` check with clear error messages (no emoji)
- Script now fails immediately with actionable instructions if not elevated

### 2. `aggregator-web/src/pages/settings/AgentManagement.tsx`

**F-5 (MEDIUM): Dashboard saves `.bat` instead of `.ps1`**
- Changed `-OutFile install.bat; .\install.bat` to `-OutFile install.ps1; powershell -ExecutionPolicy Bypass -File install.ps1`
- Added `-UseBasicParsing` flag to `iwr` (required on older Windows)
- The install script is PowerShell, not batch — the old `.bat` extension caused Windows to try running it as CMD

### 3. `aggregator-agent/internal/service/windows.go`

**F-6 (MEDIUM): Windows config path inconsistency**
- `getConfigPath()` hardcoded `C:\ProgramData\RedFlag\config.json` (no `agent` subdir)
- `constants.GetAgentConfigPath()` returns `C:\ProgramData\RedFlag\agent\config.json`
- The agent's `main.go` uses `constants.GetAgentConfigPath()` for registration, loading, and saving
- **Canonical path:** `C:\ProgramData\RedFlag\agent\config.json` (with `agent` subdir)
- **Fix:** Changed `getConfigPath()` to call `constants.GetAgentConfigPath()`
- The `constants` package was already imported in `windows.go`

**Decision rationale:** The `main.go` registration flow (lines 219, 265, 468) consistently uses `constants.GetAgentConfigPath()`. The installer template creates config at `C:\ProgramData\RedFlag\config.json` — this means fresh Windows installs via the installer template would create config in one location while the Windows service reads from another. By making the service use `constants.GetAgentConfigPath()`, both paths converge. The installer template's config path (`$ConfigDir\config.json` where `$ConfigDir = C:\ProgramData\RedFlag`) will need a separate fix to include the `agent` subdirectory — flagged as future work.

### 4. `aggregator-server/internal/services/templates/install/scripts/linux.sh.tmpl`

**F-9 (LOW): Duplicate variable declarations**
- Lines 16-22 and 41-53 both declared `CONFIG_DIR`, `LOG_DIR`, `AGENT_USER`, `SUDOERS_FILE`
- Merged into a single variables block (lines 16-31) containing all static and template variables
- No values changed — all duplicates had identical values

**F-10 (LOW): Duplicate step numbering**
- Two "Step 4" and two "Step 5" existed
- Renumbered sequentially: Steps 1-11 (was 1-5, 4-9)
- No content changed — only the comment labels

### 5. Emoji Decision (F-7, F-8)

**Decision: KEPT. Not an ETHOS violation.**

All emoji in both templates (`linux.sh.tmpl`, `windows.ps1.tmpl`) are in user-facing terminal output (`echo`, `Write-Host`). Examples:
- `echo "... Existing installation detected..."` (checkmark for user feedback)
- `Write-Host "... Installation complete!" -ForegroundColor Green`

ETHOS #1 applies to server log statements (`log.Printf`, structured logging). Installer scripts are user-facing CLI tools — their terminal output is equivalent to the setup wizard and terminal display, which have an existing exemption. No emoji appear in log file output or structured logging.

## Manual Test Plan

### Linux
- [ ] Run install script on Ubuntu 22.04 (fresh VM or container)
- [ ] Confirm service starts: `systemctl status redflag-agent`
- [ ] Run script again (idempotency test)
- [ ] Confirm backup created for existing install
- [ ] Verify step numbers display sequentially in output

### Windows
- [ ] Run script in PowerShell as Administrator
- [ ] Confirm admin check blocks non-elevated execution
- [ ] Confirm `$AgentBinary` resolves to `C:\Program Files\RedFlag\redflag-agent.exe`
- [ ] Confirm service created: `Get-Service RedFlagAgent`
- [ ] Run script again (idempotency test)

### Dashboard
- [ ] Generate Linux one-liner from AgentManagement page
- [ ] Generate Windows one-liner — confirm filename is `.ps1` not `.bat`
- [ ] Confirm Windows command includes `-ExecutionPolicy Bypass`

Note: Template changes cannot be automatically tested via Go tests (they are rendered shell/PowerShell scripts). Manual verification on target platforms is required.

## Go Test Results

```
Server: 7 packages passed, 0 failures (103 tests)
Agent: 10 packages passed, 0 failures (60 tests)
Total: 163 tests, 0 failures
TypeScript: 0 errors
```

## ETHOS Pre-Integration Checklist

- [x] `$AgentBinary` undefined bug fixed (Windows)
- [x] Admin check added (Windows)
- [x] Dashboard outputs `.ps1` not `.bat`
- [x] Config path consistent across Windows code
- [x] Duplicate variables removed (Linux)
- [x] Duplicate step numbers fixed (Linux)
- [x] Emoji decision documented (keep UX, exempt from ETHOS #1)
- [x] All Go tests pass
- [x] No banned words in new template text
- [x] No new `fmt.Printf` in server Go code