mirror of
https://github.com/wwiinnddyy/LanMountainDesktop.git
synced 2026-06-20 23:54:26 +08:00
Harden OOBE, launch-source and elevation flow
Introduce a per-user OOBE state model and hardened launch/elevation handling. Adds OobeStateFile/OobeLaunchDecision models, OobeStateService (persisting %LOCALAPPDATA%/.launcher/state/oobe-state.json), and LauncherExecutionContext to capture elevation and user SID. CommandContext now normalizes/infers launch-source values (normal, postinstall, apply-update, plugin-install, debug-preview) and exposes maintenance checks. LauncherFlowCoordinator propagates richer launcher context details for diagnostics and suppresses OOBE for elevated/maintenance contexts. PluginInstallerService avoids requesting elevation for user-scoped installs and returns a clear error when installation target is outside the current user's LocalAppData. LauncherClient maps and surfaces result codes, UpdateWorkflow and installer invocation now pass explicit --launch-source values, and WelcomeOobeStep persists OOBE completion via the new service. Adds unit tests (CommandContext, OobeStateService, PluginInstallerService), docs/specs/checklists for the contract, and makes internals visible to tests.
This commit is contained in:
lincube
@@ -0,0 +1,8 @@
|
||||
# Launcher OOBE and Elevation Hardening Checklist
|
||||
|
||||
- [ ] New install shows OOBE once.
|
||||
- [ ] Same-user reinstall does not show OOBE again.
|
||||
- [ ] `postinstall` launch path is handled without misclassifying the user state.
|
||||
- [ ] `apply-update` and `plugin-install` do not auto-enter OOBE.
|
||||
- [ ] Default plugin install does not request UAC.
|
||||
- [ ] Logs include OOBE status, suppression reason, and launch source.
|
||||
43
.trae/specs/launcher-oobe-elevation-hardening/spec.md
Normal file
43
.trae/specs/launcher-oobe-elevation-hardening/spec.md
Normal file
@@ -0,0 +1,43 @@
|
||||
# Launcher OOBE and Elevation Hardening Spec
|
||||
|
||||
## Goal
|
||||
|
||||
Stabilize the launcher startup path so that:
|
||||
|
||||
- OOBE does not reappear for the same Windows user after reinstall/upgrade.
|
||||
- Normal startup, OOBE, update checks, incremental downloads, and default plugin installs do not trigger unexpected UAC prompts.
|
||||
- Only the approved elevation paths remain allowed.
|
||||
|
||||
## Scope
|
||||
|
||||
- Launcher OOBE state handling
|
||||
- launch source classification
|
||||
- elevation boundary cleanup
|
||||
- plugin install default behavior
|
||||
- diagnostic logging and troubleshooting guidance
|
||||
|
||||
## Behavior
|
||||
|
||||
- OOBE state is stored as a per-user truth source at `%LOCALAPPDATA%\LanMountainDesktop\.launcher\state\oobe-state.json`.
|
||||
- `first_run_completed` is treated as a legacy compatibility marker only.
|
||||
- `launchSource` values are treated as:
|
||||
- `normal`
|
||||
- `postinstall`
|
||||
- `apply-update`
|
||||
- `plugin-install`
|
||||
- `debug-preview`
|
||||
- Automatic OOBE is allowed only for normal user-mode startup.
|
||||
- `postinstall` may show OOBE only when the launcher is not elevated and user state is available.
|
||||
- `apply-update`, `plugin-install`, and `debug-preview` must not auto-enter OOBE.
|
||||
- Allowed elevation paths are limited to:
|
||||
- the installer itself
|
||||
- full installer update application
|
||||
- user-confirmed legacy uninstall
|
||||
- Default plugin installation targets the current user's LocalAppData scope and must not request elevation by default.
|
||||
|
||||
## Acceptance
|
||||
|
||||
- Same-user reinstall does not re-enter OOBE.
|
||||
- Missing or damaged OOBE state does not silently bounce the user back into OOBE loops.
|
||||
- Default plugin installation path never triggers surprise UAC.
|
||||
- Logs can explain why OOBE was shown or suppressed and why elevation was or was not requested.
|
||||
9
.trae/specs/launcher-oobe-elevation-hardening/tasks.md
Normal file
9
.trae/specs/launcher-oobe-elevation-hardening/tasks.md
Normal file
@@ -0,0 +1,9 @@
|
||||
# Launcher OOBE and Elevation Hardening Tasks
|
||||
|
||||
- [ ] Move OOBE state to a single per-user JSON source.
|
||||
- [ ] Treat `first_run_completed` as legacy migration-only state.
|
||||
- [ ] Add explicit `launchSource` handling for startup and maintenance flows.
|
||||
- [ ] Suppress auto-OOBE for maintenance and elevated launch contexts.
|
||||
- [ ] Remove default elevation from plugin installation into the user data scope.
|
||||
- [ ] Add structured diagnostics for OOBE decisions and elevation reasons.
|
||||
- [ ] Update launcher docs and troubleshooting guidance.
|
||||
@@ -6,3 +6,6 @@
|
||||
- [x] Legacy plugin install arguments still execute.
|
||||
- [x] OOBE and splash are implemented as separate windows.
|
||||
- [x] Update and rollback logic use version directory markers.
|
||||
|
||||
- [ ] Treat `first_run_completed` as legacy-only compatibility data.
|
||||
- [ ] Keep the authoritative OOBE state in `%LOCALAPPDATA%\LanMountainDesktop\.launcher\state\oobe-state.json`.
|
||||
|
||||
@@ -52,3 +52,9 @@ Upgrade `LanMountainDesktop.Launcher` into the unified Launcher for:
|
||||
|
||||
- `IOobeStep` for future multi-step OOBE
|
||||
- `ISplashStageReporter` for future startup progress visualization
|
||||
|
||||
## Compatibility Addendum
|
||||
|
||||
- The current production OOBE state format is a per-user JSON file at `%LOCALAPPDATA%\LanMountainDesktop\.launcher\state\oobe-state.json`.
|
||||
- `first_run_completed` remains legacy compatibility data only.
|
||||
- Same-user reinstall or upgrade should not re-enter OOBE.
|
||||
|
||||
Reference in New Issue
Block a user