
fix(lifecycle): roll back bun install when trust verification fails #402

Merged: Drswith merged 1 commit into main from cursor/critical-quantex-cli-bugs-895c on Jul 2, 2026

Conversation

@cursor cursor Bot commented Jul 2, 2026

Contributor

Summary

Fix a high-severity install bug where Bun global install could succeed on disk but fail trust verification, return false, and leave installAgent() to fall through to npm — creating duplicate global installs and untracked Bun packages.

The fix rolls back packages added by a successful bun add -g when trust verification fails afterward, before reporting install failure. Update paths are unchanged.

Linked Artifacts

  • Issue:
  • ADR:
  • OpenSpec: openspec/changes/fix-bun-install-trust-rollback
  • Discussion:

Validation

  • bun run memory:check
  • bun run lint
  • bun run format:check
  • bun run typecheck
  • bun run test (if behavior changed)

Release Intent

  • Release: patch - bug fix

Docs Updated

  • openspec/...

Scope Check

  • I did not add a new ad hoc root-level Markdown file.
  • I updated the relevant issue, ADR, spec, runbook, or captured the missing doc work as follow-up.
  • I did not silently expand project scope without recording it explicitly.

Closure Check

  • OpenSpec change is still active by design until merge, queued for agent-driven archive closure.

Notes

Bug impact: Duplicate global installs (Bun + npm) and incorrect install-source tracking when Bun trust verification fails after a successful add.

Trigger scenario: Agent with Bun-first install methods; bun add -g succeeds; bun pm -g untrusted or bun pm -g trust fails.

Root cause: runGlobalBunCommandWithTrust() returned failure without rolling back the successful add, and installAgent() tried the next install method.

Fix: Best-effort bun remove -g rollback for packages added when trust fails after bun add -g.

Remaining owner: Archive follow-up for fix-bun-install-trust-rollback after merge.


When bun add -g succeeds but post-install trust verification fails,
installAgent() falls through to the next install method and leaves a
duplicate Bun global package on disk.

Roll back packages added by a successful bun add -g before reporting
install failure. Update paths are unchanged.

OpenSpec change: fix-bun-install-trust-rollback
Drswith force-pushed the cursor/critical-quantex-cli-bugs-895c branch from 44c8beb to d895b45 on July 2, 2026 01:28
Drswith marked this pull request as ready for review July 2, 2026 01:30
Drswith merged commit ac25c92 into main Jul 2, 2026 (9 checks passed)
Drswith deleted the cursor/critical-quantex-cli-bugs-895c branch July 2, 2026 01:30

@cursor cursor Bot left a comment

Contributor Author


Quantex PR Governance — #402

Verdict: Non-blocking governance pass. No approval.

Note: This PR merged to main before this review completed. Assessment is retrospective; remaining work is post-merge archive closure.

OpenSpec intake — pass

  • Observable lifecycle behavior change correctly used OpenSpec change fix-bun-install-trust-rollback with proposal, design, spec delta, and tasks before code.
  • Change remains active on main by design until archive follow-up — expected.

Validation — pass

  • Checklist matches the changed surface: memory:check, lint, format, typecheck, and test for src/package-manager/ behavior.
  • CI green: classify, lint, cross-platform test, sandbox-tests, and validate-body. No failures to triage.

PR body / closure — pass with minor gaps

  • Template sections present; PR Governance / validate-body succeeded.
  • Release intent patch matches fix: commit metadata.
  • Non-blocking: bun run openspec:validate is in tasks.md but not the PR Validation checklist.
  • Non-blocking: Closure Check only marks OpenSpec; working-tree / branch-pushed items are unchecked (acceptable given merge delivery).
  • Non-blocking: No linked issue for regression context.

Post-merge owners

  • OpenSpec Archive agent: Sync the rollback scenario additively into openspec/specs/agent-update/spec.md (do not drop existing Bun trust scenarios), then archive fix-bun-install-trust-rollback.
  • Release automation: Patch release via release-please when main CI is green.

Reviewers

Maintainer-authored final commit on a cursor branch; no additional reviewer request (PR already merged).


Sent by Cursor Automation: Quantex CLI PR Governance


### Requirement: Bun-managed updates MUST trust requested blocked lifecycle scripts across platform path styles

The agent update system SHALL recognize Bun global untrusted package output for requested managed packages regardless of whether Bun prints `node_modules` paths with POSIX or Windows separators. When the untrusted probe cannot be read after a successful Bun global install or update command, Quantex SHALL NOT report that managed operation as successful. When trust verification fails after a successful Bun global **install** command, Quantex SHALL roll back the newly added package before reporting install failure.

Contributor Author


Non-blocking (archive follow-up): This delta re-lists existing Bun trust scenarios plus the new rollback scenario. The archive PR must merge additively into openspec/specs/agent-update/spec.md — extend the existing requirement with the rollback sentence/scenario only; do not replace or drop the current spec text.
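The install, verify, roll-back sequence from the PR body (Notes: add succeeds, `bun pm -g untrusted` / `bun pm -g trust` fails, best-effort `bun remove -g`) and the separator-agnostic `node_modules` match required by the spec delta above, written out as an added TypeScript example. This is not Quantex's code: `installGlobalBunPackageWithTrust`, the injected `Runner`, `makeFakeRunner` and the sample `bun pm -g untrusted` output lines are assumptions standing in for runGlobalBunCommandWithTrust(), the real shell and Bun's real output format.

```typescript
// Added example (not Quantex's own code). Models the Bun-first install path
// described in PR #402: `bun add -g` succeeds, trust verification runs
// afterwards, and a verification failure rolls the package back instead of
// leaving it on disk for installAgent() to fall through to npm.
// Assumptions: the command runner is injected so this runs offline; the
// `bun pm -g untrusted` line format (a node_modules path followed by " @version")
// is an assumption about Bun's output, not taken from the PR.

type CmdResult = { ok: boolean; stdout: string; stderr: string };
type Runner = (args: string[]) => CmdResult;

type InstallOutcome =
  | { status: "installed" }
  | { status: "add-failed"; stderr: string }
  | { status: "trust-failed"; rolledBack: boolean; reason: string };

// True if the untrusted probe lists `pkg`, whether Bun printed
// `node_modules/pkg` (POSIX) or `node_modules\pkg` (Windows).
function isListedUntrusted(untrustedOutput: string, pkg: string): boolean {
  const normalized = untrustedOutput.replace(/\\/g, "/");
  const escaped = pkg.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  // Lookahead stops `tool` from matching `tooling`; `m` lets `$` match line ends.
  return new RegExp(`node_modules/${escaped}(?=[\\s@]|$)`, "m").test(normalized);
}

function installGlobalBunPackageWithTrust(pkg: string, run: Runner): InstallOutcome {
  const add = run(["bun", "add", "-g", pkg]);
  if (!add.ok) return { status: "add-failed", stderr: add.stderr };

  // Best-effort rollback: the package is already on disk, so remove it before
  // reporting failure. A failed remove is recorded but does not change the verdict.
  const failAndRollBack = (reason: string): InstallOutcome => {
    const rm = run(["bun", "remove", "-g", pkg]);
    return { status: "trust-failed", rolledBack: rm.ok, reason };
  };

  const probe = run(["bun", "pm", "-g", "untrusted"]);
  if (!probe.ok) return failAndRollBack("untrusted probe could not be read");
  if (!isListedUntrusted(probe.stdout, pkg)) return { status: "installed" };

  const trust = run(["bun", "pm", "-g", "trust", pkg]);
  if (!trust.ok) return failAndRollBack(`bun pm -g trust failed: ${trust.stderr.trim()}`);
  return { status: "installed" };
}

// Fake runner standing in for the real shell; records every command so the
// caller can check that the rollback actually happened.
function makeFakeRunner(opts: { untrustedOutput: string; trustOk: boolean; removeOk: boolean }) {
  const log: string[] = [];
  const run: Runner = (args) => {
    const cmd = args.join(" ");
    log.push(cmd);
    if (cmd.startsWith("bun add -g ")) return { ok: true, stdout: "", stderr: "" };
    if (cmd === "bun pm -g untrusted") return { ok: true, stdout: opts.untrustedOutput, stderr: "" };
    if (cmd.startsWith("bun pm -g trust ")) {
      return { ok: opts.trustOk, stdout: "", stderr: opts.trustOk ? "" : "error: trust failed" };
    }
    if (cmd.startsWith("bun remove -g ")) return { ok: opts.removeOk, stdout: "", stderr: "" };
    return { ok: false, stdout: "", stderr: `unexpected command: ${cmd}` };
  };
  return { run, log };
}

// Constructed scenario from the PR's trigger description: add succeeds, the
// probe lists the package (Windows-style path), trust fails, remove succeeds.
const WINDOWS_UNTRUSTED_OUTPUT =
  "C:\\Users\\me\\.bun\\install\\global\\node_modules\\@scope\\tool @1.2.3\n" +
  " » [postinstall]: node scripts/postinstall.js\n";

function demoTrustFailure(): { outcome: InstallOutcome; log: string[] } {
  const { run, log } = makeFakeRunner({
    untrustedOutput: WINDOWS_UNTRUSTED_OUTPUT,
    trustOk: false,
    removeOk: true,
  });
  const outcome = installGlobalBunPackageWithTrust("@scope/tool", run);
  return { outcome, log };
}

const demo = demoTrustFailure();
console.log(demo.outcome);
console.log(demo.log);
```

Two design points match the spec text above: an unreadable untrusted probe is treated the same as a failed trust command (the install is not reported as successful, and the package is rolled back), and the `bun remove -g` is best-effort, so a failed remove still yields a failure verdict rather than silently letting the caller try the next install method.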

## 2. Validation

- [x] 2.1 Run `bun run lint`, `bun run format:check`, `bun run typecheck`, and `bun run test`
- [x] 2.2 Run `bun run openspec:validate`

Contributor Author


Non-blocking: bun run openspec:validate is recorded here but omitted from the PR Validation checklist. For future behavior PRs, mirror OpenSpec validation in the template checklist when openspec/ changes.

Labels: None yet

Projects: None yet



1 participant