fix(lifecycle): roll back bun install when trust verification fails #402
When bun add -g succeeds but post-install trust verification fails, installAgent() falls through to the next install method and leaves a duplicate Bun global package on disk. Roll back packages added by a successful bun add -g before reporting install failure. Update paths are unchanged. OpenSpec change: fix-bun-install-trust-rollback
Quantex PR Governance — #402
Verdict: Non-blocking governance pass. No approval.
Note: This PR merged to main before this review completed. Assessment is retrospective; remaining work is post-merge archive closure.
OpenSpec intake — pass
- Observable lifecycle behavior change correctly used OpenSpec change fix-bun-install-trust-rollback with proposal, design, spec delta, and tasks before code.
- Change remains active on main by design until archive follow-up — expected.
Validation — pass
- Checklist matches the changed surface: memory:check, lint, format, typecheck, and test for src/package-manager/ behavior.
- CI green: classify, lint, cross-platform test, sandbox-tests, and validate-body. No failures to triage.
PR body / closure — pass with minor gaps
- Template sections present; PR Governance / validate-body succeeded.
- Release intent patch matches fix: commit metadata.
- Non-blocking: bun run openspec:validate is in tasks.md but not the PR Validation checklist.
- Non-blocking: Closure Check only marks OpenSpec; working-tree / branch-pushed items are unchecked (acceptable given merge delivery).
- Non-blocking: No linked issue for regression context.
Post-merge owners
- OpenSpec Archive agent: Sync the rollback scenario additively into openspec/specs/agent-update/spec.md (do not drop existing Bun trust scenarios), then archive fix-bun-install-trust-rollback.
- Release automation: Patch release via release-please when main CI is green.
Reviewers
Maintainer-authored final commit on a cursor branch; no additional reviewer request (PR already merged).
Sent by Cursor Automation: Quantex CLI PR Governance
### Requirement: Bun-managed updates MUST trust requested blocked lifecycle scripts across platform path styles

The agent update system SHALL recognize Bun global untrusted package output for requested managed packages regardless of whether Bun prints `node_modules` paths with POSIX or Windows separators. When the untrusted probe cannot be read after a successful Bun global install or update command, Quantex SHALL NOT report that managed operation as successful. When trust verification fails after a successful Bun global **install** command, Quantex SHALL roll back the newly added package before reporting install failure.
Non-blocking (archive follow-up): This delta re-lists existing Bun trust scenarios plus the new rollback scenario. The archive PR must merge additively into openspec/specs/agent-update/spec.md — extend the existing requirement with the rollback sentence/scenario only; do not replace or drop the current spec text.
## 2. Validation

- [x] 2.1 Run `bun run lint`, `bun run format:check`, `bun run typecheck`, and `bun run test`
- [x] 2.2 Run `bun run openspec:validate`
Non-blocking: bun run openspec:validate is recorded here but omitted from the PR Validation checklist. For future behavior PRs, mirror OpenSpec validation in the template checklist when openspec/ changes.
Summary
Fix a high-severity install bug where Bun global install could succeed on disk but fail trust verification, return false, and leave installAgent() to fall through to npm — creating duplicate global installs and untracked Bun packages. The fix rolls back packages added by a successful bun add -g when trust verification fails afterward, before reporting install failure. Update paths are unchanged.
Linked Artifacts
openspec/changes/fix-bun-install-trust-rollback
Validation
bun run memory:check
bun run lint
bun run format:check
bun run typecheck
bun run test (if behavior changed)
Release Intent
Docs Updated
openspec/...
Scope Check
Closure Check
Notes
Bug impact: Duplicate global installs (Bun + npm) and incorrect install-source tracking when Bun trust verification fails after a successful add.
Trigger scenario: Agent with Bun-first install methods; bun add -g succeeds; bun pm -g untrusted or bun pm -g trust fails.
Root cause: runGlobalBunCommandWithTrust() returned failure without rolling back the successful add, and installAgent() tried the next install method.
Fix: Best-effort bun remove -g rollback for packages added when trust fails after bun add -g.
Remaining owner: Archive follow-up for fix-bun-install-trust-rollback after merge.
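The root cause and fix described in the notes above, as an added TypeScript example that is not Quantex's own code: installGlobalWithTrust is a hypothetical stand-in for runGlobalBunCommandWithTrust(), the Bun command runner is injected as a constructed fake so the flow runs offline, and the rollback flag switches between the pre-fix behaviour (package left on disk for the next install method to duplicate) and the fixed one.

```typescript
// Added example (not Quantex code): models the install path this PR changes.
// A command runner is injected so the flow runs offline against a fake "bun".
type Runner = (argv: string[]) => { ok: boolean };

interface InstallResult { success: boolean; rolledBack: string[] }

// Install packages globally with Bun, verify trust, and (when rollback is enabled)
// undo the add if verification fails, so a later fallback method cannot duplicate it.
function installGlobalWithTrust(
  packages: string[],
  run: Runner,
  rollback: boolean, // false reproduces the pre-fix behaviour, true the fixed one
): InstallResult {
  if (!run(["bun", "add", "-g", ...packages]).ok) return { success: false, rolledBack: [] };
  // Trust verification: read the untrusted probe, then trust the requested packages.
  const trusted =
    run(["bun", "pm", "-g", "untrusted"]).ok && run(["bun", "pm", "-g", "trust", ...packages]).ok;
  if (trusted) return { success: true, rolledBack: [] };
  const rolledBack: string[] = [];
  if (rollback) {
    // Best effort: a failed remove leaves the package out of rolledBack,
    // but the verdict stays "install failed" either way.
    for (const pkg of packages) {
      if (run(["bun", "remove", "-g", pkg]).ok) rolledBack.push(pkg);
    }
  }
  return { success: false, rolledBack };
}

// Constructed fake Bun: tracks the global package set and lets a test inject failures.
function makeFakeBun(opts: { trustFails: boolean; removeFails?: boolean }) {
  const installed = new Set<string>();
  const run: Runner = ([, sub, flag, ...rest]) => {
    if (sub === "add" && flag === "-g") { rest.forEach((p) => installed.add(p)); return { ok: true }; }
    if (sub === "remove" && flag === "-g") {
      if (opts.removeFails) return { ok: false };
      rest.forEach((p) => installed.delete(p));
      return { ok: true };
    }
    if (sub === "pm" && flag === "-g") return { ok: !opts.trustFails }; // untrusted probe / trust
    return { ok: false };
  };
  return { run, installed };
}
```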