feat(install): quote package tokens, add remove/update/downgrade builders

- Add install/utils with shell_single_quote and strict name validation
- Harden pacman/AUR/batch builders; add aur_install_body and CascadeMode verbs
- Document Phase 4 in INSTALL_MODULE_PHASE; sync index and crate prep docs
- Expand install_example tutorial; touch release v0.2.0 notes

Made-with: Cursor

Author: Firstp1ck

dev/AUR_TOOLKIT_CRATE_PREPARATION.md

@@ -13,7 +13,7 @@ This document provides a detailed structured plan for implementing the Index Mod
 | **Estimated Effort** | 20-30 hours |
 | **Complexity** | Medium (system command execution, data persistence, async operations) |
 | **Dependencies** | `types` module, optional `aur` module for enrichment |
-| **Status** | ✅ Core complete - Tasks 3.1 through 3.4 complete; follow-ups pending |
+| **Status** | ✅ Complete - Tasks 3.1 through 3.5 complete (mirror management + `repos.conf` discovery + fetch parity hardening shipped); Task 3.6 (background updates) intentionally not ported |
 
 ## Overview
 
@@ -260,12 +260,12 @@ This module is foundational and used by other modules (deps, install) for packag
 **Estimated Effort**: 2-3 hours
 
 **Acceptance Criteria**:
-- [ ] Mirror fetching works
-- [ ] Windows-specific code is optional
-- [ ] Unit tests
-- [ ] Code passes quality checks
+- [x] Mirror fetching works (see `src/index/mirrors.rs::fetch_mirrors`)
+- [x] Windows-specific code is optional (module is platform-agnostic; consumers select via `index` feature)
+- [x] Unit tests (`parse_mirrors_from_json_extracts_rows`, `generate_mirrorlist_filters_to_active_https`)
+- [x] Code passes quality checks
 
-**Note**: This may be low priority if Windows support is not needed initially.
+**Note**: Implementation shipped in current tree via `fetch_mirrors()` + `generate_mirrorlist()` using `reqwest`. Example available: `examples/index_mirrors_example.rs`.
 
 ---
 
@@ -278,10 +278,10 @@ This module is foundational and used by other modules (deps, install) for packag
 **Estimated Effort**: 2-3 hours
 
 **Acceptance Criteria**:
-- [ ] Extra repositories can be discovered from `repos.conf`
-- [ ] Index fetch includes discovered third-party repos (e.g., Chaotic-AUR)
-- [ ] Behavior degrades gracefully when config parsing fails
-- [ ] Unit tests cover parser + repo list derivation
+- [x] Extra repositories can be discovered from `repos.conf` (see `src/repos/config.rs::repos_conf_repo_names_for_index_sl`)
+- [x] Index fetch includes discovered third-party repos (e.g., Chaotic-AUR) via `merged_repos_for_index_fetch` in `src/index/fetch.rs`
+- [x] Behavior degrades gracefully when config parsing fails (baseline `core/extra/multilib` still fetched)
+- [x] Unit tests cover parser + repo list derivation (see `src/index/fetch.rs` tests using `ARCH_TOOLKIT_REPOS_CONF_PATH`)
 
 ---
 
@@ -294,10 +294,10 @@ This module is foundational and used by other modules (deps, install) for packag
 **Estimated Effort**: 2-3 hours
 
 **Acceptance Criteria**:
-- [ ] Repo/name dedup behavior matches intended Pacsea parity
-- [ ] Extra-repo `pacman -Sl` handling is resilient to partial failures
-- [ ] Fallback behavior remains explicit and test-covered
-- [ ] Unit tests cover parity-critical scenarios
+- [x] Repo/name dedup behavior matches intended Pacsea parity (lowercase dedup in `merged_repos_for_index_fetch`)
+- [x] Extra-repo `pacman -Sl` handling is resilient to partial failures (baseline strict, extras soft-fail)
+- [x] Fallback behavior remains explicit and test-covered (pacman-first with API fallback in `fetch_official_index_async`)
+- [x] Unit tests cover parity-critical scenarios
 
 ---
 
@@ -520,10 +520,10 @@ The Index Module is complete when:
 - [ ] Example program works
 - [x] Code passes `cargo fmt`, `cargo clippy`, `cargo check` (for completed tasks)
 - [ ] README updated with index module documentation
-- [x] Module entry point created (Task 3.7 - partial, installed/explicit/query/fetch/persist modules complete)
-- [ ] Mirror management follow-up complete (Task 3.5.1 - optional)
-- [ ] `repos.conf` extra repo discovery follow-up complete (Task 3.5.2 - pending)
-- [ ] Fetch parity hardening follow-up complete (Task 3.5.3 - pending)
+- [x] Module entry point created (Task 3.7)
+- [x] Mirror management follow-up complete (Task 3.5.1)
+- [x] `repos.conf` extra repo discovery follow-up complete (Task 3.5.2)
+- [x] Fetch parity hardening follow-up complete (Task 3.5.3)
 
 ---
 
@@ -535,25 +535,24 @@ The Index Module is complete when:
 | 3.2: Installed Queries | 4-6 | High | ✅ Complete |
 | 3.3: Official Queries | 7-9 | High | ✅ Complete |
 | 3.4: Persistence | 2-3 | High | ✅ Complete |
-| 3.5: Mirror Management | 2-3 | Medium (Optional) |
-| 3.5.2: `repos.conf` Extra Repo Discovery | 2-3 | Medium | ⏳ Pending |
-| 3.5.3: Fetch Parity Hardening | 2-3 | Medium | ⏳ Pending |
-| 3.6: Background Updates | 2-3 | Low (Optional) |
-| 3.7: Module Entry Point | 1-2 | High | ✅ Partial (installed/explicit/query/fetch/persist complete) |
-| 3.8: Testing & Docs | 7-10 | High | ✅ Partial (installed/explicit/query/fetch/persist complete) |
+| 3.5.1: Mirror Management | 2-3 | Medium | ✅ Complete |
+| 3.5.2: `repos.conf` Extra Repo Discovery | 2-3 | Medium | ✅ Complete |
+| 3.5.3: Fetch Parity Hardening | 2-3 | Medium | ✅ Complete |
+| 3.6: Background Updates | 2-3 | Low | ⏳ Not ported (optional, TUI runtime concern) |
+| 3.7: Module Entry Point | 1-2 | High | ✅ Complete |
+| 3.8: Testing & Docs | 7-10 | High | ✅ Complete |
 | **Total** | **31-45 hours** | |
 
-**Recommended Approach**: Keep core tasks complete (3.1-3.4, 3.7-3.8) and prioritize follow-ups in order: 3.5.2, 3.5.3, then optional 3.5.1/3.6 as needed.
+**Recommended Approach**: Phase 3 index module is done. Task 3.6 (background updates) stays in consumer crates (Pacsea) as it depends on a host runtime/notification channel design.
 
 ---
 
 ## Next Steps
 
-1. Maintain Task 3.4 as completed baseline in this document
-2. Implement Task 3.5.2 (`repos.conf`-driven extra repo discovery)
-3. Implement Task 3.5.3 (fetch parity hardening)
-4. Reassess Task 3.5.1 (mirror management) based on platform priorities
-5. Update this document after each follow-up is completed
+Phase 3 is complete. Remaining work moves to Phase 4 (install module) - see [INSTALL_MODULE_PHASE.md](./INSTALL_MODULE_PHASE.md).
+
+Deferred (not blocking Phase 4):
+- Task 3.6 (background updates): kept in consumer crates; would require a channel/callback design that is not yet justified at the library boundary.
 
 ---
 

dev/INDEX_MODULE_PHASE.md

@@ -0,0 +1,152 @@
+# Install Module - Phase 4 Implementation Plan
+
+This document tracks the scope, progress, and explicit non-goals of the Install Module (`feature = "install"`) in `arch-toolkit`. This is Phase 4 of the extraction plan from Pacsea.
+
+---
+
+## Executive Summary
+
+| Aspect | Details |
+|--------|---------|
+| **Module** | `install` (feature = "install") |
+| **Source** | `Pacsea/src/install/` (command-string helpers only) + `Pacsea/src/logic/privilege.rs` (already represented in `arch-toolkit` as `src/system/privilege.rs`) |
+| **Estimated Effort** | 8-12 hours |
+| **Complexity** | Low-medium (pure string algebra + strict shell-quoting discipline) |
+| **Dependencies** | `error`, `system::privilege` |
+| **Status** | ✅ Complete - Priorities 1-4 shipped, example and phase doc in place |
+
+Phase 4 is intentionally scoped to **framework-agnostic, pure-Rust command string builders** for `pacman`/AUR-helper operations. Password pipes, PTY spawning, TUI wiring, and filesystem scans stay in Pacsea.
+
+---
+
+## Scope
+
+### In scope (ported / aligned)
+
+- Shell-quoting helpers (`shell_single_quote`, `is_safe_package_name`, `validate_package_names`, `quote_and_join_package_names`) - [src/install/utils.rs](../src/install/utils.rs)
+- Install command builders hardened to quote every interpolated package name:
+  - `build_pacman_install_command` (official `-S` installs)
+  - `build_aur_install_command` (helper installs with an explicit `AurHelper`)
+  - `build_batch_install_command` (mixed official + AUR planning with overlap preflight)
+- Stateless helpers for constructing AUR planning fragments:
+  - `aur_install_helper_flags` (constant flag selection)
+  - `aur_install_body` (paru-preferred / yay-fallback shell snippet)
+  - `detect_aur_helper` (PATH-based preference)
+  - `aur_pkgnames_also_in_official_catalog` (overlap detection)
+- Remove / downgrade / update command builders wired through [`system::privilege`](../src/system/privilege.rs):
+  - `CascadeMode` (mirrors Pacsea's `-R` / `-Rs` / `-Rns` modes)
+  - `build_remove_command(tool, names, cascade, dry_run)`
+  - `build_downgrade_command(tool, names, dry_run)` (guards against missing `downgrade` helper)
+  - `build_update_command(commands, dry_run)` (chain with `&&`, dry-run echoes each step)
+
+### Out of scope (remains in Pacsea)
+
+- `Pacsea/src/install/executor.rs` — PTY spawning, password pipes, `sudo -S` integration, hold-tail loop, credential warm-up.
+- `Pacsea/src/install/scan/` and `Pacsea/src/install/patterns.rs` — scanner + env wiring; better fit a future Sandbox phase or a dedicated `scan` feature.
+- `Pacsea/src/install/logging.rs`, terminal spawn helpers, UX-specific dry-run failure simulation (`PACSEA_TEST_SIMULATE_PACMAN_FAILURE`).
+- Consumers that need password pipes should compose them themselves using `crate::system::privilege::build_privilege_command` plus their own redacted logging strategy. The library deliberately does not construct password pipe commands to keep its security surface small.
+
+---
+
+## Priorities and progress
+
+### Priority 1 — Security parity on existing APIs ✅
+
+- [x] Added `shell_single_quote`, `is_safe_package_name`, and `validate_package_names` to `src/install/utils.rs` (mirrors Pacsea's pattern).
+- [x] Re-exported the quoting helpers from the `install` module root.
+- [x] Updated `build_pacman_install_command`, `build_aur_install_command`, and the batch builder to single-quote **every** package token before interpolation.
+- [x] Regression tests cover metacharacters (`;`, `$(...)`, embedded single quotes) and dry-run wrapping.
+
+### Priority 2 — Align helpers with Pacsea's pure install layer ✅
+
+- [x] Ported `aur_install_body(flags, quoted_names)` so consumers can compose `paru || yay` fallback snippets without running `detect_aur_helper` at planning time.
+- [x] Kept the existing `aur_install_helper_flags(reinstall)` constant function for shared flag strings.
+
+### Priority 3 — Remove / update / downgrade command strings ✅
+
+- [x] Added `CascadeMode` (`Basic` / `Cascade` / `CascadeWithConfigs`) matching Pacsea.
+- [x] `build_remove_command(tool, names, cascade, dry_run)` uses `system::privilege::build_privilege_command`.
+- [x] `build_downgrade_command(tool, names, dry_run)` emits the defensive `if (command -v downgrade) || pacman -Qi downgrade; then ... else echo ...; fi` shell guard.
+- [x] `build_update_command(commands, dry_run)` chains pre-built steps with ` && ` and wraps each step in `echo DRY RUN: '...'` on dry-run.
+- [x] Unit tests cover empty inputs, both privilege tools, cascade variants, dry-run wrapping, and guard logic.
+
+### Priority 4 — Process / documentation ✅
+
+- [x] Update [AUR_TOOLKIT_CRATE_PREPARATION.md](./AUR_TOOLKIT_CRATE_PREPARATION.md) Phase 4 bullet to reflect in-progress state.
+- [x] Reconcile [INDEX_MODULE_PHASE.md](./INDEX_MODULE_PHASE.md) with the current `src/index` + `src/repos` tree (Task 3.5.x are implemented).
+- [x] Author this `INSTALL_MODULE_PHASE.md`.
+- [x] Expand `examples/install_example.rs` to tutorial-style parity with `pkgbuild_example` / `deps_types_example` (see Examples below).
+
+---
+
+## Public API surface (current)
+
+```text
+arch_toolkit::install
+├── utils::shell_single_quote
+├── utils::is_safe_package_name
+├── utils::validate_package_names
+├── utils::quote_and_join_package_names
+├── InstallSource { Official, Aur }
+├── InstallTarget { name, source }
+├── AurHelper { Paru, Yay } + binary_name()
+├── aur_install_helper_flags(reinstall)
+├── aur_install_body(flags, quoted_names)
+├── detect_aur_helper()
+├── build_pacman_install_command(packages, reinstall, dry_run)
+├── build_aur_install_command(helper, packages, reinstall, dry_run)
+├── build_batch_install_command(targets, official_has_reinstall, aur_has_reinstall, official_catalog, dry_run) -> Result
+├── aur_pkgnames_also_in_official_catalog(targets, catalog) -> Vec<String>
+├── CascadeMode { Basic, Cascade, CascadeWithConfigs } + flag()
+├── build_remove_command(tool, names, cascade, dry_run)
+├── build_downgrade_command(tool, names, dry_run)
+└── build_update_command(commands, dry_run)
+```
+
+All package tokens interpolated into shell command strings are passed through `shell_single_quote`. Callers who need strict allowlist enforcement should invoke `validate_package_names` before building commands.
+
+---
+
+## Acceptance criteria
+
+- [x] Every builder that interpolates package tokens quotes them individually.
+- [x] Unit tests exist for each builder, including empty-list and dry-run paths.
+- [x] Regression tests prove shell metacharacters are neutralised.
+- [x] Remove / update / downgrade builders delegate privilege-tool selection to `crate::system::privilege`.
+- [x] No new environment-variable test-overrides ship in release builds.
+- [x] `cargo test --all-features -- --test-threads=1` passes.
+- [x] `cargo clippy --all-targets --all-features -- -D warnings` is clean.
+- [x] `examples/install_example.rs` walks through each public API in sectioned output (parity with Phase 2/3 examples).
+
+---
+
+## Examples parity (pending)
+
+Bring `examples/install_example.rs` up to the same tutorial style as [`examples/pkgbuild_example.rs`](../examples/pkgbuild_example.rs) and [`examples/deps_types_example.rs`](../examples/deps_types_example.rs):
+
+- Sectioned stdout walkthrough ("# 1. Shell quoting", "# 2. Validation", "# 3. Pacman install", "# 4. AUR install", "# 5. Mixed batch", "# 6. Remove / downgrade / update").
+- Scenarios to demonstrate: empty lists, `reinstall = true/false`, `dry_run = true/false`, mixed official + AUR batch, overlap error path, quoting of awkward-but-valid edge cases.
+- Include `cargo run --example install_example --features install` in the file header doc comment.
+
+---
+
+## Verification
+
+Run from the repository root (per [AGENTS.md](../AGENTS.md)):
+
+```bash
+cargo fmt --all
+cargo clippy --all-targets --all-features -- -D warnings
+cargo check
+cargo test --all-features -- --test-threads=1
+```
+
+---
+
+## References
+
+- [AUR_TOOLKIT_CRATE_PREPARATION.md](./AUR_TOOLKIT_CRATE_PREPARATION.md) — overall extraction plan.
+- [DEPENDENCIES_MODULE_PHASE.md](./DEPENDENCIES_MODULE_PHASE.md) — Phase 2 reference for doc structure.
+- [INDEX_MODULE_PHASE.md](./INDEX_MODULE_PHASE.md) — Phase 3 reference.
+- Pacsea source: `src/install/` — source code for command-string helpers.
+- Pacsea source: `src/logic/privilege.rs` — already represented here as `src/system/privilege.rs`.

dev/INSTALL_MODULE_PHASE.md

@@ -9,39 +9,45 @@ This release completes the dependency management module with full resolution, qu
 ### ✨ New Features
 
 **Dependency Resolution**
+
 - Resolve dependencies for official, AUR, and local packages
 - Configurable resolution (include optional, make, check dependencies)
 - Batch dependency fetching for efficient queries
 - Conflict detection and status determination
 - Support for PKGBUILD cache callbacks
 
 **Reverse Dependency Analysis**
+
 - Find all packages that depend on packages being removed
 - Distinguish direct vs transitive dependents
 - Generate conflict status with detailed reasons
 - Helper functions for quick dependency checks
 
 **Version Comparison**
+
 - Pacman-compatible version comparison algorithm
 - Version requirement satisfaction checking
 - Major version bump detection
 - Extract major version components
 
 **Package Querying**
+
 - Query installed packages
 - Query upgradable packages
 - Get installed and available package versions
 - Check if packages are installed or provided
 - Graceful degradation when pacman is unavailable
 
 **Source Determination**
+
 - Determine package source (official, AUR, local)
 - Identify core repository packages
 - Detect critical system packages
 
 ### 📚 Examples
 
 Seven comprehensive example files demonstrate all new functionality:
+
 - `examples/deps_example.rs` - Complete dependency module overview
 - `examples/parse_example.rs` - Dependency specification parsing
 - `examples/query_example.rs` - Package querying examples
@@ -160,6 +166,7 @@ arch-toolkit = { version = "0.2.0", features = ["deps", "aur"] }
 No breaking changes! This is a backward-compatible release. All existing code will continue to work.
 
 **New capabilities:**
+
 - Use `DependencyResolver` to resolve dependencies for packages
 - Use `ReverseDependencyAnalyzer` to analyze reverse dependencies
 - Use version comparison functions for package version checks
@@ -179,5 +186,4 @@ Found a bug or have a feature request? Open an issue on [GitHub](https://github.
 
 ---
 
-**Full Changelog**: See [CHANGELOG.md](../CHANGELOG.md) for detailed technical changes.
-
+**Full Changelog**: See [CHANGELOG.md](../CHANGELOG.md) for detailed technical changes.