fix: update runSetup to use CheckLatestTag and pass tag to Install

CheckLatestVersion was removed in favor of CheckLatestTag, but runSetup
was missed. Also passes the resolved tag to Install so the upgrade
installs the exact version that was checked.

Author: Joyce-O

cmd/greywall/main.go

@@ -586,30 +586,6 @@ func runCommand(cmd *cobra.Command, args []string) error {
 		}
 	}
 
-	// Inject keyring secrets for active profiles (Linux only).
-	// This reads from the host keyring before sandboxing blocks D-Bus access.
-	// Check the command itself and any explicitly loaded profiles.
-	if !learning {
-		profileNames := []string{cmdName}
-		if profileName != "" {
-			for _, name := range strings.Split(profileName, ",") {
-				name = strings.TrimSpace(name)
-				if name != "" {
-					profileNames = append(profileNames, name)
-				}
-			}
-		}
-		for _, name := range profileNames {
-			canonical := profiles.IsKnownAgent(name)
-			if canonical == "" {
-				continue
-			}
-			if secrets := profiles.GetKeyringSecrets(canonical); secrets != nil {
-				hardenedEnv = append(hardenedEnv, profiles.ResolveKeyringSecrets(secrets, debug)...)
-			}
-		}
-	}
-
 	execCmd := exec.Command("sh", "-c", sandboxedCommand) //nolint:gosec // sandboxedCommand is constructed from user input - intentional
 	execCmd.Env = hardenedEnv
 	execCmd.Stdin = os.Stdin
@@ -805,9 +781,9 @@ func runCheck(_ *cobra.Command, _ []string) error {
 			fmt.Println(sandbox.CheckFail("greyproxy running"))
 			steps = append(steps, "greywall setup")
 		}
-		if latestTag, err := proxy.CheckLatestTag(false); err == nil {
-			latest := strings.TrimPrefix(latestTag, "v")
-			if proxy.IsOlderVersion(status.Version, latest) {
+		if latestTag, err := proxy.CheckLatestTag(); err == nil {
+			if proxy.IsOlderVersion(status.Version, latestTag) {
+				latest := strings.TrimPrefix(latestTag, "v")
 				fmt.Println(sandbox.CheckFail(fmt.Sprintf("greyproxy up-to-date (v%s available, installed v%s)", latest, status.Version)))
 				steps = append(steps, upgradeHint)
 			}
@@ -859,14 +835,15 @@ func runSetup(_ *cobra.Command, _ []string) error {
 	status := proxy.Detect()
 
 	if status.Installed && status.Running {
-		latest, err := proxy.CheckLatestVersion()
+		latestTag, err := proxy.CheckLatestTag()
 		if err != nil {
 			fmt.Fprintf(os.Stderr, "Warning: could not check for updates: %v\n", err)
 			fmt.Printf("greyproxy is already installed (v%s) and running.\n", status.Version)
 			fmt.Printf("Run 'greywall check' for full status.\n")
 			return nil
 		}
-		if proxy.IsOlderVersion(status.Version, latest) {
+		if proxy.IsOlderVersion(status.Version, latestTag) {
+			latest := strings.TrimPrefix(latestTag, "v")
 			fmt.Printf("greyproxy update available: v%s -> v%s\n", status.Version, latest)
 			if proxy.IsBrewManaged(status.Path) {
 				fmt.Printf("greyproxy is managed by Homebrew. To update, run:\n")

internal/proxy/install.go

@@ -38,14 +38,14 @@ type asset struct {
 // InstallOptions controls the greyproxy installation behavior.
 type InstallOptions struct {
 	Output io.Writer // progress output (typically os.Stderr)
-	Tag    string    // specific tag to install; if empty, uses latest stable
-	Beta   bool      // if Tag is empty and Beta is true, fetches latest pre-release tag
 }
 
 // IsOlderVersion returns true if current is strictly older than latest,
 // or if current is not a valid semver string (e.g. "dev").
-// Both strings should be in "major.minor.patch" format (no "v" prefix).
+// Accepts strings with or without a "v" prefix (e.g. "v1.2.3" or "1.2.3").
 func IsOlderVersion(current, latest string) bool {
+	current = strings.TrimPrefix(current, "v")
+	latest = strings.TrimPrefix(latest, "v")
 	cp := strings.SplitN(current, ".", 3)
 	lp := strings.SplitN(latest, ".", 3)
 	if len(lp) != 3 {
@@ -85,21 +85,7 @@ func Install(opts InstallOptions) error {
 		opts.Output = os.Stderr
 	}
 
-	// Resolve which tag to install
-	var rel *release
-	var err error
-	switch {
-	case opts.Tag != "":
-		rel, err = fetchReleaseFor(nil, "", githubOwner, githubRepo, opts.Tag)
-	case opts.Beta:
-		tag, tagErr := fetchLatestPreReleaseTagFor(nil, "", githubOwner, githubRepo)
-		if tagErr != nil {
-			return fmt.Errorf("failed to fetch latest pre-release: %w", tagErr)
-		}
-		rel, err = fetchReleaseFor(nil, "", githubOwner, githubRepo, tag)
-	default:
-		rel, err = fetchLatestRelease()
-	}
+	rel, err := fetchLatestRelease()
 	if err != nil {
 		return fmt.Errorf("failed to fetch release: %w", err)
 	}
@@ -155,26 +141,16 @@ func Install(opts InstallOptions) error {
 }
 
 // CheckLatestTag returns the latest greyproxy release tag (with "v" prefix).
-// If beta is true, returns the latest pre-release tag.
-func CheckLatestTag(beta bool) (string, error) {
-	return CheckLatestTagFor(githubOwner, githubRepo, beta)
-}
-
-// CheckLatestTagFor returns the latest release tag for any GitHub repo.
-// If beta is true, returns the latest pre-release tag; otherwise returns the latest stable tag.
-func CheckLatestTagFor(owner, repo string, beta bool) (string, error) {
-	return checkLatestTagFor(nil, "", owner, repo, beta)
+func CheckLatestTag() (string, error) {
+	return checkLatestTag(nil, "")
 }
 
-func checkLatestTagFor(client *http.Client, apiBase, owner, repo string, beta bool) (string, error) {
-	if !beta {
-		rel, err := fetchReleaseFor(client, apiBase, owner, repo, "latest")
-		if err != nil {
-			return "", err
-		}
-		return rel.TagName, nil
+func checkLatestTag(client *http.Client, apiBase string) (string, error) {
+	rel, err := fetchReleaseFor(client, apiBase, githubOwner, githubRepo, "latest")
+	if err != nil {
+		return "", err
 	}
-	return fetchLatestPreReleaseTagFor(client, apiBase, owner, repo)
+	return rel.TagName, nil
 }
 
 // fetchLatestRelease queries the GitHub API for the latest greyproxy release.
@@ -337,50 +313,3 @@ func fetchReleaseFor(client *http.Client, apiBase, owner, repo, endpoint string)
 	}
 	return &rel, nil
 }
-
-// fetchLatestPreReleaseTagFor returns the most recent pre-release tag for the given repo.
-// client and apiBase are optional; nil/empty use production defaults.
-func fetchLatestPreReleaseTagFor(client *http.Client, apiBase, owner, repo string) (string, error) {
-	if client == nil {
-		client = &http.Client{Timeout: apiTimeout}
-	}
-	if apiBase == "" {
-		apiBase = "https://api.github.com"
-	}
-	apiURL := fmt.Sprintf("%s/repos/%s/%s/releases?per_page=20", apiBase, owner, repo)
-
-	ctx, cancel := context.WithTimeout(context.Background(), apiTimeout)
-	defer cancel()
-
-	req, err := http.NewRequestWithContext(ctx, http.MethodGet, apiURL, nil)
-	if err != nil {
-		return "", err
-	}
-	req.Header.Set("Accept", "application/vnd.github+json")
-	req.Header.Set("User-Agent", "greywall-setup")
-
-	resp, err := client.Do(req) //nolint:gosec // apiURL is built from controlled inputs
-	if err != nil {
-		return "", fmt.Errorf("GitHub API request failed: %w", err)
-	}
-	defer func() { _ = resp.Body.Close() }()
-
-	if resp.StatusCode != http.StatusOK {
-		return "", fmt.Errorf("GitHub API returned status %d", resp.StatusCode)
-	}
-
-	var releases []struct {
-		TagName    string `json:"tag_name"`
-		PreRelease bool   `json:"prerelease"`
-	}
-	if err := json.NewDecoder(resp.Body).Decode(&releases); err != nil {
-		return "", fmt.Errorf("failed to parse releases response: %w", err)
-	}
-
-	for _, r := range releases {
-		if r.PreRelease {
-			return r.TagName, nil
-		}
-	}
-	return "", fmt.Errorf("no pre-release found for %s/%s", owner, repo)
-}

internal/proxy/install_test.go

@@ -46,9 +46,9 @@ func TestIsOlderVersion(t *testing.T) {
 	}
 }
 
-func TestCheckLatestTagFor_Stable(t *testing.T) {
+func TestCheckLatestTag_OK(t *testing.T) {
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if r.URL.Path != "/repos/owner/repo/releases/latest" {
+		if r.URL.Path != "/repos/greyhavenhq/greyproxy/releases/latest" {
 			http.NotFound(w, r)
 			return
 		}
@@ -57,7 +57,7 @@ func TestCheckLatestTagFor_Stable(t *testing.T) {
 	}))
 	defer srv.Close()
 
-	tag, err := checkLatestTagFor(srv.Client(), srv.URL, "owner", "repo", false)
+	tag, err := checkLatestTag(srv.Client(), srv.URL)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
@@ -66,61 +66,13 @@ func TestCheckLatestTagFor_Stable(t *testing.T) {
 	}
 }
 
-func TestCheckLatestTagFor_Beta(t *testing.T) {
-	releases := []struct {
-		TagName    string `json:"tag_name"`
-		PreRelease bool   `json:"prerelease"`
-	}{
-		{TagName: "v2.0.0-beta.1", PreRelease: true},
-		{TagName: "v1.9.0", PreRelease: false},
-	}
-
-	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if r.URL.Path != "/repos/owner/repo/releases" {
-			http.NotFound(w, r)
-			return
-		}
-		w.Header().Set("Content-Type", "application/json")
-		_ = json.NewEncoder(w).Encode(releases)
-	}))
-	defer srv.Close()
-
-	tag, err := checkLatestTagFor(srv.Client(), srv.URL, "owner", "repo", true)
-	if err != nil {
-		t.Fatalf("unexpected error: %v", err)
-	}
-	if tag != "v2.0.0-beta.1" {
-		t.Errorf("got tag %q, want %q", tag, "v2.0.0-beta.1")
-	}
-}
-
-func TestCheckLatestTagFor_BetaNoneFound(t *testing.T) {
-	releases := []struct {
-		TagName    string `json:"tag_name"`
-		PreRelease bool   `json:"prerelease"`
-	}{
-		{TagName: "v1.9.0", PreRelease: false},
-	}
-
-	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.Header().Set("Content-Type", "application/json")
-		_ = json.NewEncoder(w).Encode(releases)
-	}))
-	defer srv.Close()
-
-	_, err := checkLatestTagFor(srv.Client(), srv.URL, "owner", "repo", true)
-	if err == nil {
-		t.Fatal("expected error when no pre-release found, got nil")
-	}
-}
-
-func TestCheckLatestTagFor_APIError(t *testing.T) {
+func TestCheckLatestTag_APIError(t *testing.T) {
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, "rate limited", http.StatusTooManyRequests)
 	}))
 	defer srv.Close()
 
-	_, err := checkLatestTagFor(srv.Client(), srv.URL, "owner", "repo", false)
+	_, err := checkLatestTag(srv.Client(), srv.URL)
 	if err == nil {
 		t.Fatal("expected error on non-200 response, got nil")
 	}