fix: enforce Watchtower scope and labels in compose generation for legacy user configs

Author: MRColorR

tests/test_generator.py

@@ -158,6 +158,51 @@ def test_watchtower_service_omitted_when_disabled(self):
         doc = self._compose(watchtower_enabled=False)
         self.assertNotIn("watchtower", doc.get("services", {}))
 
+    def test_watchtower_scope_enforced_on_old_user_config(self):
+        """Scope env vars and label are injected even when old user-config lacks them."""
+        import copy
+
+        # Simulate an older user-config whose watchtower service has no scope entries
+        user_cfg = copy.deepcopy(_USER_CFG_BASE)
+        user_cfg["compose_config_common"]["watchtower_service"]["proxy_disabled"] = {
+            "container_name": "${DEVICE_NAME}_watchtower",
+            "image": "nickfedor/watchtower:latest",
+            # intentionally missing WATCHTOWER_SCOPE env and scope label
+            "environment": ["WATCHTOWER_CLEANUP=true"],
+            "labels": ["com.centurylinklabs.watchtower.enable=true"],
+            "volumes": ["/var/run/docker.sock:/var/run/docker.sock"],
+            "restart": "always",
+        }
+
+        with tempfile.NamedTemporaryFile(mode="w", delete=False, suffix=".yaml") as f:
+            compose_path = f.name
+        try:
+            assemble_docker_compose(
+                _M4B_CFG, _APP_CFG, user_cfg, compose_path, is_main_instance=True
+            )
+            with open(compose_path) as f:
+                doc = yaml.safe_load(f) or {}
+        finally:
+            if os.path.exists(compose_path):
+                os.unlink(compose_path)
+
+        wt = doc.get("services", {}).get("watchtower", {})
+        env = wt.get("environment", [])
+        labels = wt.get("labels", [])
+
+        self.assertTrue(
+            any("WATCHTOWER_SCOPE" in e for e in env),
+            "WATCHTOWER_SCOPE must be enforced in watchtower environment",
+        )
+        self.assertTrue(
+            any("WATCHTOWER_LABEL_ENABLE" in e for e in env),
+            "WATCHTOWER_LABEL_ENABLE must be enforced in watchtower environment",
+        )
+        self.assertTrue(
+            any("watchtower.scope" in lbl for lbl in labels),
+            "scope label must be enforced on watchtower service",
+        )
+
 
 if __name__ == "__main__":
     unittest.main()

utils/fn_setupApps.py

@@ -735,11 +735,17 @@ def setup_watchtower(user_config: dict[str, Any]) -> None:
             print("Keeping existing Watchtower settings.")
             logging.info("User chose to keep existing Watchtower settings.")
             return
+    else:
+        print("The M4B built-in Watchtower (auto-updater) is currently disabled.")
+        if not ask_question_yn("Do you want to change the Watchtower settings?"):
+            print("Keeping existing Watchtower settings (Watchtower remains disabled).")
+            logging.info("User chose to keep existing Watchtower settings (disabled).")
+            return
 
     if ask_question_yn(
         "Do you want M4B to manage container auto-updates via its built-in Watchtower?\n"
         "(Disable only if another Watchtower instance is already running on this host)",
-        default=True,
+        default=current_enabled,
     ):
         watchtower_config["enabled"] = True
         print("M4B built-in Watchtower enabled. Container images will be auto-updated.")

utils/generator.py

@@ -1,3 +1,4 @@
+import copy
 import logging
 import os
 import re
@@ -305,9 +306,28 @@ def assemble_docker_compose(
                 watchtower_service_key = (
                     "proxy_enabled" if proxy_enabled else "proxy_disabled"
                 )
-                watchtower_service = compose_config_common["watchtower_service"][
-                    watchtower_service_key
-                ]
+                watchtower_service = copy.deepcopy(
+                    compose_config_common["watchtower_service"][watchtower_service_key]
+                )
+                # Enforce scoping env vars at generation time so older user-config
+                # files (missing WATCHTOWER_SCOPE / WATCHTOWER_LABEL_ENABLE) still
+                # produce a correctly scoped Watchtower service.
+                wt_env: list = watchtower_service.setdefault("environment", [])
+                required_env = {
+                    "WATCHTOWER_SCOPE": "WATCHTOWER_SCOPE=${M4B_WATCHTOWER_SCOPE}",
+                    "WATCHTOWER_LABEL_ENABLE": "WATCHTOWER_LABEL_ENABLE=${M4B_WATCHTOWER_LABELS}",
+                }
+                existing_keys = {e.split("=")[0] for e in wt_env if isinstance(e, str)}
+                for key, entry in required_env.items():
+                    if key not in existing_keys:
+                        wt_env.append(entry)
+                        logging.info(f"Enforced missing Watchtower env var: {entry}")
+                # Enforce scope label so the service is self-managed within scope.
+                wt_labels: list = watchtower_service.setdefault("labels", [])
+                scope_label = "com.centurylinklabs.watchtower.scope=${M4B_WATCHTOWER_SCOPE}"
+                if scope_label not in wt_labels:
+                    wt_labels.append(scope_label)
+                    logging.info("Enforced missing Watchtower scope label")
                 services["watchtower"] = watchtower_service
             # Only add m4bwebdashboard if dashboard is enabled
             m4b_dashboard_config = user_config.get("m4b_dashboard", {})