Register base-protection health check for conda doctor --fix

.github/workflows/build.yml

@@ -53,7 +53,7 @@ jobs:
           environments: ${{ env.PIXI_ENV_NAME }}
 
       - name: Build recipe
-        run: pixi run --environment ${{ env.PIXI_ENV_NAME }} build --channel conda-forge
+        run: pixi run --environment ${{ env.PIXI_ENV_NAME }} build --channel conda-forge --channel main
 
       - name: Upload to conda-canary
         # Only publish canary builds after successful pushes to main in the canonical repo

.github/workflows/tests.yml

@@ -55,7 +55,10 @@ jobs:
         if: matrix.channel == 'defaults'
         shell: bash
         run: |
+          # Use defaults channel instead of conda-forge
           sed -i.bak 's|channels = \["conda-forge"\]|channels = ["https://repo.anaconda.com/pkgs/main", "https://repo.anaconda.com/pkgs/r", "https://repo.anaconda.com/pkgs/msys2"]|g' pyproject.toml
+          # Remove osx-64 (conda not available on defaults for macOS Intel)
+          sed -i.bak 's|platforms = \["linux-64", "osx-64", "osx-arm64", "win-64"\]|platforms = ["linux-64", "osx-arm64", "win-64"]|g' pyproject.toml
           rm pixi.lock
       - uses: prefix-dev/setup-pixi@a0af7a228712d6121d37aba47adf55c1332c9c2e # v0.9.4
         with:

README.md

@@ -1,6 +1,10 @@
 # conda-self
 
-A `self` command to manage your `base` environment safely.
+Commands to manage your `base` environment safely.
+
+## `conda self`
+
+Manage your conda 'base' environment safely.
 
 ```
 $ conda self
@@ -19,6 +23,32 @@ subcommands:
     reset               Reset 'base' environment to essential packages only.
     update              Update 'conda' and/or its plugins in the 'base' environment.
 ```
+
+## Base Environment Protection
+
+To check if your base environment is protected, run:
+
+```
+conda doctor base-protection
+```
+
+To protect your base environment, run:
+
+```
+conda doctor base-protection --fix
+```
+
+This will:
+1. Clone your current base environment to a new "default" environment
+2. Reset base to essential packages only
+3. Freeze the base environment to prevent modifications
+
+To see all available health checks, run:
+
+```
+conda doctor --list
+```
+
 ## Installation
 
 1. `conda install -n base conda-self`

conda_self/health_checks/__init__.py

@@ -0,0 +1,9 @@
+# Copyright (C) 2012 Anaconda, Inc
+# SPDX-License-Identifier: BSD-3-Clause
+"""Health checks for conda-self."""
+
+from __future__ import annotations
+
+from . import base_protection
+
+plugins = [base_protection]

conda_self/health_checks/base_protection.py

@@ -0,0 +1,148 @@
+# Copyright (C) 2012 Anaconda, Inc
+# SPDX-License-Identifier: BSD-3-Clause
+"""Health check: Base environment protection.
+
+Checks if the base environment is protected (frozen) and offers to
+protect it by cloning to a default environment and resetting base.
+"""
+
+from __future__ import annotations
+
+import sys
+from typing import TYPE_CHECKING
+
+from conda.base.constants import OK_MARK, PREFIX_FROZEN_FILE, X_MARK
+from conda.core.prefix_data import PrefixData
+
+if TYPE_CHECKING:
+    from argparse import Namespace
+
+    from conda.plugins.types import ConfirmCallback
+
+
+def is_base_environment(prefix: str) -> bool:
+    """Check if the given prefix is the base environment."""
+    return prefix == sys.prefix
+
+
+def is_base_protected() -> bool:
+    """Check if the base environment is protected (frozen)."""
+    frozen_file = PrefixData(sys.prefix).prefix_path / PREFIX_FROZEN_FILE
+    return frozen_file.exists()
+
+
+def check(prefix: str, _verbose: bool) -> None:
+    """Health check: Verify base environment protection status.
+
+    Only runs when checking the base environment.
+    """
+    if not is_base_environment(prefix):
+        print("Skipping base protection: not running on base environment.\n")
+        return
+
+    if is_base_protected():
+        print(f"{OK_MARK} Base environment is protected (frozen).\n")
+    else:
+        print(f"{X_MARK} Base environment is not protected.\n")
+        print("  Run `conda doctor --fix` to protect it.\n")
+
+
+def fix(prefix: str, args: Namespace, confirm: ConfirmCallback) -> int:
+    """Fix: Protect the base environment.
+
+    This clones the base environment to a new 'default' environment,
+    resets base to essentials, and freezes it.
+    """
+    from pathlib import Path
+
+    from conda.base.context import context
+
+    if not is_base_environment(prefix):
+        print("Skipping: not running on base environment.")
+        return 0
+
+    if is_base_protected():
+        print("Base environment is already protected.")
+        return 0
+
+    default_env = "default"
+    message = "Protected by Base Environment Protection health fix"
+
+    if not context.quiet:
+        print(f"This will clone 'base' to '{default_env}', reset base, and freeze it.")
+    confirm("Proceed?")
+
+    import io
+    import json
+    from contextlib import nullcontext, redirect_stdout
+    from datetime import datetime
+
+    from conda.cli.condarc import ConfigurationFile
+    from conda.exceptions import CondaOSError
+    from conda.gateways.disk.delete import rm_rf
+    from conda.misc import clone_env
+    from conda.models.environment import Environment
+
+    from ..query import permanent_dependencies
+    from ..reset import reset
+
+    base_prefix = Path(sys.prefix)
+
+    # Get packages to keep in base
+    uninstallable_packages = permanent_dependencies()
+
+    # Check destination environment
+    dest_prefix_data = PrefixData.from_name(default_env)
+
+    if dest_prefix_data.is_environment():
+        confirm(f"Environment '{default_env}' already exists. Remove and recreate?")
+        rm_rf(dest_prefix_data.prefix_path)
+    elif dest_prefix_data.exists():
+        confirm(f"Directory exists at '{dest_prefix_data.prefix_path}'. Continue?")
+
+    # Take a snapshot using the environment exporter plugin system,
+    # which captures both conda and pip-installed packages.
+    env = Environment.from_prefix(
+        str(base_prefix), name="base", platform=context.subdir
+    )
+    exporter = context.plugin_manager.get_environment_exporter_by_format("yaml")
+    snapshot_file = (
+        base_prefix
+        / "conda-meta"
+        / f"environment.{datetime.now():%Y-%m-%d-%H-%M-%S}.yml"
+    )
+    if not context.quiet:
+        print(f"Saving snapshot to {snapshot_file}")
+    snapshot_file.write_text(exporter.export(env))
+
+    if not context.quiet:
+        print(f"Cloning 'base' to '{default_env}'...")
+        print("Resetting 'base' environment...")
+
+    # Suppress conda's transaction spinner output when --quiet
+    stdout_ctx = redirect_stdout(io.StringIO()) if context.quiet else nullcontext()
+    with stdout_ctx:
+        clone_env(
+            str(base_prefix),
+            str(dest_prefix_data.prefix_path),
+            verbose=False,
+            quiet=True,
+        )
+        reset(uninstallable_packages=uninstallable_packages)
+
+    # Freeze base
+    try:
+        frozen_path = base_prefix / PREFIX_FROZEN_FILE
+        frozen_path.write_text(json.dumps({"message": message}) if message else "")
+    except OSError as e:
+        raise CondaOSError(f"Could not protect environment: {e}") from e
+
+    # Update default activation environment
+    if not context.quiet:
+        print(f"Setting default environment to '{default_env}'")
+    with ConfigurationFile.from_user_condarc() as config:
+        config.set_key("default_activation_env", str(dest_prefix_data.prefix_path))
+
+    if not context.quiet:
+        print(f"\nDone! To use your packages: conda activate {default_env}")
+    return 0

conda_self/plugin.py

@@ -1,24 +1,38 @@
-"""
-Plugin definition for 'conda self' subcommand.
-"""
+"""Plugin hook implementations for conda-self."""
 
 from __future__ import annotations
 
 from typing import TYPE_CHECKING
 
-from conda import plugins
+from conda.plugins.hookspec import hookimpl
+from conda.plugins.types import CondaHealthCheck, CondaSubcommand
 
 from .cli import configure_parser, execute
 
 if TYPE_CHECKING:
     from collections.abc import Iterable
 
 
-@plugins.hookimpl
-def conda_subcommands() -> Iterable[plugins.CondaSubcommand]:
-    yield plugins.CondaSubcommand(
+@hookimpl
+def conda_subcommands() -> Iterable[CondaSubcommand]:
+    """Expose the `self` subcommand."""
+    yield CondaSubcommand(
         name="self",
         action=execute,
         configure_parser=configure_parser,
         summary="Manage your conda 'base' environment safely.",
     )
+
+
+@hookimpl
+def conda_health_checks() -> Iterable[CondaHealthCheck]:
+    """Register the base environment protection health check."""
+    from .health_checks import base_protection
+
+    yield CondaHealthCheck(
+        name="base-protection",
+        action=base_protection.check,
+        fixer=base_protection.fix,
+        summary="Check if base is frozen to prevent accidental modifications",
+        fix="Clone base to 'default' environment, reset base, and freeze it",
+    )