Windows update support: .zip archives, .exe binary, testable pipeline (#67)

## Summary
- Add Windows support for the self-update command: use `.zip` archives
and `msgvault.exe` on Windows instead of `.tar.gz` and `msgvault`
- Extract `installFromArchiveTo` for a testable update-from-archive
pipeline with zip extraction, path-traversal protection, and
table-driven tests
- Avoid double-hashing during update download by plumbing the SHA-256
computed during download through to checksum verification, eliminating a
redundant full file re-read

## Test plan
- [x] All existing update tests pass (`go test ./internal/update/`)
- [x] Full project test suite passes (`make test`)
- [x] New tests cover: zip extraction, zip path traversal, tar.gz path
traversal, symlink skipping, `installFromArchiveTo` happy paths (zip +
tar.gz), checksum mismatch, empty checksum, missing binary, overwrite
existing binary
- [x] Manual test on Windows: `msgvault update` downloads `.zip` and
extracts `.exe`

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

Author: wesm

cmd/msgvault/cmd/build_cache.go

@@ -14,6 +14,7 @@ import (
 	_ "github.com/marcboeker/go-duckdb"
 	_ "github.com/mattn/go-sqlite3"
 	"github.com/spf13/cobra"
+	"github.com/wesm/msgvault/internal/config"
 )
 
 var fullRebuild bool
@@ -507,12 +508,12 @@ func setupSQLiteSource(duckDB *sql.DB, dbPath string) (cleanup func(), err error
 	}
 
 	// CSV fallback: export SQLite tables to CSV, create DuckDB views.
-	// Use the database's parent directory for temp files instead of the
-	// system temp dir, which can have restricted permissions on Windows
-	// (e.g. for downloaded executables).
-	tmpDir, err := os.MkdirTemp(filepath.Dir(dbPath), ".cache-tmp-*")
+	// Prefer the database's parent directory for temp files (avoids
+	// cross-device moves), but fall back through system temp and
+	// ~/.msgvault/tmp/ for read-only or restricted environments.
+	tmpDir, err := config.MkTempDir(".cache-tmp-*", filepath.Dir(dbPath))
 	if err != nil {
-		return nil, fmt.Errorf("create temp dir: %w", err)
+		return nil, err
 	}
 
 	sqliteDB, err := sql.Open("sqlite3", dbPath+"?mode=ro")

internal/config/config.go

@@ -155,6 +155,47 @@ func (c *Config) ConfigFilePath() string {
 	return filepath.Join(c.HomeDir, "config.toml")
 }
 
+// MkTempDir creates a temporary directory with fallback logic for restricted
+// environments (e.g. Windows where %TEMP% may be inaccessible due to
+// permissions, antivirus, or group policy).
+//
+// It tries the following locations in order:
+//  1. Each directory in preferredDirs (if any)
+//  2. The system default temp directory (os.TempDir())
+//  3. A "tmp" subdirectory under the msgvault home directory (~/.msgvault/tmp/)
+//
+// The first successful location is used. If all locations fail, the error
+// from the system temp dir attempt is returned along with the final fallback error.
+func MkTempDir(pattern string, preferredDirs ...string) (string, error) {
+	// Try preferred directories first
+	for _, base := range preferredDirs {
+		if base == "" {
+			continue
+		}
+		dir, err := os.MkdirTemp(base, pattern)
+		if err == nil {
+			return dir, nil
+		}
+	}
+
+	// Try system temp dir
+	dir, sysErr := os.MkdirTemp("", pattern)
+	if sysErr == nil {
+		return dir, nil
+	}
+
+	// Fallback: use ~/.msgvault/tmp/
+	fallbackBase := filepath.Join(DefaultHome(), "tmp")
+	if err := os.MkdirAll(fallbackBase, 0700); err != nil {
+		return "", fmt.Errorf("create temp dir: %w (fallback also failed: %v)", sysErr, err)
+	}
+	dir, err := os.MkdirTemp(fallbackBase, pattern)
+	if err != nil {
+		return "", fmt.Errorf("create temp dir: %w (fallback also failed: %v)", sysErr, err)
+	}
+	return dir, nil
+}
+
 // resolveRelative makes a relative path absolute by joining it with base.
 // Absolute paths and empty strings are returned unchanged.
 func resolveRelative(path, base string) string {

internal/config/config_test.go

@@ -344,6 +344,105 @@ func TestDefaultHomeExpandsTilde(t *testing.T) {
 	}
 }
 
+func TestMkTempDir(t *testing.T) {
+	t.Run("uses system temp when no preferred dirs", func(t *testing.T) {
+		dir, err := MkTempDir("test-*")
+		if err != nil {
+			t.Fatalf("MkTempDir failed: %v", err)
+		}
+		defer os.RemoveAll(dir)
+
+		if _, err := os.Stat(dir); err != nil {
+			t.Errorf("temp dir does not exist: %v", err)
+		}
+	})
+
+	t.Run("uses preferred dir when available", func(t *testing.T) {
+		preferred := t.TempDir()
+		dir, err := MkTempDir("test-*", preferred)
+		if err != nil {
+			t.Fatalf("MkTempDir failed: %v", err)
+		}
+		defer os.RemoveAll(dir)
+
+		if !strings.HasPrefix(dir, preferred) {
+			t.Errorf("temp dir %q not under preferred %q", dir, preferred)
+		}
+	})
+
+	t.Run("skips empty preferred dir strings", func(t *testing.T) {
+		dir, err := MkTempDir("test-*", "")
+		if err != nil {
+			t.Fatalf("MkTempDir failed: %v", err)
+		}
+		defer os.RemoveAll(dir)
+
+		// Should have used system temp, not errored
+		if _, err := os.Stat(dir); err != nil {
+			t.Errorf("temp dir does not exist: %v", err)
+		}
+	})
+
+	t.Run("falls back to system temp when preferred dir is inaccessible", func(t *testing.T) {
+		dir, err := MkTempDir("test-*", "/nonexistent-dir-that-does-not-exist")
+		if err != nil {
+			t.Fatalf("MkTempDir failed: %v", err)
+		}
+		defer os.RemoveAll(dir)
+
+		// Should have fallen back to system temp
+		if strings.Contains(dir, "nonexistent") {
+			t.Errorf("should not have used nonexistent dir, got %q", dir)
+		}
+	})
+
+	t.Run("falls back to msgvault home when system temp is unavailable", func(t *testing.T) {
+		if runtime.GOOS == "windows" {
+			t.Skip("cannot make system temp dir unwritable on Windows")
+		}
+
+		// Create a restricted temp dir so os.MkdirTemp("", ...) fails
+		restrictedTmp := t.TempDir()
+		if err := os.Chmod(restrictedTmp, 0o500); err != nil {
+			t.Fatalf("chmod failed: %v", err)
+		}
+		t.Cleanup(func() { _ = os.Chmod(restrictedTmp, 0o700) })
+
+		// Probe whether the restriction actually works (root and some ACL
+		// configurations can still write to 0500 directories).
+		probe, probeErr := os.MkdirTemp(restrictedTmp, "probe-*")
+		if probeErr == nil {
+			os.Remove(probe)
+			t.Skip("chmod 0500 did not restrict writes (running as root or permissive ACLs)")
+		}
+
+		// Point TMPDIR to the restricted dir and MSGVAULT_HOME to a writable dir
+		msgvaultHome := t.TempDir()
+		t.Setenv("TMPDIR", restrictedTmp)
+		t.Setenv("MSGVAULT_HOME", msgvaultHome)
+
+		dir, err := MkTempDir("test-*")
+		if err != nil {
+			t.Fatalf("MkTempDir failed: %v", err)
+		}
+		defer os.RemoveAll(dir)
+
+		expectedBase := filepath.Join(msgvaultHome, "tmp")
+		if !strings.HasPrefix(dir, expectedBase) {
+			t.Errorf("temp dir %q not under fallback %q", dir, expectedBase)
+		}
+
+		// Verify the tmp dir was created with restrictive permissions
+		info, err := os.Stat(expectedBase)
+		if err != nil {
+			t.Fatalf("stat fallback dir: %v", err)
+		}
+		if perm := info.Mode().Perm(); perm != 0o700 {
+			t.Errorf("fallback dir permissions = %04o, want 0700", perm)
+		}
+	})
+}
+
 func TestNewDefaultConfig(t *testing.T) {
 	// Use a temp directory as MSGVAULT_HOME
 	tmpDir := t.TempDir()

internal/testutil/archive_helpers.go

@@ -56,6 +56,32 @@ func CreateTarGz(t *testing.T, path string, entries []ArchiveEntry) {
 	}
 }
 
+// CreateZip creates a zip archive at path containing the given entries.
+func CreateZip(t *testing.T, path string, entries []ArchiveEntry) {
+	t.Helper()
+	f, err := os.Create(path)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer f.Close()
+
+	w := zip.NewWriter(f)
+	for _, e := range entries {
+		fw, err := w.Create(e.Name)
+		if err != nil {
+			t.Fatalf("create zip entry %s: %v", e.Name, err)
+		}
+		if len(e.Content) > 0 {
+			if _, err := fw.Write([]byte(e.Content)); err != nil {
+				t.Fatalf("write zip entry %s: %v", e.Name, err)
+			}
+		}
+	}
+	if err := w.Close(); err != nil {
+		t.Fatalf("close zip writer: %v", err)
+	}
+}
+
 // CreateTempZip creates a zip file in a temporary directory containing the
 // provided entries (filename -> content). Returns the path to the zip file.
 func CreateTempZip(t *testing.T, entries map[string]string) string {