feat: implement privileged update helper for agent self-update and update sudoers configuration

Author: goktugcy

CHANGELOG.md

@@ -15,6 +15,9 @@ Formatting rules:
 
 ## [Unreleased]
 
+### Fixed
+- Fleet self-update now uses a dedicated privileged helper so rollout handoff works on hosts that ship `sudo-rs`, where sudoers wildcard argument matching is more restrictive than classic `sudo`.
+
 ## [1.0.0] - 2026-04-02
 
 ### Added

README.md

@@ -48,7 +48,7 @@ The installer:
 - checks and installs required packages
 - creates the `noderax` system user
 - grants passwordless `sudo` only for `apt-get install/remove/purge`
-- grants passwordless `sudo` to the dedicated `noderax-agent update` command used by fleet rollouts
+- grants passwordless `sudo` to the dedicated `/usr/local/libexec/noderax-agent-self-update` helper used by fleet rollouts
 - downloads the correct prebuilt agent binary
 - bootstraps the node with the provided token
 - reports bootstrap progress back to the API so the web `Add node` modal can update live
@@ -204,10 +204,10 @@ sudo noderax-agent status
 ## Fleet Self-Update
 
 Platform-admin fleet rollouts do not use `shell.exec`. They dispatch the dedicated
-`agent.update` task type, which hands off to the root-only CLI command below:
+`agent.update` task type, which hands off to the root-only helper below:
 
 ```bash
-sudo noderax-agent update --target-version 1.0.1 --target-id <rollout-target-id>
+sudo /usr/local/libexec/noderax-agent-self-update --target-version 1.0.1 --target-id <rollout-target-id>
 ```
 
 The managed updater:
@@ -345,7 +345,7 @@ The agent executes `shell.exec` tasks in a controlled non-interactive environmen
 - when installed through the bootstrap installer, shell and package tasks run under the `noderax` user
 - `shell.exec` does not auto-elevate to root; it runs in the `noderax` user context by default
 - package operations can elevate through passwordless `sudo -n`, but only for `apt-get install`, `apt-get remove`, and `apt-get purge`
-- agent self-update can elevate through passwordless `sudo -n`, but only for the dedicated `noderax-agent update` command
+- agent self-update can elevate through passwordless `sudo -n`, but only for the dedicated `/usr/local/libexec/noderax-agent-self-update` helper
 - ad-hoc root shell commands are intentionally out of scope for the bundled sudoers profile
 
 For package listing on Debian/Ubuntu, the agent uses optimized `dpkg -l` parsing to return structured package metadata.

internal/agentctl/commands.go

@@ -27,15 +27,16 @@ const (
 	serviceManagerSystemd = "systemd"
 	serviceManagerLaunchd = "launchd"
 
-	linuxInstallDir  = "/opt/noderax-agent"
-	linuxBinaryPath  = linuxInstallDir + "/noderax-agent"
-	linuxSymlinkPath = "/usr/local/bin/noderax-agent"
-	linuxConfigPath  = "/etc/noderax-agent/config.json"
-	linuxStatePath   = "/var/lib/noderax-agent/agent_identity.json"
-	linuxServiceUnit = "/etc/systemd/system/noderax-agent.service"
-	linuxServiceName = "noderax-agent.service"
-	linuxServiceUser = "noderax"
-	linuxServiceHome = "/var/lib/noderax-agent"
+	linuxInstallDir                 = "/opt/noderax-agent"
+	linuxBinaryPath                 = linuxInstallDir + "/noderax-agent"
+	linuxSymlinkPath                = "/usr/local/bin/noderax-agent"
+	linuxPrivilegedUpdateHelperPath = "/usr/local/libexec/noderax-agent-self-update"
+	linuxConfigPath                 = "/etc/noderax-agent/config.json"
+	linuxStatePath                  = "/var/lib/noderax-agent/agent_identity.json"
+	linuxServiceUnit                = "/etc/systemd/system/noderax-agent.service"
+	linuxServiceName                = "noderax-agent.service"
+	linuxServiceUser                = "noderax"
+	linuxServiceHome                = "/var/lib/noderax-agent"
 
 	macOSInstallDir  = "/usr/local/lib/noderax-agent"
 	macOSBinaryPath  = macOSInstallDir + "/noderax-agent"
@@ -47,22 +48,23 @@ const (
 )
 
 type platformSpec struct {
-	Manager       string
-	InstallDir    string
-	BinaryPath    string
-	SymlinkPath   string
-	ConfigPath    string
-	StatePath     string
-	ServiceUnit   string
-	ServiceName   string
-	WorkingDir    string
-	RequiresRoot  bool
-	ServiceDomain string
-	LogStdoutPath string
-	LogStderrPath string
-	ServiceUser   string
-	ServiceGroup  string
-	ServiceHome   string
+	Manager                    string
+	InstallDir                 string
+	BinaryPath                 string
+	SymlinkPath                string
+	PrivilegedUpdateHelperPath string
+	ConfigPath                 string
+	StatePath                  string
+	ServiceUnit                string
+	ServiceName                string
+	WorkingDir                 string
+	RequiresRoot               bool
+	ServiceDomain              string
+	LogStdoutPath              string
+	LogStderrPath              string
+	ServiceUser                string
+	ServiceGroup               string
+	ServiceHome                string
 }
 
 type installOptions struct {
@@ -205,6 +207,9 @@ func (c CLI) Install(ctx context.Context, args []string) error {
 			return fmt.Errorf("create symlink: %w", err)
 		}
 	}
+	if err := writePrivilegedUpdateHelper(spec); err != nil {
+		return fmt.Errorf("write privileged update helper: %w", err)
+	}
 
 	switch spec.Manager {
 	case serviceManagerSystemd:
@@ -339,6 +344,18 @@ func (c CLI) Uninstall(ctx context.Context) error {
 	}
 	recordRemovalResult(&removed, &missing, "symlink", spec.SymlinkPath, symlinkRemoved)
 
+	helperRemoved, err := removeFileIfExists(spec.PrivilegedUpdateHelperPath)
+	if err != nil {
+		return err
+	}
+	recordRemovalResult(
+		&removed,
+		&missing,
+		"privileged update helper",
+		spec.PrivilegedUpdateHelperPath,
+		helperRemoved,
+	)
+
 	configRemoved, err := removeFileIfExists(configPath)
 	if err != nil {
 		return err
@@ -485,36 +502,38 @@ func currentPlatformSpec() (platformSpec, error) {
 	switch runtime.GOOS {
 	case "linux":
 		return platformSpec{
-			Manager:       serviceManagerSystemd,
-			InstallDir:    linuxInstallDir,
-			BinaryPath:    linuxBinaryPath,
-			SymlinkPath:   linuxSymlinkPath,
-			ConfigPath:    linuxConfigPath,
-			StatePath:     linuxStatePath,
-			ServiceUnit:   linuxServiceUnit,
-			ServiceName:   linuxServiceName,
-			WorkingDir:    linuxInstallDir,
-			RequiresRoot:  true,
-			ServiceDomain: "system",
-			ServiceUser:   linuxServiceUser,
-			ServiceGroup:  linuxServiceUser,
-			ServiceHome:   linuxServiceHome,
+			Manager:                    serviceManagerSystemd,
+			InstallDir:                 linuxInstallDir,
+			BinaryPath:                 linuxBinaryPath,
+			SymlinkPath:                linuxSymlinkPath,
+			PrivilegedUpdateHelperPath: linuxPrivilegedUpdateHelperPath,
+			ConfigPath:                 linuxConfigPath,
+			StatePath:                  linuxStatePath,
+			ServiceUnit:                linuxServiceUnit,
+			ServiceName:                linuxServiceName,
+			WorkingDir:                 linuxInstallDir,
+			RequiresRoot:               true,
+			ServiceDomain:              "system",
+			ServiceUser:                linuxServiceUser,
+			ServiceGroup:               linuxServiceUser,
+			ServiceHome:                linuxServiceHome,
 		}, nil
 	case "darwin":
 		return platformSpec{
-			Manager:       serviceManagerLaunchd,
-			InstallDir:    macOSInstallDir,
-			BinaryPath:    macOSBinaryPath,
-			SymlinkPath:   macOSSymlinkPath,
-			ConfigPath:    macOSConfigPath,
-			StatePath:     macOSStatePath,
-			ServiceUnit:   macOSServiceUnit,
-			ServiceName:   macOSServiceName,
-			WorkingDir:    macOSInstallDir,
-			RequiresRoot:  true,
-			ServiceDomain: "system",
-			LogStdoutPath: "/var/log/noderax-agent.log",
-			LogStderrPath: "/var/log/noderax-agent.error.log",
+			Manager:                    serviceManagerLaunchd,
+			InstallDir:                 macOSInstallDir,
+			BinaryPath:                 macOSBinaryPath,
+			SymlinkPath:                macOSSymlinkPath,
+			PrivilegedUpdateHelperPath: "",
+			ConfigPath:                 macOSConfigPath,
+			StatePath:                  macOSStatePath,
+			ServiceUnit:                macOSServiceUnit,
+			ServiceName:                macOSServiceName,
+			WorkingDir:                 macOSInstallDir,
+			RequiresRoot:               true,
+			ServiceDomain:              "system",
+			LogStdoutPath:              "/var/log/noderax-agent.log",
+			LogStderrPath:              "/var/log/noderax-agent.error.log",
 		}, nil
 	default:
 		return platformSpec{}, fmt.Errorf("unsupported platform %s", runtime.GOOS)
@@ -1018,6 +1037,53 @@ func ensureSymlink(target, link string) error {
 	return nil
 }
 
+func writePrivilegedUpdateHelper(spec platformSpec) error {
+	path := strings.TrimSpace(spec.PrivilegedUpdateHelperPath)
+	if path == "" {
+		return nil
+	}
+
+	if err := os.MkdirAll(filepath.Dir(path), 0o755); err != nil {
+		return fmt.Errorf("create helper directory for %s: %w", path, err)
+	}
+
+	content := renderPrivilegedUpdateHelper(spec)
+	if err := os.WriteFile(path, []byte(content), 0o755); err != nil {
+		return fmt.Errorf("write helper %s: %w", path, err)
+	}
+
+	return nil
+}
+
+func renderPrivilegedUpdateHelper(spec platformSpec) string {
+	return fmt.Sprintf(`#!/bin/sh
+set -eu
+
+usage() {
+  echo "usage: %s --target-version <version> --target-id <target-id> [--rollback]" >&2
+  exit 64
+}
+
+if [ "$#" -ne 4 ] && [ "$#" -ne 5 ]; then
+  usage
+fi
+
+if [ "$1" != "--target-version" ] || [ -z "${2:-}" ] || [ "$3" != "--target-id" ] || [ -z "${4:-}" ]; then
+  usage
+fi
+
+if [ "$#" -eq 5 ] && [ "$5" != "--rollback" ]; then
+  usage
+fi
+
+if [ "$#" -eq 5 ]; then
+  exec %q update --target-version "$2" --target-id "$4" --rollback
+fi
+
+exec %q update --target-version "$2" --target-id "$4"
+`, spec.PrivilegedUpdateHelperPath, spec.BinaryPath, spec.BinaryPath)
+}
+
 func writeServiceUnit(path, content string) error {
 	if err := os.MkdirAll(filepath.Dir(path), 0o755); err != nil {
 		return fmt.Errorf("create service directory for %s: %w", path, err)

internal/agentctl/summary_test.go

@@ -44,3 +44,26 @@ func TestRenderInstallSummaryIncludesUsefulCommands(t *testing.T) {
 		}
 	}
 }
+
+func TestRenderPrivilegedUpdateHelperTargetsManagedBinary(t *testing.T) {
+	t.Parallel()
+
+	spec := platformSpec{
+		BinaryPath:                 linuxBinaryPath,
+		PrivilegedUpdateHelperPath: linuxPrivilegedUpdateHelperPath,
+	}
+
+	script := renderPrivilegedUpdateHelper(spec)
+
+	expectedSnippets := []string{
+		"usage: " + linuxPrivilegedUpdateHelperPath,
+		"exec \"" + linuxBinaryPath + "\" update --target-version \"$2\" --target-id \"$4\" --rollback",
+		"exec \"" + linuxBinaryPath + "\" update --target-version \"$2\" --target-id \"$4\"",
+	}
+
+	for _, snippet := range expectedSnippets {
+		if !strings.Contains(script, snippet) {
+			t.Fatalf("helper script missing snippet %q\n%s", snippet, script)
+		}
+	}
+}

internal/tasks/executor.go

@@ -26,6 +26,8 @@ const (
 	TaskTypePackageInstall = "packageInstall"
 	TaskTypePackageRemove  = "packageRemove"
 	TaskTypePackagePurge   = "packagePurge"
+
+	linuxPrivilegedUpdateHelperPath = "/usr/local/libexec/noderax-agent-self-update"
 )
 
 var (
@@ -127,6 +129,7 @@ type ShellExecutor struct {
 	goos           string
 	lookPath       func(string) (string, error)
 	executablePath func() (string, error)
+	fileExists     func(string) bool
 	newCommand     func(context.Context, string, ...string) commandRunner
 }
 
@@ -136,7 +139,11 @@ func NewShellExecutor(defaultTimeout time.Duration) *ShellExecutor {
 		goos:           runtime.GOOS,
 		lookPath:       exec.LookPath,
 		executablePath: os.Executable,
-		newCommand:     newExecCommandRunner,
+		fileExists: func(path string) bool {
+			_, err := os.Stat(path)
+			return err == nil
+		},
+		newCommand: newExecCommandRunner,
 	}
 }
 
@@ -327,6 +334,40 @@ func (e *ShellExecutor) agentUpdateCommand(payload json.RawMessage) (commandSpec
 		args = append(args, "--rollback")
 	}
 
+	if e.goos == "linux" && e.fileExists(linuxPrivilegedUpdateHelperPath) {
+		helperArgs := []string{
+			"--target-version",
+			targetVersion,
+			"--target-id",
+			targetID,
+		}
+		if parsed.Rollback {
+			helperArgs = append(helperArgs, "--rollback")
+		}
+
+		commandName, commandArgs, err := e.wrapWithSudo(
+			linuxPrivilegedUpdateHelperPath,
+			helperArgs,
+		)
+		if err != nil {
+			return commandSpec{}, err
+		}
+
+		return commandSpec{
+			name:         commandName,
+			args:         commandArgs,
+			startMessage: fmt.Sprintf("handing off agent update to %s", targetVersion),
+			parseResult: func(string, func(string, string)) any {
+				return map[string]any{
+					"status":        "handoff",
+					"targetId":      targetID,
+					"targetVersion": targetVersion,
+					"rollback":      parsed.Rollback,
+				}
+			},
+		}, nil
+	}
+
 	commandName, commandArgs, err := e.wrapWithSudo(agentPath, args)
 	if err != nil {
 		return commandSpec{}, err