# 🚀 **apt-ostree Daemon Implementation Plan - Deep Dive**

## 🏗️ **Architecture Overview**

Based on the comprehensive analysis of rpm-ostree's DBus implementation, apt-ostree will implement a Rust-based daemon that mirrors the proven architecture while adapting to the Debian/Ubuntu ecosystem.

```
┌─────────────────┐    ┌─────────────────┐    ┌─────────────────┐
│   CLI Client    │    │   Rust Core     │    │   Rust Daemon   │
│   (Rust)        │◄──►│   (DBus)        │◄──►│   (aptostreed)  │
│                 │    │                 │    │                 │
│ • Commands      │    │ • Client Logic  │    │ • OSTree Ops    │
│ • User Input    │    │ • DBus Client   │    │ • APT Package  │
│ • Output Display│    │ • Error Handling│    │ • Transactions  │
└─────────────────┘    └─────────────────┘    └─────────────────┘
```

## 📋 **Phase 1: Foundation & Infrastructure (Week 1-2)**

### **1.1 Project Structure Setup**
```
apt-ostree/
├── src/
│   ├── main.rs              # CLI client (existing)
│   ├── daemon/
│   │   ├── mod.rs           # Daemon module
│   │   ├── main.rs          # Daemon entry point
│   │   ├── dbus.rs          # DBus interface
│   │   ├── transaction.rs   # Transaction management
│   │   ├── ostree.rs        # OSTree operations
│   │   ├── apt.rs           # APT package management
│   │   ├── security.rs      # Security & privileges
│   │   ├── sysroot.rs       # Sysroot management
│   │   └── os.rs            # OS interface
│   └── client/
│       ├── mod.rs           # Client module
│       ├── dbus.rs          # DBus client
│       └── transaction.rs   # Transaction client
├── daemon/
│   ├── Cargo.toml           # Daemon dependencies
│   ├── systemd/
│   │   ├── apt-ostreed.service
│   │   └── apt-ostreed.socket
│   └── polkit/
│       └── apt-ostree.policy
└── docs/
    └── daemon-architecture.md
```

### **1.2 Dependencies & Crates**
```toml
# daemon/Cargo.toml
[dependencies]
tokio = { version = "1.0", features = ["full"] }
zbus = "3.0"                    # DBus implementation
serde = { version = "1.0", features = ["derive"] }
serde_json = "1.0"
tracing = "0.1"
tracing-subscriber = "0.3"
thiserror = "1.0"
anyhow = "1.0"
ostree = "0.20"
apt-pkg-native = "0.3"
uuid = "1.0"
chrono = { version = "0.4", features = ["serde"] }
libc = "0.2"
nix = "0.26"
```

### **1.3 DBus Interface Definition**
Based on the rpm-ostree analysis, we'll implement a compatible interface:

```xml
<!-- org.projectatomic.aptostree1.xml -->
<interface name="org.projectatomic.aptostree1.Sysroot">
  <!-- Core Properties -->
  <property name="Booted" type="o" access="read"/>
  <property name="Path" type="s" access="read"/>
  <property name="ActiveTransaction" type="(sss)" access="read"/>
  <property name="ActiveTransactionPath" type="s" access="read"/>
  <property name="Deployments" type="aa{sv}" access="read"/>
  <property name="AutomaticUpdatePolicy" type="s" access="read"/>
  
  <!-- Client Management -->
  <method name="RegisterClient">
    <arg type="a{sv}" name="options" direction="in"/>
  </method>
  
  <method name="UnregisterClient">
    <arg type="a{sv}" name="options" direction="in"/>
  </method>
  
  <!-- System Management -->
  <method name="Reload"/>
  <method name="ReloadConfig"/>
  
  <!-- OS Access -->
  <method name="GetOS">
    <arg name="name" type="s" direction="in"/>
    <arg name="object_path" type="o" direction="out"/>
  </method>
</interface>

<interface name="org.projectatomic.aptostree1.OS">
  <!-- Deployment Properties -->
  <property name="BootedDeployment" type="a{sv}" access="read"/>
  <property name="DefaultDeployment" type="a{sv}" access="read"/>
  <property name="RollbackDeployment" type="a{sv}" access="read"/>
  <property name="CachedUpdate" type="a{sv}" access="read"/>
  <property name="HasCachedUpdateAptDiff" type="b" access="read"/>
  <property name="Name" type="s" access="read"/>
  
  <!-- Core Operations -->
  <method name="Deploy">
    <arg type="s" name="revision" direction="in"/>
    <arg type="a{sv}" name="options" direction="in"/>
    <arg type="s" name="transaction_address" direction="out"/>
  </method>
  
  <method name="Upgrade">
    <arg type="a{sv}" name="options" direction="in"/>
    <arg type="s" name="transaction_address" direction="out"/>
  </method>
  
  <method name="Rollback">
    <arg type="a{sv}" name="options" direction="in"/>
    <arg type="s" name="transaction_address" direction="out"/>
  </method>
  
  <!-- Package Management -->
  <method name="PkgChange">
    <arg type="a{sv}" name="options" direction="in"/>
    <arg type="as" name="packages_added" direction="in"/>
    <arg type="as" name="packages_removed" direction="in"/>
    <arg type="s" name="transaction_address" direction="out"/>
  </method>
  
  <!-- System Configuration -->
  <method name="KernelArgs">
    <arg type="s" name="existing_kernel_arg_string" direction="in"/>
    <arg type="as" name="kernel_args_added" direction="in"/>
    <arg type="as" name="kernel_args_replaced" direction="in"/>
    <arg type="as" name="kernel_args_removed" direction="in"/>
    <arg type="a{sv}" name="options" direction="in"/>
    <arg type="s" name="transaction_address" direction="out"/>
  </method>
  
  <method name="SetInitramfsState">
    <arg type="b" name="regenerate" direction="in"/>
    <arg type="as" name="args" direction="in"/>
    <arg type="a{sv}" name="options" direction="in"/>
    <arg type="s" name="transaction_address" direction="out"/>
  </method>
  
  <!-- Advanced Operations -->
  <method name="UpdateDeployment">
    <arg type="a{sv}" name="modifiers" direction="in"/>
    <arg type="a{sv}" name="options" direction="in"/>
    <arg type="s" name="transaction_address" direction="out"/>
  </method>
  
  <method name="FinalizeDeployment">
    <arg type="a{sv}" name="options" direction="in"/>
    <arg type="s" name="transaction_address" direction="out"/>
  </method>
  
  <!-- Package Search -->
  <method name="WhatProvides">
    <arg type="as" name="provides" direction="in"/>
    <arg type="aa{sv}" name="packages" direction="out"/>
  </method>
  
  <method name="GetPackages">
    <arg type="as" name="names" direction="in"/>
    <arg type="aa{sv}" name="packages" direction="out"/>
  </method>
  
  <method name="Search">
    <arg type="as" name="names" direction="in"/>
    <arg type="aa{sv}" name="packages" direction="out"/>
  </method>
</interface>

<interface name="org.projectatomic.aptostree1.Transaction">
  <!-- Properties -->
  <property name="Title" type="s" access="read"/>
  <property name="InitiatingClientDescription" type="s" access="read"/>
  
  <!-- Methods -->
  <method name="Start">
    <arg type="b" name="started" direction="out"/>
  </method>
  
  <method name="Cancel"/>
  
  <!-- Signals -->
  <signal name="Finished">
    <arg name="success" type="b" direction="out"/>
    <arg name="error_message" type="s" direction="out"/>
  </signal>
  
  <signal name="Message">
    <arg name="text" type="s" direction="out"/>
  </signal>
  
  <signal name="TaskBegin">
    <arg name="text" type="s" direction="out"/>
  </signal>
  
  <signal name="TaskEnd">
    <arg name="text" type="s" direction="out"/>
  </signal>
  
  <signal name="PercentProgress">
    <arg name="text" type="s" direction="out"/>
    <arg name="percentage" type="u" direction="out"/>
  </signal>
  
  <signal name="DownloadProgress">
    <arg name="time" type="(tt)" direction="out"/>
    <arg name="outstanding" type="(uu)" direction="out"/>
    <arg name="metadata" type="(uuu)" direction="out"/>
    <arg name="content" type="(uu)" direction="out"/>
    <arg name="transfer" type="(tt)" direction="out"/>
  </signal>
  
  <signal name="ProgressEnd"/>
</interface>
```

## 🔌 **Phase 2: Core Daemon Implementation (Week 2-3)**

### **2.1 Daemon Main Structure**
```rust
// daemon/src/main.rs
use zbus::{ConnectionBuilder, dbus_interface};
use std::sync::Arc;
use tokio::sync::RwLock;
use std::collections::HashMap;

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Initialize logging
    tracing_subscriber::fmt::init();
    
    // Create daemon instance
    let daemon = Arc::new(AptOstreeDaemon::new()?);
    
    // Set up DBus connection
    let _connection = ConnectionBuilder::system()?
        .name("org.projectatomic.aptostree1")?
        .serve_at("/org/projectatomic/aptostree1/Sysroot", daemon.clone())?
        .serve_at("/org/projectatomic/aptostree1/OS/debian", daemon.clone())?
        .build()
        .await?;
    
    // Keep daemon running
    loop {
        tokio::time::sleep(tokio::time::Duration::from_secs(1)).await;
    }
}

struct AptOstreeDaemon {
    transactions: Arc<RwLock<HashMap<String, Transaction>>>,
    ostree_manager: Arc<OstreeManager>,
    apt_manager: Arc<AptManager>,
    security_manager: Arc<SecurityManager>,
    sysroot_manager: Arc<SysrootManager>,
    os_manager: Arc<OsManager>,
    clients: Arc<RwLock<HashMap<String, ClientInfo>>>,
}

#[dbus_interface(name = "org.projectatomic.aptostree1.Sysroot")]
impl AptOstreeDaemon {
    async fn get_booted(&self) -> zbus::fdo::Result<zbus::zvariant::OwnedObjectPath> {
        // Implementation
    }
    
    async fn get_path(&self) -> zbus::fdo::Result<String> {
        Ok("/".to_string())
    }
    
    async fn get_active_transaction(&self) -> zbus::fdo::Result<(String, String, String)> {
        // Implementation
    }
    
    async fn get_deployments(&self) -> zbus::fdo::Result<Vec<HashMap<String, zbus::zvariant::Value>>> {
        // Implementation
    }
    
    async fn register_client(
        &self,
        options: HashMap<String, zbus::zvariant::Value>,
    ) -> zbus::fdo::Result<()> {
        // Implementation
    }
    
    async fn unregister_client(
        &self,
        options: HashMap<String, zbus::zvariant::Value>,
    ) -> zbus::fdo::Result<()> {
        // Implementation
    }
    
    async fn reload(&self) -> zbus::fdo::Result<()> {
        // Implementation
    }
    
    async fn reload_config(&self) -> zbus::fdo::Result<()> {
        // Implementation
    }
    
    async fn get_os(&self, name: &str) -> zbus::fdo::Result<zbus::zvariant::OwnedObjectPath> {
        // Implementation
    }
}
```

### **2.2 Transaction Management**
```rust
// daemon/src/transaction.rs
use serde::{Deserialize, Serialize};
use uuid::Uuid;
use chrono::{DateTime, Utc};
use zbus::zvariant::{Type, Value};

#[derive(Debug, Clone, Serialize, Deserialize, Type)]
pub struct Transaction {
    pub id: String,
    pub state: TransactionState,
    pub operations: Vec<Operation>,
    pub created_at: DateTime<Utc>,
    pub updated_at: DateTime<Utc>,
    pub user_id: u32,
    pub session_id: String,
    pub title: String,
    pub client_description: String,
    pub sysroot_path: String,
    pub sysroot_locked: bool,
}

#[derive(Debug, Clone, Serialize, Deserialize, Type)]
pub enum TransactionState {
    Created,
    InProgress,
    Committed,
    Failed,
    RolledBack,
    Cancelled,
}

#[derive(Debug, Clone, Serialize, Deserialize, Type)]
pub enum Operation {
    InstallPackage { name: String, version: String },
    RemovePackage { name: String },
    UpdateSystem,
    DeployCommit { commit: String },
    RollbackDeployment,
    SetKernelArgs { added: Vec<String>, removed: Vec<String> },
    SetInitramfsState { regenerate: bool, args: Vec<String> },
}

impl Transaction {
    pub fn new(user_id: u32, session_id: String, title: String, client_description: String) -> Self {
        Self {
            id: Uuid::new_v4().to_string(),
            state: TransactionState::Created,
            operations: Vec::new(),
            created_at: Utc::now(),
            updated_at: Utc::now(),
            user_id,
            session_id,
            title,
            client_description,
            sysroot_path: "/".to_string(),
            sysroot_locked: false,
        }
    }
    
    pub fn add_operation(&mut self, operation: Operation) {
        self.operations.push(operation);
        self.updated_at = Utc::now();
    }
    
    pub async fn execute(&mut self, daemon: &AptOstreeDaemon) -> Result<(), TransactionError> {
        self.state = TransactionState::InProgress;
        
        // Lock sysroot
        self.sysroot_locked = true;
        
        // Execute operations
        for operation in &self.operations {
            match operation {
                Operation::InstallPackage { name, version } => {
                    daemon.install_package(name, version).await?;
                }
                Operation::RemovePackage { name } => {
                    daemon.remove_package(name).await?;
                }
                Operation::UpdateSystem => {
                    daemon.update_system().await?;
                }
                // ... other operations
            }
        }
        
        self.state = TransactionState::Committed;
        self.sysroot_locked = false;
        Ok(())
    }
    
    pub async fn rollback(&mut self, daemon: &AptOstreeDaemon) -> Result<(), TransactionError> {
        self.state = TransactionState::RolledBack;
        self.sysroot_locked = false;
        
        // Implement rollback logic
        Ok(())
    }
}
```

### **2.3 OSTree Operations in Daemon**
```rust
// daemon/src/ostree.rs
use ostree::Repo;
use std::path::PathBuf;
use tokio::sync::RwLock;

pub struct OstreeManager {
    repo: Arc<RwLock<Repo>>,
    sysroot_path: PathBuf,
}

impl OstreeManager {
    pub async fn new(sysroot_path: PathBuf) -> Result<Self, OstreeError> {
        let repo = Repo::new(&sysroot_path.join("ostree/repo"))?;
        repo.open()?;
        
        Ok(Self {
            repo: Arc::new(RwLock::new(repo)),
            sysroot_path,
        })
    }
    
    pub async fn create_staging_deployment(&self) -> Result<String, OstreeError> {
        // Create staging deployment
        // Return deployment reference
    }
    
    pub async fn install_packages_in_staging(
        &self,
        staging_ref: &str,
        packages: &[String],
    ) -> Result<(), OstreeError> {
        // Install packages in staging deployment
        // Handle dependencies
        // Resolve conflicts
    }
    
    pub async fn commit_staging_deployment(
        &self,
        staging_ref: &str,
        message: &str,
    ) -> Result<String, OstreeError> {
        // Commit staging deployment
        // Return new commit hash
    }
    
    pub async fn deploy_commit(&self, commit: &str) -> Result<(), OstreeError> {
        // Deploy specific commit
        // Update bootloader if needed
    }
    
    pub async fn list_deployments(&self) -> Result<Vec<DeploymentInfo>, OstreeError> {
        // List all deployments
        // Return deployment information
    }
    
    pub async fn get_booted_deployment(&self) -> Result<Option<DeploymentInfo>, OstreeError> {
        // Get currently booted deployment
    }
}
```

### **2.4 APT Package Management**
```rust
// daemon/src/apt.rs
use apt_pkg_native::Cache;
use std::sync::Arc;
use tokio::sync::RwLock;

pub struct AptManager {
    cache: Arc<RwLock<Cache>>,
}

impl AptManager {
    pub async fn new() -> Result<Self, AptError> {
        let cache = Cache::new()?;
        
        Ok(Self {
            cache: Arc::new(RwLock::new(cache)),
        })
    }
    
    pub async fn resolve_package_dependencies(
        &self,
        package_name: &str,
    ) -> Result<Vec<PackageInfo>, AptError> {
        // Resolve package dependencies
        // Handle conflicts
        // Return dependency list
    }
    
    pub async fn download_package(
        &self,
        package_name: &str,
    ) -> Result<PathBuf, AptError> {
        // Download package file
        // Return local path
    }
    
    pub async fn extract_package(
        &self,
        package_path: &Path,
        extract_path: &Path,
    ) -> Result<(), AptError> {
        // Extract DEB package
        // Handle file conflicts
    }
    
    pub async fn calculate_package_impact(
        &self,
        packages: &[String],
    ) -> Result<PackageImpact, AptError> {
        // Calculate system changes
        // Identify conflicts
        // Estimate space requirements
    }
}

#[derive(Debug, Clone)]
pub struct PackageImpact {
    pub files_added: Vec<String>,
    pub files_removed: Vec<String>,
    pub files_modified: Vec<String>,
    pub space_required: u64,
    pub space_freed: u64,
    pub dependencies_added: Vec<String>,
    pub dependencies_removed: Vec<String>,
    pub conflicts: Vec<String>,
}
```

## 🔐 **Phase 3: Security & Privileges (Week 3-4)**

### **3.1 Polkit Integration**
```rust
// daemon/src/security.rs
use zbus::dbus_interface;
use std::collections::HashMap;

pub struct SecurityManager {
    polkit_authority: polkit::Authority,
}

impl SecurityManager {
    pub fn new() -> Result<Self, SecurityError> {
        let authority = polkit::Authority::get_local()?;
        
        Ok(Self {
            polkit_authority,
        })
    }
    
    pub async fn check_authorization(
        &self,
        action: &str,
        user_id: u32,
        details: HashMap<String, String>,
    ) -> Result<bool, SecurityError> {
        let subject = polkit::UnixProcess::new(
            std::process::id(),
            std::time::SystemTime::now(),
        );
        
        let result = self.polkit_authority
            .check_authorization(
                action,
                &subject,
                polkit::CheckAuthorizationFlags::NONE,
            )
            .await?;
        
        Ok(result.is_authorized())
    }
    
    pub async fn authorize_package_install(
        &self,
        user_id: u32,
        packages: &[String],
    ) -> Result<bool, SecurityError> {
        let mut details = HashMap::new();
        details.insert("packages".to_string(), packages.join(","));
        
        self.check_authorization(
            "org.projectatomic.aptostree.install-uninstall-packages",
            user_id,
            details,
        ).await
    }
    
    pub async fn authorize_system_update(
        &self,
        user_id: u32,
    ) -> Result<bool, SecurityError> {
        self.check_authorization(
            "org.projectatomic.aptostree.upgrade",
            user_id,
            HashMap::new(),
        ).await
    }
    
    pub async fn authorize_boot_config(
        &self,
        user_id: u32,
    ) -> Result<bool, SecurityError> {
        self.check_authorization(
            "org.projectatomic.aptostree.bootconfig",
            user_id,
            HashMap::new(),
        ).await
    }
}
```

### **3.2 Polkit Policy File**
```xml
<!-- /usr/share/polkit-1/actions/org.projectatomic.aptostree.policy -->
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
<policyconfig>

  <vendor>apt-ostree</vendor>
  <vendor_url>https://github.com/particle-os/apt-ostree</vendor_url>
  <icon_name>package-x-generic</icon_name>

  <action id="org.projectatomic.aptostree.install-uninstall-packages">
    <description>Install and remove packages</description>
    <message>Authentication is required to install and remove software</message>
    <icon_name>package-x-generic</icon_name>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>

  <action id="org.projectatomic.aptostree.install-local-packages">
    <description>Install local packages</description>
    <message>Authentication is required to install software</message>
    <icon_name>package-x-generic</icon_name>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>

  <action id="org.projectatomic.aptostree.override">
    <description>Override packages</description>
    <message>Authentication is required to override base OS software</message>
    <icon_name>package-x-generic</icon_name>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>

  <action id="org.projectatomic.aptostree.deploy">
    <description>Update base OS</description>
    <message>Authentication is required to update software</message>
    <icon_name>package-x-generic</icon_name>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>

  <action id="org.projectatomic.aptostree.upgrade">
    <description>Update base OS</description>
    <message>Authentication is required to update software</message>
    <icon_name>package-x-generic</icon_name>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>

  <action id="org.projectatomic.aptostree.rebase">
    <description>Switch to a different base OS</description>
    <message>Authentication is required to switch to a different base OS</message>
    <icon_name>package-x-generic</icon_name>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>

  <action id="org.projectatomic.aptostree.rollback">
    <description>Rollback OS updates</description>
    <message>Authentication is required to roll back software updates</message>
    <icon_name>package-x-generic</icon_name>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>

  <action id="org.projectatomic.aptostree.bootconfig">
    <description>Change boot configuration</description>
    <message>Authentication is required to change boot configuration</message>
    <icon_name>package-x-generic</icon_name>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>

  <action id="org.projectatomic.aptostree.reload-daemon">
    <description>Reload the daemon state</description>
    <message>Authentication is required to reload the daemon</message>
    <icon_name>package-x-generic</icon_name>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>

  <action id="org.projectatomic.aptostree.cleanup">
    <description>Clean up system data</description>
    <message>Authentication is required to clean up system data</message>
    <icon_name>package-x-generic</icon_name>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
</policyconfig>
```

## 🔌 **Phase 4: Client Integration (Week 4-5)**

### **4.1 DBus Client Implementation**
```rust
// src/client/dbus.rs
use zbus::Connection;
use serde::{Deserialize, Serialize};

pub struct AptOstreeClient {
    connection: Connection,
    proxy: zbus::Proxy<'static>,
}

impl AptOstreeClient {
    pub async fn new() -> Result<Self, ClientError> {
        let connection = Connection::system().await?;
        let proxy = zbus::Proxy::new(
            &connection,
            "org.projectatomic.aptostree1",
            "/org/projectatomic/aptostree1/Sysroot",
            "org.projectatomic.aptostree1.Sysroot",
        ).await?;
        
        Ok(Self {
            connection,
            proxy,
        })
    }
    
    pub async fn get_deployments(&self) -> Result<Vec<DeploymentInfo>, ClientError> {
        let result: Vec<DeploymentInfo> = self.proxy
            .call_method("GetDeployments", &())
            .await?
            .body()?;
        
        Ok(result)
    }
    
    pub async fn create_transaction(&self) -> Result<String, ClientError> {
        let result: String = self.proxy
            .call_method("CreateTransaction", &())
            .await?
            .body()?;
        
        Ok(result)
    }
    
    pub async fn install_packages(
        &self,
        transaction_id: &str,
        packages: Vec<String>,
    ) -> Result<bool, ClientError> {
        let result: bool = self.proxy
            .call_method("InstallPackages", &(transaction_id, packages))
            .await?
            .body()?;
        
        Ok(result)
    }
    
    pub async fn upgrade_system(&self) -> Result<String, ClientError> {
        let options = HashMap::new();
        let result: String = self.proxy
            .call_method("Upgrade", &(options,))
            .await?
            .body()?;
        
        Ok(result)
    }
    
    pub async fn rollback_system(&self) -> Result<String, ClientError> {
        let options = HashMap::new();
        let result: String = self.proxy
            .call_method("Rollback", &(options,))
            .await?
            .body()?;
        
        Ok(result)
    }
}
```

### **4.2 Updated CLI Commands**
```rust
// src/main.rs (updated)
async fn install_package(package_name: &str) -> AptOstreeResult<()> {
    info!("Installing package: {}", package_name);
    
    // Connect to daemon
    let client = AptOstreeClient::new().await?;
    
    // Create transaction
    let transaction_id = client.create_transaction().await?;
    println!("📋 Created transaction: {}", transaction_id);
    
    // Install package
    let success = client.install_packages(
        &transaction_id,
        vec![package_name.to_string()],
    ).await?;
    
    if success {
        // Commit transaction
        let committed = client.commit_transaction(&transaction_id).await?;
        if committed {
            println!("✅ Package installed successfully!");
        } else {
            println!("❌ Failed to commit transaction");
        }
    } else {
        println!("❌ Failed to install package");
    }
    
    Ok(())
}

async fn upgrade_system() -> AptOstreeResult<()> {
    info!("Upgrading system");
    
    let client = AptOstreeClient::new().await?;
    
    // Start upgrade transaction
    let transaction_id = client.upgrade_system().await?;
    println!("🚀 Started system upgrade: {}", transaction_id);
    
    // Monitor progress
    client.monitor_transaction(&transaction_id).await?;
    
    Ok(())
}

async fn rollback_system() -> AptOstreeResult<()> {
    info!("Rolling back system");
    
    let client = AptOstreeClient::new().await?;
    
    // Start rollback transaction
    let transaction_id = client.rollback_system().await?;
    println!("⏪ Started system rollback: {}", transaction_id);
    
    // Monitor progress
    client.monitor_transaction(&transaction_id).await?;
    
    Ok(())
}
```

## 🚀 **Phase 5: System Integration (Week 5-6)**

### **5.1 Systemd Service Files**
```ini
# /etc/systemd/system/apt-ostreed.service
[Unit]
Description=APT OSTree Daemon
Documentation=man:apt-ostreed(8)
After=network.target ostree-remount.service
RequiresMountsFor=/boot
ConditionPathExists=/ostree

[Service]
Type=notify
ExecStart=/usr/bin/apt-ostreed
Restart=on-failure
RestartSec=5
User=apt-ostree
DynamicUser=yes
NotifyAccess=main

# Security settings
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/ostree /var/lib/apt-ostree /var/cache/apt-ostree
PrivateTmp=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true

# Significantly bump this timeout from the default because
# we do a lot of stuff on daemon startup.
TimeoutStartSec=5m

# Environment
Environment="DOWNLOAD_FILELISTS=false"
Environment="APT_CONFIG=/etc/apt/apt.conf.d/apt-ostree.conf"

[Install]
WantedBy=multi-user.target
```

### **5.2 Socket Activation**
```ini
# /etc/systemd/system/apt-ostreed.socket
[Unit]
Description=APT OSTree Daemon Socket
Documentation=man:apt-ostreed(8)

[Socket]
ListenStream=/run/apt-ostreed.sock
SocketUser=apt-ostree
SocketGroup=apt-ostree
SocketMode=0660

[Install]
WantedBy=sockets.target
```

### **5.3 Configuration Files**
```ini
# /etc/apt-ostreed/apt-ostreed.conf
[Daemon]
# Idle exit timeout in seconds (0 = never exit)
IdleExitTimeout = 300

# Automatic update policy: none, check, stage
AutomaticUpdatePolicy = none

# Lock package layering (prevent new package installations)
LockLayering = false

# Disable recommends during package installation
DisableRecommends = false

# Maximum concurrent downloads
MaxConcurrentDownloads = 5

# Download timeout in seconds
DownloadTimeout = 300

[Experimental]
# Enable experimental features
Enabled = false

# Enable live filesystem operations
LiveFs = false
```

## 🧪 **Phase 6: Testing & Validation (Week 6)**

### **6.1 Unit Tests**
```rust
#[cfg(test)]
mod tests {
    use super::*;
    
    #[tokio::test]
    async fn test_transaction_creation() {
        let daemon = AptOstreeDaemon::new().await.unwrap();
        let transaction_id = daemon.create_transaction().await.unwrap();
        assert!(!transaction_id.is_empty());
    }
    
    #[tokio::test]
    async fn test_package_installation() {
        let daemon = AptOstreeDaemon::new().await.unwrap();
        let transaction_id = daemon.create_transaction().await.unwrap();
        
        let success = daemon.install_packages(
            &transaction_id,
            vec!["test-package".to_string()],
        ).await.unwrap();
        
        assert!(success);
    }
    
    #[tokio::test]
    async fn test_security_authorization() {
        let security = SecurityManager::new().unwrap();
        
        let authorized = security.authorize_package_install(
            1000,
            &["test-package".to_string()],
        ).await.unwrap();
        
        // Should require authentication
        assert!(!authorized);
    }
}
```

### **6.2 Integration Tests**
```rust
#[tokio::test]
async fn test_full_workflow() {
    // Start daemon
    let daemon_handle = tokio::spawn(run_daemon());
    
    // Wait for daemon to be ready
    tokio::time::sleep(tokio::time::Duration::from_millis(100)).await;
    
    // Test client operations
    let client = AptOstreeClient::new().await.unwrap();
    
    // Create transaction
    let transaction_id = client.create_transaction().await.unwrap();
    
    // Install package
    let success = client.install_packages(
        &transaction_id,
        vec!["test-package".to_string()],
    ).await.unwrap();
    
    assert!(success);
    
    // Commit transaction
    let committed = client.commit_transaction(&transaction_id).await.unwrap();
    assert!(committed);
    
    // Cleanup
    daemon_handle.abort();
}
```

### **6.3 System Tests**
```rust
#[tokio::test]
async fn test_ostree_integration() {
    // Test in real OSTree environment
    let ostree_manager = OstreeManager::new(PathBuf::from("/")).await.unwrap();
    
    // Test deployment listing
    let deployments = ostree_manager.list_deployments().await.unwrap();
    assert!(!deployments.is_empty());
    
    // Test booted deployment
    let booted = ostree_manager.get_booted_deployment().await.unwrap();
    assert!(booted.is_some());
}

#[tokio::test]
async fn test_apt_integration() {
    // Test APT package resolution
    let apt_manager = AptManager::new().await.unwrap();
    
    // Test dependency resolution
    let deps = apt_manager.resolve_package_dependencies("curl").await.unwrap();
    assert!(!deps.is_empty());
}
```

## 📊 **Implementation Timeline & Milestones**

| Week | Phase | Focus | Deliverables | Success Criteria |
|------|-------|-------|--------------|------------------|
| 1-2  | Foundation | Project structure, dependencies, DBus interface | Basic daemon skeleton, DBus interface definition | Daemon compiles and starts |
| 2-3  | Core Implementation | Transaction management, OSTree operations, APT integration | Working daemon with basic operations | Can create transactions and perform basic operations |
| 3-4  | Security | Polkit integration, privilege management, security policies | Secure daemon with proper authorization | All privileged operations require authentication |
| 4-5  | Client Integration | DBus client, updated CLI, full communication | Full client-daemon communication | CLI commands work through daemon |
| 5-6  | System Integration | Systemd services, configuration, installation | Production-ready daemon | Daemon runs as system service |
| 6    | Testing | Unit tests, integration tests, system validation | Validated and tested system | All tests pass, system stable |

## 🎯 **Key Success Metrics**

### **Functional Requirements**
- ✅ All rpm-ostree equivalent commands implemented
- ✅ Full DBus interface compatibility
- ✅ Secure privilege escalation
- ✅ Transaction-based operations
- ✅ Progress monitoring and reporting

### **Performance Requirements**
- 🚀 Transaction startup < 100ms
- 🚀 Package installation < 5s per package
- 🚀 System upgrade < 2 minutes
- 🚀 Memory usage < 100MB
- 🚀 CPU usage < 5% during idle

### **Reliability Requirements**
- 🔒 99.9% uptime
- 🔒 Automatic error recovery
- 🔒 Transaction rollback on failure
- 🔒 Graceful degradation
- 🔒 Comprehensive logging

## 🚨 **Risk Mitigation**

### **Technical Risks**
1. **DBus Complexity**: Mitigated by thorough testing and incremental implementation
2. **Security Vulnerabilities**: Mitigated by Polkit integration and privilege isolation
3. **Performance Issues**: Mitigated by async operations and efficient data structures
4. **Integration Challenges**: Mitigated by modular design and clear interfaces

### **Operational Risks**
1. **System Instability**: Mitigated by transaction-based operations and rollback
2. **User Experience**: Mitigated by progress reporting and clear error messages
3. **Maintenance Overhead**: Mitigated by comprehensive testing and documentation
4. **Deployment Complexity**: Mitigated by automated installation scripts

## 🔮 **Future Enhancements**

### **Phase 7: Advanced Features (Week 7-8)**
1. **Live Updates**: Apply changes without reboot
2. **Delta Updates**: Efficient update delivery
3. **Rollback Points**: Multiple rollback targets
4. **Package Variants**: Alternative package versions

### **Phase 8: Performance & Scale (Week 9-10)**
1. **Parallel Operations**: Concurrent package processing
2. **Caching System**: Intelligent result caching
3. **Network Optimization**: Efficient repository access
4. **Resource Management**: Dynamic resource allocation

### **Phase 9: Monitoring & Analytics (Week 11-12)**
1. **System Metrics**: Performance monitoring
2. **Usage Analytics**: User behavior tracking
3. **Predictive Updates**: Smart update scheduling
4. **Health Checks**: System health monitoring

This comprehensive plan provides a solid foundation for implementing a production-ready daemon that maintains full compatibility with the rpm-ostree ecosystem while leveraging the strengths of the Debian/Ubuntu package management system.