P2: Service-aware upgrade coordination (stop/start service safely)

[Kinin-Code-Offical]

Closes #27

Summary

• Makes install/update service-aware: if the Windows Service is running, stop it before replacing the proxy binary and restart it afterwards.
• Hardens proxy downloads by writing to a temp file, verifying checksum, then atomically replacing the target exe.

Local tests

• npm ci (PASS)
• npm run lint (PASS)
• npm test (PASS)
• npm run build (PASS)
• npm run docs:check (PASS)

Rollback

• Revert this PR.

Summary by Sourcery

Make proxy installation and update service-aware and harden the proxy download process with checksum-verified, atomic replacement.

New Features:

• Add service-aware behavior to install and update commands by stopping a running Windows service before updating the proxy and restarting it afterward when applicable.

Enhancements:

• Improve proxy download robustness by using a temporary file, verifying its checksum, and atomically moving it into place, with cleanup on failure.

[sourcery-ai]

Reviewer's Guide

Coordinates proxy install/update with the Windows Service by stopping it before modifying the proxy binary and attempting a restart afterward, and hardens proxy downloads by using a temporary file with checksum verification before atomically replacing the final executable.

Sequence diagram for service-aware proxy installation workflow

sequenceDiagram
    actor User
    participant CLI as InstallCommand
    participant Service as WindowsService
    participant Proxy as ProxyProcess
    participant Updater as UpdaterModule

    User->>CLI: run install
    CLI->>Service: isServiceInstalled
    Service-->>CLI: boolean
    CLI->>Service: isServiceRunning (if installed)
    Service-->>CLI: boolean serviceWasRunning
    alt serviceWasRunning
        CLI->>Service: stopService
        Service-->>CLI: stopped
    end

    CLI->>Proxy: isRunning
    Proxy-->>CLI: boolean
    alt proxyRunning
        CLI->>Proxy: stopProxy
        Proxy-->>CLI: stopped
    end

    CLI->>Updater: getLatestVersion (optional)
    Updater-->>CLI: version
    CLI->>Updater: downloadProxy(version, targetPath)
    Updater-->>CLI: success or error

    alt install success
        CLI-->>User: log Installation complete
    else install failure
        CLI-->>User: log Installation failed
        CLI->>CLI: process.exit(1)
    end

    opt serviceWasRunning and stopService succeeded
        CLI->>Service: startService (in finally block)
        Service-->>CLI: started or error
        alt restart error
            CLI-->>User: log Failed to restart Windows Service
        end
    end

Loading

Sequence diagram for hardened proxy download and atomic replacement

sequenceDiagram
    participant Caller as UpdaterCaller
    participant Updater as UpdaterModule
    participant FS as FileSystem
    participant HTTP as Axios
    participant Logger as Logger

    Caller->>Updater: downloadProxy(version, targetPath)
    Updater->>FS: ensureDir(dirname(targetPath))
    FS-->>Updater: ok

    Updater->>FS: remove(`${targetPath}.download`)
    FS-->>Updater: ok
    Updater->>FS: createWriteStream(tmpPath)
    FS-->>Updater: writer

    Updater->>HTTP: GET downloadUrl (stream)
    HTTP-->>Updater: responseStream

    Updater->>FS: pipe responseStream.data to writer
    Updater->>Updater: await writer finish
    Updater->>Logger: info Download complete

    Updater->>Logger: info Verifying checksum
    Updater->>Updater: verifyChecksum(tmpPath, expectedChecksum)
    Updater-->>Updater: isValid
    alt checksum ok
        Updater->>Logger: info Checksum verified
        Updater->>FS: move(tmpPath, targetPath, overwrite=true)
        FS-->>Updater: ok
        Updater-->>Caller: success
    else checksum failed or other error
        Updater->>Logger: warn Failed to download/verify proxy
        Updater->>FS: remove(tmpPath)
        FS-->>Updater: ok
        Updater-->>Caller: throw error
    end

Loading

Class diagram for updated updater and service-aware commands

classDiagram
    class UpdaterModule {
        +downloadProxy(version string, targetPath string) Promise~void~
        +getLatestVersion() Promise~string~
        -verifyChecksum(filePath string, expectedChecksum string) Promise~boolean~
    }

    class InstallCommandModule {
        +installCommand Command
    }

    class UpdateCommandModule {
        +updateCommand Command
    }

    class ServiceModule {
        +isServiceInstalled() Promise~boolean~
        +isServiceRunning() Promise~boolean~
        +startService() Promise~void~
        +stopService() Promise~void~
    }

    class ProxyModule {
        +isRunning() Promise~boolean~
        +stopProxy() Promise~void~
    }

    class LoggerModule {
        +info(message string, meta any) void
        +warn(message string, meta any) void
        +error(message string, meta any) void
    }

    InstallCommandModule --> UpdaterModule : uses
    InstallCommandModule --> ServiceModule : coordinates
    InstallCommandModule --> ProxyModule : coordinates
    InstallCommandModule --> LoggerModule : logs

    UpdateCommandModule --> UpdaterModule : uses
    UpdateCommandModule --> ServiceModule : coordinates
    UpdateCommandModule --> ProxyModule : coordinates
    UpdateCommandModule --> LoggerModule : logs

    UpdaterModule --> LoggerModule : logs

Loading

File-Level Changes

Change	Details	Files
Harden proxy binary download and checksum verification using a temporary file and atomic replace.	Write downloaded proxy data to a temporary .download file instead of the final target path Pipe the HTTP response stream into the temporary file and wait for the write to finish Run checksum verification against the temporary file and, on success, move it over the target path with overwrite enabled for an atomic replacement On any download or verification error, log a generic proxy download/verify failure, remove the temporary file, and rethrow the error	src/core/updater.ts
Make proxy installation service-aware by stopping a running Windows Service before install and attempting to restart it afterward.	Query whether the Windows Service is installed and currently running at the start of the install command If the service is running, stop it before stopping any running proxy process and performing the download/install Track whether the service was actually stopped so the finally block can attempt a restart only in that case In the finally block, attempt to restart the Windows Service and log a warning if restart fails without failing the whole command	src/commands/install.ts
Make proxy updates service-aware by stopping a running Windows Service before update and attempting to restart it afterward.	Query whether the Windows Service is installed and currently running at the start of the update command If the service is running, stop it before stopping any running proxy process and performing the download/update Track whether the service was actually stopped so the finally block can attempt a restart only in that case In the finally block, attempt to restart the Windows Service and log a warning if restart fails without failing the whole command	src/commands/update.ts

Assessment against linked issues

Issue	Objective	Addressed	Explanation
#27	Ensure the installer coordinates with the Windows Service by stopping the service before installing/upgrading the proxy binary.	✅
#27	Ensure the installer safely restarts the Windows Service after the install/upgrade attempt completes.	✅

Possibly linked issues

• P2: Service-aware upgrade coordination (stop/start service safely) #27: PR implements the service-aware stop/start of the Windows Service during install/update exactly as the issue requests.

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've found 2 issues, and left some high level feedback:

• The service stop/start logic in installCommand and updateCommand is nearly identical; consider extracting this into a shared helper (e.g., withServiceStopped(fn)) to reduce duplication and keep behavior consistent between commands.
• In downloadProxy, you currently only attach error handling to the write stream; it would be safer to also handle errors on the HTTP response stream (e.g., responseStream.data.on('error', ...)) to ensure the temporary file is cleaned up if the download stream fails before the writer emits an error.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The service stop/start logic in `installCommand` and `updateCommand` is nearly identical; consider extracting this into a shared helper (e.g., `withServiceStopped(fn)`) to reduce duplication and keep behavior consistent between commands.
- In `downloadProxy`, you currently only attach error handling to the write stream; it would be safer to also handle errors on the HTTP response stream (e.g., `responseStream.data.on('error', ...)`) to ensure the temporary file is cleaned up if the download stream fails before the `writer` emits an error.

## Individual Comments

### Comment 1
<location> `src/core/updater.ts:64-68` </location>
<code_context>
+        const tmpPath = `${targetPath}.download`;
+        await fs.remove(tmpPath);
+
+        const writer = fs.createWriteStream(tmpPath);
         const responseStream = await axios({
             url: downloadUrl,
             method: 'GET',
             responseType: 'stream'
         });

-        responseStream.data.pipe(writer);
-
-        await new Promise((resolve, reject) => {
</code_context>

<issue_to_address>
**issue (bug_risk):** Handle errors from the HTTP response stream to avoid hanging on download failures.

The awaited promise only subscribes to `writer` events, so errors from `responseStream.data` are ignored. If the readable stream errors, the writable may never emit `finish`/`error`, leaving `downloadProxy` stuck on failed requests.

Add an `error` listener on `responseStream.data` that rejects the promise (and/or closes `writer`), or use `stream.pipeline` (optionally `promisified`) to handle backpressure and propagate errors in one place.
</issue_to_address>

### Comment 2
<location> `src/commands/install.ts:11-20` </location>
<code_context>
     .description('Download and install Cloud SQL Proxy')
     .option('-v, --version <version>', 'Specific version to install')
     .action(async (options) => {
+        const serviceInstalled = await isServiceInstalled();
+        const serviceWasRunning = serviceInstalled && await isServiceRunning();
+        let serviceStopped = false;
</code_context>

<issue_to_address>
**suggestion:** Consider extracting the repeated Windows service stop/start logic into a shared helper.

This lifecycle (`isServiceInstalled` → `isServiceRunning` → `stopService` → `startService`, with `serviceWasRunning`/`serviceStopped` and logging) is duplicated in both `install` and `update`. A shared helper (e.g., taking an async callback to run while the service is stopped) would reduce duplication and keep service-management behavior consistent as it evolves.

Suggested implementation:

```typescript
import { getLatestVersion, downloadProxy } from '../core/updater.js';
import { logger } from '../core/logger.js';
import { isRunning, stopProxy } from '../core/proxy.js';
import { isServiceInstalled, isServiceRunning, startService, stopService } from '../system/service.js';

async function withServiceStoppedDuring(
    phase: string,
    fn: () => Promise<void>,
): Promise<void> {
    const serviceInstalled = await isServiceInstalled();
    const serviceWasRunning = serviceInstalled && await isServiceRunning();
    let serviceStopped = false;

    try {
        if (serviceWasRunning) {
            logger.info(`Stopping Windows Service before ${phase}...`);
            await stopService();
            serviceStopped = true;
        }

        await fn();
    } finally {
        if (serviceStopped) {
            logger.info(`Starting Windows Service after ${phase}...`);
            await startService();
        }
    }
}

```

```typescript
export const installCommand = new Command('install')
    .description('Download and install Cloud SQL Proxy')
    .option('-v, --version <version>', 'Specific version to install')
    .action(async (options) => {
        await withServiceStoppedDuring('installation', async () => {
            if (await isRunning()) {
                logger.info('Stopping running proxy before installation...');

```

Because only part of the file is visible, you’ll need to:

1. **Inside `installCommand`**  
   - Move all the existing install logic that should run while the service is stopped (everything that currently follows the `if (await isRunning()) { ... }` block and is inside the same `try` as the `stopService` call) into the callback passed to `withServiceStoppedDuring('installation', async () => { ... })`.
   - Remove the original `try { ... } finally { ... }` that manages `serviceStopped` and calls `startService()`; that is now handled by `withServiceStoppedDuring`.

2. **In the `update` command (likely in the same file or a sibling command file)**
   - Identify the duplicated Windows service lifecycle logic:
     - `const serviceInstalled = await isServiceInstalled();`
     - `const serviceWasRunning = serviceInstalled && await isServiceRunning();`
     - `let serviceStopped = false;`
     - `stopService()` / `startService()` and related logging.
   - Replace that block with `await withServiceStoppedDuring('update', async () => { /* existing update logic */ });`, moving the update logic into the callback and removing the now-unnecessary local service lifecycle code.

3. **Logging messages**
   - If the `update` command uses slightly different log messages today (e.g., “before update” vs another wording), adjust the `phase` string argument (`'update'`, `'installation'`, etc.) or, if needed, extend `withServiceStoppedDuring` to accept custom log messages while preserving shared behavior.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sourcery-ai]

issue (bug_risk): Handle errors from the HTTP response stream to avoid hanging on download failures.

The awaited promise only subscribes to writer events, so errors from responseStream.data are ignored. If the readable stream errors, the writable may never emit finish/error, leaving downloadProxy stuck on failed requests.

Add an error listener on responseStream.data that rejects the promise (and/or closes writer), or use stream.pipeline (optionally promisified) to handle backpressure and propagate errors in one place.

[Copilot]

Pull request overview

This pull request adds service-aware upgrade coordination for the Cloud SQL Proxy Windows service, ensuring safe stop/start operations during install and update commands. The changes also harden the proxy download process by using atomic file operations.

Key changes:

• Enhanced download process with temporary file staging, checksum verification, and atomic file replacement
• Added service-aware logic to install and update commands that stops the Windows Service before replacing the binary and restarts it afterwards
• Improved error handling and cleanup for failed download/verification operations

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File	Description
src/core/updater.ts	Hardens download process by writing to temporary file, verifying checksum, then atomically moving to target location with improved error handling
src/commands/update.ts	Adds service-aware update logic that stops Windows Service before update and restarts it in finally block to maintain system state
src/commands/install.ts	Adds service-aware installation logic that stops Windows Service before installation and restarts it in finally block to maintain system state

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Stream pipe without error handling on the source stream. Errors won't propagate downstream and may be silently dropped.