Migration Runbook: External Agent To Garcard
Scope
Move from another desktop polkit agent (for example polkit-kde-agent-1, lxqt-policykit-agent, mate-polkit) to garcard.
Preconditions
garcardandgarcardctlare installed or runnable from this workspace.- You have a user session with access to polkit prompts.
- Existing external polkit agent service is known.
Steps
- Stop and disable the existing agent for the user session.
- Example:
systemctl --user disable --now lxqt-policykit-agent.servicesystemctl --user disable --now polkit-kde-authentication-agent-1.service
- Example:
- Install and enable
garcarduser service.install -Dm644 garcard.service ~/.config/systemd/user/garcard.servicesystemctl --user daemon-reloadsystemctl --user enable --now garcard.service
- Verify control plane reachability.
garcardctl pinggarcardctl statusgarcardctl diagnose
- Trigger an auth challenge.
pkcheck --allow-user-interaction --process $$ --action-id com.mesonbuild.install.run
- Validate lifecycle controls.
garcardctl auth-summarygarcardctl temp-listgarcardctl temp-revoke-all
Success Criteria
- Only garcard owns the active auth-agent role in session.
- Prompt appears and accepts valid credentials.
garcardctllifecycle commands respond without permission/socket errors.
Rollback
- Disable garcard user service:
systemctl --user disable --now garcard.service
- Re-enable prior agent service:
systemctl --user enable --now <previous-agent>.service
- Re-run
pkcheck --allow-user-interaction ...to confirm prior behavior is restored.
View source
| 1 | # Migration Runbook: External Agent To Garcard |
| 2 | |
| 3 | ## Scope |
| 4 | Move from another desktop polkit agent (for example `polkit-kde-agent-1`, `lxqt-policykit-agent`, `mate-polkit`) to `garcard`. |
| 5 | |
| 6 | ## Preconditions |
| 7 | 1. `garcard` and `garcardctl` are installed or runnable from this workspace. |
| 8 | 2. You have a user session with access to polkit prompts. |
| 9 | 3. Existing external polkit agent service is known. |
| 10 | |
| 11 | ## Steps |
| 12 | 1. Stop and disable the existing agent for the user session. |
| 13 | - Example: |
| 14 | - `systemctl --user disable --now lxqt-policykit-agent.service` |
| 15 | - `systemctl --user disable --now polkit-kde-authentication-agent-1.service` |
| 16 | 2. Install and enable `garcard` user service. |
| 17 | - `install -Dm644 garcard.service ~/.config/systemd/user/garcard.service` |
| 18 | - `systemctl --user daemon-reload` |
| 19 | - `systemctl --user enable --now garcard.service` |
| 20 | 3. Verify control plane reachability. |
| 21 | - `garcardctl ping` |
| 22 | - `garcardctl status` |
| 23 | - `garcardctl diagnose` |
| 24 | 4. Trigger an auth challenge. |
| 25 | - `pkcheck --allow-user-interaction --process $$ --action-id com.mesonbuild.install.run` |
| 26 | 5. Validate lifecycle controls. |
| 27 | - `garcardctl auth-summary` |
| 28 | - `garcardctl temp-list` |
| 29 | - `garcardctl temp-revoke-all` |
| 30 | |
| 31 | ## Success Criteria |
| 32 | 1. Only garcard owns the active auth-agent role in session. |
| 33 | 2. Prompt appears and accepts valid credentials. |
| 34 | 3. `garcardctl` lifecycle commands respond without permission/socket errors. |
| 35 | |
| 36 | ## Rollback |
| 37 | 1. Disable garcard user service: |
| 38 | - `systemctl --user disable --now garcard.service` |
| 39 | 2. Re-enable prior agent service: |
| 40 | - `systemctl --user enable --now <previous-agent>.service` |
| 41 | 3. Re-run `pkcheck --allow-user-interaction ...` to confirm prior behavior is restored. |