From 543198e73060e390aa4512264c1daddc91661e90 Mon Sep 17 00:00:00 2001
From: Logan Fick <logan@logal.dev>
Date: Sun, 18 Jan 2026 10:08:57 -0500
Subject: [PATCH] Added command logging and refactored execution helpers.

---
 lib/core/common.sh       | 51 ++++++++++++++++++++++++++++++++++++++++
 lib/core/error.sh        | 10 ++++----
 lib/core/logging.sh      |  7 ++++++
 lib/desktop/kde.sh       |  8 +++----
 lib/disk/filesystem.sh   |  8 +++----
 lib/disk/luks.sh         | 14 ++++-------
 lib/system/base.sh       | 17 ++++----------
 lib/system/bootloader.sh |  8 +++----
 lib/system/locale.sh     |  8 +++----
 lib/system/network.sh    |  2 +-
 lib/system/security.sh   | 22 ++++++++---------
 lib/system/user.sh       | 12 +++++-----
 12 files changed, 107 insertions(+), 60 deletions(-)

diff --git a/lib/core/common.sh b/lib/core/common.sh
index e13a7e5..baf853d 100644
--- a/lib/core/common.sh
+++ b/lib/core/common.sh
@@ -54,7 +54,9 @@ print_info() {
 
 # Run a command with gray background for its output
 # Use this for commands that produce visible output (fdisk, pacstrap, pacman, etc.)
+# Logs the command before execution for auditing
 run_visible_cmd() {
+    log_cmd "$@"
     echo -ne "${COLOR_BG_GRAY}"
     "$@"
     local exit_code=$?
@@ -62,6 +64,55 @@ run_visible_cmd() {
     return $exit_code
 }
 
+# Run a command with piped input and gray background for its output
+# Logs the command (without the piped input) before execution
+# Arguments:
+#   $1 - input to pipe to the command
+#   $@ - command and arguments
+run_piped_cmd() {
+    local input="$1"
+    shift
+    log_cmd "$@"
+    echo -ne "${COLOR_BG_GRAY}"
+    echo -n "$input" | "$@"
+    local exit_code=$?
+    echo -e "${COLOR_RESET}"
+    return $exit_code
+}
+
+# Run a command with logging only (no visual wrapper)
+# Use for commands that need stdout preserved (pipes, redirections)
+run_cmd() {
+    log_cmd "$@"
+    "$@"
+}
+
+# Run a command that is allowed to fail
+# Logs the command, suppresses stderr, and always returns success
+# Use for cleanup commands where failure is acceptable
+run_cmd_allow_fail() {
+    log_cmd "$@"
+    "$@" 2>/dev/null || true
+}
+
+# Run a command in the chroot environment with logging
+# Use for commands that don't produce visible output
+run_cmd_in_chroot() {
+    log_cmd arch-chroot "${MOUNT_POINT}" "$@"
+    arch-chroot "${MOUNT_POINT}" "$@"
+}
+
+# Run a command in the chroot environment with gray background
+# Use for commands that produce visible output (pacman, mkinitcpio, etc.)
+run_visible_cmd_in_chroot() {
+    log_cmd arch-chroot "${MOUNT_POINT}" "$@"
+    echo -ne "${COLOR_BG_GRAY}"
+    arch-chroot "${MOUNT_POINT}" "$@"
+    local exit_code=$?
+    echo -e "${COLOR_RESET}"
+    return $exit_code
+}
+
 # Print an installation step/phase header with progress indicator
 print_step() {
     local step="$1"
diff --git a/lib/core/error.sh b/lib/core/error.sh
index 2116f93..f88f90c 100644
--- a/lib/core/error.sh
+++ b/lib/core/error.sh
@@ -65,12 +65,12 @@ cleanup_on_error() {
     print_warning "Cleaning up after error..."
 
     # Unmount filesystems (ignore errors)
-    umount -R "${MOUNT_POINT}" 2>/dev/null || true
+    run_cmd_allow_fail umount -R "${MOUNT_POINT}"
 
     # Close LUKS containers (ignore errors)
-    cryptsetup close cryptroot 2>/dev/null || true
-    cryptsetup close cryptroot-primary 2>/dev/null || true
-    cryptsetup close cryptroot-secondary 2>/dev/null || true
+    run_cmd_allow_fail cryptsetup close cryptroot
+    run_cmd_allow_fail cryptsetup close cryptroot-primary
+    run_cmd_allow_fail cryptsetup close cryptroot-secondary
 
     print "Cleanup complete. You may retry the installation."
 }
@@ -91,6 +91,7 @@ safe_run() {
     local description="$1"
     shift
 
+    log_cmd "$@"
     print "  $description..."
     if ! "$@"; then
         print_error "Failed: $description"
@@ -108,6 +109,7 @@ retry() {
     local delay="$2"
     shift 2
 
+    log_cmd "$@"
     local attempt=1
     while [ $attempt -le $max_attempts ]; do
         if "$@"; then
diff --git a/lib/core/logging.sh b/lib/core/logging.sh
index 010b46e..cef0a9e 100644
--- a/lib/core/logging.sh
+++ b/lib/core/logging.sh
@@ -55,6 +55,13 @@ init_logging() {
     echo ""
 }
 
+# Log a command before execution
+# Arguments:
+#   $@ - command and arguments to log
+log_cmd() {
+    echo -e "\033[0;35m[CMD]\033[0m $*"
+}
+
 # Copy log file to installed system
 finalize_logging() {
     local final_log="${MOUNT_POINT}${LOG_FILE}"
diff --git a/lib/desktop/kde.sh b/lib/desktop/kde.sh
index c8aa4b4..7bec6ec 100644
--- a/lib/desktop/kde.sh
+++ b/lib/desktop/kde.sh
@@ -31,9 +31,9 @@ copy_desktop_skel() {
     local username="$1"
     local home_dir="${MOUNT_POINT}/home/${username}"
 
-    cp -r "${HOME_SKEL_DESKTOP_DIR}/." "${home_dir}/"
-    rm -f "${home_dir}/.gitkeep"
-    chown -R 1000:1000 "${home_dir}"
+    run_visible_cmd cp -r "${HOME_SKEL_DESKTOP_DIR}/." "${home_dir}/"
+    run_visible_cmd rm -f "${home_dir}/.gitkeep"
+    run_visible_cmd chown -R 1000:1000 "${home_dir}"
 }
 
 # Full KDE installation
@@ -45,5 +45,5 @@ install_kde() {
     install_kde_packages
     chroot_systemd_enable sddm.service
     copy_desktop_skel "$username"
-    chroot_run usermod -aG wireshark "$username"
+    run_cmd_in_chroot usermod -aG wireshark "$username"
 }
diff --git a/lib/disk/filesystem.sh b/lib/disk/filesystem.sh
index 9ba2db8..0a2bfb1 100644
--- a/lib/disk/filesystem.sh
+++ b/lib/disk/filesystem.sh
@@ -118,14 +118,14 @@ mount_root_filesystem() {
 
     case "$filesystem" in
         "ext4")
-            mount -o "noatime,discard" /dev/mapper/cryptroot "${MOUNT_POINT}"
+            run_visible_cmd mount -o "noatime,discard" /dev/mapper/cryptroot "${MOUNT_POINT}"
             ;;
 
         *)
             if [ "$storage_mode" = "raid1" ]; then
-                mount -o "noatime,discard=async" /dev/mapper/cryptroot-primary "${MOUNT_POINT}"
+                run_visible_cmd mount -o "noatime,discard=async" /dev/mapper/cryptroot-primary "${MOUNT_POINT}"
             else
-                mount -o "noatime,discard=async" /dev/mapper/cryptroot "${MOUNT_POINT}"
+                run_visible_cmd mount -o "noatime,discard=async" /dev/mapper/cryptroot "${MOUNT_POINT}"
             fi
             ;;
     esac
@@ -137,7 +137,7 @@ mount_root_filesystem() {
 mount_efi_partition() {
     local efi_partition="$1"
 
-    mount --mkdir -o "fmask=0077,dmask=0077" "$efi_partition" "${MOUNT_POINT}/boot"
+    run_visible_cmd mount --mkdir -o "fmask=0077,dmask=0077" "$efi_partition" "${MOUNT_POINT}/boot"
 }
 
 # Format and mount all filesystems
diff --git a/lib/disk/luks.sh b/lib/disk/luks.sh
index 847f635..56f34de 100644
--- a/lib/disk/luks.sh
+++ b/lib/disk/luks.sh
@@ -33,9 +33,7 @@ setup_luks_encryption() {
 
     print "Setting up encryption on ${partition}..."
 
-    # Wrapped manually (not using run_visible_cmd) due to piped password input
-    echo -ne "${COLOR_BG_GRAY}"
-    echo -n "$password" | cryptsetup luksFormat \
+    run_piped_cmd "$password" cryptsetup luksFormat \
         --type "$LUKS_TYPE" \
         --cipher "$LUKS_CIPHER" \
         --hash "$LUKS_HASH" \
@@ -47,7 +45,6 @@ setup_luks_encryption() {
         --use-urandom \
         --key-file - \
         "$partition"
-    echo -e "${COLOR_RESET}"
 }
 
 # Open (unlock) a LUKS container
@@ -62,14 +59,11 @@ open_luks_container() {
 
     print "Unlocking ${partition}..."
 
-    # Wrapped manually (not using run_visible_cmd) due to piped password input
-    echo -ne "${COLOR_BG_GRAY}"
-    echo -n "$password" | cryptsetup open \
+    run_piped_cmd "$password" cryptsetup open \
         --allow-discards \
         --key-file - \
         "$partition" \
         "$mapper_name"
-    echo -e "${COLOR_RESET}"
 }
 
 # Get the UUID of a LUKS container
@@ -80,7 +74,7 @@ open_luks_container() {
 get_luks_uuid() {
     local partition="$1"
 
-    cryptsetup luksDump "$partition" | grep 'UUID:' | awk '{print $2}'
+    run_cmd cryptsetup luksDump "$partition" | grep 'UUID:' | awk '{print $2}'
 }
 
 # Close a LUKS container
@@ -89,7 +83,7 @@ get_luks_uuid() {
 close_luks_container() {
     local mapper_name="$1"
 
-    cryptsetup close "$mapper_name" 2>/dev/null || true
+    run_cmd_allow_fail cryptsetup close "$mapper_name"
 }
 
 # Prompt for encryption password with confirmation
diff --git a/lib/system/base.sh b/lib/system/base.sh
index 1df7ad3..41997bd 100644
--- a/lib/system/base.sh
+++ b/lib/system/base.sh
@@ -20,21 +20,14 @@
 # - Runs pacstrap with base packages defined in defaults.conf
 # - Detects CPU vendor and installs appropriate microcode (Intel/AMD)
 # - Generates /etc/fstab with UUIDs
-# - Provides chroot helper functions for running commands in new system
+# - Provides high-level chroot helpers for common operations
 # - Copies configuration files from installer to target system
 
-# Run a command in the chroot environment
-# Arguments:
-#   $@ - command and arguments
-chroot_run() {
-    arch-chroot "${MOUNT_POINT}" "$@"
-}
-
 # Install packages in the chroot environment using pacman
 # Arguments:
 #   $@ - package names
 chroot_pacman_install() {
-    run_visible_cmd chroot_run pacman --noconfirm -S "$@"
+    run_visible_cmd_in_chroot pacman --noconfirm -S "$@"
 }
 
 # Enable systemd units in the chroot environment
@@ -44,7 +37,7 @@ chroot_systemd_enable() {
     for unit in "$@"; do
         print "Enabling ${unit}..."
     done
-    run_visible_cmd chroot_run systemctl enable "$@"
+    run_visible_cmd_in_chroot systemctl enable "$@"
 }
 
 # Install base Arch Linux packages
@@ -97,11 +90,11 @@ install_microcode() {
 # Generate /etc/fstab
 generate_fstab() {
     print "Generating /etc/fstab..."
-    genfstab -U "${MOUNT_POINT}" >> "${MOUNT_POINT}/etc/fstab"
+    run_cmd genfstab -U "${MOUNT_POINT}" >> "${MOUNT_POINT}/etc/fstab"
 }
 
 # Copy configuration files from installer to target system
 copy_config_files() {
     print "Installing default configuration files..."
-    cp -r "${CONFIG_SRC_DIR}" "${MOUNT_POINT}"
+    run_visible_cmd cp -r "${CONFIG_SRC_DIR}" "${MOUNT_POINT}"
 }
diff --git a/lib/system/bootloader.sh b/lib/system/bootloader.sh
index 29b1714..3c50863 100644
--- a/lib/system/bootloader.sh
+++ b/lib/system/bootloader.sh
@@ -25,7 +25,7 @@
 # Install systemd-boot bootloader
 install_bootloader() {
     print "Installing bootloader..."
-    run_visible_cmd chroot_run bootctl install
+    run_visible_cmd_in_chroot bootctl install
 }
 
 # Create boot entry for single-disk installation
@@ -34,7 +34,7 @@ install_bootloader() {
 create_boot_entry_single() {
     local luks_uuid="$1"
 
-    chroot_run sh -c "cat > /boot/loader/entries/arch.conf" <<EOF
+    run_cmd_in_chroot sh -c "cat > /boot/loader/entries/arch.conf" <<EOF
 title   Arch Linux
 linux   /vmlinuz-linux
 initrd  /initramfs-linux.img
@@ -50,7 +50,7 @@ create_boot_entry_raid1() {
     local luks_uuid_1="$1"
     local luks_uuid_2="$2"
 
-    chroot_run sh -c "cat > /boot/loader/entries/arch.conf" <<EOF
+    run_cmd_in_chroot sh -c "cat > /boot/loader/entries/arch.conf" <<EOF
 title   Arch Linux
 linux   /vmlinuz-linux
 initrd  /initramfs-linux.img
@@ -73,7 +73,7 @@ create_boot_entry() {
 
 # Configure loader.conf timeout
 configure_loader() {
-    chroot_run sed -i '/^#timeout 3/s/^#//' /boot/loader/loader.conf
+    run_cmd_in_chroot sed -i '/^#timeout 3/s/^#//' /boot/loader/loader.conf
 }
 
 # Full bootloader setup
diff --git a/lib/system/locale.sh b/lib/system/locale.sh
index efda127..c4cb0d9 100644
--- a/lib/system/locale.sh
+++ b/lib/system/locale.sh
@@ -23,9 +23,9 @@
 configure_locale() {
     print "Setting up locale..."
 
-    chroot_run sed -i '/^#.*en_US.UTF-8 UTF-8/s/^#//' /etc/locale.gen
-    run_visible_cmd chroot_run locale-gen
-    chroot_run systemd-firstboot --locale=en_US.UTF-8
+    run_cmd_in_chroot sed -i '/^#.*en_US.UTF-8 UTF-8/s/^#//' /etc/locale.gen
+    run_visible_cmd_in_chroot locale-gen
+    run_cmd_in_chroot systemd-firstboot --locale=en_US.UTF-8
 }
 
 # Run interactive firstboot setup for timezone, keymap, hostname
@@ -33,7 +33,7 @@ run_firstboot() {
     print "Entering first time setup..."
     print "Your keymap is probably 'us' and the time zone is probably 'America/New_York'."
 
-    run_visible_cmd chroot_run systemd-firstboot --prompt
+    run_visible_cmd_in_chroot systemd-firstboot --prompt
 }
 
 # Full locale and timezone setup
diff --git a/lib/system/network.sh b/lib/system/network.sh
index 088f46b..202e517 100644
--- a/lib/system/network.sh
+++ b/lib/system/network.sh
@@ -58,7 +58,7 @@ configure_mirrorlist() {
 # Enable systemd-resolved and configure resolv.conf symlink
 enable_resolved() {
     chroot_systemd_enable systemd-resolved.service
-    ln -sf ../run/systemd/resolve/stub-resolv.conf "${MOUNT_POINT}/etc/resolv.conf"
+    run_visible_cmd ln -sf ../run/systemd/resolve/stub-resolv.conf "${MOUNT_POINT}/etc/resolv.conf"
 }
 
 # Prompt and install iwd for Wi-Fi support
diff --git a/lib/system/security.sh b/lib/system/security.sh
index 23a454b..ae7d680 100644
--- a/lib/system/security.sh
+++ b/lib/system/security.sh
@@ -32,8 +32,8 @@ configure_initramfs() {
     local default_line="HOOKS=(base systemd autodetect microcode modconf kms keyboard keymap sd-vconsole block filesystems fsck)"
     local new_line="HOOKS=(systemd autodetect microcode modconf kms keyboard sd-vconsole block sd-encrypt filesystems fsck)"
 
-    chroot_run sed -i "s|^${default_line}|${new_line}|" /etc/mkinitcpio.conf
-    run_visible_cmd chroot_run mkinitcpio -P
+    run_cmd_in_chroot sed -i "s|^${default_line}|${new_line}|" /etc/mkinitcpio.conf
+    run_visible_cmd_in_chroot mkinitcpio -P
 }
 
 # Enable BTRFS scrub timer if using BTRFS filesystem
@@ -50,13 +50,13 @@ enable_btrfs_scrub() {
 # Configure sudo access for wheel group
 configure_sudo() {
     print "Enabling sudo access for wheel group..."
-    chroot_run sed -i "s|^# %wheel ALL=(ALL:ALL) ALL|%wheel ALL=(ALL:ALL) ALL|" /etc/sudoers
+    run_cmd_in_chroot sed -i "s|^# %wheel ALL=(ALL:ALL) ALL|%wheel ALL=(ALL:ALL) ALL|" /etc/sudoers
 }
 
 # Disable root account login
 disable_root() {
     print "Disabling root account..."
-    chroot_run passwd -l root
+    run_cmd_in_chroot passwd -l root
 }
 
 # Configure SSH server
@@ -67,15 +67,15 @@ configure_ssh() {
 
     print "Setting up and enabling OpenSSH server..."
 
-    chroot_run sed -i "s|PLACEHOLDER|${username}|" /etc/ssh/sshd_config
-    run_visible_cmd chroot_run ssh-keygen -t ed25519 -C "" -N "" -f /etc/ssh/ssh_host_ed25519_key
+    run_cmd_in_chroot sed -i "s|PLACEHOLDER|${username}|" /etc/ssh/sshd_config
+    run_visible_cmd_in_chroot ssh-keygen -t ed25519 -C "" -N "" -f /etc/ssh/ssh_host_ed25519_key
     chroot_systemd_enable sshd.service
 }
 
 # Display SSH host key fingerprint
 show_ssh_fingerprint() {
     print "Public SSH key fingerprint of this host:"
-    run_visible_cmd chroot_run ssh-keygen -lvf /etc/ssh/ssh_host_ed25519_key.pub
+    run_visible_cmd_in_chroot ssh-keygen -lvf /etc/ssh/ssh_host_ed25519_key.pub
 }
 
 # Install custom CA certificates from certs directory
@@ -92,9 +92,9 @@ install_ca_certificates() {
         cert_name=$(basename "$cert")
         print "Adding ${cert_name} to system CA store..."
 
-        cp "$cert" "${MOUNT_POINT}/${cert_name}"
-        chroot_run trust anchor --store "/${cert_name}"
-        chroot_run rm "/${cert_name}"
+        run_visible_cmd cp "$cert" "${MOUNT_POINT}/${cert_name}"
+        run_cmd_in_chroot trust anchor --store "/${cert_name}"
+        run_cmd_in_chroot rm "/${cert_name}"
     done
 }
 
@@ -104,7 +104,7 @@ configure_usbguard() {
     print "When ready to proceed, press enter."
     read -r
 
-    chroot_run sh -c "usbguard generate-policy > /etc/usbguard/rules.conf"
+    run_cmd_in_chroot sh -c "usbguard generate-policy > /etc/usbguard/rules.conf"
     chroot_systemd_enable usbguard.service
 }
 
diff --git a/lib/system/user.sh b/lib/system/user.sh
index 92b0d4e..5b01d7d 100644
--- a/lib/system/user.sh
+++ b/lib/system/user.sh
@@ -47,9 +47,9 @@ copy_home_skel() {
     local username="$1"
     local home_dir="${MOUNT_POINT}/home/${username}"
 
-    cp -r "${HOME_SKEL_DIR}/." "${home_dir}/"
-    rm -f "${home_dir}/.gitkeep"
-    chown -R 1000:1000 "${home_dir}"
+    run_visible_cmd cp -r "${HOME_SKEL_DIR}/." "${home_dir}/"
+    run_visible_cmd rm -f "${home_dir}/.gitkeep"
+    run_visible_cmd chown -R 1000:1000 "${home_dir}"
 }
 
 # Create a user account
@@ -61,9 +61,9 @@ create_user() {
     local display_name="${2:-}"
 
     if [[ -n "$display_name" ]]; then
-        chroot_run useradd -m -G wheel -c "$display_name" "$username"
+        run_cmd_in_chroot useradd -m -G wheel -c "$display_name" "$username"
     else
-        chroot_run useradd -m -G wheel "$username"
+        run_cmd_in_chroot useradd -m -G wheel "$username"
     fi
     copy_home_skel "$username"
 }
@@ -75,7 +75,7 @@ set_user_password() {
     local username="$1"
 
     print "Please set the password for your new account."
-    chroot_run passwd "$username"
+    run_visible_cmd_in_chroot passwd "$username"
 }
 
 # Full user setup