From 7ee6993b8ec56747f15a2edcd0e42124321caf95 Mon Sep 17 00:00:00 2001
From: Marius Andra
Date: Wed, 17 Jun 2026 15:25:56 +0000
Subject: [PATCH] Run agent service install outside agent sandbox
---
 backend/app/tasks/deploy_agent.py | 11 ++++---
 backend/app/tasks/tests/test_deploy_agent.py | 33 ++++++++++++++++++++
 2 files changed, 40 insertions(+), 4 deletions(-)
diff --git a/backend/app/tasks/deploy_agent.py b/backend/app/tasks/deploy_agent.py
index 614b015cb..d4e8cbfbb 100644
--- a/backend/app/tasks/deploy_agent.py
+++ b/backend/app/tasks/deploy_agent.py
@@ -601,12 +601,15 @@ async def _setup_agent_service(self) -> None:
 )
 # Activate system-wide
+ service_source = shlex.quote(f"{self._release_dir()}/frameos_agent.service")
+ service_destination = shlex.quote("/etc/systemd/system/frameos_agent.service")
 await self.exec_command(
- f"sudo cp {self._release_dir()}/frameos_agent.service "
- "/etc/systemd/system/frameos_agent.service"
+ self._sudo_system_command(
+ f"cp {service_source} {service_destination} && "
+ f"chown root:root {service_destination} && "
+ f"chmod 644 {service_destination}"
+ )
 )
- await self.exec_command("sudo chown root:root /etc/systemd/system/frameos_agent.service")
- await self.exec_command("sudo chmod 644 /etc/systemd/system/frameos_agent.service")
 async def _verify_agent_transport(self, label: str) -> None:
 output: list[str] = []
diff --git a/backend/app/tasks/tests/test_deploy_agent.py b/backend/app/tasks/tests/test_deploy_agent.py
index 2944425e3..9648732c3 100644
--- a/backend/app/tasks/tests/test_deploy_agent.py
+++ b/backend/app/tasks/tests/test_deploy_agent.py
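Review bot: The `cp … && chown … && chmod …` string passed to `_sudo_system_command` only runs all three steps with the intended privileges if that helper wraps the whole string in one shell invocation; its body is outside this hunk, and if it merely prefixes the command, `chown` and `chmod` would run as the calling user. A single command removes that dependency and also the short window in which the unit file sits in `/etc/systemd/system` with whatever owner and mode `cp` left it: `f"install -o root -g root -m 644 {service_source} {service_destination}"` (the new test's `cp`/`chown`/`chmod` substring assertions would need to follow). Because the source is read from the release directory and ends up as a root-owned unit, it is worth confirming that directory cannot be written by the sandboxed agent between upload and install. `_setup_agent_service` begins before this hunk.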
@@ -388,6 +388,39 @@ async def test_remount_root_ro_does_not_raise_on_failure(tmp_path: Path): assert any("stays read-write" in message for _level, message in deployer.logs) +@pytest.mark.asyncio +async def test_setup_agent_service_uses_system_command_for_agent_transport( + tmp_path: Path, + monkeypatch: pytest.MonkeyPatch, +): + uploads: list[str] = [] + + async def fake_upload_file(_db, _redis, _frame, remote_path, _data, **_kwargs): + uploads.append(remote_path) + + deploy_agent_module = importlib.import_module("app.tasks.deploy_agent") + monkeypatch.setattr(deploy_agent_module, "upload_file", fake_upload_file) + + deployer = FakeAgentDeployer(tmp_path) + deployer.remote_transport = "agent" + deployer.frame.ssh_user = "root" + + await deployer._setup_agent_service() + + assert uploads == [f"{deployer._release_dir()}/frameos_agent.service"] + install_commands = [ + command + for command in deployer.commands + if "/etc/systemd/system/frameos_agent.service" in command + ] + assert len(install_commands) == 1 + assert "systemd-run" in install_commands[0] + assert "cp " in install_commands[0] + assert "chown root:root" in install_commands[0] + assert "chmod 644" in install_commands[0] + assert not install_commands[0].startswith("sudo cp ") + + @pytest.mark.asyncio async def test_wait_for_agent_release_requires_new_running_process( tmp_path: Path,
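Review bot: The assertions on `install_commands[0]` are substring checks made with `ssh_user = "root"`, so they would still pass if the `systemd-run` wrapper covered only `cp` and left `chown`/`chmod` outside it, and `not install_commands[0].startswith("sudo cp ")` presumably holds trivially for a root user. Asserting the full expected command string, or at least that the whole `cp … && chown … && chmod …` sequence appears as one quoted argument after `systemd-run`, would pin the privilege boundary the commit is about. A second case with a non-root `ssh_user` would cover the path where elevation actually matters. How `FakeAgentDeployer` and `_sudo_system_command` build the string is not visible in this hunk, so this is inferred from the assertions alone.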