Fix smoke test JSON parsing and set unattended defaults

docs/workflow.md

@@ -101,4 +101,4 @@ Use the helper:
 - Keep `RESCUE.md` in `/root` and `/home/dietpi` only (not in `/var/www`).
 - Prep enforces a password change for `dietpi` on first login; set `PIKIT_FORCE_PASSWORD_CHANGE=0` to skip.
 - After the password change, a one‑time SSH hardening tip is shown on login.
-- End-user defaults: auto updates off, stable release channel; both can be changed in the dashboard.
+- End-user defaults: OS security unattended upgrades on; Pi-Kit updater auto-check on stable channel, auto-apply off (user can change in dashboard).

pikit-smoke-test.sh

@@ -14,6 +14,7 @@ PIKIT_API_URL="${PIKIT_API_URL:-http://127.0.0.1:4000}"
 LOCAL_ONLY=0
 ERRORS=0
 WARNINGS=0
+REMOTE_MODE=0
 
 usage() {
   cat <<'USAGE'
@@ -76,6 +77,10 @@ remote_cmd() {
   fi
 }
 
+extract_json_line() {
+  awk 'BEGIN{found=0} /^[[:space:]]*[{[]/ {print; found=1; exit} END{if(!found) exit 0}'
+}
+
 json_get() {
   local key="$1"
   if command -v python3 >/dev/null 2>&1; then
@@ -131,6 +136,13 @@ check_api() {
     status FAIL "API not reachable: $url"
     return
   fi
+  if [ "$REMOTE_MODE" -eq 1 ]; then
+    body="$(printf "%s\n" "$body" | extract_json_line)"
+  fi
+  if [ -z "$body" ]; then
+    status FAIL "API response empty or not JSON"
+    return
+  fi
   if command -v python3 >/dev/null 2>&1; then
     if printf "%s" "$body" | python3 - <<'PY'
 import json, sys
@@ -160,6 +172,13 @@ check_firstboot() {
     status FAIL "firstboot API not reachable"
     return
   fi
+  if [ "$REMOTE_MODE" -eq 1 ]; then
+    body="$(printf "%s\n" "$body" | extract_json_line)"
+  fi
+  if [ -z "$body" ]; then
+    status FAIL "firstboot status invalid or missing"
+    return
+  fi
   state="$(printf "%s" "$body" | json_get "state" || true)"
   error_present="$(printf "%s" "$body" | json_get "error_present" || true)"
   if [ -z "$state" ]; then
@@ -211,6 +230,9 @@ finalize() {
 
 main() {
   parse_args "$@"
+  if [ "$LOCAL_ONLY" -eq 0 ] && ! is_dietpi; then
+    REMOTE_MODE=1
+  fi
 
   section "HTTP/HTTPS"
   check_http "$PIKIT_HTTP_URL" "HTTP"

systemd/pikit-firstboot.sh

@@ -15,6 +15,7 @@ WEB_ASSETS="/var/www/pikit-web/assets"
 PROFILE_FILE="/etc/pikit/profile.json"
 MOTD_FILE="/etc/motd"
 FIRSTBOOT_CONF="/etc/pikit/firstboot.conf"
+APT_UA_OVERRIDE="/etc/apt/apt.conf.d/51pikit-unattended.conf"
 
 STEPS=(
   "Preparing system"
@@ -48,6 +49,28 @@ skip_updates() {
   return 1
 }
 
+configure_unattended_defaults() {
+  if [ -f "$APT_UA_OVERRIDE" ]; then
+    log "Unattended-upgrades config already present; skipping defaults."
+    return
+  fi
+  if ! command -v python3 >/dev/null 2>&1; then
+    log "python3 missing; skipping unattended-upgrades defaults."
+    return
+  fi
+  PYTHONPATH=/usr/local/bin python3 - <<'PY'
+import sys
+try:
+    from pikit_api.auto_updates import set_updates_config
+except Exception as e:
+    print(f"pikit_api unavailable: {e}")
+    sys.exit(0)
+
+set_updates_config({"enable": True, "scope": "security"})
+PY
+  log "Unattended-upgrades defaults applied (security-only)."
+}
+
 write_state() {
   local state="$1"
   local current="$2"
@@ -236,6 +259,7 @@ fi
 finish_step 3
 
 begin_step 4
+configure_unattended_defaults
 if [ -f "$PROFILE_FILE" ] && command -v ufw >/dev/null 2>&1; then
   python3 - <<'PY' > /tmp/pikit-profile-ports.txt
 import json