fix(plugin): _sync_dir をユーザ編集保護セマンティクスに変更

前コミットの rsync 同期は inode は保つが、ユーザがプラグイン配下で編集
したファイル (`compose.yml`, `env` 等) や独自に置いたファイル (`.env`,
ログ等) をそのまま上書き / 削除していた。これは旧 rmtree+copytree と
同等の data-loss セマンティクスで、UX 改善としては不十分。

挙動を以下の保守的なものに置き換える:

| src | dst | content | action |
|---|---|---|---|
| 存在 | 無し | - | コピー (added) |
| 存在 | 存在 | 同じ | no-op |
| 存在 | 存在 | 違う | dst 維持、src を `<name>.new` に並置 (kept_local) |
| 無し | 存在 | - | dst 残す (preserved_orphans) |

これにより:

- `.env` 等 upstream に無いファイルは保持
- ユーザが手で書き換えた `compose.yml` も保持、upstream 版は
  `compose.yml.new` として手元で diff/merge できる
- 内容が変わっていなければ `.new` も生成されない (ノイズなし)
- 既存の `.new` (前回の sync で残った) は次回 sync 時に再生成 (常に
  最新の upstream を反映)
- ファイル/dir/symlink の type mismatch は upstream 側を `.new` 経由で
  並置 (ユーザ側を壊さない)

`copy_plugin()` は同期後に `kept_local` / `preserved_orphans` 件数を
ログ出力し、ユーザに `.new` の存在と "merge の余地" を伝える。

NOTE: `plugin.yml` もユーザ編集として扱われるため、ユーザが意図せず
触っていた場合 registry に古い version が記録され得る。実害は表示が
古くなるだけで、`.new` が並置されるので気付ける。

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: takemi-ohama

lib/devbase/plugin/installer.py

@@ -1,10 +1,12 @@
 """Plugin installer - handles install/uninstall operations"""
 
+import hashlib
 import os
 import shutil
 import subprocess
 import tempfile
 import yaml
+from dataclasses import dataclass, field
 from pathlib import Path
 from typing import Optional
 
@@ -268,39 +270,108 @@ def _replace_entry(path: Path) -> None:
         shutil.rmtree(path)
 
 
-def _sync_dir(src: Path, dst: Path) -> None:
-    """rsync-like merge: make ``dst``'s contents match ``src``'s.
+def _hash_file(path: Path) -> str:
+    """Return the SHA-256 hex digest of a regular file's contents."""
+    h = hashlib.sha256()
+    with path.open('rb') as f:
+        for chunk in iter(lambda: f.read(65536), b''):
+            h.update(chunk)
+    return h.hexdigest()
 
-    Preserves the inode of ``dst`` and of any subdirectories that exist in
-    both ``src`` and ``dst``. Compared to ``rmtree(dst) + copytree(src, dst)``,
-    a process whose CWD is inside ``dst`` (or a subdir present in both) keeps
-    a valid CWD across this operation — important when the user is working
-    inside a ``projects/<name>`` symlink that resolves into the plugin tree.
+
+@dataclass
+class _SyncReport:
+    """Summary of an in-place plugin sync, surfaced to users after update."""
+    added: list[Path] = field(default_factory=list)
+    updated: list[Path] = field(default_factory=list)
+    kept_local: list[Path] = field(default_factory=list)
+    preserved_orphans: list[Path] = field(default_factory=list)
+
+
+def _sync_dir(src: Path, dst: Path, report: _SyncReport, rel: Path = Path('.')) -> None:
+    """Conservatively sync ``src`` → ``dst``, preserving user edits.
+
+    Semantics (per file in src/dst):
+
+    | src | dst | content | action |
+    |---|---|---|---|
+    | exists | missing |  -  | copy from src (record as ``added``) |
+    | exists | exists  | same | no-op |
+    | exists | exists  | differ | keep dst, write src as ``<name>.new`` (``kept_local``) |
+    | missing | exists |  -  | leave dst alone (``preserved_orphans``) |
+
+    Preserves the inode of ``dst`` and of subdirectories present in both — a
+    user whose CWD lives inside ``dst`` (typically via a ``projects/<name>``
+    symlink resolving into the plugin tree) keeps a valid CWD across updates.
+
+    User-only files (orphans) and user-edited files are never destroyed.
     """
     dst.mkdir(parents=True, exist_ok=True)
 
     src_entries = {e.name: e for e in src.iterdir()}
     dst_entries = {e.name: e for e in dst.iterdir()}
 
     for name, dst_entry in dst_entries.items():
-        if name not in src_entries:
+        if name in src_entries:
+            continue
+        if name.endswith('.new'):
+            # `.new` is our own conflict marker — refresh, don't preserve.
             _replace_entry(dst_entry)
+            continue
+        report.preserved_orphans.append(rel / name)
 
     for name, src_entry in src_entries.items():
         dst_entry = dst / name
+        sub_rel = rel / name
         if src_entry.is_symlink():
             link_target = os.readlink(src_entry)
+            if dst_entry.is_symlink() and os.readlink(dst_entry) == link_target:
+                continue
             if dst_entry.is_symlink() or dst_entry.exists():
-                _replace_entry(dst_entry)
-            os.symlink(link_target, dst_entry)
+                # Conflict: leave user's, drop upstream alongside as `.new` symlink.
+                new_dst = dst_entry.with_name(dst_entry.name + '.new')
+                if new_dst.is_symlink() or new_dst.exists():
+                    _replace_entry(new_dst)
+                os.symlink(link_target, new_dst)
+                report.kept_local.append(sub_rel)
+            else:
+                os.symlink(link_target, dst_entry)
+                report.added.append(sub_rel)
         elif src_entry.is_dir():
-            if dst_entry.exists() and not dst_entry.is_dir():
-                _replace_entry(dst_entry)
-            _sync_dir(src_entry, dst_entry)
+            if dst_entry.is_symlink() or (dst_entry.exists() and not dst_entry.is_dir()):
+                # Type mismatch: user has a file/symlink where upstream has a dir.
+                # Drop upstream alongside as `<name>.new/`.
+                new_dst = dst_entry.with_name(dst_entry.name + '.new')
+                if new_dst.is_symlink() or (new_dst.exists() and not new_dst.is_dir()):
+                    _replace_entry(new_dst)
+                _sync_dir(src_entry, new_dst, report, sub_rel)
+                report.kept_local.append(sub_rel)
+            else:
+                already_existed = dst_entry.is_dir()
+                _sync_dir(src_entry, dst_entry, report, sub_rel)
+                if not already_existed:
+                    report.added.append(sub_rel)
         else:
-            if dst_entry.is_symlink() or (dst_entry.exists() and dst_entry.is_dir()):
-                _replace_entry(dst_entry)
-            shutil.copy2(src_entry, dst_entry)
+            if not dst_entry.exists() and not dst_entry.is_symlink():
+                shutil.copy2(src_entry, dst_entry)
+                report.added.append(sub_rel)
+                continue
+            if dst_entry.is_symlink() or dst_entry.is_dir():
+                # Type mismatch: user has a symlink/dir where upstream has a file.
+                new_dst = dst_entry.with_name(dst_entry.name + '.new')
+                if new_dst.is_symlink() or new_dst.exists():
+                    _replace_entry(new_dst)
+                shutil.copy2(src_entry, new_dst)
+                report.kept_local.append(sub_rel)
+                continue
+            # Both are regular files — compare content.
+            if _hash_file(src_entry) == _hash_file(dst_entry):
+                continue
+            new_dst = dst_entry.with_name(dst_entry.name + '.new')
+            if new_dst.is_symlink() or new_dst.exists():
+                _replace_entry(new_dst)
+            shutil.copy2(src_entry, new_dst)
+            report.kept_local.append(sub_rel)
 
 
 def copy_plugin(
@@ -312,10 +383,11 @@ def copy_plugin(
 ) -> None:
     """Install or update a plugin from a cloned repo into ``plugins/``.
 
-    For updates, the existing plugin directory inode is preserved by
-    syncing contents in place (rsync-like) instead of rmtree+copytree.
-    This avoids invalidating any shell or editor whose CWD is inside the
-    plugin (typically via a ``projects/<name>`` symlink).
+    For updates, contents are synced in place (preserving directory inodes
+    and user-edited files) instead of rmtree+copytree. User-edited files
+    are kept as-is; the upstream version of a conflicting file is dropped
+    alongside with a ``.new`` suffix for the user to diff/merge manually.
+    Files present only in the user's working tree (orphans) are preserved.
 
     Raises PluginError on failure.
     """
@@ -329,7 +401,22 @@ def copy_plugin(
         shutil.copytree(plugin_path, dest)
     elif dest.exists():
         logger.info("Updating existing plugin '%s'", name)
-        _sync_dir(plugin_path, dest)
+        report = _SyncReport()
+        _sync_dir(plugin_path, dest, report)
+        if report.kept_local:
+            logger.warning(
+                "  %d local edit(s) kept; upstream saved as .new alongside:",
+                len(report.kept_local),
+            )
+            for p in report.kept_local[:10]:
+                logger.warning("    - %s (upstream: %s.new)", p, p.name)
+            if len(report.kept_local) > 10:
+                logger.warning("    ... and %d more", len(report.kept_local) - 10)
+        if report.preserved_orphans:
+            logger.info(
+                "  %d local-only file(s) preserved (not in upstream)",
+                len(report.preserved_orphans),
+            )
     else:
         shutil.copytree(plugin_path, dest)