@agentsoc/beacon 0.0.3 → 0.0.5

package/README.md

@@ -98,7 +98,7 @@ Install the background service daemon (systemd on Linux, launchd on macOS):
 sudo beacon install
 ```
 
-On macOS the plist is written under `/Library/LaunchDaemons/`, and on Linux the unit file goes under `/etc/systemd/system/`—both require root, so use `sudo`. If `sudo` cannot find `beacon` (for example with nvm), run `sudo env "PATH=$PATH" beacon install` or invoke the CLI with the full path to the global binary.
+On macOS the plist is written under `/Library/LaunchDaemons/`, and on Linux the unit file goes under `/etc/systemd/system/`—both require root, so use `sudo`. The service is configured to **run as your login user** (via `SUDO_USER` when you use `sudo`), so it uses the same config directory as `beacon config`—not root’s home. If `sudo` cannot find `beacon` (for example with nvm), run `sudo env "PATH=$PATH" beacon install` or invoke the CLI with the full path to the global binary.
 
 ### Status and stats
 
@@ -110,7 +110,7 @@ beacon status
 
 Use `beacon status --json` for machine-readable output (includes `validateKeyUrl` on errors).
 
-After successful batches, the CLI updates **`stats.json`** next to your config (same config directory as `config.json`—for example `~/Library/Application Support/agentsoc-beacon/` on macOS). The file tracks `logsForwarded`, `batchesSucceeded`, `batchesFailed`, optional `lastError`, and `updatedAt`. If the beacon runs as another user (e.g. root), that user’s config directory holds the stats file.
+After successful batches, the CLI updates **`stats.json`** next to your config (same config directory as `config.json`—for example `~/Library/Application Support/agentsoc-beacon/` on macOS). The file tracks `logsForwarded`, `batchesSucceeded`, `batchesFailed`, optional `lastError`, and `updatedAt`. The background service runs as the installing user (see Install Service above), so stats stay alongside your user config.
 
 The marketing site’s product demo terminal runs through **`beacon status`** so visitors can see a sample of this output.
 

package/dist/cli.js

@@ -60,7 +60,8 @@ program
         await installService();
     }
     catch (err) {
-        console.error("[beacon] Install failed:", err);
+        const message = err instanceof Error ? err.message : String(err);
+        console.error(`[beacon] Install failed:\n\n${message}\n`);
         process.exit(1);
     }
 });

package/dist/service-install.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"service-install.d.ts","sourceRoot":"","sources":["../src/service-install.ts"],"names":[],"mappings":"AAKA,wBAAsB,cAAc,kBAgEnC"}
+{"version":3,"file":"service-install.d.ts","sourceRoot":"","sources":["../src/service-install.ts"],"names":[],"mappings":"AA4IA,wBAAsB,cAAc,kBA4EnC"}

package/dist/service-install.js

@@ -1,7 +1,131 @@
+import { constants as fsConstants } from 'node:fs';
 import fs from 'node:fs/promises';
+import os from 'node:os';
 import path from 'node:path';
-import { execSync } from 'node:child_process';
+import { execFileSync, execSync } from 'node:child_process';
 import { BEACON_CONFIG_REQUIRED_MESSAGE, loadConfig } from './config.js';
+const PERMISSION_DENIED_HINT = `That location is only writable as root. Run the same command with sudo, for example:
+
+  sudo beacon install
+
+You will be prompted for your administrator password.`;
+function permissionDeniedInstallError(destPath) {
+    return new Error(`Cannot install the system service: permission denied for ${path.dirname(destPath)}.\n\n${PERMISSION_DENIED_HINT}`);
+}
+async function assertServiceInstallWritable(destPath) {
+    const dir = path.dirname(destPath);
+    try {
+        await fs.access(dir, fsConstants.W_OK);
+    }
+    catch (e) {
+        const code = e && typeof e === 'object' && 'code' in e
+            ? e.code
+            : undefined;
+        if (code === 'EACCES' || code === 'EPERM') {
+            throw permissionDeniedInstallError(destPath);
+        }
+        throw e;
+    }
+}
+async function writeServiceFile(destPath, contents) {
+    try {
+        await fs.writeFile(destPath, contents, 'utf8');
+    }
+    catch (e) {
+        const code = e && typeof e === 'object' && 'code' in e
+            ? e.code
+            : undefined;
+        if (code === 'EACCES' || code === 'EPERM') {
+            throw permissionDeniedInstallError(destPath);
+        }
+        throw e;
+    }
+}
+/** launchd does not use your shell PATH — use an absolute interpreter path. */
+function resolveLaunchdRunner() {
+    const isBun = process.execPath.endsWith('bun') || process.execPath.endsWith('bun.exe');
+    if (isBun) {
+        return process.execPath;
+    }
+    const base = path.basename(process.execPath);
+    if (/^node(\.exe)?$/i.test(base)) {
+        return process.execPath;
+    }
+    try {
+        const nodePath = execFileSync('/usr/bin/which', ['node'], {
+            encoding: 'utf8',
+        }).trim();
+        if (nodePath) {
+            return nodePath;
+        }
+    }
+    catch {
+        // fall through
+    }
+    return 'node';
+}
+function launchctlBootoutSystem(plistPath, label) {
+    try {
+        execFileSync('launchctl', ['bootout', 'system', plistPath], {
+            stdio: 'ignore',
+        });
+        return;
+    }
+    catch {
+        // try service target (older registration style)
+    }
+    try {
+        execFileSync('launchctl', ['bootout', `system/${label}`], {
+            stdio: 'ignore',
+        });
+    }
+    catch {
+        // not loaded yet
+    }
+}
+/**
+ * Config and stats paths use os.homedir(). A LaunchDaemon/systemd unit runs as root by
+ * default, which points at /var/root (macOS) or /root — not the user who ran `beacon config`.
+ * Prefer SUDO_USER from `sudo`; otherwise the current login user when not root.
+ */
+function resolveDaemonRunAsUsername() {
+    const sudoUser = process.env.SUDO_USER?.trim();
+    if (sudoUser) {
+        return sudoUser;
+    }
+    const uid = typeof process.getuid === 'function' ? process.getuid() : -1;
+    if (uid !== 0) {
+        try {
+            return os.userInfo().username;
+        }
+        catch {
+            // fall through
+        }
+    }
+    throw new Error('Cannot determine which user account should run the beacon daemon. ' +
+        'Config is stored under that user\'s home directory. ' +
+        'Run install from your normal account with sudo, e.g. `sudo beacon install`, not from a root-only shell.');
+}
+function escapePlistString(s) {
+    return s
+        .replace(/&/g, '&')
+        .replace(/</g, '&lt;')
+        .replace(/>/g, '&gt;');
+}
+function launchctlBootstrapSystem(plistPath) {
+    try {
+        execFileSync('launchctl', ['bootstrap', 'system', plistPath], {
+            encoding: 'utf8',
+            stdio: ['ignore', 'inherit', 'pipe'],
+        });
+    }
+    catch (e) {
+        const err = e;
+        const detail = err.stderr?.toString('utf8').trim() ?? '';
+        const suffix = detail ? `\n${detail}` : '';
+        throw new Error(`launchctl bootstrap failed for ${plistPath}.${suffix}\n\nTry:\n  sudo launchctl bootout system ${plistPath}\n  sudo beacon install`);
+    }
+}
 export async function installService() {
     const config = await loadConfig();
     // Service units do not inherit the install shell's env — key must be saved in config.
@@ -13,12 +137,14 @@ export async function installService() {
     const cliPath = path.resolve(process.argv[1]);
     const command = `${runner} ${cliPath} run`;
     if (process.platform === 'linux') {
+        const runAs = resolveDaemonRunAsUsername();
         const serviceUnit = `[Unit]
 Description=AgentSOC Syslog Beacon
 After=network.target
 
 [Service]
 Type=simple
+User=${runAs}
 ExecStart=${command}
 Restart=always
 RestartSec=10
@@ -28,22 +154,28 @@ Environment=NODE_ENV=production
 WantedBy=multi-user.target
 `;
         const dest = '/etc/systemd/system/syslog-beacon.service';
-        await fs.writeFile(dest, serviceUnit, 'utf8');
+        await assertServiceInstallWritable(dest);
+        await writeServiceFile(dest, serviceUnit);
         execSync('systemctl daemon-reload');
         execSync('systemctl enable syslog-beacon');
         execSync('systemctl start syslog-beacon');
         console.log('[syslog-beacon] Installed systemd service');
     }
     else if (process.platform === 'darwin') {
+        const label = 'com.agentsoc.syslog-beacon';
+        const runAs = escapePlistString(resolveDaemonRunAsUsername());
+        const launchdRunner = resolveLaunchdRunner();
         const plist = `<?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
     <key>Label</key>
-    <string>com.agentsoc.syslog-beacon</string>
+    <string>${label}</string>
+    <key>UserName</key>
+    <string>${runAs}</string>
     <key>ProgramArguments</key>
     <array>
-        <string>${runner}</string>
+        <string>${launchdRunner}</string>
         <string>${cliPath}</string>
         <string>run</string>
     </array>
@@ -54,9 +186,13 @@ WantedBy=multi-user.target
 </dict>
 </plist>
 `;
-        const dest = '/Library/LaunchDaemons/com.agentsoc.syslog-beacon.plist';
-        await fs.writeFile(dest, plist, 'utf8');
-        execSync(`launchctl load -w ${dest}`);
+        const dest = `/Library/LaunchDaemons/${label}.plist`;
+        await assertServiceInstallWritable(dest);
+        launchctlBootoutSystem(dest, label);
+        await writeServiceFile(dest, plist);
+        execFileSync('chown', ['root:wheel', dest], { stdio: 'inherit' });
+        await fs.chmod(dest, 0o644);
+        launchctlBootstrapSystem(dest);
         console.log('[syslog-beacon] Installed launchd service');
     }
     else if (process.platform === 'win32') {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@agentsoc/beacon",
-  "version": "0.0.3",
+  "version": "0.0.5",
   "description": "Lightweight, background-running log forwarder (beacon) for AgentSOC",
   "type": "module",
   "bin": {