@ebowwa/seedinstallation 0.3.0 → 0.4.1

package/dist/index.js

@@ -1,10 +1,943 @@
-export { clone } from "./clone.js";
-export { sudo, pkgInstall, writeFile, service, serviceEnable } from "./sudo.js";
-// Runtime installation (Bun, Node, PATH, symlinks)
-export { installBun, addSystemPath, symlink, linkBinaries, getBunVersion, commandExists, } from "./runtime.js";
-// Systemd service management
-export { generateServiceUnit, createServiceUnit, enableService, disableService, startService, stopService, restartService, reloadService, getServiceStatus, enableAndStartService, serviceExists, getServiceLogs, } from "./systemd.js";
-// Device-code authentication flow (Doppler, GitHub, Tailscale)
-export { deviceAuth, isAuthed, cleanupDeviceAuth, stripAnsi, dopplerConfig, githubConfig, tailscaleConfig, } from "./device-auth.js";
-// Bootstrap status tracking and polling
-export { getBootstrapStatus, parseBootstrapStatus, initBootstrap, startPhase, completePhase, failPhase, completeBootstrap, failBootstrap, checkMarker, setMarker, removeMarker, waitForBootstrap, waitForMarker, } from "./bootstrap.js";
+var __defProp = Object.defineProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, {
+      get: all[name],
+      enumerable: true,
+      configurable: true,
+      set: (newValue) => all[name] = () => newValue
+    });
+};
+var __esm = (fn, res) => () => (fn && (res = fn(fn = 0)), res);
+
+// sudo.ts
+var exports_sudo = {};
+__export(exports_sudo, {
+  writeFile: () => writeFile,
+  sudo: () => sudo,
+  serviceEnable: () => serviceEnable,
+  service: () => service,
+  pkgInstall: () => pkgInstall,
+  exec: () => exec
+});
+async function sudo(cmd, opts) {
+  const parts = Array.isArray(cmd) ? cmd : cmd.split(/\s+/);
+  const envPrefix = opts.env ? Object.entries(opts.env).map(([k, v]) => `${k}=${shellEscape(v)}`) : [];
+  const sudoCmd = ["sudo", ...envPrefix, ...parts];
+  return exec(sudoCmd, opts);
+}
+async function pkgInstall(packages, opts) {
+  const pm = opts.pm ?? "apt";
+  const envOverride = {
+    ...opts.env,
+    ...opts.nonInteractive !== false ? { DEBIAN_FRONTEND: "noninteractive" } : {}
+  };
+  await sudo(updateCmd[pm], { ...opts, env: envOverride, quiet: true });
+  return sudo([...installCmd[pm], ...packages], {
+    ...opts,
+    env: envOverride
+  });
+}
+async function writeFile(path, content, opts) {
+  const op = opts.append ? "-a" : "";
+  const teeCmd = `tee ${op} ${shellEscape(path)}`.trim();
+  const result = await execPipe(content, ["sudo", teeCmd], opts);
+  if (result.ok && opts.mode) {
+    await sudo(["chmod", opts.mode, path], opts);
+  }
+  if (result.ok && opts.owner) {
+    await sudo(["chown", opts.owner, path], opts);
+  }
+  return result;
+}
+async function service(name, action, opts) {
+  return sudo(["systemctl", action, name], opts);
+}
+async function serviceEnable(name, opts) {
+  return sudo(["systemctl", "enable", "--now", name], opts);
+}
+function buildSshPrefix(ctx) {
+  const parts = ["ssh", "-F", "/dev/null", "-o", "StrictHostKeyChecking=no", "-o", "UserKnownHostsFile=/dev/null"];
+  if (ctx.keyPath)
+    parts.push("-i", ctx.keyPath);
+  else if (ctx.key)
+    parts.push("-i", ctx.key);
+  if (ctx.port)
+    parts.push("-p", String(ctx.port));
+  parts.push(`${ctx.user ?? "root"}@${ctx.host}`);
+  return parts;
+}
+async function exec(args, opts) {
+  const ctx = opts.context ?? { type: "local" };
+  const finalArgs = ctx.type === "ssh" ? [...buildSshPrefix(ctx), args.map(shellEscape).join(" ")] : args;
+  const proc = Bun.spawn(finalArgs, {
+    stdout: "pipe",
+    stderr: "pipe",
+    timeout: opts.timeout ?? 30000
+  });
+  const exitCode = await proc.exited;
+  const stdout = opts.quiet ? "" : await new Response(proc.stdout).text();
+  const stderr = await new Response(proc.stderr).text();
+  return { stdout, stderr, exitCode, ok: exitCode === 0 };
+}
+async function execPipe(input, args, opts) {
+  const ctx = opts.context ?? { type: "local" };
+  if (ctx.type === "ssh") {
+    const sshPrefix = buildSshPrefix(ctx);
+    const remoteCmd = args.join(" ");
+    const fullArgs = [...sshPrefix, remoteCmd];
+    const proc2 = Bun.spawn(fullArgs, {
+      stdin: new TextEncoder().encode(input),
+      stdout: "pipe",
+      stderr: "pipe",
+      timeout: opts.timeout ?? 30000
+    });
+    const exitCode2 = await proc2.exited;
+    const stdout2 = opts.quiet ? "" : await new Response(proc2.stdout).text();
+    const stderr2 = await new Response(proc2.stderr).text();
+    return { stdout: stdout2, stderr: stderr2, exitCode: exitCode2, ok: exitCode2 === 0 };
+  }
+  const proc = Bun.spawn(["sh", "-c", args.join(" ")], {
+    stdin: new TextEncoder().encode(input),
+    stdout: "pipe",
+    stderr: "pipe",
+    timeout: opts.timeout ?? 30000
+  });
+  const exitCode = await proc.exited;
+  const stdout = opts.quiet ? "" : await new Response(proc.stdout).text();
+  const stderr = await new Response(proc.stderr).text();
+  return { stdout, stderr, exitCode, ok: exitCode === 0 };
+}
+function shellEscape(s) {
+  if (/^[a-zA-Z0-9._\-\/=:@]+$/.test(s))
+    return s;
+  return `'${s.replace(/'/g, "'\\''")}'`;
+}
+var installCmd, updateCmd;
+var init_sudo = __esm(() => {
+  installCmd = {
+    apt: ["apt-get", "install", "-y"],
+    dnf: ["dnf", "install", "-y"],
+    apk: ["apk", "add", "--no-cache"]
+  };
+  updateCmd = {
+    apt: ["apt-get", "update", "-qq"],
+    dnf: ["dnf", "check-update"],
+    apk: ["apk", "update"]
+  };
+});
+
+// clone.ts
+async function clone(opts) {
+  const { repo, dest, ref, depth, sparse, cwd } = opts;
+  const repoName = dest ?? repoNameFrom(repo);
+  const targetDir = cwd ? `${cwd}/${repoName}` : repoName;
+  const args = ["git", "clone"];
+  if (depth)
+    args.push("--depth", String(depth));
+  if (ref && !sparse)
+    args.push("--branch", ref);
+  if (sparse)
+    args.push("--no-checkout", "--filter=blob:none");
+  args.push(repo, targetDir);
+  await run(args, cwd);
+  if (sparse) {
+    await run(["git", "sparse-checkout", "init", "--cone"], targetDir);
+    await run(["git", "sparse-checkout", "set", ...sparse], targetDir);
+    if (ref) {
+      await run(["git", "checkout", ref], targetDir);
+    } else {
+      await run(["git", "checkout"], targetDir);
+    }
+  }
+  const commit = (await run(["git", "rev-parse", "--short", "HEAD"], targetDir)).trim();
+  const checkedRef = (await run(["git", "rev-parse", "--abbrev-ref", "HEAD"], targetDir)).trim();
+  const absPath = (await run(["git", "rev-parse", "--show-toplevel"], targetDir)).trim();
+  return { path: absPath, ref: checkedRef, commit };
+}
+function repoNameFrom(url) {
+  return url.replace(/\.git$/, "").split("/").pop();
+}
+async function run(args, cwd) {
+  const proc = Bun.spawn(args, {
+    cwd,
+    stdout: "pipe",
+    stderr: "pipe"
+  });
+  const exitCode = await proc.exited;
+  const stdout = await new Response(proc.stdout).text();
+  if (exitCode !== 0) {
+    const stderr = await new Response(proc.stderr).text();
+    throw new Error(`${args.join(" ")} failed (exit ${exitCode}): ${stderr}`);
+  }
+  return stdout;
+}
+
+// runtime.ts
+async function exec2(args, opts) {
+  const sudo2 = await Promise.resolve().then(() => (init_sudo(), exports_sudo)).then((m) => m.sudo);
+  return sudo2(args, opts);
+}
+async function installBun(opts = {}) {
+  const installCmd2 = opts.version ? `curl -fsSL https://bun.sh/install | bash -s "bun-${opts.version}"` : `curl -fsSL https://bun.sh/install | bash`;
+  await execShell(installCmd2, opts);
+  if (opts.systemWide) {
+    const bunPath = opts.installDir ?? "/root/.bun";
+    await addSystemPath(`${bunPath}/bin`, opts);
+  }
+}
+async function addSystemPath(dir, opts = {}) {
+  const { writeFile: writeFile2 } = await Promise.resolve().then(() => (init_sudo(), exports_sudo));
+  const target = opts.target ?? "system";
+  const position = opts.position ?? "prepend";
+  const existingPath = target === "system" ? await getSystemPath(opts) : await getUserPath(opts);
+  const paths = existingPath.split(":");
+  if (paths.includes(dir)) {
+    return;
+  }
+  const newPath = position === "prepend" ? `${dir}:${existingPath}` : `${existingPath}:${dir}`;
+  if (target === "system") {
+    const content = `PATH="${newPath}"
+`;
+    await writeFile2("/etc/environment", content, { ...opts, append: false });
+  } else {
+    const exportLine = `
+export PATH="${newPath}"
+`;
+    await writeFile2("/root/.bashrc", exportLine, { ...opts, append: true });
+  }
+}
+async function getSystemPath(opts) {
+  const result = await exec2(["grep", "^PATH=", "/etc/environment"], { ...opts, quiet: true });
+  if (result.ok && result.stdout) {
+    const match = result.stdout.match(/^PATH="([^"]+)"/);
+    if (match?.[1])
+      return match[1];
+  }
+  return "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin";
+}
+async function getUserPath(opts) {
+  const result = await exec2(["bash", "-lc", "echo $PATH"], { ...opts, quiet: true });
+  return result.stdout.trim();
+}
+async function symlink(source, target, opts = {}) {
+  const args = ["ln", "-s"];
+  if (opts.force)
+    args.push("-f");
+  args.push(source, target);
+  await exec2(args, opts);
+}
+async function linkBinaries(sourceDir, opts = {}) {
+  const result = await exec2(["ls", "-1", sourceDir], { ...opts, quiet: true });
+  if (!result.ok)
+    return;
+  const binaries = result.stdout.trim().split(`
+`).filter(Boolean);
+  for (const bin of binaries) {
+    const source = `${sourceDir}/${bin}`;
+    const target = `/usr/local/bin/${bin}`;
+    await symlink(source, target, { ...opts, force: true });
+  }
+}
+async function getBunVersion(opts) {
+  const result = await exec2(["bash", "-lc", "bun --version"], { ...opts, quiet: true });
+  if (result.ok) {
+    return result.stdout.trim();
+  }
+  return null;
+}
+async function commandExists(cmd, opts) {
+  const result = await exec2(["which", cmd], { ...opts, quiet: true });
+  return result.ok;
+}
+async function execShell(cmd, opts) {
+  const result = await exec2(["bash", "-lc", cmd], opts);
+  if (!result.ok) {
+    throw new Error(`Shell command failed: ${result.stderr}`);
+  }
+}
+
+// systemd.ts
+async function exec3(args, opts) {
+  const { sudo: sudo2 } = await Promise.resolve().then(() => (init_sudo(), exports_sudo));
+  return sudo2(args, opts);
+}
+async function writeFile2(path, content, opts) {
+  const { writeFile: wf } = await Promise.resolve().then(() => (init_sudo(), exports_sudo));
+  return wf(path, content, opts);
+}
+var systemdCheckCache = null;
+async function hasSystemd(opts) {
+  if (systemdCheckCache) {
+    return systemdCheckCache;
+  }
+  const sudoOpts = opts ?? { context: { type: "local" } };
+  const whichResult = await exec3(["which", "systemctl"], {
+    ...sudoOpts,
+    quiet: true,
+    env: sudoOpts.env
+  });
+  if (!whichResult.ok || !whichResult.stdout.trim()) {
+    const result2 = {
+      available: false,
+      reason: "not_found",
+      message: "systemctl command not found - systemd is not installed or not in PATH"
+    };
+    systemdCheckCache = result2;
+    return result2;
+  }
+  const runningResult = await exec3(["systemctl", "is-system-running"], {
+    ...sudoOpts,
+    quiet: true,
+    env: sudoOpts.env
+  });
+  if (runningResult.ok && runningResult.stdout.trim() !== "") {
+    const result2 = {
+      available: true,
+      message: "systemd is available and running"
+    };
+    systemdCheckCache = result2;
+    return result2;
+  }
+  const dirResult = await exec3(["test", "-d", "/run/systemd/system"], {
+    ...sudoOpts,
+    quiet: true,
+    env: sudoOpts.env
+  });
+  if (dirResult.ok) {
+    const result2 = {
+      available: true,
+      message: "systemd detected via /run/systemd/system (container environment)"
+    };
+    systemdCheckCache = result2;
+    return result2;
+  }
+  const result = {
+    available: false,
+    reason: "not_running",
+    message: "systemd is not available on this system (container/initless environment)"
+  };
+  systemdCheckCache = result;
+  return result;
+}
+function clearSystemdCache() {
+  systemdCheckCache = null;
+}
+function generateServiceUnit(name, opts) {
+  const lines = [];
+  lines.push("[Unit]");
+  lines.push(`Description=${opts.description}`);
+  if (opts.after?.length) {
+    lines.push(`After=${opts.after.join(" ")}`);
+  }
+  if (opts.wants?.length) {
+    lines.push(`Wants=${opts.wants.join(" ")}`);
+  }
+  lines.push("");
+  lines.push("[Service]");
+  if (opts.type)
+    lines.push(`Type=${opts.type}`);
+  lines.push(`User=${opts.user ?? "root"}`);
+  if (opts.group)
+    lines.push(`Group=${opts.group}`);
+  lines.push(`WorkingDirectory=${opts.workingDirectory}`);
+  lines.push(`ExecStart=${opts.execStart}`);
+  if (opts.execStartPre?.length) {
+    opts.execStartPre.forEach((cmd, i) => {
+      lines.push(`ExecStartPre${i > 0 ? `=${i}` : ""}=${cmd}`);
+    });
+  }
+  if (opts.execStopPost?.length) {
+    opts.execStopPost.forEach((cmd, i) => {
+      lines.push(`ExecStopPost${i > 0 ? `=${i}` : ""}=${cmd}`);
+    });
+  }
+  if (opts.restart)
+    lines.push(`Restart=${opts.restart}`);
+  if (opts.restartSec)
+    lines.push(`RestartSec=${opts.restartSec}`);
+  if (opts.environment) {
+    Object.entries(opts.environment).forEach(([k, v]) => {
+      lines.push(`Environment="${k}=${v}"`);
+    });
+  }
+  if (opts.environmentFile) {
+    lines.push(`EnvironmentFile=${opts.environmentFile}`);
+  }
+  if (opts.standardOutput)
+    lines.push(`StandardOutput=${opts.standardOutput}`);
+  if (opts.standardError)
+    lines.push(`StandardError=${opts.standardError}`);
+  if (opts.nice !== undefined)
+    lines.push(`Nice=${opts.nice}`);
+  if (opts.noNewPrivileges)
+    lines.push("NoNewPrivileges=true");
+  if (opts.privateTmp)
+    lines.push("PrivateTmp=true");
+  if (opts.protectSystem)
+    lines.push(`ProtectSystem=${opts.protectSystem}`);
+  if (opts.protectHome === true)
+    lines.push("ProtectHome=true");
+  else if (opts.protectHome)
+    lines.push(`ProtectHome=${opts.protectHome}`);
+  if (opts.readOnlyPaths?.length)
+    lines.push(`ReadOnlyPaths=${opts.readOnlyPaths.join(" ")}`);
+  if (opts.readWritePaths?.length)
+    lines.push(`ReadWritePaths=${opts.readWritePaths.join(" ")}`);
+  if (opts.restrictRealtime)
+    lines.push("RestrictRealtime=true");
+  if (opts.memoryDenyWriteExecute)
+    lines.push("MemoryDenyWriteExecute=true");
+  if (opts.protectKernelTunables)
+    lines.push("ProtectKernelTunables=true");
+  if (opts.protectKernelModules)
+    lines.push("ProtectKernelModules=true");
+  if (opts.protectControlGroups)
+    lines.push("ProtectControlGroups=true");
+  if (opts.restrictAddressFamilies?.length)
+    lines.push(`RestrictAddressFamilies=${opts.restrictAddressFamilies.join(" ")}`);
+  if (opts.deviceAllow?.length)
+    lines.push(`DeviceAllow=${opts.deviceAllow.join(" ")}`);
+  if (opts.devicePolicy)
+    lines.push(`DevicePolicy=${opts.devicePolicy}`);
+  if (opts.systemCallFilter?.length)
+    lines.push(`SystemCallFilter=${opts.systemCallFilter.join(" ")}`);
+  if (opts.restrictNamespaces === true)
+    lines.push("RestrictNamespaces=true");
+  else if (Array.isArray(opts.restrictNamespaces) && opts.restrictNamespaces.length > 0)
+    lines.push(`RestrictNamespaces=${opts.restrictNamespaces.join(" ")}`);
+  if (opts.personality)
+    lines.push(`Personality=${opts.personality}`);
+  if (opts.lockPersonality)
+    lines.push("LockPersonality=true");
+  if (opts.removeCapability?.length)
+    opts.removeCapability.forEach((cap) => lines.push(`RemoveCapability=${cap}`));
+  if (opts.capabilityBoundingSet?.length)
+    lines.push(`CapabilityBoundingSet=${opts.capabilityBoundingSet.join(" ")}`);
+  if (opts.ambientCapabilities?.length)
+    lines.push(`AmbientCapabilities=${opts.ambientCapabilities.join(" ")}`);
+  if (opts.privateDevices)
+    lines.push("PrivateDevices=true");
+  if (opts.protectKernelLogs)
+    lines.push("ProtectKernelLogs=true");
+  if (opts.extras) {
+    lines.push("");
+    lines.push(opts.extras);
+  }
+  return lines.join(`
+`);
+}
+async function createServiceUnit(name, opts) {
+  const unitPath = `/etc/systemd/system/${name}.service`;
+  const content = generateServiceUnit(name, opts);
+  const writeResult = await writeFile2(unitPath, content, {
+    context: opts.context,
+    mode: "644",
+    env: opts.env,
+    timeout: opts.timeout
+  });
+  if (!writeResult.ok) {
+    return writeResult;
+  }
+  await exec3(["systemctl", "daemon-reload"], opts);
+  return {
+    ...writeResult,
+    unitPath
+  };
+}
+async function enableService(name, opts) {
+  return exec3(["systemctl", "enable", name], opts);
+}
+async function disableService(name, opts) {
+  return exec3(["systemctl", "disable", name], opts);
+}
+async function startService(name, opts) {
+  return exec3(["systemctl", "start", name], opts);
+}
+async function stopService(name, opts) {
+  return exec3(["systemctl", "stop", name], opts);
+}
+async function restartService(name, opts) {
+  return exec3(["systemctl", "restart", name], opts);
+}
+async function reloadService(name, opts) {
+  return exec3(["systemctl", "reload", name], opts);
+}
+async function getServiceStatus(name, opts) {
+  const result = await exec3(["systemctl", "show", name, "--property=LoadState,ActiveState,SubState,MainPID,Description"], {
+    ...opts,
+    quiet: true
+  });
+  if (!result.ok) {
+    return { loaded: false, active: false, subState: "unknown", mainPid: 0, description: "" };
+  }
+  const parse = (key) => {
+    const match = result.stdout.match(new RegExp(`^${key}=(.+)$`, "m"));
+    return match?.[1]?.trim() ?? "";
+  };
+  return {
+    loaded: parse("LoadState") === "loaded",
+    active: parse("ActiveState") === "active",
+    subState: parse("SubState"),
+    mainPid: parseInt(parse("MainPID") || "0", 10),
+    description: parse("Description")
+  };
+}
+async function enableAndStartService(name, opts) {
+  return exec3(["systemctl", "enable", "--now", name], opts);
+}
+async function serviceExists(name, opts) {
+  const result = await exec3(["systemctl", "list-unit-files", name + ".service"], {
+    ...opts,
+    quiet: true
+  });
+  return result.ok && result.stdout.includes(name);
+}
+async function getServiceLogs(name, opts = {}) {
+  const args = ["journalctl", "-u", name, "-n", String(opts.lines ?? 100)];
+  if (opts.since)
+    args.push("--since", opts.since);
+  if (!opts.follow)
+    args.push("-n", String(opts.lines ?? 100));
+  const result = await exec3(args, opts);
+  return result.stdout;
+}
+var SECURITY_PRESETS = {
+  strict: {
+    noNewPrivileges: true,
+    privateTmp: true,
+    protectSystem: "strict",
+    protectHome: true,
+    readOnlyPaths: ["/"],
+    readWritePaths: [],
+    restrictRealtime: true,
+    memoryDenyWriteExecute: true,
+    protectKernelTunables: true,
+    protectKernelModules: true,
+    protectControlGroups: true,
+    restrictAddressFamilies: ["AF_UNIX", "AF_INET", "AF_INET6"],
+    devicePolicy: "closed",
+    deviceAllow: [],
+    restrictNamespaces: true,
+    privateDevices: true,
+    protectKernelLogs: true,
+    lockPersonality: true,
+    capabilityBoundingSet: []
+  },
+  standard: {
+    noNewPrivileges: true,
+    privateTmp: true,
+    protectSystem: "full",
+    protectHome: true,
+    restrictRealtime: true,
+    memoryDenyWriteExecute: true,
+    protectKernelTunables: true,
+    protectKernelModules: true,
+    protectControlGroups: true,
+    restrictAddressFamilies: ["AF_UNIX", "AF_INET", "AF_INET6"],
+    devicePolicy: "auto",
+    restrictNamespaces: true,
+    privateDevices: true,
+    capabilityBoundingSet: ["CAP_NET_BIND_SERVICE"]
+  },
+  network: {
+    noNewPrivileges: true,
+    privateTmp: true,
+    protectSystem: "full",
+    protectHome: true,
+    restrictRealtime: true,
+    protectKernelTunables: true,
+    protectKernelModules: true,
+    protectControlGroups: true,
+    restrictAddressFamilies: ["AF_UNIX", "AF_INET", "AF_INET6"],
+    devicePolicy: "auto",
+    privateDevices: true,
+    capabilityBoundingSet: ["CAP_NET_BIND_SERVICE"],
+    ambientCapabilities: ["CAP_NET_BIND_SERVICE"]
+  },
+  minimal: {
+    noNewPrivileges: true,
+    privateTmp: true,
+    protectSystem: "yes",
+    restrictRealtime: true
+  },
+  deviceAccess: {
+    noNewPrivileges: true,
+    privateTmp: true,
+    protectSystem: "full",
+    protectHome: true,
+    restrictRealtime: true,
+    memoryDenyWriteExecute: true,
+    protectKernelTunables: true,
+    protectKernelModules: true,
+    protectControlGroups: true,
+    devicePolicy: "auto",
+    restrictNamespaces: true,
+    privateDevices: false
+  }
+};
+function withSecurityPreset(preset, customOptions) {
+  return {
+    ...SECURITY_PRESETS[preset],
+    ...customOptions
+  };
+}
+async function safeSystemd(operation, options = {}) {
+  const { requireSystemd = true, onNoSystemd, context, env, timeout, quiet } = options;
+  const sudoOpts = context ? { context, env, timeout, quiet } : { context: { type: "local" }, env, timeout, quiet };
+  const check = await hasSystemd(sudoOpts);
+  if (!check.available) {
+    if (onNoSystemd) {
+      await onNoSystemd(check);
+    }
+    if (requireSystemd) {
+      throw new Error(`Systemd required but not available: ${check.message}`);
+    }
+    return;
+  }
+  return operation();
+}
+
+// device-auth.ts
+async function exec4(args, opts) {
+  const { sudo: sudo2 } = await Promise.resolve().then(() => (init_sudo(), exports_sudo));
+  return sudo2(args, opts);
+}
+function stripAnsi(text) {
+  return text.replace(/[\u001b\u009b][[()#;?]*(?:[0-9]{1,4}(?:;[0-9]{0,4})*)?[0-9A-ORZcf-nqry=><]/g, "");
+}
+async function deviceAuth(config, opts = {}) {
+  const {
+    cli,
+    loginCmd,
+    statusCmd,
+    patterns,
+    logFile,
+    pidFile,
+    statusFlags
+  } = config;
+  const maxAttempts = opts.maxAttempts ?? 60;
+  const intervalMs = opts.intervalMs ?? 2000;
+  const loginCmdStr = loginCmd ?? `${cli} login`;
+  const startResult = await exec4([`bash`, `-lc`, `nohup ${loginCmdStr} > ${logFile} 2>&1 & echo $!`], opts);
+  if (!startResult.ok) {
+    return { success: false, error: `Failed to start login: ${startResult.stderr}` };
+  }
+  const pid = startResult.stdout.trim();
+  if (pidFile) {
+    await exec4(["bash", `-lc`, `echo ${pid} > ${pidFile}`], opts);
+  }
+  await sleep(1000);
+  const extractResult = await exec4(["cat", logFile], { ...opts, quiet: false });
+  const logContent = stripAnsi(extractResult.stdout);
+  const urlMatch = patterns.url.exec(logContent);
+  const codeMatch = patterns.code.exec(logContent);
+  const url = urlMatch?.[1];
+  const code = codeMatch?.[1];
+  if (!url || !code) {
+    return {
+      success: false,
+      error: `Could not extract auth URL/code from log output. Log content:
+${logContent}`
+    };
+  }
+  for (let attempt = 1;attempt <= maxAttempts; attempt++) {
+    const statusCmdStr = statusCmd ?? `${cli} status`;
+    const statusArgs = ["bash", "-lc", statusCmdStr];
+    if (statusFlags?.length)
+      statusArgs.push(...statusFlags);
+    const statusResult = await exec4(statusArgs, { ...opts, quiet: false });
+    const statusOutput = stripAnsi(statusResult.stdout);
+    if (patterns.success.test(statusOutput)) {
+      return {
+        success: true,
+        url,
+        code,
+        status: statusOutput
+      };
+    }
+    opts.onPoll?.(attempt, { success: false, url, code, status: statusOutput });
+    await sleep(intervalMs);
+  }
+  return {
+    success: false,
+    url,
+    code,
+    error: `Login did not complete after ${maxAttempts} attempts. Last status: ${await getStatusOutput(config, opts)}`
+  };
+}
+async function getStatusOutput(config, opts) {
+  const statusCmdStr = config.statusCmd ?? `${config.cli} status`;
+  const result = await exec4(["bash", "-lc", statusCmdStr], { ...opts, quiet: false });
+  return stripAnsi(result.stdout);
+}
+async function isAuthed(config, opts) {
+  const statusCmdStr = config.statusCmd ?? `${config.cli} status`;
+  const result = await exec4(["bash", "-lc", statusCmdStr], { ...opts, quiet: false });
+  const output = stripAnsi(result.stdout);
+  return config.patterns.success.test(output);
+}
+async function cleanupDeviceAuth(config, opts) {
+  if (config.pidFile) {
+    const pidResult = await exec4(["cat", config.pidFile], { ...opts, quiet: true });
+    if (pidResult.ok) {
+      const pid = pidResult.stdout.trim();
+      await exec4(["kill", pid], { ...opts, quiet: true });
+    }
+    await exec4(["rm", "-f", config.pidFile], { ...opts, quiet: true });
+  }
+  await exec4(["rm", "-f", config.logFile], { ...opts, quiet: true });
+}
+var dopplerConfig = {
+  cli: "doppler",
+  loginCmd: "doppler login -y",
+  statusCmd: "doppler configure get token --scope /",
+  patterns: {
+    url: /https:\/\/(?:cli|dashboard)\.doppler\.com\/[a-z\-\/]+/i,
+    code: /(?:Your authentication code is:|Your auth code is:)\s*([A-Z0-9_]+(?:-[A-Z0-9_]+)*)/i,
+    success: /.{10,}/
+  },
+  logFile: "/tmp/doppler-login.log",
+  pidFile: "/tmp/doppler-login.pid"
+};
+var githubConfig = {
+  cli: "gh",
+  loginCmd: "GH_BROWSER=echo sh -c 'gh auth login -p https -h github.com < /dev/null'",
+  statusCmd: "gh auth status",
+  patterns: {
+    url: /(https:\/\/github\.com\/login\/device)/i,
+    code: /one-time code:\s*([A-Z0-9]{4}-[A-Z0-9]{4})/i,
+    success: /Logged in (?:as|to)/i
+  },
+  logFile: "/tmp/gh-login.log",
+  pidFile: "/tmp/gh-login.pid"
+};
+var tailscaleConfig = {
+  cli: "tailscale",
+  loginCmd: "tailscale up --authkey",
+  patterns: {
+    url: /https:\/\/login\.tailscale\.com\/[a-z0-9\/]+/,
+    code: /https:\/\/login\.tailscale\.com\/[a-z0-9\/]+/,
+    success: /Tailscale is running/i
+  },
+  logFile: "/tmp/tailscale-login.log",
+  pidFile: "/tmp/tailscale-login.pid"
+};
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+
+// bootstrap.ts
+async function exec5(args, opts) {
+  const { sudo: sudo2 } = await Promise.resolve().then(() => (init_sudo(), exports_sudo));
+  return sudo2(args, opts);
+}
+async function writeFile3(path, content, opts) {
+  const { writeFile: wf } = await Promise.resolve().then(() => (init_sudo(), exports_sudo));
+  return wf(path, content, opts);
+}
+async function getBootstrapStatus(statusFile, opts) {
+  const result = await exec5(["cat", statusFile], { ...opts, quiet: true });
+  if (!result.ok) {
+    return {
+      status: "pending",
+      phases: {},
+      raw: ""
+    };
+  }
+  return parseBootstrapStatus(result.stdout);
+}
+function parseBootstrapStatus(content) {
+  const phases = {};
+  const data = {};
+  for (const line of content.trim().split(`
+`)) {
+    if (!line || !line.includes("="))
+      continue;
+    const [key, ...valueParts] = line.split("=");
+    const value = valueParts.join("=").trim();
+    data[key] = value;
+  }
+  const status = data.status || "started";
+  const startedAt = data.started_at;
+  const completedAt = data.completed_at;
+  const source = data.source;
+  for (const [key, value] of Object.entries(data)) {
+    if (!key.startsWith("phase."))
+      continue;
+    const parts = key.split(".");
+    if (parts.length < 3)
+      continue;
+    const [, phaseName, field] = parts;
+    if (!phases[phaseName]) {
+      phases[phaseName] = { name: phaseName, status: "pending" };
+    }
+    switch (field) {
+      case "status":
+        phases[phaseName].status = value;
+        break;
+      case "started_at":
+        phases[phaseName].startedAt = value;
+        break;
+      case "completed_at":
+        phases[phaseName].completedAt = value;
+        break;
+      case "error":
+        phases[phaseName].error = value;
+        break;
+    }
+  }
+  return {
+    status,
+    startedAt,
+    completedAt,
+    source,
+    phases,
+    raw: content
+  };
+}
+async function initBootstrap(statusFile, source, opts) {
+  const now = new Date().toISOString();
+  const content = `status=started
+started_at=${now}
+source=${source}
+`;
+  return writeFile3(statusFile, content, opts);
+}
+async function startPhase(statusFile, phase, opts) {
+  const now = new Date().toISOString();
+  const line = `phase.${phase}.status=running
+phase.${phase}.started_at=${now}
+`;
+  return writeFile3(statusFile, line, { ...opts, append: true });
+}
+async function completePhase(statusFile, phase, opts) {
+  const now = new Date().toISOString();
+  const line = `phase.${phase}.status=complete
+phase.${phase}.completed_at=${now}
+`;
+  return writeFile3(statusFile, line, { ...opts, append: true });
+}
+async function failPhase(statusFile, phase, error, opts) {
+  const now = new Date().toISOString();
+  const safeError = error.replace(/\n/g, " ");
+  const line = `phase.${phase}.status=failed
+phase.${phase}.completed_at=${now}
+phase.${phase}.error=${safeError}
+`;
+  return writeFile3(statusFile, line, { ...opts, append: true });
+}
+async function completeBootstrap(statusFile, opts) {
+  const now = new Date().toISOString();
+  const line = `status=complete
+completed_at=${now}
+`;
+  return writeFile3(statusFile, line, { ...opts, append: true });
+}
+async function failBootstrap(statusFile, error, opts) {
+  const now = new Date().toISOString();
+  const safeError = error.replace(/\n/g, " ");
+  const line = `status=failed
+completed_at=${now}
+error=${safeError}
+`;
+  return writeFile3(statusFile, line, { ...opts, append: true });
+}
+async function checkMarker(markerPath, opts) {
+  const result = await exec5(["test", "-f", markerPath, "&&", "echo", "exists"], {
+    ...opts,
+    quiet: true
+  });
+  return result.ok && result.stdout.trim() === "exists";
+}
+async function setMarker(markerPath, opts) {
+  return exec5(["touch", markerPath], opts);
+}
+async function removeMarker(markerPath, opts) {
+  return exec5(["rm", "-f", markerPath], opts);
+}
+async function waitForBootstrap(statusFile, opts = {}) {
+  const maxAttempts = opts.maxAttempts ?? 30;
+  const intervalMs = opts.intervalMs ?? 2000;
+  for (let attempt = 1;attempt <= maxAttempts; attempt++) {
+    const status = await getBootstrapStatus(statusFile, opts);
+    if (status.status === "complete") {
+      return { completed: true, status };
+    }
+    if (status.status === "failed") {
+      return { completed: false, status };
+    }
+    opts.onProgress?.(attempt, status);
+    await sleep2(intervalMs);
+  }
+  const finalStatus = await getBootstrapStatus(statusFile, opts);
+  return { completed: false, status: finalStatus };
+}
+async function waitForMarker(markerPath, opts = {}) {
+  const maxAttempts = opts.maxAttempts ?? 30;
+  const intervalMs = opts.intervalMs ?? 2000;
+  for (let attempt = 1;attempt <= maxAttempts; attempt++) {
+    const exists = await checkMarker(markerPath, opts);
+    if (exists) {
+      return { exists: true, timedOut: false };
+    }
+    opts.onProgress?.(attempt, { status: "running" });
+    await sleep2(intervalMs);
+  }
+  return { exists: false, timedOut: true };
+}
+function sleep2(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+
+// index.ts
+init_sudo();
+export {
+  writeFile,
+  waitForMarker,
+  waitForBootstrap,
+  tailscaleConfig,
+  symlink,
+  sudo,
+  stripAnsi,
+  stopService,
+  startService,
+  startPhase,
+  setMarker,
+  serviceExists,
+  serviceEnable,
+  service,
+  safeSystemd,
+  restartService,
+  removeMarker,
+  reloadService,
+  pkgInstall,
+  parseBootstrapStatus,
+  linkBinaries,
+  isAuthed,
+  installBun,
+  initBootstrap,
+  hasSystemd,
+  githubConfig,
+  getServiceStatus,
+  getServiceLogs,
+  getBunVersion,
+  getBootstrapStatus,
+  generateServiceUnit,
+  failPhase,
+  failBootstrap,
+  enableService,
+  enableAndStartService,
+  dopplerConfig,
+  disableService,
+  deviceAuth,
+  createServiceUnit,
+  completePhase,
+  completeBootstrap,
+  commandExists,
+  clone,
+  clearSystemdCache,
+  cleanupDeviceAuth,
+  checkMarker,
+  addSystemPath
+};