@jive-ai/cli 0.0.44 → 0.0.46

package/dist/{service-4H4YceKv.mjs → service-MMjLsA9C.mjs}

@@ -2,21 +2,31 @@ import { E as WS_URL, T as GRAPHQL_API_URL, w as API_URL } from "./index.mjs";
 import fs from "fs/promises";
 import path from "path";
 import os from "os";
-import { exec, spawn } from "child_process";
+import { exec, spawn, spawnSync } from "child_process";
 import { promisify } from "util";
 
 //#region src/lib/service/systemd.ts
 const execAsync$1 = promisify(exec);
+const SERVICE_NAME = "jive-task-runner";
+const SYSTEM_SERVICE_PATH = `/etc/systemd/system/${SERVICE_NAME}.service`;
+const USER_SERVICE_DIR = path.join(os.homedir(), ".config", "systemd", "user");
+const LEGACY_USER_SERVICE_PATH = path.join(USER_SERVICE_DIR, `${SERVICE_NAME}.service`);
+const ENV_DIR = "/etc/jive";
+const ENV_FILE_PATH = `${ENV_DIR}/runner.env`;
 const SERVICE_TEMPLATE = `[Unit]
 Description=Jive Task Runner
 Documentation=https://getjive.app/docs
-After=network-online.target
+After=network-online.target docker.service
 Wants=network-online.target
+Requires=docker.service
 
 [Service]
 Type=simple
+User={{SERVICE_USER}}
+Group={{SERVICE_GROUP}}
+WorkingDirectory={{WORKING_DIRECTORY}}
 ExecStart={{JIVE_BINARY_PATH}} task-runner start
-Restart=on-failure
+Restart=always
 RestartSec=30
 TimeoutStartSec=90
 TimeoutStopSec=30
@@ -24,13 +34,10 @@ StartLimitBurst=5
 StartLimitIntervalSec=10m
 KillMode=mixed
 Environment="PATH={{NODE_BIN_PATH}}:/usr/local/bin:/usr/bin:/bin"
-Environment="JIVE_API_KEY={{JIVE_API_KEY}}"
-Environment="ANTHROPIC_API_KEY={{ANTHROPIC_API_KEY}}"
-Environment="JIVE_TEAM_ID={{JIVE_TEAM_ID}}"
-Environment="JIVE_RUNNER_ID={{JIVE_RUNNER_ID}}"
 Environment="JIVE_API_URL={{JIVE_API_URL}}"
 Environment="JIVE_WS_URL={{JIVE_WS_URL}}"
 Environment="JIVE_GRAPHQL_API_URL={{JIVE_GRAPHQL_API_URL}}"
+EnvironmentFile={{ENV_FILE_PATH}}
 
 StandardOutput=journal
 StandardError=journal
@@ -43,16 +50,64 @@ ProtectKernelTunables=true
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 
 [Install]
-WantedBy=default.target
+WantedBy=multi-user.target
 `;
+/**
+* Check if the current process is running as root (UID 0)
+*/
+function isRunningAsRoot() {
+	return process.getuid?.() === 0;
+}
+/**
+* Re-execute the current command with sudo, preserving PATH and environment.
+* This allows users to just run `jive task-runner install-service` without
+* needing to manually invoke sudo with the correct environment.
+*/
+function reExecWithSudo() {
+	const nodePath = process.execPath;
+	const scriptPath = process.argv[1];
+	const args = process.argv.slice(2);
+	console.log("Root privileges required. Re-running with sudo...\n");
+	const result = spawnSync("sudo", [
+		"--preserve-env=PATH,HOME",
+		`SUDO_USER=${process.env.USER}`,
+		`SUDO_UID=${process.getuid?.() || 1e3}`,
+		`SUDO_GID=${process.getgid?.() || 1e3}`,
+		nodePath,
+		scriptPath,
+		...args
+	], {
+		stdio: "inherit",
+		env: process.env
+	});
+	process.exit(result.status ?? 1);
+}
+/**
+* Get the original user info when running with sudo
+* Returns the user who invoked sudo, not root
+*/
+function getCurrentUser() {
+	return {
+		uid: parseInt(process.env.SUDO_UID || String(process.getuid?.() || 1e3), 10),
+		gid: parseInt(process.env.SUDO_GID || String(process.getgid?.() || 1e3), 10),
+		username: process.env.SUDO_USER || process.env.USER || "jive",
+		homeDir: process.env.SUDO_USER ? `/home/${process.env.SUDO_USER}` : os.homedir()
+	};
+}
 var SystemdServiceManager = class {
-	servicePath;
-	serviceName = "jive-task-runner";
-	constructor() {
-		const homeDir = os.homedir();
-		this.servicePath = path.join(homeDir, ".config", "systemd", "user", `${this.serviceName}.service`);
+	servicePath = SYSTEM_SERVICE_PATH;
+	serviceName = SERVICE_NAME;
+	/**
+	* Check for legacy user service and handle migration.
+	* Call this BEFORE starting any spinners since it may prompt the user.
+	*/
+	async checkAndMigrateLegacyService() {
+		if (!isRunningAsRoot()) reExecWithSudo();
+		await this.migrateFromUserService();
 	}
 	async install() {
+		if (!isRunningAsRoot()) reExecWithSudo();
+		const user = getCurrentUser();
 		const { getRunnerConfig } = await import("./tasks-Py86q1u7.mjs");
 		const { getCredentials } = await import("./config-7rVDmj2u.mjs");
 		const runnerConfig = await getRunnerConfig();
@@ -72,41 +127,86 @@ var SystemdServiceManager = class {
 			if (resolvedPath.includes(pattern)) throw new Error(`Detected unstable path for jive binary: ${resolvedPath}\nThis path contains '${pattern}' which may not persist across reboots.\n\nIf you're using fnm, try:\n  1. Run: fnm exec --using=default -- npm install -g @jive-ai/cli\n  2. Then run install-service again from a fresh terminal`);
 			if (resolvedNodePath.includes(pattern)) throw new Error(`Detected unstable path for node binary: ${resolvedNodePath}\nThis path contains '${pattern}' which may not persist across reboots.\n\nIf you're using fnm, ensure you have a default node version set:\n  fnm default <version>`);
 		}
-		const variables = {
-			JIVE_BINARY_PATH: resolvedPath,
-			NODE_BIN_PATH: nodeBinDir,
+		await this.createEnvironmentFile({
 			JIVE_API_KEY: credentials.token,
 			ANTHROPIC_API_KEY: credentials.anthropicApiKey || "",
 			JIVE_TEAM_ID: runnerConfig.teamId,
-			JIVE_RUNNER_ID: runnerConfig.id.toString(),
+			JIVE_RUNNER_ID: runnerConfig.id.toString()
+		});
+		const variables = {
+			SERVICE_USER: user.username,
+			SERVICE_GROUP: user.username,
+			WORKING_DIRECTORY: user.homeDir,
+			JIVE_BINARY_PATH: resolvedPath,
+			NODE_BIN_PATH: nodeBinDir,
 			JIVE_API_URL: process.env.JIVE_API_URL || API_URL,
 			JIVE_WS_URL: process.env.JIVE_WS_URL || WS_URL,
-			JIVE_GRAPHQL_API_URL: process.env.JIVE_GRAPHQL_API_URL || GRAPHQL_API_URL
+			JIVE_GRAPHQL_API_URL: process.env.JIVE_GRAPHQL_API_URL || GRAPHQL_API_URL,
+			ENV_FILE_PATH
 		};
 		let serviceContent = SERVICE_TEMPLATE;
 		for (const [key, value] of Object.entries(variables)) serviceContent = serviceContent.replace(new RegExp(`{{${key}}}`, "g"), value);
-		const serviceDir = path.dirname(this.servicePath);
-		await fs.mkdir(serviceDir, {
-			recursive: true,
-			mode: 493
-		});
-		const dirMode = (await fs.stat(serviceDir)).mode & 511;
-		if (dirMode > 493) throw new Error(`Systemd user directory has overly permissive permissions: ${dirMode.toString(8)}\nExpected 0755 or stricter. Fix with: chmod 755 ${serviceDir}`);
-		await fs.writeFile(this.servicePath, serviceContent, { mode: 384 });
+		await fs.writeFile(this.servicePath, serviceContent, { mode: 420 });
 		try {
-			await execAsync$1("systemctl --user daemon-reload", { timeout: 3e4 });
-			await execAsync$1(`systemctl --user enable ${this.serviceName}`, { timeout: 3e4 });
+			await execAsync$1("systemctl daemon-reload", { timeout: 3e4 });
+			await execAsync$1(`systemctl enable ${this.serviceName}`, { timeout: 3e4 });
 		} catch (error) {
 			try {
 				await fs.unlink(this.servicePath);
-				await execAsync$1("systemctl --user daemon-reload", { timeout: 3e4 });
+				await fs.unlink(ENV_FILE_PATH);
+				await execAsync$1("systemctl daemon-reload", { timeout: 3e4 });
 			} catch (cleanupError) {
 				console.error("Failed to clean up after installation failure:", cleanupError);
 			}
 			throw new Error(`Service installation failed: ${error.message}\nPartial installation has been rolled back.`);
 		}
 	}
+	/**
+	* Create the environment file with sensitive credentials
+	*/
+	async createEnvironmentFile(vars) {
+		await fs.mkdir(ENV_DIR, {
+			recursive: true,
+			mode: 493
+		});
+		const content = Object.entries(vars).map(([key, value]) => `${key}=${value}`).join("\n") + "\n";
+		await fs.writeFile(ENV_FILE_PATH, content, { mode: 384 });
+	}
+	/**
+	* Check for and migrate from legacy user service
+	*/
+	async migrateFromUserService() {
+		try {
+			await fs.access(LEGACY_USER_SERVICE_PATH);
+		} catch {
+			return;
+		}
+		const { default: prompts } = await import("prompts");
+		console.log("\n⚠  Found existing user service at:");
+		console.log(`   ${LEGACY_USER_SERVICE_PATH}\n`);
+		const { migrate } = await prompts({
+			type: "confirm",
+			name: "migrate",
+			message: "Migrate to system service? (This will remove the old user service)",
+			initial: true
+		});
+		if (!migrate) throw new Error("Migration cancelled. Remove the user service first or choose to migrate.");
+		const user = getCurrentUser();
+		console.log("Stopping and removing legacy user service...");
+		try {
+			await execAsync$1(`sudo -u ${user.username} systemctl --user stop ${this.serviceName}`, { timeout: 3e4 });
+		} catch {}
+		try {
+			await execAsync$1(`sudo -u ${user.username} systemctl --user disable ${this.serviceName}`, { timeout: 3e4 });
+		} catch {}
+		await fs.unlink(LEGACY_USER_SERVICE_PATH);
+		try {
+			await execAsync$1(`sudo -u ${user.username} systemctl --user daemon-reload`, { timeout: 3e4 });
+		} catch {}
+		console.log("Legacy user service removed successfully.\n");
+	}
 	async uninstall() {
+		if (!isRunningAsRoot()) reExecWithSudo();
 		try {
 			await this.stop();
 		} catch (error) {
@@ -114,7 +214,7 @@ var SystemdServiceManager = class {
 			else console.warn(`Warning: Failed to stop service: ${error.message}`);
 		}
 		try {
-			await execAsync$1(`systemctl --user disable ${this.serviceName}`, { timeout: 3e4 });
+			await execAsync$1(`systemctl disable ${this.serviceName}`, { timeout: 3e4 });
 		} catch (error) {
 			if (error.stderr?.includes("No such file") || error.message?.includes("not be found")) {} else if (error.code === "EACCES") console.warn("Warning: Permission denied when disabling service");
 			else console.warn(`Warning: Failed to disable service: ${error.message}`);
@@ -124,16 +224,24 @@ var SystemdServiceManager = class {
 		} catch (error) {
 			if (error.code !== "ENOENT") throw new Error(`Failed to remove service file: ${error.message}`);
 		}
-		await execAsync$1("systemctl --user daemon-reload", { timeout: 3e4 });
+		try {
+			await fs.unlink(ENV_FILE_PATH);
+		} catch (error) {
+			if (error.code !== "ENOENT") console.warn(`Warning: Failed to remove environment file: ${error.message}`);
+		}
+		try {
+			await fs.rmdir(ENV_DIR);
+		} catch {}
+		await execAsync$1("systemctl daemon-reload", { timeout: 3e4 });
 	}
 	async start() {
-		await execAsync$1(`systemctl --user start ${this.serviceName}`, { timeout: 3e4 });
+		await execAsync$1(`systemctl start ${this.serviceName}`, { timeout: 3e4 });
 	}
 	async stop() {
-		await execAsync$1(`systemctl --user stop ${this.serviceName}`, { timeout: 3e4 });
+		await execAsync$1(`systemctl stop ${this.serviceName}`, { timeout: 3e4 });
 	}
 	async restart() {
-		await execAsync$1(`systemctl --user restart ${this.serviceName}`, { timeout: 3e4 });
+		await execAsync$1(`systemctl restart ${this.serviceName}`, { timeout: 3e4 });
 	}
 	async status() {
 		if (!await this.isInstalled()) return {
@@ -142,11 +250,11 @@ var SystemdServiceManager = class {
 			enabled: false
 		};
 		try {
-			const { stdout } = await execAsync$1(`systemctl --user status ${this.serviceName} --no-pager`, { timeout: 3e4 });
+			const { stdout } = await execAsync$1(`systemctl status ${this.serviceName} --no-pager`, { timeout: 3e4 });
 			const running = stdout.includes("Active: active (running)");
 			const pid = this.extractPid(stdout);
 			const uptime = this.extractUptime(stdout);
-			const { stdout: isEnabledOutput } = await execAsync$1(`systemctl --user is-enabled ${this.serviceName}`, { timeout: 3e4 });
+			const { stdout: isEnabledOutput } = await execAsync$1(`systemctl is-enabled ${this.serviceName}`, { timeout: 3e4 });
 			return {
 				installed: true,
 				running,
@@ -155,7 +263,7 @@ var SystemdServiceManager = class {
 				pid
 			};
 		} catch (error) {
-			const { stdout: isEnabledOutput } = await execAsync$1(`systemctl --user is-enabled ${this.serviceName}`, { timeout: 3e4 }).catch(() => ({ stdout: "disabled" }));
+			const { stdout: isEnabledOutput } = await execAsync$1(`systemctl is-enabled ${this.serviceName}`, { timeout: 3e4 }).catch(() => ({ stdout: "disabled" }));
 			return {
 				installed: true,
 				running: false,
@@ -164,11 +272,7 @@ var SystemdServiceManager = class {
 		}
 	}
 	async logs(options) {
-		const args = [
-			"--user",
-			"-u",
-			this.serviceName
-		];
+		const args = ["-u", this.serviceName];
 		if (options?.follow) args.push("-f");
 		if (options?.lines) args.push("-n", options.lines.toString());
 		const logsProcess = spawn("journalctl", args, { stdio: "inherit" });
@@ -240,6 +344,18 @@ async function validateServiceInstallation() {
 	const checks = [];
 	let canInstall = true;
 	let hasWarnings = false;
+	if (!isRunningAsRoot()) {
+		checks.push({
+			name: "Root privileges",
+			status: "warning",
+			message: "Will prompt for sudo password"
+		});
+		hasWarnings = true;
+	} else checks.push({
+		name: "Root privileges",
+		status: "success",
+		message: "Running as root"
+	});
 	try {
 		const { getRunnerConfig } = await import("./tasks-Py86q1u7.mjs");
 		const runnerConfig = await getRunnerConfig();

package/package.json

@@ -1,7 +1,7 @@
 {
   "private": false,
   "name": "@jive-ai/cli",
-  "version": "0.0.44",
+  "version": "0.0.46",
   "main": "index.js",
   "files": [
     "dist",
@@ -15,7 +15,8 @@
     "test": "echo \"Error: no test specified\" && exit 1",
     "typecheck": "tsc --noEmit",
     "build": "tsdown && npm pack && npm install -g jive-ai-cli-*.tgz",
-    "docker:build": "bun run build && .docker/build.sh",
+    "docker:clean": "docker rmi jiveai/task:latest jiveai/task:$npm_package_version",
+    "docker:build": "bun run build && npm run docker:clean && .docker/build.sh",
     "docker:push": ".docker/build.sh --push",
     "prepublishOnly": "npm run typecheck && npm run build"
   },