@openape/cli 0.1.0 → 0.1.2

package/dist/commands/install-proxy.js

@@ -0,0 +1,188 @@
+import { existsSync } from 'node:fs';
+import { execSync } from 'node:child_process';
+import { ask, closePrompt, requireRoot, ensureDir, writeSecureFile, isMacOS, isLinux, run } from '../utils.js';
+const CONFIG_DIR = '/etc/openape-proxy';
+const CONFIG_PATH = `${CONFIG_DIR}/config.toml`;
+const LAUNCHD_LABEL = 'ai.openape.proxy';
+const LAUNCHD_PLIST = `/Library/LaunchDaemons/${LAUNCHD_LABEL}.plist`;
+const SYSTEMD_UNIT = '/etc/systemd/system/openape-proxy.service';
+export async function installProxy() {
+    requireRoot();
+    console.log('\n🐾 OpenApe Proxy Installer\n');
+    // Check if bun is available
+    try {
+        run('which bun');
+    }
+    catch {
+        throw new Error('Bun is required but not found. Install it: https://bun.sh');
+    }
+    // Check if already installed
+    if (existsSync(CONFIG_PATH)) {
+        const overwrite = await ask('Config already exists. Overwrite?', 'n');
+        if (overwrite.toLowerCase() !== 'y') {
+            console.log('Aborted.');
+            closePrompt();
+            return;
+        }
+    }
+    // Gather config
+    const idpUrl = await ask('IdP URL', 'https://id.test.openape.at');
+    const agentEmail = await ask('Agent email');
+    const listen = await ask('Listen address', '127.0.0.1:9090');
+    const defaultAction = await ask('Default action (block/request/request-async)', 'block');
+    const auditLog = await ask('Audit log path', '/var/log/openape-proxy/audit.log');
+    console.log('\nConfiguring rules...');
+    console.log('(You can edit the config later at ' + CONFIG_PATH + ')\n');
+    // Generate config
+    const config = `# OpenApe Proxy Configuration
+# Generated by: openape install-proxy
+# Edit this file to add/remove rules. Restart the service after changes.
+
+[proxy]
+listen = "${listen}"
+idp_url = "${idpUrl}"
+agent_email = "${agentEmail}"
+default_action = "${defaultAction}"
+audit_log = "${auditLog}"
+
+# Example rules — customize these for your use case:
+
+# [[allow]]
+# domain = "api.github.com"
+# methods = ["GET"]
+# note = "GitHub API read-only"
+
+# [[deny]]
+# domain = "*.malware.example.com"
+# note = "Known bad domain"
+
+# [[grant_required]]
+# domain = "api.github.com"
+# methods = ["POST", "PUT", "DELETE"]
+# grant_type = "allow_once"
+# note = "GitHub API write operations need approval"
+`;
+    // Write config
+    ensureDir(CONFIG_DIR, 0o700);
+    writeSecureFile(CONFIG_PATH, config);
+    console.log(`✅ Config written to ${CONFIG_PATH}`);
+    // Create audit log directory
+    const auditDir = auditLog.substring(0, auditLog.lastIndexOf('/'));
+    if (auditDir) {
+        ensureDir(auditDir, 0o755);
+        console.log(`✅ Audit log directory created: ${auditDir}`);
+    }
+    // Install proxy source
+    const installDir = '/opt/openape-proxy';
+    ensureDir(installDir, 0o755);
+    // Clone or update proxy source
+    if (existsSync(`${installDir}/package.json`)) {
+        console.log('Updating proxy source...');
+        execSync(`cd ${installDir} && git pull`, { stdio: 'inherit' });
+    }
+    else {
+        console.log('Downloading proxy source...');
+        execSync(`git clone https://github.com/openape-ai/proxy.git ${installDir}`, { stdio: 'inherit' });
+    }
+    // Install dependencies
+    console.log('Installing dependencies...');
+    execSync(`cd ${installDir} && bun install`, { stdio: 'inherit' });
+    // Set up system service
+    if (isMacOS()) {
+        await setupLaunchd(installDir);
+    }
+    else if (isLinux()) {
+        await setupSystemd(installDir);
+    }
+    else {
+        console.log('\n⚠️  Unsupported platform for service setup. Start manually:');
+        console.log(`   cd ${installDir} && bun run src/index.ts --config ${CONFIG_PATH}`);
+    }
+    closePrompt();
+    console.log('\n🎉 OpenApe Proxy installed!\n');
+    console.log(`   Config:    ${CONFIG_PATH}`);
+    console.log(`   Proxy:     ${installDir}`);
+    console.log(`   Audit log: ${auditLog}`);
+    console.log(`   Listening: ${listen}`);
+    console.log(`\n   Edit ${CONFIG_PATH} to configure rules.`);
+    console.log(`   The proxy must be restarted after config changes.\n`);
+    // Quick test
+    try {
+        const port = listen.split(':')[1] || '9090';
+        const host = listen.split(':')[0] || '127.0.0.1';
+        const res = execSync(`curl -s http://${host}:${port}/healthz`, { timeout: 3000, encoding: 'utf-8' });
+        console.log(`   Health check: ${res}`);
+    }
+    catch {
+        console.log('   ⚠️  Health check failed — service may still be starting.');
+    }
+}
+async function setupLaunchd(installDir) {
+    const bunPath = run('which bun');
+    const plist = `<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>Label</key>
+    <string>${LAUNCHD_LABEL}</string>
+    <key>ProgramArguments</key>
+    <array>
+        <string>${bunPath}</string>
+        <string>run</string>
+        <string>${installDir}/src/index.ts</string>
+        <string>--config</string>
+        <string>${CONFIG_PATH}</string>
+    </array>
+    <key>RunAtLoad</key>
+    <true/>
+    <key>KeepAlive</key>
+    <true/>
+    <key>StandardOutPath</key>
+    <string>/var/log/openape-proxy/stdout.log</string>
+    <key>StandardErrorPath</key>
+    <string>/var/log/openape-proxy/stderr.log</string>
+    <key>WorkingDirectory</key>
+    <string>${installDir}</string>
+</dict>
+</plist>`;
+    writeSecureFile(LAUNCHD_PLIST, plist, 0o644);
+    console.log(`✅ launchd service created: ${LAUNCHD_LABEL}`);
+    // Stop if already running
+    try {
+        execSync(`launchctl unload ${LAUNCHD_PLIST}`, { stdio: 'ignore' });
+    }
+    catch { }
+    execSync(`launchctl load ${LAUNCHD_PLIST}`);
+    console.log('✅ Service started');
+}
+async function setupSystemd(installDir) {
+    const bunPath = run('which bun');
+    const unit = `[Unit]
+Description=OpenApe HTTP Proxy
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=${bunPath} run ${installDir}/src/index.ts --config ${CONFIG_PATH}
+WorkingDirectory=${installDir}
+Restart=on-failure
+RestartSec=5
+StandardOutput=journal
+StandardError=journal
+
+# Security hardening
+NoNewPrivileges=true
+ProtectSystem=strict
+ProtectHome=true
+ReadOnlyPaths=/
+ReadWritePaths=/var/log/openape-proxy
+
+[Install]
+WantedBy=multi-user.target
+`;
+    writeSecureFile(SYSTEMD_UNIT, unit, 0o644);
+    execSync('systemctl daemon-reload');
+    execSync('systemctl enable openape-proxy');
+    execSync('systemctl start openape-proxy');
+    console.log('✅ systemd service created and started: openape-proxy');
+}

package/dist/commands/install-sudo.js

@@ -0,0 +1,86 @@
+import { existsSync } from 'node:fs';
+import { execSync } from 'node:child_process';
+import { ask, closePrompt, requireRoot, ensureDir, writeSecureFile, run } from '../utils.js';
+const CONFIG_DIR = '/etc/apes';
+const CONFIG_PATH = `${CONFIG_DIR}/config.toml`;
+const BIN_PATH = '/usr/local/bin/apes';
+export async function installSudo() {
+    requireRoot();
+    console.log('\n🐾 OpenApe Sudo (apes) Installer\n');
+    // Check if already installed
+    if (existsSync(BIN_PATH)) {
+        const overwrite = await ask('apes is already installed. Reinstall?', 'n');
+        if (overwrite.toLowerCase() !== 'y') {
+            console.log('Aborted.');
+            closePrompt();
+            return;
+        }
+    }
+    // Check for Rust toolchain
+    let hasCargo = false;
+    try {
+        run('cargo --version');
+        hasCargo = true;
+    }
+    catch { }
+    if (!hasCargo) {
+        console.log('⚠️  Rust/Cargo not found. Checking for pre-built binary...');
+        // TODO: download pre-built binary from GitHub releases
+        throw new Error('Rust toolchain required to build apes. Install it: https://rustup.rs\n' +
+            'Pre-built binaries will be available in a future release.');
+    }
+    // Build from source
+    const buildDir = '/tmp/openape-sudo-build';
+    if (existsSync(`${buildDir}/.git`)) {
+        console.log('Updating source...');
+        execSync(`cd ${buildDir} && git pull`, { stdio: 'inherit' });
+    }
+    else {
+        console.log('Downloading source...');
+        execSync(`rm -rf ${buildDir}`, { stdio: 'ignore' });
+        execSync(`git clone https://github.com/openape-ai/sudo.git ${buildDir}`, { stdio: 'inherit' });
+    }
+    console.log('Building apes (release mode)...');
+    execSync(`cd ${buildDir} && cargo build --release`, { stdio: 'inherit' });
+    // Install binary with setuid
+    execSync(`cp ${buildDir}/target/release/apes ${BIN_PATH}`);
+    execSync(`chown root:wheel ${BIN_PATH}`);
+    execSync(`chmod u+s ${BIN_PATH}`);
+    console.log(`✅ apes installed at ${BIN_PATH} (setuid root)`);
+    // Config setup
+    if (existsSync(CONFIG_PATH)) {
+        const overwriteConfig = await ask('Config already exists. Overwrite?', 'n');
+        if (overwriteConfig.toLowerCase() !== 'y') {
+            closePrompt();
+            console.log('\n🎉 apes binary updated! Existing config preserved.\n');
+            return;
+        }
+    }
+    const serverUrl = await ask('IdP URL', 'https://id.test.openape.at');
+    const timeoutSecs = await ask('Poll timeout (seconds)', '300');
+    const intervalSecs = await ask('Poll interval (seconds)', '2');
+    const config = `# OpenApe Sudo (apes) Configuration
+# Generated by: openape install-sudo
+
+server_url = "${serverUrl}"
+
+# Agent identity is determined by the key passed via --key flag.
+# Each user provides their own key: apes --key ~/.ssh/id_ed25519 -- <command>
+
+[poll]
+interval_secs = ${intervalSecs}
+timeout_secs = ${timeoutSecs}
+`;
+    ensureDir(CONFIG_DIR, 0o700);
+    writeSecureFile(CONFIG_PATH, config);
+    console.log(`✅ Config written to ${CONFIG_PATH}`);
+    closePrompt();
+    console.log('\n🎉 apes installed!\n');
+    console.log(`   Binary: ${BIN_PATH} (setuid root)`);
+    console.log(`   Config: ${CONFIG_PATH}`);
+    console.log('\n   Next steps:');
+    console.log('   1. Register this agent on the IdP:');
+    console.log(`      sudo apes enroll --server ${serverUrl} --agent-email <email> --agent-name <name> --key <path>`);
+    console.log('   2. Ask your admin to approve the enrollment');
+    console.log('   3. Use it: apes --key ~/.ssh/id_ed25519 --reason "why" -- <command>\n');
+}

package/dist/index.js

@@ -0,0 +1,42 @@
+#!/usr/bin/env node
+import { installProxy } from './commands/install-proxy.js';
+import { installSudo } from './commands/install-sudo.js';
+const command = process.argv[2];
+const HELP = `
+OpenApe CLI — install and manage OpenApe components
+
+Usage: openape <command> [options]
+
+Commands:
+  install-proxy    Install and configure the OpenApe HTTP proxy
+  install-sudo     Install and configure apes (privilege elevation)
+  help             Show this help message
+
+Examples:
+  sudo openape install-proxy
+  sudo openape install-sudo
+`;
+async function main() {
+    switch (command) {
+        case 'install-proxy':
+            await installProxy();
+            break;
+        case 'install-sudo':
+            await installSudo();
+            break;
+        case 'help':
+        case '--help':
+        case '-h':
+        case undefined:
+            console.log(HELP);
+            process.exit(0);
+        default:
+            console.error(`Unknown command: ${command}`);
+            console.log(HELP);
+            process.exit(1);
+    }
+}
+main().catch((err) => {
+    console.error(`\n❌ ${err.message}`);
+    process.exit(1);
+});

package/dist/utils.js

@@ -0,0 +1,57 @@
+import { createInterface } from 'node:readline';
+import { execSync } from 'node:child_process';
+import { existsSync, mkdirSync, writeFileSync, chmodSync, chownSync } from 'node:fs';
+import { platform } from 'node:os';
+const rl = createInterface({ input: process.stdin, output: process.stdout });
+export function ask(question, defaultValue) {
+    const suffix = defaultValue ? ` [${defaultValue}]` : '';
+    return new Promise((resolve) => {
+        rl.question(`${question}${suffix}: `, (answer) => {
+            resolve(answer.trim() || defaultValue || '');
+        });
+    });
+}
+export function closePrompt() {
+    rl.close();
+}
+export function requireRoot() {
+    if (process.getuid?.() !== 0) {
+        throw new Error('This command must be run as root (use sudo)');
+    }
+}
+export function ensureDir(path, mode = 0o755) {
+    if (!existsSync(path)) {
+        mkdirSync(path, { recursive: true });
+    }
+    chmodSync(path, mode);
+}
+export function writeSecureFile(path, content, mode = 0o600) {
+    writeFileSync(path, content, 'utf-8');
+    chmodSync(path, mode);
+    // Ensure root ownership
+    try {
+        chownSync(path, 0, 0);
+    }
+    catch { }
+}
+export function run(cmd) {
+    return execSync(cmd, { encoding: 'utf-8' }).trim();
+}
+export function isMacOS() {
+    return platform() === 'darwin';
+}
+export function isLinux() {
+    return platform() === 'linux';
+}
+export function serviceExists(name) {
+    if (isMacOS()) {
+        return existsSync(`/Library/LaunchDaemons/${name}.plist`);
+    }
+    try {
+        execSync(`systemctl cat ${name}`, { stdio: 'ignore' });
+        return true;
+    }
+    catch {
+        return false;
+    }
+}

package/package.json

@@ -1,13 +1,16 @@
 {
   "name": "@openape/cli",
-  "version": "0.1.0",
+  "version": "0.1.2",
   "description": "OpenApe CLI — install and manage OpenApe components (proxy, sudo, auth)",
   "type": "module",
   "bin": {
-    "openape": "./src/index.ts"
+    "openape": "dist/index.js"
   },
   "scripts": {
-    "start": "bun run src/index.ts",
+    "build": "tsc",
+    "prepublishOnly": "tsc",
+    "start": "node dist/index.js",
+    "dev": "bun run src/index.ts",
     "typecheck": "tsc --noEmit"
   },
   "keywords": [
@@ -26,7 +29,7 @@
   "license": "MIT",
   "repository": {
     "type": "git",
-    "url": "https://github.com/openape-ai/cli.git"
+    "url": "git+https://github.com/openape-ai/cli.git"
   },
   "homepage": "https://openape.at",
   "bugs": {
@@ -43,7 +46,7 @@
     "node": ">=18"
   },
   "files": [
-    "src/",
+    "dist/",
     "README.md",
     "LICENSE"
   ]

package/src/commands/install-proxy.ts

@@ -1,205 +0,0 @@
-import { existsSync } from 'node:fs'
-import { execSync } from 'node:child_process'
-import { ask, closePrompt, requireRoot, ensureDir, writeSecureFile, isMacOS, isLinux, run } from '../utils.js'
-
-const CONFIG_DIR = '/etc/openape-proxy'
-const CONFIG_PATH = `${CONFIG_DIR}/config.toml`
-const LAUNCHD_LABEL = 'ai.openape.proxy'
-const LAUNCHD_PLIST = `/Library/LaunchDaemons/${LAUNCHD_LABEL}.plist`
-const SYSTEMD_UNIT = '/etc/systemd/system/openape-proxy.service'
-
-export async function installProxy(): Promise<void> {
-  requireRoot()
-
-  console.log('\n🐾 OpenApe Proxy Installer\n')
-
-  // Check if bun is available
-  try {
-    run('which bun')
-  } catch {
-    throw new Error('Bun is required but not found. Install it: https://bun.sh')
-  }
-
-  // Check if already installed
-  if (existsSync(CONFIG_PATH)) {
-    const overwrite = await ask('Config already exists. Overwrite?', 'n')
-    if (overwrite.toLowerCase() !== 'y') {
-      console.log('Aborted.')
-      closePrompt()
-      return
-    }
-  }
-
-  // Gather config
-  const idpUrl = await ask('IdP URL', 'https://id.test.openape.at')
-  const agentEmail = await ask('Agent email')
-  const listen = await ask('Listen address', '127.0.0.1:9090')
-  const defaultAction = await ask('Default action (block/request/request-async)', 'block')
-  const auditLog = await ask('Audit log path', '/var/log/openape-proxy/audit.log')
-
-  console.log('\nConfiguring rules...')
-  console.log('(You can edit the config later at ' + CONFIG_PATH + ')\n')
-
-  // Generate config
-  const config = `# OpenApe Proxy Configuration
-# Generated by: openape install-proxy
-# Edit this file to add/remove rules. Restart the service after changes.
-
-[proxy]
-listen = "${listen}"
-idp_url = "${idpUrl}"
-agent_email = "${agentEmail}"
-default_action = "${defaultAction}"
-audit_log = "${auditLog}"
-
-# Example rules — customize these for your use case:
-
-# [[allow]]
-# domain = "api.github.com"
-# methods = ["GET"]
-# note = "GitHub API read-only"
-
-# [[deny]]
-# domain = "*.malware.example.com"
-# note = "Known bad domain"
-
-# [[grant_required]]
-# domain = "api.github.com"
-# methods = ["POST", "PUT", "DELETE"]
-# grant_type = "allow_once"
-# note = "GitHub API write operations need approval"
-`
-
-  // Write config
-  ensureDir(CONFIG_DIR, 0o700)
-  writeSecureFile(CONFIG_PATH, config)
-  console.log(`✅ Config written to ${CONFIG_PATH}`)
-
-  // Create audit log directory
-  const auditDir = auditLog.substring(0, auditLog.lastIndexOf('/'))
-  if (auditDir) {
-    ensureDir(auditDir, 0o755)
-    console.log(`✅ Audit log directory created: ${auditDir}`)
-  }
-
-  // Install proxy source
-  const installDir = '/opt/openape-proxy'
-  ensureDir(installDir, 0o755)
-
-  // Clone or update proxy source
-  if (existsSync(`${installDir}/package.json`)) {
-    console.log('Updating proxy source...')
-    execSync(`cd ${installDir} && git pull`, { stdio: 'inherit' })
-  } else {
-    console.log('Downloading proxy source...')
-    execSync(`git clone https://github.com/openape-ai/proxy.git ${installDir}`, { stdio: 'inherit' })
-  }
-
-  // Install dependencies
-  console.log('Installing dependencies...')
-  execSync(`cd ${installDir} && bun install`, { stdio: 'inherit' })
-
-  // Set up system service
-  if (isMacOS()) {
-    await setupLaunchd(installDir)
-  } else if (isLinux()) {
-    await setupSystemd(installDir)
-  } else {
-    console.log('\n⚠️  Unsupported platform for service setup. Start manually:')
-    console.log(`   cd ${installDir} && bun run src/index.ts --config ${CONFIG_PATH}`)
-  }
-
-  closePrompt()
-
-  console.log('\n🎉 OpenApe Proxy installed!\n')
-  console.log(`   Config:    ${CONFIG_PATH}`)
-  console.log(`   Proxy:     ${installDir}`)
-  console.log(`   Audit log: ${auditLog}`)
-  console.log(`   Listening: ${listen}`)
-  console.log(`\n   Edit ${CONFIG_PATH} to configure rules.`)
-  console.log(`   The proxy must be restarted after config changes.\n`)
-
-  // Quick test
-  try {
-    const port = listen.split(':')[1] || '9090'
-    const host = listen.split(':')[0] || '127.0.0.1'
-    const res = execSync(`curl -s http://${host}:${port}/healthz`, { timeout: 3000, encoding: 'utf-8' })
-    console.log(`   Health check: ${res}`)
-  } catch {
-    console.log('   ⚠️  Health check failed — service may still be starting.')
-  }
-}
-
-async function setupLaunchd(installDir: string): Promise<void> {
-  const bunPath = run('which bun')
-
-  const plist = `<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
-    <key>Label</key>
-    <string>${LAUNCHD_LABEL}</string>
-    <key>ProgramArguments</key>
-    <array>
-        <string>${bunPath}</string>
-        <string>run</string>
-        <string>${installDir}/src/index.ts</string>
-        <string>--config</string>
-        <string>${CONFIG_PATH}</string>
-    </array>
-    <key>RunAtLoad</key>
-    <true/>
-    <key>KeepAlive</key>
-    <true/>
-    <key>StandardOutPath</key>
-    <string>/var/log/openape-proxy/stdout.log</string>
-    <key>StandardErrorPath</key>
-    <string>/var/log/openape-proxy/stderr.log</string>
-    <key>WorkingDirectory</key>
-    <string>${installDir}</string>
-</dict>
-</plist>`
-
-  writeSecureFile(LAUNCHD_PLIST, plist, 0o644)
-  console.log(`✅ launchd service created: ${LAUNCHD_LABEL}`)
-
-  // Stop if already running
-  try { execSync(`launchctl unload ${LAUNCHD_PLIST}`, { stdio: 'ignore' }) } catch {}
-
-  execSync(`launchctl load ${LAUNCHD_PLIST}`)
-  console.log('✅ Service started')
-}
-
-async function setupSystemd(installDir: string): Promise<void> {
-  const bunPath = run('which bun')
-
-  const unit = `[Unit]
-Description=OpenApe HTTP Proxy
-After=network.target
-
-[Service]
-Type=simple
-ExecStart=${bunPath} run ${installDir}/src/index.ts --config ${CONFIG_PATH}
-WorkingDirectory=${installDir}
-Restart=on-failure
-RestartSec=5
-StandardOutput=journal
-StandardError=journal
-
-# Security hardening
-NoNewPrivileges=true
-ProtectSystem=strict
-ProtectHome=true
-ReadOnlyPaths=/
-ReadWritePaths=/var/log/openape-proxy
-
-[Install]
-WantedBy=multi-user.target
-`
-
-  writeSecureFile(SYSTEMD_UNIT, unit, 0o644)
-  execSync('systemctl daemon-reload')
-  execSync('systemctl enable openape-proxy')
-  execSync('systemctl start openape-proxy')
-  console.log('✅ systemd service created and started: openape-proxy')
-}

package/src/commands/install-sudo.ts

@@ -1,102 +0,0 @@
-import { existsSync } from 'node:fs'
-import { execSync } from 'node:child_process'
-import { arch, platform } from 'node:os'
-import { ask, closePrompt, requireRoot, ensureDir, writeSecureFile, run } from '../utils.js'
-
-const CONFIG_DIR = '/etc/apes'
-const CONFIG_PATH = `${CONFIG_DIR}/config.toml`
-const BIN_PATH = '/usr/local/bin/apes'
-
-export async function installSudo(): Promise<void> {
-  requireRoot()
-
-  console.log('\n🐾 OpenApe Sudo (apes) Installer\n')
-
-  // Check if already installed
-  if (existsSync(BIN_PATH)) {
-    const overwrite = await ask('apes is already installed. Reinstall?', 'n')
-    if (overwrite.toLowerCase() !== 'y') {
-      console.log('Aborted.')
-      closePrompt()
-      return
-    }
-  }
-
-  // Check for Rust toolchain
-  let hasCargo = false
-  try {
-    run('cargo --version')
-    hasCargo = true
-  } catch {}
-
-  if (!hasCargo) {
-    console.log('⚠️  Rust/Cargo not found. Checking for pre-built binary...')
-    // TODO: download pre-built binary from GitHub releases
-    throw new Error(
-      'Rust toolchain required to build apes. Install it: https://rustup.rs\n' +
-      'Pre-built binaries will be available in a future release.'
-    )
-  }
-
-  // Build from source
-  const buildDir = '/tmp/openape-sudo-build'
-  if (existsSync(`${buildDir}/.git`)) {
-    console.log('Updating source...')
-    execSync(`cd ${buildDir} && git pull`, { stdio: 'inherit' })
-  } else {
-    console.log('Downloading source...')
-    execSync(`rm -rf ${buildDir}`, { stdio: 'ignore' })
-    execSync(`git clone https://github.com/openape-ai/sudo.git ${buildDir}`, { stdio: 'inherit' })
-  }
-
-  console.log('Building apes (release mode)...')
-  execSync(`cd ${buildDir} && cargo build --release`, { stdio: 'inherit' })
-
-  // Install binary with setuid
-  execSync(`cp ${buildDir}/target/release/apes ${BIN_PATH}`)
-  execSync(`chown root:wheel ${BIN_PATH}`)
-  execSync(`chmod u+s ${BIN_PATH}`)
-  console.log(`✅ apes installed at ${BIN_PATH} (setuid root)`)
-
-  // Config setup
-  if (existsSync(CONFIG_PATH)) {
-    const overwriteConfig = await ask('Config already exists. Overwrite?', 'n')
-    if (overwriteConfig.toLowerCase() !== 'y') {
-      closePrompt()
-      console.log('\n🎉 apes binary updated! Existing config preserved.\n')
-      return
-    }
-  }
-
-  const serverUrl = await ask('IdP URL', 'https://id.test.openape.at')
-  const timeoutSecs = await ask('Poll timeout (seconds)', '300')
-  const intervalSecs = await ask('Poll interval (seconds)', '2')
-
-  const config = `# OpenApe Sudo (apes) Configuration
-# Generated by: openape install-sudo
-
-server_url = "${serverUrl}"
-
-# Agent identity is determined by the key passed via --key flag.
-# Each user provides their own key: apes --key ~/.ssh/id_ed25519 -- <command>
-
-[poll]
-interval_secs = ${intervalSecs}
-timeout_secs = ${timeoutSecs}
-`
-
-  ensureDir(CONFIG_DIR, 0o700)
-  writeSecureFile(CONFIG_PATH, config)
-  console.log(`✅ Config written to ${CONFIG_PATH}`)
-
-  closePrompt()
-
-  console.log('\n🎉 apes installed!\n')
-  console.log(`   Binary: ${BIN_PATH} (setuid root)`)
-  console.log(`   Config: ${CONFIG_PATH}`)
-  console.log('\n   Next steps:')
-  console.log('   1. Register this agent on the IdP:')
-  console.log(`      sudo apes enroll --server ${serverUrl} --agent-email <email> --agent-name <name> --key <path>`)
-  console.log('   2. Ask your admin to approve the enrollment')
-  console.log('   3. Use it: apes --key ~/.ssh/id_ed25519 --reason "why" -- <command>\n')
-}

package/src/index.ts

@@ -1,47 +0,0 @@
-#!/usr/bin/env bun
-import { parseArgs } from 'node:util'
-import { installProxy } from './commands/install-proxy.js'
-import { installSudo } from './commands/install-sudo.js'
-
-const command = process.argv[2]
-
-const HELP = `
-OpenApe CLI — install and manage OpenApe components
-
-Usage: openape <command> [options]
-
-Commands:
-  install-proxy    Install and configure the OpenApe HTTP proxy
-  install-sudo     Install and configure apes (privilege elevation)
-  help             Show this help message
-
-Examples:
-  sudo openape install-proxy
-  sudo openape install-sudo
-`
-
-async function main() {
-  switch (command) {
-    case 'install-proxy':
-      await installProxy()
-      break
-    case 'install-sudo':
-      await installSudo()
-      break
-    case 'help':
-    case '--help':
-    case '-h':
-    case undefined:
-      console.log(HELP)
-      process.exit(0)
-    default:
-      console.error(`Unknown command: ${command}`)
-      console.log(HELP)
-      process.exit(1)
-  }
-}
-
-main().catch((err) => {
-  console.error(`\n❌ ${err.message}`)
-  process.exit(1)
-})

package/src/utils.ts

@@ -1,63 +0,0 @@
-import { createInterface } from 'node:readline'
-import { execSync } from 'node:child_process'
-import { existsSync, mkdirSync, writeFileSync, chmodSync, chownSync } from 'node:fs'
-import { platform } from 'node:os'
-
-const rl = createInterface({ input: process.stdin, output: process.stdout })
-
-export function ask(question: string, defaultValue?: string): Promise<string> {
-  const suffix = defaultValue ? ` [${defaultValue}]` : ''
-  return new Promise((resolve) => {
-    rl.question(`${question}${suffix}: `, (answer) => {
-      resolve(answer.trim() || defaultValue || '')
-    })
-  })
-}
-
-export function closePrompt(): void {
-  rl.close()
-}
-
-export function requireRoot(): void {
-  if (process.getuid?.() !== 0) {
-    throw new Error('This command must be run as root (use sudo)')
-  }
-}
-
-export function ensureDir(path: string, mode: number = 0o755): void {
-  if (!existsSync(path)) {
-    mkdirSync(path, { recursive: true })
-  }
-  chmodSync(path, mode)
-}
-
-export function writeSecureFile(path: string, content: string, mode: number = 0o600): void {
-  writeFileSync(path, content, 'utf-8')
-  chmodSync(path, mode)
-  // Ensure root ownership
-  try { chownSync(path, 0, 0) } catch {}
-}
-
-export function run(cmd: string): string {
-  return execSync(cmd, { encoding: 'utf-8' }).trim()
-}
-
-export function isMacOS(): boolean {
-  return platform() === 'darwin'
-}
-
-export function isLinux(): boolean {
-  return platform() === 'linux'
-}
-
-export function serviceExists(name: string): boolean {
-  if (isMacOS()) {
-    return existsSync(`/Library/LaunchDaemons/${name}.plist`)
-  }
-  try {
-    execSync(`systemctl cat ${name}`, { stdio: 'ignore' })
-    return true
-  } catch {
-    return false
-  }
-}