@openape/cli 0.1.2 → 0.1.4

package/README.md

@@ -1,52 +1,61 @@
 # @openape/cli
 
-Install and manage OpenApe components.
+Install and manage OpenApe components — proxy, sudo (`apes`), and more.
 
 ## Usage
 
+### With traditional sudo
+
 ```bash
-# Install the HTTP proxy (grant-controlled outbound traffic)
-sudo npx @openape/cli install-proxy
+sudo npx @openape/cli install-proxy \
+  --idp-url https://id.openape.at \
+  --agent-email bot@example.com
 
-# Install apes (privilege elevation via grants)
-sudo npx @openape/cli install-sudo
+sudo npx @openape/cli install-sudo \
+  --idp-url https://id.openape.at
 ```
 
-## Commands
+### With apes (agent-friendly, grant-approved)
 
-### `install-proxy`
+```bash
+apes -- npx @openape/cli install-proxy \
+  --idp-url https://id.openape.at \
+  --agent-email bot@example.com
+```
 
-Installs the OpenApe HTTP proxy as a system service:
+The CLI itself has no knowledge of `apes` — it just writes files and sets up services. `apes` wraps it for privilege elevation with human-approved grants.
 
-- Creates `/etc/openape-proxy/config.toml` (root-only, `600`)
-- Downloads proxy source to `/opt/openape-proxy`
-- Sets up launchd (macOS) or systemd (Linux) service
-- Starts the proxy
+## Commands
 
-The proxy runs as a system service. Agents send HTTP requests through it.
-The config is **not accessible to agents** — only root can modify it.
+### `install-proxy`
 
-### `install-sudo`
+Installs the [OpenApe HTTP Proxy](https://github.com/openape-ai/proxy).
 
-Builds and installs `apes` (OpenApe Sudo):
+| Flag | Required | Default | Description |
+|------|----------|---------|-------------|
+| `--idp-url` | ✅ | — | Identity Provider URL |
+| `--agent-email` | ✅ | — | Agent email identity |
+| `--listen` | | `127.0.0.1:9090` | Listen address |
+| `--default-action` | | `block` | `block`, `request`, or `request-async` |
+| `--audit-log` | | `/var/log/openape-proxy/audit.log` | Audit log path |
+| `--force` | | | Overwrite existing config |
 
-- Builds from source via Cargo (Rust toolchain required)
-- Installs to `/usr/local/bin/apes` with setuid bit
-- Creates `/etc/apes/config.toml` (root-only, `600`)
+### `install-sudo`
 
-After installation, register the agent on the IdP with `apes enroll`.
+Installs [apes](https://github.com/openape-ai/sudo) (OpenApe privilege elevation). Requires Rust toolchain.
 
-## Security
+| Flag | Required | Default | Description |
+|------|----------|---------|-------------|
+| `--idp-url` | ✅ | — | Identity Provider URL |
+| `--poll-timeout` | | `300` | Grant poll timeout (seconds) |
+| `--poll-interval` | | `2` | Grant poll interval (seconds) |
+| `--force` | | | Overwrite existing binary/config |
 
-Both installers create root-owned config files that agents cannot modify.
-This is by design — the security boundary between agent and config must be
-enforced by the OS file permission system.
+## Requirements
 
-| Path | Owner | Mode | Purpose |
-|------|-------|------|---------|
-| `/etc/openape-proxy/config.toml` | root | `600` | Proxy rules |
-| `/etc/apes/config.toml` | root | `600` | apes config |
-| `/usr/local/bin/apes` | root | `4755` (setuid) | Privilege elevation |
+- **install-proxy**: [Bun](https://bun.sh) runtime
+- **install-sudo**: [Rust](https://rustup.rs) toolchain
+- Root privileges (via `sudo` or `apes`)
 
 ## License
 

package/dist/commands/install-proxy-apes.js

@@ -0,0 +1,162 @@
+import { existsSync } from 'node:fs';
+import { execSync } from 'node:child_process';
+import { writeFileSync } from 'node:fs';
+import { parseArgs } from 'node:util';
+import { ask, closePrompt, isMacOS } from '../utils.js';
+const CONFIG_DIR = '/etc/openape-proxy';
+const CONFIG_PATH = `${CONFIG_DIR}/config.toml`;
+const INSTALL_DIR = '/opt/openape-proxy';
+const LAUNCHD_LABEL = 'ai.openape.proxy';
+const LAUNCHD_PLIST = `/Library/LaunchDaemons/${LAUNCHD_LABEL}.plist`;
+function apes(reason, cmd) {
+    const keyPaths = [
+        `${process.env.HOME}/.ssh/id_ed25519`,
+        `${process.env.HOME}/.ssh/id_ecdsa`,
+        `${process.env.HOME}/.ssh/id_rsa`,
+    ];
+    const keyPath = keyPaths.find(p => existsSync(p));
+    if (!keyPath) {
+        throw new Error('No SSH key found. apes needs --key to authenticate.');
+    }
+    console.log(`\n🔐 Requesting grant: ${reason}`);
+    execSync(`apes --key ${keyPath} --reason "${reason}" -- ${cmd}`, {
+        stdio: 'inherit',
+    });
+}
+export async function installProxyApes() {
+    // Check apes is installed
+    try {
+        execSync('which apes', { stdio: 'ignore' });
+    }
+    catch {
+        throw new Error('apes is not installed. Run: sudo npx @openape/cli install-sudo');
+    }
+    // Parse flags for non-interactive mode
+    const { values: flags } = parseArgs({
+        args: process.argv.slice(3),
+        options: {
+            'idp-url': { type: 'string' },
+            'agent-email': { type: 'string' },
+            'listen': { type: 'string' },
+            'default-action': { type: 'string' },
+            'audit-log': { type: 'string' },
+            'via-apes': { type: 'boolean' },
+        },
+        strict: false,
+    });
+    const interactive = !flags['agent-email'];
+    console.log('\n🐾 OpenApe Proxy Installer (via apes)\n');
+    console.log('Each privileged step requires approval from your admin.\n');
+    let idpUrl, agentEmail, listen, defaultAction, auditLog;
+    if (interactive) {
+        idpUrl = await ask('IdP URL', 'https://id.test.openape.at');
+        agentEmail = await ask('Agent email');
+        listen = await ask('Listen address', '127.0.0.1:9090');
+        defaultAction = await ask('Default action (block/request/request-async)', 'block');
+        auditLog = await ask('Audit log path', '/var/log/openape-proxy/audit.log');
+        closePrompt();
+    }
+    else {
+        idpUrl = flags['idp-url'] || 'https://id.test.openape.at';
+        agentEmail = flags['agent-email'];
+        listen = flags['listen'] || '127.0.0.1:9090';
+        defaultAction = flags['default-action'] || 'block';
+        auditLog = flags['audit-log'] || '/var/log/openape-proxy/audit.log';
+        console.log(`  IdP:     ${idpUrl}`);
+        console.log(`  Agent:   ${agentEmail}`);
+        console.log(`  Listen:  ${listen}`);
+        console.log(`  Default: ${defaultAction}`);
+        console.log(`  Audit:   ${auditLog}`);
+    }
+    // Generate config locally in /tmp
+    const config = `# OpenApe Proxy Configuration
+# Generated by: openape install-proxy --via-apes
+
+[proxy]
+listen = "${listen}"
+idp_url = "${idpUrl}"
+agent_email = "${agentEmail}"
+default_action = "${defaultAction}"
+audit_log = "${auditLog}"
+
+# Add your rules below:
+
+# [[allow]]
+# domain = "api.github.com"
+# methods = ["GET"]
+# note = "GitHub read-only"
+
+# [[deny]]
+# domain = "*.malware.example.com"
+# note = "Blocked"
+
+# [[grant_required]]
+# domain = "api.github.com"
+# methods = ["POST", "PUT", "DELETE"]
+# grant_type = "allow_once"
+# note = "Needs approval"
+`;
+    const tmpConfig = '/tmp/openape-proxy-config.toml';
+    writeFileSync(tmpConfig, config);
+    console.log(`\n📝 Config prepared at ${tmpConfig}`);
+    // Step 1: Create config directory
+    apes('Create OpenApe Proxy config directory', `mkdir -p ${CONFIG_DIR}`);
+    apes('Set permissions on config directory', `chmod 700 ${CONFIG_DIR}`);
+    // Step 2: Copy config
+    apes('Install proxy config', `cp ${tmpConfig} ${CONFIG_PATH}`);
+    apes('Secure proxy config (root-only)', `chmod 600 ${CONFIG_PATH}`);
+    // Step 3: Create audit log directory
+    const auditDir = auditLog.substring(0, auditLog.lastIndexOf('/'));
+    if (auditDir) {
+        apes('Create audit log directory', `mkdir -p ${auditDir}`);
+    }
+    // Step 4: Clone/update proxy source
+    if (existsSync(`${INSTALL_DIR}/package.json`)) {
+        apes('Update proxy source', `git -C ${INSTALL_DIR} pull`);
+    }
+    else {
+        apes('Download proxy source', `git clone https://github.com/openape-ai/proxy.git ${INSTALL_DIR}`);
+    }
+    // Step 5: Install dependencies
+    const bunPath = execSync('which bun', { encoding: 'utf-8' }).trim();
+    apes('Install proxy dependencies', `${bunPath} install --cwd ${INSTALL_DIR}`);
+    // Step 6: Set up system service
+    if (isMacOS()) {
+        const plist = `<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>Label</key>
+    <string>${LAUNCHD_LABEL}</string>
+    <key>ProgramArguments</key>
+    <array>
+        <string>${bunPath}</string>
+        <string>run</string>
+        <string>${INSTALL_DIR}/src/index.ts</string>
+        <string>--config</string>
+        <string>${CONFIG_PATH}</string>
+    </array>
+    <key>RunAtLoad</key>
+    <true/>
+    <key>KeepAlive</key>
+    <true/>
+    <key>StandardOutPath</key>
+    <string>/var/log/openape-proxy/stdout.log</string>
+    <key>StandardErrorPath</key>
+    <string>/var/log/openape-proxy/stderr.log</string>
+    <key>WorkingDirectory</key>
+    <string>${INSTALL_DIR}</string>
+</dict>
+</plist>`;
+        const tmpPlist = '/tmp/openape-proxy-launchd.plist';
+        writeFileSync(tmpPlist, plist);
+        apes('Install launchd service', `cp ${tmpPlist} ${LAUNCHD_PLIST}`);
+        apes('Load proxy service', `launchctl load ${LAUNCHD_PLIST}`);
+    }
+    console.log('\n🎉 OpenApe Proxy installed via apes!\n');
+    console.log(`   Config:    ${CONFIG_PATH}`);
+    console.log(`   Proxy:     ${INSTALL_DIR}`);
+    console.log(`   Audit log: ${auditLog}`);
+    console.log(`   Listening: ${listen}`);
+    console.log('\n   Every step was approved by your admin. 🔐\n');
+}

package/dist/commands/install-proxy.js

@@ -1,42 +1,36 @@
 import { existsSync } from 'node:fs';
 import { execSync } from 'node:child_process';
-import { ask, closePrompt, requireRoot, ensureDir, writeSecureFile, isMacOS, isLinux, run } from '../utils.js';
+import { requireRoot, ensureDir, writeSecureFile, isMacOS, isLinux, run, parseFlags, requireFlag } from '../utils.js';
 const CONFIG_DIR = '/etc/openape-proxy';
 const CONFIG_PATH = `${CONFIG_DIR}/config.toml`;
+const INSTALL_DIR = '/opt/openape-proxy';
 const LAUNCHD_LABEL = 'ai.openape.proxy';
 const LAUNCHD_PLIST = `/Library/LaunchDaemons/${LAUNCHD_LABEL}.plist`;
 const SYSTEMD_UNIT = '/etc/systemd/system/openape-proxy.service';
-export async function installProxy() {
+export async function installProxy(args) {
     requireRoot();
+    const flags = parseFlags(args);
+    const idpUrl = requireFlag(flags, 'idp-url');
+    const agentEmail = requireFlag(flags, 'agent-email');
+    const listen = flags['listen'] || '127.0.0.1:9090';
+    const defaultAction = flags['default-action'] || 'block';
+    const auditLog = flags['audit-log'] || '/var/log/openape-proxy/audit.log';
+    const force = flags['force'] === true;
     console.log('\n🐾 OpenApe Proxy Installer\n');
-    // Check if bun is available
+    // Check bun
     try {
         run('which bun');
     }
     catch {
         throw new Error('Bun is required but not found. Install it: https://bun.sh');
     }
-    // Check if already installed
-    if (existsSync(CONFIG_PATH)) {
-        const overwrite = await ask('Config already exists. Overwrite?', 'n');
-        if (overwrite.toLowerCase() !== 'y') {
-            console.log('Aborted.');
-            closePrompt();
-            return;
-        }
+    // Check existing config
+    if (existsSync(CONFIG_PATH) && !force) {
+        throw new Error(`Config already exists at ${CONFIG_PATH}. Use --force to overwrite.`);
     }
-    // Gather config
-    const idpUrl = await ask('IdP URL', 'https://id.test.openape.at');
-    const agentEmail = await ask('Agent email');
-    const listen = await ask('Listen address', '127.0.0.1:9090');
-    const defaultAction = await ask('Default action (block/request/request-async)', 'block');
-    const auditLog = await ask('Audit log path', '/var/log/openape-proxy/audit.log');
-    console.log('\nConfiguring rules...');
-    console.log('(You can edit the config later at ' + CONFIG_PATH + ')\n');
     // Generate config
     const config = `# OpenApe Proxy Configuration
 # Generated by: openape install-proxy
-# Edit this file to add/remove rules. Restart the service after changes.
 
 [proxy]
 listen = "${listen}"
@@ -45,7 +39,7 @@ agent_email = "${agentEmail}"
 default_action = "${defaultAction}"
 audit_log = "${auditLog}"
 
-# Example rules — customize these for your use case:
+# Rules — customize for your use case:
 
 # [[allow]]
 # domain = "api.github.com"
@@ -60,64 +54,48 @@ audit_log = "${auditLog}"
 # domain = "api.github.com"
 # methods = ["POST", "PUT", "DELETE"]
 # grant_type = "allow_once"
-# note = "GitHub API write operations need approval"
+# note = "GitHub API writes need approval"
 `;
     // Write config
     ensureDir(CONFIG_DIR, 0o700);
     writeSecureFile(CONFIG_PATH, config);
-    console.log(`✅ Config written to ${CONFIG_PATH}`);
-    // Create audit log directory
+    console.log(`✅ Config: ${CONFIG_PATH}`);
+    // Audit log dir
     const auditDir = auditLog.substring(0, auditLog.lastIndexOf('/'));
     if (auditDir) {
         ensureDir(auditDir, 0o755);
-        console.log(`✅ Audit log directory created: ${auditDir}`);
+        console.log(`✅ Audit log dir: ${auditDir}`);
     }
-    // Install proxy source
-    const installDir = '/opt/openape-proxy';
-    ensureDir(installDir, 0o755);
-    // Clone or update proxy source
-    if (existsSync(`${installDir}/package.json`)) {
+    // Clone/update proxy source
+    ensureDir(INSTALL_DIR, 0o755);
+    if (existsSync(`${INSTALL_DIR}/package.json`)) {
         console.log('Updating proxy source...');
-        execSync(`cd ${installDir} && git pull`, { stdio: 'inherit' });
+        execSync(`cd ${INSTALL_DIR} && git pull`, { stdio: 'inherit' });
     }
     else {
         console.log('Downloading proxy source...');
-        execSync(`git clone https://github.com/openape-ai/proxy.git ${installDir}`, { stdio: 'inherit' });
+        execSync(`git clone https://github.com/openape-ai/proxy.git ${INSTALL_DIR}`, { stdio: 'inherit' });
     }
-    // Install dependencies
     console.log('Installing dependencies...');
-    execSync(`cd ${installDir} && bun install`, { stdio: 'inherit' });
-    // Set up system service
+    execSync(`cd ${INSTALL_DIR} && bun install`, { stdio: 'inherit' });
+    // System service
     if (isMacOS()) {
-        await setupLaunchd(installDir);
+        setupLaunchd();
     }
     else if (isLinux()) {
-        await setupSystemd(installDir);
+        setupSystemd();
     }
     else {
-        console.log('\n⚠️  Unsupported platform for service setup. Start manually:');
-        console.log(`   cd ${installDir} && bun run src/index.ts --config ${CONFIG_PATH}`);
+        console.log(`\n⚠️  Manual start: cd ${INSTALL_DIR} && bun run src/index.ts --config ${CONFIG_PATH}`);
     }
-    closePrompt();
     console.log('\n🎉 OpenApe Proxy installed!\n');
-    console.log(`   Config:    ${CONFIG_PATH}`);
-    console.log(`   Proxy:     ${installDir}`);
-    console.log(`   Audit log: ${auditLog}`);
-    console.log(`   Listening: ${listen}`);
-    console.log(`\n   Edit ${CONFIG_PATH} to configure rules.`);
-    console.log(`   The proxy must be restarted after config changes.\n`);
-    // Quick test
-    try {
-        const port = listen.split(':')[1] || '9090';
-        const host = listen.split(':')[0] || '127.0.0.1';
-        const res = execSync(`curl -s http://${host}:${port}/healthz`, { timeout: 3000, encoding: 'utf-8' });
-        console.log(`   Health check: ${res}`);
-    }
-    catch {
-        console.log('   ⚠️  Health check failed — service may still be starting.');
-    }
+    console.log(`   Config:  ${CONFIG_PATH}`);
+    console.log(`   Source:  ${INSTALL_DIR}`);
+    console.log(`   Listen:  ${listen}`);
+    console.log(`   Audit:   ${auditLog}`);
+    console.log(`\n   Edit ${CONFIG_PATH} to configure rules, then restart the service.\n`);
 }
-async function setupLaunchd(installDir) {
+function setupLaunchd() {
     const bunPath = run('which bun');
     const plist = `<?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
@@ -129,7 +107,7 @@ async function setupLaunchd(installDir) {
     <array>
         <string>${bunPath}</string>
         <string>run</string>
-        <string>${installDir}/src/index.ts</string>
+        <string>${INSTALL_DIR}/src/index.ts</string>
         <string>--config</string>
         <string>${CONFIG_PATH}</string>
     </array>
@@ -142,20 +120,18 @@ async function setupLaunchd(installDir) {
     <key>StandardErrorPath</key>
     <string>/var/log/openape-proxy/stderr.log</string>
     <key>WorkingDirectory</key>
-    <string>${installDir}</string>
+    <string>${INSTALL_DIR}</string>
 </dict>
 </plist>`;
     writeSecureFile(LAUNCHD_PLIST, plist, 0o644);
-    console.log(`✅ launchd service created: ${LAUNCHD_LABEL}`);
-    // Stop if already running
     try {
         execSync(`launchctl unload ${LAUNCHD_PLIST}`, { stdio: 'ignore' });
     }
     catch { }
     execSync(`launchctl load ${LAUNCHD_PLIST}`);
-    console.log('✅ Service started');
+    console.log(`✅ launchd service: ${LAUNCHD_LABEL}`);
 }
-async function setupSystemd(installDir) {
+function setupSystemd() {
     const bunPath = run('which bun');
     const unit = `[Unit]
 Description=OpenApe HTTP Proxy
@@ -163,18 +139,13 @@ After=network.target
 
 [Service]
 Type=simple
-ExecStart=${bunPath} run ${installDir}/src/index.ts --config ${CONFIG_PATH}
-WorkingDirectory=${installDir}
+ExecStart=${bunPath} run ${INSTALL_DIR}/src/index.ts --config ${CONFIG_PATH}
+WorkingDirectory=${INSTALL_DIR}
 Restart=on-failure
 RestartSec=5
-StandardOutput=journal
-StandardError=journal
-
-# Security hardening
 NoNewPrivileges=true
 ProtectSystem=strict
 ProtectHome=true
-ReadOnlyPaths=/
 ReadWritePaths=/var/log/openape-proxy
 
 [Install]
@@ -184,5 +155,5 @@ WantedBy=multi-user.target
     execSync('systemctl daemon-reload');
     execSync('systemctl enable openape-proxy');
     execSync('systemctl start openape-proxy');
-    console.log('✅ systemd service created and started: openape-proxy');
+    console.log('✅ systemd service: openape-proxy');
 }

package/dist/commands/install-sudo.js

@@ -1,31 +1,26 @@
 import { existsSync } from 'node:fs';
 import { execSync } from 'node:child_process';
-import { ask, closePrompt, requireRoot, ensureDir, writeSecureFile, run } from '../utils.js';
+import { requireRoot, ensureDir, writeSecureFile, run, parseFlags, requireFlag } from '../utils.js';
 const CONFIG_DIR = '/etc/apes';
 const CONFIG_PATH = `${CONFIG_DIR}/config.toml`;
 const BIN_PATH = '/usr/local/bin/apes';
-export async function installSudo() {
+export async function installSudo(args) {
     requireRoot();
+    const flags = parseFlags(args);
+    const idpUrl = requireFlag(flags, 'idp-url');
+    const pollTimeout = flags['poll-timeout'] || '300';
+    const pollInterval = flags['poll-interval'] || '2';
+    const force = flags['force'] === true;
     console.log('\n🐾 OpenApe Sudo (apes) Installer\n');
-    // Check if already installed
-    if (existsSync(BIN_PATH)) {
-        const overwrite = await ask('apes is already installed. Reinstall?', 'n');
-        if (overwrite.toLowerCase() !== 'y') {
-            console.log('Aborted.');
-            closePrompt();
-            return;
-        }
+    // Check existing binary
+    if (existsSync(BIN_PATH) && !force) {
+        throw new Error(`apes already installed at ${BIN_PATH}. Use --force to reinstall.`);
     }
-    // Check for Rust toolchain
-    let hasCargo = false;
+    // Check Rust toolchain
     try {
         run('cargo --version');
-        hasCargo = true;
     }
-    catch { }
-    if (!hasCargo) {
-        console.log('⚠️  Rust/Cargo not found. Checking for pre-built binary...');
-        // TODO: download pre-built binary from GitHub releases
+    catch {
         throw new Error('Rust toolchain required to build apes. Install it: https://rustup.rs\n' +
             'Pre-built binaries will be available in a future release.');
     }
@@ -46,41 +41,33 @@ export async function installSudo() {
     execSync(`cp ${buildDir}/target/release/apes ${BIN_PATH}`);
     execSync(`chown root:wheel ${BIN_PATH}`);
     execSync(`chmod u+s ${BIN_PATH}`);
-    console.log(`✅ apes installed at ${BIN_PATH} (setuid root)`);
-    // Config setup
-    if (existsSync(CONFIG_PATH)) {
-        const overwriteConfig = await ask('Config already exists. Overwrite?', 'n');
-        if (overwriteConfig.toLowerCase() !== 'y') {
-            closePrompt();
-            console.log('\n🎉 apes binary updated! Existing config preserved.\n');
-            return;
-        }
+    console.log(`✅ Binary: ${BIN_PATH} (setuid root)`);
+    // Config
+    if (existsSync(CONFIG_PATH) && !force) {
+        console.log(`ℹ️  Config preserved: ${CONFIG_PATH}`);
     }
-    const serverUrl = await ask('IdP URL', 'https://id.test.openape.at');
-    const timeoutSecs = await ask('Poll timeout (seconds)', '300');
-    const intervalSecs = await ask('Poll interval (seconds)', '2');
-    const config = `# OpenApe Sudo (apes) Configuration
+    else {
+        const config = `# OpenApe Sudo (apes) Configuration
 # Generated by: openape install-sudo
 
-server_url = "${serverUrl}"
+server_url = "${idpUrl}"
 
 # Agent identity is determined by the key passed via --key flag.
 # Each user provides their own key: apes --key ~/.ssh/id_ed25519 -- <command>
 
 [poll]
-interval_secs = ${intervalSecs}
-timeout_secs = ${timeoutSecs}
+interval_secs = ${pollInterval}
+timeout_secs = ${pollTimeout}
 `;
-    ensureDir(CONFIG_DIR, 0o700);
-    writeSecureFile(CONFIG_PATH, config);
-    console.log(`✅ Config written to ${CONFIG_PATH}`);
-    closePrompt();
+        ensureDir(CONFIG_DIR, 0o700);
+        writeSecureFile(CONFIG_PATH, config);
+        console.log(`✅ Config: ${CONFIG_PATH}`);
+    }
     console.log('\n🎉 apes installed!\n');
     console.log(`   Binary: ${BIN_PATH} (setuid root)`);
     console.log(`   Config: ${CONFIG_PATH}`);
     console.log('\n   Next steps:');
-    console.log('   1. Register this agent on the IdP:');
-    console.log(`      sudo apes enroll --server ${serverUrl} --agent-email <email> --agent-name <name> --key <path>`);
-    console.log('   2. Ask your admin to approve the enrollment');
-    console.log('   3. Use it: apes --key ~/.ssh/id_ed25519 --reason "why" -- <command>\n');
+    console.log(`   1. Enroll: apes enroll --server ${idpUrl} --agent-email <email> --agent-name <name> --key <path>`);
+    console.log('   2. Admin approves enrollment');
+    console.log('   3. Use: apes --key ~/.ssh/id_ed25519 --reason "why" -- <command>\n');
 }

package/dist/index.js

@@ -2,27 +2,46 @@
 import { installProxy } from './commands/install-proxy.js';
 import { installSudo } from './commands/install-sudo.js';
 const command = process.argv[2];
+const args = process.argv.slice(3);
 const HELP = `
 OpenApe CLI — install and manage OpenApe components
 
-Usage: openape <command> [options]
+Usage: openape <command> [flags]
 
 Commands:
-  install-proxy    Install and configure the OpenApe HTTP proxy
-  install-sudo     Install and configure apes (privilege elevation)
-  help             Show this help message
+  install-proxy   Install the OpenApe HTTP proxy
+  install-sudo    Install apes privilege elevation binary
+
+Elevation:
+  sudo openape install-proxy ...       # traditional sudo
+  apes -- npx @openape/cli install-proxy ...  # agent-friendly, grant-approved
+
+install-proxy flags:
+  --idp-url <url>         IdP URL (required)
+  --agent-email <email>   Agent email (required)
+  --listen <addr>         Listen address (default: 127.0.0.1:9090)
+  --default-action <act>  Default action: block|request|request-async (default: block)
+  --audit-log <path>      Audit log path (default: /var/log/openape-proxy/audit.log)
+  --force                 Overwrite existing config
+
+install-sudo flags:
+  --idp-url <url>         IdP URL (required)
+  --poll-timeout <secs>   Poll timeout in seconds (default: 300)
+  --poll-interval <secs>  Poll interval in seconds (default: 2)
+  --force                 Overwrite existing config/binary
 
 Examples:
-  sudo openape install-proxy
-  sudo openape install-sudo
+  sudo openape install-proxy --idp-url https://id.openape.at --agent-email bot@example.com
+  apes -- npx @openape/cli install-proxy --idp-url https://id.openape.at --agent-email bot@example.com
+  sudo openape install-sudo --idp-url https://id.openape.at
 `;
 async function main() {
     switch (command) {
         case 'install-proxy':
-            await installProxy();
+            await installProxy(args);
             break;
         case 'install-sudo':
-            await installSudo();
+            await installSudo(args);
             break;
         case 'help':
         case '--help':

package/dist/utils.js

@@ -1,22 +1,9 @@
-import { createInterface } from 'node:readline';
 import { execSync } from 'node:child_process';
 import { existsSync, mkdirSync, writeFileSync, chmodSync, chownSync } from 'node:fs';
 import { platform } from 'node:os';
-const rl = createInterface({ input: process.stdin, output: process.stdout });
-export function ask(question, defaultValue) {
-    const suffix = defaultValue ? ` [${defaultValue}]` : '';
-    return new Promise((resolve) => {
-        rl.question(`${question}${suffix}: `, (answer) => {
-            resolve(answer.trim() || defaultValue || '');
-        });
-    });
-}
-export function closePrompt() {
-    rl.close();
-}
 export function requireRoot() {
     if (process.getuid?.() !== 0) {
-        throw new Error('This command must be run as root (use sudo)');
+        throw new Error('This command must be run as root. Use: sudo npx @openape/cli ... or: apes -- npx @openape/cli ...');
     }
 }
 export function ensureDir(path, mode = 0o755) {
@@ -28,7 +15,6 @@ export function ensureDir(path, mode = 0o755) {
 export function writeSecureFile(path, content, mode = 0o600) {
     writeFileSync(path, content, 'utf-8');
     chmodSync(path, mode);
-    // Ensure root ownership
     try {
         chownSync(path, 0, 0);
     }
@@ -43,15 +29,28 @@ export function isMacOS() {
 export function isLinux() {
     return platform() === 'linux';
 }
-export function serviceExists(name) {
-    if (isMacOS()) {
-        return existsSync(`/Library/LaunchDaemons/${name}.plist`);
-    }
-    try {
-        execSync(`systemctl cat ${name}`, { stdio: 'ignore' });
-        return true;
+export function parseFlags(args) {
+    const flags = {};
+    for (let i = 0; i < args.length; i++) {
+        const arg = args[i];
+        if (arg.startsWith('--')) {
+            const key = arg.slice(2);
+            const next = args[i + 1];
+            if (next && !next.startsWith('--')) {
+                flags[key] = next;
+                i++;
+            }
+            else {
+                flags[key] = true;
+            }
+        }
     }
-    catch {
-        return false;
+    return flags;
+}
+export function requireFlag(flags, name) {
+    const val = flags[name];
+    if (!val || val === true) {
+        throw new Error(`Missing required flag: --${name}`);
     }
+    return val;
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openape/cli",
-  "version": "0.1.2",
+  "version": "0.1.4",
   "description": "OpenApe CLI — install and manage OpenApe components (proxy, sudo, auth)",
   "type": "module",
   "bin": {