@openape/cli 0.1.3 → 0.2.0

package/README.md

@@ -1,52 +1,61 @@
 # @openape/cli
 
-Install and manage OpenApe components.
+Install and manage OpenApe components — proxy, sudo (`apes`), and more.
 
 ## Usage
 
+### With traditional sudo
+
 ```bash
-# Install the HTTP proxy (grant-controlled outbound traffic)
-sudo npx @openape/cli install-proxy
+sudo npx @openape/cli install-proxy \
+  --idp-url https://id.openape.at \
+  --agent-email bot@example.com
 
-# Install apes (privilege elevation via grants)
-sudo npx @openape/cli install-sudo
+sudo npx @openape/cli install-sudo \
+  --idp-url https://id.openape.at
 ```
 
-## Commands
+### With apes (agent-friendly, grant-approved)
 
-### `install-proxy`
+```bash
+apes -- npx @openape/cli install-proxy \
+  --idp-url https://id.openape.at \
+  --agent-email bot@example.com
+```
 
-Installs the OpenApe HTTP proxy as a system service:
+The CLI itself has no knowledge of `apes` — it just writes files and sets up services. `apes` wraps it for privilege elevation with human-approved grants.
 
-- Creates `/etc/openape-proxy/config.toml` (root-only, `600`)
-- Downloads proxy source to `/opt/openape-proxy`
-- Sets up launchd (macOS) or systemd (Linux) service
-- Starts the proxy
+## Commands
 
-The proxy runs as a system service. Agents send HTTP requests through it.
-The config is **not accessible to agents** — only root can modify it.
+### `install-proxy`
 
-### `install-sudo`
+Installs the [OpenApe HTTP Proxy](https://github.com/openape-ai/proxy).
 
-Builds and installs `apes` (OpenApe Sudo):
+| Flag | Required | Default | Description |
+|------|----------|---------|-------------|
+| `--idp-url` | ✅ | — | Identity Provider URL |
+| `--agent-email` | ✅ | — | Agent email identity |
+| `--listen` | | `127.0.0.1:9090` | Listen address |
+| `--default-action` | | `block` | `block`, `request`, or `request-async` |
+| `--audit-log` | | `/var/log/openape-proxy/audit.log` | Audit log path |
+| `--force` | | | Overwrite existing config |
 
-- Builds from source via Cargo (Rust toolchain required)
-- Installs to `/usr/local/bin/apes` with setuid bit
-- Creates `/etc/apes/config.toml` (root-only, `600`)
+### `install-sudo`
 
-After installation, register the agent on the IdP with `apes enroll`.
+Installs [apes](https://github.com/openape-ai/sudo) (OpenApe privilege elevation). Requires Rust toolchain.
 
-## Security
+| Flag | Required | Default | Description |
+|------|----------|---------|-------------|
+| `--idp-url` | ✅ | — | Identity Provider URL |
+| `--poll-timeout` | | `300` | Grant poll timeout (seconds) |
+| `--poll-interval` | | `2` | Grant poll interval (seconds) |
+| `--force` | | | Overwrite existing binary/config |
 
-Both installers create root-owned config files that agents cannot modify.
-This is by design — the security boundary between agent and config must be
-enforced by the OS file permission system.
+## Requirements
 
-| Path | Owner | Mode | Purpose |
-|------|-------|------|---------|
-| `/etc/openape-proxy/config.toml` | root | `600` | Proxy rules |
-| `/etc/apes/config.toml` | root | `600` | apes config |
-| `/usr/local/bin/apes` | root | `4755` (setuid) | Privilege elevation |
+- **install-proxy**: [Bun](https://bun.sh) runtime
+- **install-sudo**: [Rust](https://rustup.rs) toolchain
+- Root privileges (via `sudo` or `apes`)
 
 ## License
 

package/dist/commands/install-proxy.js

@@ -1,42 +1,36 @@
 import { existsSync } from 'node:fs';
 import { execSync } from 'node:child_process';
-import { ask, closePrompt, requireRoot, ensureDir, writeSecureFile, isMacOS, isLinux, run } from '../utils.js';
+import { requireRoot, ensureDir, writeSecureFile, isMacOS, isLinux, run, parseFlags, requireFlag } from '../utils.js';
 const CONFIG_DIR = '/etc/openape-proxy';
 const CONFIG_PATH = `${CONFIG_DIR}/config.toml`;
+const INSTALL_DIR = '/opt/openape-proxy';
 const LAUNCHD_LABEL = 'ai.openape.proxy';
 const LAUNCHD_PLIST = `/Library/LaunchDaemons/${LAUNCHD_LABEL}.plist`;
 const SYSTEMD_UNIT = '/etc/systemd/system/openape-proxy.service';
-export async function installProxy() {
+export async function installProxy(args) {
     requireRoot();
+    const flags = parseFlags(args);
+    const idpUrl = requireFlag(flags, 'idp-url');
+    const agentEmail = requireFlag(flags, 'agent-email');
+    const listen = flags['listen'] || '127.0.0.1:9090';
+    const defaultAction = flags['default-action'] || 'block';
+    const auditLog = flags['audit-log'] || '/var/log/openape-proxy/audit.log';
+    const force = flags['force'] === true;
     console.log('\n🐾 OpenApe Proxy Installer\n');
-    // Check if bun is available
+    // Check bun
     try {
         run('which bun');
     }
     catch {
         throw new Error('Bun is required but not found. Install it: https://bun.sh');
     }
-    // Check if already installed
-    if (existsSync(CONFIG_PATH)) {
-        const overwrite = await ask('Config already exists. Overwrite?', 'n');
-        if (overwrite.toLowerCase() !== 'y') {
-            console.log('Aborted.');
-            closePrompt();
-            return;
-        }
+    // Check existing config
+    if (existsSync(CONFIG_PATH) && !force) {
+        throw new Error(`Config already exists at ${CONFIG_PATH}. Use --force to overwrite.`);
     }
-    // Gather config
-    const idpUrl = await ask('IdP URL', 'https://id.test.openape.at');
-    const agentEmail = await ask('Agent email');
-    const listen = await ask('Listen address', '127.0.0.1:9090');
-    const defaultAction = await ask('Default action (block/request/request-async)', 'block');
-    const auditLog = await ask('Audit log path', '/var/log/openape-proxy/audit.log');
-    console.log('\nConfiguring rules...');
-    console.log('(You can edit the config later at ' + CONFIG_PATH + ')\n');
     // Generate config
     const config = `# OpenApe Proxy Configuration
 # Generated by: openape install-proxy
-# Edit this file to add/remove rules. Restart the service after changes.
 
 [proxy]
 listen = "${listen}"
@@ -45,7 +39,7 @@ agent_email = "${agentEmail}"
 default_action = "${defaultAction}"
 audit_log = "${auditLog}"
 
-# Example rules — customize these for your use case:
+# Rules — customize for your use case:
 
 # [[allow]]
 # domain = "api.github.com"
@@ -60,64 +54,44 @@ audit_log = "${auditLog}"
 # domain = "api.github.com"
 # methods = ["POST", "PUT", "DELETE"]
 # grant_type = "allow_once"
-# note = "GitHub API write operations need approval"
+# note = "GitHub API writes need approval"
 `;
     // Write config
     ensureDir(CONFIG_DIR, 0o700);
     writeSecureFile(CONFIG_PATH, config);
-    console.log(`✅ Config written to ${CONFIG_PATH}`);
-    // Create audit log directory
+    console.log(`✅ Config: ${CONFIG_PATH}`);
+    // Audit log dir
     const auditDir = auditLog.substring(0, auditLog.lastIndexOf('/'));
     if (auditDir) {
         ensureDir(auditDir, 0o755);
-        console.log(`✅ Audit log directory created: ${auditDir}`);
+        console.log(`✅ Audit log dir: ${auditDir}`);
     }
-    // Install proxy source
-    const installDir = '/opt/openape-proxy';
-    ensureDir(installDir, 0o755);
-    // Clone or update proxy source
-    if (existsSync(`${installDir}/package.json`)) {
-        console.log('Updating proxy source...');
-        execSync(`cd ${installDir} && git pull`, { stdio: 'inherit' });
+    // Install proxy via npm/bun (no git needed)
+    ensureDir(INSTALL_DIR, 0o755);
+    console.log('Installing @openape/proxy via bun...');
+    if (!existsSync(`${INSTALL_DIR}/package.json`)) {
+        execSync(`cd ${INSTALL_DIR} && bun init -y`, { stdio: 'pipe' });
     }
-    else {
-        console.log('Downloading proxy source...');
-        execSync(`git clone https://github.com/openape-ai/proxy.git ${installDir}`, { stdio: 'inherit' });
-    }
-    // Install dependencies
-    console.log('Installing dependencies...');
-    execSync(`cd ${installDir} && bun install`, { stdio: 'inherit' });
-    // Set up system service
+    execSync(`cd ${INSTALL_DIR} && bun add @openape/proxy`, { stdio: 'inherit' });
+    console.log(`✅ Proxy installed: ${INSTALL_DIR}`);
+    // System service
     if (isMacOS()) {
-        await setupLaunchd(installDir);
+        setupLaunchd();
     }
     else if (isLinux()) {
-        await setupSystemd(installDir);
+        setupSystemd();
     }
     else {
-        console.log('\n⚠️  Unsupported platform for service setup. Start manually:');
-        console.log(`   cd ${installDir} && bun run src/index.ts --config ${CONFIG_PATH}`);
+        console.log(`\n⚠️  Manual start: cd ${INSTALL_DIR} && bunx openape-proxy --config ${CONFIG_PATH}`);
     }
-    closePrompt();
     console.log('\n🎉 OpenApe Proxy installed!\n');
-    console.log(`   Config:    ${CONFIG_PATH}`);
-    console.log(`   Proxy:     ${installDir}`);
-    console.log(`   Audit log: ${auditLog}`);
-    console.log(`   Listening: ${listen}`);
-    console.log(`\n   Edit ${CONFIG_PATH} to configure rules.`);
-    console.log(`   The proxy must be restarted after config changes.\n`);
-    // Quick test
-    try {
-        const port = listen.split(':')[1] || '9090';
-        const host = listen.split(':')[0] || '127.0.0.1';
-        const res = execSync(`curl -s http://${host}:${port}/healthz`, { timeout: 3000, encoding: 'utf-8' });
-        console.log(`   Health check: ${res}`);
-    }
-    catch {
-        console.log('   ⚠️  Health check failed — service may still be starting.');
-    }
+    console.log(`   Config:  ${CONFIG_PATH}`);
+    console.log(`   Source:  ${INSTALL_DIR}`);
+    console.log(`   Listen:  ${listen}`);
+    console.log(`   Audit:   ${auditLog}`);
+    console.log(`\n   Edit ${CONFIG_PATH} to configure rules, then restart the service.\n`);
 }
-async function setupLaunchd(installDir) {
+function setupLaunchd() {
     const bunPath = run('which bun');
     const plist = `<?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
@@ -129,7 +103,7 @@ async function setupLaunchd(installDir) {
     <array>
         <string>${bunPath}</string>
         <string>run</string>
-        <string>${installDir}/src/index.ts</string>
+        <string>${INSTALL_DIR}/node_modules/@openape/proxy/src/index.ts</string>
         <string>--config</string>
         <string>${CONFIG_PATH}</string>
     </array>
@@ -142,20 +116,18 @@ async function setupLaunchd(installDir) {
     <key>StandardErrorPath</key>
     <string>/var/log/openape-proxy/stderr.log</string>
     <key>WorkingDirectory</key>
-    <string>${installDir}</string>
+    <string>${INSTALL_DIR}</string>
 </dict>
 </plist>`;
     writeSecureFile(LAUNCHD_PLIST, plist, 0o644);
-    console.log(`✅ launchd service created: ${LAUNCHD_LABEL}`);
-    // Stop if already running
     try {
         execSync(`launchctl unload ${LAUNCHD_PLIST}`, { stdio: 'ignore' });
     }
     catch { }
     execSync(`launchctl load ${LAUNCHD_PLIST}`);
-    console.log('✅ Service started');
+    console.log(`✅ launchd service: ${LAUNCHD_LABEL}`);
 }
-async function setupSystemd(installDir) {
+function setupSystemd() {
     const bunPath = run('which bun');
     const unit = `[Unit]
 Description=OpenApe HTTP Proxy
@@ -163,18 +135,13 @@ After=network.target
 
 [Service]
 Type=simple
-ExecStart=${bunPath} run ${installDir}/src/index.ts --config ${CONFIG_PATH}
-WorkingDirectory=${installDir}
+ExecStart=${bunPath} run ${INSTALL_DIR}/node_modules/@openape/proxy/src/index.ts --config ${CONFIG_PATH}
+WorkingDirectory=${INSTALL_DIR}
 Restart=on-failure
 RestartSec=5
-StandardOutput=journal
-StandardError=journal
-
-# Security hardening
 NoNewPrivileges=true
 ProtectSystem=strict
 ProtectHome=true
-ReadOnlyPaths=/
 ReadWritePaths=/var/log/openape-proxy
 
 [Install]
@@ -184,5 +151,5 @@ WantedBy=multi-user.target
     execSync('systemctl daemon-reload');
     execSync('systemctl enable openape-proxy');
     execSync('systemctl start openape-proxy');
-    console.log('✅ systemd service created and started: openape-proxy');
+    console.log('✅ systemd service: openape-proxy');
 }

package/dist/commands/install-sudo.js

@@ -1,44 +1,123 @@
 import { existsSync } from 'node:fs';
 import { execSync } from 'node:child_process';
-import { ask, closePrompt, requireRoot, ensureDir, writeSecureFile, run } from '../utils.js';
+import { arch, platform } from 'node:os';
+import { requireRoot, ensureDir, writeSecureFile, run, parseFlags, requireFlag } from '../utils.js';
 const CONFIG_DIR = '/etc/apes';
 const CONFIG_PATH = `${CONFIG_DIR}/config.toml`;
 const BIN_PATH = '/usr/local/bin/apes';
-export async function installSudo() {
+const REPO = 'openape-ai/sudo';
+export async function installSudo(args) {
     requireRoot();
+    const flags = parseFlags(args);
+    const idpUrl = requireFlag(flags, 'idp-url');
+    const pollTimeout = flags['poll-timeout'] || '300';
+    const pollInterval = flags['poll-interval'] || '2';
+    const force = flags['force'] === true;
     console.log('\n🐾 OpenApe Sudo (apes) Installer\n');
-    // Check if already installed
-    if (existsSync(BIN_PATH)) {
-        const overwrite = await ask('apes is already installed. Reinstall?', 'n');
-        if (overwrite.toLowerCase() !== 'y') {
-            console.log('Aborted.');
-            closePrompt();
-            return;
+    // Check existing binary
+    if (existsSync(BIN_PATH) && !force) {
+        throw new Error(`apes already installed at ${BIN_PATH}. Use --force to reinstall.`);
+    }
+    // Try GitHub Release first, fall back to source build
+    const installed = await tryGitHubRelease();
+    if (!installed) {
+        console.log('No pre-built binary available. Building from source...');
+        buildFromSource();
+    }
+    // Config
+    if (existsSync(CONFIG_PATH) && !force) {
+        console.log(`ℹ️  Config preserved: ${CONFIG_PATH}`);
+    }
+    else {
+        const config = `# OpenApe Sudo (apes) Configuration
+# Generated by: openape install-sudo
+
+server_url = "${idpUrl}"
+
+# Agent identity is determined by the key passed via --key flag.
+# Each user provides their own key: apes --key ~/.ssh/id_ed25519 -- <command>
+
+[poll]
+interval_secs = ${pollInterval}
+timeout_secs = ${pollTimeout}
+`;
+        ensureDir(CONFIG_DIR, 0o700);
+        writeSecureFile(CONFIG_PATH, config);
+        console.log(`✅ Config: ${CONFIG_PATH}`);
+    }
+    console.log('\n🎉 apes installed!\n');
+    console.log(`   Binary: ${BIN_PATH} (setuid root)`);
+    console.log(`   Config: ${CONFIG_PATH}`);
+    console.log('\n   Next steps:');
+    console.log(`   1. Enroll: apes enroll --server ${idpUrl} --agent-email <email> --agent-name <name> --key <path>`);
+    console.log('   2. Admin approves enrollment');
+    console.log('   3. Use: apes --key ~/.ssh/id_ed25519 --reason "why" -- <command>\n');
+}
+function getAssetName() {
+    const os = platform();
+    const cpu = arch();
+    const osMap = { darwin: 'apple-darwin', linux: 'unknown-linux-gnu' };
+    const archMap = { arm64: 'aarch64', x64: 'x86_64' };
+    const osStr = osMap[os];
+    const archStr = archMap[cpu];
+    if (!osStr || !archStr) {
+        throw new Error(`Unsupported platform: ${os}-${cpu}`);
+    }
+    return `apes-${archStr}-${osStr}`;
+}
+async function tryGitHubRelease() {
+    try {
+        // Check if gh CLI is available
+        run('which gh');
+    }
+    catch {
+        console.log('GitHub CLI (gh) not found — skipping release download.');
+        return false;
+    }
+    try {
+        const assetName = getAssetName();
+        console.log(`Looking for pre-built binary: ${assetName}...`);
+        // Download latest release asset
+        const tmpBin = '/tmp/apes-download';
+        execSync(`gh release download --repo ${REPO} --pattern "${assetName}" --output ${tmpBin} --clobber`, {
+            stdio: 'pipe',
+            timeout: 30000,
+        });
+        if (!existsSync(tmpBin)) {
+            return false;
         }
+        // Install
+        execSync(`cp ${tmpBin} ${BIN_PATH}`);
+        execSync(`chown root:wheel ${BIN_PATH}`);
+        execSync(`chmod u+s ${BIN_PATH}`);
+        execSync(`rm -f ${tmpBin}`);
+        console.log(`✅ Binary (pre-built): ${BIN_PATH} (setuid root)`);
+        return true;
+    }
+    catch {
+        console.log('No pre-built binary found for this platform.');
+        return false;
     }
-    // Check for Rust toolchain
-    let hasCargo = false;
+}
+function buildFromSource() {
+    // Check Rust toolchain
     try {
         run('cargo --version');
-        hasCargo = true;
     }
-    catch { }
-    if (!hasCargo) {
-        console.log('⚠️  Rust/Cargo not found. Checking for pre-built binary...');
-        // TODO: download pre-built binary from GitHub releases
+    catch {
         throw new Error('Rust toolchain required to build apes. Install it: https://rustup.rs\n' +
-            'Pre-built binaries will be available in a future release.');
+            'Or create a GitHub Release with pre-built binaries.');
     }
-    // Build from source
     const buildDir = '/tmp/openape-sudo-build';
     if (existsSync(`${buildDir}/.git`)) {
         console.log('Updating source...');
+        execSync(`git config --global --add safe.directory ${buildDir}`, { stdio: 'ignore' });
         execSync(`cd ${buildDir} && git pull`, { stdio: 'inherit' });
     }
     else {
         console.log('Downloading source...');
         execSync(`rm -rf ${buildDir}`, { stdio: 'ignore' });
-        execSync(`git clone https://github.com/openape-ai/sudo.git ${buildDir}`, { stdio: 'inherit' });
+        execSync(`git clone https://github.com/${REPO}.git ${buildDir}`, { stdio: 'inherit' });
     }
     console.log('Building apes (release mode)...');
     execSync(`cd ${buildDir} && cargo build --release`, { stdio: 'inherit' });
@@ -46,41 +125,5 @@ export async function installSudo() {
     execSync(`cp ${buildDir}/target/release/apes ${BIN_PATH}`);
     execSync(`chown root:wheel ${BIN_PATH}`);
     execSync(`chmod u+s ${BIN_PATH}`);
-    console.log(`✅ apes installed at ${BIN_PATH} (setuid root)`);
-    // Config setup
-    if (existsSync(CONFIG_PATH)) {
-        const overwriteConfig = await ask('Config already exists. Overwrite?', 'n');
-        if (overwriteConfig.toLowerCase() !== 'y') {
-            closePrompt();
-            console.log('\n🎉 apes binary updated! Existing config preserved.\n');
-            return;
-        }
-    }
-    const serverUrl = await ask('IdP URL', 'https://id.test.openape.at');
-    const timeoutSecs = await ask('Poll timeout (seconds)', '300');
-    const intervalSecs = await ask('Poll interval (seconds)', '2');
-    const config = `# OpenApe Sudo (apes) Configuration
-# Generated by: openape install-sudo
-
-server_url = "${serverUrl}"
-
-# Agent identity is determined by the key passed via --key flag.
-# Each user provides their own key: apes --key ~/.ssh/id_ed25519 -- <command>
-
-[poll]
-interval_secs = ${intervalSecs}
-timeout_secs = ${timeoutSecs}
-`;
-    ensureDir(CONFIG_DIR, 0o700);
-    writeSecureFile(CONFIG_PATH, config);
-    console.log(`✅ Config written to ${CONFIG_PATH}`);
-    closePrompt();
-    console.log('\n🎉 apes installed!\n');
-    console.log(`   Binary: ${BIN_PATH} (setuid root)`);
-    console.log(`   Config: ${CONFIG_PATH}`);
-    console.log('\n   Next steps:');
-    console.log('   1. Register this agent on the IdP:');
-    console.log(`      sudo apes enroll --server ${serverUrl} --agent-email <email> --agent-name <name> --key <path>`);
-    console.log('   2. Ask your admin to approve the enrollment');
-    console.log('   3. Use it: apes --key ~/.ssh/id_ed25519 --reason "why" -- <command>\n');
+    console.log(`✅ Binary (built): ${BIN_PATH} (setuid root)`);
 }

package/dist/index.js

@@ -1,36 +1,47 @@
 #!/usr/bin/env node
 import { installProxy } from './commands/install-proxy.js';
-import { installProxyApes } from './commands/install-proxy-apes.js';
 import { installSudo } from './commands/install-sudo.js';
 const command = process.argv[2];
+const args = process.argv.slice(3);
 const HELP = `
 OpenApe CLI — install and manage OpenApe components
 
-Usage: openape <command> [options]
+Usage: openape <command> [flags]
 
 Commands:
-  install-proxy              Install the OpenApe HTTP proxy (requires sudo)
-  install-proxy --via-apes   Install the proxy using apes for elevation (no sudo needed!)
-  install-sudo               Install apes privilege elevation (requires sudo)
-  help                       Show this help message
+  install-proxy   Install the OpenApe HTTP proxy
+  install-sudo    Install apes privilege elevation binary
+
+Elevation:
+  sudo openape install-proxy ...       # traditional sudo
+  apes -- npx @openape/cli install-proxy ...  # agent-friendly, grant-approved
+
+install-proxy flags:
+  --idp-url <url>         IdP URL (required)
+  --agent-email <email>   Agent email (required)
+  --listen <addr>         Listen address (default: 127.0.0.1:9090)
+  --default-action <act>  Default action: block|request|request-async (default: block)
+  --audit-log <path>      Audit log path (default: /var/log/openape-proxy/audit.log)
+  --force                 Overwrite existing config
+
+install-sudo flags:
+  --idp-url <url>         IdP URL (required)
+  --poll-timeout <secs>   Poll timeout in seconds (default: 300)
+  --poll-interval <secs>  Poll interval in seconds (default: 2)
+  --force                 Overwrite existing config/binary
 
 Examples:
-  sudo openape install-proxy          # traditional sudo
-  openape install-proxy --via-apes    # agent-friendly, each step approved
-  sudo openape install-sudo
+  sudo openape install-proxy --idp-url https://id.openape.at --agent-email bot@example.com
+  apes -- npx @openape/cli install-proxy --idp-url https://id.openape.at --agent-email bot@example.com
+  sudo openape install-sudo --idp-url https://id.openape.at
 `;
 async function main() {
     switch (command) {
         case 'install-proxy':
-            if (process.argv.includes('--via-apes')) {
-                await installProxyApes();
-            }
-            else {
-                await installProxy();
-            }
+            await installProxy(args);
             break;
         case 'install-sudo':
-            await installSudo();
+            await installSudo(args);
             break;
         case 'help':
         case '--help':

package/dist/utils.js

@@ -1,22 +1,9 @@
-import { createInterface } from 'node:readline';
 import { execSync } from 'node:child_process';
 import { existsSync, mkdirSync, writeFileSync, chmodSync, chownSync } from 'node:fs';
 import { platform } from 'node:os';
-const rl = createInterface({ input: process.stdin, output: process.stdout });
-export function ask(question, defaultValue) {
-    const suffix = defaultValue ? ` [${defaultValue}]` : '';
-    return new Promise((resolve) => {
-        rl.question(`${question}${suffix}: `, (answer) => {
-            resolve(answer.trim() || defaultValue || '');
-        });
-    });
-}
-export function closePrompt() {
-    rl.close();
-}
 export function requireRoot() {
     if (process.getuid?.() !== 0) {
-        throw new Error('This command must be run as root (use sudo)');
+        throw new Error('This command must be run as root. Use: sudo npx @openape/cli ... or: apes -- npx @openape/cli ...');
     }
 }
 export function ensureDir(path, mode = 0o755) {
@@ -28,7 +15,6 @@ export function ensureDir(path, mode = 0o755) {
 export function writeSecureFile(path, content, mode = 0o600) {
     writeFileSync(path, content, 'utf-8');
     chmodSync(path, mode);
-    // Ensure root ownership
     try {
         chownSync(path, 0, 0);
     }
@@ -43,15 +29,28 @@ export function isMacOS() {
 export function isLinux() {
     return platform() === 'linux';
 }
-export function serviceExists(name) {
-    if (isMacOS()) {
-        return existsSync(`/Library/LaunchDaemons/${name}.plist`);
-    }
-    try {
-        execSync(`systemctl cat ${name}`, { stdio: 'ignore' });
-        return true;
+export function parseFlags(args) {
+    const flags = {};
+    for (let i = 0; i < args.length; i++) {
+        const arg = args[i];
+        if (arg.startsWith('--')) {
+            const key = arg.slice(2);
+            const next = args[i + 1];
+            if (next && !next.startsWith('--')) {
+                flags[key] = next;
+                i++;
+            }
+            else {
+                flags[key] = true;
+            }
+        }
     }
-    catch {
-        return false;
+    return flags;
+}
+export function requireFlag(flags, name) {
+    const val = flags[name];
+    if (!val || val === true) {
+        throw new Error(`Missing required flag: --${name}`);
     }
+    return val;
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openape/cli",
-  "version": "0.1.3",
+  "version": "0.2.0",
   "description": "OpenApe CLI — install and manage OpenApe components (proxy, sudo, auth)",
   "type": "module",
   "bin": {

package/dist/commands/install-proxy-apes.js

@@ -1,135 +0,0 @@
-import { existsSync } from 'node:fs';
-import { execSync } from 'node:child_process';
-import { writeFileSync } from 'node:fs';
-import { ask, closePrompt, isMacOS } from '../utils.js';
-const CONFIG_DIR = '/etc/openape-proxy';
-const CONFIG_PATH = `${CONFIG_DIR}/config.toml`;
-const INSTALL_DIR = '/opt/openape-proxy';
-const LAUNCHD_LABEL = 'ai.openape.proxy';
-const LAUNCHD_PLIST = `/Library/LaunchDaemons/${LAUNCHD_LABEL}.plist`;
-function apes(reason, cmd) {
-    // Find apes key — prefer user's SSH key
-    const keyPaths = [
-        `${process.env.HOME}/.ssh/id_ed25519`,
-        `${process.env.HOME}/.ssh/id_ecdsa`,
-        `${process.env.HOME}/.ssh/id_rsa`,
-    ];
-    const keyPath = keyPaths.find(p => existsSync(p));
-    if (!keyPath) {
-        throw new Error('No SSH key found. apes needs --key to authenticate.');
-    }
-    console.log(`\n🔐 Requesting grant: ${reason}`);
-    execSync(`apes --key ${keyPath} --reason "${reason}" -- ${cmd}`, {
-        stdio: 'inherit',
-    });
-}
-export async function installProxyApes() {
-    // Check apes is installed
-    try {
-        execSync('which apes', { stdio: 'ignore' });
-    }
-    catch {
-        throw new Error('apes is not installed. Run: sudo npx @openape/cli install-sudo');
-    }
-    console.log('\n🐾 OpenApe Proxy Installer (via apes)\n');
-    console.log('This installer uses apes for privilege elevation.');
-    console.log('Each privileged step requires approval from your admin.\n');
-    // Gather config interactively (no root needed)
-    const idpUrl = await ask('IdP URL', 'https://id.test.openape.at');
-    const agentEmail = await ask('Agent email');
-    const listen = await ask('Listen address', '127.0.0.1:9090');
-    const defaultAction = await ask('Default action (block/request/request-async)', 'block');
-    const auditLog = await ask('Audit log path', '/var/log/openape-proxy/audit.log');
-    closePrompt();
-    // Generate config locally in /tmp
-    const config = `# OpenApe Proxy Configuration
-# Generated by: openape install-proxy --via-apes
-
-[proxy]
-listen = "${listen}"
-idp_url = "${idpUrl}"
-agent_email = "${agentEmail}"
-default_action = "${defaultAction}"
-audit_log = "${auditLog}"
-
-# Add your rules below:
-
-# [[allow]]
-# domain = "api.github.com"
-# methods = ["GET"]
-# note = "GitHub read-only"
-
-# [[deny]]
-# domain = "*.malware.example.com"
-# note = "Blocked"
-
-# [[grant_required]]
-# domain = "api.github.com"
-# methods = ["POST", "PUT", "DELETE"]
-# grant_type = "allow_once"
-# note = "Needs approval"
-`;
-    const tmpConfig = '/tmp/openape-proxy-config.toml';
-    writeFileSync(tmpConfig, config);
-    console.log(`\n📝 Config prepared at ${tmpConfig}`);
-    // Step 1: Create config directory
-    apes('Create OpenApe Proxy config directory', `mkdir -p ${CONFIG_DIR}`);
-    apes('Set permissions on config directory', `chmod 700 ${CONFIG_DIR}`);
-    // Step 2: Copy config
-    apes('Install proxy config', `cp ${tmpConfig} ${CONFIG_PATH}`);
-    apes('Secure proxy config (root-only)', `chmod 600 ${CONFIG_PATH}`);
-    // Step 3: Create audit log directory
-    const auditDir = auditLog.substring(0, auditLog.lastIndexOf('/'));
-    if (auditDir) {
-        apes('Create audit log directory', `mkdir -p ${auditDir}`);
-    }
-    // Step 4: Clone/update proxy source
-    if (existsSync(`${INSTALL_DIR}/package.json`)) {
-        apes('Update proxy source', `git -C ${INSTALL_DIR} pull`);
-    }
-    else {
-        apes('Download proxy source', `git clone https://github.com/openape-ai/proxy.git ${INSTALL_DIR}`);
-    }
-    // Step 5: Install dependencies
-    const bunPath = execSync('which bun', { encoding: 'utf-8' }).trim();
-    apes('Install proxy dependencies', `${bunPath} install --cwd ${INSTALL_DIR}`);
-    // Step 6: Set up system service
-    if (isMacOS()) {
-        const plist = `<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
-    <key>Label</key>
-    <string>${LAUNCHD_LABEL}</string>
-    <key>ProgramArguments</key>
-    <array>
-        <string>${bunPath}</string>
-        <string>run</string>
-        <string>${INSTALL_DIR}/src/index.ts</string>
-        <string>--config</string>
-        <string>${CONFIG_PATH}</string>
-    </array>
-    <key>RunAtLoad</key>
-    <true/>
-    <key>KeepAlive</key>
-    <true/>
-    <key>StandardOutPath</key>
-    <string>/var/log/openape-proxy/stdout.log</string>
-    <key>StandardErrorPath</key>
-    <string>/var/log/openape-proxy/stderr.log</string>
-    <key>WorkingDirectory</key>
-    <string>${INSTALL_DIR}</string>
-</dict>
-</plist>`;
-        const tmpPlist = '/tmp/openape-proxy-launchd.plist';
-        writeFileSync(tmpPlist, plist);
-        apes('Install launchd service', `cp ${tmpPlist} ${LAUNCHD_PLIST}`);
-        apes('Load proxy service', `launchctl load ${LAUNCHD_PLIST}`);
-    }
-    console.log('\n🎉 OpenApe Proxy installed via apes!\n');
-    console.log(`   Config:    ${CONFIG_PATH}`);
-    console.log(`   Proxy:     ${INSTALL_DIR}`);
-    console.log(`   Audit log: ${auditLog}`);
-    console.log(`   Listening: ${listen}`);
-    console.log('\n   Every step was approved by your admin. 🔐\n');
-}