@openape/cli 0.1.4 → 0.2.1

package/dist/commands/install-proxy.js

@@ -66,18 +66,14 @@ audit_log = "${auditLog}"
         ensureDir(auditDir, 0o755);
         console.log(`✅ Audit log dir: ${auditDir}`);
     }
-    // Clone/update proxy source
+    // Install proxy via npm/bun (no git needed)
     ensureDir(INSTALL_DIR, 0o755);
-    if (existsSync(`${INSTALL_DIR}/package.json`)) {
-        console.log('Updating proxy source...');
-        execSync(`cd ${INSTALL_DIR} && git pull`, { stdio: 'inherit' });
+    console.log('Installing @openape/proxy via bun...');
+    if (!existsSync(`${INSTALL_DIR}/package.json`)) {
+        execSync(`cd ${INSTALL_DIR} && bun init -y`, { stdio: 'pipe' });
     }
-    else {
-        console.log('Downloading proxy source...');
-        execSync(`git clone https://github.com/openape-ai/proxy.git ${INSTALL_DIR}`, { stdio: 'inherit' });
-    }
-    console.log('Installing dependencies...');
-    execSync(`cd ${INSTALL_DIR} && bun install`, { stdio: 'inherit' });
+    execSync(`cd ${INSTALL_DIR} && bun add @openape/proxy`, { stdio: 'inherit' });
+    console.log(`✅ Proxy installed: ${INSTALL_DIR}`);
     // System service
     if (isMacOS()) {
         setupLaunchd();
@@ -86,7 +82,7 @@ audit_log = "${auditLog}"
         setupSystemd();
     }
     else {
-        console.log(`\n⚠️  Manual start: cd ${INSTALL_DIR} && bun run src/index.ts --config ${CONFIG_PATH}`);
+        console.log(`\n⚠️  Manual start: cd ${INSTALL_DIR} && bunx openape-proxy --config ${CONFIG_PATH}`);
     }
     console.log('\n🎉 OpenApe Proxy installed!\n');
     console.log(`   Config:  ${CONFIG_PATH}`);
@@ -107,7 +103,7 @@ function setupLaunchd() {
     <array>
         <string>${bunPath}</string>
         <string>run</string>
-        <string>${INSTALL_DIR}/src/index.ts</string>
+        <string>${INSTALL_DIR}/node_modules/@openape/proxy/src/index.ts</string>
         <string>--config</string>
         <string>${CONFIG_PATH}</string>
     </array>
@@ -139,7 +135,7 @@ After=network.target
 
 [Service]
 Type=simple
-ExecStart=${bunPath} run ${INSTALL_DIR}/src/index.ts --config ${CONFIG_PATH}
+ExecStart=${bunPath} run ${INSTALL_DIR}/node_modules/@openape/proxy/src/index.ts --config ${CONFIG_PATH}
 WorkingDirectory=${INSTALL_DIR}
 Restart=on-failure
 RestartSec=5

package/dist/commands/install-sudo.js

@@ -1,13 +1,14 @@
 import { existsSync } from 'node:fs';
 import { execSync } from 'node:child_process';
-import { requireRoot, ensureDir, writeSecureFile, run, parseFlags, requireFlag } from '../utils.js';
+import { arch, platform } from 'node:os';
+import { requireRoot, ensureDir, writeSecureFile, run, parseFlags } from '../utils.js';
 const CONFIG_DIR = '/etc/apes';
 const CONFIG_PATH = `${CONFIG_DIR}/config.toml`;
 const BIN_PATH = '/usr/local/bin/apes';
+const REPO = 'openape-ai/sudo';
 export async function installSudo(args) {
     requireRoot();
     const flags = parseFlags(args);
-    const idpUrl = requireFlag(flags, 'idp-url');
     const pollTimeout = flags['poll-timeout'] || '300';
     const pollInterval = flags['poll-interval'] || '2';
     const force = flags['force'] === true;
@@ -16,32 +17,12 @@ export async function installSudo(args) {
     if (existsSync(BIN_PATH) && !force) {
         throw new Error(`apes already installed at ${BIN_PATH}. Use --force to reinstall.`);
     }
-    // Check Rust toolchain
-    try {
-        run('cargo --version');
-    }
-    catch {
-        throw new Error('Rust toolchain required to build apes. Install it: https://rustup.rs\n' +
-            'Pre-built binaries will be available in a future release.');
-    }
-    // Build from source
-    const buildDir = '/tmp/openape-sudo-build';
-    if (existsSync(`${buildDir}/.git`)) {
-        console.log('Updating source...');
-        execSync(`cd ${buildDir} && git pull`, { stdio: 'inherit' });
-    }
-    else {
-        console.log('Downloading source...');
-        execSync(`rm -rf ${buildDir}`, { stdio: 'ignore' });
-        execSync(`git clone https://github.com/openape-ai/sudo.git ${buildDir}`, { stdio: 'inherit' });
+    // Try GitHub Release first, fall back to source build
+    const installed = await tryGitHubRelease();
+    if (!installed) {
+        console.log('No pre-built binary available. Building from source...');
+        buildFromSource();
     }
-    console.log('Building apes (release mode)...');
-    execSync(`cd ${buildDir} && cargo build --release`, { stdio: 'inherit' });
-    // Install binary with setuid
-    execSync(`cp ${buildDir}/target/release/apes ${BIN_PATH}`);
-    execSync(`chown root:wheel ${BIN_PATH}`);
-    execSync(`chmod u+s ${BIN_PATH}`);
-    console.log(`✅ Binary: ${BIN_PATH} (setuid root)`);
     // Config
     if (existsSync(CONFIG_PATH) && !force) {
         console.log(`ℹ️  Config preserved: ${CONFIG_PATH}`);
@@ -50,14 +31,19 @@ export async function installSudo(args) {
         const config = `# OpenApe Sudo (apes) Configuration
 # Generated by: openape install-sudo
 
-server_url = "${idpUrl}"
-
 # Agent identity is determined by the key passed via --key flag.
-# Each user provides their own key: apes --key ~/.ssh/id_ed25519 -- <command>
+# Agents are registered via: apes enroll --server <idp-url> --agent-email <email> --agent-name <name> --key <path>
+# Each enrolled agent gets a [[agents]] entry below automatically.
 
 [poll]
 interval_secs = ${pollInterval}
 timeout_secs = ${pollTimeout}
+
+# Agents are added here by 'apes enroll':
+# [[agents]]
+# name = "my-agent"
+# public_key = "ssh-ed25519 AAAA..."
+# server_url = "https://id.example.com"
 `;
         ensureDir(CONFIG_DIR, 0o700);
         writeSecureFile(CONFIG_PATH, config);
@@ -67,7 +53,81 @@ timeout_secs = ${pollTimeout}
     console.log(`   Binary: ${BIN_PATH} (setuid root)`);
     console.log(`   Config: ${CONFIG_PATH}`);
     console.log('\n   Next steps:');
-    console.log(`   1. Enroll: apes enroll --server ${idpUrl} --agent-email <email> --agent-name <name> --key <path>`);
+    console.log('   1. Enroll: apes enroll --server <idp-url> --agent-email <email> --agent-name <name> --key <path>');
     console.log('   2. Admin approves enrollment');
     console.log('   3. Use: apes --key ~/.ssh/id_ed25519 --reason "why" -- <command>\n');
 }
+function getAssetName() {
+    const os = platform();
+    const cpu = arch();
+    const osMap = { darwin: 'apple-darwin', linux: 'unknown-linux-gnu' };
+    const archMap = { arm64: 'aarch64', x64: 'x86_64' };
+    const osStr = osMap[os];
+    const archStr = archMap[cpu];
+    if (!osStr || !archStr) {
+        throw new Error(`Unsupported platform: ${os}-${cpu}`);
+    }
+    return `apes-${archStr}-${osStr}`;
+}
+async function tryGitHubRelease() {
+    try {
+        // Check if gh CLI is available
+        run('which gh');
+    }
+    catch {
+        console.log('GitHub CLI (gh) not found — skipping release download.');
+        return false;
+    }
+    try {
+        const assetName = getAssetName();
+        console.log(`Looking for pre-built binary: ${assetName}...`);
+        // Download latest release asset
+        const tmpBin = '/tmp/apes-download';
+        execSync(`gh release download --repo ${REPO} --pattern "${assetName}" --output ${tmpBin} --clobber`, {
+            stdio: 'pipe',
+            timeout: 30000,
+        });
+        if (!existsSync(tmpBin)) {
+            return false;
+        }
+        // Install
+        execSync(`cp ${tmpBin} ${BIN_PATH}`);
+        execSync(`chown root:wheel ${BIN_PATH}`);
+        execSync(`chmod u+s ${BIN_PATH}`);
+        execSync(`rm -f ${tmpBin}`);
+        console.log(`✅ Binary (pre-built): ${BIN_PATH} (setuid root)`);
+        return true;
+    }
+    catch {
+        console.log('No pre-built binary found for this platform.');
+        return false;
+    }
+}
+function buildFromSource() {
+    // Check Rust toolchain
+    try {
+        run('cargo --version');
+    }
+    catch {
+        throw new Error('Rust toolchain required to build apes. Install it: https://rustup.rs\n' +
+            'Or create a GitHub Release with pre-built binaries.');
+    }
+    const buildDir = '/tmp/openape-sudo-build';
+    if (existsSync(`${buildDir}/.git`)) {
+        console.log('Updating source...');
+        execSync(`git config --global --add safe.directory ${buildDir}`, { stdio: 'ignore' });
+        execSync(`cd ${buildDir} && git pull`, { stdio: 'inherit' });
+    }
+    else {
+        console.log('Downloading source...');
+        execSync(`rm -rf ${buildDir}`, { stdio: 'ignore' });
+        execSync(`git clone https://github.com/${REPO}.git ${buildDir}`, { stdio: 'inherit' });
+    }
+    console.log('Building apes (release mode)...');
+    execSync(`cd ${buildDir} && cargo build --release`, { stdio: 'inherit' });
+    // Install binary with setuid
+    execSync(`cp ${buildDir}/target/release/apes ${BIN_PATH}`);
+    execSync(`chown root:wheel ${BIN_PATH}`);
+    execSync(`chmod u+s ${BIN_PATH}`);
+    console.log(`✅ Binary (built): ${BIN_PATH} (setuid root)`);
+}

package/dist/index.js

@@ -25,15 +25,15 @@ install-proxy flags:
   --force                 Overwrite existing config
 
 install-sudo flags:
-  --idp-url <url>         IdP URL (required)
   --poll-timeout <secs>   Poll timeout in seconds (default: 300)
   --poll-interval <secs>  Poll interval in seconds (default: 2)
-  --force                 Overwrite existing config/binary
+  --force                 Overwrite existing binary/config
 
 Examples:
   sudo openape install-proxy --idp-url https://id.openape.at --agent-email bot@example.com
   apes -- npx @openape/cli install-proxy --idp-url https://id.openape.at --agent-email bot@example.com
-  sudo openape install-sudo --idp-url https://id.openape.at
+  sudo openape install-sudo
+  # Then enroll: apes enroll --server https://id.openape.at --agent-email bot@example.com --agent-name "My Agent" --key ~/.ssh/id_ed25519
 `;
 async function main() {
     switch (command) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openape/cli",
-  "version": "0.1.4",
+  "version": "0.2.1",
   "description": "OpenApe CLI — install and manage OpenApe components (proxy, sudo, auth)",
   "type": "module",
   "bin": {

package/dist/commands/install-proxy-apes.js

@@ -1,162 +0,0 @@
-import { existsSync } from 'node:fs';
-import { execSync } from 'node:child_process';
-import { writeFileSync } from 'node:fs';
-import { parseArgs } from 'node:util';
-import { ask, closePrompt, isMacOS } from '../utils.js';
-const CONFIG_DIR = '/etc/openape-proxy';
-const CONFIG_PATH = `${CONFIG_DIR}/config.toml`;
-const INSTALL_DIR = '/opt/openape-proxy';
-const LAUNCHD_LABEL = 'ai.openape.proxy';
-const LAUNCHD_PLIST = `/Library/LaunchDaemons/${LAUNCHD_LABEL}.plist`;
-function apes(reason, cmd) {
-    const keyPaths = [
-        `${process.env.HOME}/.ssh/id_ed25519`,
-        `${process.env.HOME}/.ssh/id_ecdsa`,
-        `${process.env.HOME}/.ssh/id_rsa`,
-    ];
-    const keyPath = keyPaths.find(p => existsSync(p));
-    if (!keyPath) {
-        throw new Error('No SSH key found. apes needs --key to authenticate.');
-    }
-    console.log(`\n🔐 Requesting grant: ${reason}`);
-    execSync(`apes --key ${keyPath} --reason "${reason}" -- ${cmd}`, {
-        stdio: 'inherit',
-    });
-}
-export async function installProxyApes() {
-    // Check apes is installed
-    try {
-        execSync('which apes', { stdio: 'ignore' });
-    }
-    catch {
-        throw new Error('apes is not installed. Run: sudo npx @openape/cli install-sudo');
-    }
-    // Parse flags for non-interactive mode
-    const { values: flags } = parseArgs({
-        args: process.argv.slice(3),
-        options: {
-            'idp-url': { type: 'string' },
-            'agent-email': { type: 'string' },
-            'listen': { type: 'string' },
-            'default-action': { type: 'string' },
-            'audit-log': { type: 'string' },
-            'via-apes': { type: 'boolean' },
-        },
-        strict: false,
-    });
-    const interactive = !flags['agent-email'];
-    console.log('\n🐾 OpenApe Proxy Installer (via apes)\n');
-    console.log('Each privileged step requires approval from your admin.\n');
-    let idpUrl, agentEmail, listen, defaultAction, auditLog;
-    if (interactive) {
-        idpUrl = await ask('IdP URL', 'https://id.test.openape.at');
-        agentEmail = await ask('Agent email');
-        listen = await ask('Listen address', '127.0.0.1:9090');
-        defaultAction = await ask('Default action (block/request/request-async)', 'block');
-        auditLog = await ask('Audit log path', '/var/log/openape-proxy/audit.log');
-        closePrompt();
-    }
-    else {
-        idpUrl = flags['idp-url'] || 'https://id.test.openape.at';
-        agentEmail = flags['agent-email'];
-        listen = flags['listen'] || '127.0.0.1:9090';
-        defaultAction = flags['default-action'] || 'block';
-        auditLog = flags['audit-log'] || '/var/log/openape-proxy/audit.log';
-        console.log(`  IdP:     ${idpUrl}`);
-        console.log(`  Agent:   ${agentEmail}`);
-        console.log(`  Listen:  ${listen}`);
-        console.log(`  Default: ${defaultAction}`);
-        console.log(`  Audit:   ${auditLog}`);
-    }
-    // Generate config locally in /tmp
-    const config = `# OpenApe Proxy Configuration
-# Generated by: openape install-proxy --via-apes
-
-[proxy]
-listen = "${listen}"
-idp_url = "${idpUrl}"
-agent_email = "${agentEmail}"
-default_action = "${defaultAction}"
-audit_log = "${auditLog}"
-
-# Add your rules below:
-
-# [[allow]]
-# domain = "api.github.com"
-# methods = ["GET"]
-# note = "GitHub read-only"
-
-# [[deny]]
-# domain = "*.malware.example.com"
-# note = "Blocked"
-
-# [[grant_required]]
-# domain = "api.github.com"
-# methods = ["POST", "PUT", "DELETE"]
-# grant_type = "allow_once"
-# note = "Needs approval"
-`;
-    const tmpConfig = '/tmp/openape-proxy-config.toml';
-    writeFileSync(tmpConfig, config);
-    console.log(`\n📝 Config prepared at ${tmpConfig}`);
-    // Step 1: Create config directory
-    apes('Create OpenApe Proxy config directory', `mkdir -p ${CONFIG_DIR}`);
-    apes('Set permissions on config directory', `chmod 700 ${CONFIG_DIR}`);
-    // Step 2: Copy config
-    apes('Install proxy config', `cp ${tmpConfig} ${CONFIG_PATH}`);
-    apes('Secure proxy config (root-only)', `chmod 600 ${CONFIG_PATH}`);
-    // Step 3: Create audit log directory
-    const auditDir = auditLog.substring(0, auditLog.lastIndexOf('/'));
-    if (auditDir) {
-        apes('Create audit log directory', `mkdir -p ${auditDir}`);
-    }
-    // Step 4: Clone/update proxy source
-    if (existsSync(`${INSTALL_DIR}/package.json`)) {
-        apes('Update proxy source', `git -C ${INSTALL_DIR} pull`);
-    }
-    else {
-        apes('Download proxy source', `git clone https://github.com/openape-ai/proxy.git ${INSTALL_DIR}`);
-    }
-    // Step 5: Install dependencies
-    const bunPath = execSync('which bun', { encoding: 'utf-8' }).trim();
-    apes('Install proxy dependencies', `${bunPath} install --cwd ${INSTALL_DIR}`);
-    // Step 6: Set up system service
-    if (isMacOS()) {
-        const plist = `<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
-    <key>Label</key>
-    <string>${LAUNCHD_LABEL}</string>
-    <key>ProgramArguments</key>
-    <array>
-        <string>${bunPath}</string>
-        <string>run</string>
-        <string>${INSTALL_DIR}/src/index.ts</string>
-        <string>--config</string>
-        <string>${CONFIG_PATH}</string>
-    </array>
-    <key>RunAtLoad</key>
-    <true/>
-    <key>KeepAlive</key>
-    <true/>
-    <key>StandardOutPath</key>
-    <string>/var/log/openape-proxy/stdout.log</string>
-    <key>StandardErrorPath</key>
-    <string>/var/log/openape-proxy/stderr.log</string>
-    <key>WorkingDirectory</key>
-    <string>${INSTALL_DIR}</string>
-</dict>
-</plist>`;
-        const tmpPlist = '/tmp/openape-proxy-launchd.plist';
-        writeFileSync(tmpPlist, plist);
-        apes('Install launchd service', `cp ${tmpPlist} ${LAUNCHD_PLIST}`);
-        apes('Load proxy service', `launchctl load ${LAUNCHD_PLIST}`);
-    }
-    console.log('\n🎉 OpenApe Proxy installed via apes!\n');
-    console.log(`   Config:    ${CONFIG_PATH}`);
-    console.log(`   Proxy:     ${INSTALL_DIR}`);
-    console.log(`   Audit log: ${auditLog}`);
-    console.log(`   Listening: ${listen}`);
-    console.log('\n   Every step was approved by your admin. 🔐\n');
-}