@vantaloom/runtime-linux-x64 0.3.10 → 0.5.0

package/VERSION

@@ -1 +1 @@
-532507a
+782bb79

package/cli/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vantaloom/cli",
-  "version": "0.3.10",
+  "version": "0.5.0",
   "private": false,
   "type": "module",
   "description": "Vantaloom local runtime manager.",

package/cli/src/cli.mjs

@@ -11,10 +11,16 @@ import {
   writeFileSync,
 } from "node:fs"
 import { cp, writeFile } from "node:fs/promises"
+import { createHash } from "node:crypto"
 import os from "node:os"
 import path from "node:path"
 import { fileURLToPath } from "node:url"
 
+// The mesh binaries the privileged service holds open while running. On Windows
+// a file copy can't overwrite them in place, so the lock-safe `apply` path swaps
+// them after stopping the service.
+const WINDOWS_MESH_BINARIES = ["easytier-core.exe", "easytier-cli.exe", "wintun.dll", "Packet.dll", "WinDivert64.sys", "vantaloom-mesh.exe"]
+
 const cliRoot = path.resolve(fileURLToPath(import.meta.url), "..", "..")
 const repoCandidate = path.resolve(cliRoot, "..", "..")
 const installedConfigPath = path.join(cliRoot, "config.json")
@@ -99,6 +105,9 @@ export async function main(argv) {
     case "path":
       printPaths(options)
       return
+    case "uninstall":
+      await uninstallRuntime(options)
+      return
     case "help":
     case "-h":
     case "--help":
@@ -122,6 +131,8 @@ async function installFromSource(options) {
     noStart: options.noStart,
     sourceRoot,
     update: options.update,
+    withMesh: options.withMesh,
+    skipMesh: options.skipMesh,
   })
 
   console.log(`${options.update ? "updated" : "installed"} Vantaloom: ${prefix}`)
@@ -136,6 +147,8 @@ async function installFromPackage(options) {
   const version = await applyPackage(packageRoot, prefix, {
     noStart: options.noStart,
     update: options.update,
+    withMesh: options.withMesh,
+    skipMesh: options.skipMesh,
   })
 
   console.log(`${options.update ? "updated" : "installed"} Vantaloom: ${prefix}`)
@@ -189,6 +202,9 @@ async function buildRuntimePackage(sourceRoot, packageRoot, options) {
   buildGo(sourceRoot, buildBin, "vantaloom-api", platform)
   buildGo(sourceRoot, buildBin, "vantaloom-agent", platform)
   buildGo(sourceRoot, buildBin, "vantaloomctl", platform)
+  // Privileged EasyTier sidecar (runs the mesh node as a service on Windows/macOS).
+  // Pure-Go (no CGO), so it cross-compiles cleanly for every target.
+  buildGo(sourceRoot, buildBin, "vantaloom-mesh", platform)
   // Tray app requires CGO (systray), only buildable natively on Windows.
   if (platform.startsWith("win32") && process.platform === "win32") {
     try {
@@ -196,6 +212,9 @@ async function buildRuntimePackage(sourceRoot, packageRoot, options) {
     } catch { /* optional: skip if systray build fails */ }
   }
 
+  // Bundle the EasyTier mesh binaries (P2P virtual network) for the target platform.
+  await copyEasyTier(sourceRoot, buildBin, platform)
+
   if (options.buildWeb) {
     runPnpm(["--filter", "vantaloom-app", "build"], { cwd: sourceRoot })
   }
@@ -207,6 +226,45 @@ async function buildRuntimePackage(sourceRoot, packageRoot, options) {
   return { platform, version }
 }
 
+// copyEasyTier bundles the vendored EasyTier binaries (easytier-core/easytier-cli,
+// plus wintun.dll on Windows) for the target platform into the package bin/ dir.
+async function copyEasyTier(sourceRoot, buildBin, platform) {
+  const vendorMap = {
+    "win32-x64": "windows-x86_64",
+    "darwin-arm64": "macos-aarch64",
+    "linux-x64": "linux-x86_64",
+  }
+  const vendorName = vendorMap[platform]
+  if (!vendorName) {
+    console.warn(`  warning: no EasyTier mapping for ${platform}; mesh disabled for this platform`)
+    return
+  }
+  const srcDir = path.join(sourceRoot, "vendor", "easytier", vendorName, `easytier-${vendorName}`)
+  if (!existsSync(srcDir)) {
+    console.warn(`  warning: EasyTier binaries not found at ${srcDir}; run vendor download first`)
+    return
+  }
+  const isWin = platform.startsWith("win32")
+  // Packet.dll + WinDivert64.sys are REQUIRED: easytier-core.exe statically
+  // imports Packet.dll, so without it the process dies at launch with
+  // STATUS_DLL_NOT_FOUND (0xC0000135) before writing any log. wintun.dll is the
+  // TUN backend. easytier-cli.exe does not need Packet.dll (it still launches).
+  const files = isWin
+    ? ["easytier-core.exe", "easytier-cli.exe", "wintun.dll", "Packet.dll", "WinDivert64.sys"]
+    : ["easytier-core", "easytier-cli"]
+  let copied = 0
+  for (const f of files) {
+    const src = path.join(srcDir, f)
+    if (!existsSync(src)) {
+      console.warn(`  warning: EasyTier file missing: ${f}`)
+      continue
+    }
+    await cp(src, path.join(buildBin, f), { force: true })
+    copied++
+  }
+  console.log(`  bundled EasyTier ${vendorName} (${copied} files)`)
+}
+
 async function applyPackage(packageRoot, prefix, options) {
   assertRuntimePackage(packageRoot)
 
@@ -227,6 +285,14 @@ async function applyPackage(packageRoot, prefix, options) {
   // don't write tray.pid, so vantaloomctl stop won't find them).
   killTrayProcess(prefix)
 
+  // On Windows the privileged mesh service holds its binaries open, so we can't
+  // wipe or overwrite them with a plain copy. Detect that up front: if the
+  // service is running, skip those files in the bin/ copy (the elevated `apply`
+  // swaps them after stopping the service).
+  const meshLocked =
+    process.platform === "win32" &&
+    meshServiceRunning(path.join(packageRoot, "bin"), "win32")
+
   // Copy package contents to install prefix
   for (const name of ["bin", "web", "cli"]) {
     const src = path.join(packageRoot, name)
@@ -235,12 +301,15 @@ async function applyPackage(packageRoot, prefix, options) {
       console.error(`  warning: package missing ${name}/ directory`)
       continue
     }
-    removeKnownPath(dst, prefix)
-    await cp(src, dst, {
-      recursive: true,
-      force: true,
-      dereference: false,
-    })
+    const copyOpts = { recursive: true, force: true, dereference: false }
+    if (name === "bin" && meshLocked) {
+      // Overwrite in place (don't wipe — that would fail on the locked files) and
+      // skip the mesh binaries the running service holds open.
+      copyOpts.filter = (s) => !WINDOWS_MESH_BINARIES.includes(path.basename(s))
+    } else {
+      removeKnownPath(dst, prefix)
+    }
+    await cp(src, dst, copyOpts)
   }
 
   // Ensure binaries are executable on Unix (cross-compiled from Windows they lose +x)
@@ -252,6 +321,28 @@ async function applyPackage(packageRoot, prefix, options) {
     }
   }
 
+  // Linux: grant easytier-core the TUN capability so the unprivileged runtime can
+  // bring up the mesh virtual network. This is the one privileged step of the
+  // install (a single sudo); the app itself stays unprivileged.
+  ensureLinuxMeshCapabilities(binDir)
+
+  // Windows/macOS: register (or lock-safely update) the privileged mesh service
+  // that runs easytier-core. This is the one elevation of the install on those
+  // platforms. Skipped for --no-start and gated to avoid prompting on every
+  // source rebuild (see ensureMeshService).
+  if (!options.noStart) {
+    ensureMeshService(packageRoot, prefix, {
+      sourceInstall: Boolean(options.sourceRoot),
+      withMesh: Boolean(options.withMesh),
+      skipMesh: Boolean(options.skipMesh),
+    })
+  }
+
+  // Make the runtime start at login/boot (per-user, no elevation). Idempotent.
+  if (!options.noStart && !options.skipAutostart) {
+    enableRuntimeAutostart(prefix)
+  }
+
   // Verify vantaloomctl binary exists before trying to run it
   const ctlBin = path.join(prefix, "bin", binaryName("vantaloomctl"))
   if (!existsSync(ctlBin)) {
@@ -292,6 +383,340 @@ async function applyPackage(packageRoot, prefix, options) {
   return version
 }
 
+// ensureLinuxMeshCapabilities grants easytier-core the network capabilities it
+// needs to create a TUN device, so the unprivileged Vantaloom runtime can bring
+// up the EasyTier mesh without running as root. Re-run on every update because
+// replacing the binary clears file capabilities. Non-fatal: if it can't elevate
+// or setcap is missing, mesh just falls back to the Hub relay.
+function ensureLinuxMeshCapabilities(binDir) {
+  if (process.platform !== "linux") {
+    return
+  }
+  const core = path.join(binDir, "easytier-core")
+  if (!existsSync(core)) {
+    console.warn("  mesh: easytier-core not bundled; skipping TUN capability setup")
+    return
+  }
+  const caps = "cap_net_admin,cap_net_bind_service+ep"
+  const isRoot = typeof process.getuid === "function" && process.getuid() === 0
+  console.log(`  mesh: granting TUN capability to easytier-core${isRoot ? "" : " (sudo)"} ...`)
+  const result = isRoot
+    ? spawnSync("setcap", [caps, core], { stdio: "inherit" })
+    : spawnSync("sudo", ["setcap", caps, core], { stdio: "inherit" })
+  if (result.error || result.status !== 0) {
+    console.warn(
+      "  mesh: could not set capabilities (P2P will fall back to the Hub relay).\n" +
+      `        enable it manually with:  sudo setcap ${caps} ${core}\n` +
+      "        (needs the 'setcap' tool, e.g. apt install libcap2-bin)"
+    )
+  }
+}
+
+// ensureMeshService registers (or lock-safely updates) the privileged EasyTier
+// sidecar service on Windows/macOS — the one elevation of the install on those
+// platforms. Linux uses setcap instead (see ensureLinuxMeshCapabilities).
+//
+// To keep the source/dev rebuild loop frictionless it only elevates when the
+// work is actually needed (service missing, or the mesh binaries changed) and,
+// for source installs, defers to a printed one-liner unless --with-mesh is set.
+function ensureMeshService(packageRoot, prefix, opts) {
+  const platform = process.platform
+  if (platform !== "win32" && platform !== "darwin") return // Linux: setcap path
+  if (opts.skipMesh) return
+
+  const pkgBin = path.join(packageRoot, "bin")
+  const meshExe = path.join(pkgBin, binaryName("vantaloom-mesh"))
+  if (!existsSync(meshExe)) return // sidecar not bundled
+
+  if (!meshServiceNeedsApply(pkgBin, path.join(prefix, "bin"), platform)) {
+    return // installed binaries current and service already managing them
+  }
+
+  if (opts.sourceInstall && !opts.withMesh) {
+    printMeshManualHint(prefix, platform)
+    return
+  }
+
+  if (platform === "win32") {
+    elevateWindowsMeshApply(pkgBin, prefix)
+  } else {
+    elevateDarwinMeshInstall(prefix)
+  }
+}
+
+// meshServiceNeedsApply reports whether the privileged service has to be
+// (re)applied: true if the installed mesh binaries are missing/outdated, or if
+// the service isn't currently up.
+function meshServiceNeedsApply(pkgBin, installBin, platform) {
+  // On Windows compare every lockable mesh file (incl. Packet.dll/WinDivert/wintun)
+  // so a missing or changed support DLL also triggers a (re)apply.
+  const names = platform === "win32"
+    ? WINDOWS_MESH_BINARIES
+    : [binaryName("vantaloom-mesh"), binaryName("easytier-core")]
+  for (const name of names) {
+    const installed = path.join(installBin, name)
+    if (!existsSync(installed)) return true
+    const staged = path.join(pkgBin, name)
+    if (existsSync(staged) && fileSha(staged) !== fileSha(installed)) return true
+  }
+  return !meshServiceRunning(pkgBin, platform)
+}
+
+// meshServiceRunning queries the OS service state via the (unprivileged) mesh
+// `status` command. binDir is where to find the vantaloom-mesh binary to run.
+function meshServiceRunning(binDir, platform) {
+  const exe = path.join(binDir, binaryName("vantaloom-mesh"))
+  if (!existsSync(exe)) return false
+  const r = spawnSync(exe, ["status"], { encoding: "utf8" })
+  if (r.error || typeof r.stdout !== "string") return false
+  const out = r.stdout.toLowerCase()
+  if (platform === "win32") return out.includes("running")
+  return r.status === 0 && !out.includes("not loaded") && !out.includes("not installed")
+}
+
+function fileSha(file) {
+  return createHash("sha256").update(readFileSync(file)).digest("hex")
+}
+
+// elevateWindowsMeshApply runs the lock-safe `apply` elevated (one UAC prompt).
+// It launches from the package copy so it can overwrite the installed binary.
+function elevateWindowsMeshApply(pkgBin, prefix) {
+  const exe = path.join(pkgBin, "vantaloom-mesh.exe")
+  console.log("  mesh: registering privileged P2P service (UAC prompt) ...")
+  const argList = ["apply", "--pkg-bin", pkgBin, "--install-dir", prefix].map(psQuote).join(",")
+  const ps = `$ErrorActionPreference='Stop'; $p = Start-Process -FilePath ${psQuote(exe)} -ArgumentList ${argList} -Verb RunAs -Wait -PassThru; exit $p.ExitCode`
+  const r = spawnSync("powershell", ["-NoProfile", "-NonInteractive", "-Command", ps], { stdio: "inherit" })
+  if (r.error || r.status !== 0) {
+    const installed = path.join(prefix, "bin", "vantaloom-mesh.exe")
+    console.warn("  mesh: service registration was cancelled or failed; P2P falls back to the Hub relay.")
+    console.warn(`        enable it later (as Administrator):  "${installed}" install --install-dir "${prefix}"`)
+  } else {
+    console.log("  mesh: privileged P2P service active")
+  }
+}
+
+// elevateDarwinMeshInstall registers the LaunchDaemon via sudo (one prompt). The
+// runtime already copied the fresh binary into place; install reloads the daemon.
+function elevateDarwinMeshInstall(prefix) {
+  const exe = path.join(prefix, "bin", "vantaloom-mesh")
+  console.log("  mesh: registering privileged P2P service (sudo) ...")
+  const r = spawnSync("sudo", [exe, "install", "--install-dir", prefix], { stdio: "inherit" })
+  if (r.error || r.status !== 0) {
+    console.warn("  mesh: LaunchDaemon registration failed; P2P falls back to the Hub relay.")
+    console.warn(`        enable it later:  sudo "${exe}" install --install-dir "${prefix}"`)
+  } else {
+    console.log("  mesh: privileged P2P service active")
+  }
+}
+
+function printMeshManualHint(prefix, platform) {
+  console.log("  mesh: P2P service not auto-registered for source installs.")
+  if (platform === "win32") {
+    const exe = path.join(prefix, "bin", "vantaloom-mesh.exe")
+    console.log(`        enable it once (as Administrator):  "${exe}" install --install-dir "${prefix}"`)
+    console.log("        or re-run install/update with --with-mesh")
+  } else {
+    const exe = path.join(prefix, "bin", "vantaloom-mesh")
+    console.log(`        enable it once:  sudo "${exe}" install --install-dir "${prefix}"`)
+    console.log("        or re-run install/update with --with-mesh")
+  }
+}
+
+// psQuote wraps a value as a PowerShell single-quoted string literal.
+function psQuote(value) {
+  return "'" + String(value).replace(/'/g, "''") + "'"
+}
+
+// uninstallRuntime tears down a local install: stop the runtime, remove the
+// privileged mesh service (elevated), then delete the install directory.
+async function uninstallRuntime(options) {
+  const prefix = safeDirectory(options.prefix ?? defaultPrefix())
+  if (!existsSync(prefix)) {
+    console.log(`Vantaloom is not installed at ${prefix}`)
+    return
+  }
+  console.log(`Uninstalling Vantaloom from ${prefix} ...`)
+
+  // 1. Stop the runtime (api/agent/web/tray). Best-effort.
+  const ctlBin = path.join(prefix, "bin", binaryName("vantaloomctl"))
+  if (existsSync(ctlBin)) {
+    spawnSync(ctlBin, ["stop", "--prefix", prefix], { stdio: "inherit" })
+  }
+  killTrayProcess(prefix)
+
+  // 2. Remove the privileged mesh service (releases TUN adapter + file locks).
+  removeMeshService(prefix, options)
+
+  // 2b. Remove the login-autostart entry (lives outside the install dir).
+  disableRuntimeAutostart()
+
+  // 3. Delete the install directory.
+  try {
+    const parent = path.dirname(prefix)
+    removeKnownPath(prefix, parent)
+    console.log(`removed ${prefix}`)
+  } catch (error) {
+    console.warn(`  could not remove ${prefix}: ${error.message}`)
+    console.warn("  some files may still be locked; re-run after closing Vantaloom processes.")
+  }
+
+  console.log("Vantaloom uninstalled.")
+  console.log("note: the install dir was left out of PATH edits; remove the bin/ entry from your shell profile if you added it.")
+}
+
+function removeMeshService(prefix, options) {
+  const platform = process.platform
+  if (platform !== "win32" && platform !== "darwin") return // Linux: nothing registered
+  const exe = path.join(prefix, "bin", binaryName("vantaloom-mesh"))
+  if (!existsSync(exe)) return
+  if (options.skipMesh) return
+
+  if (platform === "win32") {
+    if (!meshServiceRunningOrInstalled(path.join(prefix, "bin"))) return
+    console.log("  mesh: removing privileged P2P service (UAC prompt) ...")
+    const ps = `$ErrorActionPreference='Stop'; $p = Start-Process -FilePath ${psQuote(exe)} -ArgumentList 'uninstall' -Verb RunAs -Wait -PassThru; exit $p.ExitCode`
+    const r = spawnSync("powershell", ["-NoProfile", "-NonInteractive", "-Command", ps], { stdio: "inherit" })
+    if (r.error || r.status !== 0) {
+      console.warn(`  mesh: could not remove service; run manually (as Administrator):  "${exe}" uninstall`)
+    }
+  } else {
+    console.log("  mesh: removing privileged P2P service (sudo) ...")
+    const r = spawnSync("sudo", [exe, "uninstall"], { stdio: "inherit" })
+    if (r.error || r.status !== 0) {
+      console.warn(`  mesh: could not remove service; run manually:  sudo "${exe}" uninstall`)
+    }
+  }
+}
+
+// meshServiceRunningOrInstalled reports whether the Windows service exists at
+// all (running or stopped), so uninstall only prompts for elevation when there
+// is actually something to remove.
+function meshServiceRunningOrInstalled(binDir) {
+  const exe = path.join(binDir, "vantaloom-mesh.exe")
+  if (!existsSync(exe)) return false
+  const r = spawnSync(exe, ["status"], { encoding: "utf8" })
+  if (r.error || typeof r.stdout !== "string") return false
+  return !r.stdout.toLowerCase().includes("not installed")
+}
+
+// ── Runtime login-autostart (no elevation) ──
+// Start the local runtime (api/agent/web/tray) at login/boot using only
+// per-user mechanisms — no UAC/sudo. This is separate from the privileged mesh
+// service: the mesh sidecar autostarts via the OS service manager; this brings
+// up the unprivileged runtime that joins the mesh and serves the local API.
+
+const AUTOSTART_LABEL = "online.timefiles.vantaloom.runtime"
+// PowerShell HKCU: drive path. Set-ItemProperty handles values with spaces and
+// embedded quotes cleanly (reg.exe's /d escaping is brittle), and the Run key is
+// not blocked by Controlled Folder Access the way the Startup folder is.
+const WINDOWS_RUN_KEY = "HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
+const WINDOWS_RUN_VALUE = "Vantaloom"
+
+function enableRuntimeAutostart(prefix) {
+  try {
+    if (process.platform === "win32") {
+      // A .vbs launches the runtime with a hidden window (no console flash); the
+      // HKCU Run key runs it at login without elevation.
+      const launcher = path.join(prefix, "vantaloom.cmd")
+      const vbsPath = path.join(prefix, "autostart.vbs")
+      const vbs = `' Vantaloom runtime autostart (hidden)\r\nCreateObject("WScript.Shell").Run """${launcher}"" start", 0, False\r\n`
+      writeFileSync(vbsPath, vbs)
+      const result = spawnSync(
+        "powershell",
+        [
+          "-NoProfile",
+          "-NonInteractive",
+          "-Command",
+          `Set-ItemProperty -Path '${WINDOWS_RUN_KEY}' -Name '${WINDOWS_RUN_VALUE}' -Value 'wscript.exe "${vbsPath}"'`,
+        ],
+        { stdio: "ignore" }
+      )
+      if (result.error || result.status !== 0) {
+        console.warn("  autostart: could not register login entry (HKCU Run)")
+      } else {
+        console.log("  autostart: enabled (login Run key)")
+      }
+      return
+    }
+    if (process.platform === "darwin") {
+      const launcher = path.join(prefix, "vantaloom")
+      const dir = path.join(os.homedir(), "Library", "LaunchAgents")
+      mkdirSync(dir, { recursive: true })
+      const plistPath = path.join(dir, `${AUTOSTART_LABEL}.plist`)
+      // RunAtLoad only (no KeepAlive): `vantaloom start` spawns detached and exits.
+      const plist = `<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0"><dict>
+  <key>Label</key><string>${AUTOSTART_LABEL}</string>
+  <key>ProgramArguments</key><array><string>${launcher}</string><string>start</string></array>
+  <key>RunAtLoad</key><true/>
+</dict></plist>
+`
+      writeFileSync(plistPath, plist)
+      spawnSync("launchctl", ["unload", plistPath], { stdio: "ignore" })
+      spawnSync("launchctl", ["load", "-w", plistPath], { stdio: "ignore" })
+      console.log("  autostart: enabled (LaunchAgent)")
+      return
+    }
+    // Linux: user systemd unit + linger (no root).
+    const launcher = path.join(prefix, "vantaloom")
+    const dir = path.join(os.homedir(), ".config", "systemd", "user")
+    mkdirSync(dir, { recursive: true })
+    const unit = `[Unit]
+Description=Vantaloom local runtime
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=${launcher} start
+ExecStop=${launcher} stop
+
+[Install]
+WantedBy=default.target
+`
+    writeFileSync(path.join(dir, "vantaloom-runtime.service"), unit)
+    spawnSync("loginctl", ["enable-linger"], { stdio: "ignore" })
+    spawnSync("systemctl", ["--user", "daemon-reload"], { stdio: "ignore" })
+    spawnSync("systemctl", ["--user", "enable", "vantaloom-runtime.service"], { stdio: "ignore" })
+    console.log("  autostart: enabled (systemd user unit)")
+  } catch (error) {
+    console.warn(`  autostart: could not enable (${error.message})`)
+  }
+}
+
+function disableRuntimeAutostart() {
+  try {
+    if (process.platform === "win32") {
+      // Remove the Run-key entry; the autostart.vbs lives in the install dir and
+      // is deleted with it.
+      spawnSync(
+        "powershell",
+        ["-NoProfile", "-NonInteractive", "-Command", `Remove-ItemProperty -Path '${WINDOWS_RUN_KEY}' -Name '${WINDOWS_RUN_VALUE}' -ErrorAction SilentlyContinue`],
+        { stdio: "ignore" }
+      )
+      return
+    }
+    if (process.platform === "darwin") {
+      const plistPath = path.join(os.homedir(), "Library", "LaunchAgents", `${AUTOSTART_LABEL}.plist`)
+      if (existsSync(plistPath)) {
+        spawnSync("launchctl", ["unload", "-w", plistPath], { stdio: "ignore" })
+        rmSync(plistPath, { force: true })
+      }
+      return
+    }
+    const unit = path.join(os.homedir(), ".config", "systemd", "user", "vantaloom-runtime.service")
+    if (existsSync(unit)) {
+      spawnSync("systemctl", ["--user", "disable", "vantaloom-runtime.service"], { stdio: "ignore" })
+      rmSync(unit, { force: true })
+      spawnSync("systemctl", ["--user", "daemon-reload"], { stdio: "ignore" })
+    }
+  } catch (error) {
+    console.warn(`  autostart: could not disable (${error.message})`)
+  }
+}
+
 async function syncFromNpmRegistry(options, action) {
   const prefix = safeDirectory(options.prefix ?? defaultPrefix())
   const installedConfig = readInstalledConfig(prefix)
@@ -329,6 +754,8 @@ async function syncFromNpmRegistry(options, action) {
       runtimeVersion: options.runtimeVersion ? resolved.version : "latest",
       npmRegistry: resolved.registry,
       update: action === "update",
+      withMesh: options.withMesh,
+      skipMesh: options.skipMesh,
     })
 
     console.log(`${action === "update" ? "updated" : "installed"} Vantaloom: ${prefix}`)
@@ -372,6 +799,8 @@ async function syncFromRelease(options, action) {
       noStart: options.noStart,
       sourceRoot: installedConfig.sourceRoot,
       update: action === "update",
+      withMesh: options.withMesh,
+      skipMesh: options.skipMesh,
     })
 
     console.log(`${action === "update" ? "updated" : "installed"} Vantaloom: ${prefix}`)
@@ -970,6 +1399,15 @@ function parseOptions(args) {
       case "local":
         options.local = true
         break
+      case "with-mesh":
+        options.withMesh = true
+        break
+      case "skip-mesh":
+        options.skipMesh = true
+        break
+      case "skip-autostart":
+        options.skipAutostart = true
+        break
       case "no-strict-ssl":
         options.noStrictSsl = true
         break
@@ -1184,17 +1622,23 @@ function printHelp() {
   console.log(`Vantaloom CLI
 
 Usage:
-  vantaloom install  [--prefix <dir>] [--runtime-version <version>] [--npm-registry <url>] [--package <dir>] [--no-start]
-  vantaloom install  --local [--prefix <dir>] [--source <repo>] [--build-web] [--no-start]
-  vantaloom update   [--prefix <dir>] [--runtime-version <version>] [--npm-registry <url>] [--no-start]
-  vantaloom update   --local [--prefix <dir>] [--source <repo>] [--build-web] [--no-start]
-  vantaloom package  [--source <repo>] [--output <dir>] [--build-web] [--archive] [--npm-package] [--target <platform>]
-  vantaloom start    [--prefix <dir>] [--component all|api|agent|web]
-  vantaloom stop     [--prefix <dir>] [--component all|api|agent|web]
-  vantaloom restart  [--prefix <dir>] [--component all|api|agent|web]
-  vantaloom status   [--prefix <dir>]
-  vantaloom ports    [--prefix <dir>]
-  vantaloom path     [--prefix <dir>] [--source <repo>]
+  vantaloom install   [--prefix <dir>] [--runtime-version <version>] [--npm-registry <url>] [--package <dir>] [--no-start] [--with-mesh|--skip-mesh]
+  vantaloom install   --local [--prefix <dir>] [--source <repo>] [--build-web] [--no-start] [--with-mesh]
+  vantaloom update    [--prefix <dir>] [--runtime-version <version>] [--npm-registry <url>] [--no-start] [--with-mesh|--skip-mesh]
+  vantaloom update    --local [--prefix <dir>] [--source <repo>] [--build-web] [--no-start] [--with-mesh]
+  vantaloom uninstall [--prefix <dir>] [--skip-mesh]
+  vantaloom package   [--source <repo>] [--output <dir>] [--build-web] [--archive] [--npm-package] [--target <platform>]
+  vantaloom start     [--prefix <dir>] [--component all|api|agent|web]
+  vantaloom stop      [--prefix <dir>] [--component all|api|agent|web]
+  vantaloom restart   [--prefix <dir>] [--component all|api|agent|web]
+  vantaloom status    [--prefix <dir>]
+  vantaloom ports     [--prefix <dir>]
+  vantaloom path      [--prefix <dir>] [--source <repo>]
   vantaloom platform
+
+Mesh (P2P) service:
+  Windows/macOS register a privileged EasyTier service at install (one UAC/sudo prompt).
+  Linux grants TUN capability via setcap instead. Use --skip-mesh to opt out,
+  or --with-mesh to force registration during a --local source install.
 `)
 }

package/manifest.json

@@ -1,8 +1,8 @@
 {
   "name": "Vantaloom Local Runtime",
-  "version": "532507a",
+  "version": "782bb79",
   "platform": "linux-x64",
-  "updatedAt": "2026-05-30T19:05:27.306Z",
+  "updatedAt": "2026-05-31T23:50:33.696Z",
   "components": [
     "api",
     "agent",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vantaloom/runtime-linux-x64",
-  "version": "0.3.10",
+  "version": "0.5.0",
   "private": false,
   "description": "Vantaloom local runtime for linux-x64.",
   "type": "module",