openpalm 0.10.2 → 0.11.0-beta.2

package/src/main.ts

@@ -1,12 +1,90 @@
 #!/usr/bin/env bun
 import { defineCommand, runCommand, runMain } from 'citty';
+import { join } from 'node:path';
 import cliPkg from '../package.json' with { type: 'json' };
+import { resolveConfigDir } from '@openpalm/lib';
 
 // Re-export public API used by tests and external consumers
 export { detectHostInfo } from './lib/host-info.ts';
 export type { HostInfo } from './lib/host-info.ts';
-export { upsertEnvValue, resolveRequestedImageTag, reconcileStackEnvImageTag } from './lib/env.ts';
-export { bootstrapInstall } from './commands/install.ts';
+
+const SUBCOMMAND_NAMES = new Set([
+  'install', 'uninstall', 'update', 'self-update', 'addon',
+  'start', 'stop', 'restart', 'logs', 'status', 'service',
+  'validate', 'scan', 'rollback', 'automations',
+  '--help', '-h', 'help',
+]);
+
+interface BareRunOpts {
+  port?: number;
+  open?: boolean;
+}
+
+/**
+ * Probe the assistant container's healthcheck to decide whether the stack
+ * is already up. We hit the assistant's published host port (default 3800,
+ * overridable via OP_ASSISTANT_PORT) rather than introspect Docker so this
+ * works without docker socket access and respects whatever overrides are
+ * active.
+ */
+async function isAssistantHealthy(): Promise<boolean> {
+  const port = process.env.OP_ASSISTANT_PORT ?? '3800';
+  try {
+    const res = await fetch(`http://127.0.0.1:${port}/health`, {
+      signal: AbortSignal.timeout(1500),
+    });
+    return res.ok;
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Smart default: `openpalm` (no subcommand) detects state and does the
+ * right thing automatically.
+ *
+ *  - Not installed → runs the install flow (seeds OP_HOME, spawns wizard)
+ *  - Installed, stack down → starts the stack
+ *  - Installed, stack up → starts the UI host server (foreground)
+ *
+ * The UI server runs in the foreground until SIGINT/SIGTERM. This is
+ * the canonical way to "run OpenPalm" — no separate `ui`/`admin`
+ * subcommand.
+ */
+async function autoRun(opts: BareRunOpts = {}): Promise<void> {
+  const stackEnv = join(resolveConfigDir(), 'stack', 'stack.env');
+  const isInstalled = await Bun.file(stackEnv).exists();
+
+  if (!isInstalled) {
+    const { bootstrapInstall, resolveDefaultInstallRef } = await import('./commands/install.ts') as any;
+    const version: string = typeof resolveDefaultInstallRef === 'function'
+      ? await resolveDefaultInstallRef()
+      : (cliPkg.version ? `v${cliPkg.version}` : 'main');
+    await bootstrapInstall({
+      force: false,
+      version,
+      noStart: false,
+      noOpen: opts.open === false,
+    });
+    return;
+  }
+
+  // Ensure the stack is up. Skip when the assistant is already healthy —
+  // calling `docker compose up -d` would otherwise recreate containers
+  // (when compose config differs, e.g. dev overlays add port bindings)
+  // and tear down test/dev port mappings.
+  const stackAlreadyUp = await isAssistantHealthy();
+  if (!stackAlreadyUp) {
+    const { runStartAction } = await import('./commands/start.ts');
+    await runStartAction([]).catch((err) => {
+      console.warn(`Warning: failed to ensure stack is running: ${err instanceof Error ? err.message : String(err)}`);
+    });
+  }
+
+  // Start the UI host server in the foreground (blocks until SIGINT/SIGTERM).
+  const { startUIServer } = await import('./lib/ui-server.ts');
+  await startUIServer({ port: opts.port, open: opts.open });
+}
 
 export const mainCommand = defineCommand({
   meta: {
@@ -14,14 +92,23 @@ export const mainCommand = defineCommand({
     version: cliPkg.version,
     description: 'OpenPalm CLI — install and manage a self-hosted OpenPalm stack',
   },
+  args: {
+    port: {
+      type: 'string',
+      description: 'UI server port (default: 3880 or OP_HOST_UI_PORT)',
+    },
+    open: {
+      type: 'boolean',
+      description: 'Open browser after start (use --no-open to skip)',
+      default: true,
+    },
+  },
   subCommands: {
     install: () => import('./commands/install.ts').then((m) => m.default),
     uninstall: () => import('./commands/uninstall.ts').then((m) => m.default),
     update: () => import('./commands/update.ts').then((m) => m.default),
-    upgrade: () => import('./commands/upgrade.ts').then((m) => m.default),
     'self-update': () => import('./commands/self-update.ts').then((m) => m.default),
     addon: () => import('./commands/addon.ts').then((m) => m.default),
-    admin: () => import('./commands/admin.ts').then((m) => m.default),
     start: () => import('./commands/start.ts').then((m) => m.default),
     stop: () => import('./commands/stop.ts').then((m) => m.default),
     restart: () => import('./commands/restart.ts').then((m) => m.default),
@@ -31,18 +118,55 @@ export const mainCommand = defineCommand({
     validate: () => import('./commands/validate.ts').then((m) => m.default),
     scan: () => import('./commands/scan.ts').then((m) => m.default),
     rollback: () => import('./commands/rollback.ts').then((m) => m.default),
+    automations: () => import('./commands/automations.ts').then((m) => m.default),
   },
 });
 
+/** Parse `--port`/`--no-open` from a bare-command argv. */
+function parseBareArgs(argv: string[]): BareRunOpts {
+  const opts: BareRunOpts = {};
+  for (let i = 0; i < argv.length; i++) {
+    if (argv[i] === '--port' && argv[i + 1]) {
+      opts.port = Number(argv[++i]);
+    } else if (argv[i]?.startsWith('--port=')) {
+      opts.port = Number(argv[i]!.split('=')[1]);
+    } else if (argv[i] === '--no-open') {
+      opts.open = false;
+    }
+  }
+  return opts;
+}
+
 /**
  * Programmatic entry point for tests and embedding.
- * Uses runCommand directly (not runMain) to avoid the process.exit(1) wrapper
- * and process.argv manipulation.
+ *
+ * No-subcommand behaviour: autoRun() detects state and does the right thing.
+ * Subcommand: route through citty.
  */
 export async function main(argv = process.argv.slice(2)): Promise<void> {
+  if (argv.length === 1 && (argv[0] === '--version' || argv[0] === '-v')) {
+    console.log(cliPkg.version);
+    return;
+  }
+
+  const hasSubcommand = argv.length > 0 && SUBCOMMAND_NAMES.has(argv[0]!);
+  if (!hasSubcommand) {
+    await autoRun(parseBareArgs(argv));
+    return;
+  }
+
   await runCommand(mainCommand, { rawArgs: argv });
 }
 
 if (import.meta.main) {
-  await runMain(mainCommand);
+  const argv = process.argv.slice(2);
+  if (argv.length === 0 || !SUBCOMMAND_NAMES.has(argv[0]!)) {
+    if (argv[0] === '--version' || argv[0] === '-v') {
+      console.log(cliPkg.version);
+    } else {
+      await autoRun(parseBareArgs(argv));
+    }
+  } else {
+    await runMain(mainCommand);
+  }
 }

package/e2e/start-wizard-server.ts

@@ -1,59 +0,0 @@
-/**
- * Bun-only launcher for the CLI setup wizard server.
- *
- * Called from Playwright tests as a child process:
- *   bun run packages/cli/e2e/start-wizard-server.ts <port>
- *
- * Starts the wizard server on the given port with a temp config directory
- * so tests do not affect real dev state. Prints "WIZARD_READY:<port>" to
- * stdout when listening, which the Playwright test waits for.
- */
-import { createSetupServer } from "../src/setup-wizard/server.ts";
-import { mkdirSync, writeFileSync } from "node:fs";
-
-const port = parseInt(Bun.argv[2] || "18100", 10);
-const tmpBase = `/tmp/openpalm-wizard-test-${port}`;
-
-// Create minimal directory structure so the server can start.
-// API endpoints that need real files are mocked at the browser level
-// by Playwright's page.route(), so these dirs just prevent crashes.
-mkdirSync(`${tmpBase}/config`, { recursive: true });
-mkdirSync(`${tmpBase}/config/automations`, { recursive: true });
-mkdirSync(`${tmpBase}/data`, { recursive: true });
-mkdirSync(`${tmpBase}/data/assistant`, { recursive: true });
-mkdirSync(`${tmpBase}/registry/automations`, { recursive: true });
-mkdirSync(`${tmpBase}/stack`, { recursive: true });
-mkdirSync(`${tmpBase}/vault/stack`, { recursive: true });
-mkdirSync(`${tmpBase}/vault/user`, { recursive: true });
-
-writeFileSync(`${tmpBase}/vault/stack/stack.env`, "OP_SETUP_COMPLETE=false\n");
-writeFileSync(`${tmpBase}/vault/user/user.env`, "# test\n");
-
-// Seed minimal asset files so performSetup() can read them if invoked
-writeFileSync(`${tmpBase}/stack/core.compose.yml`, "services:\n  admin:\n    image: admin:latest\n");
-writeFileSync(`${tmpBase}/data/assistant/opencode.jsonc`, '{"$schema":"https://opencode.ai/config.json"}\n');
-writeFileSync(`${tmpBase}/data/assistant/AGENTS.md`, "# Agents\n");
-writeFileSync(`${tmpBase}/vault/user/user.env.schema`, "OP_ADMIN_TOKEN=string\n");
-writeFileSync(`${tmpBase}/vault/stack/stack.env.schema`, "OP_IMAGE_TAG=string\n");
-writeFileSync(`${tmpBase}/registry/automations/cleanup-logs.yml`, "name: cleanup-logs\nschedule: daily\n");
-writeFileSync(`${tmpBase}/registry/automations/cleanup-data.yml`, "name: cleanup-data\nschedule: weekly\n");
-writeFileSync(`${tmpBase}/registry/automations/validate-config.yml`, "name: validate-config\nschedule: hourly\n");
-
-// Override state/config home so the server doesn't touch real dirs.
-process.env.OP_HOME = tmpBase;
-
-const { server } = createSetupServer(port, {
-	configDir: `${tmpBase}/config`,
-});
-
-console.log(`WIZARD_READY:${port}`);
-
-// Keep alive until killed
-process.on("SIGTERM", () => {
-	server.stop();
-	process.exit(0);
-});
-process.on("SIGINT", () => {
-	server.stop();
-	process.exit(0);
-});

package/src/commands/admin.ts

@@ -1,43 +0,0 @@
-import { defineCommand } from 'citty';
-import { listEnabledAddonIds } from '@openpalm/lib';
-import { ensureValidState } from '../lib/cli-state.ts';
-import { runAddonDisableAction, runAddonEnableAction } from './addon.ts';
-
-async function runAdminStatusAction(): Promise<void> {
-  const state = ensureValidState();
-  const enabled = listEnabledAddonIds(state.homeDir).includes('admin');
-  console.log(enabled ? 'Admin addon is enabled.' : 'Admin addon is disabled.');
-}
-
-const enableCmd = defineCommand({
-  meta: { name: 'enable', description: 'Enable the admin addon' },
-  async run() {
-    await runAddonEnableAction('admin');
-  },
-});
-
-const disableCmd = defineCommand({
-  meta: { name: 'disable', description: 'Disable the admin addon' },
-  async run() {
-    await runAddonDisableAction('admin');
-  },
-});
-
-const statusCmd = defineCommand({
-  meta: { name: 'status', description: 'Show whether the admin addon is enabled' },
-  async run() {
-    await runAdminStatusAction();
-  },
-});
-
-export default defineCommand({
-  meta: {
-    name: 'admin',
-    description: 'Enable, disable, or inspect the admin addon',
-  },
-  subCommands: {
-    enable: enableCmd,
-    disable: disableCmd,
-    status: statusCmd,
-  },
-});

package/src/commands/install-services.test.ts

@@ -1,13 +0,0 @@
-import { describe, expect, it } from 'bun:test';
-import { buildDeployStatusEntries } from './install-services.ts';
-
-describe('install service helpers', () => {
-  it('builds deploy status entries for the install service list', () => {
-    const services = ['memory', 'assistant'];
-
-    expect(buildDeployStatusEntries(services, 'pending', 'Waiting...')).toEqual([
-      { service: 'memory', status: 'pending', label: 'Waiting...' },
-      { service: 'assistant', status: 'pending', label: 'Waiting...' },
-    ]);
-  });
-});

package/src/commands/install-services.ts

@@ -1,9 +0,0 @@
-export type DeployStatusState = 'pending' | 'pulling' | 'error';
-
-export function buildDeployStatusEntries(
-  services: string[],
-  status: DeployStatusState,
-  label: string,
-): Array<{ service: string; status: DeployStatusState; label: string }> {
-  return services.map(service => ({ service, status, label }));
-}

package/src/commands/upgrade.ts

@@ -1,12 +0,0 @@
-import { defineCommand } from 'citty';
-import { runUpgradeAction } from './update.ts';
-
-export default defineCommand({
-  meta: {
-    name: 'upgrade',
-    description: 'Refresh stack assets, pull latest images, and recreate containers',
-  },
-  async run() {
-    await runUpgradeAction();
-  },
-});

package/src/lib/embedded-assets.ts

@@ -1,115 +0,0 @@
-/**
- * Core assets embedded at build time via Bun text imports.
- *
- * Source of truth is .openpalm/ at the repo root. Bun inlines the file
- * contents at compile time so they're available in compiled binaries
- * without downloading from GitHub.
- */
-
-// @ts-ignore — Bun text import
-import coreCompose from "../../../../.openpalm/stack/core.compose.yml" with { type: "text" };
-// @ts-ignore — Bun text import
-import userEnvSchema from "../../../../.openpalm/vault/user/user.env.schema" with { type: "text" };
-// @ts-ignore — Bun text import
-import stackEnvSchema from "../../../../.openpalm/vault/stack/stack.env.schema" with { type: "text" };
-
-// Addon compose files
-// @ts-ignore — Bun text import
-import adminCompose from "../../../../.openpalm/registry/addons/admin/compose.yml" with { type: "text" };
-// @ts-ignore — Bun text import
-import adminSchema from "../../../../.openpalm/registry/addons/admin/.env.schema" with { type: "text" };
-// @ts-ignore — Bun text import
-import chatCompose from "../../../../.openpalm/registry/addons/chat/compose.yml" with { type: "text" };
-// @ts-ignore — Bun text import
-import chatSchema from "../../../../.openpalm/registry/addons/chat/.env.schema" with { type: "text" };
-// @ts-ignore — Bun text import
-import apiCompose from "../../../../.openpalm/registry/addons/api/compose.yml" with { type: "text" };
-// @ts-ignore — Bun text import
-import apiSchema from "../../../../.openpalm/registry/addons/api/.env.schema" with { type: "text" };
-// @ts-ignore — Bun text import
-import discordCompose from "../../../../.openpalm/registry/addons/discord/compose.yml" with { type: "text" };
-// @ts-ignore — Bun text import
-import discordSchema from "../../../../.openpalm/registry/addons/discord/.env.schema" with { type: "text" };
-// @ts-ignore — Bun text import
-import slackCompose from "../../../../.openpalm/registry/addons/slack/compose.yml" with { type: "text" };
-// @ts-ignore — Bun text import
-import slackSchema from "../../../../.openpalm/registry/addons/slack/.env.schema" with { type: "text" };
-// @ts-ignore — Bun text import
-import ollamaCompose from "../../../../.openpalm/registry/addons/ollama/compose.yml" with { type: "text" };
-// @ts-ignore — Bun text import
-import ollamaSchema from "../../../../.openpalm/registry/addons/ollama/.env.schema" with { type: "text" };
-// @ts-ignore — Bun text import
-import voiceCompose from "../../../../.openpalm/registry/addons/voice/compose.yml" with { type: "text" };
-// @ts-ignore — Bun text import
-import voiceSchema from "../../../../.openpalm/registry/addons/voice/.env.schema" with { type: "text" };
-// @ts-ignore — Bun text import
-import openvikingCompose from "../../../../.openpalm/registry/addons/openviking/compose.yml" with { type: "text" };
-// @ts-ignore — Bun text import
-import openvikingSchema from "../../../../.openpalm/registry/addons/openviking/.env.schema" with { type: "text" };
-// @ts-ignore — Bun text import
-import openvikingConfig from "../../../../.openpalm/registry/addons/openviking/config/ov.conf" with { type: "text" };
-// @ts-ignore — Bun text import
-import memoryConfigTemplate from "../../../../.openpalm/config/memory/memory.conf.json" with { type: "text" };
-// @ts-ignore — Bun text import
-import cleanupLogsAutomation from "../../../../.openpalm/registry/automations/cleanup-logs.yml" with { type: "text" };
-// @ts-ignore — Bun text import
-import cleanupDataAutomation from "../../../../.openpalm/registry/automations/cleanup-data.yml" with { type: "text" };
-// @ts-ignore — Bun text import
-import validateConfigAutomation from "../../../../.openpalm/registry/automations/validate-config.yml" with { type: "text" };
-// @ts-ignore — Bun text import
-import healthCheckAutomation from "../../../../.openpalm/registry/automations/health-check.yml" with { type: "text" };
-// @ts-ignore — Bun text import
-import promptAssistantAutomation from "../../../../.openpalm/registry/automations/prompt-assistant.yml" with { type: "text" };
-// @ts-ignore — Bun text import
-import updateContainersAutomation from "../../../../.openpalm/registry/automations/update-containers.yml" with { type: "text" };
-// @ts-ignore — Bun text import
-import assistantDailyBriefingAutomation from "../../../../.openpalm/registry/automations/assistant-daily-briefing.yml" with { type: "text" };
-
-export const EMBEDDED_ASSETS: Record<string, string> = {
-  "stack/core.compose.yml": coreCompose,
-  "registry/addons/admin/compose.yml": adminCompose,
-  "registry/addons/admin/.env.schema": adminSchema,
-  "registry/addons/chat/compose.yml": chatCompose,
-  "registry/addons/chat/.env.schema": chatSchema,
-  "registry/addons/api/compose.yml": apiCompose,
-  "registry/addons/api/.env.schema": apiSchema,
-  "registry/addons/discord/compose.yml": discordCompose,
-  "registry/addons/discord/.env.schema": discordSchema,
-  "registry/addons/slack/compose.yml": slackCompose,
-  "registry/addons/slack/.env.schema": slackSchema,
-  "registry/addons/ollama/compose.yml": ollamaCompose,
-  "registry/addons/ollama/.env.schema": ollamaSchema,
-  "registry/addons/voice/compose.yml": voiceCompose,
-  "registry/addons/voice/.env.schema": voiceSchema,
-  "registry/addons/openviking/compose.yml": openvikingCompose,
-  "registry/addons/openviking/.env.schema": openvikingSchema,
-  "registry/addons/openviking/config/ov.conf": openvikingConfig,
-  "config/memory/memory.conf.json": memoryConfigTemplate,
-  "registry/automations/cleanup-logs.yml": cleanupLogsAutomation,
-  "registry/automations/cleanup-data.yml": cleanupDataAutomation,
-  "registry/automations/validate-config.yml": validateConfigAutomation,
-  "registry/automations/health-check.yml": healthCheckAutomation,
-  "registry/automations/prompt-assistant.yml": promptAssistantAutomation,
-  "registry/automations/update-containers.yml": updateContainersAutomation,
-  "registry/automations/assistant-daily-briefing.yml": assistantDailyBriefingAutomation,
-  "vault/user/user.env.schema": userEnvSchema,
-  "vault/stack/stack.env.schema": stackEnvSchema,
-};
-
-/**
- * Seed critical assets from embedded content (compiled into the Bun binary).
- * Only writes files that don't already exist — never overwrites user edits.
- *
- * CLI-only — the admin reads assets from the filesystem at runtime.
- */
-import { existsSync, mkdirSync, writeFileSync } from "node:fs";
-import { dirname, join } from "node:path";
-
-export function seedEmbeddedAssets(homeDir: string): void {
-  for (const [relPath, content] of Object.entries(EMBEDDED_ASSETS)) {
-    const targetPath = join(homeDir, relPath);
-    if (existsSync(targetPath)) continue;
-    mkdirSync(dirname(targetPath), { recursive: true });
-    writeFileSync(targetPath, content);
-  }
-}

package/src/lib/varlock.ts

@@ -1,126 +0,0 @@
-import { copyFile, mkdir, mkdtemp, unlink } from 'node:fs/promises';
-import { tmpdir } from 'node:os';
-import { join } from 'node:path';
-
-const VARLOCK_VERSION = '0.4.0';
-
-const VARLOCK_CHECKSUMS: Record<string, string> = {
-  'varlock-linux-x64.tar.gz': '820295b271cece2679b2b9701b5285ce39354fc2f35797365fa36c70125f51ab',
-  'varlock-linux-arm64.tar.gz': 'e830baaa901b6389ecf281bdd2449bfaf7586e91fd3a7a038ec06f78e6fa92f8',
-  'varlock-macos-x64.tar.gz': 'e6abf0d97da8ff7c98b0e9044a8b71f48fbf74a0d7bfc2543a81575a07b7a03b',
-  'varlock-macos-arm64.tar.gz': '228e4c2666b9fa50a83a8713a848e7a0f0044d7fd7c9d441d43e6ebccad2f4a3',
-};
-
-function varlockArtifactName(): string {
-  const platformMap: Record<string, string> = {
-    linux: 'linux',
-    darwin: 'macos',
-  };
-  const archMap: Record<string, string> = {
-    x64: 'x64',
-    arm64: 'arm64',
-  };
-
-  const os = platformMap[process.platform];
-  const arch = archMap[process.arch];
-
-  if (!os || !arch) {
-    throw new Error(
-      `Unsupported platform/arch for varlock: ${process.platform}/${process.arch}. ` +
-        `Supported: linux/x64, linux/arm64, darwin/x64, darwin/arm64.`,
-    );
-  }
-
-  return `varlock-${os}-${arch}.tar.gz`;
-}
-
-/**
- * Co-locate a schema and env file in a temp directory so varlock can discover them.
- */
-export async function prepareVarlockDir(schemaPath: string, envPath: string): Promise<string> {
-  const dir = await mkdtemp(join(tmpdir(), 'varlock-'));
-  await copyFile(schemaPath, join(dir, '.env.schema'));
-  await copyFile(envPath, join(dir, '.env'));
-  return dir;
-}
-
-/**
- * Downloads varlock binary and caches it in ~/.cache/openpalm/bin/.
- * Skips download if binary already exists.
- */
-export async function ensureVarlock(): Promise<string> {
-  const { resolveCacheHome } = await import('@openpalm/lib');
-  const binDir = join(resolveCacheHome(), 'bin');
-  const varlockBin = join(binDir, 'varlock');
-
-  if (await Bun.file(varlockBin).exists()) {
-    return varlockBin;
-  }
-
-  await mkdir(binDir, { recursive: true });
-
-  const artifact = varlockArtifactName();
-  const expectedHash = VARLOCK_CHECKSUMS[artifact];
-  if (!expectedHash) {
-    throw new Error(
-      `No SHA-256 checksum on record for ${artifact}. ` +
-        `Cannot verify download integrity.`,
-    );
-  }
-
-  const tarballUrl = `https://github.com/dmno-dev/varlock/releases/download/varlock%40${VARLOCK_VERSION}/${artifact}`;
-  const tarballPath = join(binDir, 'varlock.tar.gz');
-
-  const response = await fetch(tarballUrl, { signal: AbortSignal.timeout(60_000) });
-  if (!response.ok) {
-    throw new Error(`Failed to download varlock tarball (HTTP ${response.status} ${response.statusText})`);
-  }
-  await Bun.write(tarballPath, response);
-
-  const hasher = new Bun.CryptoHasher('sha256');
-  hasher.update(await Bun.file(tarballPath).arrayBuffer());
-  const actualHash = hasher.digest('hex');
-  if (actualHash !== expectedHash) {
-    try { await unlink(tarballPath); } catch { /* best effort */ }
-    throw new Error(
-      `varlock tarball SHA-256 verification failed — download may be corrupted.\n` +
-        `  Expected: ${expectedHash}\n` +
-        `  Actual:   ${actualHash}`,
-    );
-  }
-
-  const extractProc = Bun.spawn(
-    ['tar', 'xzf', tarballPath, '--strip-components=1', '-C', binDir],
-    {
-      env: { ...process.env, HOME: process.env.HOME ?? '' },
-      stdout: 'inherit',
-      stderr: 'inherit',
-    },
-  );
-  const extractCode = await extractProc.exited;
-  if (extractCode !== 0) {
-    throw new Error(`Failed to extract varlock tarball (tar exited with code ${extractCode})`);
-  }
-
-  try { await unlink(tarballPath); } catch { /* best effort */ }
-
-  const chmodProc = Bun.spawn(['chmod', '+x', varlockBin]);
-  const chmodCode = await chmodProc.exited;
-  if (chmodCode !== 0) {
-    throw new Error(`chmod +x failed for varlock binary (exit code ${chmodCode})`);
-  }
-
-  // macOS: clear quarantine flag and ad-hoc codesign so Gatekeeper does not kill the binary
-  if (process.platform === 'darwin') {
-    const xattr = Bun.spawn(['xattr', '-cr', varlockBin], { stdout: 'ignore', stderr: 'ignore' });
-    await xattr.exited;
-    const codesign = Bun.spawn(['codesign', '--force', '--sign', '-', varlockBin], { stdout: 'ignore', stderr: 'ignore' });
-    await codesign.exited;
-  }
-
-  if (!(await Bun.file(varlockBin).exists())) {
-    throw new Error(`varlock binary not found at ${varlockBin} after install`);
-  }
-
-  return varlockBin;
-}