patchrelay 0.14.0 → 0.14.1

package/README.md

@@ -150,14 +150,14 @@ patchrelay init https://patchrelay.example.com
 
 `patchrelay init` requires the public HTTPS origin up front because Linear needs a fixed webhook URL and OAuth callback URL for this PatchRelay instance.
 
-It creates the local config, env file, and user service units:
+It creates the local config, env file, and system service units:
 
 - `~/.config/patchrelay/runtime.env`
 - `~/.config/patchrelay/service.env`
 - `~/.config/patchrelay/patchrelay.json`
-- `~/.config/systemd/user/patchrelay.service`
-- `~/.config/systemd/user/patchrelay-reload.service`
-- `~/.config/systemd/user/patchrelay.path`
+- `/etc/systemd/system/patchrelay.service`
+- `/etc/systemd/system/patchrelay-reload.service`
+- `/etc/systemd/system/patchrelay.path`
 
 The generated `patchrelay.json` is intentionally minimal, and `patchrelay init` prints the webhook URL, OAuth callback URL, and the Linear app values you need next.
 

package/dist/build-info.json

@@ -1,6 +1,6 @@
 {
   "service": "patchrelay",
-  "version": "0.14.0",
-  "commit": "e8b5806460ef",
-  "builtAt": "2026-03-25T09:41:38.220Z"
+  "version": "0.14.1",
+  "commit": "ceb28a181ab2",
+  "builtAt": "2026-03-25T11:27:52.659Z"
 }

package/dist/cli/commands/project.js

@@ -1,5 +1,5 @@
 import { loadConfig } from "../../config.js";
-import { installUserServiceUnits, upsertProjectInConfig } from "../../install.js";
+import { installServiceUnits, upsertProjectInConfig } from "../../install.js";
 import { hasHelpFlag, parseCsvFlag } from "../args.js";
 import { runConnectFlow, parseTimeoutSeconds } from "../connect-flow.js";
 import { CliUsageError } from "../errors.js";
@@ -30,7 +30,7 @@ export async function handleProjectCommand(params) {
         issueKeyPrefixes: parseCsvFlag(params.parsed.flags.get("issue-prefix")),
         linearTeamIds: parseCsvFlag(params.parsed.flags.get("team-id")),
     });
-    const serviceUnits = await installUserServiceUnits();
+    const serviceUnits = await installServiceUnits();
     const noConnect = params.parsed.flags.get("no-connect") === true;
     const lines = [
         `Config file: ${result.configPath}`,
@@ -66,7 +66,7 @@ export async function handleProjectCommand(params) {
         return 0;
     }
     const { runPreflight } = await import("../../preflight.js");
-    const report = await runPreflight(fullConfig);
+    const report = await runPreflight(fullConfig, { skipServiceCheck: true });
     const failedChecks = report.checks.filter((check) => check.status === "fail");
     if (failedChecks.length > 0) {
         if (params.json) {

package/dist/cli/commands/setup.js

@@ -1,5 +1,5 @@
-import { getDefaultConfigPath, getDefaultRuntimeEnvPath, getDefaultServiceEnvPath, getSystemdUserPathUnitPath, getSystemdUserReloadUnitPath, getSystemdUserUnitPath, } from "../../runtime-paths.js";
-import { initializePatchRelayHome, installUserServiceUnits } from "../../install.js";
+import { getDefaultConfigPath, getDefaultRuntimeEnvPath, getDefaultServiceEnvPath, getSystemdPathUnitPath, getSystemdReloadUnitPath, getSystemdUnitPath, } from "../../runtime-paths.js";
+import { initializePatchRelayHome, installServiceUnits } from "../../install.js";
 import { formatJson } from "../formatters/json.js";
 import { writeOutput } from "../output.js";
 import { installServiceCommands, restartServiceCommands, runServiceCommands, tryManageService } from "../service-commands.js";
@@ -20,7 +20,7 @@ export async function handleInitCommand(params) {
             force: params.parsed.flags.get("force") === true,
             publicBaseUrl,
         });
-        const serviceUnits = await installUserServiceUnits({ force: params.parsed.flags.get("force") === true });
+        const serviceUnits = await installServiceUnits({ force: params.parsed.flags.get("force") === true });
         const serviceState = await tryManageService(params.runInteractive, installServiceCommands());
         writeOutput(params.stdout, params.json
             ? formatJson({ ...result, serviceUnits, serviceState })
@@ -43,7 +43,7 @@ export async function handleInitCommand(params) {
                 "Created with defaults:",
                 `- Config file contains only machine-level essentials such as server.public_base_url`,
                 `- Database, logs, bind address, and worktree roots use built-in defaults`,
-                `- The user service and config watcher are installed for you`,
+                `- The system service and config watcher are installed for you`,
                 "",
                 "Register the app in Linear:",
                 "- Open Linear Settings > API > Applications",
@@ -85,7 +85,7 @@ export async function handleInitCommand(params) {
 }
 export async function handleInstallServiceCommand(params) {
     try {
-        const result = await installUserServiceUnits({ force: params.parsed.flags.get("force") === true });
+        const result = await installServiceUnits({ force: params.parsed.flags.get("force") === true });
         const writeOnly = params.parsed.flags.get("write-only") === true;
         if (!writeOnly) {
             await runServiceCommands(params.runInteractive, installServiceCommands());
@@ -100,8 +100,8 @@ export async function handleInstallServiceCommand(params) {
                 `Service env: ${result.serviceEnvPath}`,
                 `Config file: ${result.configPath}`,
                 writeOnly
-                    ? "Service units written. Start them with: systemctl --user daemon-reload && systemctl --user enable --now patchrelay.path && systemctl --user enable patchrelay.service && systemctl --user reload-or-restart patchrelay.service"
-                    : "PatchRelay user service and config watcher are installed and running.",
+                    ? "Service units written. Start them with: sudo systemctl daemon-reload && sudo systemctl enable --now patchrelay.path && sudo systemctl enable patchrelay.service && sudo systemctl reload-or-restart patchrelay.service"
+                    : "PatchRelay system service and config watcher are installed and running.",
                 "After package updates, run: patchrelay restart-service",
             ].join("\n") + "\n");
         return 0;
@@ -117,15 +117,15 @@ export async function handleRestartServiceCommand(params) {
         writeOutput(params.stdout, params.json
             ? formatJson({
                 service: "patchrelay",
-                unitPath: getSystemdUserUnitPath(),
-                reloadUnitPath: getSystemdUserReloadUnitPath(),
-                pathUnitPath: getSystemdUserPathUnitPath(),
+                unitPath: getSystemdUnitPath(),
+                reloadUnitPath: getSystemdReloadUnitPath(),
+                pathUnitPath: getSystemdPathUnitPath(),
                 runtimeEnvPath: getDefaultRuntimeEnvPath(),
                 serviceEnvPath: getDefaultServiceEnvPath(),
                 configPath: getDefaultConfigPath(),
                 restarted: true,
             })
-            : "Reloaded systemd user units and reload-or-restart was requested for PatchRelay.\n");
+            : "Reloaded systemd units and reload-or-restart was requested for PatchRelay.\n");
         return 0;
     }
     catch (error) {

package/dist/cli/help.js

@@ -23,7 +23,7 @@ export function rootHelpText() {
         "  PatchRelay already defaults the local bind address, database path, log path, worktree",
         "  root, and Codex runner settings. In the normal",
         "  case you only need the public URL, the required secrets, and at least one project.",
-        "  `patchrelay init` installs the user service and config watcher, and `project apply`",
+        "  `patchrelay init` installs the system service and config watcher, and `project apply`",
         "  upserts the repo config and reuses or starts the Linear connection flow.",
         "",
         "Commands:",
@@ -32,8 +32,8 @@ export function rootHelpText() {
         "  project apply <id> <repo-path> [--issue-prefix <prefixes>] [--team-id <ids>] [--no-connect] [--no-open] [--timeout <seconds>] [--json]",
         "                                                          Upsert one local repository and connect it to Linear when ready",
         "  doctor [--json]                                         Check secrets, paths, git, and codex",
-        "  install-service [--force] [--write-only] [--json]      Reinstall the systemd user service and watcher",
-        "  restart-service [--json]                               Reload-or-restart the systemd user service",
+        "  install-service [--force] [--write-only] [--json]      Reinstall the systemd system service and watcher",
+        "  restart-service [--json]                               Reload-or-restart the systemd system service",
         "  connect [--project <projectId>] [--no-open] [--timeout <seconds>] [--json]",
         "                                                          Advanced: start or reuse a Linear installation directly",
         "  installations [--json]                                 Show connected Linear installations",

package/dist/cli/service-commands.js

@@ -17,15 +17,15 @@ export async function tryManageService(runner, commands) {
 }
 export function installServiceCommands() {
     return [
-        { command: "systemctl", args: ["--user", "daemon-reload"] },
-        { command: "systemctl", args: ["--user", "enable", "--now", "patchrelay.path"] },
-        { command: "systemctl", args: ["--user", "enable", "patchrelay.service"] },
-        { command: "systemctl", args: ["--user", "reload-or-restart", "patchrelay.service"] },
+        { command: "sudo", args: ["systemctl", "daemon-reload"] },
+        { command: "sudo", args: ["systemctl", "enable", "--now", "patchrelay.path"] },
+        { command: "sudo", args: ["systemctl", "enable", "patchrelay.service"] },
+        { command: "sudo", args: ["systemctl", "reload-or-restart", "patchrelay.service"] },
     ];
 }
 export function restartServiceCommands() {
     return [
-        { command: "systemctl", args: ["--user", "daemon-reload"] },
-        { command: "systemctl", args: ["--user", "reload-or-restart", "patchrelay.service"] },
+        { command: "sudo", args: ["systemctl", "daemon-reload"] },
+        { command: "sudo", args: ["systemctl", "reload-or-restart", "patchrelay.service"] },
     ];
 }

package/dist/install.js

@@ -3,7 +3,7 @@ import { basename, dirname } from "node:path";
 import { existsSync } from "node:fs";
 import { mkdir, readFile, writeFile } from "node:fs/promises";
 import { homedir } from "node:os";
-import { getDefaultConfigPath, getDefaultDatabasePath, getDefaultRuntimeEnvPath, getDefaultServiceEnvPath, getDefaultLogPath, getDefaultWebhookArchiveDir, getPatchRelayConfigDir, getPatchRelayDataDir, getPatchRelayStateDir, getSystemdUserPathUnitPath, getSystemdUserReloadUnitPath, getSystemdUserUnitPath, readBundledAsset, } from "./runtime-paths.js";
+import { getDefaultConfigPath, getDefaultDatabasePath, getDefaultRuntimeEnvPath, getDefaultServiceEnvPath, getDefaultLogPath, getDefaultWebhookArchiveDir, getPatchRelayConfigDir, getPatchRelayDataDir, getPatchRelayStateDir, getSystemdPathUnitPath, getSystemdReloadUnitPath, getSystemdUnitPath, readBundledAsset, } from "./runtime-paths.js";
 import { loadConfig } from "./config.js";
 import { enforceArbitraryFilePermissions } from "./file-permissions.js";
 import { ensureAbsolutePath } from "./utils.js";
@@ -175,11 +175,11 @@ export async function initializePatchRelayHome(options) {
             : {}),
     };
 }
-export async function installUserServiceUnits(options) {
+export async function installServiceUnits(options) {
     const force = options?.force ?? false;
-    const unitPath = getSystemdUserUnitPath();
-    const reloadUnitPath = getSystemdUserReloadUnitPath();
-    const pathUnitPath = getSystemdUserPathUnitPath();
+    const unitPath = getSystemdUnitPath();
+    const reloadUnitPath = getSystemdReloadUnitPath();
+    const pathUnitPath = getSystemdPathUnitPath();
     const serviceStatus = await writeTemplateFile(unitPath, renderTemplate(readBundledAsset("infra/patchrelay.service")), force);
     const reloadStatus = await writeTemplateFile(reloadUnitPath, renderTemplate(readBundledAsset("infra/patchrelay-reload.service")), force);
     const pathStatus = await writeTemplateFile(pathUnitPath, renderTemplate(readBundledAsset("infra/patchrelay.path")), force);

package/dist/preflight.js

@@ -2,34 +2,15 @@ import { accessSync, constants, existsSync, mkdirSync, statSync } from "node:fs"
 import path from "node:path";
 import { runPatchRelayMigrations } from "./db/migrations.js";
 import { SqliteConnection } from "./db/shared.js";
-import { resolveSecret } from "./resolve-secret.js";
 import { execCommand } from "./utils.js";
 export async function runPreflight(config, options) {
     const connectivity = options?.connectivity ?? true;
+    const skipServiceCheck = options?.skipServiceCheck ?? false;
     const checks = [];
-    if (!config.linear.webhookSecret) {
-        checks.push(fail("linear", "LINEAR_WEBHOOK_SECRET is missing"));
-    }
-    else {
-        checks.push(pass("linear", "Linear webhook secret is configured"));
-    }
-    if (!config.linear.oauth.clientId) {
-        checks.push(fail("linear_oauth", "LINEAR_OAUTH_CLIENT_ID is missing"));
-    }
-    else {
-        checks.push(pass("linear_oauth", `Linear OAuth is configured with actor=${config.linear.oauth.actor}`));
-    }
-    if (!config.linear.oauth.clientSecret) {
-        checks.push(fail("linear_oauth", "LINEAR_OAUTH_CLIENT_SECRET is missing"));
-    }
-    else {
-        checks.push(pass("linear_oauth", "Linear OAuth client secret is configured"));
-    }
-    if (!config.linear.tokenEncryptionKey) {
-        checks.push(fail("linear_oauth", "PATCHRELAY_TOKEN_ENCRYPTION_KEY is missing"));
-    }
-    else {
-        checks.push(pass("linear_oauth", "Token encryption key is configured"));
+    // Secrets are managed by systemd credstore — the CLI cannot read them directly.
+    // Instead, query the running service's readiness endpoint to verify secrets are loaded.
+    if (!skipServiceCheck) {
+        checks.push(await checkServiceReadiness(config));
     }
     if (config.linear.oauth.actor === "app") {
         const scopes = new Set(config.linear.oauth.scopes);
@@ -84,24 +65,44 @@ export async function runPreflight(config, options) {
     }
     checks.push(await checkExecutable("git", config.runner.gitBin));
     checks.push(await checkExecutable("codex", config.runner.codex.bin));
-    // Connectivity checks — verify secrets actually work against live APIs.
+    // Connectivity checks — verify external APIs are reachable.
     // Skipped when graphqlUrl uses a non-routable domain (.example, .test, .invalid).
     const skipConnectivity = !connectivity || isNonRoutableDomain(config.linear.graphqlUrl);
     if (!skipConnectivity) {
-        if (config.linear.oauth.clientId && config.linear.oauth.clientSecret) {
-            checks.push(await checkLinearApi(config.linear.graphqlUrl));
-        }
-        const ghAppId = process.env.PATCHRELAY_GITHUB_APP_ID;
-        const ghAppKey = resolveSecret("github-app-pem", "PATCHRELAY_GITHUB_APP_PRIVATE_KEY");
-        if (ghAppId && ghAppKey) {
-            checks.push(await checkGitHubApp(ghAppId, ghAppKey));
-        }
+        checks.push(await checkLinearApi(config.linear.graphqlUrl));
     }
     return {
         checks,
         ok: checks.every((check) => check.status !== "fail"),
     };
 }
+async function checkServiceReadiness(config) {
+    const host = config.server.bind === "0.0.0.0" ? "127.0.0.1" : config.server.bind;
+    const url = `http://${host}:${config.server.port}${config.server.readinessPath}`;
+    try {
+        const response = await fetch(url, { signal: AbortSignal.timeout(3000) });
+        const body = await response.json();
+        if (response.ok && body.ready) {
+            const parts = ["Service is running and ready"];
+            if (body.version)
+                parts[0] += ` (v${body.version})`;
+            if (body.codexStarted)
+                parts.push("codex started");
+            if (body.linearConnected)
+                parts.push("Linear connected");
+            return pass("service", parts.join(", "));
+        }
+        const issues = [];
+        if (!body.codexStarted)
+            issues.push("codex not started");
+        if (!body.linearConnected)
+            issues.push("Linear not connected");
+        return warn("service", `Service is running but not ready: ${issues.join(", ") || "unknown reason"}`);
+    }
+    catch {
+        return fail("service", `Service is not reachable at ${url} — is it running? (sudo systemctl status patchrelay)`);
+    }
+}
 async function checkLinearApi(graphqlUrl) {
     try {
         const response = await fetch(graphqlUrl, {
@@ -119,44 +120,6 @@ async function checkLinearApi(graphqlUrl) {
         return fail("linear_api", `Linear GraphQL API is unreachable at ${graphqlUrl}: ${formatError(error)}`);
     }
 }
-async function checkGitHubApp(appId, privateKey) {
-    try {
-        const { createSign } = await import("node:crypto");
-        const now = Math.floor(Date.now() / 1000);
-        const header = Buffer.from(JSON.stringify({ alg: "RS256", typ: "JWT" })).toString("base64url");
-        const payload = Buffer.from(JSON.stringify({ iat: now - 60, exp: now + 120, iss: appId })).toString("base64url");
-        const signer = createSign("RSA-SHA256");
-        signer.update(`${header}.${payload}`);
-        let signature;
-        try {
-            signature = signer.sign(privateKey, "base64url");
-        }
-        catch (error) {
-            return fail("github_app", `GitHub App private key is invalid: ${formatError(error)}`);
-        }
-        const jwt = `${header}.${payload}.${signature}`;
-        const response = await fetch("https://api.github.com/app", {
-            headers: {
-                Authorization: `Bearer ${jwt}`,
-                Accept: "application/vnd.github+json",
-                "X-GitHub-Api-Version": "2022-11-28",
-            },
-            signal: AbortSignal.timeout(5000),
-        });
-        if (response.ok) {
-            const app = await response.json();
-            const label = app.slug ?? app.name ?? appId;
-            return pass("github_app", `GitHub App authenticated as "${label}"`);
-        }
-        if (response.status === 401) {
-            return fail("github_app", "GitHub App authentication failed — check APP_ID and private key");
-        }
-        return warn("github_app", `GitHub App API returned ${response.status}`);
-    }
-    catch (error) {
-        return fail("github_app", `GitHub API is unreachable: ${formatError(error)}`);
-    }
-}
 function checkDatabaseHealth(config) {
     const checks = [];
     let connection;

package/dist/runtime-paths.js

@@ -14,7 +14,7 @@ export function getPatchRelayPathLayout() {
     const serviceEnvPath = path.join(configDir, "service.env");
     const stateDir = path.join(xdgStateHome, "patchrelay");
     const shareDir = path.join(xdgDataHome, "patchrelay");
-    const systemdUserDir = path.join(xdgConfigHome, "systemd", "user");
+    const systemdDir = process.env.PATCHRELAY_SYSTEMD_DIR ?? "/etc/systemd/system";
     return {
         homeDir,
         configDir,
@@ -25,10 +25,10 @@ export function getPatchRelayPathLayout() {
         shareDir,
         databasePath: ensureAbsolutePath(process.env.PATCHRELAY_DB_PATH ?? path.join(stateDir, "patchrelay.sqlite")),
         logFilePath: ensureAbsolutePath(process.env.PATCHRELAY_LOG_FILE ?? path.join(stateDir, "patchrelay.log")),
-        systemdUserDir,
-        systemdUnitPath: path.join(systemdUserDir, "patchrelay.service"),
-        systemdReloadUnitPath: path.join(systemdUserDir, "patchrelay-reload.service"),
-        systemdPathUnitPath: path.join(systemdUserDir, "patchrelay.path"),
+        systemdDir,
+        systemdUnitPath: path.join(systemdDir, "patchrelay.service"),
+        systemdReloadUnitPath: path.join(systemdDir, "patchrelay-reload.service"),
+        systemdPathUnitPath: path.join(systemdDir, "patchrelay.path"),
     };
 }
 export function getPatchRelayConfigDir() {
@@ -58,13 +58,13 @@ export function getDefaultLogPath() {
 export function getDefaultWebhookArchiveDir() {
     return path.join(getPatchRelayStateDir(), "webhooks");
 }
-export function getSystemdUserUnitPath() {
+export function getSystemdUnitPath() {
     return getPatchRelayPathLayout().systemdUnitPath;
 }
-export function getSystemdUserReloadUnitPath() {
+export function getSystemdReloadUnitPath() {
     return getPatchRelayPathLayout().systemdReloadUnitPath;
 }
-export function getSystemdUserPathUnitPath() {
+export function getSystemdPathUnitPath() {
     return getPatchRelayPathLayout().systemdPathUnitPath;
 }
 export function getPackageRoot() {

package/infra/patchrelay-reload.service

@@ -1,6 +1,6 @@
 [Unit]
-Description=PatchRelay reload helper (systemd user service)
+Description=PatchRelay reload helper
 
 [Service]
 Type=oneshot
-ExecStart=/usr/bin/env systemctl --user reload-or-restart patchrelay.service
+ExecStart=/usr/bin/env systemctl reload-or-restart patchrelay.service

package/infra/patchrelay.path

@@ -10,4 +10,4 @@ TriggerLimitIntervalSec=5
 TriggerLimitBurst=1
 
 [Install]
-WantedBy=default.target
+WantedBy=multi-user.target

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "patchrelay",
-  "version": "0.14.0",
+  "version": "0.14.1",
   "license": "MIT",
   "type": "module",
   "repository": {