Telegram-approved temporary broad NOPASSWD sudoers window for personal macOS agents
Project description
sudo-request
sudo-request v1 is a personal macOS tool for agent workflows that get blocked
by sudo prompts.
It does not emulate sudo -v and it does not store a sudo password. A root
daemon waits for Telegram approval, then briefly installs a broad sudoers
exception for the requesting local user:
USER ALL=(ALL) NOPASSWD: ALL
The original command is still executed by the user-level CLI, not by the root daemon.
This is intentionally broad. While the window is open, any same-user process can use passwordless sudo. v1 is for personal development machines, not multi-user or managed security environments.
Commands
sudo-request run -- <command> [args...]
sudo-request status
sudo-request cancel <request-id>
sudo-request doctor
sudo-request daemon --foreground
sudo-request update-itself [--source <checkout>] [--window-seconds N]
sudo-request cleanup
sudo sudo-request install
sudo sudo-request uninstall
sudo sudo-request install-daemon
sudo sudo-request uninstall-daemon
Install
install is the low-level root operation. update-itself is the normal
approval-based way to refresh an installed copy from a source checkout.
From this source checkout:
sudo uv run sudo-request install
After the package is published, a package-based install can also be started from an installed or ephemeral package command:
sudo uvx --from sudo-request sudo-request install
This copies the tool to /usr/local/libexec/sudo-request, writes a PATH wrapper
at /usr/local/bin/sudo-request, and installs a launchd daemon.
After install:
sudo-request init
sudo-request doctor
sudo-request run -- /bin/echo ok
Install only writes the root-owned tool files and launchd daemon. Telegram
approval is not usable until the user-level config is created with
sudo-request init.
Reinstall from the checkout when the installed copy should be updated:
uv run sudo-request update-itself
If running from the installed command instead of the source checkout, pass the checkout explicitly:
sudo-request update-itself --source <absolute_path_to_sudo-request_checkout>
During reinstall the daemon may restart before the CLI can send its final close request. If cleanup already happened, this is reported as:
sudo-request: error status=daemon_unreachable request_id=<id> action=close_request broad_rule=not_installed error_type=<error> message=<detail>
See docs/operations.md for the detailed update flow, post-update verification, and sudo-request command patterns.
Uninstall:
sudo sudo-request uninstall
Config
The recommended setup path is:
sudo-request init
It creates ~/.config/sudo-request/config.toml and the Telegram bot token file.
If config already exists, init reports the existing path and prompts again;
press Enter to keep an existing token or allowed user id, or enter a new value
to overwrite it. The resulting config has this shape:
telegram_bot_token_file = "~/.config/sudo-request/telegram_bot_token"
telegram_allowed_user_ids = [123456789]
approval_timeout_seconds = 90
approval_wait_heartbeat_seconds = 10
broad_window_seconds_default = 30
broad_window_seconds_max = 300
Put the Telegram bot token in:
~/.config/sudo-request/telegram_bot_token
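An added check, not part of sudo-request itself: the script below finds broad NOPASSWD rules of the form shown earlier and reports any that have outlived broad_window_seconds_max. The page does not say where the daemon writes its rule, so the /etc/sudoers.d location is an assumption, and the function names and sample text are constructed for this example.

```python
import re
import time
from pathlib import Path

# Matches "<who> ALL=(runas) TAG: ... ALL"; tags are checked for NOPASSWD below.
RULE = re.compile(r"^(?P<who>\S+)\s+ALL\s*=\s*(?:\([^)]*\)\s*)?"
                  r"(?P<tags>(?:[A-Z_]+:\s*)+)ALL$")

# Constructed sample; "alice" stands in for the requesting local user.
SAMPLE = """\
%admin ALL=(ALL) ALL
alice ALL=(ALL) NOPASSWD: ALL
bob ALL=(ALL) NOPASSWD: /usr/bin/true
# erin ALL=(ALL) NOPASSWD: ALL
dave ALL=(ALL) \\
    NOPASSWD: ALL
"""

def broad_rules(sudoers_text):
    """Return who is granted passwordless sudo for ALL commands."""
    found = []
    # A trailing backslash continues a sudoers line; join before matching.
    for line in sudoers_text.replace("\\\n", " ").splitlines():
        line = line.strip()
        # "#" starts a comment, except "#<digits>", which names a uid.
        if not line or (line.startswith("#") and not re.match(r"#\d", line)):
            continue
        m = RULE.match(line)
        if m and "NOPASSWD:" in m.group("tags"):
            found.append(m.group("who"))
    return found

def lingering(directory, max_age_seconds, now=None):
    """List (file, who, age) for broad rules older than the window cap."""
    now = time.time() if now is None else now
    hits = []
    for path in sorted(Path(directory).iterdir()):
        if not path.is_file():
            continue
        who = broad_rules(path.read_text(errors="replace"))
        age = round(now - path.stat().st_mtime)
        if who and age > max_age_seconds:
            hits.append((path.name, who, age))
    return hits

if __name__ == "__main__":
    print(broad_rules(SAMPLE))  # parse the constructed sample
    # Assumed location; 300 is broad_window_seconds_max from the config above.
    print(lingering("/etc/sudoers.d", 300))  # run as root to read the files
```

File modification time is only a heuristic for when a rule was installed; a hit means the rule should be inspected, and sudo-request cleanup is the tool's own command for clearing state.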
Development
uv run sudo-request doctor
uv run python -m unittest discover -s tests
scripts/e2e-smoke.sh
Common local workflows are also available through Task:
task --list
task release:check
task install-source
task verify-installed
task uninstall
Detailed project-maintenance docs live under docs/:
Agent Skill
Agents that support local skills can use
skills/sudo-request-run/SKILL.md for the
safe command patterns and broad-mode warnings needed to run sudo-required work
through sudo-request.
License
MIT. See LICENSE.
File details
Details for the file sudo_request-0.1.2.tar.gz.
File metadata
- Download URL: sudo_request-0.1.2.tar.gz
- Upload date:
- Size: 24.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.11.6 {"installer":{"name":"uv","version":"0.11.6","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"macOS","version":null,"id":null,"libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":null}
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 7b1e76af1fe4fdb3c8e0daff0804f9bfba458682830375c530cfb69bb88fbe6c |
| MD5 | d3187a57d37e3bf68d88cca854017a95 |
| BLAKE2b-256 | 98e1d977dabc89f7455d78f56909619c62791d69ff56ebafab23b22a3e66cd5c |
File details
Details for the file sudo_request-0.1.2-py3-none-any.whl.
File metadata
- Download URL: sudo_request-0.1.2-py3-none-any.whl
- Upload date:
- Size: 35.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.11.6 {"installer":{"name":"uv","version":"0.11.6","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"macOS","version":null,"id":null,"libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":null}
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | abe5fe177e83c012c6ef9fff9ed0c158b751578441faff62afd0349e97603717 |
| MD5 | 9d707e14e38e1a68ad4ef2a3c77a4208 |
| BLAKE2b-256 | 6df49b8a3c4bce61dce132308b47c4985b42fa5beb9ab013460cf8210941ba6d |