Full Code of artginzburg/sudo-touchid for AI

Repository: artginzburg/sudo-touchid
Branch: main
Commit: c3e1046fdd90
Files: 14
Total size: 34.0 KB

Directory structure:
gitextract_pgmr0z7t/

├── .github/
│   └── workflows/
│       └── makefile.yml
├── .gitignore
├── Brewfile
├── Brewfile.lock.json
├── LICENSE
├── Makefile
├── README.md
├── com.user.sudo-touchid.plist
├── docs/
│   └── LEGACY_MACOS.md
├── install.sh
├── res/
│   ├── icon.psd
│   ├── preview.psd
│   └── repository-open-graph.psd
└── sudo-touchid.sh

================================================
FILE CONTENTS
================================================

================================================
FILE: .github/workflows/makefile.yml
================================================
name: Makefile CI

on:
  - push
  - pull_request

jobs:
  test:
    runs-on: macos-latest

    steps:
      - name: Checkout 🛎️
        uses: actions/checkout@v3
        with:
          fetch-depth: 1

      - name: Install dependencies
        run: make

      - name: Run check
        run: make check


================================================
FILE: .gitignore
================================================
.DS_Store


================================================
FILE: Brewfile
================================================
brew "shellcheck"


================================================
FILE: Brewfile.lock.json
================================================
{
  "entries": {
    "brew": {
      "shellcheck": {
        "version": "0.8.0",
        "bottle": {
          "rebuild": 0,
          "root_url": "https://ghcr.io/v2/homebrew/core",
          "files": {
            "arm64_monterey": {
              "cellar": ":any_skip_relocation",
              "url": "https://ghcr.io/v2/homebrew/core/shellcheck/blobs/sha256:625466bcd245a36da12ee088877d582c7e9fec1622418d1165a7d7d8f204ecc3",
              "sha256": "625466bcd245a36da12ee088877d582c7e9fec1622418d1165a7d7d8f204ecc3"
            },
            "arm64_big_sur": {
              "cellar": ":any_skip_relocation",
              "url": "https://ghcr.io/v2/homebrew/core/shellcheck/blobs/sha256:883ba5ee45554568cd1ce106dc6c090ec0745f576a4a6708332de951b03c7423",
              "sha256": "883ba5ee45554568cd1ce106dc6c090ec0745f576a4a6708332de951b03c7423"
            },
            "monterey": {
              "cellar": ":any_skip_relocation",
              "url": "https://ghcr.io/v2/homebrew/core/shellcheck/blobs/sha256:cfd8c8e8d8927dfd4b83593f539690a6083b075b0a1ff8a66578e8bb810d3db9",
              "sha256": "cfd8c8e8d8927dfd4b83593f539690a6083b075b0a1ff8a66578e8bb810d3db9"
            },
            "big_sur": {
              "cellar": ":any_skip_relocation",
              "url": "https://ghcr.io/v2/homebrew/core/shellcheck/blobs/sha256:d88edc1ae7db555ec5da01d4a1272da8260eb62073d2cdfa5fa3dce37d51fbe6",
              "sha256": "d88edc1ae7db555ec5da01d4a1272da8260eb62073d2cdfa5fa3dce37d51fbe6"
            },
            "catalina": {
              "cellar": ":any_skip_relocation",
              "url": "https://ghcr.io/v2/homebrew/core/shellcheck/blobs/sha256:24a67cd4f2b66a02cb77a1c705d7dcf25b4410209435a0b1136398da1fa6f766",
              "sha256": "24a67cd4f2b66a02cb77a1c705d7dcf25b4410209435a0b1136398da1fa6f766"
            },
            "x86_64_linux": {
              "cellar": ":any_skip_relocation",
              "url": "https://ghcr.io/v2/homebrew/core/shellcheck/blobs/sha256:961b2f3d75cf86dd5bc767cf689eee8f8e88bb30d716cf208b4bb89d61e5a553",
              "sha256": "961b2f3d75cf86dd5bc767cf689eee8f8e88bb30d716cf208b4bb89d61e5a553"
            }
          }
        }
      }
    }
  },
  "system": {
    "macos": {
      "big_sur": {
        "HOMEBREW_VERSION": "3.4.2",
        "HOMEBREW_PREFIX": "/usr/local",
        "Homebrew/homebrew-core": "c746b78fadadd6573727169a48868826b880f80f",
        "CLT": "13.2.0.0.1.1638488800",
        "Xcode": "13.2.1",
        "macOS": "11.6.2"
      }
    }
  }
}


================================================
FILE: LICENSE
================================================
Eclipse Public License - v 2.0

    THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS ECLIPSE
    PUBLIC LICENSE ("AGREEMENT"). ANY USE, REPRODUCTION OR DISTRIBUTION
    OF THE PROGRAM CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT.

1. DEFINITIONS

"Contribution" means:

  a) in the case of the initial Contributor, the initial content
     Distributed under this Agreement, and

  b) in the case of each subsequent Contributor:
     i) changes to the Program, and
     ii) additions to the Program;
  where such changes and/or additions to the Program originate from
  and are Distributed by that particular Contributor. A Contribution
  "originates" from a Contributor if it was added to the Program by
  such Contributor itself or anyone acting on such Contributor's behalf.
  Contributions do not include changes or additions to the Program that
  are not Modified Works.

"Contributor" means any person or entity that Distributes the Program.

"Licensed Patents" mean patent claims licensable by a Contributor which
are necessarily infringed by the use or sale of its Contribution alone
or when combined with the Program.

"Program" means the Contributions Distributed in accordance with this
Agreement.

"Recipient" means anyone who receives the Program under this Agreement
or any Secondary License (as applicable), including Contributors.

"Derivative Works" shall mean any work, whether in Source Code or other
form, that is based on (or derived from) the Program and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship.

"Modified Works" shall mean any work in Source Code or other form that
results from an addition to, deletion from, or modification of the
contents of the Program, including, for purposes of clarity any new file
in Source Code form that contains any contents of the Program. Modified
Works shall not include works that contain only declarations,
interfaces, types, classes, structures, or files of the Program solely
in each case in order to link to, bind by name, or subclass the Program
or Modified Works thereof.

"Distribute" means the acts of a) distributing or b) making available
in any manner that enables the transfer of a copy.

"Source Code" means the form of a Program preferred for making
modifications, including but not limited to software source code,
documentation source, and configuration files.

"Secondary License" means either the GNU General Public License,
Version 2.0, or any later versions of that license, including any
exceptions or additional permissions as identified by the initial
Contributor.

2. GRANT OF RIGHTS

  a) Subject to the terms of this Agreement, each Contributor hereby
  grants Recipient a non-exclusive, worldwide, royalty-free copyright
  license to reproduce, prepare Derivative Works of, publicly display,
  publicly perform, Distribute and sublicense the Contribution of such
  Contributor, if any, and such Derivative Works.

  b) Subject to the terms of this Agreement, each Contributor hereby
  grants Recipient a non-exclusive, worldwide, royalty-free patent
  license under Licensed Patents to make, use, sell, offer to sell,
  import and otherwise transfer the Contribution of such Contributor,
  if any, in Source Code or other form. This patent license shall
  apply to the combination of the Contribution and the Program if, at
  the time the Contribution is added by the Contributor, such addition
  of the Contribution causes such combination to be covered by the
  Licensed Patents. The patent license shall not apply to any other
  combinations which include the Contribution. No hardware per se is
  licensed hereunder.

  c) Recipient understands that although each Contributor grants the
  licenses to its Contributions set forth herein, no assurances are
  provided by any Contributor that the Program does not infringe the
  patent or other intellectual property rights of any other entity.
  Each Contributor disclaims any liability to Recipient for claims
  brought by any other entity based on infringement of intellectual
  property rights or otherwise. As a condition to exercising the
  rights and licenses granted hereunder, each Recipient hereby
  assumes sole responsibility to secure any other intellectual
  property rights needed, if any. For example, if a third party
  patent license is required to allow Recipient to Distribute the
  Program, it is Recipient's responsibility to acquire that license
  before distributing the Program.

  d) Each Contributor represents that to its knowledge it has
  sufficient copyright rights in its Contribution, if any, to grant
  the copyright license set forth in this Agreement.

  e) Notwithstanding the terms of any Secondary License, no
  Contributor makes additional grants to any Recipient (other than
  those set forth in this Agreement) as a result of such Recipient's
  receipt of the Program under the terms of a Secondary License
  (if permitted under the terms of Section 3).

3. REQUIREMENTS

3.1 If a Contributor Distributes the Program in any form, then:

  a) the Program must also be made available as Source Code, in
  accordance with section 3.2, and the Contributor must accompany
  the Program with a statement that the Source Code for the Program
  is available under this Agreement, and informs Recipients how to
  obtain it in a reasonable manner on or through a medium customarily
  used for software exchange; and

  b) the Contributor may Distribute the Program under a license
  different than this Agreement, provided that such license:
     i) effectively disclaims on behalf of all other Contributors all
     warranties and conditions, express and implied, including
     warranties or conditions of title and non-infringement, and
     implied warranties or conditions of merchantability and fitness
     for a particular purpose;

     ii) effectively excludes on behalf of all other Contributors all
     liability for damages, including direct, indirect, special,
     incidental and consequential damages, such as lost profits;

     iii) does not attempt to limit or alter the recipients' rights
     in the Source Code under section 3.2; and

     iv) requires any subsequent distribution of the Program by any
     party to be under a license that satisfies the requirements
     of this section 3.

3.2 When the Program is Distributed as Source Code:

  a) it must be made available under this Agreement, or if the
  Program (i) is combined with other material in a separate file or
  files made available under a Secondary License, and (ii) the initial
  Contributor attached to the Source Code the notice described in
  Exhibit A of this Agreement, then the Program may be made available
  under the terms of such Secondary Licenses, and

  b) a copy of this Agreement must be included with each copy of
  the Program.

3.3 Contributors may not remove or alter any copyright, patent,
trademark, attribution notices, disclaimers of warranty, or limitations
of liability ("notices") contained within the Program from any copy of
the Program which they Distribute, provided that Contributors may add
their own appropriate notices.

4. COMMERCIAL DISTRIBUTION

Commercial distributors of software may accept certain responsibilities
with respect to end users, business partners and the like. While this
license is intended to facilitate the commercial use of the Program,
the Contributor who includes the Program in a commercial product
offering should do so in a manner which does not create potential
liability for other Contributors. Therefore, if a Contributor includes
the Program in a commercial product offering, such Contributor
("Commercial Contributor") hereby agrees to defend and indemnify every
other Contributor ("Indemnified Contributor") against any losses,
damages and costs (collectively "Losses") arising from claims, lawsuits
and other legal actions brought by a third party against the Indemnified
Contributor to the extent caused by the acts or omissions of such
Commercial Contributor in connection with its distribution of the Program
in a commercial product offering. The obligations in this section do not
apply to any claims or Losses relating to any actual or alleged
intellectual property infringement. In order to qualify, an Indemnified
Contributor must: a) promptly notify the Commercial Contributor in
writing of such claim, and b) allow the Commercial Contributor to control,
and cooperate with the Commercial Contributor in, the defense and any
related settlement negotiations. The Indemnified Contributor may
participate in any such claim at its own expense.

For example, a Contributor might include the Program in a commercial
product offering, Product X. That Contributor is then a Commercial
Contributor. If that Commercial Contributor then makes performance
claims, or offers warranties related to Product X, those performance
claims and warranties are such Commercial Contributor's responsibility
alone. Under this section, the Commercial Contributor would have to
defend claims against the other Contributors related to those performance
claims and warranties, and if a court requires any other Contributor to
pay any damages as a result, the Commercial Contributor must pay
those damages.

5. NO WARRANTY

EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, AND TO THE EXTENT
PERMITTED BY APPLICABLE LAW, THE PROGRAM IS PROVIDED ON AN "AS IS"
BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, EITHER EXPRESS OR
IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR CONDITIONS OF
TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR
PURPOSE. Each Recipient is solely responsible for determining the
appropriateness of using and distributing the Program and assumes all
risks associated with its exercise of rights under this Agreement,
including but not limited to the risks and costs of program errors,
compliance with applicable laws, damage to or loss of data, programs
or equipment, and unavailability or interruption of operations.

6. DISCLAIMER OF LIABILITY

EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, AND TO THE EXTENT
PERMITTED BY APPLICABLE LAW, NEITHER RECIPIENT NOR ANY CONTRIBUTORS
SHALL HAVE ANY LIABILITY FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT LIMITATION LOST
PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OR DISTRIBUTION OF THE PROGRAM OR THE
EXERCISE OF ANY RIGHTS GRANTED HEREUNDER, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.

7. GENERAL

If any provision of this Agreement is invalid or unenforceable under
applicable law, it shall not affect the validity or enforceability of
the remainder of the terms of this Agreement, and without further
action by the parties hereto, such provision shall be reformed to the
minimum extent necessary to make such provision valid and enforceable.

If Recipient institutes patent litigation against any entity
(including a cross-claim or counterclaim in a lawsuit) alleging that the
Program itself (excluding combinations of the Program with other software
or hardware) infringes such Recipient's patent(s), then such Recipient's
rights granted under Section 2(b) shall terminate as of the date such
litigation is filed.

All Recipient's rights under this Agreement shall terminate if it
fails to comply with any of the material terms or conditions of this
Agreement and does not cure such failure in a reasonable period of
time after becoming aware of such noncompliance. If all Recipient's
rights under this Agreement terminate, Recipient agrees to cease use
and distribution of the Program as soon as reasonably practicable.
However, Recipient's obligations under this Agreement and any licenses
granted by Recipient relating to the Program shall continue and survive.

Everyone is permitted to copy and distribute copies of this Agreement,
but in order to avoid inconsistency the Agreement is copyrighted and
may only be modified in the following manner. The Agreement Steward
reserves the right to publish new versions (including revisions) of
this Agreement from time to time. No one other than the Agreement
Steward has the right to modify this Agreement. The Eclipse Foundation
is the initial Agreement Steward. The Eclipse Foundation may assign the
responsibility to serve as the Agreement Steward to a suitable separate
entity. Each new version of the Agreement will be given a distinguishing
version number. The Program (including Contributions) may always be
Distributed subject to the version of the Agreement under which it was
received. In addition, after a new version of the Agreement is published,
Contributor may elect to Distribute the Program (including its
Contributions) under the new version.

Except as expressly stated in Sections 2(a) and 2(b) above, Recipient
receives no rights or licenses to the intellectual property of any
Contributor under this Agreement, whether expressly, by implication,
estoppel or otherwise. All rights in the Program not expressly granted
under this Agreement are reserved. Nothing in this Agreement is intended
to be enforceable by any entity that is not a Contributor or Recipient.
No third-party beneficiary rights are created under this Agreement.

Exhibit A - Form of Secondary Licenses Notice

"This Source Code may also be made available under the following
Secondary Licenses when the conditions for such availability set forth
in the Eclipse Public License, v. 2.0 are satisfied: {name license(s),
version(s), and exceptions or additional permissions here}."

  Simply including a copy of this Agreement, including this Exhibit A
  is not sufficient to license the Source Code under Secondary Licenses.

  If it is not possible or desirable to put the notice in a particular
  file, then You may include the notice in a location (such as a LICENSE
  file in a relevant directory) where a recipient would be likely to
  look for such a notice.

  You may add additional accurate notices of copyright ownership.


================================================
FILE: Makefile
================================================
.PHONY: bundle check

bundle:
	brew bundle

check:
	shellcheck sudo-touchid.sh


================================================
FILE: README.md
================================================
<img height="128" src="res/icon.png" alt="Icon" align="left" />

# sudo-touchid

[![Downloads](https://img.shields.io/github/downloads/artginzburg/sudo-touchid/total?color=teal)](https://github.com/artginzburg/sudo-touchid/releases)
[![Donate](https://img.shields.io/badge/buy%20me%20a%20coffee-donate-white)](https://github.com/artginzburg/sudo-touchid?sponsor=1)

<div align="right">

Native and reliable [**TouchID**](https://support.apple.com/en-gb/guide/mac-help/mchl16fbf90a/mac) support for `sudo`

</div>

## Try it out <sub> &nbsp; <sup> &nbsp; without installing</sup></sub>

```bash
curl -sL git.io/sudo-touch-id | sh
```

Now `sudo` is great, just like Safari — with your fingerprint in Terminal.

> <sup>Don't worry, you can also [reverse](#usage) it</sup>

<div align="center">

<sub><sub>Result:</sub></sub>

<img alt="Preview" src="./res/preview.png" width="500vmin" />

<sub>Just type <a href="https://git.io/sudotouchid"><code>git.io/sudotouchid</code></a> to go here.</sub>

</div>

### Features

- Fast & reliable
- Written in Bash — no dependencies
- **pam_reattach support** for tmux/screen compatibility (GUI session reattachment)
- **Supports modern and legacy systems:** For macOS 13 and below, see [LEGACY_MACOS.md][legacy]

<br />

## Install

### Via [🍺 Homebrew](https://brew.sh/)

```bash
brew install artginzburg/tap/sudo-touchid
```

> Check out [the formula](https://github.com/artginzburg/homebrew-tap/blob/main/Formula/sudo-touchid.rb) if you're interested

<br />

## Usage

Copy and run this command:

```bash
sudo-touchid
```

It adds TouchID to sudo configuration, or migrates an existing legacy configuration if you're upgrading from macOS 13 or below.

```bash
# Usage:
sudo-touchid [options]
             [-v,  --version]   # Output installed version
             [-d,  --disable]   # Remove TouchID from sudo config
             [--with-reattach]  # Include pam_reattach.so for tmux/screen support
             [--migrate]        # Migrate from legacy configuration
             [--verbose]        # Show detailed output
             [-q,  --quiet]     # Show minimal output (errors only)
             [-y,  --yes]       # Skip confirmation prompts (non-interactive mode)
```

If not installed, it can be run via [`curl`][curl] <sup>bundled with macOS</sup>

```bash
sh <( curl -sL git.io/sudo-touch-id )
```

> Accepts the same arguments, like -d or -v.

<br />

### Why?

- **Productivity:** Automates TouchID setup
- **Lightweight:** Small Bash script, no builds or Xcode required
- **Reliable:** Persistent configuration across system updates

<br />

## How does it work?

**For macOS 14+:**

- Creates `/etc/pam.d/sudo_local` with TouchID configuration
- Never modifies system-managed `/etc/pam.d/sudo` file

**All versions:**

- Has a `--disable` (`-d`) option that removes all TouchID configurations.
- Optional `--with-reattach` for GUI session reattachment support
- Creates backup files during migration
- Automatically detects and migrates legacy configurations

### Manual installation

Just save `sudo-touchid.sh` as `/usr/local/bin/sudo-touchid` with execute permissions

> See [LEGACY_MACOS.md][legacy] for additional considerations on older systems

<br />

## Related

- **tmux/screen support:** [pam_reattach](https://github.com/fabianishere/pam_reattach) module (built-in via `--with-reattach`)
- **Apple Watch support:** [pam_watchid](https://github.com/biscuitehh/pam-watchid) module
- **Disable password prompt:** Change `%admin ALL=(ALL) ALL` to `%admin ALL=(ALL) NOPASSWD: ALL` in `/etc/sudoers`

[curl]: https://curl.se
[legacy]: ./docs/LEGACY_MACOS.md


================================================
FILE: com.user.sudo-touchid.plist
================================================
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>Label</key>
        <string>com.user.sudo-touchid</string>
        <key>ProgramArguments</key>
        <array>
            <string>/usr/local/bin/sudo-touchid</string>
        </array>
        <key>RunAtLoad</key>
        <true/>
        <key>KeepAlive</key>
        <false/>
    </dict>
</plist>


================================================
FILE: docs/LEGACY_MACOS.md
================================================
# Legacy macOS Support (macOS 13 and below)

> **Note:** For macOS Ventura and prior, full installation is necessary to preserve TouchID for `sudo` through system updates.

## Install

### Via [🍺 Homebrew](https://brew.sh/) (Recommended)

```bash
brew install artginzburg/tap/sudo-touchid
sudo brew services start sudo-touchid
```

> Check out [the formula](https://github.com/artginzburg/homebrew-tap/blob/main/Formula/sudo-touchid.rb) if you're interested

### Using [`curl`][curl]

```bash
curl -sL git.io/sudo-touchid | sh
```

## How it works

- Adds `auth sufficient pam_tid.so` to the top of `/etc/pam.d/sudo` file (following [@cabel's advice](https://twitter.com/cabel/status/931292107372838912)).
- Creates a backup file named `sudo.bak`.
- Optional `--with-reattach` flag adds `pam_reattach.so` before `pam_tid.so` for tmux/screen support.
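
An audit for the PAM lines this tool writes, covering both the `sudo_local` file described in the README and the legacy `/etc/pam.d/sudo` edit described here (added example, not part of the sudo-touchid project). It checks that `pam_tid.so` is `sufficient`, that `pam_reattach.so` precedes it, and that any module referenced by absolute path is root-owned and not group- or world-writable, since `sudo` loads that file during authentication. The function names and finding codes are invented for this example and the sample file is constructed.

```sh
#!/bin/sh
# Added example: audit a PAM service file such as /etc/pam.d/sudo_local.
# Findings are printed one per line as "CODE: detail"; no output means clean.

# Report ownership and write bits of a module referenced by absolute path.
check_module_path() {
  # -L follows symlinks, -n prints the numeric uid; keep uid + group/other write bits
  om=$(ls -ldnL -- "$1" 2>/dev/null |
    awk '{ print $3, substr($1, 6, 1) substr($1, 9, 1) }')
  if [ -z "$om" ]; then
    echo "MODULE_MISSING: $1 does not exist"
    return 0
  fi
  uid=${om% *}
  wbits=${om#* }
  [ "$uid" = 0 ] || echo "MODULE_OWNER: $1 is owned by uid $uid, not root"
  case $wbits in
    *w*) echo "MODULE_WRITABLE: $1 is group- or world-writable" ;;
  esac
  return 0
}

# Parse the "auth" lines of one PAM file and print findings.
audit_pam_file() {
  pam_file=$1
  if [ ! -r "$pam_file" ]; then
    echo "UNREADABLE: $pam_file"
    return 0
  fi
  awk '
    NF == 0 || $1 ~ /^#/ { next }        # skip blank lines and comments
    $1 == "auth" {
      n++
      m = 3                              # module is field 3 ...
      if ($2 ~ /^\[/) {                  # ... unless control is "[a=b c=d]"
        while (m <= NF && $(m - 1) !~ /\]$/) m++
      }
      module = $m
      if (module ~ /pam_tid\.so$/)      { tid = n; tid_ctl = $2 }
      if (module ~ /pam_reattach\.so$/) { reattach = n }
      if (module ~ /^\//)               { print "PATH " module }
    }
    END {
      if (!tid) {
        print "FINDING MISSING_TID: no auth line loads pam_tid.so"
      } else if (tid_ctl != "sufficient") {
        print "FINDING TID_CONTROL: pam_tid.so is " tid_ctl ", expected sufficient"
      }
      if (tid && reattach > tid) {
        print "FINDING ORDER: pam_reattach.so comes after pam_tid.so"
      }
    }
  ' "$pam_file" | while read -r kind rest; do
    case $kind in
      FINDING) echo "$rest" ;;
      PATH)    check_module_path "$rest" ;;
    esac
  done
}

# Constructed sample: the line format sudo-touchid writes, but in the wrong
# order and pointing at a deliberately world-writable stand-in module.
run_demo() {
  demo_dir=$(mktemp -d) || return 1
  : > "$demo_dir/pam_reattach.so"
  chmod 666 "$demo_dir/pam_reattach.so"
  cat > "$demo_dir/sudo_local" <<EOF
# TouchID for sudo - constructed sample
auth       sufficient     pam_tid.so
auth       optional       $demo_dir/pam_reattach.so
EOF
  audit_pam_file "$demo_dir/sudo_local"
  rm -rf "$demo_dir"
}

# With arguments, audit those files; without, run the constructed demo.
if [ "$#" -gt 0 ]; then
  for f in "$@"; do audit_pam_file "$f"; done
else
  run_demo
fi
```

Run it with the file to check as an argument, for example `/etc/pam.d/sudo_local` on macOS 14+ or `/etc/pam.d/sudo` on older systems.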

## Why?

macOS updates reset `/etc/pam.d/sudo`, so previously users had to manually edit the file after each upgrade. This tool automates the process by:

1. Making the `sudo-touchid` command available.
2. Auto-running on every system launch using a simple [`launchd`](https://www.launchd.info) daemon, so that when a macOS update erases the custom `sudo` configuration, `sudo-touchid` fixes it again.

### Manual installation

1. Save `sudo-touchid.sh` as `/usr/local/bin/sudo-touchid` with execute permissions
2. Save `com.user.sudo-touchid.plist` to `/Library/LaunchDaemons/` for auto-run on boot
3. Customize paths in the `.plist` file if needed

[curl]: https://curl.se


================================================
FILE: install.sh
================================================
curl -# https://raw.githubusercontent.com/artginzburg/sudo-touchid/main/sudo-touchid.sh -o /usr/local/bin/sudo-touchid && chmod +x /usr/local/bin/sudo-touchid && sudo curl -# https://raw.githubusercontent.com/artginzburg/sudo-touchid/main/com.user.sudo-touchid.plist -o /Library/LaunchDaemons/com.user.sudo-touchid.plist && /usr/local/bin/sudo-touchid


================================================
FILE: sudo-touchid.sh
================================================
#!/bin/bash

VERSION=0.5
readable_name='[TouchID for sudo]'
executable_name='sudo-touchid'

# Verbosity control
VERBOSE=false
QUIET=false
AUTO_YES=false

# PAM configuration
PAM_TOUCHID='auth       sufficient     pam_tid.so'
PAM_REATTACH_PATH='/opt/homebrew/lib/pam/pam_reattach.so'
PAM_REATTACH="auth       optional       $PAM_REATTACH_PATH"

# File paths
SUDO_PATH='/etc/pam.d/sudo'
SUDO_LOCAL_PATH='/etc/pam.d/sudo_local'
LEGACY_PAM_FILE='/etc/pam.d/sudo_touchid'

usage() {
  cat <<EOF

  Usage: $executable_name [options]
    Running without options adds TouchID parameter to sudo configuration, or migrates an existing legacy configuration if you have upgraded from macOS 13 or below.

  Options:
    -d,  --disable     Remove TouchID from sudo config
    --with-reattach    Include pam_reattach.so for GUI session reattachment
    --migrate          Migrate from legacy configuration to new system

    --verbose          Show detailed output
    -q,  --quiet       Show minimal output (errors only)
    -y,  --yes         Skip confirmation prompts (non-interactive mode)

    -v,  --version     Output version
    -h,  --help        This message.

EOF
}

# Source: https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh
getc() {
  local save_state
  save_state="$(/bin/stty -g)"
  /bin/stty raw -echo
  IFS='' read -r -n 1 -d '' "$@"
  /bin/stty "${save_state}"
}
wait_for_user() {
  if [[ "$AUTO_YES" == true ]]; then
    verbose_echo "Auto-confirming (--yes flag)"
    return 0
  fi

  local c
  echo
  echo "Press RETURN to continue or any other key to abort"
  getc c
  # we test for \r and \n because some stuff does \r instead
  if ! [[ "${c}" == $'\r' || "${c}" == $'\n' ]]; then
    exit 1
  fi
}
# Source end.

# Utility functions

# Output functions for verbosity control
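verbose_echo() {
  # "if" rather than "&&" so the function returns 0 when output is suppressed
  if [[ "$VERBOSE" == true ]]; then echo "$@"; fi
}

status_echo() {
  # Returns 0 under --quiet too; migrate_legacy_configuration ends with this call
  if [[ "$QUIET" != true ]]; then echo "$@"; fi
}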

error_echo() {
  echo "$@" >&2
}

detect_os_version() {
  sw_vers -productVersion | cut -d. -f1
}


create_pam_content() {
  local include_reattach="$1"

  echo "# TouchID for sudo - created by $executable_name v$VERSION"

  if [[ "$include_reattach" == "true" ]]; then
    echo "$PAM_REATTACH"
  fi

  echo "$PAM_TOUCHID"
}


install_file() {
  local content="$1"
  local target_path="$2"
  local permissions="$3"

  local temp_file
  temp_file=$(mktemp 2>/dev/null)

  if [[ -z "$temp_file" ]]; then
    error_echo "Error: Unable to create temporary file. Check /tmp directory permissions and available space."
    error_echo "Please ensure /tmp exists, is writable, and has sufficient space."
    return 1
  fi

  if ! echo "$content" > "$temp_file" 2>/dev/null; then
    error_echo "Error: Unable to write to temporary file. Check /tmp directory permissions and available space."
    error_echo "Please ensure /tmp exists, is writable, and has sufficient space."
    rm -f "$temp_file" 2>/dev/null
    return 1
  fi

  if sudo install -m "$permissions" "$temp_file" "$target_path"; then
    rm -f "$temp_file"
    return 0
  else
    rm -f "$temp_file"
    return 1
  fi
}

check_legacy_configuration() {
  [[ -f "$LEGACY_PAM_FILE" ]] || grep -q "pam_tid.so" "$SUDO_PATH" 2>/dev/null
}

migrate_legacy_configuration() {
  status_echo "Migrating from legacy TouchID configuration..."

  local major_version
  major_version=$(detect_os_version)

  # Remove legacy PAM file if it exists
  if [[ -f "$LEGACY_PAM_FILE" ]]; then
    sudo rm -f "$LEGACY_PAM_FILE"
    verbose_echo "Removed legacy PAM file: $LEGACY_PAM_FILE"
  fi


  # Remove TouchID and pam_reattach from /etc/pam.d/sudo if present
  if grep -q "pam_tid.so\|pam_reattach.so" "$SUDO_PATH" 2>/dev/null; then
    # Single sed pass: two separate "-i .bak" runs would overwrite the backup with the half-edited file
    sudo sed -i '.bak' -e '/pam_tid\.so/d' -e '/pam_reattach\.so/d' "$SUDO_PATH"
    verbose_echo "Removed TouchID configuration from $SUDO_PATH (backup saved as $SUDO_PATH.bak)"
  fi

  status_echo "Legacy configuration removed successfully."
}

sudo_touchid_pamlocal_install() {
  local include_reattach="$1"

  verbose_echo "Installing TouchID configuration for macOS 14+"

  # Create PAM configuration for sudo_local
  local pam_content
  pam_content=$(create_pam_content "$include_reattach")

  if ! install_file "$pam_content" "$SUDO_LOCAL_PATH" "644"; then
    error_echo "Error: Failed to create $SUDO_LOCAL_PATH"
    return 1
  fi

  verbose_echo "Created $SUDO_LOCAL_PATH"
  status_echo
  status_echo "$readable_name enabled successfully for macOS 14+."
  verbose_echo "Note: If TouchID for sudo stops working, you can disable it with: $executable_name --disable"

  return 0
}

sudo_touchid_legacy_install() {
  local include_reattach="$1"

  verbose_echo "Installing TouchID configuration for macOS ≤13"

  # Check if already configured
  if grep -q "pam_tid.so" "$SUDO_PATH" 2>/dev/null; then
    status_echo "$readable_name seems to be enabled already"
    return 0
  fi

  # Add TouchID to sudo file using sed
  local nl=$'\n'
  local touch_pam_line="$PAM_TOUCHID"

  if [[ "$include_reattach" == "true" ]] && check_reattach_available; then
    # Insert both pam_reattach and pam_tid after first comment
    # ("|" as the sed delimiter because $PAM_REATTACH contains "/")
    sudo sed -E -i ".bak" "1s|^(#.*)$|\1\\${nl}$PAM_REATTACH\\${nl}$touch_pam_line|" "$SUDO_PATH"
  else
    # Insert only pam_tid after first comment
    sudo sed -E -i ".bak" "1s/^(#.*)$/\1\\${nl}$touch_pam_line/" "$SUDO_PATH"
  fi

  verbose_echo "Created a backup file at $SUDO_PATH.bak"
  status_echo
  status_echo "$readable_name enabled successfully."

  return 0
}

check_reattach_available() {
  [[ -f "$PAM_REATTACH_PATH" ]]
}

check_brew_available() {
  command -v brew >/dev/null 2>&1
}

install_pam_reattach() {
  if ! check_brew_available; then
    error_echo "Error: Homebrew is required to install pam-reattach but is not available."
    error_echo "Please install Homebrew first: https://brew.sh"
    return 1
  fi

  status_echo "pam_reattach.so is required for --with-reattach but not found."
  status_echo "Install pam-reattach using Homebrew?"
  wait_for_user

  verbose_echo "Installing pam-reattach..."
  if brew install pam-reattach; then
    status_echo "$readable_name pam-reattach installed successfully."
    return 0
  else
    error_echo "$readable_name Failed to install pam-reattach."
    return 1
  fi
}

sudo_touchid_install() {
  local include_reattach="$1"
  local major_version
  major_version=$(detect_os_version)

  # Check for migration from legacy configuration
  if check_legacy_configuration; then
    status_echo "Legacy TouchID configuration detected. Migrating to new secure method..."
    if migrate_legacy_configuration; then
      # After migration, verify legacy configuration is removed
      if check_legacy_configuration; then
        error_echo "Error: Legacy configuration still detected after migration. Aborting to prevent infinite loop."
        return 1
      else
        verbose_echo "Migration completed. Re-running installation with new method..."
        sudo_touchid_install "$include_reattach"
        return $?
      fi
    else
      return 1
    fi
  fi

  # Check if already installed
  if [[ "$major_version" -ge 14 && -f "$SUDO_LOCAL_PATH" ]]; then
    if [[ "$include_reattach" == "true" ]] && ! check_reattach_available; then
      if ! install_pam_reattach; then
        return 1
      fi
    fi

    # Check if user wants pam_reattach but the existing configuration lacks it
    if [[ "$include_reattach" == "true" ]] && check_reattach_available && ! grep -q "pam_reattach.so" "$SUDO_LOCAL_PATH" 2>/dev/null; then
      error_echo "$readable_name is installed but without pam_reattach support."
      error_echo "Please run --disable first, then reinstall with --with-reattach."
      return 1
    fi
    status_echo "$readable_name appears to be already installed."
    return 0
  elif [[ "$major_version" -lt 14 ]] && grep -q "pam_tid.so" "$SUDO_PATH" 2>/dev/null; then
    if [[ "$include_reattach" == "true" ]] && ! check_reattach_available; then
      if ! install_pam_reattach; then
        return 1
      fi
    fi

    # Check if user wants pam_reattach but the existing configuration lacks it
    if [[ "$include_reattach" == "true" ]] && check_reattach_available && ! grep -q "pam_reattach.so" "$SUDO_PATH" 2>/dev/null; then
      error_echo "$readable_name is installed but without pam_reattach support."
      error_echo "Please run --disable first, then reinstall with --with-reattach."
      return 1
    fi
    status_echo "$readable_name appears to be already installed."
    return 0
  fi

  # Check for pam_reattach if requested
  if [[ "$include_reattach" == "true" ]] && ! check_reattach_available; then
    if ! install_pam_reattach; then
      return 1
    fi
  fi

  if [[ "$major_version" -ge 14 ]]; then
    sudo_touchid_pamlocal_install "$include_reattach"
  else
    sudo_touchid_legacy_install "$include_reattach"
  fi
}

sudo_touchid_disable() {
  local major_version
  major_version=$(detect_os_version)

  # Check what configurations exist
  local has_config=0

  if [[ -f "$SUDO_LOCAL_PATH" ]] || [[ -f "$LEGACY_PAM_FILE" ]] || grep -q "pam_tid.so" "$SUDO_PATH" 2>/dev/null; then
    has_config=1
  fi

  if [[ $has_config -eq 0 ]]; then
    status_echo "$readable_name seems to be already disabled"
    return 0
  fi

  # Show what will be removed
  verbose_echo "The following TouchID configurations will be removed:"
  verbose_echo

  if [[ -f "$SUDO_LOCAL_PATH" ]]; then
    verbose_echo "  - $SUDO_LOCAL_PATH"
  fi

  if [[ -f "$LEGACY_PAM_FILE" ]]; then
    verbose_echo "  - $LEGACY_PAM_FILE"
  fi

  if [[ "$VERBOSE" == "true" ]] && grep -q "pam_tid.so" "$SUDO_PATH" 2>/dev/null; then
    echo "  - TouchID line from $SUDO_PATH"
    echo
    echo "Your $SUDO_PATH will look like this after removal:"
    echo "----------------------------------------"
    grep -v "pam_tid.so" "$SUDO_PATH" | grep -v "pam_reattach.so"
    echo "----------------------------------------"
  fi

  wait_for_user

  # Now proceed with removal
  local files_removed=0

  # Remove sudo_local file (macOS 14+)
  if [[ -f "$SUDO_LOCAL_PATH" ]]; then
    sudo rm -f "$SUDO_LOCAL_PATH"
    verbose_echo "Removed $SUDO_LOCAL_PATH"
    files_removed=$((files_removed + 1))
  fi

  # Remove legacy PAM file
  if [[ -f "$LEGACY_PAM_FILE" ]]; then
    sudo rm -f "$LEGACY_PAM_FILE"
    verbose_echo "Removed $LEGACY_PAM_FILE"
    files_removed=$((files_removed + 1))
  fi

  # Check for legacy configuration in /etc/pam.d/sudo
  if grep -Eq 'pam_tid\.so|pam_reattach\.so' "$SUDO_PATH" 2>/dev/null; then
    # Delete both lines in a single sed pass: a second `sed -i '.bak'` run
    # would overwrite the backup with the already-modified file.
    sudo sed -i '.bak' -e '/pam_tid\.so/d' -e '/pam_reattach\.so/d' "$SUDO_PATH"
    verbose_echo "Removed TouchID configuration from $SUDO_PATH (backup saved as $SUDO_PATH.bak)"
    files_removed=$((files_removed + 1))
  fi

  status_echo
  status_echo "$readable_name has been disabled."
}


sudo_touchid() {
  local include_reattach="false"
  local action="install"

  for opt in "${@}"; do
    case "$opt" in
    -v | --version)
      echo "v$VERSION"
      return 0
      ;;
    -d | --disable)
      action="disable"
      ;;
    --with-reattach)
      include_reattach="true"
      ;;
    --migrate)
      action="migrate"
      ;;
    --verbose)
      VERBOSE=true
      ;;
    -q | --quiet)
      QUIET=true
      ;;
    -y | --yes)
      AUTO_YES=true
      ;;
    -h | --help)
      usage
      return 0
      ;;
    *)
      echo "Unknown option: $opt"
      usage
      return 1
      ;;
    esac
  done

  case "$action" in
  install)
    sudo_touchid_install "$include_reattach"
    ;;
  disable)
    sudo_touchid_disable
    ;;
  migrate)
    migrate_legacy_configuration
    ;;
  esac
}

sudo_touchid "${@}"
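
The legacy install path above inserts the PAM line with a `1s/^(#.*)$/.../` sed edit, which changes nothing when line 1 of the file is not a comment. The block below is an added example, not part of the repository: it performs the same insertion on a throwaway file, rejects that case, verifies the result before writing, and takes one backup per change. `pam_insert_after_header`, `sample_pam` and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example; pam_insert_after_header and sample_pam are hypothetical names.

# Constructed sample of a PAM sudo file (not copied from a real system).
sample_pam() {
  printf '%s\n' '# sudo: auth account password session' \
    'auth       sufficient     pam_smartcard.so' \
    'auth       required       pam_opendirectory.so'
}

# pam_insert_after_header FILE LINE
# Returns 0 if LINE was inserted or is already present, 2 if line 1 of FILE
# is not a comment (FILE is left untouched), 1 on any other failure.
pam_insert_after_header() {
  pih_file=$1
  pih_line=$2
  # Idempotent: nothing to do when the exact line is already there.
  grep -Fxq -- "$pih_line" "$pih_file" && return 0
  # A "1s/^(#.*)$/.../" edit changes nothing when line 1 is not a comment,
  # so refuse here rather than report success.
  head -n 1 "$pih_file" | grep -q '^#' || return 2
  pih_tmp=$(mktemp "${TMPDIR:-/tmp}/pam.XXXXXX") || return 1
  # Hand the line to awk through the environment: "/" or "&" in a module
  # path then needs no escaping, unlike in a sed replacement.
  if ! PAM_LINE=$pih_line awk \
    'NR == 1 { print; print ENVIRON["PAM_LINE"]; next } { print }' \
    "$pih_file" >"$pih_tmp"; then
    rm -f "$pih_tmp"; return 1
  fi
  # Verify the candidate before touching the real file.
  if ! sed -n '2p' "$pih_tmp" | grep -Fxq -- "$pih_line"; then
    rm -f "$pih_tmp"; return 1
  fi
  # One backup of the untouched file, then write in place so the target
  # keeps its owner and mode.
  cp -p "$pih_file" "$pih_file.bak" || { rm -f "$pih_tmp"; return 1; }
  cat "$pih_tmp" >"$pih_file"
  pih_rc=$?
  rm -f "$pih_tmp"
  return "$pih_rc"
}

# Demo on a throwaway copy.
demo_dir=$(mktemp -d "${TMPDIR:-/tmp}/pamdemo.XXXXXX") || exit 1
sample_pam >"$demo_dir/sudo"
pam_insert_after_header "$demo_dir/sudo" 'auth       sufficient     pam_tid.so'
cat "$demo_dir/sudo"
rm -rf "$demo_dir"
```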