[
  {
    "path": ".github/workflows/makefile.yml",
    "content": "name: Makefile CI\n\non:\n  - push\n  - pull_request\n\njobs:\n  test:\n    runs-on: macos-latest\n\n    steps:\n      - name: Checkout 🛎️\n        uses: actions/checkout@v3\n        with:\n          fetch-depth: 1\n\n      - name: Install dependencies\n        run: make\n\n      - name: Run check\n        run: make check\n"
  },
  {
    "path": ".gitignore",
    "content": ".DS_Store\n"
  },
  {
    "path": "Brewfile",
    "content": "brew \"shellcheck\"\n"
  },
  {
    "path": "Brewfile.lock.json",
    "content": "{\n  \"entries\": {\n    \"brew\": {\n      \"shellcheck\": {\n        \"version\": \"0.8.0\",\n        \"bottle\": {\n          \"rebuild\": 0,\n          \"root_url\": \"https://ghcr.io/v2/homebrew/core\",\n          \"files\": {\n            \"arm64_monterey\": {\n              \"cellar\": \":any_skip_relocation\",\n              \"url\": \"https://ghcr.io/v2/homebrew/core/shellcheck/blobs/sha256:625466bcd245a36da12ee088877d582c7e9fec1622418d1165a7d7d8f204ecc3\",\n              \"sha256\": \"625466bcd245a36da12ee088877d582c7e9fec1622418d1165a7d7d8f204ecc3\"\n            },\n            \"arm64_big_sur\": {\n              \"cellar\": \":any_skip_relocation\",\n              \"url\": \"https://ghcr.io/v2/homebrew/core/shellcheck/blobs/sha256:883ba5ee45554568cd1ce106dc6c090ec0745f576a4a6708332de951b03c7423\",\n              \"sha256\": \"883ba5ee45554568cd1ce106dc6c090ec0745f576a4a6708332de951b03c7423\"\n            },\n            \"monterey\": {\n              \"cellar\": \":any_skip_relocation\",\n              \"url\": \"https://ghcr.io/v2/homebrew/core/shellcheck/blobs/sha256:cfd8c8e8d8927dfd4b83593f539690a6083b075b0a1ff8a66578e8bb810d3db9\",\n              \"sha256\": \"cfd8c8e8d8927dfd4b83593f539690a6083b075b0a1ff8a66578e8bb810d3db9\"\n            },\n            \"big_sur\": {\n              \"cellar\": \":any_skip_relocation\",\n              \"url\": \"https://ghcr.io/v2/homebrew/core/shellcheck/blobs/sha256:d88edc1ae7db555ec5da01d4a1272da8260eb62073d2cdfa5fa3dce37d51fbe6\",\n              \"sha256\": \"d88edc1ae7db555ec5da01d4a1272da8260eb62073d2cdfa5fa3dce37d51fbe6\"\n            },\n            \"catalina\": {\n              \"cellar\": \":any_skip_relocation\",\n              \"url\": \"https://ghcr.io/v2/homebrew/core/shellcheck/blobs/sha256:24a67cd4f2b66a02cb77a1c705d7dcf25b4410209435a0b1136398da1fa6f766\",\n              \"sha256\": \"24a67cd4f2b66a02cb77a1c705d7dcf25b4410209435a0b1136398da1fa6f766\"\n            },\n            
\"x86_64_linux\": {\n              \"cellar\": \":any_skip_relocation\",\n              \"url\": \"https://ghcr.io/v2/homebrew/core/shellcheck/blobs/sha256:961b2f3d75cf86dd5bc767cf689eee8f8e88bb30d716cf208b4bb89d61e5a553\",\n              \"sha256\": \"961b2f3d75cf86dd5bc767cf689eee8f8e88bb30d716cf208b4bb89d61e5a553\"\n            }\n          }\n        }\n      }\n    }\n  },\n  \"system\": {\n    \"macos\": {\n      \"big_sur\": {\n        \"HOMEBREW_VERSION\": \"3.4.2\",\n        \"HOMEBREW_PREFIX\": \"/usr/local\",\n        \"Homebrew/homebrew-core\": \"c746b78fadadd6573727169a48868826b880f80f\",\n        \"CLT\": \"13.2.0.0.1.1638488800\",\n        \"Xcode\": \"13.2.1\",\n        \"macOS\": \"11.6.2\"\n      }\n    }\n  }\n}\n"
  },
  {
    "path": "LICENSE",
    "content": "Eclipse Public License - v 2.0\n\n    THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS ECLIPSE\n    PUBLIC LICENSE (\"AGREEMENT\"). ANY USE, REPRODUCTION OR DISTRIBUTION\n    OF THE PROGRAM CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT.\n\n1. DEFINITIONS\n\n\"Contribution\" means:\n\n  a) in the case of the initial Contributor, the initial content\n     Distributed under this Agreement, and\n\n  b) in the case of each subsequent Contributor:\n     i) changes to the Program, and\n     ii) additions to the Program;\n  where such changes and/or additions to the Program originate from\n  and are Distributed by that particular Contributor. A Contribution\n  \"originates\" from a Contributor if it was added to the Program by\n  such Contributor itself or anyone acting on such Contributor's behalf.\n  Contributions do not include changes or additions to the Program that\n  are not Modified Works.\n\n\"Contributor\" means any person or entity that Distributes the Program.\n\n\"Licensed Patents\" mean patent claims licensable by a Contributor which\nare necessarily infringed by the use or sale of its Contribution alone\nor when combined with the Program.\n\n\"Program\" means the Contributions Distributed in accordance with this\nAgreement.\n\n\"Recipient\" means anyone who receives the Program under this Agreement\nor any Secondary License (as applicable), including Contributors.\n\n\"Derivative Works\" shall mean any work, whether in Source Code or other\nform, that is based on (or derived from) the Program and for which the\neditorial revisions, annotations, elaborations, or other modifications\nrepresent, as a whole, an original work of authorship.\n\n\"Modified Works\" shall mean any work in Source Code or other form that\nresults from an addition to, deletion from, or modification of the\ncontents of the Program, including, for purposes of clarity any new file\nin Source Code form that contains any contents of the Program. 
Modified\nWorks shall not include works that contain only declarations,\ninterfaces, types, classes, structures, or files of the Program solely\nin each case in order to link to, bind by name, or subclass the Program\nor Modified Works thereof.\n\n\"Distribute\" means the acts of a) distributing or b) making available\nin any manner that enables the transfer of a copy.\n\n\"Source Code\" means the form of a Program preferred for making\nmodifications, including but not limited to software source code,\ndocumentation source, and configuration files.\n\n\"Secondary License\" means either the GNU General Public License,\nVersion 2.0, or any later versions of that license, including any\nexceptions or additional permissions as identified by the initial\nContributor.\n\n2. GRANT OF RIGHTS\n\n  a) Subject to the terms of this Agreement, each Contributor hereby\n  grants Recipient a non-exclusive, worldwide, royalty-free copyright\n  license to reproduce, prepare Derivative Works of, publicly display,\n  publicly perform, Distribute and sublicense the Contribution of such\n  Contributor, if any, and such Derivative Works.\n\n  b) Subject to the terms of this Agreement, each Contributor hereby\n  grants Recipient a non-exclusive, worldwide, royalty-free patent\n  license under Licensed Patents to make, use, sell, offer to sell,\n  import and otherwise transfer the Contribution of such Contributor,\n  if any, in Source Code or other form. This patent license shall\n  apply to the combination of the Contribution and the Program if, at\n  the time the Contribution is added by the Contributor, such addition\n  of the Contribution causes such combination to be covered by the\n  Licensed Patents. The patent license shall not apply to any other\n  combinations which include the Contribution. 
No hardware per se is\n  licensed hereunder.\n\n  c) Recipient understands that although each Contributor grants the\n  licenses to its Contributions set forth herein, no assurances are\n  provided by any Contributor that the Program does not infringe the\n  patent or other intellectual property rights of any other entity.\n  Each Contributor disclaims any liability to Recipient for claims\n  brought by any other entity based on infringement of intellectual\n  property rights or otherwise. As a condition to exercising the\n  rights and licenses granted hereunder, each Recipient hereby\n  assumes sole responsibility to secure any other intellectual\n  property rights needed, if any. For example, if a third party\n  patent license is required to allow Recipient to Distribute the\n  Program, it is Recipient's responsibility to acquire that license\n  before distributing the Program.\n\n  d) Each Contributor represents that to its knowledge it has\n  sufficient copyright rights in its Contribution, if any, to grant\n  the copyright license set forth in this Agreement.\n\n  e) Notwithstanding the terms of any Secondary License, no\n  Contributor makes additional grants to any Recipient (other than\n  those set forth in this Agreement) as a result of such Recipient's\n  receipt of the Program under the terms of a Secondary License\n  (if permitted under the terms of Section 3).\n\n3. 
REQUIREMENTS\n\n3.1 If a Contributor Distributes the Program in any form, then:\n\n  a) the Program must also be made available as Source Code, in\n  accordance with section 3.2, and the Contributor must accompany\n  the Program with a statement that the Source Code for the Program\n  is available under this Agreement, and informs Recipients how to\n  obtain it in a reasonable manner on or through a medium customarily\n  used for software exchange; and\n\n  b) the Contributor may Distribute the Program under a license\n  different than this Agreement, provided that such license:\n     i) effectively disclaims on behalf of all other Contributors all\n     warranties and conditions, express and implied, including\n     warranties or conditions of title and non-infringement, and\n     implied warranties or conditions of merchantability and fitness\n     for a particular purpose;\n\n     ii) effectively excludes on behalf of all other Contributors all\n     liability for damages, including direct, indirect, special,\n     incidental and consequential damages, such as lost profits;\n\n     iii) does not attempt to limit or alter the recipients' rights\n     in the Source Code under section 3.2; and\n\n     iv) requires any subsequent distribution of the Program by any\n     party to be under a license that satisfies the requirements\n     of this section 3.\n\n3.2 When the Program is Distributed as Source Code:\n\n  a) it must be made available under this Agreement, or if the\n  Program (i) is combined with other material in a separate file or\n  files made available under a Secondary License, and (ii) the initial\n  Contributor attached to the Source Code the notice described in\n  Exhibit A of this Agreement, then the Program may be made available\n  under the terms of such Secondary Licenses, and\n\n  b) a copy of this Agreement must be included with each copy of\n  the Program.\n\n3.3 Contributors may not remove or alter any copyright, patent,\ntrademark, 
attribution notices, disclaimers of warranty, or limitations\nof liability (\"notices\") contained within the Program from any copy of\nthe Program which they Distribute, provided that Contributors may add\ntheir own appropriate notices.\n\n4. COMMERCIAL DISTRIBUTION\n\nCommercial distributors of software may accept certain responsibilities\nwith respect to end users, business partners and the like. While this\nlicense is intended to facilitate the commercial use of the Program,\nthe Contributor who includes the Program in a commercial product\noffering should do so in a manner which does not create potential\nliability for other Contributors. Therefore, if a Contributor includes\nthe Program in a commercial product offering, such Contributor\n(\"Commercial Contributor\") hereby agrees to defend and indemnify every\nother Contributor (\"Indemnified Contributor\") against any losses,\ndamages and costs (collectively \"Losses\") arising from claims, lawsuits\nand other legal actions brought by a third party against the Indemnified\nContributor to the extent caused by the acts or omissions of such\nCommercial Contributor in connection with its distribution of the Program\nin a commercial product offering. The obligations in this section do not\napply to any claims or Losses relating to any actual or alleged\nintellectual property infringement. In order to qualify, an Indemnified\nContributor must: a) promptly notify the Commercial Contributor in\nwriting of such claim, and b) allow the Commercial Contributor to control,\nand cooperate with the Commercial Contributor in, the defense and any\nrelated settlement negotiations. The Indemnified Contributor may\nparticipate in any such claim at its own expense.\n\nFor example, a Contributor might include the Program in a commercial\nproduct offering, Product X. That Contributor is then a Commercial\nContributor. 
If that Commercial Contributor then makes performance\nclaims, or offers warranties related to Product X, those performance\nclaims and warranties are such Commercial Contributor's responsibility\nalone. Under this section, the Commercial Contributor would have to\ndefend claims against the other Contributors related to those performance\nclaims and warranties, and if a court requires any other Contributor to\npay any damages as a result, the Commercial Contributor must pay\nthose damages.\n\n5. NO WARRANTY\n\nEXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, AND TO THE EXTENT\nPERMITTED BY APPLICABLE LAW, THE PROGRAM IS PROVIDED ON AN \"AS IS\"\nBASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, EITHER EXPRESS OR\nIMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR CONDITIONS OF\nTITLE, NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR\nPURPOSE. Each Recipient is solely responsible for determining the\nappropriateness of using and distributing the Program and assumes all\nrisks associated with its exercise of rights under this Agreement,\nincluding but not limited to the risks and costs of program errors,\ncompliance with applicable laws, damage to or loss of data, programs\nor equipment, and unavailability or interruption of operations.\n\n6. DISCLAIMER OF LIABILITY\n\nEXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, AND TO THE EXTENT\nPERMITTED BY APPLICABLE LAW, NEITHER RECIPIENT NOR ANY CONTRIBUTORS\nSHALL HAVE ANY LIABILITY FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,\nEXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT LIMITATION LOST\nPROFITS), HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN\nCONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)\nARISING IN ANY WAY OUT OF THE USE OR DISTRIBUTION OF THE PROGRAM OR THE\nEXERCISE OF ANY RIGHTS GRANTED HEREUNDER, EVEN IF ADVISED OF THE\nPOSSIBILITY OF SUCH DAMAGES.\n\n7. 
GENERAL\n\nIf any provision of this Agreement is invalid or unenforceable under\napplicable law, it shall not affect the validity or enforceability of\nthe remainder of the terms of this Agreement, and without further\naction by the parties hereto, such provision shall be reformed to the\nminimum extent necessary to make such provision valid and enforceable.\n\nIf Recipient institutes patent litigation against any entity\n(including a cross-claim or counterclaim in a lawsuit) alleging that the\nProgram itself (excluding combinations of the Program with other software\nor hardware) infringes such Recipient's patent(s), then such Recipient's\nrights granted under Section 2(b) shall terminate as of the date such\nlitigation is filed.\n\nAll Recipient's rights under this Agreement shall terminate if it\nfails to comply with any of the material terms or conditions of this\nAgreement and does not cure such failure in a reasonable period of\ntime after becoming aware of such noncompliance. If all Recipient's\nrights under this Agreement terminate, Recipient agrees to cease use\nand distribution of the Program as soon as reasonably practicable.\nHowever, Recipient's obligations under this Agreement and any licenses\ngranted by Recipient relating to the Program shall continue and survive.\n\nEveryone is permitted to copy and distribute copies of this Agreement,\nbut in order to avoid inconsistency the Agreement is copyrighted and\nmay only be modified in the following manner. The Agreement Steward\nreserves the right to publish new versions (including revisions) of\nthis Agreement from time to time. No one other than the Agreement\nSteward has the right to modify this Agreement. The Eclipse Foundation\nis the initial Agreement Steward. The Eclipse Foundation may assign the\nresponsibility to serve as the Agreement Steward to a suitable separate\nentity. Each new version of the Agreement will be given a distinguishing\nversion number. 
The Program (including Contributions) may always be\nDistributed subject to the version of the Agreement under which it was\nreceived. In addition, after a new version of the Agreement is published,\nContributor may elect to Distribute the Program (including its\nContributions) under the new version.\n\nExcept as expressly stated in Sections 2(a) and 2(b) above, Recipient\nreceives no rights or licenses to the intellectual property of any\nContributor under this Agreement, whether expressly, by implication,\nestoppel or otherwise. All rights in the Program not expressly granted\nunder this Agreement are reserved. Nothing in this Agreement is intended\nto be enforceable by any entity that is not a Contributor or Recipient.\nNo third-party beneficiary rights are created under this Agreement.\n\nExhibit A - Form of Secondary Licenses Notice\n\n\"This Source Code may also be made available under the following\nSecondary Licenses when the conditions for such availability set forth\nin the Eclipse Public License, v. 2.0 are satisfied: {name license(s),\nversion(s), and exceptions or additional permissions here}.\"\n\n  Simply including a copy of this Agreement, including this Exhibit A\n  is not sufficient to license the Source Code under Secondary Licenses.\n\n  If it is not possible or desirable to put the notice in a particular\n  file, then You may include the notice in a location (such as a LICENSE\n  file in a relevant directory) where a recipient would be likely to\n  look for such a notice.\n\n  You may add additional accurate notices of copyright ownership.\n"
  },
  {
    "path": "Makefile",
    "content": ".PHONY: bundle check\n\nbundle:\n\tbrew bundle\n\ncheck:\n\tshellcheck sudo-touchid.sh\n"
  },
  {
    "path": "README.md",
    "content": "<img height=\"128\" src=\"res/icon.png\" alt=\"Icon\" align=\"left\" />\n\n# sudo-touchid\n\n[![Downloads](https://img.shields.io/github/downloads/artginzburg/sudo-touchid/total?color=teal)](https://github.com/artginzburg/sudo-touchid/releases)\n[![Donate](https://img.shields.io/badge/buy%20me%20a%20coffee-donate-white)](https://github.com/artginzburg/sudo-touchid?sponsor=1)\n\n<div align=\"right\">\n\nNative and reliable [**TouchID**](https://support.apple.com/en-gb/guide/mac-help/mchl16fbf90a/mac) support for `sudo`\n\n</div>\n\n## Try it out <sub> &nbsp; <sup> &nbsp; without installing</sup></sub>\n\n```powershell\ncurl -sL git.io/sudo-touch-id | sh\n```\n\nNow `sudo` is great, just like Safari — with your fingerprint in Terminal.\n\n> <sup>Don't worry, you can also [reverse](#usage) it</sup>\n\n<div align=\"center\">\n\n<sub><sub>Result:</sub></sub>\n\n<img alt=\"Preview\" src=\"./res/preview.png\" width=\"500vmin\" />\n\n<sub>Just type <a href=\"https://git.io/sudotouchid\"><code>git.io/sudotouchid</code></a> to go here.</sub>\n\n</div>\n\n### Features\n\n- Fast & reliable\n- Written in Bash — no dependencies\n- **pam_reattach support** for tmux/screen compatibility (GUI session reattachment)\n- **Supports modern and legacy systems:** For macOS 13 and below, see [LEGACY_MACOS.md][legacy]\n\n<br />\n\n## Install\n\n### Via [🍺 Homebrew](https://brew.sh/)\n\n```bash\nbrew install artginzburg/tap/sudo-touchid\n```\n\n> Check out [the formula](https://github.com/artginzburg/homebrew-tap/blob/main/Formula/sudo-touchid.rb) if you're interested\n\n<br />\n\n## Usage\n\nCopy and run this command:\n\n```bash\nsudo-touchid\n```\n\nIt adds TouchID to sudo configuration, or migrates an existing legacy configuration if you're upgrading from macOS 13 or below.\n\n```bash\n# Usage:\nsudo-touchid [options]\n             [-v,  --version]   # Output installed version\n             [-d,  --disable]   # Remove TouchID from sudo config\n             
[--with-reattach]  # Include pam_reattach.so for tmux/screen support\n             [--migrate]        # Migrate from legacy configuration\n             [--verbose]        # Show detailed output\n             [-q,  --quiet]     # Show minimal output (errors only)\n             [-y,  --yes]       # Skip confirmation prompts (non-interactive mode)\n```\n\nIf it is not installed, it can be run via [`curl`][curl] <sup>bundled with macOS</sup>\n\n```bash\nsh <( curl -sL git.io/sudo-touch-id )\n```\n\n> Accepts the same arguments, like -d or -v.\n\n<br />\n\n### Why?\n\n- **Productivity:** Automates TouchID setup\n- **Lightweight:** Small Bash script, no builds or Xcode required\n- **Reliable:** Persistent configuration across system updates\n\n<br />\n\n## How does it work?\n\n**For macOS 14+:**\n\n- Creates `/etc/pam.d/sudo_local` with TouchID configuration\n- Never modifies system-managed `/etc/pam.d/sudo` file\n\n**All versions:**\n\n- Has a `--disable` (`-d`) option that removes all TouchID configurations.\n- Optional `--with-reattach` for GUI session reattachment support\n- Creates backup files during migration\n- Automatically detects and migrates legacy configurations\n\n### Manual installation\n\nJust save `sudo-touchid.sh` as `/usr/local/bin/sudo-touchid` with execute permissions\n\n> See [LEGACY_MACOS.md][legacy] for additional considerations on older systems\n\n<br />\n\n## Related\n\n- **tmux/screen support:** [pam_reattach](https://github.com/fabianishere/pam_reattach) module (built-in via `--with-reattach`)\n- **Apple Watch support:** [pam_watchid](https://github.com/biscuitehh/pam-watchid) module\n- **Disable password prompt:** Change `%admin ALL=(ALL) ALL` to `%admin ALL=(ALL) NOPASSWD: ALL` in `/etc/sudoers` (edit it with `visudo`). This turns off `sudo` authentication entirely for admin users, so the TouchID prompt no longer appears either.\n\n[curl]: https://curl.se\n[legacy]: ./docs/LEGACY_MACOS.md\n"
  },
  {
    "path": "com.user.sudo-touchid.plist",
    "content": "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">\n<plist version=\"1.0\">\n    <dict>\n        <key>Label</key>\n        <string>com.user.sudo-touchid</string>\n        <key>ProgramArguments</key>\n        <array>\n            <string>/usr/local/bin/sudo-touchid</string>\n        </array>\n        <key>RunAtLoad</key>\n        <true/>\n        <key>KeepAlive</key>\n        <false/>\n    </dict>\n</plist>\n"
  },
  {
    "path": "docs/LEGACY_MACOS.md",
    "content": "# Legacy macOS Support (macOS 13 and below)\n\n> **Note:** For macOS Ventura and prior, full installation is necessary to preserve TouchID for `sudo` through system updates.\n\n## Install\n\n### Via [🍺 Homebrew](https://brew.sh/) (Recommended)\n\n```powershell\nbrew install artginzburg/tap/sudo-touchid\nsudo brew services start sudo-touchid\n```\n\n> Check out [the formula](https://github.com/artginzburg/homebrew-tap/blob/main/Formula/sudo-touchid.rb) if you're interested\n\n### Using [`curl`][curl]\n\n```bash\ncurl -sL git.io/sudo-touchid | sh\n```\n\n## How it works\n\n- Adds `auth sufficient pam_tid.so` to the top of the `/etc/pam.d/sudo` file (following [@cabel's advice](https://twitter.com/cabel/status/931292107372838912)).\n- Creates a backup file named `sudo.bak`.\n- Optional `--with-reattach` flag adds `pam_reattach.so` before `pam_tid.so` for tmux/screen support.\n\n## Why?\n\nmacOS updates reset `/etc/pam.d/sudo`, so previously users had to manually edit the file after each upgrade. This tool automates the process by:\n\n1. Making the `sudo-touchid` command available.\n2. Auto-running on every system launch using a simple [`launchd`](https://www.launchd.info) daemon, so that when a macOS update erases the custom `sudo` configuration, `sudo-touchid` fixes it again.\n\n### Manual installation\n\n1. Save `sudo-touchid.sh` as `/usr/local/bin/sudo-touchid` with execute permissions. Keep the file owned by root and not writable by other users, because the daemon from step 2 runs it as root on every boot.\n2. Save `com.user.sudo-touchid.plist` to `/Library/LaunchDaemons/` for auto-run on boot\n3. Customize paths in the `.plist` file if needed\n\n[curl]: https://curl.se\n"
  },
  {
    "path": "install.sh",
    "content": "curl -# https://raw.githubusercontent.com/artginzburg/sudo-touchid/main/sudo-touchid.sh -o /usr/local/bin/sudo-touchid && chmod +x /usr/local/bin/sudo-touchid && sudo curl -# https://raw.githubusercontent.com/artginzburg/sudo-touchid/main/com.user.sudo-touchid.plist -o /Library/LaunchDaemons/com.user.sudo-touchid.plist && /usr/local/bin/sudo-touchid\n"
  },
  {
    "path": "sudo-touchid.sh",
    "content": "#!/bin/bash\n\nVERSION=0.5\nreadable_name='[TouchID for sudo]'\nexecutable_name='sudo-touchid'\n\n# Verbosity control\nVERBOSE=false\nQUIET=false\nAUTO_YES=false\n\n# PAM configuration\nPAM_TOUCHID='auth       sufficient     pam_tid.so'\nPAM_REATTACH_PATH='/opt/homebrew/lib/pam/pam_reattach.so'\nPAM_REATTACH=\"auth       optional       $PAM_REATTACH_PATH\"\n\n# File paths\nSUDO_PATH='/etc/pam.d/sudo'\nSUDO_LOCAL_PATH='/etc/pam.d/sudo_local'\nLEGACY_PAM_FILE='/etc/pam.d/sudo_touchid'\n\nusage() {\n  cat <<EOF\n\n  Usage: $executable_name [options]\n    Running without options adds TouchID parameter to sudo configuration, or migrates an existing legacy configuration if you have upgraded from macOS 13 or below.\n\n  Options:\n    -d,  --disable     Remove TouchID from sudo config\n    --with-reattach    Include pam_reattach.so for GUI session reattachment\n    --migrate          Migrate from legacy configuration to new system\n\n    --verbose          Show detailed output\n    -q,  --quiet       Show minimal output (errors only)\n    -y,  --yes         Skip confirmation prompts (non-interactive mode)\n\n    -v,  --version     Output version\n    -h,  --help        This message.\n\nEOF\n}\n\n# Source: https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh\ngetc() {\n  local save_state\n  save_state=\"$(/bin/stty -g)\"\n  /bin/stty raw -echo\n  IFS='' read -r -n 1 -d '' \"$@\"\n  /bin/stty \"${save_state}\"\n}\nwait_for_user() {\n  if [[ \"$AUTO_YES\" == true ]]; then\n    verbose_echo \"Auto-confirming (--yes flag)\"\n    return 0\n  fi\n\n  local c\n  echo\n  echo \"Press RETURN to continue or any other key to abort\"\n  getc c\n  # we test for \\r and \\n because some stuff does \\r instead\n  if ! 
[[ \"${c}\" == $'\\r' || \"${c}\" == $'\\n' ]]; then\n    exit 1\n  fi\n}\n# Source end.\n\n# Utility functions\n\n# Output functions for verbosity control\nverbose_echo() {\n  [[ \"$VERBOSE\" == true ]] && echo \"$@\"\n}\n\nstatus_echo() {\n  [[ \"$QUIET\" != true ]] && echo \"$@\"\n}\n\nerror_echo() {\n  echo \"$@\" >&2\n}\n\ndetect_os_version() {\n  sw_vers -productVersion | cut -d. -f1\n}\n\n\ncreate_pam_content() {\n  local include_reattach=\"$1\"\n\n  echo \"# TouchID for sudo - created by $executable_name v$VERSION\"\n\n  if [[ \"$include_reattach\" == \"true\" ]]; then\n    echo \"$PAM_REATTACH\"\n  fi\n\n  echo \"$PAM_TOUCHID\"\n}\n\n\ninstall_file() {\n  local content=\"$1\"\n  local target_path=\"$2\"\n  local permissions=\"$3\"\n\n  local temp_file\n  temp_file=$(mktemp 2>/dev/null)\n\n  if [[ -z \"$temp_file\" ]]; then\n    error_echo \"Error: Unable to create temporary file. Check /tmp directory permissions and available space.\"\n    error_echo \"Please ensure /tmp exists, is writable, and has sufficient space.\"\n    return 1\n  fi\n\n  if ! echo \"$content\" > \"$temp_file\" 2>/dev/null; then\n    error_echo \"Error: Unable to write to temporary file. 
Check /tmp directory permissions and available space.\"\n    error_echo \"Please ensure /tmp exists, is writable, and has sufficient space.\"\n    rm -f \"$temp_file\" 2>/dev/null\n    return 1\n  fi\n\n  if sudo install -m \"$permissions\" \"$temp_file\" \"$target_path\"; then\n    rm -f \"$temp_file\"\n    return 0\n  else\n    rm -f \"$temp_file\"\n    return 1\n  fi\n}\n\ncheck_legacy_configuration() {\n  [[ -f \"$LEGACY_PAM_FILE\" ]] || grep -q \"pam_tid.so\" \"$SUDO_PATH\" 2>/dev/null\n}\n\nmigrate_legacy_configuration() {\n  status_echo \"Migrating from legacy TouchID configuration...\"\n\n  local major_version\n  major_version=$(detect_os_version)\n\n  # Remove legacy PAM file if it exists\n  if [[ -f \"$LEGACY_PAM_FILE\" ]]; then\n    sudo rm -f \"$LEGACY_PAM_FILE\"\n    verbose_echo \"Removed legacy PAM file: $LEGACY_PAM_FILE\"\n  fi\n\n\n  # Remove TouchID and pam_reattach from /etc/pam.d/sudo if present\n  if grep -q \"pam_tid.so\\|pam_reattach.so\" \"$SUDO_PATH\" 2>/dev/null; then\n    sudo cp \"$SUDO_PATH\" \"$SUDO_PATH.bak\"\n    sudo sed -i '.bak' '/pam_tid\\.so/d' \"$SUDO_PATH\"\n    sudo sed -i '.bak' '/pam_reattach\\.so/d' \"$SUDO_PATH\"\n    verbose_echo \"Removed TouchID configuration from $SUDO_PATH (backup saved as $SUDO_PATH.bak)\"\n  fi\n\n  status_echo \"Legacy configuration removed successfully.\"\n}\n\nsudo_touchid_pamlocal_install() {\n  local include_reattach=\"$1\"\n\n  verbose_echo \"Installing TouchID configuration for macOS 14+\"\n\n  # Create PAM configuration for sudo_local\n  local pam_content\n  pam_content=$(create_pam_content \"$include_reattach\")\n\n  if ! 
install_file \"$pam_content\" \"$SUDO_LOCAL_PATH\" \"644\"; then\n    error_echo \"Error: Failed to create $SUDO_LOCAL_PATH\"\n    return 1\n  fi\n\n  verbose_echo \"Created $SUDO_LOCAL_PATH\"\n  status_echo\n  status_echo \"$readable_name enabled successfully for macOS 14+.\"\n  verbose_echo \"Note: If TouchID for sudo stops working, you can disable it with: $executable_name --disable\"\n\n  return 0\n}\n\nsudo_touchid_legacy_install() {\n  local include_reattach=\"$1\"\n\n  verbose_echo \"Installing TouchID configuration for macOS ≤13\"\n\n  # Check if already configured\n  if grep -q \"pam_tid.so\" \"$SUDO_PATH\" 2>/dev/null; then\n    status_echo \"$readable_name seems to be enabled already\"\n    return 0\n  fi\n\n  # Add TouchID to sudo file using sed\n  local nl=$'\\n'\n  local touch_pam_line=\"$PAM_TOUCHID\"\n\n  if [[ \"$include_reattach\" == \"true\" ]] && check_reattach_available; then\n    # Insert both pam_reattach and pam_tid after first comment\n    sudo sed -E -i \".bak\" \"1s/^(#.*)$/\\1\\\\${nl}$PAM_REATTACH\\\\${nl}$touch_pam_line/\" \"$SUDO_PATH\"\n  else\n    # Insert only pam_tid after first comment\n    sudo sed -E -i \".bak\" \"1s/^(#.*)$/\\1\\\\${nl}$touch_pam_line/\" \"$SUDO_PATH\"\n  fi\n\n  verbose_echo \"Created a backup file at $SUDO_PATH.bak\"\n  status_echo\n  status_echo \"$readable_name enabled successfully.\"\n\n  return 0\n}\n\ncheck_reattach_available() {\n  [[ -f \"$PAM_REATTACH_PATH\" ]]\n}\n\ncheck_brew_available() {\n  command -v brew >/dev/null 2>&1\n}\n\ninstall_pam_reattach() {\n  if ! 
check_brew_available; then\n    error_echo \"Error: Homebrew is required to install pam-reattach but is not available.\"\n    error_echo \"Please install Homebrew first: https://brew.sh\"\n    return 1\n  fi\n\n  status_echo \"pam_reattach.so is required for --with-reattach but not found.\"\n  status_echo \"Install pam-reattach using Homebrew?\"\n  wait_for_user\n\n  verbose_echo \"Installing pam-reattach...\"\n  if brew install pam-reattach; then\n    status_echo \"$readable_name pam-reattach installed successfully.\"\n    return 0\n  else\n    error_echo \"$readable_name Failed to install pam-reattach.\"\n    return 1\n  fi\n}\n\nsudo_touchid_install() {\n  local include_reattach=\"$1\"\n  local major_version\n  major_version=$(detect_os_version)\n\n  # Check for migration from legacy configuration\n  if check_legacy_configuration; then\n    status_echo \"Legacy TouchID configuration detected. Migrating to new secure method...\"\n    if migrate_legacy_configuration; then\n      # After migration, verify legacy configuration is removed\n      if check_legacy_configuration; then\n        error_echo \"Error: Legacy configuration still detected after migration. Aborting to prevent infinite loop.\"\n        return 1\n      else\n        verbose_echo \"Migration completed. Re-running installation with new method...\"\n        sudo_touchid_install \"$include_reattach\"\n        return $?\n      fi\n    else\n      return 1\n    fi\n  fi\n\n  # Check if already installed\n  if [[ \"$major_version\" -ge 14 && -f \"$SUDO_LOCAL_PATH\" ]]; then\n    if [[ \"$include_reattach\" == \"true\" ]] && ! check_reattach_available; then\n      if ! install_pam_reattach; then\n        return 1\n      fi\n    fi\n\n    # Check if user wants pam_reattach but it's not installed\n    if [[ \"$include_reattach\" == \"true\" ]] && check_reattach_available && ! 
grep -q \"pam_reattach.so\" \"$SUDO_LOCAL_PATH\" 2>/dev/null; then\n      error_echo \"$readable_name is installed but without pam_reattach support.\"\n      error_echo \"Please run --disable first, then reinstall with --with-reattach.\"\n      return 1\n    fi\n    status_echo \"$readable_name appears to be already installed.\"\n    return 0\n  elif [[ \"$major_version\" -lt 14 ]] && grep -q \"pam_tid.so\" \"$SUDO_PATH\" 2>/dev/null; then\n    if [[ \"$include_reattach\" == \"true\" ]] && ! check_reattach_available; then\n      if ! install_pam_reattach; then\n        return 1\n      fi\n    fi\n\n    # pam_reattach was requested and the module is available, but $SUDO_PATH does not reference it\n    if [[ \"$include_reattach\" == \"true\" ]] && check_reattach_available && ! grep -q \"pam_reattach.so\" \"$SUDO_PATH\" 2>/dev/null; then\n      error_echo \"$readable_name is installed but without pam_reattach support.\"\n      error_echo \"Please run --disable first, then reinstall with --with-reattach.\"\n      return 1\n    fi\n    status_echo \"$readable_name appears to be already installed.\"\n    return 0\n  fi\n\n  # Check for pam_reattach if requested\n  if [[ \"$include_reattach\" == \"true\" ]] && ! check_reattach_available; then\n    if ! 
install_pam_reattach; then\n      return 1\n    fi\n  fi\n\n  if [[ \"$major_version\" -ge 14 ]]; then\n    sudo_touchid_pamlocal_install \"$include_reattach\"\n  else\n    sudo_touchid_legacy_install \"$include_reattach\"\n  fi\n}\n\nsudo_touchid_disable() {\n  local major_version\n  major_version=$(detect_os_version)\n\n  # Check what configurations exist\n  local has_config=0\n\n  if [[ -f \"$SUDO_LOCAL_PATH\" ]] || [[ -f \"$LEGACY_PAM_FILE\" ]] || grep -q \"pam_tid.so\" \"$SUDO_PATH\" 2>/dev/null; then\n    has_config=1\n  fi\n\n  if [[ $has_config -eq 0 ]]; then\n    status_echo \"$readable_name seems to be already disabled\"\n    return 0\n  fi\n\n  # Show what will be removed\n  verbose_echo \"The following TouchID configurations will be removed:\"\n  verbose_echo\n\n  if [[ -f \"$SUDO_LOCAL_PATH\" ]]; then\n    verbose_echo \"  - $SUDO_LOCAL_PATH\"\n  fi\n\n  if [[ -f \"$LEGACY_PAM_FILE\" ]]; then\n    verbose_echo \"  - $LEGACY_PAM_FILE\"\n  fi\n\n  if [[ \"$VERBOSE\" == \"true\" ]] && grep -q \"pam_tid.so\" \"$SUDO_PATH\" 2>/dev/null; then\n    echo \"  - TouchID line from $SUDO_PATH\"\n    echo\n    echo \"Your $SUDO_PATH will look like this after removal:\"\n    echo \"----------------------------------------\"\n    grep -v \"pam_tid.so\" \"$SUDO_PATH\" | grep -v \"pam_reattach.so\"\n    echo \"----------------------------------------\"\n  fi\n\n  wait_for_user\n\n  # Now proceed with removal\n  local files_removed=0\n\n  # Remove sudo_local file (macOS 14+)\n  if [[ -f \"$SUDO_LOCAL_PATH\" ]]; then\n    sudo rm -f \"$SUDO_LOCAL_PATH\"\n    verbose_echo \"Removed $SUDO_LOCAL_PATH\"\n    files_removed=$((files_removed + 1))\n  fi\n\n  # Remove legacy PAM file\n  if [[ -f \"$LEGACY_PAM_FILE\" ]]; then\n    sudo rm -f \"$LEGACY_PAM_FILE\"\n    verbose_echo \"Removed $LEGACY_PAM_FILE\"\n    files_removed=$((files_removed + 1))\n  fi\n\n  # Check for legacy configuration in /etc/pam.d/sudo\n  if grep -q \"pam_tid.so\\|pam_reattach.so\" \"$SUDO_PATH\" 
2>/dev/null; then\n    sudo cp \"$SUDO_PATH\" \"$SUDO_PATH.bak\"\n    sudo sed -i '.bak' '/pam_tid\\.so/d' \"$SUDO_PATH\"\n    sudo sed -i '.bak' '/pam_reattach\\.so/d' \"$SUDO_PATH\"\n    verbose_echo \"Removed TouchID configuration from $SUDO_PATH (backup saved as $SUDO_PATH.bak)\"\n    files_removed=$((files_removed + 1))\n  fi\n\n  status_echo\n  status_echo \"$readable_name has been disabled.\"\n}\n\n\nsudo_touchid() {\n  local include_reattach=\"false\"\n  local action=\"install\"\n\n  for opt in \"${@}\"; do\n    case \"$opt\" in\n    -v | --version)\n      echo \"v$VERSION\"\n      return 0\n      ;;\n    -d | --disable)\n      action=\"disable\"\n      ;;\n    --with-reattach)\n      include_reattach=\"true\"\n      ;;\n    --migrate)\n      action=\"migrate\"\n      ;;\n    --verbose)\n      VERBOSE=true\n      ;;\n    -q | --quiet)\n      QUIET=true\n      ;;\n    -y | --yes)\n      AUTO_YES=true\n      ;;\n    -h | --help)\n      usage\n      return 0\n      ;;\n    *)\n      echo \"Unknown option: $opt\"\n      usage\n      return 1\n      ;;\n    esac\n  done\n\n  case \"$action\" in\n  install)\n    sudo_touchid_install \"$include_reattach\"\n    ;;\n  disable)\n    sudo_touchid_disable\n    ;;\n  migrate)\n    migrate_legacy_configuration\n    ;;\n  esac\n}\n\nsudo_touchid \"${@}\"\n"
  }
]