agent-vault/install.sh at main · Infisical/agent-vault · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
#!/bin/sh
set -e

# Agent Vault installer
# Usage: curl --proto '=https' --proto-redir '=https' --tlsv1.2 -fsSL https://get.agent-vault.dev | sh
#
# Supports: macOS (Intel + Apple Silicon), Linux (amd64 + arm64)
# Works for both fresh install and upgrade.
#
# Privacy: on successful install, sends an anonymous ping with OS, arch,
# and version only — no identifiers, no IP retention. Opt out with:
#   curl --proto '=https' --proto-redir '=https' --tlsv1.2 -fsSL https://get.agent-vault.dev | AGENT_VAULT_NO_TELEMETRY=1 sh

REPO="Infisical/agent-vault"
INSTALL_DIR="/usr/local/bin"
DATA_DIR="$HOME/.agent-vault"
PID_FILE="$DATA_DIR/agent-vault.pid"
DB_FILE="$DATA_DIR/agent-vault.db"

# HTTPS-only on initial request and on any redirect; refuse legacy TLS.
# Defends against an HTTP redirect-downgrade on the supply-chain path.
CURL_HARDEN="--proto =https --proto-redir =https --tlsv1.2"

# ── Helpers ──────────────────────────────────────────────────────────────────

info()  { printf '  %s\n' "$*"; }
warn()  { printf '  [warn] %s\n' "$*" >&2; }
error() { printf '  [error] %s\n' "$*" >&2; exit 1; }

cleanup() {
    if [ -n "$TMP_DIR" ] && [ -d "$TMP_DIR" ]; then
        rm -rf "$TMP_DIR"
    fi
}
trap cleanup EXIT

need_cmd() {
    if ! command -v "$1" > /dev/null 2>&1; then
        error "Required command '$1' not found. Please install it and try again."
    fi
}

# Use sudo only if we don't have write permission to INSTALL_DIR.
maybe_sudo() {
    if [ -w "$INSTALL_DIR" ]; then
        "$@"
    else
        info "Elevated permissions required to write to $INSTALL_DIR"
        sudo "$@"
    fi
}

# ── Detect platform ─────────────────────────────────────────────────────────

detect_os() {
    case "$(uname -s)" in
        Darwin) echo "darwin" ;;
        Linux)  echo "linux" ;;
        *)      error "Unsupported operating system: $(uname -s). This installer supports macOS and Linux." ;;
    esac
}

detect_arch() {
    case "$(uname -m)" in
        x86_64|amd64)   echo "amd64" ;;
        arm64|aarch64)  echo "arm64" ;;
        *)              error "Unsupported architecture: $(uname -m). This installer supports x86_64 and arm64." ;;
    esac
}

# ── Main ─────────────────────────────────────────────────────────────────────

main() {
    need_cmd curl
    need_cmd tar
    need_cmd uname

    OS="$(detect_os)"
    ARCH="$(detect_arch)"

    info "Detected platform: ${OS}/${ARCH}"

    # ── Check for existing installation ──────────────────────────────────

    EXISTING_VERSION=""
    SERVER_WAS_RUNNING=false

    if command -v agent-vault > /dev/null 2>&1; then
        EXISTING_VERSION="$(agent-vault version 2>/dev/null || echo "unknown")"
        info "Existing installation found: ${EXISTING_VERSION}"

        # ── Stop running server ──────────────────────────────────────────
        if [ -f "$PID_FILE" ]; then
            PID="$(cat "$PID_FILE" 2>/dev/null || echo "")"
            if [ -n "$PID" ] && kill -0 "$PID" 2>/dev/null; then
                info "Stopping running server (PID ${PID})..."
                agent-vault server stop 2>/dev/null || true
                # Wait up to 10 seconds for the process to exit
                i=0
                while [ $i -lt 20 ] && kill -0 "$PID" 2>/dev/null; do
                    sleep 0.5
                    i=$((i + 1))
                done
                if kill -0 "$PID" 2>/dev/null; then
                    warn "Server did not stop within 10 seconds. Proceeding anyway."
                else
                    info "Server stopped."
                    SERVER_WAS_RUNNING=true
                fi
            fi
        fi

        # ── Back up database ─────────────────────────────────────────────
        if [ -f "$DB_FILE" ]; then
            TIMESTAMP="$(date +%Y%m%d-%H%M%S)"
            BACKUP_FILE="${DB_FILE}.backup-${TIMESTAMP}"
            info "Backing up database to ${BACKUP_FILE}"
            cp "$DB_FILE" "$BACKUP_FILE"
            # Also back up WAL and SHM files if they exist
            [ -f "${DB_FILE}-wal" ] && cp "${DB_FILE}-wal" "${BACKUP_FILE}-wal"
            [ -f "${DB_FILE}-shm" ] && cp "${DB_FILE}-shm" "${BACKUP_FILE}-shm"
        fi
    fi

    # ── Fetch latest version ─────────────────────────────────────────────

    info "Fetching latest release..."
    # shellcheck disable=SC2086 # CURL_HARDEN is a flag list — word-splitting is intentional
    LATEST="$(curl $CURL_HARDEN -fsSL "https://api.github.com/repos/${REPO}/releases/latest" \
        | grep '"tag_name"' | head -1 | sed 's/.*"tag_name":[[:space:]]*"v\{0,1\}\([^"]*\)".*/\1/')"

    if [ -z "$LATEST" ]; then
        error "Could not determine the latest release version. Check your internet connection or try again later."
    fi

    info "Latest version: v${LATEST}"

    # ── Download and extract ─────────────────────────────────────────────

    ARCHIVE="agent-vault_${LATEST}_${OS}_${ARCH}.tar.gz"
    URL="https://github.com/${REPO}/releases/download/v${LATEST}/${ARCHIVE}"

    TMP_DIR="$(mktemp -d)"
    info "Downloading ${ARCHIVE}..."

    # shellcheck disable=SC2086 # CURL_HARDEN is a flag list — word-splitting is intentional
    if ! curl $CURL_HARDEN -fSL --progress-bar -o "${TMP_DIR}/${ARCHIVE}" "$URL"; then
        error "Download failed. The release may not include a binary for ${OS}/${ARCH}."
    fi

    info "Extracting..."
    tar xzf "${TMP_DIR}/${ARCHIVE}" -C "$TMP_DIR"

    if [ ! -f "${TMP_DIR}/agent-vault" ]; then
        error "Archive did not contain the expected 'agent-vault' binary."
    fi

    chmod +x "${TMP_DIR}/agent-vault"

    # ── Install ──────────────────────────────────────────────────────────

    maybe_sudo mv "${TMP_DIR}/agent-vault" "${INSTALL_DIR}/agent-vault"

    # ── Verify ───────────────────────────────────────────────────────────

    INSTALLED_VERSION="$(agent-vault version 2>/dev/null || echo "")"
    if [ -z "$INSTALLED_VERSION" ]; then
        warn "Could not verify installed binary."
        if [ -n "$BACKUP_FILE" ]; then
            warn "A database backup was saved at: ${BACKUP_FILE}"
        fi
        error "Installation may have failed. Check that ${INSTALL_DIR} is in your PATH."
    fi

    echo ""
    info "Agent Vault ${INSTALLED_VERSION} installed successfully."

    if [ -n "$EXISTING_VERSION" ] && [ "$EXISTING_VERSION" != "unknown" ]; then
        info "Upgraded from ${EXISTING_VERSION}"
        if [ -n "$BACKUP_FILE" ]; then
            info "Database backup: ${BACKUP_FILE}"
        fi
    fi

    if [ "$SERVER_WAS_RUNNING" = true ]; then
        echo ""
        info "The server was stopped for the upgrade."
        info "Run 'agent-vault server' to start it again."
        info "Database migrations (if any) will run automatically on startup."
    fi

    # Anonymous completion beacon. No PII, no identifiers.
    # Opt out: AGENT_VAULT_NO_TELEMETRY=1
    if [ -z "$AGENT_VAULT_NO_TELEMETRY" ]; then
        EVENT="install"
        if [ -n "$EXISTING_VERSION" ] && [ "$EXISTING_VERSION" != "unknown" ]; then
            EVENT="upgrade"
        fi
        # shellcheck disable=SC2086 # CURL_HARDEN is a flag list — word-splitting is intentional
        curl $CURL_HARDEN -fsS -m 3 "https://get.agent-vault.dev/ok?os=${OS}&arch=${ARCH}&v=${LATEST}&event=${EVENT}" >/dev/null 2>&1 || true
    fi
}

main "$@"