Conversation
…ers install The sudoers fragment for --apple-power-enabled was working but the README install was a 5-line sed/visudo/install dance. New make targets collapse it to one command each: make install-powermetrics-sudo make uninstall-powermetrics-sudo The install target renders the __LLMKUBE_USER__ placeholder for the current user, syntax-checks via 'visudo -cf' (refuses to install malformed files rather than break sudo), and atomically installs to /etc/sudoers.d/llmkube-powermetrics with 0440 root:wheel ownership. The granted command is then echoed back via 'sudo -ln | grep powermetrics' so the operator can verify exactly what was authorized. Privilege model is unchanged: pinned argv, single binary, opt-in. The make target only collapses the keystrokes; it does not hide anything. README still documents the fully manual install for operators who want to inspect each step. Signed-off-by: Christopher Maher <chris@mahercode.io>
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds two Makefile targets so the NOPASSWD sudoers install for `--apple-power-enabled` is a one-liner instead of a 5-line shell incantation:
Why
PR #334 shipped the Apple power gauges and a security-audited sudoers fragment, but the README install steps were:
```bash
TMP=$(mktemp)
sed "s/LLMKUBE_USER/$(whoami)/" deployment/macos/sudoers.d/llmkube-powermetrics > "$TMP"
sudo visudo -cf "$TMP"
sudo install -m 0440 -o root -g wheel "$TMP" /etc/sudoers.d/llmkube-powermetrics
rm "$TMP"
```
That's a friction wall for a feature most users will only ever opt into to feed InferCost. Make targets reduce it to one command without hiding anything: sudo still prompts (consent visible), the granted command is read back via `sudo -ln | grep powermetrics` so the operator can verify scope, and the README still documents the fully manual install for inspection.
What's in it
Privilege model
Unchanged. Pinned argv (`/usr/bin/powermetrics --samplers cpu_power,gpu_power -i [0-9]*` only), single binary, opt-in via `--apple-power-enabled` flag. The make target collapses keystrokes; it does not change what's granted.
Test plan