
yespapa init

Initialize YesPaPa on a new machine.
yespapa init [--host-name <name>]
Options:
  • --host-name <name> — Custom name for this host (default: system hostname)
Steps:
  1. Generates a 160-bit TOTP seed
  2. Sets a master key (min 8 characters)
  3. Optionally pairs with the YesPaPa mobile app via remote server
  4. Displays a QR code for your authenticator app
  5. Verifies TOTP code (3 attempts)
  6. Creates ~/.yespapa/ directory with SQLite database
  7. Injects shell interceptors into .zshrc / .bashrc
  8. Seeds default deny-list rules (10 patterns)
  9. Starts the daemon in the background
Remote server pairing: When prompted to pair with the mobile app, the init flow asks for:
  • Remote server type — supabase (default) or selfhosted. Choose selfhosted if you are running your own backend that implements the YesPaPa protocol.
  • Remote server URL — The URL of the remote server. Defaults can be overridden with the YESPAPA_DEFAULT_REMOTE_URL environment variable.
  • Remote server key — The anonymous/public key for the remote server. Defaults can be overridden with the YESPAPA_DEFAULT_REMOTE_KEY environment variable.
The init flow will:
  • Connect and authenticate with the remote server
  • Register this host
  • Display a standard otpauth:// QR code (scannable by any TOTP app)
  • Display a pairing QR code / deep link for the YesPaPa mobile app (yespapa://pair?...)
  • Store remote config in the local database
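
What init steps 1, 4 and 5 amount to in standard TOTP terms (RFC 4226 / RFC 6238), as an added example that is not YesPaPa's own code. The issuer label, the host name, the SHA-1 / 6-digit / 30-second parameters and the one-step drift window are assumptions; the page states only the 160-bit seed and the otpauth:// format.

```python
import base64, hashlib, hmac, secrets, struct
from urllib.parse import quote

PERIOD, DIGITS = 30, 6  # assumed authenticator defaults; not stated on the page

def new_seed() -> bytes:
    """160-bit (20-byte) seed from the OS CSPRNG."""
    return secrets.token_bytes(20)

def otpauth_uri(seed: bytes, host: str, issuer: str = "YesPaPa") -> str:
    """otpauth:// URI as encoded in the QR code; issuer and label are assumed."""
    secret = base64.b32encode(seed).decode().rstrip("=")
    label = quote(f"{issuer}:{host}")
    return (f"otpauth://totp/{label}?secret={secret}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={PERIOD}")

def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, dynamic truncation, zero-pad."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(seed: bytes, at: float, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / period)."""
    return hotp(seed, int(at) // PERIOD, digits)

def verify(seed: bytes, candidate: str, at: float, window: int = 1) -> bool:
    """Accept the current time step +/- window to tolerate clock drift."""
    step, ok = int(at) // PERIOD, False
    for c in range(max(0, step - window), step + window + 1):
        # Constant-time compare; no early exit, so every step is evaluated.
        ok |= hmac.compare_digest(hotp(seed, c).encode(), candidate.encode())
    return ok

if __name__ == "__main__":
    import time
    seed = new_seed()
    print(otpauth_uri(seed, "build-01"))  # "build-01" is a constructed host name
    print(totp(seed, time.time()))
```

A wider verification window tolerates more clock drift but also lengthens the time a captured code stays valid.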

yespapa status

Show the current state of YesPaPa.
yespapa status
Output includes:
  • Host name
  • Daemon status (running/stopped, PID)
  • Socket status (active/not found)
  • Interceptor status (installed/not installed)
  • Remote server status (configured/offline)
  • Pending commands count
  • Active auto-bypasses count
  • Recent commands (last 5)

yespapa rules

Manage interception rules.

yespapa rules list

yespapa rules list
Shows all configured rules (deny-list and allow-list) with their patterns, types, and bundles.

yespapa rules add

yespapa rules add --pattern <glob> --type <deny|allow> [--bundle <name>]
Options:
  • --pattern <glob> — Glob pattern to match commands (e.g., rm -rf *, docker rm *)
  • --type <deny|allow> — Whether to intercept (deny) or skip (allow)
  • --bundle <name> — Category name (destructive, git-rewrite, privilege, network, process)
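
A pre-flight check for deny patterns before they are added with yespapa rules add, as an added example that is not part of YesPaPa. It assumes the whole command line is matched with shell-style glob semantics equivalent to Python's fnmatchcase, which the page does not specify; the pattern sets and command lists are constructed.

```python
from fnmatch import fnmatchcase

def matching_rule(command, deny_patterns):
    """Return the first deny pattern matching the full command line, or None."""
    for pattern in deny_patterns:
        if fnmatchcase(command, pattern):
            return pattern
    return None

def review_rules(deny_patterns, must_intercept, must_pass):
    """Report commands a rule set fails to catch and commands it catches by accident."""
    gaps = [c for c in must_intercept
            if matching_rule(c, deny_patterns) is None]
    overreach = {c: matching_rule(c, deny_patterns) for c in must_pass
                 if matching_rule(c, deny_patterns) is not None}
    return gaps, overreach

# Constructed expectations: what the operator wants gated, and what should run freely.
MUST_INTERCEPT = ["rm -rf build", "rm -fr build", "rm -r -f build",
                  "docker rm web", "docker container rm web"]
MUST_PASS = ["docker ps", "docker run --rm alpine true", "ls -la"]

# Two constructed candidate rule sets for the same intent.
NARROW = ["rm -rf *", "docker rm *"]   # literal spellings only
BROAD = ["rm -*", "docker *rm *"]      # wider globs

if __name__ == "__main__":
    for name, rules in (("narrow", NARROW), ("broad", BROAD)):
        gaps, overreach = review_rules(rules, MUST_INTERCEPT, MUST_PASS)
        print(name, "not intercepted:", gaps)
        print(name, "intercepted unexpectedly:", overreach)
```

The narrow set leaves equivalent spellings of the same command unmatched, while the broad set closes those gaps at the cost of prompting on a harmless command.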

yespapa rules remove

yespapa rules remove --id <rule-id>

yespapa bypass

Manage auto-bypass (grace periods).

yespapa bypass activate

yespapa bypass activate --scope <scope> --duration <duration>
Requires TOTP code or master key. Options:
  • --scope <scope> — all or a bundle name (destructive, git-rewrite, privilege, network, process)
  • --duration <duration> — 1h, 24h, or 7d

yespapa bypass list

yespapa bypass list
Shows active auto-bypasses with scope, remaining time, and ID.

yespapa bypass revoke

yespapa bypass revoke [--id <bypass-id>]
Requires TOTP code or master key. Revokes a specific bypass or all if --id is omitted.

yespapa test

Send a test command to verify mobile app connectivity.
yespapa test
Connects to the remote server, inserts a test command, and waits for you to approve/deny from the mobile app. Verifies the full push notification pipeline.

yespapa config

Manage YesPaPa configuration. Changes require TOTP or master key authentication.

yespapa config list

yespapa config list
Shows all config keys with current values, defaults, and descriptions.

yespapa config get

yespapa config get <key>
Get a single config value.

yespapa config set

yespapa config set <key> <value>
Set a config value (requires TOTP or master key). Restart the daemon after changes. Available config keys:
| Key | Default | Description |
| --- | --- | --- |
| allow_password_bypass | true | Allow master key as TOTP bypass for command approval |
| default_timeout | 120 | Approval timeout in seconds (0 = wait forever) |
| allow_sudo_bypass | true | Auto-approve sudo commands (false = require TOTP) |
| allow_remote_exec | false | Enable yespapa exec for programmatic access |

yespapa exec

Execute a command through the YesPaPa gateway programmatically.
yespapa exec [--justification <reason>] [--timeout <seconds>] -- <command>
Disabled by default. Enable with yespapa config set allow_remote_exec true. Options:
  • --justification <reason> — Reason for running this command (displayed to approver)
  • --timeout <seconds> — Timeout in seconds (0 = wait forever, default: 0)
Output: Structured JSON events on stderr for agent consumption.

yespapa approve

Approve a pending command by ID.
yespapa approve <command_id>
Requires TOTP code or master key. Useful for approving commands from another terminal.

yespapa uninstall

Remove YesPaPa from this machine.
yespapa uninstall
Requires TOTP code or master key. Removes:
  • Shell interceptors from profile files
  • Daemon process
  • ~/.yespapa/ directory and database
  • Unix socket

Environment Variables

| Variable | Description |
| --- | --- |
| YESPAPA_DEBUG | Legacy — JSON events are now always emitted on stderr |
| YESPAPA_DEFAULT_REMOTE_URL | Override the default remote server URL (used during yespapa init) |
| YESPAPA_DEFAULT_REMOTE_KEY | Override the default remote server key (used during yespapa init) |
| REMOTE_URL | Remote server URL (set during init) |
| REMOTE_KEY | Remote server anonymous key (set during init) |