Offline TOTP Control Gate (Inner Ring)
The core of YesPaPa. Works with zero infrastructure, zero network, zero accounts.
- Shell interception — Aliases dangerous commands (rm, chmod, kill, git push --force, etc.) to route through the YesPaPa daemon before execution
- TOTP authentication — RFC 6238 compliant. Works with any standard authenticator app (Google Authenticator, Authy, 1Password, Microsoft Authenticator)
- Pattern-based rules — Configurable deny-list and allow-list with glob patterns and bundle categories (destructive, git-rewrite, privilege, network, process)
- Master key recovery — Set a master key during init for recovery if you lose your authenticator
- Tamper detection — Heartbeat every 30s checks that shell interceptors are still active. If an agent removes them, they’re automatically re-injected
- Uninstall protection — yespapa uninstall requires TOTP or master key. Agents cannot remove their own guardrails
YesPaPa Mobile App (Outer Ring)
Adds push notifications and one-tap approvals on top of the TOTP gate. Optional, always free.
- Push notifications — Get notified on your phone when a command is intercepted. Uses Expo Push Notifications (APNs for iOS, FCM for Android)
- One-tap approve/deny — Approve or deny commands directly from the notification or the app’s Command Queue screen
- Approve with message — Send a message back to the agent along with your approval (e.g., “only delete the dist folder, not src”)
- Multi-host support — Pair multiple machines to a single phone. Each host shows its own TOTP code and command queue
- QR pairing — Single QR scan pairs the mobile app and transfers the TOTP seed in one operation
Auto-Bypass (Grace Periods)
Temporarily skip TOTP prompts for approved scopes.
- Scoped bypasses — Bypass all commands, or only specific bundles (destructive, git-rewrite, etc.)
- Time-limited — 1 hour, 24 hours, or 7 days. Cryptographically enforced expiry
- HMAC-signed tokens — Grace tokens are signed with the TOTP seed. Cannot be forged or extended without the seed
- Remote sync — Grace periods sync between daemon and mobile app. Activate from your phone, enforce on your machine
- Revocable — Revoke any bypass instantly from CLI or mobile app
Self-Hosting
Run your own remote server for maximum security and control.
- Open protocol — The daemon-to-remote communication protocol is documented and backend-agnostic
- Docker reference implementation — Full standalone server with Express, WebSocket, SQLite, and JWT authentication
- Supabase reference implementation — Full SQL migrations, RLS policies, and Edge Functions provided
- Default hosted option — A free hosted remote server is provided by default. No setup required
- Zero-trust architecture — Even with a self-hosted server, every approval is validated locally with TOTP. The server cannot forge approvals
CLI
Full-featured command-line interface:
- yespapa init — Initialize on a new machine
- yespapa status — Show current state
- yespapa rules list|add|remove — Manage interception rules
- yespapa bypass activate|list|revoke — Manage auto-bypasses
- yespapa config list|get|set — Manage configuration (timeout, sudo bypass, etc.)
- yespapa exec — Programmatic command execution (disabled by default)
- yespapa approve — Approve a pending command from another terminal
- yespapa test — Send a test command to verify mobile app connectivity
- yespapa uninstall — Remove YesPaPa (requires TOTP)