> ## Documentation Index
> Fetch the complete documentation index at: https://docs.yespapa.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Features

> Full feature overview of YesPaPa's TOTP gate, mobile app, and self-hosting

## Offline TOTP Control Gate (Inner Ring)

The core of YesPaPa. Works with zero infrastructure, zero network, zero accounts.

* **Shell interception** — Aliases dangerous commands (`rm`, `chmod`, `kill`, `git push --force`, etc.) to route through the YesPaPa daemon before execution
* **TOTP authentication** — RFC 6238 compliant. Works with any standard authenticator app (Google Authenticator, Authy, 1Password, Microsoft Authenticator)
* **Pattern-based rules** — Configurable deny-list and allow-list with glob patterns and bundle categories (destructive, git-rewrite, privilege, network, process)
* **Master key recovery** — Set a master key during init for recovery if you lose your authenticator
* **Tamper detection** — Heartbeat every 30s checks that shell interceptors are still active. If an agent removes them, they're automatically re-injected
* **Uninstall protection** — `yespapa uninstall` requires TOTP or master key. Agents cannot remove their own guardrails

## YesPaPa Mobile App (Outer Ring)

Adds push notifications and one-tap approvals on top of the TOTP gate. Optional, always free. [Download at get.yespapa.app](https://get.yespapa.app).

* **Push notifications** — Get notified on your phone when a command is intercepted. Uses Expo Push Notifications (APNs for iOS, FCM for Android)
* **One-tap approve/deny** — Approve or deny commands directly from the notification or the app's Command Queue screen
* **Approve with message** — Send a message back to the agent along with your approval (e.g., "only delete the dist folder, not src")
* **Multi-host support** — Pair multiple machines to a single phone. Each host shows its own TOTP code and command queue
* **QR pairing** — Single QR scan pairs the mobile app and transfers the TOTP seed in one operation

## Auto-Bypass (Grace Periods)

Temporarily skip TOTP prompts for approved scopes.

* **Scoped bypasses** — Bypass all commands, or only specific bundles (destructive, git-rewrite, etc.)
* **Time-limited** — 1 hour, 24 hours, or 7 days. Cryptographically enforced expiry
* **HMAC-signed tokens** — Grace tokens are signed with the TOTP seed. Cannot be forged or extended without the seed
* **Remote sync** — Grace periods sync between daemon and mobile app. Activate from your phone, enforce on your machine
* **Revocable** — Revoke any bypass instantly from CLI or mobile app

## Self-Hosting

Run your own remote server for maximum security and control.

* **Open protocol** — The daemon-to-remote communication protocol is documented and backend-agnostic
* **Docker reference implementation** — Full standalone server with Express, WebSocket, SQLite, and JWT authentication
* **Supabase reference implementation** — Full SQL migrations, RLS policies, and Edge Functions provided
* **Default hosted option** — A free hosted remote server is provided by default. No setup required
* **Zero-trust architecture** — Even with a self-hosted server, every approval is validated locally with TOTP. The server cannot forge approvals

## CLI

Full-featured command-line interface:

* `yespapa init` — Initialize on a new machine
* `yespapa status` — Show current state
* `yespapa rules list|add|remove` — Manage interception rules
* `yespapa bypass activate|list|revoke` — Manage auto-bypasses
* `yespapa config list|get|set` — Manage configuration (timeout, sudo bypass, etc.)
* `yespapa exec` — Programmatic command execution (disabled by default)
* `yespapa approve` — Approve a pending command from another terminal
* `yespapa test` — Send a test command to verify mobile app connectivity
* `yespapa uninstall` — Remove YesPaPa (requires TOTP)

See [CLI Reference](/cli-reference) for details.