Fix some scripting issues

installer/scripts/darwin_build_installer.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+set -e
+
+# Get the directory where this script is located
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+INSTALLER_ROOT="${SCRIPT_DIR}/.."
+
+echo "=== Building Safe Chain Installer for macOS ==="
+
+# Ensure we are in the installer directory
+cd "${INSTALLER_ROOT}"
+
+# Install dependencies
+echo "Installing build dependencies..."
+npm install
+
+# Build the binary and installer using the Node.js build script
+echo "Building binary and installer..."
+node build.js --platform=macos
+
+echo "Done."

installer/scripts/darwin_postinstall.sh

@@ -12,32 +12,32 @@ mkdir -p /usr/local/bin
 cp "${INSTALL_LOCATION}/safe-chain" /usr/local/bin/safe-chain
 chmod +x /usr/local/bin/safe-chain
 
-# Setup certificate directory in user's home
-# The proxy will use ~/.safe-chain/certs/ so we need to ensure it exists
-# and install the certificate from there
-# Get the actual user (not root) who invoked the installer
-# When using 'installer' command, SUDO_USER is not set, so we use the console user
-ACTUAL_USER=$(stat -f '%Su' /dev/console)
-
-# Get the home directory of the actual user
-USER_HOME=$(eval echo "~${ACTUAL_USER}")
-
-CERT_DIR="${USER_HOME}/.safe-chain/certs"
+# Setup system-wide certificate directory
+# We use a shared location so we don't need to worry about which user is running the agent
+CERT_DIR="/usr/local/share/safe-chain/certs"
 mkdir -p "${CERT_DIR}"
-# Set ownership immediately after creating directory
-chown -R "${ACTUAL_USER}:staff" "${USER_HOME}/.safe-chain"
 
 # Generate certificate if it doesn't exist
-# This ensures the same cert is used by both the proxy and system trust store
 if [ ! -f "${CERT_DIR}/ca-cert.pem" ]; then
   echo "Generating Safe Chain CA certificate..."
-  # Run as the actual user with their HOME set, not root
-  sudo -u "${ACTUAL_USER}" HOME="${USER_HOME}" /usr/local/bin/safe-chain generate-cert --output "${CERT_DIR}"
+  # Run as root (installer context) - no need to switch users
+  /usr/local/bin/safe-chain _generate-cert --output "${CERT_DIR}"
 fi
 
-# Set correct ownership (important since installer runs as root)
-# Do this AFTER generating certificates so they get the right ownership too
-chown -R "${ACTUAL_USER}:staff" "${USER_HOME}/.safe-chain"
+# Set permissions so any user can read the certs (required for the agent to load them)
+# Directory is executable/readable by all
+chmod 755 "/usr/local/share/safe-chain"
+chmod 755 "${CERT_DIR}"
+
+# PUBLIC Certificate: Readable by everyone (644)
+chmod 644 "${CERT_DIR}/ca-cert.pem"
+
+# PRIVATE Key: Readable ONLY by the owner (600)
+# This is critical for security.
+chmod 600 "${CERT_DIR}/ca-key.pem"
+
+# Ensure the actual user owns the files so the agent (running as user) can read them
+chown -R "${ACTUAL_USER}:staff" "/usr/local/share/safe-chain"
 
 # Install certificate in system trust store
 echo "Installing Safe Chain CA certificate in system trust store..."
@@ -52,9 +52,15 @@ fi
 # Start safe-chain as a background service
 echo "Starting Safe Chain proxy service..."
 
+# Get the actual user to install the LaunchAgent in their home
+# (We still need this for the LaunchAgent, but not for file permissions)
+ACTUAL_USER=$(stat -f '%Su' /dev/console)
+USER_HOME=$(eval echo "~${ACTUAL_USER}")
+
 # Create LaunchAgent for auto-start on login
 LAUNCH_AGENT_DIR="${USER_HOME}/Library/LaunchAgents"
 mkdir -p "${LAUNCH_AGENT_DIR}"
+chown "${ACTUAL_USER}:staff" "${LAUNCH_AGENT_DIR}"
 
 PLIST_PATH="${LAUNCH_AGENT_DIR}/com.aikido.safe-chain.plist"
 cat > "${PLIST_PATH}" << EOF
@@ -77,6 +83,8 @@ cat > "${PLIST_PATH}" << EOF
         <string>http://localhost:8080</string>
         <key>NODE_EXTRA_CA_CERTS</key>
         <string>${CERT_DIR}/ca-cert.pem</string>
+        <key>SAFE_CHAIN_CERT_DIR</key>
+        <string>${CERT_DIR}</string>
     </dict>
     <key>RunAtLoad</key>
     <true/>
@@ -93,9 +101,6 @@ EOF
 # Set correct ownership for plist
 chown "${ACTUAL_USER}:staff" "${PLIST_PATH}"
 
-# Set correct ownership for plist
-chown "${ACTUAL_USER}:staff" "${PLIST_PATH}"
-
 # Load the LaunchAgent to start the service now
 # Need to run as the actual user, not root
 sudo -u "${ACTUAL_USER}" launchctl load "${PLIST_PATH}" 2>/dev/null || true

installer/scripts/darwin_uninstall.sh

@@ -3,36 +3,54 @@ set -e
 
 echo "Uninstalling Safe Chain..."
 
-USER_HOME="${HOME}"
-if [ -z "${USER_HOME}" ]; then
-  USER_HOME=~
+# Get the actual user
+if [ -n "${SUDO_USER}" ]; then
+  ACTUAL_USER="${SUDO_USER}"
+else
+  ACTUAL_USER=$(stat -f '%Su' /dev/console)
 fi
 
+# Get the home directory of the actual user
+USER_HOME=$(eval echo "~${ACTUAL_USER}")
+
+echo "Detected user: ${ACTUAL_USER}"
+echo "User home: ${USER_HOME}"
+
 # Stop and unload the LaunchAgent
 PLIST_PATH="${USER_HOME}/Library/LaunchAgents/com.aikido.safe-chain.plist"
+SERVICE_LABEL="com.aikido.safe-chain"
+
+echo "Stopping Safe Chain service..."
 if [ -f "${PLIST_PATH}" ]; then
-  echo "Stopping Safe Chain service..."
-  launchctl unload "${PLIST_PATH}" 2>/dev/null || true
+  # Run launchctl as the user
+  sudo -u "${ACTUAL_USER}" launchctl unload "${PLIST_PATH}" 2>/dev/null || true
   rm -f "${PLIST_PATH}"
 fi
 
+# Ensure service is removed even if plist is gone
+sudo -u "${ACTUAL_USER}" launchctl remove "${SERVICE_LABEL}" 2>/dev/null || true
+
 # Remove system-wide environment variables
 echo "Removing proxy environment variables..."
-launchctl unsetenv HTTPS_PROXY 2>/dev/null || true
-launchctl unsetenv GLOBAL_AGENT_HTTP_PROXY 2>/dev/null || true
-launchctl unsetenv NODE_EXTRA_CA_CERTS 2>/dev/null || true
+# Run launchctl as the user
+sudo -u "${ACTUAL_USER}" launchctl unsetenv HTTPS_PROXY 2>/dev/null || true
+sudo -u "${ACTUAL_USER}" launchctl unsetenv GLOBAL_AGENT_HTTP_PROXY 2>/dev/null || true
+sudo -u "${ACTUAL_USER}" launchctl unsetenv NODE_EXTRA_CA_CERTS 2>/dev/null || true
 
 # Remove binary
 rm -f /usr/local/bin/safe-chain
 
 # Remove certificate from system keychain
-CERT_PATH="${USER_HOME}/.safe-chain/certs/ca-cert.pem"
-if [ -f "${CERT_PATH}" ]; then
+CERT_DIR="/usr/local/share/safe-chain/certs"
+if [ -f "${CERT_DIR}/ca-cert.pem" ]; then
   echo "Removing certificate from system trust store..."
   # Find and delete the certificate by common name
   security delete-certificate -c "safe-chain proxy" /Library/Keychains/System.keychain 2>/dev/null || true
 fi
 
+# Remove system-wide configuration and certificates
+rm -rf /usr/local/share/safe-chain
+
 # Optionally remove the .safe-chain directory (commented out to preserve user data)
 # echo "Remove ~/.safe-chain directory? (y/N)"
 # read -r response

installer/scripts/linux_build_installer.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+echo "=== Building Safe Chain Installer for Linux ==="
+echo "TODO: Implement Linux installer build"
+echo "This is a placeholder script."
+exit 0

installer/scripts/windows_build_installer.bat

@@ -0,0 +1,5 @@
+@echo off
+echo === Building Safe Chain Installer for Windows ===
+echo TODO: Implement Windows installer build
+echo This is a placeholder script.
+exit /b 0