Remove sudo requirement from setup command

- Update CLAUDE.md documentation to remove sudo prefix from setup examples
- Add velo group check to doctor command for better diagnostics
- Fix setup to remove old sudoers file before creating new one (prevents ownership issues)
- Set proper ownership (root:root) for sudoers file
- Update error messages to suggest setup without sudo prefix

All tests passing after changes.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: elitan

CLAUDE.md

@@ -3,7 +3,7 @@
 - never create markdown (`.md`) files after you are done. Never!
 - never use emojis unless told to do so.
 - i know i'm absolutly right. no need to tell me.
-- **NEVER use sudo when running velo commands** (except for the one-time `sudo velo setup` command). After setup, all commands run without sudo using ZFS delegation and Docker permissions.
+- **NEVER use sudo when running velo commands**. After setup, all commands run without sudo using ZFS delegation and Docker permissions.
 
 This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
 
@@ -30,16 +30,19 @@ bun install
 # Build the CLI
 bun run build
 
-# Run directly (development)
+# Link for development (one-time setup)
+bun link
+
+# After linking, just rebuild to update the binary
+bun run build  # The symlink automatically points to updated dist/velo
+
+# Run directly (development, without building)
 bun run src/index.ts
 # or
 bun run dev
 
-# Install globally
-sudo cp dist/velo /usr/local/bin/
-
 # Setup permissions (one-time, required before use)
-sudo velo setup
+velo setup
 
 # Run tests (cleans up first, then runs in parallel)
 bun run test           # Runs all tests via ./scripts/test.sh
@@ -239,7 +242,7 @@ Naming validation: Only `[a-zA-Z0-9_-]+` allowed for project/branch names
 
 **One-time setup required:**
 ```bash
-sudo velo setup
+velo setup
 ```
 
 This command:
@@ -329,7 +332,7 @@ When modifying branching logic:
 - Docker must be running with socket at `/var/run/docker.sock`
 - Bun runtime required (not Node.js)
 - ZFS pool must exist before running setup (auto-detected)
-- One-time permission setup required (`sudo velo setup`)
+- One-time permission setup required (`velo setup`)
 - Mount/unmount operations require sudo due to Linux kernel CAP_SYS_ADMIN requirement
 - Port allocation is dynamic via Docker (automatically assigns available ports)
 - Credentials stored in plain text in state.json (TODO: encrypt)

src/commands/doctor.ts

@@ -59,6 +59,7 @@ export async function doctorCommand() {
     await checkDockerInstalled(),
     await checkDockerRunning(),
     await checkDockerPermissions(),
+    await checkVeloGroup(),
     await checkDockerImages(),
   ];
   allResults.push(...dockerResults);
@@ -136,7 +137,7 @@ function printSummary(allResults: CheckResult[]) {
     console.log('✗ Issues detected. Please fix the failed checks above.');
     console.log();
     console.log('Common fixes:');
-    console.log(`  • Run setup: sudo ${CLI_NAME} setup`);
+    console.log(`  • Run setup: ${CLI_NAME} setup`);
     console.log('  • Create ZFS pool: sudo zpool create tank /dev/sdb');
     console.log('  • Log out and back in (for group changes)');
   } else if (warnings > 0) {
@@ -331,7 +332,7 @@ async function checkZFSPermissions(): Promise<CheckResult> {
         status: 'fail',
         message: 'ZFS permissions not configured',
         details: [
-          `Run setup: sudo ${CLI_NAME} setup`,
+          `Run setup: ${CLI_NAME} setup`,
           'This grants ZFS delegation permissions to your user',
         ],
       };
@@ -474,6 +475,46 @@ async function checkDockerPermissions(): Promise<CheckResult> {
   }
 }
 
+async function checkVeloGroup(): Promise<CheckResult> {
+  try {
+    // Skip check if running as root
+    if (process.getuid && process.getuid() === 0) {
+      return {
+        name: `${CLI_NAME} Group`,
+        status: 'warn',
+        message: 'Running as root - group check skipped',
+      };
+    }
+
+    const groups = await $`groups`.text();
+    const hasVeloGroup = groups.includes(CLI_NAME);
+
+    if (hasVeloGroup) {
+      return {
+        name: `${CLI_NAME} Group`,
+        status: 'pass',
+        message: `User in ${CLI_NAME} group`,
+      };
+    } else {
+      return {
+        name: `${CLI_NAME} Group`,
+        status: 'fail',
+        message: `Not in ${CLI_NAME} group`,
+        details: [
+          `Run setup: ${CLI_NAME} setup`,
+          'Then log out and back in',
+        ],
+      };
+    }
+  } catch (error) {
+    return {
+      name: `${CLI_NAME} Group`,
+      status: 'fail',
+      message: 'Unable to check group membership',
+    };
+  }
+}
+
 async function checkDockerImages(): Promise<CheckResult> {
   try {
     const docker = new DockerManager();

src/commands/setup.ts

@@ -182,6 +182,14 @@ export async function setupCommand() {
   console.log(chalk.bold('[5/5]'), 'Installing sudoers configuration...');
 
   try {
+    // Remove old sudoers file if it exists (to avoid ownership issues)
+    const sudoersPath = `/etc/sudoers.d/${CLI_NAME}`;
+    try {
+      await $`sudo rm -f ${sudoersPath}`.quiet();
+    } catch (error) {
+      // Ignore errors if file doesn't exist
+    }
+
     // Create group if needed
     try {
       await $`getent group ${CLI_NAME}`.quiet();
@@ -207,7 +215,6 @@ export async function setupCommand() {
     const homeDir = await $`getent passwd ${actualUser}`.text().then(s => s.trim().split(':')[5]);
 
     // Create sudoers file
-    const sudoersPath = `/etc/sudoers.d/${CLI_NAME}`;
     const sudoersContent = `# ${TOOL_NAME} - PostgreSQL database branching tool
 # This file grants minimal sudo permissions for required operations
 
@@ -234,6 +241,7 @@ export async function setupCommand() {
     const tmpFile = `/tmp/${CLI_NAME}-sudoers-${Date.now()}`;
     await fs.writeFile(tmpFile, sudoersContent);
     await $`sudo mv ${tmpFile} ${sudoersPath}`;
+    await $`sudo chown root:root ${sudoersPath}`;
     await $`sudo chmod 0440 ${sudoersPath}`;
 
     // Verify sudoers syntax

src/utils/zfs-permissions.ts

@@ -87,14 +87,14 @@ export async function validateZFSPermissions(pool: string, datasetBase: string):
     console.error();
     console.error(chalk.bold('To fix this, run the one-time setup:'));
     console.error();
-    console.error(chalk.cyan(`  sudo ${CLI_NAME} setup`));
+    console.error(chalk.cyan(`  ${CLI_NAME} setup`));
     console.error();
     console.error(chalk.dim('This will grant the necessary ZFS permissions to your user account.'));
     console.error(chalk.dim(`Dataset: ${pool}/${datasetBase}`));
     console.error(chalk.dim(`User: ${username}`));
     console.error();
 
-    throw new Error(`ZFS permissions not configured. Run: sudo ${CLI_NAME} setup`);
+    throw new Error(`ZFS permissions not configured. Run: ${CLI_NAME} setup`);
   }
 }
 
@@ -134,13 +134,13 @@ export async function validateDockerPermissions(): Promise<void> {
     console.error();
     console.error(chalk.bold('To fix this, run the one-time setup:'));
     console.error();
-    console.error(chalk.cyan(`  sudo ${CLI_NAME} setup`));
+    console.error(chalk.cyan(`  ${CLI_NAME} setup`));
     console.error();
     console.error(chalk.dim('Then log out and log back in for the docker group to take effect.'));
     console.error(chalk.dim(`User: ${username}`));
     console.error();
 
-    throw new Error(`Docker permissions not configured. Run: sudo ${CLI_NAME} setup and re-login.`);
+    throw new Error(`Docker permissions not configured. Run: ${CLI_NAME} setup and re-login.`);
   }
 }