@openape/ape-agent 2.10.0 → 2.11.0

package/dist/service-bridge-main.mjs

@@ -33,15 +33,15 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
 ));
 
 // ../../packages/apes/dist/chunk-OBF7IMQ2.js
-import { homedir } from "os";
-import { join } from "path";
-var CONFIG_DIR, AUTH_FILE, CONFIG_FILE;
+import { homedir as homedir2 } from "os";
+import { join as join2 } from "path";
+var CONFIG_DIR2, AUTH_FILE, CONFIG_FILE;
 var init_chunk_OBF7IMQ2 = __esm({
   "../../packages/apes/dist/chunk-OBF7IMQ2.js"() {
     "use strict";
-    CONFIG_DIR = join(homedir(), ".config", "apes");
-    AUTH_FILE = join(CONFIG_DIR, "auth.json");
-    CONFIG_FILE = join(CONFIG_DIR, "config.toml");
+    CONFIG_DIR2 = join2(homedir2(), ".config", "apes");
+    AUTH_FILE = join2(CONFIG_DIR2, "auth.json");
+    CONFIG_FILE = join2(CONFIG_DIR2, "config.toml");
   }
 });
 
@@ -1080,20 +1080,9 @@ import process4 from "process";
 import { randomUUID } from "crypto";
 import process3 from "process";
 
-// ../../packages/apes/dist/chunk-BA2V3BBO.js
-init_chunk_OBF7IMQ2();
-
-// ../../node_modules/.pnpm/citty@0.2.2/node_modules/citty/dist/index.mjs
-import { parseArgs as parseArgs$1 } from "util";
-function defineCommand(def) {
-  return def;
-}
-
-// ../../packages/shapes/dist/index.js
-import { createHash } from "crypto";
-import { existsSync as existsSync2, readdirSync, readFileSync } from "fs";
-import { homedir as homedir2 } from "os";
-import { basename, join as join2 } from "path";
+// ../../packages/apes/dist/chunk-3LH4FT4R.js
+import { homedir } from "os";
+import { dirname, join } from "path";
 
 // ../../packages/core/dist/index.js
 import * as jose from "jose";
@@ -1154,6 +1143,27 @@ async function assertPublicUrl(rawUrl, opts = {}) {
   return url;
 }
 
+// ../../packages/apes/dist/chunk-3LH4FT4R.js
+var CONFIG_DIR = join(homedir(), ".config", "openape");
+var SECRETS_DIR = join(CONFIG_DIR, "secrets.d");
+var X25519_KEY_PATH = join(CONFIG_DIR, "agent-x25519.key");
+var X25519_PUBKEY_PATH = `${X25519_KEY_PATH}.pub`;
+
+// ../../packages/apes/dist/chunk-BA2V3BBO.js
+init_chunk_OBF7IMQ2();
+
+// ../../node_modules/.pnpm/citty@0.2.2/node_modules/citty/dist/index.mjs
+import { parseArgs as parseArgs$1 } from "util";
+function defineCommand(def) {
+  return def;
+}
+
+// ../../packages/shapes/dist/index.js
+import { createHash } from "crypto";
+import { existsSync as existsSync2, readdirSync, readFileSync } from "fs";
+import { homedir as homedir22 } from "os";
+import { basename, join as join22 } from "path";
+
 // ../../packages/grants/dist/index.js
 function normalizeSelector(selector) {
   if (!selector)
@@ -2545,9 +2555,9 @@ function digest(content) {
 }
 function adapterDirs() {
   return [
-    join2(process.cwd(), ".openape", "shapes", "adapters"),
-    join2(homedir2(), ".openape", "shapes", "adapters"),
-    join2("/etc", "openape", "shapes", "adapters")
+    join22(process.cwd(), ".openape", "shapes", "adapters"),
+    join22(homedir22(), ".openape", "shapes", "adapters"),
+    join22("/etc", "openape", "shapes", "adapters")
   ];
 }
 function findByExecutable(executable) {
@@ -2557,7 +2567,7 @@ function findByExecutable(executable) {
     try {
       const files = readdirSync(dir).filter((f3) => f3.endsWith(".toml"));
       for (const file of files) {
-        const path = join2(dir, file);
+        const path = join22(dir, file);
         const content = readFileSync(path, "utf-8");
         const match = content.match(/^\s*executable\s*=\s*"([^"]+)"/m);
         if (match && match[1] === executable)
@@ -2574,7 +2584,7 @@ function resolveAdapterPath(cliId, explicitPath) {
       return explicitPath;
     throw new Error(`Adapter file not found: ${explicitPath}`);
   }
-  const candidates = adapterDirs().map((dir) => join2(dir, `${cliId}.toml`));
+  const candidates = adapterDirs().map((dir) => join22(dir, `${cliId}.toml`));
   const match = candidates.find((path) => existsSync2(path));
   if (match)
     return match;
@@ -2695,391 +2705,781 @@ init_chunk_OBF7IMQ2();
 
 // ../../packages/agent-runtime/dist/index.js
 import { spawn } from "child_process";
-import { mkdirSync, readFileSync as readFileSync2, writeFileSync } from "fs";
-import { homedir as homedir3 } from "os";
-import { dirname, normalize, resolve } from "path";
-import { homedir as homedir22 } from "os";
+import { mkdirSync as mkdirSync2, readFileSync as readFileSync3, writeFileSync as writeFileSync2 } from "fs";
+import { homedir as homedir4 } from "os";
+import { dirname as dirname2, normalize, resolve } from "path";
+import { homedir as homedir24 } from "os";
 import { resolve as resolve2 } from "path";
 import process2 from "process";
 import { execFileSync } from "child_process";
+import { readFileSync as readFileSync23 } from "fs";
+import { homedir as homedir32 } from "os";
+import { join as join4 } from "path";
 import { execFileSync as execFileSync2 } from "child_process";
-var DEFAULT_TIMEOUT_MS = 5 * 60 * 1e3;
-var MAX_STDIO_BYTES = 64 * 1024;
-var BIN = "ape-shell";
-function capStdio(s2) {
-  const buf = Buffer.from(s2, "utf8");
-  if (buf.byteLength <= MAX_STDIO_BYTES) return s2;
-  return `${buf.subarray(0, MAX_STDIO_BYTES).toString("utf8")}
-[truncated to ${MAX_STDIO_BYTES} bytes]`;
+
+// ../../packages/cli-auth/dist/index.js
+import { ofetch } from "ofetch";
+import { existsSync, mkdirSync, readFileSync as readFileSync2, readdirSync as readdirSync2, unlinkSync, writeFileSync } from "fs";
+import { homedir as homedir3 } from "os";
+import { join as join3 } from "path";
+import { ofetch as ofetch3 } from "ofetch";
+import { Buffer as Buffer2 } from "buffer";
+import { sign } from "crypto";
+import { existsSync as existsSync22, readFileSync as readFileSync22 } from "fs";
+import { homedir as homedir23 } from "os";
+import { join as join23 } from "path";
+import { ofetch as ofetch2 } from "ofetch";
+import { Buffer as Buffer3 } from "buffer";
+import { createPrivateKey } from "crypto";
+import { ofetch as ofetch4 } from "ofetch";
+import { ofetch as ofetch5 } from "ofetch";
+function getConfigDir(authHome) {
+  if (authHome) return join3(authHome, ".config", "apes");
+  const override = process.env.OPENAPE_CLI_AUTH_HOME;
+  if (override) return override;
+  return join3(homedir3(), ".config", "apes");
 }
-function runApeShell(cmd, timeoutMs = DEFAULT_TIMEOUT_MS, cwd) {
-  const bypass = process.env.OPENAPE_BYPASS_APE_SHELL === "1";
-  const [execBin, execArgs] = bypass ? ["/bin/bash", ["-c", cmd]] : [BIN, ["-c", cmd]];
-  return new Promise((resolveResult) => {
-    const child = spawn(execBin, execArgs, {
-      env: { ...process.env, APE_WAIT: "1" },
-      stdio: ["ignore", "pipe", "pipe"],
-      ...cwd ? { cwd } : {}
-    });
-    let stdout2 = "";
-    let stderr = "";
-    let timedOut = false;
-    let spawnError = null;
-    child.stdout.on("data", (chunk) => {
-      stdout2 += chunk.toString("utf8");
-    });
-    child.stderr.on("data", (chunk) => {
-      stderr += chunk.toString("utf8");
-    });
-    child.on("error", (err) => {
-      spawnError = err;
-    });
-    const timer = setTimeout(() => {
-      timedOut = true;
-      child.kill("SIGTERM");
-      setTimeout(() => {
-        try {
-          child.kill("SIGKILL");
-        } catch {
-        }
-      }, 5e3);
-    }, timeoutMs);
-    child.on("close", (code) => {
-      clearTimeout(timer);
-      if (spawnError) {
-        resolveResult({
-          stdout: "",
-          stderr: "",
-          exit_code: -1,
-          error: spawnError.message,
-          hint: `Could not exec '${execBin}'. The agent host needs @openape/apes installed globally so ape-shell is on PATH (or set OPENAPE_BYPASS_APE_SHELL=1 to skip the gated shell entirely \u2014 meant for the OpenApe pod where the container IS the sandbox).`
-        });
-        return;
-      }
-      resolveResult({
-        stdout: capStdio(stdout2),
-        stderr: capStdio(stderr),
-        exit_code: code ?? -1,
-        ...timedOut ? { timed_out: true } : {}
-      });
-    });
-  });
+function getAuthFile(authHome) {
+  return join3(getConfigDir(authHome), "auth.json");
 }
-var DEFAULTS = { DEFAULT_TIMEOUT_MS };
-var bashTools = [
-  {
-    name: "bash",
-    description: "Run a shell command on the agent host. Every invocation goes through the OpenApe DDISA grant cycle \u2014 auto-approved if the owner has a matching YOLO scope, otherwise the owner gets a push notification to approve. Runs as the agent's macOS user, so file/network access is limited to what that user can see. Returns stdout, stderr, and exit code. For repeated command patterns ask the owner to set up a YOLO scope so approvals don't pile up.",
-    parameters: {
-      type: "object",
-      properties: {
-        cmd: {
-          type: "string",
-          description: "Shell command to run, e.g. `ls -la ~/Documents`, `git status`, `curl -fsSL https://example.com`. The whole string is passed to `bash -c`; quote internally as needed."
-        },
-        timeout_ms: {
-          type: "number",
-          description: "Wall-clock cap for the whole approval-and-run cycle in milliseconds. Default 300000 (5 min). Approval waits count against this budget."
-        }
-      },
-      required: ["cmd"]
-    },
-    execute: async (args) => {
-      const a2 = args;
-      if (typeof a2.cmd !== "string" || a2.cmd.trim() === "") {
-        throw new Error("cmd must be a non-empty string");
-      }
-      const timeout = typeof a2.timeout_ms === "number" && a2.timeout_ms > 0 ? a2.timeout_ms : DEFAULTS.DEFAULT_TIMEOUT_MS;
-      return await runApeShell(a2.cmd, timeout);
-    }
+function getSpTokensDir() {
+  return join3(getConfigDir(), "sp-tokens");
+}
+function ensureConfigDir(authHome) {
+  const dir = getConfigDir(authHome);
+  if (!existsSync(dir)) {
+    mkdirSync(dir, { recursive: true, mode: 448 });
   }
-];
-var MAX_BYTES = 1024 * 1024;
-function jailPath(input) {
-  if (typeof input !== "string" || input === "") {
-    throw new Error("path must be a non-empty string");
+}
+function ensureSpTokensDir() {
+  ensureConfigDir();
+  const dir = getSpTokensDir();
+  if (!existsSync(dir)) {
+    mkdirSync(dir, { recursive: true, mode: 448 });
   }
-  const home = homedir3();
-  const candidate = input.startsWith("~/") ? resolve(home, input.slice(2)) : input.startsWith("/") ? normalize(input) : resolve(home, input);
-  if (candidate !== home && !candidate.startsWith(`${home}/`)) {
-    throw new Error(`path "${input}" resolves outside the agent's home`);
+}
+function loadIdpAuth(authHome) {
+  const file = getAuthFile(authHome);
+  if (!existsSync(file)) return null;
+  try {
+    const raw = readFileSync2(file, "utf-8");
+    if (!raw.trim()) return null;
+    return JSON.parse(raw);
+  } catch {
+    return null;
   }
-  return candidate;
 }
-var fileTools = [
-  {
-    name: "file.read",
-    description: "Read a UTF-8 file from the agent's home directory ($HOME). Capped at 1MB. Path traversal blocked.",
-    parameters: {
-      type: "object",
-      properties: {
-        path: { type: "string", description: "Path relative to $HOME (or absolute under $HOME). `..` segments are rejected." }
-      },
-      required: ["path"]
-    },
-    execute: async (args) => {
-      const a2 = args;
-      const p = jailPath(a2.path);
-      const content = readFileSync2(p, "utf8");
-      if (Buffer.byteLength(content, "utf8") > MAX_BYTES) {
-        return { path: p, truncated: true, content: content.slice(0, MAX_BYTES) };
-      }
-      return { path: p, truncated: false, content };
-    }
-  },
-  {
-    name: "file.write",
-    description: "Write a UTF-8 file under the agent's home directory. Creates parent dirs as needed. 1MB max.",
-    parameters: {
-      type: "object",
-      properties: {
-        path: { type: "string", description: "Path relative to $HOME (or absolute under $HOME)." },
-        content: { type: "string", description: "File body. Existing files are overwritten." }
-      },
-      required: ["path", "content"]
-    },
-    execute: async (args) => {
-      const a2 = args;
-      if (typeof a2.content !== "string") throw new Error("content must be a string");
-      if (Buffer.byteLength(a2.content, "utf8") > MAX_BYTES) {
-        throw new Error(`content exceeds ${MAX_BYTES} byte cap`);
-      }
-      const p = jailPath(a2.path);
-      mkdirSync(dirname(p), { recursive: true });
-      writeFileSync(p, a2.content, { encoding: "utf8" });
-      return { path: p, bytes: Buffer.byteLength(a2.content, "utf8") };
-    }
-  },
-  {
-    name: "file.edit",
-    description: "Replace an exact substring in a file under the agent's home directory. Prefer this over file.write for edits \u2014 it touches only the changed region instead of rewriting the whole file. `old_string` must appear exactly once unless `replace_all` is true. Path traversal blocked, 1MB max.",
-    parameters: {
-      type: "object",
-      properties: {
-        path: { type: "string", description: "Path relative to $HOME (or absolute under $HOME)." },
-        old_string: { type: "string", description: "Exact text to replace. Include enough surrounding context to be unique unless replace_all is set." },
-        new_string: { type: "string", description: "Replacement text. Must differ from old_string." },
-        replace_all: { type: "boolean", description: "Replace every occurrence instead of requiring a unique match. Default false." }
-      },
-      required: ["path", "old_string", "new_string"]
-    },
-    execute: async (args) => {
-      const a2 = args;
-      if (typeof a2.old_string !== "string" || a2.old_string === "") {
-        throw new Error("old_string must be a non-empty string");
-      }
-      if (typeof a2.new_string !== "string") {
-        throw new TypeError("new_string must be a string");
-      }
-      if (a2.old_string === a2.new_string) {
-        throw new Error("old_string and new_string are identical \u2014 nothing to change");
-      }
-      const replaceAll = a2.replace_all === true;
-      const p = jailPath(a2.path);
-      const before = readFileSync2(p, "utf8");
-      const occurrences = before.split(a2.old_string).length - 1;
-      if (occurrences === 0) {
-        throw new Error("old_string not found in file");
-      }
-      if (occurrences > 1 && !replaceAll) {
-        throw new Error(`old_string occurs ${occurrences} times \u2014 pass replace_all:true or add surrounding context to make it unique`);
-      }
-      const after = replaceAll ? before.split(a2.old_string).join(a2.new_string) : before.replace(a2.old_string, a2.new_string);
-      if (Buffer.byteLength(after, "utf8") > MAX_BYTES) {
-        throw new Error(`result exceeds ${MAX_BYTES} byte cap`);
+function saveIdpAuth(auth, authHome) {
+  ensureConfigDir(authHome);
+  const file = getAuthFile(authHome);
+  let extra = {};
+  if (existsSync(file)) {
+    try {
+      const raw = readFileSync2(file, "utf-8");
+      if (raw.trim()) {
+        const prev = JSON.parse(raw);
+        for (const key of Object.keys(prev)) {
+          if (!(key in auth)) {
+            extra[key] = prev[key];
+          }
+        }
       }
-      writeFileSync(p, after, { encoding: "utf8" });
-      return { path: p, replacements: replaceAll ? occurrences : 1 };
+    } catch {
+      extra = {};
     }
   }
-];
-var BRANCH_RE = /^[\w./-]{1,200}$/;
-var ID_RE = /^\d{1,12}$/;
-function shq(s2) {
-  return `'${String(s2).replace(/'/g, "'\\''")}'`;
+  const merged = { ...extra, ...auth };
+  writeFileSync(file, JSON.stringify(merged, null, 2), { mode: 384 });
 }
-function assertBranch(v2) {
-  if (typeof v2 !== "string" || !BRANCH_RE.test(v2)) {
-    throw new Error("branch must match ^[A-Za-z0-9._/-]{1,200}$");
-  }
-  return v2;
+function audToFilename(aud) {
+  return aud.replace(/[^\w.-]/g, "_");
 }
-function assertId(v2) {
-  if (typeof v2 !== "string" && typeof v2 !== "number") throw new Error("id required");
-  const s2 = String(v2);
-  if (!ID_RE.test(s2)) throw new Error("id must be a number");
-  return s2;
+function spTokenPath(aud) {
+  return join3(getSpTokensDir(), `${audToFilename(aud)}.json`);
 }
-var githubAdapter = {
-  id: "github",
-  matchesRemote: (url) => /github\.com/i.test(url),
-  prCreate: (i2) => {
-    const head = assertBranch(i2.head);
-    const parts = ["gh", "pr", "create", "--title", shq(i2.title), "--body", shq(i2.body), "--head", shq(head)];
-    if (i2.base !== void 0) parts.push("--base", shq(assertBranch(i2.base)));
-    return parts.join(" ");
-  },
-  prMerge: (i2) => {
-    const ref = String(i2.ref);
-    const refTok = ID_RE.test(ref) ? ref : assertBranch(ref);
-    const parts = ["gh", "pr", "merge", shq(refTok)];
-    if (i2.squash === true) parts.push("--squash");
-    if (i2.auto) parts.push("--auto");
-    if (i2.deleteBranch) parts.push("--delete-branch");
-    return parts.join(" ");
-  },
-  prStatus: (ref) => {
-    const r3 = String(ref);
-    const refTok = ID_RE.test(r3) ? r3 : assertBranch(r3);
-    return `gh pr view ${shq(refTok)} --json state,mergeStateStatus,statusCheckRollup,reviewDecision`;
-  },
-  issueGet: (ref, repo) => `gh issue view ${assertId(ref)}${repo ? ` --repo ${shq(repo)}` : ""} --json number,title,body,labels`
+function loadSpToken(aud) {
+  const path = spTokenPath(aud);
+  if (!existsSync(path)) return null;
+  try {
+    const raw = readFileSync2(path, "utf-8");
+    if (!raw.trim()) return null;
+    return JSON.parse(raw);
+  } catch {
+    return null;
+  }
+}
+function saveSpToken(token) {
+  ensureSpTokensDir();
+  writeFileSync(spTokenPath(token.aud), JSON.stringify(token, null, 2), { mode: 384 });
+}
+var AuthError = class extends Error {
+  status;
+  hint;
+  constructor(status, message, hint) {
+    super(hint ? `${message}
+${hint}` : message);
+    this.name = "AuthError";
+    this.status = status;
+    this.hint = hint;
+  }
 };
-var azureAdapter = {
-  id: "azure",
-  matchesRemote: (url) => /dev\.azure\.com|visualstudio\.com/i.test(url),
-  prCreate: (i2) => {
-    const head = assertBranch(i2.head);
-    const parts = ["az", "repos", "pr", "create", "--title", shq(i2.title), "--description", shq(i2.body), "--source-branch", shq(head)];
-    if (i2.base !== void 0) parts.push("--target-branch", shq(assertBranch(i2.base)));
-    return parts.join(" ");
-  },
-  prMerge: (i2) => {
-    const id = assertId(i2.ref);
-    const parts = ["az", "repos", "pr", "update", "--id", id];
-    if (i2.auto) parts.push("--auto-complete", "true");
-    else parts.push("--status", "completed");
-    if (i2.squash === true) parts.push("--merge-commit-message-style", "squash");
-    if (i2.deleteBranch) parts.push("--delete-source-branch", "true");
-    return parts.join(" ");
-  },
-  prStatus: (ref) => `az repos pr show --id ${assertId(ref)}`,
-  // Azure work items are org/project-scoped, not repo-scoped, so `repo`
-  // doesn't apply here — the caller's `az` config (defaults.organization/
-  // project) resolves it.
-  issueGet: (ref, _repo) => `az boards work-item show --id ${assertId(ref)}`
+var NotLoggedInError = class extends AuthError {
+  constructor(hint) {
+    super(
+      401,
+      "Not logged in",
+      hint ?? "Run `apes login <email>` once on this device to authenticate against the OpenApe IdP."
+    );
+    this.name = "NotLoggedInError";
+  }
 };
-var registry = /* @__PURE__ */ new Map([
-  [githubAdapter.id, githubAdapter],
-  [azureAdapter.id, azureAdapter]
-]);
-function listForges() {
-  return [...registry.keys()];
+async function exchangeForSpToken(idpAuth, request, now = Math.floor(Date.now() / 1e3)) {
+  const url = `${request.endpoint.replace(/\/$/, "")}/api/cli/exchange`;
+  let response;
+  try {
+    response = await ofetch(url, {
+      method: "POST",
+      body: {
+        subject_token: idpAuth.access_token,
+        ...request.scopes ? { scopes: request.scopes } : {}
+      }
+    });
+  } catch (err) {
+    const status = err.status ?? err.statusCode ?? 0;
+    const data = err.data;
+    const title = data?.title ?? `Token exchange failed (HTTP ${status})`;
+    const hint = status === 401 ? `IdP token rejected at ${url}. Try \`apes login\` again \u2014 token may be expired or audience-mismatched.` : data?.detail;
+    throw new AuthError(status, title, hint);
+  }
+  if (!response.access_token) {
+    throw new AuthError(0, `Exchange response from ${url} missing access_token`);
+  }
+  const expiresAt = response.expires_at ?? (response.expires_in ? now + response.expires_in : now + 3600);
+  const token = {
+    endpoint: request.endpoint,
+    aud: response.aud ?? request.aud,
+    access_token: response.access_token,
+    expires_at: expiresAt,
+    ...request.scopes ? { scopes: request.scopes } : {},
+    issued_from_idp_iat: now
+  };
+  saveSpToken(token);
+  return token;
 }
-function getForge(id) {
-  const a2 = registry.get(id);
-  if (!a2) {
-    throw new Error(`unknown forge '${id}'. Registered: ${listForges().join(", ")}. Add one with registerForge().`);
+var OPENSSH_MAGIC = "openssh-key-v1\0";
+function loadEd25519PrivateKey(pem) {
+  if (pem.includes("BEGIN OPENSSH PRIVATE KEY")) {
+    return parseOpenSSHEd25519(pem);
   }
-  return a2;
+  return createPrivateKey(pem);
 }
-function detectForge(remoteUrl) {
-  if (typeof remoteUrl !== "string" || remoteUrl === "") {
-    throw new Error("remote URL required to detect forge");
+function parseOpenSSHEd25519(pem) {
+  const b64 = pem.replace(/-----BEGIN OPENSSH PRIVATE KEY-----/, "").replace(/-----END OPENSSH PRIVATE KEY-----/, "").replace(/\s/g, "");
+  const buf = Buffer3.from(b64, "base64");
+  let offset = 0;
+  const magic = buf.subarray(0, OPENSSH_MAGIC.length).toString("ascii");
+  if (magic !== OPENSSH_MAGIC) {
+    throw new Error("Not an OpenSSH private key");
   }
-  for (const a2 of registry.values()) {
-    if (a2.matchesRemote(remoteUrl)) return a2.id;
+  offset += OPENSSH_MAGIC.length;
+  const cipherLen = buf.readUInt32BE(offset);
+  offset += 4;
+  const cipher = buf.subarray(offset, offset + cipherLen).toString();
+  offset += cipherLen;
+  if (cipher !== "none") {
+    throw new Error(`Encrypted keys not supported (cipher: ${cipher}). Decrypt first with: ssh-keygen -p -f <key>`);
   }
-  throw new Error(`no forge adapter matches remote: ${remoteUrl}. Registered: ${listForges().join(", ")}. Register one with registerForge() (e.g. GitLab/Bitbucket/Gitea).`);
+  const kdfLen = buf.readUInt32BE(offset);
+  offset += 4;
+  offset += kdfLen;
+  const kdfOptsLen = buf.readUInt32BE(offset);
+  offset += 4;
+  offset += kdfOptsLen;
+  const numKeys = buf.readUInt32BE(offset);
+  offset += 4;
+  if (numKeys !== 1) {
+    throw new Error(`Expected 1 key, got ${numKeys}`);
+  }
+  const pubSectionLen = buf.readUInt32BE(offset);
+  offset += 4;
+  offset += pubSectionLen;
+  const privSectionLen = buf.readUInt32BE(offset);
+  offset += 4;
+  const privSection = buf.subarray(offset, offset + privSectionLen);
+  let pOffset = 0;
+  const check1 = privSection.readUInt32BE(pOffset);
+  pOffset += 4;
+  const check2 = privSection.readUInt32BE(pOffset);
+  pOffset += 4;
+  if (check1 !== check2) {
+    throw new Error("Check integers mismatch \u2014 key may be corrupted or encrypted");
+  }
+  const keyTypeLen = privSection.readUInt32BE(pOffset);
+  pOffset += 4;
+  const keyType = privSection.subarray(pOffset, pOffset + keyTypeLen).toString();
+  pOffset += keyTypeLen;
+  if (keyType !== "ssh-ed25519") {
+    throw new Error(`Expected ssh-ed25519, got ${keyType}`);
+  }
+  const pubKeyLen = privSection.readUInt32BE(pOffset);
+  pOffset += 4;
+  const pubKey = privSection.subarray(pOffset, pOffset + pubKeyLen);
+  pOffset += pubKeyLen;
+  const privKeyLen = privSection.readUInt32BE(pOffset);
+  pOffset += 4;
+  const privKeyData = privSection.subarray(pOffset, pOffset + privKeyLen);
+  const seed = privKeyData.subarray(0, 32);
+  return createPrivateKey({
+    key: { kty: "OKP", crv: "Ed25519", d: seed.toString("base64url"), x: pubKey.toString("base64url") },
+    format: "jwk"
+  });
 }
-function buildPrCreate(input) {
-  return getForge(input.forge).prCreate(input);
+async function getEndpoints(idp) {
+  let disco = {};
+  try {
+    disco = await ofetch2(`${idp}/.well-known/openid-configuration`);
+  } catch {
+  }
+  return {
+    challenge: disco.ddisa_agent_challenge_endpoint ?? `${idp}/api/agent/challenge`,
+    authenticate: disco.ddisa_agent_authenticate_endpoint ?? `${idp}/api/agent/authenticate`
+  };
 }
-function buildPrMerge(input) {
-  return getForge(input.forge).prMerge(input);
+function resolveKeyPath(p) {
+  if (p.startsWith("~")) return join23(homedir23(), p.slice(1));
+  return p;
 }
-function buildPrStatus(forge, ref) {
-  return getForge(forge).prStatus(ref);
+function findSigningKey(auth) {
+  const candidates = [];
+  if (auth.key_path) candidates.push(resolveKeyPath(auth.key_path));
+  candidates.push(join23(homedir23(), ".ssh", "id_ed25519"));
+  for (const p of candidates) {
+    if (existsSync22(p)) {
+      try {
+        return { keyPath: p, keyContent: readFileSync22(p, "utf-8") };
+      } catch {
+      }
+    }
+  }
+  return null;
 }
-function buildIssueGet(forge, ref, repo) {
-  return getForge(forge).issueGet(ref, repo);
+async function refreshAgentToken(auth, now = Math.floor(Date.now() / 1e3)) {
+  const key = findSigningKey(auth);
+  if (!key) return null;
+  let privateKey;
+  try {
+    privateKey = loadEd25519PrivateKey(key.keyContent);
+  } catch {
+    return null;
+  }
+  let endpoints;
+  try {
+    endpoints = await getEndpoints(auth.idp);
+  } catch {
+    return null;
+  }
+  let challenge;
+  try {
+    const resp = await ofetch2(endpoints.challenge, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: { agent_id: auth.email }
+    });
+    challenge = resp.challenge;
+  } catch {
+    return null;
+  }
+  let signature;
+  try {
+    signature = sign(null, Buffer2.from(challenge), privateKey).toString("base64");
+  } catch {
+    return null;
+  }
+  let authResp;
+  try {
+    authResp = await ofetch2(endpoints.authenticate, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: { agent_id: auth.email, challenge, signature }
+    });
+  } catch {
+    return null;
+  }
+  return {
+    ...auth,
+    access_token: authResp.token,
+    expires_at: now + (authResp.expires_in || 3600),
+    key_path: auth.key_path ?? key.keyPath
+  };
 }
-function resolveForge(a2) {
-  if (typeof a2.forge === "string" && a2.forge !== "") return a2.forge;
-  if (typeof a2.remote === "string") return detectForge(a2.remote);
-  throw new Error("provide a forge id (e.g. github, azure, or a registered adapter) or a remote URL to detect it");
+var EXPIRY_SKEW_SECONDS = 30;
+async function getTokenEndpoint(idp) {
+  try {
+    const disco = await ofetch3(`${idp}/.well-known/openid-configuration`);
+    if (disco.token_endpoint) return disco.token_endpoint;
+  } catch {
+  }
+  return `${idp}/token`;
 }
-var forgeParam = { type: "string", description: "Target forge id (github, azure, or a registered adapter). Omit to auto-detect from `remote`." };
-var remoteParam = { type: "string", description: "git remote URL \u2014 used to auto-detect the forge when `forge` is omitted." };
-var forgeTools = [
+async function ensureFreshIdpAuth(now = Math.floor(Date.now() / 1e3), authHome) {
+  const auth = loadIdpAuth(authHome);
+  if (!auth) {
+    throw new NotLoggedInError();
+  }
+  if (auth.expires_at > now + EXPIRY_SKEW_SECONDS) {
+    return auth;
+  }
+  if (!auth.refresh_token) {
+    const refreshed = await refreshAgentToken(auth, now);
+    if (refreshed) {
+      saveIdpAuth(refreshed, authHome);
+      return refreshed;
+    }
+    throw new NotLoggedInError(
+      `IdP token expired at ${new Date(auth.expires_at * 1e3).toISOString()} and no refresh_token is stored. Run \`apes login\` again.`
+    );
+  }
+  const tokenEndpoint = await getTokenEndpoint(auth.idp);
+  const body = new URLSearchParams({
+    grant_type: "refresh_token",
+    refresh_token: auth.refresh_token
+  });
+  let response;
+  try {
+    response = await ofetch3(tokenEndpoint, {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: body.toString()
+    });
+  } catch (err) {
+    const status = err.status ?? err.statusCode ?? 0;
+    if (status === 400 || status === 401) {
+      saveIdpAuth({ ...auth, refresh_token: void 0 }, authHome);
+      throw new NotLoggedInError(
+        `Refresh token rejected by ${auth.idp}. Run \`apes login\` again.`
+      );
+    }
+    throw new AuthError(
+      0,
+      `Network error refreshing IdP token at ${tokenEndpoint}`,
+      `Underlying: ${err.message ?? err}`
+    );
+  }
+  if (!response.access_token) {
+    throw new AuthError(0, `IdP refresh response missing access_token (endpoint: ${tokenEndpoint})`);
+  }
+  const next = {
+    ...auth,
+    access_token: response.access_token,
+    refresh_token: response.refresh_token ?? auth.refresh_token,
+    expires_at: now + (response.expires_in ?? 3600)
+  };
+  saveIdpAuth(next, authHome);
+  return next;
+}
+var SP_TOKEN_SKEW_SECONDS = 60;
+async function getAuthorizedBearer(opts) {
+  const now = Math.floor(Date.now() / 1e3);
+  if (!opts.forceRefresh) {
+    const cached = loadSpToken(opts.aud);
+    if (cached && cached.expires_at > now + SP_TOKEN_SKEW_SECONDS) {
+      return `Bearer ${cached.access_token}`;
+    }
+  }
+  const idpAuth = await ensureFreshIdpAuth(now);
+  const sp = await exchangeForSpToken(idpAuth, {
+    endpoint: opts.endpoint,
+    aud: opts.aud,
+    ...opts.scopes ? { scopes: opts.scopes } : {}
+  }, now);
+  return `Bearer ${sp.access_token}`;
+}
+
+// ../../packages/agent-runtime/dist/index.js
+var DEFAULT_TIMEOUT_MS = 5 * 60 * 1e3;
+var MAX_STDIO_BYTES = 64 * 1024;
+var BIN = "ape-shell";
+function capStdio(s2) {
+  const buf = Buffer.from(s2, "utf8");
+  if (buf.byteLength <= MAX_STDIO_BYTES) return s2;
+  return `${buf.subarray(0, MAX_STDIO_BYTES).toString("utf8")}
+[truncated to ${MAX_STDIO_BYTES} bytes]`;
+}
+function runApeShell(cmd, timeoutMs = DEFAULT_TIMEOUT_MS, cwd) {
+  const bypass = process.env.OPENAPE_BYPASS_APE_SHELL === "1";
+  const [execBin, execArgs] = bypass ? ["/bin/bash", ["-c", cmd]] : [BIN, ["-c", cmd]];
+  return new Promise((resolveResult) => {
+    const child = spawn(execBin, execArgs, {
+      env: { ...process.env, APE_WAIT: "1" },
+      stdio: ["ignore", "pipe", "pipe"],
+      ...cwd ? { cwd } : {}
+    });
+    let stdout2 = "";
+    let stderr = "";
+    let timedOut = false;
+    let spawnError = null;
+    child.stdout.on("data", (chunk) => {
+      stdout2 += chunk.toString("utf8");
+    });
+    child.stderr.on("data", (chunk) => {
+      stderr += chunk.toString("utf8");
+    });
+    child.on("error", (err) => {
+      spawnError = err;
+    });
+    const timer = setTimeout(() => {
+      timedOut = true;
+      child.kill("SIGTERM");
+      setTimeout(() => {
+        try {
+          child.kill("SIGKILL");
+        } catch {
+        }
+      }, 5e3);
+    }, timeoutMs);
+    child.on("close", (code) => {
+      clearTimeout(timer);
+      if (spawnError) {
+        resolveResult({
+          stdout: "",
+          stderr: "",
+          exit_code: -1,
+          error: spawnError.message,
+          hint: `Could not exec '${execBin}'. The agent host needs @openape/apes installed globally so ape-shell is on PATH (or set OPENAPE_BYPASS_APE_SHELL=1 to skip the gated shell entirely \u2014 meant for the OpenApe pod where the container IS the sandbox).`
+        });
+        return;
+      }
+      resolveResult({
+        stdout: capStdio(stdout2),
+        stderr: capStdio(stderr),
+        exit_code: code ?? -1,
+        ...timedOut ? { timed_out: true } : {}
+      });
+    });
+  });
+}
+var DEFAULTS = { DEFAULT_TIMEOUT_MS };
+var bashTools = [
   {
-    name: "forge.pr.create",
-    description: "Open a pull request on GitHub (gh) or Azure DevOps (az). Gated via the DDISA grant cycle. Provider chosen by `forge` or auto-detected from `remote`.",
+    name: "bash",
+    description: "Run a shell command on the agent host. Every invocation goes through the OpenApe DDISA grant cycle \u2014 auto-approved if the owner has a matching YOLO scope, otherwise the owner gets a push notification to approve. Runs as the agent's macOS user, so file/network access is limited to what that user can see. Returns stdout, stderr, and exit code. For repeated command patterns ask the owner to set up a YOLO scope so approvals don't pile up.",
     parameters: {
       type: "object",
       properties: {
-        forge: forgeParam,
-        remote: remoteParam,
-        title: { type: "string", description: "PR title." },
-        body: { type: "string", description: "PR description / body." },
-        head: { type: "string", description: "Source branch." },
-        base: { type: "string", description: "Target branch. Omit for the repo default." }
+        cmd: {
+          type: "string",
+          description: "Shell command to run, e.g. `ls -la ~/Documents`, `git status`, `curl -fsSL https://example.com`. The whole string is passed to `bash -c`; quote internally as needed."
+        },
+        timeout_ms: {
+          type: "number",
+          description: "Wall-clock cap for the whole approval-and-run cycle in milliseconds. Default 300000 (5 min). Approval waits count against this budget."
+        }
       },
-      required: ["title", "body", "head"]
+      required: ["cmd"]
     },
     execute: async (args) => {
       const a2 = args;
-      const cmd = buildPrCreate({ forge: resolveForge(a2), title: a2.title, body: a2.body, head: a2.head, base: a2.base });
-      return await runApeShell(cmd);
+      if (typeof a2.cmd !== "string" || a2.cmd.trim() === "") {
+        throw new Error("cmd must be a non-empty string");
+      }
+      const timeout = typeof a2.timeout_ms === "number" && a2.timeout_ms > 0 ? a2.timeout_ms : DEFAULTS.DEFAULT_TIMEOUT_MS;
+      return await runApeShell(a2.cmd, timeout);
     }
-  },
+  }
+];
+var MAX_BYTES = 1024 * 1024;
+var extraReadRoots = /* @__PURE__ */ new Set();
+function isUnder(candidate, root) {
+  return candidate === root || candidate.startsWith(`${root}/`);
+}
+function jailPath(input, opts = {}) {
+  if (typeof input !== "string" || input === "") {
+    throw new Error("path must be a non-empty string");
+  }
+  const home = homedir4();
+  const candidate = input.startsWith("~/") ? resolve(home, input.slice(2)) : input.startsWith("/") ? normalize(input) : resolve(home, input);
+  if (isUnder(candidate, home)) return candidate;
+  if (opts.allowReadRoots) {
+    for (const root of extraReadRoots) {
+      if (isUnder(candidate, root)) return candidate;
+    }
+  }
+  throw new Error(`path "${input}" resolves outside the agent's home`);
+}
+var fileTools = [
   {
-    name: "forge.pr.merge",
-    description: 'Merge a PR \u2014 or with auto=true, arm "merge when checks pass" (gh --auto / az auto-complete) so the platform merges only on green CI. Gated. Never bypasses required checks (branch protection is the server-side gate).',
+    name: "file.read",
+    description: "Read a UTF-8 file from the agent's home directory ($HOME) or a bundled skill directory (e.g. a skill's SKILL.md). Capped at 1MB. Path traversal blocked.",
     parameters: {
       type: "object",
       properties: {
-        forge: forgeParam,
-        remote: remoteParam,
-        ref: { type: "string", description: "GitHub: PR number or branch. Azure: PR id." },
-        auto: { type: "boolean", description: "Arm merge-when-green instead of immediate merge. Recommended." },
-        squash: { type: "boolean", description: "Squash-merge. Default true." },
-        delete_branch: { type: "boolean", description: "Delete the source branch after merge." }
+        path: { type: "string", description: "Path relative to $HOME (or absolute under $HOME). `..` segments are rejected." }
       },
-      required: ["ref"]
+      required: ["path"]
     },
     execute: async (args) => {
       const a2 = args;
-      const cmd = buildPrMerge({ forge: resolveForge(a2), ref: a2.ref, auto: a2.auto, squash: a2.squash, deleteBranch: a2.delete_branch });
-      return await runApeShell(cmd);
+      const p = jailPath(a2.path, { allowReadRoots: true });
+      const content = readFileSync3(p, "utf8");
+      if (Buffer.byteLength(content, "utf8") > MAX_BYTES) {
+        return { path: p, truncated: true, content: content.slice(0, MAX_BYTES) };
+      }
+      return { path: p, truncated: false, content };
     }
   },
   {
-    name: "forge.pr.status",
-    description: "Fetch a PR's state + checks + review decision. Gated (read).",
+    name: "file.write",
+    description: "Write a UTF-8 file under the agent's home directory. Creates parent dirs as needed. 1MB max.",
     parameters: {
       type: "object",
-      properties: { forge: forgeParam, remote: remoteParam, ref: { type: "string", description: "PR number/branch (GitHub) or id (Azure)." } },
-      required: ["ref"]
+      properties: {
+        path: { type: "string", description: "Path relative to $HOME (or absolute under $HOME)." },
+        content: { type: "string", description: "File body. Existing files are overwritten." }
+      },
+      required: ["path", "content"]
     },
     execute: async (args) => {
       const a2 = args;
-      return await runApeShell(buildPrStatus(resolveForge(a2), a2.ref));
+      if (typeof a2.content !== "string") throw new Error("content must be a string");
+      if (Buffer.byteLength(a2.content, "utf8") > MAX_BYTES) {
+        throw new Error(`content exceeds ${MAX_BYTES} byte cap`);
+      }
+      const p = jailPath(a2.path);
+      mkdirSync2(dirname2(p), { recursive: true });
+      writeFileSync2(p, a2.content, { encoding: "utf8" });
+      return { path: p, bytes: Buffer.byteLength(a2.content, "utf8") };
     }
   },
   {
-    name: "forge.issue.get",
-    description: "Fetch an issue (GitHub) or work-item (Azure) \u2014 title, body, labels. Gated (read). Use to turn an assigned task into a coding run.",
+    name: "file.edit",
+    description: "Replace an exact substring in a file under the agent's home directory. Prefer this over file.write for edits \u2014 it touches only the changed region instead of rewriting the whole file. `old_string` must appear exactly once unless `replace_all` is true. Path traversal blocked, 1MB max.",
     parameters: {
       type: "object",
-      properties: { forge: forgeParam, remote: remoteParam, ref: { type: "string", description: "Issue number (GitHub) or work-item id (Azure)." } },
-      required: ["ref"]
+      properties: {
+        path: { type: "string", description: "Path relative to $HOME (or absolute under $HOME)." },
+        old_string: { type: "string", description: "Exact text to replace. Include enough surrounding context to be unique unless replace_all is set." },
+        new_string: { type: "string", description: "Replacement text. Must differ from old_string." },
+        replace_all: { type: "boolean", description: "Replace every occurrence instead of requiring a unique match. Default false." }
+      },
+      required: ["path", "old_string", "new_string"]
     },
     execute: async (args) => {
       const a2 = args;
-      const repo = typeof a2.remote === "string" ? a2.remote : void 0;
-      return await runApeShell(buildIssueGet(resolveForge(a2), a2.ref, repo));
+      if (typeof a2.old_string !== "string" || a2.old_string === "") {
+        throw new Error("old_string must be a non-empty string");
+      }
+      if (typeof a2.new_string !== "string") {
+        throw new TypeError("new_string must be a string");
+      }
+      if (a2.old_string === a2.new_string) {
+        throw new Error("old_string and new_string are identical \u2014 nothing to change");
+      }
+      const replaceAll = a2.replace_all === true;
+      const p = jailPath(a2.path);
+      const before = readFileSync3(p, "utf8");
+      const occurrences = before.split(a2.old_string).length - 1;
+      if (occurrences === 0) {
+        throw new Error("old_string not found in file");
+      }
+      if (occurrences > 1 && !replaceAll) {
+        throw new Error(`old_string occurs ${occurrences} times \u2014 pass replace_all:true or add surrounding context to make it unique`);
+      }
+      const after = replaceAll ? before.split(a2.old_string).join(a2.new_string) : before.replace(a2.old_string, a2.new_string);
+      if (Buffer.byteLength(after, "utf8") > MAX_BYTES) {
+        throw new Error(`result exceeds ${MAX_BYTES} byte cap`);
+      }
+      writeFileSync2(p, after, { encoding: "utf8" });
+      return { path: p, replacements: replaceAll ? occurrences : 1 };
     }
   }
 ];
-function jailedRoot(envVar, fallbackName) {
-  const home = homedir22();
-  const raw = process2.env[envVar];
-  const dir = raw ? resolve2(raw) : resolve2(home, fallbackName);
-  if (dir !== home && !dir.startsWith(`${home}/`)) {
-    throw new Error(`${envVar} (${dir}) must resolve inside the agent's home`);
-  }
-  return dir;
+var BRANCH_RE = /^[\w./-]{1,200}$/;
+var ID_RE = /^\d{1,12}$/;
+function shq(s2) {
+  return `'${String(s2).replace(/'/g, "'\\''")}'`;
+}
+function assertBranch(v2) {
+  if (typeof v2 !== "string" || !BRANCH_RE.test(v2)) {
+    throw new Error("branch must match ^[A-Za-z0-9._/-]{1,200}$");
+  }
+  return v2;
+}
+function assertId(v2) {
+  if (typeof v2 !== "string" && typeof v2 !== "number") throw new Error("id required");
+  const s2 = String(v2);
+  if (!ID_RE.test(s2)) throw new Error("id must be a number");
+  return s2;
+}
+var githubAdapter = {
+  id: "github",
+  matchesRemote: (url) => /github\.com/i.test(url),
+  prCreate: (i2) => {
+    const head = assertBranch(i2.head);
+    const parts = ["gh", "pr", "create", "--title", shq(i2.title), "--body", shq(i2.body), "--head", shq(head)];
+    if (i2.base !== void 0) parts.push("--base", shq(assertBranch(i2.base)));
+    return parts.join(" ");
+  },
+  prMerge: (i2) => {
+    const ref = String(i2.ref);
+    const refTok = ID_RE.test(ref) ? ref : assertBranch(ref);
+    const parts = ["gh", "pr", "merge", shq(refTok)];
+    if (i2.squash === true) parts.push("--squash");
+    if (i2.auto) parts.push("--auto");
+    if (i2.deleteBranch) parts.push("--delete-branch");
+    return parts.join(" ");
+  },
+  prStatus: (ref) => {
+    const r3 = String(ref);
+    const refTok = ID_RE.test(r3) ? r3 : assertBranch(r3);
+    return `gh pr view ${shq(refTok)} --json state,mergeStateStatus,statusCheckRollup,reviewDecision`;
+  },
+  issueGet: (ref, repo) => `gh issue view ${assertId(ref)}${repo ? ` --repo ${shq(repo)}` : ""} --json number,title,body,labels`
+};
+var azureAdapter = {
+  id: "azure",
+  matchesRemote: (url) => /dev\.azure\.com|visualstudio\.com/i.test(url),
+  prCreate: (i2) => {
+    const head = assertBranch(i2.head);
+    const parts = ["az", "repos", "pr", "create", "--title", shq(i2.title), "--description", shq(i2.body), "--source-branch", shq(head)];
+    if (i2.base !== void 0) parts.push("--target-branch", shq(assertBranch(i2.base)));
+    return parts.join(" ");
+  },
+  prMerge: (i2) => {
+    const id = assertId(i2.ref);
+    const parts = ["az", "repos", "pr", "update", "--id", id];
+    if (i2.auto) parts.push("--auto-complete", "true");
+    else parts.push("--status", "completed");
+    if (i2.squash === true) parts.push("--merge-commit-message-style", "squash");
+    if (i2.deleteBranch) parts.push("--delete-source-branch", "true");
+    return parts.join(" ");
+  },
+  prStatus: (ref) => `az repos pr show --id ${assertId(ref)}`,
+  // Azure work items are org/project-scoped, not repo-scoped, so `repo`
+  // doesn't apply here — the caller's `az` config (defaults.organization/
+  // project) resolves it.
+  issueGet: (ref, _repo) => `az boards work-item show --id ${assertId(ref)}`
+};
+var registry = /* @__PURE__ */ new Map([
+  [githubAdapter.id, githubAdapter],
+  [azureAdapter.id, azureAdapter]
+]);
+function listForges() {
+  return [...registry.keys()];
+}
+function getForge(id) {
+  const a2 = registry.get(id);
+  if (!a2) {
+    throw new Error(`unknown forge '${id}'. Registered: ${listForges().join(", ")}. Add one with registerForge().`);
+  }
+  return a2;
+}
+function detectForge(remoteUrl) {
+  if (typeof remoteUrl !== "string" || remoteUrl === "") {
+    throw new Error("remote URL required to detect forge");
+  }
+  for (const a2 of registry.values()) {
+    if (a2.matchesRemote(remoteUrl)) return a2.id;
+  }
+  throw new Error(`no forge adapter matches remote: ${remoteUrl}. Registered: ${listForges().join(", ")}. Register one with registerForge() (e.g. GitLab/Bitbucket/Gitea).`);
+}
+function buildPrCreate(input) {
+  return getForge(input.forge).prCreate(input);
+}
+function buildPrMerge(input) {
+  return getForge(input.forge).prMerge(input);
+}
+function buildPrStatus(forge, ref) {
+  return getForge(forge).prStatus(ref);
+}
+function buildIssueGet(forge, ref, repo) {
+  return getForge(forge).issueGet(ref, repo);
+}
+function resolveForge(a2) {
+  if (typeof a2.forge === "string" && a2.forge !== "") return a2.forge;
+  if (typeof a2.remote === "string") return detectForge(a2.remote);
+  throw new Error("provide a forge id (e.g. github, azure, or a registered adapter) or a remote URL to detect it");
+}
+var forgeParam = { type: "string", description: "Target forge id (github, azure, or a registered adapter). Omit to auto-detect from `remote`." };
+var remoteParam = { type: "string", description: "git remote URL \u2014 used to auto-detect the forge when `forge` is omitted." };
+var forgeTools = [
+  {
+    name: "forge.pr.create",
+    description: "Open a pull request on GitHub (gh) or Azure DevOps (az). Gated via the DDISA grant cycle. Provider chosen by `forge` or auto-detected from `remote`.",
+    parameters: {
+      type: "object",
+      properties: {
+        forge: forgeParam,
+        remote: remoteParam,
+        title: { type: "string", description: "PR title." },
+        body: { type: "string", description: "PR description / body." },
+        head: { type: "string", description: "Source branch." },
+        base: { type: "string", description: "Target branch. Omit for the repo default." }
+      },
+      required: ["title", "body", "head"]
+    },
+    execute: async (args) => {
+      const a2 = args;
+      const cmd = buildPrCreate({ forge: resolveForge(a2), title: a2.title, body: a2.body, head: a2.head, base: a2.base });
+      return await runApeShell(cmd);
+    }
+  },
+  {
+    name: "forge.pr.merge",
+    description: 'Merge a PR \u2014 or with auto=true, arm "merge when checks pass" (gh --auto / az auto-complete) so the platform merges only on green CI. Gated. Never bypasses required checks (branch protection is the server-side gate).',
+    parameters: {
+      type: "object",
+      properties: {
+        forge: forgeParam,
+        remote: remoteParam,
+        ref: { type: "string", description: "GitHub: PR number or branch. Azure: PR id." },
+        auto: { type: "boolean", description: "Arm merge-when-green instead of immediate merge. Recommended." },
+        squash: { type: "boolean", description: "Squash-merge. Default true." },
+        delete_branch: { type: "boolean", description: "Delete the source branch after merge." }
+      },
+      required: ["ref"]
+    },
+    execute: async (args) => {
+      const a2 = args;
+      const cmd = buildPrMerge({ forge: resolveForge(a2), ref: a2.ref, auto: a2.auto, squash: a2.squash, deleteBranch: a2.delete_branch });
+      return await runApeShell(cmd);
+    }
+  },
+  {
+    name: "forge.pr.status",
+    description: "Fetch a PR's state + checks + review decision. Gated (read).",
+    parameters: {
+      type: "object",
+      properties: { forge: forgeParam, remote: remoteParam, ref: { type: "string", description: "PR number/branch (GitHub) or id (Azure)." } },
+      required: ["ref"]
+    },
+    execute: async (args) => {
+      const a2 = args;
+      return await runApeShell(buildPrStatus(resolveForge(a2), a2.ref));
+    }
+  },
+  {
+    name: "forge.issue.get",
+    description: "Fetch an issue (GitHub) or work-item (Azure) \u2014 title, body, labels. Gated (read). Use to turn an assigned task into a coding run.",
+    parameters: {
+      type: "object",
+      properties: { forge: forgeParam, remote: remoteParam, ref: { type: "string", description: "Issue number (GitHub) or work-item id (Azure)." } },
+      required: ["ref"]
+    },
+    execute: async (args) => {
+      const a2 = args;
+      const repo = typeof a2.remote === "string" ? a2.remote : void 0;
+      return await runApeShell(buildIssueGet(resolveForge(a2), a2.ref, repo));
+    }
+  }
+];
+function jailedRoot(envVar, fallbackName) {
+  const home = homedir24();
+  const raw = process2.env[envVar];
+  const dir = raw ? resolve2(raw) : resolve2(home, fallbackName);
+  if (dir !== home && !dir.startsWith(`${home}/`)) {
+    throw new Error(`${envVar} (${dir}) must resolve inside the agent's home`);
+  }
+  return dir;
 }
 function workRoot() {
   return jailedRoot("OPENAPE_CODING_WORK_DIR", "work");
@@ -3106,7 +3506,7 @@ function resolveRepo(repo) {
   if (typeof repo !== "string" || repo === "") {
     throw new Error("repo must be a non-empty string (URL or path under $HOME)");
   }
-  const home = homedir22();
+  const home = homedir24();
   if (URL_RE.test(repo)) {
     const tail = repo.replace(/\.git$/, "").replace(/[/:]+$/, "");
     const parts = tail.split(/[/:]/).filter(Boolean).slice(-2);
@@ -3361,6 +3761,99 @@ var mailTools = [
     }
   }
 ];
+function troopBase() {
+  return (process.env.OPENAPE_TROOP_URL ?? "https://troop.openape.ai").replace(/\/+$/, "");
+}
+function readAgentToken() {
+  const path = process.env.OPENAPE_CLI_AUTH_HOME ? join4(process.env.OPENAPE_CLI_AUTH_HOME, "auth.json") : join4(homedir32(), ".config", "apes", "auth.json");
+  const auth = JSON.parse(readFileSync23(path, "utf8"));
+  if (!auth.access_token) throw new Error(`no access_token in ${path}`);
+  return auth.access_token;
+}
+async function exchangeBearer(base, scope) {
+  const res = await fetch(`${base}/api/cli/exchange`, {
+    method: "POST",
+    headers: { "content-type": "application/json" },
+    body: JSON.stringify({ subject_token: readAgentToken(), scopes: [scope] })
+  });
+  if (!res.ok) {
+    throw new Error(`token exchange ${res.status} \u2014 ${(await res.text().catch(() => "")).slice(0, 200)} (does this agent hold the ${scope} scope?)`);
+  }
+  return (await res.json()).access_token;
+}
+var spawnTools = [
+  {
+    name: "agent.spawn",
+    description: "Spawn a worker agent on the nest via troop, tiering its compute by task difficulty: pick `model` (gpt-5.4-mini | gpt-5.4 | gpt-5.5) and `reasoning_effort` (minimal | low | medium | high) \u2014 quick-win = cheap+low, research/architecture = gpt-5.5+high. Optionally attach a `recipe_ref` so the worker runs a known persona. Returns the spawn intent id. Use multiple calls to fan out several workers in parallel.",
+    parameters: {
+      type: "object",
+      properties: {
+        name: { type: "string", description: "unique worker name, /^[a-z][a-z0-9-]{0,23}$/" },
+        model: { type: "string", description: "gpt-5.4-mini | gpt-5.4 | gpt-5.5" },
+        reasoning_effort: { type: "string", description: "minimal | low | medium | high" },
+        recipe_ref: { type: "string", description: "optional recipe, e.g. github.com/openape-ai/agent-catalog/backend-engineer@v0.2.0" },
+        system_prompt: { type: "string", description: "optional system prompt / task brief" }
+      },
+      required: ["name"]
+    },
+    execute: async (args) => {
+      const a2 = args;
+      const base = troopBase();
+      let bearer;
+      try {
+        bearer = await exchangeBearer(base, "troop:spawn-agent");
+      } catch (err) {
+        return `spawn failed: ${err instanceof Error ? err.message : String(err)}`;
+      }
+      const body = { name: a2.name };
+      if (a2.model) body.bridge_model = a2.model;
+      if (a2.reasoning_effort) body.bridge_reasoning_effort = a2.reasoning_effort;
+      if (a2.system_prompt) body.system_prompt = a2.system_prompt;
+      if (a2.recipe_ref) body.recipe = { repo_ref: a2.recipe_ref, params: {} };
+      const spRes = await fetch(`${base}/api/agents/spawn-intent`, {
+        method: "POST",
+        headers: { "content-type": "application/json", authorization: `Bearer ${bearer}` },
+        body: JSON.stringify(body)
+      });
+      if (!spRes.ok) {
+        return `spawn failed: spawn-intent ${spRes.status} \u2014 ${(await spRes.text().catch(() => "")).slice(0, 200)}`;
+      }
+      const sp = await spRes.json();
+      return `spawned worker "${a2.name}" (model=${a2.model ?? "default"}, reasoning=${a2.reasoning_effort ?? "default"}); intent=${sp.intent_id ?? "?"}`;
+    }
+  },
+  {
+    name: "agent.destroy",
+    description: "Destroy a worker agent on the nest (full teardown: OS user, IdP, bridge). The PM calls this after collecting an ephemeral worker's result, so workers do not linger idle. Requires the troop:destroy-agent scope.",
+    parameters: {
+      type: "object",
+      properties: {
+        name: { type: "string", description: "the worker agent name to destroy" }
+      },
+      required: ["name"]
+    },
+    execute: async (args) => {
+      const a2 = args;
+      const base = troopBase();
+      let bearer;
+      try {
+        bearer = await exchangeBearer(base, "troop:destroy-agent");
+      } catch (err) {
+        return `destroy failed: ${err instanceof Error ? err.message : String(err)}`;
+      }
+      const res = await fetch(`${base}/api/agents/destroy-intent`, {
+        method: "POST",
+        headers: { "content-type": "application/json", authorization: `Bearer ${bearer}` },
+        body: JSON.stringify({ name: a2.name })
+      });
+      if (!res.ok) {
+        return `destroy failed: destroy-intent ${res.status} \u2014 ${(await res.text().catch(() => "")).slice(0, 200)}`;
+      }
+      const d2 = await res.json();
+      return `destroying worker "${a2.name}"; intent=${d2.intent_id ?? "?"}`;
+    }
+  }
+];
 function ape(args) {
   try {
     return execFileSync2("ape-tasks", args, { encoding: "utf8", stdio: ["ignore", "pipe", "pipe"] });
@@ -3397,14 +3890,17 @@ var tasksTools = [
   },
   {
     name: "tasks.create",
-    description: "Create a new ape-task on the owner's task list at tasks.openape.ai.",
+    description: "Create a new ape-task at tasks.openape.ai. Pass `team` (the team id) to file it on a shared team board, and `assignee` (an email) to delegate it to a teammate.",
     parameters: {
       type: "object",
       properties: {
         title: { type: "string" },
         notes: { type: "string" },
         priority: { type: "string", enum: ["low", "med", "high"] },
-        due_at: { type: "string", description: "ISO date or +Nh/+Nd shorthand." }
+        due_at: { type: "string", description: "ISO date or +Nh/+Nd shorthand." },
+        team: { type: "string", description: "Team id to file the task on (required when you belong to a team)." },
+        assignee: { type: "string", description: "Email of the teammate to assign the task to." },
+        dedup_key: { type: "string", description: "Stable id for the source (e.g. a mail Message-ID). If an open task with this key already exists, no duplicate is created \u2014 pass it for recurring triage so the same item is not filed twice." }
       },
       required: ["title"]
     },
@@ -3414,6 +3910,9 @@ var tasksTools = [
       if (a2.notes) argv2.push("--notes", a2.notes);
       if (a2.priority) argv2.push("--priority", a2.priority);
       if (a2.due_at) argv2.push("--due", a2.due_at);
+      if (a2.team) argv2.push("--team", a2.team);
+      if (a2.assignee) argv2.push("--assignee", a2.assignee);
+      if (a2.dedup_key) argv2.push("--dedup-key", a2.dedup_key);
       const out = ape(argv2);
       try {
         return JSON.parse(out);
@@ -3438,6 +3937,83 @@ var timeTools = [
     }
   }
 ];
+var TROOP = "https://troop.openape.ai";
+var RESOURCES = ["objectives", "reports", "members", "cost-snapshots", "overview"];
+function pathFor(resource, orgId) {
+  const id = encodeURIComponent(orgId);
+  return resource === "overview" ? `/api/orgs/${id}` : `/api/orgs/${id}/${resource}`;
+}
+var OBJECTIVE_STATUS = ["planned", "in_progress", "done", "abandoned"];
+var troopTools = [
+  {
+    name: "troop.company.read",
+    description: "Read your troop company data on troop.openape.ai. resource: objectives | reports | members | cost-snapshots | overview (vision+budget). Read-only.",
+    parameters: {
+      type: "object",
+      properties: {
+        resource: { type: "string", enum: [...RESOURCES], description: "Which company resource to read." },
+        org_id: { type: "string", description: "Your company (org) id." }
+      },
+      required: ["resource", "org_id"]
+    },
+    execute: async (args) => {
+      const { resource, org_id } = args ?? {};
+      if (!resource || !RESOURCES.includes(resource)) {
+        throw new Error(`troop.company.read: unknown resource '${resource}' (expected ${RESOURCES.join(" | ")})`);
+      }
+      if (!org_id) throw new Error("troop.company.read: org_id is required");
+      const bearer = await getAuthorizedBearer({ endpoint: TROOP, aud: "troop.openape.ai" });
+      const res = await fetch(`${TROOP}${pathFor(resource, org_id)}`, {
+        headers: { authorization: bearer }
+      });
+      if (!res.ok) {
+        throw new Error(`troop.company.read ${resource} \u2192 ${res.status}: ${(await res.text()).slice(0, 200)}`);
+      }
+      return JSON.stringify(await res.json());
+    }
+  },
+  {
+    name: "troop.objective.upsert",
+    description: "Create or update a company objective on troop.openape.ai. Pass objective_id to update an existing one; omit it to create. Authenticated as the agent (acting for the owner).",
+    parameters: {
+      type: "object",
+      properties: {
+        org_id: { type: "string", description: "Your company (org) id." },
+        objective_id: { type: "string", description: "Omit to create; pass to update an existing objective." },
+        title: { type: "string" },
+        description: { type: "string" },
+        status: { type: "string", enum: [...OBJECTIVE_STATUS] },
+        target_date: { type: "number", description: "Unix seconds, or null to clear." }
+      },
+      required: ["org_id"]
+    },
+    execute: async (args) => {
+      const a2 = args ?? {};
+      if (!a2.org_id) throw new Error("troop.objective.upsert: org_id is required");
+      if (a2.status && !OBJECTIVE_STATUS.includes(a2.status)) {
+        throw new Error(`troop.objective.upsert: bad status '${a2.status}'`);
+      }
+      if (!a2.objective_id && !a2.title) throw new Error("troop.objective.upsert: title is required to create an objective");
+      const bearer = await getAuthorizedBearer({ endpoint: TROOP, aud: "troop.openape.ai" });
+      const id = encodeURIComponent(a2.org_id);
+      const body = {};
+      if (a2.title !== void 0) body.title = a2.title;
+      if (a2.description !== void 0) body.description = a2.description;
+      if (a2.status !== void 0) body.status = a2.status;
+      if (a2.target_date !== void 0) body.target_date = a2.target_date;
+      const url = a2.objective_id ? `${TROOP}/api/orgs/${id}/objectives/${encodeURIComponent(a2.objective_id)}` : `${TROOP}/api/orgs/${id}/objectives`;
+      const res = await fetch(url, {
+        method: a2.objective_id ? "PATCH" : "POST",
+        headers: { authorization: bearer, "content-type": "application/json" },
+        body: JSON.stringify(body)
+      });
+      if (!res.ok) {
+        throw new Error(`troop.objective.upsert \u2192 ${res.status}: ${(await res.text()).slice(0, 200)}`);
+      }
+      return JSON.stringify(await res.json());
+    }
+  }
+];
 var CWD_RE = /^[\w./-]{1,256}$/;
 async function runVerify(cwd, command, timeoutMs) {
   if (typeof cwd !== "string" || !CWD_RE.test(cwd)) {
@@ -3484,7 +4060,9 @@ var ALL_TOOLS = [
   ...bashTools,
   ...gitWorktreeTools,
   ...verifyTools,
-  ...forgeTools
+  ...forgeTools,
+  ...spawnTools,
+  ...troopTools
 ];
 var TOOLS = Object.fromEntries(
   ALL_TOOLS.map((t2) => [t2.name, t2])
@@ -3497,509 +4075,214 @@ function taskTools(names) {
     if (!tool) missing.push(name);
     else out.push(tool);
   }
-  if (missing.length > 0) {
-    throw new Error(`unknown tool(s): ${missing.join(", ")}`);
-  }
-  return out;
-}
-function asOpenAiTools(tools) {
-  return tools.map((t2) => ({
-    type: "function",
-    function: { name: wireToolName(t2.name), description: t2.description, parameters: t2.parameters }
-  }));
-}
-function wireToolName(local) {
-  return local.replace(/\./g, "_");
-}
-function localToolName(wire) {
-  for (const t2 of Object.values(TOOLS)) {
-    if (wireToolName(t2.name) === wire) return t2.name;
-  }
-  return wire;
-}
-function previewJson(value, max = 500) {
-  let s2;
-  try {
-    s2 = JSON.stringify(value);
-  } catch {
-    s2 = String(value);
-  }
-  return s2.length > max ? `${s2.slice(0, max)}\u2026` : s2;
-}
-async function aggregateChatStream(res) {
-  if (!res.body) throw new Error("LiteLLM streaming response had no body");
-  const reader = res.body.getReader();
-  const decoder = new TextDecoder();
-  let buf = "";
-  let content = "";
-  const toolCalls = /* @__PURE__ */ new Map();
-  let finishReason;
-  while (true) {
-    const { value, done } = await reader.read();
-    if (done) break;
-    buf += decoder.decode(value, { stream: true });
-    while (true) {
-      const nl = buf.indexOf("\n");
-      if (nl === -1) break;
-      const line = buf.slice(0, nl).trim();
-      buf = buf.slice(nl + 1);
-      if (!line.startsWith("data:")) continue;
-      const payload = line.slice(5).trim();
-      if (!payload || payload === "[DONE]") continue;
-      let chunk;
-      try {
-        chunk = JSON.parse(payload);
-      } catch {
-        continue;
-      }
-      const ch0 = chunk.choices?.[0];
-      const delta = ch0?.delta;
-      if (delta?.content) content += delta.content;
-      if (delta?.tool_calls) {
-        for (const tc of delta.tool_calls) {
-          const idx = tc.index ?? 0;
-          const existing = toolCalls.get(idx) ?? { id: "", type: "function", function: { name: "", arguments: "" } };
-          if (tc.id) existing.id = tc.id;
-          if (tc.function?.name) existing.function.name = tc.function.name;
-          if (tc.function?.arguments) existing.function.arguments += tc.function.arguments;
-          toolCalls.set(idx, existing);
-        }
-      }
-      if (ch0?.finish_reason) finishReason = ch0.finish_reason;
-    }
-  }
-  const message = { role: "assistant", content: content || null };
-  if (toolCalls.size > 0) message.tool_calls = Array.from(toolCalls.values());
-  return { choices: [{ message, finish_reason: finishReason }] };
-}
-async function runLoop(opts) {
-  const fetchFn = opts.fetchImpl ?? fetch;
-  const trace = [];
-  const messages = [
-    { role: "system", content: opts.systemPrompt },
-    ...opts.history ?? [],
-    { role: "user", content: opts.userMessage }
-  ];
-  const tools = asOpenAiTools(opts.tools);
-  for (let step = 1; step <= opts.maxSteps; step++) {
-    const requestBody = {
-      model: opts.config.model,
-      messages,
-      ...tools.length > 0 ? { tools, tool_choice: "auto" } : {},
-      ...opts.streamAggregate ? { stream: true } : {}
-    };
-    const res = await fetchFn(`${opts.config.apiBase}/chat/completions`, {
-      method: "POST",
-      headers: {
-        "authorization": `Bearer ${opts.config.apiKey}`,
-        "content-type": "application/json"
-      },
-      body: JSON.stringify(requestBody)
-    });
-    if (!res.ok) {
-      const text = await res.text().catch(() => "");
-      throw new Error(`LiteLLM ${res.status}: ${text.slice(0, 500)}`);
-    }
-    const data = opts.streamAggregate ? await aggregateChatStream(res) : await res.json();
-    const choice = data.choices?.[0];
-    if (!choice) throw new Error("LiteLLM response had no choices");
-    const assistant = choice.message;
-    messages.push(assistant);
-    if (assistant.content) opts.handlers?.onTextDelta?.(assistant.content);
-    trace.push({
-      step,
-      type: "assistant",
-      preview: previewJson({ content: assistant.content, tool_calls: assistant.tool_calls?.length ?? 0 })
-    });
-    if (!assistant.tool_calls || assistant.tool_calls.length === 0) {
-      const result2 = {
-        status: "ok",
-        finalMessage: assistant.content,
-        stepCount: step,
-        trace
-      };
-      opts.handlers?.onDone?.(result2);
-      return result2;
-    }
-    for (const call of assistant.tool_calls) {
-      const wireName = call.function.name;
-      const localName = localToolName(wireName);
-      const tool = opts.tools.find((t2) => t2.name === localName);
-      let parsedArgs;
-      try {
-        parsedArgs = JSON.parse(call.function.arguments);
-      } catch {
-        parsedArgs = {};
-      }
-      opts.handlers?.onToolCall?.({ name: localName, args: parsedArgs });
-      trace.push({ step, type: "tool_call", tool: localName, preview: previewJson(parsedArgs) });
-      let result2;
-      let isError = false;
-      if (!tool) {
-        result2 = `unknown tool: ${localName}`;
-        isError = true;
-      } else {
-        try {
-          result2 = await tool.execute(parsedArgs);
-        } catch (err) {
-          result2 = err?.message ?? String(err);
-          isError = true;
-        }
-      }
-      if (isError) {
-        opts.handlers?.onToolError?.({ name: localName, error: String(result2) });
-        trace.push({ step, type: "tool_error", tool: localName, preview: previewJson(result2) });
-      } else {
-        opts.handlers?.onToolResult?.({ name: localName, result: result2 });
-        trace.push({ step, type: "tool_result", tool: localName, preview: previewJson(result2) });
-      }
-      messages.push({
-        role: "tool",
-        tool_call_id: call.id,
-        name: wireToolName(localName),
-        content: typeof result2 === "string" ? result2 : JSON.stringify(result2)
-      });
-    }
-  }
-  const result = {
-    status: "error",
-    finalMessage: `max_steps (${opts.maxSteps}) reached without completion`,
-    stepCount: opts.maxSteps,
-    trace
-  };
-  opts.handlers?.onDone?.(result);
-  return result;
-}
-var RPC_SESSION_TTL_MS = 60 * 60 * 1e3;
-var DEFAULT_INSTRUCTIONS = [
-  "Work in the provided worktree. When done:",
-  "- ensure the verification command passes (no PR on red)",
-  "- open a PR that references this issue",
-  "- leave risk-path / agent-judged-risky changes for human approval"
-].join("\n");
-var DIFF_CAP = 60 * 1024;
-var DIFF_CAP2 = 48 * 1024;
-var RISK_SYSTEM = [
-  "You are a security/risk classifier for an autonomous coding agent.",
-  "Given a diff + changed file paths, decide whether merging it WITHOUT a human is risky.",
-  "Risky = touches authentication, authorization, secrets/credentials, payment, data migrations,",
-  "deploy/release/CI config, cryptography, deletion of data, or anything whose failure is hard to",
-  "reverse in production. Routine code/tests/docs/refactors are NOT risky.",
-  'Respond ONLY as JSON: {"risky": boolean, "reason": string}.'
-].join(" ");
-var REVIEW_SYSTEM = [
-  "You are a code reviewer for an autonomous coding agent.",
-  "Given a PR diff, decide whether it is correct, safe, and complete enough to auto-merge.",
-  "Approve only if you would be comfortable shipping it without further human review.",
-  "Block if you see bugs, missing tests, security issues, or incomplete work.",
-  'Respond ONLY as JSON: {"approved": boolean, "reason": string}.'
-].join(" ");
-
-// ../../packages/cli-auth/dist/index.js
-import { ofetch } from "ofetch";
-import { existsSync, mkdirSync as mkdirSync2, readFileSync as readFileSync3, readdirSync as readdirSync2, unlinkSync, writeFileSync as writeFileSync2 } from "fs";
-import { homedir as homedir4 } from "os";
-import { join as join3 } from "path";
-import { ofetch as ofetch3 } from "ofetch";
-import { Buffer as Buffer2 } from "buffer";
-import { sign } from "crypto";
-import { existsSync as existsSync22, readFileSync as readFileSync22 } from "fs";
-import { homedir as homedir23 } from "os";
-import { join as join22 } from "path";
-import { ofetch as ofetch2 } from "ofetch";
-import { Buffer as Buffer3 } from "buffer";
-import { createPrivateKey } from "crypto";
-import { ofetch as ofetch4 } from "ofetch";
-import { ofetch as ofetch5 } from "ofetch";
-function getConfigDir() {
-  const override = process.env.OPENAPE_CLI_AUTH_HOME;
-  if (override) return override;
-  return join3(homedir4(), ".config", "apes");
-}
-function getAuthFile() {
-  return join3(getConfigDir(), "auth.json");
-}
-function ensureConfigDir() {
-  const dir = getConfigDir();
-  if (!existsSync(dir)) {
-    mkdirSync2(dir, { recursive: true, mode: 448 });
-  }
-}
-function loadIdpAuth() {
-  const file = getAuthFile();
-  if (!existsSync(file)) return null;
-  try {
-    const raw = readFileSync3(file, "utf-8");
-    if (!raw.trim()) return null;
-    return JSON.parse(raw);
-  } catch {
-    return null;
-  }
-}
-function saveIdpAuth(auth) {
-  ensureConfigDir();
-  const file = getAuthFile();
-  let extra = {};
-  if (existsSync(file)) {
-    try {
-      const raw = readFileSync3(file, "utf-8");
-      if (raw.trim()) {
-        const prev = JSON.parse(raw);
-        for (const key of Object.keys(prev)) {
-          if (!(key in auth)) {
-            extra[key] = prev[key];
-          }
-        }
-      }
-    } catch {
-      extra = {};
-    }
-  }
-  const merged = { ...extra, ...auth };
-  writeFileSync2(file, JSON.stringify(merged, null, 2), { mode: 384 });
-}
-var AuthError = class extends Error {
-  status;
-  hint;
-  constructor(status, message, hint) {
-    super(hint ? `${message}
-${hint}` : message);
-    this.name = "AuthError";
-    this.status = status;
-    this.hint = hint;
-  }
-};
-var NotLoggedInError = class extends AuthError {
-  constructor(hint) {
-    super(
-      401,
-      "Not logged in",
-      hint ?? "Run `apes login <email>` once on this device to authenticate against the OpenApe IdP."
-    );
-    this.name = "NotLoggedInError";
-  }
-};
-var OPENSSH_MAGIC = "openssh-key-v1\0";
-function loadEd25519PrivateKey(pem) {
-  if (pem.includes("BEGIN OPENSSH PRIVATE KEY")) {
-    return parseOpenSSHEd25519(pem);
-  }
-  return createPrivateKey(pem);
-}
-function parseOpenSSHEd25519(pem) {
-  const b64 = pem.replace(/-----BEGIN OPENSSH PRIVATE KEY-----/, "").replace(/-----END OPENSSH PRIVATE KEY-----/, "").replace(/\s/g, "");
-  const buf = Buffer3.from(b64, "base64");
-  let offset = 0;
-  const magic = buf.subarray(0, OPENSSH_MAGIC.length).toString("ascii");
-  if (magic !== OPENSSH_MAGIC) {
-    throw new Error("Not an OpenSSH private key");
-  }
-  offset += OPENSSH_MAGIC.length;
-  const cipherLen = buf.readUInt32BE(offset);
-  offset += 4;
-  const cipher = buf.subarray(offset, offset + cipherLen).toString();
-  offset += cipherLen;
-  if (cipher !== "none") {
-    throw new Error(`Encrypted keys not supported (cipher: ${cipher}). Decrypt first with: ssh-keygen -p -f <key>`);
-  }
-  const kdfLen = buf.readUInt32BE(offset);
-  offset += 4;
-  offset += kdfLen;
-  const kdfOptsLen = buf.readUInt32BE(offset);
-  offset += 4;
-  offset += kdfOptsLen;
-  const numKeys = buf.readUInt32BE(offset);
-  offset += 4;
-  if (numKeys !== 1) {
-    throw new Error(`Expected 1 key, got ${numKeys}`);
-  }
-  const pubSectionLen = buf.readUInt32BE(offset);
-  offset += 4;
-  offset += pubSectionLen;
-  const privSectionLen = buf.readUInt32BE(offset);
-  offset += 4;
-  const privSection = buf.subarray(offset, offset + privSectionLen);
-  let pOffset = 0;
-  const check1 = privSection.readUInt32BE(pOffset);
-  pOffset += 4;
-  const check2 = privSection.readUInt32BE(pOffset);
-  pOffset += 4;
-  if (check1 !== check2) {
-    throw new Error("Check integers mismatch \u2014 key may be corrupted or encrypted");
-  }
-  const keyTypeLen = privSection.readUInt32BE(pOffset);
-  pOffset += 4;
-  const keyType = privSection.subarray(pOffset, pOffset + keyTypeLen).toString();
-  pOffset += keyTypeLen;
-  if (keyType !== "ssh-ed25519") {
-    throw new Error(`Expected ssh-ed25519, got ${keyType}`);
-  }
-  const pubKeyLen = privSection.readUInt32BE(pOffset);
-  pOffset += 4;
-  const pubKey = privSection.subarray(pOffset, pOffset + pubKeyLen);
-  pOffset += pubKeyLen;
-  const privKeyLen = privSection.readUInt32BE(pOffset);
-  pOffset += 4;
-  const privKeyData = privSection.subarray(pOffset, pOffset + privKeyLen);
-  const seed = privKeyData.subarray(0, 32);
-  return createPrivateKey({
-    key: { kty: "OKP", crv: "Ed25519", d: seed.toString("base64url"), x: pubKey.toString("base64url") },
-    format: "jwk"
-  });
-}
-async function getEndpoints(idp) {
-  let disco = {};
-  try {
-    disco = await ofetch2(`${idp}/.well-known/openid-configuration`);
-  } catch {
-  }
-  return {
-    challenge: disco.ddisa_agent_challenge_endpoint ?? `${idp}/api/agent/challenge`,
-    authenticate: disco.ddisa_agent_authenticate_endpoint ?? `${idp}/api/agent/authenticate`
-  };
-}
-function resolveKeyPath(p) {
-  if (p.startsWith("~")) return join22(homedir23(), p.slice(1));
-  return p;
-}
-function findSigningKey(auth) {
-  const candidates = [];
-  if (auth.key_path) candidates.push(resolveKeyPath(auth.key_path));
-  candidates.push(join22(homedir23(), ".ssh", "id_ed25519"));
-  for (const p of candidates) {
-    if (existsSync22(p)) {
-      try {
-        return { keyPath: p, keyContent: readFileSync22(p, "utf-8") };
-      } catch {
-      }
-    }
-  }
-  return null;
-}
-async function refreshAgentToken(auth, now = Math.floor(Date.now() / 1e3)) {
-  const key = findSigningKey(auth);
-  if (!key) return null;
-  let privateKey;
-  try {
-    privateKey = loadEd25519PrivateKey(key.keyContent);
-  } catch {
-    return null;
-  }
-  let endpoints;
-  try {
-    endpoints = await getEndpoints(auth.idp);
-  } catch {
-    return null;
-  }
-  let challenge;
-  try {
-    const resp = await ofetch2(endpoints.challenge, {
-      method: "POST",
-      headers: { "Content-Type": "application/json" },
-      body: { agent_id: auth.email }
-    });
-    challenge = resp.challenge;
-  } catch {
-    return null;
-  }
-  let signature;
-  try {
-    signature = sign(null, Buffer2.from(challenge), privateKey).toString("base64");
-  } catch {
-    return null;
+  if (missing.length > 0) {
+    throw new Error(`unknown tool(s): ${missing.join(", ")}`);
   }
-  let authResp;
-  try {
-    authResp = await ofetch2(endpoints.authenticate, {
-      method: "POST",
-      headers: { "Content-Type": "application/json" },
-      body: { agent_id: auth.email, challenge, signature }
-    });
-  } catch {
-    return null;
+  return out;
+}
+function asOpenAiTools(tools) {
+  return tools.map((t2) => ({
+    type: "function",
+    function: { name: wireToolName(t2.name), description: t2.description, parameters: t2.parameters }
+  }));
+}
+function wireToolName(local) {
+  return local.replace(/\./g, "_");
+}
+function localToolName(wire) {
+  for (const t2 of Object.values(TOOLS)) {
+    if (wireToolName(t2.name) === wire) return t2.name;
   }
-  return {
-    ...auth,
-    access_token: authResp.token,
-    expires_at: now + (authResp.expires_in || 3600),
-    key_path: auth.key_path ?? key.keyPath
-  };
+  return wire;
 }
-var EXPIRY_SKEW_SECONDS = 30;
-async function getTokenEndpoint(idp) {
+function previewJson(value, max = 500) {
+  let s2;
   try {
-    const disco = await ofetch3(`${idp}/.well-known/openid-configuration`);
-    if (disco.token_endpoint) return disco.token_endpoint;
+    s2 = JSON.stringify(value);
   } catch {
+    s2 = String(value);
   }
-  return `${idp}/token`;
+  return s2.length > max ? `${s2.slice(0, max)}\u2026` : s2;
 }
-async function ensureFreshIdpAuth(now = Math.floor(Date.now() / 1e3)) {
-  const auth = loadIdpAuth();
-  if (!auth) {
-    throw new NotLoggedInError();
-  }
-  if (auth.expires_at > now + EXPIRY_SKEW_SECONDS) {
-    return auth;
-  }
-  if (!auth.refresh_token) {
-    const refreshed = await refreshAgentToken(auth, now);
-    if (refreshed) {
-      saveIdpAuth(refreshed);
-      return refreshed;
+async function aggregateChatStream(res) {
+  if (!res.body) throw new Error("LiteLLM streaming response had no body");
+  const reader = res.body.getReader();
+  const decoder = new TextDecoder();
+  let buf = "";
+  let content = "";
+  const toolCalls = /* @__PURE__ */ new Map();
+  let finishReason;
+  while (true) {
+    const { value, done } = await reader.read();
+    if (done) break;
+    buf += decoder.decode(value, { stream: true });
+    while (true) {
+      const nl = buf.indexOf("\n");
+      if (nl === -1) break;
+      const line = buf.slice(0, nl).trim();
+      buf = buf.slice(nl + 1);
+      if (!line.startsWith("data:")) continue;
+      const payload = line.slice(5).trim();
+      if (!payload || payload === "[DONE]") continue;
+      let chunk;
+      try {
+        chunk = JSON.parse(payload);
+      } catch {
+        continue;
+      }
+      const ch0 = chunk.choices?.[0];
+      const delta = ch0?.delta;
+      if (delta?.content) content += delta.content;
+      if (delta?.tool_calls) {
+        for (const tc of delta.tool_calls) {
+          const idx = tc.index ?? 0;
+          const existing = toolCalls.get(idx) ?? { id: "", type: "function", function: { name: "", arguments: "" } };
+          if (tc.id) existing.id = tc.id;
+          if (tc.function?.name) existing.function.name = tc.function.name;
+          if (tc.function?.arguments) existing.function.arguments += tc.function.arguments;
+          toolCalls.set(idx, existing);
+        }
+      }
+      if (ch0?.finish_reason) finishReason = ch0.finish_reason;
     }
-    throw new NotLoggedInError(
-      `IdP token expired at ${new Date(auth.expires_at * 1e3).toISOString()} and no refresh_token is stored. Run \`apes login\` again.`
-    );
   }
-  const tokenEndpoint = await getTokenEndpoint(auth.idp);
-  const body = new URLSearchParams({
-    grant_type: "refresh_token",
-    refresh_token: auth.refresh_token
-  });
-  let response;
-  try {
-    response = await ofetch3(tokenEndpoint, {
+  const message = { role: "assistant", content: content || null };
+  if (toolCalls.size > 0) message.tool_calls = Array.from(toolCalls.values());
+  return { choices: [{ message, finish_reason: finishReason }] };
+}
+async function runLoop(opts) {
+  const fetchFn = opts.fetchImpl ?? fetch;
+  const trace = [];
+  const messages = [
+    { role: "system", content: opts.systemPrompt },
+    ...opts.history ?? [],
+    { role: "user", content: opts.userMessage }
+  ];
+  const tools = asOpenAiTools(opts.tools);
+  for (let step = 1; step <= opts.maxSteps; step++) {
+    const requestBody = {
+      model: opts.config.model,
+      messages,
+      ...opts.config.reasoningEffort ? { reasoning_effort: opts.config.reasoningEffort } : {},
+      ...tools.length > 0 ? { tools, tool_choice: "auto" } : {},
+      ...opts.streamAggregate ? { stream: true } : {}
+    };
+    const res = await fetchFn(`${opts.config.apiBase}/chat/completions`, {
       method: "POST",
-      headers: { "Content-Type": "application/x-www-form-urlencoded" },
-      body: body.toString()
+      headers: {
+        "authorization": `Bearer ${opts.config.apiKey}`,
+        "content-type": "application/json"
+      },
+      body: JSON.stringify(requestBody)
     });
-  } catch (err) {
-    const status = err.status ?? err.statusCode ?? 0;
-    if (status === 400 || status === 401) {
-      saveIdpAuth({ ...auth, refresh_token: void 0 });
-      throw new NotLoggedInError(
-        `Refresh token rejected by ${auth.idp}. Run \`apes login\` again.`
-      );
+    if (!res.ok) {
+      const text = await res.text().catch(() => "");
+      throw new Error(`LiteLLM ${res.status}: ${text.slice(0, 500)}`);
+    }
+    const data = opts.streamAggregate ? await aggregateChatStream(res) : await res.json();
+    const choice = data.choices?.[0];
+    if (!choice) throw new Error("LiteLLM response had no choices");
+    const assistant = choice.message;
+    messages.push(assistant);
+    if (assistant.content) opts.handlers?.onTextDelta?.(assistant.content);
+    trace.push({
+      step,
+      type: "assistant",
+      preview: previewJson({ content: assistant.content, tool_calls: assistant.tool_calls?.length ?? 0 })
+    });
+    if (!assistant.tool_calls || assistant.tool_calls.length === 0) {
+      const result2 = {
+        status: "ok",
+        finalMessage: assistant.content,
+        stepCount: step,
+        trace
+      };
+      opts.handlers?.onDone?.(result2);
+      return result2;
+    }
+    for (const call of assistant.tool_calls) {
+      const wireName = call.function.name;
+      const localName = localToolName(wireName);
+      const tool = opts.tools.find((t2) => t2.name === localName);
+      let parsedArgs;
+      try {
+        parsedArgs = JSON.parse(call.function.arguments);
+      } catch {
+        parsedArgs = {};
+      }
+      opts.handlers?.onToolCall?.({ name: localName, args: parsedArgs });
+      trace.push({ step, type: "tool_call", tool: localName, preview: previewJson(parsedArgs) });
+      let result2;
+      let isError = false;
+      if (!tool) {
+        result2 = `unknown tool: ${localName}`;
+        isError = true;
+      } else {
+        try {
+          result2 = await tool.execute(parsedArgs);
+        } catch (err) {
+          result2 = err?.message ?? String(err);
+          isError = true;
+        }
+      }
+      if (isError) {
+        opts.handlers?.onToolError?.({ name: localName, error: String(result2) });
+        trace.push({ step, type: "tool_error", tool: localName, preview: previewJson(result2) });
+      } else {
+        opts.handlers?.onToolResult?.({ name: localName, result: result2 });
+        trace.push({ step, type: "tool_result", tool: localName, preview: previewJson(result2) });
+      }
+      messages.push({
+        role: "tool",
+        tool_call_id: call.id,
+        name: wireToolName(localName),
+        content: typeof result2 === "string" ? result2 : JSON.stringify(result2)
+      });
     }
-    throw new AuthError(
-      0,
-      `Network error refreshing IdP token at ${tokenEndpoint}`,
-      `Underlying: ${err.message ?? err}`
-    );
-  }
-  if (!response.access_token) {
-    throw new AuthError(0, `IdP refresh response missing access_token (endpoint: ${tokenEndpoint})`);
   }
-  const next = {
-    ...auth,
-    access_token: response.access_token,
-    refresh_token: response.refresh_token ?? auth.refresh_token,
-    expires_at: now + (response.expires_in ?? 3600)
+  const result = {
+    status: "error",
+    finalMessage: `max_steps (${opts.maxSteps}) reached without completion`,
+    stepCount: opts.maxSteps,
+    trace
   };
-  saveIdpAuth(next);
-  return next;
+  opts.handlers?.onDone?.(result);
+  return result;
 }
+var RPC_SESSION_TTL_MS = 60 * 60 * 1e3;
+var DEFAULT_INSTRUCTIONS = [
+  "Work in the provided worktree. When done:",
+  "- ensure the verification command passes (no PR on red)",
+  "- open a PR that references this issue",
+  "- leave risk-path / agent-judged-risky changes for human approval"
+].join("\n");
+var DIFF_CAP = 60 * 1024;
+var DIFF_CAP2 = 48 * 1024;
+var RISK_SYSTEM = [
+  "You are a security/risk classifier for an autonomous coding agent.",
+  "Given a diff + changed file paths, decide whether merging it WITHOUT a human is risky.",
+  "Risky = touches authentication, authorization, secrets/credentials, payment, data migrations,",
+  "deploy/release/CI config, cryptography, deletion of data, or anything whose failure is hard to",
+  "reverse in production. Routine code/tests/docs/refactors are NOT risky.",
+  'Respond ONLY as JSON: {"risky": boolean, "reason": string}.'
+].join(" ");
+var REVIEW_SYSTEM = [
+  "You are a code reviewer for an autonomous coding agent.",
+  "Given a PR diff, decide whether it is correct, safe, and complete enough to auto-merge.",
+  "Approve only if you would be comfortable shipping it without further human review.",
+  "Block if you see bugs, missing tests, security issues, or incomplete work.",
+  'Respond ONLY as JSON: {"approved": boolean, "reason": string}.'
+].join(" ");
 
 // src/identity.ts
 import { existsSync as existsSync3, readFileSync as readFileSync4 } from "fs";
 import { homedir as homedir6 } from "os";
-import { join as join4 } from "path";
-function authPath() {
-  return join4(homedir6(), ".config", "apes", "auth.json");
+import { join as join6 } from "path";
+function authPath(home) {
+  return join6(home, ".config", "apes", "auth.json");
 }
-function readAgentIdentity() {
-  const path = authPath();
+function readAgentIdentity(home = homedir6()) {
+  const path = authPath(home);
   if (!existsSync3(path)) {
     throw new Error(`agent identity not found at ${path}`);
   }
@@ -4016,6 +4299,20 @@ function readAgentIdentity() {
   return { email: parsed.email, ownerEmail, idp: parsed.idp };
 }
 
+// src/llm-gateway-key.ts
+async function resolveLlmGatewayKey(base, fallback, log2, exchange = getAuthorizedBearer) {
+  if (!base.includes("llms.openape.ai"))
+    return fallback;
+  try {
+    const u3 = new URL(base);
+    const bearer = await exchange({ endpoint: u3.origin, aud: u3.host });
+    return bearer.replace(/^Bearer\s+/i, "");
+  } catch (err) {
+    log2(`llm gateway token exchange failed (keeping current key): ${err instanceof Error ? err.message : String(err)}`);
+    return fallback;
+  }
+}
+
 // src/service-bridge.ts
 function textArtifact(text) {
   return { artifactId: randomUUID(), parts: [{ kind: "text", text }] };
@@ -4060,8 +4357,10 @@ async function pollOnce(deps) {
   let artifact;
   try {
     const spec = parseTaskSpec(task);
+    const apiKey = deps.refreshApiKey ? await deps.refreshApiKey() : deps.config.apiKey;
+    const config = { ...deps.config, apiKey, ...spec.model ? { model: spec.model } : {} };
     const result = await deps.runLoopImpl({
-      config: spec.model ? { ...deps.config, model: spec.model } : deps.config,
+      config,
       userMessage: spec.userMessage,
       systemPrompt: spec.systemPrompt,
       tools: taskTools(spec.tools ?? []),
@@ -4117,6 +4416,7 @@ async function runService() {
     fetchImpl: fetch,
     runLoopImpl: runLoop,
     config: { apiBase: cfg.apiBase, apiKey: cfg.apiKey, model: cfg.model },
+    refreshApiKey: () => resolveLlmGatewayKey(cfg.apiBase, cfg.apiKey, log),
     maxSteps: cfg.maxSteps,
     log
   };