@openape/apes 0.11.1 → 0.12.0

package/dist/{chunk-M2NBHR2E.js.map → chunk-OFIVF6NH.js.map}

@@ -1 +1 @@
-{"version":3,"sources":["../src/notifications.ts","../src/shell/apes-self-dispatch.ts"],"sourcesContent":["import { spawn } from 'node:child_process'\nimport consola from 'consola'\nimport { quote } from 'shell-quote'\nimport { loadConfig } from './config'\n\nexport interface PendingGrantInfo {\n  grantId: string\n  approveUrl: string\n  command: string\n  audience: string\n  host: string\n}\n\n/**\n * Resolve the notification command for pending grants. Checks (in order):\n *   1. `APES_NOTIFY_PENDING_COMMAND` env var (highest priority — lets\n *      parent programs like openclaw override per invocation)\n *   2. `[notifications] pending_command` in ~/.config/apes/config.toml\n *\n * Returns undefined if no notification command is configured.\n */\nfunction resolvePendingCommand(): string | undefined {\n  if (process.env.APES_NOTIFY_PENDING_COMMAND)\n    return process.env.APES_NOTIFY_PENDING_COMMAND\n\n  const config = loadConfig()\n  return config.notifications?.pending_command\n}\n\n/**\n * Escape a value for safe embedding inside a single-quoted shell string.\n * We use `shell-quote` to produce a safe literal, then strip the outer\n * quoting because the template substitution embeds the value inside the\n * user's command template which is itself passed to `sh -c`.\n */\nfunction shellEscape(value: string): string {\n  // quote() wraps in single quotes and escapes internal single quotes\n  // e.g. \"it's\" → \"'it'\\\\''s'\"\n  // We return the raw escaped form so it's safe inside sh -c.\n  return quote([value])\n}\n\n/**\n * Substitute template variables in the notification command.\n * All values are shell-escaped to prevent injection.\n */\nfunction renderTemplate(template: string, info: PendingGrantInfo): string {\n  return template\n    .replace(/\\{grant_id\\}/g, shellEscape(info.grantId))\n    .replace(/\\{approve_url\\}/g, shellEscape(info.approveUrl))\n    .replace(/\\{command\\}/g, shellEscape(info.command))\n    .replace(/\\{audience\\}/g, shellEscape(info.audience))\n    .replace(/\\{host\\}/g, shellEscape(info.host))\n}\n\n/**\n * Send a notification that a grant is awaiting human approval.\n *\n * This is **fire-and-forget**: the notification subprocess runs detached\n * and unref'd so it cannot block the grant flow. A 10-second timeout\n * kills it if it hangs (e.g. network issue reaching Telegram API).\n *\n * Only fires when a notification command is configured. Silently returns\n * if not — the grant flow must never depend on notifications.\n *\n * Only call this when the grant **actually requires waiting** (new grant\n * with pending status). Do NOT call when:\n * - An existing timed/always grant was reused (no human action needed)\n * - The grant was instantly approved (no waiting phase)\n */\nexport function notifyGrantPending(info: PendingGrantInfo): void {\n  const template = resolvePendingCommand()\n  if (!template)\n    return\n\n  const rendered = renderTemplate(template, info)\n\n  try {\n    const child = spawn('sh', ['-c', rendered], {\n      detached: true,\n      stdio: 'ignore',\n      env: { ...process.env },\n    })\n\n    // Don't let the notification process keep the parent alive\n    child.unref()\n\n    // Kill after 10 seconds if it hasn't exited\n    const timeout = setTimeout(() => {\n      try {\n        child.kill('SIGKILL')\n      }\n      catch {}\n    }, 10_000)\n    timeout.unref()\n\n    child.on('exit', () => clearTimeout(timeout))\n  }\n  catch (err) {\n    // Never let notification failure break the grant flow\n    consola.debug('Notification command failed:', err)\n  }\n}\n","import { basename } from 'node:path'\nimport type { ParsedShellCommand } from '../shapes/shell-parser.js'\n\n/**\n * Subset of `apes` subcommands that remain grant-gated even when invoked\n * as self-dispatches from inside an ape-shell context. These are the\n * three categories where the shell-grant layer adds real security value\n * that isn't duplicated by server-side auth gates or local-file-only\n * semantics:\n *\n *   - `run`   — spawns arbitrary executables, the core of the grant system\n *   - `fetch` — forwards the bearer token to a user-specified URL\n *   - `mcp`   — binds a network port and serves a persistent API\n *\n * Every other `apes <subcmd>` either reads state, mutates the user's own\n * local config, or talks to the IdP through endpoints that are already\n * scoped by the auth token — gating them in the shell is redundant\n * friction, and under 0.9.0's async-default grant flow it actively\n * breaks `apes grants run <id>` via recursion (the polling call itself\n * creates a new grant, cascading indefinitely).\n *\n * This is the single source of truth shared by both dispatch paths:\n *   - Interactive REPL: `shell/grant-dispatch.ts` → `requestGrantForShellLine`\n *   - One-shot `ape-shell -c`: `commands/run.ts` → `runShellMode` (which\n *     receives the bash-c-wrapped command after `rewriteApeShellArgs`\n *     rewrites `ape-shell -c \"<cmd>\"` into `apes run --shell -- bash -c <cmd>`)\n *\n * Keep this list in sync with the blocklist snapshot test in\n * `shell-grant-dispatch.test.ts` — the tripwire that forces a review\n * decision whenever a new top-level apes subcommand is added.\n */\nexport const APES_GATED_SUBCOMMANDS = new Set(['run', 'fetch', 'mcp'])\n\n/**\n * Returns true if the parsed shell command is an `apes <subcmd>`\n * invocation that should bypass the grant flow entirely. Non-apes\n * binaries, compound lines (pipes, &&, etc.), and subcommands in\n * `APES_GATED_SUBCOMMANDS` all return false so they stay on the normal\n * grant path.\n *\n * The caller (either `requestGrantForShellLine` for the REPL path or\n * `runShellMode` for the one-shot path) is responsible for parsing the\n * input string and passing the resulting ParsedShellCommand here.\n */\nexport function isApesSelfDispatch(parsed: ParsedShellCommand | null | undefined): boolean {\n  if (!parsed || parsed.isCompound)\n    return false\n  const invokedName = basename(parsed.executable)\n  if (invokedName !== 'apes' && invokedName !== 'apes.js')\n    return false\n  const subCommand = parsed.argv[0]\n  if (!subCommand)\n    return false\n  return !APES_GATED_SUBCOMMANDS.has(subCommand)\n}\n\n/**\n * Result of checking a parsed shell command for a leading `sudo` token.\n * The `reason` doubles as a ready-to-print error message so the REPL\n * and one-shot paths emit byte-identical text.\n */\nexport interface SudoRejection {\n  reason: string\n}\n\n/**\n * Returns a rejection hint if the parsed line is a simple, non-compound\n * command whose leading executable is `sudo`. `sudo` is not available\n * inside ape-shell (the wrapper user is not in /etc/sudoers by design),\n * so agents and humans should use the explicit\n * `apes run --as root -- <cmd>` flow which routes through the escapes\n * setuid binary.\n *\n * Compound lines (pipes, &&, etc.) return null so the downstream\n * session-grant path can still negotiate a grant and bash surfaces the\n * real sudo error. We only short-circuit the leading-sudo case which is\n * the agent footgun.\n *\n * Shared by both dispatch paths:\n *   - Interactive REPL: `shell/grant-dispatch.ts` → `requestGrantForShellLine`\n *   - One-shot `ape-shell -c`: `commands/run.ts` → `runShellMode`\n */\nexport function checkSudoRejection(parsed: ParsedShellCommand | null | undefined): SudoRejection | null {\n  if (!parsed || parsed.isCompound) return null\n  if (basename(parsed.executable) !== 'sudo') return null\n  const rest = parsed.argv.join(' ').trim()\n  const hint = rest.length > 0\n    ? `apes run --as root -- ${rest}`\n    : 'apes run --as root -- <cmd>'\n  return {\n    reason: `sudo is not available in ape-shell. Use \\`${hint}\\` for privileged commands.`,\n  }\n}\n"],"mappings":";;;;;;AAAA,SAAS,aAAa;AACtB,OAAO,aAAa;AACpB,SAAS,aAAa;AAmBtB,SAAS,wBAA4C;AACnD,MAAI,QAAQ,IAAI;AACd,WAAO,QAAQ,IAAI;AAErB,QAAM,SAAS,WAAW;AAC1B,SAAO,OAAO,eAAe;AAC/B;AAQA,SAAS,YAAY,OAAuB;AAI1C,SAAO,MAAM,CAAC,KAAK,CAAC;AACtB;AAMA,SAAS,eAAe,UAAkB,MAAgC;AACxE,SAAO,SACJ,QAAQ,iBAAiB,YAAY,KAAK,OAAO,CAAC,EAClD,QAAQ,oBAAoB,YAAY,KAAK,UAAU,CAAC,EACxD,QAAQ,gBAAgB,YAAY,KAAK,OAAO,CAAC,EACjD,QAAQ,iBAAiB,YAAY,KAAK,QAAQ,CAAC,EACnD,QAAQ,aAAa,YAAY,KAAK,IAAI,CAAC;AAChD;AAiBO,SAAS,mBAAmB,MAA8B;AAC/D,QAAM,WAAW,sBAAsB;AACvC,MAAI,CAAC;AACH;AAEF,QAAM,WAAW,eAAe,UAAU,IAAI;AAE9C,MAAI;AACF,UAAM,QAAQ,MAAM,MAAM,CAAC,MAAM,QAAQ,GAAG;AAAA,MAC1C,UAAU;AAAA,MACV,OAAO;AAAA,MACP,KAAK,EAAE,GAAG,QAAQ,IAAI;AAAA,IACxB,CAAC;AAGD,UAAM,MAAM;AAGZ,UAAM,UAAU,WAAW,MAAM;AAC/B,UAAI;AACF,cAAM,KAAK,SAAS;AAAA,MACtB,QACM;AAAA,MAAC;AAAA,IACT,GAAG,GAAM;AACT,YAAQ,MAAM;AAEd,UAAM,GAAG,QAAQ,MAAM,aAAa,OAAO,CAAC;AAAA,EAC9C,SACO,KAAK;AAEV,YAAQ,MAAM,gCAAgC,GAAG;AAAA,EACnD;AACF;;;ACtGA,SAAS,gBAAgB;AA+BlB,IAAM,yBAAyB,oBAAI,IAAI,CAAC,OAAO,SAAS,KAAK,CAAC;AAa9D,SAAS,mBAAmB,QAAwD;AACzF,MAAI,CAAC,UAAU,OAAO;AACpB,WAAO;AACT,QAAM,cAAc,SAAS,OAAO,UAAU;AAC9C,MAAI,gBAAgB,UAAU,gBAAgB;AAC5C,WAAO;AACT,QAAM,aAAa,OAAO,KAAK,CAAC;AAChC,MAAI,CAAC;AACH,WAAO;AACT,SAAO,CAAC,uBAAuB,IAAI,UAAU;AAC/C;AA4BO,SAAS,mBAAmB,QAAqE;AACtG,MAAI,CAAC,UAAU,OAAO,WAAY,QAAO;AACzC,MAAI,SAAS,OAAO,UAAU,MAAM,OAAQ,QAAO;AACnD,QAAM,OAAO,OAAO,KAAK,KAAK,GAAG,EAAE,KAAK;AACxC,QAAM,OAAO,KAAK,SAAS,IACvB,yBAAyB,IAAI,KAC7B;AACJ,SAAO;AAAA,IACL,QAAQ,6CAA6C,IAAI;AAAA,EAC3D;AACF;","names":[]}
+{"version":3,"sources":["../src/notifications.ts","../src/shell/apes-self-dispatch.ts"],"sourcesContent":["import { spawn } from 'node:child_process'\nimport consola from 'consola'\nimport { quote } from 'shell-quote'\nimport { loadConfig } from './config'\n\nexport interface PendingGrantInfo {\n  grantId: string\n  approveUrl: string\n  command: string\n  audience: string\n  host: string\n}\n\n/**\n * Resolve the notification command for pending grants. Checks (in order):\n *   1. `APES_NOTIFY_PENDING_COMMAND` env var (highest priority — lets\n *      parent programs like openclaw override per invocation)\n *   2. `[notifications] pending_command` in ~/.config/apes/config.toml\n *\n * Returns undefined if no notification command is configured.\n */\nfunction resolvePendingCommand(): string | undefined {\n  if (process.env.APES_NOTIFY_PENDING_COMMAND)\n    return process.env.APES_NOTIFY_PENDING_COMMAND\n\n  const config = loadConfig()\n  return config.notifications?.pending_command\n}\n\n/**\n * Escape a value for safe embedding inside a single-quoted shell string.\n * We use `shell-quote` to produce a safe literal, then strip the outer\n * quoting because the template substitution embeds the value inside the\n * user's command template which is itself passed to `sh -c`.\n */\nfunction shellEscape(value: string): string {\n  // quote() wraps in single quotes and escapes internal single quotes\n  // e.g. \"it's\" → \"'it'\\\\''s'\"\n  // We return the raw escaped form so it's safe inside sh -c.\n  return quote([value])\n}\n\n/**\n * Substitute template variables in the notification command.\n * All values are shell-escaped to prevent injection.\n */\nfunction renderTemplate(template: string, info: PendingGrantInfo): string {\n  return template\n    .replace(/\\{grant_id\\}/g, shellEscape(info.grantId))\n    .replace(/\\{approve_url\\}/g, shellEscape(info.approveUrl))\n    .replace(/\\{command\\}/g, shellEscape(info.command))\n    .replace(/\\{audience\\}/g, shellEscape(info.audience))\n    .replace(/\\{host\\}/g, shellEscape(info.host))\n}\n\n/**\n * Send a notification that a grant is awaiting human approval.\n *\n * This is **fire-and-forget**: the notification subprocess runs detached\n * and unref'd so it cannot block the grant flow. A 10-second timeout\n * kills it if it hangs (e.g. network issue reaching Telegram API).\n *\n * Only fires when a notification command is configured. Silently returns\n * if not — the grant flow must never depend on notifications.\n *\n * Only call this when the grant **actually requires waiting** (new grant\n * with pending status). Do NOT call when:\n * - An existing timed/always grant was reused (no human action needed)\n * - The grant was instantly approved (no waiting phase)\n */\nexport function notifyGrantPending(info: PendingGrantInfo): void {\n  const template = resolvePendingCommand()\n  if (!template)\n    return\n\n  const rendered = renderTemplate(template, info)\n\n  try {\n    const child = spawn('sh', ['-c', rendered], {\n      detached: true,\n      stdio: 'ignore',\n      env: { ...process.env },\n    })\n\n    // Don't let the notification process keep the parent alive\n    child.unref()\n\n    // Kill after 10 seconds if it hasn't exited\n    const timeout = setTimeout(() => {\n      try {\n        child.kill('SIGKILL')\n      }\n      catch {}\n    }, 10_000)\n    timeout.unref()\n\n    child.on('exit', () => clearTimeout(timeout))\n  }\n  catch (err) {\n    // Never let notification failure break the grant flow\n    consola.debug('Notification command failed:', err)\n  }\n}\n","import { basename } from 'node:path'\nimport type { ParsedShellCommand } from '../shapes/shell-parser.js'\n\n/**\n * Subset of `apes` subcommands that remain grant-gated even when invoked\n * as self-dispatches from inside an ape-shell context. These are the\n * three categories where the shell-grant layer adds real security value\n * that isn't duplicated by server-side auth gates or local-file-only\n * semantics:\n *\n *   - `run`   — spawns arbitrary executables, the core of the grant system\n *   - `fetch` — forwards the bearer token to a user-specified URL\n *   - `mcp`   — binds a network port and serves a persistent API\n *\n * Every other `apes <subcmd>` either reads state, mutates the user's own\n * local config, or talks to the IdP through endpoints that are already\n * scoped by the auth token — gating them in the shell is redundant\n * friction, and under 0.9.0's async-default grant flow it actively\n * breaks `apes grants run <id>` via recursion (the polling call itself\n * creates a new grant, cascading indefinitely).\n *\n * This is the single source of truth shared by both dispatch paths:\n *   - Interactive REPL: `shell/grant-dispatch.ts` → `requestGrantForShellLine`\n *   - One-shot `ape-shell -c`: `commands/run.ts` → `runShellMode` (which\n *     receives the bash-c-wrapped command after `rewriteApeShellArgs`\n *     rewrites `ape-shell -c \"<cmd>\"` into `apes run --shell -- bash -c <cmd>`)\n *\n * Keep this list in sync with the blocklist snapshot test in\n * `shell-grant-dispatch.test.ts` — the tripwire that forces a review\n * decision whenever a new top-level apes subcommand is added.\n */\nexport const APES_GATED_SUBCOMMANDS = new Set(['run', 'fetch', 'mcp'])\n\n/**\n * Returns true if the parsed shell command is an `apes <subcmd>`\n * invocation that should bypass the grant flow entirely. Non-apes\n * binaries, compound lines (pipes, &&, etc.), and subcommands in\n * `APES_GATED_SUBCOMMANDS` all return false so they stay on the normal\n * grant path.\n *\n * The caller (either `requestGrantForShellLine` for the REPL path or\n * `runShellMode` for the one-shot path) is responsible for parsing the\n * input string and passing the resulting ParsedShellCommand here.\n */\nexport function isApesSelfDispatch(parsed: ParsedShellCommand | null | undefined): boolean {\n  if (!parsed || parsed.isCompound)\n    return false\n  const invokedName = basename(parsed.executable)\n  if (invokedName !== 'apes' && invokedName !== 'apes.js')\n    return false\n  const subCommand = parsed.argv[0]\n  if (!subCommand)\n    return false\n  if (!APES_GATED_SUBCOMMANDS.has(subCommand))\n    return true\n  // `apes run --as <user>` has its own internal escapes-audience grant\n  // flow (runAdapterMode delegates to runAudienceMode('escapes', ...)).\n  // Double-gating it through the ape-shell session-grant layer would\n  // fall through to a generic session grant that never reaches escapes.\n  // Let it self-dispatch so the inner apes process handles elevation.\n  if (subCommand === 'run' && parsed.argv.includes('--as'))\n    return true\n  return false\n}\n\n/**\n * Result of checking a parsed shell command for a leading `sudo` token.\n * The `reason` doubles as a ready-to-print error message so the REPL\n * and one-shot paths emit byte-identical text.\n */\nexport interface SudoRejection {\n  reason: string\n}\n\n/**\n * Returns a rejection hint if the parsed line is a simple, non-compound\n * command whose leading executable is `sudo`. `sudo` is not available\n * inside ape-shell (the wrapper user is not in /etc/sudoers by design),\n * so agents and humans should use the explicit\n * `apes run --as root -- <cmd>` flow which routes through the escapes\n * setuid binary.\n *\n * Compound lines (pipes, &&, etc.) return null so the downstream\n * session-grant path can still negotiate a grant and bash surfaces the\n * real sudo error. We only short-circuit the leading-sudo case which is\n * the agent footgun.\n *\n * Shared by both dispatch paths:\n *   - Interactive REPL: `shell/grant-dispatch.ts` → `requestGrantForShellLine`\n *   - One-shot `ape-shell -c`: `commands/run.ts` → `runShellMode`\n */\nexport function checkSudoRejection(parsed: ParsedShellCommand | null | undefined): SudoRejection | null {\n  if (!parsed || parsed.isCompound) return null\n  if (basename(parsed.executable) !== 'sudo') return null\n  const rest = parsed.argv.join(' ').trim()\n  const hint = rest.length > 0\n    ? `apes run --as root -- ${rest}`\n    : 'apes run --as root -- <cmd>'\n  return {\n    reason: `sudo is not available in ape-shell. Use \\`${hint}\\` for privileged commands.`,\n  }\n}\n"],"mappings":";;;;;;AAAA,SAAS,aAAa;AACtB,OAAO,aAAa;AACpB,SAAS,aAAa;AAmBtB,SAAS,wBAA4C;AACnD,MAAI,QAAQ,IAAI;AACd,WAAO,QAAQ,IAAI;AAErB,QAAM,SAAS,WAAW;AAC1B,SAAO,OAAO,eAAe;AAC/B;AAQA,SAAS,YAAY,OAAuB;AAI1C,SAAO,MAAM,CAAC,KAAK,CAAC;AACtB;AAMA,SAAS,eAAe,UAAkB,MAAgC;AACxE,SAAO,SACJ,QAAQ,iBAAiB,YAAY,KAAK,OAAO,CAAC,EAClD,QAAQ,oBAAoB,YAAY,KAAK,UAAU,CAAC,EACxD,QAAQ,gBAAgB,YAAY,KAAK,OAAO,CAAC,EACjD,QAAQ,iBAAiB,YAAY,KAAK,QAAQ,CAAC,EACnD,QAAQ,aAAa,YAAY,KAAK,IAAI,CAAC;AAChD;AAiBO,SAAS,mBAAmB,MAA8B;AAC/D,QAAM,WAAW,sBAAsB;AACvC,MAAI,CAAC;AACH;AAEF,QAAM,WAAW,eAAe,UAAU,IAAI;AAE9C,MAAI;AACF,UAAM,QAAQ,MAAM,MAAM,CAAC,MAAM,QAAQ,GAAG;AAAA,MAC1C,UAAU;AAAA,MACV,OAAO;AAAA,MACP,KAAK,EAAE,GAAG,QAAQ,IAAI;AAAA,IACxB,CAAC;AAGD,UAAM,MAAM;AAGZ,UAAM,UAAU,WAAW,MAAM;AAC/B,UAAI;AACF,cAAM,KAAK,SAAS;AAAA,MACtB,QACM;AAAA,MAAC;AAAA,IACT,GAAG,GAAM;AACT,YAAQ,MAAM;AAEd,UAAM,GAAG,QAAQ,MAAM,aAAa,OAAO,CAAC;AAAA,EAC9C,SACO,KAAK;AAEV,YAAQ,MAAM,gCAAgC,GAAG;AAAA,EACnD;AACF;;;ACtGA,SAAS,gBAAgB;AA+BlB,IAAM,yBAAyB,oBAAI,IAAI,CAAC,OAAO,SAAS,KAAK,CAAC;AAa9D,SAAS,mBAAmB,QAAwD;AACzF,MAAI,CAAC,UAAU,OAAO;AACpB,WAAO;AACT,QAAM,cAAc,SAAS,OAAO,UAAU;AAC9C,MAAI,gBAAgB,UAAU,gBAAgB;AAC5C,WAAO;AACT,QAAM,aAAa,OAAO,KAAK,CAAC;AAChC,MAAI,CAAC;AACH,WAAO;AACT,MAAI,CAAC,uBAAuB,IAAI,UAAU;AACxC,WAAO;AAMT,MAAI,eAAe,SAAS,OAAO,KAAK,SAAS,MAAM;AACrD,WAAO;AACT,SAAO;AACT;AA4BO,SAAS,mBAAmB,QAAqE;AACtG,MAAI,CAAC,UAAU,OAAO,WAAY,QAAO;AACzC,MAAI,SAAS,OAAO,UAAU,MAAM,OAAQ,QAAO;AACnD,QAAM,OAAO,OAAO,KAAK,KAAK,GAAG,EAAE,KAAK;AACxC,QAAM,OAAO,KAAK,SAAS,IACvB,yBAAyB,IAAI,KAC7B;AACJ,SAAO;AAAA,IACL,QAAQ,6CAA6C,IAAI;AAAA,EAC3D;AACF;","names":[]}

package/dist/cli.js

@@ -12,10 +12,12 @@ import {
   checkSudoRejection,
   isApesSelfDispatch,
   notifyGrantPending
-} from "./chunk-M2NBHR2E.js";
+} from "./chunk-OFIVF6NH.js";
 import {
   ApiError,
+  GENERIC_OPERATION_ID,
   apiFetch,
+  buildGenericResolved,
   buildStructuredCliGrantRequest,
   createShapesGrant,
   extractOption,
@@ -40,21 +42,23 @@ import {
   resolveCapabilityRequest,
   resolveCommand,
   resolveFromGrant,
+  resolveGenericOrReject,
   searchAdapters,
   verifyAndExecute,
   waitForGrantStatus
-} from "./chunk-U4CI2RBO.js";
+} from "./chunk-O7GSG3OE.js";
 import {
   AUTH_FILE,
   CONFIG_DIR,
   clearAuth,
   getAuthToken,
   getIdpUrl,
+  isGenericFallbackEnabled,
   loadAuth,
   loadConfig,
   saveAuth,
   saveConfig
-} from "./chunk-6JSOSD7R.js";
+} from "./chunk-6GPSKAMU.js";
 
 // src/cli.ts
 import consola27 from "consola";
@@ -1187,15 +1191,24 @@ var runGrantCommand = defineCommand12({
     const hasOpenApeCliDetail = authDetails.some((d) => d?.type === "openape_cli");
     const isShapesGrant = hasOpenApeCliDetail || audience === "shapes";
     if (isShapesGrant) {
+      const isGenericGrant = authDetails.some((d) => d?.operation_id === GENERIC_OPERATION_ID);
       let resolved;
-      try {
-        resolved = await resolveFromGrant(grant);
-      } catch (err) {
-        const msg = err instanceof Error ? err.message : String(err);
-        throw new CliError(`Cannot re-resolve grant: ${msg}`);
+      if (isGenericGrant) {
+        const argv = grant.request?.command ?? [];
+        if (argv.length === 0)
+          throw new CliError(`Generic grant ${grant.id} is missing command argv`);
+        const cliId = authDetails.find((d) => d?.operation_id === GENERIC_OPERATION_ID)?.cli_id ?? argv[0];
+        resolved = await buildGenericResolved(cliId, argv);
+      } else {
+        try {
+          resolved = await resolveFromGrant(grant);
+        } catch (err) {
+          const msg = err instanceof Error ? err.message : String(err);
+          throw new CliError(`Cannot re-resolve grant: ${msg}`);
+        }
       }
       const token = await fetchGrantToken(idp, grant.id);
-      await verifyAndExecute(token, resolved);
+      await verifyAndExecute(token, resolved, grant.id);
       return;
     }
     if (audience === "escapes") {
@@ -2244,7 +2257,7 @@ async function tryAdapterModeFromShell(command, idp, args) {
     if (existingGrantId) {
       consola19.info(`Reusing grant ${existingGrantId} for: ${resolved.detail.display}`);
       const token = await fetchGrantToken(idp, existingGrantId);
-      await verifyAndExecute(token, resolved);
+      await verifyAndExecute(token, resolved, existingGrantId);
       return true;
     }
   } catch {
@@ -2275,7 +2288,7 @@ async function tryAdapterModeFromShell(command, idp, args) {
     if (status !== "approved")
       throw new CliError(`Grant ${status}`);
     const token = await fetchGrantToken(idp, grant.id);
-    await verifyAndExecute(token, resolved);
+    await verifyAndExecute(token, resolved, grant.id);
     return true;
   }
   printPendingGrantInfo(grant, idp);
@@ -2311,6 +2324,11 @@ function extractPositionals(rawArgs) {
   }
   return positionals;
 }
+function printGenericWarning(cliId) {
+  process.stderr.write(`\u26A0 No shape registered for \`${cliId}\`.
+`);
+  process.stderr.write("Generic mode active \u2014 single-use grant will be required.\n");
+}
 async function runAdapterMode(command, rawArgs, args) {
   const idp = getIdpUrl(args.idp);
   if (!idp)
@@ -2320,15 +2338,28 @@ async function runAdapterMode(command, rawArgs, args) {
     return;
   }
   const adapterOpt = extractOption(rawArgs, "adapter");
-  const loaded = loadAdapter(command[0], adapterOpt);
-  const resolved = await resolveCommand(loaded, command);
+  const cliId = command[0];
+  let resolved;
+  try {
+    const loaded = loadAdapter(cliId, adapterOpt);
+    resolved = await resolveCommand(loaded, command);
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    const isNoAdapter = message.startsWith("No adapter found for ");
+    if (!isNoAdapter)
+      throw err;
+    resolved = await resolveGenericOrReject(cliId, command, {
+      genericEnabled: isGenericFallbackEnabled()
+    });
+    printGenericWarning(cliId);
+  }
   const approval = args.approval ?? "once";
   try {
     const existingGrantId = await findExistingGrant(resolved, idp);
     if (existingGrantId) {
       consola19.info(`Reusing existing grant: ${existingGrantId}`);
       const token = await fetchGrantToken(idp, existingGrantId);
-      await verifyAndExecute(token, resolved);
+      await verifyAndExecute(token, resolved, existingGrantId);
       return;
     }
   } catch {
@@ -2355,7 +2386,7 @@ async function runAdapterMode(command, rawArgs, args) {
     if (status !== "approved")
       throw new Error(`Grant ${status}`);
     const token = await fetchGrantToken(idp, grant.id);
-    await verifyAndExecute(token, resolved);
+    await verifyAndExecute(token, resolved, grant.id);
     return;
   }
   printPendingGrantInfo(grant, idp);
@@ -2692,7 +2723,7 @@ var mcpCommand = defineCommand26({
     if (transport !== "stdio" && transport !== "sse") {
       throw new Error('Transport must be "stdio" or "sse"');
     }
-    const { startMcpServer } = await import("./server-TGIP55VI.js");
+    const { startMcpServer } = await import("./server-UXLNYVMG.js");
     await startMcpServer(transport, port);
   }
 });
@@ -3184,7 +3215,7 @@ async function bestEffortGrantCount(idp) {
   }
 }
 async function runHealth(args) {
-  const version = true ? "0.11.1" : "0.0.0";
+  const version = true ? "0.12.0" : "0.0.0";
   const auth = loadAuth();
   if (!auth) {
     throw new CliError("Not logged in. Run `apes login` first.", 1);
@@ -3386,10 +3417,10 @@ if (shellRewrite) {
   if (shellRewrite.action === "rewrite") {
     process.argv = shellRewrite.argv;
   } else if (shellRewrite.action === "version") {
-    console.log(`ape-shell ${"0.11.1"} (OpenApe DDISA shell wrapper)`);
+    console.log(`ape-shell ${"0.12.0"} (OpenApe DDISA shell wrapper)`);
     process.exit(0);
   } else if (shellRewrite.action === "help") {
-    console.log(`ape-shell ${"0.11.1"} \u2014 OpenApe DDISA shell wrapper`);
+    console.log(`ape-shell ${"0.12.0"} \u2014 OpenApe DDISA shell wrapper`);
     console.log("");
     console.log("Usage:");
     console.log("  ape-shell                 Start interactive grant-mediated REPL");
@@ -3404,7 +3435,7 @@ if (shellRewrite) {
     console.log("  --help, -h      Show this help message");
     process.exit(0);
   } else if (shellRewrite.action === "interactive") {
-    const { runInteractiveShell } = await import("./orchestrator-OF2YGFMR.js");
+    const { runInteractiveShell } = await import("./orchestrator-EHFFTEL5.js");
     await runInteractiveShell();
     process.exit(0);
   } else {
@@ -3447,7 +3478,7 @@ var configCommand = defineCommand33({
 var main = defineCommand33({
   meta: {
     name: "apes",
-    version: "0.11.1",
+    version: "0.12.0",
     description: "Unified CLI for OpenApe"
   },
   subCommands: {