@openape/apes 0.15.1 → 0.16.0

package/dist/cli.js

@@ -61,7 +61,7 @@ import {
 } from "./chunk-6GPSKAMU.js";
 
 // src/cli.ts
-import consola32 from "consola";
+import consola33 from "consola";
 
 // src/ape-shell.ts
 import path from "path";
@@ -91,7 +91,7 @@ function rewriteApeShellArgs(argv, argv0) {
 }
 
 // src/cli.ts
-import { defineCommand as defineCommand39, runMain } from "citty";
+import { defineCommand as defineCommand41, runMain } from "citty";
 
 // src/commands/auth/login.ts
 import { Buffer } from "buffer";
@@ -1820,7 +1820,7 @@ function buildDestroyTeardownScript(input) {
   return `#!/bin/bash
 # Best-effort teardown. set -u catches typos; we deliberately do NOT use -e
 # because pkill / launchctl are allowed to fail when the user has no live
-# sessions, and dscl -delete is allowed to fail when the user is already gone.
+# sessions.
 set -u
 
 NAME=${shQuote(name)}
@@ -1837,7 +1837,32 @@ if [ -d "$HOME_DIR" ] && [ "$HOME_DIR" != "/" ] && [ "$HOME_DIR" != "" ]; then
   rm -rf "$HOME_DIR"
 fi
 
-dscl . -delete "/Users/$NAME" 2>/dev/null || true
+# Delete the user record. \`sysadminctl -deleteUser\` is the canonical macOS
+# API and removes Open Directory metadata that \`dscl . -delete\` leaves
+# behind. Fall back to dscl if sysadminctl isn't available or rejects the
+# user. Surface a clear error if both fail \u2014 silent failure here is what
+# left orphaned dscl records on previous spawn/destroy round-trips.
+if command -v sysadminctl >/dev/null 2>&1; then
+  if sysadminctl -deleteUser "$NAME" 2>/dev/null; then
+    :
+  elif dscl . -read "/Users/$NAME" >/dev/null 2>&1; then
+    dscl . -delete "/Users/$NAME" || {
+      echo "ERROR: failed to delete user record /Users/$NAME" >&2
+      exit 1
+    }
+  fi
+elif dscl . -read "/Users/$NAME" >/dev/null 2>&1; then
+  dscl . -delete "/Users/$NAME" || {
+    echo "ERROR: failed to delete user record /Users/$NAME" >&2
+    exit 1
+  }
+fi
+
+# Verify the record is actually gone.
+if dscl . -read "/Users/$NAME" >/dev/null 2>&1; then
+  echo "ERROR: user record /Users/$NAME still exists after teardown" >&2
+  exit 1
+fi
 
 echo "OK destroyed $NAME"
 `;
@@ -1998,6 +2023,18 @@ ${consequences.join("\n")}`);
         throw new CliExit(0);
       }
     }
+    if (idpExists) {
+      const id = encodeURIComponent(idpAgent.email);
+      if (args.soft) {
+        await apiFetch(`/api/my-agents/${id}`, { method: "PATCH", body: { isActive: false }, idp });
+        consola18.success(`Deactivated IdP agent ${idpAgent.email}`);
+      } else {
+        await apiFetch(`/api/my-agents/${id}`, { method: "DELETE", idp });
+        consola18.success(`Deleted IdP agent ${idpAgent.email}`);
+      }
+    } else {
+      consola18.info("No IdP agent to remove (skipped).");
+    }
     if (osUserExists) {
       const apes = whichBinary("apes");
       if (!apes) {
@@ -2021,18 +2058,6 @@ ${consequences.join("\n")}`);
     } else if (!args["keep-os-user"] && isDarwin()) {
       consola18.info("No macOS user to remove (skipped).");
     }
-    if (idpExists) {
-      const id = encodeURIComponent(idpAgent.email);
-      if (args.soft) {
-        await apiFetch(`/api/my-agents/${id}`, { method: "PATCH", body: { isActive: false }, idp });
-        consola18.success(`Deactivated IdP agent ${idpAgent.email}`);
-      } else {
-        await apiFetch(`/api/my-agents/${id}`, { method: "DELETE", idp });
-        consola18.success(`Deleted IdP agent ${idpAgent.email}`);
-      }
-    } else {
-      consola18.info("No IdP agent to remove (skipped).");
-    }
     consola18.success(`Destroyed ${name}.`);
   }
 });
@@ -3626,7 +3651,7 @@ var mcpCommand = defineCommand32({
     if (transport !== "stdio" && transport !== "sse") {
       throw new Error('Transport must be "stdio" or "sse"');
     }
-    const { startMcpServer } = await import("./server-VZ325IPS.js");
+    const { startMcpServer } = await import("./server-NZMLYPN4.js");
     await startMcpServer(transport, port);
   }
 });
@@ -3977,11 +4002,131 @@ var registerUserCommand = defineCommand35({
   }
 });
 
-// src/commands/dns-check.ts
+// src/commands/utils/index.ts
+import { defineCommand as defineCommand37 } from "citty";
+
+// src/commands/utils/dig.ts
 import { defineCommand as defineCommand36 } from "citty";
 import consola30 from "consola";
 import { resolveDDISA as resolveDDISA2 } from "@openape/core";
-var dnsCheckCommand = defineCommand36({
+var digCommand = defineCommand36({
+  meta: {
+    name: "dig",
+    description: "Resolve DDISA IdP for a domain or email (admin/diag tool)"
+  },
+  args: {
+    target: {
+      type: "positional",
+      description: "Domain (example.com) or email (alice@example.com)",
+      required: true
+    },
+    json: {
+      type: "boolean",
+      description: "Machine-readable JSON output"
+    }
+  },
+  async run({ args }) {
+    const raw = String(args.target).trim();
+    const at = raw.indexOf("@");
+    const domain = at >= 0 ? raw.slice(at + 1) : raw;
+    const localPart = at >= 0 ? raw.slice(0, at) : null;
+    if (!domain || !/^[a-z0-9.-]+\.[a-z]{2,}$/i.test(domain)) {
+      throw new CliError(`Invalid domain: ${domain}`);
+    }
+    const result = {
+      input: raw,
+      domain,
+      localPart,
+      ddisa: { found: false }
+    };
+    const ddisa = await resolveDDISA2(domain);
+    if (ddisa) {
+      result.ddisa = {
+        found: true,
+        idp: ddisa.idp,
+        version: ddisa.version,
+        mode: ddisa.mode,
+        priority: ddisa.priority
+      };
+      try {
+        const resp = await fetch(`${ddisa.idp}/.well-known/openid-configuration`);
+        if (resp.ok) {
+          const disco = await resp.json();
+          result.idpDiscovery = {
+            ok: true,
+            status: resp.status,
+            issuer: typeof disco.issuer === "string" ? disco.issuer : void 0,
+            ddisaVersion: typeof disco.ddisa_version === "string" ? disco.ddisa_version : void 0,
+            authMethods: Array.isArray(disco.ddisa_auth_methods_supported) ? disco.ddisa_auth_methods_supported : void 0,
+            grantTypes: Array.isArray(disco.openape_grant_types_supported) ? disco.openape_grant_types_supported : void 0
+          };
+        } else {
+          result.idpDiscovery = { ok: false, status: resp.status };
+        }
+      } catch (err) {
+        result.idpDiscovery = { ok: false };
+        result.hint = `IdP at ${ddisa.idp} unreachable: ${err instanceof Error ? err.message : String(err)}`;
+      }
+    } else {
+      result.hint = `No DDISA record. Add a TXT record:
+  _ddisa.${domain}  TXT  "v=ddisa1 idp=https://id.${domain}; mode=open"`;
+    }
+    if (args.json) {
+      process.stdout.write(`${JSON.stringify(result, null, 2)}
+`);
+      if (!result.ddisa.found || result.idpDiscovery?.ok === false) process.exit(1);
+      return;
+    }
+    console.log(`Target: ${raw}`);
+    if (localPart) console.log(`  user:   ${localPart}`);
+    console.log(`  domain: ${domain}`);
+    console.log("");
+    if (!result.ddisa.found) {
+      consola30.warn(`No DDISA record at _ddisa.${domain}`);
+      if (result.hint) console.log(`
+${result.hint}`);
+      throw new CliError(`No DDISA record found for ${domain}`);
+    }
+    consola30.success(`_ddisa.${domain} \u2192 ${result.ddisa.idp}`);
+    console.log(`  Version:  ${result.ddisa.version || "ddisa1"}`);
+    console.log(`  IdP URL:  ${result.ddisa.idp}`);
+    if (result.ddisa.mode) console.log(`  Mode:     ${result.ddisa.mode}`);
+    if (result.ddisa.priority !== void 0) console.log(`  Priority: ${result.ddisa.priority}`);
+    console.log("");
+    if (!result.idpDiscovery) {
+      return;
+    }
+    if (result.idpDiscovery.ok) {
+      consola30.success(`IdP reachable (${result.idpDiscovery.status ?? 200})`);
+      if (result.idpDiscovery.issuer) console.log(`  Issuer:   ${result.idpDiscovery.issuer}`);
+      if (result.idpDiscovery.ddisaVersion) console.log(`  DDISA:    v${result.idpDiscovery.ddisaVersion}`);
+      if (result.idpDiscovery.authMethods?.length) console.log(`  Auth:     ${result.idpDiscovery.authMethods.join(", ")}`);
+      if (result.idpDiscovery.grantTypes?.length) console.log(`  Grants:   ${result.idpDiscovery.grantTypes.join(", ")}`);
+    } else {
+      consola30.warn(`IdP discovery failed${result.idpDiscovery.status ? ` (HTTP ${result.idpDiscovery.status})` : ""}`);
+      if (result.hint) console.log(`
+${result.hint}`);
+      throw new CliError(`IdP at ${result.ddisa.idp} not reachable`);
+    }
+  }
+});
+
+// src/commands/utils/index.ts
+var utilsCommand = defineCommand37({
+  meta: {
+    name: "utils",
+    description: "Admin/diagnostic utilities (dig, \u2026)"
+  },
+  subCommands: {
+    dig: digCommand
+  }
+});
+
+// src/commands/dns-check.ts
+import { defineCommand as defineCommand38 } from "citty";
+import consola31 from "consola";
+import { resolveDDISA as resolveDDISA3 } from "@openape/core";
+var dnsCheckCommand = defineCommand38({
   meta: {
     name: "dns-check",
     description: "Validate DDISA DNS TXT records for a domain"
@@ -3995,16 +4140,16 @@ var dnsCheckCommand = defineCommand36({
   },
   async run({ args }) {
     const domain = args.domain;
-    consola30.start(`Checking _ddisa.${domain}...`);
+    consola31.start(`Checking _ddisa.${domain}...`);
     try {
-      const result = await resolveDDISA2(domain);
+      const result = await resolveDDISA3(domain);
       if (!result) {
         console.log("");
         console.log("To set up DDISA, add a DNS TXT record:");
         console.log(`  _ddisa.${domain} TXT "v=ddisa1 idp=https://id.${domain}"`);
         throw new CliError(`No DDISA record found for ${domain}`);
       }
-      consola30.success(`_ddisa.${domain} \u2192 ${result.idp}`);
+      consola31.success(`_ddisa.${domain} \u2192 ${result.idp}`);
       console.log("");
       console.log(`  Version:  ${result.version || "ddisa1"}`);
       console.log(`  IdP URL:  ${result.idp}`);
@@ -4013,14 +4158,14 @@ var dnsCheckCommand = defineCommand36({
       if (result.priority !== void 0)
         console.log(`  Priority: ${result.priority}`);
       console.log("");
-      consola30.start(`Verifying IdP at ${result.idp}...`);
+      consola31.start(`Verifying IdP at ${result.idp}...`);
       const discoResp = await fetch(`${result.idp}/.well-known/openid-configuration`);
       if (!discoResp.ok) {
-        consola30.warn(`IdP discovery failed (${discoResp.status}). Is the IdP running at ${result.idp}?`);
+        consola31.warn(`IdP discovery failed (${discoResp.status}). Is the IdP running at ${result.idp}?`);
         return;
       }
       const disco = await discoResp.json();
-      consola30.success(`IdP is reachable`);
+      consola31.success(`IdP is reachable`);
       console.log(`  Issuer:   ${disco.issuer}`);
       console.log(`  DDISA:    v${disco.ddisa_version || "?"}`);
       if (disco.ddisa_auth_methods_supported) {
@@ -4038,7 +4183,7 @@ var dnsCheckCommand = defineCommand36({
 // src/commands/health.ts
 import { exec } from "child_process";
 import { promisify } from "util";
-import { defineCommand as defineCommand37 } from "citty";
+import { defineCommand as defineCommand39 } from "citty";
 var execAsync = promisify(exec);
 async function resolveApeShellPath() {
   try {
@@ -4074,7 +4219,7 @@ async function bestEffortGrantCount(idp) {
   }
 }
 async function runHealth(args) {
-  const version = true ? "0.15.1" : "0.0.0";
+  const version = true ? "0.16.0" : "0.0.0";
   const auth = loadAuth();
   if (!auth) {
     throw new CliError("Not logged in. Run `apes login` first.", 1);
@@ -4137,7 +4282,7 @@ async function runHealth(args) {
     throw new CliError(`IdP ${auth.idp} unreachable: ${idpProbe.error}`, 1);
   }
 }
-var healthCommand = defineCommand37({
+var healthCommand = defineCommand39({
   meta: {
     name: "health",
     description: "Report CLI diagnostic state (auth, IdP, grants, binaries)"
@@ -4155,8 +4300,8 @@ var healthCommand = defineCommand37({
 });
 
 // src/commands/workflows.ts
-import { defineCommand as defineCommand38 } from "citty";
-import consola31 from "consola";
+import { defineCommand as defineCommand40 } from "citty";
+import consola32 from "consola";
 
 // src/guides/index.ts
 var guides = [
@@ -4206,7 +4351,7 @@ var guides = [
 ];
 
 // src/commands/workflows.ts
-var workflowsCommand = defineCommand38({
+var workflowsCommand = defineCommand40({
   meta: {
     name: "workflows",
     description: "Discover workflow guides"
@@ -4227,7 +4372,7 @@ var workflowsCommand = defineCommand38({
     if (args.id) {
       const guide = guides.find((g) => g.id === String(args.id));
       if (!guide) {
-        consola31.info(`Available: ${guides.map((g) => g.id).join(", ")}`);
+        consola32.info(`Available: ${guides.map((g) => g.id).join(", ")}`);
         throw new CliError(`Guide not found: ${args.id}`);
       }
       if (args.json) {
@@ -4276,10 +4421,10 @@ if (shellRewrite) {
   if (shellRewrite.action === "rewrite") {
     process.argv = shellRewrite.argv;
   } else if (shellRewrite.action === "version") {
-    console.log(`ape-shell ${"0.15.1"} (OpenApe DDISA shell wrapper)`);
+    console.log(`ape-shell ${"0.16.0"} (OpenApe DDISA shell wrapper)`);
     process.exit(0);
   } else if (shellRewrite.action === "help") {
-    console.log(`ape-shell ${"0.15.1"} \u2014 OpenApe DDISA shell wrapper`);
+    console.log(`ape-shell ${"0.16.0"} \u2014 OpenApe DDISA shell wrapper`);
     console.log("");
     console.log("Usage:");
     console.log("  ape-shell                 Start interactive grant-mediated REPL");
@@ -4303,7 +4448,7 @@ if (shellRewrite) {
   }
 }
 var debug = process.argv.includes("--debug");
-var grantsCommand = defineCommand39({
+var grantsCommand = defineCommand41({
   meta: {
     name: "grants",
     description: "Grant management"
@@ -4324,7 +4469,7 @@ var grantsCommand = defineCommand39({
     "delegation-revoke": delegationRevokeCommand
   }
 });
-var configCommand = defineCommand39({
+var configCommand = defineCommand41({
   meta: {
     name: "config",
     description: "Configuration management"
@@ -4334,10 +4479,10 @@ var configCommand = defineCommand39({
     set: configSetCommand
   }
 });
-var main = defineCommand39({
+var main = defineCommand41({
   meta: {
     name: "apes",
-    version: "0.15.1",
+    version: "0.16.0",
     description: "Unified CLI for OpenApe"
   },
   subCommands: {
@@ -4345,6 +4490,7 @@ var main = defineCommand39({
     enroll: enrollCommand,
     "register-user": registerUserCommand,
     "dns-check": dnsCheckCommand,
+    utils: utilsCommand,
     login: loginCommand,
     logout: logoutCommand,
     whoami: whoamiCommand,
@@ -4367,13 +4513,13 @@ runMain(main).catch((err) => {
     process.exit(err.exitCode);
   }
   if (err instanceof CliError) {
-    consola32.error(err.message);
+    consola33.error(err.message);
     process.exit(err.exitCode);
   }
   if (debug) {
-    consola32.error(err);
+    consola33.error(err);
   } else {
-    consola32.error(err instanceof ApiError ? err.message : err instanceof Error ? err.message : String(err));
+    consola33.error(err instanceof ApiError ? err.message : err instanceof Error ? err.message : String(err));
   }
   process.exit(1);
 });