@openape/apes 0.15.2 → 0.17.0

package/dist/cli.js

@@ -61,7 +61,7 @@ import {
 } from "./chunk-6GPSKAMU.js";
 
 // src/cli.ts
-import consola32 from "consola";
+import consola33 from "consola";
 
 // src/ape-shell.ts
 import path from "path";
@@ -91,7 +91,7 @@ function rewriteApeShellArgs(argv, argv0) {
 }
 
 // src/cli.ts
-import { defineCommand as defineCommand39, runMain } from "citty";
+import { defineCommand as defineCommand41, runMain } from "citty";
 
 // src/commands/auth/login.ts
 import { Buffer } from "buffer";
@@ -147,29 +147,44 @@ async function resolveLoginInputs(flags) {
     );
   }
   let idp;
+  let idpSource;
   if (flags.idp) {
     idp = flags.idp;
+    idpSource = "flag";
   } else if (process.env.APES_IDP) {
     idp = process.env.APES_IDP;
+    idpSource = "env";
   } else if (process.env.GRAPES_IDP) {
     idp = process.env.GRAPES_IDP;
+    idpSource = "env";
     consola.warn(
       "GRAPES_IDP is deprecated, use APES_IDP instead. GRAPES_IDP support will be removed in a future release."
     );
   } else if (config.defaults?.idp) {
     idp = config.defaults.idp;
-  } else if (email && email.includes("@")) {
+    idpSource = "config";
+  }
+  let ddisaIdp;
+  let ddisaDomain;
+  if (email && email.includes("@")) {
     const domain = email.split("@")[1];
+    ddisaDomain = domain;
     try {
       const record = await resolveDDISA(domain);
-      if (record?.idp) {
-        idp = record.idp;
-        consola.info(`Discovered IdP via DDISA (_ddisa.${domain}): ${idp}`);
-      }
+      if (record?.idp) ddisaIdp = record.idp;
     } catch {
     }
   }
-  return { keyPath, email, idp };
+  if (!idp && ddisaIdp && ddisaDomain) {
+    idp = ddisaIdp;
+    idpSource = "ddisa";
+    consola.info(`Discovered IdP via DDISA (_ddisa.${ddisaDomain}): ${idp}`);
+  }
+  let ddisaMismatch;
+  if (idp && ddisaIdp && ddisaDomain && idp !== ddisaIdp && idpSource !== "ddisa") {
+    ddisaMismatch = { dnsIdp: ddisaIdp, chosenIdp: idp, domain: ddisaDomain };
+  }
+  return { keyPath, email, idp, ddisaMismatch };
 }
 
 // src/commands/auth/login.ts
@@ -181,6 +196,11 @@ var loginCommand = defineCommand({
     description: "Authenticate with an OpenApe IdP"
   },
   args: {
+    user: {
+      type: "positional",
+      required: false,
+      description: "Agent email (e.g. patrick@hofmann.eco). Extracted from <key>.pub comment if omitted."
+    },
     idp: {
       type: "string",
       description: "IdP URL (e.g. https://id.openape.at). Auto-discovered via DDISA DNS if omitted."
@@ -191,24 +211,52 @@ var loginCommand = defineCommand({
     },
     email: {
       type: "string",
-      description: "Agent email. Extracted from <key>.pub comment if omitted."
+      description: "Same as the positional email \u2014 flag form for backwards compatibility."
     },
     browser: {
       type: "boolean",
       description: "Force browser (PKCE) login even if an SSH key exists"
+    },
+    force: {
+      type: "boolean",
+      description: "Override DDISA mismatch warnings (use with care)"
     }
   },
   async run({ args }) {
+    const emailArg = typeof args.user === "string" && args.user.includes("@") ? args.user : typeof args.email === "string" ? args.email : void 0;
     const resolved = await resolveLoginInputs({
       key: args.key,
       idp: args.idp,
-      email: args.email,
+      email: emailArg,
       browser: args.browser
     });
+    if (resolved.ddisaMismatch && !args.force) {
+      const { dnsIdp, chosenIdp, domain } = resolved.ddisaMismatch;
+      throw new CliError(
+        `IdP mismatch for ${domain}.
+
+  Authoritative DDISA: ${dnsIdp}
+  You selected:        ${chosenIdp}
+
+Logging in against a different IdP than DDISA points to means SPs that
+trust the DDISA-resolved IdP (e.g. preview.openape.ai) will reject the
+resulting token with "IdP mismatch".
+
+Fix one of:
+  \u2022 Drop --idp/APES_IDP/config.defaults.idp \u2014 DDISA will auto-pick ${dnsIdp}
+  \u2022 Update _ddisa.${domain} if ${chosenIdp} is genuinely the correct IdP
+  \u2022 Re-run with --force to authenticate anyway (NOT recommended)`
+      );
+    }
+    if (resolved.ddisaMismatch && args.force) {
+      consola2.warn(
+        `Bypassing DDISA mismatch \u2014 ${resolved.ddisaMismatch.domain} resolves to ${resolved.ddisaMismatch.dnsIdp}, but you forced ${resolved.ddisaMismatch.chosenIdp}.`
+      );
+    }
     if (resolved.keyPath) {
       if (!resolved.email) {
         throw new CliError(
-          `Agent email required for key-based login. Add an email comment to ${resolved.keyPath}.pub (ssh-keygen -C <email>) or pass --email <agent-email>.`
+          `Agent email required for key-based login. Pass it as a positional (\`apes login <email>\`), set --email, or add an email comment to ${resolved.keyPath}.pub via ssh-keygen -C <email>.`
         );
       }
       if (!resolved.idp) {
@@ -3651,7 +3699,7 @@ var mcpCommand = defineCommand32({
     if (transport !== "stdio" && transport !== "sse") {
       throw new Error('Transport must be "stdio" or "sse"');
     }
-    const { startMcpServer } = await import("./server-25QMTVUR.js");
+    const { startMcpServer } = await import("./server-YGRMW3OW.js");
     await startMcpServer(transport, port);
   }
 });
@@ -4002,11 +4050,131 @@ var registerUserCommand = defineCommand35({
   }
 });
 
-// src/commands/dns-check.ts
+// src/commands/utils/index.ts
+import { defineCommand as defineCommand37 } from "citty";
+
+// src/commands/utils/dig.ts
 import { defineCommand as defineCommand36 } from "citty";
 import consola30 from "consola";
 import { resolveDDISA as resolveDDISA2 } from "@openape/core";
-var dnsCheckCommand = defineCommand36({
+var digCommand = defineCommand36({
+  meta: {
+    name: "dig",
+    description: "Resolve DDISA IdP for a domain or email (admin/diag tool)"
+  },
+  args: {
+    target: {
+      type: "positional",
+      description: "Domain (example.com) or email (alice@example.com)",
+      required: true
+    },
+    json: {
+      type: "boolean",
+      description: "Machine-readable JSON output"
+    }
+  },
+  async run({ args }) {
+    const raw = String(args.target).trim();
+    const at = raw.indexOf("@");
+    const domain = at >= 0 ? raw.slice(at + 1) : raw;
+    const localPart = at >= 0 ? raw.slice(0, at) : null;
+    if (!domain || !/^[a-z0-9.-]+\.[a-z]{2,}$/i.test(domain)) {
+      throw new CliError(`Invalid domain: ${domain}`);
+    }
+    const result = {
+      input: raw,
+      domain,
+      localPart,
+      ddisa: { found: false }
+    };
+    const ddisa = await resolveDDISA2(domain);
+    if (ddisa) {
+      result.ddisa = {
+        found: true,
+        idp: ddisa.idp,
+        version: ddisa.version,
+        mode: ddisa.mode,
+        priority: ddisa.priority
+      };
+      try {
+        const resp = await fetch(`${ddisa.idp}/.well-known/openid-configuration`);
+        if (resp.ok) {
+          const disco = await resp.json();
+          result.idpDiscovery = {
+            ok: true,
+            status: resp.status,
+            issuer: typeof disco.issuer === "string" ? disco.issuer : void 0,
+            ddisaVersion: typeof disco.ddisa_version === "string" ? disco.ddisa_version : void 0,
+            authMethods: Array.isArray(disco.ddisa_auth_methods_supported) ? disco.ddisa_auth_methods_supported : void 0,
+            grantTypes: Array.isArray(disco.openape_grant_types_supported) ? disco.openape_grant_types_supported : void 0
+          };
+        } else {
+          result.idpDiscovery = { ok: false, status: resp.status };
+        }
+      } catch (err) {
+        result.idpDiscovery = { ok: false };
+        result.hint = `IdP at ${ddisa.idp} unreachable: ${err instanceof Error ? err.message : String(err)}`;
+      }
+    } else {
+      result.hint = `No DDISA record. Add a TXT record:
+  _ddisa.${domain}  TXT  "v=ddisa1 idp=https://id.${domain}; mode=open"`;
+    }
+    if (args.json) {
+      process.stdout.write(`${JSON.stringify(result, null, 2)}
+`);
+      if (!result.ddisa.found || result.idpDiscovery?.ok === false) process.exit(1);
+      return;
+    }
+    console.log(`Target: ${raw}`);
+    if (localPart) console.log(`  user:   ${localPart}`);
+    console.log(`  domain: ${domain}`);
+    console.log("");
+    if (!result.ddisa.found) {
+      consola30.warn(`No DDISA record at _ddisa.${domain}`);
+      if (result.hint) console.log(`
+${result.hint}`);
+      throw new CliError(`No DDISA record found for ${domain}`);
+    }
+    consola30.success(`_ddisa.${domain} \u2192 ${result.ddisa.idp}`);
+    console.log(`  Version:  ${result.ddisa.version || "ddisa1"}`);
+    console.log(`  IdP URL:  ${result.ddisa.idp}`);
+    if (result.ddisa.mode) console.log(`  Mode:     ${result.ddisa.mode}`);
+    if (result.ddisa.priority !== void 0) console.log(`  Priority: ${result.ddisa.priority}`);
+    console.log("");
+    if (!result.idpDiscovery) {
+      return;
+    }
+    if (result.idpDiscovery.ok) {
+      consola30.success(`IdP reachable (${result.idpDiscovery.status ?? 200})`);
+      if (result.idpDiscovery.issuer) console.log(`  Issuer:   ${result.idpDiscovery.issuer}`);
+      if (result.idpDiscovery.ddisaVersion) console.log(`  DDISA:    v${result.idpDiscovery.ddisaVersion}`);
+      if (result.idpDiscovery.authMethods?.length) console.log(`  Auth:     ${result.idpDiscovery.authMethods.join(", ")}`);
+      if (result.idpDiscovery.grantTypes?.length) console.log(`  Grants:   ${result.idpDiscovery.grantTypes.join(", ")}`);
+    } else {
+      consola30.warn(`IdP discovery failed${result.idpDiscovery.status ? ` (HTTP ${result.idpDiscovery.status})` : ""}`);
+      if (result.hint) console.log(`
+${result.hint}`);
+      throw new CliError(`IdP at ${result.ddisa.idp} not reachable`);
+    }
+  }
+});
+
+// src/commands/utils/index.ts
+var utilsCommand = defineCommand37({
+  meta: {
+    name: "utils",
+    description: "Admin/diagnostic utilities (dig, \u2026)"
+  },
+  subCommands: {
+    dig: digCommand
+  }
+});
+
+// src/commands/dns-check.ts
+import { defineCommand as defineCommand38 } from "citty";
+import consola31 from "consola";
+import { resolveDDISA as resolveDDISA3 } from "@openape/core";
+var dnsCheckCommand = defineCommand38({
   meta: {
     name: "dns-check",
     description: "Validate DDISA DNS TXT records for a domain"
@@ -4020,16 +4188,16 @@ var dnsCheckCommand = defineCommand36({
   },
   async run({ args }) {
     const domain = args.domain;
-    consola30.start(`Checking _ddisa.${domain}...`);
+    consola31.start(`Checking _ddisa.${domain}...`);
     try {
-      const result = await resolveDDISA2(domain);
+      const result = await resolveDDISA3(domain);
       if (!result) {
         console.log("");
         console.log("To set up DDISA, add a DNS TXT record:");
         console.log(`  _ddisa.${domain} TXT "v=ddisa1 idp=https://id.${domain}"`);
         throw new CliError(`No DDISA record found for ${domain}`);
       }
-      consola30.success(`_ddisa.${domain} \u2192 ${result.idp}`);
+      consola31.success(`_ddisa.${domain} \u2192 ${result.idp}`);
       console.log("");
       console.log(`  Version:  ${result.version || "ddisa1"}`);
       console.log(`  IdP URL:  ${result.idp}`);
@@ -4038,14 +4206,14 @@ var dnsCheckCommand = defineCommand36({
       if (result.priority !== void 0)
         console.log(`  Priority: ${result.priority}`);
       console.log("");
-      consola30.start(`Verifying IdP at ${result.idp}...`);
+      consola31.start(`Verifying IdP at ${result.idp}...`);
       const discoResp = await fetch(`${result.idp}/.well-known/openid-configuration`);
       if (!discoResp.ok) {
-        consola30.warn(`IdP discovery failed (${discoResp.status}). Is the IdP running at ${result.idp}?`);
+        consola31.warn(`IdP discovery failed (${discoResp.status}). Is the IdP running at ${result.idp}?`);
         return;
       }
       const disco = await discoResp.json();
-      consola30.success(`IdP is reachable`);
+      consola31.success(`IdP is reachable`);
       console.log(`  Issuer:   ${disco.issuer}`);
       console.log(`  DDISA:    v${disco.ddisa_version || "?"}`);
       if (disco.ddisa_auth_methods_supported) {
@@ -4063,7 +4231,7 @@ var dnsCheckCommand = defineCommand36({
 // src/commands/health.ts
 import { exec } from "child_process";
 import { promisify } from "util";
-import { defineCommand as defineCommand37 } from "citty";
+import { defineCommand as defineCommand39 } from "citty";
 var execAsync = promisify(exec);
 async function resolveApeShellPath() {
   try {
@@ -4099,7 +4267,7 @@ async function bestEffortGrantCount(idp) {
   }
 }
 async function runHealth(args) {
-  const version = true ? "0.15.2" : "0.0.0";
+  const version = true ? "0.17.0" : "0.0.0";
   const auth = loadAuth();
   if (!auth) {
     throw new CliError("Not logged in. Run `apes login` first.", 1);
@@ -4162,7 +4330,7 @@ async function runHealth(args) {
     throw new CliError(`IdP ${auth.idp} unreachable: ${idpProbe.error}`, 1);
   }
 }
-var healthCommand = defineCommand37({
+var healthCommand = defineCommand39({
   meta: {
     name: "health",
     description: "Report CLI diagnostic state (auth, IdP, grants, binaries)"
@@ -4180,8 +4348,8 @@ var healthCommand = defineCommand37({
 });
 
 // src/commands/workflows.ts
-import { defineCommand as defineCommand38 } from "citty";
-import consola31 from "consola";
+import { defineCommand as defineCommand40 } from "citty";
+import consola32 from "consola";
 
 // src/guides/index.ts
 var guides = [
@@ -4231,7 +4399,7 @@ var guides = [
 ];
 
 // src/commands/workflows.ts
-var workflowsCommand = defineCommand38({
+var workflowsCommand = defineCommand40({
   meta: {
     name: "workflows",
     description: "Discover workflow guides"
@@ -4252,7 +4420,7 @@ var workflowsCommand = defineCommand38({
     if (args.id) {
       const guide = guides.find((g) => g.id === String(args.id));
       if (!guide) {
-        consola31.info(`Available: ${guides.map((g) => g.id).join(", ")}`);
+        consola32.info(`Available: ${guides.map((g) => g.id).join(", ")}`);
         throw new CliError(`Guide not found: ${args.id}`);
       }
       if (args.json) {
@@ -4301,10 +4469,10 @@ if (shellRewrite) {
   if (shellRewrite.action === "rewrite") {
     process.argv = shellRewrite.argv;
   } else if (shellRewrite.action === "version") {
-    console.log(`ape-shell ${"0.15.2"} (OpenApe DDISA shell wrapper)`);
+    console.log(`ape-shell ${"0.17.0"} (OpenApe DDISA shell wrapper)`);
     process.exit(0);
   } else if (shellRewrite.action === "help") {
-    console.log(`ape-shell ${"0.15.2"} \u2014 OpenApe DDISA shell wrapper`);
+    console.log(`ape-shell ${"0.17.0"} \u2014 OpenApe DDISA shell wrapper`);
     console.log("");
     console.log("Usage:");
     console.log("  ape-shell                 Start interactive grant-mediated REPL");
@@ -4328,7 +4496,7 @@ if (shellRewrite) {
   }
 }
 var debug = process.argv.includes("--debug");
-var grantsCommand = defineCommand39({
+var grantsCommand = defineCommand41({
   meta: {
     name: "grants",
     description: "Grant management"
@@ -4349,7 +4517,7 @@ var grantsCommand = defineCommand39({
     "delegation-revoke": delegationRevokeCommand
   }
 });
-var configCommand = defineCommand39({
+var configCommand = defineCommand41({
   meta: {
     name: "config",
     description: "Configuration management"
@@ -4359,10 +4527,10 @@ var configCommand = defineCommand39({
     set: configSetCommand
   }
 });
-var main = defineCommand39({
+var main = defineCommand41({
   meta: {
     name: "apes",
-    version: "0.15.2",
+    version: "0.17.0",
     description: "Unified CLI for OpenApe"
   },
   subCommands: {
@@ -4370,6 +4538,7 @@ var main = defineCommand39({
     enroll: enrollCommand,
     "register-user": registerUserCommand,
     "dns-check": dnsCheckCommand,
+    utils: utilsCommand,
     login: loginCommand,
     logout: logoutCommand,
     whoami: whoamiCommand,
@@ -4392,13 +4561,13 @@ runMain(main).catch((err) => {
     process.exit(err.exitCode);
   }
   if (err instanceof CliError) {
-    consola32.error(err.message);
+    consola33.error(err.message);
     process.exit(err.exitCode);
   }
   if (debug) {
-    consola32.error(err);
+    consola33.error(err);
   } else {
-    consola32.error(err instanceof ApiError ? err.message : err instanceof Error ? err.message : String(err));
+    consola33.error(err instanceof ApiError ? err.message : err instanceof Error ? err.message : String(err));
   }
   process.exit(1);
 });