@openape/apes 0.16.0 → 0.17.0

package/dist/cli.js

@@ -147,29 +147,44 @@ async function resolveLoginInputs(flags) {
     );
   }
   let idp;
+  let idpSource;
   if (flags.idp) {
     idp = flags.idp;
+    idpSource = "flag";
   } else if (process.env.APES_IDP) {
     idp = process.env.APES_IDP;
+    idpSource = "env";
   } else if (process.env.GRAPES_IDP) {
     idp = process.env.GRAPES_IDP;
+    idpSource = "env";
     consola.warn(
       "GRAPES_IDP is deprecated, use APES_IDP instead. GRAPES_IDP support will be removed in a future release."
     );
   } else if (config.defaults?.idp) {
     idp = config.defaults.idp;
-  } else if (email && email.includes("@")) {
+    idpSource = "config";
+  }
+  let ddisaIdp;
+  let ddisaDomain;
+  if (email && email.includes("@")) {
     const domain = email.split("@")[1];
+    ddisaDomain = domain;
     try {
       const record = await resolveDDISA(domain);
-      if (record?.idp) {
-        idp = record.idp;
-        consola.info(`Discovered IdP via DDISA (_ddisa.${domain}): ${idp}`);
-      }
+      if (record?.idp) ddisaIdp = record.idp;
     } catch {
     }
   }
-  return { keyPath, email, idp };
+  if (!idp && ddisaIdp && ddisaDomain) {
+    idp = ddisaIdp;
+    idpSource = "ddisa";
+    consola.info(`Discovered IdP via DDISA (_ddisa.${ddisaDomain}): ${idp}`);
+  }
+  let ddisaMismatch;
+  if (idp && ddisaIdp && ddisaDomain && idp !== ddisaIdp && idpSource !== "ddisa") {
+    ddisaMismatch = { dnsIdp: ddisaIdp, chosenIdp: idp, domain: ddisaDomain };
+  }
+  return { keyPath, email, idp, ddisaMismatch };
 }
 
 // src/commands/auth/login.ts
@@ -181,6 +196,11 @@ var loginCommand = defineCommand({
     description: "Authenticate with an OpenApe IdP"
   },
   args: {
+    user: {
+      type: "positional",
+      required: false,
+      description: "Agent email (e.g. patrick@hofmann.eco). Extracted from <key>.pub comment if omitted."
+    },
     idp: {
       type: "string",
       description: "IdP URL (e.g. https://id.openape.at). Auto-discovered via DDISA DNS if omitted."
@@ -191,24 +211,52 @@ var loginCommand = defineCommand({
     },
     email: {
       type: "string",
-      description: "Agent email. Extracted from <key>.pub comment if omitted."
+      description: "Same as the positional email \u2014 flag form for backwards compatibility."
     },
     browser: {
       type: "boolean",
       description: "Force browser (PKCE) login even if an SSH key exists"
+    },
+    force: {
+      type: "boolean",
+      description: "Override DDISA mismatch warnings (use with care)"
     }
   },
   async run({ args }) {
+    const emailArg = typeof args.user === "string" && args.user.includes("@") ? args.user : typeof args.email === "string" ? args.email : void 0;
     const resolved = await resolveLoginInputs({
       key: args.key,
       idp: args.idp,
-      email: args.email,
+      email: emailArg,
       browser: args.browser
     });
+    if (resolved.ddisaMismatch && !args.force) {
+      const { dnsIdp, chosenIdp, domain } = resolved.ddisaMismatch;
+      throw new CliError(
+        `IdP mismatch for ${domain}.
+
+  Authoritative DDISA: ${dnsIdp}
+  You selected:        ${chosenIdp}
+
+Logging in against a different IdP than DDISA points to means SPs that
+trust the DDISA-resolved IdP (e.g. preview.openape.ai) will reject the
+resulting token with "IdP mismatch".
+
+Fix one of:
+  \u2022 Drop --idp/APES_IDP/config.defaults.idp \u2014 DDISA will auto-pick ${dnsIdp}
+  \u2022 Update _ddisa.${domain} if ${chosenIdp} is genuinely the correct IdP
+  \u2022 Re-run with --force to authenticate anyway (NOT recommended)`
+      );
+    }
+    if (resolved.ddisaMismatch && args.force) {
+      consola2.warn(
+        `Bypassing DDISA mismatch \u2014 ${resolved.ddisaMismatch.domain} resolves to ${resolved.ddisaMismatch.dnsIdp}, but you forced ${resolved.ddisaMismatch.chosenIdp}.`
+      );
+    }
     if (resolved.keyPath) {
       if (!resolved.email) {
         throw new CliError(
-          `Agent email required for key-based login. Add an email comment to ${resolved.keyPath}.pub (ssh-keygen -C <email>) or pass --email <agent-email>.`
+          `Agent email required for key-based login. Pass it as a positional (\`apes login <email>\`), set --email, or add an email comment to ${resolved.keyPath}.pub via ssh-keygen -C <email>.`
         );
       }
       if (!resolved.idp) {
@@ -3651,7 +3699,7 @@ var mcpCommand = defineCommand32({
     if (transport !== "stdio" && transport !== "sse") {
       throw new Error('Transport must be "stdio" or "sse"');
     }
-    const { startMcpServer } = await import("./server-NZMLYPN4.js");
+    const { startMcpServer } = await import("./server-YGRMW3OW.js");
     await startMcpServer(transport, port);
   }
 });
@@ -4219,7 +4267,7 @@ async function bestEffortGrantCount(idp) {
   }
 }
 async function runHealth(args) {
-  const version = true ? "0.16.0" : "0.0.0";
+  const version = true ? "0.17.0" : "0.0.0";
   const auth = loadAuth();
   if (!auth) {
     throw new CliError("Not logged in. Run `apes login` first.", 1);
@@ -4421,10 +4469,10 @@ if (shellRewrite) {
   if (shellRewrite.action === "rewrite") {
     process.argv = shellRewrite.argv;
   } else if (shellRewrite.action === "version") {
-    console.log(`ape-shell ${"0.16.0"} (OpenApe DDISA shell wrapper)`);
+    console.log(`ape-shell ${"0.17.0"} (OpenApe DDISA shell wrapper)`);
     process.exit(0);
   } else if (shellRewrite.action === "help") {
-    console.log(`ape-shell ${"0.16.0"} \u2014 OpenApe DDISA shell wrapper`);
+    console.log(`ape-shell ${"0.17.0"} \u2014 OpenApe DDISA shell wrapper`);
     console.log("");
     console.log("Usage:");
     console.log("  ape-shell                 Start interactive grant-mediated REPL");
@@ -4482,7 +4530,7 @@ var configCommand = defineCommand41({
 var main = defineCommand41({
   meta: {
     name: "apes",
-    version: "0.16.0",
+    version: "0.17.0",
     description: "Unified CLI for OpenApe"
   },
   subCommands: {