@openape/apes 0.16.0 → 0.18.0

package/dist/cli.js

@@ -12,11 +12,9 @@ import {
   checkSudoRejection,
   isApesSelfDispatch,
   notifyGrantPending
-} from "./chunk-OFIVF6NH.js";
+} from "./chunk-EDYICCBC.js";
 import {
-  ApiError,
   GENERIC_OPERATION_ID,
-  apiFetch,
   buildGenericResolved,
   buildStructuredCliGrantRequest,
   createShapesGrant,
@@ -28,10 +26,6 @@ import {
   findAdapter,
   findConflictingAdapters,
   findExistingGrant,
-  getAgentAuthenticateEndpoint,
-  getAgentChallengeEndpoint,
-  getDelegationsEndpoint,
-  getGrantsEndpoint,
   getInstalledDigest,
   installAdapter,
   isInstalled,
@@ -46,7 +40,15 @@ import {
   searchAdapters,
   verifyAndExecute,
   waitForGrantStatus
-} from "./chunk-O7GSG3OE.js";
+} from "./chunk-IT6T6AKX.js";
+import {
+  ApiError,
+  apiFetch,
+  getAgentAuthenticateEndpoint,
+  getAgentChallengeEndpoint,
+  getDelegationsEndpoint,
+  getGrantsEndpoint
+} from "./chunk-7NUT2PFT.js";
 import {
   AUTH_FILE,
   CONFIG_DIR,
@@ -58,7 +60,7 @@ import {
   loadConfig,
   saveAuth,
   saveConfig
-} from "./chunk-6GPSKAMU.js";
+} from "./chunk-IDPV5SNB.js";
 
 // src/cli.ts
 import consola33 from "consola";
@@ -147,29 +149,44 @@ async function resolveLoginInputs(flags) {
     );
   }
   let idp;
+  let idpSource;
   if (flags.idp) {
     idp = flags.idp;
+    idpSource = "flag";
   } else if (process.env.APES_IDP) {
     idp = process.env.APES_IDP;
+    idpSource = "env";
   } else if (process.env.GRAPES_IDP) {
     idp = process.env.GRAPES_IDP;
+    idpSource = "env";
     consola.warn(
       "GRAPES_IDP is deprecated, use APES_IDP instead. GRAPES_IDP support will be removed in a future release."
     );
   } else if (config.defaults?.idp) {
     idp = config.defaults.idp;
-  } else if (email && email.includes("@")) {
+    idpSource = "config";
+  }
+  let ddisaIdp;
+  let ddisaDomain;
+  if (email && email.includes("@")) {
     const domain = email.split("@")[1];
+    ddisaDomain = domain;
     try {
       const record = await resolveDDISA(domain);
-      if (record?.idp) {
-        idp = record.idp;
-        consola.info(`Discovered IdP via DDISA (_ddisa.${domain}): ${idp}`);
-      }
+      if (record?.idp) ddisaIdp = record.idp;
     } catch {
     }
   }
-  return { keyPath, email, idp };
+  if (!idp && ddisaIdp && ddisaDomain) {
+    idp = ddisaIdp;
+    idpSource = "ddisa";
+    consola.info(`Discovered IdP via DDISA (_ddisa.${ddisaDomain}): ${idp}`);
+  }
+  let ddisaMismatch;
+  if (idp && ddisaIdp && ddisaDomain && idp !== ddisaIdp && idpSource !== "ddisa") {
+    ddisaMismatch = { dnsIdp: ddisaIdp, chosenIdp: idp, domain: ddisaDomain };
+  }
+  return { keyPath, email, idp, ddisaMismatch };
 }
 
 // src/commands/auth/login.ts
@@ -181,6 +198,11 @@ var loginCommand = defineCommand({
     description: "Authenticate with an OpenApe IdP"
   },
   args: {
+    user: {
+      type: "positional",
+      required: false,
+      description: "Agent email (e.g. patrick@hofmann.eco). Extracted from <key>.pub comment if omitted."
+    },
     idp: {
       type: "string",
       description: "IdP URL (e.g. https://id.openape.at). Auto-discovered via DDISA DNS if omitted."
@@ -191,24 +213,52 @@ var loginCommand = defineCommand({
     },
     email: {
       type: "string",
-      description: "Agent email. Extracted from <key>.pub comment if omitted."
+      description: "Same as the positional email \u2014 flag form for backwards compatibility."
     },
     browser: {
       type: "boolean",
       description: "Force browser (PKCE) login even if an SSH key exists"
+    },
+    force: {
+      type: "boolean",
+      description: "Override DDISA mismatch warnings (use with care)"
     }
   },
   async run({ args }) {
+    const emailArg = typeof args.user === "string" && args.user.includes("@") ? args.user : typeof args.email === "string" ? args.email : void 0;
     const resolved = await resolveLoginInputs({
       key: args.key,
       idp: args.idp,
-      email: args.email,
+      email: emailArg,
       browser: args.browser
     });
+    if (resolved.ddisaMismatch && !args.force) {
+      const { dnsIdp, chosenIdp, domain } = resolved.ddisaMismatch;
+      throw new CliError(
+        `IdP mismatch for ${domain}.
+
+  Authoritative DDISA: ${dnsIdp}
+  You selected:        ${chosenIdp}
+
+Logging in against a different IdP than DDISA points to means SPs that
+trust the DDISA-resolved IdP (e.g. preview.openape.ai) will reject the
+resulting token with "IdP mismatch".
+
+Fix one of:
+  \u2022 Drop --idp/APES_IDP/config.defaults.idp \u2014 DDISA will auto-pick ${dnsIdp}
+  \u2022 Update _ddisa.${domain} if ${chosenIdp} is genuinely the correct IdP
+  \u2022 Re-run with --force to authenticate anyway (NOT recommended)`
+      );
+    }
+    if (resolved.ddisaMismatch && args.force) {
+      consola2.warn(
+        `Bypassing DDISA mismatch \u2014 ${resolved.ddisaMismatch.domain} resolves to ${resolved.ddisaMismatch.dnsIdp}, but you forced ${resolved.ddisaMismatch.chosenIdp}.`
+      );
+    }
     if (resolved.keyPath) {
       if (!resolved.email) {
         throw new CliError(
-          `Agent email required for key-based login. Add an email comment to ${resolved.keyPath}.pub (ssh-keygen -C <email>) or pass --email <agent-email>.`
+          `Agent email required for key-based login. Pass it as a positional (\`apes login <email>\`), set --email, or add an email comment to ${resolved.keyPath}.pub via ssh-keygen -C <email>.`
         );
       }
       if (!resolved.idp) {
@@ -414,7 +464,7 @@ var whoamiCommand = defineCommand3({
     console.log(`IdP:   ${auth.idp}`);
     console.log(`Token: ${isExpired ? "\u26A0 EXPIRED" : "valid"} (until ${expiresAt})`);
     if (isExpired) {
-      consola4.warn("Token is expired. Run `apes login` to re-authenticate.");
+      consola4.warn("Token is expired and could not be auto-refreshed. Run `apes login` to re-authenticate.");
     }
   }
 });
@@ -3651,7 +3701,7 @@ var mcpCommand = defineCommand32({
     if (transport !== "stdio" && transport !== "sse") {
       throw new Error('Transport must be "stdio" or "sse"');
     }
-    const { startMcpServer } = await import("./server-NZMLYPN4.js");
+    const { startMcpServer } = await import("./server-RPC46G4J.js");
     await startMcpServer(transport, port);
   }
 });
@@ -4219,7 +4269,7 @@ async function bestEffortGrantCount(idp) {
   }
 }
 async function runHealth(args) {
-  const version = true ? "0.16.0" : "0.0.0";
+  const version = true ? "0.18.0" : "0.0.0";
   const auth = loadAuth();
   if (!auth) {
     throw new CliError("Not logged in. Run `apes login` first.", 1);
@@ -4421,10 +4471,10 @@ if (shellRewrite) {
   if (shellRewrite.action === "rewrite") {
     process.argv = shellRewrite.argv;
   } else if (shellRewrite.action === "version") {
-    console.log(`ape-shell ${"0.16.0"} (OpenApe DDISA shell wrapper)`);
+    console.log(`ape-shell ${"0.18.0"} (OpenApe DDISA shell wrapper)`);
     process.exit(0);
   } else if (shellRewrite.action === "help") {
-    console.log(`ape-shell ${"0.16.0"} \u2014 OpenApe DDISA shell wrapper`);
+    console.log(`ape-shell ${"0.18.0"} \u2014 OpenApe DDISA shell wrapper`);
     console.log("");
     console.log("Usage:");
     console.log("  ape-shell                 Start interactive grant-mediated REPL");
@@ -4439,7 +4489,7 @@ if (shellRewrite) {
     console.log("  --help, -h      Show this help message");
     process.exit(0);
   } else if (shellRewrite.action === "interactive") {
-    const { runInteractiveShell } = await import("./orchestrator-PUAO57CY.js");
+    const { runInteractiveShell } = await import("./orchestrator-FJVDWH45.js");
     await runInteractiveShell();
     process.exit(0);
   } else {
@@ -4482,7 +4532,7 @@ var configCommand = defineCommand41({
 var main = defineCommand41({
   meta: {
     name: "apes",
-    version: "0.16.0",
+    version: "0.18.0",
     description: "Unified CLI for OpenApe"
   },
   subCommands: {
@@ -4508,6 +4558,34 @@ var main = defineCommand41({
     workflows: workflowsCommand
   }
 });
+var NO_REFRESH_COMMANDS = /* @__PURE__ */ new Set([
+  "login",
+  "logout",
+  "init",
+  "enroll",
+  "register-user",
+  "dns-check",
+  "utils",
+  "explain",
+  "workflows",
+  "--help",
+  "-h",
+  "help",
+  "--version",
+  "-v"
+]);
+async function maybeRefreshAuth() {
+  const sub = process.argv[2];
+  if (!sub || NO_REFRESH_COMMANDS.has(sub)) return;
+  const { loadAuth: loadAuth2 } = await import("./config-JH2IEPIR.js");
+  if (!loadAuth2()) return;
+  try {
+    const { ensureFreshToken } = await import("./http-JZT4XV5I.js");
+    await ensureFreshToken();
+  } catch {
+  }
+}
+await maybeRefreshAuth();
 runMain(main).catch((err) => {
   if (err instanceof CliExit) {
     process.exit(err.exitCode);