@openape/apes 0.19.0 → 0.21.0

package/dist/cli.js

@@ -96,7 +96,7 @@ function rewriteApeShellArgs(argv, argv0) {
 import { defineCommand as defineCommand44, runMain } from "citty";
 
 // src/commands/auth/login.ts
-import { Buffer } from "buffer";
+import { Buffer as Buffer2 } from "buffer";
 import { execFile } from "child_process";
 import { createServer } from "http";
 import { homedir as homedir2 } from "os";
@@ -394,7 +394,7 @@ async function loginWithKey(idp, keyPath, agentEmail) {
   const { challenge } = await challengeResp.json();
   const keyContent = readFileSync7(keyPath, "utf-8");
   const privateKey = loadEd25519PrivateKey2(keyContent);
-  const signature = sign3(null, Buffer.from(challenge), privateKey).toString("base64");
+  const signature = sign3(null, Buffer2.from(challenge), privateKey).toString("base64");
   const authenticateUrl = await getAgentAuthenticateEndpoint(idp);
   const authResp = await fetch(authenticateUrl, {
     method: "POST",
@@ -1754,7 +1754,7 @@ import { defineCommand as defineCommand20 } from "citty";
 import consola18 from "consola";
 
 // src/lib/agent-bootstrap.ts
-import { Buffer as Buffer2 } from "buffer";
+import { Buffer as Buffer3 } from "buffer";
 import { createPrivateKey, sign } from "crypto";
 var AGENT_NAME_REGEX = /^[a-z][a-z0-9-]{0,23}$/;
 var SSH_ED25519_PREFIX = "ssh-ed25519 ";
@@ -1779,7 +1779,7 @@ async function issueAgentToken(input) {
     throw new Error(`Challenge failed (${challengeResp.status}): ${text}`);
   }
   const { challenge } = await challengeResp.json();
-  const signature = sign(null, Buffer2.from(challenge), privateKey).toString("base64");
+  const signature = sign(null, Buffer3.from(challenge), privateKey).toString("base64");
   const authenticateUrl = await getAgentAuthenticateEndpoint(input.idp);
   const authResp = await fetch(authenticateUrl, {
     method: "POST",
@@ -1811,6 +1811,25 @@ mkdir -p "$HOME_DIR/.claude/hooks"
 cat > "$HOME_DIR/.claude/settings.json" ${shHeredoc(input.claudeSettingsJson)}
 cat > "$HOME_DIR/.claude/hooks/bash-via-ape-shell.sh" ${shHeredoc(input.hookScriptSource)}
 chmod 755 "$HOME_DIR/.claude/hooks/bash-via-ape-shell.sh"
+` : "";
+  const claudeTokenBlock = input.claudeOauthToken ? `
+mkdir -p "$HOME_DIR/.config/openape"
+cat > "$HOME_DIR/.config/openape/claude-token.env" ${shHeredoc(`# Auto-generated by 'apes agents spawn'. chmod 600 \u2014 contains a long-lived
+# Claude Code OAuth token. Rotate by editing this file in place; the
+# .zshenv / .profile source-lines below will pick it up automatically.
+export CLAUDE_CODE_OAUTH_TOKEN=${shQuote(input.claudeOauthToken)}
+`)}
+SOURCE_LINE='[ -f "$HOME/.config/openape/claude-token.env" ] && . "$HOME/.config/openape/claude-token.env"'
+for f in "$HOME_DIR/.zshenv" "$HOME_DIR/.profile"; do
+  touch "$f"
+  if ! grep -qF 'config/openape/claude-token.env' "$f" 2>/dev/null; then
+    {
+      echo ''
+      echo '# OpenApe: load Claude Code OAuth token (added by apes agents spawn)'
+      echo "$SOURCE_LINE"
+    } >> "$f"
+  fi
+done
 ` : "";
   return `#!/bin/bash
 set -euo pipefail
@@ -1854,13 +1873,17 @@ mkdir -p "$HOME_DIR/.ssh" "$HOME_DIR/.config/apes"
 cat > "$HOME_DIR/.ssh/id_ed25519" ${shHeredoc(privatePemForHeredoc.trimEnd())}
 cat > "$HOME_DIR/.ssh/id_ed25519.pub" ${shHeredoc(`${input.publicKeySshLine}`)}
 cat > "$HOME_DIR/.config/apes/auth.json" ${shHeredoc(input.authJson)}
-${claudeBlock}
+${claudeBlock}${claudeTokenBlock}
 chown -R "$NAME:staff" "$HOME_DIR"
 chmod 700 "$HOME_DIR/.ssh"
 chmod 700 "$HOME_DIR/.config"
 chmod 600 "$HOME_DIR/.ssh/id_ed25519"
 chmod 644 "$HOME_DIR/.ssh/id_ed25519.pub"
 chmod 600 "$HOME_DIR/.config/apes/auth.json"
+if [ -f "$HOME_DIR/.config/openape/claude-token.env" ]; then
+  chmod 700 "$HOME_DIR/.config/openape"
+  chmod 600 "$HOME_DIR/.config/openape/claude-token.env"
+fi
 
 echo "OK $NAME uid=$NEXT_UID home=$HOME_DIR"
 `;
@@ -2268,7 +2291,7 @@ import { defineCommand as defineCommand23 } from "citty";
 import consola21 from "consola";
 
 // src/lib/keygen.ts
-import { Buffer as Buffer3 } from "buffer";
+import { Buffer as Buffer4 } from "buffer";
 import { existsSync as existsSync5, mkdirSync, readFileSync as readFileSync4, writeFileSync as writeFileSync2 } from "fs";
 import { generateKeyPairSync } from "crypto";
 import { homedir as homedir4 } from "os";
@@ -2278,11 +2301,11 @@ function resolveKeyPath(p) {
 }
 function buildSshEd25519Line(rawPub) {
   const keyTypeStr = "ssh-ed25519";
-  const keyTypeLen = Buffer3.alloc(4);
+  const keyTypeLen = Buffer4.alloc(4);
   keyTypeLen.writeUInt32BE(keyTypeStr.length);
-  const pubKeyLen = Buffer3.alloc(4);
+  const pubKeyLen = Buffer4.alloc(4);
   pubKeyLen.writeUInt32BE(rawPub.length);
-  const blob = Buffer3.concat([keyTypeLen, Buffer3.from(keyTypeStr), pubKeyLen, rawPub]);
+  const blob = Buffer4.concat([keyTypeLen, Buffer4.from(keyTypeStr), pubKeyLen, rawPub]);
   return `ssh-ed25519 ${blob.toString("base64")}`;
 }
 function readPublicKey(keyPath) {
@@ -2293,7 +2316,7 @@ function readPublicKey(keyPath) {
   const keyContent = readFileSync4(keyPath, "utf-8");
   const privateKey = loadEd25519PrivateKey(keyContent);
   const jwk = privateKey.export({ format: "jwk" });
-  const pubBytes = Buffer3.from(jwk.x, "base64url");
+  const pubBytes = Buffer4.from(jwk.x, "base64url");
   return buildSshEd25519Line(pubBytes);
 }
 function generateAndSaveKey(keyPath) {
@@ -2306,7 +2329,7 @@ function generateAndSaveKey(keyPath) {
   const privatePem = privateKey.export({ type: "pkcs8", format: "pem" });
   writeFileSync2(resolved, privatePem, { mode: 384 });
   const jwk = publicKey.export({ format: "jwk" });
-  const pubBytes = Buffer3.from(jwk.x, "base64url");
+  const pubBytes = Buffer4.from(jwk.x, "base64url");
   const pubKeyStr = buildSshEd25519Line(pubBytes);
   writeFileSync2(`${resolved}.pub`, `${pubKeyStr}
 `, { mode: 420 });
@@ -2316,7 +2339,7 @@ function generateKeyPairInMemory() {
   const { publicKey, privateKey } = generateKeyPairSync("ed25519");
   const privatePem = privateKey.export({ type: "pkcs8", format: "pem" });
   const jwk = publicKey.export({ format: "jwk" });
-  const pubBytes = Buffer3.from(jwk.x, "base64url");
+  const pubBytes = Buffer4.from(jwk.x, "base64url");
   return {
     privatePem,
     publicSshLine: buildSshEd25519Line(pubBytes)
@@ -2327,7 +2350,7 @@ function generateKeyPairInMemory() {
 var spawnAgentCommand = defineCommand23({
   meta: {
     name: "spawn",
-    description: "Provision a local macOS agent end-to-end (OS user, keypair, IdP agent, ape-shell, Claude hook)"
+    description: "Provision a local macOS agent end-to-end (OS user, keypair, IdP agent, Claude hook)"
   },
   args: {
     name: {
@@ -2337,11 +2360,19 @@ var spawnAgentCommand = defineCommand23({
     },
     shell: {
       type: "string",
-      description: "Override login shell. Default: $(which ape-shell)"
+      description: "Login shell for the macOS user. Default: /bin/zsh. Pass $(which ape-shell) to opt into the grant-mediated REPL as login shell."
     },
     "no-claude-hook": {
       type: "boolean",
       description: "Skip writing ~/.claude/settings.json + the Bash-rewrite hook"
+    },
+    "claude-token": {
+      type: "string",
+      description: "Claude Code OAuth token (sk-ant-oat01-\u2026) from `claude setup-token`. Visible to ps \u2014 prefer --claude-token-stdin in scripts."
+    },
+    "claude-token-stdin": {
+      type: "boolean",
+      description: "Read the Claude Code OAuth token from stdin (paranoid form of --claude-token)."
     }
   },
   async run({ args }) {
@@ -2364,10 +2395,7 @@ var spawnAgentCommand = defineCommand23({
     if (!idp) {
       throw new CliError("No IdP URL configured. Run `apes login` first.");
     }
-    const apeShell = args.shell ?? whichBinary("ape-shell");
-    if (!apeShell) {
-      throw new CliError("`ape-shell` not found on PATH. Install @openape/apes globally first.");
-    }
+    const loginShell = (args.shell ?? "/bin/zsh").toString();
     const apes = whichBinary("apes");
     if (!apes) {
       throw new CliError("`apes` not found on PATH. Install @openape/apes globally first.");
@@ -2378,10 +2406,10 @@ var spawnAgentCommand = defineCommand23({
         "`escapes` not found on PATH. spawn delegates the privileged setup phase to escapes; install it before running spawn."
       );
     }
-    if (!isShellRegistered(apeShell)) {
+    if (!isShellRegistered(loginShell)) {
       throw new CliError(
-        `${apeShell} is not registered in /etc/shells. macOS refuses to set it as a login shell. Run:
-  echo ${apeShell} | sudo tee -a /etc/shells
+        `${loginShell} is not registered in /etc/shells. macOS refuses to set it as a login shell. Run:
+  echo ${loginShell} | sudo tee -a /etc/shells
 and try again.`
       );
     }
@@ -2411,15 +2439,20 @@ and try again.`
         expiresAt: Math.floor(Date.now() / 1e3) + expiresIn
       });
       const includeClaudeHook = !args["no-claude-hook"];
+      const claudeOauthToken = await resolveClaudeToken({
+        flag: typeof args["claude-token"] === "string" ? args["claude-token"] : void 0,
+        fromStdin: !!args["claude-token-stdin"]
+      });
       const script = buildSpawnSetupScript({
         name,
         homeDir,
-        shellPath: apeShell,
+        shellPath: loginShell,
         privateKeyPem: privatePem,
         publicKeySshLine: publicSshLine,
         authJson,
         claudeSettingsJson: includeClaudeHook ? CLAUDE_SETTINGS_JSON : null,
-        hookScriptSource: includeClaudeHook ? BASH_VIA_APE_SHELL_HOOK_SOURCE : null
+        hookScriptSource: includeClaudeHook ? BASH_VIA_APE_SHELL_HOOK_SOURCE : null,
+        claudeOauthToken
       });
       writeFileSync3(scriptPath, script, { mode: 448 });
       consola21.start("Running privileged setup as root via `apes run --as root --wait`\u2026");
@@ -2434,6 +2467,28 @@ and try again.`
     }
   }
 });
+async function resolveClaudeToken(opts) {
+  if (opts.flag && opts.fromStdin) {
+    throw new CliError("Pass --claude-token OR --claude-token-stdin, not both.");
+  }
+  let raw = null;
+  if (typeof opts.flag === "string") {
+    raw = opts.flag.trim();
+  } else if (opts.fromStdin) {
+    const chunks = [];
+    for await (const chunk of process.stdin) {
+      chunks.push(typeof chunk === "string" ? Buffer.from(chunk) : chunk);
+    }
+    raw = Buffer.concat(chunks).toString("utf-8").trim();
+  }
+  if (!raw) return null;
+  if (!raw.startsWith("sk-ant-oat01-")) {
+    throw new CliError(
+      `Claude token doesn't look right (expected sk-ant-oat01-\u2026). Run \`claude setup-token\` and paste the resulting token.`
+    );
+  }
+  return raw;
+}
 
 // src/commands/agents/index.ts
 var agentsCommand = defineCommand24({
@@ -3701,7 +3756,7 @@ var mcpCommand = defineCommand32({
     if (transport !== "stdio" && transport !== "sse") {
       throw new Error('Transport must be "stdio" or "sse"');
     }
-    const { startMcpServer } = await import("./server-GYHLAJXV.js");
+    const { startMcpServer } = await import("./server-UWKEQDNM.js");
     await startMcpServer(transport, port);
   }
 });
@@ -3861,7 +3916,7 @@ async function initIdP(targetDir) {
 }
 
 // src/commands/enroll.ts
-import { Buffer as Buffer4 } from "buffer";
+import { Buffer as Buffer5 } from "buffer";
 import { existsSync as existsSync7, readFileSync as readFileSync5 } from "fs";
 import { execFile as execFile2 } from "child_process";
 import { sign as sign2 } from "crypto";
@@ -3892,7 +3947,7 @@ async function pollForEnrollment(idp, agentEmail, keyPath) {
       });
       if (challengeResp.ok) {
         const { challenge } = await challengeResp.json();
-        const signature = sign2(null, Buffer4.from(challenge), privateKey).toString("base64");
+        const signature = sign2(null, Buffer5.from(challenge), privateKey).toString("base64");
         const authResp = await fetch(authenticateUrl, {
           method: "POST",
           headers: { "Content-Type": "application/json" },
@@ -4339,7 +4394,7 @@ async function bestEffortGrantCount(idp) {
   }
 }
 async function runHealth(args) {
-  const version = true ? "0.19.0" : "0.0.0";
+  const version = true ? "0.21.0" : "0.0.0";
   const auth = loadAuth();
   if (!auth) {
     throw new CliError("Not logged in. Run `apes login` first.", 1);
@@ -4541,10 +4596,10 @@ if (shellRewrite) {
   if (shellRewrite.action === "rewrite") {
     process.argv = shellRewrite.argv;
   } else if (shellRewrite.action === "version") {
-    console.log(`ape-shell ${"0.19.0"} (OpenApe DDISA shell wrapper)`);
+    console.log(`ape-shell ${"0.21.0"} (OpenApe DDISA shell wrapper)`);
     process.exit(0);
   } else if (shellRewrite.action === "help") {
-    console.log(`ape-shell ${"0.19.0"} \u2014 OpenApe DDISA shell wrapper`);
+    console.log(`ape-shell ${"0.21.0"} \u2014 OpenApe DDISA shell wrapper`);
     console.log("");
     console.log("Usage:");
     console.log("  ape-shell                 Start interactive grant-mediated REPL");
@@ -4559,7 +4614,7 @@ if (shellRewrite) {
     console.log("  --help, -h      Show this help message");
     process.exit(0);
   } else if (shellRewrite.action === "interactive") {
-    const { runInteractiveShell } = await import("./orchestrator-FJVDWH45.js");
+    const { runInteractiveShell } = await import("./orchestrator-RWTALOSA.js");
     await runInteractiveShell();
     process.exit(0);
   } else {
@@ -4602,7 +4657,7 @@ var configCommand = defineCommand44({
 var main = defineCommand44({
   meta: {
     name: "apes",
-    version: "0.19.0",
+    version: "0.21.0",
     description: "Unified CLI for OpenApe"
   },
   subCommands: {