@openape/apes 0.2.0

package/dist/cli.js

@@ -0,0 +1,1753 @@
+#!/usr/bin/env node
+import {
+  parseDuration
+} from "./chunk-AGHP6MNV.js";
+import {
+  ApiError,
+  apiFetch,
+  clearAuth,
+  getAgentAuthenticateEndpoint,
+  getAgentChallengeEndpoint,
+  getAuthToken,
+  getDelegationsEndpoint,
+  getGrantsEndpoint,
+  getIdpUrl,
+  loadAuth,
+  loadConfig,
+  saveAuth,
+  saveConfig
+} from "./chunk-2JEBWXMI.js";
+
+// src/cli.ts
+import consola19 from "consola";
+import { defineCommand as defineCommand22, runMain } from "citty";
+
+// src/commands/auth/login.ts
+import { Buffer } from "buffer";
+import { execFile } from "child_process";
+import { createServer } from "http";
+import { defineCommand } from "citty";
+import { generateCodeChallenge, generateCodeVerifier } from "@openape/core";
+import consola from "consola";
+var CALLBACK_PORT = 9876;
+var CLIENT_ID = "grapes-cli";
+var loginCommand = defineCommand({
+  meta: {
+    name: "login",
+    description: "Authenticate with an OpenApe IdP"
+  },
+  args: {
+    idp: {
+      type: "string",
+      description: "IdP URL (e.g. https://id.openape.at)"
+    },
+    key: {
+      type: "string",
+      description: "Path to agent private key (agent mode)"
+    },
+    email: {
+      type: "string",
+      description: "Agent email (for DNS discovery)"
+    }
+  },
+  async run({ args }) {
+    const config = loadConfig();
+    const idp = args.idp || process.env.APES_IDP || process.env.GRAPES_IDP || config.defaults?.idp;
+    if (!idp) {
+      consola.error("IdP URL required. Use --idp <url> or set APES_IDP.");
+      return process.exit(1);
+    }
+    if (args.key) {
+      await loginWithKey(idp, args.key, args.email);
+    } else {
+      await loginWithPKCE(idp);
+    }
+  }
+});
+function openBrowser(url) {
+  const cmd = process.platform === "darwin" ? "open" : process.platform === "win32" ? "start" : "xdg-open";
+  execFile(cmd, [url], () => {
+  });
+}
+async function loginWithPKCE(idp) {
+  const codeVerifier = generateCodeVerifier();
+  const codeChallenge = await generateCodeChallenge(codeVerifier);
+  const redirectUri = `http://localhost:${CALLBACK_PORT}/callback`;
+  const state = crypto.randomUUID();
+  const nonce = crypto.randomUUID();
+  const authUrl = new URL(`${idp}/authorize`);
+  authUrl.searchParams.set("response_type", "code");
+  authUrl.searchParams.set("client_id", CLIENT_ID);
+  authUrl.searchParams.set("redirect_uri", redirectUri);
+  authUrl.searchParams.set("code_challenge", codeChallenge);
+  authUrl.searchParams.set("code_challenge_method", "S256");
+  authUrl.searchParams.set("state", state);
+  authUrl.searchParams.set("nonce", nonce);
+  authUrl.searchParams.set("scope", "openid email profile offline_access");
+  const code = await new Promise((resolve, reject) => {
+    const server = createServer((req, res) => {
+      const url = new URL(req.url, `http://localhost:${CALLBACK_PORT}`);
+      if (url.pathname === "/callback") {
+        const authCode = url.searchParams.get("code");
+        const error = url.searchParams.get("error");
+        if (error) {
+          res.writeHead(200, { "Content-Type": "text/html" });
+          res.end("<h1>Login failed</h1><p>You can close this window.</p>");
+          server.close();
+          reject(new Error(`Auth error: ${error}`));
+          return;
+        }
+        if (authCode) {
+          res.writeHead(200, { "Content-Type": "text/html" });
+          res.end("<h1>Login successful!</h1><p>You can close this window.</p>");
+          server.close();
+          resolve(authCode);
+          return;
+        }
+        res.writeHead(400);
+        res.end("Missing code");
+      } else {
+        res.writeHead(404);
+        res.end();
+      }
+    });
+    server.listen(CALLBACK_PORT, () => {
+      consola.info(`Opening browser for login at ${idp}...`);
+      openBrowser(authUrl.toString());
+    });
+    const timeout = setTimeout(() => {
+      server.close();
+      reject(new Error("Login timed out"));
+    }, 3e5);
+    timeout.unref();
+  });
+  const tokenResponse = await fetch(`${idp}/token`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({
+      grant_type: "authorization_code",
+      code,
+      code_verifier: codeVerifier,
+      redirect_uri: redirectUri,
+      client_id: CLIENT_ID
+    })
+  });
+  if (!tokenResponse.ok) {
+    const text = await tokenResponse.text();
+    consola.error(`Token exchange failed: ${text}`);
+    return process.exit(1);
+  }
+  const tokens = await tokenResponse.json();
+  const accessToken = tokens.access_token || tokens.id_token || tokens.assertion;
+  if (!accessToken) {
+    consola.error("No access token received");
+    return process.exit(1);
+  }
+  const payload = JSON.parse(atob(accessToken.split(".")[1]));
+  saveAuth({
+    idp,
+    access_token: accessToken,
+    ...tokens.refresh_token ? { refresh_token: tokens.refresh_token } : {},
+    email: payload.email || payload.sub,
+    expires_at: Math.floor(Date.now() / 1e3) + (tokens.expires_in || 3600)
+  });
+  consola.success(`Logged in as ${payload.email || payload.sub}`);
+}
+async function loginWithKey(idp, keyPath, email) {
+  const { readFileSync } = await import("fs");
+  const { sign } = await import("crypto");
+  const { loadEd25519PrivateKey } = await import("./ssh-key-ABJCJDH7.js");
+  const agentEmail = email;
+  if (!agentEmail) {
+    consola.error("Agent email required for key-based login. Use --email <agent-email>");
+    return process.exit(1);
+  }
+  const challengeUrl = await getAgentChallengeEndpoint(idp);
+  const challengeResp = await fetch(challengeUrl, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({ agent_id: agentEmail })
+  });
+  if (!challengeResp.ok) {
+    consola.error(`Challenge failed: ${await challengeResp.text()}`);
+    return process.exit(1);
+  }
+  const { challenge } = await challengeResp.json();
+  const keyContent = readFileSync(keyPath, "utf-8");
+  const privateKey = loadEd25519PrivateKey(keyContent);
+  const signature = sign(null, Buffer.from(challenge), privateKey).toString("base64");
+  const authenticateUrl = await getAgentAuthenticateEndpoint(idp);
+  const authResp = await fetch(authenticateUrl, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({
+      agent_id: agentEmail,
+      challenge,
+      signature
+    })
+  });
+  if (!authResp.ok) {
+    consola.error(`Authentication failed: ${await authResp.text()}`);
+    return process.exit(1);
+  }
+  const { token, expires_in } = await authResp.json();
+  saveAuth({
+    idp,
+    access_token: token,
+    email: agentEmail,
+    expires_at: Math.floor(Date.now() / 1e3) + (expires_in || 3600)
+  });
+  consola.success(`Logged in as ${agentEmail} (agent)`);
+}
+
+// src/commands/auth/logout.ts
+import { defineCommand as defineCommand2 } from "citty";
+import consola2 from "consola";
+var logoutCommand = defineCommand2({
+  meta: {
+    name: "logout",
+    description: "Clear stored credentials"
+  },
+  run() {
+    clearAuth();
+    consola2.success("Logged out.");
+  }
+});
+
+// src/commands/auth/whoami.ts
+import { defineCommand as defineCommand3 } from "citty";
+import consola3 from "consola";
+var whoamiCommand = defineCommand3({
+  meta: {
+    name: "whoami",
+    description: "Show current identity"
+  },
+  run() {
+    const auth = loadAuth();
+    if (!auth) {
+      consola3.error("Not logged in. Run `apes login` first.");
+      return process.exit(1);
+    }
+    const isAgent = auth.email.includes("agent+");
+    const expiresAt = new Date(auth.expires_at * 1e3).toISOString();
+    console.log(`Email: ${auth.email}`);
+    console.log(`Type:  ${isAgent ? "agent" : "human"}`);
+    console.log(`IdP:   ${auth.idp}`);
+    console.log(`Token valid until: ${expiresAt}`);
+  }
+});
+
+// src/commands/grants/list.ts
+import { defineCommand as defineCommand4 } from "citty";
+import consola4 from "consola";
+var listCommand = defineCommand4({
+  meta: {
+    name: "list",
+    description: "List your grants (as requester)"
+  },
+  args: {
+    status: {
+      type: "string",
+      description: "Filter by status (pending, approved, denied, revoked, used)"
+    },
+    all: {
+      type: "boolean",
+      description: "Show all visible grants (not just your own)",
+      default: false
+    },
+    json: {
+      type: "boolean",
+      description: "Output as JSON",
+      default: false
+    },
+    limit: {
+      type: "string",
+      description: "Max results (default 20, max 100)"
+    }
+  },
+  async run({ args }) {
+    const idp = getIdpUrl();
+    if (!idp) {
+      consola4.error("No IdP URL configured. Run `apes login` first or pass --idp.");
+      return process.exit(1);
+    }
+    const auth = loadAuth();
+    const grantsUrl = await getGrantsEndpoint(idp);
+    const params = new URLSearchParams();
+    if (args.status)
+      params.set("status", args.status);
+    if (args.limit)
+      params.set("limit", args.limit);
+    const query = params.toString() ? `?${params.toString()}` : "";
+    const response = await apiFetch(`${grantsUrl}${query}`);
+    let grants = response.data;
+    if (!args.all && auth?.email) {
+      grants = grants.filter((g) => g.requester === auth.email);
+    }
+    if (args.json) {
+      console.log(JSON.stringify(args.all ? response : { ...response, data: grants }, null, 2));
+      return;
+    }
+    if (grants.length === 0) {
+      consola4.info(args.all ? "No grants found." : "No grants found. Use --all to see all visible grants.");
+      return;
+    }
+    for (const grant of grants) {
+      const cmd = grant.request?.command?.join(" ") || "(no command)";
+      const type = grant.request?.grant_type || grant.type;
+      console.log(`${grant.id}  ${grant.status.padEnd(8)}  ${type.padEnd(6)}  ${cmd}`);
+      if (grant.request?.reason) {
+        console.log(`  Reason: ${grant.request.reason}`);
+      }
+    }
+    if (response.pagination.has_more) {
+      consola4.info("More results available. Use --limit or pagination cursor.");
+    }
+  }
+});
+
+// src/commands/grants/inbox.ts
+import { defineCommand as defineCommand5 } from "citty";
+import consola5 from "consola";
+var inboxCommand = defineCommand5({
+  meta: {
+    name: "inbox",
+    description: "Show grants awaiting your approval"
+  },
+  args: {
+    json: {
+      type: "boolean",
+      description: "Output as JSON",
+      default: false
+    },
+    limit: {
+      type: "string",
+      description: "Max results (default 20, max 100)"
+    }
+  },
+  async run({ args }) {
+    const idp = getIdpUrl();
+    if (!idp) {
+      consola5.error("No IdP URL configured. Run `apes login` first.");
+      return process.exit(1);
+    }
+    const auth = loadAuth();
+    if (!auth) {
+      consola5.error("Not logged in. Run `apes login` first.");
+      return process.exit(1);
+    }
+    const grantsUrl = await getGrantsEndpoint(idp);
+    const params = new URLSearchParams();
+    params.set("status", "pending");
+    if (args.limit)
+      params.set("limit", args.limit);
+    const query = `?${params.toString()}`;
+    const response = await apiFetch(`${grantsUrl}${query}`);
+    const grants = response.data.filter((g) => g.requester !== auth.email);
+    if (args.json) {
+      console.log(JSON.stringify({ ...response, data: grants }, null, 2));
+      return;
+    }
+    if (grants.length === 0) {
+      consola5.info("No pending grants to approve.");
+      return;
+    }
+    consola5.info(`${grants.length} grant(s) awaiting approval:
+`);
+    for (const grant of grants) {
+      const cmd = grant.request?.command?.join(" ") || "(no command)";
+      const type = grant.request?.grant_type || grant.type;
+      console.log(`${grant.id}  ${type.padEnd(6)}  from ${grant.requester}`);
+      console.log(`  Command: ${cmd}`);
+      if (grant.request?.reason) {
+        console.log(`  Reason:  ${grant.request.reason}`);
+      }
+      if (grant.created_at) {
+        console.log(`  Created: ${grant.created_at}`);
+      }
+      console.log();
+    }
+    consola5.info("Use `apes grants approve <id>` or `apes grants deny <id>` to respond.");
+  }
+});
+
+// src/commands/grants/status.ts
+import { defineCommand as defineCommand6 } from "citty";
+var statusCommand = defineCommand6({
+  meta: {
+    name: "status",
+    description: "Show grant status"
+  },
+  args: {
+    id: {
+      type: "positional",
+      description: "Grant ID",
+      required: true
+    },
+    json: {
+      type: "boolean",
+      description: "Output as JSON",
+      default: false
+    }
+  },
+  async run({ args }) {
+    const idp = getIdpUrl();
+    const grantsUrl = await getGrantsEndpoint(idp);
+    const grant = await apiFetch(`${grantsUrl}/${args.id}`);
+    if (args.json) {
+      console.log(JSON.stringify(grant, null, 2));
+      return;
+    }
+    console.log(`Grant:     ${grant.id}`);
+    console.log(`Status:    ${grant.status}`);
+    console.log(`Type:      ${grant.type}`);
+    console.log(`Requester: ${grant.requester}`);
+    console.log(`Owner:     ${grant.owner}`);
+    if (grant.approver)
+      console.log(`Approver:  ${grant.approver}`);
+    if (grant.request?.command)
+      console.log(`Command:   ${grant.request.command.join(" ")}`);
+    if (grant.request?.grant_type)
+      console.log(`Approval:  ${grant.request.grant_type}`);
+    if (grant.request?.reason)
+      console.log(`Reason:    ${grant.request.reason}`);
+    if (grant.decided_by)
+      console.log(`Decided by: ${grant.decided_by}`);
+    if (grant.decided_at)
+      console.log(`Decided at: ${grant.decided_at}`);
+    if (grant.expires_at)
+      console.log(`Expires:   ${grant.expires_at}`);
+  }
+});
+
+// src/commands/grants/request.ts
+import { hostname } from "os";
+import { defineCommand as defineCommand7 } from "citty";
+import consola6 from "consola";
+var requestCommand = defineCommand7({
+  meta: {
+    name: "request",
+    description: "Request a new grant"
+  },
+  args: {
+    command: {
+      type: "positional",
+      description: "Command to request permission for",
+      required: true
+    },
+    audience: {
+      type: "string",
+      description: 'Service identifier (e.g. "escapes", "proxy")',
+      required: true
+    },
+    host: {
+      type: "string",
+      description: "Target host (default: system hostname)"
+    },
+    reason: {
+      type: "string",
+      description: "Reason for the request"
+    },
+    approval: {
+      type: "string",
+      description: "Approval type: once, timed, always",
+      default: "once"
+    },
+    duration: {
+      type: "string",
+      description: "Duration for timed grants (e.g. 30m, 1h, 7d)"
+    },
+    "run-as": {
+      type: "string",
+      description: "Execute as this user (e.g. openclaw, root)"
+    },
+    wait: {
+      type: "boolean",
+      description: "Wait for approval",
+      default: false
+    }
+  },
+  async run({ args }) {
+    const auth = loadAuth();
+    if (!auth) {
+      consola6.error("Not logged in. Run `apes login` first.");
+      return process.exit(1);
+    }
+    const idp = getIdpUrl();
+    const grantsUrl = await getGrantsEndpoint(idp);
+    const command = args.command.split(" ");
+    const targetHost = args.host || hostname();
+    const duration = args.duration ? parseDuration(args.duration) : void 0;
+    const grant = await apiFetch(grantsUrl, {
+      method: "POST",
+      body: {
+        requester: auth.email,
+        target_host: targetHost,
+        audience: args.audience,
+        grant_type: args.approval,
+        command,
+        reason: args.reason || command.join(" "),
+        ...duration != null ? { duration } : {},
+        ...args["run-as"] ? { run_as: args["run-as"] } : {}
+      }
+    });
+    consola6.success(`Grant requested: ${grant.id} (status: ${grant.status})`);
+    if (args.wait) {
+      consola6.info("Waiting for approval...");
+      await waitForApproval(grantsUrl, grant.id);
+    }
+  }
+});
+async function waitForApproval(grantsUrl, grantId) {
+  const maxWait = 3e5;
+  const interval = 3e3;
+  const start = Date.now();
+  while (Date.now() - start < maxWait) {
+    const grant = await apiFetch(`${grantsUrl}/${grantId}`);
+    if (grant.status === "approved") {
+      consola6.success("Grant approved!");
+      return;
+    }
+    if (grant.status === "denied") {
+      consola6.error("Grant denied.");
+      return process.exit(1);
+    }
+    if (grant.status === "revoked") {
+      consola6.error("Grant revoked.");
+      return process.exit(1);
+    }
+    await new Promise((r) => setTimeout(r, interval));
+  }
+  consola6.error("Timed out waiting for approval.");
+  return process.exit(1);
+}
+
+// src/commands/grants/request-capability.ts
+import { hostname as hostname2 } from "os";
+import { buildStructuredCliGrantRequest, loadAdapter, resolveCapabilityRequest } from "@openape/shapes";
+import { defineCommand as defineCommand8 } from "citty";
+import consola7 from "consola";
+function parseCapabilityArgs(rawArgs) {
+  const tokens = [...rawArgs];
+  if (tokens[0] === "request-capability") {
+    tokens.shift();
+  }
+  const cliId = tokens.shift();
+  if (!cliId || cliId.startsWith("-")) {
+    throw new Error("Missing CLI identifier");
+  }
+  const resources = [];
+  const selectors = [];
+  const actions = [];
+  let adapter;
+  let idp;
+  let approval = "once";
+  let reason;
+  let duration;
+  let runAs;
+  let wait = false;
+  for (let index = 0; index < tokens.length; index += 1) {
+    const token = tokens[index];
+    const next = tokens[index + 1];
+    switch (token) {
+      case "--resource":
+        if (!next)
+          throw new Error("Missing value for --resource");
+        resources.push(next);
+        index += 1;
+        break;
+      case "--selector":
+        if (!next)
+          throw new Error("Missing value for --selector");
+        selectors.push(next);
+        index += 1;
+        break;
+      case "--action":
+        if (!next)
+          throw new Error("Missing value for --action");
+        actions.push(next);
+        index += 1;
+        break;
+      case "--adapter":
+        if (!next)
+          throw new Error("Missing value for --adapter");
+        adapter = next;
+        index += 1;
+        break;
+      case "--idp":
+        if (!next)
+          throw new Error("Missing value for --idp");
+        idp = next;
+        index += 1;
+        break;
+      case "--approval":
+        if (!next || !["once", "timed", "always"].includes(next)) {
+          throw new Error("Approval must be one of: once, timed, always");
+        }
+        approval = next;
+        index += 1;
+        break;
+      case "--reason":
+        if (!next)
+          throw new Error("Missing value for --reason");
+        reason = next;
+        index += 1;
+        break;
+      case "--duration":
+        if (!next)
+          throw new Error("Missing value for --duration");
+        duration = parseDuration(next);
+        index += 1;
+        break;
+      case "--run-as":
+        if (!next)
+          throw new Error("Missing value for --run-as");
+        runAs = next;
+        index += 1;
+        break;
+      case "--wait":
+        wait = true;
+        break;
+      default:
+        throw new Error(`Unknown argument: ${token}`);
+    }
+  }
+  return {
+    cliId,
+    adapter,
+    idp,
+    approval,
+    reason,
+    duration,
+    runAs,
+    wait,
+    resources,
+    selectors,
+    actions
+  };
+}
+async function waitForApproval2(grantsUrl, grantId) {
+  const maxWait = 3e5;
+  const interval = 3e3;
+  const start = Date.now();
+  while (Date.now() - start < maxWait) {
+    const grant = await apiFetch(`${grantsUrl}/${grantId}`);
+    if (grant.status === "approved") {
+      consola7.success("Grant approved!");
+      return;
+    }
+    if (grant.status === "denied") {
+      consola7.error("Grant denied.");
+      process.exit(1);
+    }
+    if (grant.status === "revoked") {
+      consola7.error("Grant revoked.");
+      process.exit(1);
+    }
+    await new Promise((resolve) => setTimeout(resolve, interval));
+  }
+  consola7.error("Timed out waiting for approval.");
+  process.exit(1);
+}
+var requestCapabilityCommand = defineCommand8({
+  meta: {
+    name: "request-capability",
+    description: "Request a structured CLI capability grant"
+  },
+  async run({ rawArgs }) {
+    const auth = loadAuth();
+    if (!auth) {
+      consola7.error("Not logged in. Run `apes login` first.");
+      return process.exit(1);
+    }
+    const parsed = parseCapabilityArgs(rawArgs);
+    const idp = getIdpUrl(parsed.idp);
+    if (!idp) {
+      consola7.error("No IdP URL configured. Use --idp or log in first.");
+      return process.exit(1);
+    }
+    const loaded = loadAdapter(parsed.cliId, parsed.adapter);
+    const resolved = resolveCapabilityRequest(loaded, {
+      resources: parsed.resources,
+      selectors: parsed.selectors,
+      actions: parsed.actions
+    });
+    const { request } = await buildStructuredCliGrantRequest(resolved, {
+      requester: auth.email,
+      target_host: hostname2(),
+      grant_type: parsed.approval,
+      ...parsed.reason ? { reason: parsed.reason } : {}
+    });
+    if (parsed.duration != null) {
+      request.duration = parsed.duration;
+    }
+    if (parsed.runAs) {
+      request.run_as = parsed.runAs;
+    }
+    const grantsUrl = await getGrantsEndpoint(idp);
+    const grant = await apiFetch(grantsUrl, {
+      method: "POST",
+      idp,
+      body: request
+    });
+    consola7.success(`Grant requested: ${grant.id} (status: ${grant.status})`);
+    if (parsed.wait) {
+      consola7.info("Waiting for approval...");
+      await waitForApproval2(grantsUrl, grant.id);
+    }
+  }
+});
+
+// src/commands/grants/approve.ts
+import { defineCommand as defineCommand9 } from "citty";
+import consola8 from "consola";
+var approveCommand = defineCommand9({
+  meta: {
+    name: "approve",
+    description: "Approve a grant request"
+  },
+  args: {
+    id: {
+      type: "positional",
+      description: "Grant ID",
+      required: true
+    }
+  },
+  async run({ args }) {
+    const idp = getIdpUrl();
+    const grantsUrl = await getGrantsEndpoint(idp);
+    await apiFetch(`${grantsUrl}/${args.id}/approve`, {
+      method: "POST"
+    });
+    consola8.success(`Grant ${args.id} approved.`);
+  }
+});
+
+// src/commands/grants/deny.ts
+import { defineCommand as defineCommand10 } from "citty";
+import consola9 from "consola";
+var denyCommand = defineCommand10({
+  meta: {
+    name: "deny",
+    description: "Deny a grant request"
+  },
+  args: {
+    id: {
+      type: "positional",
+      description: "Grant ID",
+      required: true
+    }
+  },
+  async run({ args }) {
+    const idp = getIdpUrl();
+    const grantsUrl = await getGrantsEndpoint(idp);
+    await apiFetch(`${grantsUrl}/${args.id}/deny`, {
+      method: "POST"
+    });
+    consola9.success(`Grant ${args.id} denied.`);
+  }
+});
+
+// src/commands/grants/revoke.ts
+import { defineCommand as defineCommand11 } from "citty";
+import consola10 from "consola";
+var revokeCommand = defineCommand11({
+  meta: {
+    name: "revoke",
+    description: "Revoke a grant"
+  },
+  args: {
+    id: {
+      type: "positional",
+      description: "Grant ID",
+      required: true
+    }
+  },
+  async run({ args }) {
+    const idp = getIdpUrl();
+    const grantsUrl = await getGrantsEndpoint(idp);
+    await apiFetch(`${grantsUrl}/${args.id}/revoke`, {
+      method: "POST"
+    });
+    consola10.success(`Grant ${args.id} revoked.`);
+  }
+});
+
+// src/commands/grants/token.ts
+import { defineCommand as defineCommand12 } from "citty";
+import consola11 from "consola";
+var tokenCommand = defineCommand12({
+  meta: {
+    name: "token",
+    description: "Get grant token JWT"
+  },
+  args: {
+    id: {
+      type: "positional",
+      description: "Grant ID",
+      required: true
+    }
+  },
+  async run({ args }) {
+    const idp = getIdpUrl();
+    const grantsUrl = await getGrantsEndpoint(idp);
+    const result = await apiFetch(`${grantsUrl}/${args.id}/token`, {
+      method: "POST"
+    });
+    if (!result.authz_jwt) {
+      consola11.error("No token received. Grant may not be approved.");
+      return process.exit(1);
+    }
+    process.stdout.write(result.authz_jwt);
+  }
+});
+
+// src/commands/grants/delegate.ts
+import { defineCommand as defineCommand13 } from "citty";
+import consola12 from "consola";
+var delegateCommand = defineCommand13({
+  meta: {
+    name: "delegate",
+    description: "Create a delegation"
+  },
+  args: {
+    to: {
+      type: "string",
+      description: "Delegate email (who can act on your behalf)",
+      required: true
+    },
+    at: {
+      type: "string",
+      description: "Service/audience where delegation applies",
+      required: true
+    },
+    scopes: {
+      type: "string",
+      description: "Comma-separated scopes"
+    },
+    approval: {
+      type: "string",
+      description: "Approval type: once, timed, always",
+      default: "once"
+    },
+    expires: {
+      type: "string",
+      description: "Expiration date (ISO 8601)"
+    }
+  },
+  async run({ args }) {
+    const auth = loadAuth();
+    if (!auth) {
+      consola12.error("Not logged in. Run `apes login` first.");
+      return process.exit(1);
+    }
+    const idp = getIdpUrl();
+    const delegationsUrl = await getDelegationsEndpoint(idp);
+    const body = {
+      delegate: args.to,
+      audience: args.at,
+      approval: args.approval
+    };
+    if (args.scopes) {
+      body.scopes = args.scopes.split(",").map((s) => s.trim());
+    }
+    if (args.expires) {
+      body.expires_at = args.expires;
+    }
+    const result = await apiFetch(delegationsUrl, {
+      method: "POST",
+      body
+    });
+    consola12.success(`Delegation created: ${result.id}`);
+    console.log(`  Delegate: ${args.to}`);
+    console.log(`  Audience: ${args.at}`);
+    if (args.scopes)
+      console.log(`  Scopes:   ${args.scopes}`);
+    console.log(`  Approval: ${args.approval}`);
+    if (args.expires)
+      console.log(`  Expires:  ${args.expires}`);
+  }
+});
+
+// src/commands/grants/delegations.ts
+import { defineCommand as defineCommand14 } from "citty";
+import consola13 from "consola";
+var delegationsCommand = defineCommand14({
+  meta: {
+    name: "delegations",
+    description: "List delegations"
+  },
+  args: {
+    json: {
+      type: "boolean",
+      description: "Output as JSON",
+      default: false
+    }
+  },
+  async run({ args }) {
+    const idp = getIdpUrl();
+    const delegationsUrl = await getDelegationsEndpoint(idp);
+    const delegations = await apiFetch(delegationsUrl);
+    if (args.json) {
+      console.log(JSON.stringify(delegations, null, 2));
+      return;
+    }
+    if (delegations.length === 0) {
+      consola13.info("No delegations found.");
+      return;
+    }
+    for (const d of delegations) {
+      const scopes = d.scopes?.join(", ") || "(all)";
+      const expires = d.expires_at ? ` expires ${d.expires_at}` : "";
+      console.log(`${d.id}  ${d.delegator} \u2192 ${d.delegate}  at ${d.audience}  [${scopes}]${expires}`);
+    }
+  }
+});
+
+// src/commands/adapter/index.ts
+import { defineCommand as defineCommand15 } from "citty";
+import consola14 from "consola";
+import {
+  fetchRegistry,
+  findAdapter,
+  findConflictingAdapters,
+  getInstalledDigest,
+  installAdapter,
+  isInstalled,
+  loadAdapter as loadAdapter2,
+  removeAdapter,
+  searchAdapters
+} from "@openape/shapes";
+var adapterCommand = defineCommand15({
+  meta: {
+    name: "adapter",
+    description: "Manage CLI adapters"
+  },
+  subCommands: {
+    list: defineCommand15({
+      meta: {
+        name: "list",
+        description: "List available adapters"
+      },
+      args: {
+        remote: {
+          type: "boolean",
+          description: "List adapters from the remote registry",
+          default: false
+        },
+        json: {
+          type: "boolean",
+          description: "Output as JSON",
+          default: false
+        },
+        refresh: {
+          type: "boolean",
+          description: "Force refresh the registry cache",
+          default: false
+        }
+      },
+      async run({ args }) {
+        const forceRefresh = Boolean(args.refresh);
+        if (args.remote) {
+          const index2 = await fetchRegistry(forceRefresh);
+          if (args.json) {
+            process.stdout.write(`${JSON.stringify(index2.adapters, null, 2)}
+`);
+            return;
+          }
+          consola14.info(`Registry: ${index2.adapters.length} adapters (${index2.generated_at})`);
+          for (const a of index2.adapters) {
+            const installed = isInstalled(a.id, false) ? " [installed]" : "";
+            console.log(`  ${a.id.padEnd(12)} ${a.name.padEnd(24)} ${a.category}${installed}`);
+          }
+          return;
+        }
+        const index = await fetchRegistry(forceRefresh);
+        const local = [];
+        for (const a of index.adapters) {
+          try {
+            const loaded = loadAdapter2(a.id);
+            local.push({ id: a.id, source: loaded.source, digest: loaded.digest });
+          } catch {
+          }
+        }
+        if (args.json) {
+          process.stdout.write(`${JSON.stringify(local, null, 2)}
+`);
+          return;
+        }
+        if (local.length === 0) {
+          consola14.info("No adapters installed. Use `apes adapter list --remote` to see available adapters.");
+          return;
+        }
+        for (const a of local) {
+          console.log(`  ${a.id.padEnd(12)} ${a.source}`);
+        }
+      }
+    }),
+    install: defineCommand15({
+      meta: {
+        name: "install",
+        description: "Install an adapter from the registry"
+      },
+      args: {
+        id: {
+          type: "positional",
+          description: "Adapter ID to install",
+          required: true
+        },
+        local: {
+          type: "boolean",
+          description: "Install to project-local .openape/ instead of ~/.openape/",
+          default: false
+        },
+        refresh: {
+          type: "boolean",
+          description: "Force refresh the registry cache",
+          default: false
+        }
+      },
+      async run({ args }) {
+        const id = String(args.id);
+        const local = Boolean(args.local);
+        const index = await fetchRegistry(Boolean(args.refresh));
+        const entry = findAdapter(index, id);
+        if (!entry)
+          throw new Error(`Adapter "${id}" not found in registry. Use \`apes adapter search ${id}\` to search.`);
+        const conflicts = findConflictingAdapters(entry.executable, id);
+        if (conflicts.length > 0) {
+          for (const c of conflicts) {
+            consola14.warn(`Conflicting adapter found: ${c.path} (id: ${c.adapterId}, executable: ${c.executable})`);
+            consola14.warn(`  Remove it with: apes adapter remove ${c.adapterId}`);
+          }
+        }
+        const result = await installAdapter(entry, { local });
+        const verb = result.updated ? "Updated" : "Installed";
+        consola14.success(`${verb} ${result.id} \u2192 ${result.path}`);
+        consola14.info(`Digest: ${result.digest}`);
+      }
+    }),
+    remove: defineCommand15({
+      meta: {
+        name: "remove",
+        description: "Remove an installed adapter"
+      },
+      args: {
+        id: {
+          type: "positional",
+          description: "Adapter ID to remove",
+          required: true
+        },
+        local: {
+          type: "boolean",
+          description: "Remove from project-local .openape/",
+          default: false
+        }
+      },
+      async run({ args }) {
+        const id = String(args.id);
+        const local = Boolean(args.local);
+        if (removeAdapter(id, local)) {
+          consola14.success(`Removed adapter: ${id}`);
+        } else {
+          consola14.error(`Adapter "${id}" is not installed${local ? " locally" : ""}`);
+          process.exit(1);
+        }
+      }
+    }),
+    info: defineCommand15({
+      meta: {
+        name: "info",
+        description: "Show detailed adapter information"
+      },
+      args: {
+        id: {
+          type: "positional",
+          description: "Adapter ID",
+          required: true
+        },
+        refresh: {
+          type: "boolean",
+          description: "Force refresh the registry cache",
+          default: false
+        }
+      },
+      async run({ args }) {
+        const id = String(args.id);
+        const index = await fetchRegistry(Boolean(args.refresh));
+        const entry = findAdapter(index, id);
+        if (!entry)
+          throw new Error(`Adapter "${id}" not found in registry`);
+        console.log(`ID:          ${entry.id}`);
+        console.log(`Name:        ${entry.name}`);
+        console.log(`Description: ${entry.description}`);
+        console.log(`Category:    ${entry.category}`);
+        console.log(`Tags:        ${entry.tags.join(", ")}`);
+        console.log(`Author:      ${entry.author}`);
+        console.log(`Executable:  ${entry.executable}`);
+        console.log(`Digest:      ${entry.digest}`);
+        console.log(`Min version: ${entry.min_shapes_version}`);
+        console.log(`URL:         ${entry.download_url}`);
+        const localDigest = getInstalledDigest(id, false);
+        if (localDigest) {
+          const upToDate = localDigest === entry.digest;
+          console.log(`Installed:   yes${upToDate ? " (up to date)" : " (update available)"}`);
+        } else {
+          console.log(`Installed:   no`);
+        }
+      }
+    }),
+    search: defineCommand15({
+      meta: {
+        name: "search",
+        description: "Search adapters in the registry"
+      },
+      args: {
+        query: {
+          type: "positional",
+          description: "Search query",
+          required: true
+        },
+        json: {
+          type: "boolean",
+          description: "Output as JSON",
+          default: false
+        },
+        refresh: {
+          type: "boolean",
+          description: "Force refresh the registry cache",
+          default: false
+        }
+      },
+      async run({ args }) {
+        const query = String(args.query);
+        const index = await fetchRegistry(Boolean(args.refresh));
+        const results = searchAdapters(index, query);
+        if (args.json) {
+          process.stdout.write(`${JSON.stringify(results, null, 2)}
+`);
+          return;
+        }
+        if (results.length === 0) {
+          consola14.info(`No adapters matching "${query}"`);
+          return;
+        }
+        for (const a of results) {
+          console.log(`  ${a.id.padEnd(12)} ${a.name.padEnd(24)} ${a.category}`);
+          console.log(`    ${a.description}`);
+        }
+      }
+    }),
+    update: defineCommand15({
+      meta: {
+        name: "update",
+        description: "Update installed adapters"
+      },
+      args: {
+        id: {
+          type: "positional",
+          description: "Adapter ID (omit to update all)"
+        },
+        yes: {
+          type: "boolean",
+          description: "Skip confirmation",
+          default: false
+        },
+        refresh: {
+          type: "boolean",
+          description: "Force refresh the registry cache",
+          default: true
+        }
+      },
+      async run({ args }) {
+        const index = await fetchRegistry(Boolean(args.refresh));
+        const targetId = args.id ? String(args.id) : void 0;
+        const targets = targetId ? [targetId] : index.adapters.map((a) => a.id).filter((id) => isInstalled(id, false));
+        if (targets.length === 0) {
+          consola14.info("No adapters installed to update.");
+          return;
+        }
+        for (const id of targets) {
+          const entry = findAdapter(index, id);
+          if (!entry) {
+            consola14.warn(`${id}: not found in registry, skipping`);
+            continue;
+          }
+          const localDigest = getInstalledDigest(id, false);
+          if (localDigest === entry.digest) {
+            consola14.info(`${id}: already up to date`);
+            continue;
+          }
+          if (localDigest && !args.yes) {
+            consola14.warn(`${id}: digest will change \u2014 existing grants for this adapter will be invalidated`);
+            consola14.info(`  Old: ${localDigest}`);
+            consola14.info(`  New: ${entry.digest}`);
+            consola14.info("  Use --yes to confirm");
+            continue;
+          }
+          const result = await installAdapter(entry);
+          consola14.success(`Updated ${result.id} \u2192 ${result.path}`);
+        }
+      }
+    }),
+    verify: defineCommand15({
+      meta: {
+        name: "verify",
+        description: "Verify installed adapter against registry digest"
+      },
+      args: {
+        id: {
+          type: "positional",
+          description: "Adapter ID",
+          required: true
+        },
+        local: {
+          type: "boolean",
+          description: "Check project-local adapter",
+          default: false
+        },
+        refresh: {
+          type: "boolean",
+          description: "Force refresh the registry cache",
+          default: false
+        }
+      },
+      async run({ args }) {
+        const id = String(args.id);
+        const local = Boolean(args.local);
+        const index = await fetchRegistry(Boolean(args.refresh));
+        const entry = findAdapter(index, id);
+        if (!entry)
+          throw new Error(`Adapter "${id}" not found in registry`);
+        const localDigest = getInstalledDigest(id, local);
+        if (!localDigest)
+          throw new Error(`Adapter "${id}" is not installed${local ? " locally" : ""}`);
+        if (localDigest === entry.digest) {
+          consola14.success(`${id}: digest matches registry`);
+        } else {
+          consola14.error(`${id}: digest mismatch`);
+          console.log(`  Local:    ${localDigest}`);
+          console.log(`  Registry: ${entry.digest}`);
+          process.exit(1);
+        }
+      }
+    })
+  }
+});
+
+// src/commands/run.ts
+import { execFileSync } from "child_process";
+import { hostname as hostname3 } from "os";
+import { defineCommand as defineCommand16 } from "citty";
+import {
+  createShapesGrant,
+  extractOption,
+  extractWrappedCommand,
+  fetchGrantToken,
+  findExistingGrant,
+  loadAdapter as loadAdapter3,
+  resolveCommand,
+  verifyAndExecute,
+  waitForGrantStatus
+} from "@openape/shapes";
+import consola15 from "consola";
+var runCommand = defineCommand16({
+  meta: {
+    name: "run",
+    description: "Execute a grant-secured command"
+  },
+  args: {
+    "approval": {
+      type: "string",
+      description: "Approval type: once, timed, always",
+      default: "once"
+    },
+    "reason": {
+      type: "string",
+      description: "Reason for the grant request"
+    },
+    "adapter": {
+      type: "string",
+      description: "Explicit path to adapter TOML file"
+    },
+    "as": {
+      type: "string",
+      description: "Execute as this user (delegates to escapes)"
+    },
+    "host": {
+      type: "string",
+      description: "Target host (default: system hostname)"
+    },
+    "escapes-path": {
+      type: "string",
+      description: "Path to escapes binary",
+      default: "escapes"
+    },
+    "idp": {
+      type: "string",
+      description: "IdP URL"
+    },
+    "_": {
+      type: "positional",
+      description: "Command to execute (after --)",
+      required: false
+    }
+  },
+  async run({ rawArgs, args }) {
+    const wrappedCommand = extractWrappedCommand(rawArgs ?? []);
+    if (wrappedCommand.length > 0) {
+      await runAdapterMode(wrappedCommand, rawArgs ?? [], args);
+    } else {
+      const positionals = extractPositionals(rawArgs ?? []);
+      if (positionals.length < 2)
+        throw new Error("Usage: apes run -- <cli> <args...>  OR  apes run <audience> <action>");
+      await runAudienceMode(positionals[0], positionals[1], args);
+    }
+  }
+});
+function extractPositionals(rawArgs) {
+  const positionals = [];
+  const delimiter = rawArgs.indexOf("--");
+  const args = delimiter >= 0 ? rawArgs.slice(0, delimiter) : rawArgs;
+  for (let i = 0; i < args.length; i++) {
+    const arg = args[i];
+    if (arg === "run")
+      continue;
+    if (arg.startsWith("--")) {
+      i++;
+      continue;
+    }
+    positionals.push(arg);
+  }
+  return positionals;
+}
+async function runAdapterMode(command, rawArgs, args) {
+  const idp = getIdpUrl(args.idp);
+  if (!idp)
+    throw new Error("No IdP URL configured. Run `apes login` first or pass --idp.");
+  const adapterOpt = extractOption(rawArgs, "adapter");
+  const loaded = loadAdapter3(command[0], adapterOpt);
+  const resolved = await resolveCommand(loaded, command);
+  const approval = args.approval ?? "once";
+  if (approval !== "once") {
+    try {
+      const existingGrantId = await findExistingGrant(resolved, idp);
+      if (existingGrantId) {
+        consola15.info(`Reusing existing grant: ${existingGrantId}`);
+        const token2 = await fetchGrantToken(idp, existingGrantId);
+        await verifyAndExecute(token2, resolved);
+        return;
+      }
+    } catch {
+    }
+  }
+  const grant = await createShapesGrant(resolved, {
+    idp,
+    approval,
+    ...args.reason ? { reason: args.reason } : {}
+  });
+  consola15.info(`Grant requested: ${grant.id}`);
+  consola15.info(`Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
+  const status = await waitForGrantStatus(idp, grant.id);
+  if (status !== "approved")
+    throw new Error(`Grant ${status}`);
+  const token = await fetchGrantToken(idp, grant.id);
+  await verifyAndExecute(token, resolved);
+}
+async function runAudienceMode(audience, action, args) {
+  const auth = loadAuth();
+  if (!auth) {
+    consola15.error("Not logged in. Run `apes login` first.");
+    return process.exit(1);
+  }
+  const idp = getIdpUrl(args.idp);
+  const grantsUrl = await getGrantsEndpoint(idp);
+  const command = action.split(" ");
+  const targetHost = args.host || hostname3();
+  consola15.info(`Requesting ${audience} grant on ${targetHost}: ${command.join(" ")}`);
+  const grant = await apiFetch(grantsUrl, {
+    method: "POST",
+    body: {
+      requester: auth.email,
+      target_host: targetHost,
+      audience,
+      grant_type: args.approval,
+      command,
+      reason: args.reason || command.join(" "),
+      ...args.as ? { run_as: args.as } : {}
+    }
+  });
+  consola15.success(`Grant requested: ${grant.id}`);
+  consola15.info("Waiting for approval...");
+  const maxWait = 3e5;
+  const interval = 3e3;
+  const start = Date.now();
+  while (Date.now() - start < maxWait) {
+    const status = await apiFetch(`${grantsUrl}/${grant.id}`);
+    if (status.status === "approved") {
+      consola15.success("Grant approved!");
+      break;
+    }
+    if (status.status === "denied" || status.status === "revoked") {
+      consola15.error(`Grant ${status.status}.`);
+      return process.exit(1);
+    }
+    await new Promise((r) => setTimeout(r, interval));
+  }
+  consola15.info("Fetching grant token...");
+  const { authz_jwt } = await apiFetch(`${grantsUrl}/${grant.id}/token`, {
+    method: "POST"
+  });
+  if (audience === "escapes") {
+    consola15.info(`Executing: ${command.join(" ")}`);
+    try {
+      execFileSync(args["escapes-path"] || "escapes", ["--grant", authz_jwt, "--", ...command], {
+        stdio: "inherit"
+      });
+    } catch (err) {
+      const exitCode = err.status || 1;
+      process.exit(exitCode);
+    }
+  } else {
+    process.stdout.write(authz_jwt);
+  }
+}
+
+// src/commands/explain.ts
+import { defineCommand as defineCommand17 } from "citty";
+import { extractOption as extractOption2, extractWrappedCommand as extractWrappedCommand2, loadAdapter as loadAdapter4, resolveCommand as resolveCommand2 } from "@openape/shapes";
+var explainCommand = defineCommand17({
+  meta: {
+    name: "explain",
+    description: "Show what permission a command would need"
+  },
+  args: {
+    adapter: {
+      type: "string",
+      description: "Explicit path to adapter TOML file"
+    },
+    _: {
+      type: "positional",
+      description: "Wrapped command (after --)",
+      required: false
+    }
+  },
+  async run({ rawArgs }) {
+    const command = extractWrappedCommand2(rawArgs ?? []);
+    if (command.length === 0)
+      throw new Error("Missing wrapped command. Usage: apes explain [--adapter <file>] -- <cli> ...");
+    const adapterOpt = extractOption2(rawArgs ?? [], "adapter");
+    const loaded = loadAdapter4(command[0], adapterOpt);
+    const resolved = await resolveCommand2(loaded, command);
+    process.stdout.write(`${JSON.stringify({
+      adapter: resolved.adapter.cli.id,
+      source: resolved.source,
+      operation: resolved.detail.operation_id,
+      display: resolved.detail.display,
+      permission: resolved.permission,
+      resource_chain: resolved.detail.resource_chain,
+      exact_command: resolved.detail.constraints?.exact_command ?? false,
+      adapter_digest: resolved.digest
+    }, null, 2)}
+`);
+  }
+});
+
+// src/commands/config/get.ts
+import { defineCommand as defineCommand18 } from "citty";
+import consola16 from "consola";
+var configGetCommand = defineCommand18({
+  meta: {
+    name: "get",
+    description: "Get a configuration value"
+  },
+  args: {
+    key: {
+      type: "positional",
+      description: "Config key: idp, email, defaults.idp, defaults.approval, agent.key, agent.email",
+      required: true
+    }
+  },
+  run({ args }) {
+    const key = args.key;
+    switch (key) {
+      case "idp": {
+        const idp = getIdpUrl();
+        if (idp)
+          console.log(idp);
+        else
+          consola16.info("No IdP configured.");
+        break;
+      }
+      case "email": {
+        const auth = loadAuth();
+        if (auth?.email)
+          console.log(auth.email);
+        else
+          consola16.info("Not logged in.");
+        break;
+      }
+      default: {
+        const config = loadConfig();
+        const parts = key.split(".");
+        if (parts.length === 2) {
+          const section = parts[0];
+          const field = parts[1];
+          const sectionObj = config[section];
+          if (sectionObj && field in sectionObj) {
+            console.log(sectionObj[field]);
+          } else {
+            consola16.info(`Key "${key}" not set.`);
+          }
+        } else {
+          consola16.error(`Unknown key: "${key}". Use: idp, email, defaults.idp, defaults.approval, agent.key, agent.email`);
+          process.exit(1);
+        }
+      }
+    }
+  }
+});
+
+// src/commands/config/set.ts
+import { defineCommand as defineCommand19 } from "citty";
+import consola17 from "consola";
+var configSetCommand = defineCommand19({
+  meta: {
+    name: "set",
+    description: "Set a configuration value"
+  },
+  args: {
+    key: {
+      type: "positional",
+      description: "Config key: defaults.idp, defaults.approval, agent.key, agent.email",
+      required: true
+    },
+    value: {
+      type: "positional",
+      description: "Value to set",
+      required: true
+    }
+  },
+  run({ args }) {
+    const key = args.key;
+    const value = args.value;
+    const config = loadConfig();
+    const parts = key.split(".");
+    if (parts.length !== 2) {
+      consola17.error(`Invalid key: "${key}". Use: defaults.idp, defaults.approval, agent.key, agent.email`);
+      return process.exit(1);
+    }
+    const [section, field] = parts;
+    if (section === "defaults") {
+      config.defaults = config.defaults || {};
+      config.defaults[field] = value;
+    } else if (section === "agent") {
+      config.agent = config.agent || {};
+      config.agent[field] = value;
+    } else {
+      consola17.error(`Unknown section: "${section}". Use: defaults, agent`);
+      return process.exit(1);
+    }
+    saveConfig(config);
+    consola17.success(`Set ${key} = ${value}`);
+  }
+});
+
+// src/commands/fetch/index.ts
+import { defineCommand as defineCommand20 } from "citty";
+import consola18 from "consola";
+async function doRequest(method, url, body, contentType, raw, showHeaders) {
+  const token = getAuthToken();
+  if (!token) {
+    consola18.error("Not authenticated. Run `apes login` first.");
+    return process.exit(1);
+  }
+  const response = await fetch(url, {
+    method,
+    headers: {
+      "Authorization": `Bearer ${token}`,
+      "Content-Type": contentType
+    },
+    body: body || void 0
+  });
+  if (showHeaders) {
+    console.log(`HTTP ${response.status} ${response.statusText}`);
+    for (const [key, value] of response.headers.entries()) {
+      console.log(`${key}: ${value}`);
+    }
+    console.log();
+  }
+  const respContentType = response.headers.get("content-type") || "";
+  const text = await response.text();
+  if (raw || !respContentType.includes("json")) {
+    process.stdout.write(text);
+  } else {
+    try {
+      console.log(JSON.stringify(JSON.parse(text), null, 2));
+    } catch {
+      process.stdout.write(text);
+    }
+  }
+  if (!response.ok) {
+    process.exit(1);
+  }
+}
+var fetchCommand = defineCommand20({
+  meta: {
+    name: "fetch",
+    description: "Make authenticated HTTP requests"
+  },
+  subCommands: {
+    get: defineCommand20({
+      meta: {
+        name: "get",
+        description: "GET request with auth token"
+      },
+      args: {
+        url: {
+          type: "positional",
+          description: "URL to fetch",
+          required: true
+        },
+        raw: {
+          type: "boolean",
+          description: "Output raw response body",
+          default: false
+        },
+        headers: {
+          type: "boolean",
+          description: "Show response headers",
+          default: false
+        }
+      },
+      async run({ args }) {
+        await doRequest("GET", String(args.url), void 0, "application/json", Boolean(args.raw), Boolean(args.headers));
+      }
+    }),
+    post: defineCommand20({
+      meta: {
+        name: "post",
+        description: "POST request with auth token"
+      },
+      args: {
+        url: {
+          type: "positional",
+          description: "URL to fetch",
+          required: true
+        },
+        body: {
+          type: "string",
+          description: "Request body (JSON string)"
+        },
+        "content-type": {
+          type: "string",
+          description: "Content-Type header",
+          default: "application/json"
+        },
+        raw: {
+          type: "boolean",
+          description: "Output raw response body",
+          default: false
+        },
+        headers: {
+          type: "boolean",
+          description: "Show response headers",
+          default: false
+        }
+      },
+      async run({ args }) {
+        await doRequest("POST", String(args.url), args.body, String(args["content-type"] || "application/json"), Boolean(args.raw), Boolean(args.headers));
+      }
+    })
+  }
+});
+
+// src/commands/mcp/index.ts
+import { defineCommand as defineCommand21 } from "citty";
+var mcpCommand = defineCommand21({
+  meta: {
+    name: "mcp",
+    description: "Start MCP server for AI agents"
+  },
+  args: {
+    transport: {
+      type: "string",
+      description: "Transport type: stdio or sse",
+      default: "stdio"
+    },
+    port: {
+      type: "string",
+      description: "Port for SSE transport",
+      default: "3001"
+    }
+  },
+  async run({ args }) {
+    const transport = args.transport || "stdio";
+    const port = Number.parseInt(String(args.port), 10);
+    if (transport !== "stdio" && transport !== "sse") {
+      throw new Error('Transport must be "stdio" or "sse"');
+    }
+    const { startMcpServer } = await import("./server-4ZIIWOOP.js");
+    await startMcpServer(transport, port);
+  }
+});
+
+// src/cli.ts
+var debug = process.argv.includes("--debug");
+var grantsCommand = defineCommand22({
+  meta: {
+    name: "grants",
+    description: "Grant management"
+  },
+  subCommands: {
+    list: listCommand,
+    inbox: inboxCommand,
+    status: statusCommand,
+    request: requestCommand,
+    "request-capability": requestCapabilityCommand,
+    approve: approveCommand,
+    deny: denyCommand,
+    revoke: revokeCommand,
+    token: tokenCommand,
+    delegate: delegateCommand,
+    delegations: delegationsCommand
+  }
+});
+var configCommand = defineCommand22({
+  meta: {
+    name: "config",
+    description: "Configuration management"
+  },
+  subCommands: {
+    get: configGetCommand,
+    set: configSetCommand
+  }
+});
+var main = defineCommand22({
+  meta: {
+    name: "apes",
+    version: "0.2.0",
+    description: "Unified CLI for OpenApe"
+  },
+  subCommands: {
+    login: loginCommand,
+    logout: logoutCommand,
+    whoami: whoamiCommand,
+    grants: grantsCommand,
+    run: runCommand,
+    explain: explainCommand,
+    adapter: adapterCommand,
+    config: configCommand,
+    fetch: fetchCommand,
+    mcp: mcpCommand
+  }
+});
+runMain(main).catch((err) => {
+  if (debug) {
+    consola19.error(err);
+  } else {
+    consola19.error(err instanceof ApiError ? err.message : err instanceof Error ? err.message : String(err));
+  }
+  process.exit(1);
+});
+//# sourceMappingURL=cli.js.map