@openape/apes 0.20.0 → 0.21.1

package/dist/cli.js

@@ -96,7 +96,7 @@ function rewriteApeShellArgs(argv, argv0) {
 import { defineCommand as defineCommand44, runMain } from "citty";
 
 // src/commands/auth/login.ts
-import { Buffer } from "buffer";
+import { Buffer as Buffer2 } from "buffer";
 import { execFile } from "child_process";
 import { createServer } from "http";
 import { homedir as homedir2 } from "os";
@@ -394,7 +394,7 @@ async function loginWithKey(idp, keyPath, agentEmail) {
   const { challenge } = await challengeResp.json();
   const keyContent = readFileSync7(keyPath, "utf-8");
   const privateKey = loadEd25519PrivateKey2(keyContent);
-  const signature = sign3(null, Buffer.from(challenge), privateKey).toString("base64");
+  const signature = sign3(null, Buffer2.from(challenge), privateKey).toString("base64");
   const authenticateUrl = await getAgentAuthenticateEndpoint(idp);
   const authResp = await fetch(authenticateUrl, {
     method: "POST",
@@ -1754,7 +1754,7 @@ import { defineCommand as defineCommand20 } from "citty";
 import consola18 from "consola";
 
 // src/lib/agent-bootstrap.ts
-import { Buffer as Buffer2 } from "buffer";
+import { Buffer as Buffer3 } from "buffer";
 import { createPrivateKey, sign } from "crypto";
 var AGENT_NAME_REGEX = /^[a-z][a-z0-9-]{0,23}$/;
 var SSH_ED25519_PREFIX = "ssh-ed25519 ";
@@ -1779,7 +1779,7 @@ async function issueAgentToken(input) {
     throw new Error(`Challenge failed (${challengeResp.status}): ${text}`);
   }
   const { challenge } = await challengeResp.json();
-  const signature = sign(null, Buffer2.from(challenge), privateKey).toString("base64");
+  const signature = sign(null, Buffer3.from(challenge), privateKey).toString("base64");
   const authenticateUrl = await getAgentAuthenticateEndpoint(input.idp);
   const authResp = await fetch(authenticateUrl, {
     method: "POST",
@@ -1811,6 +1811,25 @@ mkdir -p "$HOME_DIR/.claude/hooks"
 cat > "$HOME_DIR/.claude/settings.json" ${shHeredoc(input.claudeSettingsJson)}
 cat > "$HOME_DIR/.claude/hooks/bash-via-ape-shell.sh" ${shHeredoc(input.hookScriptSource)}
 chmod 755 "$HOME_DIR/.claude/hooks/bash-via-ape-shell.sh"
+` : "";
+  const claudeTokenBlock = input.claudeOauthToken ? `
+mkdir -p "$HOME_DIR/.config/openape"
+cat > "$HOME_DIR/.config/openape/claude-token.env" ${shHeredoc(`# Auto-generated by 'apes agents spawn'. chmod 600 \u2014 contains a long-lived
+# Claude Code OAuth token. Rotate by editing this file in place; the
+# .zshenv / .profile source-lines below will pick it up automatically.
+export CLAUDE_CODE_OAUTH_TOKEN=${shQuote(input.claudeOauthToken)}
+`)}
+SOURCE_LINE='[ -f "$HOME/.config/openape/claude-token.env" ] && . "$HOME/.config/openape/claude-token.env"'
+for f in "$HOME_DIR/.zshenv" "$HOME_DIR/.profile"; do
+  touch "$f"
+  if ! grep -qF 'config/openape/claude-token.env' "$f" 2>/dev/null; then
+    {
+      echo ''
+      echo '# OpenApe: load Claude Code OAuth token (added by apes agents spawn)'
+      echo "$SOURCE_LINE"
+    } >> "$f"
+  fi
+done
 ` : "";
   return `#!/bin/bash
 set -euo pipefail
@@ -1854,13 +1873,17 @@ mkdir -p "$HOME_DIR/.ssh" "$HOME_DIR/.config/apes"
 cat > "$HOME_DIR/.ssh/id_ed25519" ${shHeredoc(privatePemForHeredoc.trimEnd())}
 cat > "$HOME_DIR/.ssh/id_ed25519.pub" ${shHeredoc(`${input.publicKeySshLine}`)}
 cat > "$HOME_DIR/.config/apes/auth.json" ${shHeredoc(input.authJson)}
-${claudeBlock}
+${claudeBlock}${claudeTokenBlock}
 chown -R "$NAME:staff" "$HOME_DIR"
 chmod 700 "$HOME_DIR/.ssh"
 chmod 700 "$HOME_DIR/.config"
 chmod 600 "$HOME_DIR/.ssh/id_ed25519"
 chmod 644 "$HOME_DIR/.ssh/id_ed25519.pub"
 chmod 600 "$HOME_DIR/.config/apes/auth.json"
+if [ -f "$HOME_DIR/.config/openape/claude-token.env" ]; then
+  chmod 700 "$HOME_DIR/.config/openape"
+  chmod 600 "$HOME_DIR/.config/openape/claude-token.env"
+fi
 
 echo "OK $NAME uid=$NEXT_UID home=$HOME_DIR"
 `;
@@ -2068,6 +2091,11 @@ var destroyAgentCommand = defineCommand20({
       }
       consola18.warn(`About to destroy "${name}":
 ${consequences.join("\n")}`);
+      if (!process.stdin.isTTY) {
+        throw new CliError(
+          "No TTY available for the interactive confirmation. Re-run with --force to skip the prompt (this is the same flag CI uses)."
+        );
+      }
       const confirmed = await consola18.prompt("Proceed?", { type: "confirm", initial: false });
       if (typeof confirmed === "symbol" || !confirmed) {
         throw new CliExit(0);
@@ -2268,7 +2296,7 @@ import { defineCommand as defineCommand23 } from "citty";
 import consola21 from "consola";
 
 // src/lib/keygen.ts
-import { Buffer as Buffer3 } from "buffer";
+import { Buffer as Buffer4 } from "buffer";
 import { existsSync as existsSync5, mkdirSync, readFileSync as readFileSync4, writeFileSync as writeFileSync2 } from "fs";
 import { generateKeyPairSync } from "crypto";
 import { homedir as homedir4 } from "os";
@@ -2278,11 +2306,11 @@ function resolveKeyPath(p) {
 }
 function buildSshEd25519Line(rawPub) {
   const keyTypeStr = "ssh-ed25519";
-  const keyTypeLen = Buffer3.alloc(4);
+  const keyTypeLen = Buffer4.alloc(4);
   keyTypeLen.writeUInt32BE(keyTypeStr.length);
-  const pubKeyLen = Buffer3.alloc(4);
+  const pubKeyLen = Buffer4.alloc(4);
   pubKeyLen.writeUInt32BE(rawPub.length);
-  const blob = Buffer3.concat([keyTypeLen, Buffer3.from(keyTypeStr), pubKeyLen, rawPub]);
+  const blob = Buffer4.concat([keyTypeLen, Buffer4.from(keyTypeStr), pubKeyLen, rawPub]);
   return `ssh-ed25519 ${blob.toString("base64")}`;
 }
 function readPublicKey(keyPath) {
@@ -2293,7 +2321,7 @@ function readPublicKey(keyPath) {
   const keyContent = readFileSync4(keyPath, "utf-8");
   const privateKey = loadEd25519PrivateKey(keyContent);
   const jwk = privateKey.export({ format: "jwk" });
-  const pubBytes = Buffer3.from(jwk.x, "base64url");
+  const pubBytes = Buffer4.from(jwk.x, "base64url");
   return buildSshEd25519Line(pubBytes);
 }
 function generateAndSaveKey(keyPath) {
@@ -2306,7 +2334,7 @@ function generateAndSaveKey(keyPath) {
   const privatePem = privateKey.export({ type: "pkcs8", format: "pem" });
   writeFileSync2(resolved, privatePem, { mode: 384 });
   const jwk = publicKey.export({ format: "jwk" });
-  const pubBytes = Buffer3.from(jwk.x, "base64url");
+  const pubBytes = Buffer4.from(jwk.x, "base64url");
   const pubKeyStr = buildSshEd25519Line(pubBytes);
   writeFileSync2(`${resolved}.pub`, `${pubKeyStr}
 `, { mode: 420 });
@@ -2316,7 +2344,7 @@ function generateKeyPairInMemory() {
   const { publicKey, privateKey } = generateKeyPairSync("ed25519");
   const privatePem = privateKey.export({ type: "pkcs8", format: "pem" });
   const jwk = publicKey.export({ format: "jwk" });
-  const pubBytes = Buffer3.from(jwk.x, "base64url");
+  const pubBytes = Buffer4.from(jwk.x, "base64url");
   return {
     privatePem,
     publicSshLine: buildSshEd25519Line(pubBytes)
@@ -2342,6 +2370,14 @@ var spawnAgentCommand = defineCommand23({
     "no-claude-hook": {
       type: "boolean",
       description: "Skip writing ~/.claude/settings.json + the Bash-rewrite hook"
+    },
+    "claude-token": {
+      type: "string",
+      description: "Claude Code OAuth token (sk-ant-oat01-\u2026) from `claude setup-token`. Visible to ps \u2014 prefer --claude-token-stdin in scripts."
+    },
+    "claude-token-stdin": {
+      type: "boolean",
+      description: "Read the Claude Code OAuth token from stdin (paranoid form of --claude-token)."
     }
   },
   async run({ args }) {
@@ -2408,6 +2444,10 @@ and try again.`
         expiresAt: Math.floor(Date.now() / 1e3) + expiresIn
       });
       const includeClaudeHook = !args["no-claude-hook"];
+      const claudeOauthToken = await resolveClaudeToken({
+        flag: typeof args["claude-token"] === "string" ? args["claude-token"] : void 0,
+        fromStdin: !!args["claude-token-stdin"]
+      });
       const script = buildSpawnSetupScript({
         name,
         homeDir,
@@ -2416,7 +2456,8 @@ and try again.`
         publicKeySshLine: publicSshLine,
         authJson,
         claudeSettingsJson: includeClaudeHook ? CLAUDE_SETTINGS_JSON : null,
-        hookScriptSource: includeClaudeHook ? BASH_VIA_APE_SHELL_HOOK_SOURCE : null
+        hookScriptSource: includeClaudeHook ? BASH_VIA_APE_SHELL_HOOK_SOURCE : null,
+        claudeOauthToken
       });
       writeFileSync3(scriptPath, script, { mode: 448 });
       consola21.start("Running privileged setup as root via `apes run --as root --wait`\u2026");
@@ -2431,6 +2472,28 @@ and try again.`
     }
   }
 });
+async function resolveClaudeToken(opts) {
+  if (opts.flag && opts.fromStdin) {
+    throw new CliError("Pass --claude-token OR --claude-token-stdin, not both.");
+  }
+  let raw = null;
+  if (typeof opts.flag === "string") {
+    raw = opts.flag.trim();
+  } else if (opts.fromStdin) {
+    const chunks = [];
+    for await (const chunk of process.stdin) {
+      chunks.push(typeof chunk === "string" ? Buffer.from(chunk) : chunk);
+    }
+    raw = Buffer.concat(chunks).toString("utf-8").trim();
+  }
+  if (!raw) return null;
+  if (!raw.startsWith("sk-ant-oat01-")) {
+    throw new CliError(
+      `Claude token doesn't look right (expected sk-ant-oat01-\u2026). Run \`claude setup-token\` and paste the resulting token.`
+    );
+  }
+  return raw;
+}
 
 // src/commands/agents/index.ts
 var agentsCommand = defineCommand24({
@@ -3698,7 +3761,7 @@ var mcpCommand = defineCommand32({
     if (transport !== "stdio" && transport !== "sse") {
       throw new Error('Transport must be "stdio" or "sse"');
     }
-    const { startMcpServer } = await import("./server-XZHBOWRD.js");
+    const { startMcpServer } = await import("./server-3KAKSSMI.js");
     await startMcpServer(transport, port);
   }
 });
@@ -3858,7 +3921,7 @@ async function initIdP(targetDir) {
 }
 
 // src/commands/enroll.ts
-import { Buffer as Buffer4 } from "buffer";
+import { Buffer as Buffer5 } from "buffer";
 import { existsSync as existsSync7, readFileSync as readFileSync5 } from "fs";
 import { execFile as execFile2 } from "child_process";
 import { sign as sign2 } from "crypto";
@@ -3889,7 +3952,7 @@ async function pollForEnrollment(idp, agentEmail, keyPath) {
       });
       if (challengeResp.ok) {
         const { challenge } = await challengeResp.json();
-        const signature = sign2(null, Buffer4.from(challenge), privateKey).toString("base64");
+        const signature = sign2(null, Buffer5.from(challenge), privateKey).toString("base64");
         const authResp = await fetch(authenticateUrl, {
           method: "POST",
           headers: { "Content-Type": "application/json" },
@@ -4336,7 +4399,7 @@ async function bestEffortGrantCount(idp) {
   }
 }
 async function runHealth(args) {
-  const version = true ? "0.20.0" : "0.0.0";
+  const version = true ? "0.21.1" : "0.0.0";
   const auth = loadAuth();
   if (!auth) {
     throw new CliError("Not logged in. Run `apes login` first.", 1);
@@ -4538,10 +4601,10 @@ if (shellRewrite) {
   if (shellRewrite.action === "rewrite") {
     process.argv = shellRewrite.argv;
   } else if (shellRewrite.action === "version") {
-    console.log(`ape-shell ${"0.20.0"} (OpenApe DDISA shell wrapper)`);
+    console.log(`ape-shell ${"0.21.1"} (OpenApe DDISA shell wrapper)`);
     process.exit(0);
   } else if (shellRewrite.action === "help") {
-    console.log(`ape-shell ${"0.20.0"} \u2014 OpenApe DDISA shell wrapper`);
+    console.log(`ape-shell ${"0.21.1"} \u2014 OpenApe DDISA shell wrapper`);
     console.log("");
     console.log("Usage:");
     console.log("  ape-shell                 Start interactive grant-mediated REPL");
@@ -4599,7 +4662,7 @@ var configCommand = defineCommand44({
 var main = defineCommand44({
   meta: {
     name: "apes",
-    version: "0.20.0",
+    version: "0.21.1",
     description: "Unified CLI for OpenApe"
   },
   subCommands: {