@openape/apes 0.29.0 → 0.31.0

package/dist/{auth-lock-GPLHRXOM.js → auth-lock-4IRWI3ED.js}

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 import {
   CONFIG_DIR
-} from "./chunk-IDPV5SNB.js";
+} from "./chunk-OBF7IMQ2.js";
 
 // src/auth-lock.ts
 import { open, rm, stat } from "fs/promises";
@@ -38,4 +38,4 @@ export {
   acquireAuthLock,
   releaseAuthLock
 };
-//# sourceMappingURL=auth-lock-GPLHRXOM.js.map
+//# sourceMappingURL=auth-lock-4IRWI3ED.js.map

package/dist/{chunk-EDYICCBC.js → chunk-3COOEDPF.js}

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 import {
   loadConfig
-} from "./chunk-IDPV5SNB.js";
+} from "./chunk-OBF7IMQ2.js";
 
 // src/notifications.ts
 import { spawn } from "child_process";
@@ -77,4 +77,4 @@ export {
   isApesSelfDispatch,
   checkSudoRejection
 };
-//# sourceMappingURL=chunk-EDYICCBC.js.map
+//# sourceMappingURL=chunk-3COOEDPF.js.map

package/dist/{chunk-IT6T6AKX.js → chunk-DYSFQ26B.js}

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 import {
   getGenericAuditLogPath
-} from "./chunk-IDPV5SNB.js";
+} from "./chunk-OBF7IMQ2.js";
 
 // src/shapes/adapters.ts
 import { createHash } from "crypto";
@@ -1212,4 +1212,4 @@ export {
   buildExactCommandGrantRequest,
   buildStructuredCliGrantRequest
 };
-//# sourceMappingURL=chunk-IT6T6AKX.js.map
+//# sourceMappingURL=chunk-DYSFQ26B.js.map

package/dist/{chunk-7NUT2PFT.js → chunk-N3THIFIS.js}

@@ -5,7 +5,7 @@ import {
   loadAuth,
   loadConfig,
   saveAuth
-} from "./chunk-IDPV5SNB.js";
+} from "./chunk-OBF7IMQ2.js";
 
 // src/http.ts
 import consola from "consola";
@@ -104,7 +104,7 @@ async function refreshOAuthToken() {
   const auth = loadAuth();
   if (!auth?.refresh_token)
     return null;
-  const { acquireAuthLock, releaseAuthLock } = await import("./auth-lock-GPLHRXOM.js");
+  const { acquireAuthLock, releaseAuthLock } = await import("./auth-lock-4IRWI3ED.js");
   const lock = await acquireAuthLock({ timeoutMs: 5e3 });
   if (!lock) {
     return getAuthToken();
@@ -217,4 +217,4 @@ export {
   ensureFreshToken,
   apiFetch
 };
-//# sourceMappingURL=chunk-7NUT2PFT.js.map
+//# sourceMappingURL=chunk-N3THIFIS.js.map

package/dist/{chunk-IDPV5SNB.js → chunk-OBF7IMQ2.js}

@@ -23,7 +23,24 @@ function loadAuth() {
 }
 function saveAuth(data) {
   ensureDir();
-  writeFileSync(AUTH_FILE, JSON.stringify(data, null, 2), { mode: 384 });
+  let extra = {};
+  if (existsSync(AUTH_FILE)) {
+    try {
+      const raw = readFileSync(AUTH_FILE, "utf-8");
+      if (raw.trim()) {
+        const prev = JSON.parse(raw);
+        for (const key of Object.keys(prev)) {
+          if (!(key in data)) {
+            extra[key] = prev[key];
+          }
+        }
+      }
+    } catch {
+      extra = {};
+    }
+  }
+  const merged = { ...extra, ...data };
+  writeFileSync(AUTH_FILE, JSON.stringify(merged, null, 2), { mode: 384 });
 }
 function clearAuth() {
   if (existsSync(AUTH_FILE)) {
@@ -169,4 +186,4 @@ export {
   getAuthToken,
   getRequesterIdentity
 };
-//# sourceMappingURL=chunk-IDPV5SNB.js.map
+//# sourceMappingURL=chunk-OBF7IMQ2.js.map

package/dist/chunk-OBF7IMQ2.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/config.ts"],"sourcesContent":["import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs'\nimport { homedir } from 'node:os'\nimport { join } from 'node:path'\n\nexport interface AuthData {\n  idp: string\n  access_token: string\n  refresh_token?: string\n  email: string\n  expires_at: number\n  /**\n   * Set by `apes login --key …` (and `apes agents spawn`), absolute\n   * path to the Ed25519 key the agent signs challenges with. Lets\n   * `@openape/cli-auth` refresh agent tokens in-process; see #259.\n   */\n  key_path?: string\n  /**\n   * Email of the human who owns this agent — written by\n   * `apes agents spawn`. The chat-bridge reads it for owner-only\n   * contact handshakes. Optional for human auth.json files.\n   */\n  owner_email?: string\n}\n\nexport interface ApesConfig {\n  defaults?: {\n    idp?: string\n    approval?: string\n    /**\n     * Audience for the `apes run` async info block. `agent` (default)\n     * emits verbose agent-facing instructions with a polling protocol;\n     * `human` emits a short friendly block. Env var `APES_USER` wins.\n     */\n    user?: 'agent' | 'human'\n    /**\n     * Poll interval (seconds) embedded in the agent-mode instructions.\n     * Default 10. Env var `APES_GRANT_POLL_INTERVAL` wins. Stored as a\n     * string in TOML because the hand-rolled parser only handles quoted\n     * values — casting to number happens at read time.\n     */\n    grant_poll_interval_seconds?: string\n    /**\n     * Maximum poll duration (minutes) embedded in the agent-mode\n     * instructions. Default 5. Env var `APES_GRANT_POLL_MAX_MINUTES` wins.\n     */\n    grant_poll_max_minutes?: string\n    /**\n     * Exit code emitted by `apes run` / `ape-shell -c` when the async\n     * default path creates a pending grant. Default `75` (`EX_TEMPFAIL`\n     * from sysexits.h — \"temporary failure, retry later\"). Set to `0`\n     * to restore the pre-0.10.0 exit-0 behaviour. Env var\n     * `APES_ASYNC_EXIT_CODE` wins. Valid range 0–255.\n     */\n    async_exit_code?: string\n  }\n  agent?: {\n    key?: string\n    email?: string\n  }\n  notifications?: {\n    pending_command?: string\n  }\n  /**\n   * Generic-fallback mode: when `apes run -- <cli>` is called with a CLI\n   * that has no registered shape, fall through to a synthetic adapter that\n   * requests a single-use, forced-high-risk grant for the exact argv.\n   * See `shapes/generic.ts`.\n   */\n  generic?: {\n    /**\n     * Master switch. Default `true` (permissive). Set to `false` to restore\n     * the legacy \"No adapter found\" hard-fail. Stored as string in TOML\n     * (hand-parser limitation) and parsed as `value !== 'false'` at read time.\n     */\n    enabled?: string\n    /** Override the audit-log location. Default `~/.config/apes/generic-calls.log`. Tilde-expanded at read time. */\n    audit_log?: string\n  }\n}\n\nconst CONFIG_DIR = join(homedir(), '.config', 'apes')\nconst AUTH_FILE = join(CONFIG_DIR, 'auth.json')\nconst CONFIG_FILE = join(CONFIG_DIR, 'config.toml')\n\nfunction ensureDir() {\n  if (!existsSync(CONFIG_DIR)) {\n    mkdirSync(CONFIG_DIR, { recursive: true })\n  }\n}\n\nexport function loadAuth(): AuthData | null {\n  if (!existsSync(AUTH_FILE))\n    return null\n  try {\n    return JSON.parse(readFileSync(AUTH_FILE, 'utf-8'))\n  }\n  catch {\n    return null\n  }\n}\n\nexport function saveAuth(data: AuthData): void {\n  ensureDir()\n  // Preserve unmodelled fields from any prior version of auth.json\n  // (e.g. older installs of this package, or fields a sibling CLI\n  // wrote). Symmetric with cli-auth's saveIdpAuth — see #257 for the\n  // bridge crash-loop the bare overwrite caused before.\n  let extra: Record<string, unknown> = {}\n  if (existsSync(AUTH_FILE)) {\n    try {\n      const raw = readFileSync(AUTH_FILE, 'utf-8')\n      if (raw.trim()) {\n        const prev = JSON.parse(raw) as Record<string, unknown>\n        for (const key of Object.keys(prev)) {\n          if (!(key in (data as unknown as Record<string, unknown>))) {\n            extra[key] = prev[key]\n          }\n        }\n      }\n    }\n    catch {\n      extra = {}\n    }\n  }\n  const merged = { ...extra, ...data }\n  writeFileSync(AUTH_FILE, JSON.stringify(merged, null, 2), { mode: 0o600 })\n}\n\nexport function clearAuth(): void {\n  if (existsSync(AUTH_FILE)) {\n    writeFileSync(AUTH_FILE, '', { mode: 0o600 })\n  }\n  // Also wipe the [agent] section from config.toml so logout disables\n  // auto-refresh. Preserves [defaults] so the IdP URL stays configured.\n  if (existsSync(CONFIG_FILE)) {\n    const existing = loadConfig()\n    if (existing.agent) {\n      const { agent: _removed, ...rest } = existing\n      saveConfig(rest)\n    }\n  }\n}\n\nexport function loadConfig(): ApesConfig {\n  if (!existsSync(CONFIG_FILE))\n    return {}\n  try {\n    return parseTOML(readFileSync(CONFIG_FILE, 'utf-8'))\n  }\n  catch {\n    return {}\n  }\n}\n\nfunction parseTOML(content: string): ApesConfig {\n  const config: ApesConfig = {}\n  let section = ''\n\n  for (const line of content.split('\\n')) {\n    const trimmed = line.trim()\n    if (!trimmed || trimmed.startsWith('#'))\n      continue\n\n    const sectionMatch = trimmed.match(/^\\[(.+)\\]$/)\n    if (sectionMatch) {\n      section = sectionMatch[1]!\n      continue\n    }\n\n    // Accept quoted strings and bare booleans/tokens — the generic section\n    // uses `enabled = false` (no quotes) which the quoted-only match would\n    // silently drop.\n    const kvQuoted = trimmed.match(/^(\\w+)\\s*=\\s*\"(.*)\"$/)\n    const kvBare = trimmed.match(/^(\\w+)\\s*=\\s*([^\"\\s]\\S*)$/)\n    const kvMatch = kvQuoted ?? kvBare\n    if (kvMatch) {\n      const [, key, value] = kvMatch\n      if (section === 'defaults') {\n        config.defaults = config.defaults || {}\n        ;(config.defaults as Record<string, string>)[key!] = value!\n      }\n      else if (section === 'agent') {\n        config.agent = config.agent || {}\n        ;(config.agent as Record<string, string>)[key!] = value!\n      }\n      else if (section === 'notifications') {\n        config.notifications = config.notifications || {}\n        ;(config.notifications as Record<string, string>)[key!] = value!\n      }\n      else if (section === 'generic') {\n        config.generic = config.generic || {}\n        ;(config.generic as Record<string, string>)[key!] = value!\n      }\n    }\n  }\n\n  return config\n}\n\nexport function saveConfig(config: ApesConfig): void {\n  ensureDir()\n  const lines: string[] = []\n\n  if (config.defaults) {\n    lines.push('[defaults]')\n    for (const [key, value] of Object.entries(config.defaults)) {\n      if (value)\n        lines.push(`${key} = \"${value}\"`)\n    }\n    lines.push('')\n  }\n\n  if (config.agent) {\n    lines.push('[agent]')\n    for (const [key, value] of Object.entries(config.agent)) {\n      if (value)\n        lines.push(`${key} = \"${value}\"`)\n    }\n    lines.push('')\n  }\n\n  if (config.notifications) {\n    lines.push('[notifications]')\n    for (const [key, value] of Object.entries(config.notifications)) {\n      if (value)\n        lines.push(`${key} = \"${value}\"`)\n    }\n    lines.push('')\n  }\n\n  if (config.generic) {\n    lines.push('[generic]')\n    for (const [key, value] of Object.entries(config.generic)) {\n      if (value)\n        lines.push(`${key} = \"${value}\"`)\n    }\n    lines.push('')\n  }\n\n  writeFileSync(CONFIG_FILE, lines.join('\\n'), { mode: 0o600 })\n}\n\n/**\n * Is generic-fallback enabled? Permissive default: `true` unless the user\n * explicitly sets `[generic] enabled = false`.\n */\nexport function isGenericFallbackEnabled(config?: ApesConfig): boolean {\n  const cfg = config ?? loadConfig()\n  const raw = cfg.generic?.enabled\n  if (raw === undefined) return true\n  return raw !== 'false'\n}\n\n/**\n * Resolve the audit-log path for generic calls, expanding `~` to `$HOME`.\n */\nexport function getGenericAuditLogPath(config?: ApesConfig): string {\n  const cfg = config ?? loadConfig()\n  const raw = cfg.generic?.audit_log\n  const path = raw && raw.length > 0\n    ? raw\n    : join(homedir(), '.config', 'apes', 'generic-calls.log')\n  return path.startsWith('~/')\n    ? join(homedir(), path.slice(2))\n    : path\n}\n\nexport function getIdpUrl(explicit?: string): string | null {\n  if (explicit)\n    return explicit\n  if (process.env.APES_IDP)\n    return process.env.APES_IDP\n\n  const auth = loadAuth()\n  if (auth?.idp)\n    return auth.idp\n\n  const config = loadConfig()\n  if (config.defaults?.idp)\n    return config.defaults.idp\n\n  return null\n}\n\nexport function getAuthToken(): string | null {\n  const auth = loadAuth()\n  if (!auth)\n    return null\n\n  // Check expiry (with 30s buffer)\n  if (auth.expires_at && Date.now() / 1000 > auth.expires_at - 30) {\n    return null // expired\n  }\n\n  return auth.access_token\n}\n\nexport function getRequesterIdentity(): string | null {\n  return loadAuth()?.email ?? null\n}\n\nexport { CONFIG_DIR, AUTH_FILE }\n"],"mappings":";;;AAAA,SAAS,YAAY,WAAW,cAAc,qBAAqB;AACnE,SAAS,eAAe;AACxB,SAAS,YAAY;AA8ErB,IAAM,aAAa,KAAK,QAAQ,GAAG,WAAW,MAAM;AACpD,IAAM,YAAY,KAAK,YAAY,WAAW;AAC9C,IAAM,cAAc,KAAK,YAAY,aAAa;AAElD,SAAS,YAAY;AACnB,MAAI,CAAC,WAAW,UAAU,GAAG;AAC3B,cAAU,YAAY,EAAE,WAAW,KAAK,CAAC;AAAA,EAC3C;AACF;AAEO,SAAS,WAA4B;AAC1C,MAAI,CAAC,WAAW,SAAS;AACvB,WAAO;AACT,MAAI;AACF,WAAO,KAAK,MAAM,aAAa,WAAW,OAAO,CAAC;AAAA,EACpD,QACM;AACJ,WAAO;AAAA,EACT;AACF;AAEO,SAAS,SAAS,MAAsB;AAC7C,YAAU;AAKV,MAAI,QAAiC,CAAC;AACtC,MAAI,WAAW,SAAS,GAAG;AACzB,QAAI;AACF,YAAM,MAAM,aAAa,WAAW,OAAO;AAC3C,UAAI,IAAI,KAAK,GAAG;AACd,cAAM,OAAO,KAAK,MAAM,GAAG;AAC3B,mBAAW,OAAO,OAAO,KAAK,IAAI,GAAG;AACnC,cAAI,EAAE,OAAQ,OAA8C;AAC1D,kBAAM,GAAG,IAAI,KAAK,GAAG;AAAA,UACvB;AAAA,QACF;AAAA,MACF;AAAA,IACF,QACM;AACJ,cAAQ,CAAC;AAAA,IACX;AAAA,EACF;AACA,QAAM,SAAS,EAAE,GAAG,OAAO,GAAG,KAAK;AACnC,gBAAc,WAAW,KAAK,UAAU,QAAQ,MAAM,CAAC,GAAG,EAAE,MAAM,IAAM,CAAC;AAC3E;AAEO,SAAS,YAAkB;AAChC,MAAI,WAAW,SAAS,GAAG;AACzB,kBAAc,WAAW,IAAI,EAAE,MAAM,IAAM,CAAC;AAAA,EAC9C;AAGA,MAAI,WAAW,WAAW,GAAG;AAC3B,UAAM,WAAW,WAAW;AAC5B,QAAI,SAAS,OAAO;AAClB,YAAM,EAAE,OAAO,UAAU,GAAG,KAAK,IAAI;AACrC,iBAAW,IAAI;AAAA,IACjB;AAAA,EACF;AACF;AAEO,SAAS,aAAyB;AACvC,MAAI,CAAC,WAAW,WAAW;AACzB,WAAO,CAAC;AACV,MAAI;AACF,WAAO,UAAU,aAAa,aAAa,OAAO,CAAC;AAAA,EACrD,QACM;AACJ,WAAO,CAAC;AAAA,EACV;AACF;AAEA,SAAS,UAAU,SAA6B;AAC9C,QAAM,SAAqB,CAAC;AAC5B,MAAI,UAAU;AAEd,aAAW,QAAQ,QAAQ,MAAM,IAAI,GAAG;AACtC,UAAM,UAAU,KAAK,KAAK;AAC1B,QAAI,CAAC,WAAW,QAAQ,WAAW,GAAG;AACpC;AAEF,UAAM,eAAe,QAAQ,MAAM,YAAY;AAC/C,QAAI,cAAc;AAChB,gBAAU,aAAa,CAAC;AACxB;AAAA,IACF;AAKA,UAAM,WAAW,QAAQ,MAAM,sBAAsB;AACrD,UAAM,SAAS,QAAQ,MAAM,2BAA2B;AACxD,UAAM,UAAU,YAAY;AAC5B,QAAI,SAAS;AACX,YAAM,CAAC,EAAE,KAAK,KAAK,IAAI;AACvB,UAAI,YAAY,YAAY;AAC1B,eAAO,WAAW,OAAO,YAAY,CAAC;AACrC,QAAC,OAAO,SAAoC,GAAI,IAAI;AAAA,MACvD,WACS,YAAY,SAAS;AAC5B,eAAO,QAAQ,OAAO,SAAS,CAAC;AAC/B,QAAC,OAAO,MAAiC,GAAI,IAAI;AAAA,MACpD,WACS,YAAY,iBAAiB;AACpC,eAAO,gBAAgB,OAAO,iBAAiB,CAAC;AAC/C,QAAC,OAAO,cAAyC,GAAI,IAAI;AAAA,MAC5D,WACS,YAAY,WAAW;AAC9B,eAAO,UAAU,OAAO,WAAW,CAAC;AACnC,QAAC,OAAO,QAAmC,GAAI,IAAI;AAAA,MACtD;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AACT;AAEO,SAAS,WAAW,QAA0B;AACnD,YAAU;AACV,QAAM,QAAkB,CAAC;AAEzB,MAAI,OAAO,UAAU;AACnB,UAAM,KAAK,YAAY;AACvB,eAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,OAAO,QAAQ,GAAG;AAC1D,UAAI;AACF,cAAM,KAAK,GAAG,GAAG,OAAO,KAAK,GAAG;AAAA,IACpC;AACA,UAAM,KAAK,EAAE;AAAA,EACf;AAEA,MAAI,OAAO,OAAO;AAChB,UAAM,KAAK,SAAS;AACpB,eAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,OAAO,KAAK,GAAG;AACvD,UAAI;AACF,cAAM,KAAK,GAAG,GAAG,OAAO,KAAK,GAAG;AAAA,IACpC;AACA,UAAM,KAAK,EAAE;AAAA,EACf;AAEA,MAAI,OAAO,eAAe;AACxB,UAAM,KAAK,iBAAiB;AAC5B,eAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,OAAO,aAAa,GAAG;AAC/D,UAAI;AACF,cAAM,KAAK,GAAG,GAAG,OAAO,KAAK,GAAG;AAAA,IACpC;AACA,UAAM,KAAK,EAAE;AAAA,EACf;AAEA,MAAI,OAAO,SAAS;AAClB,UAAM,KAAK,WAAW;AACtB,eAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,OAAO,OAAO,GAAG;AACzD,UAAI;AACF,cAAM,KAAK,GAAG,GAAG,OAAO,KAAK,GAAG;AAAA,IACpC;AACA,UAAM,KAAK,EAAE;AAAA,EACf;AAEA,gBAAc,aAAa,MAAM,KAAK,IAAI,GAAG,EAAE,MAAM,IAAM,CAAC;AAC9D;AAMO,SAAS,yBAAyB,QAA8B;AACrE,QAAM,MAAM,UAAU,WAAW;AACjC,QAAM,MAAM,IAAI,SAAS;AACzB,MAAI,QAAQ,OAAW,QAAO;AAC9B,SAAO,QAAQ;AACjB;AAKO,SAAS,uBAAuB,QAA6B;AAClE,QAAM,MAAM,UAAU,WAAW;AACjC,QAAM,MAAM,IAAI,SAAS;AACzB,QAAM,OAAO,OAAO,IAAI,SAAS,IAC7B,MACA,KAAK,QAAQ,GAAG,WAAW,QAAQ,mBAAmB;AAC1D,SAAO,KAAK,WAAW,IAAI,IACvB,KAAK,QAAQ,GAAG,KAAK,MAAM,CAAC,CAAC,IAC7B;AACN;AAEO,SAAS,UAAU,UAAkC;AAC1D,MAAI;AACF,WAAO;AACT,MAAI,QAAQ,IAAI;AACd,WAAO,QAAQ,IAAI;AAErB,QAAM,OAAO,SAAS;AACtB,MAAI,MAAM;AACR,WAAO,KAAK;AAEd,QAAM,SAAS,WAAW;AAC1B,MAAI,OAAO,UAAU;AACnB,WAAO,OAAO,SAAS;AAEzB,SAAO;AACT;AAEO,SAAS,eAA8B;AAC5C,QAAM,OAAO,SAAS;AACtB,MAAI,CAAC;AACH,WAAO;AAGT,MAAI,KAAK,cAAc,KAAK,IAAI,IAAI,MAAO,KAAK,aAAa,IAAI;AAC/D,WAAO;AAAA,EACT;AAEA,SAAO,KAAK;AACd;AAEO,SAAS,uBAAsC;AACpD,SAAO,SAAS,GAAG,SAAS;AAC9B;","names":[]}

package/dist/cli.js

@@ -12,7 +12,7 @@ import {
   checkSudoRejection,
   isApesSelfDispatch,
   notifyGrantPending
-} from "./chunk-EDYICCBC.js";
+} from "./chunk-3COOEDPF.js";
 import {
   GENERIC_OPERATION_ID,
   buildGenericResolved,
@@ -40,7 +40,7 @@ import {
   searchAdapters,
   verifyAndExecute,
   waitForGrantStatus
-} from "./chunk-IT6T6AKX.js";
+} from "./chunk-DYSFQ26B.js";
 import {
   ApiError,
   apiFetch,
@@ -48,7 +48,7 @@ import {
   getAgentChallengeEndpoint,
   getDelegationsEndpoint,
   getGrantsEndpoint
-} from "./chunk-7NUT2PFT.js";
+} from "./chunk-N3THIFIS.js";
 import {
   AUTH_FILE,
   CONFIG_DIR,
@@ -60,7 +60,7 @@ import {
   loadConfig,
   saveAuth,
   saveConfig
-} from "./chunk-IDPV5SNB.js";
+} from "./chunk-OBF7IMQ2.js";
 
 // src/cli.ts
 import consola37 from "consola";
@@ -409,13 +409,14 @@ async function loginWithKey(idp, keyPath, agentEmail) {
     throw new CliError(`Authentication failed: ${await authResp.text()}`);
   }
   const { token, expires_in } = await authResp.json();
+  const absoluteKeyPath = resolvePath(keyPath.replace(/^~/, homedir2()));
   saveAuth({
     idp,
     access_token: token,
     email: agentEmail,
-    expires_at: Math.floor(Date.now() / 1e3) + (expires_in || 3600)
+    expires_at: Math.floor(Date.now() / 1e3) + (expires_in || 3600),
+    key_path: absoluteKeyPath
   });
-  const absoluteKeyPath = resolvePath(keyPath.replace(/^~/, homedir2()));
   const existingConfig = loadConfig();
   saveConfig({
     ...existingConfig,
@@ -2008,6 +2009,7 @@ function buildAgentAuthJson(input) {
     access_token: input.accessToken,
     email: input.email,
     expires_at: input.expiresAt,
+    key_path: input.keyPath,
     owner_email: input.ownerEmail
   }, null, 2)}
 `;
@@ -2611,22 +2613,10 @@ set -euo pipefail
 
 export PATH="$HOME/.bun/bin:/opt/homebrew/bin:/usr/local/bin:/usr/bin:/bin"
 
-# Refresh IdP token. Agents auth via SSH-key signing \u2014 the cached IdP
-# token has no refresh_token and expires after ~1h. Re-running apes
-# login re-signs against the registered key. Soft-fails to leave the
-# bridge usable on cached token if the IdP is briefly unreachable.
-if [ -f "$HOME/.config/apes/auth.json" ] && command -v apes >/dev/null 2>&1; then
-  agent_email=$(python3 -c "import json,os,sys
-try: print(json.load(open(os.path.expanduser('~/.config/apes/auth.json')))['email'])
-except Exception: sys.exit(1)" 2>/dev/null || true)
-  agent_idp=$(python3 -c "import json,os,sys
-try: print(json.load(open(os.path.expanduser('~/.config/apes/auth.json')))['idp'])
-except Exception: sys.exit(1)" 2>/dev/null || true)
-  if [ -n "$agent_email" ] && [ -n "$agent_idp" ]; then
-    apes login "$agent_email" --idp "$agent_idp" >/dev/null 2>&1 \\
-      || echo "warn: apes login failed for $agent_email; continuing with cached token"
-  fi
-fi
+# Token refresh is in-process via @openape/cli-auth's challenge-response
+# path (auth.json.key_path -> ~/.ssh/id_ed25519). No "apes login" needed
+# at boot \u2014 keeping start.sh slim avoids the rate-limit dance the old
+# refresh hit when KeepAlive crash-restarted the daemon every 1h.
 
 EXT_DIR="$HOME/.pi/agent/extensions"
 mkdir -p "$EXT_DIR"
@@ -2672,7 +2662,7 @@ set +a
 exec openape-chat-bridge
 `;
 }
-function buildBridgePlist(agentName, homeDir) {
+function buildBridgePlist(agentName, homeDir, ownerEmail) {
   const startScript = `${homeDir}/Library/Application Support/openape/bridge/start.sh`;
   const stdoutLog = `${homeDir}/Library/Logs/openape-chat-bridge.log`;
   const stderrLog = `${homeDir}/Library/Logs/openape-chat-bridge.err.log`;
@@ -2707,6 +2697,8 @@ function buildBridgePlist(agentName, homeDir) {
         <string>${homeDir}</string>
         <key>PATH</key>
         <string>${homeDir}/.bun/bin:/opt/homebrew/bin:/usr/local/bin:/usr/bin:/bin</string>
+        <key>OPENAPE_OWNER_EMAIL</key>
+        <string>${ownerEmail}</string>
     </dict>
 </dict>
 </plist>
@@ -2816,6 +2808,7 @@ and try again.`
         accessToken: token,
         email: registration.email,
         expiresAt: Math.floor(Date.now() / 1e3) + expiresIn,
+        keyPath: `${homeDir}/.ssh/id_ed25519`,
         ownerEmail: auth.email
       });
       const includeClaudeHook = !args["no-claude-hook"];
@@ -2831,7 +2824,7 @@ and try again.`
         return {
           plistLabel: bridgePlistLabel(name),
           plistPath: bridgePlistPath(name),
-          plistContent: buildBridgePlist(name, homeDir),
+          plistContent: buildBridgePlist(name, homeDir, auth.email),
           startScript: buildBridgeStartScript(),
           envFile: buildBridgeEnvFile(cfg)
         };
@@ -4164,7 +4157,7 @@ var mcpCommand = defineCommand33({
     if (transport !== "stdio" && transport !== "sse") {
       throw new Error('Transport must be "stdio" or "sse"');
     }
-    const { startMcpServer } = await import("./server-QGV3ED6I.js");
+    const { startMcpServer } = await import("./server-TBXFWNUV.js");
     await startMcpServer(transport, port);
   }
 });
@@ -4802,7 +4795,7 @@ async function bestEffortGrantCount(idp) {
   }
 }
 async function runHealth(args) {
-  const version = true ? "0.29.0" : "0.0.0";
+  const version = true ? "0.31.0" : "0.0.0";
   const auth = loadAuth();
   if (!auth) {
     throw new CliError("Not logged in. Run `apes login` first.", 1);
@@ -5075,10 +5068,10 @@ if (shellRewrite) {
   if (shellRewrite.action === "rewrite") {
     process.argv = shellRewrite.argv;
   } else if (shellRewrite.action === "version") {
-    console.log(`ape-shell ${"0.29.0"} (OpenApe DDISA shell wrapper)`);
+    console.log(`ape-shell ${"0.31.0"} (OpenApe DDISA shell wrapper)`);
     process.exit(0);
   } else if (shellRewrite.action === "help") {
-    console.log(`ape-shell ${"0.29.0"} \u2014 OpenApe DDISA shell wrapper`);
+    console.log(`ape-shell ${"0.31.0"} \u2014 OpenApe DDISA shell wrapper`);
     console.log("");
     console.log("Usage:");
     console.log("  ape-shell                 Start interactive grant-mediated REPL");
@@ -5093,7 +5086,7 @@ if (shellRewrite) {
     console.log("  --help, -h      Show this help message");
     process.exit(0);
   } else if (shellRewrite.action === "interactive") {
-    const { runInteractiveShell } = await import("./orchestrator-RWTALOSA.js");
+    const { runInteractiveShell } = await import("./orchestrator-EH6V5ATG.js");
     await runInteractiveShell();
     process.exit(0);
   } else {
@@ -5136,7 +5129,7 @@ var configCommand = defineCommand45({
 var main = defineCommand45({
   meta: {
     name: "apes",
-    version: "0.29.0",
+    version: "0.31.0",
     description: "Unified CLI for OpenApe"
   },
   subCommands: {
@@ -5182,16 +5175,16 @@ var NO_REFRESH_COMMANDS = /* @__PURE__ */ new Set([
 async function maybeRefreshAuth() {
   const sub = process.argv[2];
   if (!sub || NO_REFRESH_COMMANDS.has(sub)) return;
-  const { loadAuth: loadAuth2 } = await import("./config-JH2IEPIR.js");
+  const { loadAuth: loadAuth2 } = await import("./config-MOB5DJ6H.js");
   if (!loadAuth2()) return;
   try {
-    const { ensureFreshToken } = await import("./http-JZT4XV5I.js");
+    const { ensureFreshToken } = await import("./http-5F7FX4V7.js");
     await ensureFreshToken();
   } catch {
   }
 }
 await maybeRefreshAuth();
-await maybeWarnStaleVersion("0.29.0").catch(() => {
+await maybeWarnStaleVersion("0.31.0").catch(() => {
 });
 runMain(main).catch((err) => {
   if (err instanceof CliExit) {