@openape/apes 0.3.0 → 0.5.0

package/dist/{ssh-key-ABJCJDH7.js → chunk-KVBHBOED.js}

@@ -73,7 +73,8 @@ function parseOpenSSHEd25519(pem) {
     format: "jwk"
   });
 }
+
 export {
   loadEd25519PrivateKey
 };
-//# sourceMappingURL=ssh-key-ABJCJDH7.js.map
+//# sourceMappingURL=chunk-KVBHBOED.js.map

package/dist/cli.js

@@ -2,6 +2,9 @@
 import {
   parseDuration
 } from "./chunk-AGHP6MNV.js";
+import {
+  loadEd25519PrivateKey
+} from "./chunk-KVBHBOED.js";
 import {
   ApiError,
   apiFetch,
@@ -19,8 +22,8 @@ import {
 } from "./chunk-JNBFNWUF.js";
 
 // src/cli.ts
-import consola19 from "consola";
-import { defineCommand as defineCommand22, runMain } from "citty";
+import consola22 from "consola";
+import { defineCommand as defineCommand25, runMain } from "citty";
 
 // src/commands/auth/login.ts
 import { Buffer } from "buffer";
@@ -84,7 +87,7 @@ async function loginWithPKCE(idp) {
   authUrl.searchParams.set("state", state);
   authUrl.searchParams.set("nonce", nonce);
   authUrl.searchParams.set("scope", "openid email profile offline_access");
-  const code = await new Promise((resolve, reject) => {
+  const code = await new Promise((resolve2, reject) => {
     const server = createServer((req, res) => {
       const url = new URL(req.url, `http://localhost:${CALLBACK_PORT}`);
       if (url.pathname === "/callback") {
@@ -101,7 +104,7 @@ async function loginWithPKCE(idp) {
           res.writeHead(200, { "Content-Type": "text/html" });
           res.end("<h1>Login successful!</h1><p>You can close this window.</p>");
           server.close();
-          resolve(authCode);
+          resolve2(authCode);
           return;
         }
         res.writeHead(400);
@@ -154,9 +157,9 @@ async function loginWithPKCE(idp) {
   consola.success(`Logged in as ${payload.email || payload.sub}`);
 }
 async function loginWithKey(idp, keyPath, email) {
-  const { readFileSync } = await import("fs");
-  const { sign } = await import("crypto");
-  const { loadEd25519PrivateKey } = await import("./ssh-key-ABJCJDH7.js");
+  const { readFileSync: readFileSync2 } = await import("fs");
+  const { sign: sign2 } = await import("crypto");
+  const { loadEd25519PrivateKey: loadEd25519PrivateKey2 } = await import("./ssh-key-Q7KG4K25.js");
   const agentEmail = email;
   if (!agentEmail) {
     consola.error("Agent email required for key-based login. Use --email <agent-email>");
@@ -173,9 +176,9 @@ async function loginWithKey(idp, keyPath, email) {
     return process.exit(1);
   }
   const { challenge } = await challengeResp.json();
-  const keyContent = readFileSync(keyPath, "utf-8");
-  const privateKey = loadEd25519PrivateKey(keyContent);
-  const signature = sign(null, Buffer.from(challenge), privateKey).toString("base64");
+  const keyContent = readFileSync2(keyPath, "utf-8");
+  const privateKey = loadEd25519PrivateKey2(keyContent);
+  const signature = sign2(null, Buffer.from(challenge), privateKey).toString("base64");
   const authenticateUrl = await getAgentAuthenticateEndpoint(idp);
   const authResp = await fetch(authenticateUrl, {
     method: "POST",
@@ -644,7 +647,7 @@ async function waitForApproval2(grantsUrl, grantId) {
       consola7.error("Grant revoked.");
       process.exit(1);
     }
-    await new Promise((resolve) => setTimeout(resolve, interval));
+    await new Promise((resolve2) => setTimeout(resolve2, interval));
   }
   consola7.error("Timed out waiting for approval.");
   process.exit(1);
@@ -654,6 +657,55 @@ var requestCapabilityCommand = defineCommand8({
     name: "request-capability",
     description: "Request a structured CLI capability grant"
   },
+  args: {
+    "cliId": {
+      type: "positional",
+      description: "CLI adapter identifier (e.g. docker, kubectl)",
+      required: true
+    },
+    "resource": {
+      type: "string",
+      description: "Resource scope (repeatable)"
+    },
+    "selector": {
+      type: "string",
+      description: "Selector filter (repeatable)"
+    },
+    "action": {
+      type: "string",
+      description: "Action to permit (repeatable)"
+    },
+    "adapter": {
+      type: "string",
+      description: "Explicit path to adapter TOML file"
+    },
+    "idp": {
+      type: "string",
+      description: "IdP URL"
+    },
+    "approval": {
+      type: "string",
+      description: "Approval type: once, timed, always",
+      default: "once"
+    },
+    "reason": {
+      type: "string",
+      description: "Reason for the request"
+    },
+    "duration": {
+      type: "string",
+      description: "Duration for timed grants (e.g. 30m, 1h, 7d)"
+    },
+    "run-as": {
+      type: "string",
+      description: "Execute as this user (e.g. root)"
+    },
+    "wait": {
+      type: "boolean",
+      description: "Wait for approval before returning",
+      default: false
+    }
+  },
   async run({ rawArgs }) {
     const auth = loadAuth();
     if (!auth) {
@@ -754,22 +806,72 @@ import consola10 from "consola";
 var revokeCommand = defineCommand11({
   meta: {
     name: "revoke",
-    description: "Revoke a grant"
+    description: "Revoke one or more grants"
   },
   args: {
     id: {
       type: "positional",
-      description: "Grant ID",
-      required: true
+      description: "Grant ID(s) to revoke",
+      required: false
+    },
+    allPending: {
+      type: "boolean",
+      description: "Revoke all own pending grants",
+      default: false
     }
   },
   async run({ args }) {
     const idp = getIdpUrl();
     const grantsUrl = await getGrantsEndpoint(idp);
-    await apiFetch(`${grantsUrl}/${args.id}/revoke`, {
-      method: "POST"
-    });
-    consola10.success(`Grant ${args.id} revoked.`);
+    const explicitIds = args.id ? [String(args.id), ...args._].filter(Boolean) : [];
+    if (args.allPending && explicitIds.length > 0) {
+      consola10.error("Use either --all-pending or grant IDs, not both.");
+      return process.exit(1);
+    }
+    let ids;
+    if (args.allPending) {
+      const auth = loadAuth();
+      const response = await apiFetch(
+        `${grantsUrl}?status=pending&limit=100`
+      );
+      const ownPending = auth?.email ? response.data.filter((g) => g.requester === auth.email) : response.data;
+      if (ownPending.length === 0) {
+        consola10.info("No pending grants to revoke.");
+        return;
+      }
+      ids = ownPending.map((g) => g.id);
+      consola10.info(`Found ${ids.length} pending grant(s) to revoke.`);
+    } else if (explicitIds.length > 0) {
+      ids = explicitIds;
+    } else {
+      consola10.error("Provide grant ID(s) or use --all-pending.");
+      return process.exit(1);
+    }
+    if (ids.length === 1) {
+      await apiFetch(`${grantsUrl}/${ids[0]}/revoke`, { method: "POST" });
+      consola10.success(`Grant ${ids[0]} revoked.`);
+      return;
+    }
+    const operations = ids.map((id) => ({ id, action: "revoke" }));
+    const { results } = await apiFetch(
+      `${grantsUrl}/batch`,
+      { method: "POST", body: { operations } }
+    );
+    let succeeded = 0;
+    for (const r of results) {
+      if (r.success) {
+        consola10.success(`Grant ${r.id} revoked.`);
+        succeeded++;
+      } else {
+        consola10.error(`Grant ${r.id}: ${r.error?.title || "Failed"}`);
+      }
+    }
+    if (succeeded < results.length) {
+      consola10.info(`Revoked ${succeeded} of ${results.length} grants.`);
+      process.exit(1);
+    } else {
+      consola10.success(`All ${succeeded} grants revoked.`);
+    }
   }
 });
 
@@ -1355,6 +1457,16 @@ async function runAdapterMode(command, rawArgs, args) {
   });
   consola15.info(`Grant requested: ${grant.id}`);
   consola15.info(`Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
+  if (grant.similar_grants?.similar_grants?.length) {
+    const n = grant.similar_grants.similar_grants.length;
+    consola15.info("");
+    consola15.info(`  Similar grant(s) found (${n}). Your approver can extend an existing grant to cover this request.`);
+    if (grant.similar_grants.widened_details?.length) {
+      const wider = grant.similar_grants.widened_details.map((d) => d.permission).join(", ");
+      consola15.info(`  Broader scope: ${wider}`);
+    }
+    consola15.info("");
+  }
   const status = await waitForGrantStatus(idp, grant.id);
   if (status !== "approved")
     throw new Error(`Grant ${status}`);
@@ -1694,14 +1806,392 @@ var mcpCommand = defineCommand21({
     if (transport !== "stdio" && transport !== "sse") {
       throw new Error('Transport must be "stdio" or "sse"');
     }
-    const { startMcpServer } = await import("./server-4FD7U4DZ.js");
+    const { startMcpServer } = await import("./server-RJQH5B5F.js");
     await startMcpServer(transport, port);
   }
 });
 
+// src/commands/init/index.ts
+import { existsSync, copyFileSync, writeFileSync } from "fs";
+import { randomBytes } from "crypto";
+import { execFileSync as execFileSync2 } from "child_process";
+import { join } from "path";
+import { defineCommand as defineCommand22 } from "citty";
+import consola19 from "consola";
+var DEFAULT_IDP_URL = "https://id.openape.at";
+async function downloadTemplate(repo, targetDir) {
+  const { downloadTemplate: gigetDownload } = await import("giget");
+  await gigetDownload(`gh:${repo}`, { dir: targetDir, force: false });
+}
+function installDeps(dir) {
+  const hasLockFile = (name) => existsSync(join(dir, name));
+  if (hasLockFile("pnpm-lock.yaml")) {
+    execFileSync2("pnpm", ["install"], { cwd: dir, stdio: "inherit" });
+  } else if (hasLockFile("bun.lockb")) {
+    execFileSync2("bun", ["install"], { cwd: dir, stdio: "inherit" });
+  } else {
+    execFileSync2("npm", ["install"], { cwd: dir, stdio: "inherit" });
+  }
+}
+async function promptChoice(message, choices) {
+  const result = await consola19.prompt(message, { type: "select", options: choices });
+  if (typeof result === "symbol") {
+    process.exit(0);
+  }
+  return result;
+}
+async function promptText(message, defaultValue) {
+  const result = await consola19.prompt(message, { type: "text", default: defaultValue, placeholder: defaultValue });
+  if (typeof result === "symbol") {
+    process.exit(0);
+  }
+  return result || defaultValue || "";
+}
+var initCommand = defineCommand22({
+  meta: {
+    name: "init",
+    description: "Scaffold a new OpenApe project"
+  },
+  args: {
+    sp: {
+      type: "boolean",
+      description: "Create a Service Provider app"
+    },
+    idp: {
+      type: "boolean",
+      description: "Create an Identity Provider app"
+    },
+    dir: {
+      type: "positional",
+      description: "Target directory",
+      required: false
+    }
+  },
+  async run({ args }) {
+    let mode;
+    if (args.sp) {
+      mode = "sp";
+    } else if (args.idp) {
+      mode = "idp";
+    } else {
+      const choice = await promptChoice("What do you want to set up?", [
+        "SP \u2014 Add login to my app",
+        "IdP \u2014 Run my own Identity Provider"
+      ]);
+      mode = choice.startsWith("SP") ? "sp" : "idp";
+    }
+    if (mode === "sp") {
+      await initSP(args.dir);
+    } else {
+      await initIdP(args.dir);
+    }
+  }
+});
+async function initSP(targetDir) {
+  const dir = targetDir || "my-app";
+  if (existsSync(join(dir, "package.json"))) {
+    consola19.error(`Directory "${dir}" already contains a project.`);
+    return process.exit(1);
+  }
+  consola19.start("Scaffolding SP starter...");
+  await downloadTemplate("openape-ai/openape-sp-starter", dir);
+  consola19.success("Scaffolded from openape-sp-starter");
+  consola19.start("Installing dependencies...");
+  installDeps(dir);
+  consola19.success("Dependencies installed");
+  const envExample = join(dir, ".env.example");
+  const envFile = join(dir, ".env");
+  if (existsSync(envExample) && !existsSync(envFile)) {
+    copyFileSync(envExample, envFile);
+    consola19.success(`\`.env\` created (using Free IdP at ${DEFAULT_IDP_URL})`);
+  }
+  console.log("");
+  consola19.box([
+    `cd ${dir}`,
+    "npm run dev",
+    "",
+    "Then open http://localhost:3001/login"
+  ].join("\n"));
+}
+async function initIdP(targetDir) {
+  const dir = targetDir || "my-idp";
+  if (existsSync(join(dir, "package.json"))) {
+    consola19.error(`Directory "${dir}" already contains a project.`);
+    return process.exit(1);
+  }
+  const domain = await promptText("Domain for the IdP", "localhost");
+  const storage = await promptChoice("Storage backend", [
+    "memory (dev only, data lost on restart)",
+    "fs (local filesystem)",
+    "s3 (S3-compatible)"
+  ]);
+  const adminEmail = await promptText("Admin email");
+  consola19.start("Scaffolding IdP starter...");
+  await downloadTemplate("openape-ai/openape-idp-starter", dir);
+  consola19.success("Scaffolded from openape-idp-starter");
+  consola19.start("Installing dependencies...");
+  installDeps(dir);
+  consola19.success("Dependencies installed");
+  const sessionSecret = randomBytes(32).toString("hex");
+  const managementToken = randomBytes(32).toString("hex");
+  consola19.success("Secrets generated");
+  const isLocalhost = domain === "localhost";
+  const origin = isLocalhost ? "http://localhost:3000" : `https://${domain}`;
+  const envContent = [
+    "# Generated by apes init --idp",
+    "",
+    `NUXT_OPENAPE_SESSION_SECRET=${sessionSecret}`,
+    `NUXT_OPENAPE_ADMIN_EMAILS=${adminEmail}`,
+    `NUXT_OPENAPE_MANAGEMENT_TOKEN=${managementToken}`,
+    `NUXT_OPENAPE_ISSUER=${origin}`,
+    `NUXT_OPENAPE_RP_NAME=My Identity Provider`,
+    `NUXT_OPENAPE_RP_ID=${domain}`,
+    `NUXT_OPENAPE_RP_ORIGIN=${origin}`
+  ].join("\n");
+  writeFileSync(join(dir, ".env"), envContent + "\n", { mode: 384 });
+  consola19.success(".env created");
+  console.log("");
+  consola19.box([
+    `cd ${dir}`,
+    "npm run dev",
+    "",
+    "Then open http://localhost:3000/admin",
+    "",
+    ...isLocalhost ? [] : [
+      "For production:",
+      `  1. DNS TXT Record: _ddisa.${domain.replace(/^id\./, "")} \u2192 "v=ddisa1 idp=${origin}"`,
+      `  2. Storage: switch to ${storage.includes("s3") ? "s3" : "fs"} in nuxt.config.ts`,
+      "  3. Deploy: vercel deploy"
+    ]
+  ].join("\n"));
+}
+
+// src/commands/enroll.ts
+import { Buffer as Buffer2 } from "buffer";
+import { existsSync as existsSync2, readFileSync, writeFileSync as writeFileSync2, mkdirSync } from "fs";
+import { execFile as execFile2 } from "child_process";
+import { generateKeyPairSync, sign } from "crypto";
+import { dirname, resolve } from "path";
+import { homedir } from "os";
+import { defineCommand as defineCommand23 } from "citty";
+import consola20 from "consola";
+var DEFAULT_IDP_URL2 = "https://id.openape.at";
+var DEFAULT_KEY_PATH = "~/.ssh/id_ed25519";
+var POLL_INTERVAL = 3e3;
+var POLL_TIMEOUT = 3e5;
+function resolvePath(p) {
+  return resolve(p.replace(/^~/, homedir()));
+}
+function openBrowser2(url) {
+  const cmd = process.platform === "darwin" ? "open" : process.platform === "win32" ? "start" : "xdg-open";
+  execFile2(cmd, [url], () => {
+  });
+}
+function readPublicKey(keyPath) {
+  const pubPath = `${keyPath}.pub`;
+  if (existsSync2(pubPath)) {
+    return readFileSync(pubPath, "utf-8").trim();
+  }
+  const keyContent = readFileSync(keyPath, "utf-8");
+  const privateKey = loadEd25519PrivateKey(keyContent);
+  const jwk = privateKey.export({ format: "jwk" });
+  const pubBytes = Buffer2.from(jwk.x, "base64url");
+  const keyTypeStr = "ssh-ed25519";
+  const keyTypeLen = Buffer2.alloc(4);
+  keyTypeLen.writeUInt32BE(keyTypeStr.length);
+  const pubKeyLen = Buffer2.alloc(4);
+  pubKeyLen.writeUInt32BE(pubBytes.length);
+  const blob = Buffer2.concat([keyTypeLen, Buffer2.from(keyTypeStr), pubKeyLen, pubBytes]);
+  return `ssh-ed25519 ${blob.toString("base64")}`;
+}
+function generateAndSaveKey(keyPath) {
+  const resolved = resolvePath(keyPath);
+  const dir = dirname(resolved);
+  if (!existsSync2(dir)) {
+    mkdirSync(dir, { recursive: true });
+  }
+  const { publicKey, privateKey } = generateKeyPairSync("ed25519");
+  const privatePem = privateKey.export({ type: "pkcs8", format: "pem" });
+  writeFileSync2(resolved, privatePem, { mode: 384 });
+  const jwk = publicKey.export({ format: "jwk" });
+  const pubBytes = Buffer2.from(jwk.x, "base64url");
+  const keyTypeStr = "ssh-ed25519";
+  const keyTypeLen = Buffer2.alloc(4);
+  keyTypeLen.writeUInt32BE(keyTypeStr.length);
+  const pubKeyLen = Buffer2.alloc(4);
+  pubKeyLen.writeUInt32BE(pubBytes.length);
+  const blob = Buffer2.concat([keyTypeLen, Buffer2.from(keyTypeStr), pubKeyLen, pubBytes]);
+  const pubKeyStr = `ssh-ed25519 ${blob.toString("base64")}`;
+  writeFileSync2(`${resolved}.pub`, `${pubKeyStr}
+`, { mode: 420 });
+  return pubKeyStr;
+}
+async function pollForEnrollment(idp, agentEmail, keyPath) {
+  const resolvedKey = resolvePath(keyPath);
+  const keyContent = readFileSync(resolvedKey, "utf-8");
+  const privateKey = loadEd25519PrivateKey(keyContent);
+  const challengeUrl = await getAgentChallengeEndpoint(idp);
+  const authenticateUrl = await getAgentAuthenticateEndpoint(idp);
+  const startTime = Date.now();
+  while (Date.now() - startTime < POLL_TIMEOUT) {
+    try {
+      const challengeResp = await fetch(challengeUrl, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ agent_id: agentEmail })
+      });
+      if (challengeResp.ok) {
+        const { challenge } = await challengeResp.json();
+        const signature = sign(null, Buffer2.from(challenge), privateKey).toString("base64");
+        const authResp = await fetch(authenticateUrl, {
+          method: "POST",
+          headers: { "Content-Type": "application/json" },
+          body: JSON.stringify({ agent_id: agentEmail, challenge, signature })
+        });
+        if (authResp.ok) {
+          const result = await authResp.json();
+          return { token: result.token, expiresIn: result.expires_in };
+        }
+      }
+    } catch {
+    }
+    await new Promise((resolve2) => setTimeout(resolve2, POLL_INTERVAL));
+  }
+  throw new Error("Enrollment timed out. Please check the browser and try again.");
+}
+var enrollCommand = defineCommand23({
+  meta: {
+    name: "enroll",
+    description: "Enroll an agent with an Identity Provider"
+  },
+  args: {
+    idp: {
+      type: "string",
+      description: `IdP URL (default: ${DEFAULT_IDP_URL2})`
+    },
+    name: {
+      type: "string",
+      description: "Agent name"
+    },
+    key: {
+      type: "string",
+      description: `Path to Ed25519 key (default: ${DEFAULT_KEY_PATH})`
+    }
+  },
+  async run({ args }) {
+    const idp = args.idp || await consola20.prompt("IdP URL", { type: "text", default: DEFAULT_IDP_URL2, placeholder: DEFAULT_IDP_URL2 }).then((r) => typeof r === "symbol" ? process.exit(0) : r) || DEFAULT_IDP_URL2;
+    const agentName = args.name || await consola20.prompt("Agent name", { type: "text", placeholder: "deploy-bot" }).then((r) => typeof r === "symbol" ? process.exit(0) : r);
+    if (!agentName) {
+      consola20.error("Agent name is required.");
+      return process.exit(1);
+    }
+    const keyPath = args.key || await consola20.prompt("Ed25519 key", { type: "text", default: DEFAULT_KEY_PATH, placeholder: DEFAULT_KEY_PATH }).then((r) => typeof r === "symbol" ? process.exit(0) : r) || DEFAULT_KEY_PATH;
+    const resolvedKey = resolvePath(keyPath);
+    let publicKey;
+    if (existsSync2(resolvedKey)) {
+      publicKey = readPublicKey(resolvedKey);
+      consola20.success(`Using existing key ${keyPath}`);
+    } else {
+      consola20.start(`Generating Ed25519 key pair at ${keyPath}...`);
+      publicKey = generateAndSaveKey(keyPath);
+      consola20.success(`Key pair generated at ${keyPath}`);
+    }
+    const encodedKey = encodeURIComponent(publicKey);
+    const enrollUrl = `${idp}/enroll?name=${encodeURIComponent(agentName)}&key=${encodedKey}`;
+    consola20.info("Opening browser for enrollment...");
+    consola20.info(`\u2192 ${idp}/enroll`);
+    openBrowser2(enrollUrl);
+    console.log("");
+    const agentEmail = await consola20.prompt(
+      "Agent email (shown in browser after enrollment)",
+      { type: "text", placeholder: `agent+${agentName}@...` }
+    ).then((r) => typeof r === "symbol" ? process.exit(0) : r);
+    if (!agentEmail) {
+      consola20.error("Agent email is required to verify enrollment.");
+      return process.exit(1);
+    }
+    consola20.start("Verifying enrollment...");
+    const { token, expiresIn } = await pollForEnrollment(idp, agentEmail, keyPath);
+    saveAuth({
+      idp,
+      access_token: token,
+      email: agentEmail,
+      expires_at: Math.floor(Date.now() / 1e3) + (expiresIn || 3600)
+    });
+    const config = loadConfig();
+    config.defaults = { ...config.defaults, idp };
+    config.agent = { key: keyPath, email: agentEmail };
+    saveConfig(config);
+    consola20.success(`Agent enrolled as ${agentEmail}`);
+    consola20.success("Config saved to ~/.config/apes/");
+    console.log("");
+    consola20.info("Verify with: apes whoami");
+  }
+});
+
+// src/commands/dns-check.ts
+import { defineCommand as defineCommand24 } from "citty";
+import consola21 from "consola";
+import { resolveDDISA } from "@openape/core";
+var dnsCheckCommand = defineCommand24({
+  meta: {
+    name: "dns-check",
+    description: "Validate DDISA DNS TXT records for a domain"
+  },
+  args: {
+    domain: {
+      type: "positional",
+      description: "Domain to check (e.g. example.com)",
+      required: true
+    }
+  },
+  async run({ args }) {
+    const domain = args.domain;
+    consola21.start(`Checking _ddisa.${domain}...`);
+    try {
+      const result = await resolveDDISA(domain);
+      if (!result) {
+        consola21.error(`No DDISA record found for ${domain}`);
+        console.log("");
+        console.log("To set up DDISA, add a DNS TXT record:");
+        console.log(`  _ddisa.${domain} TXT "v=ddisa1 idp=https://id.${domain}"`);
+        return process.exit(1);
+      }
+      consola21.success(`_ddisa.${domain} \u2192 ${result.idp}`);
+      console.log("");
+      console.log(`  Version:  ${result.version || "ddisa1"}`);
+      console.log(`  IdP URL:  ${result.idp}`);
+      if (result.mode)
+        console.log(`  Mode:     ${result.mode}`);
+      if (result.priority !== void 0)
+        console.log(`  Priority: ${result.priority}`);
+      console.log("");
+      consola21.start(`Verifying IdP at ${result.idp}...`);
+      const discoResp = await fetch(`${result.idp}/.well-known/openid-configuration`);
+      if (!discoResp.ok) {
+        consola21.warn(`IdP discovery failed (${discoResp.status}). Is the IdP running at ${result.idp}?`);
+        return;
+      }
+      const disco = await discoResp.json();
+      consola21.success(`IdP is reachable`);
+      console.log(`  Issuer:   ${disco.issuer}`);
+      console.log(`  DDISA:    v${disco.ddisa_version || "?"}`);
+      if (disco.ddisa_auth_methods_supported) {
+        console.log(`  Auth:     ${disco.ddisa_auth_methods_supported.join(", ")}`);
+      }
+      if (disco.openape_grant_types_supported) {
+        console.log(`  Grants:   ${disco.openape_grant_types_supported.join(", ")}`);
+      }
+    } catch (err) {
+      consola21.error(`DNS check failed: ${err instanceof Error ? err.message : String(err)}`);
+      return process.exit(1);
+    }
+  }
+});
+
 // src/cli.ts
 var debug = process.argv.includes("--debug");
-var grantsCommand = defineCommand22({
+var grantsCommand = defineCommand25({
   meta: {
     name: "grants",
     description: "Grant management"
@@ -1720,7 +2210,7 @@ var grantsCommand = defineCommand22({
     delegations: delegationsCommand
   }
 });
-var configCommand = defineCommand22({
+var configCommand = defineCommand25({
   meta: {
     name: "config",
     description: "Configuration management"
@@ -1730,13 +2220,16 @@ var configCommand = defineCommand22({
     set: configSetCommand
   }
 });
-var main = defineCommand22({
+var main = defineCommand25({
   meta: {
     name: "apes",
-    version: "0.3.0",
+    version: "0.5.0",
     description: "Unified CLI for OpenApe"
   },
   subCommands: {
+    init: initCommand,
+    enroll: enrollCommand,
+    "dns-check": dnsCheckCommand,
     login: loginCommand,
     logout: logoutCommand,
     whoami: whoamiCommand,
@@ -1751,9 +2244,9 @@ var main = defineCommand22({
 });
 runMain(main).catch((err) => {
   if (debug) {
-    consola19.error(err);
+    consola22.error(err);
   } else {
-    consola19.error(err instanceof ApiError ? err.message : err instanceof Error ? err.message : String(err));
+    consola22.error(err instanceof ApiError ? err.message : err instanceof Error ? err.message : String(err));
   }
   process.exit(1);
 });