npm - @openape/apes - Versions diffs - 0.30.0 → 0.31.0 - Mend

@openape/apes 0.30.0 → 0.31.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (24) hide show

package/dist/{auth-lock-GPLHRXOM.js → auth-lock-4IRWI3ED.js} RENAMED Viewed

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 import {
   CONFIG_DIR
-} from "./chunk-IDPV5SNB.js";
+} from "./chunk-OBF7IMQ2.js";
 // src/auth-lock.ts
 import { open, rm, stat } from "fs/promises";
@@ -38,4 +38,4 @@ export {
   acquireAuthLock,
   releaseAuthLock
 };
-//# sourceMappingURL=auth-lock-GPLHRXOM.js.map
+//# sourceMappingURL=auth-lock-4IRWI3ED.js.map

package/dist/{chunk-EDYICCBC.js → chunk-3COOEDPF.js} RENAMED Viewed

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 import {
   loadConfig
-} from "./chunk-IDPV5SNB.js";
+} from "./chunk-OBF7IMQ2.js";
 // src/notifications.ts
 import { spawn } from "child_process";
@@ -77,4 +77,4 @@ export {
   isApesSelfDispatch,
   checkSudoRejection
 };
-//# sourceMappingURL=chunk-EDYICCBC.js.map
+//# sourceMappingURL=chunk-3COOEDPF.js.map

package/dist/{chunk-IT6T6AKX.js → chunk-DYSFQ26B.js} RENAMED Viewed

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 import {
   getGenericAuditLogPath
-} from "./chunk-IDPV5SNB.js";
+} from "./chunk-OBF7IMQ2.js";
 // src/shapes/adapters.ts
 import { createHash } from "crypto";
@@ -1212,4 +1212,4 @@ export {
   buildExactCommandGrantRequest,
   buildStructuredCliGrantRequest
 };
-//# sourceMappingURL=chunk-IT6T6AKX.js.map
+//# sourceMappingURL=chunk-DYSFQ26B.js.map

package/dist/{chunk-7NUT2PFT.js → chunk-N3THIFIS.js} RENAMED Viewed

@@ -5,7 +5,7 @@ import {
   loadAuth,
   loadConfig,
   saveAuth
-} from "./chunk-IDPV5SNB.js";
+} from "./chunk-OBF7IMQ2.js";
 // src/http.ts
 import consola from "consola";
@@ -104,7 +104,7 @@ async function refreshOAuthToken() {
   const auth = loadAuth();
   if (!auth?.refresh_token)
     return null;
-  const { acquireAuthLock, releaseAuthLock } = await import("./auth-lock-GPLHRXOM.js");
+  const { acquireAuthLock, releaseAuthLock } = await import("./auth-lock-4IRWI3ED.js");
   const lock = await acquireAuthLock({ timeoutMs: 5e3 });
   if (!lock) {
     return getAuthToken();
@@ -217,4 +217,4 @@ export {
   ensureFreshToken,
   apiFetch
 };
-//# sourceMappingURL=chunk-7NUT2PFT.js.map
+//# sourceMappingURL=chunk-N3THIFIS.js.map

package/dist/{chunk-IDPV5SNB.js → chunk-OBF7IMQ2.js} RENAMED Viewed

@@ -23,7 +23,24 @@ function loadAuth() {
 }
 function saveAuth(data) {
   ensureDir();
-  writeFileSync(AUTH_FILE, JSON.stringify(data, null, 2), { mode: 384 });
+  let extra = {};
+  if (existsSync(AUTH_FILE)) {
+    try {
+      const raw = readFileSync(AUTH_FILE, "utf-8");
+      if (raw.trim()) {
+        const prev = JSON.parse(raw);
+        for (const key of Object.keys(prev)) {
+          if (!(key in data)) {
+            extra[key] = prev[key];
+          }
+        }
+      }
+    } catch {
+      extra = {};
+    }
+  }
+  const merged = { ...extra, ...data };
+  writeFileSync(AUTH_FILE, JSON.stringify(merged, null, 2), { mode: 384 });
 }
 function clearAuth() {
   if (existsSync(AUTH_FILE)) {
@@ -169,4 +186,4 @@ export {
   getAuthToken,
   getRequesterIdentity
 };
-//# sourceMappingURL=chunk-IDPV5SNB.js.map
+//# sourceMappingURL=chunk-OBF7IMQ2.js.map

package/dist/chunk-OBF7IMQ2.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/config.ts"],"sourcesContent":["import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs'\nimport { homedir } from 'node:os'\nimport { join } from 'node:path'\n\nexport interface AuthData {\n idp: string\n access_token: string\n refresh_token?: string\n email: string\n expires_at: number\n /**\n * Set by `apes login --key …` (and `apes agents spawn`), absolute\n * path to the Ed25519 key the agent signs challenges with. Lets\n * `@openape/cli-auth` refresh agent tokens in-process; see #259.\n */\n key_path?: string\n /**\n * Email of the human who owns this agent — written by\n * `apes agents spawn`. The chat-bridge reads it for owner-only\n * contact handshakes. Optional for human auth.json files.\n */\n owner_email?: string\n}\n\nexport interface ApesConfig {\n defaults?: {\n idp?: string\n approval?: string\n /**\n * Audience for the `apes run` async info block. `agent` (default)\n * emits verbose agent-facing instructions with a polling protocol;\n * `human` emits a short friendly block. Env var `APES_USER` wins.\n */\n user?: 'agent' | 'human'\n /**\n * Poll interval (seconds) embedded in the agent-mode instructions.\n * Default 10. Env var `APES_GRANT_POLL_INTERVAL` wins. Stored as a\n * string in TOML because the hand-rolled parser only handles quoted\n * values — casting to number happens at read time.\n */\n grant_poll_interval_seconds?: string\n /**\n * Maximum poll duration (minutes) embedded in the agent-mode\n * instructions. Default 5. Env var `APES_GRANT_POLL_MAX_MINUTES` wins.\n */\n grant_poll_max_minutes?: string\n /**\n * Exit code emitted by `apes run` / `ape-shell -c` when the async\n * default path creates a pending grant. Default `75` (`EX_TEMPFAIL`\n * from sysexits.h — \"temporary failure, retry later\"). Set to `0`\n * to restore the pre-0.10.0 exit-0 behaviour. Env var\n * `APES_ASYNC_EXIT_CODE` wins. Valid range 0–255.\n */\n async_exit_code?: string\n }\n agent?: {\n key?: string\n email?: string\n }\n notifications?: {\n pending_command?: string\n }\n /**\n * Generic-fallback mode: when `apes run -- <cli>` is called with a CLI\n * that has no registered shape, fall through to a synthetic adapter that\n * requests a single-use, forced-high-risk grant for the exact argv.\n * See `shapes/generic.ts`.\n */\n generic?: {\n /**\n * Master switch. Default `true` (permissive). Set to `false` to restore\n * the legacy \"No adapter found\" hard-fail. Stored as string in TOML\n * (hand-parser limitation) and parsed as `value !== 'false'` at read time.\n */\n enabled?: string\n /** Override the audit-log location. Default `~/.config/apes/generic-calls.log`. Tilde-expanded at read time. */\n audit_log?: string\n }\n}\n\nconst CONFIG_DIR = join(homedir(), '.config', 'apes')\nconst AUTH_FILE = join(CONFIG_DIR, 'auth.json')\nconst CONFIG_FILE = join(CONFIG_DIR, 'config.toml')\n\nfunction ensureDir() {\n if (!existsSync(CONFIG_DIR)) {\n mkdirSync(CONFIG_DIR, { recursive: true })\n }\n}\n\nexport function loadAuth(): AuthData | null {\n if (!existsSync(AUTH_FILE))\n return null\n try {\n return JSON.parse(readFileSync(AUTH_FILE, 'utf-8'))\n }\n catch {\n return null\n }\n}\n\nexport function saveAuth(data: AuthData): void {\n ensureDir()\n // Preserve unmodelled fields from any prior version of auth.json\n // (e.g. older installs of this package, or fields a sibling CLI\n // wrote). Symmetric with cli-auth's saveIdpAuth — see #257 for the\n // bridge crash-loop the bare overwrite caused before.\n let extra: Record<string, unknown> = {}\n if (existsSync(AUTH_FILE)) {\n try {\n const raw = readFileSync(AUTH_FILE, 'utf-8')\n if (raw.trim()) {\n const prev = JSON.parse(raw) as Record<string, unknown>\n for (const key of Object.keys(prev)) {\n if (!(key in (data as unknown as Record<string, unknown>))) {\n extra[key] = prev[key]\n }\n }\n }\n }\n catch {\n extra = {}\n }\n }\n const merged = { ...extra, ...data }\n writeFileSync(AUTH_FILE, JSON.stringify(merged, null, 2), { mode: 0o600 })\n}\n\nexport function clearAuth(): void {\n if (existsSync(AUTH_FILE)) {\n writeFileSync(AUTH_FILE, '', { mode: 0o600 })\n }\n // Also wipe the [agent] section from config.toml so logout disables\n // auto-refresh. Preserves [defaults] so the IdP URL stays configured.\n if (existsSync(CONFIG_FILE)) {\n const existing = loadConfig()\n if (existing.agent) {\n const { agent: _removed, ...rest } = existing\n saveConfig(rest)\n }\n }\n}\n\nexport function loadConfig(): ApesConfig {\n if (!existsSync(CONFIG_FILE))\n return {}\n try {\n return parseTOML(readFileSync(CONFIG_FILE, 'utf-8'))\n }\n catch {\n return {}\n }\n}\n\nfunction parseTOML(content: string): ApesConfig {\n const config: ApesConfig = {}\n let section = ''\n\n for (const line of content.split('\\n')) {\n const trimmed = line.trim()\n if (!trimmed || trimmed.startsWith('#'))\n continue\n\n const sectionMatch = trimmed.match(/^\\[(.+)\\]$/)\n if (sectionMatch) {\n section = sectionMatch[1]!\n continue\n }\n\n // Accept quoted strings and bare booleans/tokens — the generic section\n // uses `enabled = false` (no quotes) which the quoted-only match would\n // silently drop.\n const kvQuoted = trimmed.match(/^(\\w+)\\s*=\\s*\"(.*)\"$/)\n const kvBare = trimmed.match(/^(\\w+)\\s*=\\s*([^\"\\s]\\S*)$/)\n const kvMatch = kvQuoted ?? kvBare\n if (kvMatch) {\n const [, key, value] = kvMatch\n if (section === 'defaults') {\n config.defaults = config.defaults || {}\n ;(config.defaults as Record<string, string>)[key!] = value!\n }\n else if (section === 'agent') {\n config.agent = config.agent || {}\n ;(config.agent as Record<string, string>)[key!] = value!\n }\n else if (section === 'notifications') {\n config.notifications = config.notifications || {}\n ;(config.notifications as Record<string, string>)[key!] = value!\n }\n else if (section === 'generic') {\n config.generic = config.generic || {}\n ;(config.generic as Record<string, string>)[key!] = value!\n }\n }\n }\n\n return config\n}\n\nexport function saveConfig(config: ApesConfig): void {\n ensureDir()\n const lines: string[] = []\n\n if (config.defaults) {\n lines.push('[defaults]')\n for (const [key, value] of Object.entries(config.defaults)) {\n if (value)\n lines.push(`${key} = \"${value}\"`)\n }\n lines.push('')\n }\n\n if (config.agent) {\n lines.push('[agent]')\n for (const [key, value] of Object.entries(config.agent)) {\n if (value)\n lines.push(`${key} = \"${value}\"`)\n }\n lines.push('')\n }\n\n if (config.notifications) {\n lines.push('[notifications]')\n for (const [key, value] of Object.entries(config.notifications)) {\n if (value)\n lines.push(`${key} = \"${value}\"`)\n }\n lines.push('')\n }\n\n if (config.generic) {\n lines.push('[generic]')\n for (const [key, value] of Object.entries(config.generic)) {\n if (value)\n lines.push(`${key} = \"${value}\"`)\n }\n lines.push('')\n }\n\n writeFileSync(CONFIG_FILE, lines.join('\\n'), { mode: 0o600 })\n}\n\n/**\n * Is generic-fallback enabled? Permissive default: `true` unless the user\n * explicitly sets `[generic] enabled = false`.\n */\nexport function isGenericFallbackEnabled(config?: ApesConfig): boolean {\n const cfg = config ?? loadConfig()\n const raw = cfg.generic?.enabled\n if (raw === undefined) return true\n return raw !== 'false'\n}\n\n/**\n * Resolve the audit-log path for generic calls, expanding `~` to `$HOME`.\n */\nexport function getGenericAuditLogPath(config?: ApesConfig): string {\n const cfg = config ?? loadConfig()\n const raw = cfg.generic?.audit_log\n const path = raw && raw.length > 0\n ? raw\n : join(homedir(), '.config', 'apes', 'generic-calls.log')\n return path.startsWith('~/')\n ? join(homedir(), path.slice(2))\n : path\n}\n\nexport function getIdpUrl(explicit?: string): string | null {\n if (explicit)\n return explicit\n if (process.env.APES_IDP)\n return process.env.APES_IDP\n\n const auth = loadAuth()\n if (auth?.idp)\n return auth.idp\n\n const config = loadConfig()\n if (config.defaults?.idp)\n return config.defaults.idp\n\n return null\n}\n\nexport function getAuthToken(): string | null {\n const auth = loadAuth()\n if (!auth)\n return null\n\n // Check expiry (with 30s buffer)\n if (auth.expires_at && Date.now() / 1000 > auth.expires_at - 30) {\n return null // expired\n }\n\n return auth.access_token\n}\n\nexport function getRequesterIdentity(): string | null {\n return loadAuth()?.email ?? null\n}\n\nexport { CONFIG_DIR, AUTH_FILE }\n"],"mappings":";;;AAAA,SAAS,YAAY,WAAW,cAAc,qBAAqB;AACnE,SAAS,eAAe;AACxB,SAAS,YAAY;AA8ErB,IAAM,aAAa,KAAK,QAAQ,GAAG,WAAW,MAAM;AACpD,IAAM,YAAY,KAAK,YAAY,WAAW;AAC9C,IAAM,cAAc,KAAK,YAAY,aAAa;AAElD,SAAS,YAAY;AACnB,MAAI,CAAC,WAAW,UAAU,GAAG;AAC3B,cAAU,YAAY,EAAE,WAAW,KAAK,CAAC;AAAA,EAC3C;AACF;AAEO,SAAS,WAA4B;AAC1C,MAAI,CAAC,WAAW,SAAS;AACvB,WAAO;AACT,MAAI;AACF,WAAO,KAAK,MAAM,aAAa,WAAW,OAAO,CAAC;AAAA,EACpD,QACM;AACJ,WAAO;AAAA,EACT;AACF;AAEO,SAAS,SAAS,MAAsB;AAC7C,YAAU;AAKV,MAAI,QAAiC,CAAC;AACtC,MAAI,WAAW,SAAS,GAAG;AACzB,QAAI;AACF,YAAM,MAAM,aAAa,WAAW,OAAO;AAC3C,UAAI,IAAI,KAAK,GAAG;AACd,cAAM,OAAO,KAAK,MAAM,GAAG;AAC3B,mBAAW,OAAO,OAAO,KAAK,IAAI,GAAG;AACnC,cAAI,EAAE,OAAQ,OAA8C;AAC1D,kBAAM,GAAG,IAAI,KAAK,GAAG;AAAA,UACvB;AAAA,QACF;AAAA,MACF;AAAA,IACF,QACM;AACJ,cAAQ,CAAC;AAAA,IACX;AAAA,EACF;AACA,QAAM,SAAS,EAAE,GAAG,OAAO,GAAG,KAAK;AACnC,gBAAc,WAAW,KAAK,UAAU,QAAQ,MAAM,CAAC,GAAG,EAAE,MAAM,IAAM,CAAC;AAC3E;AAEO,SAAS,YAAkB;AAChC,MAAI,WAAW,SAAS,GAAG;AACzB,kBAAc,WAAW,IAAI,EAAE,MAAM,IAAM,CAAC;AAAA,EAC9C;AAGA,MAAI,WAAW,WAAW,GAAG;AAC3B,UAAM,WAAW,WAAW;AAC5B,QAAI,SAAS,OAAO;AAClB,YAAM,EAAE,OAAO,UAAU,GAAG,KAAK,IAAI;AACrC,iBAAW,IAAI;AAAA,IACjB;AAAA,EACF;AACF;AAEO,SAAS,aAAyB;AACvC,MAAI,CAAC,WAAW,WAAW;AACzB,WAAO,CAAC;AACV,MAAI;AACF,WAAO,UAAU,aAAa,aAAa,OAAO,CAAC;AAAA,EACrD,QACM;AACJ,WAAO,CAAC;AAAA,EACV;AACF;AAEA,SAAS,UAAU,SAA6B;AAC9C,QAAM,SAAqB,CAAC;AAC5B,MAAI,UAAU;AAEd,aAAW,QAAQ,QAAQ,MAAM,IAAI,GAAG;AACtC,UAAM,UAAU,KAAK,KAAK;AAC1B,QAAI,CAAC,WAAW,QAAQ,WAAW,GAAG;AACpC;AAEF,UAAM,eAAe,QAAQ,MAAM,YAAY;AAC/C,QAAI,cAAc;AAChB,gBAAU,aAAa,CAAC;AACxB;AAAA,IACF;AAKA,UAAM,WAAW,QAAQ,MAAM,sBAAsB;AACrD,UAAM,SAAS,QAAQ,MAAM,2BAA2B;AACxD,UAAM,UAAU,YAAY;AAC5B,QAAI,SAAS;AACX,YAAM,CAAC,EAAE,KAAK,KAAK,IAAI;AACvB,UAAI,YAAY,YAAY;AAC1B,eAAO,WAAW,OAAO,YAAY,CAAC;AACrC,QAAC,OAAO,SAAoC,GAAI,IAAI;AAAA,MACvD,WACS,YAAY,SAAS;AAC5B,eAAO,QAAQ,OAAO,SAAS,CAAC;AAC/B,QAAC,OAAO,MAAiC,GAAI,IAAI;AAAA,MACpD,WACS,YAAY,iBAAiB;AACpC,eAAO,gBAAgB,OAAO,iBAAiB,CAAC;AAC/C,QAAC,OAAO,cAAyC,GAAI,IAAI;AAAA,MAC5D,WACS,YAAY,WAAW;AAC9B,eAAO,UAAU,OAAO,WAAW,CAAC;AACnC,QAAC,OAAO,QAAmC,GAAI,IAAI;AAAA,MACtD;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AACT;AAEO,SAAS,WAAW,QAA0B;AACnD,YAAU;AACV,QAAM,QAAkB,CAAC;AAEzB,MAAI,OAAO,UAAU;AACnB,UAAM,KAAK,YAAY;AACvB,eAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,OAAO,QAAQ,GAAG;AAC1D,UAAI;AACF,cAAM,KAAK,GAAG,GAAG,OAAO,KAAK,GAAG;AAAA,IACpC;AACA,UAAM,KAAK,EAAE;AAAA,EACf;AAEA,MAAI,OAAO,OAAO;AAChB,UAAM,KAAK,SAAS;AACpB,eAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,OAAO,KAAK,GAAG;AACvD,UAAI;AACF,cAAM,KAAK,GAAG,GAAG,OAAO,KAAK,GAAG;AAAA,IACpC;AACA,UAAM,KAAK,EAAE;AAAA,EACf;AAEA,MAAI,OAAO,eAAe;AACxB,UAAM,KAAK,iBAAiB;AAC5B,eAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,OAAO,aAAa,GAAG;AAC/D,UAAI;AACF,cAAM,KAAK,GAAG,GAAG,OAAO,KAAK,GAAG;AAAA,IACpC;AACA,UAAM,KAAK,EAAE;AAAA,EACf;AAEA,MAAI,OAAO,SAAS;AAClB,UAAM,KAAK,WAAW;AACtB,eAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,OAAO,OAAO,GAAG;AACzD,UAAI;AACF,cAAM,KAAK,GAAG,GAAG,OAAO,KAAK,GAAG;AAAA,IACpC;AACA,UAAM,KAAK,EAAE;AAAA,EACf;AAEA,gBAAc,aAAa,MAAM,KAAK,IAAI,GAAG,EAAE,MAAM,IAAM,CAAC;AAC9D;AAMO,SAAS,yBAAyB,QAA8B;AACrE,QAAM,MAAM,UAAU,WAAW;AACjC,QAAM,MAAM,IAAI,SAAS;AACzB,MAAI,QAAQ,OAAW,QAAO;AAC9B,SAAO,QAAQ;AACjB;AAKO,SAAS,uBAAuB,QAA6B;AAClE,QAAM,MAAM,UAAU,WAAW;AACjC,QAAM,MAAM,IAAI,SAAS;AACzB,QAAM,OAAO,OAAO,IAAI,SAAS,IAC7B,MACA,KAAK,QAAQ,GAAG,WAAW,QAAQ,mBAAmB;AAC1D,SAAO,KAAK,WAAW,IAAI,IACvB,KAAK,QAAQ,GAAG,KAAK,MAAM,CAAC,CAAC,IAC7B;AACN;AAEO,SAAS,UAAU,UAAkC;AAC1D,MAAI;AACF,WAAO;AACT,MAAI,QAAQ,IAAI;AACd,WAAO,QAAQ,IAAI;AAErB,QAAM,OAAO,SAAS;AACtB,MAAI,MAAM;AACR,WAAO,KAAK;AAEd,QAAM,SAAS,WAAW;AAC1B,MAAI,OAAO,UAAU;AACnB,WAAO,OAAO,SAAS;AAEzB,SAAO;AACT;AAEO,SAAS,eAA8B;AAC5C,QAAM,OAAO,SAAS;AACtB,MAAI,CAAC;AACH,WAAO;AAGT,MAAI,KAAK,cAAc,KAAK,IAAI,IAAI,MAAO,KAAK,aAAa,IAAI;AAC/D,WAAO;AAAA,EACT;AAEA,SAAO,KAAK;AACd;AAEO,SAAS,uBAAsC;AACpD,SAAO,SAAS,GAAG,SAAS;AAC9B;","names":[]}

package/dist/cli.js CHANGED Viewed

@@ -12,7 +12,7 @@ import {
   checkSudoRejection,
   isApesSelfDispatch,
   notifyGrantPending
-} from "./chunk-EDYICCBC.js";
+} from "./chunk-3COOEDPF.js";
 import {
   GENERIC_OPERATION_ID,
   buildGenericResolved,
@@ -40,7 +40,7 @@ import {
   searchAdapters,
   verifyAndExecute,
   waitForGrantStatus
-} from "./chunk-IT6T6AKX.js";
+} from "./chunk-DYSFQ26B.js";
 import {
   ApiError,
   apiFetch,
@@ -48,7 +48,7 @@ import {
   getAgentChallengeEndpoint,
   getDelegationsEndpoint,
   getGrantsEndpoint
-} from "./chunk-7NUT2PFT.js";
+} from "./chunk-N3THIFIS.js";
 import {
   AUTH_FILE,
   CONFIG_DIR,
@@ -60,7 +60,7 @@ import {
   loadConfig,
   saveAuth,
   saveConfig
-} from "./chunk-IDPV5SNB.js";
+} from "./chunk-OBF7IMQ2.js";
 // src/cli.ts
 import consola37 from "consola";
@@ -409,13 +409,14 @@ async function loginWithKey(idp, keyPath, agentEmail) {
     throw new CliError(`Authentication failed: ${await authResp.text()}`);
   }
   const { token, expires_in } = await authResp.json();
+  const absoluteKeyPath = resolvePath(keyPath.replace(/^~/, homedir2()));
   saveAuth({
     idp,
     access_token: token,
     email: agentEmail,
-    expires_at: Math.floor(Date.now() / 1e3) + (expires_in || 3600)
+    expires_at: Math.floor(Date.now() / 1e3) + (expires_in || 3600),
+    key_path: absoluteKeyPath
   });
-  const absoluteKeyPath = resolvePath(keyPath.replace(/^~/, homedir2()));
   const existingConfig = loadConfig();
   saveConfig({
     ...existingConfig,
@@ -2008,6 +2009,7 @@ function buildAgentAuthJson(input) {
     access_token: input.accessToken,
     email: input.email,
     expires_at: input.expiresAt,
+    key_path: input.keyPath,
     owner_email: input.ownerEmail
   }, null, 2)}
 `;
@@ -2611,29 +2613,10 @@ set -euo pipefail
 export PATH="$HOME/.bun/bin:/opt/homebrew/bin:/usr/local/bin:/usr/bin:/bin"
-# Refresh IdP token. Agents auth via SSH-key signing \u2014 the cached IdP
-# token has no refresh_token and expires after ~1h. Re-running apes
-# login re-signs against the registered key. Soft-fails to leave the
-# bridge usable on cached token if the IdP is briefly unreachable.
-if [ -f "$HOME/.config/apes/auth.json" ] && command -v apes >/dev/null 2>&1; then
-  agent_email=$(python3 -c "import json,os,sys
-try: print(json.load(open(os.path.expanduser('~/.config/apes/auth.json')))['email'])
-except Exception: sys.exit(1)" 2>/dev/null || true)
-  agent_idp=$(python3 -c "import json,os,sys
-try: print(json.load(open(os.path.expanduser('~/.config/apes/auth.json')))['idp'])
-except Exception: sys.exit(1)" 2>/dev/null || true)
-  if [ -n "$agent_email" ] && [ -n "$agent_idp" ]; then
-    # Capture full output so the failure mode is debuggable from logs
-    # without needing an interactive grant approval. apes-login should
-    # succeed with the SSH key under ~/.ssh/id_ed25519 written by spawn;
-    # if it doesn't, the cached token carries us until expiry (~1h) and
-    # the daemon will retry on the next launchd restart.
-    login_output=$(apes login "$agent_email" --idp "$agent_idp" 2>&1) || {
-      echo "warn: apes login failed for $agent_email; continuing with cached token" >&2
-      echo "$login_output" | sed 's/^/  apes-login: /' >&2
-    }
-  fi
-fi
+# Token refresh is in-process via @openape/cli-auth's challenge-response
+# path (auth.json.key_path -> ~/.ssh/id_ed25519). No "apes login" needed
+# at boot \u2014 keeping start.sh slim avoids the rate-limit dance the old
+# refresh hit when KeepAlive crash-restarted the daemon every 1h.
 EXT_DIR="$HOME/.pi/agent/extensions"
 mkdir -p "$EXT_DIR"
@@ -2825,6 +2808,7 @@ and try again.`
         accessToken: token,
         email: registration.email,
         expiresAt: Math.floor(Date.now() / 1e3) + expiresIn,
+        keyPath: `${homeDir}/.ssh/id_ed25519`,
         ownerEmail: auth.email
       });
       const includeClaudeHook = !args["no-claude-hook"];
@@ -4173,7 +4157,7 @@ var mcpCommand = defineCommand33({
     if (transport !== "stdio" && transport !== "sse") {
       throw new Error('Transport must be "stdio" or "sse"');
     }
-    const { startMcpServer } = await import("./server-43TJLWMB.js");
+    const { startMcpServer } = await import("./server-TBXFWNUV.js");
     await startMcpServer(transport, port);
   }
 });
@@ -4811,7 +4795,7 @@ async function bestEffortGrantCount(idp) {
   }
 }
 async function runHealth(args) {
-  const version = true ? "0.30.0" : "0.0.0";
+  const version = true ? "0.31.0" : "0.0.0";
   const auth = loadAuth();
   if (!auth) {
     throw new CliError("Not logged in. Run `apes login` first.", 1);
@@ -5084,10 +5068,10 @@ if (shellRewrite) {
   if (shellRewrite.action === "rewrite") {
     process.argv = shellRewrite.argv;
   } else if (shellRewrite.action === "version") {
-    console.log(`ape-shell ${"0.30.0"} (OpenApe DDISA shell wrapper)`);
+    console.log(`ape-shell ${"0.31.0"} (OpenApe DDISA shell wrapper)`);
     process.exit(0);
   } else if (shellRewrite.action === "help") {
-    console.log(`ape-shell ${"0.30.0"} \u2014 OpenApe DDISA shell wrapper`);
+    console.log(`ape-shell ${"0.31.0"} \u2014 OpenApe DDISA shell wrapper`);
     console.log("");
     console.log("Usage:");
     console.log("  ape-shell                 Start interactive grant-mediated REPL");
@@ -5102,7 +5086,7 @@ if (shellRewrite) {
     console.log("  --help, -h      Show this help message");
     process.exit(0);
   } else if (shellRewrite.action === "interactive") {
-    const { runInteractiveShell } = await import("./orchestrator-RWTALOSA.js");
+    const { runInteractiveShell } = await import("./orchestrator-EH6V5ATG.js");
     await runInteractiveShell();
     process.exit(0);
   } else {
@@ -5145,7 +5129,7 @@ var configCommand = defineCommand45({
 var main = defineCommand45({
   meta: {
     name: "apes",
-    version: "0.30.0",
+    version: "0.31.0",
     description: "Unified CLI for OpenApe"
   },
   subCommands: {
@@ -5191,16 +5175,16 @@ var NO_REFRESH_COMMANDS = /* @__PURE__ */ new Set([
 async function maybeRefreshAuth() {
   const sub = process.argv[2];
   if (!sub || NO_REFRESH_COMMANDS.has(sub)) return;
-  const { loadAuth: loadAuth2 } = await import("./config-JH2IEPIR.js");
+  const { loadAuth: loadAuth2 } = await import("./config-MOB5DJ6H.js");
   if (!loadAuth2()) return;
   try {
-    const { ensureFreshToken } = await import("./http-JZT4XV5I.js");
+    const { ensureFreshToken } = await import("./http-5F7FX4V7.js");
     await ensureFreshToken();
   } catch {
   }
 }
 await maybeRefreshAuth();
-await maybeWarnStaleVersion("0.30.0").catch(() => {
+await maybeWarnStaleVersion("0.31.0").catch(() => {
 });
 runMain(main).catch((err) => {
   if (err instanceof CliExit) {