@openape/apes 0.30.0 → 0.31.1

package/dist/{config-JH2IEPIR.js → config-MOB5DJ6H.js}

@@ -12,7 +12,7 @@ import {
   loadConfig,
   saveAuth,
   saveConfig
-} from "./chunk-IDPV5SNB.js";
+} from "./chunk-OBF7IMQ2.js";
 export {
   AUTH_FILE,
   CONFIG_DIR,
@@ -27,4 +27,4 @@ export {
   saveAuth,
   saveConfig
 };
-//# sourceMappingURL=config-JH2IEPIR.js.map
+//# sourceMappingURL=config-MOB5DJ6H.js.map

package/dist/{http-JZT4XV5I.js → http-5F7FX4V7.js}

@@ -8,8 +8,8 @@ import {
   getAgentChallengeEndpoint,
   getDelegationsEndpoint,
   getGrantsEndpoint
-} from "./chunk-7NUT2PFT.js";
-import "./chunk-IDPV5SNB.js";
+} from "./chunk-N3THIFIS.js";
+import "./chunk-OBF7IMQ2.js";
 export {
   ApiError,
   apiFetch,
@@ -20,4 +20,4 @@ export {
   getDelegationsEndpoint,
   getGrantsEndpoint
 };
-//# sourceMappingURL=http-JZT4XV5I.js.map
+//# sourceMappingURL=http-5F7FX4V7.js.map

package/dist/index.d.ts

@@ -243,6 +243,18 @@ interface AuthData {
     refresh_token?: string;
     email: string;
     expires_at: number;
+    /**
+     * Set by `apes login --key …` (and `apes agents spawn`), absolute
+     * path to the Ed25519 key the agent signs challenges with. Lets
+     * `@openape/cli-auth` refresh agent tokens in-process; see #259.
+     */
+    key_path?: string;
+    /**
+     * Email of the human who owns this agent — written by
+     * `apes agents spawn`. The chat-bridge reads it for owner-only
+     * contact handshakes. Optional for human auth.json files.
+     */
+    owner_email?: string;
 }
 interface ApesConfig {
     defaults?: {

package/dist/index.js

@@ -31,12 +31,12 @@ import {
   tryLoadAdapter,
   verifyAndExecute,
   waitForGrantStatus
-} from "./chunk-IT6T6AKX.js";
+} from "./chunk-DYSFQ26B.js";
 import {
   ApiError,
   apiFetch,
   discoverEndpoints
-} from "./chunk-7NUT2PFT.js";
+} from "./chunk-N3THIFIS.js";
 import {
   clearAuth,
   getAuthToken,
@@ -46,7 +46,7 @@ import {
   loadConfig,
   saveAuth,
   saveConfig
-} from "./chunk-IDPV5SNB.js";
+} from "./chunk-OBF7IMQ2.js";
 export {
   ApiError,
   CliError,

package/dist/{orchestrator-RWTALOSA.js → orchestrator-EH6V5ATG.js}

@@ -3,7 +3,7 @@ import {
   checkSudoRejection,
   isApesSelfDispatch,
   notifyGrantPending
-} from "./chunk-EDYICCBC.js";
+} from "./chunk-3COOEDPF.js";
 import {
   appendAuditLog,
   createShapesGrant,
@@ -14,14 +14,14 @@ import {
   resolveCommand,
   verifyAndConsume,
   waitForGrantStatus
-} from "./chunk-IT6T6AKX.js";
+} from "./chunk-DYSFQ26B.js";
 import {
   apiFetch,
   getGrantsEndpoint
-} from "./chunk-7NUT2PFT.js";
+} from "./chunk-N3THIFIS.js";
 import {
   loadAuth
-} from "./chunk-IDPV5SNB.js";
+} from "./chunk-OBF7IMQ2.js";
 
 // src/shell/orchestrator.ts
 import { hostname } from "os";
@@ -777,4 +777,4 @@ async function runInteractiveShell() {
 export {
   runInteractiveShell
 };
-//# sourceMappingURL=orchestrator-RWTALOSA.js.map
+//# sourceMappingURL=orchestrator-EH6V5ATG.js.map

package/dist/{server-43TJLWMB.js → server-KH5SZIFE.js}

@@ -5,16 +5,16 @@ import {
   loadAdapter,
   resolveCommand,
   verifyAndExecute
-} from "./chunk-IT6T6AKX.js";
+} from "./chunk-DYSFQ26B.js";
 import {
   apiFetch,
   getGrantsEndpoint
-} from "./chunk-7NUT2PFT.js";
+} from "./chunk-N3THIFIS.js";
 import {
   getAuthToken,
   getIdpUrl,
   getRequesterIdentity
-} from "./chunk-IDPV5SNB.js";
+} from "./chunk-OBF7IMQ2.js";
 
 // src/commands/mcp/server.ts
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
@@ -303,7 +303,7 @@ function registerAdapterTools(server) {
 async function startMcpServer(transport, port) {
   const server = new McpServer({
     name: "apes",
-    version: true ? "0.30.0" : "0.1.0"
+    version: true ? "0.31.1" : "0.1.0"
   });
   registerStaticTools(server);
   registerAdapterTools(server);
@@ -331,4 +331,4 @@ async function startMcpServer(transport, port) {
 export {
   startMcpServer
 };
-//# sourceMappingURL=server-43TJLWMB.js.map
+//# sourceMappingURL=server-KH5SZIFE.js.map

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openape/apes",
-  "version": "0.30.0",
+  "version": "0.31.1",
   "turbo": {
     "tags": [
       "publishable"
@@ -31,9 +31,9 @@
     "@lydell/node-pty": "1.2.0-beta.12",
     "shell-quote": "^1.8.3",
     "zod": "^4.3.6",
-    "@openape/proxy": "0.4.0",
-    "@openape/grants": "0.11.2",
-    "@openape/core": "0.13.2"
+    "@openape/proxy": "0.4.1",
+    "@openape/core": "0.14.0",
+    "@openape/grants": "0.11.3"
   },
   "devDependencies": {
     "@types/node": "^25.3.5",
@@ -44,7 +44,7 @@
     "tsup": "^8.5.1",
     "typescript": "^5.8.2",
     "vitest": "^3.2.4",
-    "@openape/server": "0.3.0"
+    "@openape/server": "0.3.2"
   },
   "license": "MIT",
   "author": "Patrick Hofmann <phofmann@delta-mind.at>",

package/dist/chunk-IDPV5SNB.js.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../src/config.ts"],"sourcesContent":["import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs'\nimport { homedir } from 'node:os'\nimport { join } from 'node:path'\n\nexport interface AuthData {\n  idp: string\n  access_token: string\n  refresh_token?: string\n  email: string\n  expires_at: number\n}\n\nexport interface ApesConfig {\n  defaults?: {\n    idp?: string\n    approval?: string\n    /**\n     * Audience for the `apes run` async info block. `agent` (default)\n     * emits verbose agent-facing instructions with a polling protocol;\n     * `human` emits a short friendly block. Env var `APES_USER` wins.\n     */\n    user?: 'agent' | 'human'\n    /**\n     * Poll interval (seconds) embedded in the agent-mode instructions.\n     * Default 10. Env var `APES_GRANT_POLL_INTERVAL` wins. Stored as a\n     * string in TOML because the hand-rolled parser only handles quoted\n     * values — casting to number happens at read time.\n     */\n    grant_poll_interval_seconds?: string\n    /**\n     * Maximum poll duration (minutes) embedded in the agent-mode\n     * instructions. Default 5. Env var `APES_GRANT_POLL_MAX_MINUTES` wins.\n     */\n    grant_poll_max_minutes?: string\n    /**\n     * Exit code emitted by `apes run` / `ape-shell -c` when the async\n     * default path creates a pending grant. Default `75` (`EX_TEMPFAIL`\n     * from sysexits.h — \"temporary failure, retry later\"). Set to `0`\n     * to restore the pre-0.10.0 exit-0 behaviour. Env var\n     * `APES_ASYNC_EXIT_CODE` wins. Valid range 0–255.\n     */\n    async_exit_code?: string\n  }\n  agent?: {\n    key?: string\n    email?: string\n  }\n  notifications?: {\n    pending_command?: string\n  }\n  /**\n   * Generic-fallback mode: when `apes run -- <cli>` is called with a CLI\n   * that has no registered shape, fall through to a synthetic adapter that\n   * requests a single-use, forced-high-risk grant for the exact argv.\n   * See `shapes/generic.ts`.\n   */\n  generic?: {\n    /**\n     * Master switch. Default `true` (permissive). Set to `false` to restore\n     * the legacy \"No adapter found\" hard-fail. Stored as string in TOML\n     * (hand-parser limitation) and parsed as `value !== 'false'` at read time.\n     */\n    enabled?: string\n    /** Override the audit-log location. Default `~/.config/apes/generic-calls.log`. Tilde-expanded at read time. */\n    audit_log?: string\n  }\n}\n\nconst CONFIG_DIR = join(homedir(), '.config', 'apes')\nconst AUTH_FILE = join(CONFIG_DIR, 'auth.json')\nconst CONFIG_FILE = join(CONFIG_DIR, 'config.toml')\n\nfunction ensureDir() {\n  if (!existsSync(CONFIG_DIR)) {\n    mkdirSync(CONFIG_DIR, { recursive: true })\n  }\n}\n\nexport function loadAuth(): AuthData | null {\n  if (!existsSync(AUTH_FILE))\n    return null\n  try {\n    return JSON.parse(readFileSync(AUTH_FILE, 'utf-8'))\n  }\n  catch {\n    return null\n  }\n}\n\nexport function saveAuth(data: AuthData): void {\n  ensureDir()\n  writeFileSync(AUTH_FILE, JSON.stringify(data, null, 2), { mode: 0o600 })\n}\n\nexport function clearAuth(): void {\n  if (existsSync(AUTH_FILE)) {\n    writeFileSync(AUTH_FILE, '', { mode: 0o600 })\n  }\n  // Also wipe the [agent] section from config.toml so logout disables\n  // auto-refresh. Preserves [defaults] so the IdP URL stays configured.\n  if (existsSync(CONFIG_FILE)) {\n    const existing = loadConfig()\n    if (existing.agent) {\n      const { agent: _removed, ...rest } = existing\n      saveConfig(rest)\n    }\n  }\n}\n\nexport function loadConfig(): ApesConfig {\n  if (!existsSync(CONFIG_FILE))\n    return {}\n  try {\n    return parseTOML(readFileSync(CONFIG_FILE, 'utf-8'))\n  }\n  catch {\n    return {}\n  }\n}\n\nfunction parseTOML(content: string): ApesConfig {\n  const config: ApesConfig = {}\n  let section = ''\n\n  for (const line of content.split('\\n')) {\n    const trimmed = line.trim()\n    if (!trimmed || trimmed.startsWith('#'))\n      continue\n\n    const sectionMatch = trimmed.match(/^\\[(.+)\\]$/)\n    if (sectionMatch) {\n      section = sectionMatch[1]!\n      continue\n    }\n\n    // Accept quoted strings and bare booleans/tokens — the generic section\n    // uses `enabled = false` (no quotes) which the quoted-only match would\n    // silently drop.\n    const kvQuoted = trimmed.match(/^(\\w+)\\s*=\\s*\"(.*)\"$/)\n    const kvBare = trimmed.match(/^(\\w+)\\s*=\\s*([^\"\\s]\\S*)$/)\n    const kvMatch = kvQuoted ?? kvBare\n    if (kvMatch) {\n      const [, key, value] = kvMatch\n      if (section === 'defaults') {\n        config.defaults = config.defaults || {}\n        ;(config.defaults as Record<string, string>)[key!] = value!\n      }\n      else if (section === 'agent') {\n        config.agent = config.agent || {}\n        ;(config.agent as Record<string, string>)[key!] = value!\n      }\n      else if (section === 'notifications') {\n        config.notifications = config.notifications || {}\n        ;(config.notifications as Record<string, string>)[key!] = value!\n      }\n      else if (section === 'generic') {\n        config.generic = config.generic || {}\n        ;(config.generic as Record<string, string>)[key!] = value!\n      }\n    }\n  }\n\n  return config\n}\n\nexport function saveConfig(config: ApesConfig): void {\n  ensureDir()\n  const lines: string[] = []\n\n  if (config.defaults) {\n    lines.push('[defaults]')\n    for (const [key, value] of Object.entries(config.defaults)) {\n      if (value)\n        lines.push(`${key} = \"${value}\"`)\n    }\n    lines.push('')\n  }\n\n  if (config.agent) {\n    lines.push('[agent]')\n    for (const [key, value] of Object.entries(config.agent)) {\n      if (value)\n        lines.push(`${key} = \"${value}\"`)\n    }\n    lines.push('')\n  }\n\n  if (config.notifications) {\n    lines.push('[notifications]')\n    for (const [key, value] of Object.entries(config.notifications)) {\n      if (value)\n        lines.push(`${key} = \"${value}\"`)\n    }\n    lines.push('')\n  }\n\n  if (config.generic) {\n    lines.push('[generic]')\n    for (const [key, value] of Object.entries(config.generic)) {\n      if (value)\n        lines.push(`${key} = \"${value}\"`)\n    }\n    lines.push('')\n  }\n\n  writeFileSync(CONFIG_FILE, lines.join('\\n'), { mode: 0o600 })\n}\n\n/**\n * Is generic-fallback enabled? Permissive default: `true` unless the user\n * explicitly sets `[generic] enabled = false`.\n */\nexport function isGenericFallbackEnabled(config?: ApesConfig): boolean {\n  const cfg = config ?? loadConfig()\n  const raw = cfg.generic?.enabled\n  if (raw === undefined) return true\n  return raw !== 'false'\n}\n\n/**\n * Resolve the audit-log path for generic calls, expanding `~` to `$HOME`.\n */\nexport function getGenericAuditLogPath(config?: ApesConfig): string {\n  const cfg = config ?? loadConfig()\n  const raw = cfg.generic?.audit_log\n  const path = raw && raw.length > 0\n    ? raw\n    : join(homedir(), '.config', 'apes', 'generic-calls.log')\n  return path.startsWith('~/')\n    ? join(homedir(), path.slice(2))\n    : path\n}\n\nexport function getIdpUrl(explicit?: string): string | null {\n  if (explicit)\n    return explicit\n  if (process.env.APES_IDP)\n    return process.env.APES_IDP\n\n  const auth = loadAuth()\n  if (auth?.idp)\n    return auth.idp\n\n  const config = loadConfig()\n  if (config.defaults?.idp)\n    return config.defaults.idp\n\n  return null\n}\n\nexport function getAuthToken(): string | null {\n  const auth = loadAuth()\n  if (!auth)\n    return null\n\n  // Check expiry (with 30s buffer)\n  if (auth.expires_at && Date.now() / 1000 > auth.expires_at - 30) {\n    return null // expired\n  }\n\n  return auth.access_token\n}\n\nexport function getRequesterIdentity(): string | null {\n  return loadAuth()?.email ?? null\n}\n\nexport { CONFIG_DIR, AUTH_FILE }\n"],"mappings":";;;AAAA,SAAS,YAAY,WAAW,cAAc,qBAAqB;AACnE,SAAS,eAAe;AACxB,SAAS,YAAY;AAkErB,IAAM,aAAa,KAAK,QAAQ,GAAG,WAAW,MAAM;AACpD,IAAM,YAAY,KAAK,YAAY,WAAW;AAC9C,IAAM,cAAc,KAAK,YAAY,aAAa;AAElD,SAAS,YAAY;AACnB,MAAI,CAAC,WAAW,UAAU,GAAG;AAC3B,cAAU,YAAY,EAAE,WAAW,KAAK,CAAC;AAAA,EAC3C;AACF;AAEO,SAAS,WAA4B;AAC1C,MAAI,CAAC,WAAW,SAAS;AACvB,WAAO;AACT,MAAI;AACF,WAAO,KAAK,MAAM,aAAa,WAAW,OAAO,CAAC;AAAA,EACpD,QACM;AACJ,WAAO;AAAA,EACT;AACF;AAEO,SAAS,SAAS,MAAsB;AAC7C,YAAU;AACV,gBAAc,WAAW,KAAK,UAAU,MAAM,MAAM,CAAC,GAAG,EAAE,MAAM,IAAM,CAAC;AACzE;AAEO,SAAS,YAAkB;AAChC,MAAI,WAAW,SAAS,GAAG;AACzB,kBAAc,WAAW,IAAI,EAAE,MAAM,IAAM,CAAC;AAAA,EAC9C;AAGA,MAAI,WAAW,WAAW,GAAG;AAC3B,UAAM,WAAW,WAAW;AAC5B,QAAI,SAAS,OAAO;AAClB,YAAM,EAAE,OAAO,UAAU,GAAG,KAAK,IAAI;AACrC,iBAAW,IAAI;AAAA,IACjB;AAAA,EACF;AACF;AAEO,SAAS,aAAyB;AACvC,MAAI,CAAC,WAAW,WAAW;AACzB,WAAO,CAAC;AACV,MAAI;AACF,WAAO,UAAU,aAAa,aAAa,OAAO,CAAC;AAAA,EACrD,QACM;AACJ,WAAO,CAAC;AAAA,EACV;AACF;AAEA,SAAS,UAAU,SAA6B;AAC9C,QAAM,SAAqB,CAAC;AAC5B,MAAI,UAAU;AAEd,aAAW,QAAQ,QAAQ,MAAM,IAAI,GAAG;AACtC,UAAM,UAAU,KAAK,KAAK;AAC1B,QAAI,CAAC,WAAW,QAAQ,WAAW,GAAG;AACpC;AAEF,UAAM,eAAe,QAAQ,MAAM,YAAY;AAC/C,QAAI,cAAc;AAChB,gBAAU,aAAa,CAAC;AACxB;AAAA,IACF;AAKA,UAAM,WAAW,QAAQ,MAAM,sBAAsB;AACrD,UAAM,SAAS,QAAQ,MAAM,2BAA2B;AACxD,UAAM,UAAU,YAAY;AAC5B,QAAI,SAAS;AACX,YAAM,CAAC,EAAE,KAAK,KAAK,IAAI;AACvB,UAAI,YAAY,YAAY;AAC1B,eAAO,WAAW,OAAO,YAAY,CAAC;AACrC,QAAC,OAAO,SAAoC,GAAI,IAAI;AAAA,MACvD,WACS,YAAY,SAAS;AAC5B,eAAO,QAAQ,OAAO,SAAS,CAAC;AAC/B,QAAC,OAAO,MAAiC,GAAI,IAAI;AAAA,MACpD,WACS,YAAY,iBAAiB;AACpC,eAAO,gBAAgB,OAAO,iBAAiB,CAAC;AAC/C,QAAC,OAAO,cAAyC,GAAI,IAAI;AAAA,MAC5D,WACS,YAAY,WAAW;AAC9B,eAAO,UAAU,OAAO,WAAW,CAAC;AACnC,QAAC,OAAO,QAAmC,GAAI,IAAI;AAAA,MACtD;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AACT;AAEO,SAAS,WAAW,QAA0B;AACnD,YAAU;AACV,QAAM,QAAkB,CAAC;AAEzB,MAAI,OAAO,UAAU;AACnB,UAAM,KAAK,YAAY;AACvB,eAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,OAAO,QAAQ,GAAG;AAC1D,UAAI;AACF,cAAM,KAAK,GAAG,GAAG,OAAO,KAAK,GAAG;AAAA,IACpC;AACA,UAAM,KAAK,EAAE;AAAA,EACf;AAEA,MAAI,OAAO,OAAO;AAChB,UAAM,KAAK,SAAS;AACpB,eAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,OAAO,KAAK,GAAG;AACvD,UAAI;AACF,cAAM,KAAK,GAAG,GAAG,OAAO,KAAK,GAAG;AAAA,IACpC;AACA,UAAM,KAAK,EAAE;AAAA,EACf;AAEA,MAAI,OAAO,eAAe;AACxB,UAAM,KAAK,iBAAiB;AAC5B,eAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,OAAO,aAAa,GAAG;AAC/D,UAAI;AACF,cAAM,KAAK,GAAG,GAAG,OAAO,KAAK,GAAG;AAAA,IACpC;AACA,UAAM,KAAK,EAAE;AAAA,EACf;AAEA,MAAI,OAAO,SAAS;AAClB,UAAM,KAAK,WAAW;AACtB,eAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,OAAO,OAAO,GAAG;AACzD,UAAI;AACF,cAAM,KAAK,GAAG,GAAG,OAAO,KAAK,GAAG;AAAA,IACpC;AACA,UAAM,KAAK,EAAE;AAAA,EACf;AAEA,gBAAc,aAAa,MAAM,KAAK,IAAI,GAAG,EAAE,MAAM,IAAM,CAAC;AAC9D;AAMO,SAAS,yBAAyB,QAA8B;AACrE,QAAM,MAAM,UAAU,WAAW;AACjC,QAAM,MAAM,IAAI,SAAS;AACzB,MAAI,QAAQ,OAAW,QAAO;AAC9B,SAAO,QAAQ;AACjB;AAKO,SAAS,uBAAuB,QAA6B;AAClE,QAAM,MAAM,UAAU,WAAW;AACjC,QAAM,MAAM,IAAI,SAAS;AACzB,QAAM,OAAO,OAAO,IAAI,SAAS,IAC7B,MACA,KAAK,QAAQ,GAAG,WAAW,QAAQ,mBAAmB;AAC1D,SAAO,KAAK,WAAW,IAAI,IACvB,KAAK,QAAQ,GAAG,KAAK,MAAM,CAAC,CAAC,IAC7B;AACN;AAEO,SAAS,UAAU,UAAkC;AAC1D,MAAI;AACF,WAAO;AACT,MAAI,QAAQ,IAAI;AACd,WAAO,QAAQ,IAAI;AAErB,QAAM,OAAO,SAAS;AACtB,MAAI,MAAM;AACR,WAAO,KAAK;AAEd,QAAM,SAAS,WAAW;AAC1B,MAAI,OAAO,UAAU;AACnB,WAAO,OAAO,SAAS;AAEzB,SAAO;AACT;AAEO,SAAS,eAA8B;AAC5C,QAAM,OAAO,SAAS;AACtB,MAAI,CAAC;AACH,WAAO;AAGT,MAAI,KAAK,cAAc,KAAK,IAAI,IAAI,MAAO,KAAK,aAAa,IAAI;AAC/D,WAAO;AAAA,EACT;AAEA,SAAO,KAAK;AACd;AAEO,SAAS,uBAAsC;AACpD,SAAO,SAAS,GAAG,SAAS;AAC9B;","names":[]}