@openape/apes 0.31.3 → 1.0.0

package/dist/cli.js

@@ -63,7 +63,7 @@ import {
 } from "./chunk-OBF7IMQ2.js";
 
 // src/cli.ts
-import consola37 from "consola";
+import consola39 from "consola";
 
 // src/ape-shell.ts
 import path from "path";
@@ -93,7 +93,7 @@ function rewriteApeShellArgs(argv, argv0) {
 }
 
 // src/cli.ts
-import { defineCommand as defineCommand45, runMain } from "citty";
+import { defineCommand as defineCommand48, runMain } from "citty";
 
 // src/commands/auth/login.ts
 import { Buffer as Buffer2 } from "buffer";
@@ -306,7 +306,7 @@ async function loginWithPKCE(idp) {
   authUrl.searchParams.set("state", state);
   authUrl.searchParams.set("nonce", nonce);
   authUrl.searchParams.set("scope", "openid email profile offline_access");
-  const code = await new Promise((resolve4, reject) => {
+  const code = await new Promise((resolve5, reject) => {
     const server = createServer((req, res) => {
       const url = new URL(req.url, `http://localhost:${CALLBACK_PORT}`);
       if (url.pathname === "/callback") {
@@ -323,7 +323,7 @@ async function loginWithPKCE(idp) {
           res.writeHead(200, { "Content-Type": "text/html" });
           res.end("<h1>Login successful!</h1><p>You can close this window.</p>");
           server.close();
-          resolve4(authCode);
+          resolve5(authCode);
           return;
         }
         res.writeHead(400);
@@ -379,7 +379,7 @@ async function loginWithPKCE(idp) {
   consola2.success(`Logged in as ${payload.email || payload.sub}`);
 }
 async function loginWithKey(idp, keyPath, agentEmail) {
-  const { readFileSync: readFileSync9 } = await import("fs");
+  const { readFileSync: readFileSync14 } = await import("fs");
   const { sign: sign3 } = await import("crypto");
   const { loadEd25519PrivateKey: loadEd25519PrivateKey2 } = await import("./ssh-key-YBNNG5K5.js");
   const challengeUrl = await getAgentChallengeEndpoint(idp);
@@ -392,7 +392,7 @@ async function loginWithKey(idp, keyPath, agentEmail) {
     throw new CliError(`Challenge failed: ${await challengeResp.text()}`);
   }
   const { challenge } = await challengeResp.json();
-  const keyContent = readFileSync9(keyPath, "utf-8");
+  const keyContent = readFileSync14(keyPath, "utf-8");
   const privateKey = loadEd25519PrivateKey2(keyContent);
   const signature = sign3(null, Buffer2.from(challenge), privateKey).toString("base64");
   const authenticateUrl = await getAgentAuthenticateEndpoint(idp);
@@ -884,7 +884,7 @@ async function waitForApproval2(grantsUrl, grantId) {
     if (grant.status === "revoked") {
       throw new CliError("Grant revoked.");
     }
-    await new Promise((resolve4) => setTimeout(resolve4, interval));
+    await new Promise((resolve5) => setTimeout(resolve5, interval));
   }
   throw new CliError("Timed out waiting for approval.");
 }
@@ -1744,7 +1744,7 @@ var adminCommand = defineCommand19({
 });
 
 // src/commands/agents/index.ts
-import { defineCommand as defineCommand25 } from "citty";
+import { defineCommand as defineCommand28 } from "citty";
 
 // src/commands/agents/allow.ts
 import { execFileSync as execFileSync3 } from "child_process";
@@ -1871,7 +1871,7 @@ mkdir -p "$HOME_DIR/.ssh" "$HOME_DIR/.config/apes"
 cat > "$HOME_DIR/.ssh/id_ed25519" ${shHeredoc(privatePemForHeredoc.trimEnd())}
 cat > "$HOME_DIR/.ssh/id_ed25519.pub" ${shHeredoc(`${input.publicKeySshLine}`)}
 cat > "$HOME_DIR/.config/apes/auth.json" ${shHeredoc(input.authJson)}
-${claudeBlock}${claudeTokenBlock}${buildBridgeBlock(input.bridge)}
+${claudeBlock}${claudeTokenBlock}${buildBridgeBlock(input.bridge)}${buildTroopBlock(input.troop)}
 chown -R "$NAME:staff" "$HOME_DIR"
 chmod 700 "$HOME_DIR/.ssh"
 chmod 700 "$HOME_DIR/.config"
@@ -1884,16 +1884,16 @@ if [ -f "$HOME_DIR/.config/openape/claude-token.env" ]; then
 fi
 
 echo "OK $NAME uid=$NEXT_UID home=$HOME_DIR"
-${buildBridgeBootstrapBlock(input.bridge)}`;
+${buildBridgeBootstrapBlock(input.bridge)}${buildTroopBootstrapBlock(input.troop)}`;
 }
 function buildBridgeBlock(bridge) {
   if (!bridge) return "";
   return `
-mkdir -p "$HOME_DIR/Library/Application Support/openape/bridge" "$HOME_DIR/Library/Logs" "$HOME_DIR/.pi/agent"
-cat > "$HOME_DIR/.pi/agent/.env" ${shHeredoc(bridge.envFile)}
+mkdir -p "$HOME_DIR/Library/Application Support/openape/bridge" "$HOME_DIR/Library/Logs"
+cat > "$HOME_DIR/Library/Application Support/openape/bridge/.env" ${shHeredoc(bridge.envFile)}
 cat > "$HOME_DIR/Library/Application Support/openape/bridge/start.sh" ${shHeredoc(bridge.startScript)}
 chmod 755 "$HOME_DIR/Library/Application Support/openape/bridge/start.sh"
-chmod 600 "$HOME_DIR/.pi/agent/.env"
+chmod 600 "$HOME_DIR/Library/Application Support/openape/bridge/.env"
 
 # System-wide LaunchDaemon \u2014 root-owned, mode 644 (launchd refuses
 # group/world-writable plists). UserName in the plist makes launchd run
@@ -1910,7 +1910,7 @@ echo "==> Installing bridge stack as $NAME via bun (one-time)\u2026"
 su - "$NAME" -c '
 set -euo pipefail
 export PATH="/opt/homebrew/bin:/usr/local/bin:/usr/bin:/bin:$HOME/.bun/install/global/bin"
-bun add -g @openape/chat-bridge @openape/apes @mariozechner/pi-coding-agent
+bun add -g @openape/chat-bridge @openape/apes
 '
 
 # Bootstrap into the system domain. Spawn already runs as root via
@@ -1921,6 +1921,31 @@ launchctl bootstrap system ${shQuote(bridge.plistPath)} || \\
   echo "warn: bridge bootstrap into system domain failed; check ${bridge.plistPath}"
 `;
 }
+function buildTroopBlock(troop) {
+  if (!troop) return "";
+  return `
+mkdir -p "$HOME_DIR/Library/LaunchAgents" "$HOME_DIR/Library/Logs" "$HOME_DIR/.openape/agent/tasks"
+cat > ${shQuote(troop.plistPath)} ${shHeredoc(troop.plistContent)}
+chmod 644 ${shQuote(troop.plistPath)}
+`;
+}
+function buildTroopBootstrapBlock(troop) {
+  if (!troop) return "";
+  return `
+# Bootstrap the troop sync launchd into the agent's GUI domain so it
+# starts firing every 5 minutes. RunAtLoad in the plist also kicks
+# off an immediate first sync so the agent registers + appears in
+# the troop SP within seconds of spawn finishing.
+echo "==> Installing troop sync launchd as $NAME\u2026"
+su - "$NAME" -c '
+set -euo pipefail
+NAME_UID="$(id -u)"
+launchctl bootout "gui/$NAME_UID/${troop.plistLabel}" 2>/dev/null || true
+launchctl bootstrap "gui/$NAME_UID" ${shQuote(troop.plistPath)} || \\
+  echo "warn: troop sync bootstrap failed; run \\\`apes agents sync\\\` manually as $NAME to register at troop.openape.ai"
+'
+`;
+}
 function buildDestroyTeardownScript(input) {
   const { name, homeDir, adminUser } = input;
   return `#!/bin/bash
@@ -2182,7 +2207,7 @@ function readPasswordSilent(prompt) {
       "No TTY available for the silent password prompt. Set APES_ADMIN_PASSWORD in the environment instead."
     ));
   }
-  return new Promise((resolve4, reject) => {
+  return new Promise((resolve5, reject) => {
     process.stdout.write(prompt);
     const wasRaw = process.stdin.isRaw ?? false;
     process.stdin.setRawMode(true);
@@ -2197,7 +2222,7 @@ function readPasswordSilent(prompt) {
         if (ch === "\r" || ch === "\n") {
           cleanup();
           process.stdout.write("\n");
-          resolve4(buf);
+          resolve5(buf);
           return;
         }
         if (code === 3) {
@@ -2492,22 +2517,814 @@ var registerAgentCommand = defineCommand23({
   }
 });
 
-// src/commands/agents/spawn.ts
-import { execFileSync as execFileSync5 } from "child_process";
-import { mkdtempSync as mkdtempSync2, rmSync as rmSync2, writeFileSync as writeFileSync3 } from "fs";
-import { tmpdir as tmpdir2 } from "os";
-import { join as join4 } from "path";
+// src/commands/agents/run.ts
+import { existsSync as existsSync5, readFileSync as readFileSync5 } from "fs";
+import { homedir as homedir5 } from "os";
+import { join as join3 } from "path";
 import { defineCommand as defineCommand24 } from "citty";
 import consola22 from "consola";
 
+// src/lib/agent-tools/file.ts
+import { mkdirSync, readFileSync as readFileSync4, writeFileSync as writeFileSync2 } from "fs";
+import { homedir as homedir4 } from "os";
+import { dirname, normalize, resolve as resolve2 } from "path";
+var MAX_BYTES = 1024 * 1024;
+function jailPath(input) {
+  if (typeof input !== "string" || input === "") {
+    throw new Error("path must be a non-empty string");
+  }
+  const home = homedir4();
+  const candidate = input.startsWith("~/") ? resolve2(home, input.slice(2)) : input.startsWith("/") ? normalize(input) : resolve2(home, input);
+  if (candidate !== home && !candidate.startsWith(`${home}/`)) {
+    throw new Error(`path "${input}" resolves outside the agent's home`);
+  }
+  return candidate;
+}
+var fileTools = [
+  {
+    name: "file.read",
+    description: "Read a UTF-8 file from the agent's home directory ($HOME). Capped at 1MB. Path traversal blocked.",
+    parameters: {
+      type: "object",
+      properties: {
+        path: { type: "string", description: "Path relative to $HOME (or absolute under $HOME). `..` segments are rejected." }
+      },
+      required: ["path"]
+    },
+    execute: async (args) => {
+      const a = args;
+      const p = jailPath(a.path);
+      const content = readFileSync4(p, "utf8");
+      if (Buffer.byteLength(content, "utf8") > MAX_BYTES) {
+        return { path: p, truncated: true, content: content.slice(0, MAX_BYTES) };
+      }
+      return { path: p, truncated: false, content };
+    }
+  },
+  {
+    name: "file.write",
+    description: "Write a UTF-8 file under the agent's home directory. Creates parent dirs as needed. 1MB max.",
+    parameters: {
+      type: "object",
+      properties: {
+        path: { type: "string", description: "Path relative to $HOME (or absolute under $HOME)." },
+        content: { type: "string", description: "File body. Existing files are overwritten." }
+      },
+      required: ["path", "content"]
+    },
+    execute: async (args) => {
+      const a = args;
+      if (typeof a.content !== "string") throw new Error("content must be a string");
+      if (Buffer.byteLength(a.content, "utf8") > MAX_BYTES) {
+        throw new Error(`content exceeds ${MAX_BYTES} byte cap`);
+      }
+      const p = jailPath(a.path);
+      mkdirSync(dirname(p), { recursive: true });
+      writeFileSync2(p, a.content, { encoding: "utf8" });
+      return { path: p, bytes: Buffer.byteLength(a.content, "utf8") };
+    }
+  }
+];
+
+// src/lib/agent-tools/http.ts
+var MAX_BYTES2 = 1024 * 1024;
+var FORBIDDEN_HEADERS = /* @__PURE__ */ new Set([
+  "host",
+  "authorization",
+  "cookie",
+  "connection",
+  "transfer-encoding",
+  "upgrade",
+  "proxy-authorization"
+]);
+function sanitizeHeaders(input) {
+  if (!input || typeof input !== "object") return {};
+  const out = {};
+  for (const [k, v] of Object.entries(input)) {
+    if (typeof v !== "string") continue;
+    if (FORBIDDEN_HEADERS.has(k.toLowerCase())) continue;
+    out[k] = v;
+  }
+  return out;
+}
+async function readCappedBody(res) {
+  const buf = new Uint8Array(MAX_BYTES2 + 1);
+  let written = 0;
+  const reader = res.body?.getReader();
+  if (!reader) return await res.text();
+  while (true) {
+    const { value, done } = await reader.read();
+    if (done) break;
+    if (written + value.byteLength > MAX_BYTES2) {
+      buf.set(value.subarray(0, MAX_BYTES2 - written), written);
+      written = MAX_BYTES2;
+      try {
+        await reader.cancel();
+      } catch {
+      }
+      break;
+    }
+    buf.set(value, written);
+    written += value.byteLength;
+  }
+  return new TextDecoder().decode(buf.subarray(0, written));
+}
+var httpTools = [
+  {
+    name: "http.get",
+    description: "GET an HTTPS URL and return the response body (capped at 1MB). Useful for reading public APIs, RSS feeds, web pages.",
+    parameters: {
+      type: "object",
+      properties: {
+        url: { type: "string", description: "Absolute HTTPS URL." },
+        headers: { type: "object", description: "Optional headers (Host, Authorization, Cookie are stripped)." }
+      },
+      required: ["url"]
+    },
+    execute: async (args) => {
+      const a = args;
+      if (typeof a.url !== "string" || !a.url.startsWith("http")) {
+        throw new Error("url must be an http(s) URL");
+      }
+      const res = await fetch(a.url, { method: "GET", headers: sanitizeHeaders(a.headers) });
+      const body = await readCappedBody(res);
+      return { status: res.status, headers: Object.fromEntries(res.headers), body };
+    }
+  },
+  {
+    name: "http.post",
+    description: "POST JSON to an HTTPS URL and return the response body (capped at 1MB).",
+    parameters: {
+      type: "object",
+      properties: {
+        url: { type: "string", description: "Absolute HTTPS URL." },
+        body: { description: "JSON-serialisable payload." },
+        headers: { type: "object", description: "Optional headers (Host, Authorization, Cookie are stripped)." }
+      },
+      required: ["url", "body"]
+    },
+    execute: async (args) => {
+      const a = args;
+      if (typeof a.url !== "string" || !a.url.startsWith("http")) {
+        throw new Error("url must be an http(s) URL");
+      }
+      const res = await fetch(a.url, {
+        method: "POST",
+        headers: { "content-type": "application/json", ...sanitizeHeaders(a.headers) },
+        body: JSON.stringify(a.body)
+      });
+      const body = await readCappedBody(res);
+      return { status: res.status, headers: Object.fromEntries(res.headers), body };
+    }
+  }
+];
+
+// src/lib/agent-tools/mail.ts
+import { execFileSync as execFileSync5 } from "child_process";
+function o365(args) {
+  try {
+    return execFileSync5("o365-cli", args, { encoding: "utf8", stdio: ["ignore", "pipe", "pipe"] });
+  } catch (err) {
+    const e = err;
+    if (e.code === "ENOENT") {
+      throw new Error("o365-cli is not installed on this agent host");
+    }
+    const stderr = typeof e.stderr === "string" ? e.stderr : e.stderr?.toString("utf8");
+    throw new Error(`o365-cli failed: ${stderr ?? e.message ?? err}`);
+  }
+}
+var mailTools = [
+  {
+    name: "mail.list",
+    description: "List recent inbox messages via o365-cli. Optional `unread_only` and `limit`.",
+    parameters: {
+      type: "object",
+      properties: {
+        limit: { type: "integer", minimum: 1, maximum: 100, default: 20 },
+        unread_only: { type: "boolean", default: false }
+      },
+      required: []
+    },
+    execute: async (args) => {
+      const a = args ?? {};
+      const argv = ["mail", "list", "--json", "--limit", String(a.limit ?? 20)];
+      if (a.unread_only) argv.push("--unread");
+      const out = o365(argv);
+      try {
+        return JSON.parse(out);
+      } catch {
+        return { raw: out };
+      }
+    }
+  },
+  {
+    name: "mail.search",
+    description: "Search the inbox via o365-cli using a free-form query string.",
+    parameters: {
+      type: "object",
+      properties: {
+        q: { type: "string" },
+        limit: { type: "integer", minimum: 1, maximum: 100, default: 20 }
+      },
+      required: ["q"]
+    },
+    execute: async (args) => {
+      const a = args;
+      if (typeof a.q !== "string" || a.q.length === 0) throw new Error("q is required");
+      const argv = ["mail", "search", a.q, "--json", "--limit", String(a.limit ?? 20)];
+      const out = o365(argv);
+      try {
+        return JSON.parse(out);
+      } catch {
+        return { raw: out };
+      }
+    }
+  }
+];
+
+// src/lib/agent-tools/tasks.ts
+import { execFileSync as execFileSync6 } from "child_process";
+function ape(args) {
+  try {
+    return execFileSync6("ape-tasks", args, { encoding: "utf8", stdio: ["ignore", "pipe", "pipe"] });
+  } catch (err) {
+    const e = err;
+    const stderr = typeof e.stderr === "string" ? e.stderr : e.stderr?.toString("utf8");
+    throw new Error(`ape-tasks failed: ${stderr ?? e.message ?? err}`);
+  }
+}
+var tasksTools = [
+  {
+    name: "tasks.list",
+    description: "List the owner's open ape-tasks (the user's personal task list at tasks.openape.ai).",
+    parameters: {
+      type: "object",
+      properties: {
+        status: { type: "string", enum: ["open", "doing", "done", "archived"] },
+        team_id: { type: "string" }
+      },
+      required: []
+    },
+    execute: async (args) => {
+      const a = args ?? {};
+      const argv = ["list", "--json"];
+      if (a.status) argv.push("--status", a.status);
+      if (a.team_id) argv.push("--team", a.team_id);
+      const out = ape(argv);
+      try {
+        return JSON.parse(out);
+      } catch {
+        return { raw: out };
+      }
+    }
+  },
+  {
+    name: "tasks.create",
+    description: "Create a new ape-task on the owner's task list at tasks.openape.ai.",
+    parameters: {
+      type: "object",
+      properties: {
+        title: { type: "string" },
+        notes: { type: "string" },
+        priority: { type: "string", enum: ["low", "med", "high"] },
+        due_at: { type: "string", description: "ISO date or +Nh/+Nd shorthand." }
+      },
+      required: ["title"]
+    },
+    execute: async (args) => {
+      const a = args;
+      const argv = ["new", "--title", a.title, "--json"];
+      if (a.notes) argv.push("--notes", a.notes);
+      if (a.priority) argv.push("--priority", a.priority);
+      if (a.due_at) argv.push("--due", a.due_at);
+      const out = ape(argv);
+      try {
+        return JSON.parse(out);
+      } catch {
+        return { raw: out };
+      }
+    }
+  }
+];
+
+// src/lib/agent-tools/time.ts
+var timeTools = [
+  {
+    name: "time.now",
+    description: "Returns the current UTC date and time as ISO 8601 plus epoch seconds. No inputs.",
+    parameters: { type: "object", properties: {}, required: [] },
+    execute: async () => {
+      const now = /* @__PURE__ */ new Date();
+      return {
+        iso: now.toISOString(),
+        epoch_seconds: Math.floor(now.getTime() / 1e3),
+        timezone_offset_minutes: -now.getTimezoneOffset()
+      };
+    }
+  }
+];
+
+// src/lib/agent-tools/index.ts
+var ALL_TOOLS = [
+  ...timeTools,
+  ...httpTools,
+  ...fileTools,
+  ...tasksTools,
+  ...mailTools
+];
+var TOOLS = Object.fromEntries(
+  ALL_TOOLS.map((t) => [t.name, t])
+);
+function taskTools(names) {
+  const out = [];
+  const missing = [];
+  for (const name of names) {
+    const tool = TOOLS[name];
+    if (!tool) missing.push(name);
+    else out.push(tool);
+  }
+  if (missing.length > 0) {
+    throw new Error(`unknown tool(s): ${missing.join(", ")}`);
+  }
+  return out;
+}
+function asOpenAiTools(tools) {
+  return tools.map((t) => ({
+    type: "function",
+    function: { name: t.name, description: t.description, parameters: t.parameters }
+  }));
+}
+
+// src/lib/agent-runtime.ts
+function previewJson(value, max = 500) {
+  let s;
+  try {
+    s = JSON.stringify(value);
+  } catch {
+    s = String(value);
+  }
+  return s.length > max ? `${s.slice(0, max)}\u2026` : s;
+}
+async function runLoop(opts) {
+  const fetchFn = opts.fetchImpl ?? fetch;
+  const trace = [];
+  const messages = [
+    { role: "system", content: opts.systemPrompt },
+    ...opts.history ?? [],
+    { role: "user", content: opts.userMessage }
+  ];
+  const tools = asOpenAiTools(opts.tools);
+  for (let step = 1; step <= opts.maxSteps; step++) {
+    const res = await fetchFn(`${opts.config.apiBase}/chat/completions`, {
+      method: "POST",
+      headers: {
+        "authorization": `Bearer ${opts.config.apiKey}`,
+        "content-type": "application/json"
+      },
+      body: JSON.stringify({
+        model: opts.config.model,
+        messages,
+        ...tools.length > 0 ? { tools, tool_choice: "auto" } : {}
+      })
+    });
+    if (!res.ok) {
+      const text = await res.text().catch(() => "");
+      throw new Error(`LiteLLM ${res.status}: ${text.slice(0, 500)}`);
+    }
+    const data = await res.json();
+    const choice = data.choices?.[0];
+    if (!choice) throw new Error("LiteLLM response had no choices");
+    const assistant = choice.message;
+    messages.push(assistant);
+    if (assistant.content) opts.handlers?.onTextDelta?.(assistant.content);
+    trace.push({
+      step,
+      type: "assistant",
+      preview: previewJson({ content: assistant.content, tool_calls: assistant.tool_calls?.length ?? 0 })
+    });
+    if (!assistant.tool_calls || assistant.tool_calls.length === 0) {
+      const result2 = {
+        status: "ok",
+        finalMessage: assistant.content,
+        stepCount: step,
+        trace
+      };
+      opts.handlers?.onDone?.(result2);
+      return result2;
+    }
+    for (const call of assistant.tool_calls) {
+      const tool = opts.tools.find((t) => t.name === call.function.name);
+      let parsedArgs;
+      try {
+        parsedArgs = JSON.parse(call.function.arguments);
+      } catch {
+        parsedArgs = {};
+      }
+      opts.handlers?.onToolCall?.({ name: call.function.name, args: parsedArgs });
+      trace.push({ step, type: "tool_call", tool: call.function.name, preview: previewJson(parsedArgs) });
+      let result2;
+      let isError = false;
+      if (!tool) {
+        result2 = `unknown tool: ${call.function.name}`;
+        isError = true;
+      } else {
+        try {
+          result2 = await tool.execute(parsedArgs);
+        } catch (err) {
+          result2 = err?.message ?? String(err);
+          isError = true;
+        }
+      }
+      if (isError) {
+        opts.handlers?.onToolError?.({ name: call.function.name, error: String(result2) });
+        trace.push({ step, type: "tool_error", tool: call.function.name, preview: previewJson(result2) });
+      } else {
+        opts.handlers?.onToolResult?.({ name: call.function.name, result: result2 });
+        trace.push({ step, type: "tool_result", tool: call.function.name, preview: previewJson(result2) });
+      }
+      messages.push({
+        role: "tool",
+        tool_call_id: call.id,
+        name: call.function.name,
+        content: typeof result2 === "string" ? result2 : JSON.stringify(result2)
+      });
+    }
+  }
+  const result = {
+    status: "error",
+    finalMessage: `max_steps (${opts.maxSteps}) reached without completion`,
+    stepCount: opts.maxSteps,
+    trace
+  };
+  opts.handlers?.onDone?.(result);
+  return result;
+}
+var RPC_SESSION_TTL_MS = 60 * 60 * 1e3;
+var RpcSessionMap = class {
+  sessions = /* @__PURE__ */ new Map();
+  get(id) {
+    const s = this.sessions.get(id);
+    if (s) s.lastTouched = Date.now();
+    return s;
+  }
+  put(id, s) {
+    s.lastTouched = Date.now();
+    this.sessions.set(id, s);
+  }
+  evictStale() {
+    const cutoff = Date.now() - RPC_SESSION_TTL_MS;
+    for (const [k, v] of this.sessions) {
+      if (v.lastTouched < cutoff) this.sessions.delete(k);
+    }
+  }
+  size() {
+    return this.sessions.size;
+  }
+};
+
+// src/lib/troop-client.ts
+var DEFAULT_TROOP_URL = "https://troop.openape.ai";
+var TroopClient = class {
+  constructor(troopUrl, agentJwt) {
+    this.troopUrl = troopUrl;
+    this.agentJwt = agentJwt;
+  }
+  async request(path2, init) {
+    const res = await fetch(`${this.troopUrl}${path2}`, {
+      ...init,
+      headers: {
+        ...init?.headers ?? {},
+        "Authorization": `Bearer ${this.agentJwt}`,
+        "Content-Type": "application/json"
+      }
+    });
+    if (!res.ok) {
+      const text = await res.text().catch(() => "");
+      throw new Error(`troop ${init?.method ?? "GET"} ${path2} failed: ${res.status} ${text}`);
+    }
+    if (res.status === 204) return void 0;
+    return await res.json();
+  }
+  sync(input) {
+    return this.request("/api/agents/me/sync", {
+      method: "POST",
+      body: JSON.stringify({
+        hostname: input.hostname,
+        host_id: input.hostId,
+        owner_email: input.ownerEmail,
+        ...input.pubkeySsh ? { pubkey_ssh: input.pubkeySsh } : {}
+      })
+    });
+  }
+  listTasks() {
+    return this.request("/api/agents/me/tasks");
+  }
+  startRun(taskId) {
+    return this.request("/api/agents/me/runs", {
+      method: "POST",
+      body: JSON.stringify({ task_id: taskId })
+    });
+  }
+  finaliseRun(id, payload) {
+    return this.request(`/api/agents/me/runs/${id}`, {
+      method: "PATCH",
+      body: JSON.stringify(payload)
+    });
+  }
+};
+function resolveTroopUrl(override) {
+  if (override) return override.replace(/\/$/, "");
+  const fromEnv = process.env.OPENAPE_TROOP_URL;
+  if (fromEnv) return fromEnv.replace(/\/$/, "");
+  return DEFAULT_TROOP_URL;
+}
+
+// src/commands/agents/run.ts
+var AUTH_PATH = join3(homedir5(), ".config", "apes", "auth.json");
+var TASK_CACHE_DIR = join3(homedir5(), ".openape", "agent", "tasks");
+function readAuth() {
+  if (!existsSync5(AUTH_PATH)) {
+    throw new CliError(`No agent auth found at ${AUTH_PATH}. Run \`apes agents spawn <name>\` first.`);
+  }
+  const parsed = JSON.parse(readFileSync5(AUTH_PATH, "utf8"));
+  if (!parsed.access_token) throw new CliError("auth.json missing access_token");
+  return parsed;
+}
+function readTaskSpec(taskId) {
+  const path2 = join3(TASK_CACHE_DIR, `${taskId}.json`);
+  if (!existsSync5(path2)) {
+    throw new CliError(`No cached task spec at ${path2}. Run \`apes agents sync\` first to pull the task list from troop.`);
+  }
+  return JSON.parse(readFileSync5(path2, "utf8"));
+}
+function readLitellmConfig(model) {
+  const envPath = join3(homedir5(), "litellm", ".env");
+  const env = {};
+  if (existsSync5(envPath)) {
+    for (const line of readFileSync5(envPath, "utf8").split(/\r?\n/)) {
+      const m = line.match(/^([A-Z_]+)=(.*)$/);
+      if (m) env[m[1]] = m[2].replace(/^["']|["']$/g, "");
+    }
+  }
+  for (const k of ["LITELLM_API_KEY", "LITELLM_MASTER_KEY", "LITELLM_BASE_URL"]) {
+    if (process.env[k]) env[k] = process.env[k];
+  }
+  const apiKey = env.LITELLM_API_KEY || env.LITELLM_MASTER_KEY;
+  const apiBase = (env.LITELLM_BASE_URL || "http://127.0.0.1:4000/v1").replace(/\/$/, "");
+  if (!apiKey) {
+    throw new CliError("No LITELLM_API_KEY / LITELLM_MASTER_KEY in ~/litellm/.env or env.");
+  }
+  return { apiBase, apiKey, model: model || "claude-haiku-4-5" };
+}
+var runAgentCommand = defineCommand24({
+  meta: {
+    name: "run",
+    description: "Execute one task (typically launchd-invoked). Reports the run record to troop."
+  },
+  args: {
+    "task-id": {
+      type: "positional",
+      description: "Task ID (slug) to run. The cached spec at ~/.openape/agent/tasks/<id>.json is used.",
+      required: true
+    },
+    "troop-url": {
+      type: "string",
+      description: "Override troop SP base URL."
+    },
+    "model": {
+      type: "string",
+      description: "Override the LLM model name. Default: claude-haiku-4-5."
+    }
+  },
+  async run({ args }) {
+    const taskId = args["task-id"];
+    const auth = readAuth();
+    const spec = readTaskSpec(taskId);
+    const config = readLitellmConfig(args.model);
+    let tools;
+    try {
+      tools = taskTools(spec.tools);
+    } catch (err) {
+      throw new CliError(`task ${taskId}: ${err.message}`);
+    }
+    const troop = new TroopClient(resolveTroopUrl(args["troop-url"]), auth.access_token);
+    const { id: runId } = await troop.startRun(taskId);
+    consola22.info(`Run ${runId} started for task ${taskId}`);
+    try {
+      const result = await runLoop({
+        config,
+        systemPrompt: spec.systemPrompt,
+        // Cron tasks have no prior user message — the task fires by
+        // schedule. We use a synthetic kick-off message; tasks can
+        // ignore it via their system prompt.
+        userMessage: "It is time to run this task. Use your tools as needed and report when done.",
+        tools,
+        maxSteps: spec.maxSteps
+      });
+      await troop.finaliseRun(runId, {
+        status: result.status,
+        final_message: result.finalMessage,
+        step_count: result.stepCount,
+        trace: result.trace
+      });
+      consola22.success(`Run ${runId} ${result.status} (${result.stepCount} steps)`);
+      if (result.status === "error") process.exit(1);
+    } catch (err) {
+      const message = err?.message ?? String(err);
+      await troop.finaliseRun(runId, {
+        status: "error",
+        final_message: message.slice(0, 4e3),
+        step_count: 0,
+        trace: []
+      }).catch(() => {
+      });
+      throw new CliError(`Run ${runId} crashed: ${message}`);
+    }
+  }
+});
+
+// src/commands/agents/serve.ts
+import { existsSync as existsSync6, readFileSync as readFileSync6 } from "fs";
+import { homedir as homedir6 } from "os";
+import { join as join4 } from "path";
+import { createInterface } from "readline";
+import { defineCommand as defineCommand25 } from "citty";
+var AUTH_PATH2 = join4(homedir6(), ".config", "apes", "auth.json");
+function readLitellmConfig2(model) {
+  const envPath = join4(homedir6(), "litellm", ".env");
+  const env = {};
+  if (existsSync6(envPath)) {
+    for (const line of readFileSync6(envPath, "utf8").split(/\r?\n/)) {
+      const m = line.match(/^([A-Z_]+)=(.*)$/);
+      if (m) env[m[1]] = m[2].replace(/^["']|["']$/g, "");
+    }
+  }
+  for (const k of ["LITELLM_API_KEY", "LITELLM_MASTER_KEY", "LITELLM_BASE_URL"]) {
+    if (process.env[k]) env[k] = process.env[k];
+  }
+  const apiKey = env.LITELLM_API_KEY || env.LITELLM_MASTER_KEY;
+  const apiBase = (env.LITELLM_BASE_URL || "http://127.0.0.1:4000/v1").replace(/\/$/, "");
+  if (!apiKey) throw new CliError("No LITELLM_API_KEY / LITELLM_MASTER_KEY in ~/litellm/.env or env.");
+  return { apiBase, apiKey, model: model || "claude-haiku-4-5" };
+}
+function emit(event) {
+  process.stdout.write(`${JSON.stringify(event)}
+`);
+}
+var serveAgentCommand = defineCommand25({
+  meta: {
+    name: "serve",
+    description: "Long-running stdio RPC server for chat-bridge subprocess use."
+  },
+  args: {
+    rpc: {
+      type: "boolean",
+      description: "Use the line-delimited JSON RPC protocol on stdio (the only mode for now)."
+    }
+  },
+  async run({ args }) {
+    if (!args.rpc) {
+      throw new CliError("apes agents serve currently only supports --rpc mode");
+    }
+    if (existsSync6(AUTH_PATH2)) {
+      try {
+        JSON.parse(readFileSync6(AUTH_PATH2, "utf8"));
+      } catch {
+      }
+    }
+    const sessions = new RpcSessionMap();
+    const evictTimer = setInterval(() => sessions.evictStale(), 5 * 60 * 1e3);
+    process.on("exit", () => clearInterval(evictTimer));
+    const rl = createInterface({ input: process.stdin, terminal: false });
+    rl.on("line", async (line) => {
+      const trimmed = line.trim();
+      if (!trimmed) return;
+      let msg;
+      try {
+        msg = JSON.parse(trimmed);
+      } catch (err) {
+        emit({ type: "error", message: `invalid JSON: ${err.message}` });
+        return;
+      }
+      if (!msg.session_id || !msg.user_msg) {
+        emit({ type: "error", message: "session_id and user_msg are required" });
+        return;
+      }
+      try {
+        await handleInbound(msg, sessions);
+      } catch (err) {
+        emit({ type: "error", session_id: msg.session_id, message: err?.message ?? String(err) });
+        emit({ type: "done", session_id: msg.session_id, step_count: 0, status: "error" });
+      }
+    });
+    rl.on("close", () => process.exit(0));
+  }
+});
+async function handleInbound(msg, sessions) {
+  const config = readLitellmConfig2(msg.model);
+  const tools = taskTools(msg.tools ?? []);
+  const maxSteps = msg.max_steps ?? 10;
+  let session = sessions.get(msg.session_id);
+  if (!session) {
+    session = {
+      systemPrompt: msg.system_prompt,
+      tools,
+      maxSteps,
+      messages: [],
+      lastTouched: Date.now()
+    };
+    sessions.put(msg.session_id, session);
+  }
+  const result = await runLoop({
+    config,
+    systemPrompt: session.systemPrompt,
+    userMessage: msg.user_msg,
+    tools: session.tools,
+    maxSteps: session.maxSteps,
+    history: session.messages,
+    handlers: {
+      onTextDelta: (delta) => emit({ type: "text_delta", session_id: msg.session_id, delta }),
+      onToolCall: ({ name, args }) => emit({ type: "tool_call", session_id: msg.session_id, name, args }),
+      onToolResult: ({ name, result: result2 }) => emit({ type: "tool_result", session_id: msg.session_id, name, result: result2 }),
+      onToolError: ({ name, error }) => emit({ type: "tool_error", session_id: msg.session_id, name, error })
+    }
+  });
+  session.messages.push({ role: "user", content: msg.user_msg });
+  if (result.finalMessage) {
+    session.messages.push({ role: "assistant", content: result.finalMessage });
+  }
+  emit({
+    type: "done",
+    session_id: msg.session_id,
+    step_count: result.stepCount,
+    status: result.status,
+    final_message: result.finalMessage
+  });
+}
+
+// src/commands/agents/spawn.ts
+import { execFileSync as execFileSync7 } from "child_process";
+import { mkdtempSync as mkdtempSync2, rmSync as rmSync2, writeFileSync as writeFileSync4 } from "fs";
+import { tmpdir as tmpdir2 } from "os";
+import { join as join6 } from "path";
+import { defineCommand as defineCommand26 } from "citty";
+import consola23 from "consola";
+
+// src/lib/troop-bootstrap.ts
+var SYNC_LABEL_PREFIX = "openape.troop.sync";
+var SYNC_INTERVAL_SECONDS = 300;
+function syncPlistLabel(agentName) {
+  return `${SYNC_LABEL_PREFIX}.${agentName}`;
+}
+function escape(s) {
+  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
+}
+function buildSyncPlist(input) {
+  const envBlock = input.troopUrl ? `  <key>EnvironmentVariables</key>
+  <dict>
+    <key>HOME</key><string>${escape(input.homeDir)}</string>
+    <key>OPENAPE_TROOP_URL</key><string>${escape(input.troopUrl)}</string>
+  </dict>
+` : `  <key>EnvironmentVariables</key>
+  <dict>
+    <key>HOME</key><string>${escape(input.homeDir)}</string>
+  </dict>
+`;
+  return `<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>Label</key>
+  <string>${escape(syncPlistLabel(input.agentName))}</string>
+  <key>ProgramArguments</key>
+  <array>
+    <string>${escape(input.apesBin)}</string>
+    <string>agents</string>
+    <string>sync</string>
+  </array>
+  <key>WorkingDirectory</key>
+  <string>${escape(input.homeDir)}</string>
+${envBlock}  <key>StartInterval</key>
+  <integer>${SYNC_INTERVAL_SECONDS}</integer>
+  <key>RunAtLoad</key>
+  <true/>
+  <key>StandardOutPath</key>
+  <string>${escape(input.homeDir)}/Library/Logs/openape-troop-sync.log</string>
+  <key>StandardErrorPath</key>
+  <string>${escape(input.homeDir)}/Library/Logs/openape-troop-sync.log</string>
+</dict>
+</plist>
+`;
+}
+
 // src/lib/keygen.ts
 import { Buffer as Buffer4 } from "buffer";
-import { existsSync as existsSync5, mkdirSync, readFileSync as readFileSync4, writeFileSync as writeFileSync2 } from "fs";
+import { existsSync as existsSync7, mkdirSync as mkdirSync2, readFileSync as readFileSync7, writeFileSync as writeFileSync3 } from "fs";
 import { generateKeyPairSync } from "crypto";
-import { homedir as homedir4 } from "os";
-import { dirname, resolve as resolve2 } from "path";
+import { homedir as homedir7 } from "os";
+import { dirname as dirname2, resolve as resolve3 } from "path";
 function resolveKeyPath(p) {
-  return resolve2(p.replace(/^~/, homedir4()));
+  return resolve3(p.replace(/^~/, homedir7()));
 }
 function buildSshEd25519Line(rawPub) {
   const keyTypeStr = "ssh-ed25519";
@@ -2520,10 +3337,10 @@ function buildSshEd25519Line(rawPub) {
 }
 function readPublicKey(keyPath) {
   const pubPath = `${keyPath}.pub`;
-  if (existsSync5(pubPath)) {
-    return readFileSync4(pubPath, "utf-8").trim();
+  if (existsSync7(pubPath)) {
+    return readFileSync7(pubPath, "utf-8").trim();
   }
-  const keyContent = readFileSync4(keyPath, "utf-8");
+  const keyContent = readFileSync7(keyPath, "utf-8");
   const privateKey = loadEd25519PrivateKey(keyContent);
   const jwk = privateKey.export({ format: "jwk" });
   const pubBytes = Buffer4.from(jwk.x, "base64url");
@@ -2531,17 +3348,17 @@ function readPublicKey(keyPath) {
 }
 function generateAndSaveKey(keyPath) {
   const resolved = resolveKeyPath(keyPath);
-  const dir = dirname(resolved);
-  if (!existsSync5(dir)) {
-    mkdirSync(dir, { recursive: true });
+  const dir = dirname2(resolved);
+  if (!existsSync7(dir)) {
+    mkdirSync2(dir, { recursive: true });
   }
   const { publicKey, privateKey } = generateKeyPairSync("ed25519");
   const privatePem = privateKey.export({ type: "pkcs8", format: "pem" });
-  writeFileSync2(resolved, privatePem, { mode: 384 });
+  writeFileSync3(resolved, privatePem, { mode: 384 });
   const jwk = publicKey.export({ format: "jwk" });
   const pubBytes = Buffer4.from(jwk.x, "base64url");
   const pubKeyStr = buildSshEd25519Line(pubBytes);
-  writeFileSync2(`${resolved}.pub`, `${pubKeyStr}
+  writeFileSync3(`${resolved}.pub`, `${pubKeyStr}
 `, { mode: 420 });
   return pubKeyStr;
 }
@@ -2557,14 +3374,14 @@ function generateKeyPairInMemory() {
 }
 
 // src/lib/llm-bridge.ts
-import { existsSync as existsSync6, readFileSync as readFileSync5 } from "fs";
-import { homedir as homedir5 } from "os";
-import { join as join3 } from "path";
+import { existsSync as existsSync8, readFileSync as readFileSync8 } from "fs";
+import { homedir as homedir8 } from "os";
+import { join as join5 } from "path";
 var PLIST_LABEL_PREFIX = "eco.hofmann.apes.bridge";
-function readLitellmEnv(envPath = join3(homedir5(), "litellm", ".env")) {
-  if (!existsSync6(envPath)) return null;
+function readLitellmEnv(envPath = join5(homedir8(), "litellm", ".env")) {
+  if (!existsSync8(envPath)) return null;
   try {
-    const text = readFileSync5(envPath, "utf8");
+    const text = readFileSync8(envPath, "utf8");
     const out = {};
     for (const line of text.split("\n")) {
       const trimmed = line.trim();
@@ -2618,46 +3435,13 @@ export PATH="$HOME/.bun/bin:/opt/homebrew/bin:/usr/local/bin:/usr/bin:/bin"
 # at boot \u2014 keeping start.sh slim avoids the rate-limit dance the old
 # refresh hit when KeepAlive crash-restarted the daemon every 1h.
 
-EXT_DIR="$HOME/.pi/agent/extensions"
-mkdir -p "$EXT_DIR"
-if [ ! -f "$EXT_DIR/litellm.ts" ]; then
-  cat > "$EXT_DIR/litellm.ts" <<'PI_EXT_EOF'
-import type { ExtensionAPI } from "@mariozechner/pi-coding-agent";
-
-const BASE_URL = process.env.LITELLM_BASE_URL ?? "http://127.0.0.1:4000/v1";
-
-export default async function (pi: ExtensionAPI) {
-  pi.registerProvider("litellm", {
-    baseUrl: BASE_URL,
-    apiKey: "LITELLM_API_KEY",
-    api: "openai-completions",
-    models: [
-      {
-        id: "gpt-5.4",
-        name: "ChatGPT 5.4 (Subscription)",
-        reasoning: false,
-        input: ["text", "image"],
-        cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
-        contextWindow: 200000,
-        maxTokens: 8192,
-      },
-      {
-        id: "gpt-5.3-codex",
-        name: "ChatGPT 5.3 Codex (Subscription)",
-        reasoning: false,
-        input: ["text"],
-        cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
-        contextWindow: 200000,
-        maxTokens: 8192,
-      },
-    ],
-  });
-}
-PI_EXT_EOF
-fi
+# M6 dropped the third-party LLM-runtime install + extension write
+# that used to live here. The bridge now spawns
+# \`apes agents serve --rpc\` directly (M8) which calls LiteLLM
+# itself, so no third-party extension config is needed.
 
 set -a
-. "$HOME/.pi/agent/.env"
+. "$HOME/Library/Application Support/openape/bridge/.env"
 set +a
 exec openape-chat-bridge
 `;
@@ -2706,7 +3490,7 @@ function buildBridgePlist(agentName, homeDir, ownerEmail) {
 }
 
 // src/commands/agents/spawn.ts
-var spawnAgentCommand = defineCommand24({
+var spawnAgentCommand = defineCommand26({
   meta: {
     name: "spawn",
     description: "Provision a local macOS agent end-to-end (OS user, keypair, IdP agent, Claude hook)"
@@ -2789,15 +3573,15 @@ and try again.`
       throw new CliError(`macOS user "${name}" already exists (uid=${existing.uid ?? "?"}). Refusing to overwrite.`);
     }
     const homeDir = `/Users/${name}`;
-    const scratch = mkdtempSync2(join4(tmpdir2(), `apes-spawn-${name}-`));
-    const scriptPath = join4(scratch, "setup.sh");
+    const scratch = mkdtempSync2(join6(tmpdir2(), `apes-spawn-${name}-`));
+    const scriptPath = join6(scratch, "setup.sh");
     try {
-      consola22.start(`Generating keypair for ${name}\u2026`);
+      consola23.start(`Generating keypair for ${name}\u2026`);
       const { privatePem, publicSshLine } = generateKeyPairInMemory();
-      consola22.start(`Registering agent at ${idp}\u2026`);
+      consola23.start(`Registering agent at ${idp}\u2026`);
       const registration = await registerAgentAtIdp({ name, publicKey: publicSshLine, idp });
-      consola22.success(`Registered as ${registration.email}`);
-      consola22.start("Issuing agent access token\u2026");
+      consola23.success(`Registered as ${registration.email}`);
+      consola23.start("Issuing agent access token\u2026");
       const { token, expiresIn } = await issueAgentToken({
         idp,
         agentEmail: registration.email,
@@ -2829,6 +3613,13 @@ and try again.`
           envFile: buildBridgeEnvFile(cfg)
         };
       })() : null;
+      const troopPlistLabel = `openape.troop.sync.${name}`;
+      const troopPlistPath = `${homeDir}/Library/LaunchAgents/${troopPlistLabel}.plist`;
+      const troop = {
+        plistLabel: troopPlistLabel,
+        plistPath: troopPlistPath,
+        plistContent: buildSyncPlist({ agentName: name, apesBin: apes, homeDir })
+      };
       const script = buildSpawnSetupScript({
         name,
         homeDir,
@@ -2839,16 +3630,18 @@ and try again.`
         claudeSettingsJson: includeClaudeHook ? CLAUDE_SETTINGS_JSON : null,
         hookScriptSource: includeClaudeHook ? BASH_VIA_APE_SHELL_HOOK_SOURCE : null,
         claudeOauthToken,
-        bridge
+        bridge,
+        troop
       });
-      writeFileSync3(scriptPath, script, { mode: 448 });
-      consola22.start("Running privileged setup as root via `apes run --as root --wait`\u2026");
-      consola22.info("You will be asked to approve the as=root grant in your DDISA inbox; this command blocks until you do.");
-      execFileSync5(apes, ["run", "--as", "root", "--wait", "--", "bash", scriptPath], { stdio: "inherit" });
-      consola22.success(`Agent ${name} spawned.`);
+      writeFileSync4(scriptPath, script, { mode: 448 });
+      consola23.start("Running privileged setup as root via `apes run --as root --wait`\u2026");
+      consola23.info("You will be asked to approve the as=root grant in your DDISA inbox; this command blocks until you do.");
+      execFileSync7(apes, ["run", "--as", "root", "--wait", "--", "bash", scriptPath], { stdio: "inherit" });
+      consola23.success(`Agent ${name} spawned.`);
+      consola23.info(`\u{1F517} Troop: https://troop.openape.ai/agents/${name}`);
       if (args.bridge) {
-        consola22.info(`On first boot, the bridge will send you a contact request from ${registration.email}.`);
-        consola22.info("Open chat.openape.ai and accept it to start chatting with the agent.");
+        consola23.info(`On first boot, the bridge will send you a contact request from ${registration.email}.`);
+        consola23.info("Open chat.openape.ai and accept it to start chatting with the agent.");
       }
       console.log("");
       console.log("Run as the agent with:");
@@ -2881,31 +3674,344 @@ async function resolveClaudeToken(opts) {
   return raw;
 }
 
+// src/commands/agents/sync.ts
+import { existsSync as existsSync9, mkdirSync as mkdirSync4, readFileSync as readFileSync10, writeFileSync as writeFileSync6 } from "fs";
+import { homedir as homedir10 } from "os";
+import { join as join8 } from "path";
+import { defineCommand as defineCommand27 } from "citty";
+import consola24 from "consola";
+
+// src/lib/launchd-reconcile.ts
+import { execFileSync as execFileSync8 } from "child_process";
+import { mkdirSync as mkdirSync3, readdirSync, readFileSync as readFileSync9, unlinkSync, writeFileSync as writeFileSync5 } from "fs";
+import { homedir as homedir9, userInfo as userInfo2 } from "os";
+import { join as join7 } from "path";
+var PLIST_PREFIX = "openape.troop.";
+function plistDir() {
+  return join7(homedir9(), "Library", "LaunchAgents");
+}
+function plistPath(agentName, taskId) {
+  return join7(plistDir(), `${PLIST_PREFIX}${agentName}.${taskId}.plist`);
+}
+function plistLabel(agentName, taskId) {
+  return `${PLIST_PREFIX}${agentName}.${taskId}`;
+}
+function fieldValues(token, range) {
+  const [min, max] = range;
+  if (token === "*") return null;
+  if (token.startsWith("*/")) {
+    const step = Number(token.slice(2));
+    if (!Number.isInteger(step) || step < 1) return [];
+    const values = [];
+    for (let i = min; i <= max; i++) {
+      if (i % step === 0) values.push(i);
+    }
+    return values;
+  }
+  const n = Number(token);
+  return Number.isInteger(n) ? [n] : [];
+}
+function cronToSchedule(expr) {
+  const parts = expr.trim().split(/\s+/);
+  if (parts.length !== 5) return [];
+  const [m, h, dom, mo, dow] = parts;
+  const minutes = fieldValues(m, [0, 59]);
+  const hours = fieldValues(h, [0, 23]);
+  const doms = fieldValues(dom, [1, 31]);
+  const months = fieldValues(mo, [1, 12]);
+  const dows = fieldValues(dow, [0, 7]);
+  const slots = [];
+  const minList = minutes ?? [null];
+  const hourList = hours ?? [null];
+  const domList = doms ?? [null];
+  const monthList = months ?? [null];
+  const dowList = dows ?? [null];
+  for (const M of minList) {
+    for (const H of hourList) {
+      for (const D of domList) {
+        for (const Mo of monthList) {
+          for (const W of dowList) {
+            const slot = {};
+            if (M !== null) slot.Minute = M;
+            if (H !== null) slot.Hour = H;
+            if (D !== null) slot.Day = D;
+            if (Mo !== null) slot.Month = Mo;
+            if (W !== null) slot.Weekday = W === 7 ? 0 : W;
+            slots.push(slot);
+          }
+        }
+      }
+    }
+  }
+  return slots;
+}
+function escape2(s) {
+  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
+}
+function plistBody(input) {
+  const calendarBlocks = input.schedule.map((slot) => {
+    const lines = [];
+    if (slot.Minute !== void 0) lines.push(`      <key>Minute</key><integer>${slot.Minute}</integer>`);
+    if (slot.Hour !== void 0) lines.push(`      <key>Hour</key><integer>${slot.Hour}</integer>`);
+    if (slot.Day !== void 0) lines.push(`      <key>Day</key><integer>${slot.Day}</integer>`);
+    if (slot.Month !== void 0) lines.push(`      <key>Month</key><integer>${slot.Month}</integer>`);
+    if (slot.Weekday !== void 0) lines.push(`      <key>Weekday</key><integer>${slot.Weekday}</integer>`);
+    return `    <dict>
+${lines.join("\n")}
+    </dict>`;
+  }).join("\n");
+  const calendarKey = input.schedule.length === 1 ? `  <key>StartCalendarInterval</key>
+  <dict>
+${calendarBlocks.replace(/^ {4}/gm, "  ").replace(/^ {2}<dict>\n|\n {2}<\/dict>$/g, "")}
+  </dict>` : `  <key>StartCalendarInterval</key>
+  <array>
+${calendarBlocks}
+  </array>`;
+  return `<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>Label</key>
+  <string>${escape2(input.label)}</string>
+  <key>ProgramArguments</key>
+  <array>
+    <string>${escape2(input.apesBin)}</string>
+    <string>agents</string>
+    <string>run</string>
+    <string>${escape2(input.taskId)}</string>
+  </array>
+  <key>WorkingDirectory</key>
+  <string>${escape2(input.homeDir)}</string>
+  <key>EnvironmentVariables</key>
+  <dict>
+    <key>HOME</key>
+    <string>${escape2(input.homeDir)}</string>
+  </dict>
+${calendarKey}
+  <key>StandardOutPath</key>
+  <string>${escape2(input.homeDir)}/Library/Logs/openape-troop-${escape2(input.taskId)}.log</string>
+  <key>StandardErrorPath</key>
+  <string>${escape2(input.homeDir)}/Library/Logs/openape-troop-${escape2(input.taskId)}.log</string>
+</dict>
+</plist>
+`;
+}
+function buildPlistContent(args) {
+  return plistBody({
+    label: plistLabel(args.agentName, args.task.taskId),
+    apesBin: args.apesBin,
+    taskId: args.task.taskId,
+    schedule: cronToSchedule(args.task.cron),
+    homeDir: args.homeDir
+  });
+}
+function uid() {
+  return userInfo2().uid;
+}
+function bootstrap(label, path2) {
+  try {
+    execFileSync8("/bin/launchctl", ["bootout", `gui/${uid()}/${label}`], { stdio: "ignore" });
+  } catch {
+  }
+  execFileSync8("/bin/launchctl", ["bootstrap", `gui/${uid()}`, path2], { stdio: "ignore" });
+}
+function bootout(label) {
+  try {
+    execFileSync8("/bin/launchctl", ["bootout", `gui/${uid()}/${label}`], { stdio: "ignore" });
+  } catch {
+  }
+}
+function reconcile(input) {
+  mkdirSync3(plistDir(), { recursive: true });
+  const present = readdirSync(plistDir()).filter((f) => f.startsWith(`${PLIST_PREFIX}${input.agentName}.`) && f.endsWith(".plist"));
+  const presentTaskIds = new Set(
+    present.map((f) => f.slice(`${PLIST_PREFIX}${input.agentName}.`.length, -".plist".length))
+  );
+  const desiredById = new Map(input.desired.map((t) => [t.taskId, t]));
+  const result = { added: [], updated: [], removed: [], unchanged: [] };
+  for (const taskId of presentTaskIds) {
+    if (!desiredById.has(taskId)) {
+      const path2 = plistPath(input.agentName, taskId);
+      bootout(plistLabel(input.agentName, taskId));
+      try {
+        unlinkSync(path2);
+      } catch {
+      }
+      result.removed.push(taskId);
+    }
+  }
+  for (const task of input.desired) {
+    const path2 = plistPath(input.agentName, task.taskId);
+    const desiredContent = buildPlistContent({
+      agentName: input.agentName,
+      apesBin: input.apesBin,
+      homeDir: input.homeDir,
+      task
+    });
+    let existingContent = "";
+    try {
+      existingContent = readFileSync9(path2, "utf8");
+    } catch {
+    }
+    if (existingContent === desiredContent) {
+      if (task.enabled) bootstrap(plistLabel(input.agentName, task.taskId), path2);
+      else bootout(plistLabel(input.agentName, task.taskId));
+      result.unchanged.push(task.taskId);
+      continue;
+    }
+    writeFileSync5(path2, desiredContent, { mode: 420 });
+    if (task.enabled) bootstrap(plistLabel(input.agentName, task.taskId), path2);
+    else bootout(plistLabel(input.agentName, task.taskId));
+    if (presentTaskIds.has(task.taskId)) result.updated.push(task.taskId);
+    else result.added.push(task.taskId);
+  }
+  return result;
+}
+
+// src/lib/macos-host.ts
+import { execFileSync as execFileSync9 } from "child_process";
+import { hostname as hostname3 } from "os";
+function getHostId() {
+  try {
+    const output = execFileSync9(
+      "/usr/sbin/ioreg",
+      ["-d2", "-c", "IOPlatformExpertDevice"],
+      { encoding: "utf8", timeout: 2e3 }
+    );
+    const match = output.match(/"IOPlatformUUID"\s*=\s*"([^"]+)"/);
+    return match ? match[1].trim().toLowerCase() : "";
+  } catch {
+    return "";
+  }
+}
+function getHostname() {
+  try {
+    return hostname3();
+  } catch {
+    return "";
+  }
+}
+
+// src/commands/agents/sync.ts
+var AUTH_PATH3 = join8(homedir10(), ".config", "apes", "auth.json");
+var TASK_CACHE_DIR2 = join8(homedir10(), ".openape", "agent", "tasks");
+function readAuthJson() {
+  if (!existsSync9(AUTH_PATH3)) {
+    throw new CliError(
+      `No agent auth found at ${AUTH_PATH3}. Run \`apes agents spawn <name>\` to provision an agent first.`
+    );
+  }
+  const raw = readFileSync10(AUTH_PATH3, "utf8");
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch (err) {
+    throw new CliError(`${AUTH_PATH3} is not valid JSON: ${err.message}`);
+  }
+  if (!parsed.access_token) throw new CliError(`${AUTH_PATH3} is missing access_token`);
+  if (!parsed.email) throw new CliError(`${AUTH_PATH3} is missing email`);
+  if (!parsed.email.startsWith("agent+")) {
+    throw new CliError(
+      `${AUTH_PATH3} email is "${parsed.email}" \u2014 expected an agent+name+domain@idp address. Run \`apes agents spawn\` rather than calling sync from a human user.`
+    );
+  }
+  return parsed;
+}
+function agentNameFromEmail(email) {
+  const m = email.match(/^agent\+([^+]+)\+/);
+  if (!m) throw new CliError(`agent email "${email}" does not match agent+name+domain pattern`);
+  return m[1];
+}
+function findApesBin() {
+  const argv1 = process.argv[1];
+  if (argv1 && existsSync9(argv1)) return argv1;
+  for (const candidate of ["/opt/homebrew/bin/apes", "/usr/local/bin/apes"]) {
+    if (existsSync9(candidate)) return candidate;
+  }
+  throw new CliError("Could not locate the apes binary path for launchd. Set APES_BIN env var to point at it.");
+}
+var syncAgentCommand = defineCommand27({
+  meta: {
+    name: "sync",
+    description: "Pull this agent's task list from troop.openape.ai and reconcile launchd plists"
+  },
+  args: {
+    "troop-url": {
+      type: "string",
+      description: "Override troop SP base URL (default: $OPENAPE_TROOP_URL or https://troop.openape.ai)"
+    }
+  },
+  async run({ args }) {
+    const auth = readAuthJson();
+    const agentName = agentNameFromEmail(auth.email);
+    const troopUrl = resolveTroopUrl(args["troop-url"]);
+    const client = new TroopClient(troopUrl, auth.access_token);
+    const hostId = getHostId();
+    const host = getHostname();
+    if (!hostId) {
+      throw new CliError("Could not read IOPlatformUUID \u2014 is this macOS? Troop sync only works on macOS for v1.");
+    }
+    if (!auth.owner_email) {
+      throw new CliError(`${AUTH_PATH3} is missing owner_email \u2014 re-run \`apes agents spawn\` to update.`);
+    }
+    consola24.start(`Syncing ${agentName} (${host}, hostId ${hostId.slice(0, 8)}\u2026) with ${troopUrl}`);
+    const sync = await client.sync({
+      hostname: host,
+      hostId,
+      ownerEmail: auth.owner_email
+    });
+    consola24.info(sync.first_sync ? "\u2713 first sync \u2014 agent registered" : "\u2713 presence updated");
+    const tasks = await client.listTasks();
+    consola24.info(`Pulled ${tasks.length} task${tasks.length === 1 ? "" : "s"}`);
+    mkdirSync4(TASK_CACHE_DIR2, { recursive: true });
+    for (const task of tasks) {
+      const path2 = join8(TASK_CACHE_DIR2, `${task.taskId}.json`);
+      writeFileSync6(path2, `${JSON.stringify(task, null, 2)}
+`, { mode: 384 });
+    }
+    const apesBin = findApesBin();
+    const result = reconcile({
+      agentName,
+      apesBin,
+      homeDir: homedir10(),
+      desired: tasks
+    });
+    if (result.added.length) consola24.success(`launchd: added ${result.added.join(", ")}`);
+    if (result.updated.length) consola24.success(`launchd: updated ${result.updated.join(", ")}`);
+    if (result.removed.length) consola24.warn(`launchd: removed ${result.removed.join(", ")}`);
+    if (result.unchanged.length) consola24.info(`launchd: ${result.unchanged.length} unchanged`);
+    consola24.success("Sync complete.");
+  }
+});
+
 // src/commands/agents/index.ts
-var agentsCommand = defineCommand25({
+var agentsCommand = defineCommand28({
   meta: {
     name: "agents",
-    description: "Manage owned agents (register, spawn, list, destroy, allow)"
+    description: "Manage owned agents (register, spawn, list, destroy, allow, sync, run, serve)"
   },
   subCommands: {
     register: registerAgentCommand,
     spawn: spawnAgentCommand,
     list: listAgentsCommand,
     destroy: destroyAgentCommand,
-    allow: allowAgentCommand
+    allow: allowAgentCommand,
+    sync: syncAgentCommand,
+    run: runAgentCommand,
+    serve: serveAgentCommand
   }
 });
 
 // src/commands/adapter/index.ts
-import { defineCommand as defineCommand26 } from "citty";
-import consola23 from "consola";
-var adapterCommand = defineCommand26({
+import { defineCommand as defineCommand29 } from "citty";
+import consola25 from "consola";
+var adapterCommand = defineCommand29({
   meta: {
     name: "adapter",
     description: "Manage CLI adapters"
   },
   subCommands: {
-    list: defineCommand26({
+    list: defineCommand29({
       meta: {
         name: "list",
         description: "List available adapters"
@@ -2936,7 +4042,7 @@ var adapterCommand = defineCommand26({
 `);
             return;
           }
-          consola23.info(`Registry: ${index2.adapters.length} adapters (${index2.generated_at})`);
+          consola25.info(`Registry: ${index2.adapters.length} adapters (${index2.generated_at})`);
           for (const a of index2.adapters) {
             const installed = isInstalled(a.id, false) ? " [installed]" : "";
             console.log(`  ${a.id.padEnd(12)} ${a.name.padEnd(24)} ${a.category}${installed}`);
@@ -2958,7 +4064,7 @@ var adapterCommand = defineCommand26({
           return;
         }
         if (local.length === 0) {
-          consola23.info("No adapters installed. Use `apes adapter list --remote` to see available adapters.");
+          consola25.info("No adapters installed. Use `apes adapter list --remote` to see available adapters.");
           return;
         }
         for (const a of local) {
@@ -2966,7 +4072,7 @@ var adapterCommand = defineCommand26({
         }
       }
     }),
-    install: defineCommand26({
+    install: defineCommand29({
       meta: {
         name: "install",
         description: "Install an adapter from the registry"
@@ -2995,24 +4101,24 @@ var adapterCommand = defineCommand26({
         for (const id of ids) {
           const entry = findAdapter(index, id);
           if (!entry) {
-            consola23.error(`Adapter "${id}" not found in registry. Use \`apes adapter search ${id}\` to search.`);
+            consola25.error(`Adapter "${id}" not found in registry. Use \`apes adapter search ${id}\` to search.`);
             continue;
           }
           const conflicts = findConflictingAdapters(entry.executable, id);
           if (conflicts.length > 0) {
             for (const c of conflicts) {
-              consola23.warn(`Conflicting adapter found: ${c.path} (id: ${c.adapterId}, executable: ${c.executable})`);
-              consola23.warn(`  Remove it with: apes adapter remove ${c.adapterId}`);
+              consola25.warn(`Conflicting adapter found: ${c.path} (id: ${c.adapterId}, executable: ${c.executable})`);
+              consola25.warn(`  Remove it with: apes adapter remove ${c.adapterId}`);
             }
           }
           const result = await installAdapter(entry, { local });
           const verb = result.updated ? "Updated" : "Installed";
-          consola23.success(`${verb} ${result.id} \u2192 ${result.path}`);
-          consola23.info(`Digest: ${result.digest}`);
+          consola25.success(`${verb} ${result.id} \u2192 ${result.path}`);
+          consola25.info(`Digest: ${result.digest}`);
         }
       }
     }),
-    remove: defineCommand26({
+    remove: defineCommand29({
       meta: {
         name: "remove",
         description: "Remove an installed adapter"
@@ -3035,9 +4141,9 @@ var adapterCommand = defineCommand26({
         let failed = false;
         for (const id of ids) {
           if (removeAdapter(id, local)) {
-            consola23.success(`Removed adapter: ${id}`);
+            consola25.success(`Removed adapter: ${id}`);
           } else {
-            consola23.error(`Adapter "${id}" is not installed${local ? " locally" : ""}`);
+            consola25.error(`Adapter "${id}" is not installed${local ? " locally" : ""}`);
             failed = true;
           }
         }
@@ -3045,7 +4151,7 @@ var adapterCommand = defineCommand26({
           throw new CliError("Some adapters could not be removed");
       }
     }),
-    info: defineCommand26({
+    info: defineCommand29({
       meta: {
         name: "info",
         description: "Show detailed adapter information"
@@ -3087,7 +4193,7 @@ var adapterCommand = defineCommand26({
         }
       }
     }),
-    search: defineCommand26({
+    search: defineCommand29({
       meta: {
         name: "search",
         description: "Search adapters in the registry"
@@ -3119,7 +4225,7 @@ var adapterCommand = defineCommand26({
           return;
         }
         if (results.length === 0) {
-          consola23.info(`No adapters matching "${query}"`);
+          consola25.info(`No adapters matching "${query}"`);
           return;
         }
         for (const a of results) {
@@ -3128,7 +4234,7 @@ var adapterCommand = defineCommand26({
         }
       }
     }),
-    update: defineCommand26({
+    update: defineCommand29({
       meta: {
         name: "update",
         description: "Update installed adapters"
@@ -3154,33 +4260,33 @@ var adapterCommand = defineCommand26({
         const targetId = args.id ? String(args.id) : void 0;
         const targets = targetId ? [targetId] : index.adapters.map((a) => a.id).filter((id) => isInstalled(id, false));
         if (targets.length === 0) {
-          consola23.info("No adapters installed to update.");
+          consola25.info("No adapters installed to update.");
           return;
         }
         for (const id of targets) {
           const entry = findAdapter(index, id);
           if (!entry) {
-            consola23.warn(`${id}: not found in registry, skipping`);
+            consola25.warn(`${id}: not found in registry, skipping`);
             continue;
           }
           const localDigest = getInstalledDigest(id, false);
           if (localDigest === entry.digest) {
-            consola23.info(`${id}: already up to date`);
+            consola25.info(`${id}: already up to date`);
             continue;
           }
           if (localDigest && !args.yes) {
-            consola23.warn(`${id}: digest will change \u2014 existing grants for this adapter will be invalidated`);
-            consola23.info(`  Old: ${localDigest}`);
-            consola23.info(`  New: ${entry.digest}`);
-            consola23.info("  Use --yes to confirm");
+            consola25.warn(`${id}: digest will change \u2014 existing grants for this adapter will be invalidated`);
+            consola25.info(`  Old: ${localDigest}`);
+            consola25.info(`  New: ${entry.digest}`);
+            consola25.info("  Use --yes to confirm");
             continue;
           }
           const result = await installAdapter(entry);
-          consola23.success(`Updated ${result.id} \u2192 ${result.path}`);
+          consola25.success(`Updated ${result.id} \u2192 ${result.path}`);
         }
       }
     }),
-    verify: defineCommand26({
+    verify: defineCommand29({
       meta: {
         name: "verify",
         description: "Verify installed adapter against registry digest"
@@ -3213,7 +4319,7 @@ var adapterCommand = defineCommand26({
         if (!localDigest)
           throw new Error(`Adapter "${id}" is not installed${local ? " locally" : ""}`);
         if (localDigest === entry.digest) {
-          consola23.success(`${id}: digest matches registry`);
+          consola25.success(`${id}: digest matches registry`);
         } else {
           console.log(`  Local:    ${localDigest}`);
           console.log(`  Registry: ${entry.digest}`);
@@ -3225,11 +4331,11 @@ var adapterCommand = defineCommand26({
 });
 
 // src/commands/run.ts
-import { execFileSync as execFileSync6 } from "child_process";
-import { hostname as hostname3 } from "os";
+import { execFileSync as execFileSync10 } from "child_process";
+import { hostname as hostname4 } from "os";
 import { basename } from "path";
-import { defineCommand as defineCommand27 } from "citty";
-import consola24 from "consola";
+import { defineCommand as defineCommand30 } from "citty";
+import consola26 from "consola";
 function shouldWaitForGrant(args) {
   return args.wait === true || process.env.APE_WAIT === "1";
 }
@@ -3266,7 +4372,7 @@ function printPendingGrantInfo(grant, idp) {
   const statusCmd = `apes grants status ${grant.id}`;
   const executeCmd = `apes grants run ${grant.id}`;
   if (mode === "human") {
-    consola24.success(`Grant ${grant.id} created \u2014 awaiting your approval`);
+    consola26.success(`Grant ${grant.id} created \u2014 awaiting your approval`);
     console.log(`  Approve in browser:  ${approveUrl}`);
     console.log(`  Check status:        ${statusCmd}`);
     console.log(`  Run after approval:  ${executeCmd}`);
@@ -3276,7 +4382,7 @@ function printPendingGrantInfo(grant, idp) {
     return;
   }
   const maxMin = getPollMaxMinutes();
-  consola24.success(`Grant ${grant.id} created (pending approval)`);
+  consola26.success(`Grant ${grant.id} created (pending approval)`);
   console.log(`  Approve:   ${approveUrl}`);
   console.log(`  Status:    ${statusCmd} [--json]`);
   console.log(`  Execute:   ${executeCmd} --wait`);
@@ -3298,7 +4404,7 @@ function printPendingGrantInfo(grant, idp) {
   console.log('  Tip: Approve as "timed" or "always" in the browser to let this');
   console.log("  grant be reused on subsequent invocations without re-approval.");
 }
-var runCommand = defineCommand27({
+var runCommand = defineCommand30({
   meta: {
     name: "run",
     description: "Execute a grant-secured command"
@@ -3387,7 +4493,7 @@ async function runShellMode(command, args) {
   const adapterHandled = await tryAdapterModeFromShell(command, idp, args);
   if (adapterHandled) return;
   const grantsUrl = await getGrantsEndpoint(idp);
-  const targetHost = args.host || hostname3();
+  const targetHost = args.host || hostname4();
   try {
     const grants = await apiFetch(
       `${grantsUrl}?requester=${encodeURIComponent(auth.email)}&status=approved&limit=20`
@@ -3401,7 +4507,7 @@ async function runShellMode(command, args) {
     }
   } catch {
   }
-  consola24.info(`Requesting ape-shell session grant on ${targetHost}`);
+  consola26.info(`Requesting ape-shell session grant on ${targetHost}`);
   const grant = await apiFetch(grantsUrl, {
     method: "POST",
     body: {
@@ -3421,8 +4527,8 @@ async function runShellMode(command, args) {
     host: targetHost
   });
   if (shouldWaitForGrant(args)) {
-    consola24.info(`Grant requested: ${grant.id}`);
-    consola24.info("Waiting for approval...");
+    consola26.info(`Grant requested: ${grant.id}`);
+    consola26.info("Waiting for approval...");
     const maxWait = 3e5;
     const interval = 3e3;
     const start = Date.now();
@@ -3453,13 +4559,13 @@ async function tryAdapterModeFromShell(command, idp, args) {
   try {
     resolved = await resolveCommand(loaded, [normalizedExecutable, ...parsed.argv]);
   } catch (err) {
-    consola24.debug(`ape-shell: adapter resolve failed for "${parsed.raw}":`, err);
+    consola26.debug(`ape-shell: adapter resolve failed for "${parsed.raw}":`, err);
     return false;
   }
   try {
     const existingGrantId = await findExistingGrant(resolved, idp);
     if (existingGrantId) {
-      consola24.info(`Reusing grant ${existingGrantId} for: ${resolved.detail.display}`);
+      consola26.info(`Reusing grant ${existingGrantId} for: ${resolved.detail.display}`);
       const token = await fetchGrantToken(idp, existingGrantId);
       await verifyAndExecute(token, resolved, existingGrantId);
       return true;
@@ -3467,7 +4573,7 @@ async function tryAdapterModeFromShell(command, idp, args) {
   } catch {
   }
   const approval = args.approval ?? "once";
-  consola24.info(`Requesting grant for: ${resolved.detail.display}`);
+  consola26.info(`Requesting grant for: ${resolved.detail.display}`);
   const grant = await createShapesGrant(resolved, {
     idp,
     approval,
@@ -3475,19 +4581,19 @@ async function tryAdapterModeFromShell(command, idp, args) {
   });
   if (grant.similar_grants?.similar_grants?.length) {
     const n = grant.similar_grants.similar_grants.length;
-    consola24.info("");
-    consola24.info(`  Similar grant(s) found (${n}). Your approver can extend an existing grant to cover this request.`);
+    consola26.info("");
+    consola26.info(`  Similar grant(s) found (${n}). Your approver can extend an existing grant to cover this request.`);
   }
   notifyGrantPending({
     grantId: grant.id,
     approveUrl: `${idp}/grant-approval?grant_id=${grant.id}`,
     command: resolved.detail?.display || parsed?.raw || "unknown",
     audience: resolved.adapter?.cli?.audience ?? "shapes",
-    host: args.host || hostname3()
+    host: args.host || hostname4()
   });
   if (shouldWaitForGrant(args)) {
-    consola24.info(`Grant requested: ${grant.id}`);
-    consola24.info(`Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
+    consola26.info(`Grant requested: ${grant.id}`);
+    consola26.info(`Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
     const status = await waitForGrantStatus(idp, grant.id);
     if (status !== "approved")
       throw new CliError(`Grant ${status}`);
@@ -3503,7 +4609,7 @@ function execShellCommand(command) {
     throw new CliError("No command to execute");
   try {
     const { APES_SHELL_WRAPPER: _wrapperMarker, ...inheritedEnv } = process.env;
-    execFileSync6(command[0], command.slice(1), {
+    execFileSync10(command[0], command.slice(1), {
       stdio: "inherit",
       env: inheritedEnv
     });
@@ -3561,7 +4667,7 @@ async function runAdapterMode(command, rawArgs, args) {
   try {
     const existingGrantId = await findExistingGrant(resolved, idp);
     if (existingGrantId) {
-      consola24.info(`Reusing existing grant: ${existingGrantId}`);
+      consola26.info(`Reusing existing grant: ${existingGrantId}`);
       const token = await fetchGrantToken(idp, existingGrantId);
       await verifyAndExecute(token, resolved, existingGrantId);
       return;
@@ -3575,17 +4681,17 @@ async function runAdapterMode(command, rawArgs, args) {
   });
   if (grant.similar_grants?.similar_grants?.length) {
     const n = grant.similar_grants.similar_grants.length;
-    consola24.info("");
-    consola24.info(`  Similar grant(s) found (${n}). Your approver can extend an existing grant to cover this request.`);
+    consola26.info("");
+    consola26.info(`  Similar grant(s) found (${n}). Your approver can extend an existing grant to cover this request.`);
     if (grant.similar_grants.widened_details?.length) {
       const wider = grant.similar_grants.widened_details.map((d) => d.permission).join(", ");
-      consola24.info(`  Broader scope: ${wider}`);
+      consola26.info(`  Broader scope: ${wider}`);
     }
-    consola24.info("");
+    consola26.info("");
   }
   if (shouldWaitForGrant(args)) {
-    consola24.info(`Grant requested: ${grant.id}`);
-    consola24.info(`Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
+    consola26.info(`Grant requested: ${grant.id}`);
+    consola26.info(`Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
     const status = await waitForGrantStatus(idp, grant.id);
     if (status !== "approved")
       throw new Error(`Grant ${status}`);
@@ -3604,8 +4710,8 @@ async function runAudienceMode(audience, action, args) {
   const idp = getIdpUrl(args.idp);
   const grantsUrl = await getGrantsEndpoint(idp);
   const command = action.split(" ");
-  const targetHost = args.host || hostname3();
-  consola24.info(`Requesting ${audience} grant on ${targetHost}: ${command.join(" ")}`);
+  const targetHost = args.host || hostname4();
+  consola26.info(`Requesting ${audience} grant on ${targetHost}: ${command.join(" ")}`);
   const grant = await apiFetch(grantsUrl, {
     method: "POST",
     body: {
@@ -3622,9 +4728,9 @@ async function runAudienceMode(audience, action, args) {
     printPendingGrantInfo(grant, idp);
     throw new CliExit(getAsyncExitCode());
   }
-  consola24.success(`Grant requested: ${grant.id}`);
-  consola24.info(`Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
-  consola24.info("Waiting for approval...");
+  consola26.success(`Grant requested: ${grant.id}`);
+  consola26.info(`Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
+  consola26.info("Waiting for approval...");
   const maxWait = 15 * 60 * 1e3;
   const interval = 3e3;
   const start = Date.now();
@@ -3632,7 +4738,7 @@ async function runAudienceMode(audience, action, args) {
   while (Date.now() - start < maxWait) {
     const status = await apiFetch(`${grantsUrl}/${grant.id}`);
     if (status.status === "approved") {
-      consola24.success("Grant approved!");
+      consola26.success("Grant approved!");
       approved = true;
       break;
     }
@@ -3647,15 +4753,15 @@ async function runAudienceMode(audience, action, args) {
       `Grant approval timed out after ${minutes} min (still pending). Check your DDISA inbox at ${idp}/grant-approval?grant_id=${grant.id} \u2014 if approved later, re-run the same \`apes run\` command and it will reuse the grant.`
     );
   }
-  consola24.info("Fetching grant token...");
+  consola26.info("Fetching grant token...");
   const { authz_jwt } = await apiFetch(`${grantsUrl}/${grant.id}/token`, {
     method: "POST"
   });
   if (audience === "escapes") {
-    consola24.info(`Executing: ${command.join(" ")}`);
+    consola26.info(`Executing: ${command.join(" ")}`);
     try {
       const { APES_SHELL_WRAPPER: _wrapperMarker, ...inheritedEnv } = process.env;
-      execFileSync6(args["escapes-path"] || "escapes", ["--grant", authz_jwt, "--", ...command], {
+      execFileSync10(args["escapes-path"] || "escapes", ["--grant", authz_jwt, "--", ...command], {
         stdio: "inherit",
         env: inheritedEnv
       });
@@ -3670,8 +4776,8 @@ async function runAudienceMode(audience, action, args) {
 
 // src/commands/proxy.ts
 import { spawn as spawn2 } from "child_process";
-import { defineCommand as defineCommand28 } from "citty";
-import consola25 from "consola";
+import { defineCommand as defineCommand31 } from "citty";
+import consola27 from "consola";
 
 // src/proxy/config.ts
 function buildDefaultProxyConfigToml(opts) {
@@ -3705,10 +4811,10 @@ note = "VPC-internal hostname suffix"
 
 // src/proxy/local-proxy.ts
 import { spawn } from "child_process";
-import { mkdtempSync as mkdtempSync3, rmSync as rmSync3, writeFileSync as writeFileSync4 } from "fs";
+import { mkdtempSync as mkdtempSync3, rmSync as rmSync3, writeFileSync as writeFileSync7 } from "fs";
 import { createRequire } from "module";
 import { tmpdir as tmpdir3 } from "os";
-import { dirname as dirname2, join as join5, resolve as resolve3 } from "path";
+import { dirname as dirname3, join as join9, resolve as resolve4 } from "path";
 var require2 = createRequire(import.meta.url);
 function findProxyBin() {
   const pkgPath = require2.resolve("@openape/proxy/package.json");
@@ -3717,12 +4823,12 @@ function findProxyBin() {
   if (!binRel) {
     throw new Error("@openape/proxy is missing the openape-proxy bin entry");
   }
-  return resolve3(dirname2(pkgPath), binRel);
+  return resolve4(dirname3(pkgPath), binRel);
 }
 async function startEphemeralProxy(configToml) {
-  const tmpDir = mkdtempSync3(join5(tmpdir3(), "openape-proxy-"));
-  const configPath = join5(tmpDir, "config.toml");
-  writeFileSync4(configPath, configToml, { mode: 384 });
+  const tmpDir = mkdtempSync3(join9(tmpdir3(), "openape-proxy-"));
+  const configPath = join9(tmpDir, "config.toml");
+  writeFileSync7(configPath, configToml, { mode: 384 });
   const binPath = findProxyBin();
   const child = spawn(process.execPath, [binPath, "-c", configPath], {
     stdio: ["ignore", "pipe", "pipe"],
@@ -3814,10 +4920,10 @@ function resolveProxyConfigOptions() {
       77
     );
   }
-  consola25.info(`[apes proxy] IdP-mediated mode \u2014 agent=${auth.email}, idp=${auth.idp}`);
+  consola27.info(`[apes proxy] IdP-mediated mode \u2014 agent=${auth.email}, idp=${auth.idp}`);
   return { agentEmail: auth.email, idpUrl: auth.idp, mediated: true };
 }
-var proxyCommand = defineCommand28({
+var proxyCommand = defineCommand31({
   meta: {
     name: "proxy",
     description: "Run a command with HTTPS_PROXY routed through the OpenApe egress proxy."
@@ -3839,12 +4945,12 @@ var proxyCommand = defineCommand28({
     let close = null;
     if (reuseUrl) {
       proxyUrl = reuseUrl;
-      consola25.info(`[apes proxy] reusing existing proxy at ${proxyUrl}`);
+      consola27.info(`[apes proxy] reusing existing proxy at ${proxyUrl}`);
     } else {
       const ephemeral = await startEphemeralProxy(buildDefaultProxyConfigToml(resolveProxyConfigOptions()));
       proxyUrl = ephemeral.url;
       close = ephemeral.close;
-      consola25.info(`[apes proxy] started ephemeral proxy at ${proxyUrl}`);
+      consola27.info(`[apes proxy] started ephemeral proxy at ${proxyUrl}`);
     }
     const noProxy = process.env.NO_PROXY ?? process.env.no_proxy ?? "127.0.0.1,localhost";
     const childEnv = {
@@ -3876,7 +4982,7 @@ var proxyCommand = defineCommand28({
         else resolveExit(code ?? 0);
       });
       child.once("error", (err) => {
-        consola25.error(`[apes proxy] failed to spawn '${wrapped[0]}':`, err.message);
+        consola27.error(`[apes proxy] failed to spawn '${wrapped[0]}':`, err.message);
         resolveExit(127);
       });
     });
@@ -3890,8 +4996,8 @@ function signalNumber(signal) {
 }
 
 // src/commands/explain.ts
-import { defineCommand as defineCommand29 } from "citty";
-var explainCommand = defineCommand29({
+import { defineCommand as defineCommand32 } from "citty";
+var explainCommand = defineCommand32({
   meta: {
     name: "explain",
     description: "Show what permission a command would need"
@@ -3929,9 +5035,9 @@ var explainCommand = defineCommand29({
 });
 
 // src/commands/config/get.ts
-import { defineCommand as defineCommand30 } from "citty";
-import consola26 from "consola";
-var configGetCommand = defineCommand30({
+import { defineCommand as defineCommand33 } from "citty";
+import consola28 from "consola";
+var configGetCommand = defineCommand33({
   meta: {
     name: "get",
     description: "Get a configuration value"
@@ -3951,7 +5057,7 @@ var configGetCommand = defineCommand30({
         if (idp)
           console.log(idp);
         else
-          consola26.info("No IdP configured.");
+          consola28.info("No IdP configured.");
         break;
       }
       case "email": {
@@ -3959,7 +5065,7 @@ var configGetCommand = defineCommand30({
         if (auth?.email)
           console.log(auth.email);
         else
-          consola26.info("Not logged in.");
+          consola28.info("Not logged in.");
         break;
       }
       default: {
@@ -3972,7 +5078,7 @@ var configGetCommand = defineCommand30({
           if (sectionObj && field in sectionObj) {
             console.log(sectionObj[field]);
           } else {
-            consola26.info(`Key "${key}" not set.`);
+            consola28.info(`Key "${key}" not set.`);
           }
         } else {
           throw new CliError(`Unknown key: "${key}". Use: idp, email, defaults.idp, defaults.approval, agent.key, agent.email`);
@@ -3983,9 +5089,9 @@ var configGetCommand = defineCommand30({
 });
 
 // src/commands/config/set.ts
-import { defineCommand as defineCommand31 } from "citty";
-import consola27 from "consola";
-var configSetCommand = defineCommand31({
+import { defineCommand as defineCommand34 } from "citty";
+import consola29 from "consola";
+var configSetCommand = defineCommand34({
   meta: {
     name: "set",
     description: "Set a configuration value"
@@ -4021,12 +5127,12 @@ var configSetCommand = defineCommand31({
       throw new CliError(`Unknown section: "${section}". Use: defaults, agent`);
     }
     saveConfig(config);
-    consola27.success(`Set ${key} = ${value}`);
+    consola29.success(`Set ${key} = ${value}`);
   }
 });
 
 // src/commands/fetch/index.ts
-import { defineCommand as defineCommand32 } from "citty";
+import { defineCommand as defineCommand35 } from "citty";
 async function doRequest(method, url, body, contentType, raw, showHeaders) {
   const token = getAuthToken();
   if (!token) {
@@ -4062,13 +5168,13 @@ async function doRequest(method, url, body, contentType, raw, showHeaders) {
     throw new CliError(`HTTP ${response.status} ${response.statusText}`);
   }
 }
-var fetchCommand = defineCommand32({
+var fetchCommand = defineCommand35({
   meta: {
     name: "fetch",
     description: "Make authenticated HTTP requests"
   },
   subCommands: {
-    get: defineCommand32({
+    get: defineCommand35({
       meta: {
         name: "get",
         description: "GET request with auth token"
@@ -4094,7 +5200,7 @@ var fetchCommand = defineCommand32({
         await doRequest("GET", String(args.url), void 0, "application/json", Boolean(args.raw), Boolean(args.headers));
       }
     }),
-    post: defineCommand32({
+    post: defineCommand35({
       meta: {
         name: "post",
         description: "POST request with auth token"
@@ -4133,8 +5239,8 @@ var fetchCommand = defineCommand32({
 });
 
 // src/commands/mcp/index.ts
-import { defineCommand as defineCommand33 } from "citty";
-var mcpCommand = defineCommand33({
+import { defineCommand as defineCommand36 } from "citty";
+var mcpCommand = defineCommand36({
   meta: {
     name: "mcp",
     description: "Start MCP server for AI agents"
@@ -4157,48 +5263,48 @@ var mcpCommand = defineCommand33({
     if (transport !== "stdio" && transport !== "sse") {
       throw new Error('Transport must be "stdio" or "sse"');
     }
-    const { startMcpServer } = await import("./server-E26WAGHT.js");
+    const { startMcpServer } = await import("./server-75ZP2KCO.js");
     await startMcpServer(transport, port);
   }
 });
 
 // src/commands/init/index.ts
-import { existsSync as existsSync7, copyFileSync, writeFileSync as writeFileSync5 } from "fs";
+import { existsSync as existsSync10, copyFileSync, writeFileSync as writeFileSync8 } from "fs";
 import { randomBytes } from "crypto";
-import { execFileSync as execFileSync7 } from "child_process";
-import { join as join6 } from "path";
-import { defineCommand as defineCommand34 } from "citty";
-import consola28 from "consola";
+import { execFileSync as execFileSync11 } from "child_process";
+import { join as join10 } from "path";
+import { defineCommand as defineCommand37 } from "citty";
+import consola30 from "consola";
 var DEFAULT_IDP_URL = "https://id.openape.at";
 async function downloadTemplate(repo, targetDir) {
   const { downloadTemplate: gigetDownload } = await import("giget");
   await gigetDownload(`gh:${repo}`, { dir: targetDir, force: false });
 }
 function installDeps(dir) {
-  const hasLockFile = (name) => existsSync7(join6(dir, name));
+  const hasLockFile = (name) => existsSync10(join10(dir, name));
   if (hasLockFile("pnpm-lock.yaml")) {
-    execFileSync7("pnpm", ["install"], { cwd: dir, stdio: "inherit" });
+    execFileSync11("pnpm", ["install"], { cwd: dir, stdio: "inherit" });
   } else if (hasLockFile("bun.lockb")) {
-    execFileSync7("bun", ["install"], { cwd: dir, stdio: "inherit" });
+    execFileSync11("bun", ["install"], { cwd: dir, stdio: "inherit" });
   } else {
-    execFileSync7("npm", ["install"], { cwd: dir, stdio: "inherit" });
+    execFileSync11("npm", ["install"], { cwd: dir, stdio: "inherit" });
   }
 }
 async function promptChoice(message, choices) {
-  const result = await consola28.prompt(message, { type: "select", options: choices });
+  const result = await consola30.prompt(message, { type: "select", options: choices });
   if (typeof result === "symbol") {
     throw new CliExit(0);
   }
   return result;
 }
 async function promptText(message, defaultValue) {
-  const result = await consola28.prompt(message, { type: "text", default: defaultValue, placeholder: defaultValue });
+  const result = await consola30.prompt(message, { type: "text", default: defaultValue, placeholder: defaultValue });
   if (typeof result === "symbol") {
     throw new CliExit(0);
   }
   return result || defaultValue || "";
 }
-var initCommand = defineCommand34({
+var initCommand = defineCommand37({
   meta: {
     name: "init",
     description: "Scaffold a new OpenApe project"
@@ -4240,23 +5346,23 @@ var initCommand = defineCommand34({
 });
 async function initSP(targetDir) {
   const dir = targetDir || "my-app";
-  if (existsSync7(join6(dir, "package.json"))) {
+  if (existsSync10(join10(dir, "package.json"))) {
     throw new CliError(`Directory "${dir}" already contains a project.`);
   }
-  consola28.start("Scaffolding SP starter...");
+  consola30.start("Scaffolding SP starter...");
   await downloadTemplate("openape-ai/openape-sp-starter", dir);
-  consola28.success("Scaffolded from openape-sp-starter");
-  consola28.start("Installing dependencies...");
+  consola30.success("Scaffolded from openape-sp-starter");
+  consola30.start("Installing dependencies...");
   installDeps(dir);
-  consola28.success("Dependencies installed");
-  const envExample = join6(dir, ".env.example");
-  const envFile = join6(dir, ".env");
-  if (existsSync7(envExample) && !existsSync7(envFile)) {
+  consola30.success("Dependencies installed");
+  const envExample = join10(dir, ".env.example");
+  const envFile = join10(dir, ".env");
+  if (existsSync10(envExample) && !existsSync10(envFile)) {
     copyFileSync(envExample, envFile);
-    consola28.success(`\`.env\` created (using Free IdP at ${DEFAULT_IDP_URL})`);
+    consola30.success(`\`.env\` created (using Free IdP at ${DEFAULT_IDP_URL})`);
   }
   console.log("");
-  consola28.box([
+  consola30.box([
     `cd ${dir}`,
     "npm run dev",
     "",
@@ -4265,7 +5371,7 @@ async function initSP(targetDir) {
 }
 async function initIdP(targetDir) {
   const dir = targetDir || "my-idp";
-  if (existsSync7(join6(dir, "package.json"))) {
+  if (existsSync10(join10(dir, "package.json"))) {
     throw new CliError(`Directory "${dir}" already contains a project.`);
   }
   const domain = await promptText("Domain for the IdP", "localhost");
@@ -4275,15 +5381,15 @@ async function initIdP(targetDir) {
     "s3 (S3-compatible)"
   ]);
   const adminEmail = await promptText("Admin email");
-  consola28.start("Scaffolding IdP starter...");
+  consola30.start("Scaffolding IdP starter...");
   await downloadTemplate("openape-ai/openape-idp-starter", dir);
-  consola28.success("Scaffolded from openape-idp-starter");
-  consola28.start("Installing dependencies...");
+  consola30.success("Scaffolded from openape-idp-starter");
+  consola30.start("Installing dependencies...");
   installDeps(dir);
-  consola28.success("Dependencies installed");
+  consola30.success("Dependencies installed");
   const sessionSecret = randomBytes(32).toString("hex");
   const managementToken = randomBytes(32).toString("hex");
-  consola28.success("Secrets generated");
+  consola30.success("Secrets generated");
   const isLocalhost = domain === "localhost";
   const origin = isLocalhost ? "http://localhost:3000" : `https://${domain}`;
   const envContent = [
@@ -4297,11 +5403,11 @@ async function initIdP(targetDir) {
     `NUXT_OPENAPE_RP_ID=${domain}`,
     `NUXT_OPENAPE_RP_ORIGIN=${origin}`
   ].join("\n");
-  writeFileSync5(join6(dir, ".env"), `${envContent}
+  writeFileSync8(join10(dir, ".env"), `${envContent}
 `, { mode: 384 });
-  consola28.success(".env created");
+  consola30.success(".env created");
   console.log("");
-  consola28.box([
+  consola30.box([
     `cd ${dir}`,
     "npm run dev",
     "",
@@ -4318,11 +5424,11 @@ async function initIdP(targetDir) {
 
 // src/commands/enroll.ts
 import { Buffer as Buffer5 } from "buffer";
-import { existsSync as existsSync8, readFileSync as readFileSync6 } from "fs";
+import { existsSync as existsSync11, readFileSync as readFileSync11 } from "fs";
 import { execFile as execFile2 } from "child_process";
 import { sign as sign2 } from "crypto";
-import { defineCommand as defineCommand35 } from "citty";
-import consola29 from "consola";
+import { defineCommand as defineCommand38 } from "citty";
+import consola31 from "consola";
 var DEFAULT_IDP_URL2 = "https://id.openape.at";
 var DEFAULT_KEY_PATH = "~/.ssh/id_ed25519";
 var POLL_INTERVAL = 3e3;
@@ -4334,7 +5440,7 @@ function openBrowser2(url) {
 }
 async function pollForEnrollment(idp, agentEmail, keyPath) {
   const resolvedKey = resolveKeyPath(keyPath);
-  const keyContent = readFileSync6(resolvedKey, "utf-8");
+  const keyContent = readFileSync11(resolvedKey, "utf-8");
   const privateKey = loadEd25519PrivateKey(keyContent);
   const challengeUrl = await getAgentChallengeEndpoint(idp);
   const authenticateUrl = await getAgentAuthenticateEndpoint(idp);
@@ -4361,11 +5467,11 @@ async function pollForEnrollment(idp, agentEmail, keyPath) {
       }
     } catch {
     }
-    await new Promise((resolve4) => setTimeout(resolve4, POLL_INTERVAL));
+    await new Promise((resolve5) => setTimeout(resolve5, POLL_INTERVAL));
   }
   throw new Error("Enrollment timed out. Please check the browser and try again.");
 }
-var enrollCommand = defineCommand35({
+var enrollCommand = defineCommand38({
   meta: {
     name: "enroll",
     description: "Enroll an agent with an Identity Provider"
@@ -4385,38 +5491,38 @@ var enrollCommand = defineCommand35({
     }
   },
   async run({ args }) {
-    const idp = args.idp || await consola29.prompt("IdP URL", { type: "text", default: DEFAULT_IDP_URL2, placeholder: DEFAULT_IDP_URL2 }).then((r) => {
+    const idp = args.idp || await consola31.prompt("IdP URL", { type: "text", default: DEFAULT_IDP_URL2, placeholder: DEFAULT_IDP_URL2 }).then((r) => {
       if (typeof r === "symbol") throw new CliExit(0);
       return r;
     }) || DEFAULT_IDP_URL2;
-    const agentName = args.name || await consola29.prompt("Agent name", { type: "text", placeholder: "deploy-bot" }).then((r) => {
+    const agentName = args.name || await consola31.prompt("Agent name", { type: "text", placeholder: "deploy-bot" }).then((r) => {
       if (typeof r === "symbol") throw new CliExit(0);
       return r;
     });
     if (!agentName) {
       throw new CliError("Agent name is required.");
     }
-    const keyPath = args.key || await consola29.prompt("Ed25519 key", { type: "text", default: DEFAULT_KEY_PATH, placeholder: DEFAULT_KEY_PATH }).then((r) => {
+    const keyPath = args.key || await consola31.prompt("Ed25519 key", { type: "text", default: DEFAULT_KEY_PATH, placeholder: DEFAULT_KEY_PATH }).then((r) => {
       if (typeof r === "symbol") throw new CliExit(0);
       return r;
     }) || DEFAULT_KEY_PATH;
     const resolvedKey = resolveKeyPath(keyPath);
     let publicKey;
-    if (existsSync8(resolvedKey)) {
+    if (existsSync11(resolvedKey)) {
       publicKey = readPublicKey(resolvedKey);
-      consola29.success(`Using existing key ${keyPath}`);
+      consola31.success(`Using existing key ${keyPath}`);
     } else {
-      consola29.start(`Generating Ed25519 key pair at ${keyPath}...`);
+      consola31.start(`Generating Ed25519 key pair at ${keyPath}...`);
       publicKey = generateAndSaveKey(keyPath);
-      consola29.success(`Key pair generated at ${keyPath}`);
+      consola31.success(`Key pair generated at ${keyPath}`);
     }
     const encodedKey = encodeURIComponent(publicKey);
     const enrollUrl = `${idp}/enroll?name=${encodeURIComponent(agentName)}&key=${encodedKey}`;
-    consola29.info("Opening browser for enrollment...");
-    consola29.info(`\u2192 ${idp}/enroll`);
+    consola31.info("Opening browser for enrollment...");
+    consola31.info(`\u2192 ${idp}/enroll`);
     openBrowser2(enrollUrl);
     console.log("");
-    const agentEmail = await consola29.prompt(
+    const agentEmail = await consola31.prompt(
       "Agent email (shown in browser after enrollment)",
       { type: "text", placeholder: `agent+${agentName}@...` }
     ).then((r) => {
@@ -4426,7 +5532,7 @@ var enrollCommand = defineCommand35({
     if (!agentEmail) {
       throw new CliError("Agent email is required to verify enrollment.");
     }
-    consola29.start("Verifying enrollment...");
+    consola31.start("Verifying enrollment...");
     const { token, expiresIn } = await pollForEnrollment(idp, agentEmail, keyPath);
     saveAuth({
       idp,
@@ -4438,18 +5544,18 @@ var enrollCommand = defineCommand35({
     config.defaults = { ...config.defaults, idp };
     config.agent = { key: keyPath, email: agentEmail };
     saveConfig(config);
-    consola29.success(`Agent enrolled as ${agentEmail}`);
-    consola29.success("Config saved to ~/.config/apes/");
+    consola31.success(`Agent enrolled as ${agentEmail}`);
+    consola31.success("Config saved to ~/.config/apes/");
     console.log("");
-    consola29.info("Verify with: apes whoami");
+    consola31.info("Verify with: apes whoami");
   }
 });
 
 // src/commands/register-user.ts
-import { existsSync as existsSync9, readFileSync as readFileSync7 } from "fs";
-import { defineCommand as defineCommand36 } from "citty";
-import consola30 from "consola";
-var registerUserCommand = defineCommand36({
+import { existsSync as existsSync12, readFileSync as readFileSync12 } from "fs";
+import { defineCommand as defineCommand39 } from "citty";
+import consola32 from "consola";
+var registerUserCommand = defineCommand39({
   meta: {
     name: "register-user",
     description: "Register a sub-user with SSH key"
@@ -4485,8 +5591,8 @@ var registerUserCommand = defineCommand36({
       throw new CliError("No IdP URL configured. Run `apes login` first.");
     }
     let publicKey = args.key;
-    if (existsSync9(args.key)) {
-      publicKey = readFileSync7(args.key, "utf-8").trim();
+    if (existsSync12(args.key)) {
+      publicKey = readFileSync12(args.key, "utf-8").trim();
     }
     if (!publicKey.startsWith("ssh-ed25519 ")) {
       throw new CliError("Public key must be in ssh-ed25519 format.");
@@ -4504,18 +5610,18 @@ var registerUserCommand = defineCommand36({
         ...userType ? { type: userType } : {}
       }
     });
-    consola30.success(`User registered: ${result.email} (type: ${result.type}, owner: ${result.owner})`);
+    consola32.success(`User registered: ${result.email} (type: ${result.type}, owner: ${result.owner})`);
   }
 });
 
 // src/commands/utils/index.ts
-import { defineCommand as defineCommand38 } from "citty";
+import { defineCommand as defineCommand41 } from "citty";
 
 // src/commands/utils/dig.ts
-import { defineCommand as defineCommand37 } from "citty";
-import consola31 from "consola";
+import { defineCommand as defineCommand40 } from "citty";
+import consola33 from "consola";
 import { resolveDDISA as resolveDDISA2 } from "@openape/core";
-var digCommand = defineCommand37({
+var digCommand = defineCommand40({
   meta: {
     name: "dig",
     description: "Resolve DDISA IdP for a domain or email (admin/diag tool)"
@@ -4588,12 +5694,12 @@ var digCommand = defineCommand37({
     console.log(`  domain: ${domain}`);
     console.log("");
     if (!result.ddisa.found) {
-      consola31.warn(`No DDISA record at _ddisa.${domain}`);
+      consola33.warn(`No DDISA record at _ddisa.${domain}`);
       if (result.hint) console.log(`
 ${result.hint}`);
       throw new CliError(`No DDISA record found for ${domain}`);
     }
-    consola31.success(`_ddisa.${domain} \u2192 ${result.ddisa.idp}`);
+    consola33.success(`_ddisa.${domain} \u2192 ${result.ddisa.idp}`);
     console.log(`  Version:  ${result.ddisa.version || "ddisa1"}`);
     console.log(`  IdP URL:  ${result.ddisa.idp}`);
     if (result.ddisa.mode) console.log(`  Mode:     ${result.ddisa.mode}`);
@@ -4603,13 +5709,13 @@ ${result.hint}`);
       return;
     }
     if (result.idpDiscovery.ok) {
-      consola31.success(`IdP reachable (${result.idpDiscovery.status ?? 200})`);
+      consola33.success(`IdP reachable (${result.idpDiscovery.status ?? 200})`);
       if (result.idpDiscovery.issuer) console.log(`  Issuer:   ${result.idpDiscovery.issuer}`);
       if (result.idpDiscovery.ddisaVersion) console.log(`  DDISA:    v${result.idpDiscovery.ddisaVersion}`);
       if (result.idpDiscovery.authMethods?.length) console.log(`  Auth:     ${result.idpDiscovery.authMethods.join(", ")}`);
       if (result.idpDiscovery.grantTypes?.length) console.log(`  Grants:   ${result.idpDiscovery.grantTypes.join(", ")}`);
     } else {
-      consola31.warn(`IdP discovery failed${result.idpDiscovery.status ? ` (HTTP ${result.idpDiscovery.status})` : ""}`);
+      consola33.warn(`IdP discovery failed${result.idpDiscovery.status ? ` (HTTP ${result.idpDiscovery.status})` : ""}`);
       if (result.hint) console.log(`
 ${result.hint}`);
       throw new CliError(`IdP at ${result.ddisa.idp} not reachable`);
@@ -4618,7 +5724,7 @@ ${result.hint}`);
 });
 
 // src/commands/utils/index.ts
-var utilsCommand = defineCommand38({
+var utilsCommand = defineCommand41({
   meta: {
     name: "utils",
     description: "Admin/diagnostic utilities (dig, \u2026)"
@@ -4629,12 +5735,12 @@ var utilsCommand = defineCommand38({
 });
 
 // src/commands/sessions/index.ts
-import { defineCommand as defineCommand41 } from "citty";
+import { defineCommand as defineCommand44 } from "citty";
 
 // src/commands/sessions/list.ts
-import { defineCommand as defineCommand39 } from "citty";
-import consola32 from "consola";
-var sessionsListCommand = defineCommand39({
+import { defineCommand as defineCommand42 } from "citty";
+import consola34 from "consola";
+var sessionsListCommand = defineCommand42({
   meta: {
     name: "list",
     description: "List your active refresh-token families (one per logged-in device)."
@@ -4652,7 +5758,7 @@ var sessionsListCommand = defineCommand39({
       return;
     }
     if (result.data.length === 0) {
-      consola32.info("No active sessions.");
+      consola34.info("No active sessions.");
       return;
     }
     for (const f of result.data) {
@@ -4664,9 +5770,9 @@ var sessionsListCommand = defineCommand39({
 });
 
 // src/commands/sessions/remove.ts
-import { defineCommand as defineCommand40 } from "citty";
-import consola33 from "consola";
-var sessionsRemoveCommand = defineCommand40({
+import { defineCommand as defineCommand43 } from "citty";
+import consola35 from "consola";
+var sessionsRemoveCommand = defineCommand43({
   meta: {
     name: "remove",
     description: "Revoke one of your active refresh-token families by id."
@@ -4682,12 +5788,12 @@ var sessionsRemoveCommand = defineCommand40({
     const id = String(args.familyId).trim();
     if (!id) throw new CliError("familyId required");
     await apiFetch(`/api/me/sessions/${encodeURIComponent(id)}`, { method: "DELETE" });
-    consola33.success(`Session ${id} revoked. The device using it will need to \`apes login\` again on its next refresh.`);
+    consola35.success(`Session ${id} revoked. The device using it will need to \`apes login\` again on its next refresh.`);
   }
 });
 
 // src/commands/sessions/index.ts
-var sessionsCommand = defineCommand41({
+var sessionsCommand = defineCommand44({
   meta: {
     name: "sessions",
     description: "Manage your active refresh-token sessions across devices"
@@ -4699,10 +5805,10 @@ var sessionsCommand = defineCommand41({
 });
 
 // src/commands/dns-check.ts
-import { defineCommand as defineCommand42 } from "citty";
-import consola34 from "consola";
+import { defineCommand as defineCommand45 } from "citty";
+import consola36 from "consola";
 import { resolveDDISA as resolveDDISA3 } from "@openape/core";
-var dnsCheckCommand = defineCommand42({
+var dnsCheckCommand = defineCommand45({
   meta: {
     name: "dns-check",
     description: "Validate DDISA DNS TXT records for a domain"
@@ -4716,7 +5822,7 @@ var dnsCheckCommand = defineCommand42({
   },
   async run({ args }) {
     const domain = args.domain;
-    consola34.start(`Checking _ddisa.${domain}...`);
+    consola36.start(`Checking _ddisa.${domain}...`);
     try {
       const result = await resolveDDISA3(domain);
       if (!result) {
@@ -4725,7 +5831,7 @@ var dnsCheckCommand = defineCommand42({
         console.log(`  _ddisa.${domain} TXT "v=ddisa1 idp=https://id.${domain}"`);
         throw new CliError(`No DDISA record found for ${domain}`);
       }
-      consola34.success(`_ddisa.${domain} \u2192 ${result.idp}`);
+      consola36.success(`_ddisa.${domain} \u2192 ${result.idp}`);
       console.log("");
       console.log(`  Version:  ${result.version || "ddisa1"}`);
       console.log(`  IdP URL:  ${result.idp}`);
@@ -4734,14 +5840,14 @@ var dnsCheckCommand = defineCommand42({
       if (result.priority !== void 0)
         console.log(`  Priority: ${result.priority}`);
       console.log("");
-      consola34.start(`Verifying IdP at ${result.idp}...`);
+      consola36.start(`Verifying IdP at ${result.idp}...`);
       const discoResp = await fetch(`${result.idp}/.well-known/openid-configuration`);
       if (!discoResp.ok) {
-        consola34.warn(`IdP discovery failed (${discoResp.status}). Is the IdP running at ${result.idp}?`);
+        consola36.warn(`IdP discovery failed (${discoResp.status}). Is the IdP running at ${result.idp}?`);
         return;
       }
       const disco = await discoResp.json();
-      consola34.success(`IdP is reachable`);
+      consola36.success(`IdP is reachable`);
       console.log(`  Issuer:   ${disco.issuer}`);
       console.log(`  DDISA:    v${disco.ddisa_version || "?"}`);
       if (disco.ddisa_auth_methods_supported) {
@@ -4759,7 +5865,7 @@ var dnsCheckCommand = defineCommand42({
 // src/commands/health.ts
 import { exec } from "child_process";
 import { promisify } from "util";
-import { defineCommand as defineCommand43 } from "citty";
+import { defineCommand as defineCommand46 } from "citty";
 var execAsync = promisify(exec);
 async function resolveApeShellPath() {
   try {
@@ -4795,7 +5901,7 @@ async function bestEffortGrantCount(idp) {
   }
 }
 async function runHealth(args) {
-  const version = true ? "0.31.3" : "0.0.0";
+  const version = true ? "1.0.0" : "0.0.0";
   const auth = loadAuth();
   if (!auth) {
     throw new CliError("Not logged in. Run `apes login` first.", 1);
@@ -4858,7 +5964,7 @@ async function runHealth(args) {
     throw new CliError(`IdP ${auth.idp} unreachable: ${idpProbe.error}`, 1);
   }
 }
-var healthCommand = defineCommand43({
+var healthCommand = defineCommand46({
   meta: {
     name: "health",
     description: "Report CLI diagnostic state (auth, IdP, grants, binaries)"
@@ -4876,8 +5982,8 @@ var healthCommand = defineCommand43({
 });
 
 // src/commands/workflows.ts
-import { defineCommand as defineCommand44 } from "citty";
-import consola35 from "consola";
+import { defineCommand as defineCommand47 } from "citty";
+import consola37 from "consola";
 
 // src/guides/index.ts
 var guides = [
@@ -4927,7 +6033,7 @@ var guides = [
 ];
 
 // src/commands/workflows.ts
-var workflowsCommand = defineCommand44({
+var workflowsCommand = defineCommand47({
   meta: {
     name: "workflows",
     description: "Discover workflow guides"
@@ -4948,7 +6054,7 @@ var workflowsCommand = defineCommand44({
     if (args.id) {
       const guide = guides.find((g) => g.id === String(args.id));
       if (!guide) {
-        consola35.info(`Available: ${guides.map((g) => g.id).join(", ")}`);
+        consola37.info(`Available: ${guides.map((g) => g.id).join(", ")}`);
         throw new CliError(`Guide not found: ${args.id}`);
       }
       if (args.json) {
@@ -4988,26 +6094,26 @@ var workflowsCommand = defineCommand44({
 });
 
 // src/version-check.ts
-import { existsSync as existsSync10, mkdirSync as mkdirSync2, readFileSync as readFileSync8, writeFileSync as writeFileSync6 } from "fs";
-import { homedir as homedir6 } from "os";
-import { join as join7 } from "path";
-import consola36 from "consola";
+import { existsSync as existsSync13, mkdirSync as mkdirSync5, readFileSync as readFileSync13, writeFileSync as writeFileSync9 } from "fs";
+import { homedir as homedir11 } from "os";
+import { join as join11 } from "path";
+import consola38 from "consola";
 var PACKAGE_NAME = "@openape/apes";
 var CACHE_TTL_MS = 24 * 60 * 60 * 1e3;
-var CACHE_FILE = join7(homedir6(), ".config", "apes", ".version-check.json");
+var CACHE_FILE = join11(homedir11(), ".config", "apes", ".version-check.json");
 function readCache() {
-  if (!existsSync10(CACHE_FILE)) return null;
+  if (!existsSync13(CACHE_FILE)) return null;
   try {
-    return JSON.parse(readFileSync8(CACHE_FILE, "utf-8"));
+    return JSON.parse(readFileSync13(CACHE_FILE, "utf-8"));
   } catch {
     return null;
   }
 }
 function writeCache(entry) {
   try {
-    const dir = join7(homedir6(), ".config", "apes");
-    if (!existsSync10(dir)) mkdirSync2(dir, { recursive: true, mode: 448 });
-    writeFileSync6(CACHE_FILE, JSON.stringify(entry), { mode: 384 });
+    const dir = join11(homedir11(), ".config", "apes");
+    if (!existsSync13(dir)) mkdirSync5(dir, { recursive: true, mode: 448 });
+    writeFileSync9(CACHE_FILE, JSON.stringify(entry), { mode: 384 });
   } catch {
   }
 }
@@ -5036,7 +6142,7 @@ async function fetchLatestVersion() {
 }
 function warnIfBehind(currentVersion, latest) {
   if (compareSemver(currentVersion, latest) < 0) {
-    consola36.warn(
+    consola38.warn(
       `apes ${currentVersion} is behind latest @openape/apes@${latest}. Run \`npm i -g @openape/apes@latest\` to update. (Suppress with APES_NO_UPDATE_CHECK=1.)`
     );
   }
@@ -5068,10 +6174,10 @@ if (shellRewrite) {
   if (shellRewrite.action === "rewrite") {
     process.argv = shellRewrite.argv;
   } else if (shellRewrite.action === "version") {
-    console.log(`ape-shell ${"0.31.3"} (OpenApe DDISA shell wrapper)`);
+    console.log(`ape-shell ${"1.0.0"} (OpenApe DDISA shell wrapper)`);
     process.exit(0);
   } else if (shellRewrite.action === "help") {
-    console.log(`ape-shell ${"0.31.3"} \u2014 OpenApe DDISA shell wrapper`);
+    console.log(`ape-shell ${"1.0.0"} \u2014 OpenApe DDISA shell wrapper`);
     console.log("");
     console.log("Usage:");
     console.log("  ape-shell                 Start interactive grant-mediated REPL");
@@ -5095,7 +6201,7 @@ if (shellRewrite) {
   }
 }
 var debug = process.argv.includes("--debug");
-var grantsCommand = defineCommand45({
+var grantsCommand = defineCommand48({
   meta: {
     name: "grants",
     description: "Grant management"
@@ -5116,7 +6222,7 @@ var grantsCommand = defineCommand45({
     "delegation-revoke": delegationRevokeCommand
   }
 });
-var configCommand = defineCommand45({
+var configCommand = defineCommand48({
   meta: {
     name: "config",
     description: "Configuration management"
@@ -5126,10 +6232,10 @@ var configCommand = defineCommand45({
     set: configSetCommand
   }
 });
-var main = defineCommand45({
+var main = defineCommand48({
   meta: {
     name: "apes",
-    version: "0.31.3",
+    version: "1.0.0",
     description: "Unified CLI for OpenApe"
   },
   subCommands: {
@@ -5184,20 +6290,20 @@ async function maybeRefreshAuth() {
   }
 }
 await maybeRefreshAuth();
-await maybeWarnStaleVersion("0.31.3").catch(() => {
+await maybeWarnStaleVersion("1.0.0").catch(() => {
 });
 runMain(main).catch((err) => {
   if (err instanceof CliExit) {
     process.exit(err.exitCode);
   }
   if (err instanceof CliError) {
-    consola37.error(err.message);
+    consola39.error(err.message);
     process.exit(err.exitCode);
   }
   if (debug) {
-    consola37.error(err);
+    consola39.error(err);
   } else {
-    consola37.error(err instanceof ApiError ? err.message : err instanceof Error ? err.message : String(err));
+    consola39.error(err instanceof ApiError ? err.message : err instanceof Error ? err.message : String(err));
   }
   process.exit(1);
 });