@openape/apes 0.5.5 → 0.6.1

package/dist/cli.js

@@ -1,29 +1,72 @@
 #!/usr/bin/env node
 import {
+  CliError,
+  CliExit,
   parseDuration
-} from "./chunk-AGHP6MNV.js";
+} from "./chunk-ZSJU7IXE.js";
 import {
   loadEd25519PrivateKey
 } from "./chunk-KVBHBOED.js";
 import {
   ApiError,
   apiFetch,
+  buildStructuredCliGrantRequest,
   clearAuth,
+  createShapesGrant,
+  extractOption,
+  extractShellCommandString,
+  extractWrappedCommand,
+  fetchGrantToken,
+  fetchRegistry,
+  findAdapter,
+  findConflictingAdapters,
+  findExistingGrant,
   getAgentAuthenticateEndpoint,
   getAgentChallengeEndpoint,
   getAuthToken,
   getDelegationsEndpoint,
   getGrantsEndpoint,
   getIdpUrl,
+  getInstalledDigest,
+  installAdapter,
+  isInstalled,
+  loadAdapter,
   loadAuth,
   loadConfig,
+  loadOrInstallAdapter,
+  parseShellCommand,
+  removeAdapter,
+  resolveCapabilityRequest,
+  resolveCommand,
   saveAuth,
-  saveConfig
-} from "./chunk-KXESKY4X.js";
+  saveConfig,
+  searchAdapters,
+  verifyAndExecute,
+  waitForGrantStatus
+} from "./chunk-G3Q2TMAI.js";
 
 // src/cli.ts
-import consola22 from "consola";
-import { defineCommand as defineCommand25, runMain } from "citty";
+import consola25 from "consola";
+
+// src/ape-shell.ts
+import path from "path";
+function rewriteApeShellArgs(argv) {
+  const invokedAs = path.basename(argv[1] ?? "");
+  if (invokedAs !== "ape-shell" && invokedAs !== "ape-shell.js")
+    return null;
+  const shellArgs = argv.slice(2);
+  if (shellArgs[0] === "-c" && shellArgs.length > 1) {
+    return { action: "rewrite", argv: [argv[0], argv[1], "run", "--shell", "--", "bash", "-c", ...shellArgs.slice(1)] };
+  }
+  if (shellArgs[0] === "--version")
+    return { action: "version" };
+  if (shellArgs[0] === "--help" || shellArgs[0] === "-h")
+    return { action: "help" };
+  return { action: "error" };
+}
+
+// src/cli.ts
+import { defineCommand as defineCommand31, runMain } from "citty";
 
 // src/commands/auth/login.ts
 import { Buffer } from "buffer";
@@ -57,8 +100,7 @@ var loginCommand = defineCommand({
     const config = loadConfig();
     const idp = args.idp || process.env.APES_IDP || process.env.GRAPES_IDP || config.defaults?.idp;
     if (!idp) {
-      consola.error("IdP URL required. Use --idp <url> or set APES_IDP.");
-      return process.exit(1);
+      throw new CliError("IdP URL required. Use --idp <url> or set APES_IDP.");
     }
     if (args.key) {
       await loginWithKey(idp, args.key, args.email);
@@ -87,7 +129,7 @@ async function loginWithPKCE(idp) {
   authUrl.searchParams.set("state", state);
   authUrl.searchParams.set("nonce", nonce);
   authUrl.searchParams.set("scope", "openid email profile offline_access");
-  const code = await new Promise((resolve2, reject) => {
+  const code = await new Promise((resolve3, reject) => {
     const server = createServer((req, res) => {
       const url = new URL(req.url, `http://localhost:${CALLBACK_PORT}`);
       if (url.pathname === "/callback") {
@@ -104,7 +146,7 @@ async function loginWithPKCE(idp) {
           res.writeHead(200, { "Content-Type": "text/html" });
           res.end("<h1>Login successful!</h1><p>You can close this window.</p>");
           server.close();
-          resolve2(authCode);
+          resolve3(authCode);
           return;
         }
         res.writeHead(400);
@@ -137,14 +179,12 @@ async function loginWithPKCE(idp) {
   });
   if (!tokenResponse.ok) {
     const text = await tokenResponse.text();
-    consola.error(`Token exchange failed: ${text}`);
-    return process.exit(1);
+    throw new CliError(`Token exchange failed: ${text}`);
   }
   const tokens = await tokenResponse.json();
   const accessToken = tokens.access_token || tokens.id_token || tokens.assertion;
   if (!accessToken) {
-    consola.error("No access token received");
-    return process.exit(1);
+    throw new CliError("No access token received");
   }
   const payload = JSON.parse(atob(accessToken.split(".")[1]));
   saveAuth({
@@ -157,13 +197,12 @@ async function loginWithPKCE(idp) {
   consola.success(`Logged in as ${payload.email || payload.sub}`);
 }
 async function loginWithKey(idp, keyPath, email) {
-  const { readFileSync: readFileSync2 } = await import("fs");
+  const { readFileSync: readFileSync4 } = await import("fs");
   const { sign: sign2 } = await import("crypto");
   const { loadEd25519PrivateKey: loadEd25519PrivateKey2 } = await import("./ssh-key-Q7KG4K25.js");
   const agentEmail = email;
   if (!agentEmail) {
-    consola.error("Agent email required for key-based login. Use --email <agent-email>");
-    return process.exit(1);
+    throw new CliError("Agent email required for key-based login. Use --email <agent-email>");
   }
   const challengeUrl = await getAgentChallengeEndpoint(idp);
   const challengeResp = await fetch(challengeUrl, {
@@ -172,11 +211,10 @@ async function loginWithKey(idp, keyPath, email) {
     body: JSON.stringify({ agent_id: agentEmail })
   });
   if (!challengeResp.ok) {
-    consola.error(`Challenge failed: ${await challengeResp.text()}`);
-    return process.exit(1);
+    throw new CliError(`Challenge failed: ${await challengeResp.text()}`);
   }
   const { challenge } = await challengeResp.json();
-  const keyContent = readFileSync2(keyPath, "utf-8");
+  const keyContent = readFileSync4(keyPath, "utf-8");
   const privateKey = loadEd25519PrivateKey2(keyContent);
   const signature = sign2(null, Buffer.from(challenge), privateKey).toString("base64");
   const authenticateUrl = await getAgentAuthenticateEndpoint(idp);
@@ -190,8 +228,7 @@ async function loginWithKey(idp, keyPath, email) {
     })
   });
   if (!authResp.ok) {
-    consola.error(`Authentication failed: ${await authResp.text()}`);
-    return process.exit(1);
+    throw new CliError(`Authentication failed: ${await authResp.text()}`);
   }
   const { token, expires_in } = await authResp.json();
   saveAuth({
@@ -200,7 +237,7 @@ async function loginWithKey(idp, keyPath, email) {
     email: agentEmail,
     expires_at: Math.floor(Date.now() / 1e3) + (expires_in || 3600)
   });
-  consola.success(`Logged in as ${agentEmail} (agent)`);
+  consola.success(`Logged in as ${agentEmail}`);
 }
 
 // src/commands/auth/logout.ts
@@ -228,8 +265,7 @@ var whoamiCommand = defineCommand3({
   run() {
     const auth = loadAuth();
     if (!auth) {
-      consola3.error("Not logged in. Run `apes login` first.");
-      return process.exit(1);
+      throw new CliError("Not logged in. Run `apes login` first.");
     }
     const isAgent = auth.email.includes("agent+");
     const expiresAt = new Date(auth.expires_at * 1e3).toISOString();
@@ -275,8 +311,7 @@ var listCommand = defineCommand4({
   async run({ args }) {
     const idp = getIdpUrl();
     if (!idp) {
-      consola4.error("No IdP URL configured. Run `apes login` first or pass --idp.");
-      return process.exit(1);
+      throw new CliError("No IdP URL configured. Run `apes login` first or pass --idp.");
     }
     const auth = loadAuth();
     const grantsUrl = await getGrantsEndpoint(idp);
@@ -335,13 +370,11 @@ var inboxCommand = defineCommand5({
   async run({ args }) {
     const idp = getIdpUrl();
     if (!idp) {
-      consola5.error("No IdP URL configured. Run `apes login` first.");
-      return process.exit(1);
+      throw new CliError("No IdP URL configured. Run `apes login` first.");
     }
     const auth = loadAuth();
     if (!auth) {
-      consola5.error("Not logged in. Run `apes login` first.");
-      return process.exit(1);
+      throw new CliError("Not logged in. Run `apes login` first.");
     }
     const grantsUrl = await getGrantsEndpoint(idp);
     const params = new URLSearchParams();
@@ -477,8 +510,7 @@ var requestCommand = defineCommand7({
   async run({ args }) {
     const auth = loadAuth();
     if (!auth) {
-      consola6.error("Not logged in. Run `apes login` first.");
-      return process.exit(1);
+      throw new CliError("Not logged in. Run `apes login` first.");
     }
     const idp = getIdpUrl();
     const grantsUrl = await getGrantsEndpoint(idp);
@@ -516,22 +548,18 @@ async function waitForApproval(grantsUrl, grantId) {
       return;
     }
     if (grant.status === "denied") {
-      consola6.error("Grant denied.");
-      return process.exit(1);
+      throw new CliError("Grant denied.");
     }
     if (grant.status === "revoked") {
-      consola6.error("Grant revoked.");
-      return process.exit(1);
+      throw new CliError("Grant revoked.");
     }
     await new Promise((r) => setTimeout(r, interval));
   }
-  consola6.error("Timed out waiting for approval.");
-  return process.exit(1);
+  throw new CliError("Timed out waiting for approval.");
 }
 
 // src/commands/grants/request-capability.ts
 import { hostname as hostname2 } from "os";
-import { buildStructuredCliGrantRequest, loadAdapter, resolveCapabilityRequest } from "@openape/shapes";
 import { defineCommand as defineCommand8 } from "citty";
 import consola7 from "consola";
 function parseCapabilityArgs(rawArgs) {
@@ -644,17 +672,14 @@ async function waitForApproval2(grantsUrl, grantId) {
       return;
     }
     if (grant.status === "denied") {
-      consola7.error("Grant denied.");
-      process.exit(1);
+      throw new CliError("Grant denied.");
     }
     if (grant.status === "revoked") {
-      consola7.error("Grant revoked.");
-      process.exit(1);
+      throw new CliError("Grant revoked.");
     }
-    await new Promise((resolve2) => setTimeout(resolve2, interval));
+    await new Promise((resolve3) => setTimeout(resolve3, interval));
   }
-  consola7.error("Timed out waiting for approval.");
-  process.exit(1);
+  throw new CliError("Timed out waiting for approval.");
 }
 var requestCapabilityCommand = defineCommand8({
   meta: {
@@ -713,14 +738,12 @@ var requestCapabilityCommand = defineCommand8({
   async run({ rawArgs }) {
     const auth = loadAuth();
     if (!auth) {
-      consola7.error("Not logged in. Run `apes login` first.");
-      return process.exit(1);
+      throw new CliError("Not logged in. Run `apes login` first.");
     }
     const parsed = parseCapabilityArgs(rawArgs);
     const idp = getIdpUrl(parsed.idp);
     if (!idp) {
-      consola7.error("No IdP URL configured. Use --idp or log in first.");
-      return process.exit(1);
+      throw new CliError("No IdP URL configured. Use --idp or log in first.");
     }
     const loaded = loadAdapter(parsed.cliId, parsed.adapter);
     const resolved = resolveCapabilityRequest(loaded, {
@@ -822,6 +845,11 @@ var revokeCommand = defineCommand11({
       type: "boolean",
       description: "Revoke all own pending grants",
       default: false
+    },
+    debug: {
+      type: "boolean",
+      description: "Print debug information (does not include full tokens)",
+      default: false
     }
   },
   async run({ args }) {
@@ -829,25 +857,28 @@ var revokeCommand = defineCommand11({
     const token = getAuthToken();
     const idp = getIdpUrl();
     const grantsUrl = await getGrantsEndpoint(idp);
-    if (process.argv.includes("--debug")) {
+    if (args.debug) {
       consola10.debug(`idp: ${idp}`);
       consola10.debug(`grantsUrl: ${grantsUrl}`);
       consola10.debug(`auth.email: ${auth?.email}`);
       consola10.debug(`auth.expires_at: ${auth?.expires_at} (now: ${Math.floor(Date.now() / 1e3)})`);
       consola10.debug(`getAuthToken(): ${token ? `${token.substring(0, 20)}...` : "NULL"}`);
     }
+    if (!auth || !token) {
+      throw new CliError("Authentication required. Run `apes login` and try again.");
+    }
     const explicitIds = args.id ? [String(args.id), ...args._].filter(Boolean) : [];
     if (args.allPending && explicitIds.length > 0) {
-      consola10.error("Use either --all-pending or grant IDs, not both.");
-      return process.exit(1);
+      throw new CliError("Use either --all-pending or grant IDs, not both.");
     }
     let ids;
     if (args.allPending) {
       const auth2 = loadAuth();
       const response = await apiFetch(
-        `${grantsUrl}?status=pending&limit=100`
+        `${grantsUrl}?status=pending&limit=100`,
+        { token }
       );
-      const ownPending = auth2?.email ? response.data.filter((g) => g.requester === auth2.email) : response.data;
+      const ownPending = auth2?.email ? response.data.filter((g) => g.request?.requester === auth2.email) : response.data;
       if (ownPending.length === 0) {
         consola10.info("No pending grants to revoke.");
         return;
@@ -857,18 +888,17 @@ var revokeCommand = defineCommand11({
     } else if (explicitIds.length > 0) {
       ids = explicitIds;
     } else {
-      consola10.error("Provide grant ID(s) or use --all-pending.");
-      return process.exit(1);
+      throw new CliError("Provide grant ID(s) or use --all-pending.");
     }
     if (ids.length === 1) {
-      await apiFetch(`${grantsUrl}/${ids[0]}/revoke`, { method: "POST", token: token || void 0 });
+      await apiFetch(`${grantsUrl}/${ids[0]}/revoke`, { method: "POST", token });
       consola10.success(`Grant ${ids[0]} revoked.`);
       return;
     }
     const operations = ids.map((id) => ({ id, action: "revoke" }));
     const { results } = await apiFetch(
       `${grantsUrl}/batch`,
-      { method: "POST", body: { operations }, token: token || void 0 }
+      { method: "POST", body: { operations }, token }
     );
     let succeeded = 0;
     for (const r of results) {
@@ -880,8 +910,7 @@ var revokeCommand = defineCommand11({
       }
     }
     if (succeeded < results.length) {
-      consola10.info(`Revoked ${succeeded} of ${results.length} grants.`);
-      process.exit(1);
+      throw new CliError(`Revoked ${succeeded} of ${results.length} grants.`);
     } else {
       consola10.success(`All ${succeeded} grants revoked.`);
     }
@@ -890,7 +919,6 @@ var revokeCommand = defineCommand11({
 
 // src/commands/grants/token.ts
 import { defineCommand as defineCommand12 } from "citty";
-import consola11 from "consola";
 var tokenCommand = defineCommand12({
   meta: {
     name: "token",
@@ -910,8 +938,7 @@ var tokenCommand = defineCommand12({
       method: "POST"
     });
     if (!result.authz_jwt) {
-      consola11.error("No token received. Grant may not be approved.");
-      return process.exit(1);
+      throw new CliError("No token received. Grant may not be approved.");
     }
     process.stdout.write(result.authz_jwt);
   }
@@ -919,7 +946,7 @@ var tokenCommand = defineCommand12({
 
 // src/commands/grants/delegate.ts
 import { defineCommand as defineCommand13 } from "citty";
-import consola12 from "consola";
+import consola11 from "consola";
 var delegateCommand = defineCommand13({
   meta: {
     name: "delegate",
@@ -953,8 +980,7 @@ var delegateCommand = defineCommand13({
   async run({ args }) {
     const auth = loadAuth();
     if (!auth) {
-      consola12.error("Not logged in. Run `apes login` first.");
-      return process.exit(1);
+      throw new CliError("Not logged in. Run `apes login` first.");
     }
     const idp = getIdpUrl();
     const delegationsUrl = await getDelegationsEndpoint(idp);
@@ -973,7 +999,7 @@ var delegateCommand = defineCommand13({
       method: "POST",
       body
     });
-    consola12.success(`Delegation created: ${result.id}`);
+    consola11.success(`Delegation created: ${result.id}`);
     console.log(`  Delegate: ${args.to}`);
     console.log(`  Audience: ${args.at}`);
     if (args.scopes)
@@ -986,7 +1012,7 @@ var delegateCommand = defineCommand13({
 
 // src/commands/grants/delegations.ts
 import { defineCommand as defineCommand14 } from "citty";
-import consola13 from "consola";
+import consola12 from "consola";
 var delegationsCommand = defineCommand14({
   meta: {
     name: "delegations",
@@ -1002,13 +1028,14 @@ var delegationsCommand = defineCommand14({
   async run({ args }) {
     const idp = getIdpUrl();
     const delegationsUrl = await getDelegationsEndpoint(idp);
-    const delegations = await apiFetch(delegationsUrl);
+    const response = await apiFetch(delegationsUrl);
+    const delegations = Array.isArray(response) ? response : response.data;
     if (args.json) {
       console.log(JSON.stringify(delegations, null, 2));
       return;
     }
     if (delegations.length === 0) {
-      consola13.info("No delegations found.");
+      consola12.info("No delegations found.");
       return;
     }
     for (const d of delegations) {
@@ -1019,27 +1046,345 @@ var delegationsCommand = defineCommand14({
   }
 });
 
-// src/commands/adapter/index.ts
+// src/commands/grants/delegation-revoke.ts
 import { defineCommand as defineCommand15 } from "citty";
+import consola13 from "consola";
+var delegationRevokeCommand = defineCommand15({
+  meta: {
+    name: "delegation-revoke",
+    description: "Revoke a delegation"
+  },
+  args: {
+    id: {
+      type: "positional",
+      description: "Delegation ID to revoke",
+      required: true
+    }
+  },
+  async run({ args }) {
+    const idp = getIdpUrl();
+    if (!idp) {
+      throw new CliError("No IdP URL configured. Run `apes login` first or pass --idp.");
+    }
+    const delegationsUrl = await getDelegationsEndpoint(idp);
+    const id = String(args.id);
+    const result = await apiFetch(
+      `${delegationsUrl}/${id}`,
+      { method: "DELETE" }
+    );
+    consola13.success(`Delegation ${result.id} revoked.`);
+  }
+});
+
+// src/commands/admin/index.ts
+import { defineCommand as defineCommand18 } from "citty";
+
+// src/commands/admin/users.ts
+import { defineCommand as defineCommand16 } from "citty";
 import consola14 from "consola";
-import {
-  fetchRegistry,
-  findAdapter,
-  findConflictingAdapters,
-  getInstalledDigest,
-  installAdapter,
-  isInstalled,
-  loadAdapter as loadAdapter2,
-  removeAdapter,
-  searchAdapters
-} from "@openape/shapes";
-var adapterCommand = defineCommand15({
+function getManagementToken() {
+  const token = process.env.APES_MANAGEMENT_TOKEN;
+  if (!token) {
+    throw new CliError("Management token required. Set APES_MANAGEMENT_TOKEN environment variable.");
+  }
+  return token;
+}
+var usersListCommand = defineCommand16({
+  meta: {
+    name: "list",
+    description: "List all users"
+  },
+  args: {
+    json: {
+      type: "boolean",
+      description: "Output as JSON",
+      default: false
+    },
+    limit: {
+      type: "string",
+      description: "Max number of users to return (1-100, default 50)"
+    },
+    cursor: {
+      type: "string",
+      description: "Pagination cursor (email of last item from previous page)"
+    },
+    search: {
+      type: "string",
+      description: "Filter by email or name (case-insensitive)"
+    }
+  },
+  async run({ args }) {
+    const idp = getIdpUrl();
+    if (!idp) {
+      throw new CliError("No IdP URL configured. Run `apes login` first or pass --idp.");
+    }
+    const token = getManagementToken();
+    const params = new URLSearchParams();
+    if (args.limit) params.set("limit", args.limit);
+    if (args.cursor) params.set("cursor", args.cursor);
+    if (args.search) params.set("search", args.search);
+    const qs = params.toString();
+    const url = qs ? `${idp}/api/admin/users?${qs}` : `${idp}/api/admin/users`;
+    const result = await apiFetch(url, { token });
+    if (args.json) {
+      console.log(JSON.stringify(result, null, 2));
+      return;
+    }
+    if (result.data.length === 0) {
+      consola14.info("No users found.");
+      return;
+    }
+    for (const u of result.data) {
+      const owner = u.owner ? ` (agent of ${u.owner})` : "";
+      const active = u.isActive ? "" : " [inactive]";
+      console.log(`${u.email}  ${u.name}${owner}${active}`);
+    }
+    if (result.pagination.has_more) {
+      consola14.info(`More results available. Use --cursor="${result.pagination.cursor}" to see next page.`);
+    }
+  }
+});
+var usersCreateCommand = defineCommand16({
+  meta: {
+    name: "create",
+    description: "Create a user"
+  },
+  args: {
+    email: {
+      type: "string",
+      description: "User email",
+      required: true
+    },
+    name: {
+      type: "string",
+      description: "User name",
+      required: true
+    }
+  },
+  async run({ args }) {
+    const idp = getIdpUrl();
+    if (!idp) {
+      throw new CliError("No IdP URL configured. Run `apes login` first or pass --idp.");
+    }
+    const token = getManagementToken();
+    const result = await apiFetch(
+      `${idp}/api/admin/users`,
+      {
+        method: "POST",
+        body: { email: args.email, name: args.name },
+        token
+      }
+    );
+    consola14.success(`User created: ${result.email} (${result.name})`);
+  }
+});
+var usersDeleteCommand = defineCommand16({
+  meta: {
+    name: "delete",
+    description: "Delete a user"
+  },
+  args: {
+    email: {
+      type: "positional",
+      description: "User email",
+      required: true
+    }
+  },
+  async run({ args }) {
+    const idp = getIdpUrl();
+    if (!idp) {
+      throw new CliError("No IdP URL configured. Run `apes login` first or pass --idp.");
+    }
+    const token = getManagementToken();
+    const email = String(args.email);
+    await apiFetch(`${idp}/api/admin/users/${encodeURIComponent(email)}`, {
+      method: "DELETE",
+      token
+    });
+    consola14.success(`User deleted: ${email}`);
+  }
+});
+
+// src/commands/admin/ssh-keys.ts
+import { existsSync, readFileSync } from "fs";
+import { resolve } from "path";
+import { homedir } from "os";
+import { defineCommand as defineCommand17 } from "citty";
+import consola15 from "consola";
+function getManagementToken2() {
+  const token = process.env.APES_MANAGEMENT_TOKEN;
+  if (!token) {
+    throw new CliError("Management token required. Set APES_MANAGEMENT_TOKEN environment variable.");
+  }
+  return token;
+}
+var sshKeysListCommand = defineCommand17({
+  meta: {
+    name: "list",
+    description: "List SSH keys for a user"
+  },
+  args: {
+    email: {
+      type: "positional",
+      description: "User email",
+      required: true
+    },
+    json: {
+      type: "boolean",
+      description: "Output as JSON",
+      default: false
+    }
+  },
+  async run({ args }) {
+    const idp = getIdpUrl();
+    if (!idp) {
+      throw new CliError("No IdP URL configured. Run `apes login` first or pass --idp.");
+    }
+    const token = getManagementToken2();
+    const email = String(args.email);
+    const keys = await apiFetch(
+      `${idp}/api/admin/users/${encodeURIComponent(email)}/ssh-keys`,
+      { token }
+    );
+    if (args.json) {
+      console.log(JSON.stringify(keys, null, 2));
+      return;
+    }
+    if (keys.length === 0) {
+      consola15.info(`No SSH keys found for ${email}.`);
+      return;
+    }
+    for (const k of keys) {
+      console.log(`${k.keyId}  ${k.name}  ${k.publicKey.substring(0, 40)}...`);
+    }
+  }
+});
+var sshKeysAddCommand = defineCommand17({
+  meta: {
+    name: "add",
+    description: "Add an SSH key for a user"
+  },
+  args: {
+    email: {
+      type: "string",
+      description: "User email",
+      required: true
+    },
+    key: {
+      type: "string",
+      description: "Path to public key file or key string",
+      required: true
+    },
+    name: {
+      type: "string",
+      description: "Key name/label"
+    }
+  },
+  async run({ args }) {
+    const idp = getIdpUrl();
+    if (!idp) {
+      throw new CliError("No IdP URL configured. Run `apes login` first or pass --idp.");
+    }
+    const token = getManagementToken2();
+    let publicKey = args.key;
+    const resolved = resolve(args.key.replace(/^~/, homedir()));
+    if (existsSync(resolved)) {
+      publicKey = readFileSync(resolved, "utf-8").trim();
+    }
+    const body = { publicKey };
+    if (args.name) {
+      body.name = args.name;
+    }
+    const result = await apiFetch(
+      `${idp}/api/admin/users/${encodeURIComponent(args.email)}/ssh-keys`,
+      {
+        method: "POST",
+        body,
+        token
+      }
+    );
+    consola15.success(`SSH key added: ${result.keyId} (${result.name})`);
+  }
+});
+var sshKeysDeleteCommand = defineCommand17({
+  meta: {
+    name: "delete",
+    description: "Delete an SSH key"
+  },
+  args: {
+    email: {
+      type: "string",
+      description: "User email",
+      required: true
+    },
+    keyId: {
+      type: "positional",
+      description: "Key ID",
+      required: true
+    }
+  },
+  async run({ args }) {
+    const idp = getIdpUrl();
+    if (!idp) {
+      throw new CliError("No IdP URL configured. Run `apes login` first or pass --idp.");
+    }
+    const token = getManagementToken2();
+    const keyId = String(args.keyId);
+    await apiFetch(
+      `${idp}/api/admin/users/${encodeURIComponent(args.email)}/ssh-keys/${keyId}`,
+      {
+        method: "DELETE",
+        token
+      }
+    );
+    consola15.success(`SSH key deleted: ${keyId}`);
+  }
+});
+
+// src/commands/admin/index.ts
+var usersCommand = defineCommand18({
+  meta: {
+    name: "users",
+    description: "Manage users"
+  },
+  subCommands: {
+    list: usersListCommand,
+    create: usersCreateCommand,
+    delete: usersDeleteCommand
+  }
+});
+var sshKeysCommand = defineCommand18({
+  meta: {
+    name: "ssh-keys",
+    description: "Manage SSH keys"
+  },
+  subCommands: {
+    list: sshKeysListCommand,
+    add: sshKeysAddCommand,
+    delete: sshKeysDeleteCommand
+  }
+});
+var adminCommand = defineCommand18({
+  meta: {
+    name: "admin",
+    description: "Admin commands (requires APES_MANAGEMENT_TOKEN)"
+  },
+  subCommands: {
+    users: usersCommand,
+    "ssh-keys": sshKeysCommand
+  }
+});
+
+// src/commands/adapter/index.ts
+import { defineCommand as defineCommand19 } from "citty";
+import consola16 from "consola";
+var adapterCommand = defineCommand19({
   meta: {
     name: "adapter",
     description: "Manage CLI adapters"
   },
   subCommands: {
-    list: defineCommand15({
+    list: defineCommand19({
       meta: {
         name: "list",
         description: "List available adapters"
@@ -1070,7 +1415,7 @@ var adapterCommand = defineCommand15({
 `);
             return;
           }
-          consola14.info(`Registry: ${index2.adapters.length} adapters (${index2.generated_at})`);
+          consola16.info(`Registry: ${index2.adapters.length} adapters (${index2.generated_at})`);
           for (const a of index2.adapters) {
             const installed = isInstalled(a.id, false) ? " [installed]" : "";
             console.log(`  ${a.id.padEnd(12)} ${a.name.padEnd(24)} ${a.category}${installed}`);
@@ -1081,7 +1426,7 @@ var adapterCommand = defineCommand15({
         const local = [];
         for (const a of index.adapters) {
           try {
-            const loaded = loadAdapter2(a.id);
+            const loaded = loadAdapter(a.id);
             local.push({ id: a.id, source: loaded.source, digest: loaded.digest });
           } catch {
           }
@@ -1092,7 +1437,7 @@ var adapterCommand = defineCommand15({
           return;
         }
         if (local.length === 0) {
-          consola14.info("No adapters installed. Use `apes adapter list --remote` to see available adapters.");
+          consola16.info("No adapters installed. Use `apes adapter list --remote` to see available adapters.");
           return;
         }
         for (const a of local) {
@@ -1100,7 +1445,7 @@ var adapterCommand = defineCommand15({
         }
       }
     }),
-    install: defineCommand15({
+    install: defineCommand19({
       meta: {
         name: "install",
         description: "Install an adapter from the registry"
@@ -1129,24 +1474,24 @@ var adapterCommand = defineCommand15({
         for (const id of ids) {
           const entry = findAdapter(index, id);
           if (!entry) {
-            consola14.error(`Adapter "${id}" not found in registry. Use \`apes adapter search ${id}\` to search.`);
+            consola16.error(`Adapter "${id}" not found in registry. Use \`apes adapter search ${id}\` to search.`);
             continue;
           }
           const conflicts = findConflictingAdapters(entry.executable, id);
           if (conflicts.length > 0) {
             for (const c of conflicts) {
-              consola14.warn(`Conflicting adapter found: ${c.path} (id: ${c.adapterId}, executable: ${c.executable})`);
-              consola14.warn(`  Remove it with: apes adapter remove ${c.adapterId}`);
+              consola16.warn(`Conflicting adapter found: ${c.path} (id: ${c.adapterId}, executable: ${c.executable})`);
+              consola16.warn(`  Remove it with: apes adapter remove ${c.adapterId}`);
             }
           }
           const result = await installAdapter(entry, { local });
           const verb = result.updated ? "Updated" : "Installed";
-          consola14.success(`${verb} ${result.id} \u2192 ${result.path}`);
-          consola14.info(`Digest: ${result.digest}`);
+          consola16.success(`${verb} ${result.id} \u2192 ${result.path}`);
+          consola16.info(`Digest: ${result.digest}`);
         }
       }
     }),
-    remove: defineCommand15({
+    remove: defineCommand19({
       meta: {
         name: "remove",
         description: "Remove an installed adapter"
@@ -1169,17 +1514,17 @@ var adapterCommand = defineCommand15({
         let failed = false;
         for (const id of ids) {
           if (removeAdapter(id, local)) {
-            consola14.success(`Removed adapter: ${id}`);
+            consola16.success(`Removed adapter: ${id}`);
           } else {
-            consola14.error(`Adapter "${id}" is not installed${local ? " locally" : ""}`);
+            consola16.error(`Adapter "${id}" is not installed${local ? " locally" : ""}`);
             failed = true;
           }
         }
         if (failed)
-          process.exit(1);
+          throw new CliError("Some adapters could not be removed");
       }
     }),
-    info: defineCommand15({
+    info: defineCommand19({
       meta: {
         name: "info",
         description: "Show detailed adapter information"
@@ -1221,7 +1566,7 @@ var adapterCommand = defineCommand15({
         }
       }
     }),
-    search: defineCommand15({
+    search: defineCommand19({
       meta: {
         name: "search",
         description: "Search adapters in the registry"
@@ -1253,7 +1598,7 @@ var adapterCommand = defineCommand15({
           return;
         }
         if (results.length === 0) {
-          consola14.info(`No adapters matching "${query}"`);
+          consola16.info(`No adapters matching "${query}"`);
           return;
         }
         for (const a of results) {
@@ -1262,7 +1607,7 @@ var adapterCommand = defineCommand15({
         }
       }
     }),
-    update: defineCommand15({
+    update: defineCommand19({
       meta: {
         name: "update",
         description: "Update installed adapters"
@@ -1288,33 +1633,33 @@ var adapterCommand = defineCommand15({
         const targetId = args.id ? String(args.id) : void 0;
         const targets = targetId ? [targetId] : index.adapters.map((a) => a.id).filter((id) => isInstalled(id, false));
         if (targets.length === 0) {
-          consola14.info("No adapters installed to update.");
+          consola16.info("No adapters installed to update.");
           return;
         }
         for (const id of targets) {
           const entry = findAdapter(index, id);
           if (!entry) {
-            consola14.warn(`${id}: not found in registry, skipping`);
+            consola16.warn(`${id}: not found in registry, skipping`);
             continue;
           }
           const localDigest = getInstalledDigest(id, false);
           if (localDigest === entry.digest) {
-            consola14.info(`${id}: already up to date`);
+            consola16.info(`${id}: already up to date`);
             continue;
           }
           if (localDigest && !args.yes) {
-            consola14.warn(`${id}: digest will change \u2014 existing grants for this adapter will be invalidated`);
-            consola14.info(`  Old: ${localDigest}`);
-            consola14.info(`  New: ${entry.digest}`);
-            consola14.info("  Use --yes to confirm");
+            consola16.warn(`${id}: digest will change \u2014 existing grants for this adapter will be invalidated`);
+            consola16.info(`  Old: ${localDigest}`);
+            consola16.info(`  New: ${entry.digest}`);
+            consola16.info("  Use --yes to confirm");
             continue;
           }
           const result = await installAdapter(entry);
-          consola14.success(`Updated ${result.id} \u2192 ${result.path}`);
+          consola16.success(`Updated ${result.id} \u2192 ${result.path}`);
         }
       }
     }),
-    verify: defineCommand15({
+    verify: defineCommand19({
       meta: {
         name: "verify",
         description: "Verify installed adapter against registry digest"
@@ -1347,12 +1692,11 @@ var adapterCommand = defineCommand15({
         if (!localDigest)
           throw new Error(`Adapter "${id}" is not installed${local ? " locally" : ""}`);
         if (localDigest === entry.digest) {
-          consola14.success(`${id}: digest matches registry`);
+          consola16.success(`${id}: digest matches registry`);
         } else {
-          consola14.error(`${id}: digest mismatch`);
           console.log(`  Local:    ${localDigest}`);
           console.log(`  Registry: ${entry.digest}`);
-          process.exit(1);
+          throw new CliError(`${id}: digest mismatch`);
         }
       }
     })
@@ -1362,20 +1706,9 @@ var adapterCommand = defineCommand15({
 // src/commands/run.ts
 import { execFileSync } from "child_process";
 import { hostname as hostname3 } from "os";
-import { defineCommand as defineCommand16 } from "citty";
-import {
-  createShapesGrant,
-  extractOption,
-  extractWrappedCommand,
-  fetchGrantToken,
-  findExistingGrant,
-  loadAdapter as loadAdapter3,
-  resolveCommand,
-  verifyAndExecute,
-  waitForGrantStatus
-} from "@openape/shapes";
-import consola15 from "consola";
-var runCommand = defineCommand16({
+import { defineCommand as defineCommand20 } from "citty";
+import consola17 from "consola";
+var runCommand = defineCommand20({
   meta: {
     name: "run",
     description: "Execute a grant-secured command"
@@ -1411,6 +1744,11 @@ var runCommand = defineCommand16({
       type: "string",
       description: "IdP URL"
     },
+    "shell": {
+      type: "boolean",
+      description: "Shell mode: use session grant with audience ape-shell",
+      default: false
+    },
     "_": {
       type: "positional",
       description: "Command to execute (after --)",
@@ -1419,6 +1757,10 @@ var runCommand = defineCommand16({
   },
   async run({ rawArgs, args }) {
     const wrappedCommand = extractWrappedCommand(rawArgs ?? []);
+    if (args.shell && wrappedCommand.length > 0) {
+      await runShellMode(wrappedCommand, args);
+      return;
+    }
     if (wrappedCommand.length > 0) {
       await runAdapterMode(wrappedCommand, rawArgs ?? [], args);
     } else {
@@ -1429,6 +1771,113 @@ var runCommand = defineCommand16({
     }
   }
 });
+async function runShellMode(command, args) {
+  const auth = loadAuth();
+  if (!auth)
+    throw new CliError("Not logged in. Run `apes login` first.");
+  const idp = getIdpUrl(args.idp);
+  if (!idp)
+    throw new CliError("No IdP URL configured. Run `apes login` first or pass --idp.");
+  const adapterHandled = await tryAdapterModeFromShell(command, idp, args);
+  if (adapterHandled) return;
+  const grantsUrl = await getGrantsEndpoint(idp);
+  const targetHost = args.host || hostname3();
+  try {
+    const grants = await apiFetch(
+      `${grantsUrl}?requester=${encodeURIComponent(auth.email)}&status=approved&limit=20`
+    );
+    const sessionGrant = grants.data.find(
+      (g) => g.request.audience === "ape-shell" && g.request.target_host === targetHost && g.request.grant_type !== "once"
+    );
+    if (sessionGrant) {
+      execShellCommand(command);
+      return;
+    }
+  } catch {
+  }
+  consola17.info(`Requesting ape-shell session grant on ${targetHost}`);
+  const grant = await apiFetch(grantsUrl, {
+    method: "POST",
+    body: {
+      requester: auth.email,
+      target_host: targetHost,
+      audience: "ape-shell",
+      grant_type: "once",
+      command: command.slice(0, 3),
+      reason: `Shell session: ${command.join(" ").slice(0, 100)}`
+    }
+  });
+  consola17.info(`Grant requested: ${grant.id}`);
+  consola17.info("Waiting for approval...");
+  const maxWait = 3e5;
+  const interval = 3e3;
+  const start = Date.now();
+  while (Date.now() - start < maxWait) {
+    const status = await apiFetch(`${grantsUrl}/${grant.id}`);
+    if (status.status === "approved")
+      break;
+    if (status.status === "denied" || status.status === "revoked")
+      throw new CliError(`Grant ${status.status}.`);
+    await new Promise((r) => setTimeout(r, interval));
+  }
+  execShellCommand(command);
+}
+async function tryAdapterModeFromShell(command, idp, args) {
+  const cmdString = extractShellCommandString(command);
+  if (!cmdString) return false;
+  const parsed = parseShellCommand(cmdString);
+  if (!parsed) return false;
+  if (parsed.isCompound) return false;
+  const loaded = await loadOrInstallAdapter(parsed.executable);
+  if (!loaded) return false;
+  let resolved;
+  try {
+    resolved = await resolveCommand(loaded, [parsed.executable, ...parsed.argv]);
+  } catch (err) {
+    consola17.debug(`ape-shell: adapter resolve failed for "${parsed.raw}":`, err);
+    return false;
+  }
+  try {
+    const existingGrantId = await findExistingGrant(resolved, idp);
+    if (existingGrantId) {
+      consola17.info(`Reusing grant ${existingGrantId} for: ${resolved.detail.display}`);
+      const token2 = await fetchGrantToken(idp, existingGrantId);
+      await verifyAndExecute(token2, resolved);
+      return true;
+    }
+  } catch {
+  }
+  const approval = args.approval ?? "once";
+  consola17.info(`Requesting grant for: ${resolved.detail.display}`);
+  const grant = await createShapesGrant(resolved, {
+    idp,
+    approval,
+    reason: args.reason || `ape-shell: ${resolved.detail.display}`
+  });
+  consola17.info(`Grant requested: ${grant.id}`);
+  consola17.info(`Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
+  if (grant.similar_grants?.similar_grants?.length) {
+    const n = grant.similar_grants.similar_grants.length;
+    consola17.info("");
+    consola17.info(`  Similar grant(s) found (${n}). Your approver can extend an existing grant to cover this request.`);
+  }
+  const status = await waitForGrantStatus(idp, grant.id);
+  if (status !== "approved")
+    throw new CliError(`Grant ${status}`);
+  const token = await fetchGrantToken(idp, grant.id);
+  await verifyAndExecute(token, resolved);
+  return true;
+}
+function execShellCommand(command) {
+  if (command.length === 0)
+    throw new CliError("No command to execute");
+  try {
+    execFileSync(command[0], command.slice(1), { stdio: "inherit" });
+  } catch (err) {
+    const exitCode = err.status || 1;
+    throw new CliExit(exitCode);
+  }
+}
 function extractPositionals(rawArgs) {
   const positionals = [];
   const delimiter = rawArgs.indexOf("--");
@@ -1449,14 +1898,18 @@ async function runAdapterMode(command, rawArgs, args) {
   const idp = getIdpUrl(args.idp);
   if (!idp)
     throw new Error("No IdP URL configured. Run `apes login` first or pass --idp.");
+  if (args.as) {
+    await runAudienceMode("escapes", command.join(" "), args);
+    return;
+  }
   const adapterOpt = extractOption(rawArgs, "adapter");
-  const loaded = loadAdapter3(command[0], adapterOpt);
+  const loaded = loadAdapter(command[0], adapterOpt);
   const resolved = await resolveCommand(loaded, command);
   const approval = args.approval ?? "once";
   try {
     const existingGrantId = await findExistingGrant(resolved, idp);
     if (existingGrantId) {
-      consola15.info(`Reusing existing grant: ${existingGrantId}`);
+      consola17.info(`Reusing existing grant: ${existingGrantId}`);
       const token2 = await fetchGrantToken(idp, existingGrantId);
       await verifyAndExecute(token2, resolved);
       return;
@@ -1468,17 +1921,17 @@ async function runAdapterMode(command, rawArgs, args) {
     approval,
     ...args.reason ? { reason: args.reason } : {}
   });
-  consola15.info(`Grant requested: ${grant.id}`);
-  consola15.info(`Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
+  consola17.info(`Grant requested: ${grant.id}`);
+  consola17.info(`Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
   if (grant.similar_grants?.similar_grants?.length) {
     const n = grant.similar_grants.similar_grants.length;
-    consola15.info("");
-    consola15.info(`  Similar grant(s) found (${n}). Your approver can extend an existing grant to cover this request.`);
+    consola17.info("");
+    consola17.info(`  Similar grant(s) found (${n}). Your approver can extend an existing grant to cover this request.`);
     if (grant.similar_grants.widened_details?.length) {
       const wider = grant.similar_grants.widened_details.map((d) => d.permission).join(", ");
-      consola15.info(`  Broader scope: ${wider}`);
+      consola17.info(`  Broader scope: ${wider}`);
     }
-    consola15.info("");
+    consola17.info("");
   }
   const status = await waitForGrantStatus(idp, grant.id);
   if (status !== "approved")
@@ -1489,14 +1942,13 @@ async function runAdapterMode(command, rawArgs, args) {
 async function runAudienceMode(audience, action, args) {
   const auth = loadAuth();
   if (!auth) {
-    consola15.error("Not logged in. Run `apes login` first.");
-    return process.exit(1);
+    throw new CliError("Not logged in. Run `apes login` first.");
   }
   const idp = getIdpUrl(args.idp);
   const grantsUrl = await getGrantsEndpoint(idp);
   const command = action.split(" ");
   const targetHost = args.host || hostname3();
-  consola15.info(`Requesting ${audience} grant on ${targetHost}: ${command.join(" ")}`);
+  consola17.info(`Requesting ${audience} grant on ${targetHost}: ${command.join(" ")}`);
   const grant = await apiFetch(grantsUrl, {
     method: "POST",
     body: {
@@ -1509,36 +1961,35 @@ async function runAudienceMode(audience, action, args) {
       ...args.as ? { run_as: args.as } : {}
     }
   });
-  consola15.success(`Grant requested: ${grant.id}`);
-  consola15.info("Waiting for approval...");
+  consola17.success(`Grant requested: ${grant.id}`);
+  consola17.info("Waiting for approval...");
   const maxWait = 3e5;
   const interval = 3e3;
   const start = Date.now();
   while (Date.now() - start < maxWait) {
     const status = await apiFetch(`${grantsUrl}/${grant.id}`);
     if (status.status === "approved") {
-      consola15.success("Grant approved!");
+      consola17.success("Grant approved!");
       break;
     }
     if (status.status === "denied" || status.status === "revoked") {
-      consola15.error(`Grant ${status.status}.`);
-      return process.exit(1);
+      throw new CliError(`Grant ${status.status}.`);
     }
     await new Promise((r) => setTimeout(r, interval));
   }
-  consola15.info("Fetching grant token...");
+  consola17.info("Fetching grant token...");
   const { authz_jwt } = await apiFetch(`${grantsUrl}/${grant.id}/token`, {
     method: "POST"
   });
   if (audience === "escapes") {
-    consola15.info(`Executing: ${command.join(" ")}`);
+    consola17.info(`Executing: ${command.join(" ")}`);
     try {
       execFileSync(args["escapes-path"] || "escapes", ["--grant", authz_jwt, "--", ...command], {
         stdio: "inherit"
       });
     } catch (err) {
       const exitCode = err.status || 1;
-      process.exit(exitCode);
+      throw new CliExit(exitCode);
     }
   } else {
     process.stdout.write(authz_jwt);
@@ -1546,9 +1997,8 @@ async function runAudienceMode(audience, action, args) {
 }
 
 // src/commands/explain.ts
-import { defineCommand as defineCommand17 } from "citty";
-import { extractOption as extractOption2, extractWrappedCommand as extractWrappedCommand2, loadAdapter as loadAdapter4, resolveCommand as resolveCommand2 } from "@openape/shapes";
-var explainCommand = defineCommand17({
+import { defineCommand as defineCommand21 } from "citty";
+var explainCommand = defineCommand21({
   meta: {
     name: "explain",
     description: "Show what permission a command would need"
@@ -1565,12 +2015,12 @@ var explainCommand = defineCommand17({
     }
   },
   async run({ rawArgs }) {
-    const command = extractWrappedCommand2(rawArgs ?? []);
+    const command = extractWrappedCommand(rawArgs ?? []);
     if (command.length === 0)
       throw new Error("Missing wrapped command. Usage: apes explain [--adapter <file>] -- <cli> ...");
-    const adapterOpt = extractOption2(rawArgs ?? [], "adapter");
-    const loaded = loadAdapter4(command[0], adapterOpt);
-    const resolved = await resolveCommand2(loaded, command);
+    const adapterOpt = extractOption(rawArgs ?? [], "adapter");
+    const loaded = loadAdapter(command[0], adapterOpt);
+    const resolved = await resolveCommand(loaded, command);
     process.stdout.write(`${JSON.stringify({
       adapter: resolved.adapter.cli.id,
       source: resolved.source,
@@ -1586,9 +2036,9 @@ var explainCommand = defineCommand17({
 });
 
 // src/commands/config/get.ts
-import { defineCommand as defineCommand18 } from "citty";
-import consola16 from "consola";
-var configGetCommand = defineCommand18({
+import { defineCommand as defineCommand22 } from "citty";
+import consola18 from "consola";
+var configGetCommand = defineCommand22({
   meta: {
     name: "get",
     description: "Get a configuration value"
@@ -1608,7 +2058,7 @@ var configGetCommand = defineCommand18({
         if (idp)
           console.log(idp);
         else
-          consola16.info("No IdP configured.");
+          consola18.info("No IdP configured.");
         break;
       }
       case "email": {
@@ -1616,7 +2066,7 @@ var configGetCommand = defineCommand18({
         if (auth?.email)
           console.log(auth.email);
         else
-          consola16.info("Not logged in.");
+          consola18.info("Not logged in.");
         break;
       }
       default: {
@@ -1629,11 +2079,10 @@ var configGetCommand = defineCommand18({
           if (sectionObj && field in sectionObj) {
             console.log(sectionObj[field]);
           } else {
-            consola16.info(`Key "${key}" not set.`);
+            consola18.info(`Key "${key}" not set.`);
           }
         } else {
-          consola16.error(`Unknown key: "${key}". Use: idp, email, defaults.idp, defaults.approval, agent.key, agent.email`);
-          process.exit(1);
+          throw new CliError(`Unknown key: "${key}". Use: idp, email, defaults.idp, defaults.approval, agent.key, agent.email`);
         }
       }
     }
@@ -1641,9 +2090,9 @@ var configGetCommand = defineCommand18({
 });
 
 // src/commands/config/set.ts
-import { defineCommand as defineCommand19 } from "citty";
-import consola17 from "consola";
-var configSetCommand = defineCommand19({
+import { defineCommand as defineCommand23 } from "citty";
+import consola19 from "consola";
+var configSetCommand = defineCommand23({
   meta: {
     name: "set",
     description: "Set a configuration value"
@@ -1666,8 +2115,7 @@ var configSetCommand = defineCommand19({
     const config = loadConfig();
     const parts = key.split(".");
     if (parts.length !== 2) {
-      consola17.error(`Invalid key: "${key}". Use: defaults.idp, defaults.approval, agent.key, agent.email`);
-      return process.exit(1);
+      throw new CliError(`Invalid key: "${key}". Use: defaults.idp, defaults.approval, agent.key, agent.email`);
     }
     const [section, field] = parts;
     if (section === "defaults") {
@@ -1677,22 +2125,19 @@ var configSetCommand = defineCommand19({
       config.agent = config.agent || {};
       config.agent[field] = value;
     } else {
-      consola17.error(`Unknown section: "${section}". Use: defaults, agent`);
-      return process.exit(1);
+      throw new CliError(`Unknown section: "${section}". Use: defaults, agent`);
     }
     saveConfig(config);
-    consola17.success(`Set ${key} = ${value}`);
+    consola19.success(`Set ${key} = ${value}`);
   }
 });
 
 // src/commands/fetch/index.ts
-import { defineCommand as defineCommand20 } from "citty";
-import consola18 from "consola";
+import { defineCommand as defineCommand24 } from "citty";
 async function doRequest(method, url, body, contentType, raw, showHeaders) {
   const token = getAuthToken();
   if (!token) {
-    consola18.error("Not authenticated. Run `apes login` first.");
-    return process.exit(1);
+    throw new CliError("Not authenticated. Run `apes login` first.");
   }
   const response = await fetch(url, {
     method,
@@ -1721,16 +2166,16 @@ async function doRequest(method, url, body, contentType, raw, showHeaders) {
     }
   }
   if (!response.ok) {
-    process.exit(1);
+    throw new CliError(`HTTP ${response.status} ${response.statusText}`);
   }
 }
-var fetchCommand = defineCommand20({
+var fetchCommand = defineCommand24({
   meta: {
     name: "fetch",
     description: "Make authenticated HTTP requests"
   },
   subCommands: {
-    get: defineCommand20({
+    get: defineCommand24({
       meta: {
         name: "get",
         description: "GET request with auth token"
@@ -1756,7 +2201,7 @@ var fetchCommand = defineCommand20({
         await doRequest("GET", String(args.url), void 0, "application/json", Boolean(args.raw), Boolean(args.headers));
       }
     }),
-    post: defineCommand20({
+    post: defineCommand24({
       meta: {
         name: "post",
         description: "POST request with auth token"
@@ -1795,8 +2240,8 @@ var fetchCommand = defineCommand20({
 });
 
 // src/commands/mcp/index.ts
-import { defineCommand as defineCommand21 } from "citty";
-var mcpCommand = defineCommand21({
+import { defineCommand as defineCommand25 } from "citty";
+var mcpCommand = defineCommand25({
   meta: {
     name: "mcp",
     description: "Start MCP server for AI agents"
@@ -1819,25 +2264,25 @@ var mcpCommand = defineCommand21({
     if (transport !== "stdio" && transport !== "sse") {
       throw new Error('Transport must be "stdio" or "sse"');
     }
-    const { startMcpServer } = await import("./server-R2EVEMKX.js");
+    const { startMcpServer } = await import("./server-FR6GFS3S.js");
     await startMcpServer(transport, port);
   }
 });
 
 // src/commands/init/index.ts
-import { existsSync, copyFileSync, writeFileSync } from "fs";
+import { existsSync as existsSync2, copyFileSync, writeFileSync } from "fs";
 import { randomBytes } from "crypto";
 import { execFileSync as execFileSync2 } from "child_process";
 import { join } from "path";
-import { defineCommand as defineCommand22 } from "citty";
-import consola19 from "consola";
+import { defineCommand as defineCommand26 } from "citty";
+import consola20 from "consola";
 var DEFAULT_IDP_URL = "https://id.openape.at";
 async function downloadTemplate(repo, targetDir) {
   const { downloadTemplate: gigetDownload } = await import("giget");
   await gigetDownload(`gh:${repo}`, { dir: targetDir, force: false });
 }
 function installDeps(dir) {
-  const hasLockFile = (name) => existsSync(join(dir, name));
+  const hasLockFile = (name) => existsSync2(join(dir, name));
   if (hasLockFile("pnpm-lock.yaml")) {
     execFileSync2("pnpm", ["install"], { cwd: dir, stdio: "inherit" });
   } else if (hasLockFile("bun.lockb")) {
@@ -1847,20 +2292,20 @@ function installDeps(dir) {
   }
 }
 async function promptChoice(message, choices) {
-  const result = await consola19.prompt(message, { type: "select", options: choices });
+  const result = await consola20.prompt(message, { type: "select", options: choices });
   if (typeof result === "symbol") {
-    process.exit(0);
+    throw new CliExit(0);
   }
   return result;
 }
 async function promptText(message, defaultValue) {
-  const result = await consola19.prompt(message, { type: "text", default: defaultValue, placeholder: defaultValue });
+  const result = await consola20.prompt(message, { type: "text", default: defaultValue, placeholder: defaultValue });
   if (typeof result === "symbol") {
-    process.exit(0);
+    throw new CliExit(0);
   }
   return result || defaultValue || "";
 }
-var initCommand = defineCommand22({
+var initCommand = defineCommand26({
   meta: {
     name: "init",
     description: "Scaffold a new OpenApe project"
@@ -1902,24 +2347,23 @@ var initCommand = defineCommand22({
 });
 async function initSP(targetDir) {
   const dir = targetDir || "my-app";
-  if (existsSync(join(dir, "package.json"))) {
-    consola19.error(`Directory "${dir}" already contains a project.`);
-    return process.exit(1);
+  if (existsSync2(join(dir, "package.json"))) {
+    throw new CliError(`Directory "${dir}" already contains a project.`);
   }
-  consola19.start("Scaffolding SP starter...");
+  consola20.start("Scaffolding SP starter...");
   await downloadTemplate("openape-ai/openape-sp-starter", dir);
-  consola19.success("Scaffolded from openape-sp-starter");
-  consola19.start("Installing dependencies...");
+  consola20.success("Scaffolded from openape-sp-starter");
+  consola20.start("Installing dependencies...");
   installDeps(dir);
-  consola19.success("Dependencies installed");
+  consola20.success("Dependencies installed");
   const envExample = join(dir, ".env.example");
   const envFile = join(dir, ".env");
-  if (existsSync(envExample) && !existsSync(envFile)) {
+  if (existsSync2(envExample) && !existsSync2(envFile)) {
     copyFileSync(envExample, envFile);
-    consola19.success(`\`.env\` created (using Free IdP at ${DEFAULT_IDP_URL})`);
+    consola20.success(`\`.env\` created (using Free IdP at ${DEFAULT_IDP_URL})`);
   }
   console.log("");
-  consola19.box([
+  consola20.box([
     `cd ${dir}`,
     "npm run dev",
     "",
@@ -1928,9 +2372,8 @@ async function initSP(targetDir) {
 }
 async function initIdP(targetDir) {
   const dir = targetDir || "my-idp";
-  if (existsSync(join(dir, "package.json"))) {
-    consola19.error(`Directory "${dir}" already contains a project.`);
-    return process.exit(1);
+  if (existsSync2(join(dir, "package.json"))) {
+    throw new CliError(`Directory "${dir}" already contains a project.`);
   }
   const domain = await promptText("Domain for the IdP", "localhost");
   const storage = await promptChoice("Storage backend", [
@@ -1939,15 +2382,15 @@ async function initIdP(targetDir) {
     "s3 (S3-compatible)"
   ]);
   const adminEmail = await promptText("Admin email");
-  consola19.start("Scaffolding IdP starter...");
+  consola20.start("Scaffolding IdP starter...");
   await downloadTemplate("openape-ai/openape-idp-starter", dir);
-  consola19.success("Scaffolded from openape-idp-starter");
-  consola19.start("Installing dependencies...");
+  consola20.success("Scaffolded from openape-idp-starter");
+  consola20.start("Installing dependencies...");
   installDeps(dir);
-  consola19.success("Dependencies installed");
+  consola20.success("Dependencies installed");
   const sessionSecret = randomBytes(32).toString("hex");
   const managementToken = randomBytes(32).toString("hex");
-  consola19.success("Secrets generated");
+  consola20.success("Secrets generated");
   const isLocalhost = domain === "localhost";
   const origin = isLocalhost ? "http://localhost:3000" : `https://${domain}`;
   const envContent = [
@@ -1961,10 +2404,11 @@ async function initIdP(targetDir) {
     `NUXT_OPENAPE_RP_ID=${domain}`,
     `NUXT_OPENAPE_RP_ORIGIN=${origin}`
   ].join("\n");
-  writeFileSync(join(dir, ".env"), envContent + "\n", { mode: 384 });
-  consola19.success(".env created");
+  writeFileSync(join(dir, ".env"), `${envContent}
+`, { mode: 384 });
+  consola20.success(".env created");
   console.log("");
-  consola19.box([
+  consola20.box([
     `cd ${dir}`,
     "npm run dev",
     "",
@@ -1981,19 +2425,19 @@ async function initIdP(targetDir) {
 
 // src/commands/enroll.ts
 import { Buffer as Buffer2 } from "buffer";
-import { existsSync as existsSync2, readFileSync, writeFileSync as writeFileSync2, mkdirSync } from "fs";
+import { existsSync as existsSync3, readFileSync as readFileSync2, writeFileSync as writeFileSync2, mkdirSync } from "fs";
 import { execFile as execFile2 } from "child_process";
 import { generateKeyPairSync, sign } from "crypto";
-import { dirname, resolve } from "path";
-import { homedir } from "os";
-import { defineCommand as defineCommand23 } from "citty";
-import consola20 from "consola";
+import { dirname, resolve as resolve2 } from "path";
+import { homedir as homedir2 } from "os";
+import { defineCommand as defineCommand27 } from "citty";
+import consola21 from "consola";
 var DEFAULT_IDP_URL2 = "https://id.openape.at";
 var DEFAULT_KEY_PATH = "~/.ssh/id_ed25519";
 var POLL_INTERVAL = 3e3;
 var POLL_TIMEOUT = 3e5;
 function resolvePath(p) {
-  return resolve(p.replace(/^~/, homedir()));
+  return resolve2(p.replace(/^~/, homedir2()));
 }
 function openBrowser2(url) {
   const cmd = process.platform === "darwin" ? "open" : process.platform === "win32" ? "start" : "xdg-open";
@@ -2002,10 +2446,10 @@ function openBrowser2(url) {
 }
 function readPublicKey(keyPath) {
   const pubPath = `${keyPath}.pub`;
-  if (existsSync2(pubPath)) {
-    return readFileSync(pubPath, "utf-8").trim();
+  if (existsSync3(pubPath)) {
+    return readFileSync2(pubPath, "utf-8").trim();
   }
-  const keyContent = readFileSync(keyPath, "utf-8");
+  const keyContent = readFileSync2(keyPath, "utf-8");
   const privateKey = loadEd25519PrivateKey(keyContent);
   const jwk = privateKey.export({ format: "jwk" });
   const pubBytes = Buffer2.from(jwk.x, "base64url");
@@ -2020,7 +2464,7 @@ function readPublicKey(keyPath) {
 function generateAndSaveKey(keyPath) {
   const resolved = resolvePath(keyPath);
   const dir = dirname(resolved);
-  if (!existsSync2(dir)) {
+  if (!existsSync3(dir)) {
     mkdirSync(dir, { recursive: true });
   }
   const { publicKey, privateKey } = generateKeyPairSync("ed25519");
@@ -2041,7 +2485,7 @@ function generateAndSaveKey(keyPath) {
 }
 async function pollForEnrollment(idp, agentEmail, keyPath) {
   const resolvedKey = resolvePath(keyPath);
-  const keyContent = readFileSync(resolvedKey, "utf-8");
+  const keyContent = readFileSync2(resolvedKey, "utf-8");
   const privateKey = loadEd25519PrivateKey(keyContent);
   const challengeUrl = await getAgentChallengeEndpoint(idp);
   const authenticateUrl = await getAgentAuthenticateEndpoint(idp);
@@ -2068,11 +2512,11 @@ async function pollForEnrollment(idp, agentEmail, keyPath) {
       }
     } catch {
     }
-    await new Promise((resolve2) => setTimeout(resolve2, POLL_INTERVAL));
+    await new Promise((resolve3) => setTimeout(resolve3, POLL_INTERVAL));
   }
   throw new Error("Enrollment timed out. Please check the browser and try again.");
 }
-var enrollCommand = defineCommand23({
+var enrollCommand = defineCommand27({
   meta: {
     name: "enroll",
     description: "Enroll an agent with an Identity Provider"
@@ -2092,38 +2536,48 @@ var enrollCommand = defineCommand23({
     }
   },
   async run({ args }) {
-    const idp = args.idp || await consola20.prompt("IdP URL", { type: "text", default: DEFAULT_IDP_URL2, placeholder: DEFAULT_IDP_URL2 }).then((r) => typeof r === "symbol" ? process.exit(0) : r) || DEFAULT_IDP_URL2;
-    const agentName = args.name || await consola20.prompt("Agent name", { type: "text", placeholder: "deploy-bot" }).then((r) => typeof r === "symbol" ? process.exit(0) : r);
+    const idp = args.idp || await consola21.prompt("IdP URL", { type: "text", default: DEFAULT_IDP_URL2, placeholder: DEFAULT_IDP_URL2 }).then((r) => {
+      if (typeof r === "symbol") throw new CliExit(0);
+      return r;
+    }) || DEFAULT_IDP_URL2;
+    const agentName = args.name || await consola21.prompt("Agent name", { type: "text", placeholder: "deploy-bot" }).then((r) => {
+      if (typeof r === "symbol") throw new CliExit(0);
+      return r;
+    });
     if (!agentName) {
-      consola20.error("Agent name is required.");
-      return process.exit(1);
+      throw new CliError("Agent name is required.");
     }
-    const keyPath = args.key || await consola20.prompt("Ed25519 key", { type: "text", default: DEFAULT_KEY_PATH, placeholder: DEFAULT_KEY_PATH }).then((r) => typeof r === "symbol" ? process.exit(0) : r) || DEFAULT_KEY_PATH;
+    const keyPath = args.key || await consola21.prompt("Ed25519 key", { type: "text", default: DEFAULT_KEY_PATH, placeholder: DEFAULT_KEY_PATH }).then((r) => {
+      if (typeof r === "symbol") throw new CliExit(0);
+      return r;
+    }) || DEFAULT_KEY_PATH;
     const resolvedKey = resolvePath(keyPath);
     let publicKey;
-    if (existsSync2(resolvedKey)) {
+    if (existsSync3(resolvedKey)) {
       publicKey = readPublicKey(resolvedKey);
-      consola20.success(`Using existing key ${keyPath}`);
+      consola21.success(`Using existing key ${keyPath}`);
     } else {
-      consola20.start(`Generating Ed25519 key pair at ${keyPath}...`);
+      consola21.start(`Generating Ed25519 key pair at ${keyPath}...`);
       publicKey = generateAndSaveKey(keyPath);
-      consola20.success(`Key pair generated at ${keyPath}`);
+      consola21.success(`Key pair generated at ${keyPath}`);
     }
     const encodedKey = encodeURIComponent(publicKey);
     const enrollUrl = `${idp}/enroll?name=${encodeURIComponent(agentName)}&key=${encodedKey}`;
-    consola20.info("Opening browser for enrollment...");
-    consola20.info(`\u2192 ${idp}/enroll`);
+    consola21.info("Opening browser for enrollment...");
+    consola21.info(`\u2192 ${idp}/enroll`);
     openBrowser2(enrollUrl);
     console.log("");
-    const agentEmail = await consola20.prompt(
+    const agentEmail = await consola21.prompt(
       "Agent email (shown in browser after enrollment)",
       { type: "text", placeholder: `agent+${agentName}@...` }
-    ).then((r) => typeof r === "symbol" ? process.exit(0) : r);
+    ).then((r) => {
+      if (typeof r === "symbol") throw new CliExit(0);
+      return r;
+    });
     if (!agentEmail) {
-      consola20.error("Agent email is required to verify enrollment.");
-      return process.exit(1);
+      throw new CliError("Agent email is required to verify enrollment.");
     }
-    consola20.start("Verifying enrollment...");
+    consola21.start("Verifying enrollment...");
     const { token, expiresIn } = await pollForEnrollment(idp, agentEmail, keyPath);
     saveAuth({
       idp,
@@ -2135,18 +2589,81 @@ var enrollCommand = defineCommand23({
     config.defaults = { ...config.defaults, idp };
     config.agent = { key: keyPath, email: agentEmail };
     saveConfig(config);
-    consola20.success(`Agent enrolled as ${agentEmail}`);
-    consola20.success("Config saved to ~/.config/apes/");
+    consola21.success(`Agent enrolled as ${agentEmail}`);
+    consola21.success("Config saved to ~/.config/apes/");
     console.log("");
-    consola20.info("Verify with: apes whoami");
+    consola21.info("Verify with: apes whoami");
+  }
+});
+
+// src/commands/register-user.ts
+import { existsSync as existsSync4, readFileSync as readFileSync3 } from "fs";
+import { defineCommand as defineCommand28 } from "citty";
+import consola22 from "consola";
+var registerUserCommand = defineCommand28({
+  meta: {
+    name: "register-user",
+    description: "Register a sub-user with SSH key"
+  },
+  args: {
+    email: {
+      type: "string",
+      description: "Email for the new user",
+      required: true
+    },
+    name: {
+      type: "string",
+      description: "Name for the new user",
+      required: true
+    },
+    key: {
+      type: "string",
+      description: "Path to SSH public key file or key string",
+      required: true
+    },
+    type: {
+      type: "string",
+      description: "User type: human or agent (default: agent)"
+    }
+  },
+  async run({ args }) {
+    const auth = loadAuth();
+    if (!auth) {
+      throw new CliError("Not authenticated. Run `apes login` first.");
+    }
+    const idp = getIdpUrl();
+    if (!idp) {
+      throw new CliError("No IdP URL configured. Run `apes login` first.");
+    }
+    let publicKey = args.key;
+    if (existsSync4(args.key)) {
+      publicKey = readFileSync3(args.key, "utf-8").trim();
+    }
+    if (!publicKey.startsWith("ssh-ed25519 ")) {
+      throw new CliError("Public key must be in ssh-ed25519 format.");
+    }
+    const userType = args.type;
+    if (userType && userType !== "human" && userType !== "agent") {
+      throw new CliError('Type must be "human" or "agent".');
+    }
+    const result = await apiFetch(`${idp}/api/auth/enroll`, {
+      method: "POST",
+      body: {
+        email: args.email,
+        name: args.name,
+        publicKey,
+        ...userType ? { type: userType } : {}
+      }
+    });
+    consola22.success(`User registered: ${result.email} (type: ${result.type}, owner: ${result.owner})`);
   }
 });
 
 // src/commands/dns-check.ts
-import { defineCommand as defineCommand24 } from "citty";
-import consola21 from "consola";
+import { defineCommand as defineCommand29 } from "citty";
+import consola23 from "consola";
 import { resolveDDISA } from "@openape/core";
-var dnsCheckCommand = defineCommand24({
+var dnsCheckCommand = defineCommand29({
   meta: {
     name: "dns-check",
     description: "Validate DDISA DNS TXT records for a domain"
@@ -2160,17 +2677,16 @@ var dnsCheckCommand = defineCommand24({
   },
   async run({ args }) {
     const domain = args.domain;
-    consola21.start(`Checking _ddisa.${domain}...`);
+    consola23.start(`Checking _ddisa.${domain}...`);
     try {
       const result = await resolveDDISA(domain);
       if (!result) {
-        consola21.error(`No DDISA record found for ${domain}`);
         console.log("");
         console.log("To set up DDISA, add a DNS TXT record:");
         console.log(`  _ddisa.${domain} TXT "v=ddisa1 idp=https://id.${domain}"`);
-        return process.exit(1);
+        throw new CliError(`No DDISA record found for ${domain}`);
       }
-      consola21.success(`_ddisa.${domain} \u2192 ${result.idp}`);
+      consola23.success(`_ddisa.${domain} \u2192 ${result.idp}`);
       console.log("");
       console.log(`  Version:  ${result.version || "ddisa1"}`);
       console.log(`  IdP URL:  ${result.idp}`);
@@ -2179,14 +2695,14 @@ var dnsCheckCommand = defineCommand24({
       if (result.priority !== void 0)
         console.log(`  Priority: ${result.priority}`);
       console.log("");
-      consola21.start(`Verifying IdP at ${result.idp}...`);
+      consola23.start(`Verifying IdP at ${result.idp}...`);
       const discoResp = await fetch(`${result.idp}/.well-known/openid-configuration`);
       if (!discoResp.ok) {
-        consola21.warn(`IdP discovery failed (${discoResp.status}). Is the IdP running at ${result.idp}?`);
+        consola23.warn(`IdP discovery failed (${discoResp.status}). Is the IdP running at ${result.idp}?`);
         return;
       }
       const disco = await discoResp.json();
-      consola21.success(`IdP is reachable`);
+      consola23.success(`IdP is reachable`);
       console.log(`  Issuer:   ${disco.issuer}`);
       console.log(`  DDISA:    v${disco.ddisa_version || "?"}`);
       if (disco.ddisa_auth_methods_supported) {
@@ -2196,15 +2712,146 @@ var dnsCheckCommand = defineCommand24({
         console.log(`  Grants:   ${disco.openape_grant_types_supported.join(", ")}`);
       }
     } catch (err) {
-      consola21.error(`DNS check failed: ${err instanceof Error ? err.message : String(err)}`);
-      return process.exit(1);
+      throw new CliError(`DNS check failed: ${err instanceof Error ? err.message : String(err)}`);
     }
   }
 });
 
+// src/commands/workflows.ts
+import { defineCommand as defineCommand30 } from "citty";
+import consola24 from "consola";
+
+// src/guides/index.ts
+var guides = [
+  {
+    id: "timed-session",
+    title: "Timed maintenance session",
+    description: "Request a timed grant for multiple commands without per-command approval.",
+    steps: [
+      { description: "Request a timed grant (e.g. 1 hour)", command: "apes run --approval timed -- <your-command>" },
+      { description: "Approve the grant in the browser (link is printed)" },
+      { description: "Subsequent commands reuse the timed grant until it expires" },
+      { note: "Use --approval always for standing permissions (revoke manually when done)" }
+    ]
+  },
+  {
+    id: "agent-onboarding",
+    title: "Onboard a new agent",
+    description: "Register an AI agent with a DDISA identity in under 3 minutes.",
+    steps: [
+      { description: "Initialize a new project (optional)", command: "apes init --sp my-app" },
+      { description: "Enroll the agent at an IdP", command: "apes enroll" },
+      { description: "Verify enrollment", command: "apes whoami" },
+      { description: "Check DNS discovery", command: "apes dns-check" }
+    ]
+  },
+  {
+    id: "delegation",
+    title: "Delegate permissions",
+    description: "Let an agent act on your behalf at a specific service.",
+    steps: [
+      { description: "Create a delegation", command: "apes grants delegate --to agent@example.com --at api.example.com" },
+      { description: "List active delegations", command: "apes grants delegations" },
+      { description: "Revoke when no longer needed", command: "apes grants revoke <delegation-id>" }
+    ]
+  },
+  {
+    id: "privilege-escalation",
+    title: "Run commands as root (escapes)",
+    description: "Execute privileged commands with grant-verified escalation.",
+    steps: [
+      { description: "Request a grant to run a command as root", command: "apes run --as root -- apt-get upgrade" },
+      { description: "Approve the grant in the browser" },
+      { description: "The command executes via escapes with verified authorization" },
+      { note: "escapes must be installed on the target machine (cargo build && sudo make install)" }
+    ]
+  }
+];
+
+// src/commands/workflows.ts
+var workflowsCommand = defineCommand30({
+  meta: {
+    name: "workflows",
+    description: "Discover workflow guides"
+  },
+  args: {
+    id: {
+      type: "positional",
+      description: "Guide ID to show (omit for list)",
+      required: false
+    },
+    json: {
+      type: "boolean",
+      description: "Output as JSON",
+      default: false
+    }
+  },
+  run({ args }) {
+    if (args.id) {
+      const guide = guides.find((g) => g.id === String(args.id));
+      if (!guide) {
+        consola24.info(`Available: ${guides.map((g) => g.id).join(", ")}`);
+        throw new CliError(`Guide not found: ${args.id}`);
+      }
+      if (args.json) {
+        console.log(JSON.stringify(guide, null, 2));
+        return;
+      }
+      console.log(`
+  ${guide.title}`);
+      console.log(`  ${guide.description}
+`);
+      for (let i = 0; i < guide.steps.length; i++) {
+        const step = guide.steps[i];
+        if (step.note) {
+          console.log(`  Note: ${step.note}`);
+        } else {
+          console.log(`  ${i + 1}. ${step.description}`);
+          if (step.command) {
+            console.log(`     $ ${step.command}`);
+          }
+        }
+      }
+      console.log();
+      return;
+    }
+    if (args.json) {
+      console.log(JSON.stringify(guides.map((g) => ({ id: g.id, title: g.title, description: g.description })), null, 2));
+      return;
+    }
+    console.log("\n  Workflow Guides\n");
+    for (const guide of guides) {
+      console.log(`  ${guide.id.padEnd(24)} ${guide.title}`);
+    }
+    console.log(`
+  Show a guide: apes workflows <id>
+`);
+  }
+});
+
 // src/cli.ts
+process.stdout.on("error", (err) => {
+  if (err.code === "EPIPE") process.exit(0);
+  throw err;
+});
+var shellRewrite = rewriteApeShellArgs(process.argv);
+if (shellRewrite) {
+  if (shellRewrite.action === "rewrite") {
+    process.argv = shellRewrite.argv;
+  } else if (shellRewrite.action === "version") {
+    console.log(`ape-shell (OpenApe DDISA shell wrapper)`);
+    process.exit(0);
+  } else if (shellRewrite.action === "help") {
+    console.log("Usage: ape-shell -c <command>");
+    console.log("Routes all commands through apes run for grant-based authorization.");
+    process.exit(0);
+  } else {
+    console.error("ape-shell: only -c <command> mode is supported");
+    process.exit(1);
+  }
+}
 var debug = process.argv.includes("--debug");
-var grantsCommand = defineCommand25({
+var grantsCommand = defineCommand31({
   meta: {
     name: "grants",
     description: "Grant management"
@@ -2220,10 +2867,11 @@ var grantsCommand = defineCommand25({
     revoke: revokeCommand,
     token: tokenCommand,
     delegate: delegateCommand,
-    delegations: delegationsCommand
+    delegations: delegationsCommand,
+    "delegation-revoke": delegationRevokeCommand
   }
 });
-var configCommand = defineCommand25({
+var configCommand = defineCommand31({
   meta: {
     name: "config",
     description: "Configuration management"
@@ -2233,33 +2881,43 @@ var configCommand = defineCommand25({
     set: configSetCommand
   }
 });
-var main = defineCommand25({
+var main = defineCommand31({
   meta: {
     name: "apes",
-    version: "0.5.5",
+    version: "0.6.1",
     description: "Unified CLI for OpenApe"
   },
   subCommands: {
     init: initCommand,
     enroll: enrollCommand,
+    "register-user": registerUserCommand,
     "dns-check": dnsCheckCommand,
     login: loginCommand,
     logout: logoutCommand,
     whoami: whoamiCommand,
     grants: grantsCommand,
+    admin: adminCommand,
     run: runCommand,
     explain: explainCommand,
     adapter: adapterCommand,
     config: configCommand,
     fetch: fetchCommand,
-    mcp: mcpCommand
+    mcp: mcpCommand,
+    workflows: workflowsCommand
   }
 });
 runMain(main).catch((err) => {
+  if (err instanceof CliExit) {
+    process.exit(err.exitCode);
+  }
+  if (err instanceof CliError) {
+    consola25.error(err.message);
+    process.exit(err.exitCode);
+  }
   if (debug) {
-    consola22.error(err);
+    consola25.error(err);
   } else {
-    consola22.error(err instanceof ApiError ? err.message : err instanceof Error ? err.message : String(err));
+    consola25.error(err instanceof ApiError ? err.message : err instanceof Error ? err.message : String(err));
   }
   process.exit(1);
 });