@openape/apes 0.6.0 → 0.6.1

package/dist/cli.js

@@ -10,22 +10,63 @@ import {
 import {
   ApiError,
   apiFetch,
+  buildStructuredCliGrantRequest,
   clearAuth,
+  createShapesGrant,
+  extractOption,
+  extractShellCommandString,
+  extractWrappedCommand,
+  fetchGrantToken,
+  fetchRegistry,
+  findAdapter,
+  findConflictingAdapters,
+  findExistingGrant,
   getAgentAuthenticateEndpoint,
   getAgentChallengeEndpoint,
   getAuthToken,
   getDelegationsEndpoint,
   getGrantsEndpoint,
   getIdpUrl,
+  getInstalledDigest,
+  installAdapter,
+  isInstalled,
+  loadAdapter,
   loadAuth,
   loadConfig,
+  loadOrInstallAdapter,
+  parseShellCommand,
+  removeAdapter,
+  resolveCapabilityRequest,
+  resolveCommand,
   saveAuth,
-  saveConfig
-} from "./chunk-KXESKY4X.js";
+  saveConfig,
+  searchAdapters,
+  verifyAndExecute,
+  waitForGrantStatus
+} from "./chunk-G3Q2TMAI.js";
 
 // src/cli.ts
-import consola21 from "consola";
-import { defineCommand as defineCommand26, runMain } from "citty";
+import consola25 from "consola";
+
+// src/ape-shell.ts
+import path from "path";
+function rewriteApeShellArgs(argv) {
+  const invokedAs = path.basename(argv[1] ?? "");
+  if (invokedAs !== "ape-shell" && invokedAs !== "ape-shell.js")
+    return null;
+  const shellArgs = argv.slice(2);
+  if (shellArgs[0] === "-c" && shellArgs.length > 1) {
+    return { action: "rewrite", argv: [argv[0], argv[1], "run", "--shell", "--", "bash", "-c", ...shellArgs.slice(1)] };
+  }
+  if (shellArgs[0] === "--version")
+    return { action: "version" };
+  if (shellArgs[0] === "--help" || shellArgs[0] === "-h")
+    return { action: "help" };
+  return { action: "error" };
+}
+
+// src/cli.ts
+import { defineCommand as defineCommand31, runMain } from "citty";
 
 // src/commands/auth/login.ts
 import { Buffer } from "buffer";
@@ -88,7 +129,7 @@ async function loginWithPKCE(idp) {
   authUrl.searchParams.set("state", state);
   authUrl.searchParams.set("nonce", nonce);
   authUrl.searchParams.set("scope", "openid email profile offline_access");
-  const code = await new Promise((resolve2, reject) => {
+  const code = await new Promise((resolve3, reject) => {
     const server = createServer((req, res) => {
       const url = new URL(req.url, `http://localhost:${CALLBACK_PORT}`);
       if (url.pathname === "/callback") {
@@ -105,7 +146,7 @@ async function loginWithPKCE(idp) {
           res.writeHead(200, { "Content-Type": "text/html" });
           res.end("<h1>Login successful!</h1><p>You can close this window.</p>");
           server.close();
-          resolve2(authCode);
+          resolve3(authCode);
           return;
         }
         res.writeHead(400);
@@ -156,7 +197,7 @@ async function loginWithPKCE(idp) {
   consola.success(`Logged in as ${payload.email || payload.sub}`);
 }
 async function loginWithKey(idp, keyPath, email) {
-  const { readFileSync: readFileSync2 } = await import("fs");
+  const { readFileSync: readFileSync4 } = await import("fs");
   const { sign: sign2 } = await import("crypto");
   const { loadEd25519PrivateKey: loadEd25519PrivateKey2 } = await import("./ssh-key-Q7KG4K25.js");
   const agentEmail = email;
@@ -173,7 +214,7 @@ async function loginWithKey(idp, keyPath, email) {
     throw new CliError(`Challenge failed: ${await challengeResp.text()}`);
   }
   const { challenge } = await challengeResp.json();
-  const keyContent = readFileSync2(keyPath, "utf-8");
+  const keyContent = readFileSync4(keyPath, "utf-8");
   const privateKey = loadEd25519PrivateKey2(keyContent);
   const signature = sign2(null, Buffer.from(challenge), privateKey).toString("base64");
   const authenticateUrl = await getAgentAuthenticateEndpoint(idp);
@@ -196,7 +237,7 @@ async function loginWithKey(idp, keyPath, email) {
     email: agentEmail,
     expires_at: Math.floor(Date.now() / 1e3) + (expires_in || 3600)
   });
-  consola.success(`Logged in as ${agentEmail} (agent)`);
+  consola.success(`Logged in as ${agentEmail}`);
 }
 
 // src/commands/auth/logout.ts
@@ -519,7 +560,6 @@ async function waitForApproval(grantsUrl, grantId) {
 
 // src/commands/grants/request-capability.ts
 import { hostname as hostname2 } from "os";
-import { buildStructuredCliGrantRequest, loadAdapter, resolveCapabilityRequest } from "@openape/shapes";
 import { defineCommand as defineCommand8 } from "citty";
 import consola7 from "consola";
 function parseCapabilityArgs(rawArgs) {
@@ -637,7 +677,7 @@ async function waitForApproval2(grantsUrl, grantId) {
     if (grant.status === "revoked") {
       throw new CliError("Grant revoked.");
     }
-    await new Promise((resolve2) => setTimeout(resolve2, interval));
+    await new Promise((resolve3) => setTimeout(resolve3, interval));
   }
   throw new CliError("Timed out waiting for approval.");
 }
@@ -988,7 +1028,8 @@ var delegationsCommand = defineCommand14({
   async run({ args }) {
     const idp = getIdpUrl();
     const delegationsUrl = await getDelegationsEndpoint(idp);
-    const delegations = await apiFetch(delegationsUrl);
+    const response = await apiFetch(delegationsUrl);
+    const delegations = Array.isArray(response) ? response : response.data;
     if (args.json) {
       console.log(JSON.stringify(delegations, null, 2));
       return;
@@ -1005,27 +1046,345 @@ var delegationsCommand = defineCommand14({
   }
 });
 
-// src/commands/adapter/index.ts
+// src/commands/grants/delegation-revoke.ts
 import { defineCommand as defineCommand15 } from "citty";
 import consola13 from "consola";
-import {
-  fetchRegistry,
-  findAdapter,
-  findConflictingAdapters,
-  getInstalledDigest,
-  installAdapter,
-  isInstalled,
-  loadAdapter as loadAdapter2,
-  removeAdapter,
-  searchAdapters
-} from "@openape/shapes";
-var adapterCommand = defineCommand15({
+var delegationRevokeCommand = defineCommand15({
+  meta: {
+    name: "delegation-revoke",
+    description: "Revoke a delegation"
+  },
+  args: {
+    id: {
+      type: "positional",
+      description: "Delegation ID to revoke",
+      required: true
+    }
+  },
+  async run({ args }) {
+    const idp = getIdpUrl();
+    if (!idp) {
+      throw new CliError("No IdP URL configured. Run `apes login` first or pass --idp.");
+    }
+    const delegationsUrl = await getDelegationsEndpoint(idp);
+    const id = String(args.id);
+    const result = await apiFetch(
+      `${delegationsUrl}/${id}`,
+      { method: "DELETE" }
+    );
+    consola13.success(`Delegation ${result.id} revoked.`);
+  }
+});
+
+// src/commands/admin/index.ts
+import { defineCommand as defineCommand18 } from "citty";
+
+// src/commands/admin/users.ts
+import { defineCommand as defineCommand16 } from "citty";
+import consola14 from "consola";
+function getManagementToken() {
+  const token = process.env.APES_MANAGEMENT_TOKEN;
+  if (!token) {
+    throw new CliError("Management token required. Set APES_MANAGEMENT_TOKEN environment variable.");
+  }
+  return token;
+}
+var usersListCommand = defineCommand16({
+  meta: {
+    name: "list",
+    description: "List all users"
+  },
+  args: {
+    json: {
+      type: "boolean",
+      description: "Output as JSON",
+      default: false
+    },
+    limit: {
+      type: "string",
+      description: "Max number of users to return (1-100, default 50)"
+    },
+    cursor: {
+      type: "string",
+      description: "Pagination cursor (email of last item from previous page)"
+    },
+    search: {
+      type: "string",
+      description: "Filter by email or name (case-insensitive)"
+    }
+  },
+  async run({ args }) {
+    const idp = getIdpUrl();
+    if (!idp) {
+      throw new CliError("No IdP URL configured. Run `apes login` first or pass --idp.");
+    }
+    const token = getManagementToken();
+    const params = new URLSearchParams();
+    if (args.limit) params.set("limit", args.limit);
+    if (args.cursor) params.set("cursor", args.cursor);
+    if (args.search) params.set("search", args.search);
+    const qs = params.toString();
+    const url = qs ? `${idp}/api/admin/users?${qs}` : `${idp}/api/admin/users`;
+    const result = await apiFetch(url, { token });
+    if (args.json) {
+      console.log(JSON.stringify(result, null, 2));
+      return;
+    }
+    if (result.data.length === 0) {
+      consola14.info("No users found.");
+      return;
+    }
+    for (const u of result.data) {
+      const owner = u.owner ? ` (agent of ${u.owner})` : "";
+      const active = u.isActive ? "" : " [inactive]";
+      console.log(`${u.email}  ${u.name}${owner}${active}`);
+    }
+    if (result.pagination.has_more) {
+      consola14.info(`More results available. Use --cursor="${result.pagination.cursor}" to see next page.`);
+    }
+  }
+});
+var usersCreateCommand = defineCommand16({
+  meta: {
+    name: "create",
+    description: "Create a user"
+  },
+  args: {
+    email: {
+      type: "string",
+      description: "User email",
+      required: true
+    },
+    name: {
+      type: "string",
+      description: "User name",
+      required: true
+    }
+  },
+  async run({ args }) {
+    const idp = getIdpUrl();
+    if (!idp) {
+      throw new CliError("No IdP URL configured. Run `apes login` first or pass --idp.");
+    }
+    const token = getManagementToken();
+    const result = await apiFetch(
+      `${idp}/api/admin/users`,
+      {
+        method: "POST",
+        body: { email: args.email, name: args.name },
+        token
+      }
+    );
+    consola14.success(`User created: ${result.email} (${result.name})`);
+  }
+});
+var usersDeleteCommand = defineCommand16({
+  meta: {
+    name: "delete",
+    description: "Delete a user"
+  },
+  args: {
+    email: {
+      type: "positional",
+      description: "User email",
+      required: true
+    }
+  },
+  async run({ args }) {
+    const idp = getIdpUrl();
+    if (!idp) {
+      throw new CliError("No IdP URL configured. Run `apes login` first or pass --idp.");
+    }
+    const token = getManagementToken();
+    const email = String(args.email);
+    await apiFetch(`${idp}/api/admin/users/${encodeURIComponent(email)}`, {
+      method: "DELETE",
+      token
+    });
+    consola14.success(`User deleted: ${email}`);
+  }
+});
+
+// src/commands/admin/ssh-keys.ts
+import { existsSync, readFileSync } from "fs";
+import { resolve } from "path";
+import { homedir } from "os";
+import { defineCommand as defineCommand17 } from "citty";
+import consola15 from "consola";
+function getManagementToken2() {
+  const token = process.env.APES_MANAGEMENT_TOKEN;
+  if (!token) {
+    throw new CliError("Management token required. Set APES_MANAGEMENT_TOKEN environment variable.");
+  }
+  return token;
+}
+var sshKeysListCommand = defineCommand17({
+  meta: {
+    name: "list",
+    description: "List SSH keys for a user"
+  },
+  args: {
+    email: {
+      type: "positional",
+      description: "User email",
+      required: true
+    },
+    json: {
+      type: "boolean",
+      description: "Output as JSON",
+      default: false
+    }
+  },
+  async run({ args }) {
+    const idp = getIdpUrl();
+    if (!idp) {
+      throw new CliError("No IdP URL configured. Run `apes login` first or pass --idp.");
+    }
+    const token = getManagementToken2();
+    const email = String(args.email);
+    const keys = await apiFetch(
+      `${idp}/api/admin/users/${encodeURIComponent(email)}/ssh-keys`,
+      { token }
+    );
+    if (args.json) {
+      console.log(JSON.stringify(keys, null, 2));
+      return;
+    }
+    if (keys.length === 0) {
+      consola15.info(`No SSH keys found for ${email}.`);
+      return;
+    }
+    for (const k of keys) {
+      console.log(`${k.keyId}  ${k.name}  ${k.publicKey.substring(0, 40)}...`);
+    }
+  }
+});
+var sshKeysAddCommand = defineCommand17({
+  meta: {
+    name: "add",
+    description: "Add an SSH key for a user"
+  },
+  args: {
+    email: {
+      type: "string",
+      description: "User email",
+      required: true
+    },
+    key: {
+      type: "string",
+      description: "Path to public key file or key string",
+      required: true
+    },
+    name: {
+      type: "string",
+      description: "Key name/label"
+    }
+  },
+  async run({ args }) {
+    const idp = getIdpUrl();
+    if (!idp) {
+      throw new CliError("No IdP URL configured. Run `apes login` first or pass --idp.");
+    }
+    const token = getManagementToken2();
+    let publicKey = args.key;
+    const resolved = resolve(args.key.replace(/^~/, homedir()));
+    if (existsSync(resolved)) {
+      publicKey = readFileSync(resolved, "utf-8").trim();
+    }
+    const body = { publicKey };
+    if (args.name) {
+      body.name = args.name;
+    }
+    const result = await apiFetch(
+      `${idp}/api/admin/users/${encodeURIComponent(args.email)}/ssh-keys`,
+      {
+        method: "POST",
+        body,
+        token
+      }
+    );
+    consola15.success(`SSH key added: ${result.keyId} (${result.name})`);
+  }
+});
+var sshKeysDeleteCommand = defineCommand17({
+  meta: {
+    name: "delete",
+    description: "Delete an SSH key"
+  },
+  args: {
+    email: {
+      type: "string",
+      description: "User email",
+      required: true
+    },
+    keyId: {
+      type: "positional",
+      description: "Key ID",
+      required: true
+    }
+  },
+  async run({ args }) {
+    const idp = getIdpUrl();
+    if (!idp) {
+      throw new CliError("No IdP URL configured. Run `apes login` first or pass --idp.");
+    }
+    const token = getManagementToken2();
+    const keyId = String(args.keyId);
+    await apiFetch(
+      `${idp}/api/admin/users/${encodeURIComponent(args.email)}/ssh-keys/${keyId}`,
+      {
+        method: "DELETE",
+        token
+      }
+    );
+    consola15.success(`SSH key deleted: ${keyId}`);
+  }
+});
+
+// src/commands/admin/index.ts
+var usersCommand = defineCommand18({
+  meta: {
+    name: "users",
+    description: "Manage users"
+  },
+  subCommands: {
+    list: usersListCommand,
+    create: usersCreateCommand,
+    delete: usersDeleteCommand
+  }
+});
+var sshKeysCommand = defineCommand18({
+  meta: {
+    name: "ssh-keys",
+    description: "Manage SSH keys"
+  },
+  subCommands: {
+    list: sshKeysListCommand,
+    add: sshKeysAddCommand,
+    delete: sshKeysDeleteCommand
+  }
+});
+var adminCommand = defineCommand18({
+  meta: {
+    name: "admin",
+    description: "Admin commands (requires APES_MANAGEMENT_TOKEN)"
+  },
+  subCommands: {
+    users: usersCommand,
+    "ssh-keys": sshKeysCommand
+  }
+});
+
+// src/commands/adapter/index.ts
+import { defineCommand as defineCommand19 } from "citty";
+import consola16 from "consola";
+var adapterCommand = defineCommand19({
   meta: {
     name: "adapter",
     description: "Manage CLI adapters"
   },
   subCommands: {
-    list: defineCommand15({
+    list: defineCommand19({
       meta: {
         name: "list",
         description: "List available adapters"
@@ -1056,7 +1415,7 @@ var adapterCommand = defineCommand15({
 `);
             return;
           }
-          consola13.info(`Registry: ${index2.adapters.length} adapters (${index2.generated_at})`);
+          consola16.info(`Registry: ${index2.adapters.length} adapters (${index2.generated_at})`);
           for (const a of index2.adapters) {
             const installed = isInstalled(a.id, false) ? " [installed]" : "";
             console.log(`  ${a.id.padEnd(12)} ${a.name.padEnd(24)} ${a.category}${installed}`);
@@ -1067,7 +1426,7 @@ var adapterCommand = defineCommand15({
         const local = [];
         for (const a of index.adapters) {
           try {
-            const loaded = loadAdapter2(a.id);
+            const loaded = loadAdapter(a.id);
             local.push({ id: a.id, source: loaded.source, digest: loaded.digest });
           } catch {
           }
@@ -1078,7 +1437,7 @@ var adapterCommand = defineCommand15({
           return;
         }
         if (local.length === 0) {
-          consola13.info("No adapters installed. Use `apes adapter list --remote` to see available adapters.");
+          consola16.info("No adapters installed. Use `apes adapter list --remote` to see available adapters.");
           return;
         }
         for (const a of local) {
@@ -1086,7 +1445,7 @@ var adapterCommand = defineCommand15({
         }
       }
     }),
-    install: defineCommand15({
+    install: defineCommand19({
       meta: {
         name: "install",
         description: "Install an adapter from the registry"
@@ -1115,24 +1474,24 @@ var adapterCommand = defineCommand15({
         for (const id of ids) {
           const entry = findAdapter(index, id);
           if (!entry) {
-            consola13.error(`Adapter "${id}" not found in registry. Use \`apes adapter search ${id}\` to search.`);
+            consola16.error(`Adapter "${id}" not found in registry. Use \`apes adapter search ${id}\` to search.`);
             continue;
           }
           const conflicts = findConflictingAdapters(entry.executable, id);
           if (conflicts.length > 0) {
             for (const c of conflicts) {
-              consola13.warn(`Conflicting adapter found: ${c.path} (id: ${c.adapterId}, executable: ${c.executable})`);
-              consola13.warn(`  Remove it with: apes adapter remove ${c.adapterId}`);
+              consola16.warn(`Conflicting adapter found: ${c.path} (id: ${c.adapterId}, executable: ${c.executable})`);
+              consola16.warn(`  Remove it with: apes adapter remove ${c.adapterId}`);
             }
           }
           const result = await installAdapter(entry, { local });
           const verb = result.updated ? "Updated" : "Installed";
-          consola13.success(`${verb} ${result.id} \u2192 ${result.path}`);
-          consola13.info(`Digest: ${result.digest}`);
+          consola16.success(`${verb} ${result.id} \u2192 ${result.path}`);
+          consola16.info(`Digest: ${result.digest}`);
         }
       }
     }),
-    remove: defineCommand15({
+    remove: defineCommand19({
       meta: {
         name: "remove",
         description: "Remove an installed adapter"
@@ -1155,9 +1514,9 @@ var adapterCommand = defineCommand15({
         let failed = false;
         for (const id of ids) {
           if (removeAdapter(id, local)) {
-            consola13.success(`Removed adapter: ${id}`);
+            consola16.success(`Removed adapter: ${id}`);
           } else {
-            consola13.error(`Adapter "${id}" is not installed${local ? " locally" : ""}`);
+            consola16.error(`Adapter "${id}" is not installed${local ? " locally" : ""}`);
             failed = true;
           }
         }
@@ -1165,7 +1524,7 @@ var adapterCommand = defineCommand15({
           throw new CliError("Some adapters could not be removed");
       }
     }),
-    info: defineCommand15({
+    info: defineCommand19({
       meta: {
         name: "info",
         description: "Show detailed adapter information"
@@ -1207,7 +1566,7 @@ var adapterCommand = defineCommand15({
         }
       }
     }),
-    search: defineCommand15({
+    search: defineCommand19({
       meta: {
         name: "search",
         description: "Search adapters in the registry"
@@ -1239,7 +1598,7 @@ var adapterCommand = defineCommand15({
           return;
         }
         if (results.length === 0) {
-          consola13.info(`No adapters matching "${query}"`);
+          consola16.info(`No adapters matching "${query}"`);
           return;
         }
         for (const a of results) {
@@ -1248,7 +1607,7 @@ var adapterCommand = defineCommand15({
         }
       }
     }),
-    update: defineCommand15({
+    update: defineCommand19({
       meta: {
         name: "update",
         description: "Update installed adapters"
@@ -1274,33 +1633,33 @@ var adapterCommand = defineCommand15({
         const targetId = args.id ? String(args.id) : void 0;
         const targets = targetId ? [targetId] : index.adapters.map((a) => a.id).filter((id) => isInstalled(id, false));
         if (targets.length === 0) {
-          consola13.info("No adapters installed to update.");
+          consola16.info("No adapters installed to update.");
           return;
         }
         for (const id of targets) {
           const entry = findAdapter(index, id);
           if (!entry) {
-            consola13.warn(`${id}: not found in registry, skipping`);
+            consola16.warn(`${id}: not found in registry, skipping`);
             continue;
           }
           const localDigest = getInstalledDigest(id, false);
           if (localDigest === entry.digest) {
-            consola13.info(`${id}: already up to date`);
+            consola16.info(`${id}: already up to date`);
             continue;
           }
           if (localDigest && !args.yes) {
-            consola13.warn(`${id}: digest will change \u2014 existing grants for this adapter will be invalidated`);
-            consola13.info(`  Old: ${localDigest}`);
-            consola13.info(`  New: ${entry.digest}`);
-            consola13.info("  Use --yes to confirm");
+            consola16.warn(`${id}: digest will change \u2014 existing grants for this adapter will be invalidated`);
+            consola16.info(`  Old: ${localDigest}`);
+            consola16.info(`  New: ${entry.digest}`);
+            consola16.info("  Use --yes to confirm");
             continue;
           }
           const result = await installAdapter(entry);
-          consola13.success(`Updated ${result.id} \u2192 ${result.path}`);
+          consola16.success(`Updated ${result.id} \u2192 ${result.path}`);
         }
       }
     }),
-    verify: defineCommand15({
+    verify: defineCommand19({
       meta: {
         name: "verify",
         description: "Verify installed adapter against registry digest"
@@ -1333,7 +1692,7 @@ var adapterCommand = defineCommand15({
         if (!localDigest)
           throw new Error(`Adapter "${id}" is not installed${local ? " locally" : ""}`);
         if (localDigest === entry.digest) {
-          consola13.success(`${id}: digest matches registry`);
+          consola16.success(`${id}: digest matches registry`);
         } else {
           console.log(`  Local:    ${localDigest}`);
           console.log(`  Registry: ${entry.digest}`);
@@ -1347,20 +1706,9 @@ var adapterCommand = defineCommand15({
 // src/commands/run.ts
 import { execFileSync } from "child_process";
 import { hostname as hostname3 } from "os";
-import { defineCommand as defineCommand16 } from "citty";
-import {
-  createShapesGrant,
-  extractOption,
-  extractWrappedCommand,
-  fetchGrantToken,
-  findExistingGrant,
-  loadAdapter as loadAdapter3,
-  resolveCommand,
-  verifyAndExecute,
-  waitForGrantStatus
-} from "@openape/shapes";
-import consola14 from "consola";
-var runCommand = defineCommand16({
+import { defineCommand as defineCommand20 } from "citty";
+import consola17 from "consola";
+var runCommand = defineCommand20({
   meta: {
     name: "run",
     description: "Execute a grant-secured command"
@@ -1396,6 +1744,11 @@ var runCommand = defineCommand16({
       type: "string",
       description: "IdP URL"
     },
+    "shell": {
+      type: "boolean",
+      description: "Shell mode: use session grant with audience ape-shell",
+      default: false
+    },
     "_": {
       type: "positional",
       description: "Command to execute (after --)",
@@ -1404,6 +1757,10 @@ var runCommand = defineCommand16({
   },
   async run({ rawArgs, args }) {
     const wrappedCommand = extractWrappedCommand(rawArgs ?? []);
+    if (args.shell && wrappedCommand.length > 0) {
+      await runShellMode(wrappedCommand, args);
+      return;
+    }
     if (wrappedCommand.length > 0) {
       await runAdapterMode(wrappedCommand, rawArgs ?? [], args);
     } else {
@@ -1414,6 +1771,113 @@ var runCommand = defineCommand16({
     }
   }
 });
+async function runShellMode(command, args) {
+  const auth = loadAuth();
+  if (!auth)
+    throw new CliError("Not logged in. Run `apes login` first.");
+  const idp = getIdpUrl(args.idp);
+  if (!idp)
+    throw new CliError("No IdP URL configured. Run `apes login` first or pass --idp.");
+  const adapterHandled = await tryAdapterModeFromShell(command, idp, args);
+  if (adapterHandled) return;
+  const grantsUrl = await getGrantsEndpoint(idp);
+  const targetHost = args.host || hostname3();
+  try {
+    const grants = await apiFetch(
+      `${grantsUrl}?requester=${encodeURIComponent(auth.email)}&status=approved&limit=20`
+    );
+    const sessionGrant = grants.data.find(
+      (g) => g.request.audience === "ape-shell" && g.request.target_host === targetHost && g.request.grant_type !== "once"
+    );
+    if (sessionGrant) {
+      execShellCommand(command);
+      return;
+    }
+  } catch {
+  }
+  consola17.info(`Requesting ape-shell session grant on ${targetHost}`);
+  const grant = await apiFetch(grantsUrl, {
+    method: "POST",
+    body: {
+      requester: auth.email,
+      target_host: targetHost,
+      audience: "ape-shell",
+      grant_type: "once",
+      command: command.slice(0, 3),
+      reason: `Shell session: ${command.join(" ").slice(0, 100)}`
+    }
+  });
+  consola17.info(`Grant requested: ${grant.id}`);
+  consola17.info("Waiting for approval...");
+  const maxWait = 3e5;
+  const interval = 3e3;
+  const start = Date.now();
+  while (Date.now() - start < maxWait) {
+    const status = await apiFetch(`${grantsUrl}/${grant.id}`);
+    if (status.status === "approved")
+      break;
+    if (status.status === "denied" || status.status === "revoked")
+      throw new CliError(`Grant ${status.status}.`);
+    await new Promise((r) => setTimeout(r, interval));
+  }
+  execShellCommand(command);
+}
+async function tryAdapterModeFromShell(command, idp, args) {
+  const cmdString = extractShellCommandString(command);
+  if (!cmdString) return false;
+  const parsed = parseShellCommand(cmdString);
+  if (!parsed) return false;
+  if (parsed.isCompound) return false;
+  const loaded = await loadOrInstallAdapter(parsed.executable);
+  if (!loaded) return false;
+  let resolved;
+  try {
+    resolved = await resolveCommand(loaded, [parsed.executable, ...parsed.argv]);
+  } catch (err) {
+    consola17.debug(`ape-shell: adapter resolve failed for "${parsed.raw}":`, err);
+    return false;
+  }
+  try {
+    const existingGrantId = await findExistingGrant(resolved, idp);
+    if (existingGrantId) {
+      consola17.info(`Reusing grant ${existingGrantId} for: ${resolved.detail.display}`);
+      const token2 = await fetchGrantToken(idp, existingGrantId);
+      await verifyAndExecute(token2, resolved);
+      return true;
+    }
+  } catch {
+  }
+  const approval = args.approval ?? "once";
+  consola17.info(`Requesting grant for: ${resolved.detail.display}`);
+  const grant = await createShapesGrant(resolved, {
+    idp,
+    approval,
+    reason: args.reason || `ape-shell: ${resolved.detail.display}`
+  });
+  consola17.info(`Grant requested: ${grant.id}`);
+  consola17.info(`Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
+  if (grant.similar_grants?.similar_grants?.length) {
+    const n = grant.similar_grants.similar_grants.length;
+    consola17.info("");
+    consola17.info(`  Similar grant(s) found (${n}). Your approver can extend an existing grant to cover this request.`);
+  }
+  const status = await waitForGrantStatus(idp, grant.id);
+  if (status !== "approved")
+    throw new CliError(`Grant ${status}`);
+  const token = await fetchGrantToken(idp, grant.id);
+  await verifyAndExecute(token, resolved);
+  return true;
+}
+function execShellCommand(command) {
+  if (command.length === 0)
+    throw new CliError("No command to execute");
+  try {
+    execFileSync(command[0], command.slice(1), { stdio: "inherit" });
+  } catch (err) {
+    const exitCode = err.status || 1;
+    throw new CliExit(exitCode);
+  }
+}
 function extractPositionals(rawArgs) {
   const positionals = [];
   const delimiter = rawArgs.indexOf("--");
@@ -1439,13 +1903,13 @@ async function runAdapterMode(command, rawArgs, args) {
     return;
   }
   const adapterOpt = extractOption(rawArgs, "adapter");
-  const loaded = loadAdapter3(command[0], adapterOpt);
+  const loaded = loadAdapter(command[0], adapterOpt);
   const resolved = await resolveCommand(loaded, command);
   const approval = args.approval ?? "once";
   try {
     const existingGrantId = await findExistingGrant(resolved, idp);
     if (existingGrantId) {
-      consola14.info(`Reusing existing grant: ${existingGrantId}`);
+      consola17.info(`Reusing existing grant: ${existingGrantId}`);
       const token2 = await fetchGrantToken(idp, existingGrantId);
       await verifyAndExecute(token2, resolved);
       return;
@@ -1457,17 +1921,17 @@ async function runAdapterMode(command, rawArgs, args) {
     approval,
     ...args.reason ? { reason: args.reason } : {}
   });
-  consola14.info(`Grant requested: ${grant.id}`);
-  consola14.info(`Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
+  consola17.info(`Grant requested: ${grant.id}`);
+  consola17.info(`Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
   if (grant.similar_grants?.similar_grants?.length) {
     const n = grant.similar_grants.similar_grants.length;
-    consola14.info("");
-    consola14.info(`  Similar grant(s) found (${n}). Your approver can extend an existing grant to cover this request.`);
+    consola17.info("");
+    consola17.info(`  Similar grant(s) found (${n}). Your approver can extend an existing grant to cover this request.`);
     if (grant.similar_grants.widened_details?.length) {
       const wider = grant.similar_grants.widened_details.map((d) => d.permission).join(", ");
-      consola14.info(`  Broader scope: ${wider}`);
+      consola17.info(`  Broader scope: ${wider}`);
     }
-    consola14.info("");
+    consola17.info("");
   }
   const status = await waitForGrantStatus(idp, grant.id);
   if (status !== "approved")
@@ -1484,7 +1948,7 @@ async function runAudienceMode(audience, action, args) {
   const grantsUrl = await getGrantsEndpoint(idp);
   const command = action.split(" ");
   const targetHost = args.host || hostname3();
-  consola14.info(`Requesting ${audience} grant on ${targetHost}: ${command.join(" ")}`);
+  consola17.info(`Requesting ${audience} grant on ${targetHost}: ${command.join(" ")}`);
   const grant = await apiFetch(grantsUrl, {
     method: "POST",
     body: {
@@ -1497,15 +1961,15 @@ async function runAudienceMode(audience, action, args) {
       ...args.as ? { run_as: args.as } : {}
     }
   });
-  consola14.success(`Grant requested: ${grant.id}`);
-  consola14.info("Waiting for approval...");
+  consola17.success(`Grant requested: ${grant.id}`);
+  consola17.info("Waiting for approval...");
   const maxWait = 3e5;
   const interval = 3e3;
   const start = Date.now();
   while (Date.now() - start < maxWait) {
     const status = await apiFetch(`${grantsUrl}/${grant.id}`);
     if (status.status === "approved") {
-      consola14.success("Grant approved!");
+      consola17.success("Grant approved!");
       break;
     }
     if (status.status === "denied" || status.status === "revoked") {
@@ -1513,12 +1977,12 @@ async function runAudienceMode(audience, action, args) {
     }
     await new Promise((r) => setTimeout(r, interval));
   }
-  consola14.info("Fetching grant token...");
+  consola17.info("Fetching grant token...");
   const { authz_jwt } = await apiFetch(`${grantsUrl}/${grant.id}/token`, {
     method: "POST"
   });
   if (audience === "escapes") {
-    consola14.info(`Executing: ${command.join(" ")}`);
+    consola17.info(`Executing: ${command.join(" ")}`);
     try {
       execFileSync(args["escapes-path"] || "escapes", ["--grant", authz_jwt, "--", ...command], {
         stdio: "inherit"
@@ -1533,9 +1997,8 @@ async function runAudienceMode(audience, action, args) {
 }
 
 // src/commands/explain.ts
-import { defineCommand as defineCommand17 } from "citty";
-import { extractOption as extractOption2, extractWrappedCommand as extractWrappedCommand2, loadAdapter as loadAdapter4, resolveCommand as resolveCommand2 } from "@openape/shapes";
-var explainCommand = defineCommand17({
+import { defineCommand as defineCommand21 } from "citty";
+var explainCommand = defineCommand21({
   meta: {
     name: "explain",
     description: "Show what permission a command would need"
@@ -1552,12 +2015,12 @@ var explainCommand = defineCommand17({
     }
   },
   async run({ rawArgs }) {
-    const command = extractWrappedCommand2(rawArgs ?? []);
+    const command = extractWrappedCommand(rawArgs ?? []);
     if (command.length === 0)
       throw new Error("Missing wrapped command. Usage: apes explain [--adapter <file>] -- <cli> ...");
-    const adapterOpt = extractOption2(rawArgs ?? [], "adapter");
-    const loaded = loadAdapter4(command[0], adapterOpt);
-    const resolved = await resolveCommand2(loaded, command);
+    const adapterOpt = extractOption(rawArgs ?? [], "adapter");
+    const loaded = loadAdapter(command[0], adapterOpt);
+    const resolved = await resolveCommand(loaded, command);
     process.stdout.write(`${JSON.stringify({
       adapter: resolved.adapter.cli.id,
       source: resolved.source,
@@ -1573,9 +2036,9 @@ var explainCommand = defineCommand17({
 });
 
 // src/commands/config/get.ts
-import { defineCommand as defineCommand18 } from "citty";
-import consola15 from "consola";
-var configGetCommand = defineCommand18({
+import { defineCommand as defineCommand22 } from "citty";
+import consola18 from "consola";
+var configGetCommand = defineCommand22({
   meta: {
     name: "get",
     description: "Get a configuration value"
@@ -1595,7 +2058,7 @@ var configGetCommand = defineCommand18({
         if (idp)
           console.log(idp);
         else
-          consola15.info("No IdP configured.");
+          consola18.info("No IdP configured.");
         break;
       }
       case "email": {
@@ -1603,7 +2066,7 @@ var configGetCommand = defineCommand18({
         if (auth?.email)
           console.log(auth.email);
         else
-          consola15.info("Not logged in.");
+          consola18.info("Not logged in.");
         break;
       }
       default: {
@@ -1616,7 +2079,7 @@ var configGetCommand = defineCommand18({
           if (sectionObj && field in sectionObj) {
             console.log(sectionObj[field]);
           } else {
-            consola15.info(`Key "${key}" not set.`);
+            consola18.info(`Key "${key}" not set.`);
           }
         } else {
           throw new CliError(`Unknown key: "${key}". Use: idp, email, defaults.idp, defaults.approval, agent.key, agent.email`);
@@ -1627,9 +2090,9 @@ var configGetCommand = defineCommand18({
 });
 
 // src/commands/config/set.ts
-import { defineCommand as defineCommand19 } from "citty";
-import consola16 from "consola";
-var configSetCommand = defineCommand19({
+import { defineCommand as defineCommand23 } from "citty";
+import consola19 from "consola";
+var configSetCommand = defineCommand23({
   meta: {
     name: "set",
     description: "Set a configuration value"
@@ -1665,12 +2128,12 @@ var configSetCommand = defineCommand19({
       throw new CliError(`Unknown section: "${section}". Use: defaults, agent`);
     }
     saveConfig(config);
-    consola16.success(`Set ${key} = ${value}`);
+    consola19.success(`Set ${key} = ${value}`);
   }
 });
 
 // src/commands/fetch/index.ts
-import { defineCommand as defineCommand20 } from "citty";
+import { defineCommand as defineCommand24 } from "citty";
 async function doRequest(method, url, body, contentType, raw, showHeaders) {
   const token = getAuthToken();
   if (!token) {
@@ -1706,13 +2169,13 @@ async function doRequest(method, url, body, contentType, raw, showHeaders) {
     throw new CliError(`HTTP ${response.status} ${response.statusText}`);
   }
 }
-var fetchCommand = defineCommand20({
+var fetchCommand = defineCommand24({
   meta: {
     name: "fetch",
     description: "Make authenticated HTTP requests"
   },
   subCommands: {
-    get: defineCommand20({
+    get: defineCommand24({
       meta: {
         name: "get",
         description: "GET request with auth token"
@@ -1738,7 +2201,7 @@ var fetchCommand = defineCommand20({
         await doRequest("GET", String(args.url), void 0, "application/json", Boolean(args.raw), Boolean(args.headers));
       }
     }),
-    post: defineCommand20({
+    post: defineCommand24({
       meta: {
         name: "post",
         description: "POST request with auth token"
@@ -1777,8 +2240,8 @@ var fetchCommand = defineCommand20({
 });
 
 // src/commands/mcp/index.ts
-import { defineCommand as defineCommand21 } from "citty";
-var mcpCommand = defineCommand21({
+import { defineCommand as defineCommand25 } from "citty";
+var mcpCommand = defineCommand25({
   meta: {
     name: "mcp",
     description: "Start MCP server for AI agents"
@@ -1801,25 +2264,25 @@ var mcpCommand = defineCommand21({
     if (transport !== "stdio" && transport !== "sse") {
       throw new Error('Transport must be "stdio" or "sse"');
     }
-    const { startMcpServer } = await import("./server-IYR5LM63.js");
+    const { startMcpServer } = await import("./server-FR6GFS3S.js");
     await startMcpServer(transport, port);
   }
 });
 
 // src/commands/init/index.ts
-import { existsSync, copyFileSync, writeFileSync } from "fs";
+import { existsSync as existsSync2, copyFileSync, writeFileSync } from "fs";
 import { randomBytes } from "crypto";
 import { execFileSync as execFileSync2 } from "child_process";
 import { join } from "path";
-import { defineCommand as defineCommand22 } from "citty";
-import consola17 from "consola";
+import { defineCommand as defineCommand26 } from "citty";
+import consola20 from "consola";
 var DEFAULT_IDP_URL = "https://id.openape.at";
 async function downloadTemplate(repo, targetDir) {
   const { downloadTemplate: gigetDownload } = await import("giget");
   await gigetDownload(`gh:${repo}`, { dir: targetDir, force: false });
 }
 function installDeps(dir) {
-  const hasLockFile = (name) => existsSync(join(dir, name));
+  const hasLockFile = (name) => existsSync2(join(dir, name));
   if (hasLockFile("pnpm-lock.yaml")) {
     execFileSync2("pnpm", ["install"], { cwd: dir, stdio: "inherit" });
   } else if (hasLockFile("bun.lockb")) {
@@ -1829,20 +2292,20 @@ function installDeps(dir) {
   }
 }
 async function promptChoice(message, choices) {
-  const result = await consola17.prompt(message, { type: "select", options: choices });
+  const result = await consola20.prompt(message, { type: "select", options: choices });
   if (typeof result === "symbol") {
     throw new CliExit(0);
   }
   return result;
 }
 async function promptText(message, defaultValue) {
-  const result = await consola17.prompt(message, { type: "text", default: defaultValue, placeholder: defaultValue });
+  const result = await consola20.prompt(message, { type: "text", default: defaultValue, placeholder: defaultValue });
   if (typeof result === "symbol") {
     throw new CliExit(0);
   }
   return result || defaultValue || "";
 }
-var initCommand = defineCommand22({
+var initCommand = defineCommand26({
   meta: {
     name: "init",
     description: "Scaffold a new OpenApe project"
@@ -1884,23 +2347,23 @@ var initCommand = defineCommand22({
 });
 async function initSP(targetDir) {
   const dir = targetDir || "my-app";
-  if (existsSync(join(dir, "package.json"))) {
+  if (existsSync2(join(dir, "package.json"))) {
     throw new CliError(`Directory "${dir}" already contains a project.`);
   }
-  consola17.start("Scaffolding SP starter...");
+  consola20.start("Scaffolding SP starter...");
   await downloadTemplate("openape-ai/openape-sp-starter", dir);
-  consola17.success("Scaffolded from openape-sp-starter");
-  consola17.start("Installing dependencies...");
+  consola20.success("Scaffolded from openape-sp-starter");
+  consola20.start("Installing dependencies...");
   installDeps(dir);
-  consola17.success("Dependencies installed");
+  consola20.success("Dependencies installed");
   const envExample = join(dir, ".env.example");
   const envFile = join(dir, ".env");
-  if (existsSync(envExample) && !existsSync(envFile)) {
+  if (existsSync2(envExample) && !existsSync2(envFile)) {
     copyFileSync(envExample, envFile);
-    consola17.success(`\`.env\` created (using Free IdP at ${DEFAULT_IDP_URL})`);
+    consola20.success(`\`.env\` created (using Free IdP at ${DEFAULT_IDP_URL})`);
   }
   console.log("");
-  consola17.box([
+  consola20.box([
     `cd ${dir}`,
     "npm run dev",
     "",
@@ -1909,7 +2372,7 @@ async function initSP(targetDir) {
 }
 async function initIdP(targetDir) {
   const dir = targetDir || "my-idp";
-  if (existsSync(join(dir, "package.json"))) {
+  if (existsSync2(join(dir, "package.json"))) {
     throw new CliError(`Directory "${dir}" already contains a project.`);
   }
   const domain = await promptText("Domain for the IdP", "localhost");
@@ -1919,15 +2382,15 @@ async function initIdP(targetDir) {
     "s3 (S3-compatible)"
   ]);
   const adminEmail = await promptText("Admin email");
-  consola17.start("Scaffolding IdP starter...");
+  consola20.start("Scaffolding IdP starter...");
   await downloadTemplate("openape-ai/openape-idp-starter", dir);
-  consola17.success("Scaffolded from openape-idp-starter");
-  consola17.start("Installing dependencies...");
+  consola20.success("Scaffolded from openape-idp-starter");
+  consola20.start("Installing dependencies...");
   installDeps(dir);
-  consola17.success("Dependencies installed");
+  consola20.success("Dependencies installed");
   const sessionSecret = randomBytes(32).toString("hex");
   const managementToken = randomBytes(32).toString("hex");
-  consola17.success("Secrets generated");
+  consola20.success("Secrets generated");
   const isLocalhost = domain === "localhost";
   const origin = isLocalhost ? "http://localhost:3000" : `https://${domain}`;
   const envContent = [
@@ -1943,9 +2406,9 @@ async function initIdP(targetDir) {
   ].join("\n");
   writeFileSync(join(dir, ".env"), `${envContent}
 `, { mode: 384 });
-  consola17.success(".env created");
+  consola20.success(".env created");
   console.log("");
-  consola17.box([
+  consola20.box([
     `cd ${dir}`,
     "npm run dev",
     "",
@@ -1962,19 +2425,19 @@ async function initIdP(targetDir) {
 
 // src/commands/enroll.ts
 import { Buffer as Buffer2 } from "buffer";
-import { existsSync as existsSync2, readFileSync, writeFileSync as writeFileSync2, mkdirSync } from "fs";
+import { existsSync as existsSync3, readFileSync as readFileSync2, writeFileSync as writeFileSync2, mkdirSync } from "fs";
 import { execFile as execFile2 } from "child_process";
 import { generateKeyPairSync, sign } from "crypto";
-import { dirname, resolve } from "path";
-import { homedir } from "os";
-import { defineCommand as defineCommand23 } from "citty";
-import consola18 from "consola";
+import { dirname, resolve as resolve2 } from "path";
+import { homedir as homedir2 } from "os";
+import { defineCommand as defineCommand27 } from "citty";
+import consola21 from "consola";
 var DEFAULT_IDP_URL2 = "https://id.openape.at";
 var DEFAULT_KEY_PATH = "~/.ssh/id_ed25519";
 var POLL_INTERVAL = 3e3;
 var POLL_TIMEOUT = 3e5;
 function resolvePath(p) {
-  return resolve(p.replace(/^~/, homedir()));
+  return resolve2(p.replace(/^~/, homedir2()));
 }
 function openBrowser2(url) {
   const cmd = process.platform === "darwin" ? "open" : process.platform === "win32" ? "start" : "xdg-open";
@@ -1983,10 +2446,10 @@ function openBrowser2(url) {
 }
 function readPublicKey(keyPath) {
   const pubPath = `${keyPath}.pub`;
-  if (existsSync2(pubPath)) {
-    return readFileSync(pubPath, "utf-8").trim();
+  if (existsSync3(pubPath)) {
+    return readFileSync2(pubPath, "utf-8").trim();
   }
-  const keyContent = readFileSync(keyPath, "utf-8");
+  const keyContent = readFileSync2(keyPath, "utf-8");
   const privateKey = loadEd25519PrivateKey(keyContent);
   const jwk = privateKey.export({ format: "jwk" });
   const pubBytes = Buffer2.from(jwk.x, "base64url");
@@ -2001,7 +2464,7 @@ function readPublicKey(keyPath) {
 function generateAndSaveKey(keyPath) {
   const resolved = resolvePath(keyPath);
   const dir = dirname(resolved);
-  if (!existsSync2(dir)) {
+  if (!existsSync3(dir)) {
     mkdirSync(dir, { recursive: true });
   }
   const { publicKey, privateKey } = generateKeyPairSync("ed25519");
@@ -2022,7 +2485,7 @@ function generateAndSaveKey(keyPath) {
 }
 async function pollForEnrollment(idp, agentEmail, keyPath) {
   const resolvedKey = resolvePath(keyPath);
-  const keyContent = readFileSync(resolvedKey, "utf-8");
+  const keyContent = readFileSync2(resolvedKey, "utf-8");
   const privateKey = loadEd25519PrivateKey(keyContent);
   const challengeUrl = await getAgentChallengeEndpoint(idp);
   const authenticateUrl = await getAgentAuthenticateEndpoint(idp);
@@ -2049,11 +2512,11 @@ async function pollForEnrollment(idp, agentEmail, keyPath) {
       }
     } catch {
     }
-    await new Promise((resolve2) => setTimeout(resolve2, POLL_INTERVAL));
+    await new Promise((resolve3) => setTimeout(resolve3, POLL_INTERVAL));
   }
   throw new Error("Enrollment timed out. Please check the browser and try again.");
 }
-var enrollCommand = defineCommand23({
+var enrollCommand = defineCommand27({
   meta: {
     name: "enroll",
     description: "Enroll an agent with an Identity Provider"
@@ -2073,38 +2536,38 @@ var enrollCommand = defineCommand23({
     }
   },
   async run({ args }) {
-    const idp = args.idp || await consola18.prompt("IdP URL", { type: "text", default: DEFAULT_IDP_URL2, placeholder: DEFAULT_IDP_URL2 }).then((r) => {
+    const idp = args.idp || await consola21.prompt("IdP URL", { type: "text", default: DEFAULT_IDP_URL2, placeholder: DEFAULT_IDP_URL2 }).then((r) => {
       if (typeof r === "symbol") throw new CliExit(0);
       return r;
     }) || DEFAULT_IDP_URL2;
-    const agentName = args.name || await consola18.prompt("Agent name", { type: "text", placeholder: "deploy-bot" }).then((r) => {
+    const agentName = args.name || await consola21.prompt("Agent name", { type: "text", placeholder: "deploy-bot" }).then((r) => {
       if (typeof r === "symbol") throw new CliExit(0);
       return r;
     });
     if (!agentName) {
       throw new CliError("Agent name is required.");
     }
-    const keyPath = args.key || await consola18.prompt("Ed25519 key", { type: "text", default: DEFAULT_KEY_PATH, placeholder: DEFAULT_KEY_PATH }).then((r) => {
+    const keyPath = args.key || await consola21.prompt("Ed25519 key", { type: "text", default: DEFAULT_KEY_PATH, placeholder: DEFAULT_KEY_PATH }).then((r) => {
       if (typeof r === "symbol") throw new CliExit(0);
       return r;
     }) || DEFAULT_KEY_PATH;
     const resolvedKey = resolvePath(keyPath);
     let publicKey;
-    if (existsSync2(resolvedKey)) {
+    if (existsSync3(resolvedKey)) {
       publicKey = readPublicKey(resolvedKey);
-      consola18.success(`Using existing key ${keyPath}`);
+      consola21.success(`Using existing key ${keyPath}`);
     } else {
-      consola18.start(`Generating Ed25519 key pair at ${keyPath}...`);
+      consola21.start(`Generating Ed25519 key pair at ${keyPath}...`);
       publicKey = generateAndSaveKey(keyPath);
-      consola18.success(`Key pair generated at ${keyPath}`);
+      consola21.success(`Key pair generated at ${keyPath}`);
     }
     const encodedKey = encodeURIComponent(publicKey);
     const enrollUrl = `${idp}/enroll?name=${encodeURIComponent(agentName)}&key=${encodedKey}`;
-    consola18.info("Opening browser for enrollment...");
-    consola18.info(`\u2192 ${idp}/enroll`);
+    consola21.info("Opening browser for enrollment...");
+    consola21.info(`\u2192 ${idp}/enroll`);
     openBrowser2(enrollUrl);
     console.log("");
-    const agentEmail = await consola18.prompt(
+    const agentEmail = await consola21.prompt(
       "Agent email (shown in browser after enrollment)",
       { type: "text", placeholder: `agent+${agentName}@...` }
     ).then((r) => {
@@ -2114,7 +2577,7 @@ var enrollCommand = defineCommand23({
     if (!agentEmail) {
       throw new CliError("Agent email is required to verify enrollment.");
     }
-    consola18.start("Verifying enrollment...");
+    consola21.start("Verifying enrollment...");
     const { token, expiresIn } = await pollForEnrollment(idp, agentEmail, keyPath);
     saveAuth({
       idp,
@@ -2126,18 +2589,81 @@ var enrollCommand = defineCommand23({
     config.defaults = { ...config.defaults, idp };
     config.agent = { key: keyPath, email: agentEmail };
     saveConfig(config);
-    consola18.success(`Agent enrolled as ${agentEmail}`);
-    consola18.success("Config saved to ~/.config/apes/");
+    consola21.success(`Agent enrolled as ${agentEmail}`);
+    consola21.success("Config saved to ~/.config/apes/");
     console.log("");
-    consola18.info("Verify with: apes whoami");
+    consola21.info("Verify with: apes whoami");
+  }
+});
+
+// src/commands/register-user.ts
+import { existsSync as existsSync4, readFileSync as readFileSync3 } from "fs";
+import { defineCommand as defineCommand28 } from "citty";
+import consola22 from "consola";
+var registerUserCommand = defineCommand28({
+  meta: {
+    name: "register-user",
+    description: "Register a sub-user with SSH key"
+  },
+  args: {
+    email: {
+      type: "string",
+      description: "Email for the new user",
+      required: true
+    },
+    name: {
+      type: "string",
+      description: "Name for the new user",
+      required: true
+    },
+    key: {
+      type: "string",
+      description: "Path to SSH public key file or key string",
+      required: true
+    },
+    type: {
+      type: "string",
+      description: "User type: human or agent (default: agent)"
+    }
+  },
+  async run({ args }) {
+    const auth = loadAuth();
+    if (!auth) {
+      throw new CliError("Not authenticated. Run `apes login` first.");
+    }
+    const idp = getIdpUrl();
+    if (!idp) {
+      throw new CliError("No IdP URL configured. Run `apes login` first.");
+    }
+    let publicKey = args.key;
+    if (existsSync4(args.key)) {
+      publicKey = readFileSync3(args.key, "utf-8").trim();
+    }
+    if (!publicKey.startsWith("ssh-ed25519 ")) {
+      throw new CliError("Public key must be in ssh-ed25519 format.");
+    }
+    const userType = args.type;
+    if (userType && userType !== "human" && userType !== "agent") {
+      throw new CliError('Type must be "human" or "agent".');
+    }
+    const result = await apiFetch(`${idp}/api/auth/enroll`, {
+      method: "POST",
+      body: {
+        email: args.email,
+        name: args.name,
+        publicKey,
+        ...userType ? { type: userType } : {}
+      }
+    });
+    consola22.success(`User registered: ${result.email} (type: ${result.type}, owner: ${result.owner})`);
   }
 });
 
 // src/commands/dns-check.ts
-import { defineCommand as defineCommand24 } from "citty";
-import consola19 from "consola";
+import { defineCommand as defineCommand29 } from "citty";
+import consola23 from "consola";
 import { resolveDDISA } from "@openape/core";
-var dnsCheckCommand = defineCommand24({
+var dnsCheckCommand = defineCommand29({
   meta: {
     name: "dns-check",
     description: "Validate DDISA DNS TXT records for a domain"
@@ -2151,7 +2677,7 @@ var dnsCheckCommand = defineCommand24({
   },
   async run({ args }) {
     const domain = args.domain;
-    consola19.start(`Checking _ddisa.${domain}...`);
+    consola23.start(`Checking _ddisa.${domain}...`);
     try {
       const result = await resolveDDISA(domain);
       if (!result) {
@@ -2160,7 +2686,7 @@ var dnsCheckCommand = defineCommand24({
         console.log(`  _ddisa.${domain} TXT "v=ddisa1 idp=https://id.${domain}"`);
         throw new CliError(`No DDISA record found for ${domain}`);
       }
-      consola19.success(`_ddisa.${domain} \u2192 ${result.idp}`);
+      consola23.success(`_ddisa.${domain} \u2192 ${result.idp}`);
       console.log("");
       console.log(`  Version:  ${result.version || "ddisa1"}`);
       console.log(`  IdP URL:  ${result.idp}`);
@@ -2169,14 +2695,14 @@ var dnsCheckCommand = defineCommand24({
       if (result.priority !== void 0)
         console.log(`  Priority: ${result.priority}`);
       console.log("");
-      consola19.start(`Verifying IdP at ${result.idp}...`);
+      consola23.start(`Verifying IdP at ${result.idp}...`);
       const discoResp = await fetch(`${result.idp}/.well-known/openid-configuration`);
       if (!discoResp.ok) {
-        consola19.warn(`IdP discovery failed (${discoResp.status}). Is the IdP running at ${result.idp}?`);
+        consola23.warn(`IdP discovery failed (${discoResp.status}). Is the IdP running at ${result.idp}?`);
         return;
       }
       const disco = await discoResp.json();
-      consola19.success(`IdP is reachable`);
+      consola23.success(`IdP is reachable`);
       console.log(`  Issuer:   ${disco.issuer}`);
       console.log(`  DDISA:    v${disco.ddisa_version || "?"}`);
       if (disco.ddisa_auth_methods_supported) {
@@ -2192,8 +2718,8 @@ var dnsCheckCommand = defineCommand24({
 });
 
 // src/commands/workflows.ts
-import { defineCommand as defineCommand25 } from "citty";
-import consola20 from "consola";
+import { defineCommand as defineCommand30 } from "citty";
+import consola24 from "consola";
 
 // src/guides/index.ts
 var guides = [
@@ -2243,7 +2769,7 @@ var guides = [
 ];
 
 // src/commands/workflows.ts
-var workflowsCommand = defineCommand25({
+var workflowsCommand = defineCommand30({
   meta: {
     name: "workflows",
     description: "Discover workflow guides"
@@ -2264,7 +2790,7 @@ var workflowsCommand = defineCommand25({
     if (args.id) {
       const guide = guides.find((g) => g.id === String(args.id));
       if (!guide) {
-        consola20.info(`Available: ${guides.map((g) => g.id).join(", ")}`);
+        consola24.info(`Available: ${guides.map((g) => g.id).join(", ")}`);
         throw new CliError(`Guide not found: ${args.id}`);
       }
       if (args.json) {
@@ -2308,8 +2834,24 @@ process.stdout.on("error", (err) => {
   if (err.code === "EPIPE") process.exit(0);
   throw err;
 });
+var shellRewrite = rewriteApeShellArgs(process.argv);
+if (shellRewrite) {
+  if (shellRewrite.action === "rewrite") {
+    process.argv = shellRewrite.argv;
+  } else if (shellRewrite.action === "version") {
+    console.log(`ape-shell (OpenApe DDISA shell wrapper)`);
+    process.exit(0);
+  } else if (shellRewrite.action === "help") {
+    console.log("Usage: ape-shell -c <command>");
+    console.log("Routes all commands through apes run for grant-based authorization.");
+    process.exit(0);
+  } else {
+    console.error("ape-shell: only -c <command> mode is supported");
+    process.exit(1);
+  }
+}
 var debug = process.argv.includes("--debug");
-var grantsCommand = defineCommand26({
+var grantsCommand = defineCommand31({
   meta: {
     name: "grants",
     description: "Grant management"
@@ -2325,10 +2867,11 @@ var grantsCommand = defineCommand26({
     revoke: revokeCommand,
     token: tokenCommand,
     delegate: delegateCommand,
-    delegations: delegationsCommand
+    delegations: delegationsCommand,
+    "delegation-revoke": delegationRevokeCommand
   }
 });
-var configCommand = defineCommand26({
+var configCommand = defineCommand31({
   meta: {
     name: "config",
     description: "Configuration management"
@@ -2338,20 +2881,22 @@ var configCommand = defineCommand26({
     set: configSetCommand
   }
 });
-var main = defineCommand26({
+var main = defineCommand31({
   meta: {
     name: "apes",
-    version: "0.6.0",
+    version: "0.6.1",
     description: "Unified CLI for OpenApe"
   },
   subCommands: {
     init: initCommand,
     enroll: enrollCommand,
+    "register-user": registerUserCommand,
     "dns-check": dnsCheckCommand,
     login: loginCommand,
     logout: logoutCommand,
     whoami: whoamiCommand,
     grants: grantsCommand,
+    admin: adminCommand,
     run: runCommand,
     explain: explainCommand,
     adapter: adapterCommand,
@@ -2366,13 +2911,13 @@ runMain(main).catch((err) => {
     process.exit(err.exitCode);
   }
   if (err instanceof CliError) {
-    consola21.error(err.message);
+    consola25.error(err.message);
     process.exit(err.exitCode);
   }
   if (debug) {
-    consola21.error(err);
+    consola25.error(err);
   } else {
-    consola21.error(err instanceof ApiError ? err.message : err instanceof Error ? err.message : String(err));
+    consola25.error(err instanceof ApiError ? err.message : err instanceof Error ? err.message : String(err));
   }
   process.exit(1);
 });