@openape/apes 0.6.0 → 0.7.1

package/dist/cli.js

@@ -5,35 +5,154 @@ import {
   parseDuration
 } from "./chunk-ZSJU7IXE.js";
 import {
-  loadEd25519PrivateKey
-} from "./chunk-KVBHBOED.js";
+  loadEd25519PrivateKey,
+  readPublicKeyComment
+} from "./chunk-ION3CWD5.js";
 import {
   ApiError,
   apiFetch,
-  clearAuth,
+  buildStructuredCliGrantRequest,
+  createShapesGrant,
+  extractOption,
+  extractShellCommandString,
+  extractWrappedCommand,
+  fetchGrantToken,
+  fetchRegistry,
+  findAdapter,
+  findConflictingAdapters,
+  findExistingGrant,
   getAgentAuthenticateEndpoint,
   getAgentChallengeEndpoint,
-  getAuthToken,
   getDelegationsEndpoint,
   getGrantsEndpoint,
+  getInstalledDigest,
+  installAdapter,
+  isInstalled,
+  loadAdapter,
+  loadOrInstallAdapter,
+  parseShellCommand,
+  removeAdapter,
+  resolveCapabilityRequest,
+  resolveCommand,
+  searchAdapters,
+  verifyAndExecute,
+  waitForGrantStatus
+} from "./chunk-B32ZQP5K.js";
+import {
+  clearAuth,
+  getAuthToken,
   getIdpUrl,
   loadAuth,
   loadConfig,
   saveAuth,
   saveConfig
-} from "./chunk-KXESKY4X.js";
+} from "./chunk-TBYYREL6.js";
 
 // src/cli.ts
-import consola21 from "consola";
-import { defineCommand as defineCommand26, runMain } from "citty";
+import consola26 from "consola";
+
+// src/ape-shell.ts
+import path from "path";
+function rewriteApeShellArgs(argv, argv0) {
+  const rawInvokedAs = argv[1] ?? "";
+  const dashFromArgv1 = rawInvokedAs.startsWith("-");
+  const dashFromArgv0 = typeof argv0 === "string" && argv0.startsWith("-");
+  const looksLikeLoginShell = dashFromArgv1 || dashFromArgv0;
+  const normalizedInvokedAs = dashFromArgv1 ? rawInvokedAs.slice(1) : rawInvokedAs;
+  const invokedAs = path.basename(normalizedInvokedAs);
+  const wrapperEnv = typeof process !== "undefined" && process.env?.APES_SHELL_WRAPPER === "1";
+  const argvMatch = invokedAs === "ape-shell" || invokedAs === "ape-shell.js";
+  if (!wrapperEnv && !argvMatch)
+    return null;
+  const shellArgs = argv.slice(2);
+  if (shellArgs[0] === "-c" && shellArgs.length > 1) {
+    return { action: "rewrite", argv: [argv[0], argv[1], "run", "--shell", "--", "bash", "-c", ...shellArgs.slice(1)] };
+  }
+  if (shellArgs[0] === "--version" || shellArgs[0] === "-v")
+    return { action: "version" };
+  if (shellArgs[0] === "--help" || shellArgs[0] === "-h")
+    return { action: "help" };
+  if (shellArgs.length === 0 || shellArgs[0] === "-i" || shellArgs[0] === "-l" || shellArgs[0] === "--login" || looksLikeLoginShell) {
+    return { action: "interactive" };
+  }
+  return { action: "error" };
+}
+
+// src/cli.ts
+import { defineCommand as defineCommand31, runMain } from "citty";
 
 // src/commands/auth/login.ts
 import { Buffer } from "buffer";
 import { execFile } from "child_process";
 import { createServer } from "http";
+import { homedir as homedir2 } from "os";
+import { resolve as resolvePath } from "path";
 import { defineCommand } from "citty";
 import { generateCodeChallenge, generateCodeVerifier } from "@openape/core";
+import consola2 from "consola";
+
+// src/commands/auth/resolve-login.ts
+import { existsSync } from "fs";
+import { homedir } from "os";
+import { join } from "path";
+import { resolveDDISA } from "@openape/core";
 import consola from "consola";
+var DEFAULT_KEY = join(homedir(), ".ssh", "id_ed25519");
+async function resolveLoginInputs(flags) {
+  const config = loadConfig();
+  let keyPath;
+  if (!flags.browser) {
+    if (flags.key) {
+      keyPath = flags.key;
+    } else if (process.env.APES_KEY) {
+      keyPath = process.env.APES_KEY;
+      consola.info(`Using key from APES_KEY: ${keyPath}`);
+    } else if (config.agent?.key) {
+      keyPath = config.agent.key;
+      consola.info(`Using key from config: ${keyPath}`);
+    } else if (existsSync(DEFAULT_KEY)) {
+      keyPath = DEFAULT_KEY;
+      consola.info(`Using default key: ${keyPath}`);
+    }
+  }
+  let email;
+  if (flags.email) {
+    email = flags.email;
+  } else if (process.env.APES_EMAIL) {
+    email = process.env.APES_EMAIL;
+  } else if (config.agent?.email) {
+    email = config.agent.email;
+  } else if (keyPath) {
+    const comment = readPublicKeyComment(`${keyPath}.pub`);
+    if (comment && comment.includes("@")) {
+      email = comment;
+      consola.info(`Using email from ${keyPath}.pub comment: ${email}`);
+    }
+  }
+  let idp;
+  if (flags.idp) {
+    idp = flags.idp;
+  } else if (process.env.APES_IDP) {
+    idp = process.env.APES_IDP;
+  } else if (process.env.GRAPES_IDP) {
+    idp = process.env.GRAPES_IDP;
+  } else if (config.defaults?.idp) {
+    idp = config.defaults.idp;
+  } else if (email && email.includes("@")) {
+    const domain = email.split("@")[1];
+    try {
+      const record = await resolveDDISA(domain);
+      if (record?.idp) {
+        idp = record.idp;
+        consola.info(`Discovered IdP via DDISA (_ddisa.${domain}): ${idp}`);
+      }
+    } catch {
+    }
+  }
+  return { keyPath, email, idp };
+}
+
+// src/commands/auth/login.ts
 var CALLBACK_PORT = 9876;
 var CLIENT_ID = "grapes-cli";
 var loginCommand = defineCommand({
@@ -44,27 +163,56 @@ var loginCommand = defineCommand({
   args: {
     idp: {
       type: "string",
-      description: "IdP URL (e.g. https://id.openape.at)"
+      description: "IdP URL (e.g. https://id.openape.at). Auto-discovered via DDISA DNS if omitted."
     },
     key: {
       type: "string",
-      description: "Path to agent private key (agent mode)"
+      description: "Path to agent private key. Defaults to ~/.ssh/id_ed25519 if present."
     },
     email: {
       type: "string",
-      description: "Agent email (for DNS discovery)"
+      description: "Agent email. Extracted from <key>.pub comment if omitted."
+    },
+    browser: {
+      type: "boolean",
+      description: "Force browser (PKCE) login even if an SSH key exists"
     }
   },
   async run({ args }) {
-    const config = loadConfig();
-    const idp = args.idp || process.env.APES_IDP || process.env.GRAPES_IDP || config.defaults?.idp;
-    if (!idp) {
-      throw new CliError("IdP URL required. Use --idp <url> or set APES_IDP.");
-    }
-    if (args.key) {
-      await loginWithKey(idp, args.key, args.email);
+    const resolved = await resolveLoginInputs({
+      key: args.key,
+      idp: args.idp,
+      email: args.email,
+      browser: args.browser
+    });
+    if (resolved.keyPath) {
+      if (!resolved.email) {
+        throw new CliError(
+          `Agent email required for key-based login. Add an email comment to ${resolved.keyPath}.pub (ssh-keygen -C <email>) or pass --email <agent-email>.`
+        );
+      }
+      if (!resolved.idp) {
+        const domain = resolved.email.split("@")[1];
+        throw new CliError(
+          `No IdP found for ${resolved.email}.
+
+There is no DDISA TXT record for ${domain} and no --idp was provided.
+
+Options:
+  \u2022 Run your own IdP (recommended for production)
+    See: https://docs.openape.at
+  \u2022 Publish a DDISA TXT record for your domain:
+    _ddisa.${domain} TXT "v=ddisa1 idp=https://your-idp.example"
+  \u2022 Use OpenApe's free hosted IdP for testing:
+    apes login --idp https://id.openape.at`
+        );
+      }
+      await loginWithKey(resolved.idp, resolved.keyPath, resolved.email);
     } else {
-      await loginWithPKCE(idp);
+      if (!resolved.idp) {
+        throw new CliError("IdP URL required for browser login. Use --idp <url> or set APES_IDP.");
+      }
+      await loginWithPKCE(resolved.idp);
     }
   }
 });
@@ -88,7 +236,7 @@ async function loginWithPKCE(idp) {
   authUrl.searchParams.set("state", state);
   authUrl.searchParams.set("nonce", nonce);
   authUrl.searchParams.set("scope", "openid email profile offline_access");
-  const code = await new Promise((resolve2, reject) => {
+  const code = await new Promise((resolve3, reject) => {
     const server = createServer((req, res) => {
       const url = new URL(req.url, `http://localhost:${CALLBACK_PORT}`);
       if (url.pathname === "/callback") {
@@ -105,7 +253,7 @@ async function loginWithPKCE(idp) {
           res.writeHead(200, { "Content-Type": "text/html" });
           res.end("<h1>Login successful!</h1><p>You can close this window.</p>");
           server.close();
-          resolve2(authCode);
+          resolve3(authCode);
           return;
         }
         res.writeHead(400);
@@ -116,7 +264,12 @@ async function loginWithPKCE(idp) {
       }
     });
     server.listen(CALLBACK_PORT, () => {
-      consola.info(`Opening browser for login at ${idp}...`);
+      console.log("");
+      console.log("Visit the following URL in a browser to authenticate:");
+      console.log("");
+      console.log(`  ${authUrl.toString()}`);
+      console.log("");
+      consola2.info(`Waiting for authentication callback on ${redirectUri} ...`);
       openBrowser(authUrl.toString());
     });
     const timeout = setTimeout(() => {
@@ -153,16 +306,12 @@ async function loginWithPKCE(idp) {
     email: payload.email || payload.sub,
     expires_at: Math.floor(Date.now() / 1e3) + (tokens.expires_in || 3600)
   });
-  consola.success(`Logged in as ${payload.email || payload.sub}`);
+  consola2.success(`Logged in as ${payload.email || payload.sub}`);
 }
-async function loginWithKey(idp, keyPath, email) {
-  const { readFileSync: readFileSync2 } = await import("fs");
+async function loginWithKey(idp, keyPath, agentEmail) {
+  const { readFileSync: readFileSync4 } = await import("fs");
   const { sign: sign2 } = await import("crypto");
-  const { loadEd25519PrivateKey: loadEd25519PrivateKey2 } = await import("./ssh-key-Q7KG4K25.js");
-  const agentEmail = email;
-  if (!agentEmail) {
-    throw new CliError("Agent email required for key-based login. Use --email <agent-email>");
-  }
+  const { loadEd25519PrivateKey: loadEd25519PrivateKey2 } = await import("./ssh-key-YBNNG5K5.js");
   const challengeUrl = await getAgentChallengeEndpoint(idp);
   const challengeResp = await fetch(challengeUrl, {
     method: "POST",
@@ -173,7 +322,7 @@ async function loginWithKey(idp, keyPath, email) {
     throw new CliError(`Challenge failed: ${await challengeResp.text()}`);
   }
   const { challenge } = await challengeResp.json();
-  const keyContent = readFileSync2(keyPath, "utf-8");
+  const keyContent = readFileSync4(keyPath, "utf-8");
   const privateKey = loadEd25519PrivateKey2(keyContent);
   const signature = sign2(null, Buffer.from(challenge), privateKey).toString("base64");
   const authenticateUrl = await getAgentAuthenticateEndpoint(idp);
@@ -196,12 +345,23 @@ async function loginWithKey(idp, keyPath, email) {
     email: agentEmail,
     expires_at: Math.floor(Date.now() / 1e3) + (expires_in || 3600)
   });
-  consola.success(`Logged in as ${agentEmail} (agent)`);
+  const absoluteKeyPath = resolvePath(keyPath.replace(/^~/, homedir2()));
+  const existingConfig = loadConfig();
+  saveConfig({
+    ...existingConfig,
+    agent: {
+      ...existingConfig.agent,
+      key: absoluteKeyPath,
+      email: agentEmail
+    }
+  });
+  consola2.success(`Logged in as ${agentEmail}`);
+  consola2.info(`Auto-refresh enabled (key path saved to ~/.config/apes/config.toml)`);
 }
 
 // src/commands/auth/logout.ts
 import { defineCommand as defineCommand2 } from "citty";
-import consola2 from "consola";
+import consola3 from "consola";
 var logoutCommand = defineCommand2({
   meta: {
     name: "logout",
@@ -209,13 +369,13 @@ var logoutCommand = defineCommand2({
   },
   run() {
     clearAuth();
-    consola2.success("Logged out.");
+    consola3.success("Logged out.");
   }
 });
 
 // src/commands/auth/whoami.ts
 import { defineCommand as defineCommand3 } from "citty";
-import consola3 from "consola";
+import consola4 from "consola";
 var whoamiCommand = defineCommand3({
   meta: {
     name: "whoami",
@@ -234,14 +394,14 @@ var whoamiCommand = defineCommand3({
     console.log(`IdP:   ${auth.idp}`);
     console.log(`Token: ${isExpired ? "\u26A0 EXPIRED" : "valid"} (until ${expiresAt})`);
     if (isExpired) {
-      consola3.warn("Token is expired. Run `apes login` to re-authenticate.");
+      consola4.warn("Token is expired. Run `apes login` to re-authenticate.");
     }
   }
 });
 
 // src/commands/grants/list.ts
 import { defineCommand as defineCommand4 } from "citty";
-import consola4 from "consola";
+import consola5 from "consola";
 var listCommand = defineCommand4({
   meta: {
     name: "list",
@@ -290,7 +450,7 @@ var listCommand = defineCommand4({
       return;
     }
     if (grants.length === 0) {
-      consola4.info(args.all ? "No grants found." : "No grants found. Use --all to see all visible grants.");
+      consola5.info(args.all ? "No grants found." : "No grants found. Use --all to see all visible grants.");
       return;
     }
     for (const grant of grants) {
@@ -302,14 +462,14 @@ var listCommand = defineCommand4({
       }
     }
     if (response.pagination.has_more) {
-      consola4.info("More results available. Use --limit or pagination cursor.");
+      consola5.info("More results available. Use --limit or pagination cursor.");
     }
   }
 });
 
 // src/commands/grants/inbox.ts
 import { defineCommand as defineCommand5 } from "citty";
-import consola5 from "consola";
+import consola6 from "consola";
 var inboxCommand = defineCommand5({
   meta: {
     name: "inbox",
@@ -348,10 +508,10 @@ var inboxCommand = defineCommand5({
       return;
     }
     if (grants.length === 0) {
-      consola5.info("No pending grants to approve.");
+      consola6.info("No pending grants to approve.");
       return;
     }
-    consola5.info(`${grants.length} grant(s) awaiting approval:
+    consola6.info(`${grants.length} grant(s) awaiting approval:
 `);
     for (const grant of grants) {
       const cmd = grant.request?.command?.join(" ") || "(no command)";
@@ -366,7 +526,7 @@ var inboxCommand = defineCommand5({
       }
       console.log();
     }
-    consola5.info("Use `apes grants approve <id>` or `apes grants deny <id>` to respond.");
+    consola6.info("Use `apes grants approve <id>` or `apes grants deny <id>` to respond.");
   }
 });
 
@@ -422,7 +582,7 @@ var statusCommand = defineCommand6({
 // src/commands/grants/request.ts
 import { hostname } from "os";
 import { defineCommand as defineCommand7 } from "citty";
-import consola6 from "consola";
+import consola7 from "consola";
 var requestCommand = defineCommand7({
   meta: {
     name: "request",
@@ -489,9 +649,9 @@ var requestCommand = defineCommand7({
         ...args["run-as"] ? { run_as: args["run-as"] } : {}
       }
     });
-    consola6.success(`Grant requested: ${grant.id} (status: ${grant.status})`);
+    consola7.success(`Grant requested: ${grant.id} (status: ${grant.status})`);
     if (args.wait) {
-      consola6.info("Waiting for approval...");
+      consola7.info("Waiting for approval...");
       await waitForApproval(grantsUrl, grant.id);
     }
   }
@@ -503,7 +663,7 @@ async function waitForApproval(grantsUrl, grantId) {
   while (Date.now() - start < maxWait) {
     const grant = await apiFetch(`${grantsUrl}/${grantId}`);
     if (grant.status === "approved") {
-      consola6.success("Grant approved!");
+      consola7.success("Grant approved!");
       return;
     }
     if (grant.status === "denied") {
@@ -519,9 +679,8 @@ async function waitForApproval(grantsUrl, grantId) {
 
 // src/commands/grants/request-capability.ts
 import { hostname as hostname2 } from "os";
-import { buildStructuredCliGrantRequest, loadAdapter, resolveCapabilityRequest } from "@openape/shapes";
 import { defineCommand as defineCommand8 } from "citty";
-import consola7 from "consola";
+import consola8 from "consola";
 function parseCapabilityArgs(rawArgs) {
   const tokens = [...rawArgs];
   if (tokens[0] === "request-capability") {
@@ -628,7 +787,7 @@ async function waitForApproval2(grantsUrl, grantId) {
   while (Date.now() - start < maxWait) {
     const grant = await apiFetch(`${grantsUrl}/${grantId}`);
     if (grant.status === "approved") {
-      consola7.success("Grant approved!");
+      consola8.success("Grant approved!");
       return;
     }
     if (grant.status === "denied") {
@@ -637,7 +796,7 @@ async function waitForApproval2(grantsUrl, grantId) {
     if (grant.status === "revoked") {
       throw new CliError("Grant revoked.");
     }
-    await new Promise((resolve2) => setTimeout(resolve2, interval));
+    await new Promise((resolve3) => setTimeout(resolve3, interval));
   }
   throw new CliError("Timed out waiting for approval.");
 }
@@ -729,9 +888,9 @@ var requestCapabilityCommand = defineCommand8({
       idp,
       body: request
     });
-    consola7.success(`Grant requested: ${grant.id} (status: ${grant.status})`);
+    consola8.success(`Grant requested: ${grant.id} (status: ${grant.status})`);
     if (parsed.wait) {
-      consola7.info("Waiting for approval...");
+      consola8.info("Waiting for approval...");
       await waitForApproval2(grantsUrl, grant.id);
     }
   }
@@ -739,7 +898,7 @@ var requestCapabilityCommand = defineCommand8({
 
 // src/commands/grants/approve.ts
 import { defineCommand as defineCommand9 } from "citty";
-import consola8 from "consola";
+import consola9 from "consola";
 var approveCommand = defineCommand9({
   meta: {
     name: "approve",
@@ -758,13 +917,13 @@ var approveCommand = defineCommand9({
     await apiFetch(`${grantsUrl}/${args.id}/approve`, {
       method: "POST"
     });
-    consola8.success(`Grant ${args.id} approved.`);
+    consola9.success(`Grant ${args.id} approved.`);
   }
 });
 
 // src/commands/grants/deny.ts
 import { defineCommand as defineCommand10 } from "citty";
-import consola9 from "consola";
+import consola10 from "consola";
 var denyCommand = defineCommand10({
   meta: {
     name: "deny",
@@ -783,13 +942,13 @@ var denyCommand = defineCommand10({
     await apiFetch(`${grantsUrl}/${args.id}/deny`, {
       method: "POST"
     });
-    consola9.success(`Grant ${args.id} denied.`);
+    consola10.success(`Grant ${args.id} denied.`);
   }
 });
 
 // src/commands/grants/revoke.ts
 import { defineCommand as defineCommand11 } from "citty";
-import consola10 from "consola";
+import consola11 from "consola";
 var revokeCommand = defineCommand11({
   meta: {
     name: "revoke",
@@ -818,11 +977,11 @@ var revokeCommand = defineCommand11({
     const idp = getIdpUrl();
     const grantsUrl = await getGrantsEndpoint(idp);
     if (args.debug) {
-      consola10.debug(`idp: ${idp}`);
-      consola10.debug(`grantsUrl: ${grantsUrl}`);
-      consola10.debug(`auth.email: ${auth?.email}`);
-      consola10.debug(`auth.expires_at: ${auth?.expires_at} (now: ${Math.floor(Date.now() / 1e3)})`);
-      consola10.debug(`getAuthToken(): ${token ? `${token.substring(0, 20)}...` : "NULL"}`);
+      consola11.debug(`idp: ${idp}`);
+      consola11.debug(`grantsUrl: ${grantsUrl}`);
+      consola11.debug(`auth.email: ${auth?.email}`);
+      consola11.debug(`auth.expires_at: ${auth?.expires_at} (now: ${Math.floor(Date.now() / 1e3)})`);
+      consola11.debug(`getAuthToken(): ${token ? `${token.substring(0, 20)}...` : "NULL"}`);
     }
     if (!auth || !token) {
       throw new CliError("Authentication required. Run `apes login` and try again.");
@@ -840,11 +999,11 @@ var revokeCommand = defineCommand11({
       );
       const ownPending = auth2?.email ? response.data.filter((g) => g.request?.requester === auth2.email) : response.data;
       if (ownPending.length === 0) {
-        consola10.info("No pending grants to revoke.");
+        consola11.info("No pending grants to revoke.");
         return;
       }
       ids = ownPending.map((g) => g.id);
-      consola10.info(`Found ${ids.length} pending grant(s) to revoke.`);
+      consola11.info(`Found ${ids.length} pending grant(s) to revoke.`);
     } else if (explicitIds.length > 0) {
       ids = explicitIds;
     } else {
@@ -852,7 +1011,7 @@ var revokeCommand = defineCommand11({
     }
     if (ids.length === 1) {
       await apiFetch(`${grantsUrl}/${ids[0]}/revoke`, { method: "POST", token });
-      consola10.success(`Grant ${ids[0]} revoked.`);
+      consola11.success(`Grant ${ids[0]} revoked.`);
       return;
     }
     const operations = ids.map((id) => ({ id, action: "revoke" }));
@@ -863,16 +1022,16 @@ var revokeCommand = defineCommand11({
     let succeeded = 0;
     for (const r of results) {
       if (r.success) {
-        consola10.success(`Grant ${r.id} revoked.`);
+        consola11.success(`Grant ${r.id} revoked.`);
         succeeded++;
       } else {
-        consola10.error(`Grant ${r.id}: ${r.error?.title || "Failed"}`);
+        consola11.error(`Grant ${r.id}: ${r.error?.title || "Failed"}`);
       }
     }
     if (succeeded < results.length) {
       throw new CliError(`Revoked ${succeeded} of ${results.length} grants.`);
     } else {
-      consola10.success(`All ${succeeded} grants revoked.`);
+      consola11.success(`All ${succeeded} grants revoked.`);
     }
   }
 });
@@ -906,7 +1065,7 @@ var tokenCommand = defineCommand12({
 
 // src/commands/grants/delegate.ts
 import { defineCommand as defineCommand13 } from "citty";
-import consola11 from "consola";
+import consola12 from "consola";
 var delegateCommand = defineCommand13({
   meta: {
     name: "delegate",
@@ -959,7 +1118,7 @@ var delegateCommand = defineCommand13({
       method: "POST",
       body
     });
-    consola11.success(`Delegation created: ${result.id}`);
+    consola12.success(`Delegation created: ${result.id}`);
     console.log(`  Delegate: ${args.to}`);
     console.log(`  Audience: ${args.at}`);
     if (args.scopes)
@@ -972,7 +1131,7 @@ var delegateCommand = defineCommand13({
 
 // src/commands/grants/delegations.ts
 import { defineCommand as defineCommand14 } from "citty";
-import consola12 from "consola";
+import consola13 from "consola";
 var delegationsCommand = defineCommand14({
   meta: {
     name: "delegations",
@@ -988,13 +1147,14 @@ var delegationsCommand = defineCommand14({
   async run({ args }) {
     const idp = getIdpUrl();
     const delegationsUrl = await getDelegationsEndpoint(idp);
-    const delegations = await apiFetch(delegationsUrl);
+    const response = await apiFetch(delegationsUrl);
+    const delegations = Array.isArray(response) ? response : response.data;
     if (args.json) {
       console.log(JSON.stringify(delegations, null, 2));
       return;
     }
     if (delegations.length === 0) {
-      consola12.info("No delegations found.");
+      consola13.info("No delegations found.");
       return;
     }
     for (const d of delegations) {
@@ -1005,27 +1165,345 @@ var delegationsCommand = defineCommand14({
   }
 });
 
-// src/commands/adapter/index.ts
+// src/commands/grants/delegation-revoke.ts
 import { defineCommand as defineCommand15 } from "citty";
-import consola13 from "consola";
-import {
-  fetchRegistry,
-  findAdapter,
-  findConflictingAdapters,
-  getInstalledDigest,
-  installAdapter,
-  isInstalled,
-  loadAdapter as loadAdapter2,
-  removeAdapter,
-  searchAdapters
-} from "@openape/shapes";
-var adapterCommand = defineCommand15({
+import consola14 from "consola";
+var delegationRevokeCommand = defineCommand15({
+  meta: {
+    name: "delegation-revoke",
+    description: "Revoke a delegation"
+  },
+  args: {
+    id: {
+      type: "positional",
+      description: "Delegation ID to revoke",
+      required: true
+    }
+  },
+  async run({ args }) {
+    const idp = getIdpUrl();
+    if (!idp) {
+      throw new CliError("No IdP URL configured. Run `apes login` first or pass --idp.");
+    }
+    const delegationsUrl = await getDelegationsEndpoint(idp);
+    const id = String(args.id);
+    const result = await apiFetch(
+      `${delegationsUrl}/${id}`,
+      { method: "DELETE" }
+    );
+    consola14.success(`Delegation ${result.id} revoked.`);
+  }
+});
+
+// src/commands/admin/index.ts
+import { defineCommand as defineCommand18 } from "citty";
+
+// src/commands/admin/users.ts
+import { defineCommand as defineCommand16 } from "citty";
+import consola15 from "consola";
+function getManagementToken() {
+  const token = process.env.APES_MANAGEMENT_TOKEN;
+  if (!token) {
+    throw new CliError("Management token required. Set APES_MANAGEMENT_TOKEN environment variable.");
+  }
+  return token;
+}
+var usersListCommand = defineCommand16({
+  meta: {
+    name: "list",
+    description: "List all users"
+  },
+  args: {
+    json: {
+      type: "boolean",
+      description: "Output as JSON",
+      default: false
+    },
+    limit: {
+      type: "string",
+      description: "Max number of users to return (1-100, default 50)"
+    },
+    cursor: {
+      type: "string",
+      description: "Pagination cursor (email of last item from previous page)"
+    },
+    search: {
+      type: "string",
+      description: "Filter by email or name (case-insensitive)"
+    }
+  },
+  async run({ args }) {
+    const idp = getIdpUrl();
+    if (!idp) {
+      throw new CliError("No IdP URL configured. Run `apes login` first or pass --idp.");
+    }
+    const token = getManagementToken();
+    const params = new URLSearchParams();
+    if (args.limit) params.set("limit", args.limit);
+    if (args.cursor) params.set("cursor", args.cursor);
+    if (args.search) params.set("search", args.search);
+    const qs = params.toString();
+    const url = qs ? `${idp}/api/admin/users?${qs}` : `${idp}/api/admin/users`;
+    const result = await apiFetch(url, { token });
+    if (args.json) {
+      console.log(JSON.stringify(result, null, 2));
+      return;
+    }
+    if (result.data.length === 0) {
+      consola15.info("No users found.");
+      return;
+    }
+    for (const u of result.data) {
+      const owner = u.owner ? ` (agent of ${u.owner})` : "";
+      const active = u.isActive ? "" : " [inactive]";
+      console.log(`${u.email}  ${u.name}${owner}${active}`);
+    }
+    if (result.pagination.has_more) {
+      consola15.info(`More results available. Use --cursor="${result.pagination.cursor}" to see next page.`);
+    }
+  }
+});
+var usersCreateCommand = defineCommand16({
+  meta: {
+    name: "create",
+    description: "Create a user"
+  },
+  args: {
+    email: {
+      type: "string",
+      description: "User email",
+      required: true
+    },
+    name: {
+      type: "string",
+      description: "User name",
+      required: true
+    }
+  },
+  async run({ args }) {
+    const idp = getIdpUrl();
+    if (!idp) {
+      throw new CliError("No IdP URL configured. Run `apes login` first or pass --idp.");
+    }
+    const token = getManagementToken();
+    const result = await apiFetch(
+      `${idp}/api/admin/users`,
+      {
+        method: "POST",
+        body: { email: args.email, name: args.name },
+        token
+      }
+    );
+    consola15.success(`User created: ${result.email} (${result.name})`);
+  }
+});
+var usersDeleteCommand = defineCommand16({
+  meta: {
+    name: "delete",
+    description: "Delete a user"
+  },
+  args: {
+    email: {
+      type: "positional",
+      description: "User email",
+      required: true
+    }
+  },
+  async run({ args }) {
+    const idp = getIdpUrl();
+    if (!idp) {
+      throw new CliError("No IdP URL configured. Run `apes login` first or pass --idp.");
+    }
+    const token = getManagementToken();
+    const email = String(args.email);
+    await apiFetch(`${idp}/api/admin/users/${encodeURIComponent(email)}`, {
+      method: "DELETE",
+      token
+    });
+    consola15.success(`User deleted: ${email}`);
+  }
+});
+
+// src/commands/admin/ssh-keys.ts
+import { existsSync as existsSync2, readFileSync } from "fs";
+import { resolve } from "path";
+import { homedir as homedir3 } from "os";
+import { defineCommand as defineCommand17 } from "citty";
+import consola16 from "consola";
+function getManagementToken2() {
+  const token = process.env.APES_MANAGEMENT_TOKEN;
+  if (!token) {
+    throw new CliError("Management token required. Set APES_MANAGEMENT_TOKEN environment variable.");
+  }
+  return token;
+}
+var sshKeysListCommand = defineCommand17({
+  meta: {
+    name: "list",
+    description: "List SSH keys for a user"
+  },
+  args: {
+    email: {
+      type: "positional",
+      description: "User email",
+      required: true
+    },
+    json: {
+      type: "boolean",
+      description: "Output as JSON",
+      default: false
+    }
+  },
+  async run({ args }) {
+    const idp = getIdpUrl();
+    if (!idp) {
+      throw new CliError("No IdP URL configured. Run `apes login` first or pass --idp.");
+    }
+    const token = getManagementToken2();
+    const email = String(args.email);
+    const keys = await apiFetch(
+      `${idp}/api/admin/users/${encodeURIComponent(email)}/ssh-keys`,
+      { token }
+    );
+    if (args.json) {
+      console.log(JSON.stringify(keys, null, 2));
+      return;
+    }
+    if (keys.length === 0) {
+      consola16.info(`No SSH keys found for ${email}.`);
+      return;
+    }
+    for (const k of keys) {
+      console.log(`${k.keyId}  ${k.name}  ${k.publicKey.substring(0, 40)}...`);
+    }
+  }
+});
+var sshKeysAddCommand = defineCommand17({
+  meta: {
+    name: "add",
+    description: "Add an SSH key for a user"
+  },
+  args: {
+    email: {
+      type: "string",
+      description: "User email",
+      required: true
+    },
+    key: {
+      type: "string",
+      description: "Path to public key file or key string",
+      required: true
+    },
+    name: {
+      type: "string",
+      description: "Key name/label"
+    }
+  },
+  async run({ args }) {
+    const idp = getIdpUrl();
+    if (!idp) {
+      throw new CliError("No IdP URL configured. Run `apes login` first or pass --idp.");
+    }
+    const token = getManagementToken2();
+    let publicKey = args.key;
+    const resolved = resolve(args.key.replace(/^~/, homedir3()));
+    if (existsSync2(resolved)) {
+      publicKey = readFileSync(resolved, "utf-8").trim();
+    }
+    const body = { publicKey };
+    if (args.name) {
+      body.name = args.name;
+    }
+    const result = await apiFetch(
+      `${idp}/api/admin/users/${encodeURIComponent(args.email)}/ssh-keys`,
+      {
+        method: "POST",
+        body,
+        token
+      }
+    );
+    consola16.success(`SSH key added: ${result.keyId} (${result.name})`);
+  }
+});
+var sshKeysDeleteCommand = defineCommand17({
+  meta: {
+    name: "delete",
+    description: "Delete an SSH key"
+  },
+  args: {
+    email: {
+      type: "string",
+      description: "User email",
+      required: true
+    },
+    keyId: {
+      type: "positional",
+      description: "Key ID",
+      required: true
+    }
+  },
+  async run({ args }) {
+    const idp = getIdpUrl();
+    if (!idp) {
+      throw new CliError("No IdP URL configured. Run `apes login` first or pass --idp.");
+    }
+    const token = getManagementToken2();
+    const keyId = String(args.keyId);
+    await apiFetch(
+      `${idp}/api/admin/users/${encodeURIComponent(args.email)}/ssh-keys/${keyId}`,
+      {
+        method: "DELETE",
+        token
+      }
+    );
+    consola16.success(`SSH key deleted: ${keyId}`);
+  }
+});
+
+// src/commands/admin/index.ts
+var usersCommand = defineCommand18({
+  meta: {
+    name: "users",
+    description: "Manage users"
+  },
+  subCommands: {
+    list: usersListCommand,
+    create: usersCreateCommand,
+    delete: usersDeleteCommand
+  }
+});
+var sshKeysCommand = defineCommand18({
+  meta: {
+    name: "ssh-keys",
+    description: "Manage SSH keys"
+  },
+  subCommands: {
+    list: sshKeysListCommand,
+    add: sshKeysAddCommand,
+    delete: sshKeysDeleteCommand
+  }
+});
+var adminCommand = defineCommand18({
+  meta: {
+    name: "admin",
+    description: "Admin commands (requires APES_MANAGEMENT_TOKEN)"
+  },
+  subCommands: {
+    users: usersCommand,
+    "ssh-keys": sshKeysCommand
+  }
+});
+
+// src/commands/adapter/index.ts
+import { defineCommand as defineCommand19 } from "citty";
+import consola17 from "consola";
+var adapterCommand = defineCommand19({
   meta: {
     name: "adapter",
     description: "Manage CLI adapters"
   },
   subCommands: {
-    list: defineCommand15({
+    list: defineCommand19({
       meta: {
         name: "list",
         description: "List available adapters"
@@ -1056,7 +1534,7 @@ var adapterCommand = defineCommand15({
 `);
             return;
           }
-          consola13.info(`Registry: ${index2.adapters.length} adapters (${index2.generated_at})`);
+          consola17.info(`Registry: ${index2.adapters.length} adapters (${index2.generated_at})`);
           for (const a of index2.adapters) {
             const installed = isInstalled(a.id, false) ? " [installed]" : "";
             console.log(`  ${a.id.padEnd(12)} ${a.name.padEnd(24)} ${a.category}${installed}`);
@@ -1067,7 +1545,7 @@ var adapterCommand = defineCommand15({
         const local = [];
         for (const a of index.adapters) {
           try {
-            const loaded = loadAdapter2(a.id);
+            const loaded = loadAdapter(a.id);
             local.push({ id: a.id, source: loaded.source, digest: loaded.digest });
           } catch {
           }
@@ -1078,7 +1556,7 @@ var adapterCommand = defineCommand15({
           return;
         }
         if (local.length === 0) {
-          consola13.info("No adapters installed. Use `apes adapter list --remote` to see available adapters.");
+          consola17.info("No adapters installed. Use `apes adapter list --remote` to see available adapters.");
           return;
         }
         for (const a of local) {
@@ -1086,7 +1564,7 @@ var adapterCommand = defineCommand15({
         }
       }
     }),
-    install: defineCommand15({
+    install: defineCommand19({
       meta: {
         name: "install",
         description: "Install an adapter from the registry"
@@ -1115,24 +1593,24 @@ var adapterCommand = defineCommand15({
         for (const id of ids) {
           const entry = findAdapter(index, id);
           if (!entry) {
-            consola13.error(`Adapter "${id}" not found in registry. Use \`apes adapter search ${id}\` to search.`);
+            consola17.error(`Adapter "${id}" not found in registry. Use \`apes adapter search ${id}\` to search.`);
             continue;
           }
           const conflicts = findConflictingAdapters(entry.executable, id);
           if (conflicts.length > 0) {
             for (const c of conflicts) {
-              consola13.warn(`Conflicting adapter found: ${c.path} (id: ${c.adapterId}, executable: ${c.executable})`);
-              consola13.warn(`  Remove it with: apes adapter remove ${c.adapterId}`);
+              consola17.warn(`Conflicting adapter found: ${c.path} (id: ${c.adapterId}, executable: ${c.executable})`);
+              consola17.warn(`  Remove it with: apes adapter remove ${c.adapterId}`);
             }
           }
           const result = await installAdapter(entry, { local });
           const verb = result.updated ? "Updated" : "Installed";
-          consola13.success(`${verb} ${result.id} \u2192 ${result.path}`);
-          consola13.info(`Digest: ${result.digest}`);
+          consola17.success(`${verb} ${result.id} \u2192 ${result.path}`);
+          consola17.info(`Digest: ${result.digest}`);
         }
       }
     }),
-    remove: defineCommand15({
+    remove: defineCommand19({
       meta: {
         name: "remove",
         description: "Remove an installed adapter"
@@ -1155,9 +1633,9 @@ var adapterCommand = defineCommand15({
         let failed = false;
         for (const id of ids) {
           if (removeAdapter(id, local)) {
-            consola13.success(`Removed adapter: ${id}`);
+            consola17.success(`Removed adapter: ${id}`);
           } else {
-            consola13.error(`Adapter "${id}" is not installed${local ? " locally" : ""}`);
+            consola17.error(`Adapter "${id}" is not installed${local ? " locally" : ""}`);
             failed = true;
           }
         }
@@ -1165,7 +1643,7 @@ var adapterCommand = defineCommand15({
           throw new CliError("Some adapters could not be removed");
       }
     }),
-    info: defineCommand15({
+    info: defineCommand19({
       meta: {
         name: "info",
         description: "Show detailed adapter information"
@@ -1207,7 +1685,7 @@ var adapterCommand = defineCommand15({
         }
       }
     }),
-    search: defineCommand15({
+    search: defineCommand19({
       meta: {
         name: "search",
         description: "Search adapters in the registry"
@@ -1239,7 +1717,7 @@ var adapterCommand = defineCommand15({
           return;
         }
         if (results.length === 0) {
-          consola13.info(`No adapters matching "${query}"`);
+          consola17.info(`No adapters matching "${query}"`);
           return;
         }
         for (const a of results) {
@@ -1248,7 +1726,7 @@ var adapterCommand = defineCommand15({
         }
       }
     }),
-    update: defineCommand15({
+    update: defineCommand19({
       meta: {
         name: "update",
         description: "Update installed adapters"
@@ -1274,33 +1752,33 @@ var adapterCommand = defineCommand15({
         const targetId = args.id ? String(args.id) : void 0;
         const targets = targetId ? [targetId] : index.adapters.map((a) => a.id).filter((id) => isInstalled(id, false));
         if (targets.length === 0) {
-          consola13.info("No adapters installed to update.");
+          consola17.info("No adapters installed to update.");
           return;
         }
         for (const id of targets) {
           const entry = findAdapter(index, id);
           if (!entry) {
-            consola13.warn(`${id}: not found in registry, skipping`);
+            consola17.warn(`${id}: not found in registry, skipping`);
             continue;
           }
           const localDigest = getInstalledDigest(id, false);
           if (localDigest === entry.digest) {
-            consola13.info(`${id}: already up to date`);
+            consola17.info(`${id}: already up to date`);
             continue;
           }
           if (localDigest && !args.yes) {
-            consola13.warn(`${id}: digest will change \u2014 existing grants for this adapter will be invalidated`);
-            consola13.info(`  Old: ${localDigest}`);
-            consola13.info(`  New: ${entry.digest}`);
-            consola13.info("  Use --yes to confirm");
+            consola17.warn(`${id}: digest will change \u2014 existing grants for this adapter will be invalidated`);
+            consola17.info(`  Old: ${localDigest}`);
+            consola17.info(`  New: ${entry.digest}`);
+            consola17.info("  Use --yes to confirm");
             continue;
           }
           const result = await installAdapter(entry);
-          consola13.success(`Updated ${result.id} \u2192 ${result.path}`);
+          consola17.success(`Updated ${result.id} \u2192 ${result.path}`);
         }
       }
     }),
-    verify: defineCommand15({
+    verify: defineCommand19({
       meta: {
         name: "verify",
         description: "Verify installed adapter against registry digest"
@@ -1333,7 +1811,7 @@ var adapterCommand = defineCommand15({
         if (!localDigest)
           throw new Error(`Adapter "${id}" is not installed${local ? " locally" : ""}`);
         if (localDigest === entry.digest) {
-          consola13.success(`${id}: digest matches registry`);
+          consola17.success(`${id}: digest matches registry`);
         } else {
           console.log(`  Local:    ${localDigest}`);
           console.log(`  Registry: ${entry.digest}`);
@@ -1347,20 +1825,10 @@ var adapterCommand = defineCommand15({
 // src/commands/run.ts
 import { execFileSync } from "child_process";
 import { hostname as hostname3 } from "os";
-import { defineCommand as defineCommand16 } from "citty";
-import {
-  createShapesGrant,
-  extractOption,
-  extractWrappedCommand,
-  fetchGrantToken,
-  findExistingGrant,
-  loadAdapter as loadAdapter3,
-  resolveCommand,
-  verifyAndExecute,
-  waitForGrantStatus
-} from "@openape/shapes";
-import consola14 from "consola";
-var runCommand = defineCommand16({
+import { basename } from "path";
+import { defineCommand as defineCommand20 } from "citty";
+import consola18 from "consola";
+var runCommand = defineCommand20({
   meta: {
     name: "run",
     description: "Execute a grant-secured command"
@@ -1396,6 +1864,11 @@ var runCommand = defineCommand16({
       type: "string",
       description: "IdP URL"
     },
+    "shell": {
+      type: "boolean",
+      description: "Shell mode: use session grant with audience ape-shell",
+      default: false
+    },
     "_": {
       type: "positional",
       description: "Command to execute (after --)",
@@ -1404,6 +1877,10 @@ var runCommand = defineCommand16({
   },
   async run({ rawArgs, args }) {
     const wrappedCommand = extractWrappedCommand(rawArgs ?? []);
+    if (args.shell && wrappedCommand.length > 0) {
+      await runShellMode(wrappedCommand, args);
+      return;
+    }
     if (wrappedCommand.length > 0) {
       await runAdapterMode(wrappedCommand, rawArgs ?? [], args);
     } else {
@@ -1414,6 +1891,114 @@ var runCommand = defineCommand16({
     }
   }
 });
+async function runShellMode(command, args) {
+  const auth = loadAuth();
+  if (!auth)
+    throw new CliError("Not logged in. Run `apes login` first.");
+  const idp = getIdpUrl(args.idp);
+  if (!idp)
+    throw new CliError("No IdP URL configured. Run `apes login` first or pass --idp.");
+  const adapterHandled = await tryAdapterModeFromShell(command, idp, args);
+  if (adapterHandled) return;
+  const grantsUrl = await getGrantsEndpoint(idp);
+  const targetHost = args.host || hostname3();
+  try {
+    const grants = await apiFetch(
+      `${grantsUrl}?requester=${encodeURIComponent(auth.email)}&status=approved&limit=20`
+    );
+    const sessionGrant = grants.data.find(
+      (g) => g.request.audience === "ape-shell" && g.request.target_host === targetHost && g.request.grant_type !== "once"
+    );
+    if (sessionGrant) {
+      execShellCommand(command);
+      return;
+    }
+  } catch {
+  }
+  consola18.info(`Requesting ape-shell session grant on ${targetHost}`);
+  const grant = await apiFetch(grantsUrl, {
+    method: "POST",
+    body: {
+      requester: auth.email,
+      target_host: targetHost,
+      audience: "ape-shell",
+      grant_type: "once",
+      command: command.slice(0, 3),
+      reason: `Shell session: ${command.join(" ").slice(0, 100)}`
+    }
+  });
+  consola18.info(`Grant requested: ${grant.id}`);
+  consola18.info("Waiting for approval...");
+  const maxWait = 3e5;
+  const interval = 3e3;
+  const start = Date.now();
+  while (Date.now() - start < maxWait) {
+    const status = await apiFetch(`${grantsUrl}/${grant.id}`);
+    if (status.status === "approved")
+      break;
+    if (status.status === "denied" || status.status === "revoked")
+      throw new CliError(`Grant ${status.status}.`);
+    await new Promise((r) => setTimeout(r, interval));
+  }
+  execShellCommand(command);
+}
+async function tryAdapterModeFromShell(command, idp, args) {
+  const cmdString = extractShellCommandString(command);
+  if (!cmdString) return false;
+  const parsed = parseShellCommand(cmdString);
+  if (!parsed) return false;
+  if (parsed.isCompound) return false;
+  const loaded = await loadOrInstallAdapter(parsed.executable);
+  if (!loaded) return false;
+  const normalizedExecutable = basename(parsed.executable);
+  let resolved;
+  try {
+    resolved = await resolveCommand(loaded, [normalizedExecutable, ...parsed.argv]);
+  } catch (err) {
+    consola18.debug(`ape-shell: adapter resolve failed for "${parsed.raw}":`, err);
+    return false;
+  }
+  try {
+    const existingGrantId = await findExistingGrant(resolved, idp);
+    if (existingGrantId) {
+      consola18.info(`Reusing grant ${existingGrantId} for: ${resolved.detail.display}`);
+      const token2 = await fetchGrantToken(idp, existingGrantId);
+      await verifyAndExecute(token2, resolved);
+      return true;
+    }
+  } catch {
+  }
+  const approval = args.approval ?? "once";
+  consola18.info(`Requesting grant for: ${resolved.detail.display}`);
+  const grant = await createShapesGrant(resolved, {
+    idp,
+    approval,
+    reason: args.reason || `ape-shell: ${resolved.detail.display}`
+  });
+  consola18.info(`Grant requested: ${grant.id}`);
+  consola18.info(`Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
+  if (grant.similar_grants?.similar_grants?.length) {
+    const n = grant.similar_grants.similar_grants.length;
+    consola18.info("");
+    consola18.info(`  Similar grant(s) found (${n}). Your approver can extend an existing grant to cover this request.`);
+  }
+  const status = await waitForGrantStatus(idp, grant.id);
+  if (status !== "approved")
+    throw new CliError(`Grant ${status}`);
+  const token = await fetchGrantToken(idp, grant.id);
+  await verifyAndExecute(token, resolved);
+  return true;
+}
+function execShellCommand(command) {
+  if (command.length === 0)
+    throw new CliError("No command to execute");
+  try {
+    execFileSync(command[0], command.slice(1), { stdio: "inherit" });
+  } catch (err) {
+    const exitCode = err.status || 1;
+    throw new CliExit(exitCode);
+  }
+}
 function extractPositionals(rawArgs) {
   const positionals = [];
   const delimiter = rawArgs.indexOf("--");
@@ -1439,13 +2024,13 @@ async function runAdapterMode(command, rawArgs, args) {
     return;
   }
   const adapterOpt = extractOption(rawArgs, "adapter");
-  const loaded = loadAdapter3(command[0], adapterOpt);
+  const loaded = loadAdapter(command[0], adapterOpt);
   const resolved = await resolveCommand(loaded, command);
   const approval = args.approval ?? "once";
   try {
     const existingGrantId = await findExistingGrant(resolved, idp);
     if (existingGrantId) {
-      consola14.info(`Reusing existing grant: ${existingGrantId}`);
+      consola18.info(`Reusing existing grant: ${existingGrantId}`);
       const token2 = await fetchGrantToken(idp, existingGrantId);
       await verifyAndExecute(token2, resolved);
       return;
@@ -1457,17 +2042,17 @@ async function runAdapterMode(command, rawArgs, args) {
     approval,
     ...args.reason ? { reason: args.reason } : {}
   });
-  consola14.info(`Grant requested: ${grant.id}`);
-  consola14.info(`Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
+  consola18.info(`Grant requested: ${grant.id}`);
+  consola18.info(`Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
   if (grant.similar_grants?.similar_grants?.length) {
     const n = grant.similar_grants.similar_grants.length;
-    consola14.info("");
-    consola14.info(`  Similar grant(s) found (${n}). Your approver can extend an existing grant to cover this request.`);
+    consola18.info("");
+    consola18.info(`  Similar grant(s) found (${n}). Your approver can extend an existing grant to cover this request.`);
     if (grant.similar_grants.widened_details?.length) {
       const wider = grant.similar_grants.widened_details.map((d) => d.permission).join(", ");
-      consola14.info(`  Broader scope: ${wider}`);
+      consola18.info(`  Broader scope: ${wider}`);
     }
-    consola14.info("");
+    consola18.info("");
   }
   const status = await waitForGrantStatus(idp, grant.id);
   if (status !== "approved")
@@ -1484,7 +2069,7 @@ async function runAudienceMode(audience, action, args) {
   const grantsUrl = await getGrantsEndpoint(idp);
   const command = action.split(" ");
   const targetHost = args.host || hostname3();
-  consola14.info(`Requesting ${audience} grant on ${targetHost}: ${command.join(" ")}`);
+  consola18.info(`Requesting ${audience} grant on ${targetHost}: ${command.join(" ")}`);
   const grant = await apiFetch(grantsUrl, {
     method: "POST",
     body: {
@@ -1497,15 +2082,15 @@ async function runAudienceMode(audience, action, args) {
       ...args.as ? { run_as: args.as } : {}
     }
   });
-  consola14.success(`Grant requested: ${grant.id}`);
-  consola14.info("Waiting for approval...");
+  consola18.success(`Grant requested: ${grant.id}`);
+  consola18.info("Waiting for approval...");
   const maxWait = 3e5;
   const interval = 3e3;
   const start = Date.now();
   while (Date.now() - start < maxWait) {
     const status = await apiFetch(`${grantsUrl}/${grant.id}`);
     if (status.status === "approved") {
-      consola14.success("Grant approved!");
+      consola18.success("Grant approved!");
       break;
     }
     if (status.status === "denied" || status.status === "revoked") {
@@ -1513,12 +2098,12 @@ async function runAudienceMode(audience, action, args) {
     }
     await new Promise((r) => setTimeout(r, interval));
   }
-  consola14.info("Fetching grant token...");
+  consola18.info("Fetching grant token...");
   const { authz_jwt } = await apiFetch(`${grantsUrl}/${grant.id}/token`, {
     method: "POST"
   });
   if (audience === "escapes") {
-    consola14.info(`Executing: ${command.join(" ")}`);
+    consola18.info(`Executing: ${command.join(" ")}`);
     try {
       execFileSync(args["escapes-path"] || "escapes", ["--grant", authz_jwt, "--", ...command], {
         stdio: "inherit"
@@ -1533,9 +2118,8 @@ async function runAudienceMode(audience, action, args) {
 }
 
 // src/commands/explain.ts
-import { defineCommand as defineCommand17 } from "citty";
-import { extractOption as extractOption2, extractWrappedCommand as extractWrappedCommand2, loadAdapter as loadAdapter4, resolveCommand as resolveCommand2 } from "@openape/shapes";
-var explainCommand = defineCommand17({
+import { defineCommand as defineCommand21 } from "citty";
+var explainCommand = defineCommand21({
   meta: {
     name: "explain",
     description: "Show what permission a command would need"
@@ -1552,12 +2136,12 @@ var explainCommand = defineCommand17({
     }
   },
   async run({ rawArgs }) {
-    const command = extractWrappedCommand2(rawArgs ?? []);
+    const command = extractWrappedCommand(rawArgs ?? []);
     if (command.length === 0)
       throw new Error("Missing wrapped command. Usage: apes explain [--adapter <file>] -- <cli> ...");
-    const adapterOpt = extractOption2(rawArgs ?? [], "adapter");
-    const loaded = loadAdapter4(command[0], adapterOpt);
-    const resolved = await resolveCommand2(loaded, command);
+    const adapterOpt = extractOption(rawArgs ?? [], "adapter");
+    const loaded = loadAdapter(command[0], adapterOpt);
+    const resolved = await resolveCommand(loaded, command);
     process.stdout.write(`${JSON.stringify({
       adapter: resolved.adapter.cli.id,
       source: resolved.source,
@@ -1573,9 +2157,9 @@ var explainCommand = defineCommand17({
 });
 
 // src/commands/config/get.ts
-import { defineCommand as defineCommand18 } from "citty";
-import consola15 from "consola";
-var configGetCommand = defineCommand18({
+import { defineCommand as defineCommand22 } from "citty";
+import consola19 from "consola";
+var configGetCommand = defineCommand22({
   meta: {
     name: "get",
     description: "Get a configuration value"
@@ -1595,7 +2179,7 @@ var configGetCommand = defineCommand18({
         if (idp)
           console.log(idp);
         else
-          consola15.info("No IdP configured.");
+          consola19.info("No IdP configured.");
         break;
       }
       case "email": {
@@ -1603,7 +2187,7 @@ var configGetCommand = defineCommand18({
         if (auth?.email)
           console.log(auth.email);
         else
-          consola15.info("Not logged in.");
+          consola19.info("Not logged in.");
         break;
       }
       default: {
@@ -1616,7 +2200,7 @@ var configGetCommand = defineCommand18({
           if (sectionObj && field in sectionObj) {
             console.log(sectionObj[field]);
           } else {
-            consola15.info(`Key "${key}" not set.`);
+            consola19.info(`Key "${key}" not set.`);
           }
         } else {
           throw new CliError(`Unknown key: "${key}". Use: idp, email, defaults.idp, defaults.approval, agent.key, agent.email`);
@@ -1627,9 +2211,9 @@ var configGetCommand = defineCommand18({
 });
 
 // src/commands/config/set.ts
-import { defineCommand as defineCommand19 } from "citty";
-import consola16 from "consola";
-var configSetCommand = defineCommand19({
+import { defineCommand as defineCommand23 } from "citty";
+import consola20 from "consola";
+var configSetCommand = defineCommand23({
   meta: {
     name: "set",
     description: "Set a configuration value"
@@ -1665,12 +2249,12 @@ var configSetCommand = defineCommand19({
       throw new CliError(`Unknown section: "${section}". Use: defaults, agent`);
     }
     saveConfig(config);
-    consola16.success(`Set ${key} = ${value}`);
+    consola20.success(`Set ${key} = ${value}`);
   }
 });
 
 // src/commands/fetch/index.ts
-import { defineCommand as defineCommand20 } from "citty";
+import { defineCommand as defineCommand24 } from "citty";
 async function doRequest(method, url, body, contentType, raw, showHeaders) {
   const token = getAuthToken();
   if (!token) {
@@ -1706,13 +2290,13 @@ async function doRequest(method, url, body, contentType, raw, showHeaders) {
     throw new CliError(`HTTP ${response.status} ${response.statusText}`);
   }
 }
-var fetchCommand = defineCommand20({
+var fetchCommand = defineCommand24({
   meta: {
     name: "fetch",
     description: "Make authenticated HTTP requests"
   },
   subCommands: {
-    get: defineCommand20({
+    get: defineCommand24({
       meta: {
         name: "get",
         description: "GET request with auth token"
@@ -1738,7 +2322,7 @@ var fetchCommand = defineCommand20({
         await doRequest("GET", String(args.url), void 0, "application/json", Boolean(args.raw), Boolean(args.headers));
       }
     }),
-    post: defineCommand20({
+    post: defineCommand24({
       meta: {
         name: "post",
         description: "POST request with auth token"
@@ -1777,8 +2361,8 @@ var fetchCommand = defineCommand20({
 });
 
 // src/commands/mcp/index.ts
-import { defineCommand as defineCommand21 } from "citty";
-var mcpCommand = defineCommand21({
+import { defineCommand as defineCommand25 } from "citty";
+var mcpCommand = defineCommand25({
   meta: {
     name: "mcp",
     description: "Start MCP server for AI agents"
@@ -1801,25 +2385,25 @@ var mcpCommand = defineCommand21({
     if (transport !== "stdio" && transport !== "sse") {
       throw new Error('Transport must be "stdio" or "sse"');
     }
-    const { startMcpServer } = await import("./server-IYR5LM63.js");
+    const { startMcpServer } = await import("./server-UTCZSPCU.js");
     await startMcpServer(transport, port);
   }
 });
 
 // src/commands/init/index.ts
-import { existsSync, copyFileSync, writeFileSync } from "fs";
+import { existsSync as existsSync3, copyFileSync, writeFileSync } from "fs";
 import { randomBytes } from "crypto";
 import { execFileSync as execFileSync2 } from "child_process";
-import { join } from "path";
-import { defineCommand as defineCommand22 } from "citty";
-import consola17 from "consola";
+import { join as join2 } from "path";
+import { defineCommand as defineCommand26 } from "citty";
+import consola21 from "consola";
 var DEFAULT_IDP_URL = "https://id.openape.at";
 async function downloadTemplate(repo, targetDir) {
   const { downloadTemplate: gigetDownload } = await import("giget");
   await gigetDownload(`gh:${repo}`, { dir: targetDir, force: false });
 }
 function installDeps(dir) {
-  const hasLockFile = (name) => existsSync(join(dir, name));
+  const hasLockFile = (name) => existsSync3(join2(dir, name));
   if (hasLockFile("pnpm-lock.yaml")) {
     execFileSync2("pnpm", ["install"], { cwd: dir, stdio: "inherit" });
   } else if (hasLockFile("bun.lockb")) {
@@ -1829,20 +2413,20 @@ function installDeps(dir) {
   }
 }
 async function promptChoice(message, choices) {
-  const result = await consola17.prompt(message, { type: "select", options: choices });
+  const result = await consola21.prompt(message, { type: "select", options: choices });
   if (typeof result === "symbol") {
     throw new CliExit(0);
   }
   return result;
 }
 async function promptText(message, defaultValue) {
-  const result = await consola17.prompt(message, { type: "text", default: defaultValue, placeholder: defaultValue });
+  const result = await consola21.prompt(message, { type: "text", default: defaultValue, placeholder: defaultValue });
   if (typeof result === "symbol") {
     throw new CliExit(0);
   }
   return result || defaultValue || "";
 }
-var initCommand = defineCommand22({
+var initCommand = defineCommand26({
   meta: {
     name: "init",
     description: "Scaffold a new OpenApe project"
@@ -1884,23 +2468,23 @@ var initCommand = defineCommand22({
 });
 async function initSP(targetDir) {
   const dir = targetDir || "my-app";
-  if (existsSync(join(dir, "package.json"))) {
+  if (existsSync3(join2(dir, "package.json"))) {
     throw new CliError(`Directory "${dir}" already contains a project.`);
   }
-  consola17.start("Scaffolding SP starter...");
+  consola21.start("Scaffolding SP starter...");
   await downloadTemplate("openape-ai/openape-sp-starter", dir);
-  consola17.success("Scaffolded from openape-sp-starter");
-  consola17.start("Installing dependencies...");
+  consola21.success("Scaffolded from openape-sp-starter");
+  consola21.start("Installing dependencies...");
   installDeps(dir);
-  consola17.success("Dependencies installed");
-  const envExample = join(dir, ".env.example");
-  const envFile = join(dir, ".env");
-  if (existsSync(envExample) && !existsSync(envFile)) {
+  consola21.success("Dependencies installed");
+  const envExample = join2(dir, ".env.example");
+  const envFile = join2(dir, ".env");
+  if (existsSync3(envExample) && !existsSync3(envFile)) {
     copyFileSync(envExample, envFile);
-    consola17.success(`\`.env\` created (using Free IdP at ${DEFAULT_IDP_URL})`);
+    consola21.success(`\`.env\` created (using Free IdP at ${DEFAULT_IDP_URL})`);
   }
   console.log("");
-  consola17.box([
+  consola21.box([
     `cd ${dir}`,
     "npm run dev",
     "",
@@ -1909,7 +2493,7 @@ async function initSP(targetDir) {
 }
 async function initIdP(targetDir) {
   const dir = targetDir || "my-idp";
-  if (existsSync(join(dir, "package.json"))) {
+  if (existsSync3(join2(dir, "package.json"))) {
     throw new CliError(`Directory "${dir}" already contains a project.`);
   }
   const domain = await promptText("Domain for the IdP", "localhost");
@@ -1919,15 +2503,15 @@ async function initIdP(targetDir) {
     "s3 (S3-compatible)"
   ]);
   const adminEmail = await promptText("Admin email");
-  consola17.start("Scaffolding IdP starter...");
+  consola21.start("Scaffolding IdP starter...");
   await downloadTemplate("openape-ai/openape-idp-starter", dir);
-  consola17.success("Scaffolded from openape-idp-starter");
-  consola17.start("Installing dependencies...");
+  consola21.success("Scaffolded from openape-idp-starter");
+  consola21.start("Installing dependencies...");
   installDeps(dir);
-  consola17.success("Dependencies installed");
+  consola21.success("Dependencies installed");
   const sessionSecret = randomBytes(32).toString("hex");
   const managementToken = randomBytes(32).toString("hex");
-  consola17.success("Secrets generated");
+  consola21.success("Secrets generated");
   const isLocalhost = domain === "localhost";
   const origin = isLocalhost ? "http://localhost:3000" : `https://${domain}`;
   const envContent = [
@@ -1941,11 +2525,11 @@ async function initIdP(targetDir) {
     `NUXT_OPENAPE_RP_ID=${domain}`,
     `NUXT_OPENAPE_RP_ORIGIN=${origin}`
   ].join("\n");
-  writeFileSync(join(dir, ".env"), `${envContent}
+  writeFileSync(join2(dir, ".env"), `${envContent}
 `, { mode: 384 });
-  consola17.success(".env created");
+  consola21.success(".env created");
   console.log("");
-  consola17.box([
+  consola21.box([
     `cd ${dir}`,
     "npm run dev",
     "",
@@ -1962,19 +2546,19 @@ async function initIdP(targetDir) {
 
 // src/commands/enroll.ts
 import { Buffer as Buffer2 } from "buffer";
-import { existsSync as existsSync2, readFileSync, writeFileSync as writeFileSync2, mkdirSync } from "fs";
+import { existsSync as existsSync4, readFileSync as readFileSync2, writeFileSync as writeFileSync2, mkdirSync } from "fs";
 import { execFile as execFile2 } from "child_process";
 import { generateKeyPairSync, sign } from "crypto";
-import { dirname, resolve } from "path";
-import { homedir } from "os";
-import { defineCommand as defineCommand23 } from "citty";
-import consola18 from "consola";
+import { dirname, resolve as resolve2 } from "path";
+import { homedir as homedir4 } from "os";
+import { defineCommand as defineCommand27 } from "citty";
+import consola22 from "consola";
 var DEFAULT_IDP_URL2 = "https://id.openape.at";
 var DEFAULT_KEY_PATH = "~/.ssh/id_ed25519";
 var POLL_INTERVAL = 3e3;
 var POLL_TIMEOUT = 3e5;
-function resolvePath(p) {
-  return resolve(p.replace(/^~/, homedir()));
+function resolvePath2(p) {
+  return resolve2(p.replace(/^~/, homedir4()));
 }
 function openBrowser2(url) {
   const cmd = process.platform === "darwin" ? "open" : process.platform === "win32" ? "start" : "xdg-open";
@@ -1983,10 +2567,10 @@ function openBrowser2(url) {
 }
 function readPublicKey(keyPath) {
   const pubPath = `${keyPath}.pub`;
-  if (existsSync2(pubPath)) {
-    return readFileSync(pubPath, "utf-8").trim();
+  if (existsSync4(pubPath)) {
+    return readFileSync2(pubPath, "utf-8").trim();
   }
-  const keyContent = readFileSync(keyPath, "utf-8");
+  const keyContent = readFileSync2(keyPath, "utf-8");
   const privateKey = loadEd25519PrivateKey(keyContent);
   const jwk = privateKey.export({ format: "jwk" });
   const pubBytes = Buffer2.from(jwk.x, "base64url");
@@ -1999,9 +2583,9 @@ function readPublicKey(keyPath) {
   return `ssh-ed25519 ${blob.toString("base64")}`;
 }
 function generateAndSaveKey(keyPath) {
-  const resolved = resolvePath(keyPath);
+  const resolved = resolvePath2(keyPath);
   const dir = dirname(resolved);
-  if (!existsSync2(dir)) {
+  if (!existsSync4(dir)) {
     mkdirSync(dir, { recursive: true });
   }
   const { publicKey, privateKey } = generateKeyPairSync("ed25519");
@@ -2021,8 +2605,8 @@ function generateAndSaveKey(keyPath) {
   return pubKeyStr;
 }
 async function pollForEnrollment(idp, agentEmail, keyPath) {
-  const resolvedKey = resolvePath(keyPath);
-  const keyContent = readFileSync(resolvedKey, "utf-8");
+  const resolvedKey = resolvePath2(keyPath);
+  const keyContent = readFileSync2(resolvedKey, "utf-8");
   const privateKey = loadEd25519PrivateKey(keyContent);
   const challengeUrl = await getAgentChallengeEndpoint(idp);
   const authenticateUrl = await getAgentAuthenticateEndpoint(idp);
@@ -2049,11 +2633,11 @@ async function pollForEnrollment(idp, agentEmail, keyPath) {
       }
     } catch {
     }
-    await new Promise((resolve2) => setTimeout(resolve2, POLL_INTERVAL));
+    await new Promise((resolve3) => setTimeout(resolve3, POLL_INTERVAL));
   }
   throw new Error("Enrollment timed out. Please check the browser and try again.");
 }
-var enrollCommand = defineCommand23({
+var enrollCommand = defineCommand27({
   meta: {
     name: "enroll",
     description: "Enroll an agent with an Identity Provider"
@@ -2073,38 +2657,38 @@ var enrollCommand = defineCommand23({
     }
   },
   async run({ args }) {
-    const idp = args.idp || await consola18.prompt("IdP URL", { type: "text", default: DEFAULT_IDP_URL2, placeholder: DEFAULT_IDP_URL2 }).then((r) => {
+    const idp = args.idp || await consola22.prompt("IdP URL", { type: "text", default: DEFAULT_IDP_URL2, placeholder: DEFAULT_IDP_URL2 }).then((r) => {
       if (typeof r === "symbol") throw new CliExit(0);
       return r;
     }) || DEFAULT_IDP_URL2;
-    const agentName = args.name || await consola18.prompt("Agent name", { type: "text", placeholder: "deploy-bot" }).then((r) => {
+    const agentName = args.name || await consola22.prompt("Agent name", { type: "text", placeholder: "deploy-bot" }).then((r) => {
       if (typeof r === "symbol") throw new CliExit(0);
       return r;
     });
     if (!agentName) {
       throw new CliError("Agent name is required.");
     }
-    const keyPath = args.key || await consola18.prompt("Ed25519 key", { type: "text", default: DEFAULT_KEY_PATH, placeholder: DEFAULT_KEY_PATH }).then((r) => {
+    const keyPath = args.key || await consola22.prompt("Ed25519 key", { type: "text", default: DEFAULT_KEY_PATH, placeholder: DEFAULT_KEY_PATH }).then((r) => {
       if (typeof r === "symbol") throw new CliExit(0);
       return r;
     }) || DEFAULT_KEY_PATH;
-    const resolvedKey = resolvePath(keyPath);
+    const resolvedKey = resolvePath2(keyPath);
     let publicKey;
-    if (existsSync2(resolvedKey)) {
+    if (existsSync4(resolvedKey)) {
       publicKey = readPublicKey(resolvedKey);
-      consola18.success(`Using existing key ${keyPath}`);
+      consola22.success(`Using existing key ${keyPath}`);
     } else {
-      consola18.start(`Generating Ed25519 key pair at ${keyPath}...`);
+      consola22.start(`Generating Ed25519 key pair at ${keyPath}...`);
       publicKey = generateAndSaveKey(keyPath);
-      consola18.success(`Key pair generated at ${keyPath}`);
+      consola22.success(`Key pair generated at ${keyPath}`);
     }
     const encodedKey = encodeURIComponent(publicKey);
     const enrollUrl = `${idp}/enroll?name=${encodeURIComponent(agentName)}&key=${encodedKey}`;
-    consola18.info("Opening browser for enrollment...");
-    consola18.info(`\u2192 ${idp}/enroll`);
+    consola22.info("Opening browser for enrollment...");
+    consola22.info(`\u2192 ${idp}/enroll`);
     openBrowser2(enrollUrl);
     console.log("");
-    const agentEmail = await consola18.prompt(
+    const agentEmail = await consola22.prompt(
       "Agent email (shown in browser after enrollment)",
       { type: "text", placeholder: `agent+${agentName}@...` }
     ).then((r) => {
@@ -2114,7 +2698,7 @@ var enrollCommand = defineCommand23({
     if (!agentEmail) {
       throw new CliError("Agent email is required to verify enrollment.");
     }
-    consola18.start("Verifying enrollment...");
+    consola22.start("Verifying enrollment...");
     const { token, expiresIn } = await pollForEnrollment(idp, agentEmail, keyPath);
     saveAuth({
       idp,
@@ -2126,18 +2710,81 @@ var enrollCommand = defineCommand23({
     config.defaults = { ...config.defaults, idp };
     config.agent = { key: keyPath, email: agentEmail };
     saveConfig(config);
-    consola18.success(`Agent enrolled as ${agentEmail}`);
-    consola18.success("Config saved to ~/.config/apes/");
+    consola22.success(`Agent enrolled as ${agentEmail}`);
+    consola22.success("Config saved to ~/.config/apes/");
     console.log("");
-    consola18.info("Verify with: apes whoami");
+    consola22.info("Verify with: apes whoami");
+  }
+});
+
+// src/commands/register-user.ts
+import { existsSync as existsSync5, readFileSync as readFileSync3 } from "fs";
+import { defineCommand as defineCommand28 } from "citty";
+import consola23 from "consola";
+var registerUserCommand = defineCommand28({
+  meta: {
+    name: "register-user",
+    description: "Register a sub-user with SSH key"
+  },
+  args: {
+    email: {
+      type: "string",
+      description: "Email for the new user",
+      required: true
+    },
+    name: {
+      type: "string",
+      description: "Name for the new user",
+      required: true
+    },
+    key: {
+      type: "string",
+      description: "Path to SSH public key file or key string",
+      required: true
+    },
+    type: {
+      type: "string",
+      description: "User type: human or agent (default: agent)"
+    }
+  },
+  async run({ args }) {
+    const auth = loadAuth();
+    if (!auth) {
+      throw new CliError("Not authenticated. Run `apes login` first.");
+    }
+    const idp = getIdpUrl();
+    if (!idp) {
+      throw new CliError("No IdP URL configured. Run `apes login` first.");
+    }
+    let publicKey = args.key;
+    if (existsSync5(args.key)) {
+      publicKey = readFileSync3(args.key, "utf-8").trim();
+    }
+    if (!publicKey.startsWith("ssh-ed25519 ")) {
+      throw new CliError("Public key must be in ssh-ed25519 format.");
+    }
+    const userType = args.type;
+    if (userType && userType !== "human" && userType !== "agent") {
+      throw new CliError('Type must be "human" or "agent".');
+    }
+    const result = await apiFetch(`${idp}/api/auth/enroll`, {
+      method: "POST",
+      body: {
+        email: args.email,
+        name: args.name,
+        publicKey,
+        ...userType ? { type: userType } : {}
+      }
+    });
+    consola23.success(`User registered: ${result.email} (type: ${result.type}, owner: ${result.owner})`);
   }
 });
 
 // src/commands/dns-check.ts
-import { defineCommand as defineCommand24 } from "citty";
-import consola19 from "consola";
-import { resolveDDISA } from "@openape/core";
-var dnsCheckCommand = defineCommand24({
+import { defineCommand as defineCommand29 } from "citty";
+import consola24 from "consola";
+import { resolveDDISA as resolveDDISA2 } from "@openape/core";
+var dnsCheckCommand = defineCommand29({
   meta: {
     name: "dns-check",
     description: "Validate DDISA DNS TXT records for a domain"
@@ -2151,16 +2798,16 @@ var dnsCheckCommand = defineCommand24({
   },
   async run({ args }) {
     const domain = args.domain;
-    consola19.start(`Checking _ddisa.${domain}...`);
+    consola24.start(`Checking _ddisa.${domain}...`);
     try {
-      const result = await resolveDDISA(domain);
+      const result = await resolveDDISA2(domain);
       if (!result) {
         console.log("");
         console.log("To set up DDISA, add a DNS TXT record:");
         console.log(`  _ddisa.${domain} TXT "v=ddisa1 idp=https://id.${domain}"`);
         throw new CliError(`No DDISA record found for ${domain}`);
       }
-      consola19.success(`_ddisa.${domain} \u2192 ${result.idp}`);
+      consola24.success(`_ddisa.${domain} \u2192 ${result.idp}`);
       console.log("");
       console.log(`  Version:  ${result.version || "ddisa1"}`);
       console.log(`  IdP URL:  ${result.idp}`);
@@ -2169,14 +2816,14 @@ var dnsCheckCommand = defineCommand24({
       if (result.priority !== void 0)
         console.log(`  Priority: ${result.priority}`);
       console.log("");
-      consola19.start(`Verifying IdP at ${result.idp}...`);
+      consola24.start(`Verifying IdP at ${result.idp}...`);
       const discoResp = await fetch(`${result.idp}/.well-known/openid-configuration`);
       if (!discoResp.ok) {
-        consola19.warn(`IdP discovery failed (${discoResp.status}). Is the IdP running at ${result.idp}?`);
+        consola24.warn(`IdP discovery failed (${discoResp.status}). Is the IdP running at ${result.idp}?`);
         return;
       }
       const disco = await discoResp.json();
-      consola19.success(`IdP is reachable`);
+      consola24.success(`IdP is reachable`);
       console.log(`  Issuer:   ${disco.issuer}`);
       console.log(`  DDISA:    v${disco.ddisa_version || "?"}`);
       if (disco.ddisa_auth_methods_supported) {
@@ -2192,8 +2839,8 @@ var dnsCheckCommand = defineCommand24({
 });
 
 // src/commands/workflows.ts
-import { defineCommand as defineCommand25 } from "citty";
-import consola20 from "consola";
+import { defineCommand as defineCommand30 } from "citty";
+import consola25 from "consola";
 
 // src/guides/index.ts
 var guides = [
@@ -2243,7 +2890,7 @@ var guides = [
 ];
 
 // src/commands/workflows.ts
-var workflowsCommand = defineCommand25({
+var workflowsCommand = defineCommand30({
   meta: {
     name: "workflows",
     description: "Discover workflow guides"
@@ -2264,7 +2911,7 @@ var workflowsCommand = defineCommand25({
     if (args.id) {
       const guide = guides.find((g) => g.id === String(args.id));
       if (!guide) {
-        consola20.info(`Available: ${guides.map((g) => g.id).join(", ")}`);
+        consola25.info(`Available: ${guides.map((g) => g.id).join(", ")}`);
         throw new CliError(`Guide not found: ${args.id}`);
       }
       if (args.json) {
@@ -2308,8 +2955,39 @@ process.stdout.on("error", (err) => {
   if (err.code === "EPIPE") process.exit(0);
   throw err;
 });
+var shellRewrite = rewriteApeShellArgs(process.argv, process.argv0);
+if (shellRewrite) {
+  if (shellRewrite.action === "rewrite") {
+    process.argv = shellRewrite.argv;
+  } else if (shellRewrite.action === "version") {
+    console.log(`ape-shell ${"0.7.1"} (OpenApe DDISA shell wrapper)`);
+    process.exit(0);
+  } else if (shellRewrite.action === "help") {
+    console.log(`ape-shell ${"0.7.1"} \u2014 OpenApe DDISA shell wrapper`);
+    console.log("");
+    console.log("Usage:");
+    console.log("  ape-shell                 Start interactive grant-mediated REPL");
+    console.log("  ape-shell -c <command>    Run a single command through the grant flow");
+    console.log("  ape-shell -i | -l         Force interactive mode");
+    console.log("");
+    console.log("Options:");
+    console.log("  -c <command>    Execute <command> via the apes grant flow and exit");
+    console.log("  -i              Interactive REPL (default when no args are given)");
+    console.log("  -l, --login     Login shell semantics \u2014 currently same as -i");
+    console.log("  --version, -v   Show ape-shell version");
+    console.log("  --help, -h      Show this help message");
+    process.exit(0);
+  } else if (shellRewrite.action === "interactive") {
+    const { runInteractiveShell } = await import("./orchestrator-JAMWD6DD.js");
+    await runInteractiveShell();
+    process.exit(0);
+  } else {
+    console.error("ape-shell: unsupported invocation. Try `ape-shell --help`.");
+    process.exit(1);
+  }
+}
 var debug = process.argv.includes("--debug");
-var grantsCommand = defineCommand26({
+var grantsCommand = defineCommand31({
   meta: {
     name: "grants",
     description: "Grant management"
@@ -2325,10 +3003,11 @@ var grantsCommand = defineCommand26({
     revoke: revokeCommand,
     token: tokenCommand,
     delegate: delegateCommand,
-    delegations: delegationsCommand
+    delegations: delegationsCommand,
+    "delegation-revoke": delegationRevokeCommand
   }
 });
-var configCommand = defineCommand26({
+var configCommand = defineCommand31({
   meta: {
     name: "config",
     description: "Configuration management"
@@ -2338,20 +3017,22 @@ var configCommand = defineCommand26({
     set: configSetCommand
   }
 });
-var main = defineCommand26({
+var main = defineCommand31({
   meta: {
     name: "apes",
-    version: "0.6.0",
+    version: "0.7.1",
     description: "Unified CLI for OpenApe"
   },
   subCommands: {
     init: initCommand,
     enroll: enrollCommand,
+    "register-user": registerUserCommand,
     "dns-check": dnsCheckCommand,
     login: loginCommand,
     logout: logoutCommand,
     whoami: whoamiCommand,
     grants: grantsCommand,
+    admin: adminCommand,
     run: runCommand,
     explain: explainCommand,
     adapter: adapterCommand,
@@ -2366,13 +3047,13 @@ runMain(main).catch((err) => {
     process.exit(err.exitCode);
   }
   if (err instanceof CliError) {
-    consola21.error(err.message);
+    consola26.error(err.message);
     process.exit(err.exitCode);
   }
   if (debug) {
-    consola21.error(err);
+    consola26.error(err);
   } else {
-    consola21.error(err instanceof ApiError ? err.message : err instanceof Error ? err.message : String(err));
+    consola26.error(err instanceof ApiError ? err.message : err instanceof Error ? err.message : String(err));
   }
   process.exit(1);
 });