@openape/apes 0.6.0 → 0.7.1

package/dist/index.d.ts

@@ -1,4 +1,218 @@
-export { AdapterMeta, BuiltGrantRequest, GrantRequestOptions, LoadedAdapter, RegistryEntry, RegistryIndex, ResolvedCapability, ResolvedCommand, ShapesAdapter, ShapesOperation, buildExactCommandGrantRequest, buildStructuredCliGrantRequest, createShapesGrant, extractOption, extractWrappedCommand, fetchGrantToken, fetchRegistry, findAdapter, findConflictingAdapters, findExistingGrant, getInstalledDigest, installAdapter, isInstalled, loadAdapter, removeAdapter, resolveAdapterPath, resolveCapabilityRequest, resolveCommand, searchAdapters, verifyAndExecute, waitForGrantStatus } from '@openape/shapes';
+import { OpenApeGrantRequest, ScopeRiskLevel, OpenApeCliAuthorizationDetail, OpenApeExecutionContext } from '@openape/core';
+
+interface ShapesAdapter {
+    schema: string;
+    cli: {
+        id: string;
+        executable: string;
+        audience?: string;
+        version?: string;
+    };
+    operations: ShapesOperation[];
+}
+interface ShapesOperation {
+    id: string;
+    command: string[];
+    positionals?: string[];
+    required_options?: string[];
+    display: string;
+    action: string;
+    risk: ScopeRiskLevel;
+    resource_chain: string[];
+    exact_command?: boolean;
+}
+interface LoadedAdapter {
+    adapter: ShapesAdapter;
+    source: string;
+    digest: string;
+}
+interface ResolvedCommand {
+    adapter: ShapesAdapter;
+    source: string;
+    digest: string;
+    executable: string;
+    commandArgv: string[];
+    bindings: Record<string, string>;
+    detail: OpenApeCliAuthorizationDetail;
+    executionContext: OpenApeExecutionContext;
+    permission: string;
+}
+interface ResolvedCapability {
+    adapter: ShapesAdapter;
+    source: string;
+    digest: string;
+    executable: string;
+    details: OpenApeCliAuthorizationDetail[];
+    executionContext: OpenApeExecutionContext;
+    permissions: string[];
+    summary: string;
+}
+interface GrantRequestOptions {
+    requester: string;
+    target_host: string;
+    grant_type: 'once' | 'timed' | 'always';
+    reason?: string;
+    run_as?: string;
+}
+interface BuiltGrantRequest {
+    request: OpenApeGrantRequest;
+}
+interface RegistryEntry {
+    id: string;
+    name: string;
+    description: string;
+    category: string;
+    tags: string[];
+    author: string;
+    executable: string;
+    min_shapes_version: string;
+    digest: string;
+    download_url: string;
+}
+interface RegistryIndex {
+    version: number;
+    generated_at: string;
+    adapters: RegistryEntry[];
+}
+interface AdapterMeta {
+    id: string;
+    name: string;
+    description: string;
+    author: string;
+    category: string;
+    tags: string[];
+    executable: string;
+    risk_summary?: string;
+    homepage?: string;
+    min_shapes_version: string;
+}
+
+declare function resolveAdapterPath(cliId: string, explicitPath?: string): string;
+declare function loadAdapter(cliId: string, explicitPath?: string): LoadedAdapter;
+/** Try to load an adapter locally, return null instead of throwing when not found. */
+declare function tryLoadAdapter(cliId: string, explicitPath?: string): LoadedAdapter | null;
+
+/**
+ * Append a single entry to the audit log at ~/.config/apes/audit.jsonl.
+ * Failures are swallowed — the audit log should never break the actual flow.
+ */
+declare function appendAuditLog(entry: {
+    action: string;
+    timestamp?: number;
+} & Record<string, unknown>): void;
+
+/** A parsed shell command string with the executable and its argv extracted. */
+interface ParsedShellCommand {
+    /** The program to run (first token, e.g. "rm") */
+    executable: string;
+    /** Remaining tokens after the executable (e.g. ["-f", "/tmp/foo.txt"]) */
+    argv: string[];
+    /**
+     * true if the command contains compound operators (&&, ||, ;, |),
+     * subshells ($(...)), or backticks. These cannot be safely handled
+     * by the adapter mode and must fall back to the generic shell grant flow.
+     */
+    isCompound: boolean;
+    /** The original command string for display/logging */
+    raw: string;
+}
+/**
+ * Parse a shell command string like `rm /tmp/foo.txt` or `git commit -m "hello"` into
+ * its executable and argv. Uses `shell-quote` to handle quoting correctly.
+ *
+ * Returns null for empty/whitespace-only input.
+ */
+declare function parseShellCommand(raw: string): ParsedShellCommand | null;
+/**
+ * Extract the command string from an `apes run --shell -- bash -c "…"` argv.
+ * Returns null if the argv does not follow that shape.
+ */
+declare function extractShellCommandString(command: string[]): string | null;
+/**
+ * Load an adapter for the given CLI id. If the adapter is not installed locally,
+ * try to fetch it from the shapes registry and auto-install it.
+ *
+ * Returns null when no adapter exists in either location, or when any step fails.
+ * Failures are logged but never thrown — callers should fall back to the generic flow.
+ */
+declare function loadOrInstallAdapter(cliId: string): Promise<LoadedAdapter | null>;
+
+declare function resolveCapabilityRequest(loaded: LoadedAdapter, params: {
+    resources: string[];
+    selectors?: string[];
+    actions: string[];
+}): ResolvedCapability;
+
+declare function extractWrappedCommand(args: string[]): string[];
+declare function extractOption(args: string[], name: string): string | undefined;
+
+interface SimilarGrantsInfo {
+    similar_grants: Array<{
+        grant: {
+            id: string;
+        };
+        similar_detail_indices: number[];
+    }>;
+    widened_details: Array<{
+        permission: string;
+    }>;
+    merged_details: Array<{
+        permission: string;
+    }>;
+}
+declare function createShapesGrant(resolved: ResolvedCommand, params: {
+    idp: string;
+    approval: 'once' | 'timed' | 'always';
+    reason?: string;
+}): Promise<{
+    id: string;
+    status: string;
+    similar_grants?: SimilarGrantsInfo;
+}>;
+declare function waitForGrantStatus(idp: string, grantId: string): Promise<'approved' | 'denied' | 'revoked'>;
+declare function fetchGrantToken(idp: string, grantId: string): Promise<string>;
+/**
+ * One-shot verify + consume + execute. Preserves the legacy behavior of
+ * the `apes run --shell` path so existing callers keep working unchanged.
+ */
+declare function verifyAndExecute(token: string, resolved: ResolvedCommand): Promise<void>;
+declare function findExistingGrant(resolved: ResolvedCommand, idp: string): Promise<string | null>;
+
+declare function resolveCommand(loaded: LoadedAdapter, fullArgv: string[]): Promise<ResolvedCommand>;
+
+declare function buildExactCommandGrantRequest(command: string[], options: GrantRequestOptions & {
+    audience: string;
+}): Promise<BuiltGrantRequest>;
+declare function buildStructuredCliGrantRequest(resolved: ResolvedCommand | ResolvedCapability, options: GrantRequestOptions): Promise<BuiltGrantRequest>;
+
+declare function fetchRegistry(forceRefresh?: boolean): Promise<RegistryIndex>;
+declare function searchAdapters(index: RegistryIndex, query: string): RegistryEntry[];
+/**
+ * Look up a registry entry by its id or its executable field. This lets callers
+ * pass either the registry id ("o365") or the binary name ("o365-cli"); most
+ * adapters have id === executable, but the two can diverge.
+ */
+declare function findAdapter(index: RegistryIndex, idOrExecutable: string): RegistryEntry | undefined;
+
+interface InstallResult {
+    id: string;
+    path: string;
+    digest: string;
+    updated: boolean;
+}
+declare function installAdapter(entry: RegistryEntry, options?: {
+    local?: boolean;
+}): Promise<InstallResult>;
+declare function getInstalledDigest(id: string, local: boolean): string | null;
+declare function isInstalled(id: string, local: boolean): boolean;
+declare function removeAdapter(id: string, local: boolean): boolean;
+interface ConflictingAdapter {
+    file: string;
+    path: string;
+    adapterId: string;
+    executable: string;
+}
+declare function findConflictingAdapters(executable: string, excludeId: string): ConflictingAdapter[];
 
 interface AuthData {
     idp: string;
@@ -54,4 +268,4 @@ declare class CliExit extends Error {
     constructor(exitCode?: number);
 }
 
-export { type ApesConfig, ApiError, type AuthData, CliError, CliExit, apiFetch, clearAuth, discoverEndpoints, getAuthToken, getIdpUrl, getRequesterIdentity, loadAuth, loadConfig, parseDuration, saveAuth, saveConfig };
+export { type AdapterMeta, type ApesConfig, ApiError, type AuthData, type BuiltGrantRequest, CliError, CliExit, type GrantRequestOptions, type LoadedAdapter, type RegistryEntry, type RegistryIndex, type ResolvedCapability, type ResolvedCommand, type ShapesAdapter, type ShapesOperation, apiFetch, appendAuditLog, buildExactCommandGrantRequest, buildStructuredCliGrantRequest, clearAuth, createShapesGrant, discoverEndpoints, extractOption, extractShellCommandString, extractWrappedCommand, fetchGrantToken, fetchRegistry, findAdapter, findConflictingAdapters, findExistingGrant, getAuthToken, getIdpUrl, getInstalledDigest, getRequesterIdentity, installAdapter, isInstalled, loadAdapter, loadAuth, loadConfig, loadOrInstallAdapter, parseDuration, parseShellCommand, removeAdapter, resolveAdapterPath, resolveCapabilityRequest, resolveCommand, saveAuth, saveConfig, searchAdapters, tryLoadAdapter, verifyAndExecute, waitForGrantStatus };

package/dist/index.js

@@ -7,52 +7,57 @@ import {
 import {
   ApiError,
   apiFetch,
-  clearAuth,
-  discoverEndpoints,
-  getAuthToken,
-  getIdpUrl,
-  getRequesterIdentity,
-  loadAuth,
-  loadConfig,
-  saveAuth,
-  saveConfig
-} from "./chunk-KXESKY4X.js";
-
-// src/index.ts
-import {
-  loadAdapter,
-  resolveAdapterPath,
-  resolveCapabilityRequest,
-  resolveCommand,
+  appendAuditLog,
   buildExactCommandGrantRequest,
   buildStructuredCliGrantRequest,
+  createShapesGrant,
+  discoverEndpoints,
+  extractOption,
+  extractShellCommandString,
+  extractWrappedCommand,
+  fetchGrantToken,
   fetchRegistry,
   findAdapter,
-  searchAdapters,
   findConflictingAdapters,
+  findExistingGrant,
   getInstalledDigest,
   installAdapter,
   isInstalled,
+  loadAdapter,
+  loadOrInstallAdapter,
+  parseShellCommand,
   removeAdapter,
-  extractWrappedCommand,
-  extractOption,
-  createShapesGrant,
-  fetchGrantToken,
-  findExistingGrant,
+  resolveAdapterPath,
+  resolveCapabilityRequest,
+  resolveCommand,
+  searchAdapters,
+  tryLoadAdapter,
   verifyAndExecute,
   waitForGrantStatus
-} from "@openape/shapes";
+} from "./chunk-B32ZQP5K.js";
+import {
+  clearAuth,
+  getAuthToken,
+  getIdpUrl,
+  getRequesterIdentity,
+  loadAuth,
+  loadConfig,
+  saveAuth,
+  saveConfig
+} from "./chunk-TBYYREL6.js";
 export {
   ApiError,
   CliError,
   CliExit,
   apiFetch,
+  appendAuditLog,
   buildExactCommandGrantRequest,
   buildStructuredCliGrantRequest,
   clearAuth,
   createShapesGrant,
   discoverEndpoints,
   extractOption,
+  extractShellCommandString,
   extractWrappedCommand,
   fetchGrantToken,
   fetchRegistry,
@@ -68,7 +73,9 @@ export {
   loadAdapter,
   loadAuth,
   loadConfig,
+  loadOrInstallAdapter,
   parseDuration,
+  parseShellCommand,
   removeAdapter,
   resolveAdapterPath,
   resolveCapabilityRequest,
@@ -76,6 +83,7 @@ export {
   saveAuth,
   saveConfig,
   searchAdapters,
+  tryLoadAdapter,
   verifyAndExecute,
   waitForGrantStatus
 };

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../src/index.ts"],"sourcesContent":["// Re-export all shapes library functions\nexport {\n  loadAdapter,\n  resolveAdapterPath,\n  resolveCapabilityRequest,\n  resolveCommand,\n  buildExactCommandGrantRequest,\n  buildStructuredCliGrantRequest,\n  fetchRegistry,\n  findAdapter,\n  searchAdapters,\n  findConflictingAdapters,\n  getInstalledDigest,\n  installAdapter,\n  isInstalled,\n  removeAdapter,\n  extractWrappedCommand,\n  extractOption,\n  createShapesGrant,\n  fetchGrantToken,\n  findExistingGrant,\n  verifyAndExecute,\n  waitForGrantStatus,\n} from '@openape/shapes'\n\nexport type {\n  AdapterMeta,\n  BuiltGrantRequest,\n  GrantRequestOptions,\n  LoadedAdapter,\n  RegistryEntry,\n  RegistryIndex,\n  ResolvedCapability,\n  ResolvedCommand,\n  ShapesAdapter,\n  ShapesOperation,\n} from '@openape/shapes'\n\n// Apes-specific exports\nexport { loadAuth, saveAuth, clearAuth, loadConfig, saveConfig, getIdpUrl, getAuthToken, getRequesterIdentity } from './config'\nexport type { AuthData, ApesConfig } from './config'\nexport { apiFetch, discoverEndpoints, ApiError } from './http'\nexport { parseDuration } from './duration'\nexport { CliError, CliExit } from './errors'\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;AACA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;","names":[]}
+{"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}