@openape/apes 0.6.1 → 0.7.1

package/dist/cli.js

@@ -5,13 +5,13 @@ import {
   parseDuration
 } from "./chunk-ZSJU7IXE.js";
 import {
-  loadEd25519PrivateKey
-} from "./chunk-KVBHBOED.js";
+  loadEd25519PrivateKey,
+  readPublicKeyComment
+} from "./chunk-ION3CWD5.js";
 import {
   ApiError,
   apiFetch,
   buildStructuredCliGrantRequest,
-  clearAuth,
   createShapesGrant,
   extractOption,
   extractShellCommandString,
@@ -23,45 +23,58 @@ import {
   findExistingGrant,
   getAgentAuthenticateEndpoint,
   getAgentChallengeEndpoint,
-  getAuthToken,
   getDelegationsEndpoint,
   getGrantsEndpoint,
-  getIdpUrl,
   getInstalledDigest,
   installAdapter,
   isInstalled,
   loadAdapter,
-  loadAuth,
-  loadConfig,
   loadOrInstallAdapter,
   parseShellCommand,
   removeAdapter,
   resolveCapabilityRequest,
   resolveCommand,
-  saveAuth,
-  saveConfig,
   searchAdapters,
   verifyAndExecute,
   waitForGrantStatus
-} from "./chunk-G3Q2TMAI.js";
+} from "./chunk-B32ZQP5K.js";
+import {
+  clearAuth,
+  getAuthToken,
+  getIdpUrl,
+  loadAuth,
+  loadConfig,
+  saveAuth,
+  saveConfig
+} from "./chunk-TBYYREL6.js";
 
 // src/cli.ts
-import consola25 from "consola";
+import consola26 from "consola";
 
 // src/ape-shell.ts
 import path from "path";
-function rewriteApeShellArgs(argv) {
-  const invokedAs = path.basename(argv[1] ?? "");
-  if (invokedAs !== "ape-shell" && invokedAs !== "ape-shell.js")
+function rewriteApeShellArgs(argv, argv0) {
+  const rawInvokedAs = argv[1] ?? "";
+  const dashFromArgv1 = rawInvokedAs.startsWith("-");
+  const dashFromArgv0 = typeof argv0 === "string" && argv0.startsWith("-");
+  const looksLikeLoginShell = dashFromArgv1 || dashFromArgv0;
+  const normalizedInvokedAs = dashFromArgv1 ? rawInvokedAs.slice(1) : rawInvokedAs;
+  const invokedAs = path.basename(normalizedInvokedAs);
+  const wrapperEnv = typeof process !== "undefined" && process.env?.APES_SHELL_WRAPPER === "1";
+  const argvMatch = invokedAs === "ape-shell" || invokedAs === "ape-shell.js";
+  if (!wrapperEnv && !argvMatch)
     return null;
   const shellArgs = argv.slice(2);
   if (shellArgs[0] === "-c" && shellArgs.length > 1) {
     return { action: "rewrite", argv: [argv[0], argv[1], "run", "--shell", "--", "bash", "-c", ...shellArgs.slice(1)] };
   }
-  if (shellArgs[0] === "--version")
+  if (shellArgs[0] === "--version" || shellArgs[0] === "-v")
     return { action: "version" };
   if (shellArgs[0] === "--help" || shellArgs[0] === "-h")
     return { action: "help" };
+  if (shellArgs.length === 0 || shellArgs[0] === "-i" || shellArgs[0] === "-l" || shellArgs[0] === "--login" || looksLikeLoginShell) {
+    return { action: "interactive" };
+  }
   return { action: "error" };
 }
 
@@ -72,9 +85,74 @@ import { defineCommand as defineCommand31, runMain } from "citty";
 import { Buffer } from "buffer";
 import { execFile } from "child_process";
 import { createServer } from "http";
+import { homedir as homedir2 } from "os";
+import { resolve as resolvePath } from "path";
 import { defineCommand } from "citty";
 import { generateCodeChallenge, generateCodeVerifier } from "@openape/core";
+import consola2 from "consola";
+
+// src/commands/auth/resolve-login.ts
+import { existsSync } from "fs";
+import { homedir } from "os";
+import { join } from "path";
+import { resolveDDISA } from "@openape/core";
 import consola from "consola";
+var DEFAULT_KEY = join(homedir(), ".ssh", "id_ed25519");
+async function resolveLoginInputs(flags) {
+  const config = loadConfig();
+  let keyPath;
+  if (!flags.browser) {
+    if (flags.key) {
+      keyPath = flags.key;
+    } else if (process.env.APES_KEY) {
+      keyPath = process.env.APES_KEY;
+      consola.info(`Using key from APES_KEY: ${keyPath}`);
+    } else if (config.agent?.key) {
+      keyPath = config.agent.key;
+      consola.info(`Using key from config: ${keyPath}`);
+    } else if (existsSync(DEFAULT_KEY)) {
+      keyPath = DEFAULT_KEY;
+      consola.info(`Using default key: ${keyPath}`);
+    }
+  }
+  let email;
+  if (flags.email) {
+    email = flags.email;
+  } else if (process.env.APES_EMAIL) {
+    email = process.env.APES_EMAIL;
+  } else if (config.agent?.email) {
+    email = config.agent.email;
+  } else if (keyPath) {
+    const comment = readPublicKeyComment(`${keyPath}.pub`);
+    if (comment && comment.includes("@")) {
+      email = comment;
+      consola.info(`Using email from ${keyPath}.pub comment: ${email}`);
+    }
+  }
+  let idp;
+  if (flags.idp) {
+    idp = flags.idp;
+  } else if (process.env.APES_IDP) {
+    idp = process.env.APES_IDP;
+  } else if (process.env.GRAPES_IDP) {
+    idp = process.env.GRAPES_IDP;
+  } else if (config.defaults?.idp) {
+    idp = config.defaults.idp;
+  } else if (email && email.includes("@")) {
+    const domain = email.split("@")[1];
+    try {
+      const record = await resolveDDISA(domain);
+      if (record?.idp) {
+        idp = record.idp;
+        consola.info(`Discovered IdP via DDISA (_ddisa.${domain}): ${idp}`);
+      }
+    } catch {
+    }
+  }
+  return { keyPath, email, idp };
+}
+
+// src/commands/auth/login.ts
 var CALLBACK_PORT = 9876;
 var CLIENT_ID = "grapes-cli";
 var loginCommand = defineCommand({
@@ -85,27 +163,56 @@ var loginCommand = defineCommand({
   args: {
     idp: {
       type: "string",
-      description: "IdP URL (e.g. https://id.openape.at)"
+      description: "IdP URL (e.g. https://id.openape.at). Auto-discovered via DDISA DNS if omitted."
     },
     key: {
       type: "string",
-      description: "Path to agent private key (agent mode)"
+      description: "Path to agent private key. Defaults to ~/.ssh/id_ed25519 if present."
     },
     email: {
       type: "string",
-      description: "Agent email (for DNS discovery)"
+      description: "Agent email. Extracted from <key>.pub comment if omitted."
+    },
+    browser: {
+      type: "boolean",
+      description: "Force browser (PKCE) login even if an SSH key exists"
     }
   },
   async run({ args }) {
-    const config = loadConfig();
-    const idp = args.idp || process.env.APES_IDP || process.env.GRAPES_IDP || config.defaults?.idp;
-    if (!idp) {
-      throw new CliError("IdP URL required. Use --idp <url> or set APES_IDP.");
-    }
-    if (args.key) {
-      await loginWithKey(idp, args.key, args.email);
+    const resolved = await resolveLoginInputs({
+      key: args.key,
+      idp: args.idp,
+      email: args.email,
+      browser: args.browser
+    });
+    if (resolved.keyPath) {
+      if (!resolved.email) {
+        throw new CliError(
+          `Agent email required for key-based login. Add an email comment to ${resolved.keyPath}.pub (ssh-keygen -C <email>) or pass --email <agent-email>.`
+        );
+      }
+      if (!resolved.idp) {
+        const domain = resolved.email.split("@")[1];
+        throw new CliError(
+          `No IdP found for ${resolved.email}.
+
+There is no DDISA TXT record for ${domain} and no --idp was provided.
+
+Options:
+  \u2022 Run your own IdP (recommended for production)
+    See: https://docs.openape.at
+  \u2022 Publish a DDISA TXT record for your domain:
+    _ddisa.${domain} TXT "v=ddisa1 idp=https://your-idp.example"
+  \u2022 Use OpenApe's free hosted IdP for testing:
+    apes login --idp https://id.openape.at`
+        );
+      }
+      await loginWithKey(resolved.idp, resolved.keyPath, resolved.email);
     } else {
-      await loginWithPKCE(idp);
+      if (!resolved.idp) {
+        throw new CliError("IdP URL required for browser login. Use --idp <url> or set APES_IDP.");
+      }
+      await loginWithPKCE(resolved.idp);
     }
   }
 });
@@ -157,7 +264,12 @@ async function loginWithPKCE(idp) {
       }
     });
     server.listen(CALLBACK_PORT, () => {
-      consola.info(`Opening browser for login at ${idp}...`);
+      console.log("");
+      console.log("Visit the following URL in a browser to authenticate:");
+      console.log("");
+      console.log(`  ${authUrl.toString()}`);
+      console.log("");
+      consola2.info(`Waiting for authentication callback on ${redirectUri} ...`);
       openBrowser(authUrl.toString());
     });
     const timeout = setTimeout(() => {
@@ -194,16 +306,12 @@ async function loginWithPKCE(idp) {
     email: payload.email || payload.sub,
     expires_at: Math.floor(Date.now() / 1e3) + (tokens.expires_in || 3600)
   });
-  consola.success(`Logged in as ${payload.email || payload.sub}`);
+  consola2.success(`Logged in as ${payload.email || payload.sub}`);
 }
-async function loginWithKey(idp, keyPath, email) {
+async function loginWithKey(idp, keyPath, agentEmail) {
   const { readFileSync: readFileSync4 } = await import("fs");
   const { sign: sign2 } = await import("crypto");
-  const { loadEd25519PrivateKey: loadEd25519PrivateKey2 } = await import("./ssh-key-Q7KG4K25.js");
-  const agentEmail = email;
-  if (!agentEmail) {
-    throw new CliError("Agent email required for key-based login. Use --email <agent-email>");
-  }
+  const { loadEd25519PrivateKey: loadEd25519PrivateKey2 } = await import("./ssh-key-YBNNG5K5.js");
   const challengeUrl = await getAgentChallengeEndpoint(idp);
   const challengeResp = await fetch(challengeUrl, {
     method: "POST",
@@ -237,12 +345,23 @@ async function loginWithKey(idp, keyPath, email) {
     email: agentEmail,
     expires_at: Math.floor(Date.now() / 1e3) + (expires_in || 3600)
   });
-  consola.success(`Logged in as ${agentEmail}`);
+  const absoluteKeyPath = resolvePath(keyPath.replace(/^~/, homedir2()));
+  const existingConfig = loadConfig();
+  saveConfig({
+    ...existingConfig,
+    agent: {
+      ...existingConfig.agent,
+      key: absoluteKeyPath,
+      email: agentEmail
+    }
+  });
+  consola2.success(`Logged in as ${agentEmail}`);
+  consola2.info(`Auto-refresh enabled (key path saved to ~/.config/apes/config.toml)`);
 }
 
 // src/commands/auth/logout.ts
 import { defineCommand as defineCommand2 } from "citty";
-import consola2 from "consola";
+import consola3 from "consola";
 var logoutCommand = defineCommand2({
   meta: {
     name: "logout",
@@ -250,13 +369,13 @@ var logoutCommand = defineCommand2({
   },
   run() {
     clearAuth();
-    consola2.success("Logged out.");
+    consola3.success("Logged out.");
   }
 });
 
 // src/commands/auth/whoami.ts
 import { defineCommand as defineCommand3 } from "citty";
-import consola3 from "consola";
+import consola4 from "consola";
 var whoamiCommand = defineCommand3({
   meta: {
     name: "whoami",
@@ -275,14 +394,14 @@ var whoamiCommand = defineCommand3({
     console.log(`IdP:   ${auth.idp}`);
     console.log(`Token: ${isExpired ? "\u26A0 EXPIRED" : "valid"} (until ${expiresAt})`);
     if (isExpired) {
-      consola3.warn("Token is expired. Run `apes login` to re-authenticate.");
+      consola4.warn("Token is expired. Run `apes login` to re-authenticate.");
     }
   }
 });
 
 // src/commands/grants/list.ts
 import { defineCommand as defineCommand4 } from "citty";
-import consola4 from "consola";
+import consola5 from "consola";
 var listCommand = defineCommand4({
   meta: {
     name: "list",
@@ -331,7 +450,7 @@ var listCommand = defineCommand4({
       return;
     }
     if (grants.length === 0) {
-      consola4.info(args.all ? "No grants found." : "No grants found. Use --all to see all visible grants.");
+      consola5.info(args.all ? "No grants found." : "No grants found. Use --all to see all visible grants.");
       return;
     }
     for (const grant of grants) {
@@ -343,14 +462,14 @@ var listCommand = defineCommand4({
       }
     }
     if (response.pagination.has_more) {
-      consola4.info("More results available. Use --limit or pagination cursor.");
+      consola5.info("More results available. Use --limit or pagination cursor.");
     }
   }
 });
 
 // src/commands/grants/inbox.ts
 import { defineCommand as defineCommand5 } from "citty";
-import consola5 from "consola";
+import consola6 from "consola";
 var inboxCommand = defineCommand5({
   meta: {
     name: "inbox",
@@ -389,10 +508,10 @@ var inboxCommand = defineCommand5({
       return;
     }
     if (grants.length === 0) {
-      consola5.info("No pending grants to approve.");
+      consola6.info("No pending grants to approve.");
       return;
     }
-    consola5.info(`${grants.length} grant(s) awaiting approval:
+    consola6.info(`${grants.length} grant(s) awaiting approval:
 `);
     for (const grant of grants) {
       const cmd = grant.request?.command?.join(" ") || "(no command)";
@@ -407,7 +526,7 @@ var inboxCommand = defineCommand5({
       }
       console.log();
     }
-    consola5.info("Use `apes grants approve <id>` or `apes grants deny <id>` to respond.");
+    consola6.info("Use `apes grants approve <id>` or `apes grants deny <id>` to respond.");
   }
 });
 
@@ -463,7 +582,7 @@ var statusCommand = defineCommand6({
 // src/commands/grants/request.ts
 import { hostname } from "os";
 import { defineCommand as defineCommand7 } from "citty";
-import consola6 from "consola";
+import consola7 from "consola";
 var requestCommand = defineCommand7({
   meta: {
     name: "request",
@@ -530,9 +649,9 @@ var requestCommand = defineCommand7({
         ...args["run-as"] ? { run_as: args["run-as"] } : {}
       }
     });
-    consola6.success(`Grant requested: ${grant.id} (status: ${grant.status})`);
+    consola7.success(`Grant requested: ${grant.id} (status: ${grant.status})`);
     if (args.wait) {
-      consola6.info("Waiting for approval...");
+      consola7.info("Waiting for approval...");
       await waitForApproval(grantsUrl, grant.id);
     }
   }
@@ -544,7 +663,7 @@ async function waitForApproval(grantsUrl, grantId) {
   while (Date.now() - start < maxWait) {
     const grant = await apiFetch(`${grantsUrl}/${grantId}`);
     if (grant.status === "approved") {
-      consola6.success("Grant approved!");
+      consola7.success("Grant approved!");
       return;
     }
     if (grant.status === "denied") {
@@ -561,7 +680,7 @@ async function waitForApproval(grantsUrl, grantId) {
 // src/commands/grants/request-capability.ts
 import { hostname as hostname2 } from "os";
 import { defineCommand as defineCommand8 } from "citty";
-import consola7 from "consola";
+import consola8 from "consola";
 function parseCapabilityArgs(rawArgs) {
   const tokens = [...rawArgs];
   if (tokens[0] === "request-capability") {
@@ -668,7 +787,7 @@ async function waitForApproval2(grantsUrl, grantId) {
   while (Date.now() - start < maxWait) {
     const grant = await apiFetch(`${grantsUrl}/${grantId}`);
     if (grant.status === "approved") {
-      consola7.success("Grant approved!");
+      consola8.success("Grant approved!");
       return;
     }
     if (grant.status === "denied") {
@@ -769,9 +888,9 @@ var requestCapabilityCommand = defineCommand8({
       idp,
       body: request
     });
-    consola7.success(`Grant requested: ${grant.id} (status: ${grant.status})`);
+    consola8.success(`Grant requested: ${grant.id} (status: ${grant.status})`);
     if (parsed.wait) {
-      consola7.info("Waiting for approval...");
+      consola8.info("Waiting for approval...");
       await waitForApproval2(grantsUrl, grant.id);
     }
   }
@@ -779,7 +898,7 @@ var requestCapabilityCommand = defineCommand8({
 
 // src/commands/grants/approve.ts
 import { defineCommand as defineCommand9 } from "citty";
-import consola8 from "consola";
+import consola9 from "consola";
 var approveCommand = defineCommand9({
   meta: {
     name: "approve",
@@ -798,13 +917,13 @@ var approveCommand = defineCommand9({
     await apiFetch(`${grantsUrl}/${args.id}/approve`, {
       method: "POST"
     });
-    consola8.success(`Grant ${args.id} approved.`);
+    consola9.success(`Grant ${args.id} approved.`);
   }
 });
 
 // src/commands/grants/deny.ts
 import { defineCommand as defineCommand10 } from "citty";
-import consola9 from "consola";
+import consola10 from "consola";
 var denyCommand = defineCommand10({
   meta: {
     name: "deny",
@@ -823,13 +942,13 @@ var denyCommand = defineCommand10({
     await apiFetch(`${grantsUrl}/${args.id}/deny`, {
       method: "POST"
     });
-    consola9.success(`Grant ${args.id} denied.`);
+    consola10.success(`Grant ${args.id} denied.`);
   }
 });
 
 // src/commands/grants/revoke.ts
 import { defineCommand as defineCommand11 } from "citty";
-import consola10 from "consola";
+import consola11 from "consola";
 var revokeCommand = defineCommand11({
   meta: {
     name: "revoke",
@@ -858,11 +977,11 @@ var revokeCommand = defineCommand11({
     const idp = getIdpUrl();
     const grantsUrl = await getGrantsEndpoint(idp);
     if (args.debug) {
-      consola10.debug(`idp: ${idp}`);
-      consola10.debug(`grantsUrl: ${grantsUrl}`);
-      consola10.debug(`auth.email: ${auth?.email}`);
-      consola10.debug(`auth.expires_at: ${auth?.expires_at} (now: ${Math.floor(Date.now() / 1e3)})`);
-      consola10.debug(`getAuthToken(): ${token ? `${token.substring(0, 20)}...` : "NULL"}`);
+      consola11.debug(`idp: ${idp}`);
+      consola11.debug(`grantsUrl: ${grantsUrl}`);
+      consola11.debug(`auth.email: ${auth?.email}`);
+      consola11.debug(`auth.expires_at: ${auth?.expires_at} (now: ${Math.floor(Date.now() / 1e3)})`);
+      consola11.debug(`getAuthToken(): ${token ? `${token.substring(0, 20)}...` : "NULL"}`);
     }
     if (!auth || !token) {
       throw new CliError("Authentication required. Run `apes login` and try again.");
@@ -880,11 +999,11 @@ var revokeCommand = defineCommand11({
       );
       const ownPending = auth2?.email ? response.data.filter((g) => g.request?.requester === auth2.email) : response.data;
       if (ownPending.length === 0) {
-        consola10.info("No pending grants to revoke.");
+        consola11.info("No pending grants to revoke.");
         return;
       }
       ids = ownPending.map((g) => g.id);
-      consola10.info(`Found ${ids.length} pending grant(s) to revoke.`);
+      consola11.info(`Found ${ids.length} pending grant(s) to revoke.`);
     } else if (explicitIds.length > 0) {
       ids = explicitIds;
     } else {
@@ -892,7 +1011,7 @@ var revokeCommand = defineCommand11({
     }
     if (ids.length === 1) {
       await apiFetch(`${grantsUrl}/${ids[0]}/revoke`, { method: "POST", token });
-      consola10.success(`Grant ${ids[0]} revoked.`);
+      consola11.success(`Grant ${ids[0]} revoked.`);
       return;
     }
     const operations = ids.map((id) => ({ id, action: "revoke" }));
@@ -903,16 +1022,16 @@ var revokeCommand = defineCommand11({
     let succeeded = 0;
     for (const r of results) {
       if (r.success) {
-        consola10.success(`Grant ${r.id} revoked.`);
+        consola11.success(`Grant ${r.id} revoked.`);
         succeeded++;
       } else {
-        consola10.error(`Grant ${r.id}: ${r.error?.title || "Failed"}`);
+        consola11.error(`Grant ${r.id}: ${r.error?.title || "Failed"}`);
       }
     }
     if (succeeded < results.length) {
       throw new CliError(`Revoked ${succeeded} of ${results.length} grants.`);
     } else {
-      consola10.success(`All ${succeeded} grants revoked.`);
+      consola11.success(`All ${succeeded} grants revoked.`);
     }
   }
 });
@@ -946,7 +1065,7 @@ var tokenCommand = defineCommand12({
 
 // src/commands/grants/delegate.ts
 import { defineCommand as defineCommand13 } from "citty";
-import consola11 from "consola";
+import consola12 from "consola";
 var delegateCommand = defineCommand13({
   meta: {
     name: "delegate",
@@ -999,7 +1118,7 @@ var delegateCommand = defineCommand13({
       method: "POST",
       body
     });
-    consola11.success(`Delegation created: ${result.id}`);
+    consola12.success(`Delegation created: ${result.id}`);
     console.log(`  Delegate: ${args.to}`);
     console.log(`  Audience: ${args.at}`);
     if (args.scopes)
@@ -1012,7 +1131,7 @@ var delegateCommand = defineCommand13({
 
 // src/commands/grants/delegations.ts
 import { defineCommand as defineCommand14 } from "citty";
-import consola12 from "consola";
+import consola13 from "consola";
 var delegationsCommand = defineCommand14({
   meta: {
     name: "delegations",
@@ -1035,7 +1154,7 @@ var delegationsCommand = defineCommand14({
       return;
     }
     if (delegations.length === 0) {
-      consola12.info("No delegations found.");
+      consola13.info("No delegations found.");
       return;
     }
     for (const d of delegations) {
@@ -1048,7 +1167,7 @@ var delegationsCommand = defineCommand14({
 
 // src/commands/grants/delegation-revoke.ts
 import { defineCommand as defineCommand15 } from "citty";
-import consola13 from "consola";
+import consola14 from "consola";
 var delegationRevokeCommand = defineCommand15({
   meta: {
     name: "delegation-revoke",
@@ -1072,7 +1191,7 @@ var delegationRevokeCommand = defineCommand15({
       `${delegationsUrl}/${id}`,
       { method: "DELETE" }
     );
-    consola13.success(`Delegation ${result.id} revoked.`);
+    consola14.success(`Delegation ${result.id} revoked.`);
   }
 });
 
@@ -1081,7 +1200,7 @@ import { defineCommand as defineCommand18 } from "citty";
 
 // src/commands/admin/users.ts
 import { defineCommand as defineCommand16 } from "citty";
-import consola14 from "consola";
+import consola15 from "consola";
 function getManagementToken() {
   const token = process.env.APES_MANAGEMENT_TOKEN;
   if (!token) {
@@ -1131,7 +1250,7 @@ var usersListCommand = defineCommand16({
       return;
     }
     if (result.data.length === 0) {
-      consola14.info("No users found.");
+      consola15.info("No users found.");
       return;
     }
     for (const u of result.data) {
@@ -1140,7 +1259,7 @@ var usersListCommand = defineCommand16({
       console.log(`${u.email}  ${u.name}${owner}${active}`);
     }
     if (result.pagination.has_more) {
-      consola14.info(`More results available. Use --cursor="${result.pagination.cursor}" to see next page.`);
+      consola15.info(`More results available. Use --cursor="${result.pagination.cursor}" to see next page.`);
     }
   }
 });
@@ -1175,7 +1294,7 @@ var usersCreateCommand = defineCommand16({
         token
       }
     );
-    consola14.success(`User created: ${result.email} (${result.name})`);
+    consola15.success(`User created: ${result.email} (${result.name})`);
   }
 });
 var usersDeleteCommand = defineCommand16({
@@ -1201,16 +1320,16 @@ var usersDeleteCommand = defineCommand16({
       method: "DELETE",
       token
     });
-    consola14.success(`User deleted: ${email}`);
+    consola15.success(`User deleted: ${email}`);
   }
 });
 
 // src/commands/admin/ssh-keys.ts
-import { existsSync, readFileSync } from "fs";
+import { existsSync as existsSync2, readFileSync } from "fs";
 import { resolve } from "path";
-import { homedir } from "os";
+import { homedir as homedir3 } from "os";
 import { defineCommand as defineCommand17 } from "citty";
-import consola15 from "consola";
+import consola16 from "consola";
 function getManagementToken2() {
   const token = process.env.APES_MANAGEMENT_TOKEN;
   if (!token) {
@@ -1251,7 +1370,7 @@ var sshKeysListCommand = defineCommand17({
       return;
     }
     if (keys.length === 0) {
-      consola15.info(`No SSH keys found for ${email}.`);
+      consola16.info(`No SSH keys found for ${email}.`);
       return;
     }
     for (const k of keys) {
@@ -1287,8 +1406,8 @@ var sshKeysAddCommand = defineCommand17({
     }
     const token = getManagementToken2();
     let publicKey = args.key;
-    const resolved = resolve(args.key.replace(/^~/, homedir()));
-    if (existsSync(resolved)) {
+    const resolved = resolve(args.key.replace(/^~/, homedir3()));
+    if (existsSync2(resolved)) {
       publicKey = readFileSync(resolved, "utf-8").trim();
     }
     const body = { publicKey };
@@ -1303,7 +1422,7 @@ var sshKeysAddCommand = defineCommand17({
         token
       }
     );
-    consola15.success(`SSH key added: ${result.keyId} (${result.name})`);
+    consola16.success(`SSH key added: ${result.keyId} (${result.name})`);
   }
 });
 var sshKeysDeleteCommand = defineCommand17({
@@ -1337,7 +1456,7 @@ var sshKeysDeleteCommand = defineCommand17({
         token
       }
     );
-    consola15.success(`SSH key deleted: ${keyId}`);
+    consola16.success(`SSH key deleted: ${keyId}`);
   }
 });
 
@@ -1377,7 +1496,7 @@ var adminCommand = defineCommand18({
 
 // src/commands/adapter/index.ts
 import { defineCommand as defineCommand19 } from "citty";
-import consola16 from "consola";
+import consola17 from "consola";
 var adapterCommand = defineCommand19({
   meta: {
     name: "adapter",
@@ -1415,7 +1534,7 @@ var adapterCommand = defineCommand19({
 `);
             return;
           }
-          consola16.info(`Registry: ${index2.adapters.length} adapters (${index2.generated_at})`);
+          consola17.info(`Registry: ${index2.adapters.length} adapters (${index2.generated_at})`);
           for (const a of index2.adapters) {
             const installed = isInstalled(a.id, false) ? " [installed]" : "";
             console.log(`  ${a.id.padEnd(12)} ${a.name.padEnd(24)} ${a.category}${installed}`);
@@ -1437,7 +1556,7 @@ var adapterCommand = defineCommand19({
           return;
         }
         if (local.length === 0) {
-          consola16.info("No adapters installed. Use `apes adapter list --remote` to see available adapters.");
+          consola17.info("No adapters installed. Use `apes adapter list --remote` to see available adapters.");
           return;
         }
         for (const a of local) {
@@ -1474,20 +1593,20 @@ var adapterCommand = defineCommand19({
         for (const id of ids) {
           const entry = findAdapter(index, id);
           if (!entry) {
-            consola16.error(`Adapter "${id}" not found in registry. Use \`apes adapter search ${id}\` to search.`);
+            consola17.error(`Adapter "${id}" not found in registry. Use \`apes adapter search ${id}\` to search.`);
             continue;
           }
           const conflicts = findConflictingAdapters(entry.executable, id);
           if (conflicts.length > 0) {
             for (const c of conflicts) {
-              consola16.warn(`Conflicting adapter found: ${c.path} (id: ${c.adapterId}, executable: ${c.executable})`);
-              consola16.warn(`  Remove it with: apes adapter remove ${c.adapterId}`);
+              consola17.warn(`Conflicting adapter found: ${c.path} (id: ${c.adapterId}, executable: ${c.executable})`);
+              consola17.warn(`  Remove it with: apes adapter remove ${c.adapterId}`);
             }
           }
           const result = await installAdapter(entry, { local });
           const verb = result.updated ? "Updated" : "Installed";
-          consola16.success(`${verb} ${result.id} \u2192 ${result.path}`);
-          consola16.info(`Digest: ${result.digest}`);
+          consola17.success(`${verb} ${result.id} \u2192 ${result.path}`);
+          consola17.info(`Digest: ${result.digest}`);
         }
       }
     }),
@@ -1514,9 +1633,9 @@ var adapterCommand = defineCommand19({
         let failed = false;
         for (const id of ids) {
           if (removeAdapter(id, local)) {
-            consola16.success(`Removed adapter: ${id}`);
+            consola17.success(`Removed adapter: ${id}`);
           } else {
-            consola16.error(`Adapter "${id}" is not installed${local ? " locally" : ""}`);
+            consola17.error(`Adapter "${id}" is not installed${local ? " locally" : ""}`);
             failed = true;
           }
         }
@@ -1598,7 +1717,7 @@ var adapterCommand = defineCommand19({
           return;
         }
         if (results.length === 0) {
-          consola16.info(`No adapters matching "${query}"`);
+          consola17.info(`No adapters matching "${query}"`);
           return;
         }
         for (const a of results) {
@@ -1633,29 +1752,29 @@ var adapterCommand = defineCommand19({
         const targetId = args.id ? String(args.id) : void 0;
         const targets = targetId ? [targetId] : index.adapters.map((a) => a.id).filter((id) => isInstalled(id, false));
         if (targets.length === 0) {
-          consola16.info("No adapters installed to update.");
+          consola17.info("No adapters installed to update.");
           return;
         }
         for (const id of targets) {
           const entry = findAdapter(index, id);
           if (!entry) {
-            consola16.warn(`${id}: not found in registry, skipping`);
+            consola17.warn(`${id}: not found in registry, skipping`);
             continue;
           }
           const localDigest = getInstalledDigest(id, false);
           if (localDigest === entry.digest) {
-            consola16.info(`${id}: already up to date`);
+            consola17.info(`${id}: already up to date`);
             continue;
           }
           if (localDigest && !args.yes) {
-            consola16.warn(`${id}: digest will change \u2014 existing grants for this adapter will be invalidated`);
-            consola16.info(`  Old: ${localDigest}`);
-            consola16.info(`  New: ${entry.digest}`);
-            consola16.info("  Use --yes to confirm");
+            consola17.warn(`${id}: digest will change \u2014 existing grants for this adapter will be invalidated`);
+            consola17.info(`  Old: ${localDigest}`);
+            consola17.info(`  New: ${entry.digest}`);
+            consola17.info("  Use --yes to confirm");
             continue;
           }
           const result = await installAdapter(entry);
-          consola16.success(`Updated ${result.id} \u2192 ${result.path}`);
+          consola17.success(`Updated ${result.id} \u2192 ${result.path}`);
         }
       }
     }),
@@ -1692,7 +1811,7 @@ var adapterCommand = defineCommand19({
         if (!localDigest)
           throw new Error(`Adapter "${id}" is not installed${local ? " locally" : ""}`);
         if (localDigest === entry.digest) {
-          consola16.success(`${id}: digest matches registry`);
+          consola17.success(`${id}: digest matches registry`);
         } else {
           console.log(`  Local:    ${localDigest}`);
           console.log(`  Registry: ${entry.digest}`);
@@ -1706,8 +1825,9 @@ var adapterCommand = defineCommand19({
 // src/commands/run.ts
 import { execFileSync } from "child_process";
 import { hostname as hostname3 } from "os";
+import { basename } from "path";
 import { defineCommand as defineCommand20 } from "citty";
-import consola17 from "consola";
+import consola18 from "consola";
 var runCommand = defineCommand20({
   meta: {
     name: "run",
@@ -1795,7 +1915,7 @@ async function runShellMode(command, args) {
     }
   } catch {
   }
-  consola17.info(`Requesting ape-shell session grant on ${targetHost}`);
+  consola18.info(`Requesting ape-shell session grant on ${targetHost}`);
   const grant = await apiFetch(grantsUrl, {
     method: "POST",
     body: {
@@ -1807,8 +1927,8 @@ async function runShellMode(command, args) {
       reason: `Shell session: ${command.join(" ").slice(0, 100)}`
     }
   });
-  consola17.info(`Grant requested: ${grant.id}`);
-  consola17.info("Waiting for approval...");
+  consola18.info(`Grant requested: ${grant.id}`);
+  consola18.info("Waiting for approval...");
   const maxWait = 3e5;
   const interval = 3e3;
   const start = Date.now();
@@ -1830,17 +1950,18 @@ async function tryAdapterModeFromShell(command, idp, args) {
   if (parsed.isCompound) return false;
   const loaded = await loadOrInstallAdapter(parsed.executable);
   if (!loaded) return false;
+  const normalizedExecutable = basename(parsed.executable);
   let resolved;
   try {
-    resolved = await resolveCommand(loaded, [parsed.executable, ...parsed.argv]);
+    resolved = await resolveCommand(loaded, [normalizedExecutable, ...parsed.argv]);
   } catch (err) {
-    consola17.debug(`ape-shell: adapter resolve failed for "${parsed.raw}":`, err);
+    consola18.debug(`ape-shell: adapter resolve failed for "${parsed.raw}":`, err);
     return false;
   }
   try {
     const existingGrantId = await findExistingGrant(resolved, idp);
     if (existingGrantId) {
-      consola17.info(`Reusing grant ${existingGrantId} for: ${resolved.detail.display}`);
+      consola18.info(`Reusing grant ${existingGrantId} for: ${resolved.detail.display}`);
       const token2 = await fetchGrantToken(idp, existingGrantId);
       await verifyAndExecute(token2, resolved);
       return true;
@@ -1848,18 +1969,18 @@ async function tryAdapterModeFromShell(command, idp, args) {
   } catch {
   }
   const approval = args.approval ?? "once";
-  consola17.info(`Requesting grant for: ${resolved.detail.display}`);
+  consola18.info(`Requesting grant for: ${resolved.detail.display}`);
   const grant = await createShapesGrant(resolved, {
     idp,
     approval,
     reason: args.reason || `ape-shell: ${resolved.detail.display}`
   });
-  consola17.info(`Grant requested: ${grant.id}`);
-  consola17.info(`Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
+  consola18.info(`Grant requested: ${grant.id}`);
+  consola18.info(`Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
   if (grant.similar_grants?.similar_grants?.length) {
     const n = grant.similar_grants.similar_grants.length;
-    consola17.info("");
-    consola17.info(`  Similar grant(s) found (${n}). Your approver can extend an existing grant to cover this request.`);
+    consola18.info("");
+    consola18.info(`  Similar grant(s) found (${n}). Your approver can extend an existing grant to cover this request.`);
   }
   const status = await waitForGrantStatus(idp, grant.id);
   if (status !== "approved")
@@ -1909,7 +2030,7 @@ async function runAdapterMode(command, rawArgs, args) {
   try {
     const existingGrantId = await findExistingGrant(resolved, idp);
     if (existingGrantId) {
-      consola17.info(`Reusing existing grant: ${existingGrantId}`);
+      consola18.info(`Reusing existing grant: ${existingGrantId}`);
       const token2 = await fetchGrantToken(idp, existingGrantId);
       await verifyAndExecute(token2, resolved);
       return;
@@ -1921,17 +2042,17 @@ async function runAdapterMode(command, rawArgs, args) {
     approval,
     ...args.reason ? { reason: args.reason } : {}
   });
-  consola17.info(`Grant requested: ${grant.id}`);
-  consola17.info(`Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
+  consola18.info(`Grant requested: ${grant.id}`);
+  consola18.info(`Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
   if (grant.similar_grants?.similar_grants?.length) {
     const n = grant.similar_grants.similar_grants.length;
-    consola17.info("");
-    consola17.info(`  Similar grant(s) found (${n}). Your approver can extend an existing grant to cover this request.`);
+    consola18.info("");
+    consola18.info(`  Similar grant(s) found (${n}). Your approver can extend an existing grant to cover this request.`);
     if (grant.similar_grants.widened_details?.length) {
       const wider = grant.similar_grants.widened_details.map((d) => d.permission).join(", ");
-      consola17.info(`  Broader scope: ${wider}`);
+      consola18.info(`  Broader scope: ${wider}`);
     }
-    consola17.info("");
+    consola18.info("");
   }
   const status = await waitForGrantStatus(idp, grant.id);
   if (status !== "approved")
@@ -1948,7 +2069,7 @@ async function runAudienceMode(audience, action, args) {
   const grantsUrl = await getGrantsEndpoint(idp);
   const command = action.split(" ");
   const targetHost = args.host || hostname3();
-  consola17.info(`Requesting ${audience} grant on ${targetHost}: ${command.join(" ")}`);
+  consola18.info(`Requesting ${audience} grant on ${targetHost}: ${command.join(" ")}`);
   const grant = await apiFetch(grantsUrl, {
     method: "POST",
     body: {
@@ -1961,15 +2082,15 @@ async function runAudienceMode(audience, action, args) {
       ...args.as ? { run_as: args.as } : {}
     }
   });
-  consola17.success(`Grant requested: ${grant.id}`);
-  consola17.info("Waiting for approval...");
+  consola18.success(`Grant requested: ${grant.id}`);
+  consola18.info("Waiting for approval...");
   const maxWait = 3e5;
   const interval = 3e3;
   const start = Date.now();
   while (Date.now() - start < maxWait) {
     const status = await apiFetch(`${grantsUrl}/${grant.id}`);
     if (status.status === "approved") {
-      consola17.success("Grant approved!");
+      consola18.success("Grant approved!");
       break;
     }
     if (status.status === "denied" || status.status === "revoked") {
@@ -1977,12 +2098,12 @@ async function runAudienceMode(audience, action, args) {
     }
     await new Promise((r) => setTimeout(r, interval));
   }
-  consola17.info("Fetching grant token...");
+  consola18.info("Fetching grant token...");
   const { authz_jwt } = await apiFetch(`${grantsUrl}/${grant.id}/token`, {
     method: "POST"
   });
   if (audience === "escapes") {
-    consola17.info(`Executing: ${command.join(" ")}`);
+    consola18.info(`Executing: ${command.join(" ")}`);
     try {
       execFileSync(args["escapes-path"] || "escapes", ["--grant", authz_jwt, "--", ...command], {
         stdio: "inherit"
@@ -2037,7 +2158,7 @@ var explainCommand = defineCommand21({
 
 // src/commands/config/get.ts
 import { defineCommand as defineCommand22 } from "citty";
-import consola18 from "consola";
+import consola19 from "consola";
 var configGetCommand = defineCommand22({
   meta: {
     name: "get",
@@ -2058,7 +2179,7 @@ var configGetCommand = defineCommand22({
         if (idp)
           console.log(idp);
         else
-          consola18.info("No IdP configured.");
+          consola19.info("No IdP configured.");
         break;
       }
       case "email": {
@@ -2066,7 +2187,7 @@ var configGetCommand = defineCommand22({
         if (auth?.email)
           console.log(auth.email);
         else
-          consola18.info("Not logged in.");
+          consola19.info("Not logged in.");
         break;
       }
       default: {
@@ -2079,7 +2200,7 @@ var configGetCommand = defineCommand22({
           if (sectionObj && field in sectionObj) {
             console.log(sectionObj[field]);
           } else {
-            consola18.info(`Key "${key}" not set.`);
+            consola19.info(`Key "${key}" not set.`);
           }
         } else {
           throw new CliError(`Unknown key: "${key}". Use: idp, email, defaults.idp, defaults.approval, agent.key, agent.email`);
@@ -2091,7 +2212,7 @@ var configGetCommand = defineCommand22({
 
 // src/commands/config/set.ts
 import { defineCommand as defineCommand23 } from "citty";
-import consola19 from "consola";
+import consola20 from "consola";
 var configSetCommand = defineCommand23({
   meta: {
     name: "set",
@@ -2128,7 +2249,7 @@ var configSetCommand = defineCommand23({
       throw new CliError(`Unknown section: "${section}". Use: defaults, agent`);
     }
     saveConfig(config);
-    consola19.success(`Set ${key} = ${value}`);
+    consola20.success(`Set ${key} = ${value}`);
   }
 });
 
@@ -2264,25 +2385,25 @@ var mcpCommand = defineCommand25({
     if (transport !== "stdio" && transport !== "sse") {
       throw new Error('Transport must be "stdio" or "sse"');
     }
-    const { startMcpServer } = await import("./server-FR6GFS3S.js");
+    const { startMcpServer } = await import("./server-UTCZSPCU.js");
     await startMcpServer(transport, port);
   }
 });
 
 // src/commands/init/index.ts
-import { existsSync as existsSync2, copyFileSync, writeFileSync } from "fs";
+import { existsSync as existsSync3, copyFileSync, writeFileSync } from "fs";
 import { randomBytes } from "crypto";
 import { execFileSync as execFileSync2 } from "child_process";
-import { join } from "path";
+import { join as join2 } from "path";
 import { defineCommand as defineCommand26 } from "citty";
-import consola20 from "consola";
+import consola21 from "consola";
 var DEFAULT_IDP_URL = "https://id.openape.at";
 async function downloadTemplate(repo, targetDir) {
   const { downloadTemplate: gigetDownload } = await import("giget");
   await gigetDownload(`gh:${repo}`, { dir: targetDir, force: false });
 }
 function installDeps(dir) {
-  const hasLockFile = (name) => existsSync2(join(dir, name));
+  const hasLockFile = (name) => existsSync3(join2(dir, name));
   if (hasLockFile("pnpm-lock.yaml")) {
     execFileSync2("pnpm", ["install"], { cwd: dir, stdio: "inherit" });
   } else if (hasLockFile("bun.lockb")) {
@@ -2292,14 +2413,14 @@ function installDeps(dir) {
   }
 }
 async function promptChoice(message, choices) {
-  const result = await consola20.prompt(message, { type: "select", options: choices });
+  const result = await consola21.prompt(message, { type: "select", options: choices });
   if (typeof result === "symbol") {
     throw new CliExit(0);
   }
   return result;
 }
 async function promptText(message, defaultValue) {
-  const result = await consola20.prompt(message, { type: "text", default: defaultValue, placeholder: defaultValue });
+  const result = await consola21.prompt(message, { type: "text", default: defaultValue, placeholder: defaultValue });
   if (typeof result === "symbol") {
     throw new CliExit(0);
   }
@@ -2347,23 +2468,23 @@ var initCommand = defineCommand26({
 });
 async function initSP(targetDir) {
   const dir = targetDir || "my-app";
-  if (existsSync2(join(dir, "package.json"))) {
+  if (existsSync3(join2(dir, "package.json"))) {
     throw new CliError(`Directory "${dir}" already contains a project.`);
   }
-  consola20.start("Scaffolding SP starter...");
+  consola21.start("Scaffolding SP starter...");
   await downloadTemplate("openape-ai/openape-sp-starter", dir);
-  consola20.success("Scaffolded from openape-sp-starter");
-  consola20.start("Installing dependencies...");
+  consola21.success("Scaffolded from openape-sp-starter");
+  consola21.start("Installing dependencies...");
   installDeps(dir);
-  consola20.success("Dependencies installed");
-  const envExample = join(dir, ".env.example");
-  const envFile = join(dir, ".env");
-  if (existsSync2(envExample) && !existsSync2(envFile)) {
+  consola21.success("Dependencies installed");
+  const envExample = join2(dir, ".env.example");
+  const envFile = join2(dir, ".env");
+  if (existsSync3(envExample) && !existsSync3(envFile)) {
     copyFileSync(envExample, envFile);
-    consola20.success(`\`.env\` created (using Free IdP at ${DEFAULT_IDP_URL})`);
+    consola21.success(`\`.env\` created (using Free IdP at ${DEFAULT_IDP_URL})`);
   }
   console.log("");
-  consola20.box([
+  consola21.box([
     `cd ${dir}`,
     "npm run dev",
     "",
@@ -2372,7 +2493,7 @@ async function initSP(targetDir) {
 }
 async function initIdP(targetDir) {
   const dir = targetDir || "my-idp";
-  if (existsSync2(join(dir, "package.json"))) {
+  if (existsSync3(join2(dir, "package.json"))) {
     throw new CliError(`Directory "${dir}" already contains a project.`);
   }
   const domain = await promptText("Domain for the IdP", "localhost");
@@ -2382,15 +2503,15 @@ async function initIdP(targetDir) {
     "s3 (S3-compatible)"
   ]);
   const adminEmail = await promptText("Admin email");
-  consola20.start("Scaffolding IdP starter...");
+  consola21.start("Scaffolding IdP starter...");
   await downloadTemplate("openape-ai/openape-idp-starter", dir);
-  consola20.success("Scaffolded from openape-idp-starter");
-  consola20.start("Installing dependencies...");
+  consola21.success("Scaffolded from openape-idp-starter");
+  consola21.start("Installing dependencies...");
   installDeps(dir);
-  consola20.success("Dependencies installed");
+  consola21.success("Dependencies installed");
   const sessionSecret = randomBytes(32).toString("hex");
   const managementToken = randomBytes(32).toString("hex");
-  consola20.success("Secrets generated");
+  consola21.success("Secrets generated");
   const isLocalhost = domain === "localhost";
   const origin = isLocalhost ? "http://localhost:3000" : `https://${domain}`;
   const envContent = [
@@ -2404,11 +2525,11 @@ async function initIdP(targetDir) {
     `NUXT_OPENAPE_RP_ID=${domain}`,
     `NUXT_OPENAPE_RP_ORIGIN=${origin}`
   ].join("\n");
-  writeFileSync(join(dir, ".env"), `${envContent}
+  writeFileSync(join2(dir, ".env"), `${envContent}
 `, { mode: 384 });
-  consola20.success(".env created");
+  consola21.success(".env created");
   console.log("");
-  consola20.box([
+  consola21.box([
     `cd ${dir}`,
     "npm run dev",
     "",
@@ -2425,19 +2546,19 @@ async function initIdP(targetDir) {
 
 // src/commands/enroll.ts
 import { Buffer as Buffer2 } from "buffer";
-import { existsSync as existsSync3, readFileSync as readFileSync2, writeFileSync as writeFileSync2, mkdirSync } from "fs";
+import { existsSync as existsSync4, readFileSync as readFileSync2, writeFileSync as writeFileSync2, mkdirSync } from "fs";
 import { execFile as execFile2 } from "child_process";
 import { generateKeyPairSync, sign } from "crypto";
 import { dirname, resolve as resolve2 } from "path";
-import { homedir as homedir2 } from "os";
+import { homedir as homedir4 } from "os";
 import { defineCommand as defineCommand27 } from "citty";
-import consola21 from "consola";
+import consola22 from "consola";
 var DEFAULT_IDP_URL2 = "https://id.openape.at";
 var DEFAULT_KEY_PATH = "~/.ssh/id_ed25519";
 var POLL_INTERVAL = 3e3;
 var POLL_TIMEOUT = 3e5;
-function resolvePath(p) {
-  return resolve2(p.replace(/^~/, homedir2()));
+function resolvePath2(p) {
+  return resolve2(p.replace(/^~/, homedir4()));
 }
 function openBrowser2(url) {
   const cmd = process.platform === "darwin" ? "open" : process.platform === "win32" ? "start" : "xdg-open";
@@ -2446,7 +2567,7 @@ function openBrowser2(url) {
 }
 function readPublicKey(keyPath) {
   const pubPath = `${keyPath}.pub`;
-  if (existsSync3(pubPath)) {
+  if (existsSync4(pubPath)) {
     return readFileSync2(pubPath, "utf-8").trim();
   }
   const keyContent = readFileSync2(keyPath, "utf-8");
@@ -2462,9 +2583,9 @@ function readPublicKey(keyPath) {
   return `ssh-ed25519 ${blob.toString("base64")}`;
 }
 function generateAndSaveKey(keyPath) {
-  const resolved = resolvePath(keyPath);
+  const resolved = resolvePath2(keyPath);
   const dir = dirname(resolved);
-  if (!existsSync3(dir)) {
+  if (!existsSync4(dir)) {
     mkdirSync(dir, { recursive: true });
   }
   const { publicKey, privateKey } = generateKeyPairSync("ed25519");
@@ -2484,7 +2605,7 @@ function generateAndSaveKey(keyPath) {
   return pubKeyStr;
 }
 async function pollForEnrollment(idp, agentEmail, keyPath) {
-  const resolvedKey = resolvePath(keyPath);
+  const resolvedKey = resolvePath2(keyPath);
   const keyContent = readFileSync2(resolvedKey, "utf-8");
   const privateKey = loadEd25519PrivateKey(keyContent);
   const challengeUrl = await getAgentChallengeEndpoint(idp);
@@ -2536,38 +2657,38 @@ var enrollCommand = defineCommand27({
     }
   },
   async run({ args }) {
-    const idp = args.idp || await consola21.prompt("IdP URL", { type: "text", default: DEFAULT_IDP_URL2, placeholder: DEFAULT_IDP_URL2 }).then((r) => {
+    const idp = args.idp || await consola22.prompt("IdP URL", { type: "text", default: DEFAULT_IDP_URL2, placeholder: DEFAULT_IDP_URL2 }).then((r) => {
       if (typeof r === "symbol") throw new CliExit(0);
       return r;
     }) || DEFAULT_IDP_URL2;
-    const agentName = args.name || await consola21.prompt("Agent name", { type: "text", placeholder: "deploy-bot" }).then((r) => {
+    const agentName = args.name || await consola22.prompt("Agent name", { type: "text", placeholder: "deploy-bot" }).then((r) => {
       if (typeof r === "symbol") throw new CliExit(0);
       return r;
     });
     if (!agentName) {
       throw new CliError("Agent name is required.");
     }
-    const keyPath = args.key || await consola21.prompt("Ed25519 key", { type: "text", default: DEFAULT_KEY_PATH, placeholder: DEFAULT_KEY_PATH }).then((r) => {
+    const keyPath = args.key || await consola22.prompt("Ed25519 key", { type: "text", default: DEFAULT_KEY_PATH, placeholder: DEFAULT_KEY_PATH }).then((r) => {
       if (typeof r === "symbol") throw new CliExit(0);
       return r;
     }) || DEFAULT_KEY_PATH;
-    const resolvedKey = resolvePath(keyPath);
+    const resolvedKey = resolvePath2(keyPath);
     let publicKey;
-    if (existsSync3(resolvedKey)) {
+    if (existsSync4(resolvedKey)) {
       publicKey = readPublicKey(resolvedKey);
-      consola21.success(`Using existing key ${keyPath}`);
+      consola22.success(`Using existing key ${keyPath}`);
     } else {
-      consola21.start(`Generating Ed25519 key pair at ${keyPath}...`);
+      consola22.start(`Generating Ed25519 key pair at ${keyPath}...`);
       publicKey = generateAndSaveKey(keyPath);
-      consola21.success(`Key pair generated at ${keyPath}`);
+      consola22.success(`Key pair generated at ${keyPath}`);
     }
     const encodedKey = encodeURIComponent(publicKey);
     const enrollUrl = `${idp}/enroll?name=${encodeURIComponent(agentName)}&key=${encodedKey}`;
-    consola21.info("Opening browser for enrollment...");
-    consola21.info(`\u2192 ${idp}/enroll`);
+    consola22.info("Opening browser for enrollment...");
+    consola22.info(`\u2192 ${idp}/enroll`);
     openBrowser2(enrollUrl);
     console.log("");
-    const agentEmail = await consola21.prompt(
+    const agentEmail = await consola22.prompt(
       "Agent email (shown in browser after enrollment)",
       { type: "text", placeholder: `agent+${agentName}@...` }
     ).then((r) => {
@@ -2577,7 +2698,7 @@ var enrollCommand = defineCommand27({
     if (!agentEmail) {
       throw new CliError("Agent email is required to verify enrollment.");
     }
-    consola21.start("Verifying enrollment...");
+    consola22.start("Verifying enrollment...");
     const { token, expiresIn } = await pollForEnrollment(idp, agentEmail, keyPath);
     saveAuth({
       idp,
@@ -2589,17 +2710,17 @@ var enrollCommand = defineCommand27({
     config.defaults = { ...config.defaults, idp };
     config.agent = { key: keyPath, email: agentEmail };
     saveConfig(config);
-    consola21.success(`Agent enrolled as ${agentEmail}`);
-    consola21.success("Config saved to ~/.config/apes/");
+    consola22.success(`Agent enrolled as ${agentEmail}`);
+    consola22.success("Config saved to ~/.config/apes/");
     console.log("");
-    consola21.info("Verify with: apes whoami");
+    consola22.info("Verify with: apes whoami");
   }
 });
 
 // src/commands/register-user.ts
-import { existsSync as existsSync4, readFileSync as readFileSync3 } from "fs";
+import { existsSync as existsSync5, readFileSync as readFileSync3 } from "fs";
 import { defineCommand as defineCommand28 } from "citty";
-import consola22 from "consola";
+import consola23 from "consola";
 var registerUserCommand = defineCommand28({
   meta: {
     name: "register-user",
@@ -2636,7 +2757,7 @@ var registerUserCommand = defineCommand28({
       throw new CliError("No IdP URL configured. Run `apes login` first.");
     }
     let publicKey = args.key;
-    if (existsSync4(args.key)) {
+    if (existsSync5(args.key)) {
       publicKey = readFileSync3(args.key, "utf-8").trim();
     }
     if (!publicKey.startsWith("ssh-ed25519 ")) {
@@ -2655,14 +2776,14 @@ var registerUserCommand = defineCommand28({
         ...userType ? { type: userType } : {}
       }
     });
-    consola22.success(`User registered: ${result.email} (type: ${result.type}, owner: ${result.owner})`);
+    consola23.success(`User registered: ${result.email} (type: ${result.type}, owner: ${result.owner})`);
   }
 });
 
 // src/commands/dns-check.ts
 import { defineCommand as defineCommand29 } from "citty";
-import consola23 from "consola";
-import { resolveDDISA } from "@openape/core";
+import consola24 from "consola";
+import { resolveDDISA as resolveDDISA2 } from "@openape/core";
 var dnsCheckCommand = defineCommand29({
   meta: {
     name: "dns-check",
@@ -2677,16 +2798,16 @@ var dnsCheckCommand = defineCommand29({
   },
   async run({ args }) {
     const domain = args.domain;
-    consola23.start(`Checking _ddisa.${domain}...`);
+    consola24.start(`Checking _ddisa.${domain}...`);
     try {
-      const result = await resolveDDISA(domain);
+      const result = await resolveDDISA2(domain);
       if (!result) {
         console.log("");
         console.log("To set up DDISA, add a DNS TXT record:");
         console.log(`  _ddisa.${domain} TXT "v=ddisa1 idp=https://id.${domain}"`);
         throw new CliError(`No DDISA record found for ${domain}`);
       }
-      consola23.success(`_ddisa.${domain} \u2192 ${result.idp}`);
+      consola24.success(`_ddisa.${domain} \u2192 ${result.idp}`);
       console.log("");
       console.log(`  Version:  ${result.version || "ddisa1"}`);
       console.log(`  IdP URL:  ${result.idp}`);
@@ -2695,14 +2816,14 @@ var dnsCheckCommand = defineCommand29({
       if (result.priority !== void 0)
         console.log(`  Priority: ${result.priority}`);
       console.log("");
-      consola23.start(`Verifying IdP at ${result.idp}...`);
+      consola24.start(`Verifying IdP at ${result.idp}...`);
       const discoResp = await fetch(`${result.idp}/.well-known/openid-configuration`);
       if (!discoResp.ok) {
-        consola23.warn(`IdP discovery failed (${discoResp.status}). Is the IdP running at ${result.idp}?`);
+        consola24.warn(`IdP discovery failed (${discoResp.status}). Is the IdP running at ${result.idp}?`);
         return;
       }
       const disco = await discoResp.json();
-      consola23.success(`IdP is reachable`);
+      consola24.success(`IdP is reachable`);
       console.log(`  Issuer:   ${disco.issuer}`);
       console.log(`  DDISA:    v${disco.ddisa_version || "?"}`);
       if (disco.ddisa_auth_methods_supported) {
@@ -2719,7 +2840,7 @@ var dnsCheckCommand = defineCommand29({
 
 // src/commands/workflows.ts
 import { defineCommand as defineCommand30 } from "citty";
-import consola24 from "consola";
+import consola25 from "consola";
 
 // src/guides/index.ts
 var guides = [
@@ -2790,7 +2911,7 @@ var workflowsCommand = defineCommand30({
     if (args.id) {
       const guide = guides.find((g) => g.id === String(args.id));
       if (!guide) {
-        consola24.info(`Available: ${guides.map((g) => g.id).join(", ")}`);
+        consola25.info(`Available: ${guides.map((g) => g.id).join(", ")}`);
         throw new CliError(`Guide not found: ${args.id}`);
       }
       if (args.json) {
@@ -2834,19 +2955,34 @@ process.stdout.on("error", (err) => {
   if (err.code === "EPIPE") process.exit(0);
   throw err;
 });
-var shellRewrite = rewriteApeShellArgs(process.argv);
+var shellRewrite = rewriteApeShellArgs(process.argv, process.argv0);
 if (shellRewrite) {
   if (shellRewrite.action === "rewrite") {
     process.argv = shellRewrite.argv;
   } else if (shellRewrite.action === "version") {
-    console.log(`ape-shell (OpenApe DDISA shell wrapper)`);
+    console.log(`ape-shell ${"0.7.1"} (OpenApe DDISA shell wrapper)`);
     process.exit(0);
   } else if (shellRewrite.action === "help") {
-    console.log("Usage: ape-shell -c <command>");
-    console.log("Routes all commands through apes run for grant-based authorization.");
+    console.log(`ape-shell ${"0.7.1"} \u2014 OpenApe DDISA shell wrapper`);
+    console.log("");
+    console.log("Usage:");
+    console.log("  ape-shell                 Start interactive grant-mediated REPL");
+    console.log("  ape-shell -c <command>    Run a single command through the grant flow");
+    console.log("  ape-shell -i | -l         Force interactive mode");
+    console.log("");
+    console.log("Options:");
+    console.log("  -c <command>    Execute <command> via the apes grant flow and exit");
+    console.log("  -i              Interactive REPL (default when no args are given)");
+    console.log("  -l, --login     Login shell semantics \u2014 currently same as -i");
+    console.log("  --version, -v   Show ape-shell version");
+    console.log("  --help, -h      Show this help message");
+    process.exit(0);
+  } else if (shellRewrite.action === "interactive") {
+    const { runInteractiveShell } = await import("./orchestrator-JAMWD6DD.js");
+    await runInteractiveShell();
     process.exit(0);
   } else {
-    console.error("ape-shell: only -c <command> mode is supported");
+    console.error("ape-shell: unsupported invocation. Try `ape-shell --help`.");
     process.exit(1);
   }
 }
@@ -2884,7 +3020,7 @@ var configCommand = defineCommand31({
 var main = defineCommand31({
   meta: {
     name: "apes",
-    version: "0.6.1",
+    version: "0.7.1",
     description: "Unified CLI for OpenApe"
   },
   subCommands: {
@@ -2911,13 +3047,13 @@ runMain(main).catch((err) => {
     process.exit(err.exitCode);
   }
   if (err instanceof CliError) {
-    consola25.error(err.message);
+    consola26.error(err.message);
     process.exit(err.exitCode);
   }
   if (debug) {
-    consola25.error(err);
+    consola26.error(err);
   } else {
-    consola25.error(err instanceof ApiError ? err.message : err instanceof Error ? err.message : String(err));
+    consola26.error(err instanceof ApiError ? err.message : err instanceof Error ? err.message : String(err));
   }
   process.exit(1);
 });