@openape/apes 0.7.2 → 0.9.0

package/dist/cli.js

@@ -8,6 +8,9 @@ import {
   loadEd25519PrivateKey,
   readPublicKeyComment
 } from "./chunk-ION3CWD5.js";
+import {
+  notifyGrantPending
+} from "./chunk-LSKHTHUY.js";
 import {
   ApiError,
   apiFetch,
@@ -34,11 +37,14 @@ import {
   removeAdapter,
   resolveCapabilityRequest,
   resolveCommand,
+  resolveFromGrant,
   searchAdapters,
   verifyAndExecute,
   waitForGrantStatus
-} from "./chunk-B32ZQP5K.js";
+} from "./chunk-UQ673USC.js";
 import {
+  AUTH_FILE,
+  CONFIG_DIR,
   clearAuth,
   getAuthToken,
   getIdpUrl,
@@ -46,10 +52,10 @@ import {
   loadConfig,
   saveAuth,
   saveConfig
-} from "./chunk-TBYYREL6.js";
+} from "./chunk-AZVY3X7Q.js";
 
 // src/cli.ts
-import consola26 from "consola";
+import consola27 from "consola";
 
 // src/ape-shell.ts
 import path from "path";
@@ -79,7 +85,7 @@ function rewriteApeShellArgs(argv, argv0) {
 }
 
 // src/cli.ts
-import { defineCommand as defineCommand31, runMain } from "citty";
+import { defineCommand as defineCommand33, runMain } from "citty";
 
 // src/commands/auth/login.ts
 import { Buffer } from "buffer";
@@ -1036,9 +1042,83 @@ var revokeCommand = defineCommand11({
   }
 });
 
-// src/commands/grants/token.ts
+// src/commands/grants/run.ts
+import { execFileSync } from "child_process";
 import { defineCommand as defineCommand12 } from "citty";
-var tokenCommand = defineCommand12({
+import consola12 from "consola";
+var runGrantCommand = defineCommand12({
+  meta: {
+    name: "run",
+    description: "Execute a previously-approved grant by ID"
+  },
+  args: {
+    id: {
+      type: "positional",
+      description: "Grant ID",
+      required: true
+    },
+    "escapes-path": {
+      type: "string",
+      description: "Path to escapes binary (audience=escapes only)",
+      default: "escapes"
+    }
+  },
+  async run({ args }) {
+    const idp = getIdpUrl();
+    if (!idp)
+      throw new CliError("No IdP URL configured. Run `apes login` first or pass --idp.");
+    const grantsUrl = await getGrantsEndpoint(idp);
+    const grant = await apiFetch(`${grantsUrl}/${args.id}`);
+    if (grant.status === "pending")
+      throw new CliError(`Grant ${grant.id} is still pending. Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
+    if (grant.status === "denied" || grant.status === "revoked")
+      throw new CliError(`Grant ${grant.id} is ${grant.status}. Request a new one.`);
+    if (grant.status === "used")
+      throw new CliError(`Grant ${grant.id} has already been used. Request a new one (single-use grants cannot be re-executed).`);
+    if (grant.status !== "approved")
+      throw new CliError(`Grant ${grant.id} has unexpected status: ${grant.status}`);
+    const audience = grant.request?.audience;
+    const authDetails = grant.request?.authorization_details ?? [];
+    const hasOpenApeCliDetail = authDetails.some((d) => d?.type === "openape_cli");
+    const isShapesGrant = hasOpenApeCliDetail || audience === "shapes";
+    if (isShapesGrant) {
+      let resolved;
+      try {
+        resolved = await resolveFromGrant(grant);
+      } catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        throw new CliError(`Cannot re-resolve grant: ${msg}`);
+      }
+      const token = await fetchGrantToken(idp, grant.id);
+      await verifyAndExecute(token, resolved);
+      return;
+    }
+    if (audience === "escapes") {
+      const { authz_jwt } = await apiFetch(`${grantsUrl}/${grant.id}/token`, { method: "POST" });
+      const command = grant.request?.command ?? [];
+      if (command.length === 0)
+        throw new CliError(`Grant ${grant.id} has no command to execute.`);
+      consola12.info(`Executing via escapes: ${command.join(" ")}`);
+      try {
+        execFileSync(args["escapes-path"], ["--grant", authz_jwt, "--", ...command], { stdio: "inherit" });
+      } catch (err) {
+        const exitCode = err.status || 1;
+        throw new CliExit(exitCode);
+      }
+      return;
+    }
+    if (audience === "ape-shell") {
+      throw new CliError(
+        `Grant ${grant.id} is an ape-shell session grant and cannot be re-executed via \`apes grants run\`. Re-run the original command \u2014 if the grant was approved as timed/always, the REPL will reuse it automatically.`
+      );
+    }
+    throw new CliError(`Grant ${grant.id} has unsupported audience "${audience}" \u2014 no execution path available.`);
+  }
+});
+
+// src/commands/grants/token.ts
+import { defineCommand as defineCommand13 } from "citty";
+var tokenCommand = defineCommand13({
   meta: {
     name: "token",
     description: "Get grant token JWT"
@@ -1064,9 +1144,9 @@ var tokenCommand = defineCommand12({
 });
 
 // src/commands/grants/delegate.ts
-import { defineCommand as defineCommand13 } from "citty";
-import consola12 from "consola";
-var delegateCommand = defineCommand13({
+import { defineCommand as defineCommand14 } from "citty";
+import consola13 from "consola";
+var delegateCommand = defineCommand14({
   meta: {
     name: "delegate",
     description: "Create a delegation"
@@ -1118,7 +1198,7 @@ var delegateCommand = defineCommand13({
       method: "POST",
       body
     });
-    consola12.success(`Delegation created: ${result.id}`);
+    consola13.success(`Delegation created: ${result.id}`);
     console.log(`  Delegate: ${args.to}`);
     console.log(`  Audience: ${args.at}`);
     if (args.scopes)
@@ -1130,9 +1210,9 @@ var delegateCommand = defineCommand13({
 });
 
 // src/commands/grants/delegations.ts
-import { defineCommand as defineCommand14 } from "citty";
-import consola13 from "consola";
-var delegationsCommand = defineCommand14({
+import { defineCommand as defineCommand15 } from "citty";
+import consola14 from "consola";
+var delegationsCommand = defineCommand15({
   meta: {
     name: "delegations",
     description: "List delegations"
@@ -1154,7 +1234,7 @@ var delegationsCommand = defineCommand14({
       return;
     }
     if (delegations.length === 0) {
-      consola13.info("No delegations found.");
+      consola14.info("No delegations found.");
       return;
     }
     for (const d of delegations) {
@@ -1166,9 +1246,9 @@ var delegationsCommand = defineCommand14({
 });
 
 // src/commands/grants/delegation-revoke.ts
-import { defineCommand as defineCommand15 } from "citty";
-import consola14 from "consola";
-var delegationRevokeCommand = defineCommand15({
+import { defineCommand as defineCommand16 } from "citty";
+import consola15 from "consola";
+var delegationRevokeCommand = defineCommand16({
   meta: {
     name: "delegation-revoke",
     description: "Revoke a delegation"
@@ -1191,16 +1271,16 @@ var delegationRevokeCommand = defineCommand15({
       `${delegationsUrl}/${id}`,
       { method: "DELETE" }
     );
-    consola14.success(`Delegation ${result.id} revoked.`);
+    consola15.success(`Delegation ${result.id} revoked.`);
   }
 });
 
 // src/commands/admin/index.ts
-import { defineCommand as defineCommand18 } from "citty";
+import { defineCommand as defineCommand19 } from "citty";
 
 // src/commands/admin/users.ts
-import { defineCommand as defineCommand16 } from "citty";
-import consola15 from "consola";
+import { defineCommand as defineCommand17 } from "citty";
+import consola16 from "consola";
 function getManagementToken() {
   const token = process.env.APES_MANAGEMENT_TOKEN;
   if (!token) {
@@ -1208,7 +1288,7 @@ function getManagementToken() {
   }
   return token;
 }
-var usersListCommand = defineCommand16({
+var usersListCommand = defineCommand17({
   meta: {
     name: "list",
     description: "List all users"
@@ -1250,7 +1330,7 @@ var usersListCommand = defineCommand16({
       return;
     }
     if (result.data.length === 0) {
-      consola15.info("No users found.");
+      consola16.info("No users found.");
       return;
     }
     for (const u of result.data) {
@@ -1259,11 +1339,11 @@ var usersListCommand = defineCommand16({
       console.log(`${u.email}  ${u.name}${owner}${active}`);
     }
     if (result.pagination.has_more) {
-      consola15.info(`More results available. Use --cursor="${result.pagination.cursor}" to see next page.`);
+      consola16.info(`More results available. Use --cursor="${result.pagination.cursor}" to see next page.`);
     }
   }
 });
-var usersCreateCommand = defineCommand16({
+var usersCreateCommand = defineCommand17({
   meta: {
     name: "create",
     description: "Create a user"
@@ -1294,10 +1374,10 @@ var usersCreateCommand = defineCommand16({
         token
       }
     );
-    consola15.success(`User created: ${result.email} (${result.name})`);
+    consola16.success(`User created: ${result.email} (${result.name})`);
   }
 });
-var usersDeleteCommand = defineCommand16({
+var usersDeleteCommand = defineCommand17({
   meta: {
     name: "delete",
     description: "Delete a user"
@@ -1320,7 +1400,7 @@ var usersDeleteCommand = defineCommand16({
       method: "DELETE",
       token
     });
-    consola15.success(`User deleted: ${email}`);
+    consola16.success(`User deleted: ${email}`);
   }
 });
 
@@ -1328,8 +1408,8 @@ var usersDeleteCommand = defineCommand16({
 import { existsSync as existsSync2, readFileSync } from "fs";
 import { resolve } from "path";
 import { homedir as homedir3 } from "os";
-import { defineCommand as defineCommand17 } from "citty";
-import consola16 from "consola";
+import { defineCommand as defineCommand18 } from "citty";
+import consola17 from "consola";
 function getManagementToken2() {
   const token = process.env.APES_MANAGEMENT_TOKEN;
   if (!token) {
@@ -1337,7 +1417,7 @@ function getManagementToken2() {
   }
   return token;
 }
-var sshKeysListCommand = defineCommand17({
+var sshKeysListCommand = defineCommand18({
   meta: {
     name: "list",
     description: "List SSH keys for a user"
@@ -1370,7 +1450,7 @@ var sshKeysListCommand = defineCommand17({
       return;
     }
     if (keys.length === 0) {
-      consola16.info(`No SSH keys found for ${email}.`);
+      consola17.info(`No SSH keys found for ${email}.`);
       return;
     }
     for (const k of keys) {
@@ -1378,7 +1458,7 @@ var sshKeysListCommand = defineCommand17({
     }
   }
 });
-var sshKeysAddCommand = defineCommand17({
+var sshKeysAddCommand = defineCommand18({
   meta: {
     name: "add",
     description: "Add an SSH key for a user"
@@ -1422,10 +1502,10 @@ var sshKeysAddCommand = defineCommand17({
         token
       }
     );
-    consola16.success(`SSH key added: ${result.keyId} (${result.name})`);
+    consola17.success(`SSH key added: ${result.keyId} (${result.name})`);
   }
 });
-var sshKeysDeleteCommand = defineCommand17({
+var sshKeysDeleteCommand = defineCommand18({
   meta: {
     name: "delete",
     description: "Delete an SSH key"
@@ -1456,12 +1536,12 @@ var sshKeysDeleteCommand = defineCommand17({
         token
       }
     );
-    consola16.success(`SSH key deleted: ${keyId}`);
+    consola17.success(`SSH key deleted: ${keyId}`);
   }
 });
 
 // src/commands/admin/index.ts
-var usersCommand = defineCommand18({
+var usersCommand = defineCommand19({
   meta: {
     name: "users",
     description: "Manage users"
@@ -1472,7 +1552,7 @@ var usersCommand = defineCommand18({
     delete: usersDeleteCommand
   }
 });
-var sshKeysCommand = defineCommand18({
+var sshKeysCommand = defineCommand19({
   meta: {
     name: "ssh-keys",
     description: "Manage SSH keys"
@@ -1483,7 +1563,7 @@ var sshKeysCommand = defineCommand18({
     delete: sshKeysDeleteCommand
   }
 });
-var adminCommand = defineCommand18({
+var adminCommand = defineCommand19({
   meta: {
     name: "admin",
     description: "Admin commands (requires APES_MANAGEMENT_TOKEN)"
@@ -1495,15 +1575,15 @@ var adminCommand = defineCommand18({
 });
 
 // src/commands/adapter/index.ts
-import { defineCommand as defineCommand19 } from "citty";
-import consola17 from "consola";
-var adapterCommand = defineCommand19({
+import { defineCommand as defineCommand20 } from "citty";
+import consola18 from "consola";
+var adapterCommand = defineCommand20({
   meta: {
     name: "adapter",
     description: "Manage CLI adapters"
   },
   subCommands: {
-    list: defineCommand19({
+    list: defineCommand20({
       meta: {
         name: "list",
         description: "List available adapters"
@@ -1534,7 +1614,7 @@ var adapterCommand = defineCommand19({
 `);
             return;
           }
-          consola17.info(`Registry: ${index2.adapters.length} adapters (${index2.generated_at})`);
+          consola18.info(`Registry: ${index2.adapters.length} adapters (${index2.generated_at})`);
           for (const a of index2.adapters) {
             const installed = isInstalled(a.id, false) ? " [installed]" : "";
             console.log(`  ${a.id.padEnd(12)} ${a.name.padEnd(24)} ${a.category}${installed}`);
@@ -1556,7 +1636,7 @@ var adapterCommand = defineCommand19({
           return;
         }
         if (local.length === 0) {
-          consola17.info("No adapters installed. Use `apes adapter list --remote` to see available adapters.");
+          consola18.info("No adapters installed. Use `apes adapter list --remote` to see available adapters.");
           return;
         }
         for (const a of local) {
@@ -1564,7 +1644,7 @@ var adapterCommand = defineCommand19({
         }
       }
     }),
-    install: defineCommand19({
+    install: defineCommand20({
       meta: {
         name: "install",
         description: "Install an adapter from the registry"
@@ -1593,24 +1673,24 @@ var adapterCommand = defineCommand19({
         for (const id of ids) {
           const entry = findAdapter(index, id);
           if (!entry) {
-            consola17.error(`Adapter "${id}" not found in registry. Use \`apes adapter search ${id}\` to search.`);
+            consola18.error(`Adapter "${id}" not found in registry. Use \`apes adapter search ${id}\` to search.`);
             continue;
           }
           const conflicts = findConflictingAdapters(entry.executable, id);
           if (conflicts.length > 0) {
             for (const c of conflicts) {
-              consola17.warn(`Conflicting adapter found: ${c.path} (id: ${c.adapterId}, executable: ${c.executable})`);
-              consola17.warn(`  Remove it with: apes adapter remove ${c.adapterId}`);
+              consola18.warn(`Conflicting adapter found: ${c.path} (id: ${c.adapterId}, executable: ${c.executable})`);
+              consola18.warn(`  Remove it with: apes adapter remove ${c.adapterId}`);
             }
           }
           const result = await installAdapter(entry, { local });
           const verb = result.updated ? "Updated" : "Installed";
-          consola17.success(`${verb} ${result.id} \u2192 ${result.path}`);
-          consola17.info(`Digest: ${result.digest}`);
+          consola18.success(`${verb} ${result.id} \u2192 ${result.path}`);
+          consola18.info(`Digest: ${result.digest}`);
         }
       }
     }),
-    remove: defineCommand19({
+    remove: defineCommand20({
       meta: {
         name: "remove",
         description: "Remove an installed adapter"
@@ -1633,9 +1713,9 @@ var adapterCommand = defineCommand19({
         let failed = false;
         for (const id of ids) {
           if (removeAdapter(id, local)) {
-            consola17.success(`Removed adapter: ${id}`);
+            consola18.success(`Removed adapter: ${id}`);
           } else {
-            consola17.error(`Adapter "${id}" is not installed${local ? " locally" : ""}`);
+            consola18.error(`Adapter "${id}" is not installed${local ? " locally" : ""}`);
             failed = true;
           }
         }
@@ -1643,7 +1723,7 @@ var adapterCommand = defineCommand19({
           throw new CliError("Some adapters could not be removed");
       }
     }),
-    info: defineCommand19({
+    info: defineCommand20({
       meta: {
         name: "info",
         description: "Show detailed adapter information"
@@ -1685,7 +1765,7 @@ var adapterCommand = defineCommand19({
         }
       }
     }),
-    search: defineCommand19({
+    search: defineCommand20({
       meta: {
         name: "search",
         description: "Search adapters in the registry"
@@ -1717,7 +1797,7 @@ var adapterCommand = defineCommand19({
           return;
         }
         if (results.length === 0) {
-          consola17.info(`No adapters matching "${query}"`);
+          consola18.info(`No adapters matching "${query}"`);
           return;
         }
         for (const a of results) {
@@ -1726,7 +1806,7 @@ var adapterCommand = defineCommand19({
         }
       }
     }),
-    update: defineCommand19({
+    update: defineCommand20({
       meta: {
         name: "update",
         description: "Update installed adapters"
@@ -1752,33 +1832,33 @@ var adapterCommand = defineCommand19({
         const targetId = args.id ? String(args.id) : void 0;
         const targets = targetId ? [targetId] : index.adapters.map((a) => a.id).filter((id) => isInstalled(id, false));
         if (targets.length === 0) {
-          consola17.info("No adapters installed to update.");
+          consola18.info("No adapters installed to update.");
           return;
         }
         for (const id of targets) {
           const entry = findAdapter(index, id);
           if (!entry) {
-            consola17.warn(`${id}: not found in registry, skipping`);
+            consola18.warn(`${id}: not found in registry, skipping`);
             continue;
           }
           const localDigest = getInstalledDigest(id, false);
           if (localDigest === entry.digest) {
-            consola17.info(`${id}: already up to date`);
+            consola18.info(`${id}: already up to date`);
             continue;
           }
           if (localDigest && !args.yes) {
-            consola17.warn(`${id}: digest will change \u2014 existing grants for this adapter will be invalidated`);
-            consola17.info(`  Old: ${localDigest}`);
-            consola17.info(`  New: ${entry.digest}`);
-            consola17.info("  Use --yes to confirm");
+            consola18.warn(`${id}: digest will change \u2014 existing grants for this adapter will be invalidated`);
+            consola18.info(`  Old: ${localDigest}`);
+            consola18.info(`  New: ${entry.digest}`);
+            consola18.info("  Use --yes to confirm");
             continue;
           }
           const result = await installAdapter(entry);
-          consola17.success(`Updated ${result.id} \u2192 ${result.path}`);
+          consola18.success(`Updated ${result.id} \u2192 ${result.path}`);
         }
       }
     }),
-    verify: defineCommand19({
+    verify: defineCommand20({
       meta: {
         name: "verify",
         description: "Verify installed adapter against registry digest"
@@ -1811,7 +1891,7 @@ var adapterCommand = defineCommand19({
         if (!localDigest)
           throw new Error(`Adapter "${id}" is not installed${local ? " locally" : ""}`);
         if (localDigest === entry.digest) {
-          consola17.success(`${id}: digest matches registry`);
+          consola18.success(`${id}: digest matches registry`);
         } else {
           console.log(`  Local:    ${localDigest}`);
           console.log(`  Registry: ${entry.digest}`);
@@ -1823,12 +1903,24 @@ var adapterCommand = defineCommand19({
 });
 
 // src/commands/run.ts
-import { execFileSync } from "child_process";
+import { execFileSync as execFileSync2 } from "child_process";
 import { hostname as hostname3 } from "os";
 import { basename } from "path";
-import { defineCommand as defineCommand20 } from "citty";
-import consola18 from "consola";
-var runCommand = defineCommand20({
+import { defineCommand as defineCommand21 } from "citty";
+import consola19 from "consola";
+function shouldWaitForGrant(args) {
+  return args.wait === true || process.env.APE_WAIT === "1";
+}
+function printPendingGrantInfo(grant, idp) {
+  consola19.success(`Grant ${grant.id} erstellt`);
+  console.log(`  Approve:   ${idp}/grant-approval?grant_id=${grant.id}`);
+  console.log(`  Status:    apes grants status ${grant.id}`);
+  console.log(`  Ausf\xFChren: apes grants run ${grant.id}`);
+  console.log("");
+  console.log('  Tipp: Im Browser "als timed/always approven" w\xE4hlen, um das');
+  console.log("  Kommando ohne erneuten Approval wiederzuverwenden.");
+}
+var runCommand = defineCommand21({
   meta: {
     name: "run",
     description: "Execute a grant-secured command"
@@ -1869,6 +1961,11 @@ var runCommand = defineCommand20({
       description: "Shell mode: use session grant with audience ape-shell",
       default: false
     },
+    "wait": {
+      type: "boolean",
+      description: "Block until grant is approved (default: async, print grant info and exit 0). Equivalent to APE_WAIT=1.",
+      default: false
+    },
     "_": {
       type: "positional",
       description: "Command to execute (after --)",
@@ -1915,7 +2012,7 @@ async function runShellMode(command, args) {
     }
   } catch {
   }
-  consola18.info(`Requesting ape-shell session grant on ${targetHost}`);
+  consola19.info(`Requesting ape-shell session grant on ${targetHost}`);
   const grant = await apiFetch(grantsUrl, {
     method: "POST",
     body: {
@@ -1927,20 +2024,31 @@ async function runShellMode(command, args) {
       reason: `Shell session: ${command.join(" ").slice(0, 100)}`
     }
   });
-  consola18.info(`Grant requested: ${grant.id}`);
-  consola18.info("Waiting for approval...");
-  const maxWait = 3e5;
-  const interval = 3e3;
-  const start = Date.now();
-  while (Date.now() - start < maxWait) {
-    const status = await apiFetch(`${grantsUrl}/${grant.id}`);
-    if (status.status === "approved")
-      break;
-    if (status.status === "denied" || status.status === "revoked")
-      throw new CliError(`Grant ${status.status}.`);
-    await new Promise((r) => setTimeout(r, interval));
+  notifyGrantPending({
+    grantId: grant.id,
+    approveUrl: `${idp}/grant-approval?grant_id=${grant.id}`,
+    command: command.join(" ").slice(0, 200),
+    audience: "ape-shell",
+    host: targetHost
+  });
+  if (shouldWaitForGrant(args)) {
+    consola19.info(`Grant requested: ${grant.id}`);
+    consola19.info("Waiting for approval...");
+    const maxWait = 3e5;
+    const interval = 3e3;
+    const start = Date.now();
+    while (Date.now() - start < maxWait) {
+      const status = await apiFetch(`${grantsUrl}/${grant.id}`);
+      if (status.status === "approved")
+        break;
+      if (status.status === "denied" || status.status === "revoked")
+        throw new CliError(`Grant ${status.status}.`);
+      await new Promise((r) => setTimeout(r, interval));
+    }
+    execShellCommand(command);
+    return;
   }
-  execShellCommand(command);
+  printPendingGrantInfo(grant, idp);
 }
 async function tryAdapterModeFromShell(command, idp, args) {
   const cmdString = extractShellCommandString(command);
@@ -1955,45 +2063,56 @@ async function tryAdapterModeFromShell(command, idp, args) {
   try {
     resolved = await resolveCommand(loaded, [normalizedExecutable, ...parsed.argv]);
   } catch (err) {
-    consola18.debug(`ape-shell: adapter resolve failed for "${parsed.raw}":`, err);
+    consola19.debug(`ape-shell: adapter resolve failed for "${parsed.raw}":`, err);
     return false;
   }
   try {
     const existingGrantId = await findExistingGrant(resolved, idp);
     if (existingGrantId) {
-      consola18.info(`Reusing grant ${existingGrantId} for: ${resolved.detail.display}`);
-      const token2 = await fetchGrantToken(idp, existingGrantId);
-      await verifyAndExecute(token2, resolved);
+      consola19.info(`Reusing grant ${existingGrantId} for: ${resolved.detail.display}`);
+      const token = await fetchGrantToken(idp, existingGrantId);
+      await verifyAndExecute(token, resolved);
       return true;
     }
   } catch {
   }
   const approval = args.approval ?? "once";
-  consola18.info(`Requesting grant for: ${resolved.detail.display}`);
+  consola19.info(`Requesting grant for: ${resolved.detail.display}`);
   const grant = await createShapesGrant(resolved, {
     idp,
     approval,
     reason: args.reason || `ape-shell: ${resolved.detail.display}`
   });
-  consola18.info(`Grant requested: ${grant.id}`);
-  consola18.info(`Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
   if (grant.similar_grants?.similar_grants?.length) {
     const n = grant.similar_grants.similar_grants.length;
-    consola18.info("");
-    consola18.info(`  Similar grant(s) found (${n}). Your approver can extend an existing grant to cover this request.`);
-  }
-  const status = await waitForGrantStatus(idp, grant.id);
-  if (status !== "approved")
-    throw new CliError(`Grant ${status}`);
-  const token = await fetchGrantToken(idp, grant.id);
-  await verifyAndExecute(token, resolved);
+    consola19.info("");
+    consola19.info(`  Similar grant(s) found (${n}). Your approver can extend an existing grant to cover this request.`);
+  }
+  notifyGrantPending({
+    grantId: grant.id,
+    approveUrl: `${idp}/grant-approval?grant_id=${grant.id}`,
+    command: resolved.detail?.display || parsed?.raw || "unknown",
+    audience: resolved.adapter?.cli?.audience ?? "shapes",
+    host: args.host || hostname3()
+  });
+  if (shouldWaitForGrant(args)) {
+    consola19.info(`Grant requested: ${grant.id}`);
+    consola19.info(`Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
+    const status = await waitForGrantStatus(idp, grant.id);
+    if (status !== "approved")
+      throw new CliError(`Grant ${status}`);
+    const token = await fetchGrantToken(idp, grant.id);
+    await verifyAndExecute(token, resolved);
+    return true;
+  }
+  printPendingGrantInfo(grant, idp);
   return true;
 }
 function execShellCommand(command) {
   if (command.length === 0)
     throw new CliError("No command to execute");
   try {
-    execFileSync(command[0], command.slice(1), { stdio: "inherit" });
+    execFileSync2(command[0], command.slice(1), { stdio: "inherit" });
   } catch (err) {
     const exitCode = err.status || 1;
     throw new CliExit(exitCode);
@@ -2030,9 +2149,9 @@ async function runAdapterMode(command, rawArgs, args) {
   try {
     const existingGrantId = await findExistingGrant(resolved, idp);
     if (existingGrantId) {
-      consola18.info(`Reusing existing grant: ${existingGrantId}`);
-      const token2 = await fetchGrantToken(idp, existingGrantId);
-      await verifyAndExecute(token2, resolved);
+      consola19.info(`Reusing existing grant: ${existingGrantId}`);
+      const token = await fetchGrantToken(idp, existingGrantId);
+      await verifyAndExecute(token, resolved);
       return;
     }
   } catch {
@@ -2042,23 +2161,27 @@ async function runAdapterMode(command, rawArgs, args) {
     approval,
     ...args.reason ? { reason: args.reason } : {}
   });
-  consola18.info(`Grant requested: ${grant.id}`);
-  consola18.info(`Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
   if (grant.similar_grants?.similar_grants?.length) {
     const n = grant.similar_grants.similar_grants.length;
-    consola18.info("");
-    consola18.info(`  Similar grant(s) found (${n}). Your approver can extend an existing grant to cover this request.`);
+    consola19.info("");
+    consola19.info(`  Similar grant(s) found (${n}). Your approver can extend an existing grant to cover this request.`);
     if (grant.similar_grants.widened_details?.length) {
       const wider = grant.similar_grants.widened_details.map((d) => d.permission).join(", ");
-      consola18.info(`  Broader scope: ${wider}`);
-    }
-    consola18.info("");
+      consola19.info(`  Broader scope: ${wider}`);
+    }
+    consola19.info("");
+  }
+  if (shouldWaitForGrant(args)) {
+    consola19.info(`Grant requested: ${grant.id}`);
+    consola19.info(`Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
+    const status = await waitForGrantStatus(idp, grant.id);
+    if (status !== "approved")
+      throw new Error(`Grant ${status}`);
+    const token = await fetchGrantToken(idp, grant.id);
+    await verifyAndExecute(token, resolved);
+    return;
   }
-  const status = await waitForGrantStatus(idp, grant.id);
-  if (status !== "approved")
-    throw new Error(`Grant ${status}`);
-  const token = await fetchGrantToken(idp, grant.id);
-  await verifyAndExecute(token, resolved);
+  printPendingGrantInfo(grant, idp);
 }
 async function runAudienceMode(audience, action, args) {
   const auth = loadAuth();
@@ -2069,7 +2192,7 @@ async function runAudienceMode(audience, action, args) {
   const grantsUrl = await getGrantsEndpoint(idp);
   const command = action.split(" ");
   const targetHost = args.host || hostname3();
-  consola18.info(`Requesting ${audience} grant on ${targetHost}: ${command.join(" ")}`);
+  consola19.info(`Requesting ${audience} grant on ${targetHost}: ${command.join(" ")}`);
   const grant = await apiFetch(grantsUrl, {
     method: "POST",
     body: {
@@ -2082,15 +2205,19 @@ async function runAudienceMode(audience, action, args) {
       ...args.as ? { run_as: args.as } : {}
     }
   });
-  consola18.success(`Grant requested: ${grant.id}`);
-  consola18.info("Waiting for approval...");
+  if (!shouldWaitForGrant(args)) {
+    printPendingGrantInfo(grant, idp);
+    return;
+  }
+  consola19.success(`Grant requested: ${grant.id}`);
+  consola19.info("Waiting for approval...");
   const maxWait = 3e5;
   const interval = 3e3;
   const start = Date.now();
   while (Date.now() - start < maxWait) {
     const status = await apiFetch(`${grantsUrl}/${grant.id}`);
     if (status.status === "approved") {
-      consola18.success("Grant approved!");
+      consola19.success("Grant approved!");
       break;
     }
     if (status.status === "denied" || status.status === "revoked") {
@@ -2098,14 +2225,14 @@ async function runAudienceMode(audience, action, args) {
     }
     await new Promise((r) => setTimeout(r, interval));
   }
-  consola18.info("Fetching grant token...");
+  consola19.info("Fetching grant token...");
   const { authz_jwt } = await apiFetch(`${grantsUrl}/${grant.id}/token`, {
     method: "POST"
   });
   if (audience === "escapes") {
-    consola18.info(`Executing: ${command.join(" ")}`);
+    consola19.info(`Executing: ${command.join(" ")}`);
     try {
-      execFileSync(args["escapes-path"] || "escapes", ["--grant", authz_jwt, "--", ...command], {
+      execFileSync2(args["escapes-path"] || "escapes", ["--grant", authz_jwt, "--", ...command], {
         stdio: "inherit"
       });
     } catch (err) {
@@ -2118,8 +2245,8 @@ async function runAudienceMode(audience, action, args) {
 }
 
 // src/commands/explain.ts
-import { defineCommand as defineCommand21 } from "citty";
-var explainCommand = defineCommand21({
+import { defineCommand as defineCommand22 } from "citty";
+var explainCommand = defineCommand22({
   meta: {
     name: "explain",
     description: "Show what permission a command would need"
@@ -2157,9 +2284,9 @@ var explainCommand = defineCommand21({
 });
 
 // src/commands/config/get.ts
-import { defineCommand as defineCommand22 } from "citty";
-import consola19 from "consola";
-var configGetCommand = defineCommand22({
+import { defineCommand as defineCommand23 } from "citty";
+import consola20 from "consola";
+var configGetCommand = defineCommand23({
   meta: {
     name: "get",
     description: "Get a configuration value"
@@ -2179,7 +2306,7 @@ var configGetCommand = defineCommand22({
         if (idp)
           console.log(idp);
         else
-          consola19.info("No IdP configured.");
+          consola20.info("No IdP configured.");
         break;
       }
       case "email": {
@@ -2187,7 +2314,7 @@ var configGetCommand = defineCommand22({
         if (auth?.email)
           console.log(auth.email);
         else
-          consola19.info("Not logged in.");
+          consola20.info("Not logged in.");
         break;
       }
       default: {
@@ -2200,7 +2327,7 @@ var configGetCommand = defineCommand22({
           if (sectionObj && field in sectionObj) {
             console.log(sectionObj[field]);
           } else {
-            consola19.info(`Key "${key}" not set.`);
+            consola20.info(`Key "${key}" not set.`);
           }
         } else {
           throw new CliError(`Unknown key: "${key}". Use: idp, email, defaults.idp, defaults.approval, agent.key, agent.email`);
@@ -2211,9 +2338,9 @@ var configGetCommand = defineCommand22({
 });
 
 // src/commands/config/set.ts
-import { defineCommand as defineCommand23 } from "citty";
-import consola20 from "consola";
-var configSetCommand = defineCommand23({
+import { defineCommand as defineCommand24 } from "citty";
+import consola21 from "consola";
+var configSetCommand = defineCommand24({
   meta: {
     name: "set",
     description: "Set a configuration value"
@@ -2249,12 +2376,12 @@ var configSetCommand = defineCommand23({
       throw new CliError(`Unknown section: "${section}". Use: defaults, agent`);
     }
     saveConfig(config);
-    consola20.success(`Set ${key} = ${value}`);
+    consola21.success(`Set ${key} = ${value}`);
   }
 });
 
 // src/commands/fetch/index.ts
-import { defineCommand as defineCommand24 } from "citty";
+import { defineCommand as defineCommand25 } from "citty";
 async function doRequest(method, url, body, contentType, raw, showHeaders) {
   const token = getAuthToken();
   if (!token) {
@@ -2290,13 +2417,13 @@ async function doRequest(method, url, body, contentType, raw, showHeaders) {
     throw new CliError(`HTTP ${response.status} ${response.statusText}`);
   }
 }
-var fetchCommand = defineCommand24({
+var fetchCommand = defineCommand25({
   meta: {
     name: "fetch",
     description: "Make authenticated HTTP requests"
   },
   subCommands: {
-    get: defineCommand24({
+    get: defineCommand25({
       meta: {
         name: "get",
         description: "GET request with auth token"
@@ -2322,7 +2449,7 @@ var fetchCommand = defineCommand24({
         await doRequest("GET", String(args.url), void 0, "application/json", Boolean(args.raw), Boolean(args.headers));
       }
     }),
-    post: defineCommand24({
+    post: defineCommand25({
       meta: {
         name: "post",
         description: "POST request with auth token"
@@ -2361,8 +2488,8 @@ var fetchCommand = defineCommand24({
 });
 
 // src/commands/mcp/index.ts
-import { defineCommand as defineCommand25 } from "citty";
-var mcpCommand = defineCommand25({
+import { defineCommand as defineCommand26 } from "citty";
+var mcpCommand = defineCommand26({
   meta: {
     name: "mcp",
     description: "Start MCP server for AI agents"
@@ -2385,7 +2512,7 @@ var mcpCommand = defineCommand25({
     if (transport !== "stdio" && transport !== "sse") {
       throw new Error('Transport must be "stdio" or "sse"');
     }
-    const { startMcpServer } = await import("./server-GPETT3ON.js");
+    const { startMcpServer } = await import("./server-FFOPFICW.js");
     await startMcpServer(transport, port);
   }
 });
@@ -2393,10 +2520,10 @@ var mcpCommand = defineCommand25({
 // src/commands/init/index.ts
 import { existsSync as existsSync3, copyFileSync, writeFileSync } from "fs";
 import { randomBytes } from "crypto";
-import { execFileSync as execFileSync2 } from "child_process";
+import { execFileSync as execFileSync3 } from "child_process";
 import { join as join2 } from "path";
-import { defineCommand as defineCommand26 } from "citty";
-import consola21 from "consola";
+import { defineCommand as defineCommand27 } from "citty";
+import consola22 from "consola";
 var DEFAULT_IDP_URL = "https://id.openape.at";
 async function downloadTemplate(repo, targetDir) {
   const { downloadTemplate: gigetDownload } = await import("giget");
@@ -2405,28 +2532,28 @@ async function downloadTemplate(repo, targetDir) {
 function installDeps(dir) {
   const hasLockFile = (name) => existsSync3(join2(dir, name));
   if (hasLockFile("pnpm-lock.yaml")) {
-    execFileSync2("pnpm", ["install"], { cwd: dir, stdio: "inherit" });
+    execFileSync3("pnpm", ["install"], { cwd: dir, stdio: "inherit" });
   } else if (hasLockFile("bun.lockb")) {
-    execFileSync2("bun", ["install"], { cwd: dir, stdio: "inherit" });
+    execFileSync3("bun", ["install"], { cwd: dir, stdio: "inherit" });
   } else {
-    execFileSync2("npm", ["install"], { cwd: dir, stdio: "inherit" });
+    execFileSync3("npm", ["install"], { cwd: dir, stdio: "inherit" });
   }
 }
 async function promptChoice(message, choices) {
-  const result = await consola21.prompt(message, { type: "select", options: choices });
+  const result = await consola22.prompt(message, { type: "select", options: choices });
   if (typeof result === "symbol") {
     throw new CliExit(0);
   }
   return result;
 }
 async function promptText(message, defaultValue) {
-  const result = await consola21.prompt(message, { type: "text", default: defaultValue, placeholder: defaultValue });
+  const result = await consola22.prompt(message, { type: "text", default: defaultValue, placeholder: defaultValue });
   if (typeof result === "symbol") {
     throw new CliExit(0);
   }
   return result || defaultValue || "";
 }
-var initCommand = defineCommand26({
+var initCommand = defineCommand27({
   meta: {
     name: "init",
     description: "Scaffold a new OpenApe project"
@@ -2471,20 +2598,20 @@ async function initSP(targetDir) {
   if (existsSync3(join2(dir, "package.json"))) {
     throw new CliError(`Directory "${dir}" already contains a project.`);
   }
-  consola21.start("Scaffolding SP starter...");
+  consola22.start("Scaffolding SP starter...");
   await downloadTemplate("openape-ai/openape-sp-starter", dir);
-  consola21.success("Scaffolded from openape-sp-starter");
-  consola21.start("Installing dependencies...");
+  consola22.success("Scaffolded from openape-sp-starter");
+  consola22.start("Installing dependencies...");
   installDeps(dir);
-  consola21.success("Dependencies installed");
+  consola22.success("Dependencies installed");
   const envExample = join2(dir, ".env.example");
   const envFile = join2(dir, ".env");
   if (existsSync3(envExample) && !existsSync3(envFile)) {
     copyFileSync(envExample, envFile);
-    consola21.success(`\`.env\` created (using Free IdP at ${DEFAULT_IDP_URL})`);
+    consola22.success(`\`.env\` created (using Free IdP at ${DEFAULT_IDP_URL})`);
   }
   console.log("");
-  consola21.box([
+  consola22.box([
     `cd ${dir}`,
     "npm run dev",
     "",
@@ -2503,15 +2630,15 @@ async function initIdP(targetDir) {
     "s3 (S3-compatible)"
   ]);
   const adminEmail = await promptText("Admin email");
-  consola21.start("Scaffolding IdP starter...");
+  consola22.start("Scaffolding IdP starter...");
   await downloadTemplate("openape-ai/openape-idp-starter", dir);
-  consola21.success("Scaffolded from openape-idp-starter");
-  consola21.start("Installing dependencies...");
+  consola22.success("Scaffolded from openape-idp-starter");
+  consola22.start("Installing dependencies...");
   installDeps(dir);
-  consola21.success("Dependencies installed");
+  consola22.success("Dependencies installed");
   const sessionSecret = randomBytes(32).toString("hex");
   const managementToken = randomBytes(32).toString("hex");
-  consola21.success("Secrets generated");
+  consola22.success("Secrets generated");
   const isLocalhost = domain === "localhost";
   const origin = isLocalhost ? "http://localhost:3000" : `https://${domain}`;
   const envContent = [
@@ -2527,9 +2654,9 @@ async function initIdP(targetDir) {
   ].join("\n");
   writeFileSync(join2(dir, ".env"), `${envContent}
 `, { mode: 384 });
-  consola21.success(".env created");
+  consola22.success(".env created");
   console.log("");
-  consola21.box([
+  consola22.box([
     `cd ${dir}`,
     "npm run dev",
     "",
@@ -2551,8 +2678,8 @@ import { execFile as execFile2 } from "child_process";
 import { generateKeyPairSync, sign } from "crypto";
 import { dirname, resolve as resolve2 } from "path";
 import { homedir as homedir4 } from "os";
-import { defineCommand as defineCommand27 } from "citty";
-import consola22 from "consola";
+import { defineCommand as defineCommand28 } from "citty";
+import consola23 from "consola";
 var DEFAULT_IDP_URL2 = "https://id.openape.at";
 var DEFAULT_KEY_PATH = "~/.ssh/id_ed25519";
 var POLL_INTERVAL = 3e3;
@@ -2637,7 +2764,7 @@ async function pollForEnrollment(idp, agentEmail, keyPath) {
   }
   throw new Error("Enrollment timed out. Please check the browser and try again.");
 }
-var enrollCommand = defineCommand27({
+var enrollCommand = defineCommand28({
   meta: {
     name: "enroll",
     description: "Enroll an agent with an Identity Provider"
@@ -2657,18 +2784,18 @@ var enrollCommand = defineCommand27({
     }
   },
   async run({ args }) {
-    const idp = args.idp || await consola22.prompt("IdP URL", { type: "text", default: DEFAULT_IDP_URL2, placeholder: DEFAULT_IDP_URL2 }).then((r) => {
+    const idp = args.idp || await consola23.prompt("IdP URL", { type: "text", default: DEFAULT_IDP_URL2, placeholder: DEFAULT_IDP_URL2 }).then((r) => {
       if (typeof r === "symbol") throw new CliExit(0);
       return r;
     }) || DEFAULT_IDP_URL2;
-    const agentName = args.name || await consola22.prompt("Agent name", { type: "text", placeholder: "deploy-bot" }).then((r) => {
+    const agentName = args.name || await consola23.prompt("Agent name", { type: "text", placeholder: "deploy-bot" }).then((r) => {
       if (typeof r === "symbol") throw new CliExit(0);
       return r;
     });
     if (!agentName) {
       throw new CliError("Agent name is required.");
     }
-    const keyPath = args.key || await consola22.prompt("Ed25519 key", { type: "text", default: DEFAULT_KEY_PATH, placeholder: DEFAULT_KEY_PATH }).then((r) => {
+    const keyPath = args.key || await consola23.prompt("Ed25519 key", { type: "text", default: DEFAULT_KEY_PATH, placeholder: DEFAULT_KEY_PATH }).then((r) => {
       if (typeof r === "symbol") throw new CliExit(0);
       return r;
     }) || DEFAULT_KEY_PATH;
@@ -2676,19 +2803,19 @@ var enrollCommand = defineCommand27({
     let publicKey;
     if (existsSync4(resolvedKey)) {
       publicKey = readPublicKey(resolvedKey);
-      consola22.success(`Using existing key ${keyPath}`);
+      consola23.success(`Using existing key ${keyPath}`);
     } else {
-      consola22.start(`Generating Ed25519 key pair at ${keyPath}...`);
+      consola23.start(`Generating Ed25519 key pair at ${keyPath}...`);
       publicKey = generateAndSaveKey(keyPath);
-      consola22.success(`Key pair generated at ${keyPath}`);
+      consola23.success(`Key pair generated at ${keyPath}`);
     }
     const encodedKey = encodeURIComponent(publicKey);
     const enrollUrl = `${idp}/enroll?name=${encodeURIComponent(agentName)}&key=${encodedKey}`;
-    consola22.info("Opening browser for enrollment...");
-    consola22.info(`\u2192 ${idp}/enroll`);
+    consola23.info("Opening browser for enrollment...");
+    consola23.info(`\u2192 ${idp}/enroll`);
     openBrowser2(enrollUrl);
     console.log("");
-    const agentEmail = await consola22.prompt(
+    const agentEmail = await consola23.prompt(
       "Agent email (shown in browser after enrollment)",
       { type: "text", placeholder: `agent+${agentName}@...` }
     ).then((r) => {
@@ -2698,7 +2825,7 @@ var enrollCommand = defineCommand27({
     if (!agentEmail) {
       throw new CliError("Agent email is required to verify enrollment.");
     }
-    consola22.start("Verifying enrollment...");
+    consola23.start("Verifying enrollment...");
     const { token, expiresIn } = await pollForEnrollment(idp, agentEmail, keyPath);
     saveAuth({
       idp,
@@ -2710,18 +2837,18 @@ var enrollCommand = defineCommand27({
     config.defaults = { ...config.defaults, idp };
     config.agent = { key: keyPath, email: agentEmail };
     saveConfig(config);
-    consola22.success(`Agent enrolled as ${agentEmail}`);
-    consola22.success("Config saved to ~/.config/apes/");
+    consola23.success(`Agent enrolled as ${agentEmail}`);
+    consola23.success("Config saved to ~/.config/apes/");
     console.log("");
-    consola22.info("Verify with: apes whoami");
+    consola23.info("Verify with: apes whoami");
   }
 });
 
 // src/commands/register-user.ts
 import { existsSync as existsSync5, readFileSync as readFileSync3 } from "fs";
-import { defineCommand as defineCommand28 } from "citty";
-import consola23 from "consola";
-var registerUserCommand = defineCommand28({
+import { defineCommand as defineCommand29 } from "citty";
+import consola24 from "consola";
+var registerUserCommand = defineCommand29({
   meta: {
     name: "register-user",
     description: "Register a sub-user with SSH key"
@@ -2776,15 +2903,15 @@ var registerUserCommand = defineCommand28({
         ...userType ? { type: userType } : {}
       }
     });
-    consola23.success(`User registered: ${result.email} (type: ${result.type}, owner: ${result.owner})`);
+    consola24.success(`User registered: ${result.email} (type: ${result.type}, owner: ${result.owner})`);
   }
 });
 
 // src/commands/dns-check.ts
-import { defineCommand as defineCommand29 } from "citty";
-import consola24 from "consola";
+import { defineCommand as defineCommand30 } from "citty";
+import consola25 from "consola";
 import { resolveDDISA as resolveDDISA2 } from "@openape/core";
-var dnsCheckCommand = defineCommand29({
+var dnsCheckCommand = defineCommand30({
   meta: {
     name: "dns-check",
     description: "Validate DDISA DNS TXT records for a domain"
@@ -2798,7 +2925,7 @@ var dnsCheckCommand = defineCommand29({
   },
   async run({ args }) {
     const domain = args.domain;
-    consola24.start(`Checking _ddisa.${domain}...`);
+    consola25.start(`Checking _ddisa.${domain}...`);
     try {
       const result = await resolveDDISA2(domain);
       if (!result) {
@@ -2807,7 +2934,7 @@ var dnsCheckCommand = defineCommand29({
         console.log(`  _ddisa.${domain} TXT "v=ddisa1 idp=https://id.${domain}"`);
         throw new CliError(`No DDISA record found for ${domain}`);
       }
-      consola24.success(`_ddisa.${domain} \u2192 ${result.idp}`);
+      consola25.success(`_ddisa.${domain} \u2192 ${result.idp}`);
       console.log("");
       console.log(`  Version:  ${result.version || "ddisa1"}`);
       console.log(`  IdP URL:  ${result.idp}`);
@@ -2816,14 +2943,14 @@ var dnsCheckCommand = defineCommand29({
       if (result.priority !== void 0)
         console.log(`  Priority: ${result.priority}`);
       console.log("");
-      consola24.start(`Verifying IdP at ${result.idp}...`);
+      consola25.start(`Verifying IdP at ${result.idp}...`);
       const discoResp = await fetch(`${result.idp}/.well-known/openid-configuration`);
       if (!discoResp.ok) {
-        consola24.warn(`IdP discovery failed (${discoResp.status}). Is the IdP running at ${result.idp}?`);
+        consola25.warn(`IdP discovery failed (${discoResp.status}). Is the IdP running at ${result.idp}?`);
         return;
       }
       const disco = await discoResp.json();
-      consola24.success(`IdP is reachable`);
+      consola25.success(`IdP is reachable`);
       console.log(`  Issuer:   ${disco.issuer}`);
       console.log(`  DDISA:    v${disco.ddisa_version || "?"}`);
       if (disco.ddisa_auth_methods_supported) {
@@ -2838,9 +2965,128 @@ var dnsCheckCommand = defineCommand29({
   }
 });
 
+// src/commands/health.ts
+import { exec } from "child_process";
+import { promisify } from "util";
+import { defineCommand as defineCommand31 } from "citty";
+var execAsync = promisify(exec);
+async function resolveApeShellPath() {
+  try {
+    const { stdout } = await execAsync("command -v ape-shell", { shell: "/bin/bash" });
+    const trimmed = stdout.trim();
+    return trimmed.length > 0 ? trimmed : null;
+  } catch {
+    return null;
+  }
+}
+async function probeIdp(url) {
+  const ctrl = new AbortController();
+  const timeout = setTimeout(() => ctrl.abort(), 3e3);
+  try {
+    await fetch(url, { method: "GET", signal: ctrl.signal });
+    return { reachable: true };
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return { reachable: false, error: message };
+  } finally {
+    clearTimeout(timeout);
+  }
+}
+async function bestEffortGrantCount(idp) {
+  try {
+    const grantsUrl = await getGrantsEndpoint(idp);
+    const res = await apiFetch(`${grantsUrl}?limit=1`);
+    const count = Array.isArray(res?.data) ? res.data.length : 0;
+    return { count };
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return { error: message };
+  }
+}
+async function runHealth(args) {
+  const version = true ? "0.9.0" : "0.0.0";
+  const auth = loadAuth();
+  if (!auth) {
+    throw new CliError("Not logged in. Run `apes login` first.", 1);
+  }
+  const isAgent = auth.email.includes("agent+");
+  const expiresDate = new Date(auth.expires_at * 1e3);
+  const isExpired = Date.now() / 1e3 > auth.expires_at;
+  if (isExpired) {
+    throw new CliError(`Token expired at ${expiresDate.toISOString()}. Run \`apes login\`.`, 1);
+  }
+  const idpProbe = await probeIdp(auth.idp);
+  const grantInfo = await bestEffortGrantCount(auth.idp);
+  const apeShellPath = await resolveApeShellPath();
+  const report = {
+    version,
+    config: { dir: CONFIG_DIR },
+    auth: {
+      file: AUTH_FILE,
+      present: true,
+      email: auth.email,
+      type: isAgent ? "agent" : "human",
+      idp: auth.idp,
+      expires_at_iso: expiresDate.toISOString(),
+      expires_at_local: expiresDate.toLocaleString(),
+      expired: false
+    },
+    idp: {
+      url: auth.idp,
+      reachable: idpProbe.reachable,
+      ..."error" in idpProbe ? { error: idpProbe.error } : {}
+    },
+    grants: "count" in grantInfo ? { count: grantInfo.count } : { error: grantInfo.error },
+    ape_shell_binary: apeShellPath,
+    ok: idpProbe.reachable
+  };
+  if (args.json) {
+    console.log(JSON.stringify(report, null, 2));
+  } else {
+    console.log(`apes ${version}`);
+    console.log("");
+    console.log(`Config: ${CONFIG_DIR}`);
+    console.log(`Auth:   ${AUTH_FILE}`);
+    console.log(`        ${auth.email} (${isAgent ? "agent" : "human"})`);
+    console.log(`        IdP: ${auth.idp}`);
+    console.log(`        Token: valid until ${expiresDate.toISOString()} (local: ${expiresDate.toLocaleString()})`);
+    console.log("");
+    if (idpProbe.reachable) {
+      console.log("IdP: reachable");
+    } else {
+      console.log(`IdP: <unreachable: ${idpProbe.error}>`);
+    }
+    if ("count" in grantInfo) {
+      console.log(`Grants: ${grantInfo.count}`);
+    } else {
+      console.log(`Grants: <unreachable: ${grantInfo.error}>`);
+    }
+    console.log(`ape-shell: ${apeShellPath ?? "(not on PATH)"}`);
+  }
+  if (!idpProbe.reachable) {
+    throw new CliError(`IdP ${auth.idp} unreachable: ${idpProbe.error}`, 1);
+  }
+}
+var healthCommand = defineCommand31({
+  meta: {
+    name: "health",
+    description: "Report CLI diagnostic state (auth, IdP, grants, binaries)"
+  },
+  args: {
+    json: {
+      type: "boolean",
+      description: "Emit a machine-readable JSON report",
+      default: false
+    }
+  },
+  async run({ args }) {
+    await runHealth({ json: Boolean(args.json) });
+  }
+});
+
 // src/commands/workflows.ts
-import { defineCommand as defineCommand30 } from "citty";
-import consola25 from "consola";
+import { defineCommand as defineCommand32 } from "citty";
+import consola26 from "consola";
 
 // src/guides/index.ts
 var guides = [
@@ -2890,7 +3136,7 @@ var guides = [
 ];
 
 // src/commands/workflows.ts
-var workflowsCommand = defineCommand30({
+var workflowsCommand = defineCommand32({
   meta: {
     name: "workflows",
     description: "Discover workflow guides"
@@ -2911,7 +3157,7 @@ var workflowsCommand = defineCommand30({
     if (args.id) {
       const guide = guides.find((g) => g.id === String(args.id));
       if (!guide) {
-        consola25.info(`Available: ${guides.map((g) => g.id).join(", ")}`);
+        consola26.info(`Available: ${guides.map((g) => g.id).join(", ")}`);
         throw new CliError(`Guide not found: ${args.id}`);
       }
       if (args.json) {
@@ -2960,10 +3206,10 @@ if (shellRewrite) {
   if (shellRewrite.action === "rewrite") {
     process.argv = shellRewrite.argv;
   } else if (shellRewrite.action === "version") {
-    console.log(`ape-shell ${"0.7.2"} (OpenApe DDISA shell wrapper)`);
+    console.log(`ape-shell ${"0.9.0"} (OpenApe DDISA shell wrapper)`);
     process.exit(0);
   } else if (shellRewrite.action === "help") {
-    console.log(`ape-shell ${"0.7.2"} \u2014 OpenApe DDISA shell wrapper`);
+    console.log(`ape-shell ${"0.9.0"} \u2014 OpenApe DDISA shell wrapper`);
     console.log("");
     console.log("Usage:");
     console.log("  ape-shell                 Start interactive grant-mediated REPL");
@@ -2978,7 +3224,7 @@ if (shellRewrite) {
     console.log("  --help, -h      Show this help message");
     process.exit(0);
   } else if (shellRewrite.action === "interactive") {
-    const { runInteractiveShell } = await import("./orchestrator-JAMWD6DD.js");
+    const { runInteractiveShell } = await import("./orchestrator-GPNL543L.js");
     await runInteractiveShell();
     process.exit(0);
   } else {
@@ -2987,7 +3233,7 @@ if (shellRewrite) {
   }
 }
 var debug = process.argv.includes("--debug");
-var grantsCommand = defineCommand31({
+var grantsCommand = defineCommand33({
   meta: {
     name: "grants",
     description: "Grant management"
@@ -3001,13 +3247,14 @@ var grantsCommand = defineCommand31({
     approve: approveCommand,
     deny: denyCommand,
     revoke: revokeCommand,
+    run: runGrantCommand,
     token: tokenCommand,
     delegate: delegateCommand,
     delegations: delegationsCommand,
     "delegation-revoke": delegationRevokeCommand
   }
 });
-var configCommand = defineCommand31({
+var configCommand = defineCommand33({
   meta: {
     name: "config",
     description: "Configuration management"
@@ -3017,10 +3264,10 @@ var configCommand = defineCommand31({
     set: configSetCommand
   }
 });
-var main = defineCommand31({
+var main = defineCommand33({
   meta: {
     name: "apes",
-    version: "0.7.2",
+    version: "0.9.0",
     description: "Unified CLI for OpenApe"
   },
   subCommands: {
@@ -3031,6 +3278,7 @@ var main = defineCommand31({
     login: loginCommand,
     logout: logoutCommand,
     whoami: whoamiCommand,
+    health: healthCommand,
     grants: grantsCommand,
     admin: adminCommand,
     run: runCommand,
@@ -3047,13 +3295,13 @@ runMain(main).catch((err) => {
     process.exit(err.exitCode);
   }
   if (err instanceof CliError) {
-    consola26.error(err.message);
+    consola27.error(err.message);
     process.exit(err.exitCode);
   }
   if (debug) {
-    consola26.error(err);
+    consola27.error(err);
   } else {
-    consola26.error(err instanceof ApiError ? err.message : err instanceof Error ? err.message : String(err));
+    consola27.error(err instanceof ApiError ? err.message : err instanceof Error ? err.message : String(err));
   }
   process.exit(1);
 });