@openape/apes 0.9.3 → 0.9.4

package/dist/{chunk-5FV5KXEX.js → chunk-ZHTLP2DD.js}

@@ -44,7 +44,23 @@ function notifyGrantPending(info) {
   }
 }
 
+// src/shell/apes-self-dispatch.ts
+import { basename } from "path";
+var APES_GATED_SUBCOMMANDS = /* @__PURE__ */ new Set(["run", "fetch", "mcp"]);
+function isApesSelfDispatch(parsed) {
+  if (!parsed || parsed.isCompound)
+    return false;
+  const invokedName = basename(parsed.executable);
+  if (invokedName !== "apes" && invokedName !== "apes.js")
+    return false;
+  const subCommand = parsed.argv[0];
+  if (!subCommand)
+    return false;
+  return !APES_GATED_SUBCOMMANDS.has(subCommand);
+}
+
 export {
-  notifyGrantPending
+  notifyGrantPending,
+  isApesSelfDispatch
 };
-//# sourceMappingURL=chunk-5FV5KXEX.js.map
+//# sourceMappingURL=chunk-ZHTLP2DD.js.map

package/dist/chunk-ZHTLP2DD.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/notifications.ts","../src/shell/apes-self-dispatch.ts"],"sourcesContent":["import { spawn } from 'node:child_process'\nimport consola from 'consola'\nimport { quote } from 'shell-quote'\nimport { loadConfig } from './config'\n\nexport interface PendingGrantInfo {\n  grantId: string\n  approveUrl: string\n  command: string\n  audience: string\n  host: string\n}\n\n/**\n * Resolve the notification command for pending grants. Checks (in order):\n *   1. `APES_NOTIFY_PENDING_COMMAND` env var (highest priority — lets\n *      parent programs like openclaw override per invocation)\n *   2. `[notifications] pending_command` in ~/.config/apes/config.toml\n *\n * Returns undefined if no notification command is configured.\n */\nfunction resolvePendingCommand(): string | undefined {\n  if (process.env.APES_NOTIFY_PENDING_COMMAND)\n    return process.env.APES_NOTIFY_PENDING_COMMAND\n\n  const config = loadConfig()\n  return config.notifications?.pending_command\n}\n\n/**\n * Escape a value for safe embedding inside a single-quoted shell string.\n * We use `shell-quote` to produce a safe literal, then strip the outer\n * quoting because the template substitution embeds the value inside the\n * user's command template which is itself passed to `sh -c`.\n */\nfunction shellEscape(value: string): string {\n  // quote() wraps in single quotes and escapes internal single quotes\n  // e.g. \"it's\" → \"'it'\\\\''s'\"\n  // We return the raw escaped form so it's safe inside sh -c.\n  return quote([value])\n}\n\n/**\n * Substitute template variables in the notification command.\n * All values are shell-escaped to prevent injection.\n */\nfunction renderTemplate(template: string, info: PendingGrantInfo): string {\n  return template\n    .replace(/\\{grant_id\\}/g, shellEscape(info.grantId))\n    .replace(/\\{approve_url\\}/g, shellEscape(info.approveUrl))\n    .replace(/\\{command\\}/g, shellEscape(info.command))\n    .replace(/\\{audience\\}/g, shellEscape(info.audience))\n    .replace(/\\{host\\}/g, shellEscape(info.host))\n}\n\n/**\n * Send a notification that a grant is awaiting human approval.\n *\n * This is **fire-and-forget**: the notification subprocess runs detached\n * and unref'd so it cannot block the grant flow. A 10-second timeout\n * kills it if it hangs (e.g. network issue reaching Telegram API).\n *\n * Only fires when a notification command is configured. Silently returns\n * if not — the grant flow must never depend on notifications.\n *\n * Only call this when the grant **actually requires waiting** (new grant\n * with pending status). Do NOT call when:\n * - An existing timed/always grant was reused (no human action needed)\n * - The grant was instantly approved (no waiting phase)\n */\nexport function notifyGrantPending(info: PendingGrantInfo): void {\n  const template = resolvePendingCommand()\n  if (!template)\n    return\n\n  const rendered = renderTemplate(template, info)\n\n  try {\n    const child = spawn('sh', ['-c', rendered], {\n      detached: true,\n      stdio: 'ignore',\n      env: { ...process.env },\n    })\n\n    // Don't let the notification process keep the parent alive\n    child.unref()\n\n    // Kill after 10 seconds if it hasn't exited\n    const timeout = setTimeout(() => {\n      try {\n        child.kill('SIGKILL')\n      }\n      catch {}\n    }, 10_000)\n    timeout.unref()\n\n    child.on('exit', () => clearTimeout(timeout))\n  }\n  catch (err) {\n    // Never let notification failure break the grant flow\n    consola.debug('Notification command failed:', err)\n  }\n}\n","import { basename } from 'node:path'\nimport type { ParsedShellCommand } from '../shapes/shell-parser.js'\n\n/**\n * Subset of `apes` subcommands that remain grant-gated even when invoked\n * as self-dispatches from inside an ape-shell context. These are the\n * three categories where the shell-grant layer adds real security value\n * that isn't duplicated by server-side auth gates or local-file-only\n * semantics:\n *\n *   - `run`   — spawns arbitrary executables, the core of the grant system\n *   - `fetch` — forwards the bearer token to a user-specified URL\n *   - `mcp`   — binds a network port and serves a persistent API\n *\n * Every other `apes <subcmd>` either reads state, mutates the user's own\n * local config, or talks to the IdP through endpoints that are already\n * scoped by the auth token — gating them in the shell is redundant\n * friction, and under 0.9.0's async-default grant flow it actively\n * breaks `apes grants run <id>` via recursion (the polling call itself\n * creates a new grant, cascading indefinitely).\n *\n * This is the single source of truth shared by both dispatch paths:\n *   - Interactive REPL: `shell/grant-dispatch.ts` → `requestGrantForShellLine`\n *   - One-shot `ape-shell -c`: `commands/run.ts` → `runShellMode` (which\n *     receives the bash-c-wrapped command after `rewriteApeShellArgs`\n *     rewrites `ape-shell -c \"<cmd>\"` into `apes run --shell -- bash -c <cmd>`)\n *\n * Keep this list in sync with the blocklist snapshot test in\n * `shell-grant-dispatch.test.ts` — the tripwire that forces a review\n * decision whenever a new top-level apes subcommand is added.\n */\nexport const APES_GATED_SUBCOMMANDS = new Set(['run', 'fetch', 'mcp'])\n\n/**\n * Returns true if the parsed shell command is an `apes <subcmd>`\n * invocation that should bypass the grant flow entirely. Non-apes\n * binaries, compound lines (pipes, &&, etc.), and subcommands in\n * `APES_GATED_SUBCOMMANDS` all return false so they stay on the normal\n * grant path.\n *\n * The caller (either `requestGrantForShellLine` for the REPL path or\n * `runShellMode` for the one-shot path) is responsible for parsing the\n * input string and passing the resulting ParsedShellCommand here.\n */\nexport function isApesSelfDispatch(parsed: ParsedShellCommand | null | undefined): boolean {\n  if (!parsed || parsed.isCompound)\n    return false\n  const invokedName = basename(parsed.executable)\n  if (invokedName !== 'apes' && invokedName !== 'apes.js')\n    return false\n  const subCommand = parsed.argv[0]\n  if (!subCommand)\n    return false\n  return !APES_GATED_SUBCOMMANDS.has(subCommand)\n}\n"],"mappings":";;;;;;AAAA,SAAS,aAAa;AACtB,OAAO,aAAa;AACpB,SAAS,aAAa;AAmBtB,SAAS,wBAA4C;AACnD,MAAI,QAAQ,IAAI;AACd,WAAO,QAAQ,IAAI;AAErB,QAAM,SAAS,WAAW;AAC1B,SAAO,OAAO,eAAe;AAC/B;AAQA,SAAS,YAAY,OAAuB;AAI1C,SAAO,MAAM,CAAC,KAAK,CAAC;AACtB;AAMA,SAAS,eAAe,UAAkB,MAAgC;AACxE,SAAO,SACJ,QAAQ,iBAAiB,YAAY,KAAK,OAAO,CAAC,EAClD,QAAQ,oBAAoB,YAAY,KAAK,UAAU,CAAC,EACxD,QAAQ,gBAAgB,YAAY,KAAK,OAAO,CAAC,EACjD,QAAQ,iBAAiB,YAAY,KAAK,QAAQ,CAAC,EACnD,QAAQ,aAAa,YAAY,KAAK,IAAI,CAAC;AAChD;AAiBO,SAAS,mBAAmB,MAA8B;AAC/D,QAAM,WAAW,sBAAsB;AACvC,MAAI,CAAC;AACH;AAEF,QAAM,WAAW,eAAe,UAAU,IAAI;AAE9C,MAAI;AACF,UAAM,QAAQ,MAAM,MAAM,CAAC,MAAM,QAAQ,GAAG;AAAA,MAC1C,UAAU;AAAA,MACV,OAAO;AAAA,MACP,KAAK,EAAE,GAAG,QAAQ,IAAI;AAAA,IACxB,CAAC;AAGD,UAAM,MAAM;AAGZ,UAAM,UAAU,WAAW,MAAM;AAC/B,UAAI;AACF,cAAM,KAAK,SAAS;AAAA,MACtB,QACM;AAAA,MAAC;AAAA,IACT,GAAG,GAAM;AACT,YAAQ,MAAM;AAEd,UAAM,GAAG,QAAQ,MAAM,aAAa,OAAO,CAAC;AAAA,EAC9C,SACO,KAAK;AAEV,YAAQ,MAAM,gCAAgC,GAAG;AAAA,EACnD;AACF;;;ACtGA,SAAS,gBAAgB;AA+BlB,IAAM,yBAAyB,oBAAI,IAAI,CAAC,OAAO,SAAS,KAAK,CAAC;AAa9D,SAAS,mBAAmB,QAAwD;AACzF,MAAI,CAAC,UAAU,OAAO;AACpB,WAAO;AACT,QAAM,cAAc,SAAS,OAAO,UAAU;AAC9C,MAAI,gBAAgB,UAAU,gBAAgB;AAC5C,WAAO;AACT,QAAM,aAAa,OAAO,KAAK,CAAC;AAChC,MAAI,CAAC;AACH,WAAO;AACT,SAAO,CAAC,uBAAuB,IAAI,UAAU;AAC/C;","names":[]}

package/dist/cli.js

@@ -9,8 +9,9 @@ import {
   readPublicKeyComment
 } from "./chunk-ION3CWD5.js";
 import {
+  isApesSelfDispatch,
   notifyGrantPending
-} from "./chunk-5FV5KXEX.js";
+} from "./chunk-ZHTLP2DD.js";
 import {
   ApiError,
   apiFetch,
@@ -2076,6 +2077,14 @@ async function runShellMode(command, args) {
   const idp = getIdpUrl(args.idp);
   if (!idp)
     throw new CliError("No IdP URL configured. Run `apes login` first or pass --idp.");
+  const innerLine = extractShellCommandString(command);
+  if (innerLine) {
+    const parsedInner = parseShellCommand(innerLine);
+    if (isApesSelfDispatch(parsedInner)) {
+      execShellCommand(command);
+      return;
+    }
+  }
   const adapterHandled = await tryAdapterModeFromShell(command, idp, args);
   if (adapterHandled) return;
   const grantsUrl = await getGrantsEndpoint(idp);
@@ -2193,7 +2202,11 @@ function execShellCommand(command) {
   if (command.length === 0)
     throw new CliError("No command to execute");
   try {
-    execFileSync2(command[0], command.slice(1), { stdio: "inherit" });
+    const { APES_SHELL_WRAPPER: _wrapperMarker, ...inheritedEnv } = process.env;
+    execFileSync2(command[0], command.slice(1), {
+      stdio: "inherit",
+      env: inheritedEnv
+    });
   } catch (err) {
     const exitCode = err.status || 1;
     throw new CliExit(exitCode);
@@ -2313,8 +2326,10 @@ async function runAudienceMode(audience, action, args) {
   if (audience === "escapes") {
     consola19.info(`Executing: ${command.join(" ")}`);
     try {
+      const { APES_SHELL_WRAPPER: _wrapperMarker, ...inheritedEnv } = process.env;
       execFileSync2(args["escapes-path"] || "escapes", ["--grant", authz_jwt, "--", ...command], {
-        stdio: "inherit"
+        stdio: "inherit",
+        env: inheritedEnv
       });
     } catch (err) {
       const exitCode = err.status || 1;
@@ -2593,7 +2608,7 @@ var mcpCommand = defineCommand26({
     if (transport !== "stdio" && transport !== "sse") {
       throw new Error('Transport must be "stdio" or "sse"');
     }
-    const { startMcpServer } = await import("./server-2IMH7YQX.js");
+    const { startMcpServer } = await import("./server-ED5MMYT3.js");
     await startMcpServer(transport, port);
   }
 });
@@ -3085,7 +3100,7 @@ async function bestEffortGrantCount(idp) {
   }
 }
 async function runHealth(args) {
-  const version = true ? "0.9.3" : "0.0.0";
+  const version = true ? "0.9.4" : "0.0.0";
   const auth = loadAuth();
   if (!auth) {
     throw new CliError("Not logged in. Run `apes login` first.", 1);
@@ -3287,10 +3302,10 @@ if (shellRewrite) {
   if (shellRewrite.action === "rewrite") {
     process.argv = shellRewrite.argv;
   } else if (shellRewrite.action === "version") {
-    console.log(`ape-shell ${"0.9.3"} (OpenApe DDISA shell wrapper)`);
+    console.log(`ape-shell ${"0.9.4"} (OpenApe DDISA shell wrapper)`);
     process.exit(0);
   } else if (shellRewrite.action === "help") {
-    console.log(`ape-shell ${"0.9.3"} \u2014 OpenApe DDISA shell wrapper`);
+    console.log(`ape-shell ${"0.9.4"} \u2014 OpenApe DDISA shell wrapper`);
     console.log("");
     console.log("Usage:");
     console.log("  ape-shell                 Start interactive grant-mediated REPL");
@@ -3305,7 +3320,7 @@ if (shellRewrite) {
     console.log("  --help, -h      Show this help message");
     process.exit(0);
   } else if (shellRewrite.action === "interactive") {
-    const { runInteractiveShell } = await import("./orchestrator-MVOSHEI2.js");
+    const { runInteractiveShell } = await import("./orchestrator-5EZD7ZQE.js");
     await runInteractiveShell();
     process.exit(0);
   } else {
@@ -3348,7 +3363,7 @@ var configCommand = defineCommand33({
 var main = defineCommand33({
   meta: {
     name: "apes",
-    version: "0.9.3",
+    version: "0.9.4",
     description: "Unified CLI for OpenApe"
   },
   subCommands: {