@openape/apes 0.9.4 → 0.10.1

package/dist/{auth-lock-6GGWZVOA.js → auth-lock-O7BTENTJ.js}

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 import {
   CONFIG_DIR
-} from "./chunk-ILKZ5HGV.js";
+} from "./chunk-6JSOSD7R.js";
 
 // src/auth-lock.ts
 import { open, rm, stat } from "fs/promises";
@@ -38,4 +38,4 @@ export {
   acquireAuthLock,
   releaseAuthLock
 };
-//# sourceMappingURL=auth-lock-6GGWZVOA.js.map
+//# sourceMappingURL=auth-lock-O7BTENTJ.js.map

package/dist/{chunk-ILKZ5HGV.js → chunk-6JSOSD7R.js}

@@ -142,4 +142,4 @@ export {
   getAuthToken,
   getRequesterIdentity
 };
-//# sourceMappingURL=chunk-ILKZ5HGV.js.map
+//# sourceMappingURL=chunk-6JSOSD7R.js.map

package/dist/chunk-6JSOSD7R.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/config.ts"],"sourcesContent":["import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs'\nimport { homedir } from 'node:os'\nimport { join } from 'node:path'\n\nexport interface AuthData {\n  idp: string\n  access_token: string\n  refresh_token?: string\n  email: string\n  expires_at: number\n}\n\nexport interface ApesConfig {\n  defaults?: {\n    idp?: string\n    approval?: string\n    /**\n     * Audience for the `apes run` async info block. `agent` (default)\n     * emits verbose agent-facing instructions with a polling protocol;\n     * `human` emits a short friendly block. Env var `APES_USER` wins.\n     */\n    user?: 'agent' | 'human'\n    /**\n     * Poll interval (seconds) embedded in the agent-mode instructions.\n     * Default 10. Env var `APES_GRANT_POLL_INTERVAL` wins. Stored as a\n     * string in TOML because the hand-rolled parser only handles quoted\n     * values — casting to number happens at read time.\n     */\n    grant_poll_interval_seconds?: string\n    /**\n     * Maximum poll duration (minutes) embedded in the agent-mode\n     * instructions. Default 5. Env var `APES_GRANT_POLL_MAX_MINUTES` wins.\n     */\n    grant_poll_max_minutes?: string\n    /**\n     * Exit code emitted by `apes run` / `ape-shell -c` when the async\n     * default path creates a pending grant. Default `75` (`EX_TEMPFAIL`\n     * from sysexits.h — \"temporary failure, retry later\"). Set to `0`\n     * to restore the pre-0.10.0 exit-0 behaviour. Env var\n     * `APES_ASYNC_EXIT_CODE` wins. Valid range 0–255.\n     */\n    async_exit_code?: string\n  }\n  agent?: {\n    key?: string\n    email?: string\n  }\n  notifications?: {\n    pending_command?: string\n  }\n}\n\nconst CONFIG_DIR = join(homedir(), '.config', 'apes')\nconst AUTH_FILE = join(CONFIG_DIR, 'auth.json')\nconst CONFIG_FILE = join(CONFIG_DIR, 'config.toml')\n\nfunction ensureDir() {\n  if (!existsSync(CONFIG_DIR)) {\n    mkdirSync(CONFIG_DIR, { recursive: true })\n  }\n}\n\nexport function loadAuth(): AuthData | null {\n  if (!existsSync(AUTH_FILE))\n    return null\n  try {\n    return JSON.parse(readFileSync(AUTH_FILE, 'utf-8'))\n  }\n  catch {\n    return null\n  }\n}\n\nexport function saveAuth(data: AuthData): void {\n  ensureDir()\n  writeFileSync(AUTH_FILE, JSON.stringify(data, null, 2), { mode: 0o600 })\n}\n\nexport function clearAuth(): void {\n  if (existsSync(AUTH_FILE)) {\n    writeFileSync(AUTH_FILE, '', { mode: 0o600 })\n  }\n  // Also wipe the [agent] section from config.toml so logout disables\n  // auto-refresh. Preserves [defaults] so the IdP URL stays configured.\n  if (existsSync(CONFIG_FILE)) {\n    const existing = loadConfig()\n    if (existing.agent) {\n      const { agent: _removed, ...rest } = existing\n      saveConfig(rest)\n    }\n  }\n}\n\nexport function loadConfig(): ApesConfig {\n  if (!existsSync(CONFIG_FILE))\n    return {}\n  try {\n    return parseTOML(readFileSync(CONFIG_FILE, 'utf-8'))\n  }\n  catch {\n    return {}\n  }\n}\n\nfunction parseTOML(content: string): ApesConfig {\n  const config: ApesConfig = {}\n  let section = ''\n\n  for (const line of content.split('\\n')) {\n    const trimmed = line.trim()\n    if (!trimmed || trimmed.startsWith('#'))\n      continue\n\n    const sectionMatch = trimmed.match(/^\\[(.+)\\]$/)\n    if (sectionMatch) {\n      section = sectionMatch[1]!\n      continue\n    }\n\n    const kvMatch = trimmed.match(/^(\\w+)\\s*=\\s*\"(.+)\"$/)\n    if (kvMatch) {\n      const [, key, value] = kvMatch\n      if (section === 'defaults') {\n        config.defaults = config.defaults || {}\n        ;(config.defaults as Record<string, string>)[key!] = value!\n      }\n      else if (section === 'agent') {\n        config.agent = config.agent || {}\n        ;(config.agent as Record<string, string>)[key!] = value!\n      }\n      else if (section === 'notifications') {\n        config.notifications = config.notifications || {}\n        ;(config.notifications as Record<string, string>)[key!] = value!\n      }\n    }\n  }\n\n  return config\n}\n\nexport function saveConfig(config: ApesConfig): void {\n  ensureDir()\n  const lines: string[] = []\n\n  if (config.defaults) {\n    lines.push('[defaults]')\n    for (const [key, value] of Object.entries(config.defaults)) {\n      if (value)\n        lines.push(`${key} = \"${value}\"`)\n    }\n    lines.push('')\n  }\n\n  if (config.agent) {\n    lines.push('[agent]')\n    for (const [key, value] of Object.entries(config.agent)) {\n      if (value)\n        lines.push(`${key} = \"${value}\"`)\n    }\n    lines.push('')\n  }\n\n  if (config.notifications) {\n    lines.push('[notifications]')\n    for (const [key, value] of Object.entries(config.notifications)) {\n      if (value)\n        lines.push(`${key} = \"${value}\"`)\n    }\n    lines.push('')\n  }\n\n  writeFileSync(CONFIG_FILE, lines.join('\\n'), { mode: 0o600 })\n}\n\nexport function getIdpUrl(explicit?: string): string | null {\n  if (explicit)\n    return explicit\n  if (process.env.APES_IDP)\n    return process.env.APES_IDP\n\n  const auth = loadAuth()\n  if (auth?.idp)\n    return auth.idp\n\n  const config = loadConfig()\n  if (config.defaults?.idp)\n    return config.defaults.idp\n\n  return null\n}\n\nexport function getAuthToken(): string | null {\n  const auth = loadAuth()\n  if (!auth)\n    return null\n\n  // Check expiry (with 30s buffer)\n  if (auth.expires_at && Date.now() / 1000 > auth.expires_at - 30) {\n    return null // expired\n  }\n\n  return auth.access_token\n}\n\nexport function getRequesterIdentity(): string | null {\n  return loadAuth()?.email ?? null\n}\n\nexport { CONFIG_DIR, AUTH_FILE }\n"],"mappings":";;;AAAA,SAAS,YAAY,WAAW,cAAc,qBAAqB;AACnE,SAAS,eAAe;AACxB,SAAS,YAAY;AAkDrB,IAAM,aAAa,KAAK,QAAQ,GAAG,WAAW,MAAM;AACpD,IAAM,YAAY,KAAK,YAAY,WAAW;AAC9C,IAAM,cAAc,KAAK,YAAY,aAAa;AAElD,SAAS,YAAY;AACnB,MAAI,CAAC,WAAW,UAAU,GAAG;AAC3B,cAAU,YAAY,EAAE,WAAW,KAAK,CAAC;AAAA,EAC3C;AACF;AAEO,SAAS,WAA4B;AAC1C,MAAI,CAAC,WAAW,SAAS;AACvB,WAAO;AACT,MAAI;AACF,WAAO,KAAK,MAAM,aAAa,WAAW,OAAO,CAAC;AAAA,EACpD,QACM;AACJ,WAAO;AAAA,EACT;AACF;AAEO,SAAS,SAAS,MAAsB;AAC7C,YAAU;AACV,gBAAc,WAAW,KAAK,UAAU,MAAM,MAAM,CAAC,GAAG,EAAE,MAAM,IAAM,CAAC;AACzE;AAEO,SAAS,YAAkB;AAChC,MAAI,WAAW,SAAS,GAAG;AACzB,kBAAc,WAAW,IAAI,EAAE,MAAM,IAAM,CAAC;AAAA,EAC9C;AAGA,MAAI,WAAW,WAAW,GAAG;AAC3B,UAAM,WAAW,WAAW;AAC5B,QAAI,SAAS,OAAO;AAClB,YAAM,EAAE,OAAO,UAAU,GAAG,KAAK,IAAI;AACrC,iBAAW,IAAI;AAAA,IACjB;AAAA,EACF;AACF;AAEO,SAAS,aAAyB;AACvC,MAAI,CAAC,WAAW,WAAW;AACzB,WAAO,CAAC;AACV,MAAI;AACF,WAAO,UAAU,aAAa,aAAa,OAAO,CAAC;AAAA,EACrD,QACM;AACJ,WAAO,CAAC;AAAA,EACV;AACF;AAEA,SAAS,UAAU,SAA6B;AAC9C,QAAM,SAAqB,CAAC;AAC5B,MAAI,UAAU;AAEd,aAAW,QAAQ,QAAQ,MAAM,IAAI,GAAG;AACtC,UAAM,UAAU,KAAK,KAAK;AAC1B,QAAI,CAAC,WAAW,QAAQ,WAAW,GAAG;AACpC;AAEF,UAAM,eAAe,QAAQ,MAAM,YAAY;AAC/C,QAAI,cAAc;AAChB,gBAAU,aAAa,CAAC;AACxB;AAAA,IACF;AAEA,UAAM,UAAU,QAAQ,MAAM,sBAAsB;AACpD,QAAI,SAAS;AACX,YAAM,CAAC,EAAE,KAAK,KAAK,IAAI;AACvB,UAAI,YAAY,YAAY;AAC1B,eAAO,WAAW,OAAO,YAAY,CAAC;AACrC,QAAC,OAAO,SAAoC,GAAI,IAAI;AAAA,MACvD,WACS,YAAY,SAAS;AAC5B,eAAO,QAAQ,OAAO,SAAS,CAAC;AAC/B,QAAC,OAAO,MAAiC,GAAI,IAAI;AAAA,MACpD,WACS,YAAY,iBAAiB;AACpC,eAAO,gBAAgB,OAAO,iBAAiB,CAAC;AAC/C,QAAC,OAAO,cAAyC,GAAI,IAAI;AAAA,MAC5D;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AACT;AAEO,SAAS,WAAW,QAA0B;AACnD,YAAU;AACV,QAAM,QAAkB,CAAC;AAEzB,MAAI,OAAO,UAAU;AACnB,UAAM,KAAK,YAAY;AACvB,eAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,OAAO,QAAQ,GAAG;AAC1D,UAAI;AACF,cAAM,KAAK,GAAG,GAAG,OAAO,KAAK,GAAG;AAAA,IACpC;AACA,UAAM,KAAK,EAAE;AAAA,EACf;AAEA,MAAI,OAAO,OAAO;AAChB,UAAM,KAAK,SAAS;AACpB,eAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,OAAO,KAAK,GAAG;AACvD,UAAI;AACF,cAAM,KAAK,GAAG,GAAG,OAAO,KAAK,GAAG;AAAA,IACpC;AACA,UAAM,KAAK,EAAE;AAAA,EACf;AAEA,MAAI,OAAO,eAAe;AACxB,UAAM,KAAK,iBAAiB;AAC5B,eAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,OAAO,aAAa,GAAG;AAC/D,UAAI;AACF,cAAM,KAAK,GAAG,GAAG,OAAO,KAAK,GAAG;AAAA,IACpC;AACA,UAAM,KAAK,EAAE;AAAA,EACf;AAEA,gBAAc,aAAa,MAAM,KAAK,IAAI,GAAG,EAAE,MAAM,IAAM,CAAC;AAC9D;AAEO,SAAS,UAAU,UAAkC;AAC1D,MAAI;AACF,WAAO;AACT,MAAI,QAAQ,IAAI;AACd,WAAO,QAAQ,IAAI;AAErB,QAAM,OAAO,SAAS;AACtB,MAAI,MAAM;AACR,WAAO,KAAK;AAEd,QAAM,SAAS,WAAW;AAC1B,MAAI,OAAO,UAAU;AACnB,WAAO,OAAO,SAAS;AAEzB,SAAO;AACT;AAEO,SAAS,eAA8B;AAC5C,QAAM,OAAO,SAAS;AACtB,MAAI,CAAC;AACH,WAAO;AAGT,MAAI,KAAK,cAAc,KAAK,IAAI,IAAI,MAAO,KAAK,aAAa,IAAI;AAC/D,WAAO;AAAA,EACT;AAEA,SAAO,KAAK;AACd;AAEO,SAAS,uBAAsC;AACpD,SAAO,SAAS,GAAG,SAAS;AAC9B;","names":[]}

package/dist/{chunk-ZHTLP2DD.js → chunk-EAXBC4KC.js}

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 import {
   loadConfig
-} from "./chunk-ILKZ5HGV.js";
+} from "./chunk-6JSOSD7R.js";
 
 // src/notifications.ts
 import { spawn } from "child_process";
@@ -63,4 +63,4 @@ export {
   notifyGrantPending,
   isApesSelfDispatch
 };
-//# sourceMappingURL=chunk-ZHTLP2DD.js.map
+//# sourceMappingURL=chunk-EAXBC4KC.js.map

package/dist/{chunk-D3OMN7RV.js → chunk-U4CI2RBO.js}

@@ -5,7 +5,7 @@ import {
   loadAuth,
   loadConfig,
   saveAuth
-} from "./chunk-ILKZ5HGV.js";
+} from "./chunk-6JSOSD7R.js";
 
 // src/http.ts
 import consola from "consola";
@@ -104,7 +104,7 @@ async function refreshOAuthToken() {
   const auth = loadAuth();
   if (!auth?.refresh_token)
     return null;
-  const { acquireAuthLock, releaseAuthLock } = await import("./auth-lock-6GGWZVOA.js");
+  const { acquireAuthLock, releaseAuthLock } = await import("./auth-lock-O7BTENTJ.js");
   const lock = await acquireAuthLock({ timeoutMs: 5e3 });
   if (!lock) {
     return getAuthToken();
@@ -1302,4 +1302,4 @@ export {
   buildExactCommandGrantRequest,
   buildStructuredCliGrantRequest
 };
-//# sourceMappingURL=chunk-D3OMN7RV.js.map
+//# sourceMappingURL=chunk-U4CI2RBO.js.map

package/dist/cli.js

@@ -11,7 +11,7 @@ import {
 import {
   isApesSelfDispatch,
   notifyGrantPending
-} from "./chunk-ZHTLP2DD.js";
+} from "./chunk-EAXBC4KC.js";
 import {
   ApiError,
   apiFetch,
@@ -42,7 +42,7 @@ import {
   searchAdapters,
   verifyAndExecute,
   waitForGrantStatus
-} from "./chunk-D3OMN7RV.js";
+} from "./chunk-U4CI2RBO.js";
 import {
   AUTH_FILE,
   CONFIG_DIR,
@@ -53,7 +53,7 @@ import {
   loadConfig,
   saveAuth,
   saveConfig
-} from "./chunk-ILKZ5HGV.js";
+} from "./chunk-6JSOSD7R.js";
 
 // src/cli.ts
 import consola27 from "consola";
@@ -1064,6 +1064,59 @@ var revokeCommand = defineCommand11({
 import { execFileSync } from "child_process";
 import { defineCommand as defineCommand12 } from "citty";
 import consola12 from "consola";
+
+// src/grant-poll.ts
+function getPollIntervalSeconds() {
+  const envValue = process.env.APES_GRANT_POLL_INTERVAL;
+  if (envValue) {
+    const n = Number(envValue);
+    if (Number.isFinite(n) && n > 0)
+      return Math.floor(n);
+  }
+  const cfg = loadConfig();
+  const cfgValue = cfg.defaults?.grant_poll_interval_seconds;
+  if (cfgValue) {
+    const n = Number(cfgValue);
+    if (Number.isFinite(n) && n > 0)
+      return Math.floor(n);
+  }
+  return 10;
+}
+function getPollMaxMinutes() {
+  const envValue = process.env.APES_GRANT_POLL_MAX_MINUTES;
+  if (envValue) {
+    const n = Number(envValue);
+    if (Number.isFinite(n) && n > 0)
+      return Math.floor(n);
+  }
+  const cfg = loadConfig();
+  const cfgValue = cfg.defaults?.grant_poll_max_minutes;
+  if (cfgValue) {
+    const n = Number(cfgValue);
+    if (Number.isFinite(n) && n > 0)
+      return Math.floor(n);
+  }
+  return 5;
+}
+async function pollGrantUntilResolved(idp, grantId) {
+  const grantsEndpoint = await getGrantsEndpoint(idp);
+  const intervalSec = getPollIntervalSeconds();
+  const maxMinutes = getPollMaxMinutes();
+  const maxMs = maxMinutes * 6e4;
+  const intervalMs = intervalSec * 1e3;
+  const start = Date.now();
+  while (Date.now() - start < maxMs) {
+    const grant = await apiFetch(`${grantsEndpoint}/${grantId}`);
+    if (grant.status === "approved")
+      return { kind: "approved" };
+    if (grant.status === "denied" || grant.status === "revoked" || grant.status === "used")
+      return { kind: "terminal", status: grant.status };
+    await new Promise((r) => setTimeout(r, intervalMs));
+  }
+  return { kind: "timeout" };
+}
+
+// src/commands/grants/run.ts
 var runGrantCommand = defineCommand12({
   meta: {
     name: "run",
@@ -1079,6 +1132,11 @@ var runGrantCommand = defineCommand12({
       type: "string",
       description: "Path to escapes binary (audience=escapes only)",
       default: "escapes"
+    },
+    wait: {
+      type: "boolean",
+      description: "If the grant is pending, block and poll until approved (or denied/revoked/used/timeout). Reuses APES_GRANT_POLL_INTERVAL / APES_GRANT_POLL_MAX_MINUTES knobs.",
+      default: false
     }
   },
   async run({ args }) {
@@ -1086,9 +1144,29 @@ var runGrantCommand = defineCommand12({
     if (!idp)
       throw new CliError("No IdP URL configured. Run `apes login` first or pass --idp.");
     const grantsUrl = await getGrantsEndpoint(idp);
-    const grant = await apiFetch(`${grantsUrl}/${args.id}`);
-    if (grant.status === "pending")
-      throw new CliError(`Grant ${grant.id} is still pending. Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
+    let grant = await apiFetch(`${grantsUrl}/${args.id}`);
+    if (grant.status === "pending") {
+      if (!args.wait) {
+        throw new CliError(
+          `Grant ${grant.id} is still pending. Approve at: ${idp}/grant-approval?grant_id=${grant.id}`
+        );
+      }
+      const maxMinutes = getPollMaxMinutes();
+      consola12.info(`Waiting for grant ${grant.id} approval (up to ${maxMinutes} minute${maxMinutes === 1 ? "" : "s"})...`);
+      const outcome = await pollGrantUntilResolved(idp, grant.id);
+      if (outcome.kind === "timeout") {
+        throw new CliError(
+          `Grant ${grant.id} approval timed out after ${maxMinutes} minute${maxMinutes === 1 ? "" : "s"}. Re-run after approval, or extend the timeout via APES_GRANT_POLL_MAX_MINUTES.`
+        );
+      }
+      if (outcome.kind === "terminal") {
+        throw new CliError(
+          `Grant ${grant.id} resolved to ${outcome.status}. Request a new one.`
+        );
+      }
+      grant = await apiFetch(`${grantsUrl}/${args.id}`);
+      consola12.info(`Grant ${grant.id} approved \u2014 continuing`);
+    }
     if (grant.status === "denied" || grant.status === "revoked")
       throw new CliError(`Grant ${grant.id} is ${grant.status}. Request a new one.`);
     if (grant.status === "used")
@@ -1940,37 +2018,21 @@ function getUserMode() {
     return "human";
   return "agent";
 }
-function getPollIntervalSeconds() {
-  const envValue = process.env.APES_GRANT_POLL_INTERVAL;
-  if (envValue) {
+function getAsyncExitCode() {
+  const envValue = process.env.APES_ASYNC_EXIT_CODE;
+  if (envValue !== void 0 && envValue !== "") {
     const n = Number(envValue);
-    if (Number.isFinite(n) && n > 0)
+    if (Number.isFinite(n) && n >= 0 && n <= 255)
       return Math.floor(n);
   }
   const cfg = loadConfig();
-  const cfgValue = cfg.defaults?.grant_poll_interval_seconds;
-  if (cfgValue) {
+  const cfgValue = cfg.defaults?.async_exit_code;
+  if (cfgValue !== void 0 && cfgValue !== "") {
     const n = Number(cfgValue);
-    if (Number.isFinite(n) && n > 0)
+    if (Number.isFinite(n) && n >= 0 && n <= 255)
       return Math.floor(n);
   }
-  return 10;
-}
-function getPollMaxMinutes() {
-  const envValue = process.env.APES_GRANT_POLL_MAX_MINUTES;
-  if (envValue) {
-    const n = Number(envValue);
-    if (Number.isFinite(n) && n > 0)
-      return Math.floor(n);
-  }
-  const cfg = loadConfig();
-  const cfgValue = cfg.defaults?.grant_poll_max_minutes;
-  if (cfgValue) {
-    const n = Number(cfgValue);
-    if (Number.isFinite(n) && n > 0)
-      return Math.floor(n);
-  }
-  return 5;
+  return 75;
 }
 function printPendingGrantInfo(grant, idp) {
   const mode = getUserMode();
@@ -1987,17 +2049,25 @@ function printPendingGrantInfo(grant, idp) {
     console.log("  this grant without re-approval on the next invocation.");
     return;
   }
-  const pollSec = getPollIntervalSeconds();
   const maxMin = getPollMaxMinutes();
   consola19.success(`Grant ${grant.id} created (pending approval)`);
   console.log(`  Approve:   ${approveUrl}`);
   console.log(`  Status:    ${statusCmd} [--json]`);
-  console.log(`  Execute:   ${executeCmd}`);
+  console.log(`  Execute:   ${executeCmd} --wait`);
   console.log("");
-  console.log(`  For agents: poll \`${statusCmd} --json\` every ${pollSec}s, wait up to ${maxMin} minutes.`);
-  console.log(`  When .status == "approved", run \`${executeCmd}\` to execute.`);
-  console.log(`  On "denied" or "revoked", stop and report to the user.`);
-  console.log(`  On timeout, stop and notify the user that approval has not happened.`);
+  console.log("  For agents:");
+  console.log(`    1. Tell the user about the pending grant and the approve URL above.`);
+  console.log(`    2. Run \`${executeCmd} --wait\`. This blocks up to ${maxMin} minutes`);
+  console.log(`       until the user approves (or denies/timeout) and then executes`);
+  console.log(`       the command in a single step. The CLI handles the polling loop`);
+  console.log(`       internally \u2014 you do not need to poll the status yourself.`);
+  console.log(`    3. Exit 0 means approved + executed; stdout is the command output.`);
+  console.log(`       Exit 75 (pending) only appears if you accidentally call this`);
+  console.log(`       without --wait. Any other non-zero exit means denied, revoked,`);
+  console.log(`       used, or timeout \u2014 report the reason to the user.`);
+  console.log("");
+  console.log('  Note: exit code 75 (EX_TEMPFAIL) from this command means "pending,');
+  console.log('  retry later" \u2014 do not abort your workflow, follow the steps above.');
   console.log("");
   console.log('  Tip: Approve as "timed" or "always" in the browser to let this');
   console.log("  grant be reused on subsequent invocations without re-approval.");
@@ -2139,6 +2209,7 @@ async function runShellMode(command, args) {
     return;
   }
   printPendingGrantInfo(grant, idp);
+  throw new CliExit(getAsyncExitCode());
 }
 async function tryAdapterModeFromShell(command, idp, args) {
   const cmdString = extractShellCommandString(command);
@@ -2196,7 +2267,7 @@ async function tryAdapterModeFromShell(command, idp, args) {
     return true;
   }
   printPendingGrantInfo(grant, idp);
-  return true;
+  throw new CliExit(getAsyncExitCode());
 }
 function execShellCommand(command) {
   if (command.length === 0)
@@ -2276,6 +2347,7 @@ async function runAdapterMode(command, rawArgs, args) {
     return;
   }
   printPendingGrantInfo(grant, idp);
+  throw new CliExit(getAsyncExitCode());
 }
 async function runAudienceMode(audience, action, args) {
   const auth = loadAuth();
@@ -2301,7 +2373,7 @@ async function runAudienceMode(audience, action, args) {
   });
   if (!shouldWaitForGrant(args)) {
     printPendingGrantInfo(grant, idp);
-    return;
+    throw new CliExit(getAsyncExitCode());
   }
   consola19.success(`Grant requested: ${grant.id}`);
   consola19.info("Waiting for approval...");
@@ -2608,7 +2680,7 @@ var mcpCommand = defineCommand26({
     if (transport !== "stdio" && transport !== "sse") {
       throw new Error('Transport must be "stdio" or "sse"');
     }
-    const { startMcpServer } = await import("./server-ED5MMYT3.js");
+    const { startMcpServer } = await import("./server-GTATJDYX.js");
     await startMcpServer(transport, port);
   }
 });
@@ -3100,7 +3172,7 @@ async function bestEffortGrantCount(idp) {
   }
 }
 async function runHealth(args) {
-  const version = true ? "0.9.4" : "0.0.0";
+  const version = true ? "0.10.1" : "0.0.0";
   const auth = loadAuth();
   if (!auth) {
     throw new CliError("Not logged in. Run `apes login` first.", 1);
@@ -3302,10 +3374,10 @@ if (shellRewrite) {
   if (shellRewrite.action === "rewrite") {
     process.argv = shellRewrite.argv;
   } else if (shellRewrite.action === "version") {
-    console.log(`ape-shell ${"0.9.4"} (OpenApe DDISA shell wrapper)`);
+    console.log(`ape-shell ${"0.10.1"} (OpenApe DDISA shell wrapper)`);
     process.exit(0);
   } else if (shellRewrite.action === "help") {
-    console.log(`ape-shell ${"0.9.4"} \u2014 OpenApe DDISA shell wrapper`);
+    console.log(`ape-shell ${"0.10.1"} \u2014 OpenApe DDISA shell wrapper`);
     console.log("");
     console.log("Usage:");
     console.log("  ape-shell                 Start interactive grant-mediated REPL");
@@ -3320,7 +3392,7 @@ if (shellRewrite) {
     console.log("  --help, -h      Show this help message");
     process.exit(0);
   } else if (shellRewrite.action === "interactive") {
-    const { runInteractiveShell } = await import("./orchestrator-5EZD7ZQE.js");
+    const { runInteractiveShell } = await import("./orchestrator-QL3AT67U.js");
     await runInteractiveShell();
     process.exit(0);
   } else {
@@ -3363,7 +3435,7 @@ var configCommand = defineCommand33({
 var main = defineCommand33({
   meta: {
     name: "apes",
-    version: "0.9.4",
+    version: "0.10.1",
     description: "Unified CLI for OpenApe"
   },
   subCommands: {