@openape/apes 1.10.0 → 1.12.0

package/dist/cli.js

@@ -7,8 +7,11 @@ import {
 import {
   CliError,
   CliExit,
-  parseDuration
-} from "./chunk-ZSJU7IXE.js";
+  RpcSessionMap,
+  parseDuration,
+  runLoop,
+  taskTools
+} from "./chunk-TDSCDH5P.js";
 import {
   loadEd25519PrivateKey,
   readPublicKeyComment
@@ -74,7 +77,7 @@ import {
 import "./chunk-7OCVIDC7.js";
 
 // src/cli.ts
-import consola51 from "consola";
+import consola49 from "consola";
 
 // src/ape-shell.ts
 import path from "path";
@@ -104,7 +107,7 @@ function rewriteApeShellArgs(argv, argv0) {
 }
 
 // src/cli.ts
-import { defineCommand as defineCommand61, runMain } from "citty";
+import { defineCommand as defineCommand60, runMain } from "citty";
 
 // src/commands/auth/login.ts
 import { Buffer as Buffer2 } from "buffer";
@@ -317,7 +320,7 @@ async function loginWithPKCE(idp) {
   authUrl.searchParams.set("state", state);
   authUrl.searchParams.set("nonce", nonce);
   authUrl.searchParams.set("scope", "openid email profile offline_access");
-  const code = await new Promise((resolve5, reject) => {
+  const code = await new Promise((resolve4, reject) => {
     const server = createServer((req, res) => {
       const url = new URL(req.url, `http://localhost:${CALLBACK_PORT}`);
       if (url.pathname === "/callback") {
@@ -334,7 +337,7 @@ async function loginWithPKCE(idp) {
           res.writeHead(200, { "Content-Type": "text/html" });
           res.end("<h1>Login successful!</h1><p>You can close this window.</p>");
           server.close();
-          resolve5(authCode);
+          resolve4(authCode);
           return;
         }
         res.writeHead(400);
@@ -895,7 +898,7 @@ async function waitForApproval2(grantsUrl, grantId) {
     if (grant.status === "revoked") {
       throw new CliError("Grant revoked.");
     }
-    await new Promise((resolve5) => setTimeout(resolve5, interval));
+    await new Promise((resolve4) => setTimeout(resolve4, interval));
   }
   throw new CliError("Timed out waiting for approval.");
 }
@@ -2262,7 +2265,7 @@ function createFetch(globalOptions = {}) {
       if (retries > 0 && (Array.isArray(context.options.retryStatusCodes) ? context.options.retryStatusCodes.includes(responseCode) : retryStatusCodes.has(responseCode))) {
         const retryDelay = typeof context.options.retryDelay === "function" ? context.options.retryDelay(context) : context.options.retryDelay || 0;
         if (retryDelay > 0) {
-          await new Promise((resolve5) => setTimeout(resolve5, retryDelay));
+          await new Promise((resolve4) => setTimeout(resolve4, retryDelay));
         }
         return $fetchRaw(context.request, {
           ...context.options,
@@ -2690,46 +2693,19 @@ function buildBridgeBlock(bridge) {
   return `
 mkdir -p "$HOME_DIR/Library/Application Support/openape/bridge" "$HOME_DIR/Library/Logs"
 cat > "$HOME_DIR/Library/Application Support/openape/bridge/.env" ${shHeredoc(bridge.envFile)}
-cat > "$HOME_DIR/Library/Application Support/openape/bridge/start.sh" ${shHeredoc(bridge.startScript)}
-chmod 755 "$HOME_DIR/Library/Application Support/openape/bridge/start.sh"
 chmod 600 "$HOME_DIR/Library/Application Support/openape/bridge/.env"
-
-# System-wide LaunchDaemon \u2014 root-owned, mode 644 (launchd refuses
-# group/world-writable plists). UserName in the plist makes launchd run
-# the binary as the agent, not root.
-cat > ${shQuote(bridge.plistPath)} ${shHeredoc(bridge.plistContent)}
-chown root:wheel ${shQuote(bridge.plistPath)}
-chmod 644 ${shQuote(bridge.plistPath)}
 `;
 }
-function buildBridgeBootstrapBlock(bridge, _name) {
-  if (!bridge) return "";
-  return `
-launchctl bootout "system/${bridge.plistLabel}" 2>/dev/null || true
-launchctl bootstrap system ${shQuote(bridge.plistPath)} || \\
-  echo "warn: bridge bootstrap into system domain failed; check ${bridge.plistPath}"
-`;
+function buildBridgeBootstrapBlock(_bridge, _name) {
+  return "";
 }
-function buildTroopBlock(troop) {
-  if (!troop) return "";
+function buildTroopBlock(_troop) {
   return `
-mkdir -p "$HOME_DIR/Library/LaunchAgents" "$HOME_DIR/Library/Logs" "$HOME_DIR/.openape/agent/tasks"
-cat > ${shQuote(troop.plistPath)} ${shHeredoc(troop.plistContent)}
-chown root:wheel ${shQuote(troop.plistPath)}
-chmod 644 ${shQuote(troop.plistPath)}
+mkdir -p "$HOME_DIR/Library/Logs" "$HOME_DIR/.openape/agent/tasks"
 `;
 }
-function buildTroopBootstrapBlock(troop, name) {
-  if (!troop) return "";
-  return `
-# Bootstrap the troop sync launchd in the system domain. setup.sh runs
-# as root via \`apes run --as root\`, so we have permission. Stale label
-# is bootouted first to make re-spawn idempotent.
-echo "==> Installing troop sync launchd as ${name}\u2026"
-launchctl bootout "system/${troop.plistLabel}" 2>/dev/null || true
-launchctl bootstrap system ${shQuote(troop.plistPath)} || \\
-  echo "warn: troop sync bootstrap failed; check ${troop.plistPath}"
-`;
+function buildTroopBootstrapBlock(_troop, _name) {
+  return "";
 }
 function buildDestroyTeardownScript(input) {
   const { name, homeDir, adminUser } = input;
@@ -2992,7 +2968,7 @@ function readPasswordSilent(prompt) {
       "No TTY available for the silent password prompt. Set APES_ADMIN_PASSWORD in the environment instead."
     ));
   }
-  return new Promise((resolve5, reject) => {
+  return new Promise((resolve4, reject) => {
     process.stdout.write(prompt);
     const wasRaw = process.stdin.isRaw ?? false;
     process.stdin.setRawMode(true);
@@ -3007,7 +2983,7 @@ function readPasswordSilent(prompt) {
         if (ch === "\r" || ch === "\n") {
           cleanup();
           process.stdout.write("\n");
-          resolve5(buf);
+          resolve4(buf);
           return;
         }
         if (code === 3) {
@@ -3303,481 +3279,12 @@ var registerAgentCommand = defineCommand23({
 });
 
 // src/commands/agents/run.ts
-import { existsSync as existsSync5, readFileSync as readFileSync5 } from "fs";
-import { homedir as homedir5 } from "os";
+import { existsSync as existsSync5, readFileSync as readFileSync4 } from "fs";
+import { homedir as homedir4 } from "os";
 import { join as join3 } from "path";
 import { defineCommand as defineCommand24 } from "citty";
 import consola22 from "consola";
 
-// src/lib/agent-tools/file.ts
-import { mkdirSync, readFileSync as readFileSync4, writeFileSync as writeFileSync2 } from "fs";
-import { homedir as homedir4 } from "os";
-import { dirname, normalize, resolve as resolve2 } from "path";
-var MAX_BYTES = 1024 * 1024;
-function jailPath(input) {
-  if (typeof input !== "string" || input === "") {
-    throw new Error("path must be a non-empty string");
-  }
-  const home = homedir4();
-  const candidate = input.startsWith("~/") ? resolve2(home, input.slice(2)) : input.startsWith("/") ? normalize(input) : resolve2(home, input);
-  if (candidate !== home && !candidate.startsWith(`${home}/`)) {
-    throw new Error(`path "${input}" resolves outside the agent's home`);
-  }
-  return candidate;
-}
-var fileTools = [
-  {
-    name: "file.read",
-    description: "Read a UTF-8 file from the agent's home directory ($HOME). Capped at 1MB. Path traversal blocked.",
-    parameters: {
-      type: "object",
-      properties: {
-        path: { type: "string", description: "Path relative to $HOME (or absolute under $HOME). `..` segments are rejected." }
-      },
-      required: ["path"]
-    },
-    execute: async (args) => {
-      const a = args;
-      const p2 = jailPath(a.path);
-      const content = readFileSync4(p2, "utf8");
-      if (Buffer.byteLength(content, "utf8") > MAX_BYTES) {
-        return { path: p2, truncated: true, content: content.slice(0, MAX_BYTES) };
-      }
-      return { path: p2, truncated: false, content };
-    }
-  },
-  {
-    name: "file.write",
-    description: "Write a UTF-8 file under the agent's home directory. Creates parent dirs as needed. 1MB max.",
-    parameters: {
-      type: "object",
-      properties: {
-        path: { type: "string", description: "Path relative to $HOME (or absolute under $HOME)." },
-        content: { type: "string", description: "File body. Existing files are overwritten." }
-      },
-      required: ["path", "content"]
-    },
-    execute: async (args) => {
-      const a = args;
-      if (typeof a.content !== "string") throw new Error("content must be a string");
-      if (Buffer.byteLength(a.content, "utf8") > MAX_BYTES) {
-        throw new Error(`content exceeds ${MAX_BYTES} byte cap`);
-      }
-      const p2 = jailPath(a.path);
-      mkdirSync(dirname(p2), { recursive: true });
-      writeFileSync2(p2, a.content, { encoding: "utf8" });
-      return { path: p2, bytes: Buffer.byteLength(a.content, "utf8") };
-    }
-  }
-];
-
-// src/lib/agent-tools/http.ts
-var MAX_BYTES2 = 1024 * 1024;
-var FORBIDDEN_HEADERS = /* @__PURE__ */ new Set([
-  "host",
-  "authorization",
-  "cookie",
-  "connection",
-  "transfer-encoding",
-  "upgrade",
-  "proxy-authorization"
-]);
-function sanitizeHeaders(input) {
-  if (!input || typeof input !== "object") return {};
-  const out = {};
-  for (const [k, v] of Object.entries(input)) {
-    if (typeof v !== "string") continue;
-    if (FORBIDDEN_HEADERS.has(k.toLowerCase())) continue;
-    out[k] = v;
-  }
-  return out;
-}
-async function readCappedBody(res) {
-  const buf = new Uint8Array(MAX_BYTES2 + 1);
-  let written = 0;
-  const reader = res.body?.getReader();
-  if (!reader) return await res.text();
-  while (true) {
-    const { value, done } = await reader.read();
-    if (done) break;
-    if (written + value.byteLength > MAX_BYTES2) {
-      buf.set(value.subarray(0, MAX_BYTES2 - written), written);
-      written = MAX_BYTES2;
-      try {
-        await reader.cancel();
-      } catch {
-      }
-      break;
-    }
-    buf.set(value, written);
-    written += value.byteLength;
-  }
-  return new TextDecoder().decode(buf.subarray(0, written));
-}
-var httpTools = [
-  {
-    name: "http.get",
-    description: "GET an HTTPS URL and return the response body (capped at 1MB). Useful for reading public APIs, RSS feeds, web pages.",
-    parameters: {
-      type: "object",
-      properties: {
-        url: { type: "string", description: "Absolute HTTPS URL." },
-        headers: { type: "object", description: "Optional headers (Host, Authorization, Cookie are stripped)." }
-      },
-      required: ["url"]
-    },
-    execute: async (args) => {
-      const a = args;
-      if (typeof a.url !== "string" || !a.url.startsWith("http")) {
-        throw new Error("url must be an http(s) URL");
-      }
-      const res = await fetch(a.url, { method: "GET", headers: sanitizeHeaders(a.headers) });
-      const body = await readCappedBody(res);
-      return { status: res.status, headers: Object.fromEntries(res.headers), body };
-    }
-  },
-  {
-    name: "http.post",
-    description: "POST JSON to an HTTPS URL and return the response body (capped at 1MB).",
-    parameters: {
-      type: "object",
-      properties: {
-        url: { type: "string", description: "Absolute HTTPS URL." },
-        body: { description: "JSON-serialisable payload." },
-        headers: { type: "object", description: "Optional headers (Host, Authorization, Cookie are stripped)." }
-      },
-      required: ["url", "body"]
-    },
-    execute: async (args) => {
-      const a = args;
-      if (typeof a.url !== "string" || !a.url.startsWith("http")) {
-        throw new Error("url must be an http(s) URL");
-      }
-      const res = await fetch(a.url, {
-        method: "POST",
-        headers: { "content-type": "application/json", ...sanitizeHeaders(a.headers) },
-        body: JSON.stringify(a.body)
-      });
-      const body = await readCappedBody(res);
-      return { status: res.status, headers: Object.fromEntries(res.headers), body };
-    }
-  }
-];
-
-// src/lib/agent-tools/mail.ts
-import { execFileSync as execFileSync5 } from "child_process";
-function o365(args) {
-  try {
-    return execFileSync5("o365-cli", args, { encoding: "utf8", stdio: ["ignore", "pipe", "pipe"] });
-  } catch (err) {
-    const e = err;
-    if (e.code === "ENOENT") {
-      throw new Error("o365-cli is not installed on this agent host");
-    }
-    const stderr = typeof e.stderr === "string" ? e.stderr : e.stderr?.toString("utf8");
-    throw new Error(`o365-cli failed: ${stderr ?? e.message ?? err}`);
-  }
-}
-var mailTools = [
-  {
-    name: "mail.list",
-    description: "List recent inbox messages via o365-cli. Optional `unread_only` and `limit`.",
-    parameters: {
-      type: "object",
-      properties: {
-        limit: { type: "integer", minimum: 1, maximum: 100, default: 20 },
-        unread_only: { type: "boolean", default: false }
-      },
-      required: []
-    },
-    execute: async (args) => {
-      const a = args ?? {};
-      const argv = ["mail", "list", "--json", "--limit", String(a.limit ?? 20)];
-      if (a.unread_only) argv.push("--unread");
-      const out = o365(argv);
-      try {
-        return JSON.parse(out);
-      } catch {
-        return { raw: out };
-      }
-    }
-  },
-  {
-    name: "mail.search",
-    description: "Search the inbox via o365-cli using a free-form query string.",
-    parameters: {
-      type: "object",
-      properties: {
-        q: { type: "string" },
-        limit: { type: "integer", minimum: 1, maximum: 100, default: 20 }
-      },
-      required: ["q"]
-    },
-    execute: async (args) => {
-      const a = args;
-      if (typeof a.q !== "string" || a.q.length === 0) throw new Error("q is required");
-      const argv = ["mail", "search", a.q, "--json", "--limit", String(a.limit ?? 20)];
-      const out = o365(argv);
-      try {
-        return JSON.parse(out);
-      } catch {
-        return { raw: out };
-      }
-    }
-  }
-];
-
-// src/lib/agent-tools/tasks.ts
-import { execFileSync as execFileSync6 } from "child_process";
-function ape(args) {
-  try {
-    return execFileSync6("ape-tasks", args, { encoding: "utf8", stdio: ["ignore", "pipe", "pipe"] });
-  } catch (err) {
-    const e = err;
-    const stderr = typeof e.stderr === "string" ? e.stderr : e.stderr?.toString("utf8");
-    throw new Error(`ape-tasks failed: ${stderr ?? e.message ?? err}`);
-  }
-}
-var tasksTools = [
-  {
-    name: "tasks.list",
-    description: "List the owner's open ape-tasks (the user's personal task list at tasks.openape.ai).",
-    parameters: {
-      type: "object",
-      properties: {
-        status: { type: "string", enum: ["open", "doing", "done", "archived"] },
-        team_id: { type: "string" }
-      },
-      required: []
-    },
-    execute: async (args) => {
-      const a = args ?? {};
-      const argv = ["list", "--json"];
-      if (a.status) argv.push("--status", a.status);
-      if (a.team_id) argv.push("--team", a.team_id);
-      const out = ape(argv);
-      try {
-        return JSON.parse(out);
-      } catch {
-        return { raw: out };
-      }
-    }
-  },
-  {
-    name: "tasks.create",
-    description: "Create a new ape-task on the owner's task list at tasks.openape.ai.",
-    parameters: {
-      type: "object",
-      properties: {
-        title: { type: "string" },
-        notes: { type: "string" },
-        priority: { type: "string", enum: ["low", "med", "high"] },
-        due_at: { type: "string", description: "ISO date or +Nh/+Nd shorthand." }
-      },
-      required: ["title"]
-    },
-    execute: async (args) => {
-      const a = args;
-      const argv = ["new", "--title", a.title, "--json"];
-      if (a.notes) argv.push("--notes", a.notes);
-      if (a.priority) argv.push("--priority", a.priority);
-      if (a.due_at) argv.push("--due", a.due_at);
-      const out = ape(argv);
-      try {
-        return JSON.parse(out);
-      } catch {
-        return { raw: out };
-      }
-    }
-  }
-];
-
-// src/lib/agent-tools/time.ts
-var timeTools = [
-  {
-    name: "time.now",
-    description: "Returns the current UTC date and time as ISO 8601 plus epoch seconds. No inputs.",
-    parameters: { type: "object", properties: {}, required: [] },
-    execute: async () => {
-      const now = /* @__PURE__ */ new Date();
-      return {
-        iso: now.toISOString(),
-        epoch_seconds: Math.floor(now.getTime() / 1e3),
-        timezone_offset_minutes: -now.getTimezoneOffset()
-      };
-    }
-  }
-];
-
-// src/lib/agent-tools/index.ts
-var ALL_TOOLS = [
-  ...timeTools,
-  ...httpTools,
-  ...fileTools,
-  ...tasksTools,
-  ...mailTools
-];
-var TOOLS = Object.fromEntries(
-  ALL_TOOLS.map((t) => [t.name, t])
-);
-function taskTools(names) {
-  const out = [];
-  const missing = [];
-  for (const name of names) {
-    const tool = TOOLS[name];
-    if (!tool) missing.push(name);
-    else out.push(tool);
-  }
-  if (missing.length > 0) {
-    throw new Error(`unknown tool(s): ${missing.join(", ")}`);
-  }
-  return out;
-}
-function asOpenAiTools(tools) {
-  return tools.map((t) => ({
-    type: "function",
-    function: { name: wireToolName(t.name), description: t.description, parameters: t.parameters }
-  }));
-}
-function wireToolName(local) {
-  return local.replace(/\./g, "_");
-}
-function localToolName(wire) {
-  for (const t of Object.values(TOOLS)) {
-    if (wireToolName(t.name) === wire) return t.name;
-  }
-  return wire;
-}
-
-// src/lib/agent-runtime.ts
-function previewJson(value, max = 500) {
-  let s;
-  try {
-    s = JSON.stringify(value);
-  } catch {
-    s = String(value);
-  }
-  return s.length > max ? `${s.slice(0, max)}\u2026` : s;
-}
-async function runLoop(opts) {
-  const fetchFn = opts.fetchImpl ?? fetch;
-  const trace = [];
-  const messages = [
-    { role: "system", content: opts.systemPrompt },
-    ...opts.history ?? [],
-    { role: "user", content: opts.userMessage }
-  ];
-  const tools = asOpenAiTools(opts.tools);
-  for (let step = 1; step <= opts.maxSteps; step++) {
-    const res = await fetchFn(`${opts.config.apiBase}/chat/completions`, {
-      method: "POST",
-      headers: {
-        "authorization": `Bearer ${opts.config.apiKey}`,
-        "content-type": "application/json"
-      },
-      body: JSON.stringify({
-        model: opts.config.model,
-        messages,
-        ...tools.length > 0 ? { tools, tool_choice: "auto" } : {}
-      })
-    });
-    if (!res.ok) {
-      const text = await res.text().catch(() => "");
-      throw new Error(`LiteLLM ${res.status}: ${text.slice(0, 500)}`);
-    }
-    const data = await res.json();
-    const choice = data.choices?.[0];
-    if (!choice) throw new Error("LiteLLM response had no choices");
-    const assistant = choice.message;
-    messages.push(assistant);
-    if (assistant.content) opts.handlers?.onTextDelta?.(assistant.content);
-    trace.push({
-      step,
-      type: "assistant",
-      preview: previewJson({ content: assistant.content, tool_calls: assistant.tool_calls?.length ?? 0 })
-    });
-    if (!assistant.tool_calls || assistant.tool_calls.length === 0) {
-      const result2 = {
-        status: "ok",
-        finalMessage: assistant.content,
-        stepCount: step,
-        trace
-      };
-      opts.handlers?.onDone?.(result2);
-      return result2;
-    }
-    for (const call of assistant.tool_calls) {
-      const wireName = call.function.name;
-      const localName = localToolName(wireName);
-      const tool = opts.tools.find((t) => t.name === localName);
-      let parsedArgs;
-      try {
-        parsedArgs = JSON.parse(call.function.arguments);
-      } catch {
-        parsedArgs = {};
-      }
-      opts.handlers?.onToolCall?.({ name: localName, args: parsedArgs });
-      trace.push({ step, type: "tool_call", tool: localName, preview: previewJson(parsedArgs) });
-      let result2;
-      let isError = false;
-      if (!tool) {
-        result2 = `unknown tool: ${localName}`;
-        isError = true;
-      } else {
-        try {
-          result2 = await tool.execute(parsedArgs);
-        } catch (err) {
-          result2 = err?.message ?? String(err);
-          isError = true;
-        }
-      }
-      if (isError) {
-        opts.handlers?.onToolError?.({ name: localName, error: String(result2) });
-        trace.push({ step, type: "tool_error", tool: localName, preview: previewJson(result2) });
-      } else {
-        opts.handlers?.onToolResult?.({ name: localName, result: result2 });
-        trace.push({ step, type: "tool_result", tool: localName, preview: previewJson(result2) });
-      }
-      messages.push({
-        role: "tool",
-        tool_call_id: call.id,
-        name: wireToolName(localName),
-        content: typeof result2 === "string" ? result2 : JSON.stringify(result2)
-      });
-    }
-  }
-  const result = {
-    status: "error",
-    finalMessage: `max_steps (${opts.maxSteps}) reached without completion`,
-    stepCount: opts.maxSteps,
-    trace
-  };
-  opts.handlers?.onDone?.(result);
-  return result;
-}
-var RPC_SESSION_TTL_MS = 60 * 60 * 1e3;
-var RpcSessionMap = class {
-  sessions = /* @__PURE__ */ new Map();
-  get(id) {
-    const s = this.sessions.get(id);
-    if (s) s.lastTouched = Date.now();
-    return s;
-  }
-  put(id, s) {
-    s.lastTouched = Date.now();
-    this.sessions.set(id, s);
-  }
-  evictStale() {
-    const cutoff = Date.now() - RPC_SESSION_TTL_MS;
-    for (const [k, v] of this.sessions) {
-      if (v.lastTouched < cutoff) this.sessions.delete(k);
-    }
-  }
-  size() {
-    return this.sessions.size;
-  }
-};
-
 // src/lib/troop-client.ts
 var DEFAULT_TROOP_URL = "https://troop.openape.ai";
 var TroopClient = class {
@@ -3836,13 +3343,13 @@ function resolveTroopUrl(override) {
 }
 
 // src/commands/agents/run.ts
-var AUTH_PATH = join3(homedir5(), ".config", "apes", "auth.json");
-var TASK_CACHE_DIR = join3(homedir5(), ".openape", "agent", "tasks");
+var AUTH_PATH = join3(homedir4(), ".config", "apes", "auth.json");
+var TASK_CACHE_DIR = join3(homedir4(), ".openape", "agent", "tasks");
 function readAuth() {
   if (!existsSync5(AUTH_PATH)) {
     throw new CliError(`No agent auth found at ${AUTH_PATH}. Run \`apes agents spawn <name>\` first.`);
   }
-  const parsed = JSON.parse(readFileSync5(AUTH_PATH, "utf8"));
+  const parsed = JSON.parse(readFileSync4(AUTH_PATH, "utf8"));
   if (!parsed.access_token) throw new CliError("auth.json missing access_token");
   return parsed;
 }
@@ -3882,22 +3389,22 @@ function readTaskSpec(taskId) {
   if (!existsSync5(path2)) {
     throw new CliError(`No cached task spec at ${path2}. Run \`apes agents sync\` first to pull the task list from troop.`);
   }
-  return JSON.parse(readFileSync5(path2, "utf8"));
+  return JSON.parse(readFileSync4(path2, "utf8"));
 }
-var AGENT_CONFIG_PATH = join3(homedir5(), ".openape", "agent", "agent.json");
+var AGENT_CONFIG_PATH = join3(homedir4(), ".openape", "agent", "agent.json");
 function readAgentConfig() {
   if (!existsSync5(AGENT_CONFIG_PATH)) return { systemPrompt: "" };
   try {
-    return JSON.parse(readFileSync5(AGENT_CONFIG_PATH, "utf8"));
+    return JSON.parse(readFileSync4(AGENT_CONFIG_PATH, "utf8"));
   } catch {
     return { systemPrompt: "" };
   }
 }
 function readLitellmConfig(model) {
-  const envPath = join3(homedir5(), "litellm", ".env");
+  const envPath = join3(homedir4(), "litellm", ".env");
   const env = {};
   if (existsSync5(envPath)) {
-    for (const line of readFileSync5(envPath, "utf8").split(/\r?\n/)) {
+    for (const line of readFileSync4(envPath, "utf8").split(/\r?\n/)) {
       const m = line.match(/^([A-Z_]+)=(.*)$/);
       if (m) env[m[1]] = m[2].replace(/^["']|["']$/g, "");
     }
@@ -4002,17 +3509,17 @@ var runAgentCommand = defineCommand24({
 });
 
 // src/commands/agents/serve.ts
-import { existsSync as existsSync6, readFileSync as readFileSync6 } from "fs";
-import { homedir as homedir6 } from "os";
+import { existsSync as existsSync6, readFileSync as readFileSync5 } from "fs";
+import { homedir as homedir5 } from "os";
 import { join as join4 } from "path";
 import { createInterface } from "readline";
 import { defineCommand as defineCommand25 } from "citty";
-var AUTH_PATH2 = join4(homedir6(), ".config", "apes", "auth.json");
+var AUTH_PATH2 = join4(homedir5(), ".config", "apes", "auth.json");
 function readLitellmConfig2(model) {
-  const envPath = join4(homedir6(), "litellm", ".env");
+  const envPath = join4(homedir5(), "litellm", ".env");
   const env = {};
   if (existsSync6(envPath)) {
-    for (const line of readFileSync6(envPath, "utf8").split(/\r?\n/)) {
+    for (const line of readFileSync5(envPath, "utf8").split(/\r?\n/)) {
       const m = line.match(/^([A-Z_]+)=(.*)$/);
       if (m) env[m[1]] = m[2].replace(/^["']|["']$/g, "");
     }
@@ -4046,7 +3553,7 @@ var serveAgentCommand = defineCommand25({
     }
     if (existsSync6(AUTH_PATH2)) {
       try {
-        JSON.parse(readFileSync6(AUTH_PATH2, "utf8"));
+        JSON.parse(readFileSync5(AUTH_PATH2, "utf8"));
       } catch {
       }
     }
@@ -4121,8 +3628,8 @@ async function handleInbound(msg, sessions) {
 }
 
 // src/commands/agents/spawn.ts
-import { execFileSync as execFileSync8 } from "child_process";
-import { mkdtempSync as mkdtempSync2, rmSync as rmSync2, writeFileSync as writeFileSync4 } from "fs";
+import { execFileSync as execFileSync6 } from "child_process";
+import { mkdtempSync as mkdtempSync2, rmSync as rmSync2, writeFileSync as writeFileSync3 } from "fs";
 import { tmpdir as tmpdir2 } from "os";
 import { join as join6 } from "path";
 import { defineCommand as defineCommand26 } from "citty";
@@ -4182,12 +3689,12 @@ ${envBlock}  <key>StartInterval</key>
 
 // src/lib/keygen.ts
 import { Buffer as Buffer4 } from "buffer";
-import { existsSync as existsSync7, mkdirSync as mkdirSync2, readFileSync as readFileSync7, writeFileSync as writeFileSync3 } from "fs";
+import { existsSync as existsSync7, mkdirSync, readFileSync as readFileSync6, writeFileSync as writeFileSync2 } from "fs";
 import { generateKeyPairSync } from "crypto";
-import { homedir as homedir7 } from "os";
-import { dirname as dirname2, resolve as resolve3 } from "path";
+import { homedir as homedir6 } from "os";
+import { dirname, resolve as resolve2 } from "path";
 function resolveKeyPath(p2) {
-  return resolve3(p2.replace(/^~/, homedir7()));
+  return resolve2(p2.replace(/^~/, homedir6()));
 }
 function buildSshEd25519Line(rawPub) {
   const keyTypeStr = "ssh-ed25519";
@@ -4201,9 +3708,9 @@ function buildSshEd25519Line(rawPub) {
 function readPublicKey(keyPath) {
   const pubPath = `${keyPath}.pub`;
   if (existsSync7(pubPath)) {
-    return readFileSync7(pubPath, "utf-8").trim();
+    return readFileSync6(pubPath, "utf-8").trim();
   }
-  const keyContent = readFileSync7(keyPath, "utf-8");
+  const keyContent = readFileSync6(keyPath, "utf-8");
   const privateKey = loadEd25519PrivateKey(keyContent);
   const jwk = privateKey.export({ format: "jwk" });
   const pubBytes = Buffer4.from(jwk.x, "base64url");
@@ -4211,17 +3718,17 @@ function readPublicKey(keyPath) {
 }
 function generateAndSaveKey(keyPath) {
   const resolved = resolveKeyPath(keyPath);
-  const dir = dirname2(resolved);
+  const dir = dirname(resolved);
   if (!existsSync7(dir)) {
-    mkdirSync2(dir, { recursive: true });
+    mkdirSync(dir, { recursive: true });
   }
   const { publicKey, privateKey } = generateKeyPairSync("ed25519");
   const privatePem = privateKey.export({ type: "pkcs8", format: "pem" });
-  writeFileSync3(resolved, privatePem, { mode: 384 });
+  writeFileSync2(resolved, privatePem, { mode: 384 });
   const jwk = publicKey.export({ format: "jwk" });
   const pubBytes = Buffer4.from(jwk.x, "base64url");
   const pubKeyStr = buildSshEd25519Line(pubBytes);
-  writeFileSync3(`${resolved}.pub`, `${pubKeyStr}
+  writeFileSync2(`${resolved}.pub`, `${pubKeyStr}
 `, { mode: 420 });
   return pubKeyStr;
 }
@@ -4237,15 +3744,15 @@ function generateKeyPairInMemory() {
 }
 
 // src/lib/llm-bridge.ts
-import { execFileSync as execFileSync7 } from "child_process";
-import { existsSync as existsSync8, readFileSync as readFileSync8 } from "fs";
-import { homedir as homedir8 } from "os";
-import { dirname as dirname3, join as join5 } from "path";
+import { execFileSync as execFileSync5 } from "child_process";
+import { existsSync as existsSync8, readFileSync as readFileSync7 } from "fs";
+import { homedir as homedir7 } from "os";
+import { dirname as dirname2, join as join5 } from "path";
 var PLIST_LABEL_PREFIX = "eco.hofmann.apes.bridge";
-function readLitellmEnv(envPath = join5(homedir8(), "litellm", ".env")) {
+function readLitellmEnv(envPath = join5(homedir7(), "litellm", ".env")) {
   if (!existsSync8(envPath)) return null;
   try {
-    const text = readFileSync8(envPath, "utf8");
+    const text = readFileSync7(envPath, "utf8");
     const out = {};
     for (const line of text.split("\n")) {
       const trimmed = line.trim();
@@ -4281,12 +3788,12 @@ function captureHostBinDirs() {
   for (const bin of ["node", "openape-chat-bridge", "apes"]) {
     let resolved;
     try {
-      resolved = execFileSync7("/usr/bin/which", [bin], { encoding: "utf8" }).trim();
+      resolved = execFileSync5("/usr/bin/which", [bin], { encoding: "utf8" }).trim();
     } catch {
       const installCmd = bin === "openape-chat-bridge" ? "npm i -g @openape/chat-bridge" : bin === "apes" ? "npm i -g @openape/apes" : "install Node.js (e.g. brew install node)";
       throw new Error(`'${bin}' not found on host PATH. ${installCmd} before spawning agents \u2014 the bridge runtime resolves these at spawn time and bakes the dir into the agent's launchd plist.`);
     }
-    const dir = dirname3(resolved);
+    const dir = dirname2(resolved);
     if (!seen.has(dir)) {
       seen.add(dir);
       dirs.push(dir);
@@ -4532,10 +4039,10 @@ and try again.`
         bridge,
         troop
       });
-      writeFileSync4(scriptPath, script, { mode: 448 });
+      writeFileSync3(scriptPath, script, { mode: 448 });
       consola23.start("Running privileged setup as root via `apes run --as root --wait`\u2026");
       consola23.info("You will be asked to approve the as=root grant in your DDISA inbox; this command blocks until you do.");
-      execFileSync8(apes, ["run", "--as", "root", "--wait", "--", "bash", scriptPath], { stdio: "inherit" });
+      execFileSync6(apes, ["run", "--as", "root", "--wait", "--", "bash", scriptPath], { stdio: "inherit" });
       consola23.success(`Agent ${name} spawned.`);
       consola23.info(`\u{1F517} Troop: https://troop.openape.ai/agents/${name}`);
       if (args.bridge) {
@@ -4574,18 +4081,18 @@ async function resolveClaudeToken(opts) {
 }
 
 // src/commands/agents/sync.ts
-import { chownSync, existsSync as existsSync9, mkdirSync as mkdirSync3, readFileSync as readFileSync9, statSync, writeFileSync as writeFileSync5 } from "fs";
-import { homedir as homedir9 } from "os";
+import { chownSync, existsSync as existsSync9, mkdirSync as mkdirSync2, readFileSync as readFileSync8, statSync, writeFileSync as writeFileSync4 } from "fs";
+import { homedir as homedir8 } from "os";
 import { join as join7 } from "path";
 import { defineCommand as defineCommand27 } from "citty";
 import consola24 from "consola";
 
 // src/lib/macos-host.ts
-import { execFileSync as execFileSync9 } from "child_process";
+import { execFileSync as execFileSync7 } from "child_process";
 import { hostname as hostname3 } from "os";
 function getHostId() {
   try {
-    const output = execFileSync9(
+    const output = execFileSync7(
       "/usr/sbin/ioreg",
       ["-d2", "-c", "IOPlatformExpertDevice"],
       { encoding: "utf8", timeout: 2e3 }
@@ -4605,15 +4112,15 @@ function getHostname() {
 }
 
 // src/commands/agents/sync.ts
-var AUTH_PATH3 = join7(homedir9(), ".config", "apes", "auth.json");
-var TASK_CACHE_DIR2 = join7(homedir9(), ".openape", "agent", "tasks");
+var AUTH_PATH3 = join7(homedir8(), ".config", "apes", "auth.json");
+var TASK_CACHE_DIR2 = join7(homedir8(), ".openape", "agent", "tasks");
 function readAuthJson() {
   if (!existsSync9(AUTH_PATH3)) {
     throw new CliError(
       `No agent auth found at ${AUTH_PATH3}. Run \`apes agents spawn <name>\` to provision an agent first.`
     );
   }
-  const raw = readFileSync9(AUTH_PATH3, "utf8");
+  const raw = readFileSync8(AUTH_PATH3, "utf8");
   let parsed;
   try {
     parsed = JSON.parse(raw);
@@ -4674,7 +4181,7 @@ var syncAgentCommand = defineCommand27({
     let agentGid = null;
     if (process.geteuid?.() === 0) {
       try {
-        const homeStat = statSync(homedir9());
+        const homeStat = statSync(homedir8());
         agentUid = homeStat.uid;
         agentGid = homeStat.gid;
       } catch {
@@ -4688,23 +4195,23 @@ var syncAgentCommand = defineCommand27({
         }
       }
     }
-    const agentDir = join7(homedir9(), ".openape", "agent");
-    mkdirSync3(agentDir, { recursive: true });
-    chownToAgent(join7(homedir9(), ".openape"));
+    const agentDir = join7(homedir8(), ".openape", "agent");
+    mkdirSync2(agentDir, { recursive: true });
+    chownToAgent(join7(homedir8(), ".openape"));
     chownToAgent(agentDir);
     const agentJsonPath = join7(agentDir, "agent.json");
-    writeFileSync5(
+    writeFileSync4(
       agentJsonPath,
       `${JSON.stringify({ systemPrompt }, null, 2)}
 `,
       { mode: 384 }
     );
     chownToAgent(agentJsonPath);
-    mkdirSync3(TASK_CACHE_DIR2, { recursive: true });
+    mkdirSync2(TASK_CACHE_DIR2, { recursive: true });
     chownToAgent(TASK_CACHE_DIR2);
     for (const task of tasks) {
       const path2 = join7(TASK_CACHE_DIR2, `${task.taskId}.json`);
-      writeFileSync5(path2, `${JSON.stringify(task, null, 2)}
+      writeFileSync4(path2, `${JSON.stringify(task, null, 2)}
 `, { mode: 384 });
       chownToAgent(path2);
     }
@@ -4731,22 +4238,22 @@ var agentsCommand = defineCommand28({
 });
 
 // src/commands/nest/index.ts
-import { defineCommand as defineCommand37 } from "citty";
+import { defineCommand as defineCommand36 } from "citty";
 
 // src/commands/nest/authorize.ts
-import { execFileSync as execFileSync10 } from "child_process";
-import { existsSync as existsSync11, readFileSync as readFileSync10 } from "fs";
+import { execFileSync as execFileSync8 } from "child_process";
+import { existsSync as existsSync11, readFileSync as readFileSync9 } from "fs";
 import { join as join9 } from "path";
 import { defineCommand as defineCommand30 } from "citty";
 import consola26 from "consola";
 
 // src/commands/nest/enroll.ts
-import { hostname as hostname4, homedir as homedir10 } from "os";
-import { existsSync as existsSync10, mkdirSync as mkdirSync4, writeFileSync as writeFileSync6, chmodSync } from "fs";
+import { hostname as hostname4, homedir as homedir9 } from "os";
+import { existsSync as existsSync10, mkdirSync as mkdirSync3, writeFileSync as writeFileSync5, chmodSync } from "fs";
 import { join as join8 } from "path";
 import { defineCommand as defineCommand29 } from "citty";
 import consola25 from "consola";
-var NEST_DATA_DIR = join8(homedir10(), ".openape", "nest");
+var NEST_DATA_DIR = join8(homedir9(), ".openape", "nest");
 function nestAgentName() {
   const raw = hostname4().toLowerCase();
   const head = raw.split(".")[0] ?? raw;
@@ -4785,13 +4292,13 @@ var enrollNestCommand = defineCommand29({
     }
     const sshDir = join8(NEST_DATA_DIR, ".ssh");
     const configDir = join8(NEST_DATA_DIR, ".config", "apes");
-    mkdirSync4(sshDir, { recursive: true });
-    mkdirSync4(configDir, { recursive: true });
+    mkdirSync3(sshDir, { recursive: true });
+    mkdirSync3(configDir, { recursive: true });
     consola25.start(`Generating keypair for ${name}\u2026`);
     const { privatePem, publicSshLine } = generateKeyPairInMemory();
-    writeFileSync6(join8(sshDir, "id_ed25519"), `${privatePem.trimEnd()}
+    writeFileSync5(join8(sshDir, "id_ed25519"), `${privatePem.trimEnd()}
 `, { mode: 384 });
-    writeFileSync6(join8(sshDir, "id_ed25519.pub"), `${publicSshLine}
+    writeFileSync5(join8(sshDir, "id_ed25519.pub"), `${publicSshLine}
 `, { mode: 420 });
     chmodSync(sshDir, 448);
     consola25.start(`Registering nest at ${idp}\u2026`);
@@ -4811,7 +4318,7 @@ var enrollNestCommand = defineCommand29({
       keyPath: join8(sshDir, "id_ed25519"),
       ownerEmail: ownerAuth.email
     });
-    writeFileSync6(authPath, authJson, { mode: 384 });
+    writeFileSync5(authPath, authJson, { mode: 384 });
     chmodSync(configDir, 448);
     consola25.success(`Nest enrolled \u2014 auth.json at ${authPath}`);
     consola25.info("");
@@ -4873,7 +4380,7 @@ var authorizeNestCommand = defineCommand30({
     if (!existsSync11(nestAuthPath)) {
       throw new CliError("Nest not enrolled. Run `apes nest enroll` first.");
     }
-    const nestAuth = JSON.parse(readFileSync10(nestAuthPath, "utf8"));
+    const nestAuth = JSON.parse(readFileSync9(nestAuthPath, "utf8"));
     if (!nestAuth.email) throw new CliError(`${nestAuthPath} has no email`);
     const allow = args.allow ?? DEFAULT_ALLOW_PATTERNS.join(",");
     consola26.info(`Configuring YOLO-policy on ${nestAuth.email} via \`apes yolo set\`\u2026`);
@@ -4890,7 +4397,7 @@ var authorizeNestCommand = defineCommand30({
       cmdArgs.push("--expires-in", args["expires-in"]);
     }
     try {
-      execFileSync10("apes", cmdArgs, { stdio: "inherit" });
+      execFileSync8("apes", cmdArgs, { stdio: "inherit" });
     } catch (err) {
       throw new CliError(err instanceof Error ? err.message : String(err));
     }
@@ -4900,147 +4407,107 @@ var authorizeNestCommand = defineCommand30({
 });
 
 // src/commands/nest/destroy.ts
-import process2 from "process";
 import { defineCommand as defineCommand31 } from "citty";
-import consola28 from "consola";
-
-// src/lib/nest-grant-flow.ts
-import { hostname as hostname5 } from "os";
 import consola27 from "consola";
-var NEST_AUDIENCE = "nest";
-async function requestNestGrant(opts) {
-  const auth = loadAuth();
-  if (!auth) {
-    throw new CliError("Not logged in. Run `apes login` first.");
-  }
-  const idp = getIdpUrl(opts.idp) ?? void 0;
-  if (!idp) {
-    throw new CliError("No IdP URL resolved. Pass --idp or run `apes login` first.");
-  }
-  const grantsUrl = await getGrantsEndpoint(idp);
-  const targetHost = opts.targetHost ?? hostname5();
-  const approval = opts.approval ?? "always";
-  const reusableId = await findReusableNestGrant({
-    grantsUrl,
-    requester: auth.email,
-    command: opts.command,
-    targetHost
-  });
-  if (reusableId) {
-    const { authz_jwt: authz_jwt2 } = await apiFetch(`${grantsUrl}/${reusableId}/token`, {
-      method: "POST"
-    });
-    return authz_jwt2;
-  }
-  consola27.info(`Requesting nest grant: ${opts.command.join(" ")}`);
-  const grant = await apiFetch(grantsUrl, {
-    method: "POST",
-    body: {
-      requester: auth.email,
-      target_host: targetHost,
-      audience: NEST_AUDIENCE,
-      grant_type: approval,
-      command: opts.command,
-      reason: opts.reason ?? opts.command.join(" ")
-    }
-  });
-  let approved = grant.status === "approved";
-  const maxWait = 15 * 60 * 1e3;
-  const interval = 3e3;
-  const start = Date.now();
-  while (!approved && Date.now() - start < maxWait) {
-    const status = await apiFetch(`${grantsUrl}/${grant.id}`);
-    if (status.status === "approved") {
-      approved = true;
-      break;
-    }
-    if (status.status === "denied" || status.status === "revoked") {
-      throw new CliError(`Grant ${status.status}.`);
-    }
-    if (!approved) {
-      consola27.info(`Waiting for approval: ${idp}/grant-approval?grant_id=${grant.id}`);
-      await new Promise((r3) => setTimeout(r3, interval));
+
+// src/lib/nest-intent.ts
+import { existsSync as existsSync12, mkdirSync as mkdirSync4, readFileSync as readFileSync10, statSync as statSync2, unlinkSync, writeFileSync as writeFileSync6 } from "fs";
+import { homedir as homedir10 } from "os";
+import { join as join10 } from "path";
+import { randomUUID } from "crypto";
+var POLL_INTERVAL_MS = 200;
+var DEFAULT_TIMEOUT_MS = 5 * 60 * 1e3;
+function resolveIntentDir() {
+  if (process.env.OPENAPE_NEST_INTENT_DIR) return process.env.OPENAPE_NEST_INTENT_DIR;
+  if (existsSync12("/var/openape/nest/intents")) return "/var/openape/nest/intents";
+  return join10(homedir10(), ".openape", "nest", "intents");
+}
+async function dispatchIntent(intent, opts = {}) {
+  const id = randomUUID();
+  const dir = resolveIntentDir();
+  if (!existsSync12(dir)) {
+    throw new CliError(`Nest intent dir does not exist: ${dir}
+  Is the nest daemon running? Try \`ps aux | grep openape-nest\`.`);
+  }
+  const intentPath = join10(dir, `${id}.json`);
+  const responsePath = join10(dir, `${id}.response`);
+  const tmpPath = `${intentPath}.tmp`;
+  writeFileSync6(tmpPath, `${JSON.stringify({ id, ...intent })}
+`, { mode: 432 });
+  try {
+    const fs = await import("fs");
+    fs.renameSync(tmpPath, intentPath);
+  } catch (err) {
+    try {
+      unlinkSync(tmpPath);
+    } catch {
     }
+    throw err;
   }
-  if (!approved) {
-    throw new CliError(
-      `Grant approval timed out after 15 min (still pending). Check your DDISA inbox at ${idp}/grant-approval?grant_id=${grant.id}.`
-    );
+  const deadline = Date.now() + (opts.timeoutMs ?? DEFAULT_TIMEOUT_MS);
+  while (Date.now() < deadline) {
+    if (existsSync12(responsePath)) {
+      let raw;
+      try {
+        const st = statSync2(responsePath);
+        if (Date.now() - st.mtimeMs < 50) {
+          await sleep(50);
+        }
+        raw = readFileSync10(responsePath, "utf8");
+      } catch {
+        await sleep(POLL_INTERVAL_MS);
+        continue;
+      }
+      try {
+        unlinkSync(responsePath);
+      } catch {
+      }
+      let parsed;
+      try {
+        parsed = JSON.parse(raw);
+      } catch (err) {
+        throw new CliError(`malformed nest response: ${err instanceof Error ? err.message : String(err)}`);
+      }
+      if (!parsed.ok) {
+        throw new CliError(`nest: ${parsed.error}`);
+      }
+      return parsed.result;
+    }
+    await sleep(POLL_INTERVAL_MS);
   }
-  const { authz_jwt } = await apiFetch(`${grantsUrl}/${grant.id}/token`, {
-    method: "POST"
-  });
-  return authz_jwt;
-}
-function nestBaseUrl(port) {
-  const p2 = port ?? Number(process.env.OPENAPE_NEST_PORT ?? 9091);
-  return `http://127.0.0.1:${p2}`;
-}
-async function findReusableNestGrant(opts) {
   try {
-    const grants = await apiFetch(
-      `${opts.grantsUrl}?requester=${encodeURIComponent(opts.requester)}&status=approved&limit=50`
-    );
-    const now = Math.floor(Date.now() / 1e3);
-    const match = grants.data.find((g) => {
-      const r3 = g.request;
-      if (r3.audience !== NEST_AUDIENCE) return false;
-      if (r3.target_host !== opts.targetHost) return false;
-      if (r3.grant_type === "once") return false;
-      if (r3.grant_type === "timed" && g.expires_at && g.expires_at <= now) return false;
-      const cmd = r3.command ?? [];
-      if (cmd.length !== opts.command.length) return false;
-      return cmd.every((c2, i) => c2 === opts.command[i]);
-    });
-    return match?.id ?? null;
+    unlinkSync(intentPath);
   } catch {
-    return null;
   }
+  throw new CliError(`nest intent timeout (${(opts.timeoutMs ?? DEFAULT_TIMEOUT_MS) / 1e3}s) \u2014 Nest daemon may not be running or is stuck.`);
+}
+function sleep(ms) {
+  return new Promise((resolve4) => setTimeout(resolve4, ms));
 }
 
 // src/commands/nest/destroy.ts
 var destroyNestCommand = defineCommand31({
   meta: {
     name: "destroy",
-    description: "Tear down an agent on the local nest (removes macOS user, hard-deletes IdP record, drops bridge plist). Requires a DDISA `nest destroy <name>` grant."
+    description: "Tear down an agent on the local nest. Drops an intent file the nest daemon picks up."
   },
   args: {
-    name: { type: "positional", required: true, description: "Agent name to destroy" },
-    port: { type: "string", description: "Override nest port (default: 9091)" }
+    name: { type: "positional", required: true, description: "Agent name to destroy" }
   },
   async run({ args }) {
     const name = String(args.name);
-    const token = await requestNestGrant({ command: ["nest", "destroy", name] });
-    const base = nestBaseUrl(args.port ? Number(args.port) : void 0);
-    try {
-      const res = await fetch(`${base}/agents/${encodeURIComponent(name)}`, {
-        method: "DELETE",
-        headers: { Authorization: `Bearer ${token}` }
-      });
-      if (!res.ok) {
-        const text = await res.text().catch(() => "");
-        throw new CliError(`nest DELETE /agents/${name} failed: ${res.status} ${text}`);
-      }
-    } catch (err) {
-      const msg = err instanceof Error ? err.message : String(err);
-      if (msg.includes("ECONNREFUSED") || msg.includes("fetch failed")) {
-        consola28.error(`Nest daemon is not running at ${base}`);
-        consola28.info("  Run:  apes nest install");
-        process2.exit(2);
-      }
-      throw err;
-    }
-    consola28.success(`Destroyed ${name}`);
+    await dispatchIntent({ action: "destroy", name });
+    consola27.success(`Destroyed ${name}`);
   }
 });
 
 // src/commands/nest/install.ts
-import { execFileSync as execFileSync11 } from "child_process";
-import { existsSync as existsSync12, mkdirSync as mkdirSync5, readFileSync as readFileSync11, writeFileSync as writeFileSync7 } from "fs";
+import { execFileSync as execFileSync9 } from "child_process";
+import { existsSync as existsSync13, mkdirSync as mkdirSync5, readFileSync as readFileSync11, writeFileSync as writeFileSync7 } from "fs";
 import { homedir as homedir11, userInfo as userInfo2 } from "os";
-import { dirname as dirname4, join as join10 } from "path";
+import { dirname as dirname3, join as join11 } from "path";
 import { defineCommand as defineCommand32 } from "citty";
-import consola29 from "consola";
+import consola28 from "consola";
 
 // src/commands/nest/apes-agents-adapter.ts
 var APES_AGENTS_ADAPTER_TOML = `schema = "openape-shapes/v1"
@@ -5107,13 +4574,13 @@ resource_chain = ["agents:name={name}", "allowlist:email={peer_email}"]
 // src/commands/nest/install.ts
 var PLIST_LABEL = "ai.openape.nest";
 function plistPath() {
-  return join10(homedir11(), "Library", "LaunchAgents", `${PLIST_LABEL}.plist`);
+  return join11(homedir11(), "Library", "LaunchAgents", `${PLIST_LABEL}.plist`);
 }
 function escape2(s) {
   return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
 }
 function buildPlist(args) {
-  const logsDir = join10(args.userHome, "Library", "Logs");
+  const logsDir = join11(args.userHome, "Library", "Logs");
   return `<?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
@@ -5148,8 +4615,8 @@ function buildPlist(args) {
 `;
 }
 function installAdapter2() {
-  const target = join10(homedir11(), ".openape", "shapes", "adapters", "apes-agents.toml");
-  mkdirSync5(dirname4(target), { recursive: true });
+  const target = join11(homedir11(), ".openape", "shapes", "adapters", "apes-agents.toml");
+  mkdirSync5(dirname3(target), { recursive: true });
   let existing = "";
   try {
     existing = readFileSync11(target, "utf8");
@@ -5157,15 +4624,15 @@ function installAdapter2() {
   }
   if (existing === APES_AGENTS_ADAPTER_TOML) return false;
   writeFileSync7(target, APES_AGENTS_ADAPTER_TOML, { mode: 420 });
-  consola29.success(`Wrote shapes adapter ${target}`);
+  consola28.success(`Wrote shapes adapter ${target}`);
   return true;
 }
 function writeBridgeModelDefault(model) {
-  const envDir = join10(homedir11(), "litellm");
-  const envFile = join10(envDir, ".env");
+  const envDir = join11(homedir11(), "litellm");
+  const envFile = join11(envDir, ".env");
   mkdirSync5(envDir, { recursive: true });
   let lines = [];
-  if (existsSync12(envFile)) {
+  if (existsSync13(envFile)) {
     lines = readFileSync11(envFile, "utf8").split("\n").filter((l) => !l.startsWith("APE_CHAT_BRIDGE_MODEL="));
   }
   lines.push(`APE_CHAT_BRIDGE_MODEL=${model}`);
@@ -5175,13 +4642,13 @@ function writeBridgeModelDefault(model) {
 }
 function findBinary(name) {
   for (const dir of [
-    join10(homedir11(), ".bun", "bin"),
+    join11(homedir11(), ".bun", "bin"),
     "/opt/homebrew/bin",
     "/usr/local/bin",
     "/usr/bin"
   ]) {
-    const p2 = join10(dir, name);
-    if (existsSync12(p2)) return p2;
+    const p2 = join11(dir, name);
+    if (existsSync13(p2)) return p2;
   }
   throw new Error(`could not locate ${name} on PATH; install it first`);
 }
@@ -5208,16 +4675,16 @@ var installNestCommand = defineCommand32({
     }
     const nestBin = findBinary("openape-nest");
     const apesBin = findBinary("apes");
-    consola29.info(`Installing nest at ${plistPath()}`);
-    consola29.info(`  nest binary: ${nestBin}`);
-    consola29.info(`  apes binary: ${apesBin}`);
-    consola29.info(`  HTTP port:   ${port}`);
+    consola28.info(`Installing nest at ${plistPath()}`);
+    consola28.info(`  nest binary: ${nestBin}`);
+    consola28.info(`  apes binary: ${apesBin}`);
+    consola28.info(`  HTTP port:   ${port}`);
     if (typeof args["bridge-model"] === "string" && args["bridge-model"]) {
       writeBridgeModelDefault(args["bridge-model"]);
-      consola29.success(`Default bridge model set to ${args["bridge-model"]} (in ~/litellm/.env)`);
+      consola28.success(`Default bridge model set to ${args["bridge-model"]} (in ~/litellm/.env)`);
     }
     installAdapter2();
-    mkdirSync5(join10(homeDir, "Library", "LaunchAgents"), { recursive: true });
+    mkdirSync5(join11(homeDir, "Library", "LaunchAgents"), { recursive: true });
     mkdirSync5(NEST_DATA_DIR, { recursive: true });
     const desired = buildPlist({ nestBin, apesBin, userHome: homeDir, nestHome: NEST_DATA_DIR, port });
     let existing = "";
@@ -5227,218 +4694,126 @@ var installNestCommand = defineCommand32({
     }
     if (existing !== desired) {
       writeFileSync7(plistPath(), desired, { mode: 420 });
-      consola29.success("Wrote launchd plist");
+      consola28.success("Wrote launchd plist");
     } else {
-      consola29.info("plist already up to date");
+      consola28.info("plist already up to date");
     }
     const uid = userInfo2().uid;
     try {
-      execFileSync11("/bin/launchctl", ["bootout", `gui/${uid}/${PLIST_LABEL}`], { stdio: "ignore" });
+      execFileSync9("/bin/launchctl", ["bootout", `gui/${uid}/${PLIST_LABEL}`], { stdio: "ignore" });
     } catch {
     }
-    execFileSync11("/bin/launchctl", ["bootstrap", `gui/${uid}`, plistPath()], { stdio: "inherit" });
-    consola29.success(`Nest daemon bootstrapped \u2014 http://127.0.0.1:${port}`);
-    consola29.info("");
-    consola29.info("Next steps for zero-prompt spawn \u2014 both one-time:");
-    consola29.info("");
-    consola29.info("  1. apes nest enroll       # register nest as DDISA agent (creates own auth.json)");
-    consola29.info("  2. apes nest authorize    # set YOLO-policy on the nest agent");
-    consola29.info("");
-    consola29.info("After that, every `POST http://127.0.0.1:9091/agents` runs without DDISA prompts.");
+    execFileSync9("/bin/launchctl", ["bootstrap", `gui/${uid}`, plistPath()], { stdio: "inherit" });
+    consola28.success(`Nest daemon bootstrapped \u2014 http://127.0.0.1:${port}`);
+    consola28.info("");
+    consola28.info("Next steps for zero-prompt spawn \u2014 both one-time:");
+    consola28.info("");
+    consola28.info("  1. apes nest enroll       # register nest as DDISA agent (creates own auth.json)");
+    consola28.info("  2. apes nest authorize    # set YOLO-policy on the nest agent");
+    consola28.info("");
+    consola28.info("After that, every `POST http://127.0.0.1:9091/agents` runs without DDISA prompts.");
   }
 });
 
 // src/commands/nest/list.ts
-import process3 from "process";
 import { defineCommand as defineCommand33 } from "citty";
-import consola30 from "consola";
+import consola29 from "consola";
 var listNestCommand = defineCommand33({
   meta: {
     name: "list",
-    description: "List agents registered with the local nest. Goes through DDISA grants \u2014 YOLO auto-approves under the standard nest policy."
+    description: "List agents registered with the local nest. File-based intent."
   },
   args: {
-    port: { type: "string", description: "Override nest port (default: 9091)" },
     json: { type: "boolean", description: "JSON output for scripts" }
   },
   async run({ args }) {
-    const token = await requestNestGrant({ command: ["nest", "list"] });
-    const base = nestBaseUrl(args.port ? Number(args.port) : void 0);
-    let resp;
-    try {
-      const res = await fetch(`${base}/agents`, {
-        headers: { Authorization: `Bearer ${token}` }
-      });
-      if (!res.ok) {
-        const text = await res.text().catch(() => "");
-        throw new CliError(`nest GET /agents failed: ${res.status} ${text}`);
-      }
-      resp = await res.json();
-    } catch (err) {
-      const msg = err instanceof Error ? err.message : String(err);
-      if (msg.includes("ECONNREFUSED") || msg.includes("fetch failed")) {
-        consola30.error(`Nest daemon is not running at ${base}`);
-        consola30.info("  Run:  apes nest install");
-        process3.exit(2);
-      }
-      throw err;
-    }
+    const result = await dispatchIntent({ action: "list" });
     if (args.json) {
-      console.log(JSON.stringify(resp, null, 2));
+      console.log(JSON.stringify(result, null, 2));
       return;
     }
-    if (resp.agents.length === 0) {
-      consola30.info("(no agents registered with this nest)");
+    if (result.agents.length === 0) {
+      consola29.info("(no agents registered with this nest)");
       return;
     }
-    consola30.info(`${resp.agents.length} agent(s) registered with this nest:`);
-    for (const a of resp.agents) {
+    consola29.info(`${result.agents.length} agent(s) registered with this nest:`);
+    for (const a of result.agents) {
       const bridge = a.bridge ? " bridge=on" : "";
-      consola30.info(`  ${a.name.padEnd(16)} uid=${String(a.uid).padEnd(5)} home=${a.home}${bridge}`);
+      consola29.info(`  ${a.name.padEnd(16)} uid=${String(a.uid).padEnd(5)} home=${a.home}${bridge}`);
     }
   }
 });
 
 // src/commands/nest/spawn.ts
-import process4 from "process";
 import { defineCommand as defineCommand34 } from "citty";
-import consola31 from "consola";
+import consola30 from "consola";
 var spawnNestCommand = defineCommand34({
   meta: {
     name: "spawn",
-    description: "Spawn a new agent on the local nest. Requires a DDISA `nest spawn <name>` grant \u2014 auto-approved by Patrick's policy on first use, reused on subsequent calls."
+    description: "Spawn a new agent on the local nest. Drops an intent file the nest daemon picks up; UNIX permissions on the intents dir gate access."
   },
   args: {
     name: { type: "positional", required: true, description: "Agent name (lowercase, [a-z0-9-], max 24 chars)" },
     "no-bridge": { type: "boolean", description: "Skip installing the chat-bridge daemon (default: install it)" },
     "bridge-key": { type: "string", description: "Override LITELLM_API_KEY (default: read from ~/litellm/.env)" },
     "bridge-base-url": { type: "string", description: "Override LITELLM_BASE_URL (default: read from ~/litellm/.env)" },
-    "bridge-model": { type: "string", description: "Override APE_CHAT_BRIDGE_MODEL" },
-    "port": { type: "string", description: "Override nest port (default: 9091)" }
+    "bridge-model": { type: "string", description: "Override APE_CHAT_BRIDGE_MODEL" }
   },
   async run({ args }) {
     const name = String(args.name);
-    const token = await requestNestGrant({ command: ["nest", "spawn"] });
-    const base = nestBaseUrl(args.port ? Number(args.port) : void 0);
-    const reqBody = {
+    const intent = {
+      action: "spawn",
       name,
       bridge: !args["no-bridge"]
     };
-    if (typeof args["bridge-key"] === "string") reqBody.bridgeKey = args["bridge-key"];
-    if (typeof args["bridge-base-url"] === "string") reqBody.bridgeBaseUrl = args["bridge-base-url"];
-    if (typeof args["bridge-model"] === "string") reqBody.bridgeModel = args["bridge-model"];
-    let resp;
-    try {
-      const res = await fetch(`${base}/agents`, {
-        method: "POST",
-        headers: {
-          "Authorization": `Bearer ${token}`,
-          "Content-Type": "application/json"
-        },
-        body: JSON.stringify(reqBody)
-      });
-      if (!res.ok) {
-        const text = await res.text().catch(() => "");
-        throw new CliError(`nest POST /agents failed: ${res.status} ${text}`);
-      }
-      resp = await res.json();
-    } catch (err) {
-      const msg = err instanceof Error ? err.message : String(err);
-      if (msg.includes("ECONNREFUSED") || msg.includes("fetch failed")) {
-        consola31.error(`Nest daemon is not running at ${base}`);
-        consola31.info("  Run:  apes nest install");
-        process4.exit(2);
-      }
-      throw err;
-    }
-    consola31.success(`Spawned ${resp.name} (uid=${resp.uid}, home=${resp.home})`);
-  }
-});
-
-// src/commands/nest/status.ts
-import process5 from "process";
-import { defineCommand as defineCommand35 } from "citty";
-import consola32 from "consola";
-var statusNestCommand = defineCommand35({
-  meta: {
-    name: "status",
-    description: "Print health of the local nest-daemon (agents registered). Goes through DDISA grants."
-  },
-  args: {
-    port: { type: "string", description: "Override nest port (default: 9091)" },
-    json: { type: "boolean", description: "JSON output for scripts" }
-  },
-  async run({ args }) {
-    const token = await requestNestGrant({ command: ["nest", "status"] });
-    const base = nestBaseUrl(args.port ? Number(args.port) : void 0);
-    let status;
-    try {
-      const res = await fetch(`${base}/status`, {
-        headers: { Authorization: `Bearer ${token}` }
-      });
-      if (!res.ok) {
-        const text = await res.text().catch(() => "");
-        throw new CliError(`nest GET /status failed: ${res.status} ${text}`);
-      }
-      status = await res.json();
-    } catch (err) {
-      const msg = err instanceof Error ? err.message : String(err);
-      if (msg.includes("ECONNREFUSED") || msg.includes("fetch failed")) {
-        consola32.error(`Nest daemon is not running at ${base}`);
-        consola32.info("  Run:  apes nest install");
-        process5.exit(2);
-      }
-      throw err;
-    }
-    if (args.json) {
-      console.log(JSON.stringify(status, null, 2));
-      return;
-    }
-    consola32.info(`Nest at ${base} \u2014 ${status.agents} agent(s) registered`);
+    if (typeof args["bridge-key"] === "string") intent.bridgeKey = args["bridge-key"];
+    if (typeof args["bridge-base-url"] === "string") intent.bridgeBaseUrl = args["bridge-base-url"];
+    if (typeof args["bridge-model"] === "string") intent.bridgeModel = args["bridge-model"];
+    const result = await dispatchIntent(intent);
+    consola30.success(`Spawned ${result.name} (uid=${result.uid}, home=${result.home})`);
   }
 });
 
 // src/commands/nest/uninstall.ts
-import { execFileSync as execFileSync12 } from "child_process";
-import { existsSync as existsSync13, unlinkSync } from "fs";
+import { execFileSync as execFileSync10 } from "child_process";
+import { existsSync as existsSync14, unlinkSync as unlinkSync2 } from "fs";
 import { homedir as homedir12, userInfo as userInfo3 } from "os";
-import { join as join11 } from "path";
-import { defineCommand as defineCommand36 } from "citty";
-import consola33 from "consola";
+import { join as join12 } from "path";
+import { defineCommand as defineCommand35 } from "citty";
+import consola31 from "consola";
 var PLIST_LABEL2 = "ai.openape.nest";
-var uninstallNestCommand = defineCommand36({
+var uninstallNestCommand = defineCommand35({
   meta: {
     name: "uninstall",
     description: "Stop + remove the local nest-daemon (registry + agents preserved)"
   },
   async run() {
     const uid = userInfo3().uid;
-    const path2 = join11(homedir12(), "Library", "LaunchAgents", `${PLIST_LABEL2}.plist`);
+    const path2 = join12(homedir12(), "Library", "LaunchAgents", `${PLIST_LABEL2}.plist`);
     try {
-      execFileSync12("/bin/launchctl", ["bootout", `gui/${uid}/${PLIST_LABEL2}`], { stdio: "ignore" });
-      consola33.success("Nest daemon stopped");
+      execFileSync10("/bin/launchctl", ["bootout", `gui/${uid}/${PLIST_LABEL2}`], { stdio: "ignore" });
+      consola31.success("Nest daemon stopped");
     } catch {
-      consola33.info("Nest daemon was not loaded");
+      consola31.info("Nest daemon was not loaded");
     }
-    if (existsSync13(path2)) {
-      unlinkSync(path2);
-      consola33.success(`Removed ${path2}`);
+    if (existsSync14(path2)) {
+      unlinkSync2(path2);
+      consola31.success(`Removed ${path2}`);
     }
-    consola33.info("Registry at ~/.openape/nest/agents.json kept \u2014 re-run `apes nest install` to resume supervision.");
+    consola31.info("Registry at ~/.openape/nest/agents.json kept \u2014 re-run `apes nest install` to resume supervision.");
   }
 });
 
 // src/commands/nest/index.ts
-var nestCommand = defineCommand37({
+var nestCommand = defineCommand36({
   meta: {
     name: "nest",
-    description: "Manage the local Nest control-plane daemon. One-time setup: `install` (launchd) \u2192 `enroll` (own DDISA identity) \u2192 `authorize` (YOLO-policy). Day-to-day: `status` / `list` (read-only) and `spawn` / `destroy` (mutating) \u2014 every API call is gated by a DDISA grant audited at the IdP, YOLO-approved silently under the policy `apes nest authorize` sets up."
+    description: "Manage the local Nest control-plane daemon. One-time setup: `install` \u2192 `enroll` \u2192 `authorize`. Day-to-day: `list` / `spawn` / `destroy`. As of Phase D the Nest is a long-running CLIENT \u2014 commands talk to it via filesystem intent files in $NEST_HOME/intents (mode 770, group _openape_nest) instead of HTTP."
   },
   subCommands: {
     install: installNestCommand,
     enroll: enrollNestCommand,
     authorize: authorizeNestCommand,
-    status: statusNestCommand,
     list: listNestCommand,
     spawn: spawnNestCommand,
     destroy: destroyNestCommand,
@@ -5447,12 +4822,12 @@ var nestCommand = defineCommand37({
 });
 
 // src/commands/yolo/index.ts
-import { defineCommand as defineCommand41 } from "citty";
+import { defineCommand as defineCommand40 } from "citty";
 
 // src/commands/yolo/clear.ts
-import { defineCommand as defineCommand38 } from "citty";
-import consola34 from "consola";
-var yoloClearCommand = defineCommand38({
+import { defineCommand as defineCommand37 } from "citty";
+import consola32 from "consola";
+var yoloClearCommand = defineCommand37({
   meta: {
     name: "clear",
     description: "Remove the YOLO-policy from a DDISA agent (subsequent grants need human approval)"
@@ -5481,15 +4856,15 @@ var yoloClearCommand = defineCommand38({
       const text = await res.text().catch(() => "");
       throw new CliError(`DELETE /yolo-policy failed (${res.status}): ${text}`);
     }
-    consola34.success(`YOLO-policy cleared on ${email}`);
+    consola32.success(`YOLO-policy cleared on ${email}`);
   }
 });
 
 // src/commands/yolo/set.ts
-import { defineCommand as defineCommand39 } from "citty";
-import consola35 from "consola";
+import { defineCommand as defineCommand38 } from "citty";
+import consola33 from "consola";
 var VALID_MODES = ["allow-list", "deny-list"];
-var yoloSetCommand = defineCommand39({
+var yoloSetCommand = defineCommand38({
   meta: {
     name: "set",
     description: "Write a YOLO-policy on a DDISA agent you own"
@@ -5537,12 +4912,12 @@ var yoloSetCommand = defineCommand39({
     const denyPatterns = parseList(args.deny);
     const denyRiskThreshold = args["deny-risk"] ?? null;
     const expiresAt = parseExpiresIn(args["expires-in"]);
-    consola35.info(`Setting YOLO-policy on ${email}`);
-    consola35.info(`  mode:           ${mode}`);
-    if (allowPatterns.length) consola35.info(`  allow_patterns: ${allowPatterns.join(", ")}`);
-    if (denyPatterns.length) consola35.info(`  deny_patterns:  ${denyPatterns.join(", ")}`);
-    if (denyRiskThreshold) consola35.info(`  deny_risk:      ${denyRiskThreshold}`);
-    if (expiresAt) consola35.info(`  expires_at:     ${new Date(expiresAt * 1e3).toISOString()}`);
+    consola33.info(`Setting YOLO-policy on ${email}`);
+    consola33.info(`  mode:           ${mode}`);
+    if (allowPatterns.length) consola33.info(`  allow_patterns: ${allowPatterns.join(", ")}`);
+    if (denyPatterns.length) consola33.info(`  deny_patterns:  ${denyPatterns.join(", ")}`);
+    if (denyRiskThreshold) consola33.info(`  deny_risk:      ${denyRiskThreshold}`);
+    if (expiresAt) consola33.info(`  expires_at:     ${new Date(expiresAt * 1e3).toISOString()}`);
     const url = `${idp}/api/users/${encodeURIComponent(email)}/yolo-policy`;
     const res = await fetch(url, {
       method: "PUT",
@@ -5562,7 +4937,7 @@ var yoloSetCommand = defineCommand39({
       const text = await res.text().catch(() => "");
       throw new CliError(`PUT /yolo-policy failed (${res.status}): ${text}`);
     }
-    consola35.success(`YOLO-policy applied to ${email}`);
+    consola33.success(`YOLO-policy applied to ${email}`);
   }
 });
 function parseList(s) {
@@ -5580,9 +4955,9 @@ function parseExpiresIn(s) {
 }
 
 // src/commands/yolo/show.ts
-import { defineCommand as defineCommand40 } from "citty";
-import consola36 from "consola";
-var yoloShowCommand = defineCommand40({
+import { defineCommand as defineCommand39 } from "citty";
+import consola34 from "consola";
+var yoloShowCommand = defineCommand39({
   meta: {
     name: "show",
     description: "Print the YOLO-policy currently set on a DDISA agent"
@@ -5619,17 +4994,17 @@ var yoloShowCommand = defineCommand40({
       console.log(JSON.stringify(policy, null, 2));
       return;
     }
-    consola36.info(`YOLO-policy for ${email}`);
-    consola36.info(`  mode:           ${policy.mode}`);
-    consola36.info(`  allow_patterns: ${policy.allowPatterns.length ? policy.allowPatterns.join(", ") : "(none)"}`);
-    consola36.info(`  deny_patterns:  ${policy.denyPatterns.length ? policy.denyPatterns.join(", ") : "(none)"}`);
-    consola36.info(`  deny_risk:      ${policy.denyRiskThreshold ?? "(none)"}`);
-    consola36.info(`  expires_at:     ${policy.expiresAt ? new Date(policy.expiresAt * 1e3).toISOString() : "(never)"}`);
+    consola34.info(`YOLO-policy for ${email}`);
+    consola34.info(`  mode:           ${policy.mode}`);
+    consola34.info(`  allow_patterns: ${policy.allowPatterns.length ? policy.allowPatterns.join(", ") : "(none)"}`);
+    consola34.info(`  deny_patterns:  ${policy.denyPatterns.length ? policy.denyPatterns.join(", ") : "(none)"}`);
+    consola34.info(`  deny_risk:      ${policy.denyRiskThreshold ?? "(none)"}`);
+    consola34.info(`  expires_at:     ${policy.expiresAt ? new Date(policy.expiresAt * 1e3).toISOString() : "(never)"}`);
   }
 });
 
 // src/commands/yolo/index.ts
-var yoloCommand = defineCommand41({
+var yoloCommand = defineCommand40({
   meta: {
     name: "yolo",
     description: "Manage YOLO-policies on DDISA agents you own \u2014 auto-approve grant patterns at the IdP layer (allow-list) or block dangerous ones outright (deny-list)."
@@ -5642,15 +5017,15 @@ var yoloCommand = defineCommand41({
 });
 
 // src/commands/adapter/index.ts
-import { defineCommand as defineCommand42 } from "citty";
-import consola37 from "consola";
-var adapterCommand = defineCommand42({
+import { defineCommand as defineCommand41 } from "citty";
+import consola35 from "consola";
+var adapterCommand = defineCommand41({
   meta: {
     name: "adapter",
     description: "Manage CLI adapters"
   },
   subCommands: {
-    list: defineCommand42({
+    list: defineCommand41({
       meta: {
         name: "list",
         description: "List available adapters"
@@ -5681,7 +5056,7 @@ var adapterCommand = defineCommand42({
 `);
             return;
           }
-          consola37.info(`Registry: ${index2.adapters.length} adapters (${index2.generated_at})`);
+          consola35.info(`Registry: ${index2.adapters.length} adapters (${index2.generated_at})`);
           for (const a of index2.adapters) {
             const installed = isInstalled(a.id, false) ? " [installed]" : "";
             console.log(`  ${a.id.padEnd(12)} ${a.name.padEnd(24)} ${a.category}${installed}`);
@@ -5703,7 +5078,7 @@ var adapterCommand = defineCommand42({
           return;
         }
         if (local.length === 0) {
-          consola37.info("No adapters installed. Use `apes adapter list --remote` to see available adapters.");
+          consola35.info("No adapters installed. Use `apes adapter list --remote` to see available adapters.");
           return;
         }
         for (const a of local) {
@@ -5711,7 +5086,7 @@ var adapterCommand = defineCommand42({
         }
       }
     }),
-    install: defineCommand42({
+    install: defineCommand41({
       meta: {
         name: "install",
         description: "Install an adapter from the registry"
@@ -5740,24 +5115,24 @@ var adapterCommand = defineCommand42({
         for (const id of ids) {
           const entry = findAdapter(index, id);
           if (!entry) {
-            consola37.error(`Adapter "${id}" not found in registry. Use \`apes adapter search ${id}\` to search.`);
+            consola35.error(`Adapter "${id}" not found in registry. Use \`apes adapter search ${id}\` to search.`);
             continue;
           }
           const conflicts = findConflictingAdapters(entry.executable, id);
           if (conflicts.length > 0) {
             for (const c2 of conflicts) {
-              consola37.warn(`Conflicting adapter found: ${c2.path} (id: ${c2.adapterId}, executable: ${c2.executable})`);
-              consola37.warn(`  Remove it with: apes adapter remove ${c2.adapterId}`);
+              consola35.warn(`Conflicting adapter found: ${c2.path} (id: ${c2.adapterId}, executable: ${c2.executable})`);
+              consola35.warn(`  Remove it with: apes adapter remove ${c2.adapterId}`);
             }
           }
           const result = await installAdapter(entry, { local });
           const verb = result.updated ? "Updated" : "Installed";
-          consola37.success(`${verb} ${result.id} \u2192 ${result.path}`);
-          consola37.info(`Digest: ${result.digest}`);
+          consola35.success(`${verb} ${result.id} \u2192 ${result.path}`);
+          consola35.info(`Digest: ${result.digest}`);
         }
       }
     }),
-    remove: defineCommand42({
+    remove: defineCommand41({
       meta: {
         name: "remove",
         description: "Remove an installed adapter"
@@ -5780,9 +5155,9 @@ var adapterCommand = defineCommand42({
         let failed = false;
         for (const id of ids) {
           if (removeAdapter(id, local)) {
-            consola37.success(`Removed adapter: ${id}`);
+            consola35.success(`Removed adapter: ${id}`);
           } else {
-            consola37.error(`Adapter "${id}" is not installed${local ? " locally" : ""}`);
+            consola35.error(`Adapter "${id}" is not installed${local ? " locally" : ""}`);
             failed = true;
           }
         }
@@ -5790,7 +5165,7 @@ var adapterCommand = defineCommand42({
           throw new CliError("Some adapters could not be removed");
       }
     }),
-    info: defineCommand42({
+    info: defineCommand41({
       meta: {
         name: "info",
         description: "Show detailed adapter information"
@@ -5832,7 +5207,7 @@ var adapterCommand = defineCommand42({
         }
       }
     }),
-    search: defineCommand42({
+    search: defineCommand41({
       meta: {
         name: "search",
         description: "Search adapters in the registry"
@@ -5864,7 +5239,7 @@ var adapterCommand = defineCommand42({
           return;
         }
         if (results.length === 0) {
-          consola37.info(`No adapters matching "${query}"`);
+          consola35.info(`No adapters matching "${query}"`);
           return;
         }
         for (const a of results) {
@@ -5873,7 +5248,7 @@ var adapterCommand = defineCommand42({
         }
       }
     }),
-    update: defineCommand42({
+    update: defineCommand41({
       meta: {
         name: "update",
         description: "Update installed adapters"
@@ -5899,33 +5274,33 @@ var adapterCommand = defineCommand42({
         const targetId = args.id ? String(args.id) : void 0;
         const targets = targetId ? [targetId] : index.adapters.map((a) => a.id).filter((id) => isInstalled(id, false));
         if (targets.length === 0) {
-          consola37.info("No adapters installed to update.");
+          consola35.info("No adapters installed to update.");
           return;
         }
         for (const id of targets) {
           const entry = findAdapter(index, id);
           if (!entry) {
-            consola37.warn(`${id}: not found in registry, skipping`);
+            consola35.warn(`${id}: not found in registry, skipping`);
             continue;
           }
           const localDigest = getInstalledDigest(id, false);
           if (localDigest === entry.digest) {
-            consola37.info(`${id}: already up to date`);
+            consola35.info(`${id}: already up to date`);
             continue;
           }
           if (localDigest && !args.yes) {
-            consola37.warn(`${id}: digest will change \u2014 existing grants for this adapter will be invalidated`);
-            consola37.info(`  Old: ${localDigest}`);
-            consola37.info(`  New: ${entry.digest}`);
-            consola37.info("  Use --yes to confirm");
+            consola35.warn(`${id}: digest will change \u2014 existing grants for this adapter will be invalidated`);
+            consola35.info(`  Old: ${localDigest}`);
+            consola35.info(`  New: ${entry.digest}`);
+            consola35.info("  Use --yes to confirm");
             continue;
           }
           const result = await installAdapter(entry);
-          consola37.success(`Updated ${result.id} \u2192 ${result.path}`);
+          consola35.success(`Updated ${result.id} \u2192 ${result.path}`);
         }
       }
     }),
-    verify: defineCommand42({
+    verify: defineCommand41({
       meta: {
         name: "verify",
         description: "Verify installed adapter against registry digest"
@@ -5958,7 +5333,7 @@ var adapterCommand = defineCommand42({
         if (!localDigest)
           throw new Error(`Adapter "${id}" is not installed${local ? " locally" : ""}`);
         if (localDigest === entry.digest) {
-          consola37.success(`${id}: digest matches registry`);
+          consola35.success(`${id}: digest matches registry`);
         } else {
           console.log(`  Local:    ${localDigest}`);
           console.log(`  Registry: ${entry.digest}`);
@@ -5970,11 +5345,11 @@ var adapterCommand = defineCommand42({
 });
 
 // src/commands/run.ts
-import { execFileSync as execFileSync13 } from "child_process";
-import { hostname as hostname6 } from "os";
+import { execFileSync as execFileSync11 } from "child_process";
+import { hostname as hostname5 } from "os";
 import { basename } from "path";
-import { defineCommand as defineCommand43 } from "citty";
-import consola38 from "consola";
+import { defineCommand as defineCommand42 } from "citty";
+import consola36 from "consola";
 function shouldWaitForGrant(args) {
   return args.wait === true || process.env.APE_WAIT === "1";
 }
@@ -6011,7 +5386,7 @@ function printPendingGrantInfo(grant, idp) {
   const statusCmd = `apes grants status ${grant.id}`;
   const executeCmd = `apes grants run ${grant.id}`;
   if (mode === "human") {
-    consola38.success(`Grant ${grant.id} created \u2014 awaiting your approval`);
+    consola36.success(`Grant ${grant.id} created \u2014 awaiting your approval`);
     console.log(`  Approve in browser:  ${approveUrl}`);
     console.log(`  Check status:        ${statusCmd}`);
     console.log(`  Run after approval:  ${executeCmd}`);
@@ -6021,7 +5396,7 @@ function printPendingGrantInfo(grant, idp) {
     return;
   }
   const maxMin = getPollMaxMinutes();
-  consola38.success(`Grant ${grant.id} created (pending approval)`);
+  consola36.success(`Grant ${grant.id} created (pending approval)`);
   console.log(`  Approve:   ${approveUrl}`);
   console.log(`  Status:    ${statusCmd} [--json]`);
   console.log(`  Execute:   ${executeCmd} --wait`);
@@ -6043,7 +5418,7 @@ function printPendingGrantInfo(grant, idp) {
   console.log('  Tip: Approve as "timed" or "always" in the browser to let this');
   console.log("  grant be reused on subsequent invocations without re-approval.");
 }
-var runCommand = defineCommand43({
+var runCommand = defineCommand42({
   meta: {
     name: "run",
     description: "Execute a grant-secured command"
@@ -6132,7 +5507,7 @@ async function runShellMode(command, args) {
   const adapterHandled = await tryAdapterModeFromShell(command, idp, args);
   if (adapterHandled) return;
   const grantsUrl = await getGrantsEndpoint(idp);
-  const targetHost = args.host || hostname6();
+  const targetHost = args.host || hostname5();
   try {
     const grants = await apiFetch(
       `${grantsUrl}?requester=${encodeURIComponent(auth.email)}&status=approved&limit=20`
@@ -6146,7 +5521,7 @@ async function runShellMode(command, args) {
     }
   } catch {
   }
-  consola38.info(`Requesting ape-shell session grant on ${targetHost}`);
+  consola36.info(`Requesting ape-shell session grant on ${targetHost}`);
   const grant = await apiFetch(grantsUrl, {
     method: "POST",
     body: {
@@ -6166,8 +5541,8 @@ async function runShellMode(command, args) {
     host: targetHost
   });
   if (shouldWaitForGrant(args)) {
-    consola38.info(`Grant requested: ${grant.id}`);
-    consola38.info("Waiting for approval...");
+    consola36.info(`Grant requested: ${grant.id}`);
+    consola36.info("Waiting for approval...");
     const maxWait = 3e5;
     const interval = 3e3;
     const start = Date.now();
@@ -6198,13 +5573,13 @@ async function tryAdapterModeFromShell(command, idp, args) {
   try {
     resolved = await resolveCommand(loaded, [normalizedExecutable, ...parsed.argv]);
   } catch (err) {
-    consola38.debug(`ape-shell: adapter resolve failed for "${parsed.raw}":`, err);
+    consola36.debug(`ape-shell: adapter resolve failed for "${parsed.raw}":`, err);
     return false;
   }
   try {
     const existingGrantId = await findExistingGrant(resolved, idp);
     if (existingGrantId) {
-      consola38.info(`Reusing grant ${existingGrantId} for: ${resolved.detail.display}`);
+      consola36.info(`Reusing grant ${existingGrantId} for: ${resolved.detail.display}`);
       const token = await fetchGrantToken(idp, existingGrantId);
       await verifyAndExecute(token, resolved, existingGrantId);
       return true;
@@ -6212,7 +5587,7 @@ async function tryAdapterModeFromShell(command, idp, args) {
   } catch {
   }
   const approval = args.approval ?? "once";
-  consola38.info(`Requesting grant for: ${resolved.detail.display}`);
+  consola36.info(`Requesting grant for: ${resolved.detail.display}`);
   const grant = await createShapesGrant(resolved, {
     idp,
     approval,
@@ -6220,19 +5595,19 @@ async function tryAdapterModeFromShell(command, idp, args) {
   });
   if (grant.similar_grants?.similar_grants?.length) {
     const n2 = grant.similar_grants.similar_grants.length;
-    consola38.info("");
-    consola38.info(`  Similar grant(s) found (${n2}). Your approver can extend an existing grant to cover this request.`);
+    consola36.info("");
+    consola36.info(`  Similar grant(s) found (${n2}). Your approver can extend an existing grant to cover this request.`);
   }
   notifyGrantPending({
     grantId: grant.id,
     approveUrl: `${idp}/grant-approval?grant_id=${grant.id}`,
     command: resolved.detail?.display || parsed?.raw || "unknown",
     audience: resolved.adapter?.cli?.audience ?? "shapes",
-    host: args.host || hostname6()
+    host: args.host || hostname5()
   });
   if (shouldWaitForGrant(args)) {
-    consola38.info(`Grant requested: ${grant.id}`);
-    consola38.info(`Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
+    consola36.info(`Grant requested: ${grant.id}`);
+    consola36.info(`Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
     const status = await waitForGrantStatus(idp, grant.id);
     if (status !== "approved")
       throw new CliError(`Grant ${status}`);
@@ -6248,7 +5623,7 @@ function execShellCommand(command) {
     throw new CliError("No command to execute");
   try {
     const { APES_SHELL_WRAPPER: _wrapperMarker, ...inheritedEnv } = process.env;
-    execFileSync13(command[0], command.slice(1), {
+    execFileSync11(command[0], command.slice(1), {
       stdio: "inherit",
       env: inheritedEnv
     });
@@ -6306,7 +5681,7 @@ async function runAdapterMode(command, rawArgs, args) {
   try {
     const existingGrantId = await findExistingGrant(resolved, idp);
     if (existingGrantId) {
-      consola38.info(`Reusing existing grant: ${existingGrantId}`);
+      consola36.info(`Reusing existing grant: ${existingGrantId}`);
       const token = await fetchGrantToken(idp, existingGrantId);
       await verifyAndExecute(token, resolved, existingGrantId);
       return;
@@ -6320,17 +5695,17 @@ async function runAdapterMode(command, rawArgs, args) {
   });
   if (grant.similar_grants?.similar_grants?.length) {
     const n2 = grant.similar_grants.similar_grants.length;
-    consola38.info("");
-    consola38.info(`  Similar grant(s) found (${n2}). Your approver can extend an existing grant to cover this request.`);
+    consola36.info("");
+    consola36.info(`  Similar grant(s) found (${n2}). Your approver can extend an existing grant to cover this request.`);
     if (grant.similar_grants.widened_details?.length) {
       const wider = grant.similar_grants.widened_details.map((d) => d.permission).join(", ");
-      consola38.info(`  Broader scope: ${wider}`);
+      consola36.info(`  Broader scope: ${wider}`);
     }
-    consola38.info("");
+    consola36.info("");
   }
   if (shouldWaitForGrant(args)) {
-    consola38.info(`Grant requested: ${grant.id}`);
-    consola38.info(`Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
+    consola36.info(`Grant requested: ${grant.id}`);
+    consola36.info(`Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
     const status = await waitForGrantStatus(idp, grant.id);
     if (status !== "approved")
       throw new Error(`Grant ${status}`);
@@ -6349,8 +5724,8 @@ async function runAudienceMode(audience, action, args) {
   const idp = getIdpUrl(args.idp);
   const grantsUrl = await getGrantsEndpoint(idp);
   const command = action.split(" ");
-  const targetHost = args.host || hostname6();
-  consola38.info(`Requesting ${audience} grant on ${targetHost}: ${command.join(" ")}`);
+  const targetHost = args.host || hostname5();
+  consola36.info(`Requesting ${audience} grant on ${targetHost}: ${command.join(" ")}`);
   const grant = await apiFetch(grantsUrl, {
     method: "POST",
     body: {
@@ -6367,9 +5742,9 @@ async function runAudienceMode(audience, action, args) {
     printPendingGrantInfo(grant, idp);
     throw new CliExit(getAsyncExitCode());
   }
-  consola38.success(`Grant requested: ${grant.id}`);
-  consola38.info(`Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
-  consola38.info("Waiting for approval...");
+  consola36.success(`Grant requested: ${grant.id}`);
+  consola36.info(`Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
+  consola36.info("Waiting for approval...");
   const maxWait = 15 * 60 * 1e3;
   const interval = 3e3;
   const start = Date.now();
@@ -6377,7 +5752,7 @@ async function runAudienceMode(audience, action, args) {
   while (Date.now() - start < maxWait) {
     const status = await apiFetch(`${grantsUrl}/${grant.id}`);
     if (status.status === "approved") {
-      consola38.success("Grant approved!");
+      consola36.success("Grant approved!");
       approved = true;
       break;
     }
@@ -6392,15 +5767,15 @@ async function runAudienceMode(audience, action, args) {
       `Grant approval timed out after ${minutes} min (still pending). Check your DDISA inbox at ${idp}/grant-approval?grant_id=${grant.id} \u2014 if approved later, re-run the same \`apes run\` command and it will reuse the grant.`
     );
   }
-  consola38.info("Fetching grant token...");
+  consola36.info("Fetching grant token...");
   const { authz_jwt } = await apiFetch(`${grantsUrl}/${grant.id}/token`, {
     method: "POST"
   });
   if (audience === "escapes") {
-    consola38.info(`Executing: ${command.join(" ")}`);
+    consola36.info(`Executing: ${command.join(" ")}`);
     try {
       const { APES_SHELL_WRAPPER: _wrapperMarker, ...inheritedEnv } = process.env;
-      execFileSync13(args["escapes-path"] || "escapes", ["--grant", authz_jwt, "--", ...command], {
+      execFileSync11(args["escapes-path"] || "escapes", ["--grant", authz_jwt, "--", ...command], {
         stdio: "inherit",
         env: inheritedEnv
       });
@@ -6415,8 +5790,8 @@ async function runAudienceMode(audience, action, args) {
 
 // src/commands/proxy.ts
 import { spawn as spawn2 } from "child_process";
-import { defineCommand as defineCommand44 } from "citty";
-import consola39 from "consola";
+import { defineCommand as defineCommand43 } from "citty";
+import consola37 from "consola";
 
 // src/proxy/config.ts
 function buildDefaultProxyConfigToml(opts) {
@@ -6453,7 +5828,7 @@ import { spawn } from "child_process";
 import { mkdtempSync as mkdtempSync3, rmSync as rmSync3, writeFileSync as writeFileSync8 } from "fs";
 import { createRequire } from "module";
 import { tmpdir as tmpdir3 } from "os";
-import { dirname as dirname5, join as join12, resolve as resolve4 } from "path";
+import { dirname as dirname4, join as join13, resolve as resolve3 } from "path";
 var require2 = createRequire(import.meta.url);
 function findProxyBin() {
   const pkgPath = require2.resolve("@openape/proxy/package.json");
@@ -6462,11 +5837,11 @@ function findProxyBin() {
   if (!binRel) {
     throw new Error("@openape/proxy is missing the openape-proxy bin entry");
   }
-  return resolve4(dirname5(pkgPath), binRel);
+  return resolve3(dirname4(pkgPath), binRel);
 }
 async function startEphemeralProxy(configToml) {
-  const tmpDir = mkdtempSync3(join12(tmpdir3(), "openape-proxy-"));
-  const configPath = join12(tmpDir, "config.toml");
+  const tmpDir = mkdtempSync3(join13(tmpdir3(), "openape-proxy-"));
+  const configPath = join13(tmpDir, "config.toml");
   writeFileSync8(configPath, configToml, { mode: 384 });
   const binPath = findProxyBin();
   const child = spawn(process.execPath, [binPath, "-c", configPath], {
@@ -6559,10 +5934,10 @@ function resolveProxyConfigOptions() {
       77
     );
   }
-  consola39.info(`[apes proxy] IdP-mediated mode \u2014 agent=${auth.email}, idp=${auth.idp}`);
+  consola37.info(`[apes proxy] IdP-mediated mode \u2014 agent=${auth.email}, idp=${auth.idp}`);
   return { agentEmail: auth.email, idpUrl: auth.idp, mediated: true };
 }
-var proxyCommand = defineCommand44({
+var proxyCommand = defineCommand43({
   meta: {
     name: "proxy",
     description: "Run a command with HTTPS_PROXY routed through the OpenApe egress proxy."
@@ -6584,12 +5959,12 @@ var proxyCommand = defineCommand44({
     let close = null;
     if (reuseUrl) {
       proxyUrl = reuseUrl;
-      consola39.info(`[apes proxy] reusing existing proxy at ${proxyUrl}`);
+      consola37.info(`[apes proxy] reusing existing proxy at ${proxyUrl}`);
     } else {
       const ephemeral = await startEphemeralProxy(buildDefaultProxyConfigToml(resolveProxyConfigOptions()));
       proxyUrl = ephemeral.url;
       close = ephemeral.close;
-      consola39.info(`[apes proxy] started ephemeral proxy at ${proxyUrl}`);
+      consola37.info(`[apes proxy] started ephemeral proxy at ${proxyUrl}`);
     }
     const noProxy = process.env.NO_PROXY ?? process.env.no_proxy ?? "127.0.0.1,localhost";
     const childEnv = {
@@ -6621,7 +5996,7 @@ var proxyCommand = defineCommand44({
         else resolveExit(code ?? 0);
       });
       child.once("error", (err) => {
-        consola39.error(`[apes proxy] failed to spawn '${wrapped[0]}':`, err.message);
+        consola37.error(`[apes proxy] failed to spawn '${wrapped[0]}':`, err.message);
         resolveExit(127);
       });
     });
@@ -6635,8 +6010,8 @@ function signalNumber(signal) {
 }
 
 // src/commands/explain.ts
-import { defineCommand as defineCommand45 } from "citty";
-var explainCommand = defineCommand45({
+import { defineCommand as defineCommand44 } from "citty";
+var explainCommand = defineCommand44({
   meta: {
     name: "explain",
     description: "Show what permission a command would need"
@@ -6674,9 +6049,9 @@ var explainCommand = defineCommand45({
 });
 
 // src/commands/config/get.ts
-import { defineCommand as defineCommand46 } from "citty";
-import consola40 from "consola";
-var configGetCommand = defineCommand46({
+import { defineCommand as defineCommand45 } from "citty";
+import consola38 from "consola";
+var configGetCommand = defineCommand45({
   meta: {
     name: "get",
     description: "Get a configuration value"
@@ -6696,7 +6071,7 @@ var configGetCommand = defineCommand46({
         if (idp)
           console.log(idp);
         else
-          consola40.info("No IdP configured.");
+          consola38.info("No IdP configured.");
         break;
       }
       case "email": {
@@ -6704,7 +6079,7 @@ var configGetCommand = defineCommand46({
         if (auth?.email)
           console.log(auth.email);
         else
-          consola40.info("Not logged in.");
+          consola38.info("Not logged in.");
         break;
       }
       default: {
@@ -6717,7 +6092,7 @@ var configGetCommand = defineCommand46({
           if (sectionObj && field in sectionObj) {
             console.log(sectionObj[field]);
           } else {
-            consola40.info(`Key "${key}" not set.`);
+            consola38.info(`Key "${key}" not set.`);
           }
         } else {
           throw new CliError(`Unknown key: "${key}". Use: idp, email, defaults.idp, defaults.approval, agent.key, agent.email`);
@@ -6728,9 +6103,9 @@ var configGetCommand = defineCommand46({
 });
 
 // src/commands/config/set.ts
-import { defineCommand as defineCommand47 } from "citty";
-import consola41 from "consola";
-var configSetCommand = defineCommand47({
+import { defineCommand as defineCommand46 } from "citty";
+import consola39 from "consola";
+var configSetCommand = defineCommand46({
   meta: {
     name: "set",
     description: "Set a configuration value"
@@ -6766,12 +6141,12 @@ var configSetCommand = defineCommand47({
       throw new CliError(`Unknown section: "${section}". Use: defaults, agent`);
     }
     saveConfig(config);
-    consola41.success(`Set ${key} = ${value}`);
+    consola39.success(`Set ${key} = ${value}`);
   }
 });
 
 // src/commands/fetch/index.ts
-import { defineCommand as defineCommand48 } from "citty";
+import { defineCommand as defineCommand47 } from "citty";
 async function doRequest(method, url, body, contentType, raw, showHeaders) {
   const token = getAuthToken();
   if (!token) {
@@ -6807,13 +6182,13 @@ async function doRequest(method, url, body, contentType, raw, showHeaders) {
     throw new CliError(`HTTP ${response.status} ${response.statusText}`);
   }
 }
-var fetchCommand = defineCommand48({
+var fetchCommand = defineCommand47({
   meta: {
     name: "fetch",
     description: "Make authenticated HTTP requests"
   },
   subCommands: {
-    get: defineCommand48({
+    get: defineCommand47({
       meta: {
         name: "get",
         description: "GET request with auth token"
@@ -6839,7 +6214,7 @@ var fetchCommand = defineCommand48({
         await doRequest("GET", String(args.url), void 0, "application/json", Boolean(args.raw), Boolean(args.headers));
       }
     }),
-    post: defineCommand48({
+    post: defineCommand47({
       meta: {
         name: "post",
         description: "POST request with auth token"
@@ -6878,8 +6253,8 @@ var fetchCommand = defineCommand48({
 });
 
 // src/commands/mcp/index.ts
-import { defineCommand as defineCommand49 } from "citty";
-var mcpCommand = defineCommand49({
+import { defineCommand as defineCommand48 } from "citty";
+var mcpCommand = defineCommand48({
   meta: {
     name: "mcp",
     description: "Start MCP server for AI agents"
@@ -6902,48 +6277,48 @@ var mcpCommand = defineCommand49({
     if (transport !== "stdio" && transport !== "sse") {
       throw new Error('Transport must be "stdio" or "sse"');
     }
-    const { startMcpServer } = await import("./server-AZOEKT55.js");
+    const { startMcpServer } = await import("./server-TGGXHP4H.js");
     await startMcpServer(transport, port);
   }
 });
 
 // src/commands/init/index.ts
-import { existsSync as existsSync14, copyFileSync, writeFileSync as writeFileSync9 } from "fs";
+import { existsSync as existsSync15, copyFileSync, writeFileSync as writeFileSync9 } from "fs";
 import { randomBytes } from "crypto";
-import { execFileSync as execFileSync14 } from "child_process";
-import { join as join13 } from "path";
-import { defineCommand as defineCommand50 } from "citty";
-import consola42 from "consola";
+import { execFileSync as execFileSync12 } from "child_process";
+import { join as join14 } from "path";
+import { defineCommand as defineCommand49 } from "citty";
+import consola40 from "consola";
 var DEFAULT_IDP_URL = "https://id.openape.at";
 async function downloadTemplate(repo, targetDir) {
   const { downloadTemplate: gigetDownload } = await import("giget");
   await gigetDownload(`gh:${repo}`, { dir: targetDir, force: false });
 }
 function installDeps(dir) {
-  const hasLockFile = (name) => existsSync14(join13(dir, name));
+  const hasLockFile = (name) => existsSync15(join14(dir, name));
   if (hasLockFile("pnpm-lock.yaml")) {
-    execFileSync14("pnpm", ["install"], { cwd: dir, stdio: "inherit" });
+    execFileSync12("pnpm", ["install"], { cwd: dir, stdio: "inherit" });
   } else if (hasLockFile("bun.lockb")) {
-    execFileSync14("bun", ["install"], { cwd: dir, stdio: "inherit" });
+    execFileSync12("bun", ["install"], { cwd: dir, stdio: "inherit" });
   } else {
-    execFileSync14("npm", ["install"], { cwd: dir, stdio: "inherit" });
+    execFileSync12("npm", ["install"], { cwd: dir, stdio: "inherit" });
   }
 }
 async function promptChoice(message, choices) {
-  const result = await consola42.prompt(message, { type: "select", options: choices });
+  const result = await consola40.prompt(message, { type: "select", options: choices });
   if (typeof result === "symbol") {
     throw new CliExit(0);
   }
   return result;
 }
 async function promptText(message, defaultValue) {
-  const result = await consola42.prompt(message, { type: "text", default: defaultValue, placeholder: defaultValue });
+  const result = await consola40.prompt(message, { type: "text", default: defaultValue, placeholder: defaultValue });
   if (typeof result === "symbol") {
     throw new CliExit(0);
   }
   return result || defaultValue || "";
 }
-var initCommand = defineCommand50({
+var initCommand = defineCommand49({
   meta: {
     name: "init",
     description: "Scaffold a new OpenApe project"
@@ -6985,23 +6360,23 @@ var initCommand = defineCommand50({
 });
 async function initSP(targetDir) {
   const dir = targetDir || "my-app";
-  if (existsSync14(join13(dir, "package.json"))) {
+  if (existsSync15(join14(dir, "package.json"))) {
     throw new CliError(`Directory "${dir}" already contains a project.`);
   }
-  consola42.start("Scaffolding SP starter...");
+  consola40.start("Scaffolding SP starter...");
   await downloadTemplate("openape-ai/openape-sp-starter", dir);
-  consola42.success("Scaffolded from openape-sp-starter");
-  consola42.start("Installing dependencies...");
+  consola40.success("Scaffolded from openape-sp-starter");
+  consola40.start("Installing dependencies...");
   installDeps(dir);
-  consola42.success("Dependencies installed");
-  const envExample = join13(dir, ".env.example");
-  const envFile = join13(dir, ".env");
-  if (existsSync14(envExample) && !existsSync14(envFile)) {
+  consola40.success("Dependencies installed");
+  const envExample = join14(dir, ".env.example");
+  const envFile = join14(dir, ".env");
+  if (existsSync15(envExample) && !existsSync15(envFile)) {
     copyFileSync(envExample, envFile);
-    consola42.success(`\`.env\` created (using Free IdP at ${DEFAULT_IDP_URL})`);
+    consola40.success(`\`.env\` created (using Free IdP at ${DEFAULT_IDP_URL})`);
   }
   console.log("");
-  consola42.box([
+  consola40.box([
     `cd ${dir}`,
     "npm run dev",
     "",
@@ -7010,7 +6385,7 @@ async function initSP(targetDir) {
 }
 async function initIdP(targetDir) {
   const dir = targetDir || "my-idp";
-  if (existsSync14(join13(dir, "package.json"))) {
+  if (existsSync15(join14(dir, "package.json"))) {
     throw new CliError(`Directory "${dir}" already contains a project.`);
   }
   const domain = await promptText("Domain for the IdP", "localhost");
@@ -7020,15 +6395,15 @@ async function initIdP(targetDir) {
     "s3 (S3-compatible)"
   ]);
   const adminEmail = await promptText("Admin email");
-  consola42.start("Scaffolding IdP starter...");
+  consola40.start("Scaffolding IdP starter...");
   await downloadTemplate("openape-ai/openape-idp-starter", dir);
-  consola42.success("Scaffolded from openape-idp-starter");
-  consola42.start("Installing dependencies...");
+  consola40.success("Scaffolded from openape-idp-starter");
+  consola40.start("Installing dependencies...");
   installDeps(dir);
-  consola42.success("Dependencies installed");
+  consola40.success("Dependencies installed");
   const sessionSecret = randomBytes(32).toString("hex");
   const managementToken = randomBytes(32).toString("hex");
-  consola42.success("Secrets generated");
+  consola40.success("Secrets generated");
   const isLocalhost = domain === "localhost";
   const origin = isLocalhost ? "http://localhost:3000" : `https://${domain}`;
   const envContent = [
@@ -7042,11 +6417,11 @@ async function initIdP(targetDir) {
     `NUXT_OPENAPE_RP_ID=${domain}`,
     `NUXT_OPENAPE_RP_ORIGIN=${origin}`
   ].join("\n");
-  writeFileSync9(join13(dir, ".env"), `${envContent}
+  writeFileSync9(join14(dir, ".env"), `${envContent}
 `, { mode: 384 });
-  consola42.success(".env created");
+  consola40.success(".env created");
   console.log("");
-  consola42.box([
+  consola40.box([
     `cd ${dir}`,
     "npm run dev",
     "",
@@ -7063,11 +6438,11 @@ async function initIdP(targetDir) {
 
 // src/commands/enroll.ts
 import { Buffer as Buffer5 } from "buffer";
-import { existsSync as existsSync15, readFileSync as readFileSync12 } from "fs";
+import { existsSync as existsSync16, readFileSync as readFileSync12 } from "fs";
 import { execFile as execFile2 } from "child_process";
 import { sign as sign2 } from "crypto";
-import { defineCommand as defineCommand51 } from "citty";
-import consola43 from "consola";
+import { defineCommand as defineCommand50 } from "citty";
+import consola41 from "consola";
 var DEFAULT_IDP_URL2 = "https://id.openape.at";
 var DEFAULT_KEY_PATH = "~/.ssh/id_ed25519";
 var POLL_INTERVAL = 3e3;
@@ -7106,11 +6481,11 @@ async function pollForEnrollment(idp, agentEmail, keyPath) {
       }
     } catch {
     }
-    await new Promise((resolve5) => setTimeout(resolve5, POLL_INTERVAL));
+    await new Promise((resolve4) => setTimeout(resolve4, POLL_INTERVAL));
   }
   throw new Error("Enrollment timed out. Please check the browser and try again.");
 }
-var enrollCommand = defineCommand51({
+var enrollCommand = defineCommand50({
   meta: {
     name: "enroll",
     description: "Enroll an agent with an Identity Provider"
@@ -7130,38 +6505,38 @@ var enrollCommand = defineCommand51({
     }
   },
   async run({ args }) {
-    const idp = args.idp || await consola43.prompt("IdP URL", { type: "text", default: DEFAULT_IDP_URL2, placeholder: DEFAULT_IDP_URL2 }).then((r3) => {
+    const idp = args.idp || await consola41.prompt("IdP URL", { type: "text", default: DEFAULT_IDP_URL2, placeholder: DEFAULT_IDP_URL2 }).then((r3) => {
       if (typeof r3 === "symbol") throw new CliExit(0);
       return r3;
     }) || DEFAULT_IDP_URL2;
-    const agentName = args.name || await consola43.prompt("Agent name", { type: "text", placeholder: "deploy-bot" }).then((r3) => {
+    const agentName = args.name || await consola41.prompt("Agent name", { type: "text", placeholder: "deploy-bot" }).then((r3) => {
       if (typeof r3 === "symbol") throw new CliExit(0);
       return r3;
     });
     if (!agentName) {
       throw new CliError("Agent name is required.");
     }
-    const keyPath = args.key || await consola43.prompt("Ed25519 key", { type: "text", default: DEFAULT_KEY_PATH, placeholder: DEFAULT_KEY_PATH }).then((r3) => {
+    const keyPath = args.key || await consola41.prompt("Ed25519 key", { type: "text", default: DEFAULT_KEY_PATH, placeholder: DEFAULT_KEY_PATH }).then((r3) => {
       if (typeof r3 === "symbol") throw new CliExit(0);
       return r3;
     }) || DEFAULT_KEY_PATH;
     const resolvedKey = resolveKeyPath(keyPath);
     let publicKey;
-    if (existsSync15(resolvedKey)) {
+    if (existsSync16(resolvedKey)) {
       publicKey = readPublicKey(resolvedKey);
-      consola43.success(`Using existing key ${keyPath}`);
+      consola41.success(`Using existing key ${keyPath}`);
     } else {
-      consola43.start(`Generating Ed25519 key pair at ${keyPath}...`);
+      consola41.start(`Generating Ed25519 key pair at ${keyPath}...`);
       publicKey = generateAndSaveKey(keyPath);
-      consola43.success(`Key pair generated at ${keyPath}`);
+      consola41.success(`Key pair generated at ${keyPath}`);
     }
     const encodedKey = encodeURIComponent(publicKey);
     const enrollUrl = `${idp}/enroll?name=${encodeURIComponent(agentName)}&key=${encodedKey}`;
-    consola43.info("Opening browser for enrollment...");
-    consola43.info(`\u2192 ${idp}/enroll`);
+    consola41.info("Opening browser for enrollment...");
+    consola41.info(`\u2192 ${idp}/enroll`);
     openBrowser2(enrollUrl);
     console.log("");
-    const agentEmail = await consola43.prompt(
+    const agentEmail = await consola41.prompt(
       "Agent email (shown in browser after enrollment)",
       { type: "text", placeholder: `agent+${agentName}@...` }
     ).then((r3) => {
@@ -7171,7 +6546,7 @@ var enrollCommand = defineCommand51({
     if (!agentEmail) {
       throw new CliError("Agent email is required to verify enrollment.");
     }
-    consola43.start("Verifying enrollment...");
+    consola41.start("Verifying enrollment...");
     const { token, expiresIn } = await pollForEnrollment(idp, agentEmail, keyPath);
     saveAuth({
       idp,
@@ -7183,18 +6558,18 @@ var enrollCommand = defineCommand51({
     config.defaults = { ...config.defaults, idp };
     config.agent = { key: keyPath, email: agentEmail };
     saveConfig(config);
-    consola43.success(`Agent enrolled as ${agentEmail}`);
-    consola43.success("Config saved to ~/.config/apes/");
+    consola41.success(`Agent enrolled as ${agentEmail}`);
+    consola41.success("Config saved to ~/.config/apes/");
     console.log("");
-    consola43.info("Verify with: apes whoami");
+    consola41.info("Verify with: apes whoami");
   }
 });
 
 // src/commands/register-user.ts
-import { existsSync as existsSync16, readFileSync as readFileSync13 } from "fs";
-import { defineCommand as defineCommand52 } from "citty";
-import consola44 from "consola";
-var registerUserCommand = defineCommand52({
+import { existsSync as existsSync17, readFileSync as readFileSync13 } from "fs";
+import { defineCommand as defineCommand51 } from "citty";
+import consola42 from "consola";
+var registerUserCommand = defineCommand51({
   meta: {
     name: "register-user",
     description: "Register a sub-user with SSH key"
@@ -7230,7 +6605,7 @@ var registerUserCommand = defineCommand52({
       throw new CliError("No IdP URL configured. Run `apes login` first.");
     }
     let publicKey = args.key;
-    if (existsSync16(args.key)) {
+    if (existsSync17(args.key)) {
       publicKey = readFileSync13(args.key, "utf-8").trim();
     }
     if (!publicKey.startsWith("ssh-ed25519 ")) {
@@ -7249,18 +6624,18 @@ var registerUserCommand = defineCommand52({
         ...userType ? { type: userType } : {}
       }
     });
-    consola44.success(`User registered: ${result.email} (type: ${result.type}, owner: ${result.owner})`);
+    consola42.success(`User registered: ${result.email} (type: ${result.type}, owner: ${result.owner})`);
   }
 });
 
 // src/commands/utils/index.ts
-import { defineCommand as defineCommand54 } from "citty";
+import { defineCommand as defineCommand53 } from "citty";
 
 // src/commands/utils/dig.ts
-import { defineCommand as defineCommand53 } from "citty";
-import consola45 from "consola";
+import { defineCommand as defineCommand52 } from "citty";
+import consola43 from "consola";
 import { resolveDDISA as resolveDDISA2 } from "@openape/core";
-var digCommand = defineCommand53({
+var digCommand = defineCommand52({
   meta: {
     name: "dig",
     description: "Resolve DDISA IdP for a domain or email (admin/diag tool)"
@@ -7333,12 +6708,12 @@ var digCommand = defineCommand53({
     console.log(`  domain: ${domain}`);
     console.log("");
     if (!result.ddisa.found) {
-      consola45.warn(`No DDISA record at _ddisa.${domain}`);
+      consola43.warn(`No DDISA record at _ddisa.${domain}`);
       if (result.hint) console.log(`
 ${result.hint}`);
       throw new CliError(`No DDISA record found for ${domain}`);
     }
-    consola45.success(`_ddisa.${domain} \u2192 ${result.ddisa.idp}`);
+    consola43.success(`_ddisa.${domain} \u2192 ${result.ddisa.idp}`);
     console.log(`  Version:  ${result.ddisa.version || "ddisa1"}`);
     console.log(`  IdP URL:  ${result.ddisa.idp}`);
     if (result.ddisa.mode) console.log(`  Mode:     ${result.ddisa.mode}`);
@@ -7348,13 +6723,13 @@ ${result.hint}`);
       return;
     }
     if (result.idpDiscovery.ok) {
-      consola45.success(`IdP reachable (${result.idpDiscovery.status ?? 200})`);
+      consola43.success(`IdP reachable (${result.idpDiscovery.status ?? 200})`);
       if (result.idpDiscovery.issuer) console.log(`  Issuer:   ${result.idpDiscovery.issuer}`);
       if (result.idpDiscovery.ddisaVersion) console.log(`  DDISA:    v${result.idpDiscovery.ddisaVersion}`);
       if (result.idpDiscovery.authMethods?.length) console.log(`  Auth:     ${result.idpDiscovery.authMethods.join(", ")}`);
       if (result.idpDiscovery.grantTypes?.length) console.log(`  Grants:   ${result.idpDiscovery.grantTypes.join(", ")}`);
     } else {
-      consola45.warn(`IdP discovery failed${result.idpDiscovery.status ? ` (HTTP ${result.idpDiscovery.status})` : ""}`);
+      consola43.warn(`IdP discovery failed${result.idpDiscovery.status ? ` (HTTP ${result.idpDiscovery.status})` : ""}`);
       if (result.hint) console.log(`
 ${result.hint}`);
       throw new CliError(`IdP at ${result.ddisa.idp} not reachable`);
@@ -7363,7 +6738,7 @@ ${result.hint}`);
 });
 
 // src/commands/utils/index.ts
-var utilsCommand = defineCommand54({
+var utilsCommand = defineCommand53({
   meta: {
     name: "utils",
     description: "Admin/diagnostic utilities (dig, \u2026)"
@@ -7374,12 +6749,12 @@ var utilsCommand = defineCommand54({
 });
 
 // src/commands/sessions/index.ts
-import { defineCommand as defineCommand57 } from "citty";
+import { defineCommand as defineCommand56 } from "citty";
 
 // src/commands/sessions/list.ts
-import { defineCommand as defineCommand55 } from "citty";
-import consola46 from "consola";
-var sessionsListCommand = defineCommand55({
+import { defineCommand as defineCommand54 } from "citty";
+import consola44 from "consola";
+var sessionsListCommand = defineCommand54({
   meta: {
     name: "list",
     description: "List your active refresh-token families (one per logged-in device)."
@@ -7397,7 +6772,7 @@ var sessionsListCommand = defineCommand55({
       return;
     }
     if (result.data.length === 0) {
-      consola46.info("No active sessions.");
+      consola44.info("No active sessions.");
       return;
     }
     for (const f of result.data) {
@@ -7409,9 +6784,9 @@ var sessionsListCommand = defineCommand55({
 });
 
 // src/commands/sessions/remove.ts
-import { defineCommand as defineCommand56 } from "citty";
-import consola47 from "consola";
-var sessionsRemoveCommand = defineCommand56({
+import { defineCommand as defineCommand55 } from "citty";
+import consola45 from "consola";
+var sessionsRemoveCommand = defineCommand55({
   meta: {
     name: "remove",
     description: "Revoke one of your active refresh-token families by id."
@@ -7427,12 +6802,12 @@ var sessionsRemoveCommand = defineCommand56({
     const id = String(args.familyId).trim();
     if (!id) throw new CliError("familyId required");
     await apiFetch(`/api/me/sessions/${encodeURIComponent(id)}`, { method: "DELETE" });
-    consola47.success(`Session ${id} revoked. The device using it will need to \`apes login\` again on its next refresh.`);
+    consola45.success(`Session ${id} revoked. The device using it will need to \`apes login\` again on its next refresh.`);
   }
 });
 
 // src/commands/sessions/index.ts
-var sessionsCommand = defineCommand57({
+var sessionsCommand = defineCommand56({
   meta: {
     name: "sessions",
     description: "Manage your active refresh-token sessions across devices"
@@ -7444,10 +6819,10 @@ var sessionsCommand = defineCommand57({
 });
 
 // src/commands/dns-check.ts
-import { defineCommand as defineCommand58 } from "citty";
-import consola48 from "consola";
+import { defineCommand as defineCommand57 } from "citty";
+import consola46 from "consola";
 import { resolveDDISA as resolveDDISA3 } from "@openape/core";
-var dnsCheckCommand = defineCommand58({
+var dnsCheckCommand = defineCommand57({
   meta: {
     name: "dns-check",
     description: "Validate DDISA DNS TXT records for a domain"
@@ -7461,7 +6836,7 @@ var dnsCheckCommand = defineCommand58({
   },
   async run({ args }) {
     const domain = args.domain;
-    consola48.start(`Checking _ddisa.${domain}...`);
+    consola46.start(`Checking _ddisa.${domain}...`);
     try {
       const result = await resolveDDISA3(domain);
       if (!result) {
@@ -7470,7 +6845,7 @@ var dnsCheckCommand = defineCommand58({
         console.log(`  _ddisa.${domain} TXT "v=ddisa1 idp=https://id.${domain}"`);
         throw new CliError(`No DDISA record found for ${domain}`);
       }
-      consola48.success(`_ddisa.${domain} \u2192 ${result.idp}`);
+      consola46.success(`_ddisa.${domain} \u2192 ${result.idp}`);
       console.log("");
       console.log(`  Version:  ${result.version || "ddisa1"}`);
       console.log(`  IdP URL:  ${result.idp}`);
@@ -7479,14 +6854,14 @@ var dnsCheckCommand = defineCommand58({
       if (result.priority !== void 0)
         console.log(`  Priority: ${result.priority}`);
       console.log("");
-      consola48.start(`Verifying IdP at ${result.idp}...`);
+      consola46.start(`Verifying IdP at ${result.idp}...`);
       const discoResp = await fetch(`${result.idp}/.well-known/openid-configuration`);
       if (!discoResp.ok) {
-        consola48.warn(`IdP discovery failed (${discoResp.status}). Is the IdP running at ${result.idp}?`);
+        consola46.warn(`IdP discovery failed (${discoResp.status}). Is the IdP running at ${result.idp}?`);
         return;
       }
       const disco = await discoResp.json();
-      consola48.success(`IdP is reachable`);
+      consola46.success(`IdP is reachable`);
       console.log(`  Issuer:   ${disco.issuer}`);
       console.log(`  DDISA:    v${disco.ddisa_version || "?"}`);
       if (disco.ddisa_auth_methods_supported) {
@@ -7504,7 +6879,7 @@ var dnsCheckCommand = defineCommand58({
 // src/commands/health.ts
 import { exec } from "child_process";
 import { promisify } from "util";
-import { defineCommand as defineCommand59 } from "citty";
+import { defineCommand as defineCommand58 } from "citty";
 var execAsync = promisify(exec);
 async function resolveApeShellPath() {
   try {
@@ -7540,7 +6915,7 @@ async function bestEffortGrantCount(idp) {
   }
 }
 async function runHealth(args) {
-  const version = true ? "1.10.0" : "0.0.0";
+  const version = true ? "1.12.0" : "0.0.0";
   const auth = loadAuth();
   if (!auth) {
     throw new CliError("Not logged in. Run `apes login` first.", 1);
@@ -7603,7 +6978,7 @@ async function runHealth(args) {
     throw new CliError(`IdP ${auth.idp} unreachable: ${idpProbe.error}`, 1);
   }
 }
-var healthCommand = defineCommand59({
+var healthCommand = defineCommand58({
   meta: {
     name: "health",
     description: "Report CLI diagnostic state (auth, IdP, grants, binaries)"
@@ -7621,8 +6996,8 @@ var healthCommand = defineCommand59({
 });
 
 // src/commands/workflows.ts
-import { defineCommand as defineCommand60 } from "citty";
-import consola49 from "consola";
+import { defineCommand as defineCommand59 } from "citty";
+import consola47 from "consola";
 
 // src/guides/index.ts
 var guides = [
@@ -7672,7 +7047,7 @@ var guides = [
 ];
 
 // src/commands/workflows.ts
-var workflowsCommand = defineCommand60({
+var workflowsCommand = defineCommand59({
   meta: {
     name: "workflows",
     description: "Discover workflow guides"
@@ -7693,7 +7068,7 @@ var workflowsCommand = defineCommand60({
     if (args.id) {
       const guide = guides.find((g) => g.id === String(args.id));
       if (!guide) {
-        consola49.info(`Available: ${guides.map((g) => g.id).join(", ")}`);
+        consola47.info(`Available: ${guides.map((g) => g.id).join(", ")}`);
         throw new CliError(`Guide not found: ${args.id}`);
       }
       if (args.json) {
@@ -7733,15 +7108,15 @@ var workflowsCommand = defineCommand60({
 });
 
 // src/version-check.ts
-import { existsSync as existsSync17, mkdirSync as mkdirSync6, readFileSync as readFileSync14, writeFileSync as writeFileSync10 } from "fs";
+import { existsSync as existsSync18, mkdirSync as mkdirSync6, readFileSync as readFileSync14, writeFileSync as writeFileSync10 } from "fs";
 import { homedir as homedir13 } from "os";
-import { join as join14 } from "path";
-import consola50 from "consola";
+import { join as join15 } from "path";
+import consola48 from "consola";
 var PACKAGE_NAME = "@openape/apes";
 var CACHE_TTL_MS = 24 * 60 * 60 * 1e3;
-var CACHE_FILE = join14(homedir13(), ".config", "apes", ".version-check.json");
+var CACHE_FILE = join15(homedir13(), ".config", "apes", ".version-check.json");
 function readCache() {
-  if (!existsSync17(CACHE_FILE)) return null;
+  if (!existsSync18(CACHE_FILE)) return null;
   try {
     return JSON.parse(readFileSync14(CACHE_FILE, "utf-8"));
   } catch {
@@ -7750,8 +7125,8 @@ function readCache() {
 }
 function writeCache(entry) {
   try {
-    const dir = join14(homedir13(), ".config", "apes");
-    if (!existsSync17(dir)) mkdirSync6(dir, { recursive: true, mode: 448 });
+    const dir = join15(homedir13(), ".config", "apes");
+    if (!existsSync18(dir)) mkdirSync6(dir, { recursive: true, mode: 448 });
     writeFileSync10(CACHE_FILE, JSON.stringify(entry), { mode: 384 });
   } catch {
   }
@@ -7781,7 +7156,7 @@ async function fetchLatestVersion() {
 }
 function warnIfBehind(currentVersion, latest) {
   if (compareSemver(currentVersion, latest) < 0) {
-    consola50.warn(
+    consola48.warn(
       `apes ${currentVersion} is behind latest @openape/apes@${latest}. Run \`npm i -g @openape/apes@latest\` to update. (Suppress with APES_NO_UPDATE_CHECK=1.)`
     );
   }
@@ -7813,10 +7188,10 @@ if (shellRewrite) {
   if (shellRewrite.action === "rewrite") {
     process.argv = shellRewrite.argv;
   } else if (shellRewrite.action === "version") {
-    console.log(`ape-shell ${"1.10.0"} (OpenApe DDISA shell wrapper)`);
+    console.log(`ape-shell ${"1.12.0"} (OpenApe DDISA shell wrapper)`);
     process.exit(0);
   } else if (shellRewrite.action === "help") {
-    console.log(`ape-shell ${"1.10.0"} \u2014 OpenApe DDISA shell wrapper`);
+    console.log(`ape-shell ${"1.12.0"} \u2014 OpenApe DDISA shell wrapper`);
     console.log("");
     console.log("Usage:");
     console.log("  ape-shell                 Start interactive grant-mediated REPL");
@@ -7840,7 +7215,7 @@ if (shellRewrite) {
   }
 }
 var debug = process.argv.includes("--debug");
-var grantsCommand = defineCommand61({
+var grantsCommand = defineCommand60({
   meta: {
     name: "grants",
     description: "Grant management"
@@ -7861,7 +7236,7 @@ var grantsCommand = defineCommand61({
     "delegation-revoke": delegationRevokeCommand
   }
 });
-var configCommand = defineCommand61({
+var configCommand = defineCommand60({
   meta: {
     name: "config",
     description: "Configuration management"
@@ -7871,10 +7246,10 @@ var configCommand = defineCommand61({
     set: configSetCommand
   }
 });
-var main = defineCommand61({
+var main = defineCommand60({
   meta: {
     name: "apes",
-    version: "1.10.0",
+    version: "1.12.0",
     description: "Unified CLI for OpenApe"
   },
   subCommands: {
@@ -7931,20 +7306,20 @@ async function maybeRefreshAuth() {
   }
 }
 await maybeRefreshAuth();
-await maybeWarnStaleVersion("1.10.0").catch(() => {
+await maybeWarnStaleVersion("1.12.0").catch(() => {
 });
 runMain(main).catch((err) => {
   if (err instanceof CliExit) {
     process.exit(err.exitCode);
   }
   if (err instanceof CliError) {
-    consola51.error(err.message);
+    consola49.error(err.message);
     process.exit(err.exitCode);
   }
   if (debug) {
-    consola51.error(err);
+    consola49.error(err);
   } else {
-    consola51.error(err instanceof ApiError ? err.message : err instanceof Error ? err.message : String(err));
+    consola49.error(err instanceof ApiError ? err.message : err instanceof Error ? err.message : String(err));
   }
   process.exit(1);
 });