@openape/apes 1.16.0 → 1.17.0

package/dist/cli.js

@@ -4163,9 +4163,15 @@ and try again.`
         troop
       });
       writeFileSync4(scriptPath, script, { mode: 448 });
-      consola23.start("Running privileged setup as root via `apes run --as root --wait`\u2026");
-      consola23.info("You will be asked to approve the as=root grant in your DDISA inbox; this command blocks until you do.");
-      execFileSync6(apes, ["run", "--as", "root", "--wait", "--", "bash", scriptPath], { stdio: "inherit" });
+      const alreadyRoot = process.getuid?.() === 0;
+      if (alreadyRoot) {
+        consola23.start("Running privileged setup directly (already root)\u2026");
+        execFileSync6("bash", [scriptPath], { stdio: "inherit" });
+      } else {
+        consola23.start("Running privileged setup as root via `apes run --as root --wait`\u2026");
+        consola23.info("You will be asked to approve the as=root grant in your DDISA inbox; this command blocks until you do.");
+        execFileSync6(apes, ["run", "--as", "root", "--wait", "--", "bash", scriptPath], { stdio: "inherit" });
+      }
       try {
         const uid = readMacOSUidOrNull(name);
         upsertNestAgent({
@@ -5815,6 +5821,19 @@ async function runAudienceMode(audience, action, args) {
   const grantsUrl = await getGrantsEndpoint(idp);
   const command = action.split(" ");
   const targetHost = args.host || hostname5();
+  const runAs = args.as ?? void 0;
+  const reusableId = await findReusableAudienceGrant({
+    grantsUrl,
+    requester: auth.email,
+    audience,
+    command,
+    targetHost,
+    runAs
+  });
+  if (reusableId) {
+    const { authz_jwt: authz_jwt2 } = await apiFetch(`${grantsUrl}/${reusableId}/token`, { method: "POST" });
+    return executeWithGrantToken({ audience, command, args, token: authz_jwt2 });
+  }
   consola36.info(`Requesting ${audience} grant on ${targetHost}: ${command.join(" ")}`);
   const grant = await apiFetch(grantsUrl, {
     method: "POST",
@@ -5825,7 +5844,7 @@ async function runAudienceMode(audience, action, args) {
       grant_type: args.approval,
       command,
       reason: args.reason || command.join(" "),
-      ...args.as ? { run_as: args.as } : {}
+      ...runAs ? { run_as: runAs } : {}
     }
   });
   if (!shouldWaitForGrant(args)) {
@@ -5861,11 +5880,15 @@ async function runAudienceMode(audience, action, args) {
   const { authz_jwt } = await apiFetch(`${grantsUrl}/${grant.id}/token`, {
     method: "POST"
   });
+  return executeWithGrantToken({ audience, command, args, token: authz_jwt });
+}
+function executeWithGrantToken(opts) {
+  const { audience, command, args, token } = opts;
   if (audience === "escapes") {
     consola36.info(`Executing: ${command.join(" ")}`);
     try {
       const { APES_SHELL_WRAPPER: _wrapperMarker, ...inheritedEnv } = process.env;
-      execFileSync13(args["escapes-path"] || "escapes", ["--grant", authz_jwt, "--", ...command], {
+      execFileSync13(args["escapes-path"] || "escapes", ["--grant", token, "--", ...command], {
         stdio: "inherit",
         env: inheritedEnv
       });
@@ -5874,7 +5897,28 @@ async function runAudienceMode(audience, action, args) {
       throw new CliExit(exitCode);
     }
   } else {
-    process.stdout.write(authz_jwt);
+    process.stdout.write(token);
+  }
+}
+async function findReusableAudienceGrant(opts) {
+  try {
+    const grants = await apiFetch(`${opts.grantsUrl}?requester=${encodeURIComponent(opts.requester)}&status=approved&limit=50`);
+    const now = Math.floor(Date.now() / 1e3);
+    const match = grants.data.find((g) => {
+      const r3 = g.request;
+      if (r3.audience !== opts.audience) return false;
+      if (r3.target_host !== opts.targetHost) return false;
+      if (r3.grant_type === "once") return false;
+      if (r3.grant_type === "timed" && g.expires_at && g.expires_at <= now) return false;
+      const cmd = r3.command ?? [];
+      if (cmd.length !== opts.command.length) return false;
+      if (!cmd.every((c2, i) => c2 === opts.command[i])) return false;
+      if ((r3.run_as ?? void 0) !== opts.runAs) return false;
+      return true;
+    });
+    return match?.id ?? null;
+  } catch {
+    return null;
   }
 }
 
@@ -6367,7 +6411,7 @@ var mcpCommand = defineCommand48({
     if (transport !== "stdio" && transport !== "sse") {
       throw new Error('Transport must be "stdio" or "sse"');
     }
-    const { startMcpServer } = await import("./server-FVFFPVVN.js");
+    const { startMcpServer } = await import("./server-VPKUJDKY.js");
     await startMcpServer(transport, port);
   }
 });
@@ -7005,7 +7049,7 @@ async function bestEffortGrantCount(idp) {
   }
 }
 async function runHealth(args) {
-  const version = true ? "1.16.0" : "0.0.0";
+  const version = true ? "1.17.0" : "0.0.0";
   const auth = loadAuth();
   if (!auth) {
     throw new CliError("Not logged in. Run `apes login` first.", 1);
@@ -7278,10 +7322,10 @@ if (shellRewrite) {
   if (shellRewrite.action === "rewrite") {
     process.argv = shellRewrite.argv;
   } else if (shellRewrite.action === "version") {
-    console.log(`ape-shell ${"1.16.0"} (OpenApe DDISA shell wrapper)`);
+    console.log(`ape-shell ${"1.17.0"} (OpenApe DDISA shell wrapper)`);
     process.exit(0);
   } else if (shellRewrite.action === "help") {
-    console.log(`ape-shell ${"1.16.0"} \u2014 OpenApe DDISA shell wrapper`);
+    console.log(`ape-shell ${"1.17.0"} \u2014 OpenApe DDISA shell wrapper`);
     console.log("");
     console.log("Usage:");
     console.log("  ape-shell                 Start interactive grant-mediated REPL");
@@ -7339,7 +7383,7 @@ var configCommand = defineCommand60({
 var main = defineCommand60({
   meta: {
     name: "apes",
-    version: "1.16.0",
+    version: "1.17.0",
     description: "Unified CLI for OpenApe"
   },
   subCommands: {
@@ -7396,7 +7440,7 @@ async function maybeRefreshAuth() {
   }
 }
 await maybeRefreshAuth();
-await maybeWarnStaleVersion("1.16.0").catch(() => {
+await maybeWarnStaleVersion("1.17.0").catch(() => {
 });
 runMain(main).catch((err) => {
   if (err instanceof CliExit) {