@openape/apes 1.26.0 → 1.28.0

package/dist/cli.js

@@ -3,10 +3,17 @@ import {
   CliError,
   CliExit,
   RpcSessionMap,
+  buildCreateCommand,
+  buildIssueGet,
+  buildPrCreate,
+  buildPrMerge,
+  detectForge,
   parseDuration,
+  runApeShell,
   runLoop,
-  taskTools
-} from "./chunk-VHZEVW2N.js";
+  taskTools,
+  worktreePathFor
+} from "./chunk-AFTJZVOQ.js";
 import {
   loadEd25519PrivateKey,
   readPublicKeyComment
@@ -66,7 +73,7 @@ import {
 } from "./chunk-OBF7IMQ2.js";
 
 // src/cli.ts
-import consola51 from "consola";
+import consola52 from "consola";
 
 // src/ape-shell.ts
 import path from "path";
@@ -96,7 +103,7 @@ function rewriteApeShellArgs(argv, argv0) {
 }
 
 // src/cli.ts
-import { defineCommand as defineCommand63, runMain } from "citty";
+import { defineCommand as defineCommand64, runMain } from "citty";
 
 // src/commands/auth/login.ts
 import { Buffer as Buffer2 } from "buffer";
@@ -382,7 +389,7 @@ async function loginWithPKCE(idp) {
   consola2.success(`Logged in as ${payload.email || payload.sub}`);
 }
 async function loginWithKey(idp, keyPath, agentEmail) {
-  const { readFileSync: readFileSync17 } = await import("fs");
+  const { readFileSync: readFileSync18 } = await import("fs");
   const { sign: sign3 } = await import("crypto");
   const { loadEd25519PrivateKey: loadEd25519PrivateKey2 } = await import("./ssh-key-YBNNG5K5.js");
   const challengeUrl = await getAgentChallengeEndpoint(idp);
@@ -395,7 +402,7 @@ async function loginWithKey(idp, keyPath, agentEmail) {
     throw new CliError(`Challenge failed: ${await challengeResp.text()}`);
   }
   const { challenge } = await challengeResp.json();
-  const keyContent = readFileSync17(keyPath, "utf-8");
+  const keyContent = readFileSync18(keyPath, "utf-8");
   const privateKey = loadEd25519PrivateKey2(keyContent);
   const signature = sign3(null, Buffer2.from(challenge), privateKey).toString("base64");
   const authenticateUrl = await getAgentAuthenticateEndpoint(idp);
@@ -1955,7 +1962,7 @@ var agentCommand = defineCommand21({
 });
 
 // src/commands/agents/index.ts
-import { defineCommand as defineCommand31 } from "citty";
+import { defineCommand as defineCommand32 } from "citty";
 
 // src/commands/agents/allow.ts
 import { execFileSync as execFileSync4 } from "child_process";
@@ -2619,31 +2626,483 @@ var cleanupOrphansCommand = defineCommand23({
   }
 });
 
+// src/commands/agents/code.ts
+import { existsSync as existsSync4, readFileSync as readFileSync3 } from "fs";
+import { homedir as homedir4 } from "os";
+import { join as join2 } from "path";
+import process2 from "process";
+import { defineCommand as defineCommand24 } from "citty";
+import { consola as consola21 } from "consola";
+
+// src/lib/coding/issue-task.ts
+var DEFAULT_TEMPLATE = "{type}/issue-{number}-{slug}";
+var DEFAULT_TYPE = "fix";
+var DEFAULT_SLUG_MAX = 48;
+var DEFAULT_INSTRUCTIONS = [
+  "Work in the provided worktree. When done:",
+  "- ensure the verification command passes (no PR on red)",
+  "- open a PR that references this issue",
+  "- leave risk-path / agent-judged-risky changes for human approval"
+].join("\n");
+var TYPE_RE = /^[a-z]{2,12}$/;
+function slugify(title, max = DEFAULT_SLUG_MAX) {
+  return title.toLowerCase().normalize("NFKD").replace(/[^\w\s-]/g, "").trim().replace(/[\s_]+/g, "-").replace(/-+/g, "-").replace(/^-|-$/g, "").slice(0, max).replace(/-$/, "");
+}
+function buildBranchName(issue, naming = {}) {
+  const num = String(issue.number).replace(/\D/g, "");
+  if (!num) throw new Error("issue number required");
+  const type = issue.type && TYPE_RE.test(issue.type) ? issue.type : naming.defaultType ?? DEFAULT_TYPE;
+  const slug = slugify(issue.title, naming.slugMax ?? DEFAULT_SLUG_MAX) || "task";
+  return (naming.template ?? DEFAULT_TEMPLATE).replace(/\{type\}/g, type).replace(/\{number\}/g, num).replace(/\{slug\}/g, slug);
+}
+function buildTaskPrompt(issue, framing = {}) {
+  const num = String(issue.number);
+  const parts = [];
+  if (framing.persona?.trim()) parts.push(framing.persona.trim());
+  parts.push(`Issue #${num}: ${issue.title}`);
+  parts.push(issue.body?.trim() ? issue.body.trim() : "(no description provided)");
+  parts.push(framing.instructions?.trim() ? framing.instructions.trim() : DEFAULT_INSTRUCTIONS);
+  return parts.join("\n\n");
+}
+
+// src/lib/coding/merge-policy.ts
+var SECURE_DEFAULT_POLICY = {
+  autoMergeEnabled: false,
+  autoPaths: [],
+  riskPaths: []
+};
+function globToRegExp(glob) {
+  let re = "";
+  for (let i = 0; i < glob.length; i++) {
+    const c = glob[i];
+    if (c === "*") {
+      if (glob[i + 1] === "*") {
+        re += ".*";
+        i++;
+        if (glob[i + 1] === "/") i++;
+      } else {
+        re += "[^/]*";
+      }
+    } else if (c === "?") {
+      re += "[^/]";
+    } else if (".+^${}()|[]\\".includes(c)) {
+      re += `\\${c}`;
+    } else {
+      re += c;
+    }
+  }
+  return new RegExp(`^${re}$`);
+}
+function matchesAny(path2, globs) {
+  return globs.some((g) => globToRegExp(g).test(path2));
+}
+function classifyChange(paths, policy = SECURE_DEFAULT_POLICY) {
+  if (paths.length === 0) return "code";
+  if (paths.some((p) => matchesAny(p, policy.riskPaths))) return "risk";
+  if (policy.autoPaths.length > 0 && paths.every((p) => matchesAny(p, policy.autoPaths))) return "chore";
+  return "code";
+}
+function decideMerge(paths, policy = SECURE_DEFAULT_POLICY, agentRisk) {
+  const globClass = classifyChange(paths, policy);
+  const isRisk = globClass === "risk" || agentRisk?.risky === true;
+  const classification = isRisk ? "risk" : globClass;
+  if (!policy.autoMergeEnabled) {
+    return { classification, autoMerge: false, needsReview: false, needsHuman: true, reason: "auto-merge not enabled for this repo \u2014 human approval required (set autoMergeEnabled in .openape/coding.json to opt in)" };
+  }
+  if (isRisk) {
+    const why = agentRisk?.risky ? `agent judged this risky${agentRisk.reason ? `: ${agentRisk.reason}` : ""}` : "matches a repo/derived risk path";
+    return { classification, autoMerge: false, needsReview: false, needsHuman: true, reason: `${why} \u2014 human approval required` };
+  }
+  if (classification === "chore") {
+    return { classification, autoMerge: true, needsReview: false, needsHuman: false, reason: "chore/docs only \u2014 auto-merge on green CI" };
+  }
+  return { classification, autoMerge: true, needsReview: true, needsHuman: false, reason: "code change \u2014 auto-merge after reviewer-agent approval" };
+}
+async function loadMergePolicy(worktreeDir) {
+  const { readFile } = await import("fs/promises");
+  const { join: join20 } = await import("path");
+  try {
+    const raw = await readFile(join20(worktreeDir, ".openape", "coding.json"), "utf8");
+    const parsed = JSON.parse(raw);
+    const mp = parsed.mergePolicy;
+    if (!mp) return SECURE_DEFAULT_POLICY;
+    return {
+      autoMergeEnabled: mp.autoMergeEnabled === true,
+      autoPaths: Array.isArray(mp.autoPaths) ? mp.autoPaths.filter((g) => typeof g === "string") : [],
+      riskPaths: Array.isArray(mp.riskPaths) ? mp.riskPaths.filter((g) => typeof g === "string") : []
+    };
+  } catch {
+    return SECURE_DEFAULT_POLICY;
+  }
+}
+
+// src/lib/coding/review-gate.ts
+async function gateMerge(decision, req, reviewer) {
+  if (decision.needsHuman) {
+    return { armMerge: false, awaitingHuman: true, reason: "risk-path change \u2014 handed off to human reviewer" };
+  }
+  if (!decision.needsReview) {
+    return { armMerge: true, awaitingHuman: false, reason: "chore change \u2014 no reviewer gate" };
+  }
+  const verdict = await reviewer({ ...req, classification: decision.classification });
+  if (verdict.approved) {
+    return { armMerge: true, awaitingHuman: false, reason: `reviewer approved${verdict.reason ? `: ${verdict.reason}` : ""}` };
+  }
+  return { armMerge: false, awaitingHuman: false, reason: `reviewer blocked${verdict.reason ? `: ${verdict.reason}` : ""}` };
+}
+
+// src/lib/coding/coding-loop.ts
+var DIFF_CAP = 60 * 1024;
+function taskIdFromIssue(issue) {
+  const num = String(issue.number).replace(/\D/g, "");
+  return `issue-${num || "x"}`;
+}
+async function runCodingTask(input, deps) {
+  const shell = deps.shell ?? (async (cmd, t) => {
+    const r = await runApeShell(cmd, t);
+    return { stdout: r.stdout, stderr: r.stderr, exit_code: r.exit_code };
+  });
+  const loop = deps.runLoopImpl ?? runLoop;
+  const log = deps.log ?? (() => {
+  });
+  const branch = buildBranchName(input.issue, deps.branchNaming);
+  const taskId = taskIdFromIssue(input.issue);
+  const worktree = worktreePathFor(taskId);
+  log(`[coding] creating worktree ${worktree} on ${branch}`);
+  const wt = await shell(buildCreateCommand(input.repo, taskId, branch));
+  if (wt.exit_code !== 0) {
+    return { branch, worktree, runStatus: "error", changedFiles: [], outcome: "run-failed", reason: `worktree create failed: ${wt.stderr.slice(0, 300)}` };
+  }
+  const policy = deps.resolvePolicy ? await deps.resolvePolicy(worktree) : deps.policy ?? SECURE_DEFAULT_POLICY;
+  const prompt = buildTaskPrompt(input.issue, { persona: deps.persona });
+  const run = await loop({
+    config: deps.runtimeConfig,
+    systemPrompt: deps.persona,
+    userMessage: `${prompt}
+
+Worktree: ${worktree}`,
+    tools: deps.tools,
+    maxSteps: deps.maxSteps
+  });
+  if (run.status !== "ok") {
+    return { branch, worktree, runStatus: "error", changedFiles: [], outcome: "run-failed", reason: `coding loop errored after ${run.stepCount} steps` };
+  }
+  const namesRes = await shell(`git -C '${worktree}' add -A && git -C '${worktree}' diff --cached --name-only`);
+  const changedFiles = namesRes.stdout.split("\n").map((s) => s.trim()).filter(Boolean);
+  if (changedFiles.length === 0) {
+    return { branch, worktree, runStatus: "ok", changedFiles: [], outcome: "run-failed", reason: "no changes produced \u2014 nothing to PR" };
+  }
+  const diffRes = await shell(`git -C '${worktree}' diff --cached`);
+  const diff = diffRes.stdout.slice(0, DIFF_CAP);
+  const agentRisk = await deps.riskAssessor({ paths: changedFiles, diff });
+  const decision = decideMerge(changedFiles, policy, agentRisk);
+  log(`[coding] decision=${decision.classification} (${decision.reason})`);
+  await shell(`git -C '${worktree}' commit -m ${shqMsg(input.issue)} && git -C '${worktree}' push -u origin '${branch}'`);
+  const prCmd = buildPrCreate({ forge: input.forge, title: prTitle(input.issue), body: prBody(input.issue), head: branch });
+  const prRes = await shell(`cd '${worktree}' && ${prCmd}`);
+  const prRef = prRes.stdout.match(/\/pull\/(\d+)|!(\d+)|\bpr\/(\d+)/i)?.slice(1).find(Boolean) ?? branch;
+  if (decision.needsHuman) {
+    return { branch, worktree, runStatus: "ok", changedFiles, decision, outcome: "awaiting-human", prRef, reason: decision.reason };
+  }
+  const gate = await gateMerge(decision, { prRef, diff }, deps.reviewer);
+  if (!gate.armMerge) {
+    return { branch, worktree, runStatus: "ok", changedFiles, decision, outcome: "reviewer-blocked", prRef, reason: gate.reason };
+  }
+  const mergeCmd = buildPrMerge({ forge: input.forge, ref: prRef, auto: true, squash: deps.squash, deleteBranch: true });
+  await shell(`cd '${worktree}' && ${mergeCmd}`);
+  return { branch, worktree, runStatus: "ok", changedFiles, decision, outcome: "auto-armed", prRef, reason: gate.reason };
+}
+function prTitle(issue) {
+  return `${issue.type ?? "fix"}: ${issue.title} (#${String(issue.number).replace(/\D/g, "")})`;
+}
+function prBody(issue) {
+  return `Resolves #${String(issue.number).replace(/\D/g, "")}.
+
+Automated by the OpenApe coding agent.`;
+}
+function shqMsg(issue) {
+  return `'${prTitle(issue).replace(/'/g, "'\\''")}'`;
+}
+
+// src/lib/coding/llm-review.ts
+var DIFF_CAP2 = 48 * 1024;
+async function jsonCompletion(config, system, user, fetchImpl = fetch) {
+  try {
+    const res = await fetchImpl(`${config.apiBase}/chat/completions`, {
+      method: "POST",
+      headers: { "authorization": `Bearer ${config.apiKey}`, "content-type": "application/json" },
+      body: JSON.stringify({
+        model: config.model,
+        messages: [{ role: "system", content: system }, { role: "user", content: user }],
+        response_format: { type: "json_object" }
+      })
+    });
+    if (!res.ok) return null;
+    const data = await res.json();
+    const content = data.choices?.[0]?.message?.content;
+    if (!content) return null;
+    return JSON.parse(content);
+  } catch {
+    return null;
+  }
+}
+var RISK_SYSTEM = [
+  "You are a security/risk classifier for an autonomous coding agent.",
+  "Given a diff + changed file paths, decide whether merging it WITHOUT a human is risky.",
+  "Risky = touches authentication, authorization, secrets/credentials, payment, data migrations,",
+  "deploy/release/CI config, cryptography, deletion of data, or anything whose failure is hard to",
+  "reverse in production. Routine code/tests/docs/refactors are NOT risky.",
+  'Respond ONLY as JSON: {"risky": boolean, "reason": string}.'
+].join(" ");
+function createLlmRiskAssessor(config, fetchImpl) {
+  return async ({ paths, diff }) => {
+    const user = `Changed files:
+${paths.join("\n")}
+
+Diff (truncated):
+${diff.slice(0, DIFF_CAP2)}`;
+    const out = await jsonCompletion(config, RISK_SYSTEM, user, fetchImpl);
+    if (!out || typeof out.risky !== "boolean") {
+      return { risky: true, reason: "risk classifier unavailable/unparseable \u2014 treating as risky (fail-safe)" };
+    }
+    return { risky: out.risky, reason: typeof out.reason === "string" ? out.reason : void 0 };
+  };
+}
+var REVIEW_SYSTEM = [
+  "You are a code reviewer for an autonomous coding agent.",
+  "Given a PR diff, decide whether it is correct, safe, and complete enough to auto-merge.",
+  "Approve only if you would be comfortable shipping it without further human review.",
+  "Block if you see bugs, missing tests, security issues, or incomplete work.",
+  'Respond ONLY as JSON: {"approved": boolean, "reason": string}.'
+].join(" ");
+function createLlmReviewer(config, fetchImpl) {
+  return async ({ prRef, diff }) => {
+    const user = `PR ${String(prRef)} diff (truncated):
+${diff.slice(0, DIFF_CAP2)}`;
+    const out = await jsonCompletion(config, REVIEW_SYSTEM, user, fetchImpl);
+    if (!out || typeof out.approved !== "boolean") {
+      return { approved: false, reason: "reviewer unavailable/unparseable \u2014 blocking (fail-safe)" };
+    }
+    return { approved: out.approved, reason: typeof out.reason === "string" ? out.reason : void 0 };
+  };
+}
+
+// src/lib/coding/derive-policy.ts
+function indentOf(line) {
+  return line.length - line.trimStart().length;
+}
+function unquote(s) {
+  return s.trim().replace(/^['"]|['"]$/g, "").trim();
+}
+function extractWorkflowPaths(yamlText) {
+  const out = [];
+  const lines = yamlText.split("\n");
+  let inBlock = false;
+  let keyIndent = -1;
+  for (const line of lines) {
+    if (inBlock) {
+      const m = /^\s*-\s*(\S.*)$/.exec(line);
+      if (m && indentOf(line) > keyIndent) {
+        out.push(unquote(m[1]));
+        continue;
+      }
+      if (line.trim() !== "") inBlock = false;
+    }
+    const inline = /^\s*paths:\s*\[(.+)\]\s*$/.exec(line);
+    if (inline) {
+      for (const tok of inline[1].split(",")) {
+        const g = unquote(tok);
+        if (g) out.push(g);
+      }
+      continue;
+    }
+    if (/^\s*paths:\s*$/.test(line)) {
+      inBlock = true;
+      keyIndent = indentOf(line);
+    }
+  }
+  return [...new Set(out)];
+}
+function parseCodeowners(text) {
+  const out = [];
+  for (const raw of text.split("\n")) {
+    const line = raw.trim();
+    if (!line || line.startsWith("#")) continue;
+    const pattern = line.split(/\s+/)[0];
+    if (!pattern || pattern.startsWith("@")) continue;
+    let g = pattern.replace(/^\//, "");
+    if (g.endsWith("/")) g += "**";
+    if (g) out.push(g);
+  }
+  return [...new Set(out)];
+}
+async function deriveRiskGlobs(worktreeDir) {
+  const { readFile, readdir } = await import("fs/promises");
+  const { join: join20 } = await import("path");
+  const globs = /* @__PURE__ */ new Set();
+  try {
+    const wfDir = join20(worktreeDir, ".github", "workflows");
+    const files = await readdir(wfDir);
+    for (const f of files) {
+      if (!/deploy.*\.ya?ml$/i.test(f)) continue;
+      try {
+        const text = await readFile(join20(wfDir, f), "utf8");
+        for (const g of extractWorkflowPaths(text)) globs.add(g);
+      } catch {
+      }
+    }
+  } catch {
+  }
+  for (const loc of [".github/CODEOWNERS", "CODEOWNERS", "docs/CODEOWNERS"]) {
+    try {
+      const text = await readFile(join20(worktreeDir, loc), "utf8");
+      for (const g of parseCodeowners(text)) globs.add(g);
+      break;
+    } catch {
+    }
+  }
+  return [...globs];
+}
+async function resolveMergePolicy(worktreeDir) {
+  const explicit = await loadMergePolicy(worktreeDir).catch(() => SECURE_DEFAULT_POLICY);
+  const derived = await deriveRiskGlobs(worktreeDir).catch(() => []);
+  return {
+    autoMergeEnabled: explicit.autoMergeEnabled,
+    autoPaths: explicit.autoPaths,
+    riskPaths: [.../* @__PURE__ */ new Set([...explicit.riskPaths, ...derived])]
+  };
+}
+
+// src/commands/agents/code.ts
+var CliError2 = class extends Error {
+};
+var CODING_TOOLS = ["file.read", "file.write", "file.edit", "bash", "git.worktree", "verify", "forge.issue.get", "forge.pr.status"];
+var DEFAULT_PERSONA = [
+  "You are an autonomous coding agent. You implement an assigned issue in",
+  "the provided git worktree: read the relevant code, make small targeted",
+  "edits with file.edit, and make the repo verification command pass via",
+  "the verify tool. Do not open or merge PRs \u2014 the orchestrator does that.",
+  "No change is done until verify is green."
+].join(" ");
+function readLitellmConfig(model) {
+  const env = {};
+  const envPath = join2(homedir4(), "litellm", ".env");
+  if (existsSync4(envPath)) {
+    for (const raw of readFileSync3(envPath, "utf8").split("\n")) {
+      const line = raw.trim();
+      const m = /^([A-Z_][A-Z0-9_]*)=(.*)$/.exec(line);
+      if (m) env[m[1]] = m[2].trim().replace(/^["']|["']$/g, "");
+    }
+  }
+  for (const k of ["LITELLM_API_KEY", "LITELLM_MASTER_KEY", "LITELLM_BASE_URL"]) {
+    if (process2.env[k]) env[k] = process2.env[k];
+  }
+  const apiKey = env.LITELLM_API_KEY || env.LITELLM_MASTER_KEY;
+  const apiBase = (env.LITELLM_BASE_URL || "http://127.0.0.1:4000/v1").replace(/\/$/, "");
+  if (!apiKey) throw new CliError2("No LITELLM_API_KEY / LITELLM_MASTER_KEY in ~/litellm/.env or env.");
+  return { apiBase, apiKey, model: model || process2.env.APE_CHAT_BRIDGE_MODEL || "claude-haiku-4-5" };
+}
+function readPersona(file) {
+  if (file && existsSync4(file)) return readFileSync3(file, "utf8");
+  const agentJson = join2(homedir4(), ".openape", "agent", "agent.json");
+  if (existsSync4(agentJson)) {
+    try {
+      const p = JSON.parse(readFileSync3(agentJson, "utf8"));
+      if (p.systemPrompt?.trim()) return p.systemPrompt;
+    } catch {
+    }
+  }
+  return DEFAULT_PERSONA;
+}
+async function fetchIssue(forge, ref) {
+  const res = await runApeShell(buildIssueGet(forge, ref));
+  if (res.exit_code !== 0) throw new CliError2(`could not fetch issue ${ref}: ${res.stderr.slice(0, 200)}`);
+  const j = JSON.parse(res.stdout);
+  const number = j.number ?? j.id ?? Number(ref);
+  const title = j.title ?? j.fields?.["System.Title"] ?? `issue ${ref}`;
+  return { number, title, body: j.body };
+}
+var codeAgentCommand = defineCommand24({
+  meta: {
+    name: "code",
+    description: "Run a coding task: issue to worktree to edit to verify to PR (policy-gated merge). The agent never self-merges."
+  },
+  args: {
+    "issue": { type: "string", description: "Issue / work-item ref to work on." },
+    "repo": { type: "string", description: "Git remote URL of the target repo.", required: true },
+    "forge": { type: "string", description: "github | azure | registered forge. Auto-detected from --repo if omitted." },
+    "model": { type: "string", description: "Override LLM model." },
+    "max-steps": { type: "string", description: "Max tool-call rounds (default 40)." },
+    "persona-file": { type: "string", description: "File with the agent persona/system prompt." },
+    "poll-label": { type: "string", description: "Poll mode: work all open issues with this label." }
+  },
+  async run({ args }) {
+    const repo = args.repo;
+    const forge = args.forge || detectForge(repo);
+    const config = readLitellmConfig(args.model);
+    const persona = readPersona(args["persona-file"]);
+    const maxSteps = Number(args["max-steps"]) > 0 ? Number(args["max-steps"]) : 40;
+    const tools = taskTools(CODING_TOOLS);
+    const deps = {
+      runtimeConfig: config,
+      tools,
+      persona,
+      maxSteps,
+      resolvePolicy: (worktree) => resolveMergePolicy(worktree),
+      reviewer: createLlmReviewer(config),
+      riskAssessor: createLlmRiskAssessor(config),
+      log: (l) => consola21.info(l)
+    };
+    const refs = [];
+    if (args["poll-label"]) {
+      const slug = repo.replace(/^https:\/\/github\.com\//, "").replace(/\.git$/, "");
+      const list = await runApeShell(`gh issue list --repo ${slug} --label '${args["poll-label"]}' --state open --json number --jq '.[].number'`);
+      refs.push(...list.stdout.split("\n").map((s) => s.trim()).filter(Boolean));
+      if (refs.length === 0) {
+        consola21.info("no open issues with that label");
+        return;
+      }
+    } else if (args.issue) {
+      refs.push(args.issue);
+    } else {
+      throw new CliError2("provide --issue <ref> or --poll-label <label>");
+    }
+    for (const ref of refs) {
+      const issue = await fetchIssue(forge, ref);
+      consola21.start(`coding issue #${issue.number}: ${issue.title}`);
+      const result = await runCodingTask({ issue, repo, forge }, deps);
+      consola21.box(`#${issue.number} -> ${result.outcome}
+PR: ${result.prRef ?? "(none)"}
+${result.reason}`);
+    }
+  }
+});
+
 // src/commands/agents/destroy.ts
 import { execFileSync as execFileSync6 } from "child_process";
 import { mkdtempSync, rmSync as rmSync2, writeFileSync as writeFileSync2 } from "fs";
 import { tmpdir, userInfo } from "os";
-import { join as join3 } from "path";
-import { defineCommand as defineCommand24 } from "citty";
-import consola21 from "consola";
+import { join as join4 } from "path";
+import { defineCommand as defineCommand25 } from "citty";
+import consola22 from "consola";
 
 // src/lib/nest-registry.ts
-import { existsSync as existsSync4, mkdirSync, readFileSync as readFileSync3, writeFileSync } from "fs";
-import { homedir as homedir4 } from "os";
-import { join as join2 } from "path";
+import { existsSync as existsSync5, mkdirSync, readFileSync as readFileSync4, writeFileSync } from "fs";
+import { homedir as homedir5 } from "os";
+import { join as join3 } from "path";
 function resolveRegistryPath() {
-  if (existsSync4("/var/openape/nest/agents.json")) return "/var/openape/nest/agents.json";
-  if (existsSync4("/var/openape/nest")) return "/var/openape/nest/agents.json";
-  return join2(homedir4(), ".openape", "nest", "agents.json");
+  if (existsSync5("/var/openape/nest/agents.json")) return "/var/openape/nest/agents.json";
+  if (existsSync5("/var/openape/nest")) return "/var/openape/nest/agents.json";
+  return join3(homedir5(), ".openape", "nest", "agents.json");
 }
 function emptyRegistry() {
   return { version: 1, agents: [] };
 }
 function readNestRegistry() {
   const path2 = resolveRegistryPath();
-  if (!existsSync4(path2)) return emptyRegistry();
+  if (!existsSync5(path2)) return emptyRegistry();
   try {
-    const parsed = JSON.parse(readFileSync3(path2, "utf8"));
+    const parsed = JSON.parse(readFileSync4(path2, "utf8"));
     if (parsed?.version !== 1 || !Array.isArray(parsed.agents)) return emptyRegistry();
     return parsed;
   } catch {
@@ -2731,7 +3190,7 @@ function readPasswordSilent(prompt) {
 }
 
 // src/commands/agents/destroy.ts
-var destroyAgentCommand = defineCommand24({
+var destroyAgentCommand = defineCommand25({
   meta: {
     name: "destroy",
     description: "Tear down an agent: remove macOS user, hard-delete IdP agent, drop all SSH keys"
@@ -2773,7 +3232,7 @@ var destroyAgentCommand = defineCommand24({
       const resolved = lookupMacOSUserForAgent(name);
       const macOSUsername = resolved?.name ?? macOSUsernameForAgent(name);
       const homeDir = resolved?.homeDir ?? `/var/openape/homes/${macOSUsername}`;
-      consola21.start(`Running teardown for ${name} (Phase-G, root-stage)\u2026`);
+      consola22.start(`Running teardown for ${name} (Phase-G, root-stage)\u2026`);
       runPhaseGTeardownInProcess({ name, homeDir, macOSUsername });
       return;
     }
@@ -2791,7 +3250,7 @@ var destroyAgentCommand = defineCommand24({
     const osUser = isDarwin() ? lookupMacOSUserForAgent(name) : null;
     const osUserExists = !args["keep-os-user"] && osUser !== null;
     if (!idpExists && !osUserExists) {
-      consola21.info(`Nothing to destroy: no IdP agent and no OS user for "${name}".`);
+      consola22.info(`Nothing to destroy: no IdP agent and no OS user for "${name}".`);
       return;
     }
     if (!args.force) {
@@ -2803,14 +3262,14 @@ var destroyAgentCommand = defineCommand24({
       if (idpExists) {
         consequences.push(args.soft ? `\u2022 Deactivate IdP agent ${idpAgent.email} (PATCH isActive=false)` : `\u2022 Hard-delete IdP agent ${idpAgent.email} and all its SSH keys`);
       }
-      consola21.warn(`About to destroy "${name}":
+      consola22.warn(`About to destroy "${name}":
 ${consequences.join("\n")}`);
       if (!process.stdin.isTTY) {
         throw new CliError(
           "No TTY available for the interactive confirmation. Re-run with --force to skip the prompt (this is the same flag CI uses)."
         );
       }
-      const confirmed = await consola21.prompt("Proceed?", { type: "confirm", initial: false });
+      const confirmed = await consola22.prompt("Proceed?", { type: "confirm", initial: false });
       if (typeof confirmed === "symbol" || !confirmed) {
         throw new CliExit(0);
       }
@@ -2819,13 +3278,13 @@ ${consequences.join("\n")}`);
       const id = encodeURIComponent(idpAgent.email);
       if (args.soft) {
         await apiFetch(`/api/my-agents/${id}`, { method: "PATCH", body: { isActive: false }, idp });
-        consola21.success(`Deactivated IdP agent ${idpAgent.email}`);
+        consola22.success(`Deactivated IdP agent ${idpAgent.email}`);
       } else {
         await apiFetch(`/api/my-agents/${id}`, { method: "DELETE", idp });
-        consola21.success(`Deleted IdP agent ${idpAgent.email}`);
+        consola22.success(`Deleted IdP agent ${idpAgent.email}`);
       }
     } else {
-      consola21.info("No IdP agent to remove (skipped).");
+      consola22.info("No IdP agent to remove (skipped).");
     }
     if (osUserExists) {
       const macOSUsername = osUser?.name ?? macOSUsernameForAgent(name);
@@ -2834,10 +3293,10 @@ ${consequences.join("\n")}`);
       const isPhaseG = homeDir.startsWith("/var/openape/homes/");
       if (isPhaseG) {
         if (process.geteuid?.() === 0) {
-          consola21.start("Running teardown (Phase G \u2014 already root, no grant needed)\u2026");
+          consola22.start("Running teardown (Phase G \u2014 already root, no grant needed)\u2026");
           runPhaseGTeardownInProcess({ name, homeDir, macOSUsername });
         } else {
-          consola21.start("Running teardown (Phase G \u2014 no admin password needed)\u2026");
+          consola22.start("Running teardown (Phase G \u2014 no admin password needed)\u2026");
           execFileSync6("apes", [
             "run",
             "--as",
@@ -2852,7 +3311,7 @@ ${consequences.join("\n")}`);
             "--root-stage"
           ], { stdio: "inherit" });
         }
-        consola21.info(`dscl record /Users/${macOSUsername} kept as tombstone (hidden, no home). Run \`sudo apes agents cleanup-orphans\` to sweep accumulated tombstones.`);
+        consola22.info(`dscl record /Users/${macOSUsername} kept as tombstone (hidden, no home). Run \`sudo apes agents cleanup-orphans\` to sweep accumulated tombstones.`);
       } else {
         const sudo = whichBinary("sudo");
         if (!sudo) {
@@ -2865,19 +3324,19 @@ ${consequences.join("\n")}`);
         } catch (err) {
           const headless = !process.stdin.isTTY && !process.env.APES_ADMIN_PASSWORD;
           if (headless) {
-            consola21.warn(`Legacy OS teardown for ${name} requires a TTY or APES_ADMIN_PASSWORD; skipping. Run \`apes agents destroy ${name}\` from a shell later to fully clean up /Users/${name} + dscl record.`);
+            consola22.warn(`Legacy OS teardown for ${name} requires a TTY or APES_ADMIN_PASSWORD; skipping. Run \`apes agents destroy ${name}\` from a shell later to fully clean up /Users/${name} + dscl record.`);
             adminPassword = "";
           } else {
             throw err;
           }
         }
         if (adminPassword) {
-          const scratch = mkdtempSync(join3(tmpdir(), `apes-destroy-${name}-`));
-          const scriptPath = join3(scratch, "teardown.sh");
+          const scratch = mkdtempSync(join4(tmpdir(), `apes-destroy-${name}-`));
+          const scriptPath = join4(scratch, "teardown.sh");
           try {
             const script = buildDestroyTeardownScript({ name, homeDir, adminUser });
             writeFileSync2(scriptPath, script, { mode: 448 });
-            consola21.start("Running teardown via sudo\u2026");
+            consola22.start("Running teardown via sudo\u2026");
             execFileSync6(sudo, ["-S", "--prompt=", "--", "bash", scriptPath], {
               input: `${adminPassword}
 ${adminPassword}
@@ -2890,14 +3349,14 @@ ${adminPassword}
         }
       }
     } else if (!args["keep-os-user"] && isDarwin()) {
-      consola21.info("No macOS user to remove (skipped).");
+      consola22.info("No macOS user to remove (skipped).");
     }
     try {
       removeNestAgent(name);
     } catch (err) {
-      consola21.warn(`Could not update nest registry: ${err instanceof Error ? err.message : String(err)}`);
+      consola22.warn(`Could not update nest registry: ${err instanceof Error ? err.message : String(err)}`);
     }
-    consola21.success(`Destroyed ${name}.`);
+    consola22.success(`Destroyed ${name}.`);
   }
 });
 async function collectAdminPassword(opts) {
@@ -2911,9 +3370,9 @@ async function collectAdminPassword(opts) {
 }
 
 // src/commands/agents/list.ts
-import { defineCommand as defineCommand25 } from "citty";
-import consola22 from "consola";
-var listAgentsCommand = defineCommand25({
+import { defineCommand as defineCommand26 } from "citty";
+import consola23 from "consola";
+var listAgentsCommand = defineCommand26({
   meta: {
     name: "list",
     description: "List agents owned by the current user, with local OS-user status"
@@ -2964,7 +3423,7 @@ var listAgentsCommand = defineCommand25({
       return;
     }
     if (rows.length === 0) {
-      consola22.info(args["include-inactive"] ? "No agents found." : "No active agents found. Use --include-inactive to show deactivated.");
+      consola23.info(args["include-inactive"] ? "No agents found." : "No active agents found. Use --include-inactive to show deactivated.");
       return;
     }
     const nameW = Math.max(4, ...rows.map((r) => r.name.length));
@@ -2982,10 +3441,10 @@ var listAgentsCommand = defineCommand25({
 });
 
 // src/commands/agents/register.ts
-import { existsSync as existsSync5, readFileSync as readFileSync4 } from "fs";
-import { defineCommand as defineCommand26 } from "citty";
-import consola23 from "consola";
-var registerAgentCommand = defineCommand26({
+import { existsSync as existsSync6, readFileSync as readFileSync5 } from "fs";
+import { defineCommand as defineCommand27 } from "citty";
+import consola24 from "consola";
+var registerAgentCommand = defineCommand27({
   meta: {
     name: "register",
     description: "Register an agent at the IdP using a supplied public key"
@@ -3030,10 +3489,10 @@ var registerAgentCommand = defineCommand26({
       throw new CliError("Pass either --public-key or --public-key-file, not both.");
     }
     if (!publicKey && keyFile) {
-      if (!existsSync5(keyFile)) {
+      if (!existsSync6(keyFile)) {
         throw new CliError(`Public-key file not found: ${keyFile}`);
       }
-      publicKey = readFileSync4(keyFile, "utf-8").trim();
+      publicKey = readFileSync5(keyFile, "utf-8").trim();
     }
     if (!publicKey) {
       throw new CliError('Provide --public-key "<ssh-ed25519 line>" or --public-key-file <path>.');
@@ -3055,7 +3514,7 @@ var registerAgentCommand = defineCommand26({
 `);
       return;
     }
-    consola23.success("Agent registered.");
+    consola24.success("Agent registered.");
     console.log(`  Name:     ${result.name}`);
     console.log(`  Email:    ${result.email}`);
     console.log(`  IdP:      ${idp}`);
@@ -3068,28 +3527,28 @@ var registerAgentCommand = defineCommand26({
 });
 
 // src/commands/agents/run.ts
-import { existsSync as existsSync7, readFileSync as readFileSync6 } from "fs";
-import { homedir as homedir6 } from "os";
-import { join as join5 } from "path";
-import { defineCommand as defineCommand27 } from "citty";
-import consola24 from "consola";
+import { existsSync as existsSync8, readFileSync as readFileSync7 } from "fs";
+import { homedir as homedir7 } from "os";
+import { join as join6 } from "path";
+import { defineCommand as defineCommand28 } from "citty";
+import consola25 from "consola";
 
 // src/lib/agent-secrets-runtime.ts
-import { existsSync as existsSync6, readdirSync, readFileSync as readFileSync5, watch } from "fs";
-import { homedir as homedir5 } from "os";
-import { join as join4 } from "path";
+import { existsSync as existsSync7, readdirSync, readFileSync as readFileSync6, watch } from "fs";
+import { homedir as homedir6 } from "os";
+import { join as join5 } from "path";
 import { openString } from "@openape/core";
-var CONFIG_DIR2 = join4(homedir5(), ".config", "openape");
-var SECRETS_DIR = join4(CONFIG_DIR2, "secrets.d");
-var X25519_KEY_PATH = join4(CONFIG_DIR2, "agent-x25519.key");
+var CONFIG_DIR2 = join5(homedir6(), ".config", "openape");
+var SECRETS_DIR = join5(CONFIG_DIR2, "secrets.d");
+var X25519_KEY_PATH = join5(CONFIG_DIR2, "agent-x25519.key");
 function envNameFromFile(file) {
   if (!file.endsWith(".blob")) return null;
   const env = file.slice(0, -".blob".length);
   return /^[A-Z][A-Z0-9_]*$/.test(env) ? env : null;
 }
 function readAgentEncryptionKey(keyPath = X25519_KEY_PATH) {
-  if (!existsSync6(keyPath)) return null;
-  const k = readFileSync5(keyPath, "utf8").trim();
+  if (!existsSync7(keyPath)) return null;
+  const k = readFileSync6(keyPath, "utf8").trim();
   return k.length > 0 ? k : null;
 }
 function materializeSecrets(opts = {}) {
@@ -3100,12 +3559,12 @@ function materializeSecrets(opts = {}) {
   const applied = [];
   const failed = [];
   const key = readAgentEncryptionKey(opts.keyPath);
-  const files = key && existsSync6(dir) ? readdirSync(dir) : [];
+  const files = key && existsSync7(dir) ? readdirSync(dir) : [];
   for (const file of files) {
     const name = envNameFromFile(file);
     if (!name) continue;
     try {
-      const box = JSON.parse(readFileSync5(join4(dir, file), "utf8"));
+      const box = JSON.parse(readFileSync6(join5(dir, file), "utf8"));
       env[name] = openString(box, key);
       applied.push(name);
     } catch (e) {
@@ -3132,7 +3591,7 @@ function startSecretsWatcher(opts = {}) {
     appliedNames = new Set(r.applied);
   };
   run();
-  if (!existsSync6(dir)) return () => {
+  if (!existsSync7(dir)) return () => {
   };
   let timer = null;
   const watcher = watch(dir, () => {
@@ -3147,13 +3606,13 @@ function startSecretsWatcher(opts = {}) {
 }
 
 // src/commands/agents/run.ts
-var AUTH_PATH = join5(homedir6(), ".config", "apes", "auth.json");
-var TASK_CACHE_DIR = join5(homedir6(), ".openape", "agent", "tasks");
+var AUTH_PATH = join6(homedir7(), ".config", "apes", "auth.json");
+var TASK_CACHE_DIR = join6(homedir7(), ".openape", "agent", "tasks");
 function readAuth() {
-  if (!existsSync7(AUTH_PATH)) {
+  if (!existsSync8(AUTH_PATH)) {
     throw new CliError(`No agent auth found at ${AUTH_PATH}. Run \`apes agents spawn <name>\` first.`);
   }
-  const parsed = JSON.parse(readFileSync6(AUTH_PATH, "utf8"));
+  const parsed = JSON.parse(readFileSync7(AUTH_PATH, "utf8"));
   if (!parsed.access_token) throw new CliError("auth.json missing access_token");
   return parsed;
 }
@@ -3168,7 +3627,7 @@ async function postRunResultToChat(opts) {
     const ownerLower = opts.ownerEmail.toLowerCase();
     const ownerRow = contacts.find((c) => c.peerEmail.toLowerCase() === ownerLower && c.connected && c.roomId);
     if (!ownerRow?.roomId) {
-      consola24.info("chat DM skipped \u2014 no active room with owner (accept the contact request in chat to enable)");
+      consola25.info("chat DM skipped \u2014 no active room with owner (accept the contact request in chat to enable)");
       return;
     }
     const prefix = opts.status === "ok" ? "\u2705" : "\u274C";
@@ -3182,33 +3641,33 @@ ${msg}`.slice(0, 9e3);
       body: JSON.stringify({ body })
     });
     if (!postRes.ok) {
-      consola24.warn(`chat DM post failed: ${postRes.status}`);
+      consola25.warn(`chat DM post failed: ${postRes.status}`);
     }
   } catch (err) {
-    consola24.warn(`chat DM error: ${err.message}`);
+    consola25.warn(`chat DM error: ${err.message}`);
   }
 }
 function readTaskSpec(taskId) {
-  const path2 = join5(TASK_CACHE_DIR, `${taskId}.json`);
-  if (!existsSync7(path2)) {
+  const path2 = join6(TASK_CACHE_DIR, `${taskId}.json`);
+  if (!existsSync8(path2)) {
     throw new CliError(`No cached task spec at ${path2}. Run \`apes agents sync\` first to pull the task list from troop.`);
   }
-  return JSON.parse(readFileSync6(path2, "utf8"));
+  return JSON.parse(readFileSync7(path2, "utf8"));
 }
-var AGENT_CONFIG_PATH = join5(homedir6(), ".openape", "agent", "agent.json");
+var AGENT_CONFIG_PATH = join6(homedir7(), ".openape", "agent", "agent.json");
 function readAgentConfig() {
-  if (!existsSync7(AGENT_CONFIG_PATH)) return { systemPrompt: "" };
+  if (!existsSync8(AGENT_CONFIG_PATH)) return { systemPrompt: "" };
   try {
-    return JSON.parse(readFileSync6(AGENT_CONFIG_PATH, "utf8"));
+    return JSON.parse(readFileSync7(AGENT_CONFIG_PATH, "utf8"));
   } catch {
     return { systemPrompt: "" };
   }
 }
-function readLitellmConfig(model) {
-  const envPath = join5(homedir6(), "litellm", ".env");
+function readLitellmConfig2(model) {
+  const envPath = join6(homedir7(), "litellm", ".env");
   const env = {};
-  if (existsSync7(envPath)) {
-    for (const line of readFileSync6(envPath, "utf8").split(/\r?\n/)) {
+  if (existsSync8(envPath)) {
+    for (const line of readFileSync7(envPath, "utf8").split(/\r?\n/)) {
       const m = line.match(/^([A-Z_]+)=(.*)$/);
       if (m) env[m[1]] = m[2].replace(/^["']|["']$/g, "");
     }
@@ -3223,7 +3682,7 @@ function readLitellmConfig(model) {
   }
   return { apiBase, apiKey, model: model || "claude-haiku-4-5" };
 }
-var runAgentCommand = defineCommand27({
+var runAgentCommand = defineCommand28({
   meta: {
     name: "run",
     description: "Execute one task (typically launchd-invoked). Reports the run record to troop."
@@ -3246,10 +3705,10 @@ var runAgentCommand = defineCommand27({
   async run({ args }) {
     const taskId = args["task-id"];
     const auth = readAuth();
-    materializeSecrets({ log: (l) => consola24.info(l) });
+    materializeSecrets({ log: (l) => consola25.info(l) });
     const spec = readTaskSpec(taskId);
     const agentCfg = readAgentConfig();
-    const config = readLitellmConfig(args.model);
+    const config = readLitellmConfig2(args.model);
     let tools;
     try {
       tools = taskTools(spec.tools);
@@ -3258,7 +3717,7 @@ var runAgentCommand = defineCommand27({
     }
     const troop = new TroopClient(resolveTroopUrl(args["troop-url"]), auth.access_token);
     const { id: runId } = await troop.startRun(taskId);
-    consola24.info(`Run ${runId} started for task ${taskId}`);
+    consola25.info(`Run ${runId} started for task ${taskId}`);
     try {
       const result = await runLoop({
         config,
@@ -3277,7 +3736,7 @@ var runAgentCommand = defineCommand27({
         step_count: result.stepCount,
         trace: result.trace
       });
-      consola24.success(`Run ${runId} ${result.status} (${result.stepCount} steps)`);
+      consola25.success(`Run ${runId} ${result.status} (${result.stepCount} steps)`);
       if (auth.owner_email) {
         await postRunResultToChat({
           authToken: auth.access_token,
@@ -3314,17 +3773,17 @@ var runAgentCommand = defineCommand27({
 });
 
 // src/commands/agents/serve.ts
-import { existsSync as existsSync8, readFileSync as readFileSync7 } from "fs";
-import { homedir as homedir7 } from "os";
-import { join as join6 } from "path";
+import { existsSync as existsSync9, readFileSync as readFileSync8 } from "fs";
+import { homedir as homedir8 } from "os";
+import { join as join7 } from "path";
 import { createInterface } from "readline";
-import { defineCommand as defineCommand28 } from "citty";
-var AUTH_PATH2 = join6(homedir7(), ".config", "apes", "auth.json");
-function readLitellmConfig2(model) {
-  const envPath = join6(homedir7(), "litellm", ".env");
+import { defineCommand as defineCommand29 } from "citty";
+var AUTH_PATH2 = join7(homedir8(), ".config", "apes", "auth.json");
+function readLitellmConfig3(model) {
+  const envPath = join7(homedir8(), "litellm", ".env");
   const env = {};
-  if (existsSync8(envPath)) {
-    for (const line of readFileSync7(envPath, "utf8").split(/\r?\n/)) {
+  if (existsSync9(envPath)) {
+    for (const line of readFileSync8(envPath, "utf8").split(/\r?\n/)) {
       const m = line.match(/^([A-Z_]+)=(.*)$/);
       if (m) env[m[1]] = m[2].replace(/^["']|["']$/g, "");
     }
@@ -3341,7 +3800,7 @@ function emit(event) {
   process.stdout.write(`${JSON.stringify(event)}
 `);
 }
-var serveAgentCommand = defineCommand28({
+var serveAgentCommand = defineCommand29({
   meta: {
     name: "serve",
     description: "Long-running stdio RPC server for chat-bridge subprocess use."
@@ -3356,9 +3815,9 @@ var serveAgentCommand = defineCommand28({
     if (!args.rpc) {
       throw new CliError("apes agents serve currently only supports --rpc mode");
     }
-    if (existsSync8(AUTH_PATH2)) {
+    if (existsSync9(AUTH_PATH2)) {
       try {
-        JSON.parse(readFileSync7(AUTH_PATH2, "utf8"));
+        JSON.parse(readFileSync8(AUTH_PATH2, "utf8"));
       } catch {
       }
     }
@@ -3396,7 +3855,7 @@ var serveAgentCommand = defineCommand28({
   }
 });
 async function handleInbound(msg, sessions) {
-  const config = readLitellmConfig2(msg.model);
+  const config = readLitellmConfig3(msg.model);
   const tools = taskTools(msg.tools ?? []);
   const maxSteps = msg.max_steps ?? 10;
   let session = sessions.get(msg.session_id);
@@ -3441,9 +3900,9 @@ async function handleInbound(msg, sessions) {
 import { execFileSync as execFileSync8 } from "child_process";
 import { mkdtempSync as mkdtempSync2, rmSync as rmSync3, writeFileSync as writeFileSync4 } from "fs";
 import { tmpdir as tmpdir2 } from "os";
-import { join as join8 } from "path";
-import { defineCommand as defineCommand29 } from "citty";
-import consola25 from "consola";
+import { join as join9 } from "path";
+import { defineCommand as defineCommand30 } from "citty";
+import consola26 from "consola";
 
 // src/lib/troop-bootstrap.ts
 var SYNC_LABEL_PREFIX = "openape.troop.sync";
@@ -3499,13 +3958,13 @@ ${envBlock}  <key>StartInterval</key>
 
 // src/lib/keygen.ts
 import { Buffer as Buffer4 } from "buffer";
-import { existsSync as existsSync9, mkdirSync as mkdirSync2, readFileSync as readFileSync8, writeFileSync as writeFileSync3 } from "fs";
+import { existsSync as existsSync10, mkdirSync as mkdirSync2, readFileSync as readFileSync9, writeFileSync as writeFileSync3 } from "fs";
 import { generateKeyPairSync } from "crypto";
-import { homedir as homedir8 } from "os";
+import { homedir as homedir9 } from "os";
 import { dirname, resolve as resolve2 } from "path";
 import { generateX25519KeyPair } from "@openape/core";
 function resolveKeyPath(p) {
-  return resolve2(p.replace(/^~/, homedir8()));
+  return resolve2(p.replace(/^~/, homedir9()));
 }
 function buildSshEd25519Line(rawPub) {
   const keyTypeStr = "ssh-ed25519";
@@ -3518,10 +3977,10 @@ function buildSshEd25519Line(rawPub) {
 }
 function readPublicKey(keyPath) {
   const pubPath = `${keyPath}.pub`;
-  if (existsSync9(pubPath)) {
-    return readFileSync8(pubPath, "utf-8").trim();
+  if (existsSync10(pubPath)) {
+    return readFileSync9(pubPath, "utf-8").trim();
   }
-  const keyContent = readFileSync8(keyPath, "utf-8");
+  const keyContent = readFileSync9(keyPath, "utf-8");
   const privateKey = loadEd25519PrivateKey(keyContent);
   const jwk = privateKey.export({ format: "jwk" });
   const pubBytes = Buffer4.from(jwk.x, "base64url");
@@ -3530,7 +3989,7 @@ function readPublicKey(keyPath) {
 function generateAndSaveKey(keyPath) {
   const resolved = resolveKeyPath(keyPath);
   const dir = dirname(resolved);
-  if (!existsSync9(dir)) {
+  if (!existsSync10(dir)) {
     mkdirSync2(dir, { recursive: true });
   }
   const { publicKey, privateKey } = generateKeyPairSync("ed25519");
@@ -3559,14 +4018,14 @@ function generateKeyPairInMemory() {
 
 // src/lib/llm-bridge.ts
 import { execFileSync as execFileSync7 } from "child_process";
-import { existsSync as existsSync10, readFileSync as readFileSync9 } from "fs";
-import { homedir as homedir9 } from "os";
-import { dirname as dirname2, join as join7 } from "path";
+import { existsSync as existsSync11, readFileSync as readFileSync10 } from "fs";
+import { homedir as homedir10 } from "os";
+import { dirname as dirname2, join as join8 } from "path";
 var PLIST_LABEL_PREFIX = "eco.hofmann.apes.bridge";
-function readLitellmEnv(envPath = join7(homedir9(), "litellm", ".env")) {
-  if (!existsSync10(envPath)) return null;
+function readLitellmEnv(envPath = join8(homedir10(), "litellm", ".env")) {
+  if (!existsSync11(envPath)) return null;
   try {
-    const text = readFileSync9(envPath, "utf8");
+    const text = readFileSync10(envPath, "utf8");
     const out = {};
     for (const line of text.split("\n")) {
       const trimmed = line.trim();
@@ -3703,7 +4162,7 @@ function readMacOSUidOrNull(name) {
     return null;
   }
 }
-var spawnAgentCommand = defineCommand29({
+var spawnAgentCommand = defineCommand30({
   meta: {
     name: "spawn",
     description: "Provision a local macOS agent end-to-end (OS user, keypair, IdP agent, Claude hook)"
@@ -3791,15 +4250,15 @@ and try again.`
       throw new CliError(`macOS user "${existing.name}" already exists (uid=${existing.uid ?? "?"}). Refusing to overwrite.`);
     }
     const homeDir = `/var/openape/homes/${macOSUsername}`;
-    const scratch = mkdtempSync2(join8(tmpdir2(), `apes-spawn-${name}-`));
-    const scriptPath = join8(scratch, "setup.sh");
+    const scratch = mkdtempSync2(join9(tmpdir2(), `apes-spawn-${name}-`));
+    const scriptPath = join9(scratch, "setup.sh");
     try {
-      consola25.start(`Generating keypair for ${name}\u2026`);
+      consola26.start(`Generating keypair for ${name}\u2026`);
       const { privatePem, publicSshLine, x25519PrivateKey, x25519PublicKey } = generateKeyPairInMemory();
-      consola25.start(`Registering agent at ${idp}\u2026`);
+      consola26.start(`Registering agent at ${idp}\u2026`);
       const registration = await registerAgentAtIdp({ name, publicKey: publicSshLine, idp });
-      consola25.success(`Registered as ${registration.email}`);
-      consola25.start("Issuing agent access token\u2026");
+      consola26.success(`Registered as ${registration.email}`);
+      consola26.start("Issuing agent access token\u2026");
       const { token, expiresIn } = await issueAgentToken({
         idp,
         agentEmail: registration.email,
@@ -3869,11 +4328,11 @@ and try again.`
       writeFileSync4(scriptPath, script, { mode: 448 });
       const alreadyRoot = process.getuid?.() === 0;
       if (alreadyRoot) {
-        consola25.start("Running privileged setup directly (already root)\u2026");
+        consola26.start("Running privileged setup directly (already root)\u2026");
         execFileSync8("bash", [scriptPath], { stdio: "inherit" });
       } else {
-        consola25.start("Running privileged setup as root via `apes run --as root --wait`\u2026");
-        consola25.info("You will be asked to approve the as=root grant in your DDISA inbox; this command blocks until you do.");
+        consola26.start("Running privileged setup as root via `apes run --as root --wait`\u2026");
+        consola26.info("You will be asked to approve the as=root grant in your DDISA inbox; this command blocks until you do.");
         execFileSync8(apes, ["run", "--as", "root", "--wait", "--", "bash", scriptPath], { stdio: "inherit" });
       }
       try {
@@ -3891,13 +4350,13 @@ and try again.`
           } : void 0
         });
       } catch (err) {
-        consola25.warn(`Could not write to nest registry: ${err instanceof Error ? err.message : String(err)}`);
+        consola26.warn(`Could not write to nest registry: ${err instanceof Error ? err.message : String(err)}`);
       }
-      consola25.success(`Agent ${name} spawned.`);
-      consola25.info(`\u{1F517} Troop: https://troop.openape.ai/agents/${name}`);
+      consola26.success(`Agent ${name} spawned.`);
+      consola26.info(`\u{1F517} Troop: https://troop.openape.ai/agents/${name}`);
       if (withBridge) {
-        consola25.info(`On first boot, the bridge will send you a contact request from ${registration.email}.`);
-        consola25.info("Open chat.openape.ai and accept it to start chatting with the agent.");
+        consola26.info(`On first boot, the bridge will send you a contact request from ${registration.email}.`);
+        consola26.info("Open chat.openape.ai and accept it to start chatting with the agent.");
       }
       console.log("");
       console.log("Run as the agent with:");
@@ -3931,11 +4390,11 @@ async function resolveClaudeToken(opts) {
 }
 
 // src/commands/agents/sync.ts
-import { chownSync, existsSync as existsSync11, mkdirSync as mkdirSync3, readdirSync as readdirSync2, readFileSync as readFileSync10, rmSync as rmSync4, statSync, writeFileSync as writeFileSync5 } from "fs";
-import { homedir as homedir10 } from "os";
-import { join as join9 } from "path";
-import { defineCommand as defineCommand30 } from "citty";
-import consola26 from "consola";
+import { chownSync, existsSync as existsSync12, mkdirSync as mkdirSync3, readdirSync as readdirSync2, readFileSync as readFileSync11, rmSync as rmSync4, statSync, writeFileSync as writeFileSync5 } from "fs";
+import { homedir as homedir11 } from "os";
+import { join as join10 } from "path";
+import { defineCommand as defineCommand31 } from "citty";
+import consola27 from "consola";
 
 // src/lib/macos-host.ts
 import { execFileSync as execFileSync9 } from "child_process";
@@ -3962,15 +4421,15 @@ function getHostname() {
 }
 
 // src/commands/agents/sync.ts
-var AUTH_PATH3 = join9(homedir10(), ".config", "apes", "auth.json");
-var TASK_CACHE_DIR2 = join9(homedir10(), ".openape", "agent", "tasks");
+var AUTH_PATH3 = join10(homedir11(), ".config", "apes", "auth.json");
+var TASK_CACHE_DIR2 = join10(homedir11(), ".openape", "agent", "tasks");
 function readAuthJson() {
-  if (!existsSync11(AUTH_PATH3)) {
+  if (!existsSync12(AUTH_PATH3)) {
     throw new CliError(
       `No agent auth found at ${AUTH_PATH3}. Run \`apes agents spawn <name>\` to provision an agent first.`
     );
   }
-  const raw = readFileSync10(AUTH_PATH3, "utf8");
+  const raw = readFileSync11(AUTH_PATH3, "utf8");
   let parsed;
   try {
     parsed = JSON.parse(raw);
@@ -3994,7 +4453,7 @@ function agentNameFromEmail(email) {
   }
   return before.slice(0, dashIdx);
 }
-var syncAgentCommand = defineCommand30({
+var syncAgentCommand = defineCommand31({
   meta: {
     name: "sync",
     description: "Pull this agent's task list from troop.openape.ai and reconcile launchd plists"
@@ -4018,22 +4477,22 @@ var syncAgentCommand = defineCommand30({
     if (!auth.owner_email) {
       throw new CliError(`${AUTH_PATH3} is missing owner_email \u2014 re-run \`apes agents spawn\` to update.`);
     }
-    consola26.start(`Syncing ${agentName} (${host}, hostId ${hostId.slice(0, 8)}\u2026) with ${troopUrl}`);
+    consola27.start(`Syncing ${agentName} (${host}, hostId ${hostId.slice(0, 8)}\u2026) with ${troopUrl}`);
     const sync = await client.sync({
       hostname: host,
       hostId,
       ownerEmail: auth.owner_email
     });
-    consola26.info(sync.first_sync ? "\u2713 first sync \u2014 agent registered" : "\u2713 presence updated");
+    consola27.info(sync.first_sync ? "\u2713 first sync \u2014 agent registered" : "\u2713 presence updated");
     const { system_prompt: systemPrompt, tools, skills, tasks } = await client.listTasks();
-    consola26.info(`Pulled ${tasks.length} task${tasks.length === 1 ? "" : "s"}`);
-    consola26.info(`Tools enabled: ${tools.length === 0 ? "(none)" : tools.join(", ")}`);
-    consola26.info(`Skills: ${skills.length === 0 ? "(none)" : skills.map((s) => s.name).join(", ")}`);
+    consola27.info(`Pulled ${tasks.length} task${tasks.length === 1 ? "" : "s"}`);
+    consola27.info(`Tools enabled: ${tools.length === 0 ? "(none)" : tools.join(", ")}`);
+    consola27.info(`Skills: ${skills.length === 0 ? "(none)" : skills.map((s) => s.name).join(", ")}`);
     let agentUid = null;
     let agentGid = null;
     if (process.geteuid?.() === 0) {
       try {
-        const homeStat = statSync(homedir10());
+        const homeStat = statSync(homedir11());
         agentUid = homeStat.uid;
         agentGid = homeStat.gid;
       } catch {
@@ -4047,11 +4506,11 @@ var syncAgentCommand = defineCommand30({
         }
       }
     }
-    const agentDir = join9(homedir10(), ".openape", "agent");
+    const agentDir = join10(homedir11(), ".openape", "agent");
     mkdirSync3(agentDir, { recursive: true });
-    chownToAgent(join9(homedir10(), ".openape"));
+    chownToAgent(join10(homedir11(), ".openape"));
     chownToAgent(agentDir);
-    const agentJsonPath = join9(agentDir, "agent.json");
+    const agentJsonPath = join10(agentDir, "agent.json");
     writeFileSync5(
       agentJsonPath,
       `${JSON.stringify({ systemPrompt, tools }, null, 2)}
@@ -4062,12 +4521,12 @@ var syncAgentCommand = defineCommand30({
     mkdirSync3(TASK_CACHE_DIR2, { recursive: true });
     chownToAgent(TASK_CACHE_DIR2);
     for (const task of tasks) {
-      const path2 = join9(TASK_CACHE_DIR2, `${task.taskId}.json`);
+      const path2 = join10(TASK_CACHE_DIR2, `${task.taskId}.json`);
       writeFileSync5(path2, `${JSON.stringify(task, null, 2)}
 `, { mode: 384 });
       chownToAgent(path2);
     }
-    const skillsDir = join9(agentDir, "skills");
+    const skillsDir = join10(agentDir, "skills");
     mkdirSync3(skillsDir, { recursive: true });
     chownToAgent(skillsDir);
     const incomingNames = new Set(skills.map((s) => s.name));
@@ -4075,30 +4534,30 @@ var syncAgentCommand = defineCommand30({
       for (const entry of readdirSync2(skillsDir)) {
         if (incomingNames.has(entry)) continue;
         try {
-          rmSync4(join9(skillsDir, entry), { recursive: true, force: true });
+          rmSync4(join10(skillsDir, entry), { recursive: true, force: true });
         } catch {
         }
       }
     } catch {
     }
     for (const skill of skills) {
-      const skillDir = join9(skillsDir, skill.name);
+      const skillDir = join10(skillsDir, skill.name);
       mkdirSync3(skillDir, { recursive: true });
       chownToAgent(skillDir);
-      const skillPath = join9(skillDir, "SKILL.md");
+      const skillPath = join10(skillDir, "SKILL.md");
       writeFileSync5(skillPath, skill.body.endsWith("\n") ? skill.body : `${skill.body}
 `, { mode: 384 });
       chownToAgent(skillPath);
     }
-    consola26.success("Sync complete.");
+    consola27.success("Sync complete.");
   }
 });
 
 // src/commands/agents/index.ts
-var agentsCommand = defineCommand31({
+var agentsCommand = defineCommand32({
   meta: {
     name: "agents",
-    description: "Manage owned agents (register, spawn, list, destroy, allow, sync, run, serve, cleanup-orphans)"
+    description: "Manage owned agents (register, spawn, list, destroy, allow, sync, run, serve, code, cleanup-orphans)"
   },
   subCommands: {
     register: registerAgentCommand,
@@ -4109,27 +4568,28 @@ var agentsCommand = defineCommand31({
     sync: syncAgentCommand,
     run: runAgentCommand,
     serve: serveAgentCommand,
+    code: codeAgentCommand,
     "cleanup-orphans": cleanupOrphansCommand
   }
 });
 
 // src/commands/nest/index.ts
-import { defineCommand as defineCommand39 } from "citty";
+import { defineCommand as defineCommand40 } from "citty";
 
 // src/commands/nest/authorize.ts
 import { execFileSync as execFileSync10 } from "child_process";
-import { existsSync as existsSync13, readFileSync as readFileSync11 } from "fs";
+import { existsSync as existsSync14, readFileSync as readFileSync12 } from "fs";
+import { join as join12 } from "path";
+import { defineCommand as defineCommand34 } from "citty";
+import consola29 from "consola";
+
+// src/commands/nest/enroll.ts
+import { hostname as hostname4, homedir as homedir12 } from "os";
+import { existsSync as existsSync13, mkdirSync as mkdirSync4, writeFileSync as writeFileSync6, chmodSync } from "fs";
 import { join as join11 } from "path";
 import { defineCommand as defineCommand33 } from "citty";
 import consola28 from "consola";
-
-// src/commands/nest/enroll.ts
-import { hostname as hostname4, homedir as homedir11 } from "os";
-import { existsSync as existsSync12, mkdirSync as mkdirSync4, writeFileSync as writeFileSync6, chmodSync } from "fs";
-import { join as join10 } from "path";
-import { defineCommand as defineCommand32 } from "citty";
-import consola27 from "consola";
-var NEST_DATA_DIR = join10(homedir11(), ".openape", "nest");
+var NEST_DATA_DIR = join11(homedir12(), ".openape", "nest");
 function nestAgentName() {
   const raw = hostname4().toLowerCase();
   const head = raw.split(".")[0] ?? raw;
@@ -4137,7 +4597,7 @@ function nestAgentName() {
   const trimmed = safe.slice(0, 16);
   return `nest-${trimmed || "host"}`;
 }
-var enrollNestCommand = defineCommand32({
+var enrollNestCommand = defineCommand33({
   meta: {
     name: "enroll",
     description: "Register the local nest as a DDISA agent at the IdP. One-time per machine. Required before `apes nest authorize` so YOLO-policies have a target identity."
@@ -4162,25 +4622,25 @@ var enrollNestCommand = defineCommand32({
       throw new CliError("Run `apes login <email>` first \u2014 nest enroll attaches the new identity to your owner account.");
     }
     const name = args.name || nestAgentName();
-    const authPath = join10(NEST_DATA_DIR, ".config", "apes", "auth.json");
-    if (existsSync12(authPath) && !args.force) {
+    const authPath = join11(NEST_DATA_DIR, ".config", "apes", "auth.json");
+    if (existsSync13(authPath) && !args.force) {
       throw new CliError(`Nest already enrolled at ${authPath}. Pass --force to re-enroll.`);
     }
-    const sshDir = join10(NEST_DATA_DIR, ".ssh");
-    const configDir = join10(NEST_DATA_DIR, ".config", "apes");
+    const sshDir = join11(NEST_DATA_DIR, ".ssh");
+    const configDir = join11(NEST_DATA_DIR, ".config", "apes");
     mkdirSync4(sshDir, { recursive: true });
     mkdirSync4(configDir, { recursive: true });
-    consola27.start(`Generating keypair for ${name}\u2026`);
+    consola28.start(`Generating keypair for ${name}\u2026`);
     const { privatePem, publicSshLine } = generateKeyPairInMemory();
-    writeFileSync6(join10(sshDir, "id_ed25519"), `${privatePem.trimEnd()}
+    writeFileSync6(join11(sshDir, "id_ed25519"), `${privatePem.trimEnd()}
 `, { mode: 384 });
-    writeFileSync6(join10(sshDir, "id_ed25519.pub"), `${publicSshLine}
+    writeFileSync6(join11(sshDir, "id_ed25519.pub"), `${publicSshLine}
 `, { mode: 420 });
     chmodSync(sshDir, 448);
-    consola27.start(`Registering nest at ${idp}\u2026`);
+    consola28.start(`Registering nest at ${idp}\u2026`);
     const registration = await registerAgentAtIdp({ name, publicKey: publicSshLine, idp });
-    consola27.success(`Registered as ${registration.email}`);
-    consola27.start("Issuing nest access token\u2026");
+    consola28.success(`Registered as ${registration.email}`);
+    consola28.start("Issuing nest access token\u2026");
     const { token, expiresIn } = await issueAgentToken({
       idp,
       agentEmail: registration.email,
@@ -4191,16 +4651,16 @@ var enrollNestCommand = defineCommand32({
       accessToken: token,
       email: registration.email,
       expiresAt: Math.floor(Date.now() / 1e3) + expiresIn,
-      keyPath: join10(sshDir, "id_ed25519"),
+      keyPath: join11(sshDir, "id_ed25519"),
       ownerEmail: ownerAuth.email
     });
     writeFileSync6(authPath, authJson, { mode: 384 });
     chmodSync(configDir, 448);
-    consola27.success(`Nest enrolled \u2014 auth.json at ${authPath}`);
-    consola27.info("");
-    consola27.info("Next: configure the YOLO-policy so the nest can spawn/destroy without prompts:");
-    consola27.info("");
-    consola27.info("  apes nest authorize");
+    consola28.success(`Nest enrolled \u2014 auth.json at ${authPath}`);
+    consola28.info("");
+    consola28.info("Next: configure the YOLO-policy so the nest can spawn/destroy without prompts:");
+    consola28.info("");
+    consola28.info("  apes nest authorize");
   }
 });
 
@@ -4247,7 +4707,7 @@ var DEFAULT_ALLOW_PATTERNS = [
   "pm2 delete openape-bridge-*",
   "pm2 jlist"
 ];
-var authorizeNestCommand = defineCommand33({
+var authorizeNestCommand = defineCommand34({
   meta: {
     name: "authorize",
     description: "Set the YOLO-policy that lets the local nest spawn/destroy without per-call DDISA prompts (wraps `apes yolo set`)"
@@ -4263,14 +4723,14 @@ var authorizeNestCommand = defineCommand33({
     }
   },
   async run({ args }) {
-    const nestAuthPath = join11(NEST_DATA_DIR, ".config", "apes", "auth.json");
-    if (!existsSync13(nestAuthPath)) {
+    const nestAuthPath = join12(NEST_DATA_DIR, ".config", "apes", "auth.json");
+    if (!existsSync14(nestAuthPath)) {
       throw new CliError("Nest not enrolled. Run `apes nest enroll` first.");
     }
-    const nestAuth = JSON.parse(readFileSync11(nestAuthPath, "utf8"));
+    const nestAuth = JSON.parse(readFileSync12(nestAuthPath, "utf8"));
     if (!nestAuth.email) throw new CliError(`${nestAuthPath} has no email`);
     const allow = args.allow ?? DEFAULT_ALLOW_PATTERNS.join(",");
-    consola28.info(`Configuring YOLO-policy on ${nestAuth.email} via \`apes yolo set\`\u2026`);
+    consola29.info(`Configuring YOLO-policy on ${nestAuth.email} via \`apes yolo set\`\u2026`);
     const cmdArgs = [
       "yolo",
       "set",
@@ -4288,16 +4748,16 @@ var authorizeNestCommand = defineCommand33({
     } catch (err) {
       throw new CliError(err instanceof Error ? err.message : String(err));
     }
-    consola28.success("Nest-driven agent lifecycle is now zero-prompt.");
-    consola28.info("Test: apes agents spawn <name> via the nest API \u2192 no DDISA prompt.");
+    consola29.success("Nest-driven agent lifecycle is now zero-prompt.");
+    consola29.info("Test: apes agents spawn <name> via the nest API \u2192 no DDISA prompt.");
   }
 });
 
 // src/commands/nest/destroy.ts
 import { execFileSync as execFileSync11 } from "child_process";
-import { defineCommand as defineCommand34 } from "citty";
-import consola29 from "consola";
-var destroyNestCommand = defineCommand34({
+import { defineCommand as defineCommand35 } from "citty";
+import consola30 from "consola";
+var destroyNestCommand = defineCommand35({
   meta: {
     name: "destroy",
     description: "Destroy a local agent. Wraps `apes run --as root -- apes agents destroy <name>`; the Nest watches its registry and pm2-deletes the bridge automatically."
@@ -4309,7 +4769,7 @@ var destroyNestCommand = defineCommand34({
     const name = String(args.name);
     try {
       execFileSync11("apes", ["run", "--as", "root", "--wait", "--", "apes", "agents", "destroy", name, "--force"], { stdio: "inherit" });
-      consola29.success(`Nest will tear down ${name}'s pm2 process on its next reconcile (\u22642s).`);
+      consola30.success(`Nest will tear down ${name}'s pm2 process on its next reconcile (\u22642s).`);
     } catch (err) {
       const status = err.status ?? 1;
       throw new CliExit(status);
@@ -4319,11 +4779,11 @@ var destroyNestCommand = defineCommand34({
 
 // src/commands/nest/install.ts
 import { execFileSync as execFileSync12 } from "child_process";
-import { existsSync as existsSync14, mkdirSync as mkdirSync5, readFileSync as readFileSync12, writeFileSync as writeFileSync7 } from "fs";
-import { homedir as homedir12, userInfo as userInfo2 } from "os";
-import { dirname as dirname3, join as join12 } from "path";
-import { defineCommand as defineCommand35 } from "citty";
-import consola30 from "consola";
+import { existsSync as existsSync15, mkdirSync as mkdirSync5, readFileSync as readFileSync13, writeFileSync as writeFileSync7 } from "fs";
+import { homedir as homedir13, userInfo as userInfo2 } from "os";
+import { dirname as dirname3, join as join13 } from "path";
+import { defineCommand as defineCommand36 } from "citty";
+import consola31 from "consola";
 
 // src/commands/nest/apes-agents-adapter.ts
 var APES_AGENTS_ADAPTER_TOML = `schema = "openape-shapes/v1"
@@ -4390,13 +4850,13 @@ resource_chain = ["agents:name={name}", "allowlist:email={peer_email}"]
 // src/commands/nest/install.ts
 var PLIST_LABEL = "ai.openape.nest";
 function plistPath() {
-  return join12(homedir12(), "Library", "LaunchAgents", `${PLIST_LABEL}.plist`);
+  return join13(homedir13(), "Library", "LaunchAgents", `${PLIST_LABEL}.plist`);
 }
 function escape2(s) {
   return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
 }
 function buildPlist(args) {
-  const logsDir = join12(args.userHome, "Library", "Logs");
+  const logsDir = join13(args.userHome, "Library", "Logs");
   return `<?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
@@ -4431,25 +4891,25 @@ function buildPlist(args) {
 `;
 }
 function installAdapter2() {
-  const target = join12(homedir12(), ".openape", "shapes", "adapters", "apes-agents.toml");
+  const target = join13(homedir13(), ".openape", "shapes", "adapters", "apes-agents.toml");
   mkdirSync5(dirname3(target), { recursive: true });
   let existing = "";
   try {
-    existing = readFileSync12(target, "utf8");
+    existing = readFileSync13(target, "utf8");
   } catch {
   }
   if (existing === APES_AGENTS_ADAPTER_TOML) return false;
   writeFileSync7(target, APES_AGENTS_ADAPTER_TOML, { mode: 420 });
-  consola30.success(`Wrote shapes adapter ${target}`);
+  consola31.success(`Wrote shapes adapter ${target}`);
   return true;
 }
 function writeBridgeModelDefault(model) {
-  for (const envDir of [join12(homedir12(), "litellm"), join12(NEST_DATA_DIR, "litellm")]) {
-    const envFile = join12(envDir, ".env");
+  for (const envDir of [join13(homedir13(), "litellm"), join13(NEST_DATA_DIR, "litellm")]) {
+    const envFile = join13(envDir, ".env");
     mkdirSync5(envDir, { recursive: true });
     let lines = [];
-    if (existsSync14(envFile)) {
-      lines = readFileSync12(envFile, "utf8").split("\n").filter((l) => !l.startsWith("APE_CHAT_BRIDGE_MODEL="));
+    if (existsSync15(envFile)) {
+      lines = readFileSync13(envFile, "utf8").split("\n").filter((l) => !l.startsWith("APE_CHAT_BRIDGE_MODEL="));
     }
     lines.push(`APE_CHAT_BRIDGE_MODEL=${model}`);
     while (lines.length > 0 && lines.at(-1).trim() === "") lines.pop();
@@ -4459,17 +4919,17 @@ function writeBridgeModelDefault(model) {
 }
 function findBinary(name) {
   for (const dir of [
-    join12(homedir12(), ".bun", "bin"),
+    join13(homedir13(), ".bun", "bin"),
     "/opt/homebrew/bin",
     "/usr/local/bin",
     "/usr/bin"
   ]) {
-    const p = join12(dir, name);
-    if (existsSync14(p)) return p;
+    const p = join13(dir, name);
+    if (existsSync15(p)) return p;
   }
   throw new Error(`could not locate ${name} on PATH; install it first`);
 }
-var installNestCommand = defineCommand35({
+var installNestCommand = defineCommand36({
   meta: {
     name: "install",
     description: "Install + start the local nest-daemon (idempotent \u2014 re-running just restarts)"
@@ -4485,35 +4945,35 @@ var installNestCommand = defineCommand35({
     }
   },
   async run({ args }) {
-    const homeDir = homedir12();
+    const homeDir = homedir13();
     const port = Number(args.port ?? 9091);
     if (!Number.isInteger(port) || port < 1024 || port > 65535) {
       throw new Error(`invalid port ${port}`);
     }
     const nestBin = findBinary("openape-nest");
     const apesBin = findBinary("apes");
-    consola30.info(`Installing nest at ${plistPath()}`);
-    consola30.info(`  nest binary: ${nestBin}`);
-    consola30.info(`  apes binary: ${apesBin}`);
-    consola30.info(`  HTTP port:   ${port}`);
+    consola31.info(`Installing nest at ${plistPath()}`);
+    consola31.info(`  nest binary: ${nestBin}`);
+    consola31.info(`  apes binary: ${apesBin}`);
+    consola31.info(`  HTTP port:   ${port}`);
     if (typeof args["bridge-model"] === "string" && args["bridge-model"]) {
       writeBridgeModelDefault(args["bridge-model"]);
-      consola30.success(`Default bridge model set to ${args["bridge-model"]} (in ~/litellm/.env)`);
+      consola31.success(`Default bridge model set to ${args["bridge-model"]} (in ~/litellm/.env)`);
     }
     installAdapter2();
-    mkdirSync5(join12(homeDir, "Library", "LaunchAgents"), { recursive: true });
+    mkdirSync5(join13(homeDir, "Library", "LaunchAgents"), { recursive: true });
     mkdirSync5(NEST_DATA_DIR, { recursive: true });
     const desired = buildPlist({ nestBin, apesBin, userHome: homeDir, nestHome: NEST_DATA_DIR, port });
     let existing = "";
     try {
-      existing = readFileSync12(plistPath(), "utf8");
+      existing = readFileSync13(plistPath(), "utf8");
     } catch {
     }
     if (existing !== desired) {
       writeFileSync7(plistPath(), desired, { mode: 420 });
-      consola30.success("Wrote launchd plist");
+      consola31.success("Wrote launchd plist");
     } else {
-      consola30.info("plist already up to date");
+      consola31.info("plist already up to date");
     }
     const uid = userInfo2().uid;
     try {
@@ -4521,21 +4981,21 @@ var installNestCommand = defineCommand35({
     } catch {
     }
     execFileSync12("/bin/launchctl", ["bootstrap", `gui/${uid}`, plistPath()], { stdio: "inherit" });
-    consola30.success(`Nest daemon bootstrapped \u2014 http://127.0.0.1:${port}`);
-    consola30.info("");
-    consola30.info("Next steps for zero-prompt spawn \u2014 both one-time:");
-    consola30.info("");
-    consola30.info("  1. apes nest enroll       # register nest as DDISA agent (creates own auth.json)");
-    consola30.info("  2. apes nest authorize    # set YOLO-policy on the nest agent");
-    consola30.info("");
-    consola30.info("After that, every `POST http://127.0.0.1:9091/agents` runs without DDISA prompts.");
+    consola31.success(`Nest daemon bootstrapped \u2014 http://127.0.0.1:${port}`);
+    consola31.info("");
+    consola31.info("Next steps for zero-prompt spawn \u2014 both one-time:");
+    consola31.info("");
+    consola31.info("  1. apes nest enroll       # register nest as DDISA agent (creates own auth.json)");
+    consola31.info("  2. apes nest authorize    # set YOLO-policy on the nest agent");
+    consola31.info("");
+    consola31.info("After that, every `POST http://127.0.0.1:9091/agents` runs without DDISA prompts.");
   }
 });
 
 // src/commands/nest/list.ts
-import { defineCommand as defineCommand36 } from "citty";
-import consola31 from "consola";
-var listNestCommand = defineCommand36({
+import { defineCommand as defineCommand37 } from "citty";
+import consola32 from "consola";
+var listNestCommand = defineCommand37({
   meta: {
     name: "list",
     description: "List agents registered with the local nest. Reads /var/openape/nest/agents.json directly."
@@ -4550,22 +5010,22 @@ var listNestCommand = defineCommand36({
       return;
     }
     if (reg.agents.length === 0) {
-      consola31.info("(no agents registered with this nest)");
+      consola32.info("(no agents registered with this nest)");
       return;
     }
-    consola31.info(`${reg.agents.length} agent(s) registered with this nest:`);
+    consola32.info(`${reg.agents.length} agent(s) registered with this nest:`);
     for (const a of reg.agents) {
       const bridge = a.bridge ? " bridge=on" : "";
-      consola31.info(`  ${a.name.padEnd(16)} uid=${String(a.uid).padEnd(5)} home=${a.home}${bridge}`);
+      consola32.info(`  ${a.name.padEnd(16)} uid=${String(a.uid).padEnd(5)} home=${a.home}${bridge}`);
     }
   }
 });
 
 // src/commands/nest/spawn.ts
 import { execFileSync as execFileSync13 } from "child_process";
-import { defineCommand as defineCommand37 } from "citty";
-import consola32 from "consola";
-var spawnNestCommand = defineCommand37({
+import { defineCommand as defineCommand38 } from "citty";
+import consola33 from "consola";
+var spawnNestCommand = defineCommand38({
   meta: {
     name: "spawn",
     description: "Spawn a new agent locally. Wraps `apes run --as root -- apes agents spawn <name>`; the Nest watches its registry and starts the bridge in pm2 automatically."
@@ -4596,7 +5056,7 @@ var spawnNestCommand = defineCommand37({
     if (typeof args["bridge-model"] === "string") apesArgs.push("--bridge-model", args["bridge-model"]);
     try {
       execFileSync13("apes", apesArgs, { stdio: "inherit" });
-      consola32.success(`Nest will pick up ${name} on its next reconcile (\u22642s).`);
+      consola33.success(`Nest will pick up ${name} on its next reconcile (\u22642s).`);
     } catch (err) {
       const status = err.status ?? 1;
       throw new CliExit(status);
@@ -4606,36 +5066,36 @@ var spawnNestCommand = defineCommand37({
 
 // src/commands/nest/uninstall.ts
 import { execFileSync as execFileSync14 } from "child_process";
-import { existsSync as existsSync15, unlinkSync } from "fs";
-import { homedir as homedir13, userInfo as userInfo3 } from "os";
-import { join as join13 } from "path";
-import { defineCommand as defineCommand38 } from "citty";
-import consola33 from "consola";
+import { existsSync as existsSync16, unlinkSync } from "fs";
+import { homedir as homedir14, userInfo as userInfo3 } from "os";
+import { join as join14 } from "path";
+import { defineCommand as defineCommand39 } from "citty";
+import consola34 from "consola";
 var PLIST_LABEL2 = "ai.openape.nest";
-var uninstallNestCommand = defineCommand38({
+var uninstallNestCommand = defineCommand39({
   meta: {
     name: "uninstall",
     description: "Stop + remove the local nest-daemon (registry + agents preserved)"
   },
   async run() {
     const uid = userInfo3().uid;
-    const path2 = join13(homedir13(), "Library", "LaunchAgents", `${PLIST_LABEL2}.plist`);
+    const path2 = join14(homedir14(), "Library", "LaunchAgents", `${PLIST_LABEL2}.plist`);
     try {
       execFileSync14("/bin/launchctl", ["bootout", `gui/${uid}/${PLIST_LABEL2}`], { stdio: "ignore" });
-      consola33.success("Nest daemon stopped");
+      consola34.success("Nest daemon stopped");
     } catch {
-      consola33.info("Nest daemon was not loaded");
+      consola34.info("Nest daemon was not loaded");
     }
-    if (existsSync15(path2)) {
+    if (existsSync16(path2)) {
       unlinkSync(path2);
-      consola33.success(`Removed ${path2}`);
+      consola34.success(`Removed ${path2}`);
     }
-    consola33.info("Registry at ~/.openape/nest/agents.json kept \u2014 re-run `apes nest install` to resume supervision.");
+    consola34.info("Registry at ~/.openape/nest/agents.json kept \u2014 re-run `apes nest install` to resume supervision.");
   }
 });
 
 // src/commands/nest/index.ts
-var nestCommand = defineCommand39({
+var nestCommand = defineCommand40({
   meta: {
     name: "nest",
     description: "Manage the local Nest control-plane daemon. One-time setup: `install` \u2192 `enroll` \u2192 `authorize`. Day-to-day: `list` / `spawn` / `destroy`. As of Phase D the Nest is a long-running CLIENT \u2014 commands talk to it via filesystem intent files in $NEST_HOME/intents (mode 770, group _openape_nest) instead of HTTP."
@@ -4652,12 +5112,12 @@ var nestCommand = defineCommand39({
 });
 
 // src/commands/yolo/index.ts
-import { defineCommand as defineCommand43 } from "citty";
+import { defineCommand as defineCommand44 } from "citty";
 
 // src/commands/yolo/clear.ts
-import { defineCommand as defineCommand40 } from "citty";
-import consola34 from "consola";
-var yoloClearCommand = defineCommand40({
+import { defineCommand as defineCommand41 } from "citty";
+import consola35 from "consola";
+var yoloClearCommand = defineCommand41({
   meta: {
     name: "clear",
     description: "Remove the YOLO-policy from a DDISA agent (subsequent grants need human approval)"
@@ -4686,15 +5146,15 @@ var yoloClearCommand = defineCommand40({
       const text = await res.text().catch(() => "");
       throw new CliError(`DELETE /yolo-policy failed (${res.status}): ${text}`);
     }
-    consola34.success(`YOLO-policy cleared on ${email}`);
+    consola35.success(`YOLO-policy cleared on ${email}`);
   }
 });
 
 // src/commands/yolo/set.ts
-import { defineCommand as defineCommand41 } from "citty";
-import consola35 from "consola";
+import { defineCommand as defineCommand42 } from "citty";
+import consola36 from "consola";
 var VALID_MODES = ["allow-list", "deny-list"];
-var yoloSetCommand = defineCommand41({
+var yoloSetCommand = defineCommand42({
   meta: {
     name: "set",
     description: "Write a YOLO-policy on a DDISA agent you own"
@@ -4742,12 +5202,12 @@ var yoloSetCommand = defineCommand41({
     const denyPatterns = parseList(args.deny);
     const denyRiskThreshold = args["deny-risk"] ?? null;
     const expiresAt = parseExpiresIn(args["expires-in"]);
-    consola35.info(`Setting YOLO-policy on ${email}`);
-    consola35.info(`  mode:           ${mode}`);
-    if (allowPatterns.length) consola35.info(`  allow_patterns: ${allowPatterns.join(", ")}`);
-    if (denyPatterns.length) consola35.info(`  deny_patterns:  ${denyPatterns.join(", ")}`);
-    if (denyRiskThreshold) consola35.info(`  deny_risk:      ${denyRiskThreshold}`);
-    if (expiresAt) consola35.info(`  expires_at:     ${new Date(expiresAt * 1e3).toISOString()}`);
+    consola36.info(`Setting YOLO-policy on ${email}`);
+    consola36.info(`  mode:           ${mode}`);
+    if (allowPatterns.length) consola36.info(`  allow_patterns: ${allowPatterns.join(", ")}`);
+    if (denyPatterns.length) consola36.info(`  deny_patterns:  ${denyPatterns.join(", ")}`);
+    if (denyRiskThreshold) consola36.info(`  deny_risk:      ${denyRiskThreshold}`);
+    if (expiresAt) consola36.info(`  expires_at:     ${new Date(expiresAt * 1e3).toISOString()}`);
     const url = `${idp}/api/users/${encodeURIComponent(email)}/yolo-policy`;
     const res = await fetch(url, {
       method: "PUT",
@@ -4767,7 +5227,7 @@ var yoloSetCommand = defineCommand41({
       const text = await res.text().catch(() => "");
       throw new CliError(`PUT /yolo-policy failed (${res.status}): ${text}`);
     }
-    consola35.success(`YOLO-policy applied to ${email}`);
+    consola36.success(`YOLO-policy applied to ${email}`);
   }
 });
 function parseList(s) {
@@ -4785,9 +5245,9 @@ function parseExpiresIn(s) {
 }
 
 // src/commands/yolo/show.ts
-import { defineCommand as defineCommand42 } from "citty";
-import consola36 from "consola";
-var yoloShowCommand = defineCommand42({
+import { defineCommand as defineCommand43 } from "citty";
+import consola37 from "consola";
+var yoloShowCommand = defineCommand43({
   meta: {
     name: "show",
     description: "Print the YOLO-policy currently set on a DDISA agent"
@@ -4824,17 +5284,17 @@ var yoloShowCommand = defineCommand42({
       console.log(JSON.stringify(policy, null, 2));
       return;
     }
-    consola36.info(`YOLO-policy for ${email}`);
-    consola36.info(`  mode:           ${policy.mode}`);
-    consola36.info(`  allow_patterns: ${policy.allowPatterns.length ? policy.allowPatterns.join(", ") : "(none)"}`);
-    consola36.info(`  deny_patterns:  ${policy.denyPatterns.length ? policy.denyPatterns.join(", ") : "(none)"}`);
-    consola36.info(`  deny_risk:      ${policy.denyRiskThreshold ?? "(none)"}`);
-    consola36.info(`  expires_at:     ${policy.expiresAt ? new Date(policy.expiresAt * 1e3).toISOString() : "(never)"}`);
+    consola37.info(`YOLO-policy for ${email}`);
+    consola37.info(`  mode:           ${policy.mode}`);
+    consola37.info(`  allow_patterns: ${policy.allowPatterns.length ? policy.allowPatterns.join(", ") : "(none)"}`);
+    consola37.info(`  deny_patterns:  ${policy.denyPatterns.length ? policy.denyPatterns.join(", ") : "(none)"}`);
+    consola37.info(`  deny_risk:      ${policy.denyRiskThreshold ?? "(none)"}`);
+    consola37.info(`  expires_at:     ${policy.expiresAt ? new Date(policy.expiresAt * 1e3).toISOString() : "(never)"}`);
   }
 });
 
 // src/commands/yolo/index.ts
-var yoloCommand = defineCommand43({
+var yoloCommand = defineCommand44({
   meta: {
     name: "yolo",
     description: "Manage YOLO-policies on DDISA agents you own \u2014 auto-approve grant patterns at the IdP layer (allow-list) or block dangerous ones outright (deny-list)."
@@ -4847,15 +5307,15 @@ var yoloCommand = defineCommand43({
 });
 
 // src/commands/adapter/index.ts
-import { defineCommand as defineCommand44 } from "citty";
-import consola37 from "consola";
-var adapterCommand = defineCommand44({
+import { defineCommand as defineCommand45 } from "citty";
+import consola38 from "consola";
+var adapterCommand = defineCommand45({
   meta: {
     name: "adapter",
     description: "Manage CLI adapters"
   },
   subCommands: {
-    list: defineCommand44({
+    list: defineCommand45({
       meta: {
         name: "list",
         description: "List available adapters"
@@ -4886,7 +5346,7 @@ var adapterCommand = defineCommand44({
 `);
             return;
           }
-          consola37.info(`Registry: ${index2.adapters.length} adapters (${index2.generated_at})`);
+          consola38.info(`Registry: ${index2.adapters.length} adapters (${index2.generated_at})`);
           for (const a of index2.adapters) {
             const installed = isInstalled(a.id, false) ? " [installed]" : "";
             console.log(`  ${a.id.padEnd(12)} ${a.name.padEnd(24)} ${a.category}${installed}`);
@@ -4908,7 +5368,7 @@ var adapterCommand = defineCommand44({
           return;
         }
         if (local.length === 0) {
-          consola37.info("No adapters installed. Use `apes adapter list --remote` to see available adapters.");
+          consola38.info("No adapters installed. Use `apes adapter list --remote` to see available adapters.");
           return;
         }
         for (const a of local) {
@@ -4916,7 +5376,7 @@ var adapterCommand = defineCommand44({
         }
       }
     }),
-    install: defineCommand44({
+    install: defineCommand45({
       meta: {
         name: "install",
         description: "Install an adapter from the registry"
@@ -4945,24 +5405,24 @@ var adapterCommand = defineCommand44({
         for (const id of ids) {
           const entry = findAdapter(index, id);
           if (!entry) {
-            consola37.error(`Adapter "${id}" not found in registry. Use \`apes adapter search ${id}\` to search.`);
+            consola38.error(`Adapter "${id}" not found in registry. Use \`apes adapter search ${id}\` to search.`);
             continue;
           }
           const conflicts = findConflictingAdapters(entry.executable, id);
           if (conflicts.length > 0) {
             for (const c of conflicts) {
-              consola37.warn(`Conflicting adapter found: ${c.path} (id: ${c.adapterId}, executable: ${c.executable})`);
-              consola37.warn(`  Remove it with: apes adapter remove ${c.adapterId}`);
+              consola38.warn(`Conflicting adapter found: ${c.path} (id: ${c.adapterId}, executable: ${c.executable})`);
+              consola38.warn(`  Remove it with: apes adapter remove ${c.adapterId}`);
             }
           }
           const result = await installAdapter(entry, { local });
           const verb = result.updated ? "Updated" : "Installed";
-          consola37.success(`${verb} ${result.id} \u2192 ${result.path}`);
-          consola37.info(`Digest: ${result.digest}`);
+          consola38.success(`${verb} ${result.id} \u2192 ${result.path}`);
+          consola38.info(`Digest: ${result.digest}`);
         }
       }
     }),
-    remove: defineCommand44({
+    remove: defineCommand45({
       meta: {
         name: "remove",
         description: "Remove an installed adapter"
@@ -4985,9 +5445,9 @@ var adapterCommand = defineCommand44({
         let failed = false;
         for (const id of ids) {
           if (removeAdapter(id, local)) {
-            consola37.success(`Removed adapter: ${id}`);
+            consola38.success(`Removed adapter: ${id}`);
           } else {
-            consola37.error(`Adapter "${id}" is not installed${local ? " locally" : ""}`);
+            consola38.error(`Adapter "${id}" is not installed${local ? " locally" : ""}`);
             failed = true;
           }
         }
@@ -4995,7 +5455,7 @@ var adapterCommand = defineCommand44({
           throw new CliError("Some adapters could not be removed");
       }
     }),
-    info: defineCommand44({
+    info: defineCommand45({
       meta: {
         name: "info",
         description: "Show detailed adapter information"
@@ -5037,7 +5497,7 @@ var adapterCommand = defineCommand44({
         }
       }
     }),
-    search: defineCommand44({
+    search: defineCommand45({
       meta: {
         name: "search",
         description: "Search adapters in the registry"
@@ -5069,7 +5529,7 @@ var adapterCommand = defineCommand44({
           return;
         }
         if (results.length === 0) {
-          consola37.info(`No adapters matching "${query}"`);
+          consola38.info(`No adapters matching "${query}"`);
           return;
         }
         for (const a of results) {
@@ -5078,7 +5538,7 @@ var adapterCommand = defineCommand44({
         }
       }
     }),
-    update: defineCommand44({
+    update: defineCommand45({
       meta: {
         name: "update",
         description: "Update installed adapters"
@@ -5104,33 +5564,33 @@ var adapterCommand = defineCommand44({
         const targetId = args.id ? String(args.id) : void 0;
         const targets = targetId ? [targetId] : index.adapters.map((a) => a.id).filter((id) => isInstalled(id, false));
         if (targets.length === 0) {
-          consola37.info("No adapters installed to update.");
+          consola38.info("No adapters installed to update.");
           return;
         }
         for (const id of targets) {
           const entry = findAdapter(index, id);
           if (!entry) {
-            consola37.warn(`${id}: not found in registry, skipping`);
+            consola38.warn(`${id}: not found in registry, skipping`);
             continue;
           }
           const localDigest = getInstalledDigest(id, false);
           if (localDigest === entry.digest) {
-            consola37.info(`${id}: already up to date`);
+            consola38.info(`${id}: already up to date`);
             continue;
           }
           if (localDigest && !args.yes) {
-            consola37.warn(`${id}: digest will change \u2014 existing grants for this adapter will be invalidated`);
-            consola37.info(`  Old: ${localDigest}`);
-            consola37.info(`  New: ${entry.digest}`);
-            consola37.info("  Use --yes to confirm");
+            consola38.warn(`${id}: digest will change \u2014 existing grants for this adapter will be invalidated`);
+            consola38.info(`  Old: ${localDigest}`);
+            consola38.info(`  New: ${entry.digest}`);
+            consola38.info("  Use --yes to confirm");
             continue;
           }
           const result = await installAdapter(entry);
-          consola37.success(`Updated ${result.id} \u2192 ${result.path}`);
+          consola38.success(`Updated ${result.id} \u2192 ${result.path}`);
         }
       }
     }),
-    verify: defineCommand44({
+    verify: defineCommand45({
       meta: {
         name: "verify",
         description: "Verify installed adapter against registry digest"
@@ -5163,7 +5623,7 @@ var adapterCommand = defineCommand44({
         if (!localDigest)
           throw new Error(`Adapter "${id}" is not installed${local ? " locally" : ""}`);
         if (localDigest === entry.digest) {
-          consola37.success(`${id}: digest matches registry`);
+          consola38.success(`${id}: digest matches registry`);
         } else {
           console.log(`  Local:    ${localDigest}`);
           console.log(`  Registry: ${entry.digest}`);
@@ -5178,8 +5638,8 @@ var adapterCommand = defineCommand44({
 import { execFileSync as execFileSync15 } from "child_process";
 import { hostname as hostname5 } from "os";
 import { basename } from "path";
-import { defineCommand as defineCommand45 } from "citty";
-import consola38 from "consola";
+import { defineCommand as defineCommand46 } from "citty";
+import consola39 from "consola";
 function resolveRunAsTarget(runAs) {
   if (!runAs) return runAs;
   if (!isDarwin()) return runAs;
@@ -5225,7 +5685,7 @@ function printPendingGrantInfo(grant, idp) {
   const statusCmd = `apes grants status ${grant.id}`;
   const executeCmd = `apes grants run ${grant.id}`;
   if (mode === "human") {
-    consola38.success(`Grant ${grant.id} created \u2014 awaiting your approval`);
+    consola39.success(`Grant ${grant.id} created \u2014 awaiting your approval`);
     console.log(`  Approve in browser:  ${approveUrl}`);
     console.log(`  Check status:        ${statusCmd}`);
     console.log(`  Run after approval:  ${executeCmd}`);
@@ -5235,7 +5695,7 @@ function printPendingGrantInfo(grant, idp) {
     return;
   }
   const maxMin = getPollMaxMinutes();
-  consola38.success(`Grant ${grant.id} created (pending approval)`);
+  consola39.success(`Grant ${grant.id} created (pending approval)`);
   console.log(`  Approve:   ${approveUrl}`);
   console.log(`  Status:    ${statusCmd} [--json]`);
   console.log(`  Execute:   ${executeCmd} --wait`);
@@ -5257,7 +5717,7 @@ function printPendingGrantInfo(grant, idp) {
   console.log('  Tip: Approve as "timed" or "always" in the browser to let this');
   console.log("  grant be reused on subsequent invocations without re-approval.");
 }
-var runCommand = defineCommand45({
+var runCommand = defineCommand46({
   meta: {
     name: "run",
     description: "Execute a grant-secured command"
@@ -5360,7 +5820,7 @@ async function runShellMode(command, args) {
     }
   } catch {
   }
-  consola38.info(`Requesting ape-shell session grant on ${targetHost}`);
+  consola39.info(`Requesting ape-shell session grant on ${targetHost}`);
   const grant = await apiFetch(grantsUrl, {
     method: "POST",
     body: {
@@ -5380,8 +5840,8 @@ async function runShellMode(command, args) {
     host: targetHost
   });
   if (shouldWaitForGrant(args)) {
-    consola38.info(`Grant requested: ${grant.id}`);
-    consola38.info("Waiting for approval...");
+    consola39.info(`Grant requested: ${grant.id}`);
+    consola39.info("Waiting for approval...");
     const maxWait = 3e5;
     const interval = 3e3;
     const start = Date.now();
@@ -5412,13 +5872,13 @@ async function tryAdapterModeFromShell(command, idp, args) {
   try {
     resolved = await resolveCommand(loaded, [normalizedExecutable, ...parsed.argv]);
   } catch (err) {
-    consola38.debug(`ape-shell: adapter resolve failed for "${parsed.raw}":`, err);
+    consola39.debug(`ape-shell: adapter resolve failed for "${parsed.raw}":`, err);
     return false;
   }
   try {
     const existingGrantId = await findExistingGrant(resolved, idp);
     if (existingGrantId) {
-      consola38.info(`Reusing grant ${existingGrantId} for: ${resolved.detail.display}`);
+      consola39.info(`Reusing grant ${existingGrantId} for: ${resolved.detail.display}`);
       const token = await fetchGrantToken(idp, existingGrantId);
       await verifyAndExecute(token, resolved, existingGrantId);
       return true;
@@ -5426,7 +5886,7 @@ async function tryAdapterModeFromShell(command, idp, args) {
   } catch {
   }
   const approval = args.approval ?? "once";
-  consola38.info(`Requesting grant for: ${resolved.detail.display}`);
+  consola39.info(`Requesting grant for: ${resolved.detail.display}`);
   const grant = await createShapesGrant(resolved, {
     idp,
     approval,
@@ -5434,8 +5894,8 @@ async function tryAdapterModeFromShell(command, idp, args) {
   });
   if (grant.similar_grants?.similar_grants?.length) {
     const n = grant.similar_grants.similar_grants.length;
-    consola38.info("");
-    consola38.info(`  Similar grant(s) found (${n}). Your approver can extend an existing grant to cover this request.`);
+    consola39.info("");
+    consola39.info(`  Similar grant(s) found (${n}). Your approver can extend an existing grant to cover this request.`);
   }
   notifyGrantPending({
     grantId: grant.id,
@@ -5445,8 +5905,8 @@ async function tryAdapterModeFromShell(command, idp, args) {
     host: args.host || hostname5()
   });
   if (shouldWaitForGrant(args)) {
-    consola38.info(`Grant requested: ${grant.id}`);
-    consola38.info(`Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
+    consola39.info(`Grant requested: ${grant.id}`);
+    consola39.info(`Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
     const status = await waitForGrantStatus(idp, grant.id);
     if (status !== "approved")
       throw new CliError(`Grant ${status}`);
@@ -5520,7 +5980,7 @@ async function runAdapterMode(command, rawArgs, args) {
   try {
     const existingGrantId = await findExistingGrant(resolved, idp);
     if (existingGrantId) {
-      consola38.info(`Reusing existing grant: ${existingGrantId}`);
+      consola39.info(`Reusing existing grant: ${existingGrantId}`);
       const token = await fetchGrantToken(idp, existingGrantId);
       await verifyAndExecute(token, resolved, existingGrantId);
       return;
@@ -5534,17 +5994,17 @@ async function runAdapterMode(command, rawArgs, args) {
   });
   if (grant.similar_grants?.similar_grants?.length) {
     const n = grant.similar_grants.similar_grants.length;
-    consola38.info("");
-    consola38.info(`  Similar grant(s) found (${n}). Your approver can extend an existing grant to cover this request.`);
+    consola39.info("");
+    consola39.info(`  Similar grant(s) found (${n}). Your approver can extend an existing grant to cover this request.`);
     if (grant.similar_grants.widened_details?.length) {
       const wider = grant.similar_grants.widened_details.map((d) => d.permission).join(", ");
-      consola38.info(`  Broader scope: ${wider}`);
+      consola39.info(`  Broader scope: ${wider}`);
     }
-    consola38.info("");
+    consola39.info("");
   }
   if (shouldWaitForGrant(args)) {
-    consola38.info(`Grant requested: ${grant.id}`);
-    consola38.info(`Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
+    consola39.info(`Grant requested: ${grant.id}`);
+    consola39.info(`Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
     const status = await waitForGrantStatus(idp, grant.id);
     if (status !== "approved")
       throw new Error(`Grant ${status}`);
@@ -5577,7 +6037,7 @@ async function runAudienceMode(audience, action, args) {
     const { authz_jwt: authz_jwt2 } = await apiFetch(`${grantsUrl}/${reusableId}/token`, { method: "POST" });
     return executeWithGrantToken({ audience, command, args, token: authz_jwt2 });
   }
-  consola38.info(`Requesting ${audience} grant on ${targetHost}: ${command.join(" ")}`);
+  consola39.info(`Requesting ${audience} grant on ${targetHost}: ${command.join(" ")}`);
   const grant = await apiFetch(grantsUrl, {
     method: "POST",
     body: {
@@ -5594,9 +6054,9 @@ async function runAudienceMode(audience, action, args) {
     printPendingGrantInfo(grant, idp);
     throw new CliExit(getAsyncExitCode());
   }
-  consola38.success(`Grant requested: ${grant.id}`);
-  consola38.info(`Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
-  consola38.info("Waiting for approval...");
+  consola39.success(`Grant requested: ${grant.id}`);
+  consola39.info(`Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
+  consola39.info("Waiting for approval...");
   const maxWait = 15 * 60 * 1e3;
   const interval = 3e3;
   const start = Date.now();
@@ -5604,7 +6064,7 @@ async function runAudienceMode(audience, action, args) {
   while (Date.now() - start < maxWait) {
     const status = await apiFetch(`${grantsUrl}/${grant.id}`);
     if (status.status === "approved") {
-      consola38.success("Grant approved!");
+      consola39.success("Grant approved!");
       approved = true;
       break;
     }
@@ -5619,7 +6079,7 @@ async function runAudienceMode(audience, action, args) {
       `Grant approval timed out after ${minutes} min (still pending). Check your DDISA inbox at ${idp}/grant-approval?grant_id=${grant.id} \u2014 if approved later, re-run the same \`apes run\` command and it will reuse the grant.`
     );
   }
-  consola38.info("Fetching grant token...");
+  consola39.info("Fetching grant token...");
   const { authz_jwt } = await apiFetch(`${grantsUrl}/${grant.id}/token`, {
     method: "POST"
   });
@@ -5628,7 +6088,7 @@ async function runAudienceMode(audience, action, args) {
 function executeWithGrantToken(opts) {
   const { audience, command, args, token } = opts;
   if (audience === "escapes") {
-    consola38.info(`Executing: ${command.join(" ")}`);
+    consola39.info(`Executing: ${command.join(" ")}`);
     try {
       const { APES_SHELL_WRAPPER: _wrapperMarker, ...inheritedEnv } = process.env;
       execFileSync15(args["escapes-path"] || "escapes", ["--grant", token, "--", ...command], {
@@ -5667,11 +6127,11 @@ async function findReusableAudienceGrant(opts) {
 
 // src/commands/proxy.ts
 import { spawn as spawn2 } from "child_process";
-import { existsSync as existsSync17 } from "fs";
-import { homedir as homedir14 } from "os";
-import { join as join16 } from "path";
-import { defineCommand as defineCommand46 } from "citty";
-import consola39 from "consola";
+import { existsSync as existsSync18 } from "fs";
+import { homedir as homedir15 } from "os";
+import { join as join17 } from "path";
+import { defineCommand as defineCommand47 } from "citty";
+import consola40 from "consola";
 
 // src/proxy/config.ts
 function buildDefaultProxyConfigToml(opts) {
@@ -5708,7 +6168,7 @@ import { spawn } from "child_process";
 import { mkdtempSync as mkdtempSync3, rmSync as rmSync5, writeFileSync as writeFileSync8 } from "fs";
 import { createRequire } from "module";
 import { tmpdir as tmpdir3 } from "os";
-import { dirname as dirname4, join as join14, resolve as resolve3 } from "path";
+import { dirname as dirname4, join as join15, resolve as resolve3 } from "path";
 var require2 = createRequire(import.meta.url);
 function findProxyBin() {
   const pkgPath = require2.resolve("@openape/proxy/package.json");
@@ -5720,8 +6180,8 @@ function findProxyBin() {
   return resolve3(dirname4(pkgPath), binRel);
 }
 async function startEphemeralProxy(configToml) {
-  const tmpDir = mkdtempSync3(join14(tmpdir3(), "openape-proxy-"));
-  const configPath = join14(tmpDir, "config.toml");
+  const tmpDir = mkdtempSync3(join15(tmpdir3(), "openape-proxy-"));
+  const configPath = join15(tmpDir, "config.toml");
   writeFileSync8(configPath, configToml, { mode: 384 });
   const binPath = findProxyBin();
   const child = spawn(process.execPath, [binPath, "-c", configPath], {
@@ -5804,9 +6264,9 @@ function waitForListenLine(child) {
 }
 
 // src/proxy/trust-bundle.ts
-import { existsSync as existsSync16, mkdtempSync as mkdtempSync4, readFileSync as readFileSync13, rmdirSync, unlinkSync as unlinkSync2, writeFileSync as writeFileSync9 } from "fs";
+import { existsSync as existsSync17, mkdtempSync as mkdtempSync4, readFileSync as readFileSync14, rmdirSync, unlinkSync as unlinkSync2, writeFileSync as writeFileSync9 } from "fs";
 import { tmpdir as tmpdir4 } from "os";
-import { join as join15 } from "path";
+import { join as join16 } from "path";
 var CANDIDATES = [
   "/etc/ssl/cert.pem",
   // macOS
@@ -5819,17 +6279,17 @@ var CANDIDATES = [
 ];
 function detectSystemCaPath() {
   for (const p of CANDIDATES) {
-    if (existsSync16(p)) return p;
+    if (existsSync17(p)) return p;
   }
   throw new Error(
     `Could not locate a system CA bundle. Tried: ${CANDIDATES.join(", ")}. Set NODE_EXTRA_CA_CERTS yourself or pass --allow-no-system-ca.`
   );
 }
 function buildTrustBundle(opts) {
-  const dir = mkdtempSync4(join15(tmpdir4(), "openape-trust-"));
-  const path2 = join15(dir, "bundle.pem");
-  const sys = readFileSync13(opts.systemCaPath, "utf-8");
-  const local = readFileSync13(opts.localCaPath, "utf-8");
+  const dir = mkdtempSync4(join16(tmpdir4(), "openape-trust-"));
+  const path2 = join16(dir, "bundle.pem");
+  const sys = readFileSync14(opts.systemCaPath, "utf-8");
+  const local = readFileSync14(opts.localCaPath, "utf-8");
   writeFileSync9(path2, `${sys.trimEnd()}
 ${local.trimEnd()}
 `, { mode: 384 });
@@ -5859,10 +6319,10 @@ function resolveProxyConfigOptions() {
       77
     );
   }
-  consola39.info(`[apes proxy] IdP-mediated mode \u2014 agent=${auth.email}, idp=${auth.idp}`);
+  consola40.info(`[apes proxy] IdP-mediated mode \u2014 agent=${auth.email}, idp=${auth.idp}`);
   return { agentEmail: auth.email, idpUrl: auth.idp, mediated: true };
 }
-var proxyCommand = defineCommand46({
+var proxyCommand = defineCommand47({
   meta: {
     name: "proxy",
     description: "Run a command with HTTPS_PROXY routed through the OpenApe egress proxy."
@@ -5886,9 +6346,9 @@ var proxyCommand = defineCommand46({
     let close = null;
     if (reuseHostPort) {
       proxyUrl = `http://${reuseHostPort}`;
-      consola39.info(`[apes proxy] using long-running daemon at ${proxyUrl}`);
-      const localCaPath = join16(homedir14(), ".openape", "proxy", "ca.crt");
-      if (!existsSync17(localCaPath)) {
+      consola40.info(`[apes proxy] using long-running daemon at ${proxyUrl}`);
+      const localCaPath = join17(homedir15(), ".openape", "proxy", "ca.crt");
+      if (!existsSync18(localCaPath)) {
         throw new CliError(
           `OPENAPE_PROXY is set but no local CA found at ${localCaPath}. Start the daemon (sudo -u <agent> apes proxy --global < secrets.toml) first.`
         );
@@ -5897,15 +6357,15 @@ var proxyCommand = defineCommand46({
         systemCaPath: detectSystemCaPath(),
         localCaPath
       });
-      consola39.debug(`[apes proxy] trust bundle: ${bundle.path}`);
+      consola40.debug(`[apes proxy] trust bundle: ${bundle.path}`);
     } else if (reuseUrl) {
       proxyUrl = reuseUrl;
-      consola39.info(`[apes proxy] reusing existing proxy at ${proxyUrl}`);
+      consola40.info(`[apes proxy] reusing existing proxy at ${proxyUrl}`);
     } else {
       const ephemeral = await startEphemeralProxy(buildDefaultProxyConfigToml(resolveProxyConfigOptions()));
       proxyUrl = ephemeral.url;
       close = ephemeral.close;
-      consola39.info(`[apes proxy] started ephemeral proxy at ${proxyUrl}`);
+      consola40.info(`[apes proxy] started ephemeral proxy at ${proxyUrl}`);
     }
     const noProxy = process.env.NO_PROXY ?? process.env.no_proxy ?? "127.0.0.1,localhost";
     const childEnv = {
@@ -5946,7 +6406,7 @@ var proxyCommand = defineCommand46({
           else resolveExit(code ?? 0);
         });
         child.once("error", (err) => {
-          consola39.error(`[apes proxy] failed to spawn '${wrapped[0]}':`, err.message);
+          consola40.error(`[apes proxy] failed to spawn '${wrapped[0]}':`, err.message);
           resolveExit(127);
         });
       });
@@ -5963,8 +6423,8 @@ function signalNumber(signal) {
 }
 
 // src/commands/explain.ts
-import { defineCommand as defineCommand47 } from "citty";
-var explainCommand = defineCommand47({
+import { defineCommand as defineCommand48 } from "citty";
+var explainCommand = defineCommand48({
   meta: {
     name: "explain",
     description: "Show what permission a command would need"
@@ -6002,9 +6462,9 @@ var explainCommand = defineCommand47({
 });
 
 // src/commands/config/get.ts
-import { defineCommand as defineCommand48 } from "citty";
-import consola40 from "consola";
-var configGetCommand = defineCommand48({
+import { defineCommand as defineCommand49 } from "citty";
+import consola41 from "consola";
+var configGetCommand = defineCommand49({
   meta: {
     name: "get",
     description: "Get a configuration value"
@@ -6024,7 +6484,7 @@ var configGetCommand = defineCommand48({
         if (idp)
           console.log(idp);
         else
-          consola40.info("No IdP configured.");
+          consola41.info("No IdP configured.");
         break;
       }
       case "email": {
@@ -6032,7 +6492,7 @@ var configGetCommand = defineCommand48({
         if (auth?.email)
           console.log(auth.email);
         else
-          consola40.info("Not logged in.");
+          consola41.info("Not logged in.");
         break;
       }
       default: {
@@ -6045,7 +6505,7 @@ var configGetCommand = defineCommand48({
           if (sectionObj && field in sectionObj) {
             console.log(sectionObj[field]);
           } else {
-            consola40.info(`Key "${key}" not set.`);
+            consola41.info(`Key "${key}" not set.`);
           }
         } else {
           throw new CliError(`Unknown key: "${key}". Use: idp, email, defaults.idp, defaults.approval, agent.key, agent.email`);
@@ -6056,9 +6516,9 @@ var configGetCommand = defineCommand48({
 });
 
 // src/commands/config/set.ts
-import { defineCommand as defineCommand49 } from "citty";
-import consola41 from "consola";
-var configSetCommand = defineCommand49({
+import { defineCommand as defineCommand50 } from "citty";
+import consola42 from "consola";
+var configSetCommand = defineCommand50({
   meta: {
     name: "set",
     description: "Set a configuration value"
@@ -6094,12 +6554,12 @@ var configSetCommand = defineCommand49({
       throw new CliError(`Unknown section: "${section}". Use: defaults, agent`);
     }
     saveConfig(config);
-    consola41.success(`Set ${key} = ${value}`);
+    consola42.success(`Set ${key} = ${value}`);
   }
 });
 
 // src/commands/fetch/index.ts
-import { defineCommand as defineCommand50 } from "citty";
+import { defineCommand as defineCommand51 } from "citty";
 async function doRequest(method, url, body, contentType, raw, showHeaders) {
   const token = getAuthToken();
   if (!token) {
@@ -6135,13 +6595,13 @@ async function doRequest(method, url, body, contentType, raw, showHeaders) {
     throw new CliError(`HTTP ${response.status} ${response.statusText}`);
   }
 }
-var fetchCommand = defineCommand50({
+var fetchCommand = defineCommand51({
   meta: {
     name: "fetch",
     description: "Make authenticated HTTP requests"
   },
   subCommands: {
-    get: defineCommand50({
+    get: defineCommand51({
       meta: {
         name: "get",
         description: "GET request with auth token"
@@ -6167,7 +6627,7 @@ var fetchCommand = defineCommand50({
         await doRequest("GET", String(args.url), void 0, "application/json", Boolean(args.raw), Boolean(args.headers));
       }
     }),
-    post: defineCommand50({
+    post: defineCommand51({
       meta: {
         name: "post",
         description: "POST request with auth token"
@@ -6206,8 +6666,8 @@ var fetchCommand = defineCommand50({
 });
 
 // src/commands/mcp/index.ts
-import { defineCommand as defineCommand51 } from "citty";
-var mcpCommand = defineCommand51({
+import { defineCommand as defineCommand52 } from "citty";
+var mcpCommand = defineCommand52({
   meta: {
     name: "mcp",
     description: "Start MCP server for AI agents"
@@ -6230,25 +6690,25 @@ var mcpCommand = defineCommand51({
     if (transport !== "stdio" && transport !== "sse") {
       throw new Error('Transport must be "stdio" or "sse"');
     }
-    const { startMcpServer } = await import("./server-64H5O3CG.js");
+    const { startMcpServer } = await import("./server-UKHYMZ7X.js");
     await startMcpServer(transport, port);
   }
 });
 
 // src/commands/init/index.ts
-import { existsSync as existsSync18, copyFileSync, writeFileSync as writeFileSync10 } from "fs";
+import { existsSync as existsSync19, copyFileSync, writeFileSync as writeFileSync10 } from "fs";
 import { randomBytes } from "crypto";
 import { execFileSync as execFileSync16 } from "child_process";
-import { join as join17 } from "path";
-import { defineCommand as defineCommand52 } from "citty";
-import consola42 from "consola";
+import { join as join18 } from "path";
+import { defineCommand as defineCommand53 } from "citty";
+import consola43 from "consola";
 var DEFAULT_IDP_URL = "https://id.openape.at";
 async function downloadTemplate(repo, targetDir) {
   const { downloadTemplate: gigetDownload } = await import("giget");
   await gigetDownload(`gh:${repo}`, { dir: targetDir, force: false });
 }
 function installDeps(dir) {
-  const hasLockFile = (name) => existsSync18(join17(dir, name));
+  const hasLockFile = (name) => existsSync19(join18(dir, name));
   if (hasLockFile("pnpm-lock.yaml")) {
     execFileSync16("pnpm", ["install"], { cwd: dir, stdio: "inherit" });
   } else if (hasLockFile("bun.lockb")) {
@@ -6258,20 +6718,20 @@ function installDeps(dir) {
   }
 }
 async function promptChoice(message, choices) {
-  const result = await consola42.prompt(message, { type: "select", options: choices });
+  const result = await consola43.prompt(message, { type: "select", options: choices });
   if (typeof result === "symbol") {
     throw new CliExit(0);
   }
   return result;
 }
 async function promptText(message, defaultValue) {
-  const result = await consola42.prompt(message, { type: "text", default: defaultValue, placeholder: defaultValue });
+  const result = await consola43.prompt(message, { type: "text", default: defaultValue, placeholder: defaultValue });
   if (typeof result === "symbol") {
     throw new CliExit(0);
   }
   return result || defaultValue || "";
 }
-var initCommand = defineCommand52({
+var initCommand = defineCommand53({
   meta: {
     name: "init",
     description: "Scaffold a new OpenApe project"
@@ -6313,23 +6773,23 @@ var initCommand = defineCommand52({
 });
 async function initSP(targetDir) {
   const dir = targetDir || "my-app";
-  if (existsSync18(join17(dir, "package.json"))) {
+  if (existsSync19(join18(dir, "package.json"))) {
     throw new CliError(`Directory "${dir}" already contains a project.`);
   }
-  consola42.start("Scaffolding SP starter...");
+  consola43.start("Scaffolding SP starter...");
   await downloadTemplate("openape-ai/openape-sp-starter", dir);
-  consola42.success("Scaffolded from openape-sp-starter");
-  consola42.start("Installing dependencies...");
+  consola43.success("Scaffolded from openape-sp-starter");
+  consola43.start("Installing dependencies...");
   installDeps(dir);
-  consola42.success("Dependencies installed");
-  const envExample = join17(dir, ".env.example");
-  const envFile = join17(dir, ".env");
-  if (existsSync18(envExample) && !existsSync18(envFile)) {
+  consola43.success("Dependencies installed");
+  const envExample = join18(dir, ".env.example");
+  const envFile = join18(dir, ".env");
+  if (existsSync19(envExample) && !existsSync19(envFile)) {
     copyFileSync(envExample, envFile);
-    consola42.success(`\`.env\` created (using Free IdP at ${DEFAULT_IDP_URL})`);
+    consola43.success(`\`.env\` created (using Free IdP at ${DEFAULT_IDP_URL})`);
   }
   console.log("");
-  consola42.box([
+  consola43.box([
     `cd ${dir}`,
     "npm run dev",
     "",
@@ -6338,7 +6798,7 @@ async function initSP(targetDir) {
 }
 async function initIdP(targetDir) {
   const dir = targetDir || "my-idp";
-  if (existsSync18(join17(dir, "package.json"))) {
+  if (existsSync19(join18(dir, "package.json"))) {
     throw new CliError(`Directory "${dir}" already contains a project.`);
   }
   const domain = await promptText("Domain for the IdP", "localhost");
@@ -6348,15 +6808,15 @@ async function initIdP(targetDir) {
     "s3 (S3-compatible)"
   ]);
   const adminEmail = await promptText("Admin email");
-  consola42.start("Scaffolding IdP starter...");
+  consola43.start("Scaffolding IdP starter...");
   await downloadTemplate("openape-ai/openape-idp-starter", dir);
-  consola42.success("Scaffolded from openape-idp-starter");
-  consola42.start("Installing dependencies...");
+  consola43.success("Scaffolded from openape-idp-starter");
+  consola43.start("Installing dependencies...");
   installDeps(dir);
-  consola42.success("Dependencies installed");
+  consola43.success("Dependencies installed");
   const sessionSecret = randomBytes(32).toString("hex");
   const managementToken = randomBytes(32).toString("hex");
-  consola42.success("Secrets generated");
+  consola43.success("Secrets generated");
   const isLocalhost = domain === "localhost";
   const origin = isLocalhost ? "http://localhost:3000" : `https://${domain}`;
   const envContent = [
@@ -6370,11 +6830,11 @@ async function initIdP(targetDir) {
     `NUXT_OPENAPE_RP_ID=${domain}`,
     `NUXT_OPENAPE_RP_ORIGIN=${origin}`
   ].join("\n");
-  writeFileSync10(join17(dir, ".env"), `${envContent}
+  writeFileSync10(join18(dir, ".env"), `${envContent}
 `, { mode: 384 });
-  consola42.success(".env created");
+  consola43.success(".env created");
   console.log("");
-  consola42.box([
+  consola43.box([
     `cd ${dir}`,
     "npm run dev",
     "",
@@ -6391,11 +6851,11 @@ async function initIdP(targetDir) {
 
 // src/commands/enroll.ts
 import { Buffer as Buffer5 } from "buffer";
-import { existsSync as existsSync19, readFileSync as readFileSync14 } from "fs";
+import { existsSync as existsSync20, readFileSync as readFileSync15 } from "fs";
 import { execFile as execFile2 } from "child_process";
 import { sign as sign2 } from "crypto";
-import { defineCommand as defineCommand53 } from "citty";
-import consola43 from "consola";
+import { defineCommand as defineCommand54 } from "citty";
+import consola44 from "consola";
 var DEFAULT_IDP_URL2 = "https://id.openape.at";
 var DEFAULT_KEY_PATH = "~/.ssh/id_ed25519";
 var POLL_INTERVAL = 3e3;
@@ -6407,7 +6867,7 @@ function openBrowser2(url) {
 }
 async function pollForEnrollment(idp, agentEmail, keyPath) {
   const resolvedKey = resolveKeyPath(keyPath);
-  const keyContent = readFileSync14(resolvedKey, "utf-8");
+  const keyContent = readFileSync15(resolvedKey, "utf-8");
   const privateKey = loadEd25519PrivateKey(keyContent);
   const challengeUrl = await getAgentChallengeEndpoint(idp);
   const authenticateUrl = await getAgentAuthenticateEndpoint(idp);
@@ -6438,7 +6898,7 @@ async function pollForEnrollment(idp, agentEmail, keyPath) {
   }
   throw new Error("Enrollment timed out. Please check the browser and try again.");
 }
-var enrollCommand = defineCommand53({
+var enrollCommand = defineCommand54({
   meta: {
     name: "enroll",
     description: "Enroll an agent with an Identity Provider"
@@ -6458,38 +6918,38 @@ var enrollCommand = defineCommand53({
     }
   },
   async run({ args }) {
-    const idp = args.idp || await consola43.prompt("IdP URL", { type: "text", default: DEFAULT_IDP_URL2, placeholder: DEFAULT_IDP_URL2 }).then((r) => {
+    const idp = args.idp || await consola44.prompt("IdP URL", { type: "text", default: DEFAULT_IDP_URL2, placeholder: DEFAULT_IDP_URL2 }).then((r) => {
       if (typeof r === "symbol") throw new CliExit(0);
       return r;
     }) || DEFAULT_IDP_URL2;
-    const agentName = args.name || await consola43.prompt("Agent name", { type: "text", placeholder: "deploy-bot" }).then((r) => {
+    const agentName = args.name || await consola44.prompt("Agent name", { type: "text", placeholder: "deploy-bot" }).then((r) => {
       if (typeof r === "symbol") throw new CliExit(0);
       return r;
     });
     if (!agentName) {
       throw new CliError("Agent name is required.");
     }
-    const keyPath = args.key || await consola43.prompt("Ed25519 key", { type: "text", default: DEFAULT_KEY_PATH, placeholder: DEFAULT_KEY_PATH }).then((r) => {
+    const keyPath = args.key || await consola44.prompt("Ed25519 key", { type: "text", default: DEFAULT_KEY_PATH, placeholder: DEFAULT_KEY_PATH }).then((r) => {
       if (typeof r === "symbol") throw new CliExit(0);
       return r;
     }) || DEFAULT_KEY_PATH;
     const resolvedKey = resolveKeyPath(keyPath);
     let publicKey;
-    if (existsSync19(resolvedKey)) {
+    if (existsSync20(resolvedKey)) {
       publicKey = readPublicKey(resolvedKey);
-      consola43.success(`Using existing key ${keyPath}`);
+      consola44.success(`Using existing key ${keyPath}`);
     } else {
-      consola43.start(`Generating Ed25519 key pair at ${keyPath}...`);
+      consola44.start(`Generating Ed25519 key pair at ${keyPath}...`);
       publicKey = generateAndSaveKey(keyPath);
-      consola43.success(`Key pair generated at ${keyPath}`);
+      consola44.success(`Key pair generated at ${keyPath}`);
     }
     const encodedKey = encodeURIComponent(publicKey);
     const enrollUrl = `${idp}/enroll?name=${encodeURIComponent(agentName)}&key=${encodedKey}`;
-    consola43.info("Opening browser for enrollment...");
-    consola43.info(`\u2192 ${idp}/enroll`);
+    consola44.info("Opening browser for enrollment...");
+    consola44.info(`\u2192 ${idp}/enroll`);
     openBrowser2(enrollUrl);
     console.log("");
-    const agentEmail = await consola43.prompt(
+    const agentEmail = await consola44.prompt(
       "Agent email (shown in browser after enrollment)",
       { type: "text", placeholder: `agent+${agentName}@...` }
     ).then((r) => {
@@ -6499,7 +6959,7 @@ var enrollCommand = defineCommand53({
     if (!agentEmail) {
       throw new CliError("Agent email is required to verify enrollment.");
     }
-    consola43.start("Verifying enrollment...");
+    consola44.start("Verifying enrollment...");
     const { token, expiresIn } = await pollForEnrollment(idp, agentEmail, keyPath);
     saveAuth({
       idp,
@@ -6511,18 +6971,18 @@ var enrollCommand = defineCommand53({
     config.defaults = { ...config.defaults, idp };
     config.agent = { key: keyPath, email: agentEmail };
     saveConfig(config);
-    consola43.success(`Agent enrolled as ${agentEmail}`);
-    consola43.success("Config saved to ~/.config/apes/");
+    consola44.success(`Agent enrolled as ${agentEmail}`);
+    consola44.success("Config saved to ~/.config/apes/");
     console.log("");
-    consola43.info("Verify with: apes whoami");
+    consola44.info("Verify with: apes whoami");
   }
 });
 
 // src/commands/register-user.ts
-import { existsSync as existsSync20, readFileSync as readFileSync15 } from "fs";
-import { defineCommand as defineCommand54 } from "citty";
-import consola44 from "consola";
-var registerUserCommand = defineCommand54({
+import { existsSync as existsSync21, readFileSync as readFileSync16 } from "fs";
+import { defineCommand as defineCommand55 } from "citty";
+import consola45 from "consola";
+var registerUserCommand = defineCommand55({
   meta: {
     name: "register-user",
     description: "Register a sub-user with SSH key"
@@ -6558,8 +7018,8 @@ var registerUserCommand = defineCommand54({
       throw new CliError("No IdP URL configured. Run `apes login` first.");
     }
     let publicKey = args.key;
-    if (existsSync20(args.key)) {
-      publicKey = readFileSync15(args.key, "utf-8").trim();
+    if (existsSync21(args.key)) {
+      publicKey = readFileSync16(args.key, "utf-8").trim();
     }
     if (!publicKey.startsWith("ssh-ed25519 ")) {
       throw new CliError("Public key must be in ssh-ed25519 format.");
@@ -6577,18 +7037,18 @@ var registerUserCommand = defineCommand54({
         ...userType ? { type: userType } : {}
       }
     });
-    consola44.success(`User registered: ${result.email} (type: ${result.type}, owner: ${result.owner})`);
+    consola45.success(`User registered: ${result.email} (type: ${result.type}, owner: ${result.owner})`);
   }
 });
 
 // src/commands/utils/index.ts
-import { defineCommand as defineCommand56 } from "citty";
+import { defineCommand as defineCommand57 } from "citty";
 
 // src/commands/utils/dig.ts
-import { defineCommand as defineCommand55 } from "citty";
-import consola45 from "consola";
+import { defineCommand as defineCommand56 } from "citty";
+import consola46 from "consola";
 import { resolveDDISA as resolveDDISA2 } from "@openape/core";
-var digCommand = defineCommand55({
+var digCommand = defineCommand56({
   meta: {
     name: "dig",
     description: "Resolve DDISA IdP for a domain or email (admin/diag tool)"
@@ -6661,12 +7121,12 @@ var digCommand = defineCommand55({
     console.log(`  domain: ${domain}`);
     console.log("");
     if (!result.ddisa.found) {
-      consola45.warn(`No DDISA record at _ddisa.${domain}`);
+      consola46.warn(`No DDISA record at _ddisa.${domain}`);
       if (result.hint) console.log(`
 ${result.hint}`);
       throw new CliError(`No DDISA record found for ${domain}`);
     }
-    consola45.success(`_ddisa.${domain} \u2192 ${result.ddisa.idp}`);
+    consola46.success(`_ddisa.${domain} \u2192 ${result.ddisa.idp}`);
     console.log(`  Version:  ${result.ddisa.version || "ddisa1"}`);
     console.log(`  IdP URL:  ${result.ddisa.idp}`);
     if (result.ddisa.mode) console.log(`  Mode:     ${result.ddisa.mode}`);
@@ -6676,13 +7136,13 @@ ${result.hint}`);
       return;
     }
     if (result.idpDiscovery.ok) {
-      consola45.success(`IdP reachable (${result.idpDiscovery.status ?? 200})`);
+      consola46.success(`IdP reachable (${result.idpDiscovery.status ?? 200})`);
       if (result.idpDiscovery.issuer) console.log(`  Issuer:   ${result.idpDiscovery.issuer}`);
       if (result.idpDiscovery.ddisaVersion) console.log(`  DDISA:    v${result.idpDiscovery.ddisaVersion}`);
       if (result.idpDiscovery.authMethods?.length) console.log(`  Auth:     ${result.idpDiscovery.authMethods.join(", ")}`);
       if (result.idpDiscovery.grantTypes?.length) console.log(`  Grants:   ${result.idpDiscovery.grantTypes.join(", ")}`);
     } else {
-      consola45.warn(`IdP discovery failed${result.idpDiscovery.status ? ` (HTTP ${result.idpDiscovery.status})` : ""}`);
+      consola46.warn(`IdP discovery failed${result.idpDiscovery.status ? ` (HTTP ${result.idpDiscovery.status})` : ""}`);
       if (result.hint) console.log(`
 ${result.hint}`);
       throw new CliError(`IdP at ${result.ddisa.idp} not reachable`);
@@ -6691,7 +7151,7 @@ ${result.hint}`);
 });
 
 // src/commands/utils/index.ts
-var utilsCommand = defineCommand56({
+var utilsCommand = defineCommand57({
   meta: {
     name: "utils",
     description: "Admin/diagnostic utilities (dig, \u2026)"
@@ -6702,12 +7162,12 @@ var utilsCommand = defineCommand56({
 });
 
 // src/commands/sessions/index.ts
-import { defineCommand as defineCommand59 } from "citty";
+import { defineCommand as defineCommand60 } from "citty";
 
 // src/commands/sessions/list.ts
-import { defineCommand as defineCommand57 } from "citty";
-import consola46 from "consola";
-var sessionsListCommand = defineCommand57({
+import { defineCommand as defineCommand58 } from "citty";
+import consola47 from "consola";
+var sessionsListCommand = defineCommand58({
   meta: {
     name: "list",
     description: "List your active refresh-token families (one per logged-in device)."
@@ -6725,7 +7185,7 @@ var sessionsListCommand = defineCommand57({
       return;
     }
     if (result.data.length === 0) {
-      consola46.info("No active sessions.");
+      consola47.info("No active sessions.");
       return;
     }
     for (const f of result.data) {
@@ -6737,9 +7197,9 @@ var sessionsListCommand = defineCommand57({
 });
 
 // src/commands/sessions/remove.ts
-import { defineCommand as defineCommand58 } from "citty";
-import consola47 from "consola";
-var sessionsRemoveCommand = defineCommand58({
+import { defineCommand as defineCommand59 } from "citty";
+import consola48 from "consola";
+var sessionsRemoveCommand = defineCommand59({
   meta: {
     name: "remove",
     description: "Revoke one of your active refresh-token families by id."
@@ -6755,12 +7215,12 @@ var sessionsRemoveCommand = defineCommand58({
     const id = String(args.familyId).trim();
     if (!id) throw new CliError("familyId required");
     await apiFetch(`/api/me/sessions/${encodeURIComponent(id)}`, { method: "DELETE" });
-    consola47.success(`Session ${id} revoked. The device using it will need to \`apes login\` again on its next refresh.`);
+    consola48.success(`Session ${id} revoked. The device using it will need to \`apes login\` again on its next refresh.`);
   }
 });
 
 // src/commands/sessions/index.ts
-var sessionsCommand = defineCommand59({
+var sessionsCommand = defineCommand60({
   meta: {
     name: "sessions",
     description: "Manage your active refresh-token sessions across devices"
@@ -6772,10 +7232,10 @@ var sessionsCommand = defineCommand59({
 });
 
 // src/commands/dns-check.ts
-import { defineCommand as defineCommand60 } from "citty";
-import consola48 from "consola";
+import { defineCommand as defineCommand61 } from "citty";
+import consola49 from "consola";
 import { resolveDDISA as resolveDDISA3 } from "@openape/core";
-var dnsCheckCommand = defineCommand60({
+var dnsCheckCommand = defineCommand61({
   meta: {
     name: "dns-check",
     description: "Validate DDISA DNS TXT records for a domain"
@@ -6789,7 +7249,7 @@ var dnsCheckCommand = defineCommand60({
   },
   async run({ args }) {
     const domain = args.domain;
-    consola48.start(`Checking _ddisa.${domain}...`);
+    consola49.start(`Checking _ddisa.${domain}...`);
     try {
       const result = await resolveDDISA3(domain);
       if (!result) {
@@ -6798,7 +7258,7 @@ var dnsCheckCommand = defineCommand60({
         console.log(`  _ddisa.${domain} TXT "v=ddisa1 idp=https://id.${domain}"`);
         throw new CliError(`No DDISA record found for ${domain}`);
       }
-      consola48.success(`_ddisa.${domain} \u2192 ${result.idp}`);
+      consola49.success(`_ddisa.${domain} \u2192 ${result.idp}`);
       console.log("");
       console.log(`  Version:  ${result.version || "ddisa1"}`);
       console.log(`  IdP URL:  ${result.idp}`);
@@ -6807,14 +7267,14 @@ var dnsCheckCommand = defineCommand60({
       if (result.priority !== void 0)
         console.log(`  Priority: ${result.priority}`);
       console.log("");
-      consola48.start(`Verifying IdP at ${result.idp}...`);
+      consola49.start(`Verifying IdP at ${result.idp}...`);
       const discoResp = await fetch(`${result.idp}/.well-known/openid-configuration`);
       if (!discoResp.ok) {
-        consola48.warn(`IdP discovery failed (${discoResp.status}). Is the IdP running at ${result.idp}?`);
+        consola49.warn(`IdP discovery failed (${discoResp.status}). Is the IdP running at ${result.idp}?`);
         return;
       }
       const disco = await discoResp.json();
-      consola48.success(`IdP is reachable`);
+      consola49.success(`IdP is reachable`);
       console.log(`  Issuer:   ${disco.issuer}`);
       console.log(`  DDISA:    v${disco.ddisa_version || "?"}`);
       if (disco.ddisa_auth_methods_supported) {
@@ -6832,7 +7292,7 @@ var dnsCheckCommand = defineCommand60({
 // src/commands/health.ts
 import { exec } from "child_process";
 import { promisify } from "util";
-import { defineCommand as defineCommand61 } from "citty";
+import { defineCommand as defineCommand62 } from "citty";
 var execAsync = promisify(exec);
 async function resolveApeShellPath() {
   try {
@@ -6868,7 +7328,7 @@ async function bestEffortGrantCount(idp) {
   }
 }
 async function runHealth(args) {
-  const version = true ? "1.26.0" : "0.0.0";
+  const version = true ? "1.28.0" : "0.0.0";
   const auth = loadAuth();
   if (!auth) {
     throw new CliError("Not logged in. Run `apes login` first.", 1);
@@ -6931,7 +7391,7 @@ async function runHealth(args) {
     throw new CliError(`IdP ${auth.idp} unreachable: ${idpProbe.error}`, 1);
   }
 }
-var healthCommand = defineCommand61({
+var healthCommand = defineCommand62({
   meta: {
     name: "health",
     description: "Report CLI diagnostic state (auth, IdP, grants, binaries)"
@@ -6949,8 +7409,8 @@ var healthCommand = defineCommand61({
 });
 
 // src/commands/workflows.ts
-import { defineCommand as defineCommand62 } from "citty";
-import consola49 from "consola";
+import { defineCommand as defineCommand63 } from "citty";
+import consola50 from "consola";
 
 // src/guides/index.ts
 var guides = [
@@ -7000,7 +7460,7 @@ var guides = [
 ];
 
 // src/commands/workflows.ts
-var workflowsCommand = defineCommand62({
+var workflowsCommand = defineCommand63({
   meta: {
     name: "workflows",
     description: "Discover workflow guides"
@@ -7021,7 +7481,7 @@ var workflowsCommand = defineCommand62({
     if (args.id) {
       const guide = guides.find((g) => g.id === String(args.id));
       if (!guide) {
-        consola49.info(`Available: ${guides.map((g) => g.id).join(", ")}`);
+        consola50.info(`Available: ${guides.map((g) => g.id).join(", ")}`);
         throw new CliError(`Guide not found: ${args.id}`);
       }
       if (args.json) {
@@ -7061,25 +7521,25 @@ var workflowsCommand = defineCommand62({
 });
 
 // src/version-check.ts
-import { existsSync as existsSync21, mkdirSync as mkdirSync6, readFileSync as readFileSync16, writeFileSync as writeFileSync11 } from "fs";
-import { homedir as homedir15 } from "os";
-import { join as join18 } from "path";
-import consola50 from "consola";
+import { existsSync as existsSync22, mkdirSync as mkdirSync6, readFileSync as readFileSync17, writeFileSync as writeFileSync11 } from "fs";
+import { homedir as homedir16 } from "os";
+import { join as join19 } from "path";
+import consola51 from "consola";
 var PACKAGE_NAME = "@openape/apes";
 var CACHE_TTL_MS = 24 * 60 * 60 * 1e3;
-var CACHE_FILE = join18(homedir15(), ".config", "apes", ".version-check.json");
+var CACHE_FILE = join19(homedir16(), ".config", "apes", ".version-check.json");
 function readCache() {
-  if (!existsSync21(CACHE_FILE)) return null;
+  if (!existsSync22(CACHE_FILE)) return null;
   try {
-    return JSON.parse(readFileSync16(CACHE_FILE, "utf-8"));
+    return JSON.parse(readFileSync17(CACHE_FILE, "utf-8"));
   } catch {
     return null;
   }
 }
 function writeCache(entry) {
   try {
-    const dir = join18(homedir15(), ".config", "apes");
-    if (!existsSync21(dir)) mkdirSync6(dir, { recursive: true, mode: 448 });
+    const dir = join19(homedir16(), ".config", "apes");
+    if (!existsSync22(dir)) mkdirSync6(dir, { recursive: true, mode: 448 });
     writeFileSync11(CACHE_FILE, JSON.stringify(entry), { mode: 384 });
   } catch {
   }
@@ -7109,7 +7569,7 @@ async function fetchLatestVersion() {
 }
 function warnIfBehind(currentVersion, latest) {
   if (compareSemver(currentVersion, latest) < 0) {
-    consola50.warn(
+    consola51.warn(
       `apes ${currentVersion} is behind latest @openape/apes@${latest}. Run \`npm i -g @openape/apes@latest\` to update. (Suppress with APES_NO_UPDATE_CHECK=1.)`
     );
   }
@@ -7141,10 +7601,10 @@ if (shellRewrite) {
   if (shellRewrite.action === "rewrite") {
     process.argv = shellRewrite.argv;
   } else if (shellRewrite.action === "version") {
-    console.log(`ape-shell ${"1.26.0"} (OpenApe DDISA shell wrapper)`);
+    console.log(`ape-shell ${"1.28.0"} (OpenApe DDISA shell wrapper)`);
     process.exit(0);
   } else if (shellRewrite.action === "help") {
-    console.log(`ape-shell ${"1.26.0"} \u2014 OpenApe DDISA shell wrapper`);
+    console.log(`ape-shell ${"1.28.0"} \u2014 OpenApe DDISA shell wrapper`);
     console.log("");
     console.log("Usage:");
     console.log("  ape-shell                 Start interactive grant-mediated REPL");
@@ -7168,7 +7628,7 @@ if (shellRewrite) {
   }
 }
 var debug = process.argv.includes("--debug");
-var grantsCommand = defineCommand63({
+var grantsCommand = defineCommand64({
   meta: {
     name: "grants",
     description: "Grant management"
@@ -7189,7 +7649,7 @@ var grantsCommand = defineCommand63({
     "delegation-revoke": delegationRevokeCommand
   }
 });
-var configCommand = defineCommand63({
+var configCommand = defineCommand64({
   meta: {
     name: "config",
     description: "Configuration management"
@@ -7199,10 +7659,10 @@ var configCommand = defineCommand63({
     set: configSetCommand
   }
 });
-var main = defineCommand63({
+var main = defineCommand64({
   meta: {
     name: "apes",
-    version: "1.26.0",
+    version: "1.28.0",
     description: "Unified CLI for OpenApe"
   },
   subCommands: {
@@ -7260,20 +7720,20 @@ async function maybeRefreshAuth() {
   }
 }
 await maybeRefreshAuth();
-await maybeWarnStaleVersion("1.26.0").catch(() => {
+await maybeWarnStaleVersion("1.28.0").catch(() => {
 });
 runMain(main).catch((err) => {
   if (err instanceof CliExit) {
     process.exit(err.exitCode);
   }
   if (err instanceof CliError) {
-    consola51.error(err.message);
+    consola52.error(err.message);
     process.exit(err.exitCode);
   }
   if (debug) {
-    consola51.error(err);
+    consola52.error(err);
   } else {
-    consola51.error(err instanceof ApiError ? err.message : err instanceof Error ? err.message : String(err));
+    consola52.error(err instanceof ApiError ? err.message : err instanceof Error ? err.message : String(err));
   }
   process.exit(1);
 });