@openape/apes 1.28.1 → 1.28.3

package/dist/cli.js

@@ -1805,7 +1805,12 @@ var TroopClient = class {
         hostname: input.hostname,
         host_id: input.hostId,
         owner_email: input.ownerEmail,
-        ...input.pubkeySsh ? { pubkey_ssh: input.pubkeySsh } : {}
+        ...input.pubkeySsh ? { pubkey_ssh: input.pubkeySsh } : {},
+        // Without this the agent's encryption pubkey never reaches troop,
+        // so every sealed-capability bind 409s ("no X25519 public key
+        // yet"). The keypair is written at spawn (agent-bootstrap); we
+        // just have to report the public half here.
+        ...input.pubkeyX25519 ? { pubkey_x25519: input.pubkeyX25519 } : {}
       })
     });
   }
@@ -3553,6 +3558,7 @@ import { openString } from "@openape/core";
 var CONFIG_DIR2 = join5(homedir6(), ".config", "openape");
 var SECRETS_DIR = join5(CONFIG_DIR2, "secrets.d");
 var X25519_KEY_PATH = join5(CONFIG_DIR2, "agent-x25519.key");
+var X25519_PUBKEY_PATH = `${X25519_KEY_PATH}.pub`;
 function envNameFromFile(file) {
   if (!file.endsWith(".blob")) return null;
   const env = file.slice(0, -".blob".length);
@@ -3563,6 +3569,11 @@ function readAgentEncryptionKey(keyPath = X25519_KEY_PATH) {
   const k = readFileSync6(keyPath, "utf8").trim();
   return k.length > 0 ? k : null;
 }
+function readAgentEncryptionPublicKey(pubPath = X25519_PUBKEY_PATH) {
+  if (!existsSync7(pubPath)) return null;
+  const k = readFileSync6(pubPath, "utf8").trim();
+  return k.length > 0 ? k : null;
+}
 function materializeSecrets(opts = {}) {
   const dir = opts.dir ?? SECRETS_DIR;
   const env = opts.env ?? process.env;
@@ -4490,12 +4501,15 @@ var syncAgentCommand = defineCommand31({
       throw new CliError(`${AUTH_PATH3} is missing owner_email \u2014 re-run \`apes agents spawn\` to update.`);
     }
     consola27.start(`Syncing ${agentName} (${host}, hostId ${hostId.slice(0, 8)}\u2026) with ${troopUrl}`);
+    const pubkeyX25519 = readAgentEncryptionPublicKey() ?? void 0;
     const sync = await client.sync({
       hostname: host,
       hostId,
-      ownerEmail: auth.owner_email
+      ownerEmail: auth.owner_email,
+      ...pubkeyX25519 ? { pubkeyX25519 } : {}
     });
     consola27.info(sync.first_sync ? "\u2713 first sync \u2014 agent registered" : "\u2713 presence updated");
+    if (!pubkeyX25519) consola27.warn("No X25519 public key found on disk \u2014 sealed capability secrets cannot be bound until the agent is re-spawned.");
     const { system_prompt: systemPrompt, tools, skills, tasks } = await client.listTasks();
     consola27.info(`Pulled ${tasks.length} task${tasks.length === 1 ? "" : "s"}`);
     consola27.info(`Tools enabled: ${tools.length === 0 ? "(none)" : tools.join(", ")}`);
@@ -5675,6 +5689,16 @@ function getUserMode() {
     return "human";
   return "agent";
 }
+var writeRealStdout = (s) => {
+  process.stdout.write(s);
+};
+function routeDiagnosticsToStderrForWrappedAgentRun() {
+  const original = process.stdout.write.bind(process.stdout);
+  writeRealStdout = (s) => {
+    original(s);
+  };
+  process.stdout.write = ((chunk, ...rest) => process.stderr.write(chunk, ...rest));
+}
 function getAsyncExitCode() {
   const envValue = process.env.APES_ASYNC_EXIT_CODE;
   if (envValue !== void 0 && envValue !== "") {
@@ -5783,6 +5807,9 @@ var runCommand = defineCommand46({
   },
   async run({ rawArgs, args }) {
     const wrappedCommand = extractWrappedCommand(rawArgs ?? []);
+    if (wrappedCommand.length > 0 && getUserMode() === "agent") {
+      routeDiagnosticsToStderrForWrappedAgentRun();
+    }
     if (args.shell && wrappedCommand.length > 0) {
       await runShellMode(wrappedCommand, args);
       return;
@@ -6112,7 +6139,7 @@ function executeWithGrantToken(opts) {
       throw new CliExit(exitCode);
     }
   } else {
-    process.stdout.write(token);
+    writeRealStdout(token);
   }
 }
 async function findReusableAudienceGrant(opts) {
@@ -6702,7 +6729,7 @@ var mcpCommand = defineCommand52({
     if (transport !== "stdio" && transport !== "sse") {
       throw new Error('Transport must be "stdio" or "sse"');
     }
-    const { startMcpServer } = await import("./server-RPIK3EDU.js");
+    const { startMcpServer } = await import("./server-5N27B7F2.js");
     await startMcpServer(transport, port);
   }
 });
@@ -7340,7 +7367,7 @@ async function bestEffortGrantCount(idp) {
   }
 }
 async function runHealth(args) {
-  const version = true ? "1.28.1" : "0.0.0";
+  const version = true ? "1.28.3" : "0.0.0";
   const auth = loadAuth();
   if (!auth) {
     throw new CliError("Not logged in. Run `apes login` first.", 1);
@@ -7613,10 +7640,10 @@ if (shellRewrite) {
   if (shellRewrite.action === "rewrite") {
     process.argv = shellRewrite.argv;
   } else if (shellRewrite.action === "version") {
-    console.log(`ape-shell ${"1.28.1"} (OpenApe DDISA shell wrapper)`);
+    console.log(`ape-shell ${"1.28.3"} (OpenApe DDISA shell wrapper)`);
     process.exit(0);
   } else if (shellRewrite.action === "help") {
-    console.log(`ape-shell ${"1.28.1"} \u2014 OpenApe DDISA shell wrapper`);
+    console.log(`ape-shell ${"1.28.3"} \u2014 OpenApe DDISA shell wrapper`);
     console.log("");
     console.log("Usage:");
     console.log("  ape-shell                 Start interactive grant-mediated REPL");
@@ -7674,7 +7701,7 @@ var configCommand = defineCommand64({
 var main = defineCommand64({
   meta: {
     name: "apes",
-    version: "1.28.1",
+    version: "1.28.3",
     description: "Unified CLI for OpenApe"
   },
   subCommands: {
@@ -7732,7 +7759,7 @@ async function maybeRefreshAuth() {
   }
 }
 await maybeRefreshAuth();
-await maybeWarnStaleVersion("1.28.1").catch(() => {
+await maybeWarnStaleVersion("1.28.3").catch(() => {
 });
 runMain(main).catch((err) => {
   if (err instanceof CliExit) {