@openape/apes 1.28.11 → 1.28.13

package/dist/cli.js

@@ -13,7 +13,7 @@ import {
   runLoop,
   taskTools,
   worktreePathFor
-} from "./chunk-OOKB2IL2.js";
+} from "./chunk-ZEUSCNCH.js";
 import {
   loadEd25519PrivateKey,
   readPublicKeyComment
@@ -50,7 +50,7 @@ import {
   searchAdapters,
   verifyAndExecute,
   waitForGrantStatus
-} from "./chunk-DYSFQ26B.js";
+} from "./chunk-PEA2RDWK.js";
 import {
   ApiError,
   apiFetch,
@@ -58,7 +58,7 @@ import {
   getAgentChallengeEndpoint,
   getDelegationsEndpoint,
   getGrantsEndpoint
-} from "./chunk-4KPKANZT.js";
+} from "./chunk-NYJSBFLG.js";
 import {
   AUTH_FILE,
   CONFIG_DIR,
@@ -389,28 +389,30 @@ async function loginWithPKCE(idp) {
   consola2.success(`Logged in as ${payload.email || payload.sub}`);
 }
 async function loginWithKey(idp, keyPath, agentEmail) {
-  const { readFileSync: readFileSync18 } = await import("fs");
+  const { readFileSync: readFileSync21 } = await import("fs");
   const { sign: sign3 } = await import("crypto");
   const { loadEd25519PrivateKey: loadEd25519PrivateKey2 } = await import("./ssh-key-YBNNG5K5.js");
   const challengeUrl = await getAgentChallengeEndpoint(idp);
   const challengeResp = await fetch(challengeUrl, {
     method: "POST",
     headers: { "Content-Type": "application/json" },
-    body: JSON.stringify({ agent_id: agentEmail })
+    // Use canonical `id` field (the server's /api/auth/challenge handler expects `id`).
+    body: JSON.stringify({ id: agentEmail })
   });
   if (!challengeResp.ok) {
     throw new CliError(`Challenge failed: ${await challengeResp.text()}`);
   }
   const { challenge } = await challengeResp.json();
-  const keyContent = readFileSync18(keyPath, "utf-8");
+  const keyContent = readFileSync21(keyPath, "utf-8");
   const privateKey = loadEd25519PrivateKey2(keyContent);
   const signature = sign3(null, Buffer2.from(challenge), privateKey).toString("base64");
   const authenticateUrl = await getAgentAuthenticateEndpoint(idp);
   const authResp = await fetch(authenticateUrl, {
     method: "POST",
     headers: { "Content-Type": "application/json" },
+    // Use canonical `id` field (the server's /api/auth/authenticate handler expects `id`).
     body: JSON.stringify({
-      agent_id: agentEmail,
+      id: agentEmail,
       challenge,
       signature
     })
@@ -1982,7 +1984,7 @@ var agentCommand = defineCommand21({
 import { defineCommand as defineCommand32 } from "citty";
 
 // src/commands/agents/allow.ts
-import { execFileSync as execFileSync4 } from "child_process";
+import { execFileSync as execFileSync10 } from "child_process";
 import { defineCommand as defineCommand22 } from "citty";
 import consola19 from "consola";
 
@@ -2496,6 +2498,348 @@ function isShellRegistered(shellPath) {
   return content.split("\n").map((l) => l.trim()).filter((l) => l && !l.startsWith("#")).includes(shellPath);
 }
 
+// src/lib/host-platform/index.ts
+import process2 from "process";
+
+// src/lib/macos-host.ts
+import { execFileSync as execFileSync4 } from "child_process";
+import { hostname as hostname3 } from "os";
+function getHostId() {
+  try {
+    const output = execFileSync4(
+      "/usr/sbin/ioreg",
+      ["-d2", "-c", "IOPlatformExpertDevice"],
+      { encoding: "utf8", timeout: 2e3 }
+    );
+    const match = output.match(/"IOPlatformUUID"\s*=\s*"([^"]+)"/);
+    return match ? match[1].trim().toLowerCase() : "";
+  } catch {
+    return "";
+  }
+}
+function getHostname() {
+  try {
+    return hostname3();
+  } catch {
+    return "";
+  }
+}
+
+// src/lib/host-platform/darwin-nest.ts
+import { execFileSync as execFileSync5 } from "child_process";
+import { existsSync as existsSync4, mkdirSync, readFileSync as readFileSync3, unlinkSync, writeFileSync } from "fs";
+import { userInfo } from "os";
+import { join as join2 } from "path";
+var PLIST_LABEL = "ai.openape.nest";
+function plistPath(userHome) {
+  return join2(userHome, "Library", "LaunchAgents", `${PLIST_LABEL}.plist`);
+}
+function xmlEscape(s) {
+  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
+}
+function buildNestPlist(spec) {
+  const logsDir = join2(spec.userHome, "Library", "Logs");
+  return `<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>Label</key>
+  <string>${xmlEscape(PLIST_LABEL)}</string>
+  <key>ProgramArguments</key>
+  <array>
+    <string>${xmlEscape(spec.nestBin)}</string>
+  </array>
+  <key>WorkingDirectory</key>
+  <string>${xmlEscape(spec.nestHome)}</string>
+  <key>RunAtLoad</key>
+  <true/>
+  <key>KeepAlive</key>
+  <true/>
+  <key>ThrottleInterval</key>
+  <integer>10</integer>
+  <key>EnvironmentVariables</key>
+  <dict>
+    <key>HOME</key><string>${xmlEscape(spec.nestHome)}</string>
+    <key>PATH</key><string>/opt/homebrew/bin:/usr/local/bin:/usr/bin:/bin</string>
+    <key>OPENAPE_NEST_PORT</key><string>${spec.port}</string>
+    <key>OPENAPE_APES_BIN</key><string>${xmlEscape(spec.apesBin)}</string>
+  </dict>
+  <key>StandardOutPath</key>
+  <string>${xmlEscape(logsDir)}/openape-nest.log</string>
+  <key>StandardErrorPath</key>
+  <string>${xmlEscape(logsDir)}/openape-nest.log</string>
+</dict>
+</plist>
+`;
+}
+async function installNestSupervisorOnDarwin(spec) {
+  const path2 = plistPath(spec.userHome);
+  mkdirSync(join2(spec.userHome, "Library", "LaunchAgents"), { recursive: true });
+  const desired = buildNestPlist(spec);
+  let existing = "";
+  try {
+    existing = readFileSync3(path2, "utf8");
+  } catch {
+  }
+  if (existing !== desired) {
+    writeFileSync(path2, desired, { mode: 420 });
+  }
+  const uid = userInfo().uid;
+  try {
+    execFileSync5("/bin/launchctl", ["bootout", `gui/${uid}/${PLIST_LABEL}`], { stdio: "ignore" });
+  } catch {
+  }
+  execFileSync5("/bin/launchctl", ["bootstrap", `gui/${uid}`, path2], { stdio: "inherit" });
+}
+async function uninstallNestSupervisorOnDarwin() {
+  const home = userInfo().homedir;
+  const uid = userInfo().uid;
+  const path2 = plistPath(home);
+  try {
+    execFileSync5("/bin/launchctl", ["bootout", `gui/${uid}/${PLIST_LABEL}`], { stdio: "ignore" });
+  } catch {
+  }
+  if (existsSync4(path2)) unlinkSync(path2);
+}
+
+// src/lib/host-platform/darwin-exec.ts
+import { execFileSync as execFileSync6, spawnSync } from "child_process";
+import { mkdtempSync, rmSync as rmSync2, writeFileSync as writeFileSync2 } from "fs";
+import { tmpdir } from "os";
+import { join as join3 } from "path";
+function resolveApesBinary() {
+  return process.env.OPENAPE_APES_BIN || "apes";
+}
+async function runPrivilegedBashOnDarwin(script) {
+  const dir = mkdtempSync(join3(tmpdir(), "apes-privileged-"));
+  const scriptPath = join3(dir, "run.sh");
+  writeFileSync2(scriptPath, script, { mode: 448 });
+  try {
+    if (process.getuid?.() === 0) {
+      execFileSync6("bash", [scriptPath], { stdio: "inherit" });
+    } else {
+      execFileSync6(resolveApesBinary(), ["run", "--as", "root", "--wait", "--", "bash", scriptPath], { stdio: "inherit" });
+    }
+  } finally {
+    try {
+      rmSync2(dir, { recursive: true, force: true });
+    } catch {
+    }
+  }
+}
+async function runAsAgentUserOnDarwin(agentName, argv) {
+  const r = spawnSync(
+    resolveApesBinary(),
+    ["run", "--as", agentName, "--wait", "--", ...argv],
+    { encoding: "utf8" }
+  );
+  return {
+    stdout: r.stdout ?? "",
+    stderr: r.stderr ?? "",
+    exitCode: r.status ?? 1
+  };
+}
+
+// src/lib/host-platform/darwin.ts
+var darwinHostPlatform = {
+  getHostId,
+  getHostname,
+  agentUsername: macOSUsernameForAgent,
+  lookupAgentUser: (agentName) => lookupMacOSUserForAgent(agentName),
+  readAgentUser: (osName) => readMacOSUser(osName),
+  listAgentUserNames: listMacOSUserNames,
+  listOrphanAgentUsers: () => listOrphanedAgentRecords().map((r) => ({ name: r.name, uid: r.uid, homeDir: r.homeDir })),
+  installNestSupervisor: installNestSupervisorOnDarwin,
+  uninstallNestSupervisor: uninstallNestSupervisorOnDarwin,
+  runPrivilegedBash: runPrivilegedBashOnDarwin,
+  runAsAgentUser: runAsAgentUserOnDarwin
+};
+
+// src/lib/host-platform/linux-host.ts
+import { hostname as hostname4 } from "os";
+import { existsSync as existsSync5, readFileSync as readFileSync4 } from "fs";
+var FALLBACK_PATHS = ["/etc/machine-id", "/var/lib/dbus/machine-id"];
+function getLinuxHostId() {
+  for (const path2 of FALLBACK_PATHS) {
+    if (!existsSync5(path2)) continue;
+    try {
+      const v = readFileSync4(path2, "utf-8").trim();
+      if (v) return v;
+    } catch {
+    }
+  }
+  return hostname4();
+}
+function getLinuxHostname() {
+  return hostname4();
+}
+
+// src/lib/host-platform/linux-user.ts
+import { execFileSync as execFileSync7 } from "child_process";
+function getentPasswd(name) {
+  try {
+    return execFileSync7("getent", ["passwd", name], {
+      encoding: "utf-8",
+      stdio: ["ignore", "pipe", "ignore"]
+    }).trim() || null;
+  } catch {
+    return null;
+  }
+}
+function parsePasswdLine(line) {
+  const parts = line.split(":");
+  if (parts.length < 7) return null;
+  const [name, , uidStr, , , homeDir, shell] = parts;
+  if (!name || !uidStr) return null;
+  const uid = Number.parseInt(uidStr, 10);
+  return {
+    name,
+    uid: Number.isFinite(uid) ? uid : null,
+    shell: shell?.trim() || null,
+    homeDir: homeDir?.trim() || null
+  };
+}
+function readLinuxUser(name) {
+  const line = getentPasswd(name);
+  if (!line) return null;
+  return parsePasswdLine(line);
+}
+function listLinuxUserNames() {
+  try {
+    const out = execFileSync7("getent", ["passwd"], {
+      encoding: "utf-8",
+      stdio: ["ignore", "pipe", "ignore"]
+    });
+    const names = /* @__PURE__ */ new Set();
+    for (const line of out.split("\n")) {
+      const name = line.split(":", 1)[0]?.trim();
+      if (name) names.add(name);
+    }
+    return names;
+  } catch {
+    return /* @__PURE__ */ new Set();
+  }
+}
+
+// src/lib/host-platform/linux-exec.ts
+import { execFileSync as execFileSync8, spawnSync as spawnSync2 } from "child_process";
+import { mkdtempSync as mkdtempSync2, rmSync as rmSync3, writeFileSync as writeFileSync3 } from "fs";
+import { tmpdir as tmpdir2 } from "os";
+import { join as join4 } from "path";
+async function runPrivilegedBashOnLinux(script) {
+  const dir = mkdtempSync2(join4(tmpdir2(), "apes-privileged-"));
+  const scriptPath = join4(dir, "run.sh");
+  writeFileSync3(scriptPath, script, { mode: 448 });
+  try {
+    if (process.getuid?.() === 0) {
+      execFileSync8("bash", [scriptPath], { stdio: "inherit" });
+    } else {
+      execFileSync8("sudo", ["-n", "--", "bash", scriptPath], { stdio: "inherit" });
+    }
+  } finally {
+    try {
+      rmSync3(dir, { recursive: true, force: true });
+    } catch {
+    }
+  }
+}
+async function runAsAgentUserOnLinux(agentName, argv) {
+  const r = spawnSync2("sudo", ["-n", "-H", "-u", agentName, "--", ...argv], { encoding: "utf8" });
+  return {
+    stdout: r.stdout ?? "",
+    stderr: r.stderr ?? "",
+    exitCode: r.status ?? 1
+  };
+}
+
+// src/lib/host-platform/linux-nest.ts
+import { execFileSync as execFileSync9 } from "child_process";
+import { existsSync as existsSync6, readFileSync as readFileSync5, unlinkSync as unlinkSync2, writeFileSync as writeFileSync4 } from "fs";
+var UNIT_NAME = "openape-nest.service";
+var UNIT_PATH = `/etc/systemd/system/${UNIT_NAME}`;
+function buildNestUnit(spec) {
+  return `[Unit]
+Description=OpenApe Nest supervisor
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+ExecStart=${spec.nestBin}
+WorkingDirectory=${spec.nestHome}
+Restart=always
+RestartSec=10
+Environment=HOME=${spec.nestHome}
+Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+Environment=OPENAPE_NEST_PORT=${spec.port}
+Environment=OPENAPE_APES_BIN=${spec.apesBin}
+StandardOutput=journal
+StandardError=journal
+
+[Install]
+WantedBy=multi-user.target
+`;
+}
+async function installNestSupervisorOnLinux(spec) {
+  const desired = buildNestUnit(spec);
+  let existing = "";
+  try {
+    existing = readFileSync5(UNIT_PATH, "utf8");
+  } catch {
+  }
+  if (existing !== desired) {
+    writeFileSync4(UNIT_PATH, desired, { mode: 420 });
+  }
+  execFileSync9("systemctl", ["daemon-reload"], { stdio: "inherit" });
+  execFileSync9("systemctl", ["enable", "--now", UNIT_NAME], { stdio: "inherit" });
+}
+async function uninstallNestSupervisorOnLinux() {
+  try {
+    execFileSync9("systemctl", ["disable", "--now", UNIT_NAME], { stdio: "inherit" });
+  } catch {
+  }
+  if (existsSync6(UNIT_PATH)) unlinkSync2(UNIT_PATH);
+  try {
+    execFileSync9("systemctl", ["daemon-reload"], { stdio: "inherit" });
+  } catch {
+  }
+}
+
+// src/lib/host-platform/linux.ts
+var linuxHostPlatform = {
+  getHostId: getLinuxHostId,
+  getHostname: getLinuxHostname,
+  // No prefix on Linux — the agent name IS the OS username. In the
+  // container, the OpenApe namespace IS the namespace; no need to
+  // disambiguate with `openape-agent-`. (Linux limits usernames to
+  // 32 chars, so a prefix would also reject longer agent names.)
+  agentUsername: (agentName) => agentName,
+  lookupAgentUser: (agentName) => readLinuxUser(agentName),
+  readAgentUser: (osName) => readLinuxUser(osName),
+  listAgentUserNames: listLinuxUserNames,
+  // No tombstone concept on Linux — userdel + groupdel are clean.
+  listOrphanAgentUsers: () => [],
+  installNestSupervisor: installNestSupervisorOnLinux,
+  uninstallNestSupervisor: uninstallNestSupervisorOnLinux,
+  runPrivilegedBash: runPrivilegedBashOnLinux,
+  runAsAgentUser: runAsAgentUserOnLinux
+};
+
+// src/lib/host-platform/index.ts
+function isDarwin2() {
+  return process2.platform === "darwin";
+}
+function isLinux() {
+  return process2.platform === "linux";
+}
+var testOverride = null;
+function getHostPlatform() {
+  if (testOverride) return testOverride;
+  if (isDarwin2()) return darwinHostPlatform;
+  if (isLinux()) return linuxHostPlatform;
+  throw new Error(`unsupported host platform: ${process2.platform}`);
+}
+
 // src/commands/agents/allow.ts
 var allowAgentCommand = defineCommand22({
   meta: {
@@ -2523,10 +2867,10 @@ var allowAgentCommand = defineCommand22({
     if (!email.includes("@")) {
       throw new CliError(`Invalid email "${email}".`);
     }
-    if (!isDarwin()) {
+    if (!isDarwin2()) {
       throw new CliError("`apes agents allow` is currently macOS-only.");
     }
-    if (!lookupMacOSUserForAgent(agent)) {
+    if (!getHostPlatform().lookupAgentUser(agent)) {
       throw new CliError(`No macOS user for agent "${agent}" \u2014 has it been spawned?`);
     }
     const apes = whichBinary("apes");
@@ -2558,7 +2902,7 @@ PY
 chmod 600 "$F"
 `;
     consola19.start(`Adding ${email} to ${agent}'s allowlist\u2026`);
-    execFileSync4(apes, ["run", "--as", agent, "--wait", "--", "bash", "-c", script], { stdio: "inherit" });
+    execFileSync10(apes, ["run", "--as", agent, "--wait", "--", "bash", "-c", script], { stdio: "inherit" });
     consola19.success(`${agent} will auto-accept future contact requests from ${email} (within ~30s of next bridge connect).`);
   }
 });
@@ -2567,7 +2911,7 @@ function shQuote2(s) {
 }
 
 // src/commands/agents/cleanup-orphans.ts
-import { execFileSync as execFileSync5 } from "child_process";
+import { execFileSync as execFileSync11 } from "child_process";
 import { defineCommand as defineCommand23 } from "citty";
 import consola20 from "consola";
 var cleanupOrphansCommand = defineCommand23({
@@ -2586,10 +2930,10 @@ var cleanupOrphansCommand = defineCommand23({
     }
   },
   async run({ args }) {
-    if (!isDarwin()) {
+    if (!isDarwin2()) {
       throw new CliError(`\`apes agents cleanup-orphans\` is macOS-only. Detected platform: ${process.platform}.`);
     }
-    const orphans = listOrphanedAgentRecords();
+    const orphans = getHostPlatform().listOrphanAgentUsers();
     if (orphans.length === 0) {
       consola20.success("No agent tombstones found \u2014 dscl is clean.");
       return;
@@ -2626,7 +2970,7 @@ var cleanupOrphansCommand = defineCommand23({
     let failed = 0;
     for (const o of orphans) {
       try {
-        execFileSync5("/usr/sbin/sysadminctl", ["-deleteUser", o.name], {
+        execFileSync11("/usr/sbin/sysadminctl", ["-deleteUser", o.name], {
           stdio: ["ignore", "inherit", "inherit"]
         });
         consola20.success(`Deleted ${o.name}`);
@@ -2644,21 +2988,21 @@ var cleanupOrphansCommand = defineCommand23({
 });
 
 // src/commands/agents/code.ts
-import { existsSync as existsSync5, readFileSync as readFileSync4 } from "fs";
+import { existsSync as existsSync8, readFileSync as readFileSync7 } from "fs";
 import { homedir as homedir5 } from "os";
-import { join as join3 } from "path";
-import process2 from "process";
+import { join as join6 } from "path";
+import process3 from "process";
 import { defineCommand as defineCommand24 } from "citty";
 import { consola as consola21 } from "consola";
 
 // src/lib/agent-secrets-runtime.ts
-import { existsSync as existsSync4, readdirSync, readFileSync as readFileSync3, watch } from "fs";
+import { existsSync as existsSync7, readdirSync, readFileSync as readFileSync6, watch } from "fs";
 import { homedir as homedir4 } from "os";
-import { join as join2 } from "path";
+import { join as join5 } from "path";
 import { openString } from "@openape/core";
-var CONFIG_DIR2 = join2(homedir4(), ".config", "openape");
-var SECRETS_DIR = join2(CONFIG_DIR2, "secrets.d");
-var X25519_KEY_PATH = join2(CONFIG_DIR2, "agent-x25519.key");
+var CONFIG_DIR2 = join5(homedir4(), ".config", "openape");
+var SECRETS_DIR = join5(CONFIG_DIR2, "secrets.d");
+var X25519_KEY_PATH = join5(CONFIG_DIR2, "agent-x25519.key");
 var X25519_PUBKEY_PATH = `${X25519_KEY_PATH}.pub`;
 function envNameFromFile(file) {
   if (!file.endsWith(".blob")) return null;
@@ -2666,13 +3010,13 @@ function envNameFromFile(file) {
   return /^[A-Z][A-Z0-9_]*$/.test(env) ? env : null;
 }
 function readAgentEncryptionKey(keyPath = X25519_KEY_PATH) {
-  if (!existsSync4(keyPath)) return null;
-  const k = readFileSync3(keyPath, "utf8").trim();
+  if (!existsSync7(keyPath)) return null;
+  const k = readFileSync6(keyPath, "utf8").trim();
   return k.length > 0 ? k : null;
 }
 function readAgentEncryptionPublicKey(pubPath = X25519_PUBKEY_PATH) {
-  if (!existsSync4(pubPath)) return null;
-  const k = readFileSync3(pubPath, "utf8").trim();
+  if (!existsSync7(pubPath)) return null;
+  const k = readFileSync6(pubPath, "utf8").trim();
   return k.length > 0 ? k : null;
 }
 function materializeSecrets(opts = {}) {
@@ -2683,12 +3027,12 @@ function materializeSecrets(opts = {}) {
   const applied = [];
   const failed = [];
   const key = readAgentEncryptionKey(opts.keyPath);
-  const files = key && existsSync4(dir) ? readdirSync(dir) : [];
+  const files = key && existsSync7(dir) ? readdirSync(dir) : [];
   for (const file of files) {
     const name = envNameFromFile(file);
     if (!name) continue;
     try {
-      const box = JSON.parse(readFileSync3(join2(dir, file), "utf8"));
+      const box = JSON.parse(readFileSync6(join5(dir, file), "utf8"));
       env[name] = openString(box, key);
       applied.push(name);
     } catch (e) {
@@ -2715,7 +3059,7 @@ function startSecretsWatcher(opts = {}) {
     appliedNames = new Set(r.applied);
   };
   run();
-  if (!existsSync4(dir)) return () => {
+  if (!existsSync7(dir)) return () => {
   };
   let timer = null;
   const watcher = watch(dir, () => {
@@ -2815,9 +3159,9 @@ function decideMerge(paths, policy = SECURE_DEFAULT_POLICY, agentRisk) {
 }
 async function loadMergePolicy(worktreeDir) {
   const { readFile } = await import("fs/promises");
-  const { join: join20 } = await import("path");
+  const { join: join21 } = await import("path");
   try {
-    const raw = await readFile(join20(worktreeDir, ".openape", "coding.json"), "utf8");
+    const raw = await readFile(join21(worktreeDir, ".openape", "coding.json"), "utf8");
     const parsed = JSON.parse(raw);
     const mp = parsed.mergePolicy;
     if (!mp) return SECURE_DEFAULT_POLICY;
@@ -2877,8 +3221,14 @@ async function runCodingTask(input, deps) {
 
 Worktree: ${worktree}`,
     tools: deps.tools,
-    maxSteps: deps.maxSteps
+    maxSteps: deps.maxSteps,
+    streamAggregate: deps.streamAggregate
   });
+  if (process.env.OPENAPE_VERBOSE_TRACE === "1") {
+    for (const t of run.trace) {
+      log(`[trace] step=${t.step} type=${t.type}${t.tool ? ` tool=${t.tool}` : ""} ${t.preview}`);
+    }
+  }
   if (run.status !== "ok") {
     return { branch, worktree, runStatus: "error", changedFiles: [], outcome: "run-failed", reason: `coding loop errored after ${run.stepCount} steps` };
   }
@@ -3054,15 +3404,15 @@ function parseCodeowners(text) {
 }
 async function deriveRiskGlobs(worktreeDir) {
   const { readFile, readdir } = await import("fs/promises");
-  const { join: join20 } = await import("path");
+  const { join: join21 } = await import("path");
   const globs = /* @__PURE__ */ new Set();
   try {
-    const wfDir = join20(worktreeDir, ".github", "workflows");
+    const wfDir = join21(worktreeDir, ".github", "workflows");
     const files = await readdir(wfDir);
     for (const f of files) {
       if (!/deploy.*\.ya?ml$/i.test(f)) continue;
       try {
-        const text = await readFile(join20(wfDir, f), "utf8");
+        const text = await readFile(join21(wfDir, f), "utf8");
         for (const g of extractWorkflowPaths(text)) globs.add(g);
       } catch {
       }
@@ -3071,7 +3421,7 @@ async function deriveRiskGlobs(worktreeDir) {
   }
   for (const loc of [".github/CODEOWNERS", "CODEOWNERS", "docs/CODEOWNERS"]) {
     try {
-      const text = await readFile(join20(worktreeDir, loc), "utf8");
+      const text = await readFile(join21(worktreeDir, loc), "utf8");
       for (const g of parseCodeowners(text)) globs.add(g);
       break;
     } catch {
@@ -3102,29 +3452,29 @@ var DEFAULT_PERSONA = [
 ].join(" ");
 function readLitellmConfig(model) {
   const env = {};
-  const envPath = join3(homedir5(), "litellm", ".env");
-  if (existsSync5(envPath)) {
-    for (const raw of readFileSync4(envPath, "utf8").split("\n")) {
+  const envPath = join6(homedir5(), "litellm", ".env");
+  if (existsSync8(envPath)) {
+    for (const raw of readFileSync7(envPath, "utf8").split("\n")) {
       const line = raw.trim();
       const m = /^([A-Z_][A-Z0-9_]*)=(.*)$/.exec(line);
       if (m) env[m[1]] = m[2].trim().replace(/^["']|["']$/g, "");
     }
   }
   for (const k of ["LITELLM_API_KEY", "LITELLM_MASTER_KEY", "LITELLM_BASE_URL"]) {
-    if (process2.env[k]) env[k] = process2.env[k];
+    if (process3.env[k]) env[k] = process3.env[k];
   }
   const apiBase = (env.LITELLM_BASE_URL || "http://127.0.0.1:4000/v1").replace(/\/$/, "");
   const isLoopback = /^https?:\/\/(?:127\.0\.0\.1|localhost|\[::1\])(?::\d+)?(?:\/|$)/.test(apiBase);
   const apiKey = env.LITELLM_API_KEY || env.LITELLM_MASTER_KEY || (isLoopback ? "sk-loopback-noauth" : "");
   if (!apiKey) throw new CliError2("No LITELLM_API_KEY / LITELLM_MASTER_KEY for non-loopback LITELLM_BASE_URL.");
-  return { apiBase, apiKey, model: model || process2.env.APE_CHAT_BRIDGE_MODEL || "claude-haiku-4-5" };
+  return { apiBase, apiKey, model: model || process3.env.APE_CHAT_BRIDGE_MODEL || "claude-haiku-4-5" };
 }
 function readPersona(file) {
-  if (file && existsSync5(file)) return readFileSync4(file, "utf8");
-  const agentJson = join3(homedir5(), ".openape", "agent", "agent.json");
-  if (existsSync5(agentJson)) {
+  if (file && existsSync8(file)) return readFileSync7(file, "utf8");
+  const agentJson = join6(homedir5(), ".openape", "agent", "agent.json");
+  if (existsSync8(agentJson)) {
     try {
-      const p = JSON.parse(readFileSync4(agentJson, "utf8"));
+      const p = JSON.parse(readFileSync7(agentJson, "utf8"));
       if (p.systemPrompt?.trim()) return p.systemPrompt;
     } catch {
     }
@@ -3165,6 +3515,7 @@ var codeAgentCommand = defineCommand24({
     const persona = readPersona(args["persona-file"]);
     const maxSteps = Number(args["max-steps"]) > 0 ? Number(args["max-steps"]) : 40;
     const tools = taskTools(CODING_TOOLS);
+    const streamAggregate = process3.env.OPENAPE_STREAM_AGGREGATE === "1";
     const deps = {
       runtimeConfig: config,
       tools,
@@ -3173,7 +3524,8 @@ var codeAgentCommand = defineCommand24({
       resolvePolicy: (worktree) => resolveMergePolicy(worktree),
       reviewer: createLlmReviewer(config),
       riskAssessor: createLlmRiskAssessor(config),
-      log: (l) => consola21.info(l)
+      log: (l) => consola21.info(l),
+      streamAggregate
     };
     const refs = [];
     if (args["poll-label"]) {
@@ -3207,30 +3559,30 @@ ${result.reason}`);
 });
 
 // src/commands/agents/destroy.ts
-import { execFileSync as execFileSync6 } from "child_process";
-import { mkdtempSync, rmSync as rmSync2, writeFileSync as writeFileSync2 } from "fs";
-import { tmpdir, userInfo } from "os";
-import { join as join5 } from "path";
+import { execFileSync as execFileSync12 } from "child_process";
+import { mkdtempSync as mkdtempSync3, rmSync as rmSync4, writeFileSync as writeFileSync6 } from "fs";
+import { tmpdir as tmpdir3, userInfo as userInfo2 } from "os";
+import { join as join8 } from "path";
 import { defineCommand as defineCommand25 } from "citty";
 import consola22 from "consola";
 
 // src/lib/nest-registry.ts
-import { existsSync as existsSync6, mkdirSync, readFileSync as readFileSync5, writeFileSync } from "fs";
+import { existsSync as existsSync9, mkdirSync as mkdirSync2, readFileSync as readFileSync8, writeFileSync as writeFileSync5 } from "fs";
 import { homedir as homedir6 } from "os";
-import { join as join4 } from "path";
+import { join as join7 } from "path";
 function resolveRegistryPath() {
-  if (existsSync6("/var/openape/nest/agents.json")) return "/var/openape/nest/agents.json";
-  if (existsSync6("/var/openape/nest")) return "/var/openape/nest/agents.json";
-  return join4(homedir6(), ".openape", "nest", "agents.json");
+  if (existsSync9("/var/openape/nest/agents.json")) return "/var/openape/nest/agents.json";
+  if (existsSync9("/var/openape/nest")) return "/var/openape/nest/agents.json";
+  return join7(homedir6(), ".openape", "nest", "agents.json");
 }
 function emptyRegistry() {
   return { version: 1, agents: [] };
 }
 function readNestRegistry() {
   const path2 = resolveRegistryPath();
-  if (!existsSync6(path2)) return emptyRegistry();
+  if (!existsSync9(path2)) return emptyRegistry();
   try {
-    const parsed = JSON.parse(readFileSync5(path2, "utf8"));
+    const parsed = JSON.parse(readFileSync8(path2, "utf8"));
     if (parsed?.version !== 1 || !Array.isArray(parsed.agents)) return emptyRegistry();
     return parsed;
   } catch {
@@ -3241,10 +3593,10 @@ function writeNestRegistry(reg) {
   const path2 = resolveRegistryPath();
   const dir = path2.replace(/\/agents\.json$/, "");
   try {
-    mkdirSync(dir, { recursive: true });
+    mkdirSync2(dir, { recursive: true });
   } catch {
   }
-  writeFileSync(path2, `${JSON.stringify(reg, null, 2)}
+  writeFileSync5(path2, `${JSON.stringify(reg, null, 2)}
 `, { mode: 432 });
 }
 function upsertNestAgent(entry) {
@@ -3357,8 +3709,9 @@ var destroyAgentCommand = defineCommand25({
       if (process.geteuid?.() !== 0) {
         throw new CliError("--root-stage was passed but this process is not running as root. Refusing to continue.");
       }
-      const resolved = lookupMacOSUserForAgent(name);
-      const macOSUsername = resolved?.name ?? macOSUsernameForAgent(name);
+      const platform = getHostPlatform();
+      const resolved = platform.lookupAgentUser(name);
+      const macOSUsername = resolved?.name ?? platform.agentUsername(name);
       const homeDir = resolved?.homeDir ?? `/var/openape/homes/${macOSUsername}`;
       consola22.start(`Running teardown for ${name} (Phase-G, root-stage)\u2026`);
       runPhaseGTeardownInProcess({ name, homeDir, macOSUsername });
@@ -3375,7 +3728,7 @@ var destroyAgentCommand = defineCommand25({
     const owned = await apiFetch("/api/my-agents", { idp });
     const idpAgent = owned.find((u) => u.name === name);
     const idpExists = idpAgent !== void 0;
-    const osUser = isDarwin() ? lookupMacOSUserForAgent(name) : null;
+    const osUser = isDarwin2() ? getHostPlatform().lookupAgentUser(name) : null;
     const osUserExists = !args["keep-os-user"] && osUser !== null;
     if (!idpExists && !osUserExists) {
       consola22.info(`Nothing to destroy: no IdP agent and no OS user for "${name}".`);
@@ -3415,7 +3768,7 @@ ${consequences.join("\n")}`);
       consola22.info("No IdP agent to remove (skipped).");
     }
     if (osUserExists) {
-      const macOSUsername = osUser?.name ?? macOSUsernameForAgent(name);
+      const macOSUsername = osUser?.name ?? getHostPlatform().agentUsername(name);
       const fallbackHome = macOSUsername.startsWith("openape-agent-") ? `/var/openape/homes/${macOSUsername}` : `/Users/${macOSUsername}`;
       const homeDir = osUser?.homeDir ?? fallbackHome;
       const isPhaseG = homeDir.startsWith("/var/openape/homes/");
@@ -3425,7 +3778,7 @@ ${consequences.join("\n")}`);
           runPhaseGTeardownInProcess({ name, homeDir, macOSUsername });
         } else {
           consola22.start("Running teardown (Phase G \u2014 no admin password needed)\u2026");
-          execFileSync6("apes", [
+          execFileSync12("apes", [
             "run",
             "--as",
             "root",
@@ -3445,7 +3798,7 @@ ${consequences.join("\n")}`);
         if (!sudo) {
           throw new CliError("`sudo` not found on PATH; required for OS teardown.");
         }
-        const adminUser = userInfo().username;
+        const adminUser = userInfo2().username;
         let adminPassword;
         try {
           adminPassword = await collectAdminPassword({ adminUser });
@@ -3459,24 +3812,24 @@ ${consequences.join("\n")}`);
           }
         }
         if (adminPassword) {
-          const scratch = mkdtempSync(join5(tmpdir(), `apes-destroy-${name}-`));
-          const scriptPath = join5(scratch, "teardown.sh");
+          const scratch = mkdtempSync3(join8(tmpdir3(), `apes-destroy-${name}-`));
+          const scriptPath = join8(scratch, "teardown.sh");
           try {
             const script = buildDestroyTeardownScript({ name, homeDir, adminUser });
-            writeFileSync2(scriptPath, script, { mode: 448 });
+            writeFileSync6(scriptPath, script, { mode: 448 });
             consola22.start("Running teardown via sudo\u2026");
-            execFileSync6(sudo, ["-S", "--prompt=", "--", "bash", scriptPath], {
+            execFileSync12(sudo, ["-S", "--prompt=", "--", "bash", scriptPath], {
               input: `${adminPassword}
 ${adminPassword}
 `,
               stdio: ["pipe", "inherit", "inherit"]
             });
           } finally {
-            rmSync2(scratch, { recursive: true, force: true });
+            rmSync4(scratch, { recursive: true, force: true });
           }
         }
       }
-    } else if (!args["keep-os-user"] && isDarwin()) {
+    } else if (!args["keep-os-user"] && isDarwin2()) {
       consola22.info("No macOS user to remove (skipped).");
     }
     try {
@@ -3526,11 +3879,12 @@ var listAgentsCommand = defineCommand26({
     }
     const all = await apiFetch("/api/my-agents", { idp });
     const filtered = args["include-inactive"] ? all : all.filter((u) => u.isActive !== false);
-    const osUsers = isDarwin() ? listMacOSUserNames() : /* @__PURE__ */ new Set();
+    const platform = getHostPlatform();
+    const osUsers = isDarwin2() ? platform.listAgentUserNames() : /* @__PURE__ */ new Set();
     const osStateOf = (agentName) => {
-      const u = lookupMacOSUserForAgent(agentName);
+      const u = platform.lookupAgentUser(agentName);
       if (u) return { osUser: true, home: u.homeDir };
-      if (osUsers.has(macOSUsernameForAgent(agentName)) || osUsers.has(agentName)) {
+      if (osUsers.has(platform.agentUsername(agentName)) || osUsers.has(agentName)) {
         return { osUser: true, home: null };
       }
       return { osUser: false, home: null };
@@ -3562,14 +3916,14 @@ var listAgentsCommand = defineCommand26({
     for (const r of rows) {
       const active = r.isActive ? "\u2713" : "\u2717";
       const os = r.osUser ? "\u2713" : "\u2717";
-      const homeCol = r.home ?? (isDarwin() ? "(missing)" : "(non-darwin)");
+      const homeCol = r.home ?? (isDarwin2() ? "(missing)" : "(non-darwin)");
       console.log(`${r.name.padEnd(nameW)}  ${r.email.padEnd(emailW)}  ${active.padEnd(6)}  ${os.padEnd(7)}  ${homeCol}`);
     }
   }
 });
 
 // src/commands/agents/register.ts
-import { existsSync as existsSync7, readFileSync as readFileSync6 } from "fs";
+import { existsSync as existsSync10, readFileSync as readFileSync9 } from "fs";
 import { defineCommand as defineCommand27 } from "citty";
 import consola24 from "consola";
 var registerAgentCommand = defineCommand27({
@@ -3617,10 +3971,10 @@ var registerAgentCommand = defineCommand27({
       throw new CliError("Pass either --public-key or --public-key-file, not both.");
     }
     if (!publicKey && keyFile) {
-      if (!existsSync7(keyFile)) {
+      if (!existsSync10(keyFile)) {
         throw new CliError(`Public-key file not found: ${keyFile}`);
       }
-      publicKey = readFileSync6(keyFile, "utf-8").trim();
+      publicKey = readFileSync9(keyFile, "utf-8").trim();
     }
     if (!publicKey) {
       throw new CliError('Provide --public-key "<ssh-ed25519 line>" or --public-key-file <path>.');
@@ -3655,18 +4009,18 @@ var registerAgentCommand = defineCommand27({
 });
 
 // src/commands/agents/run.ts
-import { existsSync as existsSync8, readFileSync as readFileSync7 } from "fs";
+import { existsSync as existsSync11, readFileSync as readFileSync10 } from "fs";
 import { homedir as homedir7 } from "os";
-import { join as join6 } from "path";
+import { join as join9 } from "path";
 import { defineCommand as defineCommand28 } from "citty";
 import consola25 from "consola";
-var AUTH_PATH = join6(homedir7(), ".config", "apes", "auth.json");
-var TASK_CACHE_DIR = join6(homedir7(), ".openape", "agent", "tasks");
+var AUTH_PATH = join9(homedir7(), ".config", "apes", "auth.json");
+var TASK_CACHE_DIR = join9(homedir7(), ".openape", "agent", "tasks");
 function readAuth() {
-  if (!existsSync8(AUTH_PATH)) {
+  if (!existsSync11(AUTH_PATH)) {
     throw new CliError(`No agent auth found at ${AUTH_PATH}. Run \`apes agents spawn <name>\` first.`);
   }
-  const parsed = JSON.parse(readFileSync7(AUTH_PATH, "utf8"));
+  const parsed = JSON.parse(readFileSync10(AUTH_PATH, "utf8"));
   if (!parsed.access_token) throw new CliError("auth.json missing access_token");
   return parsed;
 }
@@ -3702,26 +4056,26 @@ ${msg}`.slice(0, 9e3);
   }
 }
 function readTaskSpec(taskId) {
-  const path2 = join6(TASK_CACHE_DIR, `${taskId}.json`);
-  if (!existsSync8(path2)) {
+  const path2 = join9(TASK_CACHE_DIR, `${taskId}.json`);
+  if (!existsSync11(path2)) {
     throw new CliError(`No cached task spec at ${path2}. Run \`apes agents sync\` first to pull the task list from troop.`);
   }
-  return JSON.parse(readFileSync7(path2, "utf8"));
+  return JSON.parse(readFileSync10(path2, "utf8"));
 }
-var AGENT_CONFIG_PATH = join6(homedir7(), ".openape", "agent", "agent.json");
+var AGENT_CONFIG_PATH = join9(homedir7(), ".openape", "agent", "agent.json");
 function readAgentConfig() {
-  if (!existsSync8(AGENT_CONFIG_PATH)) return { systemPrompt: "" };
+  if (!existsSync11(AGENT_CONFIG_PATH)) return { systemPrompt: "" };
   try {
-    return JSON.parse(readFileSync7(AGENT_CONFIG_PATH, "utf8"));
+    return JSON.parse(readFileSync10(AGENT_CONFIG_PATH, "utf8"));
   } catch {
     return { systemPrompt: "" };
   }
 }
 function readLitellmConfig2(model) {
-  const envPath = join6(homedir7(), "litellm", ".env");
+  const envPath = join9(homedir7(), "litellm", ".env");
   const env = {};
-  if (existsSync8(envPath)) {
-    for (const line of readFileSync7(envPath, "utf8").split(/\r?\n/)) {
+  if (existsSync11(envPath)) {
+    for (const line of readFileSync10(envPath, "utf8").split(/\r?\n/)) {
       const m = line.match(/^([A-Z_]+)=(.*)$/);
       if (m) env[m[1]] = m[2].replace(/^["']|["']$/g, "");
     }
@@ -3827,17 +4181,17 @@ var runAgentCommand = defineCommand28({
 });
 
 // src/commands/agents/serve.ts
-import { existsSync as existsSync9, readFileSync as readFileSync8 } from "fs";
+import { existsSync as existsSync12, readFileSync as readFileSync11 } from "fs";
 import { homedir as homedir8 } from "os";
-import { join as join7 } from "path";
+import { join as join10 } from "path";
 import { createInterface } from "readline";
 import { defineCommand as defineCommand29 } from "citty";
-var AUTH_PATH2 = join7(homedir8(), ".config", "apes", "auth.json");
+var AUTH_PATH2 = join10(homedir8(), ".config", "apes", "auth.json");
 function readLitellmConfig3(model) {
-  const envPath = join7(homedir8(), "litellm", ".env");
+  const envPath = join10(homedir8(), "litellm", ".env");
   const env = {};
-  if (existsSync9(envPath)) {
-    for (const line of readFileSync8(envPath, "utf8").split(/\r?\n/)) {
+  if (existsSync12(envPath)) {
+    for (const line of readFileSync11(envPath, "utf8").split(/\r?\n/)) {
       const m = line.match(/^([A-Z_]+)=(.*)$/);
       if (m) env[m[1]] = m[2].replace(/^["']|["']$/g, "");
     }
@@ -3869,9 +4223,9 @@ var serveAgentCommand = defineCommand29({
     if (!args.rpc) {
       throw new CliError("apes agents serve currently only supports --rpc mode");
     }
-    if (existsSync9(AUTH_PATH2)) {
+    if (existsSync12(AUTH_PATH2)) {
       try {
-        JSON.parse(readFileSync8(AUTH_PATH2, "utf8"));
+        JSON.parse(readFileSync11(AUTH_PATH2, "utf8"));
       } catch {
       }
     }
@@ -3951,10 +4305,6 @@ async function handleInbound(msg, sessions) {
 }
 
 // src/commands/agents/spawn.ts
-import { execFileSync as execFileSync8 } from "child_process";
-import { mkdtempSync as mkdtempSync2, rmSync as rmSync3, writeFileSync as writeFileSync4 } from "fs";
-import { tmpdir as tmpdir2 } from "os";
-import { join as join9 } from "path";
 import { defineCommand as defineCommand30 } from "citty";
 import consola26 from "consola";
 
@@ -4012,7 +4362,7 @@ ${envBlock}  <key>StartInterval</key>
 
 // src/lib/keygen.ts
 import { Buffer as Buffer4 } from "buffer";
-import { existsSync as existsSync10, mkdirSync as mkdirSync2, readFileSync as readFileSync9, writeFileSync as writeFileSync3 } from "fs";
+import { existsSync as existsSync13, mkdirSync as mkdirSync3, readFileSync as readFileSync12, writeFileSync as writeFileSync7 } from "fs";
 import { generateKeyPairSync } from "crypto";
 import { homedir as homedir9 } from "os";
 import { dirname, resolve as resolve2 } from "path";
@@ -4031,10 +4381,10 @@ function buildSshEd25519Line(rawPub) {
 }
 function readPublicKey(keyPath) {
   const pubPath = `${keyPath}.pub`;
-  if (existsSync10(pubPath)) {
-    return readFileSync9(pubPath, "utf-8").trim();
+  if (existsSync13(pubPath)) {
+    return readFileSync12(pubPath, "utf-8").trim();
   }
-  const keyContent = readFileSync9(keyPath, "utf-8");
+  const keyContent = readFileSync12(keyPath, "utf-8");
   const privateKey = loadEd25519PrivateKey(keyContent);
   const jwk = privateKey.export({ format: "jwk" });
   const pubBytes = Buffer4.from(jwk.x, "base64url");
@@ -4043,16 +4393,16 @@ function readPublicKey(keyPath) {
 function generateAndSaveKey(keyPath) {
   const resolved = resolveKeyPath(keyPath);
   const dir = dirname(resolved);
-  if (!existsSync10(dir)) {
-    mkdirSync2(dir, { recursive: true });
+  if (!existsSync13(dir)) {
+    mkdirSync3(dir, { recursive: true });
   }
   const { publicKey, privateKey } = generateKeyPairSync("ed25519");
   const privatePem = privateKey.export({ type: "pkcs8", format: "pem" });
-  writeFileSync3(resolved, privatePem, { mode: 384 });
+  writeFileSync7(resolved, privatePem, { mode: 384 });
   const jwk = publicKey.export({ format: "jwk" });
   const pubBytes = Buffer4.from(jwk.x, "base64url");
   const pubKeyStr = buildSshEd25519Line(pubBytes);
-  writeFileSync3(`${resolved}.pub`, `${pubKeyStr}
+  writeFileSync7(`${resolved}.pub`, `${pubKeyStr}
 `, { mode: 420 });
   return pubKeyStr;
 }
@@ -4071,15 +4421,15 @@ function generateKeyPairInMemory() {
 }
 
 // src/lib/llm-bridge.ts
-import { execFileSync as execFileSync7 } from "child_process";
-import { existsSync as existsSync11, readFileSync as readFileSync10 } from "fs";
+import { execFileSync as execFileSync13 } from "child_process";
+import { existsSync as existsSync14, readFileSync as readFileSync13 } from "fs";
 import { homedir as homedir10 } from "os";
-import { dirname as dirname2, join as join8 } from "path";
+import { dirname as dirname2, join as join11 } from "path";
 var PLIST_LABEL_PREFIX = "eco.hofmann.apes.bridge";
-function readLitellmEnv(envPath = join8(homedir10(), "litellm", ".env")) {
-  if (!existsSync11(envPath)) return null;
+function readLitellmEnv(envPath = join11(homedir10(), "litellm", ".env")) {
+  if (!existsSync14(envPath)) return null;
   try {
-    const text = readFileSync10(envPath, "utf8");
+    const text = readFileSync13(envPath, "utf8");
     const out = {};
     for (const line of text.split("\n")) {
       const trimmed = line.trim();
@@ -4115,7 +4465,7 @@ function captureHostBinDirs() {
   for (const bin of ["node", "ape-agent", "apes"]) {
     let resolved;
     try {
-      resolved = execFileSync7("/usr/bin/which", [bin], { encoding: "utf8" }).trim();
+      resolved = execFileSync13("/usr/bin/which", [bin], { encoding: "utf8" }).trim();
     } catch {
       const installCmd = bin === "ape-agent" ? "npm i -g @openape/ape-agent" : bin === "apes" ? "npm i -g @openape/apes" : "install Node.js (e.g. brew install node)";
       throw new Error(`'${bin}' not found on host PATH. ${installCmd} before spawning agents \u2014 the bridge runtime resolves these at spawn time and bakes the dir into the agent's launchd plist.`);
@@ -4210,7 +4560,7 @@ function buildBridgePlist(agentName, homeDir, ownerEmail, hostBinDirs) {
 // src/commands/agents/spawn.ts
 function readMacOSUidOrNull(name) {
   try {
-    const u = readMacOSUser(name);
+    const u = getHostPlatform().readAgentUser(name);
     return u?.uid ?? null;
   } catch {
     return null;
@@ -4267,7 +4617,7 @@ var spawnAgentCommand = defineCommand30({
         `Invalid agent name "${name}". Must match /^[a-z][a-z0-9-]{0,23}$/ \u2014 lowercase letters, digits and hyphens, 1\u201324 chars, must start with a letter.`
       );
     }
-    if (!isDarwin()) {
+    if (!isDarwin2()) {
       throw new CliError(
         `\`apes agents spawn\` is currently macOS-only. Detected platform: ${process.platform}. Linux support is a follow-up; for now, use \`apes agents register\` plus a manually provisioned user.`
       );
@@ -4298,14 +4648,13 @@ var spawnAgentCommand = defineCommand30({
 and try again.`
       );
     }
-    const macOSUsername = macOSUsernameForAgent(name);
-    const existing = readMacOSUser(macOSUsername) ?? readMacOSUser(name);
+    const platform = getHostPlatform();
+    const macOSUsername = platform.agentUsername(name);
+    const existing = platform.readAgentUser(macOSUsername) ?? platform.readAgentUser(name);
     if (existing) {
       throw new CliError(`macOS user "${existing.name}" already exists (uid=${existing.uid ?? "?"}). Refusing to overwrite.`);
     }
     const homeDir = `/var/openape/homes/${macOSUsername}`;
-    const scratch = mkdtempSync2(join9(tmpdir2(), `apes-spawn-${name}-`));
-    const scriptPath = join9(scratch, "setup.sh");
     try {
       consola26.start(`Generating keypair for ${name}\u2026`);
       const { privatePem, publicSshLine, x25519PrivateKey, x25519PublicKey } = generateKeyPairInMemory();
@@ -4379,16 +4728,11 @@ and try again.`
         bridge,
         troop
       });
-      writeFileSync4(scriptPath, script, { mode: 448 });
-      const alreadyRoot = process.getuid?.() === 0;
-      if (alreadyRoot) {
-        consola26.start("Running privileged setup directly (already root)\u2026");
-        execFileSync8("bash", [scriptPath], { stdio: "inherit" });
-      } else {
-        consola26.start("Running privileged setup as root via `apes run --as root --wait`\u2026");
+      consola26.start("Running privileged setup\u2026");
+      if (process.getuid?.() !== 0) {
         consola26.info("You will be asked to approve the as=root grant in your DDISA inbox; this command blocks until you do.");
-        execFileSync8(apes, ["run", "--as", "root", "--wait", "--", "bash", scriptPath], { stdio: "inherit" });
       }
+      await platform.runPrivilegedBash(script);
       try {
         const uid = readMacOSUidOrNull(macOSUsername) ?? readMacOSUidOrNull(name);
         upsertNestAgent({
@@ -4416,7 +4760,6 @@ and try again.`
       console.log("Run as the agent with:");
       console.log(`  apes run --as ${name} -- claude --session-name ${name} --dangerously-skip-permissions`);
     } finally {
-      rmSync3(scratch, { recursive: true, force: true });
     }
   }
 });
@@ -4444,46 +4787,20 @@ async function resolveClaudeToken(opts) {
 }
 
 // src/commands/agents/sync.ts
-import { chownSync, existsSync as existsSync12, mkdirSync as mkdirSync3, readdirSync as readdirSync2, readFileSync as readFileSync11, rmSync as rmSync4, statSync, writeFileSync as writeFileSync5 } from "fs";
+import { chownSync, existsSync as existsSync15, mkdirSync as mkdirSync4, readdirSync as readdirSync2, readFileSync as readFileSync14, rmSync as rmSync5, statSync, writeFileSync as writeFileSync8 } from "fs";
 import { homedir as homedir11 } from "os";
-import { join as join10 } from "path";
+import { join as join12 } from "path";
 import { defineCommand as defineCommand31 } from "citty";
 import consola27 from "consola";
-
-// src/lib/macos-host.ts
-import { execFileSync as execFileSync9 } from "child_process";
-import { hostname as hostname3 } from "os";
-function getHostId() {
-  try {
-    const output = execFileSync9(
-      "/usr/sbin/ioreg",
-      ["-d2", "-c", "IOPlatformExpertDevice"],
-      { encoding: "utf8", timeout: 2e3 }
-    );
-    const match = output.match(/"IOPlatformUUID"\s*=\s*"([^"]+)"/);
-    return match ? match[1].trim().toLowerCase() : "";
-  } catch {
-    return "";
-  }
-}
-function getHostname() {
-  try {
-    return hostname3();
-  } catch {
-    return "";
-  }
-}
-
-// src/commands/agents/sync.ts
-var AUTH_PATH3 = join10(homedir11(), ".config", "apes", "auth.json");
-var TASK_CACHE_DIR2 = join10(homedir11(), ".openape", "agent", "tasks");
+var AUTH_PATH3 = join12(homedir11(), ".config", "apes", "auth.json");
+var TASK_CACHE_DIR2 = join12(homedir11(), ".openape", "agent", "tasks");
 function readAuthJson() {
-  if (!existsSync12(AUTH_PATH3)) {
+  if (!existsSync15(AUTH_PATH3)) {
     throw new CliError(
       `No agent auth found at ${AUTH_PATH3}. Run \`apes agents spawn <name>\` to provision an agent first.`
     );
   }
-  const raw = readFileSync11(AUTH_PATH3, "utf8");
+  const raw = readFileSync14(AUTH_PATH3, "utf8");
   let parsed;
   try {
     parsed = JSON.parse(raw);
@@ -4523,8 +4840,9 @@ var syncAgentCommand = defineCommand31({
     const agentName = agentNameFromEmail(auth.email);
     const troopUrl = resolveTroopUrl(args["troop-url"]);
     const client = new TroopClient(troopUrl, auth.access_token);
-    const hostId = getHostId();
-    const host = getHostname();
+    const platform = getHostPlatform();
+    const hostId = platform.getHostId();
+    const host = platform.getHostname();
     if (!hostId) {
       throw new CliError("Could not read IOPlatformUUID \u2014 is this macOS? Troop sync only works on macOS for v1.");
     }
@@ -4563,46 +4881,46 @@ var syncAgentCommand = defineCommand31({
         }
       }
     }
-    const agentDir = join10(homedir11(), ".openape", "agent");
-    mkdirSync3(agentDir, { recursive: true });
-    chownToAgent(join10(homedir11(), ".openape"));
+    const agentDir = join12(homedir11(), ".openape", "agent");
+    mkdirSync4(agentDir, { recursive: true });
+    chownToAgent(join12(homedir11(), ".openape"));
     chownToAgent(agentDir);
-    const agentJsonPath = join10(agentDir, "agent.json");
-    writeFileSync5(
+    const agentJsonPath = join12(agentDir, "agent.json");
+    writeFileSync8(
       agentJsonPath,
       `${JSON.stringify({ systemPrompt, tools }, null, 2)}
 `,
       { mode: 384 }
     );
     chownToAgent(agentJsonPath);
-    mkdirSync3(TASK_CACHE_DIR2, { recursive: true });
+    mkdirSync4(TASK_CACHE_DIR2, { recursive: true });
     chownToAgent(TASK_CACHE_DIR2);
     for (const task of tasks) {
-      const path2 = join10(TASK_CACHE_DIR2, `${task.taskId}.json`);
-      writeFileSync5(path2, `${JSON.stringify(task, null, 2)}
+      const path2 = join12(TASK_CACHE_DIR2, `${task.taskId}.json`);
+      writeFileSync8(path2, `${JSON.stringify(task, null, 2)}
 `, { mode: 384 });
       chownToAgent(path2);
     }
-    const skillsDir = join10(agentDir, "skills");
-    mkdirSync3(skillsDir, { recursive: true });
+    const skillsDir = join12(agentDir, "skills");
+    mkdirSync4(skillsDir, { recursive: true });
     chownToAgent(skillsDir);
     const incomingNames = new Set(skills.map((s) => s.name));
     try {
       for (const entry of readdirSync2(skillsDir)) {
         if (incomingNames.has(entry)) continue;
         try {
-          rmSync4(join10(skillsDir, entry), { recursive: true, force: true });
+          rmSync5(join12(skillsDir, entry), { recursive: true, force: true });
         } catch {
         }
       }
     } catch {
     }
     for (const skill of skills) {
-      const skillDir = join10(skillsDir, skill.name);
-      mkdirSync3(skillDir, { recursive: true });
+      const skillDir = join12(skillsDir, skill.name);
+      mkdirSync4(skillDir, { recursive: true });
       chownToAgent(skillDir);
-      const skillPath = join10(skillDir, "SKILL.md");
-      writeFileSync5(skillPath, skill.body.endsWith("\n") ? skill.body : `${skill.body}
+      const skillPath = join12(skillDir, "SKILL.md");
+      writeFileSync8(skillPath, skill.body.endsWith("\n") ? skill.body : `${skill.body}
 `, { mode: 384 });
       chownToAgent(skillPath);
     }
@@ -4634,21 +4952,21 @@ var agentsCommand = defineCommand32({
 import { defineCommand as defineCommand40 } from "citty";
 
 // src/commands/nest/authorize.ts
-import { execFileSync as execFileSync10 } from "child_process";
-import { existsSync as existsSync14, readFileSync as readFileSync12 } from "fs";
-import { join as join12 } from "path";
+import { execFileSync as execFileSync14 } from "child_process";
+import { existsSync as existsSync17, readFileSync as readFileSync15 } from "fs";
+import { join as join14 } from "path";
 import { defineCommand as defineCommand34 } from "citty";
 import consola29 from "consola";
 
 // src/commands/nest/enroll.ts
-import { hostname as hostname4, homedir as homedir12 } from "os";
-import { existsSync as existsSync13, mkdirSync as mkdirSync4, writeFileSync as writeFileSync6, chmodSync } from "fs";
-import { join as join11 } from "path";
+import { hostname as hostname5, homedir as homedir12 } from "os";
+import { existsSync as existsSync16, mkdirSync as mkdirSync5, writeFileSync as writeFileSync9, chmodSync } from "fs";
+import { join as join13 } from "path";
 import { defineCommand as defineCommand33 } from "citty";
 import consola28 from "consola";
-var NEST_DATA_DIR = join11(homedir12(), ".openape", "nest");
+var NEST_DATA_DIR = join13(homedir12(), ".openape", "nest");
 function nestAgentName() {
-  const raw = hostname4().toLowerCase();
+  const raw = hostname5().toLowerCase();
   const head = raw.split(".")[0] ?? raw;
   const safe = head.replace(/[^a-z0-9-]/g, "-").replace(/-+/g, "-").replace(/^-+|-+$/g, "");
   const trimmed = safe.slice(0, 16);
@@ -4679,19 +4997,19 @@ var enrollNestCommand = defineCommand33({
       throw new CliError("Run `apes login <email>` first \u2014 nest enroll attaches the new identity to your owner account.");
     }
     const name = args.name || nestAgentName();
-    const authPath = join11(NEST_DATA_DIR, ".config", "apes", "auth.json");
-    if (existsSync13(authPath) && !args.force) {
+    const authPath = join13(NEST_DATA_DIR, ".config", "apes", "auth.json");
+    if (existsSync16(authPath) && !args.force) {
       throw new CliError(`Nest already enrolled at ${authPath}. Pass --force to re-enroll.`);
     }
-    const sshDir = join11(NEST_DATA_DIR, ".ssh");
-    const configDir = join11(NEST_DATA_DIR, ".config", "apes");
-    mkdirSync4(sshDir, { recursive: true });
-    mkdirSync4(configDir, { recursive: true });
+    const sshDir = join13(NEST_DATA_DIR, ".ssh");
+    const configDir = join13(NEST_DATA_DIR, ".config", "apes");
+    mkdirSync5(sshDir, { recursive: true });
+    mkdirSync5(configDir, { recursive: true });
     consola28.start(`Generating keypair for ${name}\u2026`);
     const { privatePem, publicSshLine } = generateKeyPairInMemory();
-    writeFileSync6(join11(sshDir, "id_ed25519"), `${privatePem.trimEnd()}
+    writeFileSync9(join13(sshDir, "id_ed25519"), `${privatePem.trimEnd()}
 `, { mode: 384 });
-    writeFileSync6(join11(sshDir, "id_ed25519.pub"), `${publicSshLine}
+    writeFileSync9(join13(sshDir, "id_ed25519.pub"), `${publicSshLine}
 `, { mode: 420 });
     chmodSync(sshDir, 448);
     consola28.start(`Registering nest at ${idp}\u2026`);
@@ -4708,10 +5026,10 @@ var enrollNestCommand = defineCommand33({
       accessToken: token,
       email: registration.email,
       expiresAt: Math.floor(Date.now() / 1e3) + expiresIn,
-      keyPath: join11(sshDir, "id_ed25519"),
+      keyPath: join13(sshDir, "id_ed25519"),
       ownerEmail: ownerAuth.email
     });
-    writeFileSync6(authPath, authJson, { mode: 384 });
+    writeFileSync9(authPath, authJson, { mode: 384 });
     chmodSync(configDir, 448);
     consola28.success(`Nest enrolled \u2014 auth.json at ${authPath}`);
     consola28.info("");
@@ -4780,11 +5098,11 @@ var authorizeNestCommand = defineCommand34({
     }
   },
   async run({ args }) {
-    const nestAuthPath = join12(NEST_DATA_DIR, ".config", "apes", "auth.json");
-    if (!existsSync14(nestAuthPath)) {
+    const nestAuthPath = join14(NEST_DATA_DIR, ".config", "apes", "auth.json");
+    if (!existsSync17(nestAuthPath)) {
       throw new CliError("Nest not enrolled. Run `apes nest enroll` first.");
     }
-    const nestAuth = JSON.parse(readFileSync12(nestAuthPath, "utf8"));
+    const nestAuth = JSON.parse(readFileSync15(nestAuthPath, "utf8"));
     if (!nestAuth.email) throw new CliError(`${nestAuthPath} has no email`);
     const allow = args.allow ?? DEFAULT_ALLOW_PATTERNS.join(",");
     consola29.info(`Configuring YOLO-policy on ${nestAuth.email} via \`apes yolo set\`\u2026`);
@@ -4801,7 +5119,7 @@ var authorizeNestCommand = defineCommand34({
       cmdArgs.push("--expires-in", args["expires-in"]);
     }
     try {
-      execFileSync10("apes", cmdArgs, { stdio: "inherit" });
+      execFileSync14("apes", cmdArgs, { stdio: "inherit" });
     } catch (err) {
       throw new CliError(err instanceof Error ? err.message : String(err));
     }
@@ -4811,7 +5129,7 @@ var authorizeNestCommand = defineCommand34({
 });
 
 // src/commands/nest/destroy.ts
-import { execFileSync as execFileSync11 } from "child_process";
+import { execFileSync as execFileSync15 } from "child_process";
 import { defineCommand as defineCommand35 } from "citty";
 import consola30 from "consola";
 var destroyNestCommand = defineCommand35({
@@ -4825,7 +5143,7 @@ var destroyNestCommand = defineCommand35({
   async run({ args }) {
     const name = String(args.name);
     try {
-      execFileSync11("apes", ["run", "--as", "root", "--wait", "--", "apes", "agents", "destroy", name, "--force"], { stdio: "inherit" });
+      execFileSync15("apes", ["run", "--as", "root", "--wait", "--", "apes", "agents", "destroy", name, "--force"], { stdio: "inherit" });
       consola30.success(`Nest will tear down ${name}'s pm2 process on its next reconcile (\u22642s).`);
     } catch (err) {
       const status = err.status ?? 1;
@@ -4835,10 +5153,9 @@ var destroyNestCommand = defineCommand35({
 });
 
 // src/commands/nest/install.ts
-import { execFileSync as execFileSync12 } from "child_process";
-import { existsSync as existsSync15, mkdirSync as mkdirSync5, readFileSync as readFileSync13, writeFileSync as writeFileSync7 } from "fs";
-import { homedir as homedir13, userInfo as userInfo2 } from "os";
-import { dirname as dirname3, join as join13 } from "path";
+import { existsSync as existsSync18, mkdirSync as mkdirSync6, readFileSync as readFileSync16, writeFileSync as writeFileSync10 } from "fs";
+import { homedir as homedir13 } from "os";
+import { dirname as dirname3, join as join15 } from "path";
 import { defineCommand as defineCommand36 } from "citty";
 import consola31 from "consola";
 
@@ -4905,84 +5222,42 @@ resource_chain = ["agents:name={name}", "allowlist:email={peer_email}"]
 `;
 
 // src/commands/nest/install.ts
-var PLIST_LABEL = "ai.openape.nest";
-function plistPath() {
-  return join13(homedir13(), "Library", "LaunchAgents", `${PLIST_LABEL}.plist`);
-}
-function escape2(s) {
-  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
-}
-function buildPlist(args) {
-  const logsDir = join13(args.userHome, "Library", "Logs");
-  return `<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
-  <key>Label</key>
-  <string>${escape2(PLIST_LABEL)}</string>
-  <key>ProgramArguments</key>
-  <array>
-    <string>${escape2(args.nestBin)}</string>
-  </array>
-  <key>WorkingDirectory</key>
-  <string>${escape2(args.nestHome)}</string>
-  <key>RunAtLoad</key>
-  <true/>
-  <key>KeepAlive</key>
-  <true/>
-  <key>ThrottleInterval</key>
-  <integer>10</integer>
-  <key>EnvironmentVariables</key>
-  <dict>
-    <key>HOME</key><string>${escape2(args.nestHome)}</string>
-    <key>PATH</key><string>/opt/homebrew/bin:/usr/local/bin:/usr/bin:/bin</string>
-    <key>OPENAPE_NEST_PORT</key><string>${args.port}</string>
-    <key>OPENAPE_APES_BIN</key><string>${escape2(args.apesBin)}</string>
-  </dict>
-  <key>StandardOutPath</key>
-  <string>${escape2(logsDir)}/openape-nest.log</string>
-  <key>StandardErrorPath</key>
-  <string>${escape2(logsDir)}/openape-nest.log</string>
-</dict>
-</plist>
-`;
-}
 function installAdapter2() {
-  const target = join13(homedir13(), ".openape", "shapes", "adapters", "apes-agents.toml");
-  mkdirSync5(dirname3(target), { recursive: true });
+  const target = join15(homedir13(), ".openape", "shapes", "adapters", "apes-agents.toml");
+  mkdirSync6(dirname3(target), { recursive: true });
   let existing = "";
   try {
-    existing = readFileSync13(target, "utf8");
+    existing = readFileSync16(target, "utf8");
   } catch {
   }
   if (existing === APES_AGENTS_ADAPTER_TOML) return false;
-  writeFileSync7(target, APES_AGENTS_ADAPTER_TOML, { mode: 420 });
+  writeFileSync10(target, APES_AGENTS_ADAPTER_TOML, { mode: 420 });
   consola31.success(`Wrote shapes adapter ${target}`);
   return true;
 }
 function writeBridgeModelDefault(model) {
-  for (const envDir of [join13(homedir13(), "litellm"), join13(NEST_DATA_DIR, "litellm")]) {
-    const envFile = join13(envDir, ".env");
-    mkdirSync5(envDir, { recursive: true });
+  for (const envDir of [join15(homedir13(), "litellm"), join15(NEST_DATA_DIR, "litellm")]) {
+    const envFile = join15(envDir, ".env");
+    mkdirSync6(envDir, { recursive: true });
     let lines = [];
-    if (existsSync15(envFile)) {
-      lines = readFileSync13(envFile, "utf8").split("\n").filter((l) => !l.startsWith("APE_CHAT_BRIDGE_MODEL="));
+    if (existsSync18(envFile)) {
+      lines = readFileSync16(envFile, "utf8").split("\n").filter((l) => !l.startsWith("APE_CHAT_BRIDGE_MODEL="));
     }
     lines.push(`APE_CHAT_BRIDGE_MODEL=${model}`);
     while (lines.length > 0 && lines.at(-1).trim() === "") lines.pop();
-    writeFileSync7(envFile, `${lines.join("\n")}
+    writeFileSync10(envFile, `${lines.join("\n")}
 `, { mode: 384 });
   }
 }
 function findBinary(name) {
   for (const dir of [
-    join13(homedir13(), ".bun", "bin"),
+    join15(homedir13(), ".bun", "bin"),
     "/opt/homebrew/bin",
     "/usr/local/bin",
     "/usr/bin"
   ]) {
-    const p = join13(dir, name);
-    if (existsSync15(p)) return p;
+    const p = join15(dir, name);
+    if (existsSync18(p)) return p;
   }
   throw new Error(`could not locate ${name} on PATH; install it first`);
 }
@@ -5009,7 +5284,7 @@ var installNestCommand = defineCommand36({
     }
     const nestBin = findBinary("openape-nest");
     const apesBin = findBinary("apes");
-    consola31.info(`Installing nest at ${plistPath()}`);
+    consola31.info(`Installing nest supervisor`);
     consola31.info(`  nest binary: ${nestBin}`);
     consola31.info(`  apes binary: ${apesBin}`);
     consola31.info(`  HTTP port:   ${port}`);
@@ -5018,26 +5293,14 @@ var installNestCommand = defineCommand36({
       consola31.success(`Default bridge model set to ${args["bridge-model"]} (in ~/litellm/.env)`);
     }
     installAdapter2();
-    mkdirSync5(join13(homeDir, "Library", "LaunchAgents"), { recursive: true });
-    mkdirSync5(NEST_DATA_DIR, { recursive: true });
-    const desired = buildPlist({ nestBin, apesBin, userHome: homeDir, nestHome: NEST_DATA_DIR, port });
-    let existing = "";
-    try {
-      existing = readFileSync13(plistPath(), "utf8");
-    } catch {
-    }
-    if (existing !== desired) {
-      writeFileSync7(plistPath(), desired, { mode: 420 });
-      consola31.success("Wrote launchd plist");
-    } else {
-      consola31.info("plist already up to date");
-    }
-    const uid = userInfo2().uid;
-    try {
-      execFileSync12("/bin/launchctl", ["bootout", `gui/${uid}/${PLIST_LABEL}`], { stdio: "ignore" });
-    } catch {
-    }
-    execFileSync12("/bin/launchctl", ["bootstrap", `gui/${uid}`, plistPath()], { stdio: "inherit" });
+    mkdirSync6(NEST_DATA_DIR, { recursive: true });
+    await getHostPlatform().installNestSupervisor({
+      nestBin,
+      apesBin,
+      userHome: homeDir,
+      nestHome: NEST_DATA_DIR,
+      port
+    });
     consola31.success(`Nest daemon bootstrapped \u2014 http://127.0.0.1:${port}`);
     consola31.info("");
     consola31.info("Next steps for zero-prompt spawn \u2014 both one-time:");
@@ -5079,7 +5342,7 @@ var listNestCommand = defineCommand37({
 });
 
 // src/commands/nest/spawn.ts
-import { execFileSync as execFileSync13 } from "child_process";
+import { execFileSync as execFileSync16 } from "child_process";
 import { defineCommand as defineCommand38 } from "citty";
 import consola33 from "consola";
 var spawnNestCommand = defineCommand38({
@@ -5112,7 +5375,7 @@ var spawnNestCommand = defineCommand38({
     if (typeof args["bridge-base-url"] === "string") apesArgs.push("--bridge-base-url", args["bridge-base-url"]);
     if (typeof args["bridge-model"] === "string") apesArgs.push("--bridge-model", args["bridge-model"]);
     try {
-      execFileSync13("apes", apesArgs, { stdio: "inherit" });
+      execFileSync16("apes", apesArgs, { stdio: "inherit" });
       consola33.success(`Nest will pick up ${name} on its next reconcile (\u22642s).`);
     } catch (err) {
       const status = err.status ?? 1;
@@ -5122,31 +5385,16 @@ var spawnNestCommand = defineCommand38({
 });
 
 // src/commands/nest/uninstall.ts
-import { execFileSync as execFileSync14 } from "child_process";
-import { existsSync as existsSync16, unlinkSync } from "fs";
-import { homedir as homedir14, userInfo as userInfo3 } from "os";
-import { join as join14 } from "path";
 import { defineCommand as defineCommand39 } from "citty";
 import consola34 from "consola";
-var PLIST_LABEL2 = "ai.openape.nest";
 var uninstallNestCommand = defineCommand39({
   meta: {
     name: "uninstall",
     description: "Stop + remove the local nest-daemon (registry + agents preserved)"
   },
   async run() {
-    const uid = userInfo3().uid;
-    const path2 = join14(homedir14(), "Library", "LaunchAgents", `${PLIST_LABEL2}.plist`);
-    try {
-      execFileSync14("/bin/launchctl", ["bootout", `gui/${uid}/${PLIST_LABEL2}`], { stdio: "ignore" });
-      consola34.success("Nest daemon stopped");
-    } catch {
-      consola34.info("Nest daemon was not loaded");
-    }
-    if (existsSync16(path2)) {
-      unlinkSync(path2);
-      consola34.success(`Removed ${path2}`);
-    }
+    await getHostPlatform().uninstallNestSupervisor();
+    consola34.success("Nest daemon stopped + supervisor unit removed");
     consola34.info("Registry at ~/.openape/nest/agents.json kept \u2014 re-run `apes nest install` to resume supervision.");
   }
 });
@@ -5692,18 +5940,19 @@ var adapterCommand = defineCommand45({
 });
 
 // src/commands/run.ts
-import { execFileSync as execFileSync15 } from "child_process";
-import { hostname as hostname5 } from "os";
+import { execFileSync as execFileSync17 } from "child_process";
+import { hostname as hostname6 } from "os";
 import { basename } from "path";
 import { defineCommand as defineCommand46 } from "citty";
 import consola39 from "consola";
 function resolveRunAsTarget(runAs) {
   if (!runAs) return runAs;
-  if (!isDarwin()) return runAs;
+  if (!isDarwin2()) return runAs;
   if (!AGENT_NAME_REGEX.test(runAs)) return runAs;
   if (runAs.startsWith("openape-agent-")) return runAs;
-  const prefixed = macOSUsernameForAgent(runAs);
-  if (readMacOSUser(prefixed)) return prefixed;
+  const platform = getHostPlatform();
+  const prefixed = platform.agentUsername(runAs);
+  if (platform.readAgentUser(prefixed)) return prefixed;
   return runAs;
 }
 function shouldWaitForGrant(args) {
@@ -5876,7 +6125,7 @@ async function runShellMode(command, args) {
   const adapterHandled = await tryAdapterModeFromShell(command, idp, args);
   if (adapterHandled) return;
   const grantsUrl = await getGrantsEndpoint(idp);
-  const targetHost = args.host || hostname5();
+  const targetHost = args.host || hostname6();
   try {
     const grants = await apiFetch(
       `${grantsUrl}?requester=${encodeURIComponent(auth.email)}&status=approved&limit=20`
@@ -5972,7 +6221,7 @@ async function tryAdapterModeFromShell(command, idp, args) {
     approveUrl: `${idp}/grant-approval?grant_id=${grant.id}`,
     command: resolved.detail?.display || parsed?.raw || "unknown",
     audience: resolved.adapter?.cli?.audience ?? "shapes",
-    host: args.host || hostname5()
+    host: args.host || hostname6()
   });
   if (shouldWaitForGrant(args)) {
     consola39.info(`Grant requested: ${grant.id}`);
@@ -5992,7 +6241,7 @@ function execShellCommand(command) {
     throw new CliError("No command to execute");
   try {
     const { APES_SHELL_WRAPPER: _wrapperMarker, ...inheritedEnv } = process.env;
-    execFileSync15(command[0], command.slice(1), {
+    execFileSync17(command[0], command.slice(1), {
       stdio: "inherit",
       env: inheritedEnv
     });
@@ -6093,7 +6342,7 @@ async function runAudienceMode(audience, action, args, commandArgv) {
   const idp = getIdpUrl(args.idp);
   const grantsUrl = await getGrantsEndpoint(idp);
   const command = commandArgv ?? action.split(" ");
-  const targetHost = args.host || hostname5();
+  const targetHost = args.host || hostname6();
   const runAs = resolveRunAsTarget(args.as ?? void 0);
   const reusableId = await findReusableAudienceGrant({
     grantsUrl,
@@ -6161,7 +6410,7 @@ function executeWithGrantToken(opts) {
     consola39.info(`Executing: ${command.join(" ")}`);
     try {
       const { APES_SHELL_WRAPPER: _wrapperMarker, ...inheritedEnv } = process.env;
-      execFileSync15(args["escapes-path"] || "escapes", ["--grant", token, "--", ...command], {
+      execFileSync17(args["escapes-path"] || "escapes", ["--grant", token, "--", ...command], {
         stdio: "inherit",
         env: inheritedEnv
       });
@@ -6197,9 +6446,9 @@ async function findReusableAudienceGrant(opts) {
 
 // src/commands/proxy.ts
 import { spawn as spawn2 } from "child_process";
-import { existsSync as existsSync18 } from "fs";
-import { homedir as homedir15 } from "os";
-import { join as join17 } from "path";
+import { existsSync as existsSync20 } from "fs";
+import { homedir as homedir14 } from "os";
+import { join as join18 } from "path";
 import { defineCommand as defineCommand47 } from "citty";
 import consola40 from "consola";
 
@@ -6235,10 +6484,10 @@ note = "VPC-internal hostname suffix"
 
 // src/proxy/local-proxy.ts
 import { spawn } from "child_process";
-import { mkdtempSync as mkdtempSync3, rmSync as rmSync5, writeFileSync as writeFileSync8 } from "fs";
+import { mkdtempSync as mkdtempSync4, rmSync as rmSync6, writeFileSync as writeFileSync11 } from "fs";
 import { createRequire } from "module";
-import { tmpdir as tmpdir3 } from "os";
-import { dirname as dirname4, join as join15, resolve as resolve3 } from "path";
+import { tmpdir as tmpdir4 } from "os";
+import { dirname as dirname4, join as join16, resolve as resolve3 } from "path";
 var require2 = createRequire(import.meta.url);
 function findProxyBin() {
   const pkgPath = require2.resolve("@openape/proxy/package.json");
@@ -6250,9 +6499,9 @@ function findProxyBin() {
   return resolve3(dirname4(pkgPath), binRel);
 }
 async function startEphemeralProxy(configToml) {
-  const tmpDir = mkdtempSync3(join15(tmpdir3(), "openape-proxy-"));
-  const configPath = join15(tmpDir, "config.toml");
-  writeFileSync8(configPath, configToml, { mode: 384 });
+  const tmpDir = mkdtempSync4(join16(tmpdir4(), "openape-proxy-"));
+  const configPath = join16(tmpDir, "config.toml");
+  writeFileSync11(configPath, configToml, { mode: 384 });
   const binPath = findProxyBin();
   const child = spawn(process.execPath, [binPath, "-c", configPath], {
     stdio: ["ignore", "pipe", "pipe"],
@@ -6260,7 +6509,7 @@ async function startEphemeralProxy(configToml) {
   });
   const cleanupTmp = () => {
     try {
-      rmSync5(tmpDir, { recursive: true, force: true });
+      rmSync6(tmpDir, { recursive: true, force: true });
     } catch {
     }
   };
@@ -6334,9 +6583,9 @@ function waitForListenLine(child) {
 }
 
 // src/proxy/trust-bundle.ts
-import { existsSync as existsSync17, mkdtempSync as mkdtempSync4, readFileSync as readFileSync14, rmdirSync, unlinkSync as unlinkSync2, writeFileSync as writeFileSync9 } from "fs";
-import { tmpdir as tmpdir4 } from "os";
-import { join as join16 } from "path";
+import { existsSync as existsSync19, mkdtempSync as mkdtempSync5, readFileSync as readFileSync17, rmdirSync, unlinkSync as unlinkSync3, writeFileSync as writeFileSync12 } from "fs";
+import { tmpdir as tmpdir5 } from "os";
+import { join as join17 } from "path";
 var CANDIDATES = [
   "/etc/ssl/cert.pem",
   // macOS
@@ -6349,25 +6598,25 @@ var CANDIDATES = [
 ];
 function detectSystemCaPath() {
   for (const p of CANDIDATES) {
-    if (existsSync17(p)) return p;
+    if (existsSync19(p)) return p;
   }
   throw new Error(
     `Could not locate a system CA bundle. Tried: ${CANDIDATES.join(", ")}. Set NODE_EXTRA_CA_CERTS yourself or pass --allow-no-system-ca.`
   );
 }
 function buildTrustBundle(opts) {
-  const dir = mkdtempSync4(join16(tmpdir4(), "openape-trust-"));
-  const path2 = join16(dir, "bundle.pem");
-  const sys = readFileSync14(opts.systemCaPath, "utf-8");
-  const local = readFileSync14(opts.localCaPath, "utf-8");
-  writeFileSync9(path2, `${sys.trimEnd()}
+  const dir = mkdtempSync5(join17(tmpdir5(), "openape-trust-"));
+  const path2 = join17(dir, "bundle.pem");
+  const sys = readFileSync17(opts.systemCaPath, "utf-8");
+  const local = readFileSync17(opts.localCaPath, "utf-8");
+  writeFileSync12(path2, `${sys.trimEnd()}
 ${local.trimEnd()}
 `, { mode: 384 });
   return {
     path: path2,
     cleanup: () => {
       try {
-        unlinkSync2(path2);
+        unlinkSync3(path2);
       } catch {
       }
       try {
@@ -6417,8 +6666,8 @@ var proxyCommand = defineCommand47({
     if (reuseHostPort) {
       proxyUrl = `http://${reuseHostPort}`;
       consola40.info(`[apes proxy] using long-running daemon at ${proxyUrl}`);
-      const localCaPath = join17(homedir15(), ".openape", "proxy", "ca.crt");
-      if (!existsSync18(localCaPath)) {
+      const localCaPath = join18(homedir14(), ".openape", "proxy", "ca.crt");
+      if (!existsSync20(localCaPath)) {
         throw new CliError(
           `OPENAPE_PROXY is set but no local CA found at ${localCaPath}. Start the daemon (sudo -u <agent> apes proxy --global < secrets.toml) first.`
         );
@@ -6760,16 +7009,16 @@ var mcpCommand = defineCommand52({
     if (transport !== "stdio" && transport !== "sse") {
       throw new Error('Transport must be "stdio" or "sse"');
     }
-    const { startMcpServer } = await import("./server-WB77GNKJ.js");
+    const { startMcpServer } = await import("./server-JGX5FIDP.js");
     await startMcpServer(transport, port);
   }
 });
 
 // src/commands/init/index.ts
-import { existsSync as existsSync19, copyFileSync, writeFileSync as writeFileSync10 } from "fs";
+import { existsSync as existsSync21, copyFileSync, writeFileSync as writeFileSync13 } from "fs";
 import { randomBytes } from "crypto";
-import { execFileSync as execFileSync16 } from "child_process";
-import { join as join18 } from "path";
+import { execFileSync as execFileSync18 } from "child_process";
+import { join as join19 } from "path";
 import { defineCommand as defineCommand53 } from "citty";
 import consola43 from "consola";
 var DEFAULT_IDP_URL = "https://id.openape.at";
@@ -6778,13 +7027,13 @@ async function downloadTemplate(repo, targetDir) {
   await gigetDownload(`gh:${repo}`, { dir: targetDir, force: false });
 }
 function installDeps(dir) {
-  const hasLockFile = (name) => existsSync19(join18(dir, name));
+  const hasLockFile = (name) => existsSync21(join19(dir, name));
   if (hasLockFile("pnpm-lock.yaml")) {
-    execFileSync16("pnpm", ["install"], { cwd: dir, stdio: "inherit" });
+    execFileSync18("pnpm", ["install"], { cwd: dir, stdio: "inherit" });
   } else if (hasLockFile("bun.lockb")) {
-    execFileSync16("bun", ["install"], { cwd: dir, stdio: "inherit" });
+    execFileSync18("bun", ["install"], { cwd: dir, stdio: "inherit" });
   } else {
-    execFileSync16("npm", ["install"], { cwd: dir, stdio: "inherit" });
+    execFileSync18("npm", ["install"], { cwd: dir, stdio: "inherit" });
   }
 }
 async function promptChoice(message, choices) {
@@ -6843,7 +7092,7 @@ var initCommand = defineCommand53({
 });
 async function initSP(targetDir) {
   const dir = targetDir || "my-app";
-  if (existsSync19(join18(dir, "package.json"))) {
+  if (existsSync21(join19(dir, "package.json"))) {
     throw new CliError(`Directory "${dir}" already contains a project.`);
   }
   consola43.start("Scaffolding SP starter...");
@@ -6852,9 +7101,9 @@ async function initSP(targetDir) {
   consola43.start("Installing dependencies...");
   installDeps(dir);
   consola43.success("Dependencies installed");
-  const envExample = join18(dir, ".env.example");
-  const envFile = join18(dir, ".env");
-  if (existsSync19(envExample) && !existsSync19(envFile)) {
+  const envExample = join19(dir, ".env.example");
+  const envFile = join19(dir, ".env");
+  if (existsSync21(envExample) && !existsSync21(envFile)) {
     copyFileSync(envExample, envFile);
     consola43.success(`\`.env\` created (using Free IdP at ${DEFAULT_IDP_URL})`);
   }
@@ -6868,7 +7117,7 @@ async function initSP(targetDir) {
 }
 async function initIdP(targetDir) {
   const dir = targetDir || "my-idp";
-  if (existsSync19(join18(dir, "package.json"))) {
+  if (existsSync21(join19(dir, "package.json"))) {
     throw new CliError(`Directory "${dir}" already contains a project.`);
   }
   const domain = await promptText("Domain for the IdP", "localhost");
@@ -6900,7 +7149,7 @@ async function initIdP(targetDir) {
     `NUXT_OPENAPE_RP_ID=${domain}`,
     `NUXT_OPENAPE_RP_ORIGIN=${origin}`
   ].join("\n");
-  writeFileSync10(join18(dir, ".env"), `${envContent}
+  writeFileSync13(join19(dir, ".env"), `${envContent}
 `, { mode: 384 });
   consola43.success(".env created");
   console.log("");
@@ -6921,7 +7170,7 @@ async function initIdP(targetDir) {
 
 // src/commands/enroll.ts
 import { Buffer as Buffer5 } from "buffer";
-import { existsSync as existsSync20, readFileSync as readFileSync15 } from "fs";
+import { existsSync as existsSync22, readFileSync as readFileSync18 } from "fs";
 import { execFile as execFile2 } from "child_process";
 import { sign as sign2 } from "crypto";
 import { defineCommand as defineCommand54 } from "citty";
@@ -6937,7 +7186,7 @@ function openBrowser2(url) {
 }
 async function pollForEnrollment(idp, agentEmail, keyPath) {
   const resolvedKey = resolveKeyPath(keyPath);
-  const keyContent = readFileSync15(resolvedKey, "utf-8");
+  const keyContent = readFileSync18(resolvedKey, "utf-8");
   const privateKey = loadEd25519PrivateKey(keyContent);
   const challengeUrl = await getAgentChallengeEndpoint(idp);
   const authenticateUrl = await getAgentAuthenticateEndpoint(idp);
@@ -7005,7 +7254,7 @@ var enrollCommand = defineCommand54({
     }) || DEFAULT_KEY_PATH;
     const resolvedKey = resolveKeyPath(keyPath);
     let publicKey;
-    if (existsSync20(resolvedKey)) {
+    if (existsSync22(resolvedKey)) {
       publicKey = readPublicKey(resolvedKey);
       consola44.success(`Using existing key ${keyPath}`);
     } else {
@@ -7049,7 +7298,7 @@ var enrollCommand = defineCommand54({
 });
 
 // src/commands/register-user.ts
-import { existsSync as existsSync21, readFileSync as readFileSync16 } from "fs";
+import { existsSync as existsSync23, readFileSync as readFileSync19 } from "fs";
 import { defineCommand as defineCommand55 } from "citty";
 import consola45 from "consola";
 var registerUserCommand = defineCommand55({
@@ -7088,8 +7337,8 @@ var registerUserCommand = defineCommand55({
       throw new CliError("No IdP URL configured. Run `apes login` first.");
     }
     let publicKey = args.key;
-    if (existsSync21(args.key)) {
-      publicKey = readFileSync16(args.key, "utf-8").trim();
+    if (existsSync23(args.key)) {
+      publicKey = readFileSync19(args.key, "utf-8").trim();
     }
     if (!publicKey.startsWith("ssh-ed25519 ")) {
       throw new CliError("Public key must be in ssh-ed25519 format.");
@@ -7398,7 +7647,7 @@ async function bestEffortGrantCount(idp) {
   }
 }
 async function runHealth(args) {
-  const version = true ? "1.28.11" : "0.0.0";
+  const version = true ? "1.28.13" : "0.0.0";
   const auth = loadAuth();
   if (!auth) {
     throw new CliError("Not logged in. Run `apes login` first.", 1);
@@ -7591,26 +7840,26 @@ var workflowsCommand = defineCommand63({
 });
 
 // src/version-check.ts
-import { existsSync as existsSync22, mkdirSync as mkdirSync6, readFileSync as readFileSync17, writeFileSync as writeFileSync11 } from "fs";
-import { homedir as homedir16 } from "os";
-import { join as join19 } from "path";
+import { existsSync as existsSync24, mkdirSync as mkdirSync7, readFileSync as readFileSync20, writeFileSync as writeFileSync14 } from "fs";
+import { homedir as homedir15 } from "os";
+import { join as join20 } from "path";
 import consola51 from "consola";
 var PACKAGE_NAME = "@openape/apes";
 var CACHE_TTL_MS = 24 * 60 * 60 * 1e3;
-var CACHE_FILE = join19(homedir16(), ".config", "apes", ".version-check.json");
+var CACHE_FILE = join20(homedir15(), ".config", "apes", ".version-check.json");
 function readCache() {
-  if (!existsSync22(CACHE_FILE)) return null;
+  if (!existsSync24(CACHE_FILE)) return null;
   try {
-    return JSON.parse(readFileSync17(CACHE_FILE, "utf-8"));
+    return JSON.parse(readFileSync20(CACHE_FILE, "utf-8"));
   } catch {
     return null;
   }
 }
 function writeCache(entry) {
   try {
-    const dir = join19(homedir16(), ".config", "apes");
-    if (!existsSync22(dir)) mkdirSync6(dir, { recursive: true, mode: 448 });
-    writeFileSync11(CACHE_FILE, JSON.stringify(entry), { mode: 384 });
+    const dir = join20(homedir15(), ".config", "apes");
+    if (!existsSync24(dir)) mkdirSync7(dir, { recursive: true, mode: 448 });
+    writeFileSync14(CACHE_FILE, JSON.stringify(entry), { mode: 384 });
   } catch {
   }
 }
@@ -7671,10 +7920,10 @@ if (shellRewrite) {
   if (shellRewrite.action === "rewrite") {
     process.argv = shellRewrite.argv;
   } else if (shellRewrite.action === "version") {
-    console.log(`ape-shell ${"1.28.11"} (OpenApe DDISA shell wrapper)`);
+    console.log(`ape-shell ${"1.28.13"} (OpenApe DDISA shell wrapper)`);
     process.exit(0);
   } else if (shellRewrite.action === "help") {
-    console.log(`ape-shell ${"1.28.11"} \u2014 OpenApe DDISA shell wrapper`);
+    console.log(`ape-shell ${"1.28.13"} \u2014 OpenApe DDISA shell wrapper`);
     console.log("");
     console.log("Usage:");
     console.log("  ape-shell                 Start interactive grant-mediated REPL");
@@ -7689,7 +7938,7 @@ if (shellRewrite) {
     console.log("  --help, -h      Show this help message");
     process.exit(0);
   } else if (shellRewrite.action === "interactive") {
-    const { runInteractiveShell } = await import("./orchestrator-CIDV7OGM.js");
+    const { runInteractiveShell } = await import("./orchestrator-REICEX3F.js");
     await runInteractiveShell();
     process.exit(0);
   } else {
@@ -7732,7 +7981,7 @@ var configCommand = defineCommand64({
 var main = defineCommand64({
   meta: {
     name: "apes",
-    version: "1.28.11",
+    version: "1.28.13",
     description: "Unified CLI for OpenApe"
   },
   subCommands: {
@@ -7784,13 +8033,13 @@ async function maybeRefreshAuth() {
   const { loadAuth: loadAuth2 } = await import("./config-MOB5DJ6H.js");
   if (!loadAuth2()) return;
   try {
-    const { ensureFreshToken } = await import("./http-6OKWT52Z.js");
+    const { ensureFreshToken } = await import("./http-UPOTOYQV.js");
     await ensureFreshToken();
   } catch {
   }
 }
 await maybeRefreshAuth();
-await maybeWarnStaleVersion("1.28.11").catch(() => {
+await maybeWarnStaleVersion("1.28.13").catch(() => {
 });
 runMain(main).catch((err) => {
   if (err instanceof CliExit) {