@openape/apes 1.28.13 → 1.29.0

package/dist/chunk-PEA2RDWK.js

@@ -1,1068 +0,0 @@
-#!/usr/bin/env node
-import {
-  getGenericAuditLogPath
-} from "./chunk-OBF7IMQ2.js";
-
-// src/shapes/adapters.ts
-import { createHash } from "crypto";
-import { existsSync, readdirSync, readFileSync } from "fs";
-import { homedir } from "os";
-import { basename, join } from "path";
-
-// src/shapes/toml.ts
-function parseKeyValue(line) {
-  const eqIndex = line.indexOf("=");
-  if (eqIndex === -1)
-    return null;
-  const key = line.slice(0, eqIndex).trim();
-  const value = line.slice(eqIndex + 1).trim();
-  if (!key || !value)
-    return null;
-  return { key, value };
-}
-function parseTomlValue(raw) {
-  const trimmed = raw.trim();
-  if (trimmed.startsWith('"') && trimmed.endsWith('"'))
-    return trimmed.slice(1, -1);
-  if (trimmed === "true")
-    return true;
-  if (trimmed === "false")
-    return false;
-  if (trimmed.startsWith("[") && trimmed.endsWith("]")) {
-    const inner = trimmed.slice(1, -1).trim();
-    if (!inner)
-      return [];
-    return inner.split(",").map((value) => value.trim().replace(/^"|"$/g, ""));
-  }
-  return trimmed;
-}
-function parseAdapterToml(content) {
-  const result = {};
-  const operations = [];
-  let currentSection = "root";
-  let currentEntry = {};
-  const flushOperation = () => {
-    if (currentSection === "operation" && Object.keys(currentEntry).length > 0) {
-      operations.push(currentEntry);
-      currentEntry = {};
-    }
-  };
-  for (const rawLine of content.split("\n")) {
-    const line = rawLine.trim();
-    if (!line || line.startsWith("#"))
-      continue;
-    if (line === "[cli]") {
-      flushOperation();
-      currentSection = "cli";
-      result.cli = {};
-      continue;
-    }
-    if (line === "[[operation]]") {
-      flushOperation();
-      currentSection = "operation";
-      currentEntry = {};
-      continue;
-    }
-    const kv = parseKeyValue(line);
-    if (!kv)
-      continue;
-    const value = parseTomlValue(kv.value);
-    if (currentSection === "root") {
-      ;
-      result[kv.key] = value;
-    } else if (currentSection === "cli") {
-      ;
-      result.cli[kv.key] = value;
-    } else {
-      currentEntry[kv.key] = value;
-    }
-  }
-  flushOperation();
-  result.operation = operations;
-  if (result.schema !== "openape-shapes/v1") {
-    throw new Error(`Unsupported adapter schema: ${result.schema ?? "missing"}`);
-  }
-  if (!result.cli?.id || !result.cli.executable) {
-    throw new Error("Adapter is missing cli.id or cli.executable");
-  }
-  if (!result.operation?.length) {
-    throw new Error("Adapter must define at least one [[operation]] entry");
-  }
-  return {
-    schema: result.schema,
-    cli: {
-      id: String(result.cli.id),
-      executable: String(result.cli.executable),
-      ...result.cli.audience ? { audience: String(result.cli.audience) } : {},
-      ...result.cli.version ? { version: String(result.cli.version) } : {}
-    },
-    operations: result.operation.map((operation) => {
-      if (!Array.isArray(operation.command) || operation.command.some((token) => typeof token !== "string")) {
-        throw new Error(`Operation ${String(operation.id ?? "<unknown>")} is missing command[]`);
-      }
-      if (!Array.isArray(operation.resource_chain) || operation.resource_chain.some((token) => typeof token !== "string")) {
-        throw new Error(`Operation ${String(operation.id ?? "<unknown>")} is missing resource_chain[]`);
-      }
-      if (typeof operation.id !== "string" || typeof operation.display !== "string" || typeof operation.action !== "string") {
-        throw new TypeError("Operation must define id, display, and action");
-      }
-      return {
-        id: operation.id,
-        command: operation.command,
-        ...Array.isArray(operation.positionals) ? { positionals: operation.positionals } : {},
-        ...Array.isArray(operation.required_options) ? { required_options: operation.required_options } : {},
-        display: operation.display,
-        action: operation.action,
-        risk: operation.risk || "low",
-        resource_chain: operation.resource_chain,
-        ...operation.exact_command !== void 0 ? { exact_command: Boolean(operation.exact_command) } : {}
-      };
-    })
-  };
-}
-
-// src/shapes/generic.ts
-import { canonicalizeCliPermission, computeArgvHash } from "@openape/grants";
-var GENERIC_OPERATION_ID = "_generic.exec";
-var SYNTHETIC_SCHEMA = "openape-shapes/v1";
-function buildGenericAdapter(cliId) {
-  const adapter = {
-    schema: SYNTHETIC_SCHEMA,
-    cli: {
-      id: cliId,
-      executable: cliId,
-      audience: "shapes",
-      version: "synthetic"
-    },
-    operations: []
-  };
-  return {
-    adapter,
-    source: "<synthetic>",
-    digest: "synthetic",
-    synthetic: true
-  };
-}
-async function buildGenericResolved(cliId, fullArgv) {
-  if (fullArgv.length === 0)
-    throw new Error("buildGenericResolved: fullArgv must include the executable");
-  const executable = fullArgv[0];
-  const commandArgv = fullArgv.slice(1);
-  const argvHash = await computeArgvHash(fullArgv);
-  const display = `Execute (unshaped): \`${cliId} ${commandArgv.join(" ")}\``;
-  const detail = {
-    type: "openape_cli",
-    cli_id: cliId,
-    operation_id: GENERIC_OPERATION_ID,
-    resource_chain: [
-      { resource: "cli", selector: { name: cliId } },
-      { resource: "argv", selector: { hash: argvHash } }
-    ],
-    action: "exec",
-    permission: "",
-    display,
-    risk: "high",
-    constraints: { exact_command: true }
-  };
-  detail.permission = canonicalizeCliPermission(detail);
-  const adapter = buildGenericAdapter(cliId);
-  return {
-    adapter: adapter.adapter,
-    source: adapter.source,
-    digest: adapter.digest,
-    executable,
-    commandArgv,
-    bindings: {},
-    detail,
-    executionContext: {
-      argv: fullArgv,
-      argv_hash: argvHash,
-      adapter_id: cliId,
-      adapter_version: SYNTHETIC_SCHEMA,
-      adapter_digest: adapter.digest,
-      resolved_executable: executable,
-      context_bindings: {}
-    },
-    permission: detail.permission
-  };
-}
-function isGenericResolved(resolved) {
-  return resolved.detail.operation_id === GENERIC_OPERATION_ID;
-}
-
-// src/shapes/adapters.ts
-function digest(content) {
-  return `SHA-256:${createHash("sha256").update(content).digest("hex")}`;
-}
-function adapterDirs() {
-  return [
-    join(process.cwd(), ".openape", "shapes", "adapters"),
-    join(homedir(), ".openape", "shapes", "adapters"),
-    join("/etc", "openape", "shapes", "adapters")
-  ];
-}
-function findByExecutable(executable) {
-  for (const dir of adapterDirs()) {
-    if (!existsSync(dir))
-      continue;
-    try {
-      const files = readdirSync(dir).filter((f) => f.endsWith(".toml"));
-      for (const file of files) {
-        const path = join(dir, file);
-        const content = readFileSync(path, "utf-8");
-        const match = content.match(/^\s*executable\s*=\s*"([^"]+)"/m);
-        if (match && match[1] === executable)
-          return path;
-      }
-    } catch {
-    }
-  }
-  return void 0;
-}
-function resolveAdapterPath(cliId, explicitPath) {
-  if (explicitPath) {
-    if (existsSync(explicitPath))
-      return explicitPath;
-    throw new Error(`Adapter file not found: ${explicitPath}`);
-  }
-  const candidates = adapterDirs().map((dir) => join(dir, `${cliId}.toml`));
-  const match = candidates.find((path) => existsSync(path));
-  if (match)
-    return match;
-  const byExec = findByExecutable(cliId);
-  if (byExec)
-    return byExec;
-  throw new Error(`No adapter found for ${cliId}`);
-}
-function loadAdapter(cliId, explicitPath) {
-  const source = resolveAdapterPath(cliId, explicitPath);
-  const content = readFileSync(source, "utf-8");
-  const adapter = parseAdapterToml(content);
-  const idMatch = adapter.cli.id === cliId;
-  const fileMatch = basename(source) === `${cliId}.toml`;
-  const execMatch = adapter.cli.executable === cliId;
-  if (!idMatch && !fileMatch && !execMatch)
-    throw new Error(`Adapter ${source} does not match requested CLI ${cliId}`);
-  return {
-    adapter,
-    source,
-    digest: digest(content)
-  };
-}
-async function resolveGenericOrReject(cliId, fullArgv, opts) {
-  if (!opts.genericEnabled)
-    throw new Error(`No adapter found for ${cliId}`);
-  return await buildGenericResolved(cliId, fullArgv);
-}
-function tryLoadAdapter(cliId, explicitPath) {
-  try {
-    return loadAdapter(cliId, explicitPath);
-  } catch {
-    return null;
-  }
-}
-
-// src/shapes/audit.ts
-import { appendFileSync, existsSync as existsSync2, mkdirSync } from "fs";
-import { homedir as homedir2 } from "os";
-import { dirname, join as join2 } from "path";
-function auditPath() {
-  return join2(homedir2(), ".config", "apes", "audit.jsonl");
-}
-function appendAuditLog(entry) {
-  const full = {
-    ...entry,
-    action: entry.action,
-    timestamp: entry.timestamp ?? Date.now()
-  };
-  const path = auditPath();
-  const dir = dirname(path);
-  try {
-    if (!existsSync2(dir)) mkdirSync(dir, { recursive: true });
-    appendFileSync(path, `${JSON.stringify(full)}
-`);
-  } catch {
-  }
-}
-
-// src/shapes/installer.ts
-import { createHash as createHash2 } from "crypto";
-import { existsSync as existsSync3, mkdirSync as mkdirSync2, readdirSync as readdirSync2, readFileSync as readFileSync2, unlinkSync, writeFileSync } from "fs";
-import { homedir as homedir3 } from "os";
-import { join as join3 } from "path";
-function adapterDir(local) {
-  const base = local ? process.cwd() : homedir3();
-  return join3(base, ".openape", "shapes", "adapters");
-}
-function adapterPath(id, local) {
-  return join3(adapterDir(local), `${id}.toml`);
-}
-function sha256(content) {
-  return `SHA-256:${createHash2("sha256").update(content).digest("hex")}`;
-}
-async function installAdapter(entry, options = {}) {
-  const local = options.local ?? false;
-  const dest = adapterPath(entry.id, local);
-  const dir = adapterDir(local);
-  const response = await fetch(entry.download_url);
-  if (!response.ok)
-    throw new Error(`Failed to download adapter ${entry.id}: ${response.status} ${response.statusText}`);
-  const content = await response.text();
-  const digest2 = sha256(content);
-  if (digest2 !== entry.digest)
-    throw new Error(`Digest mismatch for ${entry.id}: expected ${entry.digest}, got ${digest2}`);
-  const updated = existsSync3(dest);
-  if (!existsSync3(dir))
-    mkdirSync2(dir, { recursive: true });
-  writeFileSync(dest, content);
-  return { id: entry.id, path: dest, digest: digest2, updated };
-}
-function getInstalledDigest(id, local) {
-  const path = adapterPath(id, local);
-  if (!existsSync3(path))
-    return null;
-  const content = readFileSync2(path, "utf-8");
-  return sha256(content);
-}
-function isInstalled(id, local) {
-  return existsSync3(adapterPath(id, local));
-}
-function removeAdapter(id, local) {
-  const path = adapterPath(id, local);
-  if (!existsSync3(path))
-    return false;
-  unlinkSync(path);
-  return true;
-}
-function findConflictingAdapters(executable, excludeId) {
-  const conflicts = [];
-  const dirs = [
-    join3(process.cwd(), ".openape", "shapes", "adapters"),
-    join3(homedir3(), ".openape", "shapes", "adapters")
-  ];
-  for (const dir of dirs) {
-    if (!existsSync3(dir))
-      continue;
-    try {
-      for (const file of readdirSync2(dir).filter((f) => f.endsWith(".toml"))) {
-        const path = join3(dir, file);
-        const content = readFileSync2(path, "utf-8");
-        const execMatch = content.match(/^\s*executable\s*=\s*"([^"]+)"/m);
-        const idMatch = content.match(/^\s*id\s*=\s*"([^"]+)"/m);
-        if (execMatch?.[1] === executable && idMatch?.[1] !== excludeId) {
-          conflicts.push({ file, path, adapterId: idMatch?.[1] ?? file, executable });
-        }
-      }
-    } catch {
-    }
-  }
-  return conflicts;
-}
-
-// src/shapes/registry.ts
-import { existsSync as existsSync4, mkdirSync as mkdirSync3, readFileSync as readFileSync3, writeFileSync as writeFileSync2 } from "fs";
-import { homedir as homedir4 } from "os";
-import { join as join4 } from "path";
-var REGISTRY_URL = process.env.SHAPES_REGISTRY_URL ?? "https://raw.githubusercontent.com/openape-ai/shapes-registry/main/registry.json";
-var CACHE_TTL_MS = 60 * 60 * 1e3;
-function cacheDir() {
-  return join4(homedir4(), ".openape", "shapes", "cache");
-}
-function cachePath() {
-  return join4(cacheDir(), "registry.json");
-}
-function readCache() {
-  const path = cachePath();
-  if (!existsSync4(path))
-    return null;
-  try {
-    const raw = readFileSync3(path, "utf-8");
-    const stat = JSON.parse(raw);
-    if (stat._cached_at && Date.now() - stat._cached_at > CACHE_TTL_MS)
-      return null;
-    return stat;
-  } catch {
-    return null;
-  }
-}
-function writeCache(index) {
-  const dir = cacheDir();
-  if (!existsSync4(dir))
-    mkdirSync3(dir, { recursive: true });
-  writeFileSync2(cachePath(), JSON.stringify({ ...index, _cached_at: Date.now() }, null, 2));
-}
-async function fetchRegistry(forceRefresh = false) {
-  if (!forceRefresh) {
-    const cached = readCache();
-    if (cached)
-      return cached;
-  }
-  const response = await fetch(REGISTRY_URL);
-  if (!response.ok)
-    throw new Error(`Failed to fetch registry: ${response.status} ${response.statusText}`);
-  const index = await response.json();
-  writeCache(index);
-  return index;
-}
-function searchAdapters(index, query) {
-  const q = query.toLowerCase();
-  return index.adapters.filter(
-    (a) => a.id.includes(q) || a.name.toLowerCase().includes(q) || a.description.toLowerCase().includes(q) || a.tags.some((t) => t.includes(q)) || a.category.includes(q)
-  );
-}
-function findAdapter(index, idOrExecutable) {
-  return index.adapters.find(
-    (a) => a.id === idOrExecutable || a.executable === idOrExecutable
-  );
-}
-
-// src/shapes/shell-parser.ts
-import { basename as basename2 } from "path";
-import consola from "consola";
-import { parse as shellParse } from "shell-quote";
-var COMPOUND_OPERATORS = /* @__PURE__ */ new Set(["&&", "||", ";", "|", "&", ">", ">>", "<"]);
-function parseShellCommand(raw) {
-  const trimmed = raw.trim();
-  if (trimmed.length === 0) return null;
-  let tokens;
-  try {
-    tokens = shellParse(trimmed);
-  } catch {
-    return null;
-  }
-  const hasShellExpansion = /\$\(|`/.test(trimmed);
-  const hasOperatorToken = tokens.some((t) => typeof t === "object" && t !== null && "op" in t && COMPOUND_OPERATORS.has(t.op));
-  const isCompound = hasShellExpansion || hasOperatorToken;
-  const stringTokens = [];
-  for (const t of tokens) {
-    if (typeof t === "string") {
-      stringTokens.push(t);
-    } else {
-      break;
-    }
-  }
-  if (stringTokens.length === 0) return null;
-  return {
-    executable: stringTokens[0],
-    argv: stringTokens.slice(1),
-    isCompound,
-    raw: trimmed
-  };
-}
-function extractShellCommandString(command) {
-  if (command.length < 3) return null;
-  if (command[0] !== "bash" && command[0] !== "sh") return null;
-  if (command[1] !== "-c") return null;
-  return command.slice(2).join(" ");
-}
-async function loadOrInstallAdapter(cliId) {
-  const lookupId = basename2(cliId);
-  const local = tryLoadAdapter(lookupId);
-  if (local) return local;
-  try {
-    const index = await fetchRegistry();
-    const entry = findAdapter(index, lookupId);
-    if (!entry) return null;
-    consola.info(`Installing shapes adapter for ${entry.id} from registry...`);
-    await installAdapter(entry, { local: false });
-    appendAuditLog({
-      action: "adapter-auto-install",
-      cli_id: entry.id,
-      digest: entry.digest,
-      source: "ape-shell"
-    });
-    return tryLoadAdapter(entry.id);
-  } catch (err) {
-    consola.debug(`ape-shell adapter auto-install failed for ${lookupId}:`, err);
-    return null;
-  }
-}
-
-// src/shapes/capabilities.ts
-import { canonicalizeCliPermission as canonicalizeCliPermission2 } from "@openape/grants";
-function parseOperationChainEntry(entry) {
-  const [resource, selectorSpec = "*"] = entry.split(":", 2);
-  if (!resource) {
-    throw new Error(`Invalid resource chain entry: ${entry}`);
-  }
-  if (selectorSpec === "*") {
-    return { resource, selectorKeys: [] };
-  }
-  const selectorKeys = selectorSpec.split(",").map((segment) => {
-    const [key] = segment.split("=", 2);
-    if (!key)
-      throw new Error(`Invalid selector segment: ${segment}`);
-    return key;
-  });
-  return { resource, selectorKeys };
-}
-function operationChain(operation) {
-  return operation.resource_chain.map(parseOperationChainEntry);
-}
-function knownSelectorKeys(operations, resource) {
-  const keys = /* @__PURE__ */ new Set();
-  for (const operation of operations) {
-    for (const entry of operationChain(operation)) {
-      if (entry.resource !== resource)
-        continue;
-      for (const key of entry.selectorKeys) {
-        keys.add(key);
-      }
-    }
-  }
-  return Array.from(keys).sort();
-}
-function parseResourceSelector(raw) {
-  const [lhs, value] = raw.split("=", 2);
-  if (!lhs || !value) {
-    throw new Error(`Invalid selector: ${raw}`);
-  }
-  const [resource, key] = lhs.split(".", 2);
-  if (!resource || !key) {
-    throw new Error(`Selectors must be in resource.key=value form: ${raw}`);
-  }
-  return { resource, key, value };
-}
-function formatSelector(selector) {
-  if (!selector || Object.keys(selector).length === 0)
-    return "*";
-  return Object.entries(selector).sort(([a], [b]) => a.localeCompare(b)).map(([key, value]) => `${key}=${value}`).join(",");
-}
-function summarizeDetail(detail) {
-  const chain = detail.resource_chain.map((resource) => `${resource.resource}[${formatSelector(resource.selector)}]`).join(" -> ");
-  return `Allow ${detail.action} on ${detail.cli_id} ${chain}`;
-}
-function resolveCapabilityRequest(loaded, params) {
-  if (params.resources.length === 0) {
-    throw new Error("At least one --resource is required");
-  }
-  if (params.actions.length === 0) {
-    throw new Error("At least one --action is required");
-  }
-  const selectorMap = /* @__PURE__ */ new Map();
-  for (const rawSelector of params.selectors ?? []) {
-    const { resource, key, value } = parseResourceSelector(rawSelector);
-    const current = selectorMap.get(resource) ?? {};
-    current[key] = value;
-    selectorMap.set(resource, current);
-  }
-  const resource_chain = params.resources.map((resource) => {
-    const selector = selectorMap.get(resource);
-    const knownKeys = knownSelectorKeys(loaded.adapter.operations, resource);
-    if (selector) {
-      for (const key of Object.keys(selector)) {
-        if (!knownKeys.includes(key)) {
-          throw new Error(`Unknown selector ${resource}.${key} for adapter ${loaded.adapter.cli.id}`);
-        }
-      }
-    }
-    return selector && Object.keys(selector).length > 0 ? { resource, selector } : { resource };
-  });
-  const requestedSequence = params.resources.join("\0");
-  const matchingOperations = loaded.adapter.operations.filter((operation) => {
-    const sequence = operationChain(operation).map((entry) => entry.resource).join("\0");
-    return sequence === requestedSequence || sequence.startsWith(`${requestedSequence}\0`);
-  });
-  if (matchingOperations.length === 0) {
-    throw new Error(`No adapter operation supports resource chain: ${params.resources.join(" -> ")}`);
-  }
-  const details = params.actions.map((action) => {
-    const matchingActionOps = matchingOperations.filter((operation) => operation.action === action);
-    if (matchingActionOps.length === 0) {
-      throw new Error(`Action ${action} is not valid for resource chain: ${params.resources.join(" -> ")}`);
-    }
-    const exact_command = matchingActionOps.every((operation) => operation.exact_command === true);
-    const risks = ["low", "medium", "high", "critical"];
-    const risk = matchingActionOps.reduce((current, operation) => {
-      return risks.indexOf(operation.risk) > risks.indexOf(current) ? operation.risk : current;
-    }, "low");
-    const detail = {
-      type: "openape_cli",
-      cli_id: loaded.adapter.cli.id,
-      operation_id: `capability.${action}`,
-      resource_chain,
-      action,
-      permission: "",
-      display: "",
-      risk,
-      ...exact_command ? { constraints: { exact_command: true } } : {}
-    };
-    detail.permission = canonicalizeCliPermission2(detail);
-    detail.display = summarizeDetail(detail);
-    return detail;
-  });
-  return {
-    adapter: loaded.adapter,
-    source: loaded.source,
-    digest: loaded.digest,
-    executable: loaded.adapter.cli.executable,
-    details,
-    executionContext: {
-      adapter_id: loaded.adapter.cli.id,
-      adapter_version: loaded.adapter.cli.version ?? loaded.adapter.schema,
-      adapter_digest: loaded.digest,
-      resolved_executable: loaded.adapter.cli.executable,
-      context_bindings: Object.fromEntries(
-        Array.from(selectorMap.entries()).flatMap(
-          ([resource, selector]) => Object.entries(selector).map(([key, value]) => [`${resource}.${key}`, value])
-        )
-      )
-    },
-    permissions: details.map((detail) => detail.permission),
-    summary: details.map((detail) => detail.display).join("; ")
-  };
-}
-
-// src/shapes/parser.ts
-import { buildCliAuthDetail, computeArgvHash as computeArgvHash2, matchArgvToOperation } from "@openape/grants";
-async function resolveCommand(loaded, fullArgv) {
-  const [executable, ...commandArgv] = fullArgv;
-  if (!executable) {
-    throw new Error("Missing wrapped command");
-  }
-  if (executable !== loaded.adapter.cli.executable) {
-    throw new Error(`Adapter ${loaded.adapter.cli.id} expects executable ${loaded.adapter.cli.executable}, got ${executable}`);
-  }
-  const match = matchArgvToOperation(loaded.adapter.operations, commandArgv);
-  if (!match) {
-    throw new Error(`No adapter operation matched: ${fullArgv.join(" ")}`);
-  }
-  const { operation, bindings } = match;
-  const detail = buildCliAuthDetail(loaded.adapter.cli.id, operation, bindings);
-  return {
-    adapter: loaded.adapter,
-    source: loaded.source,
-    digest: loaded.digest,
-    executable,
-    commandArgv,
-    bindings,
-    detail,
-    executionContext: {
-      argv: fullArgv,
-      argv_hash: await computeArgvHash2(fullArgv),
-      adapter_id: loaded.adapter.cli.id,
-      adapter_version: loaded.adapter.cli.version ?? loaded.adapter.schema,
-      adapter_digest: loaded.digest,
-      resolved_executable: executable,
-      context_bindings: bindings
-    },
-    permission: detail.permission
-  };
-}
-
-// src/shapes/commands/explain.ts
-import { defineCommand } from "citty";
-var explainCommand = defineCommand({
-  meta: {
-    name: "explain",
-    description: "Show what permission a wrapped command would need"
-  },
-  args: {
-    adapter: {
-      type: "string",
-      description: "Explicit path to adapter TOML file"
-    },
-    _: {
-      type: "positional",
-      description: "Wrapped command (after --)",
-      required: false
-    }
-  },
-  async run({ rawArgs }) {
-    const command = extractWrappedCommand(rawArgs ?? []);
-    if (command.length === 0)
-      throw new Error("Missing wrapped command. Usage: shapes explain [--adapter <file>] -- <cli> ...");
-    const adapterOpt = extractOption(rawArgs ?? [], "adapter");
-    const loaded = loadAdapter(command[0], adapterOpt);
-    const resolved = await resolveCommand(loaded, command);
-    process.stdout.write(`${JSON.stringify({
-      adapter: resolved.adapter.cli.id,
-      source: resolved.source,
-      operation: resolved.detail.operation_id,
-      display: resolved.detail.display,
-      permission: resolved.permission,
-      resource_chain: resolved.detail.resource_chain,
-      exact_command: resolved.detail.constraints?.exact_command ?? false,
-      adapter_digest: resolved.digest
-    }, null, 2)}
-`);
-  }
-});
-function extractWrappedCommand(args) {
-  const delimiter = args.indexOf("--");
-  return delimiter >= 0 ? args.slice(delimiter + 1) : [];
-}
-function extractOption(args, name) {
-  const delimiter = args.indexOf("--");
-  const optionArgs = delimiter >= 0 ? args.slice(0, delimiter) : args;
-  const index = optionArgs.indexOf(`--${name}`);
-  if (index >= 0 && index + 1 < optionArgs.length)
-    return optionArgs[index + 1];
-  return void 0;
-}
-
-// src/shapes/grants.ts
-import { computeCmdHash } from "@openape/core";
-import { cliAuthorizationDetailCovers, verifyAuthzJWT } from "@openape/grants";
-import { execFileSync } from "child_process";
-import { hostname } from "os";
-import consola2 from "consola";
-
-// src/shapes/config.ts
-import { existsSync as existsSync5, readFileSync as readFileSync4 } from "fs";
-import { homedir as homedir5 } from "os";
-import { join as join5 } from "path";
-var AUTH_FILE = join5(homedir5(), ".config", "apes", "auth.json");
-function loadAuth() {
-  if (!existsSync5(AUTH_FILE))
-    return null;
-  try {
-    return JSON.parse(readFileSync4(AUTH_FILE, "utf-8"));
-  } catch {
-    return null;
-  }
-}
-function getIdpUrl(explicit) {
-  if (explicit)
-    return explicit;
-  if (process.env.APES_IDP)
-    return process.env.APES_IDP;
-  if (process.env.SHAPES_IDP)
-    return process.env.SHAPES_IDP;
-  return loadAuth()?.idp ?? null;
-}
-function getAuthToken() {
-  const auth = loadAuth();
-  if (!auth)
-    return null;
-  if (auth.expires_at && Date.now() / 1e3 > auth.expires_at - 30)
-    return null;
-  return auth.access_token;
-}
-function getRequesterIdentity() {
-  return loadAuth()?.email ?? null;
-}
-
-// src/shapes/http.ts
-async function discoverEndpoints(idpUrl) {
-  const response = await fetch(`${idpUrl}/.well-known/openid-configuration`);
-  if (!response.ok)
-    return {};
-  return response.json();
-}
-async function getGrantsEndpoint(idpUrl) {
-  const discovery = await discoverEndpoints(idpUrl);
-  return String(discovery.openape_grants_endpoint ?? `${idpUrl}/api/grants`);
-}
-async function apiFetch(path, options = {}) {
-  const token = options.token ?? getAuthToken();
-  if (!token)
-    throw new Error("Not authenticated. Run `apes login` first.");
-  const idp = options.idp ?? getIdpUrl();
-  if (!path.startsWith("http") && !idp)
-    throw new Error("No IdP URL configured. Use --idp or log in with apes.");
-  const url = path.startsWith("http") ? path : `${idp}${path}`;
-  const response = await fetch(url, {
-    method: options.method ?? "GET",
-    headers: {
-      Authorization: `Bearer ${token}`,
-      "Content-Type": "application/json"
-    },
-    body: options.body ? JSON.stringify(options.body) : void 0
-  });
-  if (!response.ok) {
-    const text = await response.text();
-    throw new Error(text || `${response.status} ${response.statusText}`);
-  }
-  return response.json();
-}
-
-// src/audit/generic-log.ts
-import { mkdir, appendFile } from "fs/promises";
-import { homedir as homedir6 } from "os";
-import { dirname as dirname2, join as join6 } from "path";
-function defaultGenericLogPath() {
-  return join6(homedir6(), ".config", "apes", "generic-calls.log");
-}
-async function appendGenericCallLog(entry, logPath) {
-  const path = logPath ?? defaultGenericLogPath();
-  await mkdir(dirname2(path), { recursive: true });
-  await appendFile(path, `${JSON.stringify(entry)}
-`, "utf-8");
-}
-
-// src/shapes/grants.ts
-function decodePayload(token) {
-  const [, payload] = token.split(".");
-  if (!payload)
-    throw new Error("Invalid JWT");
-  return JSON.parse(Buffer.from(payload, "base64url").toString("utf-8"));
-}
-async function createShapesGrant(resolved, params) {
-  const grantsEndpoint = await getGrantsEndpoint(params.idp);
-  const requester = getRequesterIdentity();
-  if (!requester) {
-    throw new Error("No requester identity available. Run `apes login` first.");
-  }
-  return apiFetch(grantsEndpoint, {
-    method: "POST",
-    idp: params.idp,
-    body: {
-      requester,
-      target_host: hostname(),
-      audience: resolved.adapter.cli.audience ?? "shapes",
-      grant_type: params.approval,
-      command: resolved.executionContext.argv,
-      reason: params.reason ?? resolved.detail.display,
-      permissions: [resolved.permission],
-      authorization_details: [resolved.detail],
-      execution_context: resolved.executionContext
-    }
-  });
-}
-async function waitForGrantStatus(idp, grantId) {
-  const grantsEndpoint = await getGrantsEndpoint(idp);
-  const deadline = Date.now() + 3e5;
-  while (Date.now() < deadline) {
-    const grant = await apiFetch(`${grantsEndpoint}/${grantId}`, { idp });
-    if (grant.status === "approved" || grant.status === "denied" || grant.status === "revoked")
-      return grant.status;
-    await new Promise((resolve) => setTimeout(resolve, 3e3));
-  }
-  throw new Error("Timed out waiting for grant approval");
-}
-async function fetchGrantToken(idp, grantId) {
-  const grantsEndpoint = await getGrantsEndpoint(idp);
-  const response = await apiFetch(`${grantsEndpoint}/${grantId}/token`, {
-    method: "POST",
-    idp
-  });
-  return response.authz_jwt;
-}
-function grantedCliDetails(claims) {
-  const details = claims.authorization_details;
-  if (!Array.isArray(details))
-    return [];
-  return details.filter(
-    (detail) => typeof detail === "object" && detail !== null && detail.type === "openape_cli"
-  );
-}
-function hasStructuredCliGrant(claims) {
-  return grantedCliDetails(claims).length > 0;
-}
-async function verifyAndConsume(token, resolved) {
-  const payload = decodePayload(token);
-  const issuer = String(payload.iss ?? "");
-  if (!issuer)
-    throw new Error("Grant token is missing issuer");
-  const discovery = await discoverEndpoints(issuer);
-  const jwksUri = String(discovery.jwks_uri ?? `${issuer}/.well-known/jwks.json`);
-  const result = await verifyAuthzJWT(token, {
-    expectedIss: issuer,
-    expectedAud: resolved.adapter.cli.audience ?? "shapes",
-    jwksUri
-  });
-  if (!result.valid || !result.claims) {
-    throw new Error(result.error ?? "Grant verification failed");
-  }
-  const claims = result.claims;
-  const details = grantedCliDetails(claims);
-  if (claims.execution_context?.adapter_digest && claims.execution_context.adapter_digest !== resolved.digest) {
-    throw new Error("Adapter digest mismatch");
-  }
-  if (!hasStructuredCliGrant(claims)) {
-    const argv = resolved.executionContext.argv;
-    if (!argv?.length) {
-      throw new Error("Resolved command is missing argv");
-    }
-    const expectedCmdHash = await computeCmdHash(argv.join(" "));
-    if (claims.command?.join("\0") !== argv.join("\0")) {
-      throw new Error("Granted command does not match current argv");
-    }
-    if (claims.cmd_hash && claims.cmd_hash !== expectedCmdHash) {
-      throw new Error("Granted command does not match current argv");
-    }
-    if (!claims.command?.length && !claims.cmd_hash) {
-      throw new Error("Grant is not a structured CLI grant and is missing command binding");
-    }
-  } else {
-    if (!details.some((detail) => cliAuthorizationDetailCovers(detail, resolved.detail))) {
-      throw new Error(`Grant does not cover required permission: ${resolved.permission}`);
-    }
-    const exactRequired = details.some(
-      (detail) => cliAuthorizationDetailCovers(detail, resolved.detail) && detail.constraints?.exact_command
-    );
-    const isOnce = claims.grant_type === "once" || claims.approval === "once";
-    const enforceArgvHash = exactRequired || isOnce && !!claims.execution_context?.argv_hash;
-    if (enforceArgvHash && claims.execution_context?.argv_hash !== resolved.executionContext.argv_hash) {
-      throw new Error("Granted command does not match current argv");
-    }
-  }
-  const grantsEndpoint = await getGrantsEndpoint(issuer);
-  const consume = await fetch(`${grantsEndpoint}/${claims.grant_id}/consume`, {
-    method: "POST",
-    headers: {
-      Authorization: `Bearer ${token}`
-    }
-  });
-  if (!consume.ok) {
-    throw new Error(`Consume failed: ${consume.status} ${consume.statusText}`);
-  }
-  const consumeResult = await consume.json();
-  if (consumeResult.error) {
-    throw new Error(`Grant rejected at consume step: ${consumeResult.error}`);
-  }
-}
-function executeResolvedViaExec(resolved) {
-  consola2.info(`Executing ${(resolved.executionContext.argv ?? [resolved.executable, ...resolved.commandArgv]).join(" ")}`);
-  execFileSync(resolved.executable, resolved.commandArgv, { stdio: "inherit" });
-}
-async function verifyAndExecute(token, resolved, grantId) {
-  await verifyAndConsume(token, resolved);
-  const isGeneric = isGenericResolved(resolved);
-  const start = Date.now();
-  let exitCode = 0;
-  try {
-    executeResolvedViaExec(resolved);
-  } catch (err) {
-    exitCode = err?.status ?? 1;
-    throw err;
-  } finally {
-    if (isGeneric && grantId) {
-      try {
-        await appendGenericCallLog(
-          {
-            ts: (/* @__PURE__ */ new Date()).toISOString(),
-            cli: resolved.detail.cli_id,
-            argv: resolved.executionContext.argv ?? [resolved.executable, ...resolved.commandArgv],
-            argv_hash: resolved.executionContext.argv_hash ?? "",
-            grant_id: grantId,
-            exit_code: exitCode,
-            duration_ms: Date.now() - start
-          },
-          getGenericAuditLogPath()
-        );
-      } catch (logErr) {
-        consola2.debug("Failed to append generic-call audit entry:", logErr);
-      }
-    }
-  }
-}
-async function resolveFromGrant(grant) {
-  const argv = grant.request?.command;
-  if (!argv || argv.length === 0)
-    throw new Error("Grant request is missing command argv");
-  const executable = argv[0];
-  const adapter = await loadOrInstallAdapter(executable);
-  if (!adapter)
-    throw new Error(`No shapes adapter found for ${executable}`);
-  const resolved = await resolveCommand(adapter, argv);
-  const grantDigest = grant.request.execution_context?.adapter_digest;
-  if (grantDigest && grantDigest !== resolved.digest) {
-    throw new Error(
-      `Adapter digest mismatch: grant was created against adapter ${grantDigest}, but local adapter is ${resolved.digest}. Reinstall or revert the adapter.`
-    );
-  }
-  return resolved;
-}
-async function findExistingGrant(resolved, idp) {
-  const grantsEndpoint = await getGrantsEndpoint(idp);
-  const response = await apiFetch(
-    `${grantsEndpoint}?status=approved`,
-    { idp }
-  );
-  const now = Math.floor(Date.now() / 1e3);
-  const expectedAudience = resolved.adapter.cli.audience ?? "shapes";
-  for (const grant of response.data) {
-    const req = grant.request;
-    if (req.grant_type === "once")
-      continue;
-    if (req.grant_type === "timed" && grant.expires_at && grant.expires_at <= now)
-      continue;
-    if (req.audience !== expectedAudience)
-      continue;
-    if (req.execution_context?.adapter_digest && req.execution_context.adapter_digest !== resolved.digest)
-      continue;
-    const cliDetails = (req.authorization_details ?? []).filter(
-      (d) => d.type === "openape_cli"
-    );
-    if (cliDetails.length > 0) {
-      if (cliDetails.some((detail) => cliAuthorizationDetailCovers(detail, resolved.detail)))
-        return grant.id;
-    } else if (req.permissions?.includes(resolved.permission)) {
-      return grant.id;
-    }
-  }
-  return null;
-}
-
-// src/shapes/request-builders.ts
-import { computeCmdHash as computeCmdHash2 } from "@openape/core";
-async function buildExactCommandGrantRequest(command, options) {
-  return {
-    request: {
-      requester: options.requester,
-      target_host: options.target_host,
-      audience: options.audience,
-      grant_type: options.grant_type,
-      command,
-      cmd_hash: await computeCmdHash2(command.join(" ")),
-      ...options.reason ? { reason: options.reason } : {},
-      ...options.run_as ? { run_as: options.run_as } : {}
-    }
-  };
-}
-async function buildStructuredCliGrantRequest(resolved, options) {
-  const details = "detail" in resolved ? [resolved.detail] : resolved.details;
-  const permissions = "permission" in resolved ? [resolved.permission] : resolved.permissions;
-  const command = "executionContext" in resolved && resolved.executionContext.argv?.length ? resolved.executionContext.argv : void 0;
-  return {
-    request: {
-      requester: options.requester,
-      target_host: options.target_host,
-      audience: resolved.adapter.cli.audience ?? "shapes",
-      grant_type: options.grant_type,
-      permissions,
-      authorization_details: details,
-      execution_context: resolved.executionContext,
-      ...command ? { command } : {},
-      ...options.reason ? { reason: options.reason } : { reason: "summary" in resolved ? resolved.summary : details[0]?.display },
-      ...options.run_as ? { run_as: options.run_as } : {}
-    }
-  };
-}
-
-export {
-  GENERIC_OPERATION_ID,
-  buildGenericResolved,
-  resolveAdapterPath,
-  loadAdapter,
-  resolveGenericOrReject,
-  tryLoadAdapter,
-  appendAuditLog,
-  installAdapter,
-  getInstalledDigest,
-  isInstalled,
-  removeAdapter,
-  findConflictingAdapters,
-  fetchRegistry,
-  searchAdapters,
-  findAdapter,
-  parseShellCommand,
-  extractShellCommandString,
-  loadOrInstallAdapter,
-  resolveCapabilityRequest,
-  resolveCommand,
-  extractWrappedCommand,
-  extractOption,
-  createShapesGrant,
-  waitForGrantStatus,
-  fetchGrantToken,
-  verifyAndConsume,
-  verifyAndExecute,
-  resolveFromGrant,
-  findExistingGrant,
-  buildExactCommandGrantRequest,
-  buildStructuredCliGrantRequest
-};
-//# sourceMappingURL=chunk-PEA2RDWK.js.map