@openape/apes 1.28.3 → 1.28.5

package/dist/cli.js

@@ -2644,13 +2644,91 @@ var cleanupOrphansCommand = defineCommand23({
 });
 
 // src/commands/agents/code.ts
-import { existsSync as existsSync4, readFileSync as readFileSync3 } from "fs";
-import { homedir as homedir4 } from "os";
-import { join as join2 } from "path";
+import { existsSync as existsSync5, readFileSync as readFileSync4 } from "fs";
+import { homedir as homedir5 } from "os";
+import { join as join3 } from "path";
 import process2 from "process";
 import { defineCommand as defineCommand24 } from "citty";
 import { consola as consola21 } from "consola";
 
+// src/lib/agent-secrets-runtime.ts
+import { existsSync as existsSync4, readdirSync, readFileSync as readFileSync3, watch } from "fs";
+import { homedir as homedir4 } from "os";
+import { join as join2 } from "path";
+import { openString } from "@openape/core";
+var CONFIG_DIR2 = join2(homedir4(), ".config", "openape");
+var SECRETS_DIR = join2(CONFIG_DIR2, "secrets.d");
+var X25519_KEY_PATH = join2(CONFIG_DIR2, "agent-x25519.key");
+var X25519_PUBKEY_PATH = `${X25519_KEY_PATH}.pub`;
+function envNameFromFile(file) {
+  if (!file.endsWith(".blob")) return null;
+  const env = file.slice(0, -".blob".length);
+  return /^[A-Z][A-Z0-9_]*$/.test(env) ? env : null;
+}
+function readAgentEncryptionKey(keyPath = X25519_KEY_PATH) {
+  if (!existsSync4(keyPath)) return null;
+  const k = readFileSync3(keyPath, "utf8").trim();
+  return k.length > 0 ? k : null;
+}
+function readAgentEncryptionPublicKey(pubPath = X25519_PUBKEY_PATH) {
+  if (!existsSync4(pubPath)) return null;
+  const k = readFileSync3(pubPath, "utf8").trim();
+  return k.length > 0 ? k : null;
+}
+function materializeSecrets(opts = {}) {
+  const dir = opts.dir ?? SECRETS_DIR;
+  const env = opts.env ?? process.env;
+  const log = opts.log ?? (() => {
+  });
+  const applied = [];
+  const failed = [];
+  const key = readAgentEncryptionKey(opts.keyPath);
+  const files = key && existsSync4(dir) ? readdirSync(dir) : [];
+  for (const file of files) {
+    const name = envNameFromFile(file);
+    if (!name) continue;
+    try {
+      const box = JSON.parse(readFileSync3(join2(dir, file), "utf8"));
+      env[name] = openString(box, key);
+      applied.push(name);
+    } catch (e) {
+      failed.push(file);
+      log(`secrets: failed to open ${file}: ${e.message}`);
+    }
+  }
+  const live = new Set(applied);
+  for (const prev of opts.previouslyApplied ?? []) {
+    if (!live.has(prev)) {
+      delete env[prev];
+      log(`secrets: revoked ${prev}`);
+    }
+  }
+  return { applied, failed };
+}
+function startSecretsWatcher(opts = {}) {
+  const dir = opts.dir ?? SECRETS_DIR;
+  const log = opts.log ?? (() => {
+  });
+  let appliedNames = /* @__PURE__ */ new Set();
+  const run = () => {
+    const r = materializeSecrets({ ...opts, previouslyApplied: appliedNames });
+    appliedNames = new Set(r.applied);
+  };
+  run();
+  if (!existsSync4(dir)) return () => {
+  };
+  let timer = null;
+  const watcher = watch(dir, () => {
+    if (timer) clearTimeout(timer);
+    timer = setTimeout(run, 150);
+  });
+  watcher.on("error", (err) => log(`secrets: watcher error: ${err.message}`));
+  return () => {
+    if (timer) clearTimeout(timer);
+    watcher.close();
+  };
+}
+
 // src/lib/coding/issue-task.ts
 var DEFAULT_TEMPLATE = "{type}/issue-{number}-{slug}";
 var DEFAULT_TYPE = "fix";
@@ -3003,9 +3081,9 @@ var DEFAULT_PERSONA = [
 ].join(" ");
 function readLitellmConfig(model) {
   const env = {};
-  const envPath = join2(homedir4(), "litellm", ".env");
-  if (existsSync4(envPath)) {
-    for (const raw of readFileSync3(envPath, "utf8").split("\n")) {
+  const envPath = join3(homedir5(), "litellm", ".env");
+  if (existsSync5(envPath)) {
+    for (const raw of readFileSync4(envPath, "utf8").split("\n")) {
       const line = raw.trim();
       const m = /^([A-Z_][A-Z0-9_]*)=(.*)$/.exec(line);
       if (m) env[m[1]] = m[2].trim().replace(/^["']|["']$/g, "");
@@ -3020,11 +3098,11 @@ function readLitellmConfig(model) {
   return { apiBase, apiKey, model: model || process2.env.APE_CHAT_BRIDGE_MODEL || "claude-haiku-4-5" };
 }
 function readPersona(file) {
-  if (file && existsSync4(file)) return readFileSync3(file, "utf8");
-  const agentJson = join2(homedir4(), ".openape", "agent", "agent.json");
-  if (existsSync4(agentJson)) {
+  if (file && existsSync5(file)) return readFileSync4(file, "utf8");
+  const agentJson = join3(homedir5(), ".openape", "agent", "agent.json");
+  if (existsSync5(agentJson)) {
     try {
-      const p = JSON.parse(readFileSync3(agentJson, "utf8"));
+      const p = JSON.parse(readFileSync4(agentJson, "utf8"));
       if (p.systemPrompt?.trim()) return p.systemPrompt;
     } catch {
     }
@@ -3056,6 +3134,11 @@ var codeAgentCommand = defineCommand24({
   async run({ args }) {
     const repo = args.repo;
     const forge = args.forge || detectForge(repo);
+    try {
+      const { applied } = materializeSecrets();
+      if (applied.length > 0) consola21.info(`Capabilities available: ${applied.join(", ")}`);
+    } catch {
+    }
     const config = readLitellmConfig(args.model);
     const persona = readPersona(args["persona-file"]);
     const maxSteps = Number(args["max-steps"]) > 0 ? Number(args["max-steps"]) : 40;
@@ -3074,7 +3157,13 @@ var codeAgentCommand = defineCommand24({
     if (args["poll-label"]) {
       const slug = repo.replace(/^https:\/\/github\.com\//, "").replace(/\.git$/, "");
       const list = await runApeShell(`gh issue list --repo ${slug} --label '${args["poll-label"]}' --state open --json number --jq '.[].number'`);
-      refs.push(...list.stdout.split("\n").map((s) => s.trim()).filter(Boolean));
+      if (list.exit_code !== 0) {
+        throw new CliError2(`gh issue list failed (exit ${list.exit_code}): ${(list.stderr || list.stdout).slice(0, 300)}`);
+      }
+      if (list.stdout.trim() === "" && /gh auth login|GH_TOKEN/i.test(list.stderr)) {
+        throw new CliError2("gh is not authenticated (no GH_TOKEN). The agent's GH_TOKEN capability is not materialized \u2014 bind it via the deploy/secrets flow.");
+      }
+      refs.push(...list.stdout.split("\n").map((s) => s.trim()).filter((s) => /^\d+$/.test(s)));
       if (refs.length === 0) {
         consola21.info("no open issues with that label");
         return;
@@ -3099,27 +3188,27 @@ ${result.reason}`);
 import { execFileSync as execFileSync6 } from "child_process";
 import { mkdtempSync, rmSync as rmSync2, writeFileSync as writeFileSync2 } from "fs";
 import { tmpdir, userInfo } from "os";
-import { join as join4 } from "path";
+import { join as join5 } from "path";
 import { defineCommand as defineCommand25 } from "citty";
 import consola22 from "consola";
 
 // src/lib/nest-registry.ts
-import { existsSync as existsSync5, mkdirSync, readFileSync as readFileSync4, writeFileSync } from "fs";
-import { homedir as homedir5 } from "os";
-import { join as join3 } from "path";
+import { existsSync as existsSync6, mkdirSync, readFileSync as readFileSync5, writeFileSync } from "fs";
+import { homedir as homedir6 } from "os";
+import { join as join4 } from "path";
 function resolveRegistryPath() {
-  if (existsSync5("/var/openape/nest/agents.json")) return "/var/openape/nest/agents.json";
-  if (existsSync5("/var/openape/nest")) return "/var/openape/nest/agents.json";
-  return join3(homedir5(), ".openape", "nest", "agents.json");
+  if (existsSync6("/var/openape/nest/agents.json")) return "/var/openape/nest/agents.json";
+  if (existsSync6("/var/openape/nest")) return "/var/openape/nest/agents.json";
+  return join4(homedir6(), ".openape", "nest", "agents.json");
 }
 function emptyRegistry() {
   return { version: 1, agents: [] };
 }
 function readNestRegistry() {
   const path2 = resolveRegistryPath();
-  if (!existsSync5(path2)) return emptyRegistry();
+  if (!existsSync6(path2)) return emptyRegistry();
   try {
-    const parsed = JSON.parse(readFileSync4(path2, "utf8"));
+    const parsed = JSON.parse(readFileSync5(path2, "utf8"));
     if (parsed?.version !== 1 || !Array.isArray(parsed.agents)) return emptyRegistry();
     return parsed;
   } catch {
@@ -3348,8 +3437,8 @@ ${consequences.join("\n")}`);
           }
         }
         if (adminPassword) {
-          const scratch = mkdtempSync(join4(tmpdir(), `apes-destroy-${name}-`));
-          const scriptPath = join4(scratch, "teardown.sh");
+          const scratch = mkdtempSync(join5(tmpdir(), `apes-destroy-${name}-`));
+          const scriptPath = join5(scratch, "teardown.sh");
           try {
             const script = buildDestroyTeardownScript({ name, homeDir, adminUser });
             writeFileSync2(scriptPath, script, { mode: 448 });
@@ -3458,7 +3547,7 @@ var listAgentsCommand = defineCommand26({
 });
 
 // src/commands/agents/register.ts
-import { existsSync as existsSync6, readFileSync as readFileSync5 } from "fs";
+import { existsSync as existsSync7, readFileSync as readFileSync6 } from "fs";
 import { defineCommand as defineCommand27 } from "citty";
 import consola24 from "consola";
 var registerAgentCommand = defineCommand27({
@@ -3506,10 +3595,10 @@ var registerAgentCommand = defineCommand27({
       throw new CliError("Pass either --public-key or --public-key-file, not both.");
     }
     if (!publicKey && keyFile) {
-      if (!existsSync6(keyFile)) {
+      if (!existsSync7(keyFile)) {
         throw new CliError(`Public-key file not found: ${keyFile}`);
       }
-      publicKey = readFileSync5(keyFile, "utf-8").trim();
+      publicKey = readFileSync6(keyFile, "utf-8").trim();
     }
     if (!publicKey) {
       throw new CliError('Provide --public-key "<ssh-ed25519 line>" or --public-key-file <path>.');
@@ -3549,86 +3638,6 @@ import { homedir as homedir7 } from "os";
 import { join as join6 } from "path";
 import { defineCommand as defineCommand28 } from "citty";
 import consola25 from "consola";
-
-// src/lib/agent-secrets-runtime.ts
-import { existsSync as existsSync7, readdirSync, readFileSync as readFileSync6, watch } from "fs";
-import { homedir as homedir6 } from "os";
-import { join as join5 } from "path";
-import { openString } from "@openape/core";
-var CONFIG_DIR2 = join5(homedir6(), ".config", "openape");
-var SECRETS_DIR = join5(CONFIG_DIR2, "secrets.d");
-var X25519_KEY_PATH = join5(CONFIG_DIR2, "agent-x25519.key");
-var X25519_PUBKEY_PATH = `${X25519_KEY_PATH}.pub`;
-function envNameFromFile(file) {
-  if (!file.endsWith(".blob")) return null;
-  const env = file.slice(0, -".blob".length);
-  return /^[A-Z][A-Z0-9_]*$/.test(env) ? env : null;
-}
-function readAgentEncryptionKey(keyPath = X25519_KEY_PATH) {
-  if (!existsSync7(keyPath)) return null;
-  const k = readFileSync6(keyPath, "utf8").trim();
-  return k.length > 0 ? k : null;
-}
-function readAgentEncryptionPublicKey(pubPath = X25519_PUBKEY_PATH) {
-  if (!existsSync7(pubPath)) return null;
-  const k = readFileSync6(pubPath, "utf8").trim();
-  return k.length > 0 ? k : null;
-}
-function materializeSecrets(opts = {}) {
-  const dir = opts.dir ?? SECRETS_DIR;
-  const env = opts.env ?? process.env;
-  const log = opts.log ?? (() => {
-  });
-  const applied = [];
-  const failed = [];
-  const key = readAgentEncryptionKey(opts.keyPath);
-  const files = key && existsSync7(dir) ? readdirSync(dir) : [];
-  for (const file of files) {
-    const name = envNameFromFile(file);
-    if (!name) continue;
-    try {
-      const box = JSON.parse(readFileSync6(join5(dir, file), "utf8"));
-      env[name] = openString(box, key);
-      applied.push(name);
-    } catch (e) {
-      failed.push(file);
-      log(`secrets: failed to open ${file}: ${e.message}`);
-    }
-  }
-  const live = new Set(applied);
-  for (const prev of opts.previouslyApplied ?? []) {
-    if (!live.has(prev)) {
-      delete env[prev];
-      log(`secrets: revoked ${prev}`);
-    }
-  }
-  return { applied, failed };
-}
-function startSecretsWatcher(opts = {}) {
-  const dir = opts.dir ?? SECRETS_DIR;
-  const log = opts.log ?? (() => {
-  });
-  let appliedNames = /* @__PURE__ */ new Set();
-  const run = () => {
-    const r = materializeSecrets({ ...opts, previouslyApplied: appliedNames });
-    appliedNames = new Set(r.applied);
-  };
-  run();
-  if (!existsSync7(dir)) return () => {
-  };
-  let timer = null;
-  const watcher = watch(dir, () => {
-    if (timer) clearTimeout(timer);
-    timer = setTimeout(run, 150);
-  });
-  watcher.on("error", (err) => log(`secrets: watcher error: ${err.message}`));
-  return () => {
-    if (timer) clearTimeout(timer);
-    watcher.close();
-  };
-}
-
-// src/commands/agents/run.ts
 var AUTH_PATH = join6(homedir7(), ".config", "apes", "auth.json");
 var TASK_CACHE_DIR = join6(homedir7(), ".openape", "agent", "tasks");
 function readAuth() {
@@ -5996,7 +6005,7 @@ async function runAdapterMode(command, rawArgs, args) {
   if (!idp)
     throw new Error("No IdP URL configured. Run `apes login` first or pass --idp.");
   if (args.as) {
-    await runAudienceMode("escapes", command.join(" "), args);
+    await runAudienceMode("escapes", command.join(" "), args, command);
     return;
   }
   const adapterOpt = extractOption(rawArgs, "adapter");
@@ -6054,14 +6063,14 @@ async function runAdapterMode(command, rawArgs, args) {
   printPendingGrantInfo(grant, idp);
   throw new CliExit(getAsyncExitCode());
 }
-async function runAudienceMode(audience, action, args) {
+async function runAudienceMode(audience, action, args, commandArgv) {
   const auth = loadAuth();
   if (!auth) {
     throw new CliError("Not logged in. Run `apes login` first.");
   }
   const idp = getIdpUrl(args.idp);
   const grantsUrl = await getGrantsEndpoint(idp);
-  const command = action.split(" ");
+  const command = commandArgv ?? action.split(" ");
   const targetHost = args.host || hostname5();
   const runAs = resolveRunAsTarget(args.as ?? void 0);
   const reusableId = await findReusableAudienceGrant({
@@ -6729,7 +6738,7 @@ var mcpCommand = defineCommand52({
     if (transport !== "stdio" && transport !== "sse") {
       throw new Error('Transport must be "stdio" or "sse"');
     }
-    const { startMcpServer } = await import("./server-5N27B7F2.js");
+    const { startMcpServer } = await import("./server-QQ6WQ244.js");
     await startMcpServer(transport, port);
   }
 });
@@ -7367,7 +7376,7 @@ async function bestEffortGrantCount(idp) {
   }
 }
 async function runHealth(args) {
-  const version = true ? "1.28.3" : "0.0.0";
+  const version = true ? "1.28.5" : "0.0.0";
   const auth = loadAuth();
   if (!auth) {
     throw new CliError("Not logged in. Run `apes login` first.", 1);
@@ -7640,10 +7649,10 @@ if (shellRewrite) {
   if (shellRewrite.action === "rewrite") {
     process.argv = shellRewrite.argv;
   } else if (shellRewrite.action === "version") {
-    console.log(`ape-shell ${"1.28.3"} (OpenApe DDISA shell wrapper)`);
+    console.log(`ape-shell ${"1.28.5"} (OpenApe DDISA shell wrapper)`);
     process.exit(0);
   } else if (shellRewrite.action === "help") {
-    console.log(`ape-shell ${"1.28.3"} \u2014 OpenApe DDISA shell wrapper`);
+    console.log(`ape-shell ${"1.28.5"} \u2014 OpenApe DDISA shell wrapper`);
     console.log("");
     console.log("Usage:");
     console.log("  ape-shell                 Start interactive grant-mediated REPL");
@@ -7701,7 +7710,7 @@ var configCommand = defineCommand64({
 var main = defineCommand64({
   meta: {
     name: "apes",
-    version: "1.28.3",
+    version: "1.28.5",
     description: "Unified CLI for OpenApe"
   },
   subCommands: {
@@ -7759,7 +7768,7 @@ async function maybeRefreshAuth() {
   }
 }
 await maybeRefreshAuth();
-await maybeWarnStaleVersion("1.28.3").catch(() => {
+await maybeWarnStaleVersion("1.28.5").catch(() => {
 });
 runMain(main).catch((err) => {
   if (err instanceof CliExit) {