@openape/apes 1.30.0 → 1.31.1

package/dist/cli.js

@@ -2,8 +2,11 @@
 import {
   CliError,
   CliExit,
-  parseDuration
-} from "./chunk-QMMRZPD2.js";
+  materializeSecrets,
+  parseDuration,
+  readAgentEncryptionPublicKey,
+  startSecretsWatcher
+} from "./chunk-3LH4FT4R.js";
 import {
   loadEd25519PrivateKey,
   readPublicKeyComment
@@ -50,7 +53,7 @@ import {
   getAgentChallengeEndpoint,
   getDelegationsEndpoint,
   getGrantsEndpoint
-} from "./chunk-NYJSBFLG.js";
+} from "./chunk-MMBFV5WN.js";
 import {
   AUTH_FILE,
   CONFIG_DIR,
@@ -65,7 +68,7 @@ import {
 } from "./chunk-OBF7IMQ2.js";
 
 // src/cli.ts
-import consola52 from "consola";
+import consola54 from "consola";
 
 // src/ape-shell.ts
 import path from "path";
@@ -95,10 +98,10 @@ function rewriteApeShellArgs(argv, argv0) {
 }
 
 // src/cli.ts
-import { defineCommand as defineCommand64, runMain } from "citty";
+import { defineCommand as defineCommand65, runMain } from "citty";
 
 // src/commands/auth/login.ts
-import { Buffer as Buffer2 } from "buffer";
+import { Buffer } from "buffer";
 import { execFile } from "child_process";
 import { createServer } from "http";
 import { homedir as homedir2 } from "os";
@@ -308,7 +311,7 @@ async function loginWithPKCE(idp) {
   authUrl.searchParams.set("state", state);
   authUrl.searchParams.set("nonce", nonce);
   authUrl.searchParams.set("scope", "openid email profile offline_access");
-  const code = await new Promise((resolve4, reject) => {
+  const code = await new Promise((resolve5, reject) => {
     const server = createServer((req, res) => {
       const url = new URL(req.url, `http://localhost:${CALLBACK_PORT}`);
       if (url.pathname === "/callback") {
@@ -325,7 +328,7 @@ async function loginWithPKCE(idp) {
           res.writeHead(200, { "Content-Type": "text/html" });
           res.end("<h1>Login successful!</h1><p>You can close this window.</p>");
           server.close();
-          resolve4(authCode);
+          resolve5(authCode);
           return;
         }
         res.writeHead(400);
@@ -397,7 +400,7 @@ async function loginWithKey(idp, keyPath, agentEmail) {
   const { challenge } = await challengeResp.json();
   const keyContent = readFileSync18(keyPath, "utf-8");
   const privateKey = loadEd25519PrivateKey2(keyContent);
-  const signature = sign3(null, Buffer2.from(challenge), privateKey).toString("base64");
+  const signature = sign3(null, Buffer.from(challenge), privateKey).toString("base64");
   const authenticateUrl = await getAgentAuthenticateEndpoint(idp);
   const authResp = await fetch(authenticateUrl, {
     method: "POST",
@@ -888,7 +891,7 @@ async function waitForApproval2(grantsUrl, grantId) {
     if (grant.status === "revoked") {
       throw new CliError("Grant revoked.");
     }
-    await new Promise((resolve4) => setTimeout(resolve4, interval));
+    await new Promise((resolve5) => setTimeout(resolve5, interval));
   }
   throw new CliError("Timed out waiting for approval.");
 }
@@ -1460,12 +1463,75 @@ var delegationRevokeCommand = defineCommand16({
   }
 });
 
+// src/commands/grants/llm.ts
+import { defineCommand as defineCommand17 } from "citty";
+import consola16 from "consola";
+var AUDIENCE = "llms.openape.ai";
+var RESOURCE = "llm-account";
+function templateFor(account) {
+  return account === "*" ? [{ resource: RESOURCE }] : [{ resource: RESOURCE, selector: { account } }];
+}
+function accountOf(g) {
+  return (g.request.resource_chain_template ?? []).filter((r) => r.resource === RESOURCE).map((r) => r.selector?.account ?? "*").join(",") || "?";
+}
+var allow = defineCommand17({
+  meta: { name: "allow", description: "Allow an agent to use an LLM account on llms.openape.ai" },
+  args: {
+    agent: { type: "positional", required: true, description: "Agent DDISA email (the grant delegate)" },
+    account: { type: "positional", required: true, description: "LLM account name, or * for all" }
+  },
+  async run({ args }) {
+    const agent = String(args.agent);
+    if (!agent.includes("@")) {
+      throw new CliError("Pass the full agent DDISA email (e.g. from `ape-troop agents list`), not a short name.");
+    }
+    const account = String(args.account);
+    const grant = await apiFetch("/api/standing-grants", {
+      method: "POST",
+      body: {
+        delegate: agent,
+        audience: AUDIENCE,
+        resource_chain_template: templateFor(account),
+        grant_type: "always",
+        reason: `LLM gateway access: ${account}`
+      }
+    });
+    consola16.success(`Granted ${agent} \u2192 llm-account[${account}] (standing grant ${grant.id})`);
+  }
+});
+var list = defineCommand17({
+  meta: { name: "list", description: "List LLM-account standing grants (optionally for one agent)" },
+  args: { agent: { type: "positional", required: false, description: "Filter by agent email" } },
+  async run({ args }) {
+    const all = await apiFetch("/api/standing-grants");
+    const filter = args.agent ? String(args.agent) : void 0;
+    const llm = all.filter((g) => g.request.audience === AUDIENCE && (!filter || g.request.delegate === filter));
+    if (!llm.length) {
+      consola16.info("No LLM-account standing grants.");
+      return;
+    }
+    for (const g of llm) consola16.log(`${g.id}  ${g.request.delegate} \u2192 ${accountOf(g)}  [${g.status}]`);
+  }
+});
+var revoke = defineCommand17({
+  meta: { name: "revoke", description: "Revoke an LLM-account standing grant by id" },
+  args: { id: { type: "positional", required: true, description: "Standing grant id" } },
+  async run({ args }) {
+    await apiFetch(`/api/standing-grants/${String(args.id)}`, { method: "DELETE" });
+    consola16.success(`Revoked standing grant ${args.id}`);
+  }
+});
+var llmCommand = defineCommand17({
+  meta: { name: "llm", description: "Grant agents access to LLM accounts on llms.openape.ai" },
+  subCommands: { allow, list, revoke }
+});
+
 // src/commands/admin/index.ts
-import { defineCommand as defineCommand19 } from "citty";
+import { defineCommand as defineCommand20 } from "citty";
 
 // src/commands/admin/users.ts
-import { defineCommand as defineCommand17 } from "citty";
-import consola16 from "consola";
+import { defineCommand as defineCommand18 } from "citty";
+import consola17 from "consola";
 function getManagementToken() {
   const token = process.env.APES_MANAGEMENT_TOKEN;
   if (!token) {
@@ -1473,7 +1539,7 @@ function getManagementToken() {
   }
   return token;
 }
-var usersListCommand = defineCommand17({
+var usersListCommand = defineCommand18({
   meta: {
     name: "list",
     description: "List all users"
@@ -1515,7 +1581,7 @@ var usersListCommand = defineCommand17({
       return;
     }
     if (result.data.length === 0) {
-      consola16.info("No users found.");
+      consola17.info("No users found.");
       return;
     }
     for (const u of result.data) {
@@ -1524,11 +1590,11 @@ var usersListCommand = defineCommand17({
       console.log(`${u.email}  ${u.name}${owner}${active}`);
     }
     if (result.pagination.has_more) {
-      consola16.info(`More results available. Use --cursor="${result.pagination.cursor}" to see next page.`);
+      consola17.info(`More results available. Use --cursor="${result.pagination.cursor}" to see next page.`);
     }
   }
 });
-var usersCreateCommand = defineCommand17({
+var usersCreateCommand = defineCommand18({
   meta: {
     name: "create",
     description: "Create a user"
@@ -1559,10 +1625,10 @@ var usersCreateCommand = defineCommand17({
         token
       }
     );
-    consola16.success(`User created: ${result.email} (${result.name})`);
+    consola17.success(`User created: ${result.email} (${result.name})`);
   }
 });
-var usersDeleteCommand = defineCommand17({
+var usersDeleteCommand = defineCommand18({
   meta: {
     name: "delete",
     description: "Delete a user"
@@ -1585,7 +1651,7 @@ var usersDeleteCommand = defineCommand17({
       method: "DELETE",
       token
     });
-    consola16.success(`User deleted: ${email}`);
+    consola17.success(`User deleted: ${email}`);
   }
 });
 
@@ -1593,8 +1659,8 @@ var usersDeleteCommand = defineCommand17({
 import { existsSync as existsSync2, readFileSync } from "fs";
 import { resolve } from "path";
 import { homedir as homedir3 } from "os";
-import { defineCommand as defineCommand18 } from "citty";
-import consola17 from "consola";
+import { defineCommand as defineCommand19 } from "citty";
+import consola18 from "consola";
 function getManagementToken2() {
   const token = process.env.APES_MANAGEMENT_TOKEN;
   if (!token) {
@@ -1602,7 +1668,7 @@ function getManagementToken2() {
   }
   return token;
 }
-var sshKeysListCommand = defineCommand18({
+var sshKeysListCommand = defineCommand19({
   meta: {
     name: "list",
     description: "List SSH keys for a user"
@@ -1635,7 +1701,7 @@ var sshKeysListCommand = defineCommand18({
       return;
     }
     if (keys.length === 0) {
-      consola17.info(`No SSH keys found for ${email}.`);
+      consola18.info(`No SSH keys found for ${email}.`);
       return;
     }
     for (const k of keys) {
@@ -1643,7 +1709,7 @@ var sshKeysListCommand = defineCommand18({
     }
   }
 });
-var sshKeysAddCommand = defineCommand18({
+var sshKeysAddCommand = defineCommand19({
   meta: {
     name: "add",
     description: "Add an SSH key for a user"
@@ -1687,10 +1753,10 @@ var sshKeysAddCommand = defineCommand18({
         token
       }
     );
-    consola17.success(`SSH key added: ${result.keyId} (${result.name})`);
+    consola18.success(`SSH key added: ${result.keyId} (${result.name})`);
   }
 });
-var sshKeysDeleteCommand = defineCommand18({
+var sshKeysDeleteCommand = defineCommand19({
   meta: {
     name: "delete",
     description: "Delete an SSH key"
@@ -1721,12 +1787,12 @@ var sshKeysDeleteCommand = defineCommand18({
         token
       }
     );
-    consola17.success(`SSH key deleted: ${keyId}`);
+    consola18.success(`SSH key deleted: ${keyId}`);
   }
 });
 
 // src/commands/admin/index.ts
-var usersCommand = defineCommand19({
+var usersCommand = defineCommand20({
   meta: {
     name: "users",
     description: "Manage users"
@@ -1737,7 +1803,7 @@ var usersCommand = defineCommand19({
     delete: usersDeleteCommand
   }
 });
-var sshKeysCommand = defineCommand19({
+var sshKeysCommand = defineCommand20({
   meta: {
     name: "ssh-keys",
     description: "Manage SSH keys"
@@ -1748,7 +1814,7 @@ var sshKeysCommand = defineCommand19({
     delete: sshKeysDeleteCommand
   }
 });
-var adminCommand = defineCommand19({
+var adminCommand = defineCommand20({
   meta: {
     name: "admin",
     description: "Admin commands (requires APES_MANAGEMENT_TOKEN)"
@@ -1760,12 +1826,12 @@ var adminCommand = defineCommand19({
 });
 
 // src/commands/agent/index.ts
-import { defineCommand as defineCommand21 } from "citty";
+import { defineCommand as defineCommand22 } from "citty";
 
 // src/commands/agent/deploy.ts
 import { ensureFreshIdpAuth } from "@openape/cli-auth";
-import { defineCommand as defineCommand20 } from "citty";
-import consola18 from "consola";
+import { defineCommand as defineCommand21 } from "citty";
+import consola19 from "consola";
 
 // src/lib/troop-client.ts
 var DEFAULT_TROOP_URL = "https://troop.openape.ai";
@@ -1873,7 +1939,7 @@ async function api(url, token, init) {
   return res.json();
 }
 var sleep = (ms) => new Promise((r) => setTimeout(r, ms));
-var deployAgentCommand = defineCommand20({
+var deployAgentCommand = defineCommand21({
   meta: { name: "deploy", description: "Deploy an Agent Recipe (<repo>@<ref>) in one step" },
   args: {
     repo: { type: "positional", description: "Recipe repo + pinned ref, e.g. github.com/owner/name@v1.0.0" },
@@ -1899,8 +1965,8 @@ var deployAgentCommand = defineCommand20({
       })
     });
     if (!json) {
-      consola18.success(`Deploying ${deploy.agent_name} from ${repoRef} (ref ${deploy.ref})`);
-      consola18.info(`Schedules: ${deploy.schedules.map((s) => `${s.task_id}=${s.cron}`).join(", ") || "none"}`);
+      consola19.success(`Deploying ${deploy.agent_name} from ${repoRef} (ref ${deploy.ref})`);
+      consola19.info(`Schedules: ${deploy.schedules.map((s) => `${s.task_id}=${s.cron}`).join(", ") || "none"}`);
     }
     const missing = missingCapabilities(deploy.required_capabilities, secrets);
     if (missing.length > 0) {
@@ -1908,13 +1974,13 @@ var deployAgentCommand = defineCommand20({
         throw new CliError(`missing required capability secrets: ${missing.join(", ")} (pass via --secret in --json mode)`);
       }
       for (const env of missing) {
-        const val = await consola18.prompt(`Secret value for ${env}:`, { type: "text" });
+        const val = await consola19.prompt(`Secret value for ${env}:`, { type: "text" });
         if (typeof val !== "string" || val.length === 0) throw new CliError(`no value provided for ${env} \u2014 aborting`);
         secrets[env] = val;
       }
     }
     if (Object.keys(secrets).length > 0) {
-      if (!json) consola18.start("Waiting for the agent to come online\u2026");
+      if (!json) consola19.start("Waiting for the agent to come online\u2026");
       let online = false;
       for (let i = 0; i < 90 && !online; i++) {
         const st = await api(
@@ -1943,11 +2009,11 @@ var deployAgentCommand = defineCommand20({
             await sleep(3e3);
           }
         }
-        if (!json) consola18.success(`Bound ${env}`);
+        if (!json) consola19.success(`Bound ${env}`);
       }
     }
     if (json) {
-      consola18.log(JSON.stringify({
+      consola19.log(JSON.stringify({
         ok: true,
         agent_name: deploy.agent_name,
         ref: deploy.ref,
@@ -1956,13 +2022,13 @@ var deployAgentCommand = defineCommand20({
         bound: Object.keys(secrets)
       }));
     } else {
-      consola18.success(`${deploy.agent_name} deployed. Schedules are live; secrets sealed to the agent.`);
+      consola19.success(`${deploy.agent_name} deployed. Schedules are live; secrets sealed to the agent.`);
     }
   }
 });
 
 // src/commands/agent/index.ts
-var agentCommand = defineCommand21({
+var agentCommand = defineCommand22({
   meta: {
     name: "agent",
     description: "Agent Recipe operations (deploy)"
@@ -1973,15 +2039,15 @@ var agentCommand = defineCommand21({
 });
 
 // src/commands/agents/index.ts
-import { defineCommand as defineCommand32 } from "citty";
+import { defineCommand as defineCommand33 } from "citty";
 
 // src/commands/agents/allow.ts
 import { execFileSync as execFileSync6 } from "child_process";
-import { defineCommand as defineCommand22 } from "citty";
-import consola19 from "consola";
+import { defineCommand as defineCommand23 } from "citty";
+import consola20 from "consola";
 
 // src/lib/agent-bootstrap.ts
-import { Buffer as Buffer3 } from "buffer";
+import { Buffer as Buffer2 } from "buffer";
 import { createPrivateKey, sign } from "crypto";
 import { exchangeWithDelegation } from "@openape/cli-auth";
 var AGENT_NAME_REGEX = /^[a-z][a-z0-9-]{0,23}$/;
@@ -2047,7 +2113,7 @@ function decodeJwtClaims(token) {
     const part = token.split(".")[1];
     if (!part) return null;
     const padded = part + "=".repeat((4 - part.length % 4) % 4);
-    const json = Buffer3.from(padded, "base64").toString("utf8");
+    const json = Buffer2.from(padded, "base64").toString("utf8");
     return JSON.parse(json);
   } catch {
     return null;
@@ -2069,7 +2135,7 @@ async function issueAgentToken(input) {
     throw new Error(`Challenge failed (${challengeResp.status}): ${text}`);
   }
   const { challenge } = await challengeResp.json();
-  const signature = sign(null, Buffer3.from(challenge), privateKey).toString("base64");
+  const signature = sign(null, Buffer2.from(challenge), privateKey).toString("base64");
   const authenticateUrl = await getAgentAuthenticateEndpoint(input.idp);
   const authResp = await fetch(authenticateUrl, {
     method: "POST",
@@ -2102,25 +2168,6 @@ mkdir -p "$HOME_DIR/.claude/hooks"
 cat > "$HOME_DIR/.claude/settings.json" ${shHeredoc(input.claudeSettingsJson)}
 cat > "$HOME_DIR/.claude/hooks/bash-via-ape-shell.sh" ${shHeredoc(input.hookScriptSource)}
 chmod 755 "$HOME_DIR/.claude/hooks/bash-via-ape-shell.sh"
-` : "";
-  const claudeTokenBlock = input.claudeOauthToken ? `
-mkdir -p "$HOME_DIR/.config/openape"
-cat > "$HOME_DIR/.config/openape/claude-token.env" ${shHeredoc(`# Auto-generated by 'apes agents spawn'. chmod 600 \u2014 contains a long-lived
-# Claude Code OAuth token. Rotate by editing this file in place; the
-# .zshenv / .profile source-lines below will pick it up automatically.
-export CLAUDE_CODE_OAUTH_TOKEN=${shQuote(input.claudeOauthToken)}
-`)}
-SOURCE_LINE='[ -f "$HOME/.config/openape/claude-token.env" ] && . "$HOME/.config/openape/claude-token.env"'
-for f in "$HOME_DIR/.zshenv" "$HOME_DIR/.profile"; do
-  touch "$f"
-  if ! grep -qF 'config/openape/claude-token.env' "$f" 2>/dev/null; then
-    {
-      echo ''
-      echo '# OpenApe: load Claude Code OAuth token (added by apes agents spawn)'
-      echo "$SOURCE_LINE"
-    } >> "$f"
-  fi
-done
 ` : "";
   return `#!/bin/bash
 set -euo pipefail
@@ -2163,7 +2210,7 @@ cat > "$HOME_DIR/.ssh/id_ed25519.pub" ${shHeredoc(input.publicKeySshLine)}
 cat > "$HOME_DIR/.config/apes/auth.json" ${shHeredoc(input.authJson)}
 cat > "$HOME_DIR/.config/openape/agent-x25519.key" ${shHeredoc(input.x25519PrivateKey)}
 cat > "$HOME_DIR/.config/openape/agent-x25519.key.pub" ${shHeredoc(input.x25519PublicKey)}
-${claudeBlock}${claudeTokenBlock}
+${claudeBlock}
 # Per-agent task dir that \`apes agents sync\` writes to (XDG-style on
 # Linux; was ~/Library/... on macOS).
 mkdir -p "$HOME_DIR/.openape/agent/tasks"
@@ -2177,9 +2224,6 @@ chmod 644 "$HOME_DIR/.ssh/id_ed25519.pub"
 chmod 600 "$HOME_DIR/.config/apes/auth.json"
 chmod 600 "$HOME_DIR/.config/openape/agent-x25519.key"
 chmod 644 "$HOME_DIR/.config/openape/agent-x25519.key.pub"
-if [ -f "$HOME_DIR/.config/openape/claude-token.env" ]; then
-  chmod 600 "$HOME_DIR/.config/openape/claude-token.env"
-fi
 
 echo "OK $NAME (linux user) uid=$NEW_UID home=$HOME_DIR"
 `;
@@ -2425,7 +2469,7 @@ function getHostPlatform() {
 }
 
 // src/commands/agents/allow.ts
-var allowAgentCommand = defineCommand22({
+var allowAgentCommand = defineCommand23({
   meta: {
     name: "allow",
     description: "Add a peer to the agent's contact-allowlist so the bridge auto-accepts that peer's contact request."
@@ -2482,9 +2526,9 @@ print("ok")
 PY
 chmod 600 "$F"
 `;
-    consola19.start(`Adding ${email} to ${agent}'s allowlist\u2026`);
+    consola20.start(`Adding ${email} to ${agent}'s allowlist\u2026`);
     execFileSync6(apes, ["run", "--as", agent, "--wait", "--", "bash", "-c", script], { stdio: "inherit" });
-    consola19.success(`${agent} will auto-accept future contact requests from ${email} (within ~30s of next bridge connect).`);
+    consola20.success(`${agent} will auto-accept future contact requests from ${email} (within ~30s of next bridge connect).`);
   }
 });
 function shQuote2(s) {
@@ -2492,9 +2536,9 @@ function shQuote2(s) {
 }
 
 // src/commands/agents/cleanup-orphans.ts
-import { defineCommand as defineCommand23 } from "citty";
-import consola20 from "consola";
-var cleanupOrphansCommand = defineCommand23({
+import { defineCommand as defineCommand24 } from "citty";
+import consola21 from "consola";
+var cleanupOrphansCommand = defineCommand24({
   meta: {
     name: "cleanup-orphans",
     description: "Report agent-user tombstones. Linux userdel is atomic, so there are normally none."
@@ -2512,105 +2556,25 @@ var cleanupOrphansCommand = defineCommand23({
   async run() {
     const orphans = getHostPlatform().listOrphanAgentUsers();
     if (orphans.length === 0) {
-      consola20.success("No agent tombstones \u2014 userdel is clean on Linux.");
+      consola21.success("No agent tombstones \u2014 userdel is clean on Linux.");
       return;
     }
-    consola20.warn(`Found ${orphans.length} unexpected agent tombstone${orphans.length === 1 ? "" : "s"}:`);
+    consola21.warn(`Found ${orphans.length} unexpected agent tombstone${orphans.length === 1 ? "" : "s"}:`);
     for (const o of orphans) {
       console.log(`  \u2022 ${o.name}${o.uid !== null ? ` (uid=${o.uid})` : ""} \u2014 was ${o.homeDir}`);
     }
-    consola20.info("Remove each one manually with `userdel -r <name>`.");
+    consola21.info("Remove each one manually with `userdel -r <name>`.");
   }
 });
 
 // src/commands/agents/code.ts
-import { existsSync as existsSync6, readFileSync as readFileSync5 } from "fs";
-import { homedir as homedir5 } from "os";
-import { join as join4 } from "path";
-import process3 from "process";
-import { defineCommand as defineCommand24 } from "citty";
-import { consola as consola21 } from "consola";
-import { taskTools, runApeShell, runCodingTask, buildIssueGet, detectForge, createLlmReviewer, createLlmRiskAssessor, resolveMergePolicy } from "@openape/agent-runtime";
-
-// src/lib/agent-secrets-runtime.ts
-import { existsSync as existsSync5, readdirSync, readFileSync as readFileSync4, watch } from "fs";
+import { existsSync as existsSync5, readFileSync as readFileSync4 } from "fs";
 import { homedir as homedir4 } from "os";
 import { join as join3 } from "path";
-import { openString } from "@openape/core";
-var CONFIG_DIR2 = join3(homedir4(), ".config", "openape");
-var SECRETS_DIR = join3(CONFIG_DIR2, "secrets.d");
-var X25519_KEY_PATH = join3(CONFIG_DIR2, "agent-x25519.key");
-var X25519_PUBKEY_PATH = `${X25519_KEY_PATH}.pub`;
-function envNameFromFile(file) {
-  if (!file.endsWith(".blob")) return null;
-  const env = file.slice(0, -".blob".length);
-  return /^[A-Z][A-Z0-9_]*$/.test(env) ? env : null;
-}
-function readAgentEncryptionKey(keyPath = X25519_KEY_PATH) {
-  if (!existsSync5(keyPath)) return null;
-  const k = readFileSync4(keyPath, "utf8").trim();
-  return k.length > 0 ? k : null;
-}
-function readAgentEncryptionPublicKey(pubPath = X25519_PUBKEY_PATH) {
-  if (!existsSync5(pubPath)) return null;
-  const k = readFileSync4(pubPath, "utf8").trim();
-  return k.length > 0 ? k : null;
-}
-function materializeSecrets(opts = {}) {
-  const dir = opts.dir ?? SECRETS_DIR;
-  const env = opts.env ?? process.env;
-  const log = opts.log ?? (() => {
-  });
-  const applied = [];
-  const failed = [];
-  const key = readAgentEncryptionKey(opts.keyPath);
-  const files = key && existsSync5(dir) ? readdirSync(dir) : [];
-  for (const file of files) {
-    const name = envNameFromFile(file);
-    if (!name) continue;
-    try {
-      const box = JSON.parse(readFileSync4(join3(dir, file), "utf8"));
-      env[name] = openString(box, key);
-      applied.push(name);
-    } catch (e) {
-      failed.push(file);
-      log(`secrets: failed to open ${file}: ${e.message}`);
-    }
-  }
-  const live = new Set(applied);
-  for (const prev of opts.previouslyApplied ?? []) {
-    if (!live.has(prev)) {
-      delete env[prev];
-      log(`secrets: revoked ${prev}`);
-    }
-  }
-  return { applied, failed };
-}
-function startSecretsWatcher(opts = {}) {
-  const dir = opts.dir ?? SECRETS_DIR;
-  const log = opts.log ?? (() => {
-  });
-  let appliedNames = /* @__PURE__ */ new Set();
-  const run = () => {
-    const r = materializeSecrets({ ...opts, previouslyApplied: appliedNames });
-    appliedNames = new Set(r.applied);
-  };
-  run();
-  if (!existsSync5(dir)) return () => {
-  };
-  let timer = null;
-  const watcher = watch(dir, () => {
-    if (timer) clearTimeout(timer);
-    timer = setTimeout(run, 150);
-  });
-  watcher.on("error", (err) => log(`secrets: watcher error: ${err.message}`));
-  return () => {
-    if (timer) clearTimeout(timer);
-    watcher.close();
-  };
-}
-
-// src/commands/agents/code.ts
+import process3 from "process";
+import { defineCommand as defineCommand25 } from "citty";
+import { consola as consola22 } from "consola";
+import { taskTools, runApeShell, runCodingTask, buildIssueGet, detectForge, createLlmReviewer, createLlmRiskAssessor, resolveMergePolicy } from "@openape/agent-runtime";
 var CliError2 = class extends Error {
 };
 var CODING_TOOLS = ["file.read", "file.write", "file.edit", "bash", "git.worktree", "verify", "forge.issue.get", "forge.pr.status"];
@@ -2623,9 +2587,9 @@ var DEFAULT_PERSONA = [
 ].join(" ");
 function readLitellmConfig(model) {
   const env = {};
-  const envPath = join4(homedir5(), "litellm", ".env");
-  if (existsSync6(envPath)) {
-    for (const raw of readFileSync5(envPath, "utf8").split("\n")) {
+  const envPath = join3(homedir4(), "litellm", ".env");
+  if (existsSync5(envPath)) {
+    for (const raw of readFileSync4(envPath, "utf8").split("\n")) {
       const line = raw.trim();
       const m = /^([A-Z_][A-Z0-9_]*)=(.*)$/.exec(line);
       if (m) env[m[1]] = m[2].trim().replace(/^["']|["']$/g, "");
@@ -2641,11 +2605,11 @@ function readLitellmConfig(model) {
   return { apiBase, apiKey, model: model || process3.env.APE_CHAT_BRIDGE_MODEL || "claude-haiku-4-5" };
 }
 function readPersona(file) {
-  if (file && existsSync6(file)) return readFileSync5(file, "utf8");
-  const agentJson = join4(homedir5(), ".openape", "agent", "agent.json");
-  if (existsSync6(agentJson)) {
+  if (file && existsSync5(file)) return readFileSync4(file, "utf8");
+  const agentJson = join3(homedir4(), ".openape", "agent", "agent.json");
+  if (existsSync5(agentJson)) {
     try {
-      const p = JSON.parse(readFileSync5(agentJson, "utf8"));
+      const p = JSON.parse(readFileSync4(agentJson, "utf8"));
       if (p.systemPrompt?.trim()) return p.systemPrompt;
     } catch {
     }
@@ -2660,7 +2624,7 @@ async function fetchIssue(forge, ref, repo) {
   const title = j.title ?? j.fields?.["System.Title"] ?? `issue ${ref}`;
   return { number, title, body: j.body };
 }
-var codeAgentCommand = defineCommand24({
+var codeAgentCommand = defineCommand25({
   meta: {
     name: "code",
     description: "Run a coding task: issue to worktree to edit to verify to PR (policy-gated merge). The agent never self-merges."
@@ -2679,7 +2643,7 @@ var codeAgentCommand = defineCommand24({
     const forge = args.forge || detectForge(repo);
     try {
       const { applied } = materializeSecrets();
-      if (applied.length > 0) consola21.info(`Capabilities available: ${applied.join(", ")}`);
+      if (applied.length > 0) consola22.info(`Capabilities available: ${applied.join(", ")}`);
     } catch {
     }
     const config = readLitellmConfig(args.model);
@@ -2695,22 +2659,22 @@ var codeAgentCommand = defineCommand24({
       resolvePolicy: (worktree) => resolveMergePolicy(worktree),
       reviewer: createLlmReviewer(config),
       riskAssessor: createLlmRiskAssessor(config),
-      log: (l) => consola21.info(l),
+      log: (l) => consola22.info(l),
       streamAggregate
     };
     const refs = [];
     if (args["poll-label"]) {
       const slug = repo.replace(/^https:\/\/github\.com\//, "").replace(/\.git$/, "");
-      const list = await runApeShell(`gh issue list --repo ${slug} --label '${args["poll-label"]}' --state open --json number --jq '.[].number'`);
-      if (list.exit_code !== 0) {
-        throw new CliError2(`gh issue list failed (exit ${list.exit_code}): ${(list.stderr || list.stdout).slice(0, 300)}`);
+      const list2 = await runApeShell(`gh issue list --repo ${slug} --label '${args["poll-label"]}' --state open --json number --jq '.[].number'`);
+      if (list2.exit_code !== 0) {
+        throw new CliError2(`gh issue list failed (exit ${list2.exit_code}): ${(list2.stderr || list2.stdout).slice(0, 300)}`);
       }
-      if (list.stdout.trim() === "" && /gh auth login|GH_TOKEN/i.test(list.stderr)) {
+      if (list2.stdout.trim() === "" && /gh auth login|GH_TOKEN/i.test(list2.stderr)) {
         throw new CliError2("gh is not authenticated (no GH_TOKEN). The agent's GH_TOKEN capability is not materialized \u2014 bind it via the deploy/secrets flow.");
       }
-      refs.push(...list.stdout.split("\n").map((s) => s.trim()).filter((s) => /^\d+$/.test(s)));
+      refs.push(...list2.stdout.split("\n").map((s) => s.trim()).filter((s) => /^\d+$/.test(s)));
       if (refs.length === 0) {
-        consola21.info("no open issues with that label");
+        consola22.info("no open issues with that label");
         return;
       }
     } else if (args.issue) {
@@ -2720,9 +2684,9 @@ var codeAgentCommand = defineCommand24({
     }
     for (const ref of refs) {
       const issue = await fetchIssue(forge, ref, repo);
-      consola21.start(`coding issue #${issue.number}: ${issue.title}`);
+      consola22.start(`coding issue #${issue.number}: ${issue.title}`);
       const result = await runCodingTask({ issue, repo, forge }, deps);
-      consola21.box(`#${issue.number} -> ${result.outcome}
+      consola22.box(`#${issue.number} -> ${result.outcome}
 PR: ${result.prRef ?? "(none)"}
 ${result.reason}`);
     }
@@ -2730,27 +2694,27 @@ ${result.reason}`);
 });
 
 // src/commands/agents/destroy.ts
-import { defineCommand as defineCommand25 } from "citty";
-import consola22 from "consola";
+import { defineCommand as defineCommand26 } from "citty";
+import consola23 from "consola";
 
 // src/lib/nest-registry.ts
-import { existsSync as existsSync7, mkdirSync, readFileSync as readFileSync6, writeFileSync as writeFileSync3 } from "fs";
-import { homedir as homedir6 } from "os";
-import { join as join5 } from "path";
+import { existsSync as existsSync6, mkdirSync, readFileSync as readFileSync5, writeFileSync as writeFileSync3 } from "fs";
+import { homedir as homedir5 } from "os";
+import { join as join4 } from "path";
 function resolveRegistryPath() {
   if (process.env.OPENAPE_NEST_REGISTRY_PATH) return process.env.OPENAPE_NEST_REGISTRY_PATH;
-  if (existsSync7("/var/openape/nest/agents.json")) return "/var/openape/nest/agents.json";
-  if (existsSync7("/var/openape/nest")) return "/var/openape/nest/agents.json";
-  return join5(homedir6(), ".openape", "nest", "agents.json");
+  if (existsSync6("/var/openape/nest/agents.json")) return "/var/openape/nest/agents.json";
+  if (existsSync6("/var/openape/nest")) return "/var/openape/nest/agents.json";
+  return join4(homedir5(), ".openape", "nest", "agents.json");
 }
 function emptyRegistry() {
   return { version: 1, agents: [] };
 }
 function readNestRegistry() {
   const path2 = resolveRegistryPath();
-  if (!existsSync7(path2)) return emptyRegistry();
+  if (!existsSync6(path2)) return emptyRegistry();
   try {
-    const parsed = JSON.parse(readFileSync6(path2, "utf8"));
+    const parsed = JSON.parse(readFileSync5(path2, "utf8"));
     if (parsed?.version !== 1 || !Array.isArray(parsed.agents)) return emptyRegistry();
     return parsed;
   } catch {
@@ -2784,7 +2748,7 @@ function removeNestAgent(name) {
 }
 
 // src/commands/agents/destroy.ts
-var destroyAgentCommand = defineCommand25({
+var destroyAgentCommand = defineCommand26({
   meta: {
     name: "destroy",
     description: "Tear down an agent: remove the OS user, hard-delete IdP agent, drop all SSH keys"
@@ -2829,7 +2793,7 @@ var destroyAgentCommand = defineCommand25({
     const osUser = getHostPlatform().lookupAgentUser(name);
     const osUserExists = !args["keep-os-user"] && osUser !== null;
     if (!idpExists && !osUserExists) {
-      consola22.info(`Nothing to destroy: no IdP agent and no OS user for "${name}".`);
+      consola23.info(`Nothing to destroy: no IdP agent and no OS user for "${name}".`);
       return;
     }
     if (!args.force) {
@@ -2841,14 +2805,14 @@ var destroyAgentCommand = defineCommand25({
       if (idpExists) {
         consequences.push(args.soft ? `\u2022 Deactivate IdP agent ${idpAgent.email} (PATCH isActive=false)` : `\u2022 Hard-delete IdP agent ${idpAgent.email} and all its SSH keys`);
       }
-      consola22.warn(`About to destroy "${name}":
+      consola23.warn(`About to destroy "${name}":
 ${consequences.join("\n")}`);
       if (!process.stdin.isTTY) {
         throw new CliError(
           "No TTY available for the interactive confirmation. Re-run with --force to skip the prompt (this is the same flag CI uses)."
         );
       }
-      const confirmed = await consola22.prompt("Proceed?", { type: "confirm", initial: false });
+      const confirmed = await consola23.prompt("Proceed?", { type: "confirm", initial: false });
       if (typeof confirmed === "symbol" || !confirmed) {
         throw new CliExit(0);
       }
@@ -2857,16 +2821,16 @@ ${consequences.join("\n")}`);
       const id = encodeURIComponent(idpAgent.email);
       if (args.soft) {
         await apiFetch(`/api/my-agents/${id}`, { method: "PATCH", body: { isActive: false }, idp });
-        consola22.success(`Deactivated IdP agent ${idpAgent.email}`);
+        consola23.success(`Deactivated IdP agent ${idpAgent.email}`);
       } else {
         await apiFetch(`/api/my-agents/${id}`, { method: "DELETE", idp });
-        consola22.success(`Deleted IdP agent ${idpAgent.email}`);
+        consola23.success(`Deleted IdP agent ${idpAgent.email}`);
       }
     } else {
-      consola22.info("No IdP agent to remove (skipped).");
+      consola23.info("No IdP agent to remove (skipped).");
     }
     if (osUserExists) {
-      consola22.start(`Removing OS user ${name}\u2026`);
+      consola23.start(`Removing OS user ${name}\u2026`);
       await getHostPlatform().runPrivilegedBash(
         `#!/bin/bash
 set -euo pipefail
@@ -2876,21 +2840,21 @@ if getent passwd ${JSON.stringify(name)} >/dev/null 2>&1; then
 fi
 `
       );
-      consola22.success(`Removed OS user ${name}.`);
+      consola23.success(`Removed OS user ${name}.`);
     }
     try {
       removeNestAgent(name);
     } catch (err) {
-      consola22.warn(`Could not update nest registry: ${err instanceof Error ? err.message : String(err)}`);
+      consola23.warn(`Could not update nest registry: ${err instanceof Error ? err.message : String(err)}`);
     }
-    consola22.success(`Destroyed ${name}.`);
+    consola23.success(`Destroyed ${name}.`);
   }
 });
 
 // src/commands/agents/list.ts
-import { defineCommand as defineCommand26 } from "citty";
-import consola23 from "consola";
-var listAgentsCommand = defineCommand26({
+import { defineCommand as defineCommand27 } from "citty";
+import consola24 from "consola";
+var listAgentsCommand = defineCommand27({
   meta: {
     name: "list",
     description: "List agents owned by the current user, with local OS-user status"
@@ -2942,7 +2906,7 @@ var listAgentsCommand = defineCommand26({
       return;
     }
     if (rows.length === 0) {
-      consola23.info(args["include-inactive"] ? "No agents found." : "No active agents found. Use --include-inactive to show deactivated.");
+      consola24.info(args["include-inactive"] ? "No agents found." : "No active agents found. Use --include-inactive to show deactivated.");
       return;
     }
     const nameW = Math.max(4, ...rows.map((r) => r.name.length));
@@ -2960,10 +2924,10 @@ var listAgentsCommand = defineCommand26({
 });
 
 // src/commands/agents/register.ts
-import { existsSync as existsSync8, readFileSync as readFileSync7 } from "fs";
-import { defineCommand as defineCommand27 } from "citty";
-import consola24 from "consola";
-var registerAgentCommand = defineCommand27({
+import { existsSync as existsSync7, readFileSync as readFileSync6 } from "fs";
+import { defineCommand as defineCommand28 } from "citty";
+import consola25 from "consola";
+var registerAgentCommand = defineCommand28({
   meta: {
     name: "register",
     description: "Register an agent at the IdP using a supplied public key"
@@ -3008,10 +2972,10 @@ var registerAgentCommand = defineCommand27({
       throw new CliError("Pass either --public-key or --public-key-file, not both.");
     }
     if (!publicKey && keyFile) {
-      if (!existsSync8(keyFile)) {
+      if (!existsSync7(keyFile)) {
         throw new CliError(`Public-key file not found: ${keyFile}`);
       }
-      publicKey = readFileSync7(keyFile, "utf-8").trim();
+      publicKey = readFileSync6(keyFile, "utf-8").trim();
     }
     if (!publicKey) {
       throw new CliError('Provide --public-key "<ssh-ed25519 line>" or --public-key-file <path>.');
@@ -3033,7 +2997,7 @@ var registerAgentCommand = defineCommand27({
 `);
       return;
     }
-    consola24.success("Agent registered.");
+    consola25.success("Agent registered.");
     console.log(`  Name:     ${result.name}`);
     console.log(`  Email:    ${result.email}`);
     console.log(`  IdP:      ${idp}`);
@@ -3046,19 +3010,19 @@ var registerAgentCommand = defineCommand27({
 });
 
 // src/commands/agents/run.ts
-import { existsSync as existsSync9, readFileSync as readFileSync8 } from "fs";
-import { homedir as homedir7 } from "os";
-import { join as join6 } from "path";
-import { defineCommand as defineCommand28 } from "citty";
-import consola25 from "consola";
+import { existsSync as existsSync8, readFileSync as readFileSync7 } from "fs";
+import { homedir as homedir6 } from "os";
+import { join as join5 } from "path";
+import { defineCommand as defineCommand29 } from "citty";
+import consola26 from "consola";
 import { taskTools as taskTools2, runLoop } from "@openape/agent-runtime";
-var AUTH_PATH = join6(homedir7(), ".config", "apes", "auth.json");
-var TASK_CACHE_DIR = join6(homedir7(), ".openape", "agent", "tasks");
+var AUTH_PATH = join5(homedir6(), ".config", "apes", "auth.json");
+var TASK_CACHE_DIR = join5(homedir6(), ".openape", "agent", "tasks");
 function readAuth() {
-  if (!existsSync9(AUTH_PATH)) {
+  if (!existsSync8(AUTH_PATH)) {
     throw new CliError(`No agent auth found at ${AUTH_PATH}. Run \`apes agents spawn <name>\` first.`);
   }
-  const parsed = JSON.parse(readFileSync8(AUTH_PATH, "utf8"));
+  const parsed = JSON.parse(readFileSync7(AUTH_PATH, "utf8"));
   if (!parsed.access_token) throw new CliError("auth.json missing access_token");
   return parsed;
 }
@@ -3073,7 +3037,7 @@ async function postRunResultToChat(opts) {
     const ownerLower = opts.ownerEmail.toLowerCase();
     const ownerRow = contacts.find((c) => c.peerEmail.toLowerCase() === ownerLower && c.connected && c.roomId);
     if (!ownerRow?.roomId) {
-      consola25.info("chat DM skipped \u2014 no active room with owner (accept the contact request in chat to enable)");
+      consola26.info("chat DM skipped \u2014 no active room with owner (accept the contact request in chat to enable)");
       return;
     }
     const prefix = opts.status === "ok" ? "\u2705" : "\u274C";
@@ -3087,33 +3051,33 @@ ${msg}`.slice(0, 9e3);
       body: JSON.stringify({ body })
     });
     if (!postRes.ok) {
-      consola25.warn(`chat DM post failed: ${postRes.status}`);
+      consola26.warn(`chat DM post failed: ${postRes.status}`);
     }
   } catch (err) {
-    consola25.warn(`chat DM error: ${err.message}`);
+    consola26.warn(`chat DM error: ${err.message}`);
   }
 }
 function readTaskSpec(taskId) {
-  const path2 = join6(TASK_CACHE_DIR, `${taskId}.json`);
-  if (!existsSync9(path2)) {
+  const path2 = join5(TASK_CACHE_DIR, `${taskId}.json`);
+  if (!existsSync8(path2)) {
     throw new CliError(`No cached task spec at ${path2}. Run \`apes agents sync\` first to pull the task list from troop.`);
   }
-  return JSON.parse(readFileSync8(path2, "utf8"));
+  return JSON.parse(readFileSync7(path2, "utf8"));
 }
-var AGENT_CONFIG_PATH = join6(homedir7(), ".openape", "agent", "agent.json");
+var AGENT_CONFIG_PATH = join5(homedir6(), ".openape", "agent", "agent.json");
 function readAgentConfig() {
-  if (!existsSync9(AGENT_CONFIG_PATH)) return { systemPrompt: "" };
+  if (!existsSync8(AGENT_CONFIG_PATH)) return { systemPrompt: "" };
   try {
-    return JSON.parse(readFileSync8(AGENT_CONFIG_PATH, "utf8"));
+    return JSON.parse(readFileSync7(AGENT_CONFIG_PATH, "utf8"));
   } catch {
     return { systemPrompt: "" };
   }
 }
 function readLitellmConfig2(model) {
-  const envPath = join6(homedir7(), "litellm", ".env");
+  const envPath = join5(homedir6(), "litellm", ".env");
   const env = {};
-  if (existsSync9(envPath)) {
-    for (const line of readFileSync8(envPath, "utf8").split(/\r?\n/)) {
+  if (existsSync8(envPath)) {
+    for (const line of readFileSync7(envPath, "utf8").split(/\r?\n/)) {
       const m = line.match(/^([A-Z_]+)=(.*)$/);
       if (m) env[m[1]] = m[2].replace(/^["']|["']$/g, "");
     }
@@ -3128,7 +3092,7 @@ function readLitellmConfig2(model) {
   }
   return { apiBase, apiKey, model: model || "claude-haiku-4-5" };
 }
-var runAgentCommand = defineCommand28({
+var runAgentCommand = defineCommand29({
   meta: {
     name: "run",
     description: "Execute one task (typically launchd-invoked). Reports the run record to troop."
@@ -3151,7 +3115,7 @@ var runAgentCommand = defineCommand28({
   async run({ args }) {
     const taskId = args["task-id"];
     const auth = readAuth();
-    materializeSecrets({ log: (l) => consola25.info(l) });
+    materializeSecrets({ log: (l) => consola26.info(l) });
     const spec = readTaskSpec(taskId);
     const agentCfg = readAgentConfig();
     const config = readLitellmConfig2(args.model);
@@ -3163,7 +3127,7 @@ var runAgentCommand = defineCommand28({
     }
     const troop = new TroopClient(resolveTroopUrl(args["troop-url"]), auth.access_token);
     const { id: runId } = await troop.startRun(taskId);
-    consola25.info(`Run ${runId} started for task ${taskId}`);
+    consola26.info(`Run ${runId} started for task ${taskId}`);
     try {
       const result = await runLoop({
         config,
@@ -3182,7 +3146,7 @@ var runAgentCommand = defineCommand28({
         step_count: result.stepCount,
         trace: result.trace
       });
-      consola25.success(`Run ${runId} ${result.status} (${result.stepCount} steps)`);
+      consola26.success(`Run ${runId} ${result.status} (${result.stepCount} steps)`);
       if (auth.owner_email) {
         await postRunResultToChat({
           authToken: auth.access_token,
@@ -3219,18 +3183,18 @@ var runAgentCommand = defineCommand28({
 });
 
 // src/commands/agents/serve.ts
-import { existsSync as existsSync10, readFileSync as readFileSync9 } from "fs";
-import { homedir as homedir8 } from "os";
-import { join as join7 } from "path";
+import { existsSync as existsSync9, readFileSync as readFileSync8 } from "fs";
+import { homedir as homedir7 } from "os";
+import { join as join6 } from "path";
 import { createInterface } from "readline";
-import { defineCommand as defineCommand29 } from "citty";
+import { defineCommand as defineCommand30 } from "citty";
 import { taskTools as taskTools3, runLoop as runLoop2, RpcSessionMap } from "@openape/agent-runtime";
-var AUTH_PATH2 = join7(homedir8(), ".config", "apes", "auth.json");
+var AUTH_PATH2 = join6(homedir7(), ".config", "apes", "auth.json");
 function readLitellmConfig3(model) {
-  const envPath = join7(homedir8(), "litellm", ".env");
+  const envPath = join6(homedir7(), "litellm", ".env");
   const env = {};
-  if (existsSync10(envPath)) {
-    for (const line of readFileSync9(envPath, "utf8").split(/\r?\n/)) {
+  if (existsSync9(envPath)) {
+    for (const line of readFileSync8(envPath, "utf8").split(/\r?\n/)) {
       const m = line.match(/^([A-Z_]+)=(.*)$/);
       if (m) env[m[1]] = m[2].replace(/^["']|["']$/g, "");
     }
@@ -3247,7 +3211,7 @@ function emit(event) {
   process.stdout.write(`${JSON.stringify(event)}
 `);
 }
-var serveAgentCommand = defineCommand29({
+var serveAgentCommand = defineCommand30({
   meta: {
     name: "serve",
     description: "Long-running stdio RPC server for chat-bridge subprocess use."
@@ -3262,9 +3226,9 @@ var serveAgentCommand = defineCommand29({
     if (!args.rpc) {
       throw new CliError("apes agents serve currently only supports --rpc mode");
     }
-    if (existsSync10(AUTH_PATH2)) {
+    if (existsSync9(AUTH_PATH2)) {
       try {
-        JSON.parse(readFileSync9(AUTH_PATH2, "utf8"));
+        JSON.parse(readFileSync8(AUTH_PATH2, "utf8"));
       } catch {
       }
     }
@@ -3344,50 +3308,50 @@ async function handleInbound(msg, sessions) {
 }
 
 // src/commands/agents/spawn.ts
-import { defineCommand as defineCommand30 } from "citty";
-import consola26 from "consola";
+import { defineCommand as defineCommand31 } from "citty";
+import consola27 from "consola";
 
 // src/lib/keygen.ts
-import { Buffer as Buffer4 } from "buffer";
-import { existsSync as existsSync11, mkdirSync as mkdirSync2, readFileSync as readFileSync10, writeFileSync as writeFileSync4 } from "fs";
+import { Buffer as Buffer3 } from "buffer";
+import { existsSync as existsSync10, mkdirSync as mkdirSync2, readFileSync as readFileSync9, writeFileSync as writeFileSync4 } from "fs";
 import { generateKeyPairSync } from "crypto";
-import { homedir as homedir9 } from "os";
+import { homedir as homedir8 } from "os";
 import { dirname, resolve as resolve2 } from "path";
 import { generateX25519KeyPair } from "@openape/core";
 function resolveKeyPath(p) {
-  return resolve2(p.replace(/^~/, homedir9()));
+  return resolve2(p.replace(/^~/, homedir8()));
 }
 function buildSshEd25519Line(rawPub) {
   const keyTypeStr = "ssh-ed25519";
-  const keyTypeLen = Buffer4.alloc(4);
+  const keyTypeLen = Buffer3.alloc(4);
   keyTypeLen.writeUInt32BE(keyTypeStr.length);
-  const pubKeyLen = Buffer4.alloc(4);
+  const pubKeyLen = Buffer3.alloc(4);
   pubKeyLen.writeUInt32BE(rawPub.length);
-  const blob = Buffer4.concat([keyTypeLen, Buffer4.from(keyTypeStr), pubKeyLen, rawPub]);
+  const blob = Buffer3.concat([keyTypeLen, Buffer3.from(keyTypeStr), pubKeyLen, rawPub]);
   return `ssh-ed25519 ${blob.toString("base64")}`;
 }
 function readPublicKey(keyPath) {
   const pubPath = `${keyPath}.pub`;
-  if (existsSync11(pubPath)) {
-    return readFileSync10(pubPath, "utf-8").trim();
+  if (existsSync10(pubPath)) {
+    return readFileSync9(pubPath, "utf-8").trim();
   }
-  const keyContent = readFileSync10(keyPath, "utf-8");
+  const keyContent = readFileSync9(keyPath, "utf-8");
   const privateKey = loadEd25519PrivateKey(keyContent);
   const jwk = privateKey.export({ format: "jwk" });
-  const pubBytes = Buffer4.from(jwk.x, "base64url");
+  const pubBytes = Buffer3.from(jwk.x, "base64url");
   return buildSshEd25519Line(pubBytes);
 }
 function generateAndSaveKey(keyPath) {
   const resolved = resolveKeyPath(keyPath);
   const dir = dirname(resolved);
-  if (!existsSync11(dir)) {
+  if (!existsSync10(dir)) {
     mkdirSync2(dir, { recursive: true });
   }
   const { publicKey, privateKey } = generateKeyPairSync("ed25519");
   const privatePem = privateKey.export({ type: "pkcs8", format: "pem" });
   writeFileSync4(resolved, privatePem, { mode: 384 });
   const jwk = publicKey.export({ format: "jwk" });
-  const pubBytes = Buffer4.from(jwk.x, "base64url");
+  const pubBytes = Buffer3.from(jwk.x, "base64url");
   const pubKeyStr = buildSshEd25519Line(pubBytes);
   writeFileSync4(`${resolved}.pub`, `${pubKeyStr}
 `, { mode: 420 });
@@ -3397,7 +3361,7 @@ function generateKeyPairInMemory() {
   const { publicKey, privateKey } = generateKeyPairSync("ed25519");
   const privatePem = privateKey.export({ type: "pkcs8", format: "pem" });
   const jwk = publicKey.export({ format: "jwk" });
-  const pubBytes = Buffer4.from(jwk.x, "base64url");
+  const pubBytes = Buffer3.from(jwk.x, "base64url");
   const enc = generateX25519KeyPair();
   return {
     privatePem,
@@ -3416,7 +3380,7 @@ function readUidOrNull(name) {
     return null;
   }
 }
-var spawnAgentCommand = defineCommand30({
+var spawnAgentCommand = defineCommand31({
   meta: {
     name: "spawn",
     description: "Provision a local Linux agent end-to-end (OS user, keypair, IdP agent, Claude hook)"
@@ -3435,14 +3399,6 @@ var spawnAgentCommand = defineCommand30({
       type: "boolean",
       description: "Skip writing ~/.claude/settings.json + the Bash-rewrite hook"
     },
-    "claude-token": {
-      type: "string",
-      description: "Claude Code OAuth token (sk-ant-oat01-\u2026) from `claude setup-token`. Visible to ps \u2014 prefer --claude-token-stdin in scripts."
-    },
-    "claude-token-stdin": {
-      type: "boolean",
-      description: "Read the Claude Code OAuth token from stdin (paranoid form of --claude-token)."
-    },
     "no-bridge": {
       type: "boolean",
       description: "Skip the ape-agent runtime install. Default behaviour installs the runtime so the agent answers chat.openape.ai messages (reads LITELLM_API_KEY/BASE_URL from ~/litellm/.env; override via --bridge-key / --bridge-base-url). Use --no-bridge for headless / CI / IdP-only account provisioning where the agent will not run a chat loop."
@@ -3458,6 +3414,22 @@ var spawnAgentCommand = defineCommand30({
     "bridge-model": {
       type: "string",
       description: "Model the bridge sends in chat-completion requests (default: claude-haiku-4-5). Override when fronting a proxy that doesn't route the default \u2014 e.g. ChatGPT-only proxy needs `gpt-5.4`."
+    },
+    "bridge-reasoning-effort": {
+      type: "string",
+      description: "Reasoning/thinking depth for gpt-5.x (minimal|low|medium|high). Tier compute by task difficulty on the same model \u2014 quick-win=low, research=high."
+    },
+    "kind": {
+      type: "string",
+      description: `Agent kind: "user" (default, connects to troop-chat) or "service" (polls an SP backend's task queue and runs each task through the LLM). With "service", --serves is required.`
+    },
+    "serves": {
+      type: "string",
+      description: "For --kind service: base URL of the SP backend this agent serves (e.g. https://zaz.delta-mind.at or http://127.0.0.1:3013). The agent pulls GetNextTask / posts ResolveTask there."
+    },
+    "poll-interval": {
+      type: "string",
+      description: "For --kind service: idle poll interval in ms (default 2000)."
     }
   },
   async run({ args }) {
@@ -3467,6 +3439,13 @@ var spawnAgentCommand = defineCommand30({
         `Invalid agent name "${name}". Must match /^[a-z][a-z0-9-]{0,23}$/ \u2014 lowercase letters, digits and hyphens, 1\u201324 chars, must start with a letter.`
       );
     }
+    if (args.kind != null && args.kind !== "user" && args.kind !== "service")
+      throw new CliError(`Invalid --kind "${String(args.kind)}". Must be "user" or "service".`);
+    const isService = args.kind === "service";
+    const servesUrl = typeof args.serves === "string" ? args.serves.replace(/\/$/, "") : void 0;
+    if (isService && !servesUrl)
+      throw new CliError("--kind service requires --serves <SP base URL> (e.g. https://zaz.delta-mind.at).");
+    const pollMs = typeof args["poll-interval"] === "string" ? Number.parseInt(args["poll-interval"], 10) : void 0;
     const auth = loadAuth();
     if (!auth) {
       throw new CliError("Not authenticated. Run `apes login` first.");
@@ -3483,12 +3462,12 @@ var spawnAgentCommand = defineCommand30({
       throw new CliError(`OS user "${existing.name}" already exists (uid=${existing.uid ?? "?"}). Refusing to overwrite.`);
     }
     const homeDir = `/var/lib/openape/homes/${osUsername}`;
-    consola26.start(`Generating keypair for ${name}\u2026`);
+    consola27.start(`Generating keypair for ${name}\u2026`);
     const { privatePem, publicSshLine, x25519PrivateKey, x25519PublicKey } = generateKeyPairInMemory();
-    consola26.start(`Registering agent at ${idp}\u2026`);
+    consola27.start(`Registering agent at ${idp}\u2026`);
     const registration = await registerAgentAtIdp({ name, publicKey: publicSshLine, idp });
-    consola26.success(`Registered as ${registration.email}`);
-    consola26.start("Issuing agent access token\u2026");
+    consola27.success(`Registered as ${registration.email}`);
+    consola27.start("Issuing agent access token\u2026");
     const { token, expiresIn } = await issueAgentToken({
       idp,
       agentEmail: registration.email,
@@ -3511,10 +3490,6 @@ var spawnAgentCommand = defineCommand30({
       ownerEmail: registration.owner
     });
     const includeClaudeHook = !args["no-claude-hook"];
-    const claudeOauthToken = await resolveClaudeToken({
-      flag: typeof args["claude-token"] === "string" ? args["claude-token"] : void 0,
-      fromStdin: !!args["claude-token-stdin"]
-    });
     const withBridge = !args["no-bridge"];
     const script = buildSpawnSetupScript({
       name,
@@ -3526,12 +3501,11 @@ var spawnAgentCommand = defineCommand30({
       x25519PublicKey,
       authJson,
       claudeSettingsJson: includeClaudeHook ? CLAUDE_SETTINGS_JSON : null,
-      hookScriptSource: includeClaudeHook ? BASH_VIA_APE_SHELL_HOOK_SOURCE : null,
-      claudeOauthToken
+      hookScriptSource: includeClaudeHook ? BASH_VIA_APE_SHELL_HOOK_SOURCE : null
     });
-    consola26.start("Running privileged setup\u2026");
+    consola27.start("Running privileged setup\u2026");
     if (process.getuid?.() !== 0) {
-      consola26.info("You will be asked to approve the as=root grant in your DDISA inbox; this command blocks until you do.");
+      consola27.info("You will be asked to approve the as=root grant in your DDISA inbox; this command blocks until you do.");
     }
     await platform.runPrivilegedBash(script);
     try {
@@ -3542,57 +3516,112 @@ var spawnAgentCommand = defineCommand30({
         home: homeDir,
         email: registration.email,
         registeredAt: Math.floor(Date.now() / 1e3),
-        bridge: withBridge ? {
+        kind: isService ? "service" : void 0,
+        service: isService && servesUrl ? { spBaseUrl: servesUrl, pollIntervalMs: pollMs != null && Number.isFinite(pollMs) && pollMs > 0 ? pollMs : void 0 } : void 0,
+        // Service agents also carry bridge config — it's the LLM endpoint the
+        // worker forwards to (baseUrl/key/model from --bridge-*).
+        bridge: withBridge || isService ? {
           baseUrl: typeof args["bridge-base-url"] === "string" ? args["bridge-base-url"] : void 0,
           apiKey: typeof args["bridge-key"] === "string" ? args["bridge-key"] : void 0,
-          model: typeof args["bridge-model"] === "string" ? args["bridge-model"] : void 0
+          model: typeof args["bridge-model"] === "string" ? args["bridge-model"] : void 0,
+          reasoningEffort: typeof args["bridge-reasoning-effort"] === "string" ? args["bridge-reasoning-effort"] : void 0
         } : void 0
       });
     } catch (err) {
-      consola26.warn(`Could not write to nest registry: ${err instanceof Error ? err.message : String(err)}`);
+      consola27.warn(`Could not write to nest registry: ${err instanceof Error ? err.message : String(err)}`);
     }
-    consola26.success(`Agent ${name} spawned.`);
-    consola26.info(`\u{1F517} Troop: https://troop.openape.ai/agents/${name}`);
+    consola27.success(`Agent ${name} spawned.`);
+    consola27.info(`\u{1F517} Troop: https://troop.openape.ai/agents/${name}`);
     if (withBridge) {
-      consola26.info(`On first boot, the bridge will send you a contact request from ${registration.email}.`);
-      consola26.info("Open chat.openape.ai and accept it to start chatting with the agent.");
+      consola27.info(`On first boot, the bridge will send you a contact request from ${registration.email}.`);
+      consola27.info("Open chat.openape.ai and accept it to start chatting with the agent.");
     }
     console.log("");
     console.log("Run as the agent with:");
     console.log(`  apes run --as ${name} -- claude --session-name ${name} --dangerously-skip-permissions`);
   }
 });
-async function resolveClaudeToken(opts) {
-  if (opts.flag && opts.fromStdin) {
-    throw new CliError("Pass --claude-token OR --claude-token-stdin, not both.");
-  }
-  let raw = null;
-  if (typeof opts.flag === "string") {
-    raw = opts.flag.trim();
-  } else if (opts.fromStdin) {
-    const chunks = [];
-    for await (const chunk of process.stdin) {
-      chunks.push(typeof chunk === "string" ? Buffer.from(chunk) : chunk);
-    }
-    raw = Buffer.concat(chunks).toString("utf-8").trim();
-  }
-  if (!raw) return null;
-  if (!raw.startsWith("sk-ant-oat01-")) {
-    throw new CliError(
-      `Claude token doesn't look right (expected sk-ant-oat01-\u2026). Run \`claude setup-token\` and paste the resulting token.`
-    );
+
+// src/commands/agents/sync.ts
+import { chownSync, existsSync as existsSync12, mkdirSync as mkdirSync3, readdirSync, readFileSync as readFileSync11, rmSync as rmSync3, statSync, writeFileSync as writeFileSync6 } from "fs";
+import { homedir as homedir9 } from "os";
+import { join as join8 } from "path";
+import { refreshAgentToken } from "@openape/cli-auth";
+import { defineCommand as defineCommand32 } from "citty";
+import consola29 from "consola";
+
+// src/lib/recipe-checkout.ts
+import { execFileSync as execFileSync7 } from "child_process";
+import { cpSync, existsSync as existsSync11, readFileSync as readFileSync10, rmSync as rmSync2, writeFileSync as writeFileSync5 } from "fs";
+import { join as join7, resolve as resolve3, sep } from "path";
+import consola28 from "consola";
+var MARKER_FILE = ".recipe-ref";
+var GITHUB_PREFIX = "github.com/";
+function ensureRecipeCheckout(recipeRef, recipeDir, exec2 = execFileSync7) {
+  const at = recipeRef.lastIndexOf("@");
+  if (at <= 0) {
+    consola28.warn(`recipe: malformed recipeRef "${recipeRef}" (expected <owner>/<name>[/<subdir>]@<ref>) \u2014 skipping checkout`);
+    return;
+  }
+  const spec = recipeRef.slice(0, at);
+  const ref = recipeRef.slice(at + 1);
+  const slug = spec.startsWith(GITHUB_PREFIX) ? spec.slice(GITHUB_PREFIX.length) : spec;
+  if (!slug || !ref) {
+    consola28.warn(`recipe: malformed recipeRef "${recipeRef}" (empty slug or ref) \u2014 skipping checkout`);
+    return;
+  }
+  const segments = slug.split("/").filter(Boolean);
+  if (segments.length < 2) {
+    consola28.warn(`recipe: malformed recipeRef "${recipeRef}" (expected <owner>/<name>[/<subdir>]@<ref>) \u2014 skipping checkout`);
+    return;
+  }
+  if (segments.some((s) => s === "." || s === ".." || s.includes("\\"))) {
+    consola28.warn(`recipe: unsafe path segment in recipeRef "${recipeRef}" \u2014 skipping checkout`);
+    return;
+  }
+  const repoSlug = segments.slice(0, 2).join("/");
+  const subdir = segments.slice(2).join("/");
+  const markerPath = join7(recipeDir, MARKER_FILE);
+  if (existsSync11(markerPath)) {
+    try {
+      if (readFileSync10(markerPath, "utf8") === recipeRef) return;
+    } catch {
+    }
+  }
+  const cloneUrl = `https://github.com/${repoSlug}`;
+  const staging = subdir ? `${recipeDir}.checkout` : recipeDir;
+  try {
+    rmSync2(recipeDir, { recursive: true, force: true });
+    if (subdir)
+      rmSync2(staging, { recursive: true, force: true });
+    exec2("git", ["clone", "--depth", "1", "--branch", ref, cloneUrl, staging]);
+    if (subdir) {
+      const src = join7(staging, subdir);
+      if (!resolve3(src).startsWith(resolve3(staging) + sep)) {
+        consola28.warn(`recipe: subdirectory "${subdir}" escapes the checkout dir \u2014 skipping`);
+        rmSync2(staging, { recursive: true, force: true });
+        return;
+      }
+      if (!existsSync11(src)) {
+        consola28.warn(`recipe: subdirectory "${subdir}" not found in ${repoSlug}@${ref} \u2014 skipping checkout`);
+        rmSync2(staging, { recursive: true, force: true });
+        return;
+      }
+      cpSync(src, recipeDir, { recursive: true });
+      rmSync2(staging, { recursive: true, force: true });
+    }
+    writeFileSync5(markerPath, recipeRef);
+    consola28.info(`recipe: checked out ${slug}@${ref} \u2192 ${recipeDir}`);
+  } catch (err) {
+    consola28.warn(`recipe: checkout of ${slug}@${ref} failed \u2014 ${err instanceof Error ? err.message : String(err)}`);
+    if (subdir)
+      rmSync2(staging, { recursive: true, force: true });
   }
-  return raw;
 }
 
 // src/commands/agents/sync.ts
-import { chownSync, existsSync as existsSync12, mkdirSync as mkdirSync3, readdirSync as readdirSync2, readFileSync as readFileSync11, rmSync as rmSync2, statSync, writeFileSync as writeFileSync5 } from "fs";
-import { homedir as homedir10 } from "os";
-import { join as join8 } from "path";
-import { defineCommand as defineCommand31 } from "citty";
-import consola27 from "consola";
-var AUTH_PATH3 = join8(homedir10(), ".config", "apes", "auth.json");
-var TASK_CACHE_DIR2 = join8(homedir10(), ".openape", "agent", "tasks");
+var AUTH_PATH3 = join8(homedir9(), ".config", "apes", "auth.json");
+var TASK_CACHE_DIR2 = join8(homedir9(), ".openape", "agent", "tasks");
 function readAuthJson() {
   if (!existsSync12(AUTH_PATH3)) {
     throw new CliError(
@@ -3623,7 +3652,7 @@ function agentNameFromEmail(email) {
   }
   return before.slice(0, dashIdx);
 }
-var syncAgentCommand = defineCommand31({
+var syncAgentCommand = defineCommand32({
   meta: {
     name: "sync",
     description: "Pull this agent's task list from troop.openape.ai and reconcile launchd plists"
@@ -3637,6 +3666,21 @@ var syncAgentCommand = defineCommand31({
   async run({ args }) {
     const auth = readAuthJson();
     const agentName = agentNameFromEmail(auth.email);
+    const refreshed = await refreshAgentToken({ ...auth, expires_at: auth.expires_at ?? 0 }).catch(() => null);
+    if (refreshed?.access_token && refreshed.access_token !== auth.access_token) {
+      auth.access_token = refreshed.access_token;
+      if (typeof refreshed.expires_at === "number") auth.expires_at = refreshed.expires_at;
+      try {
+        const { uid, gid } = statSync(AUTH_PATH3);
+        writeFileSync6(AUTH_PATH3, `${JSON.stringify(auth, null, 2)}
+`);
+        try {
+          chownSync(AUTH_PATH3, uid, gid);
+        } catch {
+        }
+      } catch {
+      }
+    }
     const troopUrl = resolveTroopUrl(args["troop-url"]);
     const client = new TroopClient(troopUrl, auth.access_token);
     const platform = getHostPlatform();
@@ -3648,7 +3692,7 @@ var syncAgentCommand = defineCommand31({
     if (!auth.owner_email) {
       throw new CliError(`${AUTH_PATH3} is missing owner_email \u2014 re-run \`apes agents spawn\` to update.`);
     }
-    consola27.start(`Syncing ${agentName} (${host}, hostId ${hostId.slice(0, 8)}\u2026) with ${troopUrl}`);
+    consola29.start(`Syncing ${agentName} (${host}, hostId ${hostId.slice(0, 8)}\u2026) with ${troopUrl}`);
     const pubkeyX25519 = readAgentEncryptionPublicKey() ?? void 0;
     const sync = await client.sync({
       hostname: host,
@@ -3656,17 +3700,17 @@ var syncAgentCommand = defineCommand31({
       ownerEmail: auth.owner_email,
       ...pubkeyX25519 ? { pubkeyX25519 } : {}
     });
-    consola27.info(sync.first_sync ? "\u2713 first sync \u2014 agent registered" : "\u2713 presence updated");
-    if (!pubkeyX25519) consola27.warn("No X25519 public key found on disk \u2014 sealed capability secrets cannot be bound until the agent is re-spawned.");
-    const { system_prompt: systemPrompt, tools, skills, tasks } = await client.listTasks();
-    consola27.info(`Pulled ${tasks.length} task${tasks.length === 1 ? "" : "s"}`);
-    consola27.info(`Tools enabled: ${tools.length === 0 ? "(none)" : tools.join(", ")}`);
-    consola27.info(`Skills: ${skills.length === 0 ? "(none)" : skills.map((s) => s.name).join(", ")}`);
+    consola29.info(sync.first_sync ? "\u2713 first sync \u2014 agent registered" : "\u2713 presence updated");
+    if (!pubkeyX25519) consola29.warn("No X25519 public key found on disk \u2014 sealed capability secrets cannot be bound until the agent is re-spawned.");
+    const { system_prompt: systemPrompt, tools, skills, tasks, recipe_ref: recipeRef } = await client.listTasks();
+    consola29.info(`Pulled ${tasks.length} task${tasks.length === 1 ? "" : "s"}`);
+    consola29.info(`Tools enabled: ${tools.length === 0 ? "(none)" : tools.join(", ")}`);
+    consola29.info(`Skills: ${skills.length === 0 ? "(none)" : skills.map((s) => s.name).join(", ")}`);
     let agentUid = null;
     let agentGid = null;
     if (process.geteuid?.() === 0) {
       try {
-        const homeStat = statSync(homedir10());
+        const homeStat = statSync(homedir9());
         agentUid = homeStat.uid;
         agentGid = homeStat.gid;
       } catch {
@@ -3680,23 +3724,24 @@ var syncAgentCommand = defineCommand31({
         }
       }
     }
-    const agentDir = join8(homedir10(), ".openape", "agent");
+    const agentDir = join8(homedir9(), ".openape", "agent");
     mkdirSync3(agentDir, { recursive: true });
-    chownToAgent(join8(homedir10(), ".openape"));
+    chownToAgent(join8(homedir9(), ".openape"));
     chownToAgent(agentDir);
     const agentJsonPath = join8(agentDir, "agent.json");
-    writeFileSync5(
+    writeFileSync6(
       agentJsonPath,
-      `${JSON.stringify({ systemPrompt, tools }, null, 2)}
+      `${JSON.stringify({ systemPrompt, tools, ...recipeRef ? { recipeRef } : {} }, null, 2)}
 `,
       { mode: 384 }
     );
     chownToAgent(agentJsonPath);
+    if (recipeRef) ensureRecipeCheckout(recipeRef, join8(homedir9(), "recipe"));
     mkdirSync3(TASK_CACHE_DIR2, { recursive: true });
     chownToAgent(TASK_CACHE_DIR2);
     for (const task of tasks) {
       const path2 = join8(TASK_CACHE_DIR2, `${task.taskId}.json`);
-      writeFileSync5(path2, `${JSON.stringify(task, null, 2)}
+      writeFileSync6(path2, `${JSON.stringify(task, null, 2)}
 `, { mode: 384 });
       chownToAgent(path2);
     }
@@ -3705,10 +3750,10 @@ var syncAgentCommand = defineCommand31({
     chownToAgent(skillsDir);
     const incomingNames = new Set(skills.map((s) => s.name));
     try {
-      for (const entry of readdirSync2(skillsDir)) {
+      for (const entry of readdirSync(skillsDir)) {
         if (incomingNames.has(entry)) continue;
         try {
-          rmSync2(join8(skillsDir, entry), { recursive: true, force: true });
+          rmSync3(join8(skillsDir, entry), { recursive: true, force: true });
         } catch {
         }
       }
@@ -3719,16 +3764,16 @@ var syncAgentCommand = defineCommand31({
       mkdirSync3(skillDir, { recursive: true });
       chownToAgent(skillDir);
       const skillPath = join8(skillDir, "SKILL.md");
-      writeFileSync5(skillPath, skill.body.endsWith("\n") ? skill.body : `${skill.body}
+      writeFileSync6(skillPath, skill.body.endsWith("\n") ? skill.body : `${skill.body}
 `, { mode: 384 });
       chownToAgent(skillPath);
     }
-    consola27.success("Sync complete.");
+    consola29.success("Sync complete.");
   }
 });
 
 // src/commands/agents/index.ts
-var agentsCommand = defineCommand32({
+var agentsCommand = defineCommand33({
   meta: {
     name: "agents",
     description: "Manage owned agents (register, spawn, list, destroy, allow, sync, run, serve, code, cleanup-orphans)"
@@ -3748,22 +3793,22 @@ var agentsCommand = defineCommand32({
 });
 
 // src/commands/nest/index.ts
-import { defineCommand as defineCommand40 } from "citty";
+import { defineCommand as defineCommand41 } from "citty";
 
 // src/commands/nest/authorize.ts
-import { execFileSync as execFileSync7 } from "child_process";
+import { execFileSync as execFileSync8 } from "child_process";
 import { existsSync as existsSync14, readFileSync as readFileSync12 } from "fs";
 import { join as join10 } from "path";
-import { defineCommand as defineCommand34 } from "citty";
-import consola29 from "consola";
+import { defineCommand as defineCommand35 } from "citty";
+import consola31 from "consola";
 
 // src/commands/nest/enroll.ts
-import { hostname as hostname4, homedir as homedir11 } from "os";
-import { existsSync as existsSync13, mkdirSync as mkdirSync4, writeFileSync as writeFileSync6, chmodSync } from "fs";
+import { hostname as hostname4, homedir as homedir10 } from "os";
+import { existsSync as existsSync13, mkdirSync as mkdirSync4, writeFileSync as writeFileSync7, chmodSync } from "fs";
 import { join as join9 } from "path";
-import { defineCommand as defineCommand33 } from "citty";
-import consola28 from "consola";
-var NEST_DATA_DIR = join9(homedir11(), ".openape", "nest");
+import { defineCommand as defineCommand34 } from "citty";
+import consola30 from "consola";
+var NEST_DATA_DIR = join9(homedir10(), ".openape", "nest");
 function nestAgentName() {
   const raw = hostname4().toLowerCase();
   const head = raw.split(".")[0] ?? raw;
@@ -3771,7 +3816,7 @@ function nestAgentName() {
   const trimmed = safe.slice(0, 16);
   return `nest-${trimmed || "host"}`;
 }
-var enrollNestCommand = defineCommand33({
+var enrollNestCommand = defineCommand34({
   meta: {
     name: "enroll",
     description: "Register the local nest as a DDISA agent at the IdP. One-time per machine. Required before `apes nest authorize` so YOLO-policies have a target identity."
@@ -3804,17 +3849,17 @@ var enrollNestCommand = defineCommand33({
     const configDir = join9(NEST_DATA_DIR, ".config", "apes");
     mkdirSync4(sshDir, { recursive: true });
     mkdirSync4(configDir, { recursive: true });
-    consola28.start(`Generating keypair for ${name}\u2026`);
+    consola30.start(`Generating keypair for ${name}\u2026`);
     const { privatePem, publicSshLine } = generateKeyPairInMemory();
-    writeFileSync6(join9(sshDir, "id_ed25519"), `${privatePem.trimEnd()}
+    writeFileSync7(join9(sshDir, "id_ed25519"), `${privatePem.trimEnd()}
 `, { mode: 384 });
-    writeFileSync6(join9(sshDir, "id_ed25519.pub"), `${publicSshLine}
+    writeFileSync7(join9(sshDir, "id_ed25519.pub"), `${publicSshLine}
 `, { mode: 420 });
     chmodSync(sshDir, 448);
-    consola28.start(`Registering nest at ${idp}\u2026`);
+    consola30.start(`Registering nest at ${idp}\u2026`);
     const registration = await registerAgentAtIdp({ name, publicKey: publicSshLine, idp });
-    consola28.success(`Registered as ${registration.email}`);
-    consola28.start("Issuing nest access token\u2026");
+    consola30.success(`Registered as ${registration.email}`);
+    consola30.start("Issuing nest access token\u2026");
     const { token, expiresIn } = await issueAgentToken({
       idp,
       agentEmail: registration.email,
@@ -3828,13 +3873,13 @@ var enrollNestCommand = defineCommand33({
       keyPath: join9(sshDir, "id_ed25519"),
       ownerEmail: ownerAuth.email
     });
-    writeFileSync6(authPath, authJson, { mode: 384 });
+    writeFileSync7(authPath, authJson, { mode: 384 });
     chmodSync(configDir, 448);
-    consola28.success(`Nest enrolled \u2014 auth.json at ${authPath}`);
-    consola28.info("");
-    consola28.info("Next: configure the YOLO-policy so the nest can spawn/destroy without prompts:");
-    consola28.info("");
-    consola28.info("  apes nest authorize");
+    consola30.success(`Nest enrolled \u2014 auth.json at ${authPath}`);
+    consola30.info("");
+    consola30.info("Next: configure the YOLO-policy so the nest can spawn/destroy without prompts:");
+    consola30.info("");
+    consola30.info("  apes nest authorize");
   }
 });
 
@@ -3881,7 +3926,7 @@ var DEFAULT_ALLOW_PATTERNS = [
   "pm2 delete openape-bridge-*",
   "pm2 jlist"
 ];
-var authorizeNestCommand = defineCommand34({
+var authorizeNestCommand = defineCommand35({
   meta: {
     name: "authorize",
     description: "Set the YOLO-policy that lets the local nest spawn/destroy without per-call DDISA prompts (wraps `apes yolo set`)"
@@ -3903,8 +3948,8 @@ var authorizeNestCommand = defineCommand34({
     }
     const nestAuth = JSON.parse(readFileSync12(nestAuthPath, "utf8"));
     if (!nestAuth.email) throw new CliError(`${nestAuthPath} has no email`);
-    const allow = args.allow ?? DEFAULT_ALLOW_PATTERNS.join(",");
-    consola29.info(`Configuring YOLO-policy on ${nestAuth.email} via \`apes yolo set\`\u2026`);
+    const allow2 = args.allow ?? DEFAULT_ALLOW_PATTERNS.join(",");
+    consola31.info(`Configuring YOLO-policy on ${nestAuth.email} via \`apes yolo set\`\u2026`);
     const cmdArgs = [
       "yolo",
       "set",
@@ -3912,26 +3957,26 @@ var authorizeNestCommand = defineCommand34({
       "--mode",
       "allow-list",
       "--allow",
-      allow
+      allow2
     ];
     if (typeof args["expires-in"] === "string" && args["expires-in"]) {
       cmdArgs.push("--expires-in", args["expires-in"]);
     }
     try {
-      execFileSync7("apes", cmdArgs, { stdio: "inherit" });
+      execFileSync8("apes", cmdArgs, { stdio: "inherit" });
     } catch (err) {
       throw new CliError(err instanceof Error ? err.message : String(err));
     }
-    consola29.success("Nest-driven agent lifecycle is now zero-prompt.");
-    consola29.info("Test: apes agents spawn <name> via the nest API \u2192 no DDISA prompt.");
+    consola31.success("Nest-driven agent lifecycle is now zero-prompt.");
+    consola31.info("Test: apes agents spawn <name> via the nest API \u2192 no DDISA prompt.");
   }
 });
 
 // src/commands/nest/destroy.ts
-import { execFileSync as execFileSync8 } from "child_process";
-import { defineCommand as defineCommand35 } from "citty";
-import consola30 from "consola";
-var destroyNestCommand = defineCommand35({
+import { execFileSync as execFileSync9 } from "child_process";
+import { defineCommand as defineCommand36 } from "citty";
+import consola32 from "consola";
+var destroyNestCommand = defineCommand36({
   meta: {
     name: "destroy",
     description: "Destroy a local agent. Wraps `apes run --as root -- apes agents destroy <name>`; the Nest watches its registry and pm2-deletes the bridge automatically."
@@ -3942,8 +3987,8 @@ var destroyNestCommand = defineCommand35({
   async run({ args }) {
     const name = String(args.name);
     try {
-      execFileSync8("apes", ["run", "--as", "root", "--wait", "--", "apes", "agents", "destroy", name, "--force"], { stdio: "inherit" });
-      consola30.success(`Nest will tear down ${name}'s pm2 process on its next reconcile (\u22642s).`);
+      execFileSync9("apes", ["run", "--as", "root", "--wait", "--", "apes", "agents", "destroy", name, "--force"], { stdio: "inherit" });
+      consola32.success(`Nest will tear down ${name}'s pm2 process on its next reconcile (\u22642s).`);
     } catch (err) {
       const status = err.status ?? 1;
       throw new CliExit(status);
@@ -3952,11 +3997,11 @@ var destroyNestCommand = defineCommand35({
 });
 
 // src/commands/nest/install.ts
-import { existsSync as existsSync15, mkdirSync as mkdirSync5, readFileSync as readFileSync13, writeFileSync as writeFileSync7 } from "fs";
-import { homedir as homedir12 } from "os";
+import { existsSync as existsSync15, mkdirSync as mkdirSync5, readFileSync as readFileSync13, writeFileSync as writeFileSync8 } from "fs";
+import { homedir as homedir11 } from "os";
 import { dirname as dirname2, join as join11 } from "path";
-import { defineCommand as defineCommand36 } from "citty";
-import consola31 from "consola";
+import { defineCommand as defineCommand37 } from "citty";
+import consola33 from "consola";
 
 // src/commands/nest/apes-agents-adapter.ts
 var APES_AGENTS_ADAPTER_TOML = `schema = "openape-shapes/v1"
@@ -4022,7 +4067,7 @@ resource_chain = ["agents:name={name}", "allowlist:email={peer_email}"]
 
 // src/commands/nest/install.ts
 function installAdapter2() {
-  const target = join11(homedir12(), ".openape", "shapes", "adapters", "apes-agents.toml");
+  const target = join11(homedir11(), ".openape", "shapes", "adapters", "apes-agents.toml");
   mkdirSync5(dirname2(target), { recursive: true });
   let existing = "";
   try {
@@ -4030,12 +4075,12 @@ function installAdapter2() {
   } catch {
   }
   if (existing === APES_AGENTS_ADAPTER_TOML) return false;
-  writeFileSync7(target, APES_AGENTS_ADAPTER_TOML, { mode: 420 });
-  consola31.success(`Wrote shapes adapter ${target}`);
+  writeFileSync8(target, APES_AGENTS_ADAPTER_TOML, { mode: 420 });
+  consola33.success(`Wrote shapes adapter ${target}`);
   return true;
 }
 function writeBridgeModelDefault(model) {
-  for (const envDir of [join11(homedir12(), "litellm"), join11(NEST_DATA_DIR, "litellm")]) {
+  for (const envDir of [join11(homedir11(), "litellm"), join11(NEST_DATA_DIR, "litellm")]) {
     const envFile = join11(envDir, ".env");
     mkdirSync5(envDir, { recursive: true });
     let lines = [];
@@ -4044,13 +4089,13 @@ function writeBridgeModelDefault(model) {
     }
     lines.push(`APE_CHAT_BRIDGE_MODEL=${model}`);
     while (lines.length > 0 && lines.at(-1).trim() === "") lines.pop();
-    writeFileSync7(envFile, `${lines.join("\n")}
+    writeFileSync8(envFile, `${lines.join("\n")}
 `, { mode: 384 });
   }
 }
 function findBinary(name) {
   for (const dir of [
-    join11(homedir12(), ".bun", "bin"),
+    join11(homedir11(), ".bun", "bin"),
     "/opt/homebrew/bin",
     "/usr/local/bin",
     "/usr/bin"
@@ -4060,7 +4105,7 @@ function findBinary(name) {
   }
   throw new Error(`could not locate ${name} on PATH; install it first`);
 }
-var installNestCommand = defineCommand36({
+var installNestCommand = defineCommand37({
   meta: {
     name: "install",
     description: "Install + start the local nest-daemon (idempotent \u2014 re-running just restarts)"
@@ -4076,20 +4121,20 @@ var installNestCommand = defineCommand36({
     }
   },
   async run({ args }) {
-    const homeDir = homedir12();
+    const homeDir = homedir11();
     const port = Number(args.port ?? 9091);
     if (!Number.isInteger(port) || port < 1024 || port > 65535) {
       throw new Error(`invalid port ${port}`);
     }
     const nestBin = findBinary("openape-nest");
     const apesBin = findBinary("apes");
-    consola31.info(`Installing nest supervisor`);
-    consola31.info(`  nest binary: ${nestBin}`);
-    consola31.info(`  apes binary: ${apesBin}`);
-    consola31.info(`  HTTP port:   ${port}`);
+    consola33.info(`Installing nest supervisor`);
+    consola33.info(`  nest binary: ${nestBin}`);
+    consola33.info(`  apes binary: ${apesBin}`);
+    consola33.info(`  HTTP port:   ${port}`);
     if (typeof args["bridge-model"] === "string" && args["bridge-model"]) {
       writeBridgeModelDefault(args["bridge-model"]);
-      consola31.success(`Default bridge model set to ${args["bridge-model"]} (in ~/litellm/.env)`);
+      consola33.success(`Default bridge model set to ${args["bridge-model"]} (in ~/litellm/.env)`);
     }
     installAdapter2();
     mkdirSync5(NEST_DATA_DIR, { recursive: true });
@@ -4100,21 +4145,21 @@ var installNestCommand = defineCommand36({
       nestHome: NEST_DATA_DIR,
       port
     });
-    consola31.success(`Nest daemon bootstrapped \u2014 http://127.0.0.1:${port}`);
-    consola31.info("");
-    consola31.info("Next steps for zero-prompt spawn \u2014 both one-time:");
-    consola31.info("");
-    consola31.info("  1. apes nest enroll       # register nest as DDISA agent (creates own auth.json)");
-    consola31.info("  2. apes nest authorize    # set YOLO-policy on the nest agent");
-    consola31.info("");
-    consola31.info("After that, every `POST http://127.0.0.1:9091/agents` runs without DDISA prompts.");
+    consola33.success(`Nest daemon bootstrapped \u2014 http://127.0.0.1:${port}`);
+    consola33.info("");
+    consola33.info("Next steps for zero-prompt spawn \u2014 both one-time:");
+    consola33.info("");
+    consola33.info("  1. apes nest enroll       # register nest as DDISA agent (creates own auth.json)");
+    consola33.info("  2. apes nest authorize    # set YOLO-policy on the nest agent");
+    consola33.info("");
+    consola33.info("After that, every `POST http://127.0.0.1:9091/agents` runs without DDISA prompts.");
   }
 });
 
 // src/commands/nest/list.ts
-import { defineCommand as defineCommand37 } from "citty";
-import consola32 from "consola";
-var listNestCommand = defineCommand37({
+import { defineCommand as defineCommand38 } from "citty";
+import consola34 from "consola";
+var listNestCommand = defineCommand38({
   meta: {
     name: "list",
     description: "List agents registered with the local nest. Reads /var/openape/nest/agents.json directly."
@@ -4129,22 +4174,22 @@ var listNestCommand = defineCommand37({
       return;
     }
     if (reg.agents.length === 0) {
-      consola32.info("(no agents registered with this nest)");
+      consola34.info("(no agents registered with this nest)");
       return;
     }
-    consola32.info(`${reg.agents.length} agent(s) registered with this nest:`);
+    consola34.info(`${reg.agents.length} agent(s) registered with this nest:`);
     for (const a of reg.agents) {
       const bridge = a.bridge ? " bridge=on" : "";
-      consola32.info(`  ${a.name.padEnd(16)} uid=${String(a.uid).padEnd(5)} home=${a.home}${bridge}`);
+      consola34.info(`  ${a.name.padEnd(16)} uid=${String(a.uid).padEnd(5)} home=${a.home}${bridge}`);
     }
   }
 });
 
 // src/commands/nest/spawn.ts
-import { execFileSync as execFileSync9 } from "child_process";
-import { defineCommand as defineCommand38 } from "citty";
-import consola33 from "consola";
-var spawnNestCommand = defineCommand38({
+import { execFileSync as execFileSync10 } from "child_process";
+import { defineCommand as defineCommand39 } from "citty";
+import consola35 from "consola";
+var spawnNestCommand = defineCommand39({
   meta: {
     name: "spawn",
     description: "Spawn a new agent locally. Wraps `apes run --as root -- apes agents spawn <name>`; the Nest watches its registry and starts the bridge in pm2 automatically."
@@ -4174,8 +4219,8 @@ var spawnNestCommand = defineCommand38({
     if (typeof args["bridge-base-url"] === "string") apesArgs.push("--bridge-base-url", args["bridge-base-url"]);
     if (typeof args["bridge-model"] === "string") apesArgs.push("--bridge-model", args["bridge-model"]);
     try {
-      execFileSync9("apes", apesArgs, { stdio: "inherit" });
-      consola33.success(`Nest will pick up ${name} on its next reconcile (\u22642s).`);
+      execFileSync10("apes", apesArgs, { stdio: "inherit" });
+      consola35.success(`Nest will pick up ${name} on its next reconcile (\u22642s).`);
     } catch (err) {
       const status = err.status ?? 1;
       throw new CliExit(status);
@@ -4184,22 +4229,22 @@ var spawnNestCommand = defineCommand38({
 });
 
 // src/commands/nest/uninstall.ts
-import { defineCommand as defineCommand39 } from "citty";
-import consola34 from "consola";
-var uninstallNestCommand = defineCommand39({
+import { defineCommand as defineCommand40 } from "citty";
+import consola36 from "consola";
+var uninstallNestCommand = defineCommand40({
   meta: {
     name: "uninstall",
     description: "Stop + remove the local nest-daemon (registry + agents preserved)"
   },
   async run() {
     await getHostPlatform().uninstallNestSupervisor();
-    consola34.success("Nest daemon stopped + supervisor unit removed");
-    consola34.info("Registry at ~/.openape/nest/agents.json kept \u2014 re-run `apes nest install` to resume supervision.");
+    consola36.success("Nest daemon stopped + supervisor unit removed");
+    consola36.info("Registry at ~/.openape/nest/agents.json kept \u2014 re-run `apes nest install` to resume supervision.");
   }
 });
 
 // src/commands/nest/index.ts
-var nestCommand = defineCommand40({
+var nestCommand = defineCommand41({
   meta: {
     name: "nest",
     description: "Manage the local Nest control-plane daemon. One-time setup: `install` \u2192 `enroll` \u2192 `authorize`. Day-to-day: `list` / `spawn` / `destroy`. As of Phase D the Nest is a long-running CLIENT \u2014 commands talk to it via filesystem intent files in $NEST_HOME/intents (mode 770, group _openape_nest) instead of HTTP."
@@ -4216,12 +4261,12 @@ var nestCommand = defineCommand40({
 });
 
 // src/commands/yolo/index.ts
-import { defineCommand as defineCommand44 } from "citty";
+import { defineCommand as defineCommand45 } from "citty";
 
 // src/commands/yolo/clear.ts
-import { defineCommand as defineCommand41 } from "citty";
-import consola35 from "consola";
-var yoloClearCommand = defineCommand41({
+import { defineCommand as defineCommand42 } from "citty";
+import consola37 from "consola";
+var yoloClearCommand = defineCommand42({
   meta: {
     name: "clear",
     description: "Remove the YOLO-policy from a DDISA agent (subsequent grants need human approval)"
@@ -4250,15 +4295,15 @@ var yoloClearCommand = defineCommand41({
       const text = await res.text().catch(() => "");
       throw new CliError(`DELETE /yolo-policy failed (${res.status}): ${text}`);
     }
-    consola35.success(`YOLO-policy cleared on ${email}`);
+    consola37.success(`YOLO-policy cleared on ${email}`);
   }
 });
 
 // src/commands/yolo/set.ts
-import { defineCommand as defineCommand42 } from "citty";
-import consola36 from "consola";
+import { defineCommand as defineCommand43 } from "citty";
+import consola38 from "consola";
 var VALID_MODES = ["allow-list", "deny-list"];
-var yoloSetCommand = defineCommand42({
+var yoloSetCommand = defineCommand43({
   meta: {
     name: "set",
     description: "Write a YOLO-policy on a DDISA agent you own"
@@ -4306,12 +4351,12 @@ var yoloSetCommand = defineCommand42({
     const denyPatterns = parseList(args.deny);
     const denyRiskThreshold = args["deny-risk"] ?? null;
     const expiresAt = parseExpiresIn(args["expires-in"]);
-    consola36.info(`Setting YOLO-policy on ${email}`);
-    consola36.info(`  mode:           ${mode}`);
-    if (allowPatterns.length) consola36.info(`  allow_patterns: ${allowPatterns.join(", ")}`);
-    if (denyPatterns.length) consola36.info(`  deny_patterns:  ${denyPatterns.join(", ")}`);
-    if (denyRiskThreshold) consola36.info(`  deny_risk:      ${denyRiskThreshold}`);
-    if (expiresAt) consola36.info(`  expires_at:     ${new Date(expiresAt * 1e3).toISOString()}`);
+    consola38.info(`Setting YOLO-policy on ${email}`);
+    consola38.info(`  mode:           ${mode}`);
+    if (allowPatterns.length) consola38.info(`  allow_patterns: ${allowPatterns.join(", ")}`);
+    if (denyPatterns.length) consola38.info(`  deny_patterns:  ${denyPatterns.join(", ")}`);
+    if (denyRiskThreshold) consola38.info(`  deny_risk:      ${denyRiskThreshold}`);
+    if (expiresAt) consola38.info(`  expires_at:     ${new Date(expiresAt * 1e3).toISOString()}`);
     const url = `${idp}/api/users/${encodeURIComponent(email)}/yolo-policy`;
     const res = await fetch(url, {
       method: "PUT",
@@ -4331,7 +4376,7 @@ var yoloSetCommand = defineCommand42({
       const text = await res.text().catch(() => "");
       throw new CliError(`PUT /yolo-policy failed (${res.status}): ${text}`);
     }
-    consola36.success(`YOLO-policy applied to ${email}`);
+    consola38.success(`YOLO-policy applied to ${email}`);
   }
 });
 function parseList(s) {
@@ -4349,9 +4394,9 @@ function parseExpiresIn(s) {
 }
 
 // src/commands/yolo/show.ts
-import { defineCommand as defineCommand43 } from "citty";
-import consola37 from "consola";
-var yoloShowCommand = defineCommand43({
+import { defineCommand as defineCommand44 } from "citty";
+import consola39 from "consola";
+var yoloShowCommand = defineCommand44({
   meta: {
     name: "show",
     description: "Print the YOLO-policy currently set on a DDISA agent"
@@ -4388,17 +4433,17 @@ var yoloShowCommand = defineCommand43({
       console.log(JSON.stringify(policy, null, 2));
       return;
     }
-    consola37.info(`YOLO-policy for ${email}`);
-    consola37.info(`  mode:           ${policy.mode}`);
-    consola37.info(`  allow_patterns: ${policy.allowPatterns.length ? policy.allowPatterns.join(", ") : "(none)"}`);
-    consola37.info(`  deny_patterns:  ${policy.denyPatterns.length ? policy.denyPatterns.join(", ") : "(none)"}`);
-    consola37.info(`  deny_risk:      ${policy.denyRiskThreshold ?? "(none)"}`);
-    consola37.info(`  expires_at:     ${policy.expiresAt ? new Date(policy.expiresAt * 1e3).toISOString() : "(never)"}`);
+    consola39.info(`YOLO-policy for ${email}`);
+    consola39.info(`  mode:           ${policy.mode}`);
+    consola39.info(`  allow_patterns: ${policy.allowPatterns.length ? policy.allowPatterns.join(", ") : "(none)"}`);
+    consola39.info(`  deny_patterns:  ${policy.denyPatterns.length ? policy.denyPatterns.join(", ") : "(none)"}`);
+    consola39.info(`  deny_risk:      ${policy.denyRiskThreshold ?? "(none)"}`);
+    consola39.info(`  expires_at:     ${policy.expiresAt ? new Date(policy.expiresAt * 1e3).toISOString() : "(never)"}`);
   }
 });
 
 // src/commands/yolo/index.ts
-var yoloCommand = defineCommand44({
+var yoloCommand = defineCommand45({
   meta: {
     name: "yolo",
     description: "Manage YOLO-policies on DDISA agents you own \u2014 auto-approve grant patterns at the IdP layer (allow-list) or block dangerous ones outright (deny-list)."
@@ -4411,15 +4456,15 @@ var yoloCommand = defineCommand44({
 });
 
 // src/commands/adapter/index.ts
-import { defineCommand as defineCommand45 } from "citty";
-import consola38 from "consola";
-var adapterCommand = defineCommand45({
+import { defineCommand as defineCommand46 } from "citty";
+import consola40 from "consola";
+var adapterCommand = defineCommand46({
   meta: {
     name: "adapter",
     description: "Manage CLI adapters"
   },
   subCommands: {
-    list: defineCommand45({
+    list: defineCommand46({
       meta: {
         name: "list",
         description: "List available adapters"
@@ -4450,7 +4495,7 @@ var adapterCommand = defineCommand45({
 `);
             return;
           }
-          consola38.info(`Registry: ${index2.adapters.length} adapters (${index2.generated_at})`);
+          consola40.info(`Registry: ${index2.adapters.length} adapters (${index2.generated_at})`);
           for (const a of index2.adapters) {
             const installed = isInstalled(a.id, false) ? " [installed]" : "";
             console.log(`  ${a.id.padEnd(12)} ${a.name.padEnd(24)} ${a.category}${installed}`);
@@ -4472,7 +4517,7 @@ var adapterCommand = defineCommand45({
           return;
         }
         if (local.length === 0) {
-          consola38.info("No adapters installed. Use `apes adapter list --remote` to see available adapters.");
+          consola40.info("No adapters installed. Use `apes adapter list --remote` to see available adapters.");
           return;
         }
         for (const a of local) {
@@ -4480,7 +4525,7 @@ var adapterCommand = defineCommand45({
         }
       }
     }),
-    install: defineCommand45({
+    install: defineCommand46({
       meta: {
         name: "install",
         description: "Install an adapter from the registry"
@@ -4509,24 +4554,24 @@ var adapterCommand = defineCommand45({
         for (const id of ids) {
           const entry = findAdapter(index, id);
           if (!entry) {
-            consola38.error(`Adapter "${id}" not found in registry. Use \`apes adapter search ${id}\` to search.`);
+            consola40.error(`Adapter "${id}" not found in registry. Use \`apes adapter search ${id}\` to search.`);
             continue;
           }
           const conflicts = findConflictingAdapters(entry.executable, id);
           if (conflicts.length > 0) {
             for (const c of conflicts) {
-              consola38.warn(`Conflicting adapter found: ${c.path} (id: ${c.adapterId}, executable: ${c.executable})`);
-              consola38.warn(`  Remove it with: apes adapter remove ${c.adapterId}`);
+              consola40.warn(`Conflicting adapter found: ${c.path} (id: ${c.adapterId}, executable: ${c.executable})`);
+              consola40.warn(`  Remove it with: apes adapter remove ${c.adapterId}`);
             }
           }
           const result = await installAdapter(entry, { local });
           const verb = result.updated ? "Updated" : "Installed";
-          consola38.success(`${verb} ${result.id} \u2192 ${result.path}`);
-          consola38.info(`Digest: ${result.digest}`);
+          consola40.success(`${verb} ${result.id} \u2192 ${result.path}`);
+          consola40.info(`Digest: ${result.digest}`);
         }
       }
     }),
-    remove: defineCommand45({
+    remove: defineCommand46({
       meta: {
         name: "remove",
         description: "Remove an installed adapter"
@@ -4549,9 +4594,9 @@ var adapterCommand = defineCommand45({
         let failed = false;
         for (const id of ids) {
           if (removeAdapter(id, local)) {
-            consola38.success(`Removed adapter: ${id}`);
+            consola40.success(`Removed adapter: ${id}`);
           } else {
-            consola38.error(`Adapter "${id}" is not installed${local ? " locally" : ""}`);
+            consola40.error(`Adapter "${id}" is not installed${local ? " locally" : ""}`);
             failed = true;
           }
         }
@@ -4559,7 +4604,7 @@ var adapterCommand = defineCommand45({
           throw new CliError("Some adapters could not be removed");
       }
     }),
-    info: defineCommand45({
+    info: defineCommand46({
       meta: {
         name: "info",
         description: "Show detailed adapter information"
@@ -4601,7 +4646,7 @@ var adapterCommand = defineCommand45({
         }
       }
     }),
-    search: defineCommand45({
+    search: defineCommand46({
       meta: {
         name: "search",
         description: "Search adapters in the registry"
@@ -4633,7 +4678,7 @@ var adapterCommand = defineCommand45({
           return;
         }
         if (results.length === 0) {
-          consola38.info(`No adapters matching "${query}"`);
+          consola40.info(`No adapters matching "${query}"`);
           return;
         }
         for (const a of results) {
@@ -4642,7 +4687,7 @@ var adapterCommand = defineCommand45({
         }
       }
     }),
-    update: defineCommand45({
+    update: defineCommand46({
       meta: {
         name: "update",
         description: "Update installed adapters"
@@ -4668,33 +4713,33 @@ var adapterCommand = defineCommand45({
         const targetId = args.id ? String(args.id) : void 0;
         const targets = targetId ? [targetId] : index.adapters.map((a) => a.id).filter((id) => isInstalled(id, false));
         if (targets.length === 0) {
-          consola38.info("No adapters installed to update.");
+          consola40.info("No adapters installed to update.");
           return;
         }
         for (const id of targets) {
           const entry = findAdapter(index, id);
           if (!entry) {
-            consola38.warn(`${id}: not found in registry, skipping`);
+            consola40.warn(`${id}: not found in registry, skipping`);
             continue;
           }
           const localDigest = getInstalledDigest(id, false);
           if (localDigest === entry.digest) {
-            consola38.info(`${id}: already up to date`);
+            consola40.info(`${id}: already up to date`);
             continue;
           }
           if (localDigest && !args.yes) {
-            consola38.warn(`${id}: digest will change \u2014 existing grants for this adapter will be invalidated`);
-            consola38.info(`  Old: ${localDigest}`);
-            consola38.info(`  New: ${entry.digest}`);
-            consola38.info("  Use --yes to confirm");
+            consola40.warn(`${id}: digest will change \u2014 existing grants for this adapter will be invalidated`);
+            consola40.info(`  Old: ${localDigest}`);
+            consola40.info(`  New: ${entry.digest}`);
+            consola40.info("  Use --yes to confirm");
             continue;
           }
           const result = await installAdapter(entry);
-          consola38.success(`Updated ${result.id} \u2192 ${result.path}`);
+          consola40.success(`Updated ${result.id} \u2192 ${result.path}`);
         }
       }
     }),
-    verify: defineCommand45({
+    verify: defineCommand46({
       meta: {
         name: "verify",
         description: "Verify installed adapter against registry digest"
@@ -4727,7 +4772,7 @@ var adapterCommand = defineCommand45({
         if (!localDigest)
           throw new Error(`Adapter "${id}" is not installed${local ? " locally" : ""}`);
         if (localDigest === entry.digest) {
-          consola38.success(`${id}: digest matches registry`);
+          consola40.success(`${id}: digest matches registry`);
         } else {
           console.log(`  Local:    ${localDigest}`);
           console.log(`  Registry: ${entry.digest}`);
@@ -4739,11 +4784,11 @@ var adapterCommand = defineCommand45({
 });
 
 // src/commands/run.ts
-import { execFileSync as execFileSync10 } from "child_process";
+import { execFileSync as execFileSync11 } from "child_process";
 import { hostname as hostname5 } from "os";
 import { basename } from "path";
-import { defineCommand as defineCommand46 } from "citty";
-import consola39 from "consola";
+import { defineCommand as defineCommand47 } from "citty";
+import consola41 from "consola";
 function resolveRunAsTarget(runAs) {
   if (!runAs) return runAs;
   if (!AGENT_NAME_REGEX.test(runAs)) return runAs;
@@ -4799,7 +4844,7 @@ function printPendingGrantInfo(grant, idp) {
   const statusCmd = `apes grants status ${grant.id}`;
   const executeCmd = `apes grants run ${grant.id}`;
   if (mode === "human") {
-    consola39.success(`Grant ${grant.id} created \u2014 awaiting your approval`);
+    consola41.success(`Grant ${grant.id} created \u2014 awaiting your approval`);
     console.log(`  Approve in browser:  ${approveUrl}`);
     console.log(`  Check status:        ${statusCmd}`);
     console.log(`  Run after approval:  ${executeCmd}`);
@@ -4809,7 +4854,7 @@ function printPendingGrantInfo(grant, idp) {
     return;
   }
   const maxMin = getPollMaxMinutes();
-  consola39.success(`Grant ${grant.id} created (pending approval)`);
+  consola41.success(`Grant ${grant.id} created (pending approval)`);
   console.log(`  Approve:   ${approveUrl}`);
   console.log(`  Status:    ${statusCmd} [--json]`);
   console.log(`  Execute:   ${executeCmd} --wait`);
@@ -4831,7 +4876,7 @@ function printPendingGrantInfo(grant, idp) {
   console.log('  Tip: Approve as "timed" or "always" in the browser to let this');
   console.log("  grant be reused on subsequent invocations without re-approval.");
 }
-var runCommand = defineCommand46({
+var runCommand = defineCommand47({
   meta: {
     name: "run",
     description: "Execute a grant-secured command"
@@ -4937,7 +4982,7 @@ async function runShellMode(command, args) {
     }
   } catch {
   }
-  consola39.info(`Requesting ape-shell session grant on ${targetHost}`);
+  consola41.info(`Requesting ape-shell session grant on ${targetHost}`);
   const grant = await apiFetch(grantsUrl, {
     method: "POST",
     body: {
@@ -4957,8 +5002,8 @@ async function runShellMode(command, args) {
     host: targetHost
   });
   if (shouldWaitForGrant(args)) {
-    consola39.info(`Grant requested: ${grant.id}`);
-    consola39.info("Waiting for approval...");
+    consola41.info(`Grant requested: ${grant.id}`);
+    consola41.info("Waiting for approval...");
     const maxWait = 3e5;
     const interval = 3e3;
     const start = Date.now();
@@ -4989,13 +5034,13 @@ async function tryAdapterModeFromShell(command, idp, args) {
   try {
     resolved = await resolveCommand(loaded, [normalizedExecutable, ...parsed.argv]);
   } catch (err) {
-    consola39.debug(`ape-shell: adapter resolve failed for "${parsed.raw}":`, err);
+    consola41.debug(`ape-shell: adapter resolve failed for "${parsed.raw}":`, err);
     return false;
   }
   try {
     const existingGrantId = await findExistingGrant(resolved, idp);
     if (existingGrantId) {
-      consola39.info(`Reusing grant ${existingGrantId} for: ${resolved.detail.display}`);
+      consola41.info(`Reusing grant ${existingGrantId} for: ${resolved.detail.display}`);
       const token = await fetchGrantToken(idp, existingGrantId);
       await verifyAndExecute(token, resolved, existingGrantId);
       return true;
@@ -5003,7 +5048,7 @@ async function tryAdapterModeFromShell(command, idp, args) {
   } catch {
   }
   const approval = args.approval ?? "once";
-  consola39.info(`Requesting grant for: ${resolved.detail.display}`);
+  consola41.info(`Requesting grant for: ${resolved.detail.display}`);
   const grant = await createShapesGrant(resolved, {
     idp,
     approval,
@@ -5011,8 +5056,8 @@ async function tryAdapterModeFromShell(command, idp, args) {
   });
   if (grant.similar_grants?.similar_grants?.length) {
     const n = grant.similar_grants.similar_grants.length;
-    consola39.info("");
-    consola39.info(`  Similar grant(s) found (${n}). Your approver can extend an existing grant to cover this request.`);
+    consola41.info("");
+    consola41.info(`  Similar grant(s) found (${n}). Your approver can extend an existing grant to cover this request.`);
   }
   notifyGrantPending({
     grantId: grant.id,
@@ -5022,8 +5067,8 @@ async function tryAdapterModeFromShell(command, idp, args) {
     host: args.host || hostname5()
   });
   if (shouldWaitForGrant(args)) {
-    consola39.info(`Grant requested: ${grant.id}`);
-    consola39.info(`Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
+    consola41.info(`Grant requested: ${grant.id}`);
+    consola41.info(`Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
     const status = await waitForGrantStatus(idp, grant.id);
     if (status !== "approved")
       throw new CliError(`Grant ${status}`);
@@ -5039,7 +5084,7 @@ function execShellCommand(command) {
     throw new CliError("No command to execute");
   try {
     const { APES_SHELL_WRAPPER: _wrapperMarker, ...inheritedEnv } = process.env;
-    execFileSync10(command[0], command.slice(1), {
+    execFileSync11(command[0], command.slice(1), {
       stdio: "inherit",
       env: inheritedEnv
     });
@@ -5097,7 +5142,7 @@ async function runAdapterMode(command, rawArgs, args) {
   try {
     const existingGrantId = await findExistingGrant(resolved, idp);
     if (existingGrantId) {
-      consola39.info(`Reusing existing grant: ${existingGrantId}`);
+      consola41.info(`Reusing existing grant: ${existingGrantId}`);
       const token = await fetchGrantToken(idp, existingGrantId);
       await verifyAndExecute(token, resolved, existingGrantId);
       return;
@@ -5111,17 +5156,17 @@ async function runAdapterMode(command, rawArgs, args) {
   });
   if (grant.similar_grants?.similar_grants?.length) {
     const n = grant.similar_grants.similar_grants.length;
-    consola39.info("");
-    consola39.info(`  Similar grant(s) found (${n}). Your approver can extend an existing grant to cover this request.`);
+    consola41.info("");
+    consola41.info(`  Similar grant(s) found (${n}). Your approver can extend an existing grant to cover this request.`);
     if (grant.similar_grants.widened_details?.length) {
       const wider = grant.similar_grants.widened_details.map((d) => d.permission).join(", ");
-      consola39.info(`  Broader scope: ${wider}`);
+      consola41.info(`  Broader scope: ${wider}`);
     }
-    consola39.info("");
+    consola41.info("");
   }
   if (shouldWaitForGrant(args)) {
-    consola39.info(`Grant requested: ${grant.id}`);
-    consola39.info(`Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
+    consola41.info(`Grant requested: ${grant.id}`);
+    consola41.info(`Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
     const status = await waitForGrantStatus(idp, grant.id);
     if (status !== "approved")
       throw new Error(`Grant ${status}`);
@@ -5154,7 +5199,7 @@ async function runAudienceMode(audience, action, args, commandArgv) {
     const { authz_jwt: authz_jwt2 } = await apiFetch(`${grantsUrl}/${reusableId}/token`, { method: "POST" });
     return executeWithGrantToken({ audience, command, args, token: authz_jwt2 });
   }
-  consola39.info(`Requesting ${audience} grant on ${targetHost}: ${command.join(" ")}`);
+  consola41.info(`Requesting ${audience} grant on ${targetHost}: ${command.join(" ")}`);
   const grant = await apiFetch(grantsUrl, {
     method: "POST",
     body: {
@@ -5171,9 +5216,9 @@ async function runAudienceMode(audience, action, args, commandArgv) {
     printPendingGrantInfo(grant, idp);
     throw new CliExit(getAsyncExitCode());
   }
-  consola39.success(`Grant requested: ${grant.id}`);
-  consola39.info(`Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
-  consola39.info("Waiting for approval...");
+  consola41.success(`Grant requested: ${grant.id}`);
+  consola41.info(`Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
+  consola41.info("Waiting for approval...");
   const maxWait = 15 * 60 * 1e3;
   const interval = 3e3;
   const start = Date.now();
@@ -5181,7 +5226,7 @@ async function runAudienceMode(audience, action, args, commandArgv) {
   while (Date.now() - start < maxWait) {
     const status = await apiFetch(`${grantsUrl}/${grant.id}`);
     if (status.status === "approved") {
-      consola39.success("Grant approved!");
+      consola41.success("Grant approved!");
       approved = true;
       break;
     }
@@ -5196,7 +5241,7 @@ async function runAudienceMode(audience, action, args, commandArgv) {
       `Grant approval timed out after ${minutes} min (still pending). Check your DDISA inbox at ${idp}/grant-approval?grant_id=${grant.id} \u2014 if approved later, re-run the same \`apes run\` command and it will reuse the grant.`
     );
   }
-  consola39.info("Fetching grant token...");
+  consola41.info("Fetching grant token...");
   const { authz_jwt } = await apiFetch(`${grantsUrl}/${grant.id}/token`, {
     method: "POST"
   });
@@ -5205,10 +5250,10 @@ async function runAudienceMode(audience, action, args, commandArgv) {
 function executeWithGrantToken(opts) {
   const { audience, command, args, token } = opts;
   if (audience === "escapes") {
-    consola39.info(`Executing: ${command.join(" ")}`);
+    consola41.info(`Executing: ${command.join(" ")}`);
     try {
       const { APES_SHELL_WRAPPER: _wrapperMarker, ...inheritedEnv } = process.env;
-      execFileSync10(args["escapes-path"] || "escapes", ["--grant", token, "--", ...command], {
+      execFileSync11(args["escapes-path"] || "escapes", ["--grant", token, "--", ...command], {
         stdio: "inherit",
         env: inheritedEnv
       });
@@ -5245,10 +5290,10 @@ async function findReusableAudienceGrant(opts) {
 // src/commands/proxy.ts
 import { spawn as spawn2 } from "child_process";
 import { existsSync as existsSync17 } from "fs";
-import { homedir as homedir13 } from "os";
+import { homedir as homedir12 } from "os";
 import { join as join14 } from "path";
-import { defineCommand as defineCommand47 } from "citty";
-import consola40 from "consola";
+import { defineCommand as defineCommand48 } from "citty";
+import consola42 from "consola";
 
 // src/proxy/config.ts
 function buildDefaultProxyConfigToml(opts) {
@@ -5282,10 +5327,10 @@ note = "VPC-internal hostname suffix"
 
 // src/proxy/local-proxy.ts
 import { spawn } from "child_process";
-import { mkdtempSync as mkdtempSync2, rmSync as rmSync3, writeFileSync as writeFileSync8 } from "fs";
+import { mkdtempSync as mkdtempSync2, rmSync as rmSync4, writeFileSync as writeFileSync9 } from "fs";
 import { createRequire } from "module";
 import { tmpdir as tmpdir2 } from "os";
-import { dirname as dirname3, join as join12, resolve as resolve3 } from "path";
+import { dirname as dirname3, join as join12, resolve as resolve4 } from "path";
 var require2 = createRequire(import.meta.url);
 function findProxyBin() {
   const pkgPath = require2.resolve("@openape/proxy/package.json");
@@ -5294,12 +5339,12 @@ function findProxyBin() {
   if (!binRel) {
     throw new Error("@openape/proxy is missing the openape-proxy bin entry");
   }
-  return resolve3(dirname3(pkgPath), binRel);
+  return resolve4(dirname3(pkgPath), binRel);
 }
 async function startEphemeralProxy(configToml) {
   const tmpDir = mkdtempSync2(join12(tmpdir2(), "openape-proxy-"));
   const configPath = join12(tmpDir, "config.toml");
-  writeFileSync8(configPath, configToml, { mode: 384 });
+  writeFileSync9(configPath, configToml, { mode: 384 });
   const binPath = findProxyBin();
   const child = spawn(process.execPath, [binPath, "-c", configPath], {
     stdio: ["ignore", "pipe", "pipe"],
@@ -5307,7 +5352,7 @@ async function startEphemeralProxy(configToml) {
   });
   const cleanupTmp = () => {
     try {
-      rmSync3(tmpDir, { recursive: true, force: true });
+      rmSync4(tmpDir, { recursive: true, force: true });
     } catch {
     }
   };
@@ -5381,7 +5426,7 @@ function waitForListenLine(child) {
 }
 
 // src/proxy/trust-bundle.ts
-import { existsSync as existsSync16, mkdtempSync as mkdtempSync3, readFileSync as readFileSync14, rmdirSync, unlinkSync as unlinkSync2, writeFileSync as writeFileSync9 } from "fs";
+import { existsSync as existsSync16, mkdtempSync as mkdtempSync3, readFileSync as readFileSync14, rmdirSync, unlinkSync as unlinkSync2, writeFileSync as writeFileSync10 } from "fs";
 import { tmpdir as tmpdir3 } from "os";
 import { join as join13 } from "path";
 var CANDIDATES = [
@@ -5407,7 +5452,7 @@ function buildTrustBundle(opts) {
   const path2 = join13(dir, "bundle.pem");
   const sys = readFileSync14(opts.systemCaPath, "utf-8");
   const local = readFileSync14(opts.localCaPath, "utf-8");
-  writeFileSync9(path2, `${sys.trimEnd()}
+  writeFileSync10(path2, `${sys.trimEnd()}
 ${local.trimEnd()}
 `, { mode: 384 });
   return {
@@ -5436,10 +5481,10 @@ function resolveProxyConfigOptions() {
       77
     );
   }
-  consola40.info(`[apes proxy] IdP-mediated mode \u2014 agent=${auth.email}, idp=${auth.idp}`);
+  consola42.info(`[apes proxy] IdP-mediated mode \u2014 agent=${auth.email}, idp=${auth.idp}`);
   return { agentEmail: auth.email, idpUrl: auth.idp, mediated: true };
 }
-var proxyCommand = defineCommand47({
+var proxyCommand = defineCommand48({
   meta: {
     name: "proxy",
     description: "Run a command with HTTPS_PROXY routed through the OpenApe egress proxy."
@@ -5463,8 +5508,8 @@ var proxyCommand = defineCommand47({
     let close = null;
     if (reuseHostPort) {
       proxyUrl = `http://${reuseHostPort}`;
-      consola40.info(`[apes proxy] using long-running daemon at ${proxyUrl}`);
-      const localCaPath = join14(homedir13(), ".openape", "proxy", "ca.crt");
+      consola42.info(`[apes proxy] using long-running daemon at ${proxyUrl}`);
+      const localCaPath = join14(homedir12(), ".openape", "proxy", "ca.crt");
       if (!existsSync17(localCaPath)) {
         throw new CliError(
           `OPENAPE_PROXY is set but no local CA found at ${localCaPath}. Start the daemon (sudo -u <agent> apes proxy --global < secrets.toml) first.`
@@ -5474,15 +5519,15 @@ var proxyCommand = defineCommand47({
         systemCaPath: detectSystemCaPath(),
         localCaPath
       });
-      consola40.debug(`[apes proxy] trust bundle: ${bundle.path}`);
+      consola42.debug(`[apes proxy] trust bundle: ${bundle.path}`);
     } else if (reuseUrl) {
       proxyUrl = reuseUrl;
-      consola40.info(`[apes proxy] reusing existing proxy at ${proxyUrl}`);
+      consola42.info(`[apes proxy] reusing existing proxy at ${proxyUrl}`);
     } else {
       const ephemeral = await startEphemeralProxy(buildDefaultProxyConfigToml(resolveProxyConfigOptions()));
       proxyUrl = ephemeral.url;
       close = ephemeral.close;
-      consola40.info(`[apes proxy] started ephemeral proxy at ${proxyUrl}`);
+      consola42.info(`[apes proxy] started ephemeral proxy at ${proxyUrl}`);
     }
     const noProxy = process.env.NO_PROXY ?? process.env.no_proxy ?? "127.0.0.1,localhost";
     const childEnv = {
@@ -5523,7 +5568,7 @@ var proxyCommand = defineCommand47({
           else resolveExit(code ?? 0);
         });
         child.once("error", (err) => {
-          consola40.error(`[apes proxy] failed to spawn '${wrapped[0]}':`, err.message);
+          consola42.error(`[apes proxy] failed to spawn '${wrapped[0]}':`, err.message);
           resolveExit(127);
         });
       });
@@ -5540,8 +5585,8 @@ function signalNumber(signal) {
 }
 
 // src/commands/explain.ts
-import { defineCommand as defineCommand48 } from "citty";
-var explainCommand = defineCommand48({
+import { defineCommand as defineCommand49 } from "citty";
+var explainCommand = defineCommand49({
   meta: {
     name: "explain",
     description: "Show what permission a command would need"
@@ -5579,9 +5624,9 @@ var explainCommand = defineCommand48({
 });
 
 // src/commands/config/get.ts
-import { defineCommand as defineCommand49 } from "citty";
-import consola41 from "consola";
-var configGetCommand = defineCommand49({
+import { defineCommand as defineCommand50 } from "citty";
+import consola43 from "consola";
+var configGetCommand = defineCommand50({
   meta: {
     name: "get",
     description: "Get a configuration value"
@@ -5601,7 +5646,7 @@ var configGetCommand = defineCommand49({
         if (idp)
           console.log(idp);
         else
-          consola41.info("No IdP configured.");
+          consola43.info("No IdP configured.");
         break;
       }
       case "email": {
@@ -5609,7 +5654,7 @@ var configGetCommand = defineCommand49({
         if (auth?.email)
           console.log(auth.email);
         else
-          consola41.info("Not logged in.");
+          consola43.info("Not logged in.");
         break;
       }
       default: {
@@ -5622,7 +5667,7 @@ var configGetCommand = defineCommand49({
           if (sectionObj && field in sectionObj) {
             console.log(sectionObj[field]);
           } else {
-            consola41.info(`Key "${key}" not set.`);
+            consola43.info(`Key "${key}" not set.`);
           }
         } else {
           throw new CliError(`Unknown key: "${key}". Use: idp, email, defaults.idp, defaults.approval, agent.key, agent.email`);
@@ -5633,9 +5678,9 @@ var configGetCommand = defineCommand49({
 });
 
 // src/commands/config/set.ts
-import { defineCommand as defineCommand50 } from "citty";
-import consola42 from "consola";
-var configSetCommand = defineCommand50({
+import { defineCommand as defineCommand51 } from "citty";
+import consola44 from "consola";
+var configSetCommand = defineCommand51({
   meta: {
     name: "set",
     description: "Set a configuration value"
@@ -5671,12 +5716,12 @@ var configSetCommand = defineCommand50({
       throw new CliError(`Unknown section: "${section}". Use: defaults, agent`);
     }
     saveConfig(config);
-    consola42.success(`Set ${key} = ${value}`);
+    consola44.success(`Set ${key} = ${value}`);
   }
 });
 
 // src/commands/fetch/index.ts
-import { defineCommand as defineCommand51 } from "citty";
+import { defineCommand as defineCommand52 } from "citty";
 async function doRequest(method, url, body, contentType, raw, showHeaders) {
   const token = getAuthToken();
   if (!token) {
@@ -5712,13 +5757,13 @@ async function doRequest(method, url, body, contentType, raw, showHeaders) {
     throw new CliError(`HTTP ${response.status} ${response.statusText}`);
   }
 }
-var fetchCommand = defineCommand51({
+var fetchCommand = defineCommand52({
   meta: {
     name: "fetch",
     description: "Make authenticated HTTP requests"
   },
   subCommands: {
-    get: defineCommand51({
+    get: defineCommand52({
       meta: {
         name: "get",
         description: "GET request with auth token"
@@ -5744,7 +5789,7 @@ var fetchCommand = defineCommand51({
         await doRequest("GET", String(args.url), void 0, "application/json", Boolean(args.raw), Boolean(args.headers));
       }
     }),
-    post: defineCommand51({
+    post: defineCommand52({
       meta: {
         name: "post",
         description: "POST request with auth token"
@@ -5783,8 +5828,8 @@ var fetchCommand = defineCommand51({
 });
 
 // src/commands/mcp/index.ts
-import { defineCommand as defineCommand52 } from "citty";
-var mcpCommand = defineCommand52({
+import { defineCommand as defineCommand53 } from "citty";
+var mcpCommand = defineCommand53({
   meta: {
     name: "mcp",
     description: "Start MCP server for AI agents"
@@ -5807,18 +5852,18 @@ var mcpCommand = defineCommand52({
     if (transport !== "stdio" && transport !== "sse") {
       throw new Error('Transport must be "stdio" or "sse"');
     }
-    const { startMcpServer } = await import("./server-X4HHOCKV.js");
+    const { startMcpServer } = await import("./server-32CG5WG2.js");
     await startMcpServer(transport, port);
   }
 });
 
 // src/commands/init/index.ts
-import { existsSync as existsSync18, copyFileSync, writeFileSync as writeFileSync10 } from "fs";
+import { existsSync as existsSync18, copyFileSync, writeFileSync as writeFileSync11 } from "fs";
 import { randomBytes } from "crypto";
-import { execFileSync as execFileSync11 } from "child_process";
+import { execFileSync as execFileSync12 } from "child_process";
 import { join as join15 } from "path";
-import { defineCommand as defineCommand53 } from "citty";
-import consola43 from "consola";
+import { defineCommand as defineCommand54 } from "citty";
+import consola45 from "consola";
 var DEFAULT_IDP_URL = "https://id.openape.at";
 async function downloadTemplate(repo, targetDir) {
   const { downloadTemplate: gigetDownload } = await import("giget");
@@ -5827,28 +5872,28 @@ async function downloadTemplate(repo, targetDir) {
 function installDeps(dir) {
   const hasLockFile = (name) => existsSync18(join15(dir, name));
   if (hasLockFile("pnpm-lock.yaml")) {
-    execFileSync11("pnpm", ["install"], { cwd: dir, stdio: "inherit" });
+    execFileSync12("pnpm", ["install"], { cwd: dir, stdio: "inherit" });
   } else if (hasLockFile("bun.lockb")) {
-    execFileSync11("bun", ["install"], { cwd: dir, stdio: "inherit" });
+    execFileSync12("bun", ["install"], { cwd: dir, stdio: "inherit" });
   } else {
-    execFileSync11("npm", ["install"], { cwd: dir, stdio: "inherit" });
+    execFileSync12("npm", ["install"], { cwd: dir, stdio: "inherit" });
   }
 }
 async function promptChoice(message, choices) {
-  const result = await consola43.prompt(message, { type: "select", options: choices });
+  const result = await consola45.prompt(message, { type: "select", options: choices });
   if (typeof result === "symbol") {
     throw new CliExit(0);
   }
   return result;
 }
 async function promptText(message, defaultValue) {
-  const result = await consola43.prompt(message, { type: "text", default: defaultValue, placeholder: defaultValue });
+  const result = await consola45.prompt(message, { type: "text", default: defaultValue, placeholder: defaultValue });
   if (typeof result === "symbol") {
     throw new CliExit(0);
   }
   return result || defaultValue || "";
 }
-var initCommand = defineCommand53({
+var initCommand = defineCommand54({
   meta: {
     name: "init",
     description: "Scaffold a new OpenApe project"
@@ -5893,20 +5938,20 @@ async function initSP(targetDir) {
   if (existsSync18(join15(dir, "package.json"))) {
     throw new CliError(`Directory "${dir}" already contains a project.`);
   }
-  consola43.start("Scaffolding SP starter...");
+  consola45.start("Scaffolding SP starter...");
   await downloadTemplate("openape-ai/openape-sp-starter", dir);
-  consola43.success("Scaffolded from openape-sp-starter");
-  consola43.start("Installing dependencies...");
+  consola45.success("Scaffolded from openape-sp-starter");
+  consola45.start("Installing dependencies...");
   installDeps(dir);
-  consola43.success("Dependencies installed");
+  consola45.success("Dependencies installed");
   const envExample = join15(dir, ".env.example");
   const envFile = join15(dir, ".env");
   if (existsSync18(envExample) && !existsSync18(envFile)) {
     copyFileSync(envExample, envFile);
-    consola43.success(`\`.env\` created (using Free IdP at ${DEFAULT_IDP_URL})`);
+    consola45.success(`\`.env\` created (using Free IdP at ${DEFAULT_IDP_URL})`);
   }
   console.log("");
-  consola43.box([
+  consola45.box([
     `cd ${dir}`,
     "npm run dev",
     "",
@@ -5925,15 +5970,15 @@ async function initIdP(targetDir) {
     "s3 (S3-compatible)"
   ]);
   const adminEmail = await promptText("Admin email");
-  consola43.start("Scaffolding IdP starter...");
+  consola45.start("Scaffolding IdP starter...");
   await downloadTemplate("openape-ai/openape-idp-starter", dir);
-  consola43.success("Scaffolded from openape-idp-starter");
-  consola43.start("Installing dependencies...");
+  consola45.success("Scaffolded from openape-idp-starter");
+  consola45.start("Installing dependencies...");
   installDeps(dir);
-  consola43.success("Dependencies installed");
+  consola45.success("Dependencies installed");
   const sessionSecret = randomBytes(32).toString("hex");
   const managementToken = randomBytes(32).toString("hex");
-  consola43.success("Secrets generated");
+  consola45.success("Secrets generated");
   const isLocalhost = domain === "localhost";
   const origin = isLocalhost ? "http://localhost:3000" : `https://${domain}`;
   const envContent = [
@@ -5947,11 +5992,11 @@ async function initIdP(targetDir) {
     `NUXT_OPENAPE_RP_ID=${domain}`,
     `NUXT_OPENAPE_RP_ORIGIN=${origin}`
   ].join("\n");
-  writeFileSync10(join15(dir, ".env"), `${envContent}
+  writeFileSync11(join15(dir, ".env"), `${envContent}
 `, { mode: 384 });
-  consola43.success(".env created");
+  consola45.success(".env created");
   console.log("");
-  consola43.box([
+  consola45.box([
     `cd ${dir}`,
     "npm run dev",
     "",
@@ -5967,12 +6012,12 @@ async function initIdP(targetDir) {
 }
 
 // src/commands/enroll.ts
-import { Buffer as Buffer5 } from "buffer";
+import { Buffer as Buffer4 } from "buffer";
 import { existsSync as existsSync19, readFileSync as readFileSync15 } from "fs";
 import { execFile as execFile2 } from "child_process";
 import { sign as sign2 } from "crypto";
-import { defineCommand as defineCommand54 } from "citty";
-import consola44 from "consola";
+import { defineCommand as defineCommand55 } from "citty";
+import consola46 from "consola";
 var DEFAULT_IDP_URL2 = "https://id.openape.at";
 var DEFAULT_KEY_PATH = "~/.ssh/id_ed25519";
 var POLL_INTERVAL = 3e3;
@@ -5998,7 +6043,7 @@ async function pollForEnrollment(idp, agentEmail, keyPath) {
       });
       if (challengeResp.ok) {
         const { challenge } = await challengeResp.json();
-        const signature = sign2(null, Buffer5.from(challenge), privateKey).toString("base64");
+        const signature = sign2(null, Buffer4.from(challenge), privateKey).toString("base64");
         const authResp = await fetch(authenticateUrl, {
           method: "POST",
           headers: { "Content-Type": "application/json" },
@@ -6011,11 +6056,11 @@ async function pollForEnrollment(idp, agentEmail, keyPath) {
       }
     } catch {
     }
-    await new Promise((resolve4) => setTimeout(resolve4, POLL_INTERVAL));
+    await new Promise((resolve5) => setTimeout(resolve5, POLL_INTERVAL));
   }
   throw new Error("Enrollment timed out. Please check the browser and try again.");
 }
-var enrollCommand = defineCommand54({
+var enrollCommand = defineCommand55({
   meta: {
     name: "enroll",
     description: "Enroll an agent with an Identity Provider"
@@ -6035,18 +6080,18 @@ var enrollCommand = defineCommand54({
     }
   },
   async run({ args }) {
-    const idp = args.idp || await consola44.prompt("IdP URL", { type: "text", default: DEFAULT_IDP_URL2, placeholder: DEFAULT_IDP_URL2 }).then((r) => {
+    const idp = args.idp || await consola46.prompt("IdP URL", { type: "text", default: DEFAULT_IDP_URL2, placeholder: DEFAULT_IDP_URL2 }).then((r) => {
       if (typeof r === "symbol") throw new CliExit(0);
       return r;
     }) || DEFAULT_IDP_URL2;
-    const agentName = args.name || await consola44.prompt("Agent name", { type: "text", placeholder: "deploy-bot" }).then((r) => {
+    const agentName = args.name || await consola46.prompt("Agent name", { type: "text", placeholder: "deploy-bot" }).then((r) => {
       if (typeof r === "symbol") throw new CliExit(0);
       return r;
     });
     if (!agentName) {
       throw new CliError("Agent name is required.");
     }
-    const keyPath = args.key || await consola44.prompt("Ed25519 key", { type: "text", default: DEFAULT_KEY_PATH, placeholder: DEFAULT_KEY_PATH }).then((r) => {
+    const keyPath = args.key || await consola46.prompt("Ed25519 key", { type: "text", default: DEFAULT_KEY_PATH, placeholder: DEFAULT_KEY_PATH }).then((r) => {
       if (typeof r === "symbol") throw new CliExit(0);
       return r;
     }) || DEFAULT_KEY_PATH;
@@ -6054,19 +6099,19 @@ var enrollCommand = defineCommand54({
     let publicKey;
     if (existsSync19(resolvedKey)) {
       publicKey = readPublicKey(resolvedKey);
-      consola44.success(`Using existing key ${keyPath}`);
+      consola46.success(`Using existing key ${keyPath}`);
     } else {
-      consola44.start(`Generating Ed25519 key pair at ${keyPath}...`);
+      consola46.start(`Generating Ed25519 key pair at ${keyPath}...`);
       publicKey = generateAndSaveKey(keyPath);
-      consola44.success(`Key pair generated at ${keyPath}`);
+      consola46.success(`Key pair generated at ${keyPath}`);
     }
     const encodedKey = encodeURIComponent(publicKey);
     const enrollUrl = `${idp}/enroll?name=${encodeURIComponent(agentName)}&key=${encodedKey}`;
-    consola44.info("Opening browser for enrollment...");
-    consola44.info(`\u2192 ${idp}/enroll`);
+    consola46.info("Opening browser for enrollment...");
+    consola46.info(`\u2192 ${idp}/enroll`);
     openBrowser2(enrollUrl);
     console.log("");
-    const agentEmail = await consola44.prompt(
+    const agentEmail = await consola46.prompt(
       "Agent email (shown in browser after enrollment)",
       { type: "text", placeholder: `agent+${agentName}@...` }
     ).then((r) => {
@@ -6076,7 +6121,7 @@ var enrollCommand = defineCommand54({
     if (!agentEmail) {
       throw new CliError("Agent email is required to verify enrollment.");
     }
-    consola44.start("Verifying enrollment...");
+    consola46.start("Verifying enrollment...");
     const { token, expiresIn } = await pollForEnrollment(idp, agentEmail, keyPath);
     saveAuth({
       idp,
@@ -6088,18 +6133,18 @@ var enrollCommand = defineCommand54({
     config.defaults = { ...config.defaults, idp };
     config.agent = { key: keyPath, email: agentEmail };
     saveConfig(config);
-    consola44.success(`Agent enrolled as ${agentEmail}`);
-    consola44.success("Config saved to ~/.config/apes/");
+    consola46.success(`Agent enrolled as ${agentEmail}`);
+    consola46.success("Config saved to ~/.config/apes/");
     console.log("");
-    consola44.info("Verify with: apes whoami");
+    consola46.info("Verify with: apes whoami");
   }
 });
 
 // src/commands/register-user.ts
 import { existsSync as existsSync20, readFileSync as readFileSync16 } from "fs";
-import { defineCommand as defineCommand55 } from "citty";
-import consola45 from "consola";
-var registerUserCommand = defineCommand55({
+import { defineCommand as defineCommand56 } from "citty";
+import consola47 from "consola";
+var registerUserCommand = defineCommand56({
   meta: {
     name: "register-user",
     description: "Register a sub-user with SSH key"
@@ -6154,18 +6199,18 @@ var registerUserCommand = defineCommand55({
         ...userType ? { type: userType } : {}
       }
     });
-    consola45.success(`User registered: ${result.email} (type: ${result.type}, owner: ${result.owner})`);
+    consola47.success(`User registered: ${result.email} (type: ${result.type}, owner: ${result.owner})`);
   }
 });
 
 // src/commands/utils/index.ts
-import { defineCommand as defineCommand57 } from "citty";
+import { defineCommand as defineCommand58 } from "citty";
 
 // src/commands/utils/dig.ts
-import { defineCommand as defineCommand56 } from "citty";
-import consola46 from "consola";
+import { defineCommand as defineCommand57 } from "citty";
+import consola48 from "consola";
 import { resolveDDISA as resolveDDISA2 } from "@openape/core";
-var digCommand = defineCommand56({
+var digCommand = defineCommand57({
   meta: {
     name: "dig",
     description: "Resolve DDISA IdP for a domain or email (admin/diag tool)"
@@ -6238,12 +6283,12 @@ var digCommand = defineCommand56({
     console.log(`  domain: ${domain}`);
     console.log("");
     if (!result.ddisa.found) {
-      consola46.warn(`No DDISA record at _ddisa.${domain}`);
+      consola48.warn(`No DDISA record at _ddisa.${domain}`);
       if (result.hint) console.log(`
 ${result.hint}`);
       throw new CliError(`No DDISA record found for ${domain}`);
     }
-    consola46.success(`_ddisa.${domain} \u2192 ${result.ddisa.idp}`);
+    consola48.success(`_ddisa.${domain} \u2192 ${result.ddisa.idp}`);
     console.log(`  Version:  ${result.ddisa.version || "ddisa1"}`);
     console.log(`  IdP URL:  ${result.ddisa.idp}`);
     if (result.ddisa.mode) console.log(`  Mode:     ${result.ddisa.mode}`);
@@ -6253,13 +6298,13 @@ ${result.hint}`);
       return;
     }
     if (result.idpDiscovery.ok) {
-      consola46.success(`IdP reachable (${result.idpDiscovery.status ?? 200})`);
+      consola48.success(`IdP reachable (${result.idpDiscovery.status ?? 200})`);
       if (result.idpDiscovery.issuer) console.log(`  Issuer:   ${result.idpDiscovery.issuer}`);
       if (result.idpDiscovery.ddisaVersion) console.log(`  DDISA:    v${result.idpDiscovery.ddisaVersion}`);
       if (result.idpDiscovery.authMethods?.length) console.log(`  Auth:     ${result.idpDiscovery.authMethods.join(", ")}`);
       if (result.idpDiscovery.grantTypes?.length) console.log(`  Grants:   ${result.idpDiscovery.grantTypes.join(", ")}`);
     } else {
-      consola46.warn(`IdP discovery failed${result.idpDiscovery.status ? ` (HTTP ${result.idpDiscovery.status})` : ""}`);
+      consola48.warn(`IdP discovery failed${result.idpDiscovery.status ? ` (HTTP ${result.idpDiscovery.status})` : ""}`);
       if (result.hint) console.log(`
 ${result.hint}`);
       throw new CliError(`IdP at ${result.ddisa.idp} not reachable`);
@@ -6268,7 +6313,7 @@ ${result.hint}`);
 });
 
 // src/commands/utils/index.ts
-var utilsCommand = defineCommand57({
+var utilsCommand = defineCommand58({
   meta: {
     name: "utils",
     description: "Admin/diagnostic utilities (dig, \u2026)"
@@ -6279,12 +6324,12 @@ var utilsCommand = defineCommand57({
 });
 
 // src/commands/sessions/index.ts
-import { defineCommand as defineCommand60 } from "citty";
+import { defineCommand as defineCommand61 } from "citty";
 
 // src/commands/sessions/list.ts
-import { defineCommand as defineCommand58 } from "citty";
-import consola47 from "consola";
-var sessionsListCommand = defineCommand58({
+import { defineCommand as defineCommand59 } from "citty";
+import consola49 from "consola";
+var sessionsListCommand = defineCommand59({
   meta: {
     name: "list",
     description: "List your active refresh-token families (one per logged-in device)."
@@ -6302,7 +6347,7 @@ var sessionsListCommand = defineCommand58({
       return;
     }
     if (result.data.length === 0) {
-      consola47.info("No active sessions.");
+      consola49.info("No active sessions.");
       return;
     }
     for (const f of result.data) {
@@ -6314,9 +6359,9 @@ var sessionsListCommand = defineCommand58({
 });
 
 // src/commands/sessions/remove.ts
-import { defineCommand as defineCommand59 } from "citty";
-import consola48 from "consola";
-var sessionsRemoveCommand = defineCommand59({
+import { defineCommand as defineCommand60 } from "citty";
+import consola50 from "consola";
+var sessionsRemoveCommand = defineCommand60({
   meta: {
     name: "remove",
     description: "Revoke one of your active refresh-token families by id."
@@ -6332,12 +6377,12 @@ var sessionsRemoveCommand = defineCommand59({
     const id = String(args.familyId).trim();
     if (!id) throw new CliError("familyId required");
     await apiFetch(`/api/me/sessions/${encodeURIComponent(id)}`, { method: "DELETE" });
-    consola48.success(`Session ${id} revoked. The device using it will need to \`apes login\` again on its next refresh.`);
+    consola50.success(`Session ${id} revoked. The device using it will need to \`apes login\` again on its next refresh.`);
   }
 });
 
 // src/commands/sessions/index.ts
-var sessionsCommand = defineCommand60({
+var sessionsCommand = defineCommand61({
   meta: {
     name: "sessions",
     description: "Manage your active refresh-token sessions across devices"
@@ -6349,10 +6394,10 @@ var sessionsCommand = defineCommand60({
 });
 
 // src/commands/dns-check.ts
-import { defineCommand as defineCommand61 } from "citty";
-import consola49 from "consola";
+import { defineCommand as defineCommand62 } from "citty";
+import consola51 from "consola";
 import { resolveDDISA as resolveDDISA3 } from "@openape/core";
-var dnsCheckCommand = defineCommand61({
+var dnsCheckCommand = defineCommand62({
   meta: {
     name: "dns-check",
     description: "Validate DDISA DNS TXT records for a domain"
@@ -6366,7 +6411,7 @@ var dnsCheckCommand = defineCommand61({
   },
   async run({ args }) {
     const domain = args.domain;
-    consola49.start(`Checking _ddisa.${domain}...`);
+    consola51.start(`Checking _ddisa.${domain}...`);
     try {
       const result = await resolveDDISA3(domain);
       if (!result) {
@@ -6375,7 +6420,7 @@ var dnsCheckCommand = defineCommand61({
         console.log(`  _ddisa.${domain} TXT "v=ddisa1 idp=https://id.${domain}"`);
         throw new CliError(`No DDISA record found for ${domain}`);
       }
-      consola49.success(`_ddisa.${domain} \u2192 ${result.idp}`);
+      consola51.success(`_ddisa.${domain} \u2192 ${result.idp}`);
       console.log("");
       console.log(`  Version:  ${result.version || "ddisa1"}`);
       console.log(`  IdP URL:  ${result.idp}`);
@@ -6384,14 +6429,14 @@ var dnsCheckCommand = defineCommand61({
       if (result.priority !== void 0)
         console.log(`  Priority: ${result.priority}`);
       console.log("");
-      consola49.start(`Verifying IdP at ${result.idp}...`);
+      consola51.start(`Verifying IdP at ${result.idp}...`);
       const discoResp = await fetch(`${result.idp}/.well-known/openid-configuration`);
       if (!discoResp.ok) {
-        consola49.warn(`IdP discovery failed (${discoResp.status}). Is the IdP running at ${result.idp}?`);
+        consola51.warn(`IdP discovery failed (${discoResp.status}). Is the IdP running at ${result.idp}?`);
         return;
       }
       const disco = await discoResp.json();
-      consola49.success(`IdP is reachable`);
+      consola51.success(`IdP is reachable`);
       console.log(`  Issuer:   ${disco.issuer}`);
       console.log(`  DDISA:    v${disco.ddisa_version || "?"}`);
       if (disco.ddisa_auth_methods_supported) {
@@ -6409,7 +6454,7 @@ var dnsCheckCommand = defineCommand61({
 // src/commands/health.ts
 import { exec } from "child_process";
 import { promisify } from "util";
-import { defineCommand as defineCommand62 } from "citty";
+import { defineCommand as defineCommand63 } from "citty";
 var execAsync = promisify(exec);
 async function resolveApeShellPath() {
   try {
@@ -6445,7 +6490,7 @@ async function bestEffortGrantCount(idp) {
   }
 }
 async function runHealth(args) {
-  const version = true ? "1.30.0" : "0.0.0";
+  const version = true ? "1.31.1" : "0.0.0";
   const auth = loadAuth();
   if (!auth) {
     throw new CliError("Not logged in. Run `apes login` first.", 1);
@@ -6508,7 +6553,7 @@ async function runHealth(args) {
     throw new CliError(`IdP ${auth.idp} unreachable: ${idpProbe.error}`, 1);
   }
 }
-var healthCommand = defineCommand62({
+var healthCommand = defineCommand63({
   meta: {
     name: "health",
     description: "Report CLI diagnostic state (auth, IdP, grants, binaries)"
@@ -6526,8 +6571,8 @@ var healthCommand = defineCommand62({
 });
 
 // src/commands/workflows.ts
-import { defineCommand as defineCommand63 } from "citty";
-import consola50 from "consola";
+import { defineCommand as defineCommand64 } from "citty";
+import consola52 from "consola";
 
 // src/guides/index.ts
 var guides = [
@@ -6577,7 +6622,7 @@ var guides = [
 ];
 
 // src/commands/workflows.ts
-var workflowsCommand = defineCommand63({
+var workflowsCommand = defineCommand64({
   meta: {
     name: "workflows",
     description: "Discover workflow guides"
@@ -6598,7 +6643,7 @@ var workflowsCommand = defineCommand63({
     if (args.id) {
       const guide = guides.find((g) => g.id === String(args.id));
       if (!guide) {
-        consola50.info(`Available: ${guides.map((g) => g.id).join(", ")}`);
+        consola52.info(`Available: ${guides.map((g) => g.id).join(", ")}`);
         throw new CliError(`Guide not found: ${args.id}`);
       }
       if (args.json) {
@@ -6638,13 +6683,13 @@ var workflowsCommand = defineCommand63({
 });
 
 // src/version-check.ts
-import { existsSync as existsSync21, mkdirSync as mkdirSync6, readFileSync as readFileSync17, writeFileSync as writeFileSync11 } from "fs";
-import { homedir as homedir14 } from "os";
+import { existsSync as existsSync21, mkdirSync as mkdirSync6, readFileSync as readFileSync17, writeFileSync as writeFileSync12 } from "fs";
+import { homedir as homedir13 } from "os";
 import { join as join16 } from "path";
-import consola51 from "consola";
+import consola53 from "consola";
 var PACKAGE_NAME = "@openape/apes";
 var CACHE_TTL_MS = 24 * 60 * 60 * 1e3;
-var CACHE_FILE = join16(homedir14(), ".config", "apes", ".version-check.json");
+var CACHE_FILE = join16(homedir13(), ".config", "apes", ".version-check.json");
 function readCache() {
   if (!existsSync21(CACHE_FILE)) return null;
   try {
@@ -6655,9 +6700,9 @@ function readCache() {
 }
 function writeCache(entry) {
   try {
-    const dir = join16(homedir14(), ".config", "apes");
+    const dir = join16(homedir13(), ".config", "apes");
     if (!existsSync21(dir)) mkdirSync6(dir, { recursive: true, mode: 448 });
-    writeFileSync11(CACHE_FILE, JSON.stringify(entry), { mode: 384 });
+    writeFileSync12(CACHE_FILE, JSON.stringify(entry), { mode: 384 });
   } catch {
   }
 }
@@ -6686,7 +6731,7 @@ async function fetchLatestVersion() {
 }
 function warnIfBehind(currentVersion, latest) {
   if (compareSemver(currentVersion, latest) < 0) {
-    consola51.warn(
+    consola53.warn(
       `apes ${currentVersion} is behind latest @openape/apes@${latest}. Run \`npm i -g @openape/apes@latest\` to update. (Suppress with APES_NO_UPDATE_CHECK=1.)`
     );
   }
@@ -6718,10 +6763,10 @@ if (shellRewrite) {
   if (shellRewrite.action === "rewrite") {
     process.argv = shellRewrite.argv;
   } else if (shellRewrite.action === "version") {
-    console.log(`ape-shell ${"1.30.0"} (OpenApe DDISA shell wrapper)`);
+    console.log(`ape-shell ${"1.31.1"} (OpenApe DDISA shell wrapper)`);
     process.exit(0);
   } else if (shellRewrite.action === "help") {
-    console.log(`ape-shell ${"1.30.0"} \u2014 OpenApe DDISA shell wrapper`);
+    console.log(`ape-shell ${"1.31.1"} \u2014 OpenApe DDISA shell wrapper`);
     console.log("");
     console.log("Usage:");
     console.log("  ape-shell                 Start interactive grant-mediated REPL");
@@ -6736,7 +6781,7 @@ if (shellRewrite) {
     console.log("  --help, -h      Show this help message");
     process.exit(0);
   } else if (shellRewrite.action === "interactive") {
-    const { runInteractiveShell } = await import("./orchestrator-P7QFDBBK.js");
+    const { runInteractiveShell } = await import("./orchestrator-6PZXCE54.js");
     await runInteractiveShell();
     process.exit(0);
   } else {
@@ -6745,7 +6790,7 @@ if (shellRewrite) {
   }
 }
 var debug = process.argv.includes("--debug");
-var grantsCommand = defineCommand64({
+var grantsCommand = defineCommand65({
   meta: {
     name: "grants",
     description: "Grant management"
@@ -6763,10 +6808,11 @@ var grantsCommand = defineCommand64({
     token: tokenCommand,
     delegate: delegateCommand,
     delegations: delegationsCommand,
-    "delegation-revoke": delegationRevokeCommand
+    "delegation-revoke": delegationRevokeCommand,
+    llm: llmCommand
   }
 });
-var configCommand = defineCommand64({
+var configCommand = defineCommand65({
   meta: {
     name: "config",
     description: "Configuration management"
@@ -6776,10 +6822,10 @@ var configCommand = defineCommand64({
     set: configSetCommand
   }
 });
-var main = defineCommand64({
+var main = defineCommand65({
   meta: {
     name: "apes",
-    version: "1.30.0",
+    version: "1.31.1",
     description: "Unified CLI for OpenApe"
   },
   subCommands: {
@@ -6831,26 +6877,26 @@ async function maybeRefreshAuth() {
   const { loadAuth: loadAuth2 } = await import("./config-MOB5DJ6H.js");
   if (!loadAuth2()) return;
   try {
-    const { ensureFreshToken } = await import("./http-UPOTOYQV.js");
+    const { ensureFreshToken } = await import("./http-SILH37L7.js");
     await ensureFreshToken();
   } catch {
   }
 }
 await maybeRefreshAuth();
-await maybeWarnStaleVersion("1.30.0").catch(() => {
+await maybeWarnStaleVersion("1.31.1").catch(() => {
 });
 runMain(main).catch((err) => {
   if (err instanceof CliExit) {
     process.exit(err.exitCode);
   }
   if (err instanceof CliError) {
-    consola52.error(err.message);
+    consola54.error(err.message);
     process.exit(err.exitCode);
   }
   if (debug) {
-    consola52.error(err);
+    consola54.error(err);
   } else {
-    consola52.error(err instanceof ApiError ? err.message : err instanceof Error ? err.message : String(err));
+    consola54.error(err instanceof ApiError ? err.message : err instanceof Error ? err.message : String(err));
   }
   process.exit(1);
 });