npm - @openape/apes - Versions diffs - 1.4.0 → 1.6.0 - Mend

@openape/apes 1.4.0 → 1.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/cli.js +513 -263
package/dist/cli.js.map +1 -1
package/dist/{server-A56K7VDD.js → server-PHANS7PS.js} +2 -2
package/package.json +3 -3
/package/dist/{server-A56K7VDD.js.map → server-PHANS7PS.js.map} +0 -0

package/dist/cli.js CHANGED Viewed

@@ -63,7 +63,7 @@ import {
 } from "./chunk-OBF7IMQ2.js";
 // src/cli.ts
-import consola42 from "consola";
+import consola44 from "consola";
 // src/ape-shell.ts
 import path from "path";
@@ -93,7 +93,7 @@ function rewriteApeShellArgs(argv, argv0) {
 }
 // src/cli.ts
-import { defineCommand as defineCommand52, runMain } from "citty";
+import { defineCommand as defineCommand54, runMain } from "citty";
 // src/commands/auth/login.ts
 import { Buffer as Buffer2 } from "buffer";
@@ -379,7 +379,7 @@ async function loginWithPKCE(idp) {
   consola2.success(`Logged in as ${payload.email || payload.sub}`);
 }
 async function loginWithKey(idp, keyPath, agentEmail) {
-  const { readFileSync: readFileSync14 } = await import("fs");
+  const { readFileSync: readFileSync15 } = await import("fs");
   const { sign: sign3 } = await import("crypto");
   const { loadEd25519PrivateKey: loadEd25519PrivateKey2 } = await import("./ssh-key-YBNNG5K5.js");
   const challengeUrl = await getAgentChallengeEndpoint(idp);
@@ -392,7 +392,7 @@ async function loginWithKey(idp, keyPath, agentEmail) {
     throw new CliError(`Challenge failed: ${await challengeResp.text()}`);
   }
   const { challenge } = await challengeResp.json();
-  const keyContent = readFileSync14(keyPath, "utf-8");
+  const keyContent = readFileSync15(keyPath, "utf-8");
   const privateKey = loadEd25519PrivateKey2(keyContent);
   const signature = sign3(null, Buffer2.from(challenge), privateKey).toString("base64");
   const authenticateUrl = await getAgentAuthenticateEndpoint(idp);
@@ -3918,24 +3918,259 @@ var agentsCommand = defineCommand28({
 });
 // src/commands/nest/index.ts
-import { defineCommand as defineCommand32 } from "citty";
+import { defineCommand as defineCommand34 } from "citty";
-// src/commands/nest/install.ts
-import { execFileSync as execFileSync9 } from "child_process";
-import { existsSync as existsSync10, mkdirSync as mkdirSync4, readFileSync as readFileSync10, writeFileSync as writeFileSync6 } from "fs";
-import { homedir as homedir10, userInfo as userInfo2 } from "os";
+// src/commands/nest/authorize.ts
+import { existsSync as existsSync11, readFileSync as readFileSync10 } from "fs";
+import { join as join9 } from "path";
+import { defineCommand as defineCommand30 } from "citty";
+import consola26 from "consola";
+// src/commands/nest/enroll.ts
+import { hostname as hostname4, homedir as homedir10 } from "os";
+import { existsSync as existsSync10, mkdirSync as mkdirSync4, writeFileSync as writeFileSync6, chmodSync } from "fs";
 import { join as join8 } from "path";
 import { defineCommand as defineCommand29 } from "citty";
 import consola25 from "consola";
+var NEST_DATA_DIR = join8(homedir10(), ".openape", "nest");
+function nestAgentName() {
+  const raw = hostname4().toLowerCase();
+  const head = raw.split(".")[0] ?? raw;
+  const safe = head.replace(/[^a-z0-9-]/g, "-").replace(/-+/g, "-").replace(/^-+|-+$/g, "");
+  const trimmed = safe.slice(0, 16);
+  return `nest-${trimmed || "host"}`;
+}
+var enrollNestCommand = defineCommand29({
+  meta: {
+    name: "enroll",
+    description: "Register the local nest as a DDISA agent at the IdP. One-time per machine. Required before `apes nest authorize` so YOLO-policies have a target identity."
+  },
+  args: {
+    name: {
+      type: "string",
+      description: "Override the nest agent name (default: nest-<short-hostname>)"
+    },
+    force: {
+      type: "boolean",
+      description: "Re-enroll even if ~/.openape/nest/.config/apes/auth.json already exists"
+    }
+  },
+  async run({ args }) {
+    const idp = getIdpUrl();
+    if (!idp) {
+      throw new CliError("No IdP configured. Run `apes login <email>` first.");
+    }
+    const ownerAuth = loadAuth();
+    if (!ownerAuth?.email) {
+      throw new CliError("Run `apes login <email>` first \u2014 nest enroll attaches the new identity to your owner account.");
+    }
+    const name = args.name || nestAgentName();
+    const authPath = join8(NEST_DATA_DIR, ".config", "apes", "auth.json");
+    if (existsSync10(authPath) && !args.force) {
+      throw new CliError(`Nest already enrolled at ${authPath}. Pass --force to re-enroll.`);
+    }
+    const sshDir = join8(NEST_DATA_DIR, ".ssh");
+    const configDir = join8(NEST_DATA_DIR, ".config", "apes");
+    mkdirSync4(sshDir, { recursive: true });
+    mkdirSync4(configDir, { recursive: true });
+    consola25.start(`Generating keypair for ${name}\u2026`);
+    const { privatePem, publicSshLine } = generateKeyPairInMemory();
+    writeFileSync6(join8(sshDir, "id_ed25519"), `${privatePem.trimEnd()}
+`, { mode: 384 });
+    writeFileSync6(join8(sshDir, "id_ed25519.pub"), `${publicSshLine}
+`, { mode: 420 });
+    chmodSync(sshDir, 448);
+    consola25.start(`Registering nest at ${idp}\u2026`);
+    const registration = await registerAgentAtIdp({ name, publicKey: publicSshLine, idp });
+    consola25.success(`Registered as ${registration.email}`);
+    consola25.start("Issuing nest access token\u2026");
+    const { token, expiresIn } = await issueAgentToken({
+      idp,
+      agentEmail: registration.email,
+      privateKeyPem: privatePem
+    });
+    const authJson = buildAgentAuthJson({
+      idp,
+      accessToken: token,
+      email: registration.email,
+      expiresAt: Math.floor(Date.now() / 1e3) + expiresIn,
+      keyPath: join8(sshDir, "id_ed25519"),
+      ownerEmail: ownerAuth.email
+    });
+    writeFileSync6(authPath, authJson, { mode: 384 });
+    chmodSync(configDir, 448);
+    consola25.success(`Nest enrolled \u2014 auth.json at ${authPath}`);
+    consola25.info("");
+    consola25.info("Next: configure the YOLO-policy so the nest can spawn/destroy without prompts:");
+    consola25.info("");
+    consola25.info("  apes nest authorize");
+  }
+});
+// src/commands/nest/authorize.ts
+var DEFAULT_ALLOW_PATTERNS = [
+  // Agent lifecycle ops the nest issues against `apes run --as root`
+  "apes agents spawn *",
+  "apes agents destroy *",
+  "apes agents sync",
+  // Bridge invocation the supervisor uses to keep agent processes
+  // running. Pattern is intentionally precise — not a generic
+  // `apes run --as *` wildcard — so a compromised nest can't pivot
+  // to running arbitrary commands as arbitrary users.
+  "apes run --as * -- openape-chat-bridge"
+];
+var authorizeNestCommand = defineCommand30({
+  meta: {
+    name: "authorize",
+    description: "Set the YOLO-policy that lets the local nest spawn/destroy without per-call DDISA prompts"
+  },
+  args: {
+    "allow": {
+      type: "string",
+      description: "Override allow_patterns (comma-separated globs). Default: nest-managed agent lifecycle."
+    },
+    "mode": {
+      type: "string",
+      description: "Policy mode (allow-list | deny-list). Default: allow-list \u2014 auto-approve only matched patterns."
+    },
+    "expires-in": {
+      type: "string",
+      description: "Optional duration like 30d, 6h. Omit for no expiry."
+    }
+  },
+  async run({ args }) {
+    const ownerAuth = loadAuth();
+    if (!ownerAuth?.email || !ownerAuth.access_token) {
+      throw new CliError("Run `apes login <email>` first \u2014 only the nest's owner can set its YOLO-policy.");
+    }
+    const nestAuthPath = join9(NEST_DATA_DIR, ".config", "apes", "auth.json");
+    if (!existsSync11(nestAuthPath)) {
+      throw new CliError("Nest not enrolled. Run `apes nest enroll` first.");
+    }
+    const nestAuth = JSON.parse(readFileSync10(nestAuthPath, "utf8"));
+    if (!nestAuth.email) throw new CliError(`${nestAuthPath} has no email`);
+    const idp = getIdpUrl();
+    if (!idp) throw new CliError("No IdP configured.");
+    const allowPatterns = typeof args.allow === "string" && args.allow ? args.allow.split(",").map((s) => s.trim()).filter(Boolean) : DEFAULT_ALLOW_PATTERNS;
+    const mode = args.mode ?? "allow-list";
+    const expiresAt = parseExpiresIn(args["expires-in"]);
+    consola26.info(`Setting YOLO-policy on ${nestAuth.email}`);
+    consola26.info(`  mode:           ${mode}`);
+    consola26.info(`  allow_patterns:`);
+    for (const p of allowPatterns) consola26.info(`    - ${p}`);
+    if (expiresAt) consola26.info(`  expires_at:     ${new Date(expiresAt * 1e3).toISOString()}`);
+    const url = `${idp}/api/users/${encodeURIComponent(nestAuth.email)}/yolo-policy`;
+    const res = await fetch(url, {
+      method: "PUT",
+      headers: {
+        "Authorization": `Bearer ${ownerAuth.access_token}`,
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({
+        mode,
+        allowPatterns,
+        denyPatterns: [],
+        expiresAt: expiresAt ?? null
+      })
+    });
+    if (!res.ok) {
+      const text = await res.text().catch(() => "");
+      throw new CliError(`PUT /yolo-policy failed (${res.status}): ${text}`);
+    }
+    consola26.success("YOLO-policy applied. Nest-driven agent lifecycle is now zero-prompt.");
+    consola26.info("Test: apes agents spawn <name> via the nest API \u2192 no DDISA prompt.");
+  }
+});
+function parseExpiresIn(s) {
+  if (!s) return null;
+  const m = s.match(/^(\d+)([hdw])$/);
+  if (!m) throw new CliError(`Invalid --expires-in "${s}" \u2014 expected forms like 30d, 6h, 2w`);
+  const n = Number(m[1]);
+  const unit = m[2];
+  const seconds = unit === "h" ? 3600 : unit === "d" ? 86400 : 7 * 86400;
+  return Math.floor(Date.now() / 1e3) + n * seconds;
+}
+// src/commands/nest/install.ts
+import { execFileSync as execFileSync9 } from "child_process";
+import { existsSync as existsSync12, mkdirSync as mkdirSync5, readFileSync as readFileSync11, writeFileSync as writeFileSync7 } from "fs";
+import { homedir as homedir11, userInfo as userInfo2 } from "os";
+import { dirname as dirname3, join as join10 } from "path";
+import { defineCommand as defineCommand31 } from "citty";
+import consola27 from "consola";
+// src/commands/nest/apes-agents-adapter.ts
+var APES_AGENTS_ADAPTER_TOML = `schema = "openape-shapes/v1"
+# Adapter for the \`apes agents\` subtree \u2014 written by \`apes nest install\`.
+# A capability-grant with selector \`name=*\` covers any agent name
+# (selectorValueMatches treats '*' as a glob), letting the nest spawn
+# and destroy without per-agent DDISA prompts.
+[cli]
+id = "apes-agents"
+executable = "apes"
+audience = "shapes"
+version = "1"
+# \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550
+# AGENT LIFECYCLE \u2014 spawn / destroy / sync
+# \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550
+[[operation]]
+id = "agents.spawn"
+command = ["agents", "spawn"]
+positionals = ["name"]
+display = "Spawn agent {name}"
+action = "create"
+risk = "high"
+resource_chain = ["agents:name={name}"]
+[[operation]]
+id = "agents.destroy"
+command = ["agents", "destroy"]
+positionals = ["name"]
+display = "Destroy agent {name}"
+action = "delete"
+risk = "critical"
+resource_chain = ["agents:name={name}"]
+[[operation]]
+id = "agents.sync"
+command = ["agents", "sync"]
+display = "Sync agent state with troop"
+action = "edit"
+risk = "low"
+resource_chain = ["agents:*"]
+[[operation]]
+id = "agents.list"
+command = ["agents", "list"]
+display = "List agents"
+action = "list"
+risk = "low"
+resource_chain = ["agents:*"]
+[[operation]]
+id = "agents.allow"
+command = ["agents", "allow"]
+positionals = ["name", "peer_email"]
+display = "Allow agent {name} to accept contact requests from {peer_email}"
+action = "edit"
+risk = "medium"
+resource_chain = ["agents:name={name}", "allowlist:email={peer_email}"]
+`;
+// src/commands/nest/install.ts
 var PLIST_LABEL = "ai.openape.nest";
 function plistPath() {
-  return join8(homedir10(), "Library", "LaunchAgents", `${PLIST_LABEL}.plist`);
+  return join10(homedir11(), "Library", "LaunchAgents", `${PLIST_LABEL}.plist`);
 }
 function escape2(s) {
   return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
 }
 function buildPlist(args) {
-  const logsDir = join8(args.homeDir, "Library", "Logs");
+  const logsDir = join10(args.userHome, "Library", "Logs");
   return `<?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
@@ -3947,7 +4182,7 @@ function buildPlist(args) {
     <string>${escape2(args.nestBin)}</string>
   </array>
   <key>WorkingDirectory</key>
-  <string>${escape2(args.homeDir)}</string>
+  <string>${escape2(args.nestHome)}</string>
   <key>RunAtLoad</key>
   <true/>
   <key>KeepAlive</key>
@@ -3956,8 +4191,8 @@ function buildPlist(args) {
   <integer>10</integer>
   <key>EnvironmentVariables</key>
   <dict>
-    <key>HOME</key><string>${escape2(args.homeDir)}</string>
-    <key>PATH</key><string>${escape2(args.homeDir)}/.bun/bin:/opt/homebrew/bin:/usr/local/bin:/usr/bin:/bin</string>
+    <key>HOME</key><string>${escape2(args.nestHome)}</string>
+    <key>PATH</key><string>${escape2(args.userHome)}/.bun/bin:/opt/homebrew/bin:/usr/local/bin:/usr/bin:/bin</string>
     <key>OPENAPE_NEST_PORT</key><string>${args.port}</string>
     <key>OPENAPE_APES_BIN</key><string>${escape2(args.apesBin)}</string>
   </dict>
@@ -3969,19 +4204,32 @@ function buildPlist(args) {
 </plist>
 `;
 }
+function installAdapter2() {
+  const target = join10(homedir11(), ".openape", "shapes", "adapters", "apes-agents.toml");
+  mkdirSync5(dirname3(target), { recursive: true });
+  let existing = "";
+  try {
+    existing = readFileSync11(target, "utf8");
+  } catch {
+  }
+  if (existing === APES_AGENTS_ADAPTER_TOML) return false;
+  writeFileSync7(target, APES_AGENTS_ADAPTER_TOML, { mode: 420 });
+  consola27.success(`Wrote shapes adapter ${target}`);
+  return true;
+}
 function findBinary(name) {
   for (const dir of [
-    join8(homedir10(), ".bun", "bin"),
+    join10(homedir11(), ".bun", "bin"),
     "/opt/homebrew/bin",
     "/usr/local/bin",
     "/usr/bin"
   ]) {
-    const p = join8(dir, name);
-    if (existsSync10(p)) return p;
+    const p = join10(dir, name);
+    if (existsSync12(p)) return p;
   }
   throw new Error(`could not locate ${name} on PATH; install it first`);
 }
-var installNestCommand = defineCommand29({
+var installNestCommand = defineCommand31({
   meta: {
     name: "install",
     description: "Install + start the local nest-daemon (idempotent \u2014 re-running just restarts)"
@@ -3993,29 +4241,31 @@ var installNestCommand = defineCommand29({
     }
   },
   async run({ args }) {
-    const homeDir = homedir10();
+    const homeDir = homedir11();
     const port = Number(args.port ?? 9091);
     if (!Number.isInteger(port) || port < 1024 || port > 65535) {
       throw new Error(`invalid port ${port}`);
     }
     const nestBin = findBinary("openape-nest");
     const apesBin = findBinary("apes");
-    consola25.info(`Installing nest at ${plistPath()}`);
-    consola25.info(`  nest binary: ${nestBin}`);
-    consola25.info(`  apes binary: ${apesBin}`);
-    consola25.info(`  HTTP port:   ${port}`);
-    mkdirSync4(join8(homeDir, "Library", "LaunchAgents"), { recursive: true });
-    const desired = buildPlist({ nestBin, apesBin, homeDir, port });
+    consola27.info(`Installing nest at ${plistPath()}`);
+    consola27.info(`  nest binary: ${nestBin}`);
+    consola27.info(`  apes binary: ${apesBin}`);
+    consola27.info(`  HTTP port:   ${port}`);
+    installAdapter2();
+    mkdirSync5(join10(homeDir, "Library", "LaunchAgents"), { recursive: true });
+    mkdirSync5(NEST_DATA_DIR, { recursive: true });
+    const desired = buildPlist({ nestBin, apesBin, userHome: homeDir, nestHome: NEST_DATA_DIR, port });
     let existing = "";
     try {
-      existing = readFileSync10(plistPath(), "utf8");
+      existing = readFileSync11(plistPath(), "utf8");
     } catch {
     }
     if (existing !== desired) {
-      writeFileSync6(plistPath(), desired, { mode: 420 });
-      consola25.success("Wrote launchd plist");
+      writeFileSync7(plistPath(), desired, { mode: 420 });
+      consola27.success("Wrote launchd plist");
     } else {
-      consola25.info("plist already up to date");
+      consola27.info("plist already up to date");
     }
     const uid = userInfo2().uid;
     try {
@@ -4023,25 +4273,23 @@ var installNestCommand = defineCommand29({
     } catch {
     }
     execFileSync9("/bin/launchctl", ["bootstrap", `gui/${uid}`, plistPath()], { stdio: "inherit" });
-    consola25.success(`Nest daemon bootstrapped \u2014 http://127.0.0.1:${port}`);
-    consola25.info("");
-    consola25.info("Next: approve the always-grant for nest-managed spawn/destroy.");
-    consola25.info('Run this once and choose "Always" when the IdP UI prompts:');
-    consola25.info("");
-    consola25.info('  apes run --as root --approval=always --reason "nest-managed agent spawn" \\');
-    consola25.info("    -- apes agents spawn _grant_pattern_seed_");
-    consola25.info("");
-    consola25.info('(The seed-spawn will fail because "_grant_pattern_seed_" is not a valid');
-    consola25.info("agent name \u2014 that's expected. The grant just needs to be approved-as-always.)");
+    consola27.success(`Nest daemon bootstrapped \u2014 http://127.0.0.1:${port}`);
+    consola27.info("");
+    consola27.info("Next steps for zero-prompt spawn \u2014 both one-time:");
+    consola27.info("");
+    consola27.info("  1. apes nest enroll       # register nest as DDISA agent (creates own auth.json)");
+    consola27.info("  2. apes nest authorize    # set YOLO-policy on the nest agent");
+    consola27.info("");
+    consola27.info("After that, every `POST http://127.0.0.1:9091/agents` runs without DDISA prompts.");
   }
 });
 // src/commands/nest/status.ts
 import process2 from "process";
-import { defineCommand as defineCommand30 } from "citty";
-import consola26 from "consola";
+import { defineCommand as defineCommand32 } from "citty";
+import consola28 from "consola";
 var DEFAULT_PORT = 9091;
-var statusNestCommand = defineCommand30({
+var statusNestCommand = defineCommand32({
   meta: {
     name: "status",
     description: "Print state of the local nest-daemon (agents registered, processes supervised)"
@@ -4061,8 +4309,8 @@ var statusNestCommand = defineCommand30({
     } catch (err) {
       const msg = err instanceof Error ? err.message : String(err);
       if (msg.includes("ECONNREFUSED") || msg.includes("fetch failed")) {
-        consola26.error(`Nest daemon is not running at http://127.0.0.1:${port}`);
-        consola26.info("  Run:  apes nest install");
+        consola28.error(`Nest daemon is not running at http://127.0.0.1:${port}`);
+        consola28.info("  Run:  apes nest install");
         process2.exit(2);
       }
       throw err;
@@ -4071,15 +4319,15 @@ var statusNestCommand = defineCommand30({
       console.log(JSON.stringify(status, null, 2));
       return;
     }
-    consola26.info(`Nest at http://127.0.0.1:${port} \u2014 ${status.agents} agent(s) registered, ${status.processes.length} supervised`);
+    consola28.info(`Nest at http://127.0.0.1:${port} \u2014 ${status.agents} agent(s) registered, ${status.processes.length} supervised`);
     if (status.processes.length === 0) {
-      consola26.info("  (no processes running)");
+      consola28.info("  (no processes running)");
       return;
     }
     for (const p of status.processes) {
       const uptime = humanDuration(p.uptimeSec);
       const crashTag = p.consecutiveCrashes > 0 ? ` \u26A0 ${p.consecutiveCrashes} crash(es)` : "";
-      consola26.info(`  ${p.name.padEnd(16)} pid=${String(p.pid).padEnd(6)} up=${uptime}${crashTag}`);
+      consola28.info(`  ${p.name.padEnd(16)} pid=${String(p.pid).padEnd(6)} up=${uptime}${crashTag}`);
     }
   }
 });
@@ -4092,57 +4340,59 @@ function humanDuration(sec) {
 // src/commands/nest/uninstall.ts
 import { execFileSync as execFileSync10 } from "child_process";
-import { existsSync as existsSync11, unlinkSync } from "fs";
-import { homedir as homedir11, userInfo as userInfo3 } from "os";
-import { join as join9 } from "path";
-import { defineCommand as defineCommand31 } from "citty";
-import consola27 from "consola";
+import { existsSync as existsSync13, unlinkSync } from "fs";
+import { homedir as homedir12, userInfo as userInfo3 } from "os";
+import { join as join11 } from "path";
+import { defineCommand as defineCommand33 } from "citty";
+import consola29 from "consola";
 var PLIST_LABEL2 = "ai.openape.nest";
-var uninstallNestCommand = defineCommand31({
+var uninstallNestCommand = defineCommand33({
   meta: {
     name: "uninstall",
     description: "Stop + remove the local nest-daemon (registry + agents preserved)"
   },
   async run() {
     const uid = userInfo3().uid;
-    const path2 = join9(homedir11(), "Library", "LaunchAgents", `${PLIST_LABEL2}.plist`);
+    const path2 = join11(homedir12(), "Library", "LaunchAgents", `${PLIST_LABEL2}.plist`);
     try {
       execFileSync10("/bin/launchctl", ["bootout", `gui/${uid}/${PLIST_LABEL2}`], { stdio: "ignore" });
-      consola27.success("Nest daemon stopped");
+      consola29.success("Nest daemon stopped");
     } catch {
-      consola27.info("Nest daemon was not loaded");
+      consola29.info("Nest daemon was not loaded");
     }
-    if (existsSync11(path2)) {
+    if (existsSync13(path2)) {
       unlinkSync(path2);
-      consola27.success(`Removed ${path2}`);
+      consola29.success(`Removed ${path2}`);
     }
-    consola27.info("Registry at ~/.openape/nest/agents.json kept \u2014 re-run `apes nest install` to resume supervision.");
+    consola29.info("Registry at ~/.openape/nest/agents.json kept \u2014 re-run `apes nest install` to resume supervision.");
   }
 });
 // src/commands/nest/index.ts
-var nestCommand = defineCommand32({
+var nestCommand = defineCommand34({
   meta: {
     name: "nest",
-    description: "Manage the local Nest control-plane daemon (install, status, uninstall). The Nest hosts agents on this computer \u2014 once installed, `apes agents spawn` is fast (no per-spawn DDISA approvals) and per-agent launchd plists are replaced by a single supervised process tree."
+    description: "Manage the local Nest control-plane daemon (install / enroll / authorize / status / uninstall). One-time setup: `install` (launchd) \u2192 `enroll` (own DDISA identity) \u2192 `authorize` (YOLO-policy). After that, `apes agents spawn` runs without per-call DDISA approvals."
   },
   subCommands: {
     install: installNestCommand,
+    enroll: enrollNestCommand,
+    authorize: authorizeNestCommand,
     status: statusNestCommand,
     uninstall: uninstallNestCommand
   }
 });
 // src/commands/adapter/index.ts
-import { defineCommand as defineCommand33 } from "citty";
-import consola28 from "consola";
-var adapterCommand = defineCommand33({
+import { defineCommand as defineCommand35 } from "citty";
+import consola30 from "consola";
+var adapterCommand = defineCommand35({
   meta: {
     name: "adapter",
     description: "Manage CLI adapters"
   },
   subCommands: {
-    list: defineCommand33({
+    list: defineCommand35({
       meta: {
         name: "list",
         description: "List available adapters"
@@ -4173,7 +4423,7 @@ var adapterCommand = defineCommand33({
 `);
             return;
           }
-          consola28.info(`Registry: ${index2.adapters.length} adapters (${index2.generated_at})`);
+          consola30.info(`Registry: ${index2.adapters.length} adapters (${index2.generated_at})`);
           for (const a of index2.adapters) {
             const installed = isInstalled(a.id, false) ? " [installed]" : "";
             console.log(`  ${a.id.padEnd(12)} ${a.name.padEnd(24)} ${a.category}${installed}`);
@@ -4195,7 +4445,7 @@ var adapterCommand = defineCommand33({
           return;
         }
         if (local.length === 0) {
-          consola28.info("No adapters installed. Use `apes adapter list --remote` to see available adapters.");
+          consola30.info("No adapters installed. Use `apes adapter list --remote` to see available adapters.");
           return;
         }
         for (const a of local) {
@@ -4203,7 +4453,7 @@ var adapterCommand = defineCommand33({
         }
       }
     }),
-    install: defineCommand33({
+    install: defineCommand35({
       meta: {
         name: "install",
         description: "Install an adapter from the registry"
@@ -4232,24 +4482,24 @@ var adapterCommand = defineCommand33({
         for (const id of ids) {
           const entry = findAdapter(index, id);
           if (!entry) {
-            consola28.error(`Adapter "${id}" not found in registry. Use \`apes adapter search ${id}\` to search.`);
+            consola30.error(`Adapter "${id}" not found in registry. Use \`apes adapter search ${id}\` to search.`);
             continue;
           }
           const conflicts = findConflictingAdapters(entry.executable, id);
           if (conflicts.length > 0) {
             for (const c of conflicts) {
-              consola28.warn(`Conflicting adapter found: ${c.path} (id: ${c.adapterId}, executable: ${c.executable})`);
-              consola28.warn(`  Remove it with: apes adapter remove ${c.adapterId}`);
+              consola30.warn(`Conflicting adapter found: ${c.path} (id: ${c.adapterId}, executable: ${c.executable})`);
+              consola30.warn(`  Remove it with: apes adapter remove ${c.adapterId}`);
             }
           }
           const result = await installAdapter(entry, { local });
           const verb = result.updated ? "Updated" : "Installed";
-          consola28.success(`${verb} ${result.id} \u2192 ${result.path}`);
-          consola28.info(`Digest: ${result.digest}`);
+          consola30.success(`${verb} ${result.id} \u2192 ${result.path}`);
+          consola30.info(`Digest: ${result.digest}`);
         }
       }
     }),
-    remove: defineCommand33({
+    remove: defineCommand35({
       meta: {
         name: "remove",
         description: "Remove an installed adapter"
@@ -4272,9 +4522,9 @@ var adapterCommand = defineCommand33({
         let failed = false;
         for (const id of ids) {
           if (removeAdapter(id, local)) {
-            consola28.success(`Removed adapter: ${id}`);
+            consola30.success(`Removed adapter: ${id}`);
           } else {
-            consola28.error(`Adapter "${id}" is not installed${local ? " locally" : ""}`);
+            consola30.error(`Adapter "${id}" is not installed${local ? " locally" : ""}`);
             failed = true;
           }
         }
@@ -4282,7 +4532,7 @@ var adapterCommand = defineCommand33({
           throw new CliError("Some adapters could not be removed");
       }
     }),
-    info: defineCommand33({
+    info: defineCommand35({
       meta: {
         name: "info",
         description: "Show detailed adapter information"
@@ -4324,7 +4574,7 @@ var adapterCommand = defineCommand33({
         }
       }
     }),
-    search: defineCommand33({
+    search: defineCommand35({
       meta: {
         name: "search",
         description: "Search adapters in the registry"
@@ -4356,7 +4606,7 @@ var adapterCommand = defineCommand33({
           return;
         }
         if (results.length === 0) {
-          consola28.info(`No adapters matching "${query}"`);
+          consola30.info(`No adapters matching "${query}"`);
           return;
         }
         for (const a of results) {
@@ -4365,7 +4615,7 @@ var adapterCommand = defineCommand33({
         }
       }
     }),
-    update: defineCommand33({
+    update: defineCommand35({
       meta: {
         name: "update",
         description: "Update installed adapters"
@@ -4391,33 +4641,33 @@ var adapterCommand = defineCommand33({
         const targetId = args.id ? String(args.id) : void 0;
         const targets = targetId ? [targetId] : index.adapters.map((a) => a.id).filter((id) => isInstalled(id, false));
         if (targets.length === 0) {
-          consola28.info("No adapters installed to update.");
+          consola30.info("No adapters installed to update.");
           return;
         }
         for (const id of targets) {
           const entry = findAdapter(index, id);
           if (!entry) {
-            consola28.warn(`${id}: not found in registry, skipping`);
+            consola30.warn(`${id}: not found in registry, skipping`);
             continue;
           }
           const localDigest = getInstalledDigest(id, false);
           if (localDigest === entry.digest) {
-            consola28.info(`${id}: already up to date`);
+            consola30.info(`${id}: already up to date`);
             continue;
           }
           if (localDigest && !args.yes) {
-            consola28.warn(`${id}: digest will change \u2014 existing grants for this adapter will be invalidated`);
-            consola28.info(`  Old: ${localDigest}`);
-            consola28.info(`  New: ${entry.digest}`);
-            consola28.info("  Use --yes to confirm");
+            consola30.warn(`${id}: digest will change \u2014 existing grants for this adapter will be invalidated`);
+            consola30.info(`  Old: ${localDigest}`);
+            consola30.info(`  New: ${entry.digest}`);
+            consola30.info("  Use --yes to confirm");
             continue;
           }
           const result = await installAdapter(entry);
-          consola28.success(`Updated ${result.id} \u2192 ${result.path}`);
+          consola30.success(`Updated ${result.id} \u2192 ${result.path}`);
         }
       }
     }),
-    verify: defineCommand33({
+    verify: defineCommand35({
       meta: {
         name: "verify",
         description: "Verify installed adapter against registry digest"
@@ -4450,7 +4700,7 @@ var adapterCommand = defineCommand33({
         if (!localDigest)
           throw new Error(`Adapter "${id}" is not installed${local ? " locally" : ""}`);
         if (localDigest === entry.digest) {
-          consola28.success(`${id}: digest matches registry`);
+          consola30.success(`${id}: digest matches registry`);
         } else {
           console.log(`  Local:    ${localDigest}`);
           console.log(`  Registry: ${entry.digest}`);
@@ -4463,10 +4713,10 @@ var adapterCommand = defineCommand33({
 // src/commands/run.ts
 import { execFileSync as execFileSync11 } from "child_process";
-import { hostname as hostname4 } from "os";
+import { hostname as hostname5 } from "os";
 import { basename } from "path";
-import { defineCommand as defineCommand34 } from "citty";
-import consola29 from "consola";
+import { defineCommand as defineCommand36 } from "citty";
+import consola31 from "consola";
 function shouldWaitForGrant(args) {
   return args.wait === true || process.env.APE_WAIT === "1";
 }
@@ -4503,7 +4753,7 @@ function printPendingGrantInfo(grant, idp) {
   const statusCmd = `apes grants status ${grant.id}`;
   const executeCmd = `apes grants run ${grant.id}`;
   if (mode === "human") {
-    consola29.success(`Grant ${grant.id} created \u2014 awaiting your approval`);
+    consola31.success(`Grant ${grant.id} created \u2014 awaiting your approval`);
     console.log(`  Approve in browser:  ${approveUrl}`);
     console.log(`  Check status:        ${statusCmd}`);
     console.log(`  Run after approval:  ${executeCmd}`);
@@ -4513,7 +4763,7 @@ function printPendingGrantInfo(grant, idp) {
     return;
   }
   const maxMin = getPollMaxMinutes();
-  consola29.success(`Grant ${grant.id} created (pending approval)`);
+  consola31.success(`Grant ${grant.id} created (pending approval)`);
   console.log(`  Approve:   ${approveUrl}`);
   console.log(`  Status:    ${statusCmd} [--json]`);
   console.log(`  Execute:   ${executeCmd} --wait`);
@@ -4535,7 +4785,7 @@ function printPendingGrantInfo(grant, idp) {
   console.log('  Tip: Approve as "timed" or "always" in the browser to let this');
   console.log("  grant be reused on subsequent invocations without re-approval.");
 }
-var runCommand = defineCommand34({
+var runCommand = defineCommand36({
   meta: {
     name: "run",
     description: "Execute a grant-secured command"
@@ -4624,7 +4874,7 @@ async function runShellMode(command, args) {
   const adapterHandled = await tryAdapterModeFromShell(command, idp, args);
   if (adapterHandled) return;
   const grantsUrl = await getGrantsEndpoint(idp);
-  const targetHost = args.host || hostname4();
+  const targetHost = args.host || hostname5();
   try {
     const grants = await apiFetch(
       `${grantsUrl}?requester=${encodeURIComponent(auth.email)}&status=approved&limit=20`
@@ -4638,7 +4888,7 @@ async function runShellMode(command, args) {
     }
   } catch {
   }
-  consola29.info(`Requesting ape-shell session grant on ${targetHost}`);
+  consola31.info(`Requesting ape-shell session grant on ${targetHost}`);
   const grant = await apiFetch(grantsUrl, {
     method: "POST",
     body: {
@@ -4658,8 +4908,8 @@ async function runShellMode(command, args) {
     host: targetHost
   });
   if (shouldWaitForGrant(args)) {
-    consola29.info(`Grant requested: ${grant.id}`);
-    consola29.info("Waiting for approval...");
+    consola31.info(`Grant requested: ${grant.id}`);
+    consola31.info("Waiting for approval...");
     const maxWait = 3e5;
     const interval = 3e3;
     const start = Date.now();
@@ -4690,13 +4940,13 @@ async function tryAdapterModeFromShell(command, idp, args) {
   try {
     resolved = await resolveCommand(loaded, [normalizedExecutable, ...parsed.argv]);
   } catch (err) {
-    consola29.debug(`ape-shell: adapter resolve failed for "${parsed.raw}":`, err);
+    consola31.debug(`ape-shell: adapter resolve failed for "${parsed.raw}":`, err);
     return false;
   }
   try {
     const existingGrantId = await findExistingGrant(resolved, idp);
     if (existingGrantId) {
-      consola29.info(`Reusing grant ${existingGrantId} for: ${resolved.detail.display}`);
+      consola31.info(`Reusing grant ${existingGrantId} for: ${resolved.detail.display}`);
       const token = await fetchGrantToken(idp, existingGrantId);
       await verifyAndExecute(token, resolved, existingGrantId);
       return true;
@@ -4704,7 +4954,7 @@ async function tryAdapterModeFromShell(command, idp, args) {
   } catch {
   }
   const approval = args.approval ?? "once";
-  consola29.info(`Requesting grant for: ${resolved.detail.display}`);
+  consola31.info(`Requesting grant for: ${resolved.detail.display}`);
   const grant = await createShapesGrant(resolved, {
     idp,
     approval,
@@ -4712,19 +4962,19 @@ async function tryAdapterModeFromShell(command, idp, args) {
   });
   if (grant.similar_grants?.similar_grants?.length) {
     const n = grant.similar_grants.similar_grants.length;
-    consola29.info("");
-    consola29.info(`  Similar grant(s) found (${n}). Your approver can extend an existing grant to cover this request.`);
+    consola31.info("");
+    consola31.info(`  Similar grant(s) found (${n}). Your approver can extend an existing grant to cover this request.`);
   }
   notifyGrantPending({
     grantId: grant.id,
     approveUrl: `${idp}/grant-approval?grant_id=${grant.id}`,
     command: resolved.detail?.display || parsed?.raw || "unknown",
     audience: resolved.adapter?.cli?.audience ?? "shapes",
-    host: args.host || hostname4()
+    host: args.host || hostname5()
   });
   if (shouldWaitForGrant(args)) {
-    consola29.info(`Grant requested: ${grant.id}`);
-    consola29.info(`Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
+    consola31.info(`Grant requested: ${grant.id}`);
+    consola31.info(`Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
     const status = await waitForGrantStatus(idp, grant.id);
     if (status !== "approved")
       throw new CliError(`Grant ${status}`);
@@ -4798,7 +5048,7 @@ async function runAdapterMode(command, rawArgs, args) {
   try {
     const existingGrantId = await findExistingGrant(resolved, idp);
     if (existingGrantId) {
-      consola29.info(`Reusing existing grant: ${existingGrantId}`);
+      consola31.info(`Reusing existing grant: ${existingGrantId}`);
       const token = await fetchGrantToken(idp, existingGrantId);
       await verifyAndExecute(token, resolved, existingGrantId);
       return;
@@ -4812,17 +5062,17 @@ async function runAdapterMode(command, rawArgs, args) {
   });
   if (grant.similar_grants?.similar_grants?.length) {
     const n = grant.similar_grants.similar_grants.length;
-    consola29.info("");
-    consola29.info(`  Similar grant(s) found (${n}). Your approver can extend an existing grant to cover this request.`);
+    consola31.info("");
+    consola31.info(`  Similar grant(s) found (${n}). Your approver can extend an existing grant to cover this request.`);
     if (grant.similar_grants.widened_details?.length) {
       const wider = grant.similar_grants.widened_details.map((d) => d.permission).join(", ");
-      consola29.info(`  Broader scope: ${wider}`);
+      consola31.info(`  Broader scope: ${wider}`);
     }
-    consola29.info("");
+    consola31.info("");
   }
   if (shouldWaitForGrant(args)) {
-    consola29.info(`Grant requested: ${grant.id}`);
-    consola29.info(`Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
+    consola31.info(`Grant requested: ${grant.id}`);
+    consola31.info(`Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
     const status = await waitForGrantStatus(idp, grant.id);
     if (status !== "approved")
       throw new Error(`Grant ${status}`);
@@ -4841,8 +5091,8 @@ async function runAudienceMode(audience, action, args) {
   const idp = getIdpUrl(args.idp);
   const grantsUrl = await getGrantsEndpoint(idp);
   const command = action.split(" ");
-  const targetHost = args.host || hostname4();
-  consola29.info(`Requesting ${audience} grant on ${targetHost}: ${command.join(" ")}`);
+  const targetHost = args.host || hostname5();
+  consola31.info(`Requesting ${audience} grant on ${targetHost}: ${command.join(" ")}`);
   const grant = await apiFetch(grantsUrl, {
     method: "POST",
     body: {
@@ -4859,9 +5109,9 @@ async function runAudienceMode(audience, action, args) {
     printPendingGrantInfo(grant, idp);
     throw new CliExit(getAsyncExitCode());
   }
-  consola29.success(`Grant requested: ${grant.id}`);
-  consola29.info(`Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
-  consola29.info("Waiting for approval...");
+  consola31.success(`Grant requested: ${grant.id}`);
+  consola31.info(`Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
+  consola31.info("Waiting for approval...");
   const maxWait = 15 * 60 * 1e3;
   const interval = 3e3;
   const start = Date.now();
@@ -4869,7 +5119,7 @@ async function runAudienceMode(audience, action, args) {
   while (Date.now() - start < maxWait) {
     const status = await apiFetch(`${grantsUrl}/${grant.id}`);
     if (status.status === "approved") {
-      consola29.success("Grant approved!");
+      consola31.success("Grant approved!");
       approved = true;
       break;
     }
@@ -4884,12 +5134,12 @@ async function runAudienceMode(audience, action, args) {
       `Grant approval timed out after ${minutes} min (still pending). Check your DDISA inbox at ${idp}/grant-approval?grant_id=${grant.id} \u2014 if approved later, re-run the same \`apes run\` command and it will reuse the grant.`
     );
   }
-  consola29.info("Fetching grant token...");
+  consola31.info("Fetching grant token...");
   const { authz_jwt } = await apiFetch(`${grantsUrl}/${grant.id}/token`, {
     method: "POST"
   });
   if (audience === "escapes") {
-    consola29.info(`Executing: ${command.join(" ")}`);
+    consola31.info(`Executing: ${command.join(" ")}`);
     try {
       const { APES_SHELL_WRAPPER: _wrapperMarker, ...inheritedEnv } = process.env;
       execFileSync11(args["escapes-path"] || "escapes", ["--grant", authz_jwt, "--", ...command], {
@@ -4907,8 +5157,8 @@ async function runAudienceMode(audience, action, args) {
 // src/commands/proxy.ts
 import { spawn as spawn2 } from "child_process";
-import { defineCommand as defineCommand35 } from "citty";
-import consola30 from "consola";
+import { defineCommand as defineCommand37 } from "citty";
+import consola32 from "consola";
 // src/proxy/config.ts
 function buildDefaultProxyConfigToml(opts) {
@@ -4942,10 +5192,10 @@ note = "VPC-internal hostname suffix"
 // src/proxy/local-proxy.ts
 import { spawn } from "child_process";
-import { mkdtempSync as mkdtempSync3, rmSync as rmSync3, writeFileSync as writeFileSync7 } from "fs";
+import { mkdtempSync as mkdtempSync3, rmSync as rmSync3, writeFileSync as writeFileSync8 } from "fs";
 import { createRequire } from "module";
 import { tmpdir as tmpdir3 } from "os";
-import { dirname as dirname3, join as join10, resolve as resolve4 } from "path";
+import { dirname as dirname4, join as join12, resolve as resolve4 } from "path";
 var require2 = createRequire(import.meta.url);
 function findProxyBin() {
   const pkgPath = require2.resolve("@openape/proxy/package.json");
@@ -4954,12 +5204,12 @@ function findProxyBin() {
   if (!binRel) {
     throw new Error("@openape/proxy is missing the openape-proxy bin entry");
   }
-  return resolve4(dirname3(pkgPath), binRel);
+  return resolve4(dirname4(pkgPath), binRel);
 }
 async function startEphemeralProxy(configToml) {
-  const tmpDir = mkdtempSync3(join10(tmpdir3(), "openape-proxy-"));
-  const configPath = join10(tmpDir, "config.toml");
-  writeFileSync7(configPath, configToml, { mode: 384 });
+  const tmpDir = mkdtempSync3(join12(tmpdir3(), "openape-proxy-"));
+  const configPath = join12(tmpDir, "config.toml");
+  writeFileSync8(configPath, configToml, { mode: 384 });
   const binPath = findProxyBin();
   const child = spawn(process.execPath, [binPath, "-c", configPath], {
     stdio: ["ignore", "pipe", "pipe"],
@@ -5051,10 +5301,10 @@ function resolveProxyConfigOptions() {
       77
     );
   }
-  consola30.info(`[apes proxy] IdP-mediated mode \u2014 agent=${auth.email}, idp=${auth.idp}`);
+  consola32.info(`[apes proxy] IdP-mediated mode \u2014 agent=${auth.email}, idp=${auth.idp}`);
   return { agentEmail: auth.email, idpUrl: auth.idp, mediated: true };
 }
-var proxyCommand = defineCommand35({
+var proxyCommand = defineCommand37({
   meta: {
     name: "proxy",
     description: "Run a command with HTTPS_PROXY routed through the OpenApe egress proxy."
@@ -5076,12 +5326,12 @@ var proxyCommand = defineCommand35({
     let close = null;
     if (reuseUrl) {
       proxyUrl = reuseUrl;
-      consola30.info(`[apes proxy] reusing existing proxy at ${proxyUrl}`);
+      consola32.info(`[apes proxy] reusing existing proxy at ${proxyUrl}`);
     } else {
       const ephemeral = await startEphemeralProxy(buildDefaultProxyConfigToml(resolveProxyConfigOptions()));
       proxyUrl = ephemeral.url;
       close = ephemeral.close;
-      consola30.info(`[apes proxy] started ephemeral proxy at ${proxyUrl}`);
+      consola32.info(`[apes proxy] started ephemeral proxy at ${proxyUrl}`);
     }
     const noProxy = process.env.NO_PROXY ?? process.env.no_proxy ?? "127.0.0.1,localhost";
     const childEnv = {
@@ -5113,7 +5363,7 @@ var proxyCommand = defineCommand35({
         else resolveExit(code ?? 0);
       });
       child.once("error", (err) => {
-        consola30.error(`[apes proxy] failed to spawn '${wrapped[0]}':`, err.message);
+        consola32.error(`[apes proxy] failed to spawn '${wrapped[0]}':`, err.message);
         resolveExit(127);
       });
     });
@@ -5127,8 +5377,8 @@ function signalNumber(signal) {
 }
 // src/commands/explain.ts
-import { defineCommand as defineCommand36 } from "citty";
-var explainCommand = defineCommand36({
+import { defineCommand as defineCommand38 } from "citty";
+var explainCommand = defineCommand38({
   meta: {
     name: "explain",
     description: "Show what permission a command would need"
@@ -5166,9 +5416,9 @@ var explainCommand = defineCommand36({
 });
 // src/commands/config/get.ts
-import { defineCommand as defineCommand37 } from "citty";
-import consola31 from "consola";
-var configGetCommand = defineCommand37({
+import { defineCommand as defineCommand39 } from "citty";
+import consola33 from "consola";
+var configGetCommand = defineCommand39({
   meta: {
     name: "get",
     description: "Get a configuration value"
@@ -5188,7 +5438,7 @@ var configGetCommand = defineCommand37({
         if (idp)
           console.log(idp);
         else
-          consola31.info("No IdP configured.");
+          consola33.info("No IdP configured.");
         break;
       }
       case "email": {
@@ -5196,7 +5446,7 @@ var configGetCommand = defineCommand37({
         if (auth?.email)
           console.log(auth.email);
         else
-          consola31.info("Not logged in.");
+          consola33.info("Not logged in.");
         break;
       }
       default: {
@@ -5209,7 +5459,7 @@ var configGetCommand = defineCommand37({
           if (sectionObj && field in sectionObj) {
             console.log(sectionObj[field]);
           } else {
-            consola31.info(`Key "${key}" not set.`);
+            consola33.info(`Key "${key}" not set.`);
           }
         } else {
           throw new CliError(`Unknown key: "${key}". Use: idp, email, defaults.idp, defaults.approval, agent.key, agent.email`);
@@ -5220,9 +5470,9 @@ var configGetCommand = defineCommand37({
 });
 // src/commands/config/set.ts
-import { defineCommand as defineCommand38 } from "citty";
-import consola32 from "consola";
-var configSetCommand = defineCommand38({
+import { defineCommand as defineCommand40 } from "citty";
+import consola34 from "consola";
+var configSetCommand = defineCommand40({
   meta: {
     name: "set",
     description: "Set a configuration value"
@@ -5258,12 +5508,12 @@ var configSetCommand = defineCommand38({
       throw new CliError(`Unknown section: "${section}". Use: defaults, agent`);
     }
     saveConfig(config);
-    consola32.success(`Set ${key} = ${value}`);
+    consola34.success(`Set ${key} = ${value}`);
   }
 });
 // src/commands/fetch/index.ts
-import { defineCommand as defineCommand39 } from "citty";
+import { defineCommand as defineCommand41 } from "citty";
 async function doRequest(method, url, body, contentType, raw, showHeaders) {
   const token = getAuthToken();
   if (!token) {
@@ -5299,13 +5549,13 @@ async function doRequest(method, url, body, contentType, raw, showHeaders) {
     throw new CliError(`HTTP ${response.status} ${response.statusText}`);
   }
 }
-var fetchCommand = defineCommand39({
+var fetchCommand = defineCommand41({
   meta: {
     name: "fetch",
     description: "Make authenticated HTTP requests"
   },
   subCommands: {
-    get: defineCommand39({
+    get: defineCommand41({
       meta: {
         name: "get",
         description: "GET request with auth token"
@@ -5331,7 +5581,7 @@ var fetchCommand = defineCommand39({
         await doRequest("GET", String(args.url), void 0, "application/json", Boolean(args.raw), Boolean(args.headers));
       }
     }),
-    post: defineCommand39({
+    post: defineCommand41({
       meta: {
         name: "post",
         description: "POST request with auth token"
@@ -5370,8 +5620,8 @@ var fetchCommand = defineCommand39({
 });
 // src/commands/mcp/index.ts
-import { defineCommand as defineCommand40 } from "citty";
-var mcpCommand = defineCommand40({
+import { defineCommand as defineCommand42 } from "citty";
+var mcpCommand = defineCommand42({
   meta: {
     name: "mcp",
     description: "Start MCP server for AI agents"
@@ -5394,25 +5644,25 @@ var mcpCommand = defineCommand40({
     if (transport !== "stdio" && transport !== "sse") {
       throw new Error('Transport must be "stdio" or "sse"');
     }
-    const { startMcpServer } = await import("./server-A56K7VDD.js");
+    const { startMcpServer } = await import("./server-PHANS7PS.js");
     await startMcpServer(transport, port);
   }
 });
 // src/commands/init/index.ts
-import { existsSync as existsSync12, copyFileSync, writeFileSync as writeFileSync8 } from "fs";
+import { existsSync as existsSync14, copyFileSync, writeFileSync as writeFileSync9 } from "fs";
 import { randomBytes } from "crypto";
 import { execFileSync as execFileSync12 } from "child_process";
-import { join as join11 } from "path";
-import { defineCommand as defineCommand41 } from "citty";
-import consola33 from "consola";
+import { join as join13 } from "path";
+import { defineCommand as defineCommand43 } from "citty";
+import consola35 from "consola";
 var DEFAULT_IDP_URL = "https://id.openape.at";
 async function downloadTemplate(repo, targetDir) {
   const { downloadTemplate: gigetDownload } = await import("giget");
   await gigetDownload(`gh:${repo}`, { dir: targetDir, force: false });
 }
 function installDeps(dir) {
-  const hasLockFile = (name) => existsSync12(join11(dir, name));
+  const hasLockFile = (name) => existsSync14(join13(dir, name));
   if (hasLockFile("pnpm-lock.yaml")) {
     execFileSync12("pnpm", ["install"], { cwd: dir, stdio: "inherit" });
   } else if (hasLockFile("bun.lockb")) {
@@ -5422,20 +5672,20 @@ function installDeps(dir) {
   }
 }
 async function promptChoice(message, choices) {
-  const result = await consola33.prompt(message, { type: "select", options: choices });
+  const result = await consola35.prompt(message, { type: "select", options: choices });
   if (typeof result === "symbol") {
     throw new CliExit(0);
   }
   return result;
 }
 async function promptText(message, defaultValue) {
-  const result = await consola33.prompt(message, { type: "text", default: defaultValue, placeholder: defaultValue });
+  const result = await consola35.prompt(message, { type: "text", default: defaultValue, placeholder: defaultValue });
   if (typeof result === "symbol") {
     throw new CliExit(0);
   }
   return result || defaultValue || "";
 }
-var initCommand = defineCommand41({
+var initCommand = defineCommand43({
   meta: {
     name: "init",
     description: "Scaffold a new OpenApe project"
@@ -5477,23 +5727,23 @@ var initCommand = defineCommand41({
 });
 async function initSP(targetDir) {
   const dir = targetDir || "my-app";
-  if (existsSync12(join11(dir, "package.json"))) {
+  if (existsSync14(join13(dir, "package.json"))) {
     throw new CliError(`Directory "${dir}" already contains a project.`);
   }
-  consola33.start("Scaffolding SP starter...");
+  consola35.start("Scaffolding SP starter...");
   await downloadTemplate("openape-ai/openape-sp-starter", dir);
-  consola33.success("Scaffolded from openape-sp-starter");
-  consola33.start("Installing dependencies...");
+  consola35.success("Scaffolded from openape-sp-starter");
+  consola35.start("Installing dependencies...");
   installDeps(dir);
-  consola33.success("Dependencies installed");
-  const envExample = join11(dir, ".env.example");
-  const envFile = join11(dir, ".env");
-  if (existsSync12(envExample) && !existsSync12(envFile)) {
+  consola35.success("Dependencies installed");
+  const envExample = join13(dir, ".env.example");
+  const envFile = join13(dir, ".env");
+  if (existsSync14(envExample) && !existsSync14(envFile)) {
     copyFileSync(envExample, envFile);
-    consola33.success(`\`.env\` created (using Free IdP at ${DEFAULT_IDP_URL})`);
+    consola35.success(`\`.env\` created (using Free IdP at ${DEFAULT_IDP_URL})`);
   }
   console.log("");
-  consola33.box([
+  consola35.box([
     `cd ${dir}`,
     "npm run dev",
     "",
@@ -5502,7 +5752,7 @@ async function initSP(targetDir) {
 }
 async function initIdP(targetDir) {
   const dir = targetDir || "my-idp";
-  if (existsSync12(join11(dir, "package.json"))) {
+  if (existsSync14(join13(dir, "package.json"))) {
     throw new CliError(`Directory "${dir}" already contains a project.`);
   }
   const domain = await promptText("Domain for the IdP", "localhost");
@@ -5512,15 +5762,15 @@ async function initIdP(targetDir) {
     "s3 (S3-compatible)"
   ]);
   const adminEmail = await promptText("Admin email");
-  consola33.start("Scaffolding IdP starter...");
+  consola35.start("Scaffolding IdP starter...");
   await downloadTemplate("openape-ai/openape-idp-starter", dir);
-  consola33.success("Scaffolded from openape-idp-starter");
-  consola33.start("Installing dependencies...");
+  consola35.success("Scaffolded from openape-idp-starter");
+  consola35.start("Installing dependencies...");
   installDeps(dir);
-  consola33.success("Dependencies installed");
+  consola35.success("Dependencies installed");
   const sessionSecret = randomBytes(32).toString("hex");
   const managementToken = randomBytes(32).toString("hex");
-  consola33.success("Secrets generated");
+  consola35.success("Secrets generated");
   const isLocalhost = domain === "localhost";
   const origin = isLocalhost ? "http://localhost:3000" : `https://${domain}`;
   const envContent = [
@@ -5534,11 +5784,11 @@ async function initIdP(targetDir) {
     `NUXT_OPENAPE_RP_ID=${domain}`,
     `NUXT_OPENAPE_RP_ORIGIN=${origin}`
   ].join("\n");
-  writeFileSync8(join11(dir, ".env"), `${envContent}
+  writeFileSync9(join13(dir, ".env"), `${envContent}
 `, { mode: 384 });
-  consola33.success(".env created");
+  consola35.success(".env created");
   console.log("");
-  consola33.box([
+  consola35.box([
     `cd ${dir}`,
     "npm run dev",
     "",
@@ -5555,11 +5805,11 @@ async function initIdP(targetDir) {
 // src/commands/enroll.ts
 import { Buffer as Buffer5 } from "buffer";
-import { existsSync as existsSync13, readFileSync as readFileSync11 } from "fs";
+import { existsSync as existsSync15, readFileSync as readFileSync12 } from "fs";
 import { execFile as execFile2 } from "child_process";
 import { sign as sign2 } from "crypto";
-import { defineCommand as defineCommand42 } from "citty";
-import consola34 from "consola";
+import { defineCommand as defineCommand44 } from "citty";
+import consola36 from "consola";
 var DEFAULT_IDP_URL2 = "https://id.openape.at";
 var DEFAULT_KEY_PATH = "~/.ssh/id_ed25519";
 var POLL_INTERVAL = 3e3;
@@ -5571,7 +5821,7 @@ function openBrowser2(url) {
 }
 async function pollForEnrollment(idp, agentEmail, keyPath) {
   const resolvedKey = resolveKeyPath(keyPath);
-  const keyContent = readFileSync11(resolvedKey, "utf-8");
+  const keyContent = readFileSync12(resolvedKey, "utf-8");
   const privateKey = loadEd25519PrivateKey(keyContent);
   const challengeUrl = await getAgentChallengeEndpoint(idp);
   const authenticateUrl = await getAgentAuthenticateEndpoint(idp);
@@ -5602,7 +5852,7 @@ async function pollForEnrollment(idp, agentEmail, keyPath) {
   }
   throw new Error("Enrollment timed out. Please check the browser and try again.");
 }
-var enrollCommand = defineCommand42({
+var enrollCommand = defineCommand44({
   meta: {
     name: "enroll",
     description: "Enroll an agent with an Identity Provider"
@@ -5622,38 +5872,38 @@ var enrollCommand = defineCommand42({
     }
   },
   async run({ args }) {
-    const idp = args.idp || await consola34.prompt("IdP URL", { type: "text", default: DEFAULT_IDP_URL2, placeholder: DEFAULT_IDP_URL2 }).then((r) => {
+    const idp = args.idp || await consola36.prompt("IdP URL", { type: "text", default: DEFAULT_IDP_URL2, placeholder: DEFAULT_IDP_URL2 }).then((r) => {
       if (typeof r === "symbol") throw new CliExit(0);
       return r;
     }) || DEFAULT_IDP_URL2;
-    const agentName = args.name || await consola34.prompt("Agent name", { type: "text", placeholder: "deploy-bot" }).then((r) => {
+    const agentName = args.name || await consola36.prompt("Agent name", { type: "text", placeholder: "deploy-bot" }).then((r) => {
       if (typeof r === "symbol") throw new CliExit(0);
       return r;
     });
     if (!agentName) {
       throw new CliError("Agent name is required.");
     }
-    const keyPath = args.key || await consola34.prompt("Ed25519 key", { type: "text", default: DEFAULT_KEY_PATH, placeholder: DEFAULT_KEY_PATH }).then((r) => {
+    const keyPath = args.key || await consola36.prompt("Ed25519 key", { type: "text", default: DEFAULT_KEY_PATH, placeholder: DEFAULT_KEY_PATH }).then((r) => {
       if (typeof r === "symbol") throw new CliExit(0);
       return r;
     }) || DEFAULT_KEY_PATH;
     const resolvedKey = resolveKeyPath(keyPath);
     let publicKey;
-    if (existsSync13(resolvedKey)) {
+    if (existsSync15(resolvedKey)) {
       publicKey = readPublicKey(resolvedKey);
-      consola34.success(`Using existing key ${keyPath}`);
+      consola36.success(`Using existing key ${keyPath}`);
     } else {
-      consola34.start(`Generating Ed25519 key pair at ${keyPath}...`);
+      consola36.start(`Generating Ed25519 key pair at ${keyPath}...`);
       publicKey = generateAndSaveKey(keyPath);
-      consola34.success(`Key pair generated at ${keyPath}`);
+      consola36.success(`Key pair generated at ${keyPath}`);
     }
     const encodedKey = encodeURIComponent(publicKey);
     const enrollUrl = `${idp}/enroll?name=${encodeURIComponent(agentName)}&key=${encodedKey}`;
-    consola34.info("Opening browser for enrollment...");
-    consola34.info(`\u2192 ${idp}/enroll`);
+    consola36.info("Opening browser for enrollment...");
+    consola36.info(`\u2192 ${idp}/enroll`);
     openBrowser2(enrollUrl);
     console.log("");
-    const agentEmail = await consola34.prompt(
+    const agentEmail = await consola36.prompt(
       "Agent email (shown in browser after enrollment)",
       { type: "text", placeholder: `agent+${agentName}@...` }
     ).then((r) => {
@@ -5663,7 +5913,7 @@ var enrollCommand = defineCommand42({
     if (!agentEmail) {
       throw new CliError("Agent email is required to verify enrollment.");
     }
-    consola34.start("Verifying enrollment...");
+    consola36.start("Verifying enrollment...");
     const { token, expiresIn } = await pollForEnrollment(idp, agentEmail, keyPath);
     saveAuth({
       idp,
@@ -5675,18 +5925,18 @@ var enrollCommand = defineCommand42({
     config.defaults = { ...config.defaults, idp };
     config.agent = { key: keyPath, email: agentEmail };
     saveConfig(config);
-    consola34.success(`Agent enrolled as ${agentEmail}`);
-    consola34.success("Config saved to ~/.config/apes/");
+    consola36.success(`Agent enrolled as ${agentEmail}`);
+    consola36.success("Config saved to ~/.config/apes/");
     console.log("");
-    consola34.info("Verify with: apes whoami");
+    consola36.info("Verify with: apes whoami");
   }
 });
 // src/commands/register-user.ts
-import { existsSync as existsSync14, readFileSync as readFileSync12 } from "fs";
-import { defineCommand as defineCommand43 } from "citty";
-import consola35 from "consola";
-var registerUserCommand = defineCommand43({
+import { existsSync as existsSync16, readFileSync as readFileSync13 } from "fs";
+import { defineCommand as defineCommand45 } from "citty";
+import consola37 from "consola";
+var registerUserCommand = defineCommand45({
   meta: {
     name: "register-user",
     description: "Register a sub-user with SSH key"
@@ -5722,8 +5972,8 @@ var registerUserCommand = defineCommand43({
       throw new CliError("No IdP URL configured. Run `apes login` first.");
     }
     let publicKey = args.key;
-    if (existsSync14(args.key)) {
-      publicKey = readFileSync12(args.key, "utf-8").trim();
+    if (existsSync16(args.key)) {
+      publicKey = readFileSync13(args.key, "utf-8").trim();
     }
     if (!publicKey.startsWith("ssh-ed25519 ")) {
       throw new CliError("Public key must be in ssh-ed25519 format.");
@@ -5741,18 +5991,18 @@ var registerUserCommand = defineCommand43({
         ...userType ? { type: userType } : {}
       }
     });
-    consola35.success(`User registered: ${result.email} (type: ${result.type}, owner: ${result.owner})`);
+    consola37.success(`User registered: ${result.email} (type: ${result.type}, owner: ${result.owner})`);
   }
 });
 // src/commands/utils/index.ts
-import { defineCommand as defineCommand45 } from "citty";
+import { defineCommand as defineCommand47 } from "citty";
 // src/commands/utils/dig.ts
-import { defineCommand as defineCommand44 } from "citty";
-import consola36 from "consola";
+import { defineCommand as defineCommand46 } from "citty";
+import consola38 from "consola";
 import { resolveDDISA as resolveDDISA2 } from "@openape/core";
-var digCommand = defineCommand44({
+var digCommand = defineCommand46({
   meta: {
     name: "dig",
     description: "Resolve DDISA IdP for a domain or email (admin/diag tool)"
@@ -5825,12 +6075,12 @@ var digCommand = defineCommand44({
     console.log(`  domain: ${domain}`);
     console.log("");
     if (!result.ddisa.found) {
-      consola36.warn(`No DDISA record at _ddisa.${domain}`);
+      consola38.warn(`No DDISA record at _ddisa.${domain}`);
       if (result.hint) console.log(`
 ${result.hint}`);
       throw new CliError(`No DDISA record found for ${domain}`);
     }
-    consola36.success(`_ddisa.${domain} \u2192 ${result.ddisa.idp}`);
+    consola38.success(`_ddisa.${domain} \u2192 ${result.ddisa.idp}`);
     console.log(`  Version:  ${result.ddisa.version || "ddisa1"}`);
     console.log(`  IdP URL:  ${result.ddisa.idp}`);
     if (result.ddisa.mode) console.log(`  Mode:     ${result.ddisa.mode}`);
@@ -5840,13 +6090,13 @@ ${result.hint}`);
       return;
     }
     if (result.idpDiscovery.ok) {
-      consola36.success(`IdP reachable (${result.idpDiscovery.status ?? 200})`);
+      consola38.success(`IdP reachable (${result.idpDiscovery.status ?? 200})`);
       if (result.idpDiscovery.issuer) console.log(`  Issuer:   ${result.idpDiscovery.issuer}`);
       if (result.idpDiscovery.ddisaVersion) console.log(`  DDISA:    v${result.idpDiscovery.ddisaVersion}`);
       if (result.idpDiscovery.authMethods?.length) console.log(`  Auth:     ${result.idpDiscovery.authMethods.join(", ")}`);
       if (result.idpDiscovery.grantTypes?.length) console.log(`  Grants:   ${result.idpDiscovery.grantTypes.join(", ")}`);
     } else {
-      consola36.warn(`IdP discovery failed${result.idpDiscovery.status ? ` (HTTP ${result.idpDiscovery.status})` : ""}`);
+      consola38.warn(`IdP discovery failed${result.idpDiscovery.status ? ` (HTTP ${result.idpDiscovery.status})` : ""}`);
       if (result.hint) console.log(`
 ${result.hint}`);
       throw new CliError(`IdP at ${result.ddisa.idp} not reachable`);
@@ -5855,7 +6105,7 @@ ${result.hint}`);
 });
 // src/commands/utils/index.ts
-var utilsCommand = defineCommand45({
+var utilsCommand = defineCommand47({
   meta: {
     name: "utils",
     description: "Admin/diagnostic utilities (dig, \u2026)"
@@ -5866,12 +6116,12 @@ var utilsCommand = defineCommand45({
 });
 // src/commands/sessions/index.ts
-import { defineCommand as defineCommand48 } from "citty";
+import { defineCommand as defineCommand50 } from "citty";
 // src/commands/sessions/list.ts
-import { defineCommand as defineCommand46 } from "citty";
-import consola37 from "consola";
-var sessionsListCommand = defineCommand46({
+import { defineCommand as defineCommand48 } from "citty";
+import consola39 from "consola";
+var sessionsListCommand = defineCommand48({
   meta: {
     name: "list",
     description: "List your active refresh-token families (one per logged-in device)."
@@ -5889,7 +6139,7 @@ var sessionsListCommand = defineCommand46({
       return;
     }
     if (result.data.length === 0) {
-      consola37.info("No active sessions.");
+      consola39.info("No active sessions.");
       return;
     }
     for (const f of result.data) {
@@ -5901,9 +6151,9 @@ var sessionsListCommand = defineCommand46({
 });
 // src/commands/sessions/remove.ts
-import { defineCommand as defineCommand47 } from "citty";
-import consola38 from "consola";
-var sessionsRemoveCommand = defineCommand47({
+import { defineCommand as defineCommand49 } from "citty";
+import consola40 from "consola";
+var sessionsRemoveCommand = defineCommand49({
   meta: {
     name: "remove",
     description: "Revoke one of your active refresh-token families by id."
@@ -5919,12 +6169,12 @@ var sessionsRemoveCommand = defineCommand47({
     const id = String(args.familyId).trim();
     if (!id) throw new CliError("familyId required");
     await apiFetch(`/api/me/sessions/${encodeURIComponent(id)}`, { method: "DELETE" });
-    consola38.success(`Session ${id} revoked. The device using it will need to \`apes login\` again on its next refresh.`);
+    consola40.success(`Session ${id} revoked. The device using it will need to \`apes login\` again on its next refresh.`);
   }
 });
 // src/commands/sessions/index.ts
-var sessionsCommand = defineCommand48({
+var sessionsCommand = defineCommand50({
   meta: {
     name: "sessions",
     description: "Manage your active refresh-token sessions across devices"
@@ -5936,10 +6186,10 @@ var sessionsCommand = defineCommand48({
 });
 // src/commands/dns-check.ts
-import { defineCommand as defineCommand49 } from "citty";
-import consola39 from "consola";
+import { defineCommand as defineCommand51 } from "citty";
+import consola41 from "consola";
 import { resolveDDISA as resolveDDISA3 } from "@openape/core";
-var dnsCheckCommand = defineCommand49({
+var dnsCheckCommand = defineCommand51({
   meta: {
     name: "dns-check",
     description: "Validate DDISA DNS TXT records for a domain"
@@ -5953,7 +6203,7 @@ var dnsCheckCommand = defineCommand49({
   },
   async run({ args }) {
     const domain = args.domain;
-    consola39.start(`Checking _ddisa.${domain}...`);
+    consola41.start(`Checking _ddisa.${domain}...`);
     try {
       const result = await resolveDDISA3(domain);
       if (!result) {
@@ -5962,7 +6212,7 @@ var dnsCheckCommand = defineCommand49({
         console.log(`  _ddisa.${domain} TXT "v=ddisa1 idp=https://id.${domain}"`);
         throw new CliError(`No DDISA record found for ${domain}`);
       }
-      consola39.success(`_ddisa.${domain} \u2192 ${result.idp}`);
+      consola41.success(`_ddisa.${domain} \u2192 ${result.idp}`);
       console.log("");
       console.log(`  Version:  ${result.version || "ddisa1"}`);
       console.log(`  IdP URL:  ${result.idp}`);
@@ -5971,14 +6221,14 @@ var dnsCheckCommand = defineCommand49({
       if (result.priority !== void 0)
         console.log(`  Priority: ${result.priority}`);
       console.log("");
-      consola39.start(`Verifying IdP at ${result.idp}...`);
+      consola41.start(`Verifying IdP at ${result.idp}...`);
       const discoResp = await fetch(`${result.idp}/.well-known/openid-configuration`);
       if (!discoResp.ok) {
-        consola39.warn(`IdP discovery failed (${discoResp.status}). Is the IdP running at ${result.idp}?`);
+        consola41.warn(`IdP discovery failed (${discoResp.status}). Is the IdP running at ${result.idp}?`);
         return;
       }
       const disco = await discoResp.json();
-      consola39.success(`IdP is reachable`);
+      consola41.success(`IdP is reachable`);
       console.log(`  Issuer:   ${disco.issuer}`);
       console.log(`  DDISA:    v${disco.ddisa_version || "?"}`);
       if (disco.ddisa_auth_methods_supported) {
@@ -5996,7 +6246,7 @@ var dnsCheckCommand = defineCommand49({
 // src/commands/health.ts
 import { exec } from "child_process";
 import { promisify } from "util";
-import { defineCommand as defineCommand50 } from "citty";
+import { defineCommand as defineCommand52 } from "citty";
 var execAsync = promisify(exec);
 async function resolveApeShellPath() {
   try {
@@ -6032,7 +6282,7 @@ async function bestEffortGrantCount(idp) {
   }
 }
 async function runHealth(args) {
-  const version = true ? "1.4.0" : "0.0.0";
+  const version = true ? "1.6.0" : "0.0.0";
   const auth = loadAuth();
   if (!auth) {
     throw new CliError("Not logged in. Run `apes login` first.", 1);
@@ -6095,7 +6345,7 @@ async function runHealth(args) {
     throw new CliError(`IdP ${auth.idp} unreachable: ${idpProbe.error}`, 1);
   }
 }
-var healthCommand = defineCommand50({
+var healthCommand = defineCommand52({
   meta: {
     name: "health",
     description: "Report CLI diagnostic state (auth, IdP, grants, binaries)"
@@ -6113,8 +6363,8 @@ var healthCommand = defineCommand50({
 });
 // src/commands/workflows.ts
-import { defineCommand as defineCommand51 } from "citty";
-import consola40 from "consola";
+import { defineCommand as defineCommand53 } from "citty";
+import consola42 from "consola";
 // src/guides/index.ts
 var guides = [
@@ -6164,7 +6414,7 @@ var guides = [
 ];
 // src/commands/workflows.ts
-var workflowsCommand = defineCommand51({
+var workflowsCommand = defineCommand53({
   meta: {
     name: "workflows",
     description: "Discover workflow guides"
@@ -6185,7 +6435,7 @@ var workflowsCommand = defineCommand51({
     if (args.id) {
       const guide = guides.find((g) => g.id === String(args.id));
       if (!guide) {
-        consola40.info(`Available: ${guides.map((g) => g.id).join(", ")}`);
+        consola42.info(`Available: ${guides.map((g) => g.id).join(", ")}`);
         throw new CliError(`Guide not found: ${args.id}`);
       }
       if (args.json) {
@@ -6225,26 +6475,26 @@ var workflowsCommand = defineCommand51({
 });
 // src/version-check.ts
-import { existsSync as existsSync15, mkdirSync as mkdirSync5, readFileSync as readFileSync13, writeFileSync as writeFileSync9 } from "fs";
-import { homedir as homedir12 } from "os";
-import { join as join12 } from "path";
-import consola41 from "consola";
+import { existsSync as existsSync17, mkdirSync as mkdirSync6, readFileSync as readFileSync14, writeFileSync as writeFileSync10 } from "fs";
+import { homedir as homedir13 } from "os";
+import { join as join14 } from "path";
+import consola43 from "consola";
 var PACKAGE_NAME = "@openape/apes";
 var CACHE_TTL_MS = 24 * 60 * 60 * 1e3;
-var CACHE_FILE = join12(homedir12(), ".config", "apes", ".version-check.json");
+var CACHE_FILE = join14(homedir13(), ".config", "apes", ".version-check.json");
 function readCache() {
-  if (!existsSync15(CACHE_FILE)) return null;
+  if (!existsSync17(CACHE_FILE)) return null;
   try {
-    return JSON.parse(readFileSync13(CACHE_FILE, "utf-8"));
+    return JSON.parse(readFileSync14(CACHE_FILE, "utf-8"));
   } catch {
     return null;
   }
 }
 function writeCache(entry) {
   try {
-    const dir = join12(homedir12(), ".config", "apes");
-    if (!existsSync15(dir)) mkdirSync5(dir, { recursive: true, mode: 448 });
-    writeFileSync9(CACHE_FILE, JSON.stringify(entry), { mode: 384 });
+    const dir = join14(homedir13(), ".config", "apes");
+    if (!existsSync17(dir)) mkdirSync6(dir, { recursive: true, mode: 448 });
+    writeFileSync10(CACHE_FILE, JSON.stringify(entry), { mode: 384 });
   } catch {
   }
 }
@@ -6273,7 +6523,7 @@ async function fetchLatestVersion() {
 }
 function warnIfBehind(currentVersion, latest) {
   if (compareSemver(currentVersion, latest) < 0) {
-    consola41.warn(
+    consola43.warn(
       `apes ${currentVersion} is behind latest @openape/apes@${latest}. Run \`npm i -g @openape/apes@latest\` to update. (Suppress with APES_NO_UPDATE_CHECK=1.)`
     );
   }
@@ -6305,10 +6555,10 @@ if (shellRewrite) {
   if (shellRewrite.action === "rewrite") {
     process.argv = shellRewrite.argv;
   } else if (shellRewrite.action === "version") {
-    console.log(`ape-shell ${"1.4.0"} (OpenApe DDISA shell wrapper)`);
+    console.log(`ape-shell ${"1.6.0"} (OpenApe DDISA shell wrapper)`);
     process.exit(0);
   } else if (shellRewrite.action === "help") {
-    console.log(`ape-shell ${"1.4.0"} \u2014 OpenApe DDISA shell wrapper`);
+    console.log(`ape-shell ${"1.6.0"} \u2014 OpenApe DDISA shell wrapper`);
     console.log("");
     console.log("Usage:");
     console.log("  ape-shell                 Start interactive grant-mediated REPL");
@@ -6332,7 +6582,7 @@ if (shellRewrite) {
   }
 }
 var debug = process.argv.includes("--debug");
-var grantsCommand = defineCommand52({
+var grantsCommand = defineCommand54({
   meta: {
     name: "grants",
     description: "Grant management"
@@ -6353,7 +6603,7 @@ var grantsCommand = defineCommand52({
     "delegation-revoke": delegationRevokeCommand
   }
 });
-var configCommand = defineCommand52({
+var configCommand = defineCommand54({
   meta: {
     name: "config",
     description: "Configuration management"
@@ -6363,10 +6613,10 @@ var configCommand = defineCommand52({
     set: configSetCommand
   }
 });
-var main = defineCommand52({
+var main = defineCommand54({
   meta: {
     name: "apes",
-    version: "1.4.0",
+    version: "1.6.0",
     description: "Unified CLI for OpenApe"
   },
   subCommands: {
@@ -6422,20 +6672,20 @@ async function maybeRefreshAuth() {
   }
 }
 await maybeRefreshAuth();
-await maybeWarnStaleVersion("1.4.0").catch(() => {
+await maybeWarnStaleVersion("1.6.0").catch(() => {
 });
 runMain(main).catch((err) => {
   if (err instanceof CliExit) {
     process.exit(err.exitCode);
   }
   if (err instanceof CliError) {
-    consola42.error(err.message);
+    consola44.error(err.message);
     process.exit(err.exitCode);
   }
   if (debug) {
-    consola42.error(err);
+    consola44.error(err);
   } else {
-    consola42.error(err instanceof ApiError ? err.message : err instanceof Error ? err.message : String(err));
+    consola44.error(err instanceof ApiError ? err.message : err instanceof Error ? err.message : String(err));
   }
   process.exit(1);
 });