@openape/apes 1.5.0 → 1.6.1

package/dist/cli.js

@@ -63,7 +63,7 @@ import {
 } from "./chunk-OBF7IMQ2.js";
 
 // src/cli.ts
-import consola43 from "consola";
+import consola44 from "consola";
 
 // src/ape-shell.ts
 import path from "path";
@@ -93,7 +93,7 @@ function rewriteApeShellArgs(argv, argv0) {
 }
 
 // src/cli.ts
-import { defineCommand as defineCommand53, runMain } from "citty";
+import { defineCommand as defineCommand54, runMain } from "citty";
 
 // src/commands/auth/login.ts
 import { Buffer as Buffer2 } from "buffer";
@@ -379,7 +379,7 @@ async function loginWithPKCE(idp) {
   consola2.success(`Logged in as ${payload.email || payload.sub}`);
 }
 async function loginWithKey(idp, keyPath, agentEmail) {
-  const { readFileSync: readFileSync14 } = await import("fs");
+  const { readFileSync: readFileSync15 } = await import("fs");
   const { sign: sign3 } = await import("crypto");
   const { loadEd25519PrivateKey: loadEd25519PrivateKey2 } = await import("./ssh-key-YBNNG5K5.js");
   const challengeUrl = await getAgentChallengeEndpoint(idp);
@@ -392,7 +392,7 @@ async function loginWithKey(idp, keyPath, agentEmail) {
     throw new CliError(`Challenge failed: ${await challengeResp.text()}`);
   }
   const { challenge } = await challengeResp.json();
-  const keyContent = readFileSync14(keyPath, "utf-8");
+  const keyContent = readFileSync15(keyPath, "utf-8");
   const privateKey = loadEd25519PrivateKey2(keyContent);
   const signature = sign3(null, Buffer2.from(challenge), privateKey).toString("base64");
   const authenticateUrl = await getAgentAuthenticateEndpoint(idp);
@@ -3918,71 +3918,193 @@ var agentsCommand = defineCommand28({
 });
 
 // src/commands/nest/index.ts
-import { defineCommand as defineCommand33 } from "citty";
+import { defineCommand as defineCommand34 } from "citty";
 
 // src/commands/nest/authorize.ts
-import { execFileSync as execFileSync9 } from "child_process";
+import { existsSync as existsSync11, readFileSync as readFileSync10 } from "fs";
+import { join as join9 } from "path";
+import { defineCommand as defineCommand30 } from "citty";
+import consola26 from "consola";
+
+// src/commands/nest/enroll.ts
+import { hostname as hostname4, homedir as homedir10 } from "os";
+import { existsSync as existsSync10, mkdirSync as mkdirSync4, writeFileSync as writeFileSync6, chmodSync } from "fs";
+import { join as join8 } from "path";
 import { defineCommand as defineCommand29 } from "citty";
 import consola25 from "consola";
-var authorizeNestCommand = defineCommand29({
+var NEST_DATA_DIR = join8(homedir10(), ".openape", "nest");
+function nestAgentName() {
+  const raw = hostname4().toLowerCase();
+  const head = raw.split(".")[0] ?? raw;
+  const safe = head.replace(/[^a-z0-9-]/g, "-").replace(/-+/g, "-").replace(/^-+|-+$/g, "");
+  const trimmed = safe.slice(0, 16);
+  return `nest-${trimmed || "host"}`;
+}
+var enrollNestCommand = defineCommand29({
   meta: {
-    name: "authorize",
-    description: "Request the always-capability-grant the nest needs for zero-prompt spawn/destroy"
+    name: "enroll",
+    description: "Register the local nest as a DDISA agent at the IdP. One-time per machine. Required before `apes nest authorize` so YOLO-policies have a target identity."
   },
   args: {
-    "reason": {
+    name: {
       type: "string",
-      description: "Reason shown in the DDISA approval UI"
+      description: "Override the nest agent name (default: nest-<short-hostname>)"
     },
-    "wait": {
+    force: {
       type: "boolean",
-      description: "Block until the grant is approved (default: print URL + exit 0)"
+      description: "Re-enroll even if ~/.openape/nest/.config/apes/auth.json already exists"
     }
   },
   async run({ args }) {
-    const reason = args.reason ?? "nest-managed agent lifecycle (spawn / destroy / sync) \u2014 approve as Always";
-    consola25.info("Requesting capability-grant for `apes-agents` (selector name=* covers all agent names)...");
+    const idp = getIdpUrl();
+    if (!idp) {
+      throw new CliError("No IdP configured. Run `apes login <email>` first.");
+    }
+    const ownerAuth = loadAuth();
+    if (!ownerAuth?.email) {
+      throw new CliError("Run `apes login <email>` first \u2014 nest enroll attaches the new identity to your owner account.");
+    }
+    const name = args.name || nestAgentName();
+    const authPath = join8(NEST_DATA_DIR, ".config", "apes", "auth.json");
+    if (existsSync10(authPath) && !args.force) {
+      throw new CliError(`Nest already enrolled at ${authPath}. Pass --force to re-enroll.`);
+    }
+    const sshDir = join8(NEST_DATA_DIR, ".ssh");
+    const configDir = join8(NEST_DATA_DIR, ".config", "apes");
+    mkdirSync4(sshDir, { recursive: true });
+    mkdirSync4(configDir, { recursive: true });
+    consola25.start(`Generating keypair for ${name}\u2026`);
+    const { privatePem, publicSshLine } = generateKeyPairInMemory();
+    writeFileSync6(join8(sshDir, "id_ed25519"), `${privatePem.trimEnd()}
+`, { mode: 384 });
+    writeFileSync6(join8(sshDir, "id_ed25519.pub"), `${publicSshLine}
+`, { mode: 420 });
+    chmodSync(sshDir, 448);
+    consola25.start(`Registering nest at ${idp}\u2026`);
+    const registration = await registerAgentAtIdp({ name, publicKey: publicSshLine, idp });
+    consola25.success(`Registered as ${registration.email}`);
+    consola25.start("Issuing nest access token\u2026");
+    const { token, expiresIn } = await issueAgentToken({
+      idp,
+      agentEmail: registration.email,
+      privateKeyPem: privatePem
+    });
+    const authJson = buildAgentAuthJson({
+      idp,
+      accessToken: token,
+      email: registration.email,
+      expiresAt: Math.floor(Date.now() / 1e3) + expiresIn,
+      keyPath: join8(sshDir, "id_ed25519"),
+      ownerEmail: ownerAuth.email
+    });
+    writeFileSync6(authPath, authJson, { mode: 384 });
+    chmodSync(configDir, 448);
+    consola25.success(`Nest enrolled \u2014 auth.json at ${authPath}`);
     consola25.info("");
-    consola25.info("When the IdP approval page opens, choose **Always** so the nest can re-use the grant on every spawn.");
+    consola25.info("Next: configure the YOLO-policy so the nest can spawn/destroy without prompts:");
     consola25.info("");
-    const cmdArgs = [
-      "grants",
-      "request-capability",
-      "apes-agents",
-      "--resource",
-      "agents:*",
-      "--selector",
-      "name=*",
-      "--action",
-      "create",
-      "--action",
-      "delete",
-      "--action",
-      "edit",
-      "--action",
-      "list",
-      "--approval=always",
-      "--reason",
-      reason,
-      "--run-as",
-      "root"
-    ];
-    if (args.wait) cmdArgs.push("--wait");
-    try {
-      execFileSync9("apes", cmdArgs, { stdio: "inherit" });
-    } catch (err) {
-      throw new Error(err instanceof Error ? err.message : String(err));
+    consola25.info("  apes nest authorize");
+  }
+});
+
+// src/commands/nest/authorize.ts
+var DEFAULT_ALLOW_PATTERNS = [
+  // Outer spawn-grant — what the nest's HTTP handler invokes.
+  "apes agents spawn *",
+  "apes agents destroy *",
+  "apes agents sync",
+  // Inner setup.sh-grant — `apes agents spawn` itself shells out to
+  // `apes run --as root --wait -- bash <tempdir>/setup.sh` to do the
+  // dscl/launchctl/heredoc-write work. Path looks like
+  // `bash /var/folders/.../apes-spawn-<name>-XXXX/setup.sh`. The narrow
+  // glob below limits the auto-approval to that exact lifecycle path
+  // — `bash *` would be unsafe.
+  "bash *apes-spawn-*setup.sh",
+  // Bridge invocation the nest's process supervisor uses (Stage 1
+  // supervisor work). Intentionally precise — not a generic
+  // `apes run --as *` wildcard — so a compromised nest can't pivot
+  // to running arbitrary commands as arbitrary users.
+  "apes run --as * -- openape-chat-bridge"
+];
+var authorizeNestCommand = defineCommand30({
+  meta: {
+    name: "authorize",
+    description: "Set the YOLO-policy that lets the local nest spawn/destroy without per-call DDISA prompts"
+  },
+  args: {
+    "allow": {
+      type: "string",
+      description: "Override allow_patterns (comma-separated globs). Default: nest-managed agent lifecycle."
+    },
+    "mode": {
+      type: "string",
+      description: "Policy mode (allow-list | deny-list). Default: allow-list \u2014 auto-approve only matched patterns."
+    },
+    "expires-in": {
+      type: "string",
+      description: "Optional duration like 30d, 6h. Omit for no expiry."
+    }
+  },
+  async run({ args }) {
+    const ownerAuth = loadAuth();
+    if (!ownerAuth?.email || !ownerAuth.access_token) {
+      throw new CliError("Run `apes login <email>` first \u2014 only the nest's owner can set its YOLO-policy.");
+    }
+    const nestAuthPath = join9(NEST_DATA_DIR, ".config", "apes", "auth.json");
+    if (!existsSync11(nestAuthPath)) {
+      throw new CliError("Nest not enrolled. Run `apes nest enroll` first.");
+    }
+    const nestAuth = JSON.parse(readFileSync10(nestAuthPath, "utf8"));
+    if (!nestAuth.email) throw new CliError(`${nestAuthPath} has no email`);
+    const idp = getIdpUrl();
+    if (!idp) throw new CliError("No IdP configured.");
+    const allowPatterns = typeof args.allow === "string" && args.allow ? args.allow.split(",").map((s) => s.trim()).filter(Boolean) : DEFAULT_ALLOW_PATTERNS;
+    const mode = args.mode ?? "allow-list";
+    const expiresAt = parseExpiresIn(args["expires-in"]);
+    consola26.info(`Setting YOLO-policy on ${nestAuth.email}`);
+    consola26.info(`  mode:           ${mode}`);
+    consola26.info(`  allow_patterns:`);
+    for (const p of allowPatterns) consola26.info(`    - ${p}`);
+    if (expiresAt) consola26.info(`  expires_at:     ${new Date(expiresAt * 1e3).toISOString()}`);
+    const url = `${idp}/api/users/${encodeURIComponent(nestAuth.email)}/yolo-policy`;
+    const res = await fetch(url, {
+      method: "PUT",
+      headers: {
+        "Authorization": `Bearer ${ownerAuth.access_token}`,
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({
+        mode,
+        allowPatterns,
+        denyPatterns: [],
+        expiresAt: expiresAt ?? null
+      })
+    });
+    if (!res.ok) {
+      const text = await res.text().catch(() => "");
+      throw new CliError(`PUT /yolo-policy failed (${res.status}): ${text}`);
     }
+    consola26.success("YOLO-policy applied. Nest-driven agent lifecycle is now zero-prompt.");
+    consola26.info("Test: apes agents spawn <name> via the nest API \u2192 no DDISA prompt.");
   }
 });
+function parseExpiresIn(s) {
+  if (!s) return null;
+  const m = s.match(/^(\d+)([hdw])$/);
+  if (!m) throw new CliError(`Invalid --expires-in "${s}" \u2014 expected forms like 30d, 6h, 2w`);
+  const n = Number(m[1]);
+  const unit = m[2];
+  const seconds = unit === "h" ? 3600 : unit === "d" ? 86400 : 7 * 86400;
+  return Math.floor(Date.now() / 1e3) + n * seconds;
+}
 
 // src/commands/nest/install.ts
-import { execFileSync as execFileSync10 } from "child_process";
-import { existsSync as existsSync10, mkdirSync as mkdirSync4, readFileSync as readFileSync10, writeFileSync as writeFileSync6 } from "fs";
-import { homedir as homedir10, userInfo as userInfo2 } from "os";
-import { dirname as dirname3, join as join8 } from "path";
-import { defineCommand as defineCommand30 } from "citty";
-import consola26 from "consola";
+import { execFileSync as execFileSync9 } from "child_process";
+import { existsSync as existsSync12, mkdirSync as mkdirSync5, readFileSync as readFileSync11, writeFileSync as writeFileSync7 } from "fs";
+import { homedir as homedir11, userInfo as userInfo2 } from "os";
+import { dirname as dirname3, join as join10 } from "path";
+import { defineCommand as defineCommand31 } from "citty";
+import consola27 from "consola";
 
 // src/commands/nest/apes-agents-adapter.ts
 var APES_AGENTS_ADAPTER_TOML = `schema = "openape-shapes/v1"
@@ -4049,13 +4171,13 @@ resource_chain = ["agents:name={name}", "allowlist:email={peer_email}"]
 // src/commands/nest/install.ts
 var PLIST_LABEL = "ai.openape.nest";
 function plistPath() {
-  return join8(homedir10(), "Library", "LaunchAgents", `${PLIST_LABEL}.plist`);
+  return join10(homedir11(), "Library", "LaunchAgents", `${PLIST_LABEL}.plist`);
 }
 function escape2(s) {
   return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
 }
 function buildPlist(args) {
-  const logsDir = join8(args.homeDir, "Library", "Logs");
+  const logsDir = join10(args.userHome, "Library", "Logs");
   return `<?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
@@ -4067,7 +4189,7 @@ function buildPlist(args) {
     <string>${escape2(args.nestBin)}</string>
   </array>
   <key>WorkingDirectory</key>
-  <string>${escape2(args.homeDir)}</string>
+  <string>${escape2(args.nestHome)}</string>
   <key>RunAtLoad</key>
   <true/>
   <key>KeepAlive</key>
@@ -4076,8 +4198,8 @@ function buildPlist(args) {
   <integer>10</integer>
   <key>EnvironmentVariables</key>
   <dict>
-    <key>HOME</key><string>${escape2(args.homeDir)}</string>
-    <key>PATH</key><string>${escape2(args.homeDir)}/.bun/bin:/opt/homebrew/bin:/usr/local/bin:/usr/bin:/bin</string>
+    <key>HOME</key><string>${escape2(args.nestHome)}</string>
+    <key>PATH</key><string>${escape2(args.userHome)}/.bun/bin:/opt/homebrew/bin:/usr/local/bin:/usr/bin:/bin</string>
     <key>OPENAPE_NEST_PORT</key><string>${args.port}</string>
     <key>OPENAPE_APES_BIN</key><string>${escape2(args.apesBin)}</string>
   </dict>
@@ -4090,31 +4212,31 @@ function buildPlist(args) {
 `;
 }
 function installAdapter2() {
-  const target = join8(homedir10(), ".openape", "shapes", "adapters", "apes-agents.toml");
-  mkdirSync4(dirname3(target), { recursive: true });
+  const target = join10(homedir11(), ".openape", "shapes", "adapters", "apes-agents.toml");
+  mkdirSync5(dirname3(target), { recursive: true });
   let existing = "";
   try {
-    existing = readFileSync10(target, "utf8");
+    existing = readFileSync11(target, "utf8");
   } catch {
   }
   if (existing === APES_AGENTS_ADAPTER_TOML) return false;
-  writeFileSync6(target, APES_AGENTS_ADAPTER_TOML, { mode: 420 });
-  consola26.success(`Wrote shapes adapter ${target}`);
+  writeFileSync7(target, APES_AGENTS_ADAPTER_TOML, { mode: 420 });
+  consola27.success(`Wrote shapes adapter ${target}`);
   return true;
 }
 function findBinary(name) {
   for (const dir of [
-    join8(homedir10(), ".bun", "bin"),
+    join10(homedir11(), ".bun", "bin"),
     "/opt/homebrew/bin",
     "/usr/local/bin",
     "/usr/bin"
   ]) {
-    const p = join8(dir, name);
-    if (existsSync10(p)) return p;
+    const p = join10(dir, name);
+    if (existsSync12(p)) return p;
   }
   throw new Error(`could not locate ${name} on PATH; install it first`);
 }
-var installNestCommand = defineCommand30({
+var installNestCommand = defineCommand31({
   meta: {
     name: "install",
     description: "Install + start the local nest-daemon (idempotent \u2014 re-running just restarts)"
@@ -4126,54 +4248,55 @@ var installNestCommand = defineCommand30({
     }
   },
   async run({ args }) {
-    const homeDir = homedir10();
+    const homeDir = homedir11();
     const port = Number(args.port ?? 9091);
     if (!Number.isInteger(port) || port < 1024 || port > 65535) {
       throw new Error(`invalid port ${port}`);
     }
     const nestBin = findBinary("openape-nest");
     const apesBin = findBinary("apes");
-    consola26.info(`Installing nest at ${plistPath()}`);
-    consola26.info(`  nest binary: ${nestBin}`);
-    consola26.info(`  apes binary: ${apesBin}`);
-    consola26.info(`  HTTP port:   ${port}`);
+    consola27.info(`Installing nest at ${plistPath()}`);
+    consola27.info(`  nest binary: ${nestBin}`);
+    consola27.info(`  apes binary: ${apesBin}`);
+    consola27.info(`  HTTP port:   ${port}`);
     installAdapter2();
-    mkdirSync4(join8(homeDir, "Library", "LaunchAgents"), { recursive: true });
-    const desired = buildPlist({ nestBin, apesBin, homeDir, port });
+    mkdirSync5(join10(homeDir, "Library", "LaunchAgents"), { recursive: true });
+    mkdirSync5(NEST_DATA_DIR, { recursive: true });
+    const desired = buildPlist({ nestBin, apesBin, userHome: homeDir, nestHome: NEST_DATA_DIR, port });
     let existing = "";
     try {
-      existing = readFileSync10(plistPath(), "utf8");
+      existing = readFileSync11(plistPath(), "utf8");
     } catch {
     }
     if (existing !== desired) {
-      writeFileSync6(plistPath(), desired, { mode: 420 });
-      consola26.success("Wrote launchd plist");
+      writeFileSync7(plistPath(), desired, { mode: 420 });
+      consola27.success("Wrote launchd plist");
     } else {
-      consola26.info("plist already up to date");
+      consola27.info("plist already up to date");
     }
     const uid = userInfo2().uid;
     try {
-      execFileSync10("/bin/launchctl", ["bootout", `gui/${uid}/${PLIST_LABEL}`], { stdio: "ignore" });
+      execFileSync9("/bin/launchctl", ["bootout", `gui/${uid}/${PLIST_LABEL}`], { stdio: "ignore" });
     } catch {
     }
-    execFileSync10("/bin/launchctl", ["bootstrap", `gui/${uid}`, plistPath()], { stdio: "inherit" });
-    consola26.success(`Nest daemon bootstrapped \u2014 http://127.0.0.1:${port}`);
-    consola26.info("");
-    consola26.info("Next: request the capability-grant that lets the nest spawn/destroy any agent without per-call approval:");
-    consola26.info("");
-    consola26.info("  apes nest authorize");
-    consola26.info("");
-    consola26.info("That requests an `apes-agents` capability-grant covering all agent names (selector glob `name=*`)");
-    consola26.info("from your DDISA inbox; approve it once as `always` and the nest API runs silently from then on.");
+    execFileSync9("/bin/launchctl", ["bootstrap", `gui/${uid}`, plistPath()], { stdio: "inherit" });
+    consola27.success(`Nest daemon bootstrapped \u2014 http://127.0.0.1:${port}`);
+    consola27.info("");
+    consola27.info("Next steps for zero-prompt spawn \u2014 both one-time:");
+    consola27.info("");
+    consola27.info("  1. apes nest enroll       # register nest as DDISA agent (creates own auth.json)");
+    consola27.info("  2. apes nest authorize    # set YOLO-policy on the nest agent");
+    consola27.info("");
+    consola27.info("After that, every `POST http://127.0.0.1:9091/agents` runs without DDISA prompts.");
   }
 });
 
 // src/commands/nest/status.ts
 import process2 from "process";
-import { defineCommand as defineCommand31 } from "citty";
-import consola27 from "consola";
+import { defineCommand as defineCommand32 } from "citty";
+import consola28 from "consola";
 var DEFAULT_PORT = 9091;
-var statusNestCommand = defineCommand31({
+var statusNestCommand = defineCommand32({
   meta: {
     name: "status",
     description: "Print state of the local nest-daemon (agents registered, processes supervised)"
@@ -4193,8 +4316,8 @@ var statusNestCommand = defineCommand31({
     } catch (err) {
       const msg = err instanceof Error ? err.message : String(err);
       if (msg.includes("ECONNREFUSED") || msg.includes("fetch failed")) {
-        consola27.error(`Nest daemon is not running at http://127.0.0.1:${port}`);
-        consola27.info("  Run:  apes nest install");
+        consola28.error(`Nest daemon is not running at http://127.0.0.1:${port}`);
+        consola28.info("  Run:  apes nest install");
         process2.exit(2);
       }
       throw err;
@@ -4203,15 +4326,15 @@ var statusNestCommand = defineCommand31({
       console.log(JSON.stringify(status, null, 2));
       return;
     }
-    consola27.info(`Nest at http://127.0.0.1:${port} \u2014 ${status.agents} agent(s) registered, ${status.processes.length} supervised`);
+    consola28.info(`Nest at http://127.0.0.1:${port} \u2014 ${status.agents} agent(s) registered, ${status.processes.length} supervised`);
     if (status.processes.length === 0) {
-      consola27.info("  (no processes running)");
+      consola28.info("  (no processes running)");
       return;
     }
     for (const p of status.processes) {
       const uptime = humanDuration(p.uptimeSec);
       const crashTag = p.consecutiveCrashes > 0 ? ` \u26A0 ${p.consecutiveCrashes} crash(es)` : "";
-      consola27.info(`  ${p.name.padEnd(16)} pid=${String(p.pid).padEnd(6)} up=${uptime}${crashTag}`);
+      consola28.info(`  ${p.name.padEnd(16)} pid=${String(p.pid).padEnd(6)} up=${uptime}${crashTag}`);
     }
   }
 });
@@ -4223,43 +4346,44 @@ function humanDuration(sec) {
 }
 
 // src/commands/nest/uninstall.ts
-import { execFileSync as execFileSync11 } from "child_process";
-import { existsSync as existsSync11, unlinkSync } from "fs";
-import { homedir as homedir11, userInfo as userInfo3 } from "os";
-import { join as join9 } from "path";
-import { defineCommand as defineCommand32 } from "citty";
-import consola28 from "consola";
+import { execFileSync as execFileSync10 } from "child_process";
+import { existsSync as existsSync13, unlinkSync } from "fs";
+import { homedir as homedir12, userInfo as userInfo3 } from "os";
+import { join as join11 } from "path";
+import { defineCommand as defineCommand33 } from "citty";
+import consola29 from "consola";
 var PLIST_LABEL2 = "ai.openape.nest";
-var uninstallNestCommand = defineCommand32({
+var uninstallNestCommand = defineCommand33({
   meta: {
     name: "uninstall",
     description: "Stop + remove the local nest-daemon (registry + agents preserved)"
   },
   async run() {
     const uid = userInfo3().uid;
-    const path2 = join9(homedir11(), "Library", "LaunchAgents", `${PLIST_LABEL2}.plist`);
+    const path2 = join11(homedir12(), "Library", "LaunchAgents", `${PLIST_LABEL2}.plist`);
     try {
-      execFileSync11("/bin/launchctl", ["bootout", `gui/${uid}/${PLIST_LABEL2}`], { stdio: "ignore" });
-      consola28.success("Nest daemon stopped");
+      execFileSync10("/bin/launchctl", ["bootout", `gui/${uid}/${PLIST_LABEL2}`], { stdio: "ignore" });
+      consola29.success("Nest daemon stopped");
     } catch {
-      consola28.info("Nest daemon was not loaded");
+      consola29.info("Nest daemon was not loaded");
     }
-    if (existsSync11(path2)) {
+    if (existsSync13(path2)) {
       unlinkSync(path2);
-      consola28.success(`Removed ${path2}`);
+      consola29.success(`Removed ${path2}`);
     }
-    consola28.info("Registry at ~/.openape/nest/agents.json kept \u2014 re-run `apes nest install` to resume supervision.");
+    consola29.info("Registry at ~/.openape/nest/agents.json kept \u2014 re-run `apes nest install` to resume supervision.");
   }
 });
 
 // src/commands/nest/index.ts
-var nestCommand = defineCommand33({
+var nestCommand = defineCommand34({
   meta: {
     name: "nest",
-    description: "Manage the local Nest control-plane daemon (install, authorize, status, uninstall). The Nest hosts agents on this computer \u2014 once installed + authorized, `apes agents spawn` is fast (no per-spawn DDISA approvals) and per-agent launchd plists are replaced by a single supervised process tree."
+    description: "Manage the local Nest control-plane daemon (install / enroll / authorize / status / uninstall). One-time setup: `install` (launchd) \u2192 `enroll` (own DDISA identity) \u2192 `authorize` (YOLO-policy). After that, `apes agents spawn` runs without per-call DDISA approvals."
   },
   subCommands: {
     install: installNestCommand,
+    enroll: enrollNestCommand,
     authorize: authorizeNestCommand,
     status: statusNestCommand,
     uninstall: uninstallNestCommand
@@ -4267,15 +4391,15 @@ var nestCommand = defineCommand33({
 });
 
 // src/commands/adapter/index.ts
-import { defineCommand as defineCommand34 } from "citty";
-import consola29 from "consola";
-var adapterCommand = defineCommand34({
+import { defineCommand as defineCommand35 } from "citty";
+import consola30 from "consola";
+var adapterCommand = defineCommand35({
   meta: {
     name: "adapter",
     description: "Manage CLI adapters"
   },
   subCommands: {
-    list: defineCommand34({
+    list: defineCommand35({
       meta: {
         name: "list",
         description: "List available adapters"
@@ -4306,7 +4430,7 @@ var adapterCommand = defineCommand34({
 `);
             return;
           }
-          consola29.info(`Registry: ${index2.adapters.length} adapters (${index2.generated_at})`);
+          consola30.info(`Registry: ${index2.adapters.length} adapters (${index2.generated_at})`);
           for (const a of index2.adapters) {
             const installed = isInstalled(a.id, false) ? " [installed]" : "";
             console.log(`  ${a.id.padEnd(12)} ${a.name.padEnd(24)} ${a.category}${installed}`);
@@ -4328,7 +4452,7 @@ var adapterCommand = defineCommand34({
           return;
         }
         if (local.length === 0) {
-          consola29.info("No adapters installed. Use `apes adapter list --remote` to see available adapters.");
+          consola30.info("No adapters installed. Use `apes adapter list --remote` to see available adapters.");
           return;
         }
         for (const a of local) {
@@ -4336,7 +4460,7 @@ var adapterCommand = defineCommand34({
         }
       }
     }),
-    install: defineCommand34({
+    install: defineCommand35({
       meta: {
         name: "install",
         description: "Install an adapter from the registry"
@@ -4365,24 +4489,24 @@ var adapterCommand = defineCommand34({
         for (const id of ids) {
           const entry = findAdapter(index, id);
           if (!entry) {
-            consola29.error(`Adapter "${id}" not found in registry. Use \`apes adapter search ${id}\` to search.`);
+            consola30.error(`Adapter "${id}" not found in registry. Use \`apes adapter search ${id}\` to search.`);
             continue;
           }
           const conflicts = findConflictingAdapters(entry.executable, id);
           if (conflicts.length > 0) {
             for (const c of conflicts) {
-              consola29.warn(`Conflicting adapter found: ${c.path} (id: ${c.adapterId}, executable: ${c.executable})`);
-              consola29.warn(`  Remove it with: apes adapter remove ${c.adapterId}`);
+              consola30.warn(`Conflicting adapter found: ${c.path} (id: ${c.adapterId}, executable: ${c.executable})`);
+              consola30.warn(`  Remove it with: apes adapter remove ${c.adapterId}`);
             }
           }
           const result = await installAdapter(entry, { local });
           const verb = result.updated ? "Updated" : "Installed";
-          consola29.success(`${verb} ${result.id} \u2192 ${result.path}`);
-          consola29.info(`Digest: ${result.digest}`);
+          consola30.success(`${verb} ${result.id} \u2192 ${result.path}`);
+          consola30.info(`Digest: ${result.digest}`);
         }
       }
     }),
-    remove: defineCommand34({
+    remove: defineCommand35({
       meta: {
         name: "remove",
         description: "Remove an installed adapter"
@@ -4405,9 +4529,9 @@ var adapterCommand = defineCommand34({
         let failed = false;
         for (const id of ids) {
           if (removeAdapter(id, local)) {
-            consola29.success(`Removed adapter: ${id}`);
+            consola30.success(`Removed adapter: ${id}`);
           } else {
-            consola29.error(`Adapter "${id}" is not installed${local ? " locally" : ""}`);
+            consola30.error(`Adapter "${id}" is not installed${local ? " locally" : ""}`);
             failed = true;
           }
         }
@@ -4415,7 +4539,7 @@ var adapterCommand = defineCommand34({
           throw new CliError("Some adapters could not be removed");
       }
     }),
-    info: defineCommand34({
+    info: defineCommand35({
       meta: {
         name: "info",
         description: "Show detailed adapter information"
@@ -4457,7 +4581,7 @@ var adapterCommand = defineCommand34({
         }
       }
     }),
-    search: defineCommand34({
+    search: defineCommand35({
       meta: {
         name: "search",
         description: "Search adapters in the registry"
@@ -4489,7 +4613,7 @@ var adapterCommand = defineCommand34({
           return;
         }
         if (results.length === 0) {
-          consola29.info(`No adapters matching "${query}"`);
+          consola30.info(`No adapters matching "${query}"`);
           return;
         }
         for (const a of results) {
@@ -4498,7 +4622,7 @@ var adapterCommand = defineCommand34({
         }
       }
     }),
-    update: defineCommand34({
+    update: defineCommand35({
       meta: {
         name: "update",
         description: "Update installed adapters"
@@ -4524,33 +4648,33 @@ var adapterCommand = defineCommand34({
         const targetId = args.id ? String(args.id) : void 0;
         const targets = targetId ? [targetId] : index.adapters.map((a) => a.id).filter((id) => isInstalled(id, false));
         if (targets.length === 0) {
-          consola29.info("No adapters installed to update.");
+          consola30.info("No adapters installed to update.");
           return;
         }
         for (const id of targets) {
           const entry = findAdapter(index, id);
           if (!entry) {
-            consola29.warn(`${id}: not found in registry, skipping`);
+            consola30.warn(`${id}: not found in registry, skipping`);
             continue;
           }
           const localDigest = getInstalledDigest(id, false);
           if (localDigest === entry.digest) {
-            consola29.info(`${id}: already up to date`);
+            consola30.info(`${id}: already up to date`);
             continue;
           }
           if (localDigest && !args.yes) {
-            consola29.warn(`${id}: digest will change \u2014 existing grants for this adapter will be invalidated`);
-            consola29.info(`  Old: ${localDigest}`);
-            consola29.info(`  New: ${entry.digest}`);
-            consola29.info("  Use --yes to confirm");
+            consola30.warn(`${id}: digest will change \u2014 existing grants for this adapter will be invalidated`);
+            consola30.info(`  Old: ${localDigest}`);
+            consola30.info(`  New: ${entry.digest}`);
+            consola30.info("  Use --yes to confirm");
             continue;
           }
           const result = await installAdapter(entry);
-          consola29.success(`Updated ${result.id} \u2192 ${result.path}`);
+          consola30.success(`Updated ${result.id} \u2192 ${result.path}`);
         }
       }
     }),
-    verify: defineCommand34({
+    verify: defineCommand35({
       meta: {
         name: "verify",
         description: "Verify installed adapter against registry digest"
@@ -4583,7 +4707,7 @@ var adapterCommand = defineCommand34({
         if (!localDigest)
           throw new Error(`Adapter "${id}" is not installed${local ? " locally" : ""}`);
         if (localDigest === entry.digest) {
-          consola29.success(`${id}: digest matches registry`);
+          consola30.success(`${id}: digest matches registry`);
         } else {
           console.log(`  Local:    ${localDigest}`);
           console.log(`  Registry: ${entry.digest}`);
@@ -4595,11 +4719,11 @@ var adapterCommand = defineCommand34({
 });
 
 // src/commands/run.ts
-import { execFileSync as execFileSync12 } from "child_process";
-import { hostname as hostname4 } from "os";
+import { execFileSync as execFileSync11 } from "child_process";
+import { hostname as hostname5 } from "os";
 import { basename } from "path";
-import { defineCommand as defineCommand35 } from "citty";
-import consola30 from "consola";
+import { defineCommand as defineCommand36 } from "citty";
+import consola31 from "consola";
 function shouldWaitForGrant(args) {
   return args.wait === true || process.env.APE_WAIT === "1";
 }
@@ -4636,7 +4760,7 @@ function printPendingGrantInfo(grant, idp) {
   const statusCmd = `apes grants status ${grant.id}`;
   const executeCmd = `apes grants run ${grant.id}`;
   if (mode === "human") {
-    consola30.success(`Grant ${grant.id} created \u2014 awaiting your approval`);
+    consola31.success(`Grant ${grant.id} created \u2014 awaiting your approval`);
     console.log(`  Approve in browser:  ${approveUrl}`);
     console.log(`  Check status:        ${statusCmd}`);
     console.log(`  Run after approval:  ${executeCmd}`);
@@ -4646,7 +4770,7 @@ function printPendingGrantInfo(grant, idp) {
     return;
   }
   const maxMin = getPollMaxMinutes();
-  consola30.success(`Grant ${grant.id} created (pending approval)`);
+  consola31.success(`Grant ${grant.id} created (pending approval)`);
   console.log(`  Approve:   ${approveUrl}`);
   console.log(`  Status:    ${statusCmd} [--json]`);
   console.log(`  Execute:   ${executeCmd} --wait`);
@@ -4668,7 +4792,7 @@ function printPendingGrantInfo(grant, idp) {
   console.log('  Tip: Approve as "timed" or "always" in the browser to let this');
   console.log("  grant be reused on subsequent invocations without re-approval.");
 }
-var runCommand = defineCommand35({
+var runCommand = defineCommand36({
   meta: {
     name: "run",
     description: "Execute a grant-secured command"
@@ -4757,7 +4881,7 @@ async function runShellMode(command, args) {
   const adapterHandled = await tryAdapterModeFromShell(command, idp, args);
   if (adapterHandled) return;
   const grantsUrl = await getGrantsEndpoint(idp);
-  const targetHost = args.host || hostname4();
+  const targetHost = args.host || hostname5();
   try {
     const grants = await apiFetch(
       `${grantsUrl}?requester=${encodeURIComponent(auth.email)}&status=approved&limit=20`
@@ -4771,7 +4895,7 @@ async function runShellMode(command, args) {
     }
   } catch {
   }
-  consola30.info(`Requesting ape-shell session grant on ${targetHost}`);
+  consola31.info(`Requesting ape-shell session grant on ${targetHost}`);
   const grant = await apiFetch(grantsUrl, {
     method: "POST",
     body: {
@@ -4791,8 +4915,8 @@ async function runShellMode(command, args) {
     host: targetHost
   });
   if (shouldWaitForGrant(args)) {
-    consola30.info(`Grant requested: ${grant.id}`);
-    consola30.info("Waiting for approval...");
+    consola31.info(`Grant requested: ${grant.id}`);
+    consola31.info("Waiting for approval...");
     const maxWait = 3e5;
     const interval = 3e3;
     const start = Date.now();
@@ -4823,13 +4947,13 @@ async function tryAdapterModeFromShell(command, idp, args) {
   try {
     resolved = await resolveCommand(loaded, [normalizedExecutable, ...parsed.argv]);
   } catch (err) {
-    consola30.debug(`ape-shell: adapter resolve failed for "${parsed.raw}":`, err);
+    consola31.debug(`ape-shell: adapter resolve failed for "${parsed.raw}":`, err);
     return false;
   }
   try {
     const existingGrantId = await findExistingGrant(resolved, idp);
     if (existingGrantId) {
-      consola30.info(`Reusing grant ${existingGrantId} for: ${resolved.detail.display}`);
+      consola31.info(`Reusing grant ${existingGrantId} for: ${resolved.detail.display}`);
       const token = await fetchGrantToken(idp, existingGrantId);
       await verifyAndExecute(token, resolved, existingGrantId);
       return true;
@@ -4837,7 +4961,7 @@ async function tryAdapterModeFromShell(command, idp, args) {
   } catch {
   }
   const approval = args.approval ?? "once";
-  consola30.info(`Requesting grant for: ${resolved.detail.display}`);
+  consola31.info(`Requesting grant for: ${resolved.detail.display}`);
   const grant = await createShapesGrant(resolved, {
     idp,
     approval,
@@ -4845,19 +4969,19 @@ async function tryAdapterModeFromShell(command, idp, args) {
   });
   if (grant.similar_grants?.similar_grants?.length) {
     const n = grant.similar_grants.similar_grants.length;
-    consola30.info("");
-    consola30.info(`  Similar grant(s) found (${n}). Your approver can extend an existing grant to cover this request.`);
+    consola31.info("");
+    consola31.info(`  Similar grant(s) found (${n}). Your approver can extend an existing grant to cover this request.`);
   }
   notifyGrantPending({
     grantId: grant.id,
     approveUrl: `${idp}/grant-approval?grant_id=${grant.id}`,
     command: resolved.detail?.display || parsed?.raw || "unknown",
     audience: resolved.adapter?.cli?.audience ?? "shapes",
-    host: args.host || hostname4()
+    host: args.host || hostname5()
   });
   if (shouldWaitForGrant(args)) {
-    consola30.info(`Grant requested: ${grant.id}`);
-    consola30.info(`Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
+    consola31.info(`Grant requested: ${grant.id}`);
+    consola31.info(`Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
     const status = await waitForGrantStatus(idp, grant.id);
     if (status !== "approved")
       throw new CliError(`Grant ${status}`);
@@ -4873,7 +4997,7 @@ function execShellCommand(command) {
     throw new CliError("No command to execute");
   try {
     const { APES_SHELL_WRAPPER: _wrapperMarker, ...inheritedEnv } = process.env;
-    execFileSync12(command[0], command.slice(1), {
+    execFileSync11(command[0], command.slice(1), {
       stdio: "inherit",
       env: inheritedEnv
     });
@@ -4931,7 +5055,7 @@ async function runAdapterMode(command, rawArgs, args) {
   try {
     const existingGrantId = await findExistingGrant(resolved, idp);
     if (existingGrantId) {
-      consola30.info(`Reusing existing grant: ${existingGrantId}`);
+      consola31.info(`Reusing existing grant: ${existingGrantId}`);
       const token = await fetchGrantToken(idp, existingGrantId);
       await verifyAndExecute(token, resolved, existingGrantId);
       return;
@@ -4945,17 +5069,17 @@ async function runAdapterMode(command, rawArgs, args) {
   });
   if (grant.similar_grants?.similar_grants?.length) {
     const n = grant.similar_grants.similar_grants.length;
-    consola30.info("");
-    consola30.info(`  Similar grant(s) found (${n}). Your approver can extend an existing grant to cover this request.`);
+    consola31.info("");
+    consola31.info(`  Similar grant(s) found (${n}). Your approver can extend an existing grant to cover this request.`);
     if (grant.similar_grants.widened_details?.length) {
       const wider = grant.similar_grants.widened_details.map((d) => d.permission).join(", ");
-      consola30.info(`  Broader scope: ${wider}`);
+      consola31.info(`  Broader scope: ${wider}`);
     }
-    consola30.info("");
+    consola31.info("");
   }
   if (shouldWaitForGrant(args)) {
-    consola30.info(`Grant requested: ${grant.id}`);
-    consola30.info(`Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
+    consola31.info(`Grant requested: ${grant.id}`);
+    consola31.info(`Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
     const status = await waitForGrantStatus(idp, grant.id);
     if (status !== "approved")
       throw new Error(`Grant ${status}`);
@@ -4974,8 +5098,8 @@ async function runAudienceMode(audience, action, args) {
   const idp = getIdpUrl(args.idp);
   const grantsUrl = await getGrantsEndpoint(idp);
   const command = action.split(" ");
-  const targetHost = args.host || hostname4();
-  consola30.info(`Requesting ${audience} grant on ${targetHost}: ${command.join(" ")}`);
+  const targetHost = args.host || hostname5();
+  consola31.info(`Requesting ${audience} grant on ${targetHost}: ${command.join(" ")}`);
   const grant = await apiFetch(grantsUrl, {
     method: "POST",
     body: {
@@ -4992,9 +5116,9 @@ async function runAudienceMode(audience, action, args) {
     printPendingGrantInfo(grant, idp);
     throw new CliExit(getAsyncExitCode());
   }
-  consola30.success(`Grant requested: ${grant.id}`);
-  consola30.info(`Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
-  consola30.info("Waiting for approval...");
+  consola31.success(`Grant requested: ${grant.id}`);
+  consola31.info(`Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
+  consola31.info("Waiting for approval...");
   const maxWait = 15 * 60 * 1e3;
   const interval = 3e3;
   const start = Date.now();
@@ -5002,7 +5126,7 @@ async function runAudienceMode(audience, action, args) {
   while (Date.now() - start < maxWait) {
     const status = await apiFetch(`${grantsUrl}/${grant.id}`);
     if (status.status === "approved") {
-      consola30.success("Grant approved!");
+      consola31.success("Grant approved!");
       approved = true;
       break;
     }
@@ -5017,15 +5141,15 @@ async function runAudienceMode(audience, action, args) {
       `Grant approval timed out after ${minutes} min (still pending). Check your DDISA inbox at ${idp}/grant-approval?grant_id=${grant.id} \u2014 if approved later, re-run the same \`apes run\` command and it will reuse the grant.`
     );
   }
-  consola30.info("Fetching grant token...");
+  consola31.info("Fetching grant token...");
   const { authz_jwt } = await apiFetch(`${grantsUrl}/${grant.id}/token`, {
     method: "POST"
   });
   if (audience === "escapes") {
-    consola30.info(`Executing: ${command.join(" ")}`);
+    consola31.info(`Executing: ${command.join(" ")}`);
     try {
       const { APES_SHELL_WRAPPER: _wrapperMarker, ...inheritedEnv } = process.env;
-      execFileSync12(args["escapes-path"] || "escapes", ["--grant", authz_jwt, "--", ...command], {
+      execFileSync11(args["escapes-path"] || "escapes", ["--grant", authz_jwt, "--", ...command], {
         stdio: "inherit",
         env: inheritedEnv
       });
@@ -5040,8 +5164,8 @@ async function runAudienceMode(audience, action, args) {
 
 // src/commands/proxy.ts
 import { spawn as spawn2 } from "child_process";
-import { defineCommand as defineCommand36 } from "citty";
-import consola31 from "consola";
+import { defineCommand as defineCommand37 } from "citty";
+import consola32 from "consola";
 
 // src/proxy/config.ts
 function buildDefaultProxyConfigToml(opts) {
@@ -5075,10 +5199,10 @@ note = "VPC-internal hostname suffix"
 
 // src/proxy/local-proxy.ts
 import { spawn } from "child_process";
-import { mkdtempSync as mkdtempSync3, rmSync as rmSync3, writeFileSync as writeFileSync7 } from "fs";
+import { mkdtempSync as mkdtempSync3, rmSync as rmSync3, writeFileSync as writeFileSync8 } from "fs";
 import { createRequire } from "module";
 import { tmpdir as tmpdir3 } from "os";
-import { dirname as dirname4, join as join10, resolve as resolve4 } from "path";
+import { dirname as dirname4, join as join12, resolve as resolve4 } from "path";
 var require2 = createRequire(import.meta.url);
 function findProxyBin() {
   const pkgPath = require2.resolve("@openape/proxy/package.json");
@@ -5090,9 +5214,9 @@ function findProxyBin() {
   return resolve4(dirname4(pkgPath), binRel);
 }
 async function startEphemeralProxy(configToml) {
-  const tmpDir = mkdtempSync3(join10(tmpdir3(), "openape-proxy-"));
-  const configPath = join10(tmpDir, "config.toml");
-  writeFileSync7(configPath, configToml, { mode: 384 });
+  const tmpDir = mkdtempSync3(join12(tmpdir3(), "openape-proxy-"));
+  const configPath = join12(tmpDir, "config.toml");
+  writeFileSync8(configPath, configToml, { mode: 384 });
   const binPath = findProxyBin();
   const child = spawn(process.execPath, [binPath, "-c", configPath], {
     stdio: ["ignore", "pipe", "pipe"],
@@ -5184,10 +5308,10 @@ function resolveProxyConfigOptions() {
       77
     );
   }
-  consola31.info(`[apes proxy] IdP-mediated mode \u2014 agent=${auth.email}, idp=${auth.idp}`);
+  consola32.info(`[apes proxy] IdP-mediated mode \u2014 agent=${auth.email}, idp=${auth.idp}`);
   return { agentEmail: auth.email, idpUrl: auth.idp, mediated: true };
 }
-var proxyCommand = defineCommand36({
+var proxyCommand = defineCommand37({
   meta: {
     name: "proxy",
     description: "Run a command with HTTPS_PROXY routed through the OpenApe egress proxy."
@@ -5209,12 +5333,12 @@ var proxyCommand = defineCommand36({
     let close = null;
     if (reuseUrl) {
       proxyUrl = reuseUrl;
-      consola31.info(`[apes proxy] reusing existing proxy at ${proxyUrl}`);
+      consola32.info(`[apes proxy] reusing existing proxy at ${proxyUrl}`);
     } else {
       const ephemeral = await startEphemeralProxy(buildDefaultProxyConfigToml(resolveProxyConfigOptions()));
       proxyUrl = ephemeral.url;
       close = ephemeral.close;
-      consola31.info(`[apes proxy] started ephemeral proxy at ${proxyUrl}`);
+      consola32.info(`[apes proxy] started ephemeral proxy at ${proxyUrl}`);
     }
     const noProxy = process.env.NO_PROXY ?? process.env.no_proxy ?? "127.0.0.1,localhost";
     const childEnv = {
@@ -5246,7 +5370,7 @@ var proxyCommand = defineCommand36({
         else resolveExit(code ?? 0);
       });
       child.once("error", (err) => {
-        consola31.error(`[apes proxy] failed to spawn '${wrapped[0]}':`, err.message);
+        consola32.error(`[apes proxy] failed to spawn '${wrapped[0]}':`, err.message);
         resolveExit(127);
       });
     });
@@ -5260,8 +5384,8 @@ function signalNumber(signal) {
 }
 
 // src/commands/explain.ts
-import { defineCommand as defineCommand37 } from "citty";
-var explainCommand = defineCommand37({
+import { defineCommand as defineCommand38 } from "citty";
+var explainCommand = defineCommand38({
   meta: {
     name: "explain",
     description: "Show what permission a command would need"
@@ -5299,9 +5423,9 @@ var explainCommand = defineCommand37({
 });
 
 // src/commands/config/get.ts
-import { defineCommand as defineCommand38 } from "citty";
-import consola32 from "consola";
-var configGetCommand = defineCommand38({
+import { defineCommand as defineCommand39 } from "citty";
+import consola33 from "consola";
+var configGetCommand = defineCommand39({
   meta: {
     name: "get",
     description: "Get a configuration value"
@@ -5321,7 +5445,7 @@ var configGetCommand = defineCommand38({
         if (idp)
           console.log(idp);
         else
-          consola32.info("No IdP configured.");
+          consola33.info("No IdP configured.");
         break;
       }
       case "email": {
@@ -5329,7 +5453,7 @@ var configGetCommand = defineCommand38({
         if (auth?.email)
           console.log(auth.email);
         else
-          consola32.info("Not logged in.");
+          consola33.info("Not logged in.");
         break;
       }
       default: {
@@ -5342,7 +5466,7 @@ var configGetCommand = defineCommand38({
           if (sectionObj && field in sectionObj) {
             console.log(sectionObj[field]);
           } else {
-            consola32.info(`Key "${key}" not set.`);
+            consola33.info(`Key "${key}" not set.`);
           }
         } else {
           throw new CliError(`Unknown key: "${key}". Use: idp, email, defaults.idp, defaults.approval, agent.key, agent.email`);
@@ -5353,9 +5477,9 @@ var configGetCommand = defineCommand38({
 });
 
 // src/commands/config/set.ts
-import { defineCommand as defineCommand39 } from "citty";
-import consola33 from "consola";
-var configSetCommand = defineCommand39({
+import { defineCommand as defineCommand40 } from "citty";
+import consola34 from "consola";
+var configSetCommand = defineCommand40({
   meta: {
     name: "set",
     description: "Set a configuration value"
@@ -5391,12 +5515,12 @@ var configSetCommand = defineCommand39({
       throw new CliError(`Unknown section: "${section}". Use: defaults, agent`);
     }
     saveConfig(config);
-    consola33.success(`Set ${key} = ${value}`);
+    consola34.success(`Set ${key} = ${value}`);
   }
 });
 
 // src/commands/fetch/index.ts
-import { defineCommand as defineCommand40 } from "citty";
+import { defineCommand as defineCommand41 } from "citty";
 async function doRequest(method, url, body, contentType, raw, showHeaders) {
   const token = getAuthToken();
   if (!token) {
@@ -5432,13 +5556,13 @@ async function doRequest(method, url, body, contentType, raw, showHeaders) {
     throw new CliError(`HTTP ${response.status} ${response.statusText}`);
   }
 }
-var fetchCommand = defineCommand40({
+var fetchCommand = defineCommand41({
   meta: {
     name: "fetch",
     description: "Make authenticated HTTP requests"
   },
   subCommands: {
-    get: defineCommand40({
+    get: defineCommand41({
       meta: {
         name: "get",
         description: "GET request with auth token"
@@ -5464,7 +5588,7 @@ var fetchCommand = defineCommand40({
         await doRequest("GET", String(args.url), void 0, "application/json", Boolean(args.raw), Boolean(args.headers));
       }
     }),
-    post: defineCommand40({
+    post: defineCommand41({
       meta: {
         name: "post",
         description: "POST request with auth token"
@@ -5503,8 +5627,8 @@ var fetchCommand = defineCommand40({
 });
 
 // src/commands/mcp/index.ts
-import { defineCommand as defineCommand41 } from "citty";
-var mcpCommand = defineCommand41({
+import { defineCommand as defineCommand42 } from "citty";
+var mcpCommand = defineCommand42({
   meta: {
     name: "mcp",
     description: "Start MCP server for AI agents"
@@ -5527,48 +5651,48 @@ var mcpCommand = defineCommand41({
     if (transport !== "stdio" && transport !== "sse") {
       throw new Error('Transport must be "stdio" or "sse"');
     }
-    const { startMcpServer } = await import("./server-AK2JBMJD.js");
+    const { startMcpServer } = await import("./server-UKQ5QFOZ.js");
     await startMcpServer(transport, port);
   }
 });
 
 // src/commands/init/index.ts
-import { existsSync as existsSync12, copyFileSync, writeFileSync as writeFileSync8 } from "fs";
+import { existsSync as existsSync14, copyFileSync, writeFileSync as writeFileSync9 } from "fs";
 import { randomBytes } from "crypto";
-import { execFileSync as execFileSync13 } from "child_process";
-import { join as join11 } from "path";
-import { defineCommand as defineCommand42 } from "citty";
-import consola34 from "consola";
+import { execFileSync as execFileSync12 } from "child_process";
+import { join as join13 } from "path";
+import { defineCommand as defineCommand43 } from "citty";
+import consola35 from "consola";
 var DEFAULT_IDP_URL = "https://id.openape.at";
 async function downloadTemplate(repo, targetDir) {
   const { downloadTemplate: gigetDownload } = await import("giget");
   await gigetDownload(`gh:${repo}`, { dir: targetDir, force: false });
 }
 function installDeps(dir) {
-  const hasLockFile = (name) => existsSync12(join11(dir, name));
+  const hasLockFile = (name) => existsSync14(join13(dir, name));
   if (hasLockFile("pnpm-lock.yaml")) {
-    execFileSync13("pnpm", ["install"], { cwd: dir, stdio: "inherit" });
+    execFileSync12("pnpm", ["install"], { cwd: dir, stdio: "inherit" });
   } else if (hasLockFile("bun.lockb")) {
-    execFileSync13("bun", ["install"], { cwd: dir, stdio: "inherit" });
+    execFileSync12("bun", ["install"], { cwd: dir, stdio: "inherit" });
   } else {
-    execFileSync13("npm", ["install"], { cwd: dir, stdio: "inherit" });
+    execFileSync12("npm", ["install"], { cwd: dir, stdio: "inherit" });
   }
 }
 async function promptChoice(message, choices) {
-  const result = await consola34.prompt(message, { type: "select", options: choices });
+  const result = await consola35.prompt(message, { type: "select", options: choices });
   if (typeof result === "symbol") {
     throw new CliExit(0);
   }
   return result;
 }
 async function promptText(message, defaultValue) {
-  const result = await consola34.prompt(message, { type: "text", default: defaultValue, placeholder: defaultValue });
+  const result = await consola35.prompt(message, { type: "text", default: defaultValue, placeholder: defaultValue });
   if (typeof result === "symbol") {
     throw new CliExit(0);
   }
   return result || defaultValue || "";
 }
-var initCommand = defineCommand42({
+var initCommand = defineCommand43({
   meta: {
     name: "init",
     description: "Scaffold a new OpenApe project"
@@ -5610,23 +5734,23 @@ var initCommand = defineCommand42({
 });
 async function initSP(targetDir) {
   const dir = targetDir || "my-app";
-  if (existsSync12(join11(dir, "package.json"))) {
+  if (existsSync14(join13(dir, "package.json"))) {
     throw new CliError(`Directory "${dir}" already contains a project.`);
   }
-  consola34.start("Scaffolding SP starter...");
+  consola35.start("Scaffolding SP starter...");
   await downloadTemplate("openape-ai/openape-sp-starter", dir);
-  consola34.success("Scaffolded from openape-sp-starter");
-  consola34.start("Installing dependencies...");
+  consola35.success("Scaffolded from openape-sp-starter");
+  consola35.start("Installing dependencies...");
   installDeps(dir);
-  consola34.success("Dependencies installed");
-  const envExample = join11(dir, ".env.example");
-  const envFile = join11(dir, ".env");
-  if (existsSync12(envExample) && !existsSync12(envFile)) {
+  consola35.success("Dependencies installed");
+  const envExample = join13(dir, ".env.example");
+  const envFile = join13(dir, ".env");
+  if (existsSync14(envExample) && !existsSync14(envFile)) {
     copyFileSync(envExample, envFile);
-    consola34.success(`\`.env\` created (using Free IdP at ${DEFAULT_IDP_URL})`);
+    consola35.success(`\`.env\` created (using Free IdP at ${DEFAULT_IDP_URL})`);
   }
   console.log("");
-  consola34.box([
+  consola35.box([
     `cd ${dir}`,
     "npm run dev",
     "",
@@ -5635,7 +5759,7 @@ async function initSP(targetDir) {
 }
 async function initIdP(targetDir) {
   const dir = targetDir || "my-idp";
-  if (existsSync12(join11(dir, "package.json"))) {
+  if (existsSync14(join13(dir, "package.json"))) {
     throw new CliError(`Directory "${dir}" already contains a project.`);
   }
   const domain = await promptText("Domain for the IdP", "localhost");
@@ -5645,15 +5769,15 @@ async function initIdP(targetDir) {
     "s3 (S3-compatible)"
   ]);
   const adminEmail = await promptText("Admin email");
-  consola34.start("Scaffolding IdP starter...");
+  consola35.start("Scaffolding IdP starter...");
   await downloadTemplate("openape-ai/openape-idp-starter", dir);
-  consola34.success("Scaffolded from openape-idp-starter");
-  consola34.start("Installing dependencies...");
+  consola35.success("Scaffolded from openape-idp-starter");
+  consola35.start("Installing dependencies...");
   installDeps(dir);
-  consola34.success("Dependencies installed");
+  consola35.success("Dependencies installed");
   const sessionSecret = randomBytes(32).toString("hex");
   const managementToken = randomBytes(32).toString("hex");
-  consola34.success("Secrets generated");
+  consola35.success("Secrets generated");
   const isLocalhost = domain === "localhost";
   const origin = isLocalhost ? "http://localhost:3000" : `https://${domain}`;
   const envContent = [
@@ -5667,11 +5791,11 @@ async function initIdP(targetDir) {
     `NUXT_OPENAPE_RP_ID=${domain}`,
     `NUXT_OPENAPE_RP_ORIGIN=${origin}`
   ].join("\n");
-  writeFileSync8(join11(dir, ".env"), `${envContent}
+  writeFileSync9(join13(dir, ".env"), `${envContent}
 `, { mode: 384 });
-  consola34.success(".env created");
+  consola35.success(".env created");
   console.log("");
-  consola34.box([
+  consola35.box([
     `cd ${dir}`,
     "npm run dev",
     "",
@@ -5688,11 +5812,11 @@ async function initIdP(targetDir) {
 
 // src/commands/enroll.ts
 import { Buffer as Buffer5 } from "buffer";
-import { existsSync as existsSync13, readFileSync as readFileSync11 } from "fs";
+import { existsSync as existsSync15, readFileSync as readFileSync12 } from "fs";
 import { execFile as execFile2 } from "child_process";
 import { sign as sign2 } from "crypto";
-import { defineCommand as defineCommand43 } from "citty";
-import consola35 from "consola";
+import { defineCommand as defineCommand44 } from "citty";
+import consola36 from "consola";
 var DEFAULT_IDP_URL2 = "https://id.openape.at";
 var DEFAULT_KEY_PATH = "~/.ssh/id_ed25519";
 var POLL_INTERVAL = 3e3;
@@ -5704,7 +5828,7 @@ function openBrowser2(url) {
 }
 async function pollForEnrollment(idp, agentEmail, keyPath) {
   const resolvedKey = resolveKeyPath(keyPath);
-  const keyContent = readFileSync11(resolvedKey, "utf-8");
+  const keyContent = readFileSync12(resolvedKey, "utf-8");
   const privateKey = loadEd25519PrivateKey(keyContent);
   const challengeUrl = await getAgentChallengeEndpoint(idp);
   const authenticateUrl = await getAgentAuthenticateEndpoint(idp);
@@ -5735,7 +5859,7 @@ async function pollForEnrollment(idp, agentEmail, keyPath) {
   }
   throw new Error("Enrollment timed out. Please check the browser and try again.");
 }
-var enrollCommand = defineCommand43({
+var enrollCommand = defineCommand44({
   meta: {
     name: "enroll",
     description: "Enroll an agent with an Identity Provider"
@@ -5755,38 +5879,38 @@ var enrollCommand = defineCommand43({
     }
   },
   async run({ args }) {
-    const idp = args.idp || await consola35.prompt("IdP URL", { type: "text", default: DEFAULT_IDP_URL2, placeholder: DEFAULT_IDP_URL2 }).then((r) => {
+    const idp = args.idp || await consola36.prompt("IdP URL", { type: "text", default: DEFAULT_IDP_URL2, placeholder: DEFAULT_IDP_URL2 }).then((r) => {
       if (typeof r === "symbol") throw new CliExit(0);
       return r;
     }) || DEFAULT_IDP_URL2;
-    const agentName = args.name || await consola35.prompt("Agent name", { type: "text", placeholder: "deploy-bot" }).then((r) => {
+    const agentName = args.name || await consola36.prompt("Agent name", { type: "text", placeholder: "deploy-bot" }).then((r) => {
       if (typeof r === "symbol") throw new CliExit(0);
       return r;
     });
     if (!agentName) {
       throw new CliError("Agent name is required.");
     }
-    const keyPath = args.key || await consola35.prompt("Ed25519 key", { type: "text", default: DEFAULT_KEY_PATH, placeholder: DEFAULT_KEY_PATH }).then((r) => {
+    const keyPath = args.key || await consola36.prompt("Ed25519 key", { type: "text", default: DEFAULT_KEY_PATH, placeholder: DEFAULT_KEY_PATH }).then((r) => {
       if (typeof r === "symbol") throw new CliExit(0);
       return r;
     }) || DEFAULT_KEY_PATH;
     const resolvedKey = resolveKeyPath(keyPath);
     let publicKey;
-    if (existsSync13(resolvedKey)) {
+    if (existsSync15(resolvedKey)) {
       publicKey = readPublicKey(resolvedKey);
-      consola35.success(`Using existing key ${keyPath}`);
+      consola36.success(`Using existing key ${keyPath}`);
     } else {
-      consola35.start(`Generating Ed25519 key pair at ${keyPath}...`);
+      consola36.start(`Generating Ed25519 key pair at ${keyPath}...`);
       publicKey = generateAndSaveKey(keyPath);
-      consola35.success(`Key pair generated at ${keyPath}`);
+      consola36.success(`Key pair generated at ${keyPath}`);
     }
     const encodedKey = encodeURIComponent(publicKey);
     const enrollUrl = `${idp}/enroll?name=${encodeURIComponent(agentName)}&key=${encodedKey}`;
-    consola35.info("Opening browser for enrollment...");
-    consola35.info(`\u2192 ${idp}/enroll`);
+    consola36.info("Opening browser for enrollment...");
+    consola36.info(`\u2192 ${idp}/enroll`);
     openBrowser2(enrollUrl);
     console.log("");
-    const agentEmail = await consola35.prompt(
+    const agentEmail = await consola36.prompt(
       "Agent email (shown in browser after enrollment)",
       { type: "text", placeholder: `agent+${agentName}@...` }
     ).then((r) => {
@@ -5796,7 +5920,7 @@ var enrollCommand = defineCommand43({
     if (!agentEmail) {
       throw new CliError("Agent email is required to verify enrollment.");
     }
-    consola35.start("Verifying enrollment...");
+    consola36.start("Verifying enrollment...");
     const { token, expiresIn } = await pollForEnrollment(idp, agentEmail, keyPath);
     saveAuth({
       idp,
@@ -5808,18 +5932,18 @@ var enrollCommand = defineCommand43({
     config.defaults = { ...config.defaults, idp };
     config.agent = { key: keyPath, email: agentEmail };
     saveConfig(config);
-    consola35.success(`Agent enrolled as ${agentEmail}`);
-    consola35.success("Config saved to ~/.config/apes/");
+    consola36.success(`Agent enrolled as ${agentEmail}`);
+    consola36.success("Config saved to ~/.config/apes/");
     console.log("");
-    consola35.info("Verify with: apes whoami");
+    consola36.info("Verify with: apes whoami");
   }
 });
 
 // src/commands/register-user.ts
-import { existsSync as existsSync14, readFileSync as readFileSync12 } from "fs";
-import { defineCommand as defineCommand44 } from "citty";
-import consola36 from "consola";
-var registerUserCommand = defineCommand44({
+import { existsSync as existsSync16, readFileSync as readFileSync13 } from "fs";
+import { defineCommand as defineCommand45 } from "citty";
+import consola37 from "consola";
+var registerUserCommand = defineCommand45({
   meta: {
     name: "register-user",
     description: "Register a sub-user with SSH key"
@@ -5855,8 +5979,8 @@ var registerUserCommand = defineCommand44({
       throw new CliError("No IdP URL configured. Run `apes login` first.");
     }
     let publicKey = args.key;
-    if (existsSync14(args.key)) {
-      publicKey = readFileSync12(args.key, "utf-8").trim();
+    if (existsSync16(args.key)) {
+      publicKey = readFileSync13(args.key, "utf-8").trim();
     }
     if (!publicKey.startsWith("ssh-ed25519 ")) {
       throw new CliError("Public key must be in ssh-ed25519 format.");
@@ -5874,18 +5998,18 @@ var registerUserCommand = defineCommand44({
         ...userType ? { type: userType } : {}
       }
     });
-    consola36.success(`User registered: ${result.email} (type: ${result.type}, owner: ${result.owner})`);
+    consola37.success(`User registered: ${result.email} (type: ${result.type}, owner: ${result.owner})`);
   }
 });
 
 // src/commands/utils/index.ts
-import { defineCommand as defineCommand46 } from "citty";
+import { defineCommand as defineCommand47 } from "citty";
 
 // src/commands/utils/dig.ts
-import { defineCommand as defineCommand45 } from "citty";
-import consola37 from "consola";
+import { defineCommand as defineCommand46 } from "citty";
+import consola38 from "consola";
 import { resolveDDISA as resolveDDISA2 } from "@openape/core";
-var digCommand = defineCommand45({
+var digCommand = defineCommand46({
   meta: {
     name: "dig",
     description: "Resolve DDISA IdP for a domain or email (admin/diag tool)"
@@ -5958,12 +6082,12 @@ var digCommand = defineCommand45({
     console.log(`  domain: ${domain}`);
     console.log("");
     if (!result.ddisa.found) {
-      consola37.warn(`No DDISA record at _ddisa.${domain}`);
+      consola38.warn(`No DDISA record at _ddisa.${domain}`);
       if (result.hint) console.log(`
 ${result.hint}`);
       throw new CliError(`No DDISA record found for ${domain}`);
     }
-    consola37.success(`_ddisa.${domain} \u2192 ${result.ddisa.idp}`);
+    consola38.success(`_ddisa.${domain} \u2192 ${result.ddisa.idp}`);
     console.log(`  Version:  ${result.ddisa.version || "ddisa1"}`);
     console.log(`  IdP URL:  ${result.ddisa.idp}`);
     if (result.ddisa.mode) console.log(`  Mode:     ${result.ddisa.mode}`);
@@ -5973,13 +6097,13 @@ ${result.hint}`);
       return;
     }
     if (result.idpDiscovery.ok) {
-      consola37.success(`IdP reachable (${result.idpDiscovery.status ?? 200})`);
+      consola38.success(`IdP reachable (${result.idpDiscovery.status ?? 200})`);
       if (result.idpDiscovery.issuer) console.log(`  Issuer:   ${result.idpDiscovery.issuer}`);
       if (result.idpDiscovery.ddisaVersion) console.log(`  DDISA:    v${result.idpDiscovery.ddisaVersion}`);
       if (result.idpDiscovery.authMethods?.length) console.log(`  Auth:     ${result.idpDiscovery.authMethods.join(", ")}`);
       if (result.idpDiscovery.grantTypes?.length) console.log(`  Grants:   ${result.idpDiscovery.grantTypes.join(", ")}`);
     } else {
-      consola37.warn(`IdP discovery failed${result.idpDiscovery.status ? ` (HTTP ${result.idpDiscovery.status})` : ""}`);
+      consola38.warn(`IdP discovery failed${result.idpDiscovery.status ? ` (HTTP ${result.idpDiscovery.status})` : ""}`);
       if (result.hint) console.log(`
 ${result.hint}`);
       throw new CliError(`IdP at ${result.ddisa.idp} not reachable`);
@@ -5988,7 +6112,7 @@ ${result.hint}`);
 });
 
 // src/commands/utils/index.ts
-var utilsCommand = defineCommand46({
+var utilsCommand = defineCommand47({
   meta: {
     name: "utils",
     description: "Admin/diagnostic utilities (dig, \u2026)"
@@ -5999,12 +6123,12 @@ var utilsCommand = defineCommand46({
 });
 
 // src/commands/sessions/index.ts
-import { defineCommand as defineCommand49 } from "citty";
+import { defineCommand as defineCommand50 } from "citty";
 
 // src/commands/sessions/list.ts
-import { defineCommand as defineCommand47 } from "citty";
-import consola38 from "consola";
-var sessionsListCommand = defineCommand47({
+import { defineCommand as defineCommand48 } from "citty";
+import consola39 from "consola";
+var sessionsListCommand = defineCommand48({
   meta: {
     name: "list",
     description: "List your active refresh-token families (one per logged-in device)."
@@ -6022,7 +6146,7 @@ var sessionsListCommand = defineCommand47({
       return;
     }
     if (result.data.length === 0) {
-      consola38.info("No active sessions.");
+      consola39.info("No active sessions.");
       return;
     }
     for (const f of result.data) {
@@ -6034,9 +6158,9 @@ var sessionsListCommand = defineCommand47({
 });
 
 // src/commands/sessions/remove.ts
-import { defineCommand as defineCommand48 } from "citty";
-import consola39 from "consola";
-var sessionsRemoveCommand = defineCommand48({
+import { defineCommand as defineCommand49 } from "citty";
+import consola40 from "consola";
+var sessionsRemoveCommand = defineCommand49({
   meta: {
     name: "remove",
     description: "Revoke one of your active refresh-token families by id."
@@ -6052,12 +6176,12 @@ var sessionsRemoveCommand = defineCommand48({
     const id = String(args.familyId).trim();
     if (!id) throw new CliError("familyId required");
     await apiFetch(`/api/me/sessions/${encodeURIComponent(id)}`, { method: "DELETE" });
-    consola39.success(`Session ${id} revoked. The device using it will need to \`apes login\` again on its next refresh.`);
+    consola40.success(`Session ${id} revoked. The device using it will need to \`apes login\` again on its next refresh.`);
   }
 });
 
 // src/commands/sessions/index.ts
-var sessionsCommand = defineCommand49({
+var sessionsCommand = defineCommand50({
   meta: {
     name: "sessions",
     description: "Manage your active refresh-token sessions across devices"
@@ -6069,10 +6193,10 @@ var sessionsCommand = defineCommand49({
 });
 
 // src/commands/dns-check.ts
-import { defineCommand as defineCommand50 } from "citty";
-import consola40 from "consola";
+import { defineCommand as defineCommand51 } from "citty";
+import consola41 from "consola";
 import { resolveDDISA as resolveDDISA3 } from "@openape/core";
-var dnsCheckCommand = defineCommand50({
+var dnsCheckCommand = defineCommand51({
   meta: {
     name: "dns-check",
     description: "Validate DDISA DNS TXT records for a domain"
@@ -6086,7 +6210,7 @@ var dnsCheckCommand = defineCommand50({
   },
   async run({ args }) {
     const domain = args.domain;
-    consola40.start(`Checking _ddisa.${domain}...`);
+    consola41.start(`Checking _ddisa.${domain}...`);
     try {
       const result = await resolveDDISA3(domain);
       if (!result) {
@@ -6095,7 +6219,7 @@ var dnsCheckCommand = defineCommand50({
         console.log(`  _ddisa.${domain} TXT "v=ddisa1 idp=https://id.${domain}"`);
         throw new CliError(`No DDISA record found for ${domain}`);
       }
-      consola40.success(`_ddisa.${domain} \u2192 ${result.idp}`);
+      consola41.success(`_ddisa.${domain} \u2192 ${result.idp}`);
       console.log("");
       console.log(`  Version:  ${result.version || "ddisa1"}`);
       console.log(`  IdP URL:  ${result.idp}`);
@@ -6104,14 +6228,14 @@ var dnsCheckCommand = defineCommand50({
       if (result.priority !== void 0)
         console.log(`  Priority: ${result.priority}`);
       console.log("");
-      consola40.start(`Verifying IdP at ${result.idp}...`);
+      consola41.start(`Verifying IdP at ${result.idp}...`);
       const discoResp = await fetch(`${result.idp}/.well-known/openid-configuration`);
       if (!discoResp.ok) {
-        consola40.warn(`IdP discovery failed (${discoResp.status}). Is the IdP running at ${result.idp}?`);
+        consola41.warn(`IdP discovery failed (${discoResp.status}). Is the IdP running at ${result.idp}?`);
         return;
       }
       const disco = await discoResp.json();
-      consola40.success(`IdP is reachable`);
+      consola41.success(`IdP is reachable`);
       console.log(`  Issuer:   ${disco.issuer}`);
       console.log(`  DDISA:    v${disco.ddisa_version || "?"}`);
       if (disco.ddisa_auth_methods_supported) {
@@ -6129,7 +6253,7 @@ var dnsCheckCommand = defineCommand50({
 // src/commands/health.ts
 import { exec } from "child_process";
 import { promisify } from "util";
-import { defineCommand as defineCommand51 } from "citty";
+import { defineCommand as defineCommand52 } from "citty";
 var execAsync = promisify(exec);
 async function resolveApeShellPath() {
   try {
@@ -6165,7 +6289,7 @@ async function bestEffortGrantCount(idp) {
   }
 }
 async function runHealth(args) {
-  const version = true ? "1.5.0" : "0.0.0";
+  const version = true ? "1.6.1" : "0.0.0";
   const auth = loadAuth();
   if (!auth) {
     throw new CliError("Not logged in. Run `apes login` first.", 1);
@@ -6228,7 +6352,7 @@ async function runHealth(args) {
     throw new CliError(`IdP ${auth.idp} unreachable: ${idpProbe.error}`, 1);
   }
 }
-var healthCommand = defineCommand51({
+var healthCommand = defineCommand52({
   meta: {
     name: "health",
     description: "Report CLI diagnostic state (auth, IdP, grants, binaries)"
@@ -6246,8 +6370,8 @@ var healthCommand = defineCommand51({
 });
 
 // src/commands/workflows.ts
-import { defineCommand as defineCommand52 } from "citty";
-import consola41 from "consola";
+import { defineCommand as defineCommand53 } from "citty";
+import consola42 from "consola";
 
 // src/guides/index.ts
 var guides = [
@@ -6297,7 +6421,7 @@ var guides = [
 ];
 
 // src/commands/workflows.ts
-var workflowsCommand = defineCommand52({
+var workflowsCommand = defineCommand53({
   meta: {
     name: "workflows",
     description: "Discover workflow guides"
@@ -6318,7 +6442,7 @@ var workflowsCommand = defineCommand52({
     if (args.id) {
       const guide = guides.find((g) => g.id === String(args.id));
       if (!guide) {
-        consola41.info(`Available: ${guides.map((g) => g.id).join(", ")}`);
+        consola42.info(`Available: ${guides.map((g) => g.id).join(", ")}`);
         throw new CliError(`Guide not found: ${args.id}`);
       }
       if (args.json) {
@@ -6358,26 +6482,26 @@ var workflowsCommand = defineCommand52({
 });
 
 // src/version-check.ts
-import { existsSync as existsSync15, mkdirSync as mkdirSync5, readFileSync as readFileSync13, writeFileSync as writeFileSync9 } from "fs";
-import { homedir as homedir12 } from "os";
-import { join as join12 } from "path";
-import consola42 from "consola";
+import { existsSync as existsSync17, mkdirSync as mkdirSync6, readFileSync as readFileSync14, writeFileSync as writeFileSync10 } from "fs";
+import { homedir as homedir13 } from "os";
+import { join as join14 } from "path";
+import consola43 from "consola";
 var PACKAGE_NAME = "@openape/apes";
 var CACHE_TTL_MS = 24 * 60 * 60 * 1e3;
-var CACHE_FILE = join12(homedir12(), ".config", "apes", ".version-check.json");
+var CACHE_FILE = join14(homedir13(), ".config", "apes", ".version-check.json");
 function readCache() {
-  if (!existsSync15(CACHE_FILE)) return null;
+  if (!existsSync17(CACHE_FILE)) return null;
   try {
-    return JSON.parse(readFileSync13(CACHE_FILE, "utf-8"));
+    return JSON.parse(readFileSync14(CACHE_FILE, "utf-8"));
   } catch {
     return null;
   }
 }
 function writeCache(entry) {
   try {
-    const dir = join12(homedir12(), ".config", "apes");
-    if (!existsSync15(dir)) mkdirSync5(dir, { recursive: true, mode: 448 });
-    writeFileSync9(CACHE_FILE, JSON.stringify(entry), { mode: 384 });
+    const dir = join14(homedir13(), ".config", "apes");
+    if (!existsSync17(dir)) mkdirSync6(dir, { recursive: true, mode: 448 });
+    writeFileSync10(CACHE_FILE, JSON.stringify(entry), { mode: 384 });
   } catch {
   }
 }
@@ -6406,7 +6530,7 @@ async function fetchLatestVersion() {
 }
 function warnIfBehind(currentVersion, latest) {
   if (compareSemver(currentVersion, latest) < 0) {
-    consola42.warn(
+    consola43.warn(
       `apes ${currentVersion} is behind latest @openape/apes@${latest}. Run \`npm i -g @openape/apes@latest\` to update. (Suppress with APES_NO_UPDATE_CHECK=1.)`
     );
   }
@@ -6438,10 +6562,10 @@ if (shellRewrite) {
   if (shellRewrite.action === "rewrite") {
     process.argv = shellRewrite.argv;
   } else if (shellRewrite.action === "version") {
-    console.log(`ape-shell ${"1.5.0"} (OpenApe DDISA shell wrapper)`);
+    console.log(`ape-shell ${"1.6.1"} (OpenApe DDISA shell wrapper)`);
     process.exit(0);
   } else if (shellRewrite.action === "help") {
-    console.log(`ape-shell ${"1.5.0"} \u2014 OpenApe DDISA shell wrapper`);
+    console.log(`ape-shell ${"1.6.1"} \u2014 OpenApe DDISA shell wrapper`);
     console.log("");
     console.log("Usage:");
     console.log("  ape-shell                 Start interactive grant-mediated REPL");
@@ -6465,7 +6589,7 @@ if (shellRewrite) {
   }
 }
 var debug = process.argv.includes("--debug");
-var grantsCommand = defineCommand53({
+var grantsCommand = defineCommand54({
   meta: {
     name: "grants",
     description: "Grant management"
@@ -6486,7 +6610,7 @@ var grantsCommand = defineCommand53({
     "delegation-revoke": delegationRevokeCommand
   }
 });
-var configCommand = defineCommand53({
+var configCommand = defineCommand54({
   meta: {
     name: "config",
     description: "Configuration management"
@@ -6496,10 +6620,10 @@ var configCommand = defineCommand53({
     set: configSetCommand
   }
 });
-var main = defineCommand53({
+var main = defineCommand54({
   meta: {
     name: "apes",
-    version: "1.5.0",
+    version: "1.6.1",
     description: "Unified CLI for OpenApe"
   },
   subCommands: {
@@ -6555,20 +6679,20 @@ async function maybeRefreshAuth() {
   }
 }
 await maybeRefreshAuth();
-await maybeWarnStaleVersion("1.5.0").catch(() => {
+await maybeWarnStaleVersion("1.6.1").catch(() => {
 });
 runMain(main).catch((err) => {
   if (err instanceof CliExit) {
     process.exit(err.exitCode);
   }
   if (err instanceof CliError) {
-    consola43.error(err.message);
+    consola44.error(err.message);
     process.exit(err.exitCode);
   }
   if (debug) {
-    consola43.error(err);
+    consola44.error(err);
   } else {
-    consola43.error(err instanceof ApiError ? err.message : err instanceof Error ? err.message : String(err));
+    consola44.error(err instanceof ApiError ? err.message : err instanceof Error ? err.message : String(err));
   }
   process.exit(1);
 });