@openape/apes 1.7.1 → 1.8.0

package/dist/cli.js

@@ -1,4 +1,9 @@
 #!/usr/bin/env node
+import {
+  checkSudoRejection,
+  isApesSelfDispatch,
+  notifyGrantPending
+} from "./chunk-3COOEDPF.js";
 import {
   CliError,
   CliExit,
@@ -9,10 +14,15 @@ import {
   readPublicKeyComment
 } from "./chunk-ION3CWD5.js";
 import {
-  checkSudoRejection,
-  isApesSelfDispatch,
-  notifyGrantPending
-} from "./chunk-3COOEDPF.js";
+  Mi,
+  Mn,
+  br,
+  dt,
+  le,
+  qn,
+  ut,
+  ye
+} from "./chunk-WGF3SPIH.js";
 import {
   GENERIC_OPERATION_ID,
   buildGenericResolved,
@@ -48,7 +58,7 @@ import {
   getAgentChallengeEndpoint,
   getDelegationsEndpoint,
   getGrantsEndpoint
-} from "./chunk-N3THIFIS.js";
+} from "./chunk-QJJ7DG5C.js";
 import {
   AUTH_FILE,
   CONFIG_DIR,
@@ -61,9 +71,10 @@ import {
   saveAuth,
   saveConfig
 } from "./chunk-OBF7IMQ2.js";
+import "./chunk-7OCVIDC7.js";
 
 // src/cli.ts
-import consola47 from "consola";
+import consola51 from "consola";
 
 // src/ape-shell.ts
 import path from "path";
@@ -93,7 +104,7 @@ function rewriteApeShellArgs(argv, argv0) {
 }
 
 // src/cli.ts
-import { defineCommand as defineCommand58, runMain } from "citty";
+import { defineCommand as defineCommand61, runMain } from "citty";
 
 // src/commands/auth/login.ts
 import { Buffer as Buffer2 } from "buffer";
@@ -381,7 +392,7 @@ async function loginWithPKCE(idp) {
 async function loginWithKey(idp, keyPath, agentEmail) {
   const { readFileSync: readFileSync15 } = await import("fs");
   const { sign: sign3 } = await import("crypto");
-  const { loadEd25519PrivateKey: loadEd25519PrivateKey2 } = await import("./ssh-key-YBNNG5K5.js");
+  const { loadEd25519PrivateKey: loadEd25519PrivateKey2 } = await import("./ssh-key-6X3YZXSD.js");
   const challengeUrl = await getAgentChallengeEndpoint(idp);
   const challengeResp = await fetch(challengeUrl, {
     method: "POST",
@@ -760,7 +771,7 @@ async function waitForApproval(grantsUrl, grantId) {
     if (grant.status === "revoked") {
       throw new CliError("Grant revoked.");
     }
-    await new Promise((r) => setTimeout(r, interval));
+    await new Promise((r3) => setTimeout(r3, interval));
   }
   throw new CliError("Timed out waiting for approval.");
 }
@@ -1108,12 +1119,12 @@ var revokeCommand = defineCommand11({
       { method: "POST", body: { operations }, token }
     );
     let succeeded = 0;
-    for (const r of results) {
-      if (r.success) {
-        consola11.success(`Grant ${r.id} revoked.`);
+    for (const r3 of results) {
+      if (r3.success) {
+        consola11.success(`Grant ${r3.id} revoked.`);
         succeeded++;
       } else {
-        consola11.error(`Grant ${r.id}: ${r.error?.title || "Failed"}`);
+        consola11.error(`Grant ${r3.id}: ${r3.error?.title || "Failed"}`);
       }
     }
     if (succeeded < results.length) {
@@ -1133,32 +1144,32 @@ import consola12 from "consola";
 function getPollIntervalSeconds() {
   const envValue = process.env.APES_GRANT_POLL_INTERVAL;
   if (envValue) {
-    const n = Number(envValue);
-    if (Number.isFinite(n) && n > 0)
-      return Math.floor(n);
+    const n2 = Number(envValue);
+    if (Number.isFinite(n2) && n2 > 0)
+      return Math.floor(n2);
   }
   const cfg = loadConfig();
   const cfgValue = cfg.defaults?.grant_poll_interval_seconds;
   if (cfgValue) {
-    const n = Number(cfgValue);
-    if (Number.isFinite(n) && n > 0)
-      return Math.floor(n);
+    const n2 = Number(cfgValue);
+    if (Number.isFinite(n2) && n2 > 0)
+      return Math.floor(n2);
   }
   return 10;
 }
 function getPollMaxMinutes() {
   const envValue = process.env.APES_GRANT_POLL_MAX_MINUTES;
   if (envValue) {
-    const n = Number(envValue);
-    if (Number.isFinite(n) && n > 0)
-      return Math.floor(n);
+    const n2 = Number(envValue);
+    if (Number.isFinite(n2) && n2 > 0)
+      return Math.floor(n2);
   }
   const cfg = loadConfig();
   const cfgValue = cfg.defaults?.grant_poll_max_minutes;
   if (cfgValue) {
-    const n = Number(cfgValue);
-    if (Number.isFinite(n) && n > 0)
-      return Math.floor(n);
+    const n2 = Number(cfgValue);
+    if (Number.isFinite(n2) && n2 > 0)
+      return Math.floor(n2);
   }
   return 5;
 }
@@ -1175,7 +1186,7 @@ async function pollGrantUntilResolved(idp, grantId) {
       return { kind: "approved" };
     if (grant.status === "denied" || grant.status === "revoked" || grant.status === "used")
       return { kind: "terminal", status: grant.status };
-    await new Promise((r) => setTimeout(r, intervalMs));
+    await new Promise((r3) => setTimeout(r3, intervalMs));
   }
   return { kind: "timeout" };
 }
@@ -1754,16 +1765,793 @@ import consola18 from "consola";
 // src/lib/agent-bootstrap.ts
 import { Buffer as Buffer3 } from "buffer";
 import { createPrivateKey, sign } from "crypto";
+
+// ../../node_modules/.pnpm/ofetch@1.5.1/node_modules/ofetch/dist/node.mjs
+import http from "http";
+import https from "https";
+
+// ../../node_modules/.pnpm/node-fetch-native@1.6.7/node_modules/node-fetch-native/dist/index.mjs
+import "http";
+import "https";
+import "zlib";
+import "stream";
+import "buffer";
+import "util";
+import "url";
+import "net";
+import "fs";
+import "path";
+var o = !!globalThis.process?.env?.FORCE_NODE_FETCH;
+var r = !o && globalThis.fetch || Mi;
+var p = !o && globalThis.Blob || ut;
+var F = !o && globalThis.File || qn;
+var h = !o && globalThis.FormData || br;
+var n = !o && globalThis.Headers || ye;
+var c = !o && globalThis.Request || dt;
+var R = !o && globalThis.Response || le;
+var T = !o && globalThis.AbortController || Mn;
+
+// ../../node_modules/.pnpm/destr@2.0.5/node_modules/destr/dist/index.mjs
+var suspectProtoRx = /"(?:_|\\u0{2}5[Ff]){2}(?:p|\\u0{2}70)(?:r|\\u0{2}72)(?:o|\\u0{2}6[Ff])(?:t|\\u0{2}74)(?:o|\\u0{2}6[Ff])(?:_|\\u0{2}5[Ff]){2}"\s*:/;
+var suspectConstructorRx = /"(?:c|\\u0063)(?:o|\\u006[Ff])(?:n|\\u006[Ee])(?:s|\\u0073)(?:t|\\u0074)(?:r|\\u0072)(?:u|\\u0075)(?:c|\\u0063)(?:t|\\u0074)(?:o|\\u006[Ff])(?:r|\\u0072)"\s*:/;
+var JsonSigRx = /^\s*["[{]|^\s*-?\d{1,16}(\.\d{1,17})?([Ee][+-]?\d+)?\s*$/;
+function jsonParseTransform(key, value) {
+  if (key === "__proto__" || key === "constructor" && value && typeof value === "object" && "prototype" in value) {
+    warnKeyDropped(key);
+    return;
+  }
+  return value;
+}
+function warnKeyDropped(key) {
+  console.warn(`[destr] Dropping "${key}" key to prevent prototype pollution.`);
+}
+function destr(value, options = {}) {
+  if (typeof value !== "string") {
+    return value;
+  }
+  if (value[0] === '"' && value[value.length - 1] === '"' && value.indexOf("\\") === -1) {
+    return value.slice(1, -1);
+  }
+  const _value = value.trim();
+  if (_value.length <= 9) {
+    switch (_value.toLowerCase()) {
+      case "true": {
+        return true;
+      }
+      case "false": {
+        return false;
+      }
+      case "undefined": {
+        return void 0;
+      }
+      case "null": {
+        return null;
+      }
+      case "nan": {
+        return Number.NaN;
+      }
+      case "infinity": {
+        return Number.POSITIVE_INFINITY;
+      }
+      case "-infinity": {
+        return Number.NEGATIVE_INFINITY;
+      }
+    }
+  }
+  if (!JsonSigRx.test(value)) {
+    if (options.strict) {
+      throw new SyntaxError("[destr] Invalid JSON");
+    }
+    return value;
+  }
+  try {
+    if (suspectProtoRx.test(value) || suspectConstructorRx.test(value)) {
+      if (options.strict) {
+        throw new Error("[destr] Possible prototype pollution");
+      }
+      return JSON.parse(value, jsonParseTransform);
+    }
+    return JSON.parse(value);
+  } catch (error) {
+    if (options.strict) {
+      throw error;
+    }
+    return value;
+  }
+}
+
+// ../../node_modules/.pnpm/ufo@1.6.3/node_modules/ufo/dist/index.mjs
+var r2 = String.fromCharCode;
+var HASH_RE = /#/g;
+var AMPERSAND_RE = /&/g;
+var SLASH_RE = /\//g;
+var EQUAL_RE = /=/g;
+var PLUS_RE = /\+/g;
+var ENC_CARET_RE = /%5e/gi;
+var ENC_BACKTICK_RE = /%60/gi;
+var ENC_PIPE_RE = /%7c/gi;
+var ENC_SPACE_RE = /%20/gi;
+function encode(text) {
+  return encodeURI("" + text).replace(ENC_PIPE_RE, "|");
+}
+function encodeQueryValue(input) {
+  return encode(typeof input === "string" ? input : JSON.stringify(input)).replace(PLUS_RE, "%2B").replace(ENC_SPACE_RE, "+").replace(HASH_RE, "%23").replace(AMPERSAND_RE, "%26").replace(ENC_BACKTICK_RE, "`").replace(ENC_CARET_RE, "^").replace(SLASH_RE, "%2F");
+}
+function encodeQueryKey(text) {
+  return encodeQueryValue(text).replace(EQUAL_RE, "%3D");
+}
+function decode(text = "") {
+  try {
+    return decodeURIComponent("" + text);
+  } catch {
+    return "" + text;
+  }
+}
+function decodeQueryKey(text) {
+  return decode(text.replace(PLUS_RE, " "));
+}
+function decodeQueryValue(text) {
+  return decode(text.replace(PLUS_RE, " "));
+}
+function parseQuery(parametersString = "") {
+  const object = /* @__PURE__ */ Object.create(null);
+  if (parametersString[0] === "?") {
+    parametersString = parametersString.slice(1);
+  }
+  for (const parameter of parametersString.split("&")) {
+    const s = parameter.match(/([^=]+)=?(.*)/) || [];
+    if (s.length < 2) {
+      continue;
+    }
+    const key = decodeQueryKey(s[1]);
+    if (key === "__proto__" || key === "constructor") {
+      continue;
+    }
+    const value = decodeQueryValue(s[2] || "");
+    if (object[key] === void 0) {
+      object[key] = value;
+    } else if (Array.isArray(object[key])) {
+      object[key].push(value);
+    } else {
+      object[key] = [object[key], value];
+    }
+  }
+  return object;
+}
+function encodeQueryItem(key, value) {
+  if (typeof value === "number" || typeof value === "boolean") {
+    value = String(value);
+  }
+  if (!value) {
+    return encodeQueryKey(key);
+  }
+  if (Array.isArray(value)) {
+    return value.map(
+      (_value) => `${encodeQueryKey(key)}=${encodeQueryValue(_value)}`
+    ).join("&");
+  }
+  return `${encodeQueryKey(key)}=${encodeQueryValue(value)}`;
+}
+function stringifyQuery(query) {
+  return Object.keys(query).filter((k) => query[k] !== void 0).map((k) => encodeQueryItem(k, query[k])).filter(Boolean).join("&");
+}
+var PROTOCOL_STRICT_REGEX = /^[\s\w\0+.-]{2,}:([/\\]{1,2})/;
+var PROTOCOL_REGEX = /^[\s\w\0+.-]{2,}:([/\\]{2})?/;
+var PROTOCOL_RELATIVE_REGEX = /^([/\\]\s*){2,}[^/\\]/;
+var TRAILING_SLASH_RE = /\/$|\/\?|\/#/;
+var JOIN_LEADING_SLASH_RE = /^\.?\//;
+function hasProtocol(inputString, opts = {}) {
+  if (typeof opts === "boolean") {
+    opts = { acceptRelative: opts };
+  }
+  if (opts.strict) {
+    return PROTOCOL_STRICT_REGEX.test(inputString);
+  }
+  return PROTOCOL_REGEX.test(inputString) || (opts.acceptRelative ? PROTOCOL_RELATIVE_REGEX.test(inputString) : false);
+}
+function hasTrailingSlash(input = "", respectQueryAndFragment) {
+  if (!respectQueryAndFragment) {
+    return input.endsWith("/");
+  }
+  return TRAILING_SLASH_RE.test(input);
+}
+function withoutTrailingSlash(input = "", respectQueryAndFragment) {
+  if (!respectQueryAndFragment) {
+    return (hasTrailingSlash(input) ? input.slice(0, -1) : input) || "/";
+  }
+  if (!hasTrailingSlash(input, true)) {
+    return input || "/";
+  }
+  let path2 = input;
+  let fragment = "";
+  const fragmentIndex = input.indexOf("#");
+  if (fragmentIndex !== -1) {
+    path2 = input.slice(0, fragmentIndex);
+    fragment = input.slice(fragmentIndex);
+  }
+  const [s0, ...s] = path2.split("?");
+  const cleanPath = s0.endsWith("/") ? s0.slice(0, -1) : s0;
+  return (cleanPath || "/") + (s.length > 0 ? `?${s.join("?")}` : "") + fragment;
+}
+function withTrailingSlash(input = "", respectQueryAndFragment) {
+  if (!respectQueryAndFragment) {
+    return input.endsWith("/") ? input : input + "/";
+  }
+  if (hasTrailingSlash(input, true)) {
+    return input || "/";
+  }
+  let path2 = input;
+  let fragment = "";
+  const fragmentIndex = input.indexOf("#");
+  if (fragmentIndex !== -1) {
+    path2 = input.slice(0, fragmentIndex);
+    fragment = input.slice(fragmentIndex);
+    if (!path2) {
+      return fragment;
+    }
+  }
+  const [s0, ...s] = path2.split("?");
+  return s0 + "/" + (s.length > 0 ? `?${s.join("?")}` : "") + fragment;
+}
+function withBase(input, base) {
+  if (isEmptyURL(base) || hasProtocol(input)) {
+    return input;
+  }
+  const _base = withoutTrailingSlash(base);
+  if (input.startsWith(_base)) {
+    const nextChar = input[_base.length];
+    if (!nextChar || nextChar === "/" || nextChar === "?") {
+      return input;
+    }
+  }
+  return joinURL(_base, input);
+}
+function withQuery(input, query) {
+  const parsed = parseURL(input);
+  const mergedQuery = { ...parseQuery(parsed.search), ...query };
+  parsed.search = stringifyQuery(mergedQuery);
+  return stringifyParsedURL(parsed);
+}
+function isEmptyURL(url) {
+  return !url || url === "/";
+}
+function isNonEmptyURL(url) {
+  return url && url !== "/";
+}
+function joinURL(base, ...input) {
+  let url = base || "";
+  for (const segment of input.filter((url2) => isNonEmptyURL(url2))) {
+    if (url) {
+      const _segment = segment.replace(JOIN_LEADING_SLASH_RE, "");
+      url = withTrailingSlash(url) + _segment;
+    } else {
+      url = segment;
+    }
+  }
+  return url;
+}
+var protocolRelative = /* @__PURE__ */ Symbol.for("ufo:protocolRelative");
+function parseURL(input = "", defaultProto) {
+  const _specialProtoMatch = input.match(
+    /^[\s\0]*(blob:|data:|javascript:|vbscript:)(.*)/i
+  );
+  if (_specialProtoMatch) {
+    const [, _proto, _pathname = ""] = _specialProtoMatch;
+    return {
+      protocol: _proto.toLowerCase(),
+      pathname: _pathname,
+      href: _proto + _pathname,
+      auth: "",
+      host: "",
+      search: "",
+      hash: ""
+    };
+  }
+  if (!hasProtocol(input, { acceptRelative: true })) {
+    return defaultProto ? parseURL(defaultProto + input) : parsePath(input);
+  }
+  const [, protocol = "", auth, hostAndPath = ""] = input.replace(/\\/g, "/").match(/^[\s\0]*([\w+.-]{2,}:)?\/\/([^/@]+@)?(.*)/) || [];
+  let [, host = "", path2 = ""] = hostAndPath.match(/([^#/?]*)(.*)?/) || [];
+  if (protocol === "file:") {
+    path2 = path2.replace(/\/(?=[A-Za-z]:)/, "");
+  }
+  const { pathname, search, hash } = parsePath(path2);
+  return {
+    protocol: protocol.toLowerCase(),
+    auth: auth ? auth.slice(0, Math.max(0, auth.length - 1)) : "",
+    host,
+    pathname,
+    search,
+    hash,
+    [protocolRelative]: !protocol
+  };
+}
+function parsePath(input = "") {
+  const [pathname = "", search = "", hash = ""] = (input.match(/([^#?]*)(\?[^#]*)?(#.*)?/) || []).splice(1);
+  return {
+    pathname,
+    search,
+    hash
+  };
+}
+function stringifyParsedURL(parsed) {
+  const pathname = parsed.pathname || "";
+  const search = parsed.search ? (parsed.search.startsWith("?") ? "" : "?") + parsed.search : "";
+  const hash = parsed.hash || "";
+  const auth = parsed.auth ? parsed.auth + "@" : "";
+  const host = parsed.host || "";
+  const proto = parsed.protocol || parsed[protocolRelative] ? (parsed.protocol || "") + "//" : "";
+  return proto + auth + host + pathname + search + hash;
+}
+
+// ../../node_modules/.pnpm/ofetch@1.5.1/node_modules/ofetch/dist/shared/ofetch.CWycOUEr.mjs
+var FetchError = class extends Error {
+  constructor(message, opts) {
+    super(message, opts);
+    this.name = "FetchError";
+    if (opts?.cause && !this.cause) {
+      this.cause = opts.cause;
+    }
+  }
+};
+function createFetchError(ctx) {
+  const errorMessage = ctx.error?.message || ctx.error?.toString() || "";
+  const method = ctx.request?.method || ctx.options?.method || "GET";
+  const url = ctx.request?.url || String(ctx.request) || "/";
+  const requestStr = `[${method}] ${JSON.stringify(url)}`;
+  const statusStr = ctx.response ? `${ctx.response.status} ${ctx.response.statusText}` : "<no response>";
+  const message = `${requestStr}: ${statusStr}${errorMessage ? ` ${errorMessage}` : ""}`;
+  const fetchError = new FetchError(
+    message,
+    ctx.error ? { cause: ctx.error } : void 0
+  );
+  for (const key of ["request", "options", "response"]) {
+    Object.defineProperty(fetchError, key, {
+      get() {
+        return ctx[key];
+      }
+    });
+  }
+  for (const [key, refKey] of [
+    ["data", "_data"],
+    ["status", "status"],
+    ["statusCode", "status"],
+    ["statusText", "statusText"],
+    ["statusMessage", "statusText"]
+  ]) {
+    Object.defineProperty(fetchError, key, {
+      get() {
+        return ctx.response && ctx.response[refKey];
+      }
+    });
+  }
+  return fetchError;
+}
+var payloadMethods = new Set(
+  Object.freeze(["PATCH", "POST", "PUT", "DELETE"])
+);
+function isPayloadMethod(method = "GET") {
+  return payloadMethods.has(method.toUpperCase());
+}
+function isJSONSerializable(value) {
+  if (value === void 0) {
+    return false;
+  }
+  const t = typeof value;
+  if (t === "string" || t === "number" || t === "boolean" || t === null) {
+    return true;
+  }
+  if (t !== "object") {
+    return false;
+  }
+  if (Array.isArray(value)) {
+    return true;
+  }
+  if (value.buffer) {
+    return false;
+  }
+  if (value instanceof FormData || value instanceof URLSearchParams) {
+    return false;
+  }
+  return value.constructor && value.constructor.name === "Object" || typeof value.toJSON === "function";
+}
+var textTypes = /* @__PURE__ */ new Set([
+  "image/svg",
+  "application/xml",
+  "application/xhtml",
+  "application/html"
+]);
+var JSON_RE = /^application\/(?:[\w!#$%&*.^`~-]*\+)?json(;.+)?$/i;
+function detectResponseType(_contentType = "") {
+  if (!_contentType) {
+    return "json";
+  }
+  const contentType = _contentType.split(";").shift() || "";
+  if (JSON_RE.test(contentType)) {
+    return "json";
+  }
+  if (contentType === "text/event-stream") {
+    return "stream";
+  }
+  if (textTypes.has(contentType) || contentType.startsWith("text/")) {
+    return "text";
+  }
+  return "blob";
+}
+function resolveFetchOptions(request, input, defaults, Headers2) {
+  const headers = mergeHeaders(
+    input?.headers ?? request?.headers,
+    defaults?.headers,
+    Headers2
+  );
+  let query;
+  if (defaults?.query || defaults?.params || input?.params || input?.query) {
+    query = {
+      ...defaults?.params,
+      ...defaults?.query,
+      ...input?.params,
+      ...input?.query
+    };
+  }
+  return {
+    ...defaults,
+    ...input,
+    query,
+    params: query,
+    headers
+  };
+}
+function mergeHeaders(input, defaults, Headers2) {
+  if (!defaults) {
+    return new Headers2(input);
+  }
+  const headers = new Headers2(defaults);
+  if (input) {
+    for (const [key, value] of Symbol.iterator in input || Array.isArray(input) ? input : new Headers2(input)) {
+      headers.set(key, value);
+    }
+  }
+  return headers;
+}
+async function callHooks(context, hooks) {
+  if (hooks) {
+    if (Array.isArray(hooks)) {
+      for (const hook of hooks) {
+        await hook(context);
+      }
+    } else {
+      await hooks(context);
+    }
+  }
+}
+var retryStatusCodes = /* @__PURE__ */ new Set([
+  408,
+  // Request Timeout
+  409,
+  // Conflict
+  425,
+  // Too Early (Experimental)
+  429,
+  // Too Many Requests
+  500,
+  // Internal Server Error
+  502,
+  // Bad Gateway
+  503,
+  // Service Unavailable
+  504
+  // Gateway Timeout
+]);
+var nullBodyResponses = /* @__PURE__ */ new Set([101, 204, 205, 304]);
+function createFetch(globalOptions = {}) {
+  const {
+    fetch: fetch3 = globalThis.fetch,
+    Headers: Headers2 = globalThis.Headers,
+    AbortController: AbortController3 = globalThis.AbortController
+  } = globalOptions;
+  async function onError(context) {
+    const isAbort = context.error && context.error.name === "AbortError" && !context.options.timeout || false;
+    if (context.options.retry !== false && !isAbort) {
+      let retries;
+      if (typeof context.options.retry === "number") {
+        retries = context.options.retry;
+      } else {
+        retries = isPayloadMethod(context.options.method) ? 0 : 1;
+      }
+      const responseCode = context.response && context.response.status || 500;
+      if (retries > 0 && (Array.isArray(context.options.retryStatusCodes) ? context.options.retryStatusCodes.includes(responseCode) : retryStatusCodes.has(responseCode))) {
+        const retryDelay = typeof context.options.retryDelay === "function" ? context.options.retryDelay(context) : context.options.retryDelay || 0;
+        if (retryDelay > 0) {
+          await new Promise((resolve5) => setTimeout(resolve5, retryDelay));
+        }
+        return $fetchRaw(context.request, {
+          ...context.options,
+          retry: retries - 1
+        });
+      }
+    }
+    const error = createFetchError(context);
+    if (Error.captureStackTrace) {
+      Error.captureStackTrace(error, $fetchRaw);
+    }
+    throw error;
+  }
+  const $fetchRaw = async function $fetchRaw2(_request, _options = {}) {
+    const context = {
+      request: _request,
+      options: resolveFetchOptions(
+        _request,
+        _options,
+        globalOptions.defaults,
+        Headers2
+      ),
+      response: void 0,
+      error: void 0
+    };
+    if (context.options.method) {
+      context.options.method = context.options.method.toUpperCase();
+    }
+    if (context.options.onRequest) {
+      await callHooks(context, context.options.onRequest);
+      if (!(context.options.headers instanceof Headers2)) {
+        context.options.headers = new Headers2(
+          context.options.headers || {}
+          /* compat */
+        );
+      }
+    }
+    if (typeof context.request === "string") {
+      if (context.options.baseURL) {
+        context.request = withBase(context.request, context.options.baseURL);
+      }
+      if (context.options.query) {
+        context.request = withQuery(context.request, context.options.query);
+        delete context.options.query;
+      }
+      if ("query" in context.options) {
+        delete context.options.query;
+      }
+      if ("params" in context.options) {
+        delete context.options.params;
+      }
+    }
+    if (context.options.body && isPayloadMethod(context.options.method)) {
+      if (isJSONSerializable(context.options.body)) {
+        const contentType = context.options.headers.get("content-type");
+        if (typeof context.options.body !== "string") {
+          context.options.body = contentType === "application/x-www-form-urlencoded" ? new URLSearchParams(
+            context.options.body
+          ).toString() : JSON.stringify(context.options.body);
+        }
+        if (!contentType) {
+          context.options.headers.set("content-type", "application/json");
+        }
+        if (!context.options.headers.has("accept")) {
+          context.options.headers.set("accept", "application/json");
+        }
+      } else if (
+        // ReadableStream Body
+        "pipeTo" in context.options.body && typeof context.options.body.pipeTo === "function" || // Node.js Stream Body
+        typeof context.options.body.pipe === "function"
+      ) {
+        if (!("duplex" in context.options)) {
+          context.options.duplex = "half";
+        }
+      }
+    }
+    let abortTimeout;
+    if (!context.options.signal && context.options.timeout) {
+      const controller = new AbortController3();
+      abortTimeout = setTimeout(() => {
+        const error = new Error(
+          "[TimeoutError]: The operation was aborted due to timeout"
+        );
+        error.name = "TimeoutError";
+        error.code = 23;
+        controller.abort(error);
+      }, context.options.timeout);
+      context.options.signal = controller.signal;
+    }
+    try {
+      context.response = await fetch3(
+        context.request,
+        context.options
+      );
+    } catch (error) {
+      context.error = error;
+      if (context.options.onRequestError) {
+        await callHooks(
+          context,
+          context.options.onRequestError
+        );
+      }
+      return await onError(context);
+    } finally {
+      if (abortTimeout) {
+        clearTimeout(abortTimeout);
+      }
+    }
+    const hasBody = (context.response.body || // https://github.com/unjs/ofetch/issues/324
+    // https://github.com/unjs/ofetch/issues/294
+    // https://github.com/JakeChampion/fetch/issues/1454
+    context.response._bodyInit) && !nullBodyResponses.has(context.response.status) && context.options.method !== "HEAD";
+    if (hasBody) {
+      const responseType = (context.options.parseResponse ? "json" : context.options.responseType) || detectResponseType(context.response.headers.get("content-type") || "");
+      switch (responseType) {
+        case "json": {
+          const data = await context.response.text();
+          const parseFunction = context.options.parseResponse || destr;
+          context.response._data = parseFunction(data);
+          break;
+        }
+        case "stream": {
+          context.response._data = context.response.body || context.response._bodyInit;
+          break;
+        }
+        default: {
+          context.response._data = await context.response[responseType]();
+        }
+      }
+    }
+    if (context.options.onResponse) {
+      await callHooks(
+        context,
+        context.options.onResponse
+      );
+    }
+    if (!context.options.ignoreResponseError && context.response.status >= 400 && context.response.status < 600) {
+      if (context.options.onResponseError) {
+        await callHooks(
+          context,
+          context.options.onResponseError
+        );
+      }
+      return await onError(context);
+    }
+    return context.response;
+  };
+  const $fetch = async function $fetch2(request, options) {
+    const r3 = await $fetchRaw(request, options);
+    return r3._data;
+  };
+  $fetch.raw = $fetchRaw;
+  $fetch.native = (...args) => fetch3(...args);
+  $fetch.create = (defaultOptions = {}, customGlobalOptions = {}) => createFetch({
+    ...globalOptions,
+    ...customGlobalOptions,
+    defaults: {
+      ...globalOptions.defaults,
+      ...customGlobalOptions.defaults,
+      ...defaultOptions
+    }
+  });
+  return $fetch;
+}
+
+// ../../node_modules/.pnpm/ofetch@1.5.1/node_modules/ofetch/dist/node.mjs
+function createNodeFetch() {
+  const useKeepAlive = JSON.parse(process.env.FETCH_KEEP_ALIVE || "false");
+  if (!useKeepAlive) {
+    return r;
+  }
+  const agentOptions = { keepAlive: true };
+  const httpAgent = new http.Agent(agentOptions);
+  const httpsAgent = new https.Agent(agentOptions);
+  const nodeFetchOptions = {
+    agent(parsedURL) {
+      return parsedURL.protocol === "http:" ? httpAgent : httpsAgent;
+    }
+  };
+  return function nodeFetchWithKeepAlive(input, init) {
+    return r(input, { ...nodeFetchOptions, ...init });
+  };
+}
+var fetch2 = globalThis.fetch ? (...args) => globalThis.fetch(...args) : createNodeFetch();
+var Headers = globalThis.Headers || n;
+var AbortController2 = globalThis.AbortController || T;
+var ofetch = createFetch({ fetch: fetch2, Headers, AbortController: AbortController2 });
+
+// ../cli-auth/dist/index.js
+var AuthError = class extends Error {
+  status;
+  hint;
+  constructor(status, message, hint) {
+    super(hint ? `${message}
+${hint}` : message);
+    this.name = "AuthError";
+    this.status = status;
+    this.hint = hint;
+  }
+};
+var TOKEN_EXCHANGE_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange";
+var ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token";
+async function exchangeWithDelegation(req) {
+  const url = `${req.idp.replace(/\/$/, "")}/api/oauth/token-exchange`;
+  try {
+    return await ofetch(url, {
+      method: "POST",
+      body: {
+        grant_type: TOKEN_EXCHANGE_GRANT_TYPE,
+        actor_token: req.actorToken,
+        actor_token_type: ACCESS_TOKEN_TYPE,
+        ...req.subjectToken ? { subject_token: req.subjectToken, subject_token_type: ACCESS_TOKEN_TYPE } : {},
+        ...req.audience ? { audience: req.audience } : {},
+        ...req.delegationGrantId ? { delegation_grant_id: req.delegationGrantId } : {}
+      }
+    });
+  } catch (err) {
+    const status = err.status ?? err.statusCode ?? 0;
+    const data = err.data;
+    const title = data?.title ?? `Delegation token-exchange failed (HTTP ${status})`;
+    throw new AuthError(status, title, data?.detail);
+  }
+}
+
+// src/lib/agent-bootstrap.ts
 var AGENT_NAME_REGEX = /^[a-z][a-z0-9-]{0,23}$/;
 var SSH_ED25519_PREFIX = "ssh-ed25519 ";
 var SSH_ED25519_REGEX = /^ssh-ed25519 [A-Za-z0-9+/=]+(\s.*)?$/;
+var ENROLL_AUDIENCE = "enroll-agent";
 async function registerAgentAtIdp(input) {
+  const delegated = await tryDelegatedEnrollToken(input.idp);
   return await apiFetch("/api/enroll", {
     method: "POST",
     body: { name: input.name, publicKey: input.publicKey },
-    idp: input.idp
+    idp: input.idp,
+    ...delegated ? { headers: { Authorization: `Bearer ${delegated}` } } : {}
   });
 }
+async function tryDelegatedEnrollToken(idp) {
+  try {
+    const auth = loadAuth();
+    if (!auth?.access_token) return null;
+    const claims = decodeJwtClaims(auth.access_token);
+    if (claims?.act !== "agent") return null;
+    const ownerEmail = auth.owner_email;
+    if (typeof ownerEmail !== "string" || !ownerEmail) return null;
+    const myEmail = auth.email;
+    if (typeof myEmail !== "string" || !myEmail) return null;
+    const idpUrl = idp ?? auth.idp;
+    if (!idpUrl) return null;
+    const grantId = await findEnrollDelegationGrantId(idpUrl, ownerEmail, myEmail);
+    if (!grantId) return null;
+    const result = await exchangeWithDelegation({
+      idp: idpUrl,
+      actorToken: auth.access_token,
+      audience: ENROLL_AUDIENCE,
+      delegationGrantId: grantId
+    });
+    return result.access_token;
+  } catch {
+    return null;
+  }
+}
+async function findEnrollDelegationGrantId(idp, delegator, delegate) {
+  const url = `${idp.replace(/\/$/, "")}/api/grants?status=approved&limit=200&requester=${encodeURIComponent(delegator)}`;
+  const res = await apiFetch(url);
+  const now = Math.floor(Date.now() / 1e3);
+  for (const g of res.data ?? []) {
+    if (g.type !== "delegation") continue;
+    if (g.status !== "approved") continue;
+    if (g.request.delegate !== delegate) continue;
+    const aud = g.request.audience;
+    if (aud !== "*" && aud !== ENROLL_AUDIENCE) continue;
+    if (g.expires_at && g.expires_at <= now) continue;
+    return g.id;
+  }
+  return null;
+}
+function decodeJwtClaims(token) {
+  try {
+    const part = token.split(".")[1];
+    if (!part) return null;
+    const padded = part + "=".repeat((4 - part.length % 4) % 4);
+    const json = Buffer3.from(padded, "base64").toString("utf8");
+    return JSON.parse(json);
+  } catch {
+    return null;
+  }
+}
 async function issueAgentToken(input) {
   const privateKey = createPrivateKey(input.privateKeyPem);
   const challengeUrl = await getAgentChallengeEndpoint(input.idp);
@@ -2423,16 +3211,16 @@ var listAgentsCommand = defineCommand22({
       consola20.info(args["include-inactive"] ? "No agents found." : "No active agents found. Use --include-inactive to show deactivated.");
       return;
     }
-    const nameW = Math.max(4, ...rows.map((r) => r.name.length));
-    const emailW = Math.max(5, ...rows.map((r) => r.email.length));
+    const nameW = Math.max(4, ...rows.map((r3) => r3.name.length));
+    const emailW = Math.max(5, ...rows.map((r3) => r3.email.length));
     const header = `${"NAME".padEnd(nameW)}  ${"EMAIL".padEnd(emailW)}  ACTIVE  OS-USER  HOME`;
     console.log(header);
     console.log("-".repeat(header.length));
-    for (const r of rows) {
-      const active = r.isActive ? "\u2713" : "\u2717";
-      const os = r.osUser ? "\u2713" : "\u2717";
-      const homeCol = r.home ?? (isDarwin() ? "(missing)" : "(non-darwin)");
-      console.log(`${r.name.padEnd(nameW)}  ${r.email.padEnd(emailW)}  ${active.padEnd(6)}  ${os.padEnd(7)}  ${homeCol}`);
+    for (const r3 of rows) {
+      const active = r3.isActive ? "\u2713" : "\u2717";
+      const os = r3.osUser ? "\u2713" : "\u2717";
+      const homeCol = r3.home ?? (isDarwin() ? "(missing)" : "(non-darwin)");
+      console.log(`${r3.name.padEnd(nameW)}  ${r3.email.padEnd(emailW)}  ${active.padEnd(6)}  ${os.padEnd(7)}  ${homeCol}`);
     }
   }
 });
@@ -2559,12 +3347,12 @@ var fileTools = [
     },
     execute: async (args) => {
       const a = args;
-      const p = jailPath(a.path);
-      const content = readFileSync4(p, "utf8");
+      const p2 = jailPath(a.path);
+      const content = readFileSync4(p2, "utf8");
       if (Buffer.byteLength(content, "utf8") > MAX_BYTES) {
-        return { path: p, truncated: true, content: content.slice(0, MAX_BYTES) };
+        return { path: p2, truncated: true, content: content.slice(0, MAX_BYTES) };
       }
-      return { path: p, truncated: false, content };
+      return { path: p2, truncated: false, content };
     }
   },
   {
@@ -2584,10 +3372,10 @@ var fileTools = [
       if (Buffer.byteLength(a.content, "utf8") > MAX_BYTES) {
         throw new Error(`content exceeds ${MAX_BYTES} byte cap`);
       }
-      const p = jailPath(a.path);
-      mkdirSync(dirname(p), { recursive: true });
-      writeFileSync2(p, a.content, { encoding: "utf8" });
-      return { path: p, bytes: Buffer.byteLength(a.content, "utf8") };
+      const p2 = jailPath(a.path);
+      mkdirSync(dirname(p2), { recursive: true });
+      writeFileSync2(p2, a.content, { encoding: "utf8" });
+      return { path: p2, bytes: Buffer.byteLength(a.content, "utf8") };
     }
   }
 ];
@@ -3076,7 +3864,7 @@ async function postRunResultToChat(opts) {
     if (!contactsRes.ok) return;
     const contacts = await contactsRes.json();
     const ownerLower = opts.ownerEmail.toLowerCase();
-    const ownerRow = contacts.find((c) => c.peerEmail.toLowerCase() === ownerLower && c.connected && c.roomId);
+    const ownerRow = contacts.find((c2) => c2.peerEmail.toLowerCase() === ownerLower && c2.connected && c2.roomId);
     if (!ownerRow?.roomId) {
       consola22.info("chat DM skipped \u2014 no active room with owner (accept the contact request in chat to enable)");
       return;
@@ -3406,8 +4194,8 @@ import { existsSync as existsSync7, mkdirSync as mkdirSync2, readFileSync as rea
 import { generateKeyPairSync } from "crypto";
 import { homedir as homedir7 } from "os";
 import { dirname as dirname2, resolve as resolve3 } from "path";
-function resolveKeyPath(p) {
-  return resolve3(p.replace(/^~/, homedir7()));
+function resolveKeyPath(p2) {
+  return resolve3(p2.replace(/^~/, homedir7()));
 }
 function buildSshEd25519Line(rawPub) {
   const keyTypeStr = "ssh-ed25519";
@@ -3684,7 +4472,15 @@ and try again.`
         email: registration.email,
         expiresAt: Math.floor(Date.now() / 1e3) + expiresIn,
         keyPath: `${homeDir}/.ssh/id_ed25519`,
-        ownerEmail: auth.email
+        // The IdP resolves the owner transitively (when the caller
+        // is itself an agent — e.g. a Nest spawning a child — the
+        // human at the top of the chain becomes owner). Use the
+        // server-resolved owner, not the local caller's auth.email,
+        // otherwise the agent's auth.json will carry the Nest's
+        // email and troop will reject sync calls because the
+        // encoded owner-domain in the agent email doesn't match
+        // the auth.json's owner_email domain.
+        ownerEmail: registration.owner
       });
       const includeClaudeHook = !args["no-claude-hook"];
       const claudeOauthToken = await resolveClaudeToken({
@@ -3924,7 +4720,7 @@ var agentsCommand = defineCommand28({
 });
 
 // src/commands/nest/index.ts
-import { defineCommand as defineCommand34 } from "citty";
+import { defineCommand as defineCommand37 } from "citty";
 
 // src/commands/nest/authorize.ts
 import { execFileSync as execFileSync9 } from "child_process";
@@ -4016,7 +4812,19 @@ var enrollNestCommand = defineCommand29({
 
 // src/commands/nest/authorize.ts
 var DEFAULT_ALLOW_PATTERNS = [
-  // Outer spawn-grant — what the nest's HTTP handler invokes.
+  // Caller → Nest API gates. The new-style flow: `apes nest <op>`
+  // requests a grant with audience='nest' and command=['nest','<op>',
+  // ...]. Patrick's YOLO auto-approves these so the local Nest API
+  // is gated cryptographically without a per-call human prompt.
+  "nest status",
+  "nest list",
+  // spawn uses a wildcard-name grant (one approval, any name)
+  "nest spawn",
+  // destroy stays per-name (typed in command), so the YOLO pattern
+  // matches the per-name shape `nest destroy igor18`.
+  "nest destroy *",
+  // Inner spawn/destroy grants the nest itself triggers via
+  // `apes run --as root --wait -- apes agents spawn|destroy`.
   "apes agents spawn *",
   "apes agents destroy *",
   "apes agents sync",
@@ -4027,11 +4835,12 @@ var DEFAULT_ALLOW_PATTERNS = [
   // glob below limits the auto-approval to that exact lifecycle path
   // — `bash *` would be unsafe.
   "bash *apes-spawn-*setup.sh",
-  // Bridge invocation the supervisor uses to keep agent processes
-  // running. Pattern is intentionally precise — not a generic
-  // `apes run --as *` wildcard — so a compromised nest can't pivot
-  // to running arbitrary commands as arbitrary users.
-  "apes run --as * -- openape-chat-bridge"
+  // Bridge invocation. The grant request escapes-helper sends to the
+  // IdP contains the *inner* command only — `apes run --as <agent> --`
+  // is the wrapper that gets unwrapped before grant creation. So the
+  // YOLO target string is just `openape-chat-bridge`, not the full
+  // wrapped invocation.
+  "openape-chat-bridge"
 ];
 var authorizeNestCommand = defineCommand30({
   meta: {
@@ -4079,13 +4888,148 @@ var authorizeNestCommand = defineCommand30({
   }
 });
 
+// src/commands/nest/destroy.ts
+import process2 from "process";
+import { defineCommand as defineCommand31 } from "citty";
+import consola28 from "consola";
+
+// src/lib/nest-grant-flow.ts
+import { hostname as hostname5 } from "os";
+import consola27 from "consola";
+var NEST_AUDIENCE = "nest";
+async function requestNestGrant(opts) {
+  const auth = loadAuth();
+  if (!auth) {
+    throw new CliError("Not logged in. Run `apes login` first.");
+  }
+  const idp = getIdpUrl(opts.idp) ?? void 0;
+  if (!idp) {
+    throw new CliError("No IdP URL resolved. Pass --idp or run `apes login` first.");
+  }
+  const grantsUrl = await getGrantsEndpoint(idp);
+  const targetHost = opts.targetHost ?? hostname5();
+  const approval = opts.approval ?? "always";
+  const reusableId = await findReusableNestGrant({
+    grantsUrl,
+    requester: auth.email,
+    command: opts.command,
+    targetHost
+  });
+  if (reusableId) {
+    const { authz_jwt: authz_jwt2 } = await apiFetch(`${grantsUrl}/${reusableId}/token`, {
+      method: "POST"
+    });
+    return authz_jwt2;
+  }
+  consola27.info(`Requesting nest grant: ${opts.command.join(" ")}`);
+  const grant = await apiFetch(grantsUrl, {
+    method: "POST",
+    body: {
+      requester: auth.email,
+      target_host: targetHost,
+      audience: NEST_AUDIENCE,
+      grant_type: approval,
+      command: opts.command,
+      reason: opts.reason ?? opts.command.join(" ")
+    }
+  });
+  let approved = grant.status === "approved";
+  const maxWait = 15 * 60 * 1e3;
+  const interval = 3e3;
+  const start = Date.now();
+  while (!approved && Date.now() - start < maxWait) {
+    const status = await apiFetch(`${grantsUrl}/${grant.id}`);
+    if (status.status === "approved") {
+      approved = true;
+      break;
+    }
+    if (status.status === "denied" || status.status === "revoked") {
+      throw new CliError(`Grant ${status.status}.`);
+    }
+    if (!approved) {
+      consola27.info(`Waiting for approval: ${idp}/grant-approval?grant_id=${grant.id}`);
+      await new Promise((r3) => setTimeout(r3, interval));
+    }
+  }
+  if (!approved) {
+    throw new CliError(
+      `Grant approval timed out after 15 min (still pending). Check your DDISA inbox at ${idp}/grant-approval?grant_id=${grant.id}.`
+    );
+  }
+  const { authz_jwt } = await apiFetch(`${grantsUrl}/${grant.id}/token`, {
+    method: "POST"
+  });
+  return authz_jwt;
+}
+function nestBaseUrl(port) {
+  const p2 = port ?? Number(process.env.OPENAPE_NEST_PORT ?? 9091);
+  return `http://127.0.0.1:${p2}`;
+}
+async function findReusableNestGrant(opts) {
+  try {
+    const grants = await apiFetch(
+      `${opts.grantsUrl}?requester=${encodeURIComponent(opts.requester)}&status=approved&limit=50`
+    );
+    const now = Math.floor(Date.now() / 1e3);
+    const match = grants.data.find((g) => {
+      const r3 = g.request;
+      if (r3.audience !== NEST_AUDIENCE) return false;
+      if (r3.target_host !== opts.targetHost) return false;
+      if (r3.grant_type === "once") return false;
+      if (r3.grant_type === "timed" && g.expires_at && g.expires_at <= now) return false;
+      const cmd = r3.command ?? [];
+      if (cmd.length !== opts.command.length) return false;
+      return cmd.every((c2, i) => c2 === opts.command[i]);
+    });
+    return match?.id ?? null;
+  } catch {
+    return null;
+  }
+}
+
+// src/commands/nest/destroy.ts
+var destroyNestCommand = defineCommand31({
+  meta: {
+    name: "destroy",
+    description: "Tear down an agent on the local nest (removes macOS user, hard-deletes IdP record, drops bridge plist). Requires a DDISA `nest destroy <name>` grant."
+  },
+  args: {
+    name: { type: "positional", required: true, description: "Agent name to destroy" },
+    port: { type: "string", description: "Override nest port (default: 9091)" }
+  },
+  async run({ args }) {
+    const name = String(args.name);
+    const token = await requestNestGrant({ command: ["nest", "destroy", name] });
+    const base = nestBaseUrl(args.port ? Number(args.port) : void 0);
+    try {
+      const res = await fetch(`${base}/agents/${encodeURIComponent(name)}`, {
+        method: "DELETE",
+        headers: { Authorization: `Bearer ${token}` }
+      });
+      if (!res.ok) {
+        const text = await res.text().catch(() => "");
+        throw new CliError(`nest DELETE /agents/${name} failed: ${res.status} ${text}`);
+      }
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      if (msg.includes("ECONNREFUSED") || msg.includes("fetch failed")) {
+        consola28.error(`Nest daemon is not running at ${base}`);
+        consola28.info("  Run:  apes nest install");
+        process2.exit(2);
+      }
+      throw err;
+    }
+    consola28.success(`Destroyed ${name}`);
+  }
+});
+
 // src/commands/nest/install.ts
 import { execFileSync as execFileSync10 } from "child_process";
 import { existsSync as existsSync12, mkdirSync as mkdirSync5, readFileSync as readFileSync11, writeFileSync as writeFileSync7 } from "fs";
 import { homedir as homedir11, userInfo as userInfo2 } from "os";
 import { dirname as dirname3, join as join10 } from "path";
-import { defineCommand as defineCommand31 } from "citty";
-import consola27 from "consola";
+import { defineCommand as defineCommand32 } from "citty";
+import consola29 from "consola";
 
 // src/commands/nest/apes-agents-adapter.ts
 var APES_AGENTS_ADAPTER_TOML = `schema = "openape-shapes/v1"
@@ -4202,7 +5146,7 @@ function installAdapter2() {
   }
   if (existing === APES_AGENTS_ADAPTER_TOML) return false;
   writeFileSync7(target, APES_AGENTS_ADAPTER_TOML, { mode: 420 });
-  consola27.success(`Wrote shapes adapter ${target}`);
+  consola29.success(`Wrote shapes adapter ${target}`);
   return true;
 }
 function findBinary(name) {
@@ -4212,12 +5156,12 @@ function findBinary(name) {
     "/usr/local/bin",
     "/usr/bin"
   ]) {
-    const p = join10(dir, name);
-    if (existsSync12(p)) return p;
+    const p2 = join10(dir, name);
+    if (existsSync12(p2)) return p2;
   }
   throw new Error(`could not locate ${name} on PATH; install it first`);
 }
-var installNestCommand = defineCommand31({
+var installNestCommand = defineCommand32({
   meta: {
     name: "install",
     description: "Install + start the local nest-daemon (idempotent \u2014 re-running just restarts)"
@@ -4236,10 +5180,10 @@ var installNestCommand = defineCommand31({
     }
     const nestBin = findBinary("openape-nest");
     const apesBin = findBinary("apes");
-    consola27.info(`Installing nest at ${plistPath()}`);
-    consola27.info(`  nest binary: ${nestBin}`);
-    consola27.info(`  apes binary: ${apesBin}`);
-    consola27.info(`  HTTP port:   ${port}`);
+    consola29.info(`Installing nest at ${plistPath()}`);
+    consola29.info(`  nest binary: ${nestBin}`);
+    consola29.info(`  apes binary: ${apesBin}`);
+    consola29.info(`  HTTP port:   ${port}`);
     installAdapter2();
     mkdirSync5(join10(homeDir, "Library", "LaunchAgents"), { recursive: true });
     mkdirSync5(NEST_DATA_DIR, { recursive: true });
@@ -4251,9 +5195,9 @@ var installNestCommand = defineCommand31({
     }
     if (existing !== desired) {
       writeFileSync7(plistPath(), desired, { mode: 420 });
-      consola27.success("Wrote launchd plist");
+      consola29.success("Wrote launchd plist");
     } else {
-      consola27.info("plist already up to date");
+      consola29.info("plist already up to date");
     }
     const uid = userInfo2().uid;
     try {
@@ -4261,45 +5205,156 @@ var installNestCommand = defineCommand31({
     } catch {
     }
     execFileSync10("/bin/launchctl", ["bootstrap", `gui/${uid}`, plistPath()], { stdio: "inherit" });
-    consola27.success(`Nest daemon bootstrapped \u2014 http://127.0.0.1:${port}`);
-    consola27.info("");
-    consola27.info("Next steps for zero-prompt spawn \u2014 both one-time:");
-    consola27.info("");
-    consola27.info("  1. apes nest enroll       # register nest as DDISA agent (creates own auth.json)");
-    consola27.info("  2. apes nest authorize    # set YOLO-policy on the nest agent");
-    consola27.info("");
-    consola27.info("After that, every `POST http://127.0.0.1:9091/agents` runs without DDISA prompts.");
+    consola29.success(`Nest daemon bootstrapped \u2014 http://127.0.0.1:${port}`);
+    consola29.info("");
+    consola29.info("Next steps for zero-prompt spawn \u2014 both one-time:");
+    consola29.info("");
+    consola29.info("  1. apes nest enroll       # register nest as DDISA agent (creates own auth.json)");
+    consola29.info("  2. apes nest authorize    # set YOLO-policy on the nest agent");
+    consola29.info("");
+    consola29.info("After that, every `POST http://127.0.0.1:9091/agents` runs without DDISA prompts.");
+  }
+});
+
+// src/commands/nest/list.ts
+import process3 from "process";
+import { defineCommand as defineCommand33 } from "citty";
+import consola30 from "consola";
+var listNestCommand = defineCommand33({
+  meta: {
+    name: "list",
+    description: "List agents registered with the local nest. Goes through DDISA grants \u2014 YOLO auto-approves under the standard nest policy."
+  },
+  args: {
+    port: { type: "string", description: "Override nest port (default: 9091)" },
+    json: { type: "boolean", description: "JSON output for scripts" }
+  },
+  async run({ args }) {
+    const token = await requestNestGrant({ command: ["nest", "list"] });
+    const base = nestBaseUrl(args.port ? Number(args.port) : void 0);
+    let resp;
+    try {
+      const res = await fetch(`${base}/agents`, {
+        headers: { Authorization: `Bearer ${token}` }
+      });
+      if (!res.ok) {
+        const text = await res.text().catch(() => "");
+        throw new CliError(`nest GET /agents failed: ${res.status} ${text}`);
+      }
+      resp = await res.json();
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      if (msg.includes("ECONNREFUSED") || msg.includes("fetch failed")) {
+        consola30.error(`Nest daemon is not running at ${base}`);
+        consola30.info("  Run:  apes nest install");
+        process3.exit(2);
+      }
+      throw err;
+    }
+    if (args.json) {
+      console.log(JSON.stringify(resp, null, 2));
+      return;
+    }
+    if (resp.agents.length === 0) {
+      consola30.info("(no agents registered with this nest)");
+      return;
+    }
+    consola30.info(`${resp.agents.length} agent(s) registered with this nest:`);
+    for (const a of resp.agents) {
+      const bridge = a.bridge ? " bridge=on" : "";
+      consola30.info(`  ${a.name.padEnd(16)} uid=${String(a.uid).padEnd(5)} home=${a.home}${bridge}`);
+    }
+  }
+});
+
+// src/commands/nest/spawn.ts
+import process4 from "process";
+import { defineCommand as defineCommand34 } from "citty";
+import consola31 from "consola";
+var spawnNestCommand = defineCommand34({
+  meta: {
+    name: "spawn",
+    description: "Spawn a new agent on the local nest. Requires a DDISA `nest spawn <name>` grant \u2014 auto-approved by Patrick's policy on first use, reused on subsequent calls."
+  },
+  args: {
+    name: { type: "positional", required: true, description: "Agent name (lowercase, [a-z0-9-], max 24 chars)" },
+    "no-bridge": { type: "boolean", description: "Skip installing the chat-bridge daemon (default: install it)" },
+    "bridge-key": { type: "string", description: "Override LITELLM_API_KEY (default: read from ~/litellm/.env)" },
+    "bridge-base-url": { type: "string", description: "Override LITELLM_BASE_URL (default: read from ~/litellm/.env)" },
+    "bridge-model": { type: "string", description: "Override APE_CHAT_BRIDGE_MODEL" },
+    "port": { type: "string", description: "Override nest port (default: 9091)" }
+  },
+  async run({ args }) {
+    const name = String(args.name);
+    const token = await requestNestGrant({ command: ["nest", "spawn"] });
+    const base = nestBaseUrl(args.port ? Number(args.port) : void 0);
+    const reqBody = {
+      name,
+      bridge: !args["no-bridge"]
+    };
+    if (typeof args["bridge-key"] === "string") reqBody.bridgeKey = args["bridge-key"];
+    if (typeof args["bridge-base-url"] === "string") reqBody.bridgeBaseUrl = args["bridge-base-url"];
+    if (typeof args["bridge-model"] === "string") reqBody.bridgeModel = args["bridge-model"];
+    let resp;
+    try {
+      const res = await fetch(`${base}/agents`, {
+        method: "POST",
+        headers: {
+          "Authorization": `Bearer ${token}`,
+          "Content-Type": "application/json"
+        },
+        body: JSON.stringify(reqBody)
+      });
+      if (!res.ok) {
+        const text = await res.text().catch(() => "");
+        throw new CliError(`nest POST /agents failed: ${res.status} ${text}`);
+      }
+      resp = await res.json();
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      if (msg.includes("ECONNREFUSED") || msg.includes("fetch failed")) {
+        consola31.error(`Nest daemon is not running at ${base}`);
+        consola31.info("  Run:  apes nest install");
+        process4.exit(2);
+      }
+      throw err;
+    }
+    consola31.success(`Spawned ${resp.name} (uid=${resp.uid}, home=${resp.home})`);
   }
 });
 
 // src/commands/nest/status.ts
-import process2 from "process";
-import { defineCommand as defineCommand32 } from "citty";
-import consola28 from "consola";
-var DEFAULT_PORT = 9091;
-var statusNestCommand = defineCommand32({
+import process5 from "process";
+import { defineCommand as defineCommand35 } from "citty";
+import consola32 from "consola";
+var statusNestCommand = defineCommand35({
   meta: {
     name: "status",
-    description: "Print state of the local nest-daemon (agents registered, processes supervised)"
+    description: "Print health of the local nest-daemon (agents registered). Goes through DDISA grants."
   },
   args: {
     port: { type: "string", description: "Override nest port (default: 9091)" },
     json: { type: "boolean", description: "JSON output for scripts" }
   },
   async run({ args }) {
-    const port = Number(args.port ?? process2.env.OPENAPE_NEST_PORT ?? DEFAULT_PORT);
-    const url = `http://127.0.0.1:${port}/status`;
+    const token = await requestNestGrant({ command: ["nest", "status"] });
+    const base = nestBaseUrl(args.port ? Number(args.port) : void 0);
     let status;
     try {
-      const res = await fetch(url);
-      if (!res.ok) throw new Error(`HTTP ${res.status}`);
+      const res = await fetch(`${base}/status`, {
+        headers: { Authorization: `Bearer ${token}` }
+      });
+      if (!res.ok) {
+        const text = await res.text().catch(() => "");
+        throw new CliError(`nest GET /status failed: ${res.status} ${text}`);
+      }
       status = await res.json();
     } catch (err) {
       const msg = err instanceof Error ? err.message : String(err);
       if (msg.includes("ECONNREFUSED") || msg.includes("fetch failed")) {
-        consola28.error(`Nest daemon is not running at http://127.0.0.1:${port}`);
-        consola28.info("  Run:  apes nest install");
-        process2.exit(2);
+        consola32.error(`Nest daemon is not running at ${base}`);
+        consola32.info("  Run:  apes nest install");
+        process5.exit(2);
       }
       throw err;
     }
@@ -4307,34 +5362,19 @@ var statusNestCommand = defineCommand32({
       console.log(JSON.stringify(status, null, 2));
       return;
     }
-    consola28.info(`Nest at http://127.0.0.1:${port} \u2014 ${status.agents} agent(s) registered, ${status.processes.length} supervised`);
-    if (status.processes.length === 0) {
-      consola28.info("  (no processes running)");
-      return;
-    }
-    for (const p of status.processes) {
-      const uptime = humanDuration(p.uptimeSec);
-      const crashTag = p.consecutiveCrashes > 0 ? ` \u26A0 ${p.consecutiveCrashes} crash(es)` : "";
-      consola28.info(`  ${p.name.padEnd(16)} pid=${String(p.pid).padEnd(6)} up=${uptime}${crashTag}`);
-    }
+    consola32.info(`Nest at ${base} \u2014 ${status.agents} agent(s) registered`);
   }
 });
-function humanDuration(sec) {
-  if (sec < 60) return `${sec}s`;
-  if (sec < 3600) return `${Math.floor(sec / 60)}m`;
-  if (sec < 86400) return `${Math.floor(sec / 3600)}h`;
-  return `${Math.floor(sec / 86400)}d`;
-}
 
 // src/commands/nest/uninstall.ts
 import { execFileSync as execFileSync11 } from "child_process";
 import { existsSync as existsSync13, unlinkSync } from "fs";
 import { homedir as homedir12, userInfo as userInfo3 } from "os";
 import { join as join11 } from "path";
-import { defineCommand as defineCommand33 } from "citty";
-import consola29 from "consola";
+import { defineCommand as defineCommand36 } from "citty";
+import consola33 from "consola";
 var PLIST_LABEL2 = "ai.openape.nest";
-var uninstallNestCommand = defineCommand33({
+var uninstallNestCommand = defineCommand36({
   meta: {
     name: "uninstall",
     description: "Stop + remove the local nest-daemon (registry + agents preserved)"
@@ -4344,40 +5384,43 @@ var uninstallNestCommand = defineCommand33({
     const path2 = join11(homedir12(), "Library", "LaunchAgents", `${PLIST_LABEL2}.plist`);
     try {
       execFileSync11("/bin/launchctl", ["bootout", `gui/${uid}/${PLIST_LABEL2}`], { stdio: "ignore" });
-      consola29.success("Nest daemon stopped");
+      consola33.success("Nest daemon stopped");
     } catch {
-      consola29.info("Nest daemon was not loaded");
+      consola33.info("Nest daemon was not loaded");
     }
     if (existsSync13(path2)) {
       unlinkSync(path2);
-      consola29.success(`Removed ${path2}`);
+      consola33.success(`Removed ${path2}`);
     }
-    consola29.info("Registry at ~/.openape/nest/agents.json kept \u2014 re-run `apes nest install` to resume supervision.");
+    consola33.info("Registry at ~/.openape/nest/agents.json kept \u2014 re-run `apes nest install` to resume supervision.");
   }
 });
 
 // src/commands/nest/index.ts
-var nestCommand = defineCommand34({
+var nestCommand = defineCommand37({
   meta: {
     name: "nest",
-    description: "Manage the local Nest control-plane daemon (install / enroll / authorize / status / uninstall). One-time setup: `install` (launchd) \u2192 `enroll` (own DDISA identity) \u2192 `authorize` (YOLO-policy). After that, `apes agents spawn` runs without per-call DDISA approvals."
+    description: "Manage the local Nest control-plane daemon. One-time setup: `install` (launchd) \u2192 `enroll` (own DDISA identity) \u2192 `authorize` (YOLO-policy). Day-to-day: `status` / `list` (read-only) and `spawn` / `destroy` (mutating) \u2014 every API call is gated by a DDISA grant audited at the IdP, YOLO-approved silently under the policy `apes nest authorize` sets up."
   },
   subCommands: {
     install: installNestCommand,
     enroll: enrollNestCommand,
     authorize: authorizeNestCommand,
     status: statusNestCommand,
+    list: listNestCommand,
+    spawn: spawnNestCommand,
+    destroy: destroyNestCommand,
     uninstall: uninstallNestCommand
   }
 });
 
 // src/commands/yolo/index.ts
-import { defineCommand as defineCommand38 } from "citty";
+import { defineCommand as defineCommand41 } from "citty";
 
 // src/commands/yolo/clear.ts
-import { defineCommand as defineCommand35 } from "citty";
-import consola30 from "consola";
-var yoloClearCommand = defineCommand35({
+import { defineCommand as defineCommand38 } from "citty";
+import consola34 from "consola";
+var yoloClearCommand = defineCommand38({
   meta: {
     name: "clear",
     description: "Remove the YOLO-policy from a DDISA agent (subsequent grants need human approval)"
@@ -4406,15 +5449,15 @@ var yoloClearCommand = defineCommand35({
       const text = await res.text().catch(() => "");
       throw new CliError(`DELETE /yolo-policy failed (${res.status}): ${text}`);
     }
-    consola30.success(`YOLO-policy cleared on ${email}`);
+    consola34.success(`YOLO-policy cleared on ${email}`);
   }
 });
 
 // src/commands/yolo/set.ts
-import { defineCommand as defineCommand36 } from "citty";
-import consola31 from "consola";
+import { defineCommand as defineCommand39 } from "citty";
+import consola35 from "consola";
 var VALID_MODES = ["allow-list", "deny-list"];
-var yoloSetCommand = defineCommand36({
+var yoloSetCommand = defineCommand39({
   meta: {
     name: "set",
     description: "Write a YOLO-policy on a DDISA agent you own"
@@ -4462,12 +5505,12 @@ var yoloSetCommand = defineCommand36({
     const denyPatterns = parseList(args.deny);
     const denyRiskThreshold = args["deny-risk"] ?? null;
     const expiresAt = parseExpiresIn(args["expires-in"]);
-    consola31.info(`Setting YOLO-policy on ${email}`);
-    consola31.info(`  mode:           ${mode}`);
-    if (allowPatterns.length) consola31.info(`  allow_patterns: ${allowPatterns.join(", ")}`);
-    if (denyPatterns.length) consola31.info(`  deny_patterns:  ${denyPatterns.join(", ")}`);
-    if (denyRiskThreshold) consola31.info(`  deny_risk:      ${denyRiskThreshold}`);
-    if (expiresAt) consola31.info(`  expires_at:     ${new Date(expiresAt * 1e3).toISOString()}`);
+    consola35.info(`Setting YOLO-policy on ${email}`);
+    consola35.info(`  mode:           ${mode}`);
+    if (allowPatterns.length) consola35.info(`  allow_patterns: ${allowPatterns.join(", ")}`);
+    if (denyPatterns.length) consola35.info(`  deny_patterns:  ${denyPatterns.join(", ")}`);
+    if (denyRiskThreshold) consola35.info(`  deny_risk:      ${denyRiskThreshold}`);
+    if (expiresAt) consola35.info(`  expires_at:     ${new Date(expiresAt * 1e3).toISOString()}`);
     const url = `${idp}/api/users/${encodeURIComponent(email)}/yolo-policy`;
     const res = await fetch(url, {
       method: "PUT",
@@ -4487,27 +5530,27 @@ var yoloSetCommand = defineCommand36({
       const text = await res.text().catch(() => "");
       throw new CliError(`PUT /yolo-policy failed (${res.status}): ${text}`);
     }
-    consola31.success(`YOLO-policy applied to ${email}`);
+    consola35.success(`YOLO-policy applied to ${email}`);
   }
 });
 function parseList(s) {
   if (!s) return [];
-  return s.split(",").map((p) => p.trim()).filter(Boolean);
+  return s.split(",").map((p2) => p2.trim()).filter(Boolean);
 }
 function parseExpiresIn(s) {
   if (!s) return null;
   const m = s.match(/^(\d+)([hdw])$/);
   if (!m) throw new CliError(`Invalid --expires-in "${s}" \u2014 expected forms like 30d, 6h, 2w`);
-  const n = Number(m[1]);
+  const n2 = Number(m[1]);
   const unit = m[2];
   const seconds = unit === "h" ? 3600 : unit === "d" ? 86400 : 7 * 86400;
-  return Math.floor(Date.now() / 1e3) + n * seconds;
+  return Math.floor(Date.now() / 1e3) + n2 * seconds;
 }
 
 // src/commands/yolo/show.ts
-import { defineCommand as defineCommand37 } from "citty";
-import consola32 from "consola";
-var yoloShowCommand = defineCommand37({
+import { defineCommand as defineCommand40 } from "citty";
+import consola36 from "consola";
+var yoloShowCommand = defineCommand40({
   meta: {
     name: "show",
     description: "Print the YOLO-policy currently set on a DDISA agent"
@@ -4544,17 +5587,17 @@ var yoloShowCommand = defineCommand37({
       console.log(JSON.stringify(policy, null, 2));
       return;
     }
-    consola32.info(`YOLO-policy for ${email}`);
-    consola32.info(`  mode:           ${policy.mode}`);
-    consola32.info(`  allow_patterns: ${policy.allowPatterns.length ? policy.allowPatterns.join(", ") : "(none)"}`);
-    consola32.info(`  deny_patterns:  ${policy.denyPatterns.length ? policy.denyPatterns.join(", ") : "(none)"}`);
-    consola32.info(`  deny_risk:      ${policy.denyRiskThreshold ?? "(none)"}`);
-    consola32.info(`  expires_at:     ${policy.expiresAt ? new Date(policy.expiresAt * 1e3).toISOString() : "(never)"}`);
+    consola36.info(`YOLO-policy for ${email}`);
+    consola36.info(`  mode:           ${policy.mode}`);
+    consola36.info(`  allow_patterns: ${policy.allowPatterns.length ? policy.allowPatterns.join(", ") : "(none)"}`);
+    consola36.info(`  deny_patterns:  ${policy.denyPatterns.length ? policy.denyPatterns.join(", ") : "(none)"}`);
+    consola36.info(`  deny_risk:      ${policy.denyRiskThreshold ?? "(none)"}`);
+    consola36.info(`  expires_at:     ${policy.expiresAt ? new Date(policy.expiresAt * 1e3).toISOString() : "(never)"}`);
   }
 });
 
 // src/commands/yolo/index.ts
-var yoloCommand = defineCommand38({
+var yoloCommand = defineCommand41({
   meta: {
     name: "yolo",
     description: "Manage YOLO-policies on DDISA agents you own \u2014 auto-approve grant patterns at the IdP layer (allow-list) or block dangerous ones outright (deny-list)."
@@ -4567,15 +5610,15 @@ var yoloCommand = defineCommand38({
 });
 
 // src/commands/adapter/index.ts
-import { defineCommand as defineCommand39 } from "citty";
-import consola33 from "consola";
-var adapterCommand = defineCommand39({
+import { defineCommand as defineCommand42 } from "citty";
+import consola37 from "consola";
+var adapterCommand = defineCommand42({
   meta: {
     name: "adapter",
     description: "Manage CLI adapters"
   },
   subCommands: {
-    list: defineCommand39({
+    list: defineCommand42({
       meta: {
         name: "list",
         description: "List available adapters"
@@ -4606,7 +5649,7 @@ var adapterCommand = defineCommand39({
 `);
             return;
           }
-          consola33.info(`Registry: ${index2.adapters.length} adapters (${index2.generated_at})`);
+          consola37.info(`Registry: ${index2.adapters.length} adapters (${index2.generated_at})`);
           for (const a of index2.adapters) {
             const installed = isInstalled(a.id, false) ? " [installed]" : "";
             console.log(`  ${a.id.padEnd(12)} ${a.name.padEnd(24)} ${a.category}${installed}`);
@@ -4628,7 +5671,7 @@ var adapterCommand = defineCommand39({
           return;
         }
         if (local.length === 0) {
-          consola33.info("No adapters installed. Use `apes adapter list --remote` to see available adapters.");
+          consola37.info("No adapters installed. Use `apes adapter list --remote` to see available adapters.");
           return;
         }
         for (const a of local) {
@@ -4636,7 +5679,7 @@ var adapterCommand = defineCommand39({
         }
       }
     }),
-    install: defineCommand39({
+    install: defineCommand42({
       meta: {
         name: "install",
         description: "Install an adapter from the registry"
@@ -4665,24 +5708,24 @@ var adapterCommand = defineCommand39({
         for (const id of ids) {
           const entry = findAdapter(index, id);
           if (!entry) {
-            consola33.error(`Adapter "${id}" not found in registry. Use \`apes adapter search ${id}\` to search.`);
+            consola37.error(`Adapter "${id}" not found in registry. Use \`apes adapter search ${id}\` to search.`);
             continue;
           }
           const conflicts = findConflictingAdapters(entry.executable, id);
           if (conflicts.length > 0) {
-            for (const c of conflicts) {
-              consola33.warn(`Conflicting adapter found: ${c.path} (id: ${c.adapterId}, executable: ${c.executable})`);
-              consola33.warn(`  Remove it with: apes adapter remove ${c.adapterId}`);
+            for (const c2 of conflicts) {
+              consola37.warn(`Conflicting adapter found: ${c2.path} (id: ${c2.adapterId}, executable: ${c2.executable})`);
+              consola37.warn(`  Remove it with: apes adapter remove ${c2.adapterId}`);
             }
           }
           const result = await installAdapter(entry, { local });
           const verb = result.updated ? "Updated" : "Installed";
-          consola33.success(`${verb} ${result.id} \u2192 ${result.path}`);
-          consola33.info(`Digest: ${result.digest}`);
+          consola37.success(`${verb} ${result.id} \u2192 ${result.path}`);
+          consola37.info(`Digest: ${result.digest}`);
         }
       }
     }),
-    remove: defineCommand39({
+    remove: defineCommand42({
       meta: {
         name: "remove",
         description: "Remove an installed adapter"
@@ -4705,9 +5748,9 @@ var adapterCommand = defineCommand39({
         let failed = false;
         for (const id of ids) {
           if (removeAdapter(id, local)) {
-            consola33.success(`Removed adapter: ${id}`);
+            consola37.success(`Removed adapter: ${id}`);
           } else {
-            consola33.error(`Adapter "${id}" is not installed${local ? " locally" : ""}`);
+            consola37.error(`Adapter "${id}" is not installed${local ? " locally" : ""}`);
             failed = true;
           }
         }
@@ -4715,7 +5758,7 @@ var adapterCommand = defineCommand39({
           throw new CliError("Some adapters could not be removed");
       }
     }),
-    info: defineCommand39({
+    info: defineCommand42({
       meta: {
         name: "info",
         description: "Show detailed adapter information"
@@ -4757,7 +5800,7 @@ var adapterCommand = defineCommand39({
         }
       }
     }),
-    search: defineCommand39({
+    search: defineCommand42({
       meta: {
         name: "search",
         description: "Search adapters in the registry"
@@ -4789,7 +5832,7 @@ var adapterCommand = defineCommand39({
           return;
         }
         if (results.length === 0) {
-          consola33.info(`No adapters matching "${query}"`);
+          consola37.info(`No adapters matching "${query}"`);
           return;
         }
         for (const a of results) {
@@ -4798,7 +5841,7 @@ var adapterCommand = defineCommand39({
         }
       }
     }),
-    update: defineCommand39({
+    update: defineCommand42({
       meta: {
         name: "update",
         description: "Update installed adapters"
@@ -4824,33 +5867,33 @@ var adapterCommand = defineCommand39({
         const targetId = args.id ? String(args.id) : void 0;
         const targets = targetId ? [targetId] : index.adapters.map((a) => a.id).filter((id) => isInstalled(id, false));
         if (targets.length === 0) {
-          consola33.info("No adapters installed to update.");
+          consola37.info("No adapters installed to update.");
           return;
         }
         for (const id of targets) {
           const entry = findAdapter(index, id);
           if (!entry) {
-            consola33.warn(`${id}: not found in registry, skipping`);
+            consola37.warn(`${id}: not found in registry, skipping`);
             continue;
           }
           const localDigest = getInstalledDigest(id, false);
           if (localDigest === entry.digest) {
-            consola33.info(`${id}: already up to date`);
+            consola37.info(`${id}: already up to date`);
             continue;
           }
           if (localDigest && !args.yes) {
-            consola33.warn(`${id}: digest will change \u2014 existing grants for this adapter will be invalidated`);
-            consola33.info(`  Old: ${localDigest}`);
-            consola33.info(`  New: ${entry.digest}`);
-            consola33.info("  Use --yes to confirm");
+            consola37.warn(`${id}: digest will change \u2014 existing grants for this adapter will be invalidated`);
+            consola37.info(`  Old: ${localDigest}`);
+            consola37.info(`  New: ${entry.digest}`);
+            consola37.info("  Use --yes to confirm");
             continue;
           }
           const result = await installAdapter(entry);
-          consola33.success(`Updated ${result.id} \u2192 ${result.path}`);
+          consola37.success(`Updated ${result.id} \u2192 ${result.path}`);
         }
       }
     }),
-    verify: defineCommand39({
+    verify: defineCommand42({
       meta: {
         name: "verify",
         description: "Verify installed adapter against registry digest"
@@ -4883,7 +5926,7 @@ var adapterCommand = defineCommand39({
         if (!localDigest)
           throw new Error(`Adapter "${id}" is not installed${local ? " locally" : ""}`);
         if (localDigest === entry.digest) {
-          consola33.success(`${id}: digest matches registry`);
+          consola37.success(`${id}: digest matches registry`);
         } else {
           console.log(`  Local:    ${localDigest}`);
           console.log(`  Registry: ${entry.digest}`);
@@ -4896,10 +5939,10 @@ var adapterCommand = defineCommand39({
 
 // src/commands/run.ts
 import { execFileSync as execFileSync12 } from "child_process";
-import { hostname as hostname5 } from "os";
+import { hostname as hostname6 } from "os";
 import { basename } from "path";
-import { defineCommand as defineCommand40 } from "citty";
-import consola34 from "consola";
+import { defineCommand as defineCommand43 } from "citty";
+import consola38 from "consola";
 function shouldWaitForGrant(args) {
   return args.wait === true || process.env.APE_WAIT === "1";
 }
@@ -4917,16 +5960,16 @@ function getUserMode() {
 function getAsyncExitCode() {
   const envValue = process.env.APES_ASYNC_EXIT_CODE;
   if (envValue !== void 0 && envValue !== "") {
-    const n = Number(envValue);
-    if (Number.isFinite(n) && n >= 0 && n <= 255)
-      return Math.floor(n);
+    const n2 = Number(envValue);
+    if (Number.isFinite(n2) && n2 >= 0 && n2 <= 255)
+      return Math.floor(n2);
   }
   const cfg = loadConfig();
   const cfgValue = cfg.defaults?.async_exit_code;
   if (cfgValue !== void 0 && cfgValue !== "") {
-    const n = Number(cfgValue);
-    if (Number.isFinite(n) && n >= 0 && n <= 255)
-      return Math.floor(n);
+    const n2 = Number(cfgValue);
+    if (Number.isFinite(n2) && n2 >= 0 && n2 <= 255)
+      return Math.floor(n2);
   }
   return 75;
 }
@@ -4936,7 +5979,7 @@ function printPendingGrantInfo(grant, idp) {
   const statusCmd = `apes grants status ${grant.id}`;
   const executeCmd = `apes grants run ${grant.id}`;
   if (mode === "human") {
-    consola34.success(`Grant ${grant.id} created \u2014 awaiting your approval`);
+    consola38.success(`Grant ${grant.id} created \u2014 awaiting your approval`);
     console.log(`  Approve in browser:  ${approveUrl}`);
     console.log(`  Check status:        ${statusCmd}`);
     console.log(`  Run after approval:  ${executeCmd}`);
@@ -4946,7 +5989,7 @@ function printPendingGrantInfo(grant, idp) {
     return;
   }
   const maxMin = getPollMaxMinutes();
-  consola34.success(`Grant ${grant.id} created (pending approval)`);
+  consola38.success(`Grant ${grant.id} created (pending approval)`);
   console.log(`  Approve:   ${approveUrl}`);
   console.log(`  Status:    ${statusCmd} [--json]`);
   console.log(`  Execute:   ${executeCmd} --wait`);
@@ -4968,7 +6011,7 @@ function printPendingGrantInfo(grant, idp) {
   console.log('  Tip: Approve as "timed" or "always" in the browser to let this');
   console.log("  grant be reused on subsequent invocations without re-approval.");
 }
-var runCommand = defineCommand40({
+var runCommand = defineCommand43({
   meta: {
     name: "run",
     description: "Execute a grant-secured command"
@@ -5057,7 +6100,7 @@ async function runShellMode(command, args) {
   const adapterHandled = await tryAdapterModeFromShell(command, idp, args);
   if (adapterHandled) return;
   const grantsUrl = await getGrantsEndpoint(idp);
-  const targetHost = args.host || hostname5();
+  const targetHost = args.host || hostname6();
   try {
     const grants = await apiFetch(
       `${grantsUrl}?requester=${encodeURIComponent(auth.email)}&status=approved&limit=20`
@@ -5071,7 +6114,7 @@ async function runShellMode(command, args) {
     }
   } catch {
   }
-  consola34.info(`Requesting ape-shell session grant on ${targetHost}`);
+  consola38.info(`Requesting ape-shell session grant on ${targetHost}`);
   const grant = await apiFetch(grantsUrl, {
     method: "POST",
     body: {
@@ -5091,8 +6134,8 @@ async function runShellMode(command, args) {
     host: targetHost
   });
   if (shouldWaitForGrant(args)) {
-    consola34.info(`Grant requested: ${grant.id}`);
-    consola34.info("Waiting for approval...");
+    consola38.info(`Grant requested: ${grant.id}`);
+    consola38.info("Waiting for approval...");
     const maxWait = 3e5;
     const interval = 3e3;
     const start = Date.now();
@@ -5102,7 +6145,7 @@ async function runShellMode(command, args) {
         break;
       if (status.status === "denied" || status.status === "revoked")
         throw new CliError(`Grant ${status.status}.`);
-      await new Promise((r) => setTimeout(r, interval));
+      await new Promise((r3) => setTimeout(r3, interval));
     }
     execShellCommand(command);
     return;
@@ -5123,13 +6166,13 @@ async function tryAdapterModeFromShell(command, idp, args) {
   try {
     resolved = await resolveCommand(loaded, [normalizedExecutable, ...parsed.argv]);
   } catch (err) {
-    consola34.debug(`ape-shell: adapter resolve failed for "${parsed.raw}":`, err);
+    consola38.debug(`ape-shell: adapter resolve failed for "${parsed.raw}":`, err);
     return false;
   }
   try {
     const existingGrantId = await findExistingGrant(resolved, idp);
     if (existingGrantId) {
-      consola34.info(`Reusing grant ${existingGrantId} for: ${resolved.detail.display}`);
+      consola38.info(`Reusing grant ${existingGrantId} for: ${resolved.detail.display}`);
       const token = await fetchGrantToken(idp, existingGrantId);
       await verifyAndExecute(token, resolved, existingGrantId);
       return true;
@@ -5137,27 +6180,27 @@ async function tryAdapterModeFromShell(command, idp, args) {
   } catch {
   }
   const approval = args.approval ?? "once";
-  consola34.info(`Requesting grant for: ${resolved.detail.display}`);
+  consola38.info(`Requesting grant for: ${resolved.detail.display}`);
   const grant = await createShapesGrant(resolved, {
     idp,
     approval,
     reason: args.reason || `ape-shell: ${resolved.detail.display}`
   });
   if (grant.similar_grants?.similar_grants?.length) {
-    const n = grant.similar_grants.similar_grants.length;
-    consola34.info("");
-    consola34.info(`  Similar grant(s) found (${n}). Your approver can extend an existing grant to cover this request.`);
+    const n2 = grant.similar_grants.similar_grants.length;
+    consola38.info("");
+    consola38.info(`  Similar grant(s) found (${n2}). Your approver can extend an existing grant to cover this request.`);
   }
   notifyGrantPending({
     grantId: grant.id,
     approveUrl: `${idp}/grant-approval?grant_id=${grant.id}`,
     command: resolved.detail?.display || parsed?.raw || "unknown",
     audience: resolved.adapter?.cli?.audience ?? "shapes",
-    host: args.host || hostname5()
+    host: args.host || hostname6()
   });
   if (shouldWaitForGrant(args)) {
-    consola34.info(`Grant requested: ${grant.id}`);
-    consola34.info(`Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
+    consola38.info(`Grant requested: ${grant.id}`);
+    consola38.info(`Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
     const status = await waitForGrantStatus(idp, grant.id);
     if (status !== "approved")
       throw new CliError(`Grant ${status}`);
@@ -5231,7 +6274,7 @@ async function runAdapterMode(command, rawArgs, args) {
   try {
     const existingGrantId = await findExistingGrant(resolved, idp);
     if (existingGrantId) {
-      consola34.info(`Reusing existing grant: ${existingGrantId}`);
+      consola38.info(`Reusing existing grant: ${existingGrantId}`);
       const token = await fetchGrantToken(idp, existingGrantId);
       await verifyAndExecute(token, resolved, existingGrantId);
       return;
@@ -5244,18 +6287,18 @@ async function runAdapterMode(command, rawArgs, args) {
     ...args.reason ? { reason: args.reason } : {}
   });
   if (grant.similar_grants?.similar_grants?.length) {
-    const n = grant.similar_grants.similar_grants.length;
-    consola34.info("");
-    consola34.info(`  Similar grant(s) found (${n}). Your approver can extend an existing grant to cover this request.`);
+    const n2 = grant.similar_grants.similar_grants.length;
+    consola38.info("");
+    consola38.info(`  Similar grant(s) found (${n2}). Your approver can extend an existing grant to cover this request.`);
     if (grant.similar_grants.widened_details?.length) {
       const wider = grant.similar_grants.widened_details.map((d) => d.permission).join(", ");
-      consola34.info(`  Broader scope: ${wider}`);
+      consola38.info(`  Broader scope: ${wider}`);
     }
-    consola34.info("");
+    consola38.info("");
   }
   if (shouldWaitForGrant(args)) {
-    consola34.info(`Grant requested: ${grant.id}`);
-    consola34.info(`Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
+    consola38.info(`Grant requested: ${grant.id}`);
+    consola38.info(`Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
     const status = await waitForGrantStatus(idp, grant.id);
     if (status !== "approved")
       throw new Error(`Grant ${status}`);
@@ -5274,8 +6317,8 @@ async function runAudienceMode(audience, action, args) {
   const idp = getIdpUrl(args.idp);
   const grantsUrl = await getGrantsEndpoint(idp);
   const command = action.split(" ");
-  const targetHost = args.host || hostname5();
-  consola34.info(`Requesting ${audience} grant on ${targetHost}: ${command.join(" ")}`);
+  const targetHost = args.host || hostname6();
+  consola38.info(`Requesting ${audience} grant on ${targetHost}: ${command.join(" ")}`);
   const grant = await apiFetch(grantsUrl, {
     method: "POST",
     body: {
@@ -5292,9 +6335,9 @@ async function runAudienceMode(audience, action, args) {
     printPendingGrantInfo(grant, idp);
     throw new CliExit(getAsyncExitCode());
   }
-  consola34.success(`Grant requested: ${grant.id}`);
-  consola34.info(`Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
-  consola34.info("Waiting for approval...");
+  consola38.success(`Grant requested: ${grant.id}`);
+  consola38.info(`Approve at: ${idp}/grant-approval?grant_id=${grant.id}`);
+  consola38.info("Waiting for approval...");
   const maxWait = 15 * 60 * 1e3;
   const interval = 3e3;
   const start = Date.now();
@@ -5302,14 +6345,14 @@ async function runAudienceMode(audience, action, args) {
   while (Date.now() - start < maxWait) {
     const status = await apiFetch(`${grantsUrl}/${grant.id}`);
     if (status.status === "approved") {
-      consola34.success("Grant approved!");
+      consola38.success("Grant approved!");
       approved = true;
       break;
     }
     if (status.status === "denied" || status.status === "revoked") {
       throw new CliError(`Grant ${status.status}.`);
     }
-    await new Promise((r) => setTimeout(r, interval));
+    await new Promise((r3) => setTimeout(r3, interval));
   }
   if (!approved) {
     const minutes = Math.round(maxWait / 6e4);
@@ -5317,12 +6360,12 @@ async function runAudienceMode(audience, action, args) {
       `Grant approval timed out after ${minutes} min (still pending). Check your DDISA inbox at ${idp}/grant-approval?grant_id=${grant.id} \u2014 if approved later, re-run the same \`apes run\` command and it will reuse the grant.`
     );
   }
-  consola34.info("Fetching grant token...");
+  consola38.info("Fetching grant token...");
   const { authz_jwt } = await apiFetch(`${grantsUrl}/${grant.id}/token`, {
     method: "POST"
   });
   if (audience === "escapes") {
-    consola34.info(`Executing: ${command.join(" ")}`);
+    consola38.info(`Executing: ${command.join(" ")}`);
     try {
       const { APES_SHELL_WRAPPER: _wrapperMarker, ...inheritedEnv } = process.env;
       execFileSync12(args["escapes-path"] || "escapes", ["--grant", authz_jwt, "--", ...command], {
@@ -5340,8 +6383,8 @@ async function runAudienceMode(audience, action, args) {
 
 // src/commands/proxy.ts
 import { spawn as spawn2 } from "child_process";
-import { defineCommand as defineCommand41 } from "citty";
-import consola35 from "consola";
+import { defineCommand as defineCommand44 } from "citty";
+import consola39 from "consola";
 
 // src/proxy/config.ts
 function buildDefaultProxyConfigToml(opts) {
@@ -5484,10 +6527,10 @@ function resolveProxyConfigOptions() {
       77
     );
   }
-  consola35.info(`[apes proxy] IdP-mediated mode \u2014 agent=${auth.email}, idp=${auth.idp}`);
+  consola39.info(`[apes proxy] IdP-mediated mode \u2014 agent=${auth.email}, idp=${auth.idp}`);
   return { agentEmail: auth.email, idpUrl: auth.idp, mediated: true };
 }
-var proxyCommand = defineCommand41({
+var proxyCommand = defineCommand44({
   meta: {
     name: "proxy",
     description: "Run a command with HTTPS_PROXY routed through the OpenApe egress proxy."
@@ -5509,12 +6552,12 @@ var proxyCommand = defineCommand41({
     let close = null;
     if (reuseUrl) {
       proxyUrl = reuseUrl;
-      consola35.info(`[apes proxy] reusing existing proxy at ${proxyUrl}`);
+      consola39.info(`[apes proxy] reusing existing proxy at ${proxyUrl}`);
     } else {
       const ephemeral = await startEphemeralProxy(buildDefaultProxyConfigToml(resolveProxyConfigOptions()));
       proxyUrl = ephemeral.url;
       close = ephemeral.close;
-      consola35.info(`[apes proxy] started ephemeral proxy at ${proxyUrl}`);
+      consola39.info(`[apes proxy] started ephemeral proxy at ${proxyUrl}`);
     }
     const noProxy = process.env.NO_PROXY ?? process.env.no_proxy ?? "127.0.0.1,localhost";
     const childEnv = {
@@ -5546,7 +6589,7 @@ var proxyCommand = defineCommand41({
         else resolveExit(code ?? 0);
       });
       child.once("error", (err) => {
-        consola35.error(`[apes proxy] failed to spawn '${wrapped[0]}':`, err.message);
+        consola39.error(`[apes proxy] failed to spawn '${wrapped[0]}':`, err.message);
         resolveExit(127);
       });
     });
@@ -5560,8 +6603,8 @@ function signalNumber(signal) {
 }
 
 // src/commands/explain.ts
-import { defineCommand as defineCommand42 } from "citty";
-var explainCommand = defineCommand42({
+import { defineCommand as defineCommand45 } from "citty";
+var explainCommand = defineCommand45({
   meta: {
     name: "explain",
     description: "Show what permission a command would need"
@@ -5599,9 +6642,9 @@ var explainCommand = defineCommand42({
 });
 
 // src/commands/config/get.ts
-import { defineCommand as defineCommand43 } from "citty";
-import consola36 from "consola";
-var configGetCommand = defineCommand43({
+import { defineCommand as defineCommand46 } from "citty";
+import consola40 from "consola";
+var configGetCommand = defineCommand46({
   meta: {
     name: "get",
     description: "Get a configuration value"
@@ -5621,7 +6664,7 @@ var configGetCommand = defineCommand43({
         if (idp)
           console.log(idp);
         else
-          consola36.info("No IdP configured.");
+          consola40.info("No IdP configured.");
         break;
       }
       case "email": {
@@ -5629,7 +6672,7 @@ var configGetCommand = defineCommand43({
         if (auth?.email)
           console.log(auth.email);
         else
-          consola36.info("Not logged in.");
+          consola40.info("Not logged in.");
         break;
       }
       default: {
@@ -5642,7 +6685,7 @@ var configGetCommand = defineCommand43({
           if (sectionObj && field in sectionObj) {
             console.log(sectionObj[field]);
           } else {
-            consola36.info(`Key "${key}" not set.`);
+            consola40.info(`Key "${key}" not set.`);
           }
         } else {
           throw new CliError(`Unknown key: "${key}". Use: idp, email, defaults.idp, defaults.approval, agent.key, agent.email`);
@@ -5653,9 +6696,9 @@ var configGetCommand = defineCommand43({
 });
 
 // src/commands/config/set.ts
-import { defineCommand as defineCommand44 } from "citty";
-import consola37 from "consola";
-var configSetCommand = defineCommand44({
+import { defineCommand as defineCommand47 } from "citty";
+import consola41 from "consola";
+var configSetCommand = defineCommand47({
   meta: {
     name: "set",
     description: "Set a configuration value"
@@ -5691,12 +6734,12 @@ var configSetCommand = defineCommand44({
       throw new CliError(`Unknown section: "${section}". Use: defaults, agent`);
     }
     saveConfig(config);
-    consola37.success(`Set ${key} = ${value}`);
+    consola41.success(`Set ${key} = ${value}`);
   }
 });
 
 // src/commands/fetch/index.ts
-import { defineCommand as defineCommand45 } from "citty";
+import { defineCommand as defineCommand48 } from "citty";
 async function doRequest(method, url, body, contentType, raw, showHeaders) {
   const token = getAuthToken();
   if (!token) {
@@ -5732,13 +6775,13 @@ async function doRequest(method, url, body, contentType, raw, showHeaders) {
     throw new CliError(`HTTP ${response.status} ${response.statusText}`);
   }
 }
-var fetchCommand = defineCommand45({
+var fetchCommand = defineCommand48({
   meta: {
     name: "fetch",
     description: "Make authenticated HTTP requests"
   },
   subCommands: {
-    get: defineCommand45({
+    get: defineCommand48({
       meta: {
         name: "get",
         description: "GET request with auth token"
@@ -5764,7 +6807,7 @@ var fetchCommand = defineCommand45({
         await doRequest("GET", String(args.url), void 0, "application/json", Boolean(args.raw), Boolean(args.headers));
       }
     }),
-    post: defineCommand45({
+    post: defineCommand48({
       meta: {
         name: "post",
         description: "POST request with auth token"
@@ -5803,8 +6846,8 @@ var fetchCommand = defineCommand45({
 });
 
 // src/commands/mcp/index.ts
-import { defineCommand as defineCommand46 } from "citty";
-var mcpCommand = defineCommand46({
+import { defineCommand as defineCommand49 } from "citty";
+var mcpCommand = defineCommand49({
   meta: {
     name: "mcp",
     description: "Start MCP server for AI agents"
@@ -5827,7 +6870,7 @@ var mcpCommand = defineCommand46({
     if (transport !== "stdio" && transport !== "sse") {
       throw new Error('Transport must be "stdio" or "sse"');
     }
-    const { startMcpServer } = await import("./server-JBBJXDDS.js");
+    const { startMcpServer } = await import("./server-6B26NNLZ.js");
     await startMcpServer(transport, port);
   }
 });
@@ -5837,8 +6880,8 @@ import { existsSync as existsSync14, copyFileSync, writeFileSync as writeFileSyn
 import { randomBytes } from "crypto";
 import { execFileSync as execFileSync13 } from "child_process";
 import { join as join13 } from "path";
-import { defineCommand as defineCommand47 } from "citty";
-import consola38 from "consola";
+import { defineCommand as defineCommand50 } from "citty";
+import consola42 from "consola";
 var DEFAULT_IDP_URL = "https://id.openape.at";
 async function downloadTemplate(repo, targetDir) {
   const { downloadTemplate: gigetDownload } = await import("giget");
@@ -5855,20 +6898,20 @@ function installDeps(dir) {
   }
 }
 async function promptChoice(message, choices) {
-  const result = await consola38.prompt(message, { type: "select", options: choices });
+  const result = await consola42.prompt(message, { type: "select", options: choices });
   if (typeof result === "symbol") {
     throw new CliExit(0);
   }
   return result;
 }
 async function promptText(message, defaultValue) {
-  const result = await consola38.prompt(message, { type: "text", default: defaultValue, placeholder: defaultValue });
+  const result = await consola42.prompt(message, { type: "text", default: defaultValue, placeholder: defaultValue });
   if (typeof result === "symbol") {
     throw new CliExit(0);
   }
   return result || defaultValue || "";
 }
-var initCommand = defineCommand47({
+var initCommand = defineCommand50({
   meta: {
     name: "init",
     description: "Scaffold a new OpenApe project"
@@ -5913,20 +6956,20 @@ async function initSP(targetDir) {
   if (existsSync14(join13(dir, "package.json"))) {
     throw new CliError(`Directory "${dir}" already contains a project.`);
   }
-  consola38.start("Scaffolding SP starter...");
+  consola42.start("Scaffolding SP starter...");
   await downloadTemplate("openape-ai/openape-sp-starter", dir);
-  consola38.success("Scaffolded from openape-sp-starter");
-  consola38.start("Installing dependencies...");
+  consola42.success("Scaffolded from openape-sp-starter");
+  consola42.start("Installing dependencies...");
   installDeps(dir);
-  consola38.success("Dependencies installed");
+  consola42.success("Dependencies installed");
   const envExample = join13(dir, ".env.example");
   const envFile = join13(dir, ".env");
   if (existsSync14(envExample) && !existsSync14(envFile)) {
     copyFileSync(envExample, envFile);
-    consola38.success(`\`.env\` created (using Free IdP at ${DEFAULT_IDP_URL})`);
+    consola42.success(`\`.env\` created (using Free IdP at ${DEFAULT_IDP_URL})`);
   }
   console.log("");
-  consola38.box([
+  consola42.box([
     `cd ${dir}`,
     "npm run dev",
     "",
@@ -5945,15 +6988,15 @@ async function initIdP(targetDir) {
     "s3 (S3-compatible)"
   ]);
   const adminEmail = await promptText("Admin email");
-  consola38.start("Scaffolding IdP starter...");
+  consola42.start("Scaffolding IdP starter...");
   await downloadTemplate("openape-ai/openape-idp-starter", dir);
-  consola38.success("Scaffolded from openape-idp-starter");
-  consola38.start("Installing dependencies...");
+  consola42.success("Scaffolded from openape-idp-starter");
+  consola42.start("Installing dependencies...");
   installDeps(dir);
-  consola38.success("Dependencies installed");
+  consola42.success("Dependencies installed");
   const sessionSecret = randomBytes(32).toString("hex");
   const managementToken = randomBytes(32).toString("hex");
-  consola38.success("Secrets generated");
+  consola42.success("Secrets generated");
   const isLocalhost = domain === "localhost";
   const origin = isLocalhost ? "http://localhost:3000" : `https://${domain}`;
   const envContent = [
@@ -5969,9 +7012,9 @@ async function initIdP(targetDir) {
   ].join("\n");
   writeFileSync9(join13(dir, ".env"), `${envContent}
 `, { mode: 384 });
-  consola38.success(".env created");
+  consola42.success(".env created");
   console.log("");
-  consola38.box([
+  consola42.box([
     `cd ${dir}`,
     "npm run dev",
     "",
@@ -5991,8 +7034,8 @@ import { Buffer as Buffer5 } from "buffer";
 import { existsSync as existsSync15, readFileSync as readFileSync12 } from "fs";
 import { execFile as execFile2 } from "child_process";
 import { sign as sign2 } from "crypto";
-import { defineCommand as defineCommand48 } from "citty";
-import consola39 from "consola";
+import { defineCommand as defineCommand51 } from "citty";
+import consola43 from "consola";
 var DEFAULT_IDP_URL2 = "https://id.openape.at";
 var DEFAULT_KEY_PATH = "~/.ssh/id_ed25519";
 var POLL_INTERVAL = 3e3;
@@ -6035,7 +7078,7 @@ async function pollForEnrollment(idp, agentEmail, keyPath) {
   }
   throw new Error("Enrollment timed out. Please check the browser and try again.");
 }
-var enrollCommand = defineCommand48({
+var enrollCommand = defineCommand51({
   meta: {
     name: "enroll",
     description: "Enroll an agent with an Identity Provider"
@@ -6055,48 +7098,48 @@ var enrollCommand = defineCommand48({
     }
   },
   async run({ args }) {
-    const idp = args.idp || await consola39.prompt("IdP URL", { type: "text", default: DEFAULT_IDP_URL2, placeholder: DEFAULT_IDP_URL2 }).then((r) => {
-      if (typeof r === "symbol") throw new CliExit(0);
-      return r;
+    const idp = args.idp || await consola43.prompt("IdP URL", { type: "text", default: DEFAULT_IDP_URL2, placeholder: DEFAULT_IDP_URL2 }).then((r3) => {
+      if (typeof r3 === "symbol") throw new CliExit(0);
+      return r3;
     }) || DEFAULT_IDP_URL2;
-    const agentName = args.name || await consola39.prompt("Agent name", { type: "text", placeholder: "deploy-bot" }).then((r) => {
-      if (typeof r === "symbol") throw new CliExit(0);
-      return r;
+    const agentName = args.name || await consola43.prompt("Agent name", { type: "text", placeholder: "deploy-bot" }).then((r3) => {
+      if (typeof r3 === "symbol") throw new CliExit(0);
+      return r3;
     });
     if (!agentName) {
       throw new CliError("Agent name is required.");
     }
-    const keyPath = args.key || await consola39.prompt("Ed25519 key", { type: "text", default: DEFAULT_KEY_PATH, placeholder: DEFAULT_KEY_PATH }).then((r) => {
-      if (typeof r === "symbol") throw new CliExit(0);
-      return r;
+    const keyPath = args.key || await consola43.prompt("Ed25519 key", { type: "text", default: DEFAULT_KEY_PATH, placeholder: DEFAULT_KEY_PATH }).then((r3) => {
+      if (typeof r3 === "symbol") throw new CliExit(0);
+      return r3;
     }) || DEFAULT_KEY_PATH;
     const resolvedKey = resolveKeyPath(keyPath);
     let publicKey;
     if (existsSync15(resolvedKey)) {
       publicKey = readPublicKey(resolvedKey);
-      consola39.success(`Using existing key ${keyPath}`);
+      consola43.success(`Using existing key ${keyPath}`);
     } else {
-      consola39.start(`Generating Ed25519 key pair at ${keyPath}...`);
+      consola43.start(`Generating Ed25519 key pair at ${keyPath}...`);
       publicKey = generateAndSaveKey(keyPath);
-      consola39.success(`Key pair generated at ${keyPath}`);
+      consola43.success(`Key pair generated at ${keyPath}`);
     }
     const encodedKey = encodeURIComponent(publicKey);
     const enrollUrl = `${idp}/enroll?name=${encodeURIComponent(agentName)}&key=${encodedKey}`;
-    consola39.info("Opening browser for enrollment...");
-    consola39.info(`\u2192 ${idp}/enroll`);
+    consola43.info("Opening browser for enrollment...");
+    consola43.info(`\u2192 ${idp}/enroll`);
     openBrowser2(enrollUrl);
     console.log("");
-    const agentEmail = await consola39.prompt(
+    const agentEmail = await consola43.prompt(
       "Agent email (shown in browser after enrollment)",
       { type: "text", placeholder: `agent+${agentName}@...` }
-    ).then((r) => {
-      if (typeof r === "symbol") throw new CliExit(0);
-      return r;
+    ).then((r3) => {
+      if (typeof r3 === "symbol") throw new CliExit(0);
+      return r3;
     });
     if (!agentEmail) {
       throw new CliError("Agent email is required to verify enrollment.");
     }
-    consola39.start("Verifying enrollment...");
+    consola43.start("Verifying enrollment...");
     const { token, expiresIn } = await pollForEnrollment(idp, agentEmail, keyPath);
     saveAuth({
       idp,
@@ -6108,18 +7151,18 @@ var enrollCommand = defineCommand48({
     config.defaults = { ...config.defaults, idp };
     config.agent = { key: keyPath, email: agentEmail };
     saveConfig(config);
-    consola39.success(`Agent enrolled as ${agentEmail}`);
-    consola39.success("Config saved to ~/.config/apes/");
+    consola43.success(`Agent enrolled as ${agentEmail}`);
+    consola43.success("Config saved to ~/.config/apes/");
     console.log("");
-    consola39.info("Verify with: apes whoami");
+    consola43.info("Verify with: apes whoami");
   }
 });
 
 // src/commands/register-user.ts
 import { existsSync as existsSync16, readFileSync as readFileSync13 } from "fs";
-import { defineCommand as defineCommand49 } from "citty";
-import consola40 from "consola";
-var registerUserCommand = defineCommand49({
+import { defineCommand as defineCommand52 } from "citty";
+import consola44 from "consola";
+var registerUserCommand = defineCommand52({
   meta: {
     name: "register-user",
     description: "Register a sub-user with SSH key"
@@ -6174,18 +7217,18 @@ var registerUserCommand = defineCommand49({
         ...userType ? { type: userType } : {}
       }
     });
-    consola40.success(`User registered: ${result.email} (type: ${result.type}, owner: ${result.owner})`);
+    consola44.success(`User registered: ${result.email} (type: ${result.type}, owner: ${result.owner})`);
   }
 });
 
 // src/commands/utils/index.ts
-import { defineCommand as defineCommand51 } from "citty";
+import { defineCommand as defineCommand54 } from "citty";
 
 // src/commands/utils/dig.ts
-import { defineCommand as defineCommand50 } from "citty";
-import consola41 from "consola";
+import { defineCommand as defineCommand53 } from "citty";
+import consola45 from "consola";
 import { resolveDDISA as resolveDDISA2 } from "@openape/core";
-var digCommand = defineCommand50({
+var digCommand = defineCommand53({
   meta: {
     name: "dig",
     description: "Resolve DDISA IdP for a domain or email (admin/diag tool)"
@@ -6258,12 +7301,12 @@ var digCommand = defineCommand50({
     console.log(`  domain: ${domain}`);
     console.log("");
     if (!result.ddisa.found) {
-      consola41.warn(`No DDISA record at _ddisa.${domain}`);
+      consola45.warn(`No DDISA record at _ddisa.${domain}`);
       if (result.hint) console.log(`
 ${result.hint}`);
       throw new CliError(`No DDISA record found for ${domain}`);
     }
-    consola41.success(`_ddisa.${domain} \u2192 ${result.ddisa.idp}`);
+    consola45.success(`_ddisa.${domain} \u2192 ${result.ddisa.idp}`);
     console.log(`  Version:  ${result.ddisa.version || "ddisa1"}`);
     console.log(`  IdP URL:  ${result.ddisa.idp}`);
     if (result.ddisa.mode) console.log(`  Mode:     ${result.ddisa.mode}`);
@@ -6273,13 +7316,13 @@ ${result.hint}`);
       return;
     }
     if (result.idpDiscovery.ok) {
-      consola41.success(`IdP reachable (${result.idpDiscovery.status ?? 200})`);
+      consola45.success(`IdP reachable (${result.idpDiscovery.status ?? 200})`);
       if (result.idpDiscovery.issuer) console.log(`  Issuer:   ${result.idpDiscovery.issuer}`);
       if (result.idpDiscovery.ddisaVersion) console.log(`  DDISA:    v${result.idpDiscovery.ddisaVersion}`);
       if (result.idpDiscovery.authMethods?.length) console.log(`  Auth:     ${result.idpDiscovery.authMethods.join(", ")}`);
       if (result.idpDiscovery.grantTypes?.length) console.log(`  Grants:   ${result.idpDiscovery.grantTypes.join(", ")}`);
     } else {
-      consola41.warn(`IdP discovery failed${result.idpDiscovery.status ? ` (HTTP ${result.idpDiscovery.status})` : ""}`);
+      consola45.warn(`IdP discovery failed${result.idpDiscovery.status ? ` (HTTP ${result.idpDiscovery.status})` : ""}`);
       if (result.hint) console.log(`
 ${result.hint}`);
       throw new CliError(`IdP at ${result.ddisa.idp} not reachable`);
@@ -6288,7 +7331,7 @@ ${result.hint}`);
 });
 
 // src/commands/utils/index.ts
-var utilsCommand = defineCommand51({
+var utilsCommand = defineCommand54({
   meta: {
     name: "utils",
     description: "Admin/diagnostic utilities (dig, \u2026)"
@@ -6299,12 +7342,12 @@ var utilsCommand = defineCommand51({
 });
 
 // src/commands/sessions/index.ts
-import { defineCommand as defineCommand54 } from "citty";
+import { defineCommand as defineCommand57 } from "citty";
 
 // src/commands/sessions/list.ts
-import { defineCommand as defineCommand52 } from "citty";
-import consola42 from "consola";
-var sessionsListCommand = defineCommand52({
+import { defineCommand as defineCommand55 } from "citty";
+import consola46 from "consola";
+var sessionsListCommand = defineCommand55({
   meta: {
     name: "list",
     description: "List your active refresh-token families (one per logged-in device)."
@@ -6322,7 +7365,7 @@ var sessionsListCommand = defineCommand52({
       return;
     }
     if (result.data.length === 0) {
-      consola42.info("No active sessions.");
+      consola46.info("No active sessions.");
       return;
     }
     for (const f of result.data) {
@@ -6334,9 +7377,9 @@ var sessionsListCommand = defineCommand52({
 });
 
 // src/commands/sessions/remove.ts
-import { defineCommand as defineCommand53 } from "citty";
-import consola43 from "consola";
-var sessionsRemoveCommand = defineCommand53({
+import { defineCommand as defineCommand56 } from "citty";
+import consola47 from "consola";
+var sessionsRemoveCommand = defineCommand56({
   meta: {
     name: "remove",
     description: "Revoke one of your active refresh-token families by id."
@@ -6352,12 +7395,12 @@ var sessionsRemoveCommand = defineCommand53({
     const id = String(args.familyId).trim();
     if (!id) throw new CliError("familyId required");
     await apiFetch(`/api/me/sessions/${encodeURIComponent(id)}`, { method: "DELETE" });
-    consola43.success(`Session ${id} revoked. The device using it will need to \`apes login\` again on its next refresh.`);
+    consola47.success(`Session ${id} revoked. The device using it will need to \`apes login\` again on its next refresh.`);
   }
 });
 
 // src/commands/sessions/index.ts
-var sessionsCommand = defineCommand54({
+var sessionsCommand = defineCommand57({
   meta: {
     name: "sessions",
     description: "Manage your active refresh-token sessions across devices"
@@ -6369,10 +7412,10 @@ var sessionsCommand = defineCommand54({
 });
 
 // src/commands/dns-check.ts
-import { defineCommand as defineCommand55 } from "citty";
-import consola44 from "consola";
+import { defineCommand as defineCommand58 } from "citty";
+import consola48 from "consola";
 import { resolveDDISA as resolveDDISA3 } from "@openape/core";
-var dnsCheckCommand = defineCommand55({
+var dnsCheckCommand = defineCommand58({
   meta: {
     name: "dns-check",
     description: "Validate DDISA DNS TXT records for a domain"
@@ -6386,7 +7429,7 @@ var dnsCheckCommand = defineCommand55({
   },
   async run({ args }) {
     const domain = args.domain;
-    consola44.start(`Checking _ddisa.${domain}...`);
+    consola48.start(`Checking _ddisa.${domain}...`);
     try {
       const result = await resolveDDISA3(domain);
       if (!result) {
@@ -6395,7 +7438,7 @@ var dnsCheckCommand = defineCommand55({
         console.log(`  _ddisa.${domain} TXT "v=ddisa1 idp=https://id.${domain}"`);
         throw new CliError(`No DDISA record found for ${domain}`);
       }
-      consola44.success(`_ddisa.${domain} \u2192 ${result.idp}`);
+      consola48.success(`_ddisa.${domain} \u2192 ${result.idp}`);
       console.log("");
       console.log(`  Version:  ${result.version || "ddisa1"}`);
       console.log(`  IdP URL:  ${result.idp}`);
@@ -6404,14 +7447,14 @@ var dnsCheckCommand = defineCommand55({
       if (result.priority !== void 0)
         console.log(`  Priority: ${result.priority}`);
       console.log("");
-      consola44.start(`Verifying IdP at ${result.idp}...`);
+      consola48.start(`Verifying IdP at ${result.idp}...`);
       const discoResp = await fetch(`${result.idp}/.well-known/openid-configuration`);
       if (!discoResp.ok) {
-        consola44.warn(`IdP discovery failed (${discoResp.status}). Is the IdP running at ${result.idp}?`);
+        consola48.warn(`IdP discovery failed (${discoResp.status}). Is the IdP running at ${result.idp}?`);
         return;
       }
       const disco = await discoResp.json();
-      consola44.success(`IdP is reachable`);
+      consola48.success(`IdP is reachable`);
       console.log(`  Issuer:   ${disco.issuer}`);
       console.log(`  DDISA:    v${disco.ddisa_version || "?"}`);
       if (disco.ddisa_auth_methods_supported) {
@@ -6429,7 +7472,7 @@ var dnsCheckCommand = defineCommand55({
 // src/commands/health.ts
 import { exec } from "child_process";
 import { promisify } from "util";
-import { defineCommand as defineCommand56 } from "citty";
+import { defineCommand as defineCommand59 } from "citty";
 var execAsync = promisify(exec);
 async function resolveApeShellPath() {
   try {
@@ -6465,7 +7508,7 @@ async function bestEffortGrantCount(idp) {
   }
 }
 async function runHealth(args) {
-  const version = true ? "1.7.1" : "0.0.0";
+  const version = true ? "1.8.0" : "0.0.0";
   const auth = loadAuth();
   if (!auth) {
     throw new CliError("Not logged in. Run `apes login` first.", 1);
@@ -6528,7 +7571,7 @@ async function runHealth(args) {
     throw new CliError(`IdP ${auth.idp} unreachable: ${idpProbe.error}`, 1);
   }
 }
-var healthCommand = defineCommand56({
+var healthCommand = defineCommand59({
   meta: {
     name: "health",
     description: "Report CLI diagnostic state (auth, IdP, grants, binaries)"
@@ -6546,8 +7589,8 @@ var healthCommand = defineCommand56({
 });
 
 // src/commands/workflows.ts
-import { defineCommand as defineCommand57 } from "citty";
-import consola45 from "consola";
+import { defineCommand as defineCommand60 } from "citty";
+import consola49 from "consola";
 
 // src/guides/index.ts
 var guides = [
@@ -6597,7 +7640,7 @@ var guides = [
 ];
 
 // src/commands/workflows.ts
-var workflowsCommand = defineCommand57({
+var workflowsCommand = defineCommand60({
   meta: {
     name: "workflows",
     description: "Discover workflow guides"
@@ -6618,7 +7661,7 @@ var workflowsCommand = defineCommand57({
     if (args.id) {
       const guide = guides.find((g) => g.id === String(args.id));
       if (!guide) {
-        consola45.info(`Available: ${guides.map((g) => g.id).join(", ")}`);
+        consola49.info(`Available: ${guides.map((g) => g.id).join(", ")}`);
         throw new CliError(`Guide not found: ${args.id}`);
       }
       if (args.json) {
@@ -6661,7 +7704,7 @@ var workflowsCommand = defineCommand57({
 import { existsSync as existsSync17, mkdirSync as mkdirSync6, readFileSync as readFileSync14, writeFileSync as writeFileSync10 } from "fs";
 import { homedir as homedir13 } from "os";
 import { join as join14 } from "path";
-import consola46 from "consola";
+import consola50 from "consola";
 var PACKAGE_NAME = "@openape/apes";
 var CACHE_TTL_MS = 24 * 60 * 60 * 1e3;
 var CACHE_FILE = join14(homedir13(), ".config", "apes", ".version-check.json");
@@ -6706,7 +7749,7 @@ async function fetchLatestVersion() {
 }
 function warnIfBehind(currentVersion, latest) {
   if (compareSemver(currentVersion, latest) < 0) {
-    consola46.warn(
+    consola50.warn(
       `apes ${currentVersion} is behind latest @openape/apes@${latest}. Run \`npm i -g @openape/apes@latest\` to update. (Suppress with APES_NO_UPDATE_CHECK=1.)`
     );
   }
@@ -6738,10 +7781,10 @@ if (shellRewrite) {
   if (shellRewrite.action === "rewrite") {
     process.argv = shellRewrite.argv;
   } else if (shellRewrite.action === "version") {
-    console.log(`ape-shell ${"1.7.1"} (OpenApe DDISA shell wrapper)`);
+    console.log(`ape-shell ${"1.8.0"} (OpenApe DDISA shell wrapper)`);
     process.exit(0);
   } else if (shellRewrite.action === "help") {
-    console.log(`ape-shell ${"1.7.1"} \u2014 OpenApe DDISA shell wrapper`);
+    console.log(`ape-shell ${"1.8.0"} \u2014 OpenApe DDISA shell wrapper`);
     console.log("");
     console.log("Usage:");
     console.log("  ape-shell                 Start interactive grant-mediated REPL");
@@ -6756,7 +7799,7 @@ if (shellRewrite) {
     console.log("  --help, -h      Show this help message");
     process.exit(0);
   } else if (shellRewrite.action === "interactive") {
-    const { runInteractiveShell } = await import("./orchestrator-EH6V5ATG.js");
+    const { runInteractiveShell } = await import("./orchestrator-2QS5KXFL.js");
     await runInteractiveShell();
     process.exit(0);
   } else {
@@ -6765,7 +7808,7 @@ if (shellRewrite) {
   }
 }
 var debug = process.argv.includes("--debug");
-var grantsCommand = defineCommand58({
+var grantsCommand = defineCommand61({
   meta: {
     name: "grants",
     description: "Grant management"
@@ -6786,7 +7829,7 @@ var grantsCommand = defineCommand58({
     "delegation-revoke": delegationRevokeCommand
   }
 });
-var configCommand = defineCommand58({
+var configCommand = defineCommand61({
   meta: {
     name: "config",
     description: "Configuration management"
@@ -6796,10 +7839,10 @@ var configCommand = defineCommand58({
     set: configSetCommand
   }
 });
-var main = defineCommand58({
+var main = defineCommand61({
   meta: {
     name: "apes",
-    version: "1.7.1",
+    version: "1.8.0",
     description: "Unified CLI for OpenApe"
   },
   subCommands: {
@@ -6847,29 +7890,29 @@ var NO_REFRESH_COMMANDS = /* @__PURE__ */ new Set([
 async function maybeRefreshAuth() {
   const sub = process.argv[2];
   if (!sub || NO_REFRESH_COMMANDS.has(sub)) return;
-  const { loadAuth: loadAuth2 } = await import("./config-MOB5DJ6H.js");
+  const { loadAuth: loadAuth2 } = await import("./config-DA2L3XOV.js");
   if (!loadAuth2()) return;
   try {
-    const { ensureFreshToken } = await import("./http-5F7FX4V7.js");
+    const { ensureFreshToken } = await import("./http-JWS5LV2U.js");
     await ensureFreshToken();
   } catch {
   }
 }
 await maybeRefreshAuth();
-await maybeWarnStaleVersion("1.7.1").catch(() => {
+await maybeWarnStaleVersion("1.8.0").catch(() => {
 });
 runMain(main).catch((err) => {
   if (err instanceof CliExit) {
     process.exit(err.exitCode);
   }
   if (err instanceof CliError) {
-    consola47.error(err.message);
+    consola51.error(err.message);
     process.exit(err.exitCode);
   }
   if (debug) {
-    consola47.error(err);
+    consola51.error(err);
   } else {
-    consola47.error(err instanceof ApiError ? err.message : err instanceof Error ? err.message : String(err));
+    consola51.error(err instanceof ApiError ? err.message : err instanceof Error ? err.message : String(err));
   }
   process.exit(1);
 });