[{"data":1,"prerenderedAt":1742},["ShallowReactive",2],{"navigation":3,"/ecosystem/shapes":145,"/ecosystem/shapes-surround":1737},[4,28,49,88,101,127],{"title":5,"path":6,"stem":7,"children":8,"icon":27},"Getting Started","/getting-started","1.getting-started/1.index",[9,11,15,19,23],{"title":10,"path":6,"stem":7},"Introduction",{"title":12,"path":13,"stem":14},"Working with Agents","/getting-started/working-with-agents","1.getting-started/2.working-with-agents",{"title":16,"path":17,"stem":18},"Setup a Service Provider","/getting-started/setup-service-provider","1.getting-started/3.setup-service-provider",{"title":20,"path":21,"stem":22},"Setup an Identity Provider","/getting-started/setup-identity-provider","1.getting-started/4.setup-identity-provider",{"title":24,"path":25,"stem":26},"Developers","/getting-started/developers","1.getting-started/5.developers",false,{"title":29,"icon":27,"path":30,"stem":31,"children":32,"page":27},"Guides","/guides","2.guides",[33,37,41,45],{"title":34,"path":35,"stem":36},"How It Works","/guides/how-it-works","2.guides/1.how-it-works",{"title":38,"path":39,"stem":40},"Capabilities Guide","/guides/capabilities-guide","2.guides/2.capabilities-guide",{"title":42,"path":43,"stem":44},"End-to-End Tutorial","/guides/end-to-end-tutorial","2.guides/3.end-to-end-tutorial",{"title":46,"path":47,"stem":48},"Delegation Guide","/guides/delegation-guide","2.guides/4.delegation-guide",{"title":50,"path":51,"stem":52,"children":53,"icon":27},"Ecosystem","/ecosystem","3.ecosystem/1.index",[54,56,60,64,68,72,76,80,84],{"title":55,"path":51,"stem":52},"Overview",{"title":57,"path":58,"stem":59},"grapes CLI","/ecosystem/grapes","3.ecosystem/2.grapes",{"title":61,"path":62,"stem":63},"shapes CLI","/ecosystem/shapes","3.ecosystem/3.shapes",{"title":65,"path":66,"stem":67},"escapes","/ecosystem/escapes","3.ecosystem/4.escapes",{"title":69,"path":70,"stem":71},"OpenApe Proxy","/ecosystem/proxy","3.ecosystem/5.proxy",{"title":73,"path":74,"stem":75},"OpenApe Browser","/ecosystem/browser","3.ecosystem/6.browser",{"title":77,"path":78,"stem":79},"OpenApe Auth","/ecosystem/auth","3.ecosystem/7.auth",{"title":81,"path":82,"stem":83},"OpenApe Grants","/ecosystem/grants","3.ecosystem/8.grants",{"title":85,"path":86,"stem":87},"nuxt-auth-sp","/ecosystem/nuxt-auth-sp","3.ecosystem/9.nuxt-auth-sp",{"title":89,"icon":27,"path":90,"stem":91,"children":92,"page":27},"Security","/security","4.security",[93,97],{"title":94,"path":95,"stem":96},"Compliance","/security/compliance","4.security/1.compliance",{"title":98,"path":99,"stem":100},"Threat Model","/security/threat-model","4.security/2.threat-model",{"title":102,"path":103,"stem":104,"children":105,"icon":27},"Reference","/reference","5.reference/1.index",[106,107,111,115,119,123],{"title":102,"path":103,"stem":104},{"title":108,"path":109,"stem":110},"IdP Configuration","/reference/idp-configuration","5.reference/2.idp-configuration",{"title":112,"path":113,"stem":114},"SP Configuration","/reference/sp-configuration","5.reference/3.sp-configuration",{"title":116,"path":117,"stem":118},"API Endpoints","/reference/api-endpoints","5.reference/4.api-endpoints",{"title":120,"path":121,"stem":122},"escapes Config","/reference/escapes-config","5.reference/5.escapes-config",{"title":124,"path":125,"stem":126},"Proxy Config","/reference/proxy-config","5.reference/6.proxy-config",{"title":128,"path":129,"stem":130,"children":131,"icon":27},"Operations","/operations","6.operations/1.index",[132,133,137,141],{"title":128,"path":129,"stem":130},{"title":134,"path":135,"stem":136},"Deployment","/operations/deployment","6.operations/2.deployment",{"title":138,"path":139,"stem":140},"Troubleshooting","/operations/troubleshooting","6.operations/3.troubleshooting",{"title":142,"path":143,"stem":144},"Monitoring","/operations/monitoring","6.operations/4.monitoring",{"id":146,"title":61,"body":147,"description":1731,"extension":1732,"links":1733,"meta":1734,"navigation":267,"path":62,"seo":1735,"stem":63,"__hash__":1736},"docs/3.ecosystem/3.shapes.md",{"type":148,"value":149,"toc":1712},"minimark",[150,155,173,177,187,191,217,221,379,383,393,398,401,407,411,520,527,531,534,578,582,585,775,779,965,969,977,983,989,996,1027,1031,1115,1119,1125,1221,1225,1228,1248,1251,1255,1265,1271,1279,1469,1481,1485,1708],[151,152,154],"h1",{"id":153},"openapeshapes","@openape/shapes",[156,157,158,159,163,164,168,169,172],"p",{},"Shapes is the execution layer for agents. It wraps existing CLI tools and ensures every command runs within the boundaries set by ",[160,161,162],"a",{"href":82},"grants",". Instead of giving agents blanket access to ",[165,166,167],"code",{},"kubectl"," or ",[165,170,171],{},"aws",", Shapes maps each command to a structured permission and checks it against the agent's approved grants.",[174,175,34],"h2",{"id":176},"how-it-works",[178,179,184],"pre",{"className":180,"code":182,"language":183},[181],"language-text","Agent: \"gh repo delete myorg/old-repo\"\n         ↓\nShapes: Load adapter for \"gh\"\n         ↓\nParser: Match operation \"repo.delete\"\n         ↓\nResolver: Build permission \"gh:repo.delete(owner=myorg,name=old-repo)\"\n         ↓\nGrant check: Does a valid grant cover this?\n  → Yes → Execute command\n  → No  → Request grant, wait for human approval\n","text",[165,185,182],{"__ignoreMap":186},"",[174,188,190],{"id":189},"installation","Installation",[178,192,196],{"className":193,"code":194,"language":195,"meta":186,"style":186},"language-bash shiki shiki-themes material-theme-lighter material-theme material-theme-palenight","npm install -g @openape/shapes\n","bash",[165,197,198],{"__ignoreMap":186},[199,200,203,207,211,214],"span",{"class":201,"line":202},"line",1,[199,204,206],{"class":205},"sBMFI","npm",[199,208,210],{"class":209},"sfazB"," install",[199,212,213],{"class":209}," -g",[199,215,216],{"class":209}," @openape/shapes\n",[174,218,220],{"id":219},"quick-start","Quick Start",[178,222,224],{"className":193,"code":223,"language":195,"meta":186,"style":186},"# See what permissions a command requires (without executing)\nshapes explain -- gh repo list myorg\n# → gh:repo.list (risk: low) — List repositories for owner myorg\n\n# Request a grant and execute\nshapes request --idp https://id.example.com --approval once -- gh issue create --repo myorg/app --title \"Bug\"\n# → Requests grant... waiting for approval... approved! Executing.\n\n# Execute with a pre-approved grant token\nshapes --grant \u003Cjwt> -- kubectl get pods -n production\n",[165,225,226,232,256,262,269,275,324,330,335,341],{"__ignoreMap":186},[199,227,228],{"class":201,"line":202},[199,229,231],{"class":230},"sHwdD","# See what permissions a command requires (without executing)\n",[199,233,235,238,241,244,247,250,253],{"class":201,"line":234},2,[199,236,237],{"class":205},"shapes",[199,239,240],{"class":209}," explain",[199,242,243],{"class":209}," --",[199,245,246],{"class":209}," gh",[199,248,249],{"class":209}," repo",[199,251,252],{"class":209}," list",[199,254,255],{"class":209}," myorg\n",[199,257,259],{"class":201,"line":258},3,[199,260,261],{"class":230},"# → gh:repo.list (risk: low) — List repositories for owner myorg\n",[199,263,265],{"class":201,"line":264},4,[199,266,268],{"emptyLinePlaceholder":267},true,"\n",[199,270,272],{"class":201,"line":271},5,[199,273,274],{"class":230},"# Request a grant and execute\n",[199,276,278,280,283,286,289,292,295,297,299,302,305,308,311,314,318,321],{"class":201,"line":277},6,[199,279,237],{"class":205},[199,281,282],{"class":209}," request",[199,284,285],{"class":209}," --idp",[199,287,288],{"class":209}," https://id.example.com",[199,290,291],{"class":209}," --approval",[199,293,294],{"class":209}," once",[199,296,243],{"class":209},[199,298,246],{"class":209},[199,300,301],{"class":209}," issue",[199,303,304],{"class":209}," create",[199,306,307],{"class":209}," --repo",[199,309,310],{"class":209}," myorg/app",[199,312,313],{"class":209}," --title",[199,315,317],{"class":316},"sMK4o"," \"",[199,319,320],{"class":209},"Bug",[199,322,323],{"class":316},"\"\n",[199,325,327],{"class":201,"line":326},7,[199,328,329],{"class":230},"# → Requests grant... waiting for approval... approved! Executing.\n",[199,331,333],{"class":201,"line":332},8,[199,334,268],{"emptyLinePlaceholder":267},[199,336,338],{"class":201,"line":337},9,[199,339,340],{"class":230},"# Execute with a pre-approved grant token\n",[199,342,344,346,349,352,355,359,362,364,367,370,373,376],{"class":201,"line":343},10,[199,345,237],{"class":205},[199,347,348],{"class":209}," --grant",[199,350,351],{"class":316}," \u003C",[199,353,354],{"class":209},"jw",[199,356,358],{"class":357},"sTEyZ","t",[199,360,361],{"class":316},">",[199,363,243],{"class":209},[199,365,366],{"class":209}," kubectl",[199,368,369],{"class":209}," get",[199,371,372],{"class":209}," pods",[199,374,375],{"class":209}," -n",[199,377,378],{"class":209}," production\n",[174,380,382],{"id":381},"the-shapes-registry","The Shapes Registry",[156,384,385,386,392],{},"The ",[160,387,391],{"href":388,"rel":389},"https://github.com/openape-ai/shapes-registry",[390],"nofollow","Shapes Registry"," is the catalog of available adapters. It defines which CLI tools can be wrapped and how their commands map to permissions.",[394,395,397],"h3",{"id":396},"registry-structure","Registry Structure",[156,399,400],{},"The registry is a GitHub repository with TOML adapter definitions:",[178,402,405],{"className":403,"code":404,"language":183},[181],"shapes-registry/\n├── registry.json          # Generated index (auto-built)\n├── adapters/\n│   ├── gh/\n│   │   ├── adapter.toml   # Operation definitions\n│   │   ├── meta.json      # Metadata\n│   │   └── README.md\n│   ├── kubectl/\n│   ├── az/\n│   ├── exo/\n│   ├── o365mail/          # 20 operations for Outlook mail\n│   ├── ls/\n│   ├── cat/\n│   ├── chmod/\n│   └── ...\n",[165,406,404],{"__ignoreMap":186},[394,408,410],{"id":409},"discovering-and-installing-adapters","Discovering and Installing Adapters",[178,412,414],{"className":193,"code":413,"language":195,"meta":186,"style":186},"# Search the registry\nshapes adapter search github\n# → gh — GitHub CLI (devtools)\n\n# Install an adapter\nshapes adapter install gh\n\n# List installed adapters\nshapes adapter list\n\n# Update all adapters\nshapes adapter update\n\n# Verify adapter integrity (SHA-256 digest)\nshapes adapter verify gh\n",[165,415,416,421,434,439,443,448,459,463,468,477,481,487,497,502,508],{"__ignoreMap":186},[199,417,418],{"class":201,"line":202},[199,419,420],{"class":230},"# Search the registry\n",[199,422,423,425,428,431],{"class":201,"line":234},[199,424,237],{"class":205},[199,426,427],{"class":209}," adapter",[199,429,430],{"class":209}," search",[199,432,433],{"class":209}," github\n",[199,435,436],{"class":201,"line":258},[199,437,438],{"class":230},"# → gh — GitHub CLI (devtools)\n",[199,440,441],{"class":201,"line":264},[199,442,268],{"emptyLinePlaceholder":267},[199,444,445],{"class":201,"line":271},[199,446,447],{"class":230},"# Install an adapter\n",[199,449,450,452,454,456],{"class":201,"line":277},[199,451,237],{"class":205},[199,453,427],{"class":209},[199,455,210],{"class":209},[199,457,458],{"class":209}," gh\n",[199,460,461],{"class":201,"line":326},[199,462,268],{"emptyLinePlaceholder":267},[199,464,465],{"class":201,"line":332},[199,466,467],{"class":230},"# List installed adapters\n",[199,469,470,472,474],{"class":201,"line":337},[199,471,237],{"class":205},[199,473,427],{"class":209},[199,475,476],{"class":209}," list\n",[199,478,479],{"class":201,"line":343},[199,480,268],{"emptyLinePlaceholder":267},[199,482,484],{"class":201,"line":483},11,[199,485,486],{"class":230},"# Update all adapters\n",[199,488,490,492,494],{"class":201,"line":489},12,[199,491,237],{"class":205},[199,493,427],{"class":209},[199,495,496],{"class":209}," update\n",[199,498,500],{"class":201,"line":499},13,[199,501,268],{"emptyLinePlaceholder":267},[199,503,505],{"class":201,"line":504},14,[199,506,507],{"class":230},"# Verify adapter integrity (SHA-256 digest)\n",[199,509,511,513,515,518],{"class":201,"line":510},15,[199,512,237],{"class":205},[199,514,427],{"class":209},[199,516,517],{"class":209}," verify",[199,519,458],{"class":209},[156,521,522,523,526],{},"Adapters are cached locally at ",[165,524,525],{},"~/.openape/shapes/adapters/",". The registry is fetched from GitHub and cached for 1 hour.",[394,528,530],{"id":529},"adapter-resolution-order","Adapter Resolution Order",[156,532,533],{},"When Shapes loads an adapter, it searches in this order:",[535,536,537,548,556,564,572],"ol",{},[538,539,540,544,545],"li",{},[541,542,543],"strong",{},"Project-local:"," ",[165,546,547],{},".openape/shapes/adapters/{id}.toml",[538,549,550,544,553],{},[541,551,552],{},"User home:",[165,554,555],{},"~/.openape/shapes/adapters/{id}.toml",[538,557,558,544,561],{},[541,559,560],{},"System:",[165,562,563],{},"/etc/openape/shapes/adapters/",[538,565,566,544,569],{},[541,567,568],{},"Bundled:",[165,570,571],{},"node_modules/@openape/shapes/adapters/",[538,573,574,577],{},[541,575,576],{},"Fallback:"," scan all directories for matching executable name",[174,579,581],{"id":580},"adapter-format","Adapter Format",[156,583,584],{},"Each adapter is a TOML file that maps CLI commands to operations:",[178,586,590],{"className":587,"code":588,"language":589,"meta":186,"style":186},"language-toml shiki shiki-themes material-theme-lighter material-theme material-theme-palenight","schema = \"openape-shapes/v1\"\n\n[cli]\nid = \"gh\"\nexecutable = \"gh\"\nversion = \"1\"\n\n[[operation]]\nid = \"repo.list\"\ncommand = [\"repo\", \"list\"]\npositionals = [\"owner\"]\ndisplay = \"List repositories for owner {owner}\"\naction = \"list\"\nrisk = \"low\"\nresource_chain = [\"owner:login={owner}\", \"repo:*\"]\n\n[[operation]]\nid = \"issue.create\"\ncommand = [\"issue\", \"create\"]\nrequired_options = [\"repo\", \"title\"]\ndisplay = \"Create issue in {repo}: {title}\"\naction = \"create\"\nrisk = \"medium\"\nresource_chain = [\"repo:owner={repo|owner},name={repo|name}\", \"issue:*\"]\n\n[[operation]]\nid = \"repo.delete\"\ncommand = [\"repo\", \"delete\"]\npositionals = [\"repo\"]\ndisplay = \"Delete repository {repo}\"\naction = \"delete\"\nrisk = \"critical\"\nexact_command = true\nresource_chain = [\"repo:owner={repo|owner},name={repo|name}\"]\n","toml",[165,591,592,597,601,606,611,616,621,625,630,635,640,645,650,655,660,665,670,675,681,687,693,699,705,711,717,722,727,733,739,745,751,757,763,769],{"__ignoreMap":186},[199,593,594],{"class":201,"line":202},[199,595,596],{},"schema = \"openape-shapes/v1\"\n",[199,598,599],{"class":201,"line":234},[199,600,268],{"emptyLinePlaceholder":267},[199,602,603],{"class":201,"line":258},[199,604,605],{},"[cli]\n",[199,607,608],{"class":201,"line":264},[199,609,610],{},"id = \"gh\"\n",[199,612,613],{"class":201,"line":271},[199,614,615],{},"executable = \"gh\"\n",[199,617,618],{"class":201,"line":277},[199,619,620],{},"version = \"1\"\n",[199,622,623],{"class":201,"line":326},[199,624,268],{"emptyLinePlaceholder":267},[199,626,627],{"class":201,"line":332},[199,628,629],{},"[[operation]]\n",[199,631,632],{"class":201,"line":337},[199,633,634],{},"id = \"repo.list\"\n",[199,636,637],{"class":201,"line":343},[199,638,639],{},"command = [\"repo\", \"list\"]\n",[199,641,642],{"class":201,"line":483},[199,643,644],{},"positionals = [\"owner\"]\n",[199,646,647],{"class":201,"line":489},[199,648,649],{},"display = \"List repositories for owner {owner}\"\n",[199,651,652],{"class":201,"line":499},[199,653,654],{},"action = \"list\"\n",[199,656,657],{"class":201,"line":504},[199,658,659],{},"risk = \"low\"\n",[199,661,662],{"class":201,"line":510},[199,663,664],{},"resource_chain = [\"owner:login={owner}\", \"repo:*\"]\n",[199,666,668],{"class":201,"line":667},16,[199,669,268],{"emptyLinePlaceholder":267},[199,671,673],{"class":201,"line":672},17,[199,674,629],{},[199,676,678],{"class":201,"line":677},18,[199,679,680],{},"id = \"issue.create\"\n",[199,682,684],{"class":201,"line":683},19,[199,685,686],{},"command = [\"issue\", \"create\"]\n",[199,688,690],{"class":201,"line":689},20,[199,691,692],{},"required_options = [\"repo\", \"title\"]\n",[199,694,696],{"class":201,"line":695},21,[199,697,698],{},"display = \"Create issue in {repo}: {title}\"\n",[199,700,702],{"class":201,"line":701},22,[199,703,704],{},"action = \"create\"\n",[199,706,708],{"class":201,"line":707},23,[199,709,710],{},"risk = \"medium\"\n",[199,712,714],{"class":201,"line":713},24,[199,715,716],{},"resource_chain = [\"repo:owner={repo|owner},name={repo|name}\", \"issue:*\"]\n",[199,718,720],{"class":201,"line":719},25,[199,721,268],{"emptyLinePlaceholder":267},[199,723,725],{"class":201,"line":724},26,[199,726,629],{},[199,728,730],{"class":201,"line":729},27,[199,731,732],{},"id = \"repo.delete\"\n",[199,734,736],{"class":201,"line":735},28,[199,737,738],{},"command = [\"repo\", \"delete\"]\n",[199,740,742],{"class":201,"line":741},29,[199,743,744],{},"positionals = [\"repo\"]\n",[199,746,748],{"class":201,"line":747},30,[199,749,750],{},"display = \"Delete repository {repo}\"\n",[199,752,754],{"class":201,"line":753},31,[199,755,756],{},"action = \"delete\"\n",[199,758,760],{"class":201,"line":759},32,[199,761,762],{},"risk = \"critical\"\n",[199,764,766],{"class":201,"line":765},33,[199,767,768],{},"exact_command = true\n",[199,770,772],{"class":201,"line":771},34,[199,773,774],{},"resource_chain = [\"repo:owner={repo|owner},name={repo|name}\"]\n",[394,776,778],{"id":777},"operation-fields","Operation Fields",[780,781,782,798],"table",{},[783,784,785],"thead",{},[786,787,788,792,795],"tr",{},[789,790,791],"th",{},"Field",[789,793,794],{},"Required",[789,796,797],{},"Description",[799,800,801,819,834,847,863,879,913,937,949],"tbody",{},[786,802,803,809,812],{},[804,805,806],"td",{},[165,807,808],{},"id",[804,810,811],{},"Yes",[804,813,814,815,818],{},"Unique operation ID (e.g., ",[165,816,817],{},"repo.list",")",[786,820,821,826,828],{},[804,822,823],{},[165,824,825],{},"command",[804,827,811],{},[804,829,830,831,818],{},"Command prefix to match (e.g., ",[165,832,833],{},"[\"repo\", \"list\"]",[786,835,836,841,844],{},[804,837,838],{},[165,839,840],{},"positionals",[804,842,843],{},"No",[804,845,846],{},"Positional argument names",[786,848,849,854,856],{},[804,850,851],{},[165,852,853],{},"required_options",[804,855,843],{},[804,857,858,859,862],{},"Required ",[165,860,861],{},"--option"," names",[786,864,865,870,872],{},[804,866,867],{},[165,868,869],{},"display",[804,871,811],{},[804,873,874,875,878],{},"Human-readable description with ",[165,876,877],{},"{binding}"," templates",[786,880,881,886,888],{},[804,882,883],{},[165,884,885],{},"action",[804,887,811],{},[804,889,890,891,894,895,894,898,894,901,894,904,894,907,894,910],{},"Action type: ",[165,892,893],{},"read",", ",[165,896,897],{},"list",[165,899,900],{},"create",[165,902,903],{},"edit",[165,905,906],{},"delete",[165,908,909],{},"send",[165,911,912],{},"draft",[786,914,915,920,922],{},[804,916,917],{},[165,918,919],{},"risk",[804,921,811],{},[804,923,924,925,894,928,894,931,894,934],{},"Risk level: ",[165,926,927],{},"low",[165,929,930],{},"medium",[165,932,933],{},"high",[165,935,936],{},"critical",[786,938,939,944,946],{},[804,940,941],{},[165,942,943],{},"resource_chain",[804,945,811],{},[804,947,948],{},"Hierarchical resource selectors",[786,950,951,956,958],{},[804,952,953],{},[165,954,955],{},"exact_command",[804,957,843],{},[804,959,960,961,964],{},"If ",[165,962,963],{},"true",", only exact argv match is allowed (for destructive operations)",[394,966,968],{"id":967},"resource-chains","Resource Chains",[156,970,971,972,976],{},"Resource chains describe ",[973,974,975],"em",{},"what"," is being accessed, hierarchically:",[178,978,981],{"className":979,"code":980,"language":183},[181],"owner:login=myorg → repo:name=myapp → issue:id=42\n",[165,982,980],{"__ignoreMap":186},[156,984,985,986],{},"Format: ",[165,987,988],{},"resource[:selector1=value1,selector2=value2]",[156,990,991,992,995],{},"Bindings use ",[165,993,994],{},"{name}"," templates resolved from parsed arguments:",[997,998,999,1005,1015,1021],"ul",{},[538,1000,1001,1004],{},[165,1002,1003],{},"{owner}"," — from positional argument",[538,1006,1007,1010,1011,1014],{},[165,1008,1009],{},"{repo|owner}"," — extract owner part from ",[165,1012,1013],{},"owner/name"," format",[538,1016,1017,1020],{},[165,1018,1019],{},"{repo|name}"," — extract name part",[538,1022,1023,1026],{},[165,1024,1025],{},"*"," — wildcard (matches any)",[394,1028,1030],{"id":1029},"risk-levels","Risk Levels",[780,1032,1033,1046],{},[783,1034,1035],{},[786,1036,1037,1040,1043],{},[789,1038,1039],{},"Level",[789,1041,1042],{},"When to use",[789,1044,1045],{},"Approval behavior",[799,1047,1048,1064,1082,1097],{},[786,1049,1050,1054,1057],{},[804,1051,1052],{},[165,1053,927],{},[804,1055,1056],{},"Read-only, listing operations",[804,1058,1059,1060,1063],{},"May auto-approve with ",[165,1061,1062],{},"always"," grants",[786,1065,1066,1070,1073],{},[804,1067,1068],{},[165,1069,930],{},[804,1071,1072],{},"Create, edit operations",[804,1074,1075,1076,168,1079,1063],{},"Typically ",[165,1077,1078],{},"once",[165,1080,1081],{},"timed",[786,1083,1084,1088,1091],{},[804,1085,1086],{},[165,1087,933],{},[804,1089,1090],{},"Delete, modify permissions",[804,1092,1093,1094,1096],{},"Requires explicit ",[165,1095,1078],{}," grant",[786,1098,1099,1103,1106],{},[804,1100,1101],{},[165,1102,936],{},[804,1104,1105],{},"Destructive, irreversible",[804,1107,1108,1109,1111,1112],{},"Requires ",[165,1110,1078],{}," grant + ",[165,1113,1114],{},"exact_command = true",[174,1116,1118],{"id":1117},"integration-with-grapes","Integration with grapes",[156,1120,1121,1124],{},[160,1122,1123],{"href":58},"grapes"," uses Shapes for structured capability requests:",[178,1126,1128],{"className":193,"code":1127,"language":195,"meta":186,"style":186},"# Command-based (parses the actual CLI command)\ngrapes request \"gh issue create --repo myorg/app --title Bug\" --audience shapes --wait\n\n# Capability-based (specify resources and actions directly)\ngrapes request-capability gh \\\n  --resource repo \\\n  --action list \\\n  --selector owner.login=myorg \\\n  --approval timed --duration 1h\n",[165,1129,1130,1135,1158,1162,1167,1179,1188,1197,1207],{"__ignoreMap":186},[199,1131,1132],{"class":201,"line":202},[199,1133,1134],{"class":230},"# Command-based (parses the actual CLI command)\n",[199,1136,1137,1139,1141,1143,1146,1149,1152,1155],{"class":201,"line":234},[199,1138,1123],{"class":205},[199,1140,282],{"class":209},[199,1142,317],{"class":316},[199,1144,1145],{"class":209},"gh issue create --repo myorg/app --title Bug",[199,1147,1148],{"class":316},"\"",[199,1150,1151],{"class":209}," --audience",[199,1153,1154],{"class":209}," shapes",[199,1156,1157],{"class":209}," --wait\n",[199,1159,1160],{"class":201,"line":258},[199,1161,268],{"emptyLinePlaceholder":267},[199,1163,1164],{"class":201,"line":264},[199,1165,1166],{"class":230},"# Capability-based (specify resources and actions directly)\n",[199,1168,1169,1171,1174,1176],{"class":201,"line":271},[199,1170,1123],{"class":205},[199,1172,1173],{"class":209}," request-capability",[199,1175,246],{"class":209},[199,1177,1178],{"class":357}," \\\n",[199,1180,1181,1184,1186],{"class":201,"line":277},[199,1182,1183],{"class":209},"  --resource",[199,1185,249],{"class":209},[199,1187,1178],{"class":357},[199,1189,1190,1193,1195],{"class":201,"line":326},[199,1191,1192],{"class":209},"  --action",[199,1194,252],{"class":209},[199,1196,1178],{"class":357},[199,1198,1199,1202,1205],{"class":201,"line":332},[199,1200,1201],{"class":209},"  --selector",[199,1203,1204],{"class":209}," owner.login=myorg",[199,1206,1178],{"class":357},[199,1208,1209,1212,1215,1218],{"class":201,"line":337},[199,1210,1211],{"class":209},"  --approval",[199,1213,1214],{"class":209}," timed",[199,1216,1217],{"class":209}," --duration",[199,1219,1220],{"class":209}," 1h\n",[174,1222,1224],{"id":1223},"digest-verification","Digest Verification",[156,1226,1227],{},"Security is enforced through SHA-256 digest verification at multiple points:",[535,1229,1230,1236,1242],{},[538,1231,1232,1235],{},[541,1233,1234],{},"Installation:"," Downloaded adapter TOML must match the registry digest",[538,1237,1238,1241],{},[541,1239,1240],{},"Grant request:"," The adapter digest is included in the grant request",[538,1243,1244,1247],{},[541,1245,1246],{},"Execution:"," The runtime adapter digest must match the grant's digest",[156,1249,1250],{},"This ensures that an adapter cannot be tampered with between grant approval and command execution.",[174,1252,1254],{"id":1253},"writing-a-custom-adapter","Writing a Custom Adapter",[535,1256,1257],{},[538,1258,1259,1260,1264],{},"Create a directory in the ",[160,1261,1263],{"href":388,"rel":1262},[390],"shapes-registry",":",[178,1266,1269],{"className":1267,"code":1268,"language":183},[181],"adapters/my-tool/\n├── adapter.toml    # Operation definitions\n├── meta.json       # Metadata for the registry\n└── README.md       # Documentation\n",[165,1270,1268],{"__ignoreMap":186},[535,1272,1273],{"start":234},[538,1274,1275,1276,1264],{},"Define metadata in ",[165,1277,1278],{},"meta.json",[178,1280,1284],{"className":1281,"code":1282,"language":1283,"meta":186,"style":186},"language-json shiki shiki-themes material-theme-lighter material-theme material-theme-palenight","{\n  \"id\": \"my-tool\",\n  \"name\": \"My Tool\",\n  \"description\": \"Grant-aware wrapper for my-tool CLI\",\n  \"author\": \"your-org\",\n  \"category\": \"devtools\",\n  \"tags\": [\"ci\", \"deployment\"],\n  \"executable\": \"my-tool\",\n  \"min_shapes_version\": \"0.3.0\"\n}\n","json",[165,1285,1286,1291,1313,1333,1353,1373,1393,1427,1446,1464],{"__ignoreMap":186},[199,1287,1288],{"class":201,"line":202},[199,1289,1290],{"class":316},"{\n",[199,1292,1293,1296,1299,1301,1303,1305,1308,1310],{"class":201,"line":234},[199,1294,1295],{"class":316},"  \"",[199,1297,808],{"class":1298},"spNyl",[199,1300,1148],{"class":316},[199,1302,1264],{"class":316},[199,1304,317],{"class":316},[199,1306,1307],{"class":209},"my-tool",[199,1309,1148],{"class":316},[199,1311,1312],{"class":316},",\n",[199,1314,1315,1317,1320,1322,1324,1326,1329,1331],{"class":201,"line":258},[199,1316,1295],{"class":316},[199,1318,1319],{"class":1298},"name",[199,1321,1148],{"class":316},[199,1323,1264],{"class":316},[199,1325,317],{"class":316},[199,1327,1328],{"class":209},"My Tool",[199,1330,1148],{"class":316},[199,1332,1312],{"class":316},[199,1334,1335,1337,1340,1342,1344,1346,1349,1351],{"class":201,"line":264},[199,1336,1295],{"class":316},[199,1338,1339],{"class":1298},"description",[199,1341,1148],{"class":316},[199,1343,1264],{"class":316},[199,1345,317],{"class":316},[199,1347,1348],{"class":209},"Grant-aware wrapper for my-tool CLI",[199,1350,1148],{"class":316},[199,1352,1312],{"class":316},[199,1354,1355,1357,1360,1362,1364,1366,1369,1371],{"class":201,"line":271},[199,1356,1295],{"class":316},[199,1358,1359],{"class":1298},"author",[199,1361,1148],{"class":316},[199,1363,1264],{"class":316},[199,1365,317],{"class":316},[199,1367,1368],{"class":209},"your-org",[199,1370,1148],{"class":316},[199,1372,1312],{"class":316},[199,1374,1375,1377,1380,1382,1384,1386,1389,1391],{"class":201,"line":277},[199,1376,1295],{"class":316},[199,1378,1379],{"class":1298},"category",[199,1381,1148],{"class":316},[199,1383,1264],{"class":316},[199,1385,317],{"class":316},[199,1387,1388],{"class":209},"devtools",[199,1390,1148],{"class":316},[199,1392,1312],{"class":316},[199,1394,1395,1397,1400,1402,1404,1407,1409,1412,1414,1417,1419,1422,1424],{"class":201,"line":326},[199,1396,1295],{"class":316},[199,1398,1399],{"class":1298},"tags",[199,1401,1148],{"class":316},[199,1403,1264],{"class":316},[199,1405,1406],{"class":316}," [",[199,1408,1148],{"class":316},[199,1410,1411],{"class":209},"ci",[199,1413,1148],{"class":316},[199,1415,1416],{"class":316},",",[199,1418,317],{"class":316},[199,1420,1421],{"class":209},"deployment",[199,1423,1148],{"class":316},[199,1425,1426],{"class":316},"],\n",[199,1428,1429,1431,1434,1436,1438,1440,1442,1444],{"class":201,"line":332},[199,1430,1295],{"class":316},[199,1432,1433],{"class":1298},"executable",[199,1435,1148],{"class":316},[199,1437,1264],{"class":316},[199,1439,317],{"class":316},[199,1441,1307],{"class":209},[199,1443,1148],{"class":316},[199,1445,1312],{"class":316},[199,1447,1448,1450,1453,1455,1457,1459,1462],{"class":201,"line":337},[199,1449,1295],{"class":316},[199,1451,1452],{"class":1298},"min_shapes_version",[199,1454,1148],{"class":316},[199,1456,1264],{"class":316},[199,1458,317],{"class":316},[199,1460,1461],{"class":209},"0.3.0",[199,1463,323],{"class":316},[199,1465,1466],{"class":201,"line":343},[199,1467,1468],{"class":316},"}\n",[535,1470,1471,1478],{"start":258},[538,1472,1473,1474,1477],{},"Define operations in ",[165,1475,1476],{},"adapter.toml"," following the TOML format above",[538,1479,1480],{},"Submit a PR to the shapes-registry — the CI will validate the adapter format and compute the digest",[174,1482,1484],{"id":1483},"cli-reference","CLI Reference",[178,1486,1488],{"className":193,"code":1487,"language":195,"meta":186,"style":186},"# Adapter management\nshapes adapter search \u003Cquery>       # Search registry\nshapes adapter install \u003Cid>         # Install adapter\nshapes adapter remove \u003Cid>          # Remove adapter\nshapes adapter list [--remote]      # List adapters\nshapes adapter info \u003Cid>            # Show adapter details\nshapes adapter update [\u003Cid>]        # Update adapters\nshapes adapter verify \u003Cid>          # Verify digest\n\n# Execution\nshapes explain -- \u003Ccli> [args...]   # Explain required permissions\nshapes request -- \u003Ccli> [args...]   # Request grant + execute\nshapes --grant \u003Cjwt> -- \u003Ccli> [args...]  # Execute with pre-approved grant\n",[165,1489,1490,1495,1516,1537,1557,1571,1591,1606,1625,1629,1634,1657,1678],{"__ignoreMap":186},[199,1491,1492],{"class":201,"line":202},[199,1493,1494],{"class":230},"# Adapter management\n",[199,1496,1497,1499,1501,1503,1505,1508,1511,1513],{"class":201,"line":234},[199,1498,237],{"class":205},[199,1500,427],{"class":209},[199,1502,430],{"class":209},[199,1504,351],{"class":316},[199,1506,1507],{"class":209},"quer",[199,1509,1510],{"class":357},"y",[199,1512,361],{"class":316},[199,1514,1515],{"class":230},"       # Search registry\n",[199,1517,1518,1520,1522,1524,1526,1529,1532,1534],{"class":201,"line":258},[199,1519,237],{"class":205},[199,1521,427],{"class":209},[199,1523,210],{"class":209},[199,1525,351],{"class":316},[199,1527,1528],{"class":209},"i",[199,1530,1531],{"class":357},"d",[199,1533,361],{"class":316},[199,1535,1536],{"class":230},"         # Install adapter\n",[199,1538,1539,1541,1543,1546,1548,1550,1552,1554],{"class":201,"line":264},[199,1540,237],{"class":205},[199,1542,427],{"class":209},[199,1544,1545],{"class":209}," remove",[199,1547,351],{"class":316},[199,1549,1528],{"class":209},[199,1551,1531],{"class":357},[199,1553,361],{"class":316},[199,1555,1556],{"class":230},"          # Remove adapter\n",[199,1558,1559,1561,1563,1565,1568],{"class":201,"line":271},[199,1560,237],{"class":205},[199,1562,427],{"class":209},[199,1564,252],{"class":209},[199,1566,1567],{"class":357}," [--remote]      ",[199,1569,1570],{"class":230},"# List adapters\n",[199,1572,1573,1575,1577,1580,1582,1584,1586,1588],{"class":201,"line":277},[199,1574,237],{"class":205},[199,1576,427],{"class":209},[199,1578,1579],{"class":209}," info",[199,1581,351],{"class":316},[199,1583,1528],{"class":209},[199,1585,1531],{"class":357},[199,1587,361],{"class":316},[199,1589,1590],{"class":230},"            # Show adapter details\n",[199,1592,1593,1595,1597,1600,1603],{"class":201,"line":326},[199,1594,237],{"class":205},[199,1596,427],{"class":209},[199,1598,1599],{"class":209}," update",[199,1601,1602],{"class":357}," [\u003Cid>]        ",[199,1604,1605],{"class":230},"# Update adapters\n",[199,1607,1608,1610,1612,1614,1616,1618,1620,1622],{"class":201,"line":332},[199,1609,237],{"class":205},[199,1611,427],{"class":209},[199,1613,517],{"class":209},[199,1615,351],{"class":316},[199,1617,1528],{"class":209},[199,1619,1531],{"class":357},[199,1621,361],{"class":316},[199,1623,1624],{"class":230},"          # Verify digest\n",[199,1626,1627],{"class":201,"line":337},[199,1628,268],{"emptyLinePlaceholder":267},[199,1630,1631],{"class":201,"line":343},[199,1632,1633],{"class":230},"# Execution\n",[199,1635,1636,1638,1640,1642,1644,1647,1649,1651,1654],{"class":201,"line":483},[199,1637,237],{"class":205},[199,1639,240],{"class":209},[199,1641,243],{"class":209},[199,1643,351],{"class":316},[199,1645,1646],{"class":209},"cl",[199,1648,1528],{"class":357},[199,1650,361],{"class":316},[199,1652,1653],{"class":357}," [args...]   ",[199,1655,1656],{"class":230},"# Explain required permissions\n",[199,1658,1659,1661,1663,1665,1667,1669,1671,1673,1675],{"class":201,"line":489},[199,1660,237],{"class":205},[199,1662,282],{"class":209},[199,1664,243],{"class":209},[199,1666,351],{"class":316},[199,1668,1646],{"class":209},[199,1670,1528],{"class":357},[199,1672,361],{"class":316},[199,1674,1653],{"class":357},[199,1676,1677],{"class":230},"# Request grant + execute\n",[199,1679,1680,1682,1684,1686,1688,1690,1692,1694,1696,1698,1700,1702,1705],{"class":201,"line":499},[199,1681,237],{"class":205},[199,1683,348],{"class":209},[199,1685,351],{"class":316},[199,1687,354],{"class":209},[199,1689,358],{"class":357},[199,1691,361],{"class":316},[199,1693,243],{"class":209},[199,1695,351],{"class":316},[199,1697,1646],{"class":209},[199,1699,1528],{"class":357},[199,1701,361],{"class":316},[199,1703,1704],{"class":357}," [args...]  ",[199,1706,1707],{"class":230},"# Execute with pre-approved grant\n",[1709,1710,1711],"style",{},"html pre.shiki code .sBMFI, html code.shiki .sBMFI{--shiki-light:#E2931D;--shiki-default:#FFCB6B;--shiki-dark:#FFCB6B}html pre.shiki code .sfazB, html code.shiki .sfazB{--shiki-light:#91B859;--shiki-default:#C3E88D;--shiki-dark:#C3E88D}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html pre.shiki code .sHwdD, html code.shiki .sHwdD{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#546E7A;--shiki-default-font-style:italic;--shiki-dark:#676E95;--shiki-dark-font-style:italic}html pre.shiki code .sMK4o, html code.shiki .sMK4o{--shiki-light:#39ADB5;--shiki-default:#89DDFF;--shiki-dark:#89DDFF}html pre.shiki code .sTEyZ, html code.shiki .sTEyZ{--shiki-light:#90A4AE;--shiki-default:#EEFFFF;--shiki-dark:#BABED8}html pre.shiki code .spNyl, html code.shiki .spNyl{--shiki-light:#9C3EDA;--shiki-default:#C792EA;--shiki-dark:#C792EA}",{"title":186,"searchDepth":258,"depth":234,"links":1713},[1714,1715,1716,1717,1722,1727,1728,1729,1730],{"id":176,"depth":234,"text":34},{"id":189,"depth":234,"text":190},{"id":219,"depth":234,"text":220},{"id":381,"depth":234,"text":382,"children":1718},[1719,1720,1721],{"id":396,"depth":258,"text":397},{"id":409,"depth":258,"text":410},{"id":529,"depth":258,"text":530},{"id":580,"depth":234,"text":581,"children":1723},[1724,1725,1726],{"id":777,"depth":258,"text":778},{"id":967,"depth":258,"text":968},{"id":1029,"depth":258,"text":1030},{"id":1117,"depth":234,"text":1118},{"id":1223,"depth":234,"text":1224},{"id":1253,"depth":234,"text":1254},{"id":1483,"depth":234,"text":1484},"Grant-constrained execution layer — run any CLI through structured permissions.","md",null,{},{"title":61,"description":1731},"m0s9kT69tGSncEatz4H5kfydVhoCAahnhpga1bSJP20",[1738,1740],{"title":57,"path":58,"stem":59,"description":1739,"children":-1},"Universal Grant Management CLI — request, approve, delegate, and execute.",{"title":65,"path":66,"stem":67,"description":1741,"children":-1},"Setuid-root Rust binary for local privilege elevation via AuthZ-JWT.",1774221116104]