[{"data":1,"prerenderedAt":1493},["ShallowReactive",2],{"navigation":3,"/guides/capabilities-guide":145,"/guides/capabilities-guide-surround":1488},[4,28,49,88,101,127],{"title":5,"path":6,"stem":7,"children":8,"icon":27},"Getting Started","/getting-started","1.getting-started/1.index",[9,11,15,19,23],{"title":10,"path":6,"stem":7},"Introduction",{"title":12,"path":13,"stem":14},"Working with Agents","/getting-started/working-with-agents","1.getting-started/2.working-with-agents",{"title":16,"path":17,"stem":18},"Setup a Service Provider","/getting-started/setup-service-provider","1.getting-started/3.setup-service-provider",{"title":20,"path":21,"stem":22},"Setup an Identity Provider","/getting-started/setup-identity-provider","1.getting-started/4.setup-identity-provider",{"title":24,"path":25,"stem":26},"Developers","/getting-started/developers","1.getting-started/5.developers",false,{"title":29,"icon":27,"path":30,"stem":31,"children":32,"page":27},"Guides","/guides","2.guides",[33,37,41,45],{"title":34,"path":35,"stem":36},"How It Works","/guides/how-it-works","2.guides/1.how-it-works",{"title":38,"path":39,"stem":40},"Capabilities Guide","/guides/capabilities-guide","2.guides/2.capabilities-guide",{"title":42,"path":43,"stem":44},"End-to-End Tutorial","/guides/end-to-end-tutorial","2.guides/3.end-to-end-tutorial",{"title":46,"path":47,"stem":48},"Delegation Guide","/guides/delegation-guide","2.guides/4.delegation-guide",{"title":50,"path":51,"stem":52,"children":53,"icon":27},"Ecosystem","/ecosystem","3.ecosystem/1.index",[54,56,60,64,68,72,76,80,84],{"title":55,"path":51,"stem":52},"Overview",{"title":57,"path":58,"stem":59},"grapes CLI","/ecosystem/grapes","3.ecosystem/2.grapes",{"title":61,"path":62,"stem":63},"shapes CLI","/ecosystem/shapes","3.ecosystem/3.shapes",{"title":65,"path":66,"stem":67},"escapes","/ecosystem/escapes","3.ecosystem/4.escapes",{"title":69,"path":70,"stem":71},"OpenApe Proxy","/ecosystem/proxy","3.ecosystem/5.proxy",{"title":73,"path":74,"stem":75},"OpenApe Browser","/ecosystem/browser","3.ecosystem/6.browser",{"title":77,"path":78,"stem":79},"OpenApe Auth","/ecosystem/auth","3.ecosystem/7.auth",{"title":81,"path":82,"stem":83},"OpenApe Grants","/ecosystem/grants","3.ecosystem/8.grants",{"title":85,"path":86,"stem":87},"nuxt-auth-sp","/ecosystem/nuxt-auth-sp","3.ecosystem/9.nuxt-auth-sp",{"title":89,"icon":27,"path":90,"stem":91,"children":92,"page":27},"Security","/security","4.security",[93,97],{"title":94,"path":95,"stem":96},"Compliance","/security/compliance","4.security/1.compliance",{"title":98,"path":99,"stem":100},"Threat Model","/security/threat-model","4.security/2.threat-model",{"title":102,"path":103,"stem":104,"children":105,"icon":27},"Reference","/reference","5.reference/1.index",[106,107,111,115,119,123],{"title":102,"path":103,"stem":104},{"title":108,"path":109,"stem":110},"IdP Configuration","/reference/idp-configuration","5.reference/2.idp-configuration",{"title":112,"path":113,"stem":114},"SP Configuration","/reference/sp-configuration","5.reference/3.sp-configuration",{"title":116,"path":117,"stem":118},"API Endpoints","/reference/api-endpoints","5.reference/4.api-endpoints",{"title":120,"path":121,"stem":122},"escapes Config","/reference/escapes-config","5.reference/5.escapes-config",{"title":124,"path":125,"stem":126},"Proxy Config","/reference/proxy-config","5.reference/6.proxy-config",{"title":128,"path":129,"stem":130,"children":131,"icon":27},"Operations","/operations","6.operations/1.index",[132,133,137,141],{"title":128,"path":129,"stem":130},{"title":134,"path":135,"stem":136},"Deployment","/operations/deployment","6.operations/2.deployment",{"title":138,"path":139,"stem":140},"Troubleshooting","/operations/troubleshooting","6.operations/3.troubleshooting",{"title":142,"path":143,"stem":144},"Monitoring","/operations/monitoring","6.operations/4.monitoring",{"id":146,"title":38,"body":147,"description":1482,"extension":1483,"links":1484,"meta":1485,"navigation":236,"path":39,"seo":1486,"stem":40,"__hash__":1487},"docs/2.guides/2.capabilities-guide.md",{"type":148,"value":149,"toc":1466},"minimark",[150,154,168,173,183,191,195,297,301,304,309,389,393,477,484,488,597,601,604,666,669,688,695,709,713,716,781,784,796,800,803,973,977,980,1054,1060,1064,1171,1175,1178,1261,1347,1351,1455,1462],[151,152,38],"h1",{"id":153},"capabilities-guide",[155,156,157,158,162,163,167],"p",{},"Capabilities let you define ",[159,160,161],"strong",{},"what your agent is allowed to do"," at a high level, without micro-managing individual commands. Instead of approving every ",[164,165,166],"code",{},"gh issue comment"," separately, you grant a capability like \"create comments on issues in this repo.\"",[169,170,172],"h2",{"id":171},"how-capabilities-work","How Capabilities Work",[174,175,180],"pre",{"className":176,"code":178,"language":179},[177],"language-text","Capability: \"gh:issue.comment.create (repo=myorg/app)\"\n     ↓\nCovers any command that matches:\n  gh issue comment \"some text\" --repo myorg/app\n  gh issue comment --repo myorg/app \"other text\"\n     ↓\nDoes NOT cover:\n  gh issue close --repo myorg/app        ← different action\n  gh issue comment --repo myorg/OTHER    ← different repo\n","text",[164,181,178],{"__ignoreMap":182},"",[155,184,185,186,190],{},"Capabilities are powered by ",[187,188,189],"a",{"href":62},"Shapes adapters"," — each adapter knows how to map CLI commands to structured permissions.",[169,192,194],{"id":193},"quick-start","Quick Start",[174,196,200],{"className":197,"code":198,"language":199,"meta":182,"style":182},"language-bash shiki shiki-themes material-theme-lighter material-theme material-theme-palenight","# Install\nnpm i -g @openape/grapes @openape/shapes\n\n# Install the GitHub CLI adapter\nshapes adapter install gh\n\n# Login as agent\ngrapes login --idp https://id.example.com --key ~/.ssh/agent_key --email agent+reviewer@example.com\n","bash",[164,201,202,211,231,238,244,259,264,270],{"__ignoreMap":182},[203,204,207],"span",{"class":205,"line":206},"line",1,[203,208,210],{"class":209},"sHwdD","# Install\n",[203,212,214,218,222,225,228],{"class":205,"line":213},2,[203,215,217],{"class":216},"sBMFI","npm",[203,219,221],{"class":220},"sfazB"," i",[203,223,224],{"class":220}," -g",[203,226,227],{"class":220}," @openape/grapes",[203,229,230],{"class":220}," @openape/shapes\n",[203,232,234],{"class":205,"line":233},3,[203,235,237],{"emptyLinePlaceholder":236},true,"\n",[203,239,241],{"class":205,"line":240},4,[203,242,243],{"class":209},"# Install the GitHub CLI adapter\n",[203,245,247,250,253,256],{"class":205,"line":246},5,[203,248,249],{"class":216},"shapes",[203,251,252],{"class":220}," adapter",[203,254,255],{"class":220}," install",[203,257,258],{"class":220}," gh\n",[203,260,262],{"class":205,"line":261},6,[203,263,237],{"emptyLinePlaceholder":236},[203,265,267],{"class":205,"line":266},7,[203,268,269],{"class":209},"# Login as agent\n",[203,271,273,276,279,282,285,288,291,294],{"class":205,"line":272},8,[203,274,275],{"class":216},"grapes",[203,277,278],{"class":220}," login",[203,280,281],{"class":220}," --idp",[203,283,284],{"class":220}," https://id.example.com",[203,286,287],{"class":220}," --key",[203,289,290],{"class":220}," ~/.ssh/agent_key",[203,292,293],{"class":220}," --email",[203,295,296],{"class":220}," agent+reviewer@example.com\n",[169,298,300],{"id":299},"use-case-agent-as-pr-reviewer","Use Case: Agent as PR Reviewer",[155,302,303],{},"Grant the agent permission to read PRs and create review comments in a specific repo.",[305,306,308],"h3",{"id":307},"step-1-see-whats-available","Step 1: See what's available",[174,310,312],{"className":197,"code":311,"language":199,"meta":182,"style":182},"# What can the gh adapter do?\nshapes adapter info gh\n\n# What permissions does a specific command need?\nshapes explain -- gh pr review 42 --repo myorg/app --comment --body \"LGTM\"\n# → gh:pr.review (repo=myorg/app, pr=42) — risk: medium\n",[164,313,314,319,330,334,339,384],{"__ignoreMap":182},[203,315,316],{"class":205,"line":206},[203,317,318],{"class":209},"# What can the gh adapter do?\n",[203,320,321,323,325,328],{"class":205,"line":213},[203,322,249],{"class":216},[203,324,252],{"class":220},[203,326,327],{"class":220}," info",[203,329,258],{"class":220},[203,331,332],{"class":205,"line":233},[203,333,237],{"emptyLinePlaceholder":236},[203,335,336],{"class":205,"line":240},[203,337,338],{"class":209},"# What permissions does a specific command need?\n",[203,340,341,343,346,349,352,355,358,362,365,368,371,374,378,381],{"class":205,"line":246},[203,342,249],{"class":216},[203,344,345],{"class":220}," explain",[203,347,348],{"class":220}," --",[203,350,351],{"class":220}," gh",[203,353,354],{"class":220}," pr",[203,356,357],{"class":220}," review",[203,359,361],{"class":360},"sbssI"," 42",[203,363,364],{"class":220}," --repo",[203,366,367],{"class":220}," myorg/app",[203,369,370],{"class":220}," --comment",[203,372,373],{"class":220}," --body",[203,375,377],{"class":376},"sMK4o"," \"",[203,379,380],{"class":220},"LGTM",[203,382,383],{"class":376},"\"\n",[203,385,386],{"class":205,"line":261},[203,387,388],{"class":209},"# → gh:pr.review (repo=myorg/app, pr=42) — risk: medium\n",[305,390,392],{"id":391},"step-2-grant-review-capability","Step 2: Grant review capability",[174,394,396],{"className":197,"code":395,"language":199,"meta":182,"style":182},"# Grant: create PR reviews in myorg/app (timed, 8 hours)\ngrapes request-capability gh \\\n  --resource repo --selector repo.owner=myorg,repo.name=app \\\n  --action review \\\n  --approval timed --duration 8h \\\n  --reason \"Daily PR review session\" \\\n  --wait\n",[164,397,398,403,416,432,441,457,472],{"__ignoreMap":182},[203,399,400],{"class":205,"line":206},[203,401,402],{"class":209},"# Grant: create PR reviews in myorg/app (timed, 8 hours)\n",[203,404,405,407,410,412],{"class":205,"line":213},[203,406,275],{"class":216},[203,408,409],{"class":220}," request-capability",[203,411,351],{"class":220},[203,413,415],{"class":414},"sTEyZ"," \\\n",[203,417,418,421,424,427,430],{"class":205,"line":233},[203,419,420],{"class":220},"  --resource",[203,422,423],{"class":220}," repo",[203,425,426],{"class":220}," --selector",[203,428,429],{"class":220}," repo.owner=myorg,repo.name=app",[203,431,415],{"class":414},[203,433,434,437,439],{"class":205,"line":240},[203,435,436],{"class":220},"  --action",[203,438,357],{"class":220},[203,440,415],{"class":414},[203,442,443,446,449,452,455],{"class":205,"line":246},[203,444,445],{"class":220},"  --approval",[203,447,448],{"class":220}," timed",[203,450,451],{"class":220}," --duration",[203,453,454],{"class":220}," 8h",[203,456,415],{"class":414},[203,458,459,462,464,467,470],{"class":205,"line":261},[203,460,461],{"class":220},"  --reason",[203,463,377],{"class":376},[203,465,466],{"class":220},"Daily PR review session",[203,468,469],{"class":376},"\"",[203,471,415],{"class":414},[203,473,474],{"class":205,"line":266},[203,475,476],{"class":220},"  --wait\n",[155,478,479,480,483],{},"A human approves the grant. For the next 8 hours, the agent can review any PR in ",[164,481,482],{},"myorg/app",".",[305,485,487],{"id":486},"step-3-agent-executes","Step 3: Agent executes",[174,489,491],{"className":197,"code":490,"language":199,"meta":182,"style":182},"# These all work within the granted capability:\nshapes --grant $(grapes token \u003Cgrant-id>) -- gh pr review 42 --repo myorg/app --comment --body \"Looks good\"\nshapes --grant $(grapes token \u003Cgrant-id>) -- gh pr review 43 --repo myorg/app --request-changes --body \"Fix the tests\"\n",[164,492,493,498,550],{"__ignoreMap":182},[203,494,495],{"class":205,"line":206},[203,496,497],{"class":209},"# These all work within the granted capability:\n",[203,499,500,502,505,508,510,513,516,519,522,525,527,529,531,533,535,537,539,541,543,545,548],{"class":205,"line":213},[203,501,249],{"class":216},[203,503,504],{"class":220}," --grant",[203,506,507],{"class":376}," $(",[203,509,275],{"class":216},[203,511,512],{"class":220}," token",[203,514,515],{"class":376}," \u003C",[203,517,518],{"class":220},"grant-i",[203,520,521],{"class":414},"d",[203,523,524],{"class":376},">)",[203,526,348],{"class":220},[203,528,351],{"class":220},[203,530,354],{"class":220},[203,532,357],{"class":220},[203,534,361],{"class":360},[203,536,364],{"class":220},[203,538,367],{"class":220},[203,540,370],{"class":220},[203,542,373],{"class":220},[203,544,377],{"class":376},[203,546,547],{"class":220},"Looks good",[203,549,383],{"class":376},[203,551,552,554,556,558,560,562,564,566,568,570,572,574,576,578,581,583,585,588,590,592,595],{"class":205,"line":233},[203,553,249],{"class":216},[203,555,504],{"class":220},[203,557,507],{"class":376},[203,559,275],{"class":216},[203,561,512],{"class":220},[203,563,515],{"class":376},[203,565,518],{"class":220},[203,567,521],{"class":414},[203,569,524],{"class":376},[203,571,348],{"class":220},[203,573,351],{"class":220},[203,575,354],{"class":220},[203,577,357],{"class":220},[203,579,580],{"class":360}," 43",[203,582,364],{"class":220},[203,584,367],{"class":220},[203,586,587],{"class":220}," --request-changes",[203,589,373],{"class":220},[203,591,377],{"class":376},[203,593,594],{"class":220},"Fix the tests",[203,596,383],{"class":376},[169,598,600],{"id":599},"use-case-read-only-monitoring","Use Case: Read-Only Monitoring",[155,602,603],{},"Grant the agent permission to list and read — but never modify.",[174,605,607],{"className":197,"code":606,"language":199,"meta":182,"style":182},"# Grant: list and read repos (standing permission)\ngrapes request-capability gh \\\n  --resource repo --selector repo.owner=myorg \\\n  --action list,read \\\n  --approval always \\\n  --reason \"Continuous monitoring\"\n",[164,608,609,614,624,637,646,655],{"__ignoreMap":182},[203,610,611],{"class":205,"line":206},[203,612,613],{"class":209},"# Grant: list and read repos (standing permission)\n",[203,615,616,618,620,622],{"class":205,"line":213},[203,617,275],{"class":216},[203,619,409],{"class":220},[203,621,351],{"class":220},[203,623,415],{"class":414},[203,625,626,628,630,632,635],{"class":205,"line":233},[203,627,420],{"class":220},[203,629,423],{"class":220},[203,631,426],{"class":220},[203,633,634],{"class":220}," repo.owner=myorg",[203,636,415],{"class":414},[203,638,639,641,644],{"class":205,"line":240},[203,640,436],{"class":220},[203,642,643],{"class":220}," list,read",[203,645,415],{"class":414},[203,647,648,650,653],{"class":205,"line":246},[203,649,445],{"class":220},[203,651,652],{"class":220}," always",[203,654,415],{"class":414},[203,656,657,659,661,664],{"class":205,"line":261},[203,658,461],{"class":220},[203,660,377],{"class":376},[203,662,663],{"class":220},"Continuous monitoring",[203,665,383],{"class":376},[155,667,668],{},"Once approved, the agent can:",[670,671,672,678,683],"ul",{},[673,674,675],"li",{},[164,676,677],{},"gh repo list myorg",[673,679,680],{},[164,681,682],{},"gh repo view myorg/app",[673,684,685],{},[164,686,687],{},"gh issue list --repo myorg/app",[155,689,690,691,694],{},"But ",[159,692,693],{},"cannot",":",[670,696,697,703],{},[673,698,699,702],{},[164,700,701],{},"gh issue create"," (action: create)",[673,704,705,708],{},[164,706,707],{},"gh repo delete"," (action: delete)",[169,710,712],{"id":711},"use-case-issue-triage","Use Case: Issue Triage",[155,714,715],{},"Grant the agent permission to label and comment on issues.",[174,717,719],{"className":197,"code":718,"language":199,"meta":182,"style":182},"# Grant: comment on issues + edit labels in myorg/app\ngrapes request-capability gh \\\n  --resource repo --selector repo.owner=myorg,repo.name=app \\\n  --action comment,edit \\\n  --approval timed --duration 24h \\\n  --reason \"Issue triage sprint\"\n",[164,720,721,726,736,748,757,770],{"__ignoreMap":182},[203,722,723],{"class":205,"line":206},[203,724,725],{"class":209},"# Grant: comment on issues + edit labels in myorg/app\n",[203,727,728,730,732,734],{"class":205,"line":213},[203,729,275],{"class":216},[203,731,409],{"class":220},[203,733,351],{"class":220},[203,735,415],{"class":414},[203,737,738,740,742,744,746],{"class":205,"line":233},[203,739,420],{"class":220},[203,741,423],{"class":220},[203,743,426],{"class":220},[203,745,429],{"class":220},[203,747,415],{"class":414},[203,749,750,752,755],{"class":205,"line":240},[203,751,436],{"class":220},[203,753,754],{"class":220}," comment,edit",[203,756,415],{"class":414},[203,758,759,761,763,765,768],{"class":205,"line":246},[203,760,445],{"class":220},[203,762,448],{"class":220},[203,764,451],{"class":220},[203,766,767],{"class":220}," 24h",[203,769,415],{"class":414},[203,771,772,774,776,779],{"class":205,"line":261},[203,773,461],{"class":220},[203,775,377],{"class":376},[203,777,778],{"class":220},"Issue triage sprint",[203,780,383],{"class":376},[155,782,783],{},"The agent can now:",[670,785,786,791],{},[673,787,788],{},[164,789,790],{},"gh issue comment 42 --repo myorg/app --body \"Triaged as P2\"",[673,792,793],{},[164,794,795],{},"gh issue edit 42 --repo myorg/app --add-label \"bug\"",[169,797,799],{"id":798},"use-case-infrastructure-operations","Use Case: Infrastructure Operations",[155,801,802],{},"Grant access to specific Kubernetes namespaces.",[174,804,806],{"className":197,"code":805,"language":199,"meta":182,"style":182},"# Install the kubectl adapter\nshapes adapter install kubectl\n\n# Grant: read pods in production namespace\ngrapes request-capability kubectl \\\n  --resource namespace --selector namespace.name=production \\\n  --resource pod \\\n  --action list,read \\\n  --approval always \\\n  --reason \"Production monitoring\"\n\n# Grant: restart pods in staging (one-time)\ngrapes request-capability kubectl \\\n  --resource namespace --selector namespace.name=staging \\\n  --resource pod \\\n  --action delete \\\n  --approval once \\\n  --reason \"Restart stuck pod\"\n",[164,807,808,813,824,828,833,844,858,867,875,884,896,901,907,918,932,941,951,961],{"__ignoreMap":182},[203,809,810],{"class":205,"line":206},[203,811,812],{"class":209},"# Install the kubectl adapter\n",[203,814,815,817,819,821],{"class":205,"line":213},[203,816,249],{"class":216},[203,818,252],{"class":220},[203,820,255],{"class":220},[203,822,823],{"class":220}," kubectl\n",[203,825,826],{"class":205,"line":233},[203,827,237],{"emptyLinePlaceholder":236},[203,829,830],{"class":205,"line":240},[203,831,832],{"class":209},"# Grant: read pods in production namespace\n",[203,834,835,837,839,842],{"class":205,"line":246},[203,836,275],{"class":216},[203,838,409],{"class":220},[203,840,841],{"class":220}," kubectl",[203,843,415],{"class":414},[203,845,846,848,851,853,856],{"class":205,"line":261},[203,847,420],{"class":220},[203,849,850],{"class":220}," namespace",[203,852,426],{"class":220},[203,854,855],{"class":220}," namespace.name=production",[203,857,415],{"class":414},[203,859,860,862,865],{"class":205,"line":266},[203,861,420],{"class":220},[203,863,864],{"class":220}," pod",[203,866,415],{"class":414},[203,868,869,871,873],{"class":205,"line":272},[203,870,436],{"class":220},[203,872,643],{"class":220},[203,874,415],{"class":414},[203,876,878,880,882],{"class":205,"line":877},9,[203,879,445],{"class":220},[203,881,652],{"class":220},[203,883,415],{"class":414},[203,885,887,889,891,894],{"class":205,"line":886},10,[203,888,461],{"class":220},[203,890,377],{"class":376},[203,892,893],{"class":220},"Production monitoring",[203,895,383],{"class":376},[203,897,899],{"class":205,"line":898},11,[203,900,237],{"emptyLinePlaceholder":236},[203,902,904],{"class":205,"line":903},12,[203,905,906],{"class":209},"# Grant: restart pods in staging (one-time)\n",[203,908,910,912,914,916],{"class":205,"line":909},13,[203,911,275],{"class":216},[203,913,409],{"class":220},[203,915,841],{"class":220},[203,917,415],{"class":414},[203,919,921,923,925,927,930],{"class":205,"line":920},14,[203,922,420],{"class":220},[203,924,850],{"class":220},[203,926,426],{"class":220},[203,928,929],{"class":220}," namespace.name=staging",[203,931,415],{"class":414},[203,933,935,937,939],{"class":205,"line":934},15,[203,936,420],{"class":220},[203,938,864],{"class":220},[203,940,415],{"class":414},[203,942,944,946,949],{"class":205,"line":943},16,[203,945,436],{"class":220},[203,947,948],{"class":220}," delete",[203,950,415],{"class":414},[203,952,954,956,959],{"class":205,"line":953},17,[203,955,445],{"class":220},[203,957,958],{"class":220}," once",[203,960,415],{"class":414},[203,962,964,966,968,971],{"class":205,"line":963},18,[203,965,461],{"class":220},[203,967,377],{"class":376},[203,969,970],{"class":220},"Restart stuck pod",[203,972,383],{"class":376},[169,974,976],{"id":975},"use-case-mail-operations","Use Case: Mail Operations",[155,978,979],{},"Grant the agent permission to draft (but not send) emails.",[174,981,983],{"className":197,"code":982,"language":199,"meta":182,"style":182},"# Install the mail adapter\nshapes adapter install o365mail\n\n# Grant: draft emails only\ngrapes request-capability o365mail \\\n  --action draft \\\n  --approval timed --duration 4h \\\n  --reason \"Draft weekly report emails\"\n",[164,984,985,990,1001,1005,1010,1021,1030,1043],{"__ignoreMap":182},[203,986,987],{"class":205,"line":206},[203,988,989],{"class":209},"# Install the mail adapter\n",[203,991,992,994,996,998],{"class":205,"line":213},[203,993,249],{"class":216},[203,995,252],{"class":220},[203,997,255],{"class":220},[203,999,1000],{"class":220}," o365mail\n",[203,1002,1003],{"class":205,"line":233},[203,1004,237],{"emptyLinePlaceholder":236},[203,1006,1007],{"class":205,"line":240},[203,1008,1009],{"class":209},"# Grant: draft emails only\n",[203,1011,1012,1014,1016,1019],{"class":205,"line":246},[203,1013,275],{"class":216},[203,1015,409],{"class":220},[203,1017,1018],{"class":220}," o365mail",[203,1020,415],{"class":414},[203,1022,1023,1025,1028],{"class":205,"line":261},[203,1024,436],{"class":220},[203,1026,1027],{"class":220}," draft",[203,1029,415],{"class":414},[203,1031,1032,1034,1036,1038,1041],{"class":205,"line":266},[203,1033,445],{"class":220},[203,1035,448],{"class":220},[203,1037,451],{"class":220},[203,1039,1040],{"class":220}," 4h",[203,1042,415],{"class":414},[203,1044,1045,1047,1049,1052],{"class":205,"line":272},[203,1046,461],{"class":220},[203,1048,377],{"class":376},[203,1050,1051],{"class":220},"Draft weekly report emails",[203,1053,383],{"class":376},[155,1055,1056,1057,1059],{},"The agent can create drafts but ",[159,1058,693],{}," send them — sending is a separate action that requires its own grant.",[169,1061,1063],{"id":1062},"capability-vs-command-grants","Capability vs. Command Grants",[1065,1066,1067,1082],"table",{},[1068,1069,1070],"thead",{},[1071,1072,1073,1076,1079],"tr",{},[1074,1075],"th",{},[1074,1077,1078],{},"Capability Grant",[1074,1080,1081],{},"Command Grant",[1083,1084,1085,1099,1112,1125,1138,1155],"tbody",{},[1071,1086,1087,1093,1096],{},[1088,1089,1090],"td",{},[159,1091,1092],{},"Scope",[1088,1094,1095],{},"Covers any matching command",[1088,1097,1098],{},"Covers one exact command",[1071,1100,1101,1106,1109],{},[1088,1102,1103],{},[159,1104,1105],{},"Example",[1088,1107,1108],{},"\"read any repo in myorg\"",[1088,1110,1111],{},"\"gh repo view myorg/app\"",[1071,1113,1114,1119,1122],{},[1088,1115,1116],{},[159,1117,1118],{},"Flexibility",[1088,1120,1121],{},"Agent can operate within bounds",[1088,1123,1124],{},"Agent runs exactly one command",[1071,1126,1127,1132,1135],{},[1088,1128,1129],{},[159,1130,1131],{},"Use when",[1088,1133,1134],{},"Agent needs ongoing access",[1088,1136,1137],{},"One-off operation",[1071,1139,1140,1145,1150],{},[1088,1141,1142],{},[159,1143,1144],{},"Request via",[1088,1146,1147],{},[164,1148,1149],{},"grapes request-capability",[1088,1151,1152],{},[164,1153,1154],{},"grapes request \"exact command\"",[1071,1156,1157,1162,1165],{},[1088,1158,1159],{},[159,1160,1161],{},"Matching",[1088,1163,1164],{},"Resource chain + action",[1088,1166,1167,1170],{},[164,1168,1169],{},"cmd_hash"," (SHA-256 of exact argv)",[169,1172,1174],{"id":1173},"risk-levels-and-approval","Risk Levels and Approval",[155,1176,1177],{},"Shapes adapters define risk levels for each operation. Use these to guide your approval strategy:",[1065,1179,1180,1193],{},[1068,1181,1182],{},[1071,1183,1184,1187,1190],{},[1074,1185,1186],{},"Risk",[1074,1188,1189],{},"Examples",[1074,1191,1192],{},"Recommended Approval",[1083,1194,1195,1211,1227,1243],{},[1071,1196,1197,1202,1205],{},[1088,1198,1199],{},[164,1200,1201],{},"low",[1088,1203,1204],{},"list, read, view",[1088,1206,1207,1210],{},[164,1208,1209],{},"always"," (standing)",[1071,1212,1213,1218,1221],{},[1088,1214,1215],{},[164,1216,1217],{},"medium",[1088,1219,1220],{},"create, comment, edit",[1088,1222,1223,1226],{},[164,1224,1225],{},"timed"," (hours/days)",[1071,1228,1229,1234,1237],{},[1088,1230,1231],{},[164,1232,1233],{},"high",[1088,1235,1236],{},"delete, modify permissions",[1088,1238,1239,1242],{},[164,1240,1241],{},"once"," (single use)",[1071,1244,1245,1250,1253],{},[1088,1246,1247],{},[164,1248,1249],{},"critical",[1088,1251,1252],{},"drop database, force push",[1088,1254,1255,1257,1258],{},[164,1256,1241],{}," + ",[164,1259,1260],{},"exact_command",[174,1262,1264],{"className":197,"code":1263,"language":199,"meta":182,"style":182},"# Low risk → standing permission\ngrapes request-capability gh --action list,read --approval always\n\n# Medium risk → time-limited\ngrapes request-capability gh --action create,comment --approval timed --duration 8h\n\n# High risk → one-time only\ngrapes request-capability gh --action delete --approval once\n",[164,1265,1266,1271,1290,1294,1299,1321,1325,1330],{"__ignoreMap":182},[203,1267,1268],{"class":205,"line":206},[203,1269,1270],{"class":209},"# Low risk → standing permission\n",[203,1272,1273,1275,1277,1279,1282,1284,1287],{"class":205,"line":213},[203,1274,275],{"class":216},[203,1276,409],{"class":220},[203,1278,351],{"class":220},[203,1280,1281],{"class":220}," --action",[203,1283,643],{"class":220},[203,1285,1286],{"class":220}," --approval",[203,1288,1289],{"class":220}," always\n",[203,1291,1292],{"class":205,"line":233},[203,1293,237],{"emptyLinePlaceholder":236},[203,1295,1296],{"class":205,"line":240},[203,1297,1298],{"class":209},"# Medium risk → time-limited\n",[203,1300,1301,1303,1305,1307,1309,1312,1314,1316,1318],{"class":205,"line":246},[203,1302,275],{"class":216},[203,1304,409],{"class":220},[203,1306,351],{"class":220},[203,1308,1281],{"class":220},[203,1310,1311],{"class":220}," create,comment",[203,1313,1286],{"class":220},[203,1315,448],{"class":220},[203,1317,451],{"class":220},[203,1319,1320],{"class":220}," 8h\n",[203,1322,1323],{"class":205,"line":261},[203,1324,237],{"emptyLinePlaceholder":236},[203,1326,1327],{"class":205,"line":266},[203,1328,1329],{"class":209},"# High risk → one-time only\n",[203,1331,1332,1334,1336,1338,1340,1342,1344],{"class":205,"line":272},[203,1333,275],{"class":216},[203,1335,409],{"class":220},[203,1337,351],{"class":220},[203,1339,1281],{"class":220},[203,1341,948],{"class":220},[203,1343,1286],{"class":220},[203,1345,1346],{"class":220}," once\n",[169,1348,1350],{"id":1349},"exploring-available-adapters","Exploring Available Adapters",[174,1352,1354],{"className":197,"code":1353,"language":199,"meta":182,"style":182},"# Search the registry\nshapes adapter search github\nshapes adapter search kubernetes\nshapes adapter search mail\n\n# See all remote adapters\nshapes adapter list --remote\n\n# After installing, see what operations are available\nshapes adapter info gh\nshapes adapter info kubectl\nshapes adapter info o365mail\n",[164,1355,1356,1361,1373,1384,1395,1399,1404,1416,1420,1425,1435,1445],{"__ignoreMap":182},[203,1357,1358],{"class":205,"line":206},[203,1359,1360],{"class":209},"# Search the registry\n",[203,1362,1363,1365,1367,1370],{"class":205,"line":213},[203,1364,249],{"class":216},[203,1366,252],{"class":220},[203,1368,1369],{"class":220}," search",[203,1371,1372],{"class":220}," github\n",[203,1374,1375,1377,1379,1381],{"class":205,"line":233},[203,1376,249],{"class":216},[203,1378,252],{"class":220},[203,1380,1369],{"class":220},[203,1382,1383],{"class":220}," kubernetes\n",[203,1385,1386,1388,1390,1392],{"class":205,"line":240},[203,1387,249],{"class":216},[203,1389,252],{"class":220},[203,1391,1369],{"class":220},[203,1393,1394],{"class":220}," mail\n",[203,1396,1397],{"class":205,"line":246},[203,1398,237],{"emptyLinePlaceholder":236},[203,1400,1401],{"class":205,"line":261},[203,1402,1403],{"class":209},"# See all remote adapters\n",[203,1405,1406,1408,1410,1413],{"class":205,"line":266},[203,1407,249],{"class":216},[203,1409,252],{"class":220},[203,1411,1412],{"class":220}," list",[203,1414,1415],{"class":220}," --remote\n",[203,1417,1418],{"class":205,"line":272},[203,1419,237],{"emptyLinePlaceholder":236},[203,1421,1422],{"class":205,"line":877},[203,1423,1424],{"class":209},"# After installing, see what operations are available\n",[203,1426,1427,1429,1431,1433],{"class":205,"line":886},[203,1428,249],{"class":216},[203,1430,252],{"class":220},[203,1432,327],{"class":220},[203,1434,258],{"class":220},[203,1436,1437,1439,1441,1443],{"class":205,"line":898},[203,1438,249],{"class":216},[203,1440,252],{"class":220},[203,1442,327],{"class":220},[203,1444,823],{"class":220},[203,1446,1447,1449,1451,1453],{"class":205,"line":903},[203,1448,249],{"class":216},[203,1450,252],{"class":220},[203,1452,327],{"class":220},[203,1454,1000],{"class":220},[155,1456,1457,1458,1461],{},"Each adapter's operations define exactly which commands map to which permissions. Use ",[164,1459,1460],{},"shapes explain"," to check any specific command before requesting a capability.",[1463,1464,1465],"style",{},"html pre.shiki code .sHwdD, html code.shiki .sHwdD{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#546E7A;--shiki-default-font-style:italic;--shiki-dark:#676E95;--shiki-dark-font-style:italic}html pre.shiki code .sBMFI, html code.shiki .sBMFI{--shiki-light:#E2931D;--shiki-default:#FFCB6B;--shiki-dark:#FFCB6B}html pre.shiki code .sfazB, html code.shiki .sfazB{--shiki-light:#91B859;--shiki-default:#C3E88D;--shiki-dark:#C3E88D}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html pre.shiki code .sbssI, html code.shiki .sbssI{--shiki-light:#F76D47;--shiki-default:#F78C6C;--shiki-dark:#F78C6C}html pre.shiki code .sMK4o, html code.shiki .sMK4o{--shiki-light:#39ADB5;--shiki-default:#89DDFF;--shiki-dark:#89DDFF}html pre.shiki code .sTEyZ, html code.shiki .sTEyZ{--shiki-light:#90A4AE;--shiki-default:#EEFFFF;--shiki-dark:#BABED8}",{"title":182,"searchDepth":233,"depth":213,"links":1467},[1468,1469,1470,1475,1476,1477,1478,1479,1480,1481],{"id":171,"depth":213,"text":172},{"id":193,"depth":213,"text":194},{"id":299,"depth":213,"text":300,"children":1471},[1472,1473,1474],{"id":307,"depth":233,"text":308},{"id":391,"depth":233,"text":392},{"id":486,"depth":233,"text":487},{"id":599,"depth":213,"text":600},{"id":711,"depth":213,"text":712},{"id":798,"depth":213,"text":799},{"id":975,"depth":213,"text":976},{"id":1062,"depth":213,"text":1063},{"id":1173,"depth":213,"text":1174},{"id":1349,"depth":213,"text":1350},"Set up what your agent can do — from read-only access to full automation.","md",null,{},{"title":38,"description":1482},"Hr7GYVPdetnZwWdA4dMOdWg7HFxyx0sPiCqv3cnsfqg",[1489,1491],{"title":34,"path":35,"stem":36,"description":1490,"children":-1},"The DDISA login flow and grant system explained.",{"title":42,"path":43,"stem":44,"description":1492,"children":-1},"Set up a complete OpenApe environment with IdP, Service Provider, and Agent from scratch.",1774221117377]