[{"data":1,"prerenderedAt":800},["ShallowReactive",2],{"navigation":3,"/ecosystem":145,"/ecosystem-surround":795},[4,28,49,88,101,127],{"title":5,"path":6,"stem":7,"children":8,"icon":27},"Getting Started","/getting-started","1.getting-started/1.index",[9,11,15,19,23],{"title":10,"path":6,"stem":7},"Introduction",{"title":12,"path":13,"stem":14},"Working with Agents","/getting-started/working-with-agents","1.getting-started/2.working-with-agents",{"title":16,"path":17,"stem":18},"Setup a Service Provider","/getting-started/setup-service-provider","1.getting-started/3.setup-service-provider",{"title":20,"path":21,"stem":22},"Setup an Identity Provider","/getting-started/setup-identity-provider","1.getting-started/4.setup-identity-provider",{"title":24,"path":25,"stem":26},"Developers","/getting-started/developers","1.getting-started/5.developers",false,{"title":29,"icon":27,"path":30,"stem":31,"children":32,"page":27},"Guides","/guides","2.guides",[33,37,41,45],{"title":34,"path":35,"stem":36},"How It Works","/guides/how-it-works","2.guides/1.how-it-works",{"title":38,"path":39,"stem":40},"Capabilities Guide","/guides/capabilities-guide","2.guides/2.capabilities-guide",{"title":42,"path":43,"stem":44},"End-to-End Tutorial","/guides/end-to-end-tutorial","2.guides/3.end-to-end-tutorial",{"title":46,"path":47,"stem":48},"Delegation Guide","/guides/delegation-guide","2.guides/4.delegation-guide",{"title":50,"path":51,"stem":52,"children":53,"icon":27},"Ecosystem","/ecosystem","3.ecosystem/1.index",[54,56,60,64,68,72,76,80,84],{"title":55,"path":51,"stem":52},"Overview",{"title":57,"path":58,"stem":59},"grapes CLI","/ecosystem/grapes","3.ecosystem/2.grapes",{"title":61,"path":62,"stem":63},"shapes CLI","/ecosystem/shapes","3.ecosystem/3.shapes",{"title":65,"path":66,"stem":67},"escapes","/ecosystem/escapes","3.ecosystem/4.escapes",{"title":69,"path":70,"stem":71},"OpenApe Proxy","/ecosystem/proxy","3.ecosystem/5.proxy",{"title":73,"path":74,"stem":75},"OpenApe Browser","/ecosystem/browser","3.ecosystem/6.browser",{"title":77,"path":78,"stem":79},"OpenApe Auth","/ecosystem/auth","3.ecosystem/7.auth",{"title":81,"path":82,"stem":83},"OpenApe Grants","/ecosystem/grants","3.ecosystem/8.grants",{"title":85,"path":86,"stem":87},"nuxt-auth-sp","/ecosystem/nuxt-auth-sp","3.ecosystem/9.nuxt-auth-sp",{"title":89,"icon":27,"path":90,"stem":91,"children":92,"page":27},"Security","/security","4.security",[93,97],{"title":94,"path":95,"stem":96},"Compliance","/security/compliance","4.security/1.compliance",{"title":98,"path":99,"stem":100},"Threat Model","/security/threat-model","4.security/2.threat-model",{"title":102,"path":103,"stem":104,"children":105,"icon":27},"Reference","/reference","5.reference/1.index",[106,107,111,115,119,123],{"title":102,"path":103,"stem":104},{"title":108,"path":109,"stem":110},"IdP Configuration","/reference/idp-configuration","5.reference/2.idp-configuration",{"title":112,"path":113,"stem":114},"SP Configuration","/reference/sp-configuration","5.reference/3.sp-configuration",{"title":116,"path":117,"stem":118},"API Endpoints","/reference/api-endpoints","5.reference/4.api-endpoints",{"title":120,"path":121,"stem":122},"escapes Config","/reference/escapes-config","5.reference/5.escapes-config",{"title":124,"path":125,"stem":126},"Proxy Config","/reference/proxy-config","5.reference/6.proxy-config",{"title":128,"path":129,"stem":130,"children":131,"icon":27},"Operations","/operations","6.operations/1.index",[132,133,137,141],{"title":128,"path":129,"stem":130},{"title":134,"path":135,"stem":136},"Deployment","/operations/deployment","6.operations/2.deployment",{"title":138,"path":139,"stem":140},"Troubleshooting","/operations/troubleshooting","6.operations/3.troubleshooting",{"title":142,"path":143,"stem":144},"Monitoring","/operations/monitoring","6.operations/4.monitoring",{"id":146,"title":55,"body":147,"description":788,"extension":789,"links":790,"meta":791,"navigation":792,"path":51,"seo":793,"stem":52,"__hash__":794},"docs/3.ecosystem/1.index.md",{"type":148,"value":149,"toc":772},"minimark",[150,154,159,163,174,183,186,274,281,284,294,350,356,375,443,446,450,453,459,516,518,522,533,539,543,638,642,716,720,768],[151,152,50],"h1",{"id":153},"ecosystem",[155,156,158],"h2",{"id":157},"agent-gate-applications","Agent Gate Applications",[160,161,162],"p",{},"Three applications form the core of how agents interact with the world through OpenApe. Together, they ensure that agents can only do what humans have explicitly approved.",[164,165,170],"pre",{"className":166,"code":168,"language":169},[167],"language-text","┌───────────────────────────────────────────────────┐\n│ Agent Gate Applications │\n│ │\n│ grapes shapes escapes │\n│ ──────── ──────── ──────── │\n│ Grant System Execution Layer Privilege │\n│ Escalation │\n│ │\n│ Request, approve Execute any CLI, For actions │\n│ and manage constrained by the agent │\n│ grants grants + registry should never │\n│ normally do │\n│ │\n│ \"May I?\" \"Do it \"Exception- │\n│ (within bounds)\" ally, with │\n│ approval\" │\n└───────────────────────────────────────────────────┘\n","text",[171,172,168],"code",{"__ignoreMap":173},"",[175,176,178,182],"h3",{"id":177},"grapes-the-grant-system",[179,180,181],"a",{"href":58},"grapes"," — The Grant System",[160,184,185],{},"The foundation. Without a grant, nothing happens. Grapes handles the complete grant lifecycle: requesting, approving, denying, revoking, and delegating. It's the CLI that both agents and humans use to interact with the OpenApe permission system.",[164,187,191],{"className":188,"code":189,"language":190,"meta":173,"style":173},"language-bash shiki shiki-themes material-theme-lighter material-theme material-theme-palenight","grapes request \"systemctl restart nginx\" --audience escapes --wait\ngrapes approve \u003Cgrant-id>\ngrapes run escapes \"apt-get upgrade\" --approval timed --duration 1h\n","bash",[171,192,193,224,245],{"__ignoreMap":173},[194,195,198,201,205,209,212,215,218,221],"span",{"class":196,"line":197},"line",1,[194,199,181],{"class":200},"sBMFI",[194,202,204],{"class":203},"sfazB"," request",[194,206,208],{"class":207},"sMK4o"," \"",[194,210,211],{"class":203},"systemctl restart nginx",[194,213,214],{"class":207},"\"",[194,216,217],{"class":203}," --audience",[194,219,220],{"class":203}," escapes",[194,222,223],{"class":203}," --wait\n",[194,225,227,229,232,235,238,242],{"class":196,"line":226},2,[194,228,181],{"class":200},[194,230,231],{"class":203}," approve",[194,233,234],{"class":207}," \u003C",[194,236,237],{"class":203},"grant-i",[194,239,241],{"class":240},"sTEyZ","d",[194,243,244],{"class":207},">\n",[194,246,248,250,253,255,257,260,262,265,268,271],{"class":196,"line":247},3,[194,249,181],{"class":200},[194,251,252],{"class":203}," run",[194,254,220],{"class":203},[194,256,208],{"class":207},[194,258,259],{"class":203},"apt-get upgrade",[194,261,214],{"class":207},[194,263,264],{"class":203}," --approval",[194,266,267],{"class":203}," timed",[194,269,270],{"class":203}," --duration",[194,272,273],{"class":203}," 1h\n",[175,275,277,280],{"id":276},"shapes-the-execution-layer",[179,278,279],{"href":62},"shapes"," — The Execution Layer",[160,282,283],{},"The normal path for agent operations. Shapes wraps existing CLI tools (kubectl, aws, gh, az, etc.) and maps their commands to structured permissions. Instead of granting blanket access, each command is parsed into a resource chain and evaluated against grants.",[160,285,286,287,293],{},"The ",[179,288,292],{"href":289,"rel":290},"https://github.com/openape-ai/shapes-registry",[291],"nofollow","Shapes Registry"," is the catalog of available adapters — it defines which tools can be wrapped and how their commands map to permissions.",[164,295,297],{"className":188,"code":296,"language":190,"meta":173,"style":173},"shapes explain -- gh repo list myorg # What permissions does this need?\nshapes request -- gh issue create --repo myorg/myrepo # Request grant + execute\n",[171,298,299,325],{"__ignoreMap":173},[194,300,301,303,306,309,312,315,318,321],{"class":196,"line":197},[194,302,279],{"class":200},[194,304,305],{"class":203}," explain",[194,307,308],{"class":203}," --",[194,310,311],{"class":203}," gh",[194,313,314],{"class":203}," repo",[194,316,317],{"class":203}," list",[194,319,320],{"class":203}," myorg",[194,322,324],{"class":323},"sHwdD"," # What permissions does this need?\n",[194,326,327,329,331,333,335,338,341,344,347],{"class":196,"line":226},[194,328,279],{"class":200},[194,330,204],{"class":203},[194,332,308],{"class":203},[194,334,311],{"class":203},[194,336,337],{"class":203}," issue",[194,339,340],{"class":203}," create",[194,342,343],{"class":203}," --repo",[194,345,346],{"class":203}," myorg/myrepo",[194,348,349],{"class":323}," # Request grant + execute\n",[175,351,353,355],{"id":352},"escapes-privilege-escalation",[179,354,65],{"href":66}," — Privilege Escalation",[160,357,358,359,363,364,366,367,370,371,374],{},"The exception path. When an agent needs to do something it should ",[360,361,362],"strong",{},"never"," normally have rights for — installing software for another user, modifying system configuration, accessing restricted resources — ",[171,365,65],{}," provides controlled, audited privilege elevation. ",[360,368,369],{},"Es","calated privileges, ",[360,372,373],{},"with apes",".",[164,376,378],{"className":188,"code":377,"language":190,"meta":173,"style":173},"escapes --grant \u003Cjwt> -- apt-get install -y nginx\nescapes --run-as deploy --grant \u003Cjwt> -- systemctl restart app\n",[171,379,380,412],{"__ignoreMap":173},[194,381,382,384,387,389,392,395,398,400,403,406,409],{"class":196,"line":197},[194,383,65],{"class":200},[194,385,386],{"class":203}," --grant",[194,388,234],{"class":207},[194,390,391],{"class":203},"jw",[194,393,394],{"class":240},"t",[194,396,397],{"class":207},">",[194,399,308],{"class":203},[194,401,402],{"class":203}," apt-get",[194,404,405],{"class":203}," install",[194,407,408],{"class":203}," -y",[194,410,411],{"class":203}," nginx\n",[194,413,414,416,419,422,424,426,428,430,432,434,437,440],{"class":196,"line":226},[194,415,65],{"class":200},[194,417,418],{"class":203}," --run-as",[194,420,421],{"class":203}," deploy",[194,423,386],{"class":203},[194,425,234],{"class":207},[194,427,391],{"class":203},[194,429,394],{"class":240},[194,431,397],{"class":207},[194,433,308],{"class":203},[194,435,436],{"class":203}," systemctl",[194,438,439],{"class":203}," restart",[194,441,442],{"class":203}," app\n",[444,445],"hr",{},[155,447,449],{"id":448},"agent-infrastructure","Agent Infrastructure",[160,451,452],{},"Built on top of the gatekeeping trinity. These packages add grant-based access control to specific channels — HTTP traffic and browser automation.",[164,454,457],{"className":455,"code":456,"language":169},[167],"┌───────────────────────────────────────────────────┐\n│ Agent Infrastructure │\n│ │\n│ proxy browser │\n│ ───────────── ───────────── │\n│ HTTP traffic control Web automation │\n│ Grant-based rules Playwright + grants │\n│ per domain/method/path + delegation login │\n│ │\n│ Uses: grants, shapes rules │\n└───────────────────────────────────────────────────┘\n",[171,458,456],{"__ignoreMap":173},[460,461,462,478],"table",{},[463,464,465],"thead",{},[466,467,468,472,475],"tr",{},[469,470,471],"th",{},"Package",[469,473,474],{},"Description",[469,476,477],{},"Docs",[479,480,481,499],"tbody",{},[466,482,483,491,494],{},[484,485,486],"td",{},[179,487,488],{"href":70},[171,489,490],{},"@openape/proxy",[484,492,493],{},"Forward proxy — enforces grant-based rules on all agent HTTP traffic",[484,495,496],{},[179,497,498],{"href":70},"Proxy",[466,500,501,508,511],{},[484,502,503],{},[179,504,505],{"href":74},[171,506,507],{},"@openape/browser",[484,509,510],{},"Headless browser — intercepts routes, enforces grants, supports delegation login",[484,512,513],{},[179,514,515],{"href":74},"Browser",[444,517],{},[155,519,521],{"id":520},"development-packages","Development Packages",[160,523,524,525,528,529,532],{},"Libraries and modules for developers who want to build grant-aware applications. The ",[171,526,527],{},"@openape/grants"," SDK lets ",[360,530,531],{},"anyone"," integrate grants into their own apps — not just Nuxt, not just Node.js.",[164,534,537],{"className":535,"code":536,"language":169},[167],"┌───────────────────────────────────────────────────┐\n│ Framework Modules │\n│ nuxt-auth-idp nuxt-auth-sp │\n├───────────────────────────────────────────────────┤\n│ Protocol Packages │\n│ @openape/auth @openape/grants │\n├───────────────────────────────────────────────────┤\n│ Foundation │\n│ @openape/core │\n└───────────────────────────────────────────────────┘\n",[171,538,536],{"__ignoreMap":173},[175,540,542],{"id":541},"packages","Packages",[460,544,545,555],{},[463,546,547],{},[466,548,549,551,553],{},[469,550,471],{},[469,552,474],{},[469,554,477],{},[479,556,557,570,587,606,621],{},[466,558,559,564,567],{},[484,560,561],{},[171,562,563],{},"@openape/core",[484,565,566],{},"DNS discovery, crypto, PKCE, JWT utilities",[484,568,569],{},"—",[466,571,572,579,582],{},[484,573,574],{},[179,575,576],{"href":78},[171,577,578],{},"@openape/auth",[484,580,581],{},"OIDC login protocol — IdP and SP sides",[484,583,584],{},[179,585,586],{"href":78},"Auth",[466,588,589,595,601],{},[484,590,591],{},[179,592,593],{"href":82},[171,594,527],{},[484,596,597,598],{},"Grant lifecycle, AuthZ-JWT issuance — ",[360,599,600],{},"use this to build grant-aware apps",[484,602,603],{},[179,604,605],{"href":82},"Grants",[466,607,608,613,616],{},[484,609,610],{},[171,611,612],{},"@openape/nuxt-auth-idp",[484,614,615],{},"Drop-in Nuxt module: run your own IdP",[484,617,618],{},[179,619,620],{"href":109},"IdP Config",[466,622,623,630,633],{},[484,624,625],{},[179,626,627],{"href":86},[171,628,629],{},"@openape/nuxt-auth-sp",[484,631,632],{},"Drop-in Nuxt module: login via OpenApe",[484,634,635],{},[179,636,637],{"href":86},"SP Guide",[175,639,641],{"id":640},"use-cases","Use Cases",[460,643,644,654],{},[463,645,646],{},[466,647,648,651],{},[469,649,650],{},"I want to...",[469,652,653],{},"Use",[479,655,656,667,682,694,705],{},[466,657,658,661],{},[484,659,660],{},"Add login to my app",[484,662,663],{},[179,664,665],{"href":86},[171,666,85],{},[466,668,669,672],{},[484,670,671],{},"Run my own IdP",[484,673,674,677,678,681],{},[171,675,676],{},"nuxt-auth-idp"," (",[179,679,680],{"href":109},"config",")",[466,683,684,687],{},[484,685,686],{},"Build grant-aware apps (any framework)",[484,688,689,691,692],{},[171,690,527],{}," + ",[171,693,578],{},[466,695,696,699],{},[484,697,698],{},"Control agent HTTP traffic",[484,700,701],{},[179,702,703],{"href":70},[171,704,490],{},[466,706,707,710],{},[484,708,709],{},"Automate browser tasks with grants",[484,711,712],{},[179,713,714],{"href":74},[171,715,507],{},[155,717,719],{"id":718},"design-principles","Design Principles",[721,722,723,730,736,742,748,754],"ol",{},[724,725,726,729],"li",{},[360,727,728],{},"Separation"," — Auth ≠ Grants. Not every app needs both.",[724,731,732,735],{},[360,733,734],{},"Layered"," — Core → Protocol → Framework → Agent Tools",[724,737,738,741],{},[360,739,740],{},"Default deny"," — No grant = no access. Agents start with zero permissions.",[724,743,744,747],{},[360,745,746],{},"Passkeys-only"," — No passwords. NIS2 compliant by design.",[724,749,750,753],{},[360,751,752],{},"Auditable"," — Every action traceable: who requested, who approved, what happened.",[724,755,756,759,760,764,765,374],{},[360,757,758],{},"Minimal tokens"," — AuthN says ",[761,762,763],"em",{},"who",", AuthZ says ",[761,766,767],{},"what may they do",[769,770,771],"style",{},"html pre.shiki code .sBMFI, html code.shiki .sBMFI{--shiki-light:#E2931D;--shiki-default:#FFCB6B;--shiki-dark:#FFCB6B}html pre.shiki code .sfazB, html code.shiki .sfazB{--shiki-light:#91B859;--shiki-default:#C3E88D;--shiki-dark:#C3E88D}html pre.shiki code .sMK4o, html code.shiki .sMK4o{--shiki-light:#39ADB5;--shiki-default:#89DDFF;--shiki-dark:#89DDFF}html pre.shiki code .sTEyZ, html code.shiki .sTEyZ{--shiki-light:#90A4AE;--shiki-default:#EEFFFF;--shiki-dark:#BABED8}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html pre.shiki code .sHwdD, html code.shiki .sHwdD{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#546E7A;--shiki-default-font-style:italic;--shiki-dark:#676E95;--shiki-dark-font-style:italic}",{"title":173,"searchDepth":247,"depth":226,"links":773},[774,782,783,787],{"id":157,"depth":226,"text":158,"children":775},[776,778,780],{"id":177,"depth":247,"text":777},"grapes — The Grant System",{"id":276,"depth":247,"text":779},"shapes — The Execution Layer",{"id":352,"depth":247,"text":781},"escapes — Privilege Escalation",{"id":448,"depth":226,"text":449},{"id":520,"depth":226,"text":521,"children":784},[785,786],{"id":541,"depth":247,"text":542},{"id":640,"depth":247,"text":641},{"id":718,"depth":226,"text":719},"The OpenApe package ecosystem.","md",null,{},true,{"title":55,"description":788},"nGWdLR5ZvhRr7d6Qa2UFrL1yrk-H0d4TsHD3GN03OiI",[796,798],{"title":46,"path":47,"stem":48,"description":797,"children":-1},"Let agents act on behalf of users with controlled, auditable delegations.",{"title":57,"path":58,"stem":59,"description":799,"children":-1},"Universal Grant Management CLI — request, approve, delegate, and execute.",1774221116104]