claudemesh-cli 0.6.0 → 0.6.2

package/dist/index.js

@@ -39930,6 +39930,81 @@ var require_libsodium_wrappers = __commonJS((exports) => {
   })(exports);
 });
 
+// src/crypto/keypair.ts
+var exports_keypair = {};
+__export(exports_keypair, {
+  generateKeypair: () => generateKeypair2,
+  ensureSodium: () => ensureSodium
+});
+async function ensureSodium() {
+  if (!ready) {
+    await import_libsodium_wrappers.default.ready;
+    ready = true;
+  }
+  return import_libsodium_wrappers.default;
+}
+async function generateKeypair2() {
+  const s = await ensureSodium();
+  const kp = s.crypto_sign_keypair();
+  return {
+    publicKey: s.to_hex(kp.publicKey),
+    secretKey: s.to_hex(kp.privateKey)
+  };
+}
+var import_libsodium_wrappers, ready = false;
+var init_keypair = __esm(() => {
+  import_libsodium_wrappers = __toESM(require_libsodium_wrappers(), 1);
+});
+
+// src/crypto/file-crypto.ts
+var exports_file_crypto = {};
+__export(exports_file_crypto, {
+  sealKeyForPeer: () => sealKeyForPeer,
+  openSealedKey: () => openSealedKey,
+  encryptFile: () => encryptFile,
+  decryptFile: () => decryptFile
+});
+async function encryptFile(plaintext) {
+  const sodium2 = await ensureSodium();
+  const key = sodium2.randombytes_buf(sodium2.crypto_secretbox_KEYBYTES);
+  const nonce = sodium2.randombytes_buf(sodium2.crypto_secretbox_NONCEBYTES);
+  const ciphertext = sodium2.crypto_secretbox_easy(plaintext, nonce, key);
+  return {
+    ciphertext,
+    nonce: sodium2.to_base64(nonce, sodium2.base64_variants.ORIGINAL),
+    key
+  };
+}
+async function decryptFile(ciphertext, nonceB64, key) {
+  const sodium2 = await ensureSodium();
+  try {
+    const nonce = sodium2.from_base64(nonceB64, sodium2.base64_variants.ORIGINAL);
+    return sodium2.crypto_secretbox_open_easy(ciphertext, nonce, key);
+  } catch {
+    return null;
+  }
+}
+async function sealKeyForPeer(kf, recipientPubkeyHex) {
+  const sodium2 = await ensureSodium();
+  const recipientCurve = sodium2.crypto_sign_ed25519_pk_to_curve25519(sodium2.from_hex(recipientPubkeyHex));
+  const sealed = sodium2.crypto_box_seal(kf, recipientCurve);
+  return sodium2.to_base64(sealed, sodium2.base64_variants.ORIGINAL);
+}
+async function openSealedKey(sealedB64, myPubkeyHex, mySecretKeyHex) {
+  const sodium2 = await ensureSodium();
+  try {
+    const myCurvePub = sodium2.crypto_sign_ed25519_pk_to_curve25519(sodium2.from_hex(myPubkeyHex));
+    const myCurveSec = sodium2.crypto_sign_ed25519_sk_to_curve25519(sodium2.from_hex(mySecretKeyHex));
+    const sealed = sodium2.from_base64(sealedB64, sodium2.base64_variants.ORIGINAL);
+    return sodium2.crypto_box_seal_open(sealed, myCurvePub, myCurveSec);
+  } catch {
+    return null;
+  }
+}
+var init_file_crypto = __esm(() => {
+  init_keypair();
+});
+
 // ../../node_modules/citty/dist/_chunks/libs/scule.mjs
 var NUMBER_CHAR_RE = /\d/;
 var STR_SPLITTERS = [
@@ -46963,7 +47038,7 @@ var TOOLS = [
   },
   {
     name: "share_file",
-    description: "Share a persistent file with the mesh. All current and future peers can access it.",
+    description: "Share a persistent file with the mesh. All current and future peers can access it. If `to` is specified, the file is E2E encrypted and only accessible to that peer (and you).",
     inputSchema: {
       type: "object",
       properties: {
@@ -46976,6 +47051,10 @@ var TOOLS = [
           type: "array",
           items: { type: "string" },
           description: "Tags for categorization"
+        },
+        to: {
+          type: "string",
+          description: "Peer display name or pubkey hex — if set, file is E2E encrypted for this peer only"
         }
       },
       required: ["path"]
@@ -47029,6 +47108,18 @@ var TOOLS = [
       required: ["id"]
     }
   },
+  {
+    name: "grant_file_access",
+    description: "Grant a peer access to an E2E encrypted file you shared. You must be the owner.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        fileId: { type: "string", description: "File ID" },
+        to: { type: "string", description: "Peer display name or pubkey hex to grant access to" }
+      },
+      required: ["fileId", "to"]
+    }
+  },
   {
     name: "vector_store",
     description: "Store an embedding in a per-mesh Qdrant collection. Auto-creates the collection on first use.",
@@ -47321,26 +47412,8 @@ var wrapper_default = import_websocket.default;
 // src/ws/client.ts
 import { randomBytes } from "node:crypto";
 
-// src/crypto/keypair.ts
-var import_libsodium_wrappers = __toESM(require_libsodium_wrappers(), 1);
-var ready = false;
-async function ensureSodium() {
-  if (!ready) {
-    await import_libsodium_wrappers.default.ready;
-    ready = true;
-  }
-  return import_libsodium_wrappers.default;
-}
-async function generateKeypair2() {
-  const s = await ensureSodium();
-  const kp = s.crypto_sign_keypair();
-  return {
-    publicKey: s.to_hex(kp.publicKey),
-    secretKey: s.to_hex(kp.privateKey)
-  };
-}
-
 // src/crypto/envelope.ts
+init_keypair();
 var HEX_PUBKEY = /^[0-9a-f]{64}$/;
 function isDirectTarget(targetSpec) {
   return HEX_PUBKEY.test(targetSpec);
@@ -47371,6 +47444,7 @@ async function decryptDirect(envelope, senderPubkeyHex, recipientSecretKeyHex) {
 }
 
 // src/crypto/hello-sig.ts
+init_keypair();
 async function signHello(meshId, memberId, pubkey, secretKeyHex) {
   const s = await ensureSodium();
   const timestamp = Date.now();
@@ -47380,6 +47454,7 @@ async function signHello(meshId, memberId, pubkey, secretKeyHex) {
 }
 
 // src/ws/client.ts
+init_keypair();
 var MAX_QUEUED = 100;
 var HELLO_ACK_TIMEOUT_MS = 5000;
 var BACKOFF_CAPS = [1000, 2000, 4000, 8000, 16000, 30000];
@@ -47401,6 +47476,7 @@ class BrokerClient {
   stateChangeHandlers = new Set;
   sessionPubkey = null;
   sessionSecretKey = null;
+  grantFileAccessResolvers = [];
   closed = false;
   reconnectAttempt = 0;
   helloTimer = null;
@@ -47421,6 +47497,12 @@ class BrokerClient {
   get pushHistory() {
     return this.pushBuffer;
   }
+  getSessionPubkey() {
+    return this.sessionPubkey;
+  }
+  getSessionSecretKey() {
+    return this.sessionSecretKey;
+  }
   async connect() {
     if (this.closed)
       throw new Error("client is closed");
@@ -47767,7 +47849,10 @@ class BrokerClient {
         "X-File-Name": fileName,
         "X-Tags": JSON.stringify(opts.tags ?? []),
         "X-Persistent": String(opts.persistent ?? true),
-        "X-Target-Spec": opts.targetSpec ?? ""
+        "X-Target-Spec": opts.targetSpec ?? "",
+        ...opts.encrypted ? { "X-Encrypted": "true" } : {},
+        ...opts.ownerPubkey ? { "X-Owner-Pubkey": opts.ownerPubkey } : {},
+        ...opts.fileKeys?.length ? { "X-File-Keys": JSON.stringify(opts.fileKeys) } : {}
       },
       body: data,
       signal: AbortSignal.timeout(30000)
@@ -47778,6 +47863,22 @@ class BrokerClient {
     }
     return body.fileId;
   }
+  async grantFileAccess(fileId, peerPubkey, sealedKey) {
+    if (!this.ws || this.ws.readyState !== this.ws.OPEN)
+      return false;
+    return new Promise((resolve) => {
+      const resolvers = this.grantFileAccessResolvers;
+      resolvers.push(resolve);
+      this.ws.send(JSON.stringify({ type: "grant_file_access", fileId, peerPubkey, sealedKey }));
+      setTimeout(() => {
+        const idx = resolvers.indexOf(resolve);
+        if (idx !== -1) {
+          resolvers.splice(idx, 1);
+          resolve(false);
+        }
+      }, 5000);
+    });
+  }
   async vectorStore(collection, text, metadata) {
     if (!this.ws || this.ws.readyState !== this.ws.OPEN)
       return null;
@@ -48178,7 +48279,12 @@ class BrokerClient {
       const resolver = this.fileUrlResolvers.shift();
       if (resolver) {
         if (msg.url) {
-          resolver({ url: String(msg.url), name: String(msg.name ?? "") });
+          resolver({
+            url: String(msg.url),
+            name: String(msg.name ?? ""),
+            encrypted: msg.encrypted ? true : undefined,
+            sealedKey: msg.sealedKey ? String(msg.sealedKey) : undefined
+          });
         } else {
           resolver(null);
         }
@@ -48199,6 +48305,12 @@ class BrokerClient {
         resolver(accesses);
       return;
     }
+    if (msg.type === "grant_file_access_ok") {
+      const resolver = this.grantFileAccessResolvers.shift();
+      if (resolver)
+        resolver(true);
+      return;
+    }
     if (msg.type === "vector_stored") {
       const resolver = this.vectorStoredResolvers.shift();
       if (resolver)
@@ -48795,7 +48907,7 @@ ${lines.join(`
         return text(`Forgotten: ${id}`);
       }
       case "share_file": {
-        const { path: filePath, name: fileName, tags } = args ?? {};
+        const { path: filePath, name: fileName, tags, to: fileTo } = args ?? {};
         if (!filePath)
           return text("share_file: `path` required", true);
         const { existsSync: existsSync2 } = await import("node:fs");
@@ -48804,6 +48916,56 @@ ${lines.join(`
         const client = allClients()[0];
         if (!client)
           return text("share_file: not connected", true);
+        if (fileTo) {
+          const { encryptFile: encryptFile2, sealKeyForPeer: sealKeyForPeer2 } = await Promise.resolve().then(() => (init_file_crypto(), exports_file_crypto));
+          const { readFileSync: readFileSync2, writeFileSync: writeFileSync2, mkdtempSync, unlinkSync, rmdirSync } = await import("node:fs");
+          const { tmpdir } = await import("node:os");
+          const { join: join2, basename } = await import("node:path");
+          const peers = await client.listPeers();
+          const targetPeer = peers.find((p) => p.pubkey === fileTo || p.displayName === fileTo);
+          if (!targetPeer) {
+            return text(`share_file: peer not found: ${fileTo}`, true);
+          }
+          const plaintext = readFileSync2(filePath);
+          const { ciphertext, nonce, key } = await encryptFile2(new Uint8Array(plaintext));
+          const sealedForTarget = await sealKeyForPeer2(key, targetPeer.pubkey);
+          const myPubkey = client.getSessionPubkey();
+          const sealedForSelf = myPubkey ? await sealKeyForPeer2(key, myPubkey) : null;
+          const fileKeys = [
+            { peerPubkey: targetPeer.pubkey, sealedKey: sealedForTarget },
+            ...sealedForSelf && myPubkey ? [{ peerPubkey: myPubkey, sealedKey: sealedForSelf }] : []
+          ];
+          const { ensureSodium: ensureSodium2 } = await Promise.resolve().then(() => (init_keypair(), exports_keypair));
+          const sodium2 = await ensureSodium2();
+          const nonceBytes = sodium2.from_base64(nonce, sodium2.base64_variants.ORIGINAL);
+          const combined = new Uint8Array(nonceBytes.length + ciphertext.length);
+          combined.set(nonceBytes, 0);
+          combined.set(ciphertext, nonceBytes.length);
+          const baseName = fileName ?? basename(filePath);
+          const tmpDir = mkdtempSync(join2(tmpdir(), "cm-"));
+          const tmpPath = join2(tmpDir, baseName);
+          writeFileSync2(tmpPath, combined);
+          try {
+            const fileId = await client.uploadFile(tmpPath, client.meshId, client.meshSlug, {
+              name: baseName,
+              tags,
+              persistent: true,
+              encrypted: true,
+              ownerPubkey: myPubkey ?? undefined,
+              fileKeys
+            });
+            return text(`Shared (E2E encrypted): ${baseName} → ${targetPeer.displayName} (${fileId})`);
+          } catch (e) {
+            return text(`share_file: upload failed — ${e instanceof Error ? e.message : String(e)}`, true);
+          } finally {
+            try {
+              unlinkSync(tmpPath);
+            } catch {}
+            try {
+              rmdirSync(tmpDir);
+            } catch {}
+          }
+        }
         try {
           const fileId = await client.uploadFile(filePath, client.meshId, client.meshSlug, {
             name: fileName,
@@ -48825,6 +48987,34 @@ ${lines.join(`
         const result = await client.getFile(id);
         if (!result)
           return text(`get_file: file ${id} not found`, true);
+        if (result.encrypted && result.sealedKey) {
+          const { openSealedKey: openSealedKey2, decryptFile: decryptFile2 } = await Promise.resolve().then(() => (init_file_crypto(), exports_file_crypto));
+          const { ensureSodium: ensureSodium2 } = await Promise.resolve().then(() => (init_keypair(), exports_keypair));
+          const myPubkey = client.getSessionPubkey();
+          const mySecret = client.getSessionSecretKey();
+          if (!myPubkey || !mySecret) {
+            return text("get_file: no session keypair — cannot decrypt", true);
+          }
+          const kf = await openSealedKey2(result.sealedKey, myPubkey, mySecret);
+          if (!kf)
+            return text("get_file: failed to open sealed key", true);
+          const resp = await fetch(result.url, { signal: AbortSignal.timeout(30000) });
+          if (!resp.ok)
+            return text(`get_file: download failed (${resp.status})`, true);
+          const buf = new Uint8Array(await resp.arrayBuffer());
+          const sodium2 = await ensureSodium2();
+          const NONCE_BYTES = sodium2.crypto_secretbox_NONCEBYTES;
+          const nonce = sodium2.to_base64(buf.slice(0, NONCE_BYTES), sodium2.base64_variants.ORIGINAL);
+          const ciphertext = buf.slice(NONCE_BYTES);
+          const plaintext = await decryptFile2(ciphertext, nonce, kf);
+          if (!plaintext)
+            return text("get_file: decryption failed", true);
+          const { writeFileSync: writeFileSync3, mkdirSync: mkdirSync3 } = await import("node:fs");
+          const { dirname: dirname3 } = await import("node:path");
+          mkdirSync3(dirname3(save_to), { recursive: true });
+          writeFileSync3(save_to, plaintext);
+          return text(`Downloaded and decrypted: ${result.name} → ${save_to}`);
+        }
         const res = await fetch(result.url, { signal: AbortSignal.timeout(30000) });
         if (!res.ok)
           return text(`get_file: download failed (${res.status})`, true);
@@ -49167,6 +49357,38 @@ ${rows.join(`
         return text(results.join(`
 `));
       }
+      case "grant_file_access": {
+        const { fileId, to: grantTo } = args ?? {};
+        if (!fileId || !grantTo)
+          return text("grant_file_access: `fileId` and `to` required", true);
+        const client = allClients()[0];
+        if (!client)
+          return text("grant_file_access: not connected", true);
+        const peers = await client.listPeers();
+        const targetPeer = peers.find((p) => p.pubkey === grantTo || p.displayName === grantTo);
+        if (!targetPeer)
+          return text(`grant_file_access: peer not found: ${grantTo}`, true);
+        const result = await client.getFile(fileId);
+        if (!result)
+          return text("grant_file_access: file not found", true);
+        if (!result.encrypted)
+          return text("grant_file_access: file is not encrypted", true);
+        if (!result.sealedKey)
+          return text("grant_file_access: no key available (are you the owner?)", true);
+        const { openSealedKey: openSealedKey2, sealKeyForPeer: sealKeyForPeer2 } = await Promise.resolve().then(() => (init_file_crypto(), exports_file_crypto));
+        const myPubkey = client.getSessionPubkey();
+        const mySecret = client.getSessionSecretKey();
+        if (!myPubkey || !mySecret)
+          return text("grant_file_access: no session keypair", true);
+        const kf = await openSealedKey2(result.sealedKey, myPubkey, mySecret);
+        if (!kf)
+          return text("grant_file_access: cannot decrypt your own key", true);
+        const sealedForPeer = await sealKeyForPeer2(kf, targetPeer.pubkey);
+        const ok = await client.grantFileAccess(fileId, targetPeer.pubkey, sealedForPeer);
+        if (!ok)
+          return text("grant_file_access: broker did not confirm", true);
+        return text(`Access granted: ${targetPeer.displayName} can now download file ${fileId}`);
+      }
       default:
         return text(`Unknown tool: ${name}`, true);
     }
@@ -49399,6 +49621,73 @@ function writeClaudeSettings(obj) {
   writeFileSync2(CLAUDE_SETTINGS, JSON.stringify(obj, null, 2) + `
 `, "utf-8");
 }
+var CLAUDEMESH_TOOLS = [
+  "mcp__claudemesh__send_message",
+  "mcp__claudemesh__list_peers",
+  "mcp__claudemesh__check_messages",
+  "mcp__claudemesh__set_summary",
+  "mcp__claudemesh__set_status",
+  "mcp__claudemesh__join_group",
+  "mcp__claudemesh__leave_group",
+  "mcp__claudemesh__get_state",
+  "mcp__claudemesh__set_state",
+  "mcp__claudemesh__list_state",
+  "mcp__claudemesh__remember",
+  "mcp__claudemesh__recall",
+  "mcp__claudemesh__forget",
+  "mcp__claudemesh__share_file",
+  "mcp__claudemesh__get_file",
+  "mcp__claudemesh__list_files",
+  "mcp__claudemesh__file_status",
+  "mcp__claudemesh__delete_file",
+  "mcp__claudemesh__vector_store",
+  "mcp__claudemesh__vector_search",
+  "mcp__claudemesh__vector_delete",
+  "mcp__claudemesh__list_collections",
+  "mcp__claudemesh__graph_query",
+  "mcp__claudemesh__graph_execute",
+  "mcp__claudemesh__mesh_info",
+  "mcp__claudemesh__ping_mesh",
+  "mcp__claudemesh__message_status",
+  "mcp__claudemesh__share_context",
+  "mcp__claudemesh__get_context",
+  "mcp__claudemesh__list_contexts",
+  "mcp__claudemesh__create_task",
+  "mcp__claudemesh__claim_task",
+  "mcp__claudemesh__complete_task",
+  "mcp__claudemesh__list_tasks",
+  "mcp__claudemesh__create_stream",
+  "mcp__claudemesh__publish",
+  "mcp__claudemesh__subscribe",
+  "mcp__claudemesh__list_streams",
+  "mcp__claudemesh__mesh_execute",
+  "mcp__claudemesh__mesh_query",
+  "mcp__claudemesh__mesh_schema"
+];
+function installAllowedTools() {
+  const settings = readClaudeSettings();
+  const existing = new Set(settings.allowedTools ?? []);
+  const toAdd = CLAUDEMESH_TOOLS.filter((t) => !existing.has(t));
+  if (toAdd.length > 0) {
+    settings.allowedTools = [...Array.from(existing), ...toAdd];
+    writeClaudeSettings(settings);
+  }
+  return { added: toAdd, unchanged: CLAUDEMESH_TOOLS.length - toAdd.length };
+}
+function uninstallAllowedTools() {
+  if (!existsSync2(CLAUDE_SETTINGS))
+    return 0;
+  const settings = readClaudeSettings();
+  const existing = settings.allowedTools ?? [];
+  const toolSet = new Set(CLAUDEMESH_TOOLS);
+  const kept = existing.filter((t) => !toolSet.has(t));
+  const removed = existing.length - kept.length;
+  if (removed > 0) {
+    settings.allowedTools = kept;
+    writeClaudeSettings(settings);
+  }
+  return removed;
+}
 function installHooks() {
   const settings = readClaudeSettings();
   const hooks = (settings.hooks ??= {}) ?? {};
@@ -49475,6 +49764,19 @@ function runInstall(args = []) {
   console.log(`✓ MCP server "${MCP_NAME}" ${action}`);
   console.log(dim(`  config:  ${CLAUDE_CONFIG}`));
   console.log(dim(`  command: ${desired.command}${desired.args?.length ? " " + desired.args.join(" ") : ""}`));
+  try {
+    const { added, unchanged } = installAllowedTools();
+    if (added.length > 0) {
+      console.log(`✓ allowedTools: ${added.length} claudemesh tools pre-approved${unchanged > 0 ? `, ${unchanged} already present` : ""}`);
+      console.log(dim(`  This lets claudemesh tools run without --dangerously-skip-permissions.`));
+      console.log(dim(`  Your existing allowedTools entries were preserved.`));
+    } else {
+      console.log(`✓ allowedTools: all ${unchanged} claudemesh tools already pre-approved`);
+    }
+    console.log(dim(`  config:  ${CLAUDE_SETTINGS}`));
+  } catch (e) {
+    console.error(`⚠  allowedTools update failed: ${e instanceof Error ? e.message : String(e)}`);
+  }
   if (!skipHooks) {
     try {
       const { added, unchanged } = installHooks();
@@ -49508,6 +49810,16 @@ function runUninstall() {
   } else {
     console.log(`· MCP server "${MCP_NAME}" not present`);
   }
+  try {
+    const removed = uninstallAllowedTools();
+    if (removed > 0) {
+      console.log(`✓ allowedTools: ${removed} claudemesh tools removed`);
+    } else {
+      console.log("· No claudemesh allowedTools to remove");
+    }
+  } catch (e) {
+    console.error(`⚠  allowedTools removal failed: ${e instanceof Error ? e.message : String(e)}`);
+  }
   try {
     const removed = uninstallHooks();
     if (removed > 0) {
@@ -49523,6 +49835,7 @@ function runUninstall() {
 }
 
 // src/invite/parse.ts
+init_keypair();
 function validatePayload(obj) {
   if (!obj || typeof obj !== "object")
     throw new Error("invite payload is not an object");
@@ -49643,6 +49956,7 @@ async function enrollWithBroker2(args) {
 }
 
 // src/commands/join.ts
+init_keypair();
 init_config();
 init_env();
 import { writeFileSync as writeFileSync3, mkdirSync as mkdirSync3 } from "node:fs";
@@ -49911,12 +50225,12 @@ async function confirmPermissions() {
   const yellow = (s) => useColor ? `\x1B[33m${s}\x1B[39m` : s;
   console.log(yellow(bold2("  Autonomous mode")));
   console.log("");
-  console.log("  Claude will send and receive peer messages without asking");
-  console.log("  you first. Peers exchange text only — no file access,");
-  console.log("  no tool calls, no code execution.");
+  console.log("  Claude will run with --dangerously-skip-permissions, bypassing");
+  console.log("  ALL permission prompts — not just claudemesh tools.");
+  console.log("  Peers exchange text only — no file access, no tool calls.");
   console.log("");
-  console.log(dim("  Same as: claude --dangerously-skip-permissions"));
-  console.log(dim("  Skip this prompt: claudemesh launch -y"));
+  console.log(dim("  Without -y: only claudemesh tools are pre-approved (via allowedTools)."));
+  console.log(dim("  Use -y for autonomous agents. Omit it for shared/multi-person meshes."));
   console.log("");
   const rl = createInterface({ input: process.stdin, output: process.stdout });
   return new Promise((resolve2, reject) => {
@@ -50089,7 +50403,7 @@ async function runLaunch(flags, rawArgs) {
   const claudeArgs = [
     "--dangerously-load-development-channels",
     "server:claudemesh",
-    "--dangerously-skip-permissions",
+    ...args.skipPermConfirm ? ["--dangerously-skip-permissions"] : [],
     ...args.systemPrompt ? ["--system-prompt", args.systemPrompt] : [],
     ...filtered
   ];
@@ -50142,7 +50456,7 @@ init_config();
 // package.json
 var package_default = {
   name: "claudemesh-cli",
-  version: "0.6.0",
+  version: "0.6.2",
   description: "Claude Code MCP client for claudemesh — peer mesh messaging between Claude sessions.",
   keywords: [
     "claude-code",
@@ -50550,6 +50864,185 @@ function runWelcome() {
   console.log("");
 }
 
+// src/commands/connect.ts
+import { hostname as hostname3 } from "node:os";
+init_config();
+async function withMesh(opts, fn) {
+  const config2 = loadConfig();
+  if (config2.meshes.length === 0) {
+    console.error("No meshes joined. Run `claudemesh join <url>` first.");
+    process.exit(1);
+  }
+  let mesh;
+  if (opts.meshSlug) {
+    const found = config2.meshes.find((m) => m.slug === opts.meshSlug);
+    if (!found) {
+      console.error(`Mesh "${opts.meshSlug}" not found. Joined: ${config2.meshes.map((m) => m.slug).join(", ")}`);
+      process.exit(1);
+    }
+    mesh = found;
+  } else if (config2.meshes.length === 1) {
+    mesh = config2.meshes[0];
+  } else {
+    console.error(`Multiple meshes joined. Specify one with --mesh <slug>.
+Joined: ${config2.meshes.map((m) => m.slug).join(", ")}`);
+    process.exit(1);
+  }
+  const displayName = opts.displayName ?? config2.displayName ?? `${hostname3()}-${process.pid}`;
+  const client = new BrokerClient(mesh, { displayName });
+  try {
+    await client.connect();
+    const result = await fn(client, mesh);
+    return result;
+  } finally {
+    client.close();
+  }
+}
+
+// src/commands/peers.ts
+async function runPeers(flags) {
+  const useColor = !process.env.NO_COLOR && process.env.TERM !== "dumb" && process.stdout.isTTY;
+  const dim = (s) => useColor ? `\x1B[2m${s}\x1B[22m` : s;
+  const bold2 = (s) => useColor ? `\x1B[1m${s}\x1B[22m` : s;
+  const green = (s) => useColor ? `\x1B[32m${s}\x1B[39m` : s;
+  const yellow = (s) => useColor ? `\x1B[33m${s}\x1B[39m` : s;
+  await withMesh({ meshSlug: flags.mesh ?? null }, async (client, mesh) => {
+    const peers = await client.listPeers();
+    if (flags.json) {
+      console.log(JSON.stringify(peers, null, 2));
+      return;
+    }
+    if (peers.length === 0) {
+      console.log(dim(`No peers connected on mesh "${mesh.slug}".`));
+      return;
+    }
+    console.log(bold2(`Peers on ${mesh.slug}`) + dim(` (${peers.length})`));
+    console.log("");
+    for (const p of peers) {
+      const groups = p.groups.length ? " [" + p.groups.map((g) => `@${g.name}${g.role ? `:${g.role}` : ""}`).join(", ") + "]" : "";
+      const statusIcon = p.status === "working" ? yellow("●") : green("●");
+      const name = bold2(p.displayName);
+      const summary = p.summary ? dim(`  ${p.summary}`) : "";
+      console.log(`  ${statusIcon} ${name}${groups}${summary}`);
+    }
+    console.log("");
+  });
+}
+
+// src/commands/send.ts
+async function runSend(flags, to, message) {
+  const priority = flags.priority === "now" ? "now" : flags.priority === "low" ? "low" : "next";
+  await withMesh({ meshSlug: flags.mesh ?? null }, async (client) => {
+    let targetSpec = to;
+    if (!to.startsWith("@") && to !== "*" && !/^[0-9a-f]{64}$/i.test(to)) {
+      const peers = await client.listPeers();
+      const match = peers.find((p) => p.displayName.toLowerCase() === to.toLowerCase());
+      if (!match) {
+        const names = peers.map((p) => p.displayName).join(", ");
+        console.error(`Peer "${to}" not found. Online: ${names || "(none)"}`);
+        process.exit(1);
+      }
+      targetSpec = match.pubkey;
+    }
+    const result = await client.send(targetSpec, message, priority);
+    if (result.ok) {
+      console.log(`✓ Sent to ${to}${result.messageId ? ` (${result.messageId.slice(0, 8)})` : ""}`);
+    } else {
+      console.error(`✗ Send failed: ${result.error ?? "unknown error"}`);
+      process.exit(1);
+    }
+  });
+}
+
+// src/commands/inbox.ts
+function formatMessage(msg, useColor) {
+  const dim = (s) => useColor ? `\x1B[2m${s}\x1B[22m` : s;
+  const bold2 = (s) => useColor ? `\x1B[1m${s}\x1B[22m` : s;
+  const text2 = msg.plaintext ?? `[encrypted: ${msg.ciphertext.slice(0, 32)}…]`;
+  const from = msg.senderPubkey.slice(0, 8);
+  const time3 = new Date(msg.createdAt).toLocaleTimeString();
+  const kindTag = msg.kind === "direct" ? "→ direct" : msg.kind;
+  return `  ${bold2(from)} ${dim(`[${kindTag}] ${time3}`)}
+  ${text2}`;
+}
+async function runInbox(flags) {
+  const useColor = !process.env.NO_COLOR && process.env.TERM !== "dumb" && process.stdout.isTTY;
+  const dim = (s) => useColor ? `\x1B[2m${s}\x1B[22m` : s;
+  const bold2 = (s) => useColor ? `\x1B[1m${s}\x1B[22m` : s;
+  const waitMs = (flags.wait ?? 1) * 1000;
+  await withMesh({ meshSlug: flags.mesh ?? null }, async (client, mesh) => {
+    await new Promise((resolve2) => setTimeout(resolve2, waitMs));
+    const messages = client.drainPushBuffer();
+    if (flags.json) {
+      console.log(JSON.stringify(messages, null, 2));
+      return;
+    }
+    if (messages.length === 0) {
+      console.log(dim(`No messages on mesh "${mesh.slug}".`));
+      return;
+    }
+    console.log(bold2(`Inbox — ${mesh.slug}`) + dim(` (${messages.length} message${messages.length === 1 ? "" : "s"})`));
+    console.log("");
+    for (const msg of messages) {
+      console.log(formatMessage(msg, useColor));
+      console.log("");
+    }
+  });
+}
+
+// src/commands/state.ts
+async function runStateGet(flags, key) {
+  const useColor = !process.env.NO_COLOR && process.env.TERM !== "dumb" && process.stdout.isTTY;
+  const dim = (s) => useColor ? `\x1B[2m${s}\x1B[22m` : s;
+  await withMesh({ meshSlug: flags.mesh ?? null }, async (client) => {
+    const entry = await client.getState(key);
+    if (!entry) {
+      console.log(dim(`(not set)`));
+      return;
+    }
+    if (flags.json) {
+      console.log(JSON.stringify(entry, null, 2));
+      return;
+    }
+    const val = typeof entry.value === "string" ? entry.value : JSON.stringify(entry.value);
+    console.log(val);
+    console.log(dim(`  set by ${entry.updatedBy} at ${new Date(entry.updatedAt).toLocaleString()}`));
+  });
+}
+async function runStateSet(flags, key, value) {
+  let parsed;
+  try {
+    parsed = JSON.parse(value);
+  } catch {
+    parsed = value;
+  }
+  await withMesh({ meshSlug: flags.mesh ?? null }, async (client) => {
+    await client.setState(key, parsed);
+    console.log(`✓ ${key} = ${JSON.stringify(parsed)}`);
+  });
+}
+async function runStateList(flags) {
+  const useColor = !process.env.NO_COLOR && process.env.TERM !== "dumb" && process.stdout.isTTY;
+  const dim = (s) => useColor ? `\x1B[2m${s}\x1B[22m` : s;
+  const bold2 = (s) => useColor ? `\x1B[1m${s}\x1B[22m` : s;
+  await withMesh({ meshSlug: flags.mesh ?? null }, async (client, mesh) => {
+    const entries = await client.listState();
+    if (flags.json) {
+      console.log(JSON.stringify(entries, null, 2));
+      return;
+    }
+    if (entries.length === 0) {
+      console.log(dim(`No state on mesh "${mesh.slug}".`));
+      return;
+    }
+    for (const e of entries) {
+      const val = typeof e.value === "string" ? e.value : JSON.stringify(e.value);
+      console.log(`${bold2(e.key)}: ${val}`);
+      console.log(dim(`  ${e.updatedBy} · ${new Date(e.updatedAt).toLocaleString()}`));
+    }
+  });
+}
+
 // src/index.ts
 var launch = defineCommand({
   meta: {
@@ -50672,6 +51165,69 @@ var main = defineCommand({
       }
     }),
     leave,
+    peers: defineCommand({
+      meta: { name: "peers", description: "List connected peers in the mesh" },
+      args: {
+        mesh: { type: "string", description: "Mesh slug (auto-selected if only one joined)" },
+        json: { type: "boolean", description: "Output as JSON", default: false }
+      },
+      async run({ args }) {
+        await runPeers(args);
+      }
+    }),
+    send: defineCommand({
+      meta: { name: "send", description: "Send a message to a peer, group, or broadcast" },
+      args: {
+        to: { type: "positional", description: "Recipient: display name, @group, pubkey, or *", required: true },
+        message: { type: "positional", description: "Message text", required: true },
+        mesh: { type: "string", description: "Mesh slug (auto-selected if only one joined)" },
+        priority: { type: "string", description: "now | next (default) | low" }
+      },
+      async run({ args }) {
+        await runSend(args, args.to, args.message);
+      }
+    }),
+    inbox: defineCommand({
+      meta: { name: "inbox", description: "Read pending peer messages" },
+      args: {
+        mesh: { type: "string", description: "Mesh slug (auto-selected if only one joined)" },
+        json: { type: "boolean", description: "Output as JSON", default: false },
+        wait: { type: "string", description: "Seconds to wait for broker delivery (default: 1)" }
+      },
+      async run({ args }) {
+        await runInbox({ ...args, wait: args.wait ? parseInt(args.wait, 10) : undefined });
+      }
+    }),
+    state: defineCommand({
+      meta: { name: "state", description: "Read or write shared mesh state" },
+      args: {
+        action: { type: "positional", description: "get | set | list", required: true },
+        key: { type: "positional", description: "State key (required for get/set)" },
+        value: { type: "positional", description: "Value to set (required for set)" },
+        mesh: { type: "string", description: "Mesh slug (auto-selected if only one joined)" },
+        json: { type: "boolean", description: "Output as JSON", default: false }
+      },
+      async run({ args }) {
+        if (args.action === "list") {
+          await runStateList(args);
+        } else if (args.action === "get") {
+          if (!args.key) {
+            console.error("Usage: claudemesh state get <key>");
+            process.exit(1);
+          }
+          await runStateGet(args, args.key);
+        } else if (args.action === "set") {
+          if (!args.key || !args.value) {
+            console.error("Usage: claudemesh state set <key> <value>");
+            process.exit(1);
+          }
+          await runStateSet(args, args.key, args.value);
+        } else {
+          console.error(`Unknown action "${args.action}". Use: get, set, list`);
+          process.exit(1);
+        }
+      }
+    }),
     status: defineCommand({
       meta: { name: "status", description: "Check broker reachability for each joined mesh" },
       async run() {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "claudemesh-cli",
-  "version": "0.6.0",
+  "version": "0.6.2",
   "description": "Claude Code MCP client for claudemesh — peer mesh messaging between Claude sessions.",
   "keywords": [
     "claude-code",