claudemesh-cli 1.0.0-alpha.30 → 1.0.0-alpha.32

package/dist/entrypoints/mcp.js

@@ -3465,6 +3465,693 @@ var init_exit_codes = __esm(() => {
   };
 });
 
+// src/constants/timings.ts
+var TIMINGS;
+var init_timings = __esm(() => {
+  TIMINGS = {
+    DEVICE_CODE_POLL_MS: 1500,
+    DEVICE_CODE_TIMEOUT_MS: 5 * 60 * 1000,
+    WS_RECONNECT_BASE_MS: 1000,
+    WS_RECONNECT_MAX_MS: 30000,
+    UPDATE_CHECK_INTERVAL_MS: 24 * 60 * 60 * 1000,
+    TELEGRAM_CONNECT_TIMEOUT_MS: 5 * 60 * 1000,
+    TELEGRAM_POLL_INTERVAL_MS: 2000,
+    API_TIMEOUT_MS: 15000,
+    API_RETRY_COUNT: 2
+  };
+});
+
+// src/constants/urls.ts
+var exports_urls = {};
+__export(exports_urls, {
+  env: () => env,
+  VERSION: () => VERSION,
+  URLS: () => URLS
+});
+var URLS, VERSION = "1.0.0-alpha.32", env;
+var init_urls = __esm(() => {
+  URLS = {
+    BROKER: process.env.CLAUDEMESH_BROKER_URL ?? "wss://ic.claudemesh.com/ws",
+    API_BASE: process.env.CLAUDEMESH_API_URL ?? "https://claudemesh.com",
+    DASHBOARD: "https://claudemesh.com/dashboard",
+    NPM_REGISTRY: "https://registry.npmjs.org/claudemesh-cli"
+  };
+  env = {
+    CLAUDEMESH_BROKER_URL: URLS.BROKER,
+    CLAUDEMESH_CONFIG_DIR: process.env.CLAUDEMESH_CONFIG_DIR || undefined,
+    CLAUDEMESH_DEBUG: process.env.CLAUDEMESH_DEBUG === "1" || process.env.CLAUDEMESH_DEBUG === "true"
+  };
+});
+
+// src/services/logger/logger.ts
+function timestamp() {
+  return new Date().toISOString();
+}
+function log(msg, ...args) {
+  if (!isQuiet)
+    console.log(msg, ...args);
+}
+function debug(msg, ...args) {
+  if (isDebug)
+    console.error(`[${timestamp()}] DEBUG ${msg}`, ...args);
+}
+function warn(msg, ...args) {
+  console.error(`⚠ ${msg}`, ...args);
+}
+var isDebug, isQuiet;
+var init_logger = __esm(() => {
+  isDebug = process.env.CLAUDEMESH_DEBUG === "1" || process.env.CLAUDEMESH_DEBUG === "true";
+  isQuiet = process.argv.includes("-q") || process.argv.includes("--quiet");
+});
+
+// src/services/logger/facade.ts
+var init_facade4 = __esm(() => {
+  init_logger();
+});
+
+// src/services/api/errors.ts
+var ApiError, NetworkError;
+var init_errors2 = __esm(() => {
+  ApiError = class ApiError extends Error {
+    status;
+    statusText;
+    body;
+    constructor(status, statusText, body) {
+      super(`API error ${status}: ${statusText}`);
+      this.status = status;
+      this.statusText = statusText;
+      this.body = body;
+      this.name = "ApiError";
+    }
+    get isUnauthorized() {
+      return this.status === 401;
+    }
+    get isNotFound() {
+      return this.status === 404;
+    }
+    get isConflict() {
+      return this.status === 409;
+    }
+    get isRateLimited() {
+      return this.status === 429;
+    }
+  };
+  NetworkError = class NetworkError extends Error {
+    url;
+    constructor(url, cause) {
+      super(`Network error reaching ${url}`);
+      this.url = url;
+      this.name = "NetworkError";
+      this.cause = cause;
+    }
+  };
+});
+
+// src/services/api/client.ts
+async function request(opts) {
+  const base = opts.baseUrl ?? URLS.API_BASE;
+  const url = `${base}${opts.path}`;
+  const method = opts.method ?? "GET";
+  const controller = new AbortController;
+  const timeout = setTimeout(() => controller.abort(), opts.timeoutMs ?? TIMINGS.API_TIMEOUT_MS);
+  const headers = {
+    "Content-Type": "application/json",
+    Accept: "application/json",
+    "User-Agent": "claudemesh-cli/1.0"
+  };
+  if (opts.token)
+    headers.Authorization = `Bearer ${opts.token}`;
+  debug(`${method} ${url}`);
+  try {
+    const res = await fetch(url, {
+      method,
+      headers,
+      body: opts.body ? JSON.stringify(opts.body) : undefined,
+      signal: controller.signal
+    });
+    if (!res.ok) {
+      let body;
+      try {
+        body = await res.json();
+      } catch {
+        body = await res.text();
+      }
+      throw new ApiError(res.status, res.statusText, body);
+    }
+    const text = await res.text();
+    if (!text)
+      return;
+    return JSON.parse(text);
+  } catch (err) {
+    if (err instanceof ApiError)
+      throw err;
+    throw new NetworkError(url, err);
+  } finally {
+    clearTimeout(timeout);
+  }
+}
+async function get(path, token) {
+  return request({ path, token });
+}
+async function post(path, body, token) {
+  return request({ path, method: "POST", body, token });
+}
+var init_client = __esm(() => {
+  init_urls();
+  init_timings();
+  init_facade4();
+  init_errors2();
+});
+
+// src/services/api/my.ts
+var exports_my = {};
+__export(exports_my, {
+  revokeSession: () => revokeSession,
+  renameMesh: () => renameMesh,
+  getProfile: () => getProfile,
+  getMeshes: () => getMeshes,
+  createMesh: () => createMesh,
+  createInvite: () => createInvite,
+  cliSync: () => cliSync
+});
+async function getProfile(token) {
+  return get("/api/my/profile", token);
+}
+async function getMeshes(token) {
+  return get("/api/my/meshes", token);
+}
+async function createMesh(token, body) {
+  return post("/api/my/meshes", body, token);
+}
+async function renameMesh(token, slug, newName) {
+  return request({
+    path: `/api/my/meshes/${slug}`,
+    method: "PATCH",
+    body: { name: newName },
+    token
+  });
+}
+async function createInvite(token, meshSlug, body) {
+  return post(`/api/my/meshes/${meshSlug}/invites`, body, token);
+}
+async function revokeSession(token) {
+  const BROKER_HTTP = (await Promise.resolve().then(() => (init_urls(), exports_urls))).URLS.BROKER.replace("wss://", "https://").replace("ws://", "http://").replace("/ws", "");
+  return request({
+    path: "/cli/session/revoke",
+    method: "POST",
+    body: { token },
+    baseUrl: BROKER_HTTP
+  });
+}
+async function cliSync(token) {
+  return post("/cli-sync", undefined, token);
+}
+var init_my = __esm(() => {
+  init_client();
+});
+
+// src/services/api/public.ts
+var exports_public = {};
+__export(exports_public, {
+  requestDeviceCode: () => requestDeviceCode,
+  pollDeviceCode: () => pollDeviceCode,
+  claimInvite: () => claimInvite
+});
+async function claimInvite(code, body) {
+  return post(`/api/public/invites/${code}/claim`, body);
+}
+async function requestDeviceCode(deviceInfo) {
+  return request({
+    path: "/cli/device-code",
+    method: "POST",
+    body: deviceInfo,
+    baseUrl: BROKER_HTTP
+  });
+}
+async function pollDeviceCode(deviceCode) {
+  return request({
+    path: `/cli/device-code/${deviceCode}`,
+    baseUrl: BROKER_HTTP
+  });
+}
+var BROKER_HTTP;
+var init_public = __esm(() => {
+  init_client();
+  init_urls();
+  BROKER_HTTP = URLS.BROKER.replace("wss://", "https://").replace("ws://", "http://").replace("/ws", "");
+});
+
+// src/services/api/facade.ts
+var init_facade5 = __esm(() => {
+  init_client();
+  init_errors2();
+  init_my();
+  init_public();
+});
+
+// src/services/device/info.ts
+import { hostname as hostname2, platform as platform2, arch, release } from "node:os";
+function getDeviceInfo() {
+  return {
+    hostname: hostname2(),
+    platform: platform2(),
+    arch: arch(),
+    osRelease: release(),
+    nodeVersion: process.version
+  };
+}
+var init_info = () => {};
+
+// src/services/device/facade.ts
+var init_facade6 = __esm(() => {
+  init_info();
+});
+
+// src/services/spawn/claude.ts
+import { spawnSync } from "node:child_process";
+import { existsSync as existsSync2 } from "node:fs";
+function findClaudeBinary() {
+  const candidates = [
+    process.env.CLAUDE_BIN,
+    "/usr/local/bin/claude",
+    `${process.env.HOME}/.local/bin/claude`,
+    `${process.env.HOME}/.npm/bin/claude`
+  ].filter(Boolean);
+  for (const bin of candidates) {
+    if (existsSync2(bin))
+      return bin;
+  }
+  const which = spawnSync("which", ["claude"], { encoding: "utf-8" });
+  if (which.status === 0 && which.stdout.trim())
+    return which.stdout.trim();
+  return null;
+}
+function spawnClaude(opts) {
+  const bin = findClaudeBinary();
+  if (!bin)
+    throw new Error("Claude binary not found. Install with: npm i -g @anthropic-ai/claude-code");
+  return spawnSync(bin, opts.args, {
+    stdio: "inherit",
+    env: { ...process.env, ...opts.env },
+    cwd: opts.cwd
+  });
+}
+var init_claude = () => {};
+
+// src/services/spawn/browser.ts
+import { execFile } from "node:child_process";
+import { platform as platform3 } from "node:os";
+function openBrowser(url) {
+  return new Promise((resolve, reject) => {
+    const os = platform3();
+    let bin;
+    let args;
+    if (os === "darwin") {
+      bin = "open";
+      args = [url];
+    } else if (os === "win32") {
+      bin = "cmd";
+      args = ["/c", "start", "", url];
+    } else {
+      bin = "xdg-open";
+      args = [url];
+    }
+    execFile(bin, args, (err) => {
+      if (err)
+        reject(err);
+      else
+        resolve();
+    });
+  });
+}
+var init_browser = () => {};
+
+// src/services/spawn/facade.ts
+var exports_facade3 = {};
+__export(exports_facade3, {
+  spawnClaude: () => spawnClaude,
+  openBrowser: () => openBrowser,
+  findClaudeBinary: () => findClaudeBinary
+});
+var init_facade7 = __esm(() => {
+  init_claude();
+  init_browser();
+});
+
+// src/services/auth/token-store.ts
+import { readFileSync as readFileSync2, writeFileSync as writeFileSync2, unlinkSync, existsSync as existsSync3, openSync as openSync2, closeSync as closeSync2 } from "node:fs";
+function getStoredToken() {
+  if (!existsSync3(PATHS.AUTH_FILE))
+    return null;
+  try {
+    const raw = readFileSync2(PATHS.AUTH_FILE, "utf-8");
+    return JSON.parse(raw);
+  } catch {
+    return null;
+  }
+}
+function storeToken(auth) {
+  ensureConfigDir();
+  const data = { ...auth, stored_at: new Date().toISOString() };
+  const content = JSON.stringify(data, null, 2) + `
+`;
+  const fd = openSync2(PATHS.AUTH_FILE, "w", 384);
+  try {
+    writeFileSync2(fd, content, "utf-8");
+  } finally {
+    closeSync2(fd);
+  }
+}
+function clearToken() {
+  try {
+    unlinkSync(PATHS.AUTH_FILE);
+  } catch {}
+}
+var init_token_store = __esm(() => {
+  init_paths();
+  init_facade();
+});
+
+// src/services/auth/errors.ts
+var AuthError, DeviceCodeExpired, NotSignedIn;
+var init_errors3 = __esm(() => {
+  AuthError = class AuthError extends Error {
+    constructor(message) {
+      super(message);
+      this.name = "AuthError";
+    }
+  };
+  DeviceCodeExpired = class DeviceCodeExpired extends AuthError {
+    constructor() {
+      super("Device code expired. Run `claudemesh login` again.");
+    }
+  };
+  NotSignedIn = class NotSignedIn extends AuthError {
+    constructor() {
+      super("Not signed in. Run `claudemesh login` first.");
+    }
+  };
+});
+
+// src/services/auth/device-code.ts
+import { createInterface as createInterface2 } from "node:readline";
+function parseJwtUser(token) {
+  try {
+    const parts = token.split(".");
+    if (parts[1]) {
+      const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString());
+      if (payload.exp && payload.exp < Date.now() / 1000)
+        throw new Error("expired");
+      return {
+        id: payload.sub ?? "",
+        display_name: payload.name ?? payload.email ?? "",
+        email: payload.email ?? ""
+      };
+    }
+  } catch {}
+  throw new Error("Invalid token");
+}
+async function loginWithDeviceCode() {
+  const device = getDeviceInfo();
+  const { device_code, user_code, session_id, verification_url, token_url } = await exports_public.requestDeviceCode({
+    hostname: device.hostname,
+    platform: device.platform,
+    arch: device.arch
+  });
+  const browserUrl = `${verification_url}?session=${session_id}`;
+  const isTTY2 = process.stdout.isTTY && !process.env.NO_COLOR;
+  const orange2 = (s) => isTTY2 ? `\x1B[38;5;208m${s}\x1B[0m` : s;
+  const bold2 = (s) => isTTY2 ? `\x1B[1m${s}\x1B[0m` : s;
+  const dim2 = (s) => isTTY2 ? `\x1B[2m${s}\x1B[0m` : s;
+  log("");
+  log("  " + orange2("claudemesh") + " — sign in to connect your terminal");
+  log("");
+  log("  ┌──────────────────────────────────┐");
+  log("  │                                  │");
+  log("  │   Your code:  " + bold2(user_code) + "          │");
+  log("  │                                  │");
+  log("  └──────────────────────────────────┘");
+  log("");
+  log("  " + dim2("Confirm this code matches your browser."));
+  log("");
+  log("  " + dim2("If the browser didn't open, visit:"));
+  log("  " + browserUrl);
+  log("");
+  log("  " + dim2("Can't use a browser? Generate a token at:"));
+  log("  " + (token_url || verification_url.replace("/cli-auth", "/token")));
+  log("  " + dim2("Then paste it below."));
+  log("");
+  log("  Waiting… " + dim2("(paste token or Ctrl-C to cancel)"));
+  try {
+    await openBrowser(browserUrl);
+  } catch {
+    warn("  Could not open browser automatically.");
+  }
+  return new Promise((resolve, reject) => {
+    let done = false;
+    const rl = createInterface2({ input: process.stdin, output: process.stdout });
+    rl.on("line", (line) => {
+      if (done)
+        return;
+      const trimmed = line.trim();
+      if (trimmed.split(".").length === 3 && trimmed.length > 50) {
+        done = true;
+        rl.close();
+        try {
+          const user = parseJwtUser(trimmed);
+          storeToken({ session_token: trimmed, user, token_source: "manual" });
+          resolve({ user, session_token: trimmed });
+        } catch (e) {
+          reject(new Error("Invalid or expired token. Generate a new one."));
+        }
+      }
+    });
+    const startTime = Date.now();
+    const poll = async () => {
+      while (!done && Date.now() - startTime < TIMINGS.DEVICE_CODE_TIMEOUT_MS) {
+        await new Promise((r) => setTimeout(r, TIMINGS.DEVICE_CODE_POLL_MS));
+        if (done)
+          return;
+        try {
+          const result = await exports_public.pollDeviceCode(device_code);
+          if (result.status === "approved" && result.session_token && result.user) {
+            if (done)
+              return;
+            done = true;
+            rl.close();
+            storeToken({ session_token: result.session_token, user: result.user, token_source: "device-code" });
+            resolve({ user: result.user, session_token: result.session_token });
+            return;
+          }
+          if (result.status === "expired") {
+            if (done)
+              return;
+            done = true;
+            rl.close();
+            reject(new DeviceCodeExpired);
+            return;
+          }
+        } catch {}
+      }
+      if (!done) {
+        done = true;
+        rl.close();
+        reject(new DeviceCodeExpired);
+      }
+    };
+    poll();
+  });
+}
+var init_device_code = __esm(() => {
+  init_timings();
+  init_facade5();
+  init_facade6();
+  init_facade7();
+  init_facade4();
+  init_token_store();
+  init_errors3();
+});
+
+// src/services/auth/client.ts
+function requireToken() {
+  const auth = getStoredToken();
+  if (!auth)
+    throw new NotSignedIn;
+  return auth.session_token;
+}
+async function whoAmI() {
+  const auth = getStoredToken();
+  if (!auth)
+    return { signed_in: false };
+  try {
+    const profile = await exports_my.getProfile(auth.session_token);
+    const meshes = await exports_my.getMeshes(auth.session_token);
+    const owned = meshes.filter((m) => m.role === "owner").length;
+    return {
+      signed_in: true,
+      user: profile,
+      token_source: auth.token_source,
+      meshes: { owned, guest: meshes.length - owned }
+    };
+  } catch (err) {
+    if (err instanceof ApiError && err.isUnauthorized) {
+      clearToken();
+      return { signed_in: false };
+    }
+    throw err;
+  }
+}
+async function logout() {
+  const token = requireToken();
+  let revoked = false;
+  try {
+    await exports_my.revokeSession(token);
+    revoked = true;
+  } catch {}
+  clearToken();
+  return { revoked };
+}
+async function register(callbackPort) {
+  const { openBrowser: openBrowser2 } = await Promise.resolve().then(() => (init_facade7(), exports_facade3));
+  const url = `https://claudemesh.com/register?source=cli&callback=http://localhost:${callbackPort}`;
+  await openBrowser2(url);
+}
+var init_client2 = __esm(() => {
+  init_facade5();
+  init_facade5();
+  init_token_store();
+  init_errors3();
+});
+
+// src/services/auth/dashboard-sync.ts
+async function syncWithBroker(syncToken, peerPubkey, displayName, brokerBaseUrl) {
+  const base = brokerBaseUrl ?? deriveHttpUrl(URLS.BROKER);
+  const res = await fetch(`${base}/cli-sync`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({
+      sync_token: syncToken,
+      peer_pubkey: peerPubkey,
+      display_name: displayName
+    })
+  });
+  if (!res.ok) {
+    const body2 = await res.text();
+    let msg;
+    try {
+      msg = JSON.parse(body2).error ?? body2;
+    } catch {
+      msg = body2;
+    }
+    throw new Error(`Broker sync failed (${res.status}): ${msg}`);
+  }
+  const body = await res.json();
+  if (!body.ok)
+    throw new Error(`Broker sync failed: ${body.error ?? "unknown error"}`);
+  return { account_id: body.account_id, meshes: body.meshes };
+}
+function deriveHttpUrl(wssUrl) {
+  const url = new URL(wssUrl);
+  url.protocol = url.protocol === "wss:" ? "https:" : "http:";
+  url.pathname = url.pathname.replace(/\/ws\/?$/, "");
+  return url.toString().replace(/\/$/, "");
+}
+var init_dashboard_sync = __esm(() => {
+  init_urls();
+});
+
+// src/services/auth/callback-listener.ts
+import { createServer } from "node:http";
+function startCallbackListener() {
+  return new Promise((resolveStart) => {
+    let resolveToken;
+    let resolved = false;
+    const tokenPromise = new Promise((r) => {
+      resolveToken = r;
+    });
+    const server = createServer((req, res) => {
+      const url = new URL(req.url, "http://localhost");
+      if (req.method === "OPTIONS") {
+        res.writeHead(204, {
+          "Access-Control-Allow-Origin": "https://claudemesh.com",
+          "Access-Control-Allow-Methods": "GET",
+          "Access-Control-Allow-Headers": "Content-Type"
+        });
+        res.end();
+        return;
+      }
+      if (url.pathname === "/ping") {
+        res.writeHead(200, {
+          "Content-Type": "text/plain",
+          "Access-Control-Allow-Origin": "https://claudemesh.com"
+        });
+        res.end("ok");
+        return;
+      }
+      if (url.pathname === "/callback") {
+        const token = url.searchParams.get("token");
+        if (token && !resolved) {
+          resolved = true;
+          res.writeHead(200, {
+            "Content-Type": "text/html",
+            "Access-Control-Allow-Origin": "https://claudemesh.com"
+          });
+          res.end("<html><body><h2>Done! You can close this tab.</h2></body></html>");
+          resolveToken(token);
+          setTimeout(() => server.close(), 500);
+        } else {
+          res.writeHead(400, { "Content-Type": "text/plain" });
+          res.end("Missing token");
+        }
+        return;
+      }
+      res.writeHead(404);
+      res.end();
+    });
+    server.listen(0, "127.0.0.1", () => {
+      const addr = server.address();
+      resolveStart({
+        port: addr.port,
+        token: tokenPromise,
+        close: () => server.close()
+      });
+    });
+  });
+}
+var init_callback_listener = () => {};
+
+// src/services/auth/facade.ts
+var exports_facade4 = {};
+__export(exports_facade4, {
+  whoAmI: () => whoAmI,
+  syncWithBroker: () => syncWithBroker,
+  storeToken: () => storeToken,
+  startCallbackListener: () => startCallbackListener,
+  register: () => register,
+  logout: () => logout,
+  loginWithDeviceCode: () => loginWithDeviceCode,
+  getStoredToken: () => getStoredToken,
+  generatePairingCode: () => generatePairingCode,
+  clearToken: () => clearToken,
+  NotSignedIn: () => NotSignedIn,
+  DeviceCodeExpired: () => DeviceCodeExpired,
+  AuthError: () => AuthError
+});
+import { randomBytes as randomBytes3 } from "node:crypto";
+function generatePairingCode() {
+  const bytes = randomBytes3(4);
+  return Array.from(bytes, (b) => CHARS[b % CHARS.length]).join("");
+}
+var CHARS = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789";
+var init_facade8 = __esm(() => {
+  init_device_code();
+  init_client2();
+  init_dashboard_sync();
+  init_token_store();
+  init_callback_listener();
+  init_errors3();
+});
+
 // src/commands/grants.ts
 var exports_grants = {};
 __export(exports_grants, {
@@ -3474,23 +4161,47 @@ __export(exports_grants, {
   runBlock: () => runBlock,
   isAllowed: () => isAllowed
 });
-import { existsSync as existsSync2, mkdirSync as mkdirSync2, readFileSync as readFileSync2, writeFileSync as writeFileSync2 } from "node:fs";
+import { existsSync as existsSync4, mkdirSync as mkdirSync2, readFileSync as readFileSync3, writeFileSync as writeFileSync3 } from "node:fs";
 import { homedir as homedir2 } from "node:os";
 import { join as join2 } from "node:path";
+async function syncToBroker(meshSlug, grants) {
+  const auth = getStoredToken();
+  if (!auth)
+    return;
+  let userId = "";
+  try {
+    const payload = JSON.parse(Buffer.from(auth.session_token.split(".")[1], "base64url").toString());
+    userId = payload.sub ?? "";
+  } catch {
+    return;
+  }
+  if (!userId)
+    return;
+  try {
+    await request({
+      path: `/cli/mesh/${meshSlug}/grants`,
+      method: "POST",
+      body: { user_id: userId, grants },
+      baseUrl: BROKER_HTTP2
+    });
+  } catch (e) {
+    render.warn(`broker grant sync failed — client filter still active: ${e instanceof Error ? e.message : e}`);
+  }
+}
 function readGrants() {
-  if (!existsSync2(GRANT_FILE))
+  if (!existsSync4(GRANT_FILE))
     return {};
   try {
-    return JSON.parse(readFileSync2(GRANT_FILE, "utf-8"));
+    return JSON.parse(readFileSync3(GRANT_FILE, "utf-8"));
   } catch {
     return {};
   }
 }
 function writeGrants(g) {
   const dir = join2(homedir2(), ".claudemesh");
-  if (!existsSync2(dir))
+  if (!existsSync4(dir))
     mkdirSync2(dir, { recursive: true });
-  writeFileSync2(GRANT_FILE, JSON.stringify(g, null, 2), { mode: 384 });
+  writeFileSync3(GRANT_FILE, JSON.stringify(g, null, 2), { mode: 384 });
 }
 function resolveCaps(input) {
   if (input.includes("all"))
@@ -3538,6 +4249,7 @@ async function runGrant(peer, caps, opts = {}) {
   meshGrants[resolved.pubkey] = merged;
   store[mesh] = meshGrants;
   writeGrants(store);
+  await syncToBroker(mesh, { [resolved.pubkey]: merged });
   render.ok(`Granted ${wanted.join(", ")} to ${resolved.displayName} on ${mesh}.`);
   render.kv([["now", merged.join(", ")]]);
   return EXIT.SUCCESS;
@@ -3565,6 +4277,7 @@ async function runRevoke(peer, caps, opts = {}) {
   meshGrants[resolved.pubkey] = after;
   store[mesh] = meshGrants;
   writeGrants(store);
+  await syncToBroker(mesh, { [resolved.pubkey]: after });
   render.ok(`Revoked ${wanted.join(", ")} from ${resolved.displayName} on ${mesh}.`);
   render.kv([["now", after.length ? after.join(", ") : "(none)"]]);
   return EXIT.SUCCESS;
@@ -3589,6 +4302,7 @@ async function runBlock(peer, opts = {}) {
   meshGrants[resolved.pubkey] = [];
   store[mesh] = meshGrants;
   writeGrants(store);
+  await syncToBroker(mesh, { [resolved.pubkey]: [] });
   render.ok(`Blocked ${resolved.displayName} on ${mesh} (all capabilities revoked).`);
   render.hint(`Undo with: claudemesh grant ${resolved.displayName} all --mesh ${mesh}`);
   return EXIT.SUCCESS;
@@ -3628,12 +4342,16 @@ function isAllowed(meshSlug, peerPubkey, cap) {
     return DEFAULT_CAPS.includes(cap);
   return entry.includes(cap);
 }
-var ALL_CAPS, DEFAULT_CAPS, GRANT_FILE;
+var BROKER_HTTP2, ALL_CAPS, DEFAULT_CAPS, GRANT_FILE;
 var init_grants = __esm(() => {
   init_facade();
   init_connect();
   init_render();
   init_exit_codes();
+  init_facade8();
+  init_facade5();
+  init_urls();
+  BROKER_HTTP2 = URLS.BROKER.replace("wss://", "https://").replace("ws://", "http://").replace("/ws", "");
   ALL_CAPS = ["read", "dm", "broadcast", "state-read", "state-write", "file-read"];
   DEFAULT_CAPS = ["read", "dm", "broadcast", "state-read"];
   GRANT_FILE = join2(homedir2(), ".claudemesh", "grants.json");
@@ -4039,9 +4757,9 @@ ${manifest.allowed_tools.map((t) => `  - ${t}`).join(`
         const results = [];
         const seen = new Set;
         for (const target of targets) {
-          const { client, targetSpec, error } = await resolveClient(target);
+          const { client, targetSpec, error: error2 } = await resolveClient(target);
           if (!client) {
-            results.push(`✗ ${target}: ${error ?? "no client resolved"}`);
+            results.push(`✗ ${target}: ${error2 ?? "no client resolved"}`);
             continue;
           }
           if (seen.has(targetSpec))
@@ -4102,13 +4820,13 @@ ${peerLines.join(`
           }
         }
         try {
-          const { writeFileSync: writeFileSync3, mkdirSync: mkdirSync3, existsSync: existsSync3 } = await import("node:fs");
+          const { writeFileSync: writeFileSync4, mkdirSync: mkdirSync3, existsSync: existsSync5 } = await import("node:fs");
           const { join: joinPath } = await import("node:path");
           const { homedir: homedir3 } = await import("node:os");
           const dir = joinPath(homedir3(), ".claudemesh");
-          if (!existsSync3(dir))
+          if (!existsSync5(dir))
             mkdirSync3(dir, { recursive: true });
-          writeFileSync3(joinPath(dir, "peer-cache.json"), JSON.stringify(statusCache));
+          writeFileSync4(joinPath(dir, "peer-cache.json"), JSON.stringify(statusCache));
         } catch {}
         return text(sections.join(`
 
@@ -4350,15 +5068,15 @@ ${lines.join(`
         const { path: filePath, name: fileName, tags, to: fileTo } = args ?? {};
         if (!filePath)
           return text("share_file: `path` required", true);
-        const { existsSync: existsSync3 } = await import("node:fs");
-        if (!existsSync3(filePath))
+        const { existsSync: existsSync5 } = await import("node:fs");
+        if (!existsSync5(filePath))
           return text(`share_file: file not found: ${filePath}`, true);
         const client = allClients()[0];
         if (!client)
           return text("share_file: not connected", true);
         if (fileTo) {
           const { encryptFile: encryptFile2, sealKeyForPeer: sealKeyForPeer2 } = await Promise.resolve().then(() => (init_file_crypto(), exports_file_crypto));
-          const { readFileSync: readFileSync3, writeFileSync: writeFileSync3, mkdtempSync, unlinkSync, rmdirSync } = await import("node:fs");
+          const { readFileSync: readFileSync4, writeFileSync: writeFileSync4, mkdtempSync, unlinkSync: unlinkSync2, rmdirSync } = await import("node:fs");
           const { tmpdir } = await import("node:os");
           const { join: join3, basename } = await import("node:path");
           const peers = await client.listPeers();
@@ -4366,7 +5084,7 @@ ${lines.join(`
           if (!targetPeer) {
             return text(`share_file: peer not found: ${fileTo}`, true);
           }
-          const plaintext = readFileSync3(filePath);
+          const plaintext = readFileSync4(filePath);
           const { ciphertext, nonce, key } = await encryptFile2(new Uint8Array(plaintext));
           const sealedForTarget = await sealKeyForPeer2(key, targetPeer.pubkey);
           const myPubkey = client.getSessionPubkey();
@@ -4385,7 +5103,7 @@ ${lines.join(`
           const baseName = basename(rawName).replace(/[^a-zA-Z0-9._-]/g, "_").slice(0, 255);
           const tmpDir = mkdtempSync(join3(tmpdir(), "cm-"));
           const tmpPath = join3(tmpDir, baseName);
-          writeFileSync3(tmpPath, combined);
+          writeFileSync4(tmpPath, combined);
           try {
             const fileId = await client.uploadFile(tmpPath, client.meshId, client.meshSlug, {
               name: baseName,
@@ -4400,7 +5118,7 @@ ${lines.join(`
             return text(`share_file: upload failed — ${e instanceof Error ? e.message : String(e)}`, true);
           } finally {
             try {
-              unlinkSync(tmpPath);
+              unlinkSync2(tmpPath);
             } catch {}
             try {
               rmdirSync(tmpDir);
@@ -4460,10 +5178,10 @@ ${lines.join(`
           const plaintext = await decryptFile2(ciphertext, nonce, kf);
           if (!plaintext)
             return text(genericErr, true);
-          const { writeFileSync: writeFileSync4, mkdirSync: mkdirSync4 } = await import("node:fs");
+          const { writeFileSync: writeFileSync5, mkdirSync: mkdirSync4 } = await import("node:fs");
           const { dirname: dirname2 } = await import("node:path");
           mkdirSync4(dirname2(save_to), { recursive: true });
-          writeFileSync4(save_to, plaintext);
+          writeFileSync5(save_to, plaintext);
           return text(`Downloaded and decrypted: ${result.name} → ${save_to}`);
         }
         let res = await fetch(result.url, { signal: AbortSignal.timeout(1e4) }).catch(() => null);
@@ -4473,10 +5191,10 @@ ${lines.join(`
         }
         if (!res.ok)
           return text(`get_file: download failed (${res.status})`, true);
-        const { writeFileSync: writeFileSync3, mkdirSync: mkdirSync3 } = await import("node:fs");
+        const { writeFileSync: writeFileSync4, mkdirSync: mkdirSync3 } = await import("node:fs");
         const { dirname } = await import("node:path");
         mkdirSync3(dirname(save_to), { recursive: true });
-        writeFileSync3(save_to, Buffer.from(await res.arrayBuffer()));
+        writeFileSync4(save_to, Buffer.from(await res.arrayBuffer()));
         return text(`Downloaded: ${result.name} → ${save_to}`);
       }
       case "list_files": {
@@ -5234,10 +5952,10 @@ ${lines.join(`
         const entryType = vType ?? "env";
         let plaintextBytes;
         if (entryType === "file") {
-          const { existsSync: existsSync3, readFileSync: readFileSync3 } = await import("node:fs");
-          if (!existsSync3(value))
+          const { existsSync: existsSync5, readFileSync: readFileSync4 } = await import("node:fs");
+          if (!existsSync5(value))
             return text(`vault_set: file not found: ${value}`, true);
-          plaintextBytes = new Uint8Array(readFileSync3(value));
+          plaintextBytes = new Uint8Array(readFileSync4(value));
         } else {
           plaintextBytes = new TextEncoder().encode(value);
         }
@@ -5804,4 +6522,4 @@ startMcpServer().catch((err) => {
   process.exit(1);
 });
 
-//# debugId=89A595C2EEA0442364756E2164756E21
+//# debugId=1491A1F07755C64D64756E2164756E21