claudemesh-cli 1.0.0-alpha.4 → 1.0.0-alpha.40

package/dist/entrypoints/mcp.js

@@ -1299,6 +1299,7 @@ class BrokerClient {
   outbound = [];
   pushHandlers = new Set;
   pushBuffer = [];
+  pushChain = Promise.resolve();
   listPeersResolvers = new Map;
   stateResolvers = new Map;
   stateListResolvers = new Map;
@@ -1423,8 +1424,10 @@ class BrokerClient {
           this.startStatsReporting();
           if (msg.restored) {
             const groups = msg.restoredGroups ? msg.restoredGroups.map((g) => g.role ? `@${g.name}:${g.role}` : `@${g.name}`).join(", ") : "none";
-            process.stderr.write(`[claudemesh] session restored — last seen ${msg.lastSeenAt ?? "unknown"}, groups: ${groups}
+            if (!this.opts.quiet) {
+              process.stderr.write(`[claudemesh] session restored — last seen ${msg.lastSeenAt ?? "unknown"}, groups: ${groups}
 `);
+            }
             if (msg.restoredStats) {
               const rs = msg.restoredStats;
               this._statsCounters.messagesIn = rs.messagesIn ?? 0;
@@ -2443,6 +2446,22 @@ class BrokerClient {
       return;
     this.ws.send(JSON.stringify(payload));
   }
+  async sendAndWait(payload, timeoutMs = 1e4) {
+    const reqId = `rw-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+    return new Promise((resolve, reject) => {
+      const timer = setTimeout(() => {
+        this.genericResolvers.delete(reqId);
+        reject(new Error("sendAndWait timeout"));
+      }, timeoutMs);
+      this.genericResolvers.set(reqId, (msg) => {
+        clearTimeout(timer);
+        this.genericResolvers.delete(reqId);
+        resolve(msg);
+      });
+      this.sendRaw({ ...payload, _reqId: reqId });
+    });
+  }
+  genericResolvers = new Map;
   close() {
     this.closed = true;
     this.stopStatsReporting();
@@ -2643,13 +2662,17 @@ class BrokerClient {
   }
   handleServerMessage(msg) {
     const msgReqId = msg._reqId;
+    if (msgReqId && this.genericResolvers.has(msgReqId)) {
+      const resolve = this.genericResolvers.get(msgReqId);
+      resolve(msg);
+      return;
+    }
     if (msg.type === "ack") {
       const pending = this.pendingSends.get(String(msg.id ?? ""));
       if (pending) {
-        pending.resolve({
-          ok: true,
-          messageId: String(msg.messageId ?? "")
-        });
+        const queued = msg.queued !== false;
+        const errStr = typeof msg.error === "string" ? msg.error : undefined;
+        pending.resolve(queued ? { ok: true, messageId: String(msg.messageId ?? "") } : { ok: false, error: errStr ?? "broker rejected send" });
         this.pendingSends.delete(pending.id);
       }
       return;
@@ -2664,7 +2687,7 @@ class BrokerClient {
       const nonce = String(msg.nonce ?? "");
       const ciphertext = String(msg.ciphertext ?? "");
       const senderPubkey = String(msg.senderPubkey ?? "");
-      (async () => {
+      this.pushChain = this.pushChain.then(async () => {
         const isSystem = msg.subtype === "system" || senderPubkey === "system";
         const kind = isSystem ? "broadcast" : senderPubkey ? "direct" : "unknown";
         let plaintext = null;
@@ -2689,7 +2712,13 @@ class BrokerClient {
             plaintext = `[${event}]`;
           }
         } else if (senderPubkey && nonce && ciphertext) {
-          plaintext = await decryptDirect({ nonce, ciphertext }, senderPubkey, this.sessionSecretKey ?? this.mesh.secretKey);
+          const envelope = { nonce, ciphertext };
+          if (this.sessionSecretKey) {
+            plaintext = await decryptDirect(envelope, senderPubkey, this.sessionSecretKey);
+          }
+          if (plaintext === null) {
+            plaintext = await decryptDirect(envelope, senderPubkey, this.mesh.secretKey);
+          }
         }
         if (plaintext === null && ciphertext && !senderPubkey) {
           try {
@@ -2735,7 +2764,9 @@ class BrokerClient {
             h(push);
           } catch {}
         }
-      })();
+      }).catch((e) => {
+        this.debug(`push handler chain error: ${e instanceof Error ? e.message : e}`);
+      });
       return;
     }
     if (msg.type === "state_result") {
@@ -3181,11 +3212,17 @@ class BrokerClient {
       send();
   }
   scheduleReconnect() {
+    if (this.reconnectTimer) {
+      this.debug("reconnect already scheduled — skipping");
+      return;
+    }
     this.setConnStatus("reconnecting");
-    const delay = BACKOFF_CAPS[Math.min(this.reconnectAttempt, BACKOFF_CAPS.length - 1)];
+    const base = BACKOFF_CAPS[Math.min(this.reconnectAttempt, BACKOFF_CAPS.length - 1)];
+    const delay = Math.floor(Math.random() * base);
     this.reconnectAttempt += 1;
-    this.debug(`reconnect in ${delay}ms (attempt ${this.reconnectAttempt})`);
+    this.debug(`reconnect in ${delay}ms (attempt ${this.reconnectAttempt}, base ${base}ms)`);
     this.reconnectTimer = setTimeout(() => {
+      this.reconnectTimer = null;
       if (this.closed)
         return;
       this.connect().catch((e) => {
@@ -3286,6 +3323,1072 @@ var init_facade3 = __esm(() => {
   init_errors();
 });
 
+// src/commands/connect.ts
+import { hostname } from "node:os";
+import { createInterface } from "node:readline";
+async function pickMesh(meshes) {
+  console.log(`
+  Select mesh:`);
+  meshes.forEach((m, i) => {
+    console.log(`    ${i + 1}) ${m.slug}`);
+  });
+  console.log("");
+  const rl = createInterface({ input: process.stdin, output: process.stdout });
+  return new Promise((resolve) => {
+    rl.question("  Choice [1]: ", (answer) => {
+      rl.close();
+      const idx = parseInt(answer || "1", 10) - 1;
+      if (idx >= 0 && idx < meshes.length) {
+        resolve(meshes[idx]);
+      } else {
+        console.error("  Invalid choice, using first mesh.");
+        resolve(meshes[0]);
+      }
+    });
+  });
+}
+async function withMesh(opts, fn) {
+  const config = readConfig();
+  if (config.meshes.length === 0) {
+    console.error("No meshes joined. Run `claudemesh join <url>` first.");
+    process.exit(1);
+  }
+  let mesh;
+  if (opts.meshSlug) {
+    const found = config.meshes.find((m) => m.slug === opts.meshSlug);
+    if (!found) {
+      console.error(`Mesh "${opts.meshSlug}" not found. Joined: ${config.meshes.map((m) => m.slug).join(", ")}`);
+      process.exit(1);
+    }
+    mesh = found;
+  } else if (config.meshes.length === 1) {
+    mesh = config.meshes[0];
+  } else {
+    mesh = await pickMesh(config.meshes);
+  }
+  const displayName = opts.displayName ?? config.displayName ?? `${hostname()}-${process.pid}`;
+  const client = new BrokerClient(mesh, { displayName, quiet: true });
+  try {
+    await client.connect();
+    const result = await fn(client, mesh);
+    return result;
+  } finally {
+    client.close();
+  }
+}
+var init_connect = __esm(() => {
+  init_facade3();
+  init_facade();
+});
+
+// src/ui/styles.ts
+function moveTo(row, col) {
+  return isTTY ? `\x1B[${row};${col}H` : "";
+}
+function visibleLength(s) {
+  return s.replace(/\x1b\[[^m]*m/g, "").length;
+}
+var isTTY, esc = (code) => (s) => isTTY ? `${code}${s}\x1B[0m` : s, orange, clay, amber, bold, dim, green, yellow, red, cyan, boldOrange, HIDE_CURSOR, SHOW_CURSOR, CLEAR_SCREEN, CLEAR_LINE, icons;
+var init_styles = __esm(() => {
+  isTTY = process.stdout.isTTY && !process.env.NO_COLOR && process.env.TERM !== "dumb";
+  orange = esc("\x1B[38;5;208m");
+  clay = esc("\x1B[38;5;173m");
+  amber = esc("\x1B[38;5;214m");
+  bold = esc("\x1B[1m");
+  dim = esc("\x1B[2m");
+  green = esc("\x1B[32m");
+  yellow = esc("\x1B[33m");
+  red = esc("\x1B[31m");
+  cyan = esc("\x1B[36m");
+  boldOrange = esc("\x1B[1m\x1B[38;5;208m");
+  HIDE_CURSOR = isTTY ? "\x1B[?25l" : "";
+  SHOW_CURSOR = isTTY ? "\x1B[?25h" : "";
+  CLEAR_SCREEN = isTTY ? "\x1B[2J\x1B[H" : "";
+  CLEAR_LINE = isTTY ? "\x1B[K" : "";
+  icons = {
+    check: "✔",
+    cross: "✘",
+    warn: "⚠",
+    arrow: "→",
+    bullet: "●",
+    dash: "—",
+    ellipsis: "…"
+  };
+});
+
+// src/ui/render.ts
+var OUT, ERR, INDENT = "  ", render;
+var init_render = __esm(() => {
+  init_styles();
+  OUT = process.stdout;
+  ERR = process.stderr;
+  render = {
+    blank() {
+      OUT.write(`
+`);
+    },
+    ok(msg, detail) {
+      const d = detail ? ` ${dim("(" + detail + ")")}` : "";
+      OUT.write(`${INDENT}${green(icons.check)} ${msg}${d}
+`);
+    },
+    warn(msg, hint) {
+      OUT.write(`${INDENT}${yellow(icons.warn)} ${msg}
+`);
+      if (hint)
+        OUT.write(`${INDENT}  ${dim(hint)}
+`);
+    },
+    err(msg, hint) {
+      ERR.write(`${INDENT}${red(icons.cross)} ${msg}
+`);
+      if (hint)
+        ERR.write(`${INDENT}  ${dim(hint)}
+`);
+    },
+    info(msg) {
+      OUT.write(`${INDENT}${msg}
+`);
+    },
+    section(title) {
+      OUT.write(`
+${INDENT}${dim("—")} ${clay(title)}
+
+`);
+    },
+    heading(title) {
+      OUT.write(`${INDENT}${bold(title)}
+`);
+    },
+    kv(pairs, opts) {
+      const pad = opts?.padTo ?? Math.max(...pairs.map(([k]) => k.length)) + 2;
+      for (const [k, v] of pairs) {
+        OUT.write(`${INDENT}${dim(k.padEnd(pad, " "))}${v}
+`);
+      }
+    },
+    code(snippet) {
+      for (const line of snippet.split(`
+`)) {
+        OUT.write(`${INDENT}  ${cyan(line)}
+`);
+      }
+    },
+    link(url) {
+      OUT.write(`${INDENT}${clay(url)}
+`);
+    },
+    hint(msg) {
+      OUT.write(`${INDENT}${dim(icons.arrow + " " + msg)}
+`);
+    }
+  };
+});
+
+// src/constants/exit-codes.ts
+var EXIT;
+var init_exit_codes = __esm(() => {
+  EXIT = {
+    SUCCESS: 0,
+    USER_CANCELLED: 1,
+    AUTH_FAILED: 2,
+    INVALID_ARGS: 3,
+    NETWORK_ERROR: 4,
+    NOT_FOUND: 5,
+    ALREADY_EXISTS: 6,
+    PERMISSION_DENIED: 7,
+    INTERNAL_ERROR: 8,
+    CLAUDE_MISSING: 9
+  };
+});
+
+// src/constants/timings.ts
+var TIMINGS;
+var init_timings = __esm(() => {
+  TIMINGS = {
+    DEVICE_CODE_POLL_MS: 1500,
+    DEVICE_CODE_TIMEOUT_MS: 5 * 60 * 1000,
+    WS_RECONNECT_BASE_MS: 1000,
+    WS_RECONNECT_MAX_MS: 30000,
+    UPDATE_CHECK_INTERVAL_MS: 24 * 60 * 60 * 1000,
+    TELEGRAM_CONNECT_TIMEOUT_MS: 5 * 60 * 1000,
+    TELEGRAM_POLL_INTERVAL_MS: 2000,
+    API_TIMEOUT_MS: 15000,
+    API_RETRY_COUNT: 2
+  };
+});
+
+// src/constants/urls.ts
+var exports_urls = {};
+__export(exports_urls, {
+  env: () => env,
+  VERSION: () => VERSION,
+  URLS: () => URLS
+});
+var URLS, VERSION = "1.0.0-alpha.40", env;
+var init_urls = __esm(() => {
+  URLS = {
+    BROKER: process.env.CLAUDEMESH_BROKER_URL ?? "wss://ic.claudemesh.com/ws",
+    API_BASE: process.env.CLAUDEMESH_API_URL ?? "https://claudemesh.com",
+    DASHBOARD: "https://claudemesh.com/dashboard",
+    NPM_REGISTRY: "https://registry.npmjs.org/claudemesh-cli"
+  };
+  env = {
+    CLAUDEMESH_BROKER_URL: URLS.BROKER,
+    CLAUDEMESH_CONFIG_DIR: process.env.CLAUDEMESH_CONFIG_DIR || undefined,
+    CLAUDEMESH_DEBUG: process.env.CLAUDEMESH_DEBUG === "1" || process.env.CLAUDEMESH_DEBUG === "true"
+  };
+});
+
+// src/services/logger/logger.ts
+function timestamp() {
+  return new Date().toISOString();
+}
+function log(msg, ...args) {
+  if (!isQuiet)
+    console.log(msg, ...args);
+}
+function debug(msg, ...args) {
+  if (isDebug)
+    console.error(`[${timestamp()}] DEBUG ${msg}`, ...args);
+}
+function warn(msg, ...args) {
+  console.error(`⚠ ${msg}`, ...args);
+}
+var isDebug, isQuiet;
+var init_logger = __esm(() => {
+  isDebug = process.env.CLAUDEMESH_DEBUG === "1" || process.env.CLAUDEMESH_DEBUG === "true";
+  isQuiet = process.argv.includes("-q") || process.argv.includes("--quiet");
+});
+
+// src/services/logger/facade.ts
+var init_facade4 = __esm(() => {
+  init_logger();
+});
+
+// src/services/api/errors.ts
+var ApiError, NetworkError;
+var init_errors2 = __esm(() => {
+  ApiError = class ApiError extends Error {
+    status;
+    statusText;
+    body;
+    constructor(status, statusText, body) {
+      super(`API error ${status}: ${statusText}`);
+      this.status = status;
+      this.statusText = statusText;
+      this.body = body;
+      this.name = "ApiError";
+    }
+    get isUnauthorized() {
+      return this.status === 401;
+    }
+    get isNotFound() {
+      return this.status === 404;
+    }
+    get isConflict() {
+      return this.status === 409;
+    }
+    get isRateLimited() {
+      return this.status === 429;
+    }
+  };
+  NetworkError = class NetworkError extends Error {
+    url;
+    constructor(url, cause) {
+      super(`Network error reaching ${url}`);
+      this.url = url;
+      this.name = "NetworkError";
+      this.cause = cause;
+    }
+  };
+});
+
+// src/services/api/client.ts
+async function request(opts) {
+  const base = opts.baseUrl ?? URLS.API_BASE;
+  const url = `${base}${opts.path}`;
+  const method = opts.method ?? "GET";
+  const controller = new AbortController;
+  const timeout = setTimeout(() => controller.abort(), opts.timeoutMs ?? TIMINGS.API_TIMEOUT_MS);
+  const headers = {
+    "Content-Type": "application/json",
+    Accept: "application/json",
+    "User-Agent": "claudemesh-cli/1.0"
+  };
+  if (opts.token)
+    headers.Authorization = `Bearer ${opts.token}`;
+  debug(`${method} ${url}`);
+  try {
+    const res = await fetch(url, {
+      method,
+      headers,
+      body: opts.body ? JSON.stringify(opts.body) : undefined,
+      signal: controller.signal
+    });
+    if (!res.ok) {
+      let body;
+      try {
+        body = await res.json();
+      } catch {
+        body = await res.text();
+      }
+      throw new ApiError(res.status, res.statusText, body);
+    }
+    const text = await res.text();
+    if (!text)
+      return;
+    return JSON.parse(text);
+  } catch (err) {
+    if (err instanceof ApiError)
+      throw err;
+    throw new NetworkError(url, err);
+  } finally {
+    clearTimeout(timeout);
+  }
+}
+async function get(path, token) {
+  return request({ path, token });
+}
+async function post(path, body, token) {
+  return request({ path, method: "POST", body, token });
+}
+var init_client = __esm(() => {
+  init_urls();
+  init_timings();
+  init_facade4();
+  init_errors2();
+});
+
+// src/services/api/my.ts
+var exports_my = {};
+__export(exports_my, {
+  revokeSession: () => revokeSession,
+  renameMesh: () => renameMesh,
+  getProfile: () => getProfile,
+  getMeshes: () => getMeshes,
+  createMesh: () => createMesh,
+  createInvite: () => createInvite,
+  cliSync: () => cliSync
+});
+async function getProfile(token) {
+  return get("/api/my/profile", token);
+}
+async function getMeshes(token) {
+  return get("/api/my/meshes", token);
+}
+async function createMesh(token, body) {
+  return post("/api/my/meshes", body, token);
+}
+async function renameMesh(token, slug, newName) {
+  return request({
+    path: `/api/my/meshes/${slug}`,
+    method: "PATCH",
+    body: { name: newName },
+    token
+  });
+}
+async function createInvite(token, meshSlug, body) {
+  return post(`/api/my/meshes/${meshSlug}/invites`, body, token);
+}
+async function revokeSession(token) {
+  const BROKER_HTTP = (await Promise.resolve().then(() => (init_urls(), exports_urls))).URLS.BROKER.replace("wss://", "https://").replace("ws://", "http://").replace("/ws", "");
+  return request({
+    path: "/cli/session/revoke",
+    method: "POST",
+    body: { token },
+    baseUrl: BROKER_HTTP
+  });
+}
+async function cliSync(token) {
+  return post("/cli-sync", undefined, token);
+}
+var init_my = __esm(() => {
+  init_client();
+});
+
+// src/services/api/public.ts
+var exports_public = {};
+__export(exports_public, {
+  requestDeviceCode: () => requestDeviceCode,
+  pollDeviceCode: () => pollDeviceCode,
+  claimInvite: () => claimInvite
+});
+async function claimInvite(code, body) {
+  return post(`/api/public/invites/${code}/claim`, body);
+}
+async function requestDeviceCode(deviceInfo) {
+  return request({
+    path: "/cli/device-code",
+    method: "POST",
+    body: deviceInfo,
+    baseUrl: BROKER_HTTP
+  });
+}
+async function pollDeviceCode(deviceCode) {
+  return request({
+    path: `/cli/device-code/${deviceCode}`,
+    baseUrl: BROKER_HTTP
+  });
+}
+var BROKER_HTTP;
+var init_public = __esm(() => {
+  init_client();
+  init_urls();
+  BROKER_HTTP = URLS.BROKER.replace("wss://", "https://").replace("ws://", "http://").replace("/ws", "");
+});
+
+// src/services/api/facade.ts
+var init_facade5 = __esm(() => {
+  init_client();
+  init_errors2();
+  init_my();
+  init_public();
+});
+
+// src/services/device/info.ts
+import { hostname as hostname2, platform as platform2, arch, release } from "node:os";
+function getDeviceInfo() {
+  return {
+    hostname: hostname2(),
+    platform: platform2(),
+    arch: arch(),
+    osRelease: release(),
+    nodeVersion: process.version
+  };
+}
+var init_info = () => {};
+
+// src/services/device/facade.ts
+var init_facade6 = __esm(() => {
+  init_info();
+});
+
+// src/services/spawn/claude.ts
+import { spawnSync } from "node:child_process";
+import { existsSync as existsSync2 } from "node:fs";
+function findClaudeBinary() {
+  const candidates = [
+    process.env.CLAUDE_BIN,
+    "/usr/local/bin/claude",
+    `${process.env.HOME}/.local/bin/claude`,
+    `${process.env.HOME}/.npm/bin/claude`
+  ].filter(Boolean);
+  for (const bin of candidates) {
+    if (existsSync2(bin))
+      return bin;
+  }
+  const which = spawnSync("which", ["claude"], { encoding: "utf-8" });
+  if (which.status === 0 && which.stdout.trim())
+    return which.stdout.trim();
+  return null;
+}
+function spawnClaude(opts) {
+  const bin = findClaudeBinary();
+  if (!bin)
+    throw new Error("Claude binary not found. Install with: npm i -g @anthropic-ai/claude-code");
+  return spawnSync(bin, opts.args, {
+    stdio: "inherit",
+    env: { ...process.env, ...opts.env },
+    cwd: opts.cwd
+  });
+}
+var init_claude = () => {};
+
+// src/services/spawn/browser.ts
+import { execFile } from "node:child_process";
+import { platform as platform3 } from "node:os";
+function openBrowser(url) {
+  return new Promise((resolve, reject) => {
+    const os = platform3();
+    let bin;
+    let args;
+    if (os === "darwin") {
+      bin = "open";
+      args = [url];
+    } else if (os === "win32") {
+      bin = "cmd";
+      args = ["/c", "start", "", url];
+    } else {
+      bin = "xdg-open";
+      args = [url];
+    }
+    execFile(bin, args, (err) => {
+      if (err)
+        reject(err);
+      else
+        resolve();
+    });
+  });
+}
+var init_browser = () => {};
+
+// src/services/spawn/facade.ts
+var exports_facade3 = {};
+__export(exports_facade3, {
+  spawnClaude: () => spawnClaude,
+  openBrowser: () => openBrowser,
+  findClaudeBinary: () => findClaudeBinary
+});
+var init_facade7 = __esm(() => {
+  init_claude();
+  init_browser();
+});
+
+// src/services/auth/token-store.ts
+import { readFileSync as readFileSync2, writeFileSync as writeFileSync2, unlinkSync, existsSync as existsSync3, openSync as openSync2, closeSync as closeSync2 } from "node:fs";
+function getStoredToken() {
+  if (!existsSync3(PATHS.AUTH_FILE))
+    return null;
+  try {
+    const raw = readFileSync2(PATHS.AUTH_FILE, "utf-8");
+    return JSON.parse(raw);
+  } catch {
+    return null;
+  }
+}
+function storeToken(auth) {
+  ensureConfigDir();
+  const data = { ...auth, stored_at: new Date().toISOString() };
+  const content = JSON.stringify(data, null, 2) + `
+`;
+  const fd = openSync2(PATHS.AUTH_FILE, "w", 384);
+  try {
+    writeFileSync2(fd, content, "utf-8");
+  } finally {
+    closeSync2(fd);
+  }
+}
+function clearToken() {
+  try {
+    unlinkSync(PATHS.AUTH_FILE);
+  } catch {}
+}
+var init_token_store = __esm(() => {
+  init_paths();
+  init_facade();
+});
+
+// src/services/auth/errors.ts
+var AuthError, DeviceCodeExpired, NotSignedIn;
+var init_errors3 = __esm(() => {
+  AuthError = class AuthError extends Error {
+    constructor(message) {
+      super(message);
+      this.name = "AuthError";
+    }
+  };
+  DeviceCodeExpired = class DeviceCodeExpired extends AuthError {
+    constructor() {
+      super("Device code expired. Run `claudemesh login` again.");
+    }
+  };
+  NotSignedIn = class NotSignedIn extends AuthError {
+    constructor() {
+      super("Not signed in. Run `claudemesh login` first.");
+    }
+  };
+});
+
+// src/services/auth/device-code.ts
+import { createInterface as createInterface2 } from "node:readline";
+function parseJwtUser(token) {
+  try {
+    const parts = token.split(".");
+    if (parts[1]) {
+      const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString());
+      if (payload.exp && payload.exp < Date.now() / 1000)
+        throw new Error("expired");
+      return {
+        id: payload.sub ?? "",
+        display_name: payload.name ?? payload.email ?? "",
+        email: payload.email ?? ""
+      };
+    }
+  } catch {}
+  throw new Error("Invalid token");
+}
+async function loginWithDeviceCode() {
+  const device = getDeviceInfo();
+  const { device_code, user_code, session_id, verification_url, token_url } = await exports_public.requestDeviceCode({
+    hostname: device.hostname,
+    platform: device.platform,
+    arch: device.arch
+  });
+  const browserUrl = `${verification_url}?session=${session_id}`;
+  const isTTY2 = process.stdout.isTTY && !process.env.NO_COLOR;
+  const orange2 = (s) => isTTY2 ? `\x1B[38;5;208m${s}\x1B[0m` : s;
+  const bold2 = (s) => isTTY2 ? `\x1B[1m${s}\x1B[0m` : s;
+  const dim2 = (s) => isTTY2 ? `\x1B[2m${s}\x1B[0m` : s;
+  log("");
+  log("  " + orange2("claudemesh") + " — sign in to connect your terminal");
+  log("");
+  log("  ┌──────────────────────────────────┐");
+  log("  │                                  │");
+  log("  │   Your code:  " + bold2(user_code) + "          │");
+  log("  │                                  │");
+  log("  └──────────────────────────────────┘");
+  log("");
+  log("  " + dim2("Confirm this code matches your browser."));
+  log("");
+  log("  " + dim2("If the browser didn't open, visit:"));
+  log("  " + browserUrl);
+  log("");
+  log("  " + dim2("Can't use a browser? Generate a token at:"));
+  log("  " + (token_url || verification_url.replace("/cli-auth", "/token")));
+  log("  " + dim2("Then paste it below."));
+  log("");
+  log("  Waiting… " + dim2("(paste token or Ctrl-C to cancel)"));
+  try {
+    await openBrowser(browserUrl);
+  } catch {
+    warn("  Could not open browser automatically.");
+  }
+  return new Promise((resolve, reject) => {
+    let done = false;
+    const rl = createInterface2({ input: process.stdin, output: process.stdout });
+    rl.on("line", (line) => {
+      if (done)
+        return;
+      const trimmed = line.trim();
+      if (trimmed.split(".").length === 3 && trimmed.length > 50) {
+        done = true;
+        rl.close();
+        try {
+          const user = parseJwtUser(trimmed);
+          storeToken({ session_token: trimmed, user, token_source: "manual" });
+          resolve({ user, session_token: trimmed });
+        } catch (e) {
+          reject(new Error("Invalid or expired token. Generate a new one."));
+        }
+      }
+    });
+    const startTime = Date.now();
+    const poll = async () => {
+      while (!done && Date.now() - startTime < TIMINGS.DEVICE_CODE_TIMEOUT_MS) {
+        await new Promise((r) => setTimeout(r, TIMINGS.DEVICE_CODE_POLL_MS));
+        if (done)
+          return;
+        try {
+          const result = await exports_public.pollDeviceCode(device_code);
+          if (result.status === "approved" && result.session_token && result.user) {
+            if (done)
+              return;
+            done = true;
+            rl.close();
+            storeToken({ session_token: result.session_token, user: result.user, token_source: "device-code" });
+            resolve({ user: result.user, session_token: result.session_token });
+            return;
+          }
+          if (result.status === "expired") {
+            if (done)
+              return;
+            done = true;
+            rl.close();
+            reject(new DeviceCodeExpired);
+            return;
+          }
+        } catch {}
+      }
+      if (!done) {
+        done = true;
+        rl.close();
+        reject(new DeviceCodeExpired);
+      }
+    };
+    poll();
+  });
+}
+var init_device_code = __esm(() => {
+  init_timings();
+  init_facade5();
+  init_facade6();
+  init_facade7();
+  init_facade4();
+  init_token_store();
+  init_errors3();
+});
+
+// src/services/auth/client.ts
+function requireToken() {
+  const auth = getStoredToken();
+  if (!auth)
+    throw new NotSignedIn;
+  return auth.session_token;
+}
+async function whoAmI() {
+  const auth = getStoredToken();
+  if (!auth)
+    return { signed_in: false };
+  try {
+    const profile = await exports_my.getProfile(auth.session_token);
+    const meshes = await exports_my.getMeshes(auth.session_token);
+    const owned = meshes.filter((m) => m.role === "owner").length;
+    return {
+      signed_in: true,
+      user: profile,
+      token_source: auth.token_source,
+      meshes: { owned, guest: meshes.length - owned }
+    };
+  } catch (err) {
+    if (err instanceof ApiError && err.isUnauthorized) {
+      clearToken();
+      return { signed_in: false };
+    }
+    throw err;
+  }
+}
+async function logout() {
+  const token = requireToken();
+  let revoked = false;
+  try {
+    await exports_my.revokeSession(token);
+    revoked = true;
+  } catch {}
+  clearToken();
+  return { revoked };
+}
+async function register(callbackPort) {
+  const { openBrowser: openBrowser2 } = await Promise.resolve().then(() => (init_facade7(), exports_facade3));
+  const url = `https://claudemesh.com/register?source=cli&callback=http://localhost:${callbackPort}`;
+  await openBrowser2(url);
+}
+var init_client2 = __esm(() => {
+  init_facade5();
+  init_facade5();
+  init_token_store();
+  init_errors3();
+});
+
+// src/services/auth/dashboard-sync.ts
+async function syncWithBroker(syncToken, peerPubkey, displayName, brokerBaseUrl) {
+  const base = brokerBaseUrl ?? deriveHttpUrl(URLS.BROKER);
+  const res = await fetch(`${base}/cli-sync`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({
+      sync_token: syncToken,
+      peer_pubkey: peerPubkey,
+      display_name: displayName
+    })
+  });
+  if (!res.ok) {
+    const body2 = await res.text();
+    let msg;
+    try {
+      msg = JSON.parse(body2).error ?? body2;
+    } catch {
+      msg = body2;
+    }
+    throw new Error(`Broker sync failed (${res.status}): ${msg}`);
+  }
+  const body = await res.json();
+  if (!body.ok)
+    throw new Error(`Broker sync failed: ${body.error ?? "unknown error"}`);
+  return { account_id: body.account_id, meshes: body.meshes };
+}
+function deriveHttpUrl(wssUrl) {
+  const url = new URL(wssUrl);
+  url.protocol = url.protocol === "wss:" ? "https:" : "http:";
+  url.pathname = url.pathname.replace(/\/ws\/?$/, "");
+  return url.toString().replace(/\/$/, "");
+}
+var init_dashboard_sync = __esm(() => {
+  init_urls();
+});
+
+// src/services/auth/callback-listener.ts
+import { createServer } from "node:http";
+function startCallbackListener() {
+  return new Promise((resolveStart) => {
+    let resolveToken;
+    let resolved = false;
+    const tokenPromise = new Promise((r) => {
+      resolveToken = r;
+    });
+    const server = createServer((req, res) => {
+      const url = new URL(req.url, "http://localhost");
+      if (req.method === "OPTIONS") {
+        res.writeHead(204, {
+          "Access-Control-Allow-Origin": "https://claudemesh.com",
+          "Access-Control-Allow-Methods": "GET",
+          "Access-Control-Allow-Headers": "Content-Type"
+        });
+        res.end();
+        return;
+      }
+      if (url.pathname === "/ping") {
+        res.writeHead(200, {
+          "Content-Type": "text/plain",
+          "Access-Control-Allow-Origin": "https://claudemesh.com"
+        });
+        res.end("ok");
+        return;
+      }
+      if (url.pathname === "/callback") {
+        const token = url.searchParams.get("token");
+        if (token && !resolved) {
+          resolved = true;
+          res.writeHead(200, {
+            "Content-Type": "text/html",
+            "Access-Control-Allow-Origin": "https://claudemesh.com"
+          });
+          res.end("<html><body><h2>Done! You can close this tab.</h2></body></html>");
+          resolveToken(token);
+          setTimeout(() => server.close(), 500);
+        } else {
+          res.writeHead(400, { "Content-Type": "text/plain" });
+          res.end("Missing token");
+        }
+        return;
+      }
+      res.writeHead(404);
+      res.end();
+    });
+    server.listen(0, "127.0.0.1", () => {
+      const addr = server.address();
+      resolveStart({
+        port: addr.port,
+        token: tokenPromise,
+        close: () => server.close()
+      });
+    });
+  });
+}
+var init_callback_listener = () => {};
+
+// src/services/auth/facade.ts
+var exports_facade4 = {};
+__export(exports_facade4, {
+  whoAmI: () => whoAmI,
+  syncWithBroker: () => syncWithBroker,
+  storeToken: () => storeToken,
+  startCallbackListener: () => startCallbackListener,
+  register: () => register,
+  logout: () => logout,
+  loginWithDeviceCode: () => loginWithDeviceCode,
+  getStoredToken: () => getStoredToken,
+  generatePairingCode: () => generatePairingCode,
+  clearToken: () => clearToken,
+  NotSignedIn: () => NotSignedIn,
+  DeviceCodeExpired: () => DeviceCodeExpired,
+  AuthError: () => AuthError
+});
+import { randomBytes as randomBytes3 } from "node:crypto";
+function generatePairingCode() {
+  const bytes = randomBytes3(4);
+  return Array.from(bytes, (b) => CHARS[b % CHARS.length]).join("");
+}
+var CHARS = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789";
+var init_facade8 = __esm(() => {
+  init_device_code();
+  init_client2();
+  init_dashboard_sync();
+  init_token_store();
+  init_callback_listener();
+  init_errors3();
+});
+
+// src/commands/grants.ts
+var exports_grants = {};
+__export(exports_grants, {
+  runRevoke: () => runRevoke,
+  runGrants: () => runGrants,
+  runGrant: () => runGrant,
+  runBlock: () => runBlock,
+  isAllowed: () => isAllowed
+});
+import { existsSync as existsSync4, mkdirSync as mkdirSync2, readFileSync as readFileSync3, writeFileSync as writeFileSync3 } from "node:fs";
+import { homedir as homedir2 } from "node:os";
+import { join as join2 } from "node:path";
+async function syncToBroker(meshSlug, grants) {
+  const auth = getStoredToken();
+  if (!auth)
+    return;
+  try {
+    await request({
+      path: `/cli/mesh/${meshSlug}/grants`,
+      method: "POST",
+      body: { grants },
+      baseUrl: BROKER_HTTP2,
+      token: auth.session_token
+    });
+  } catch (e) {
+    render.warn(`broker grant sync failed — client filter still active: ${e instanceof Error ? e.message : e}`);
+  }
+}
+function readGrants() {
+  if (!existsSync4(GRANT_FILE))
+    return {};
+  try {
+    return JSON.parse(readFileSync3(GRANT_FILE, "utf-8"));
+  } catch {
+    return {};
+  }
+}
+function writeGrants(g) {
+  const dir = join2(homedir2(), ".claudemesh");
+  if (!existsSync4(dir))
+    mkdirSync2(dir, { recursive: true });
+  writeFileSync3(GRANT_FILE, JSON.stringify(g, null, 2), { mode: 384 });
+}
+function resolveCaps(input) {
+  if (input.includes("all"))
+    return [...ALL_CAPS];
+  return input.filter((c) => ALL_CAPS.includes(c));
+}
+async function resolvePeer(meshSlug, name) {
+  return await withMesh({ meshSlug }, async (client) => {
+    const peers = await client.listPeers();
+    const match = peers.find((p) => p.displayName === name || p.pubkey === name || p.pubkey.startsWith(name) || p.memberPubkey === name || p.memberPubkey && p.memberPubkey.startsWith(name));
+    if (!match)
+      return null;
+    const key = match.memberPubkey ?? match.pubkey;
+    return { displayName: match.displayName, pubkey: key };
+  });
+}
+function pickMesh2(slug) {
+  const cfg = readConfig();
+  if (slug)
+    return cfg.meshes.find((m) => m.slug === slug) ? slug : null;
+  return cfg.meshes[0]?.slug ?? null;
+}
+async function runGrant(peer, caps, opts = {}) {
+  if (!peer || caps.length === 0) {
+    render.err("Usage: claudemesh grant <peer> <capability...>");
+    render.hint(`Capabilities: ${ALL_CAPS.join(", ")}, all`);
+    return EXIT.INVALID_ARGS;
+  }
+  const mesh = pickMesh2(opts.mesh);
+  if (!mesh) {
+    render.err("No matching mesh — join one first.");
+    return EXIT.NOT_FOUND;
+  }
+  const resolved = await resolvePeer(mesh, peer);
+  if (!resolved) {
+    render.err(`Peer "${peer}" not found on ${mesh}.`);
+    return EXIT.NOT_FOUND;
+  }
+  const wanted = resolveCaps(caps);
+  if (wanted.length === 0) {
+    render.err(`Unknown capabilities: ${caps.join(", ")}`);
+    return EXIT.INVALID_ARGS;
+  }
+  const store = readGrants();
+  const meshGrants = store[mesh] ?? {};
+  const existing = meshGrants[resolved.pubkey] ?? DEFAULT_CAPS.slice();
+  const merged = Array.from(new Set([...existing, ...wanted]));
+  meshGrants[resolved.pubkey] = merged;
+  store[mesh] = meshGrants;
+  writeGrants(store);
+  await syncToBroker(mesh, { [resolved.pubkey]: merged });
+  render.ok(`Granted ${wanted.join(", ")} to ${resolved.displayName} on ${mesh}.`);
+  render.kv([["now", merged.join(", ")]]);
+  return EXIT.SUCCESS;
+}
+async function runRevoke(peer, caps, opts = {}) {
+  if (!peer || caps.length === 0) {
+    render.err("Usage: claudemesh revoke <peer> <capability...>");
+    return EXIT.INVALID_ARGS;
+  }
+  const mesh = pickMesh2(opts.mesh);
+  if (!mesh) {
+    render.err("No matching mesh.");
+    return EXIT.NOT_FOUND;
+  }
+  const resolved = await resolvePeer(mesh, peer);
+  if (!resolved) {
+    render.err(`Peer "${peer}" not found on ${mesh}.`);
+    return EXIT.NOT_FOUND;
+  }
+  const wanted = caps.includes("all") ? ALL_CAPS.slice() : resolveCaps(caps);
+  const store = readGrants();
+  const meshGrants = store[mesh] ?? {};
+  const existing = meshGrants[resolved.pubkey] ?? DEFAULT_CAPS.slice();
+  const after = existing.filter((c) => !wanted.includes(c));
+  meshGrants[resolved.pubkey] = after;
+  store[mesh] = meshGrants;
+  writeGrants(store);
+  await syncToBroker(mesh, { [resolved.pubkey]: after });
+  render.ok(`Revoked ${wanted.join(", ")} from ${resolved.displayName} on ${mesh}.`);
+  render.kv([["now", after.length ? after.join(", ") : "(none)"]]);
+  return EXIT.SUCCESS;
+}
+async function runBlock(peer, opts = {}) {
+  if (!peer) {
+    render.err("Usage: claudemesh block <peer>");
+    return EXIT.INVALID_ARGS;
+  }
+  const mesh = pickMesh2(opts.mesh);
+  if (!mesh) {
+    render.err("No matching mesh.");
+    return EXIT.NOT_FOUND;
+  }
+  const resolved = await resolvePeer(mesh, peer);
+  if (!resolved) {
+    render.err(`Peer "${peer}" not found on ${mesh}.`);
+    return EXIT.NOT_FOUND;
+  }
+  const store = readGrants();
+  const meshGrants = store[mesh] ?? {};
+  meshGrants[resolved.pubkey] = [];
+  store[mesh] = meshGrants;
+  writeGrants(store);
+  await syncToBroker(mesh, { [resolved.pubkey]: [] });
+  render.ok(`Blocked ${resolved.displayName} on ${mesh} (all capabilities revoked).`);
+  render.hint(`Undo with: claudemesh grant ${resolved.displayName} all --mesh ${mesh}`);
+  return EXIT.SUCCESS;
+}
+async function runGrants(opts = {}) {
+  const mesh = pickMesh2(opts.mesh);
+  if (!mesh) {
+    render.err("No matching mesh.");
+    return EXIT.NOT_FOUND;
+  }
+  const store = readGrants();
+  const meshGrants = store[mesh] ?? {};
+  if (opts.json) {
+    console.log(JSON.stringify({ schema_version: "1.0", mesh, grants: meshGrants }, null, 2));
+    return EXIT.SUCCESS;
+  }
+  render.section(`grants on ${mesh}`);
+  const peerPubkeys = Object.keys(meshGrants);
+  if (peerPubkeys.length === 0) {
+    render.info("(no overrides — all peers use default caps: " + DEFAULT_CAPS.join(", ") + ")");
+    return EXIT.SUCCESS;
+  }
+  await withMesh({ meshSlug: mesh }, async (client) => {
+    const peers = await client.listPeers();
+    const byPk = new Map(peers.map((p) => [p.pubkey, p.displayName]));
+    for (const [pk, caps] of Object.entries(meshGrants)) {
+      const name = byPk.get(pk) ?? `${pk.slice(0, 10)}…`;
+      render.kv([[name, caps.length ? caps.join(", ") : "(blocked)"]]);
+    }
+  });
+  return EXIT.SUCCESS;
+}
+function isAllowed(meshSlug, peerPubkey, cap) {
+  const store = readGrants();
+  const entry = store[meshSlug]?.[peerPubkey];
+  if (entry === undefined)
+    return DEFAULT_CAPS.includes(cap);
+  return entry.includes(cap);
+}
+var BROKER_HTTP2, ALL_CAPS, DEFAULT_CAPS, GRANT_FILE;
+var init_grants = __esm(() => {
+  init_facade();
+  init_connect();
+  init_render();
+  init_exit_codes();
+  init_facade8();
+  init_facade5();
+  init_urls();
+  BROKER_HTTP2 = URLS.BROKER.replace("wss://", "https://").replace("ws://", "http://").replace("/ws", "");
+  ALL_CAPS = ["read", "dm", "broadcast", "state-read", "state-write", "file-read"];
+  DEFAULT_CAPS = ["read", "dm", "broadcast", "state-read"];
+  GRANT_FILE = join2(homedir2(), ".claudemesh", "grants.json");
+});
+
 // src/mcp/server.ts
 import { Server } from "@modelcontextprotocol/sdk/server/index.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
@@ -3350,8 +4453,10 @@ async function resolveClient(to) {
     };
   }
   const nameLower = target.toLowerCase();
+  const candidates = [];
   for (const c of targetClients) {
     const peers = await c.listPeers();
+    candidates.push({ mesh: c.meshSlug, peers });
     const match = peers.find((p) => p.displayName.toLowerCase() === nameLower);
     if (match)
       return { client: c, targetSpec: match.pubkey };
@@ -3362,13 +4467,11 @@ async function resolveClient(to) {
       return { client: c, targetSpec: partials[0].pubkey };
     }
   }
-  if (targetClients.length === 1) {
-    return { client: targetClients[0], targetSpec: target };
-  }
+  const known = candidates.flatMap((c) => c.peers.map((p) => `${c.mesh}/${p.displayName}`));
   return {
     client: null,
     targetSpec: target,
-    error: `peer "${target}" not found in any mesh (joined: ${clients2.map((c) => c.meshSlug).join(", ")})`
+    error: `peer "${target}" not found. ` + (known.length ? `Known peers: ${known.slice(0, 10).join(", ")}${known.length > 10 ? ", …" : ""}` : "No connected peers on your mesh(es). Use pubkey hex, @group, or * for broadcast.")
   };
 }
 async function resolvePeerName(client, pubkey) {
@@ -3686,9 +4789,9 @@ ${manifest.allowed_tools.map((t) => `  - ${t}`).join(`
         const results = [];
         const seen = new Set;
         for (const target of targets) {
-          const { client, targetSpec, error } = await resolveClient(target);
+          const { client, targetSpec, error: error2 } = await resolveClient(target);
           if (!client) {
-            results.push(`✗ ${target}: ${error ?? "no client resolved"}`);
+            results.push(`✗ ${target}: ${error2 ?? "no client resolved"}`);
             continue;
           }
           if (seen.has(targetSpec))
@@ -3710,13 +4813,23 @@ ${manifest.allowed_tools.map((t) => `  - ${t}`).join(`
         if (clients2.length === 0)
           return text(mesh_slug ? `list_peers: no joined mesh "${mesh_slug}"` : "list_peers: no joined meshes", true);
         const sections = [];
+        const statusCache = {};
         for (const c of clients2) {
           const peers = await c.listPeers();
           const header = `## ${c.meshSlug} (${c.status}, mesh ${c.meshId.slice(0, 8)}…)`;
+          statusCache[c.meshSlug] = {
+            total: peers.length,
+            online: peers.filter((p) => p.status !== "offline").length,
+            updatedAt: new Date().toISOString(),
+            you: process.env.CLAUDEMESH_DISPLAY_NAME ?? undefined
+          };
           if (peers.length === 0) {
             sections.push(`${header}
 No peers connected.`);
           } else {
+            const pubkeyCounts = new Map;
+            for (const p of peers)
+              pubkeyCounts.set(p.pubkey, (pubkeyCounts.get(p.pubkey) ?? 0) + 1);
             const peerLines = peers.map((p) => {
               const summary = p.summary ? ` — "${p.summary}"` : "";
               const groupsStr = p.groups?.length ? ` [${p.groups.map((g) => `@${g.name}${g.role ? ":" + g.role : ""}`).join(", ")}]` : "";
@@ -3734,13 +4847,24 @@ No peers connected.`);
               const profileAvatar = p.profile?.avatar ? `${p.profile.avatar} ` : "";
               const profileTitle = p.profile?.title ? ` (${p.profile.title})` : "";
               const hiddenTag = p.visible === false ? " [hidden]" : "";
-              return `- ${profileAvatar}**${p.displayName}**${profileTitle} [${p.status}]${localityTag}${hiddenTag}${groupsStr}${metaStr} (${p.pubkey.slice(0, 12)}…)${cwdStr}${summary}`;
+              const sameKeyCount = pubkeyCounts.get(p.pubkey) ?? 1;
+              const sameKeyTag = sameKeyCount > 1 ? ` [shares key with ${sameKeyCount - 1} other session(s)]` : "";
+              return `- ${profileAvatar}**${p.displayName}**${profileTitle} [${p.status}]${localityTag}${hiddenTag}${sameKeyTag}${groupsStr}${metaStr} (${p.pubkey.slice(0, 12)}…)${cwdStr}${summary}`;
             });
             sections.push(`${header}
 ${peerLines.join(`
 `)}`);
           }
         }
+        try {
+          const { writeFileSync: writeFileSync4, mkdirSync: mkdirSync3, existsSync: existsSync5 } = await import("node:fs");
+          const { join: joinPath } = await import("node:path");
+          const { homedir: homedir3 } = await import("node:os");
+          const dir = joinPath(homedir3(), ".claudemesh");
+          if (!existsSync5(dir))
+            mkdirSync3(dir, { recursive: true });
+          writeFileSync4(joinPath(dir, "peer-cache.json"), JSON.stringify(statusCache));
+        } catch {}
         return text(sections.join(`
 
 `));
@@ -3762,8 +4886,8 @@ ${peerLines.join(`
           return text(`Message ${id} not found or timed out.`);
         const recipientLines = result.recipients.map((r) => `  - ${r.name} (${r.pubkey.slice(0, 12)}…): ${r.status}`);
         return text(`Message ${id.slice(0, 12)}… → ${result.targetSpec}
-` + `Delivered: ${result.delivered}${result.deliveredAt ? ` at ${result.deliveredAt}` : ""}
-` + `Recipients:
+Delivered: ${result.delivered}${result.deliveredAt ? ` at ${result.deliveredAt}` : ""}
+Recipients:
 ${recipientLines.join(`
 `)}`);
       }
@@ -3981,23 +5105,23 @@ ${lines.join(`
         const { path: filePath, name: fileName, tags, to: fileTo } = args ?? {};
         if (!filePath)
           return text("share_file: `path` required", true);
-        const { existsSync: existsSync2 } = await import("node:fs");
-        if (!existsSync2(filePath))
+        const { existsSync: existsSync5 } = await import("node:fs");
+        if (!existsSync5(filePath))
           return text(`share_file: file not found: ${filePath}`, true);
         const client = allClients()[0];
         if (!client)
           return text("share_file: not connected", true);
         if (fileTo) {
           const { encryptFile: encryptFile2, sealKeyForPeer: sealKeyForPeer2 } = await Promise.resolve().then(() => (init_file_crypto(), exports_file_crypto));
-          const { readFileSync: readFileSync2, writeFileSync: writeFileSync2, mkdtempSync, unlinkSync, rmdirSync } = await import("node:fs");
+          const { readFileSync: readFileSync4, writeFileSync: writeFileSync4, mkdtempSync, unlinkSync: unlinkSync2, rmdirSync } = await import("node:fs");
           const { tmpdir } = await import("node:os");
-          const { join: join2, basename } = await import("node:path");
+          const { join: join3, basename } = await import("node:path");
           const peers = await client.listPeers();
           const targetPeer = peers.find((p) => p.pubkey === fileTo || p.displayName === fileTo);
           if (!targetPeer) {
             return text(`share_file: peer not found: ${fileTo}`, true);
           }
-          const plaintext = readFileSync2(filePath);
+          const plaintext = readFileSync4(filePath);
           const { ciphertext, nonce, key } = await encryptFile2(new Uint8Array(plaintext));
           const sealedForTarget = await sealKeyForPeer2(key, targetPeer.pubkey);
           const myPubkey = client.getSessionPubkey();
@@ -4014,9 +5138,9 @@ ${lines.join(`
           combined.set(ciphertext, nonceBytes.length);
           const rawName = fileName ?? basename(filePath);
           const baseName = basename(rawName).replace(/[^a-zA-Z0-9._-]/g, "_").slice(0, 255);
-          const tmpDir = mkdtempSync(join2(tmpdir(), "cm-"));
-          const tmpPath = join2(tmpDir, baseName);
-          writeFileSync2(tmpPath, combined);
+          const tmpDir = mkdtempSync(join3(tmpdir(), "cm-"));
+          const tmpPath = join3(tmpDir, baseName);
+          writeFileSync4(tmpPath, combined);
           try {
             const fileId = await client.uploadFile(tmpPath, client.meshId, client.meshSlug, {
               name: baseName,
@@ -4031,7 +5155,7 @@ ${lines.join(`
             return text(`share_file: upload failed — ${e instanceof Error ? e.message : String(e)}`, true);
           } finally {
             try {
-              unlinkSync(tmpPath);
+              unlinkSync2(tmpPath);
             } catch {}
             try {
               rmdirSync(tmpDir);
@@ -4091,10 +5215,10 @@ ${lines.join(`
           const plaintext = await decryptFile2(ciphertext, nonce, kf);
           if (!plaintext)
             return text(genericErr, true);
-          const { writeFileSync: writeFileSync3, mkdirSync: mkdirSync3 } = await import("node:fs");
+          const { writeFileSync: writeFileSync5, mkdirSync: mkdirSync4 } = await import("node:fs");
           const { dirname: dirname2 } = await import("node:path");
-          mkdirSync3(dirname2(save_to), { recursive: true });
-          writeFileSync3(save_to, plaintext);
+          mkdirSync4(dirname2(save_to), { recursive: true });
+          writeFileSync5(save_to, plaintext);
           return text(`Downloaded and decrypted: ${result.name} → ${save_to}`);
         }
         let res = await fetch(result.url, { signal: AbortSignal.timeout(1e4) }).catch(() => null);
@@ -4104,10 +5228,10 @@ ${lines.join(`
         }
         if (!res.ok)
           return text(`get_file: download failed (${res.status})`, true);
-        const { writeFileSync: writeFileSync2, mkdirSync: mkdirSync2 } = await import("node:fs");
+        const { writeFileSync: writeFileSync4, mkdirSync: mkdirSync3 } = await import("node:fs");
         const { dirname } = await import("node:path");
-        mkdirSync2(dirname(save_to), { recursive: true });
-        writeFileSync2(save_to, Buffer.from(await res.arrayBuffer()));
+        mkdirSync3(dirname(save_to), { recursive: true });
+        writeFileSync4(save_to, Buffer.from(await res.arrayBuffer()));
         return text(`Downloaded: ${result.name} → ${save_to}`);
       }
       case "list_files": {
@@ -4865,10 +5989,10 @@ ${lines.join(`
         const entryType = vType ?? "env";
         let plaintextBytes;
         if (entryType === "file") {
-          const { existsSync: existsSync2, readFileSync: readFileSync2 } = await import("node:fs");
-          if (!existsSync2(value))
+          const { existsSync: existsSync5, readFileSync: readFileSync4 } = await import("node:fs");
+          if (!existsSync5(value))
             return text(`vault_set: file not found: ${value}`, true);
-          plaintextBytes = new Uint8Array(readFileSync2(value));
+          plaintextBytes = new Uint8Array(readFileSync4(value));
         } else {
           plaintextBytes = new TextEncoder().encode(value);
         }
@@ -5196,6 +6320,17 @@ ${lines.join(`
         }
         const fromPubkey = msg.senderPubkey || "";
         const fromName = fromPubkey ? await resolvePeerName(client, fromPubkey) : "unknown";
+        if (fromPubkey) {
+          try {
+            const { isAllowed: isAllowed2 } = await Promise.resolve().then(() => (init_grants(), exports_grants));
+            const kindCap = msg.kind === "broadcast" ? "broadcast" : "dm";
+            if (!isAllowed2(client.meshSlug, fromPubkey, kindCap)) {
+              process.stderr.write(`[claudemesh] dropped ${kindCap} from ${fromName} (not granted)
+`);
+              return;
+            }
+          } catch {}
+        }
         if (messageMode === "inbox") {
           try {
             await server.notification({
@@ -5208,7 +6343,10 @@ ${lines.join(`
           } catch {}
           return;
         }
-        const content = msg.plaintext ?? decryptFailedWarning(fromPubkey);
+        const body = msg.plaintext ?? decryptFailedWarning(fromPubkey);
+        const prioBadge = msg.priority === "now" ? "[URGENT] " : msg.priority === "low" ? "[low] " : "";
+        const kindBadge = msg.kind === "broadcast" ? " (broadcast)" : "";
+        const content = `${prioBadge}${fromName}${kindBadge}: ${body}`;
         try {
           await server.notification({
             method: "notifications/claude/channel",
@@ -5227,7 +6365,7 @@ ${lines.join(`
               }
             }
           });
-          process.stderr.write(`[claudemesh] pushed: from=${fromName} content=${content.slice(0, 60)}
+          process.stderr.write(`[claudemesh] pushed: from=${fromName} content=${body.slice(0, 60)}
 `);
         } catch (pushErr) {
           process.stderr.write(`[claudemesh] push FAILED: ${pushErr}
@@ -5421,4 +6559,4 @@ startMcpServer().catch((err) => {
   process.exit(1);
 });
 
-//# debugId=F4442514279DCE8564756E2164756E21
+//# debugId=CCA5747403B744DA64756E2164756E21