claudemesh-cli 1.5.0 → 1.6.1

package/dist/entrypoints/cli.js

@@ -88,7 +88,7 @@ __export(exports_urls, {
   VERSION: () => VERSION,
   URLS: () => URLS
 });
-var URLS, VERSION = "1.5.0", env;
+var URLS, VERSION = "1.6.1", env;
 var init_urls = __esm(() => {
   URLS = {
     BROKER: process.env.CLAUDEMESH_BROKER_URL ?? "wss://ic.claudemesh.com/ws",
@@ -751,10 +751,25 @@ function requireToken() {
     throw new NotSignedIn;
   return auth.session_token;
 }
+function localView() {
+  const cfg = readConfig();
+  if (cfg.meshes.length === 0)
+    return;
+  return {
+    config_path: PATHS.CONFIG_FILE,
+    meshes: cfg.meshes.map((m) => ({
+      slug: m.slug,
+      mesh_id: m.meshId,
+      member_id: m.memberId,
+      pubkey_prefix: m.pubkey.slice(0, 12)
+    }))
+  };
+}
 async function whoAmI() {
   const auth = getStoredToken();
+  const local = localView();
   if (!auth)
-    return { signed_in: false };
+    return { signed_in: false, local };
   try {
     const profile = await exports_my.getProfile(auth.session_token);
     const meshes = await exports_my.getMeshes(auth.session_token);
@@ -763,12 +778,13 @@ async function whoAmI() {
       signed_in: true,
       user: profile,
       token_source: auth.token_source,
-      meshes: { owned, guest: meshes.length - owned }
+      meshes: { owned, guest: meshes.length - owned },
+      local
     };
   } catch (err) {
     if (err instanceof ApiError && err.isUnauthorized) {
       clearToken();
-      return { signed_in: false };
+      return { signed_in: false, local };
     }
     throw err;
   }
@@ -791,6 +807,8 @@ async function register(callbackPort) {
 var init_client2 = __esm(() => {
   init_facade3();
   init_facade3();
+  init_facade();
+  init_paths();
   init_token_store();
   init_errors2();
 });
@@ -1132,6 +1150,13 @@ class BrokerClient {
   grantFileAccessResolvers = new Map;
   peerFileResponseResolvers = new Map;
   peerDirResponseResolvers = new Map;
+  topicCreatedResolvers = new Map;
+  topicListResolvers = new Map;
+  topicMembersResolvers = new Map;
+  topicHistoryResolvers = new Map;
+  apiKeyCreatedResolvers = new Map;
+  apiKeyListResolvers = new Map;
+  apiKeyRevokeResolvers = new Map;
   sharedDirs = [process.cwd()];
   _serviceCatalog = [];
   get serviceCatalog() {
@@ -1434,6 +1459,128 @@ class BrokerClient {
       return;
     this.ws.send(JSON.stringify({ type: "leave_group", name }));
   }
+  async topicCreate(args) {
+    if (!this.ws || this.ws.readyState !== this.ws.OPEN)
+      return null;
+    return new Promise((resolve) => {
+      const reqId = this.makeReqId();
+      this.topicCreatedResolvers.set(reqId, {
+        resolve,
+        timer: setTimeout(() => {
+          if (this.topicCreatedResolvers.delete(reqId))
+            resolve(null);
+        }, 5000)
+      });
+      this.ws.send(JSON.stringify({ type: "topic_create", _reqId: reqId, ...args }));
+    });
+  }
+  async topicList() {
+    if (!this.ws || this.ws.readyState !== this.ws.OPEN)
+      return [];
+    return new Promise((resolve) => {
+      const reqId = this.makeReqId();
+      this.topicListResolvers.set(reqId, {
+        resolve,
+        timer: setTimeout(() => {
+          if (this.topicListResolvers.delete(reqId))
+            resolve([]);
+        }, 5000)
+      });
+      this.ws.send(JSON.stringify({ type: "topic_list", _reqId: reqId }));
+    });
+  }
+  async topicJoin(topic, role) {
+    if (!this.ws || this.ws.readyState !== this.ws.OPEN)
+      return;
+    this.ws.send(JSON.stringify({ type: "topic_join", topic, role }));
+  }
+  async topicLeave(topic) {
+    if (!this.ws || this.ws.readyState !== this.ws.OPEN)
+      return;
+    this.ws.send(JSON.stringify({ type: "topic_leave", topic }));
+  }
+  async topicMembers(topic) {
+    if (!this.ws || this.ws.readyState !== this.ws.OPEN)
+      return [];
+    return new Promise((resolve) => {
+      const reqId = this.makeReqId();
+      this.topicMembersResolvers.set(reqId, {
+        resolve,
+        timer: setTimeout(() => {
+          if (this.topicMembersResolvers.delete(reqId))
+            resolve([]);
+        }, 5000)
+      });
+      this.ws.send(JSON.stringify({ type: "topic_members", _reqId: reqId, topic }));
+    });
+  }
+  async topicHistory(args) {
+    if (!this.ws || this.ws.readyState !== this.ws.OPEN)
+      return [];
+    return new Promise((resolve) => {
+      const reqId = this.makeReqId();
+      this.topicHistoryResolvers.set(reqId, {
+        resolve,
+        timer: setTimeout(() => {
+          if (this.topicHistoryResolvers.delete(reqId))
+            resolve([]);
+        }, 5000)
+      });
+      this.ws.send(JSON.stringify({ type: "topic_history", _reqId: reqId, ...args }));
+    });
+  }
+  async topicMarkRead(topic) {
+    if (!this.ws || this.ws.readyState !== this.ws.OPEN)
+      return;
+    this.ws.send(JSON.stringify({ type: "topic_mark_read", topic }));
+  }
+  async apiKeyCreate(args) {
+    if (!this.ws || this.ws.readyState !== this.ws.OPEN)
+      return null;
+    return new Promise((resolve) => {
+      const reqId = this.makeReqId();
+      this.apiKeyCreatedResolvers.set(reqId, {
+        resolve,
+        timer: setTimeout(() => {
+          if (this.apiKeyCreatedResolvers.delete(reqId))
+            resolve(null);
+        }, 5000)
+      });
+      this.ws.send(JSON.stringify({ type: "apikey_create", _reqId: reqId, ...args }));
+    });
+  }
+  async apiKeyList() {
+    if (!this.ws || this.ws.readyState !== this.ws.OPEN)
+      return [];
+    return new Promise((resolve) => {
+      const reqId = this.makeReqId();
+      this.apiKeyListResolvers.set(reqId, {
+        resolve,
+        timer: setTimeout(() => {
+          if (this.apiKeyListResolvers.delete(reqId))
+            resolve([]);
+        }, 5000)
+      });
+      this.ws.send(JSON.stringify({ type: "apikey_list", _reqId: reqId }));
+    });
+  }
+  async apiKeyRevoke(id) {
+    if (!this.ws || this.ws.readyState !== this.ws.OPEN) {
+      return { ok: false, code: "not_connected", message: "broker not connected" };
+    }
+    return new Promise((resolve) => {
+      const reqId = this.makeReqId();
+      this.apiKeyRevokeResolvers.set(reqId, {
+        resolve,
+        timer: setTimeout(() => {
+          if (this.apiKeyRevokeResolvers.delete(reqId)) {
+            resolve({ ok: false, code: "timeout", message: "broker did not respond within 5s" });
+          }
+        }, 5000)
+      });
+      this.ws.send(JSON.stringify({ type: "apikey_revoke", id, _reqId: reqId }));
+    });
+  }
   async setState(key, value) {
     if (!this.ws || this.ws.readyState !== this.ws.OPEN)
       return;
@@ -2514,6 +2661,65 @@ class BrokerClient {
       this.resolveFromMap(this.listPeersResolvers, msgReqId, peers);
       return;
     }
+    if (msg.type === "topic_created") {
+      const r = msg.topic ?? {};
+      this.resolveFromMap(this.topicCreatedResolvers, msgReqId, {
+        id: r.id,
+        name: r.name,
+        created: !!msg.created
+      });
+      return;
+    }
+    if (msg.type === "topic_list_response") {
+      this.resolveFromMap(this.topicListResolvers, msgReqId, msg.topics ?? []);
+      return;
+    }
+    if (msg.type === "topic_members_response") {
+      this.resolveFromMap(this.topicMembersResolvers, msgReqId, msg.members ?? []);
+      return;
+    }
+    if (msg.type === "topic_history_response") {
+      this.resolveFromMap(this.topicHistoryResolvers, msgReqId, msg.messages ?? []);
+      return;
+    }
+    if (msg.type === "apikey_created") {
+      this.resolveFromMap(this.apiKeyCreatedResolvers, msgReqId, {
+        id: String(msg.id ?? ""),
+        secret: String(msg.secret ?? ""),
+        label: String(msg.label ?? ""),
+        prefix: String(msg.prefix ?? ""),
+        capabilities: msg.capabilities ?? [],
+        topicScopes: msg.topicScopes ?? null,
+        createdAt: String(msg.createdAt ?? "")
+      });
+      return;
+    }
+    if (msg.type === "apikey_list_response") {
+      this.resolveFromMap(this.apiKeyListResolvers, msgReqId, msg.keys ?? []);
+      return;
+    }
+    if (msg.type === "apikey_revoke_response") {
+      const status = String(msg.status ?? "");
+      if (status === "revoked") {
+        this.resolveFromMap(this.apiKeyRevokeResolvers, msgReqId, {
+          ok: true,
+          id: String(msg.id ?? "")
+        });
+      } else if (status === "not_found") {
+        this.resolveFromMap(this.apiKeyRevokeResolvers, msgReqId, {
+          ok: false,
+          code: "not_found",
+          message: "no api key matches that id in this mesh"
+        });
+      } else if (status === "not_unique") {
+        this.resolveFromMap(this.apiKeyRevokeResolvers, msgReqId, {
+          ok: false,
+          code: "not_unique",
+          message: `prefix matches ${Number(msg.matches ?? 0)} keys; use the full id`
+        });
+      }
+      return;
+    }
     if (msg.type === "push") {
       this._statsCounters.messagesIn++;
       const nonce = String(msg.nonce ?? "");
@@ -6598,7 +6804,17 @@ async function runSend(flags, to, message) {
   }
   await withMesh({ meshSlug: flags.mesh ?? null }, async (client) => {
     let targetSpec = to;
-    if (!to.startsWith("@") && to !== "*" && !/^[0-9a-f]{64}$/i.test(to)) {
+    if (to.startsWith("#") && !/^#[0-9a-z_-]{20,}$/i.test(to)) {
+      const name = to.slice(1);
+      const topics = await client.topicList();
+      const match = topics.find((t) => t.name === name);
+      if (!match) {
+        const names = topics.map((t) => "#" + t.name).join(", ");
+        render.err(`Topic "${to}" not found.`, `topics: ${names || "(none)"}`);
+        process.exit(1);
+      }
+      targetSpec = "#" + match.id;
+    } else if (!to.startsWith("@") && !to.startsWith("#") && to !== "*" && !/^[0-9a-f]{64}$/i.test(to)) {
       const peers = await client.listPeers();
       const match = peers.find((p) => p.displayName.toLowerCase() === to.toLowerCase());
       if (!match) {
@@ -7358,18 +7574,33 @@ async function whoami(opts) {
   const result = await whoAmI();
   if (opts.json) {
     console.log(JSON.stringify({ schema_version: "1.0", ...result }, null, 2));
-    return EXIT.SUCCESS;
+    return result.signed_in || result.local ? EXIT.SUCCESS : EXIT.AUTH_FAILED;
   }
-  if (!result.signed_in) {
-    render.err("Not signed in", "Run `claudemesh login` to sign in.");
+  if (!result.signed_in && !result.local) {
+    render.err("Not signed in", "Run `claudemesh login` to sign in or `claudemesh <invite>` to join.");
     return EXIT.AUTH_FAILED;
   }
   render.section("whoami");
-  render.kv([
-    ["user", `${bold(result.user.display_name)} ${dim(`(${result.user.email})`)}`],
-    ["token", `${result.token_source} ${dim("(~/.claudemesh/auth.json)")}`],
-    ...result.meshes ? [["meshes", `${result.meshes.owned} owned · ${result.meshes.guest} guest`]] : []
-  ]);
+  if (result.signed_in) {
+    render.kv([
+      ["user", `${bold(result.user.display_name)} ${dim(`(${result.user.email})`)}`],
+      ["token", `${result.token_source} ${dim("(~/.claudemesh/auth.json)")}`],
+      ...result.meshes ? [["meshes", `${result.meshes.owned} owned · ${result.meshes.guest} guest`]] : []
+    ]);
+  } else {
+    render.kv([
+      ["web", dim("not signed in · run `claudemesh login` for account features")]
+    ]);
+  }
+  if (result.local) {
+    render.blank();
+    render.kv([
+      ["local", `${result.local.meshes.length} mesh${result.local.meshes.length === 1 ? "" : "es"} · ${dim(result.local.config_path)}`]
+    ]);
+    for (const m of result.local.meshes) {
+      console.log(`    ${clay("●")} ${bold(m.slug)}  ${dim(`member ${m.member_id.slice(0, 8)}…  pk ${m.pubkey_prefix}…`)}`);
+    }
+  }
   render.blank();
   return EXIT.SUCCESS;
 }
@@ -10378,6 +10609,1045 @@ var init_platform_actions = __esm(() => {
   init_exit_codes();
 });
 
+// ../../packages/sdk/dist/crypto.js
+var require_crypto = __commonJS((exports) => {
+  var __importDefault = exports && exports.__importDefault || function(mod) {
+    return mod && mod.__esModule ? mod : { default: mod };
+  };
+  Object.defineProperty(exports, "__esModule", { value: true });
+  exports.generateKeyPair = generateKeyPair;
+  exports.signHello = signHello2;
+  exports.isDirectTarget = isDirectTarget2;
+  exports.encryptDirect = encryptDirect2;
+  exports.decryptDirect = decryptDirect2;
+  var libsodium_wrappers_1 = __importDefault(__require("libsodium-wrappers"));
+  var ready2 = false;
+  async function ensureSodium3() {
+    if (!ready2) {
+      await libsodium_wrappers_1.default.ready;
+      ready2 = true;
+    }
+    return libsodium_wrappers_1.default;
+  }
+  async function generateKeyPair() {
+    const s = await ensureSodium3();
+    const kp = s.crypto_sign_keypair();
+    return {
+      publicKey: s.to_hex(kp.publicKey),
+      secretKey: s.to_hex(kp.privateKey)
+    };
+  }
+  async function signHello2(meshId, memberId, pubkey, secretKeyHex) {
+    const s = await ensureSodium3();
+    const timestamp2 = Date.now();
+    const canonical = `${meshId}|${memberId}|${pubkey}|${timestamp2}`;
+    const sig = s.crypto_sign_detached(s.from_string(canonical), s.from_hex(secretKeyHex));
+    return { timestamp: timestamp2, signature: s.to_hex(sig) };
+  }
+  var HEX_PUBKEY2 = /^[0-9a-f]{64}$/;
+  function isDirectTarget2(targetSpec) {
+    return HEX_PUBKEY2.test(targetSpec);
+  }
+  async function encryptDirect2(message, recipientPubkeyHex, senderSecretKeyHex) {
+    const s = await ensureSodium3();
+    const recipientPub = s.crypto_sign_ed25519_pk_to_curve25519(s.from_hex(recipientPubkeyHex));
+    const senderSec = s.crypto_sign_ed25519_sk_to_curve25519(s.from_hex(senderSecretKeyHex));
+    const nonce = s.randombytes_buf(s.crypto_box_NONCEBYTES);
+    const ciphertext = s.crypto_box_easy(s.from_string(message), nonce, recipientPub, senderSec);
+    return {
+      nonce: s.to_base64(nonce, s.base64_variants.ORIGINAL),
+      ciphertext: s.to_base64(ciphertext, s.base64_variants.ORIGINAL)
+    };
+  }
+  async function decryptDirect2(envelope, senderPubkeyHex, recipientSecretKeyHex) {
+    const s = await ensureSodium3();
+    try {
+      const senderPub = s.crypto_sign_ed25519_pk_to_curve25519(s.from_hex(senderPubkeyHex));
+      const recipientSec = s.crypto_sign_ed25519_sk_to_curve25519(s.from_hex(recipientSecretKeyHex));
+      const nonce = s.from_base64(envelope.nonce, s.base64_variants.ORIGINAL);
+      const ciphertext = s.from_base64(envelope.ciphertext, s.base64_variants.ORIGINAL);
+      const plain = s.crypto_box_open_easy(ciphertext, nonce, senderPub, recipientSec);
+      return s.to_string(plain);
+    } catch {
+      return null;
+    }
+  }
+});
+
+// ../../packages/sdk/dist/client.js
+var require_client = __commonJS((exports) => {
+  var __importDefault = exports && exports.__importDefault || function(mod) {
+    return mod && mod.__esModule ? mod : { default: mod };
+  };
+  Object.defineProperty(exports, "__esModule", { value: true });
+  exports.MeshClient = undefined;
+  var node_events_1 = __require("node:events");
+  var node_crypto_1 = __require("node:crypto");
+  var ws_1 = __importDefault(__require("ws"));
+  var crypto_js_1 = require_crypto();
+  var MAX_QUEUED2 = 100;
+  var HELLO_ACK_TIMEOUT_MS2 = 5000;
+  var BACKOFF_CAPS2 = [1000, 2000, 4000, 8000, 16000, 30000];
+
+  class MeshClient extends node_events_1.EventEmitter {
+    opts;
+    ws = null;
+    _status = "closed";
+    pendingSends = new Map;
+    outbound = [];
+    closed = false;
+    reconnectAttempt = 0;
+    helloTimer = null;
+    reconnectTimer = null;
+    sessionPubkey = null;
+    sessionSecretKey = null;
+    listPeersResolvers = new Map;
+    stateResolvers = new Map;
+    constructor(opts) {
+      super();
+      this.opts = opts;
+    }
+    get status() {
+      return this._status;
+    }
+    get pubkey() {
+      return this.sessionPubkey;
+    }
+    async connect() {
+      if (this.closed)
+        throw new Error("client is closed");
+      this._status = "connecting";
+      const ws = new ws_1.default(this.opts.brokerUrl);
+      this.ws = ws;
+      return new Promise((resolve3, reject) => {
+        const onOpen = async () => {
+          this.debug("ws open -> generating session keypair + signing hello");
+          try {
+            if (!this.sessionPubkey) {
+              const sessionKP = await (0, crypto_js_1.generateKeyPair)();
+              this.sessionPubkey = sessionKP.publicKey;
+              this.sessionSecretKey = sessionKP.secretKey;
+            }
+            const { timestamp: timestamp2, signature } = await (0, crypto_js_1.signHello)(this.opts.meshId, this.opts.memberId, this.opts.pubkey, this.opts.secretKey);
+            ws.send(JSON.stringify({
+              type: "hello",
+              meshId: this.opts.meshId,
+              memberId: this.opts.memberId,
+              pubkey: this.opts.pubkey,
+              sessionPubkey: this.sessionPubkey,
+              displayName: this.opts.displayName,
+              sessionId: `sdk-${process.pid}-${Date.now()}`,
+              pid: process.pid,
+              peerType: this.opts.peerType ?? "connector",
+              channel: this.opts.channel ?? "sdk",
+              timestamp: timestamp2,
+              signature
+            }));
+          } catch (e) {
+            reject(new Error(`hello sign failed: ${e instanceof Error ? e.message : e}`));
+            return;
+          }
+          this.helloTimer = setTimeout(() => {
+            this.debug("hello_ack timeout");
+            ws.close();
+            reject(new Error("hello_ack timeout"));
+          }, HELLO_ACK_TIMEOUT_MS2);
+        };
+        const onMessage = (raw) => {
+          let msg;
+          try {
+            msg = JSON.parse(raw.toString());
+          } catch {
+            return;
+          }
+          if (msg.type === "hello_ack") {
+            if (this.helloTimer)
+              clearTimeout(this.helloTimer);
+            this.helloTimer = null;
+            this._status = "open";
+            this.reconnectAttempt = 0;
+            this.flushOutbound();
+            this.emit("connected");
+            resolve3();
+            return;
+          }
+          this.handleServerMessage(msg);
+        };
+        const onClose = () => {
+          if (this.helloTimer)
+            clearTimeout(this.helloTimer);
+          this.helloTimer = null;
+          const wasOpen = this._status === "open" || this._status === "reconnecting";
+          this.ws = null;
+          if (!wasOpen && this._status === "connecting") {
+            reject(new Error("ws closed before hello_ack"));
+          }
+          if (!this.closed) {
+            this.emit("disconnected");
+            this.scheduleReconnect();
+          } else {
+            this._status = "closed";
+            this.emit("disconnected");
+          }
+        };
+        const onError = (err) => {
+          this.debug(`ws error: ${err.message}`);
+        };
+        ws.on("open", onOpen);
+        ws.on("message", onMessage);
+        ws.on("close", onClose);
+        ws.on("error", onError);
+      });
+    }
+    disconnect() {
+      this.closed = true;
+      if (this.helloTimer)
+        clearTimeout(this.helloTimer);
+      if (this.reconnectTimer)
+        clearTimeout(this.reconnectTimer);
+      if (this.ws) {
+        try {
+          this.ws.close();
+        } catch {}
+      }
+      this._status = "closed";
+    }
+    async send(to, message, priority = "next") {
+      let targetSpec = to;
+      if (!(0, crypto_js_1.isDirectTarget)(to) && to !== "*" && !to.startsWith("@") && !to.startsWith("#")) {
+        const peers = await this.listPeers();
+        const match = peers.find((p) => p.displayName.toLowerCase() === to.toLowerCase());
+        if (match) {
+          targetSpec = match.pubkey;
+        }
+      }
+      const id = (0, node_crypto_1.randomBytes)(8).toString("hex");
+      let nonce;
+      let ciphertext;
+      if ((0, crypto_js_1.isDirectTarget)(targetSpec)) {
+        const env2 = await (0, crypto_js_1.encryptDirect)(message, targetSpec, this.sessionSecretKey ?? this.opts.secretKey);
+        nonce = env2.nonce;
+        ciphertext = env2.ciphertext;
+      } else {
+        nonce = (0, node_crypto_1.randomBytes)(24).toString("base64");
+        ciphertext = Buffer.from(message, "utf-8").toString("base64");
+      }
+      return new Promise((resolve3) => {
+        if (this.pendingSends.size >= MAX_QUEUED2) {
+          resolve3({ ok: false, error: "outbound queue full" });
+          return;
+        }
+        this.pendingSends.set(id, {
+          id,
+          targetSpec,
+          priority,
+          nonce,
+          ciphertext,
+          resolve: resolve3
+        });
+        const dispatch = () => {
+          if (!this.ws || this.ws.readyState !== ws_1.default.OPEN)
+            return;
+          this.ws.send(JSON.stringify({
+            type: "send",
+            id,
+            targetSpec,
+            priority,
+            nonce,
+            ciphertext
+          }));
+        };
+        if (this._status === "open")
+          dispatch();
+        else {
+          if (this.outbound.length >= MAX_QUEUED2) {
+            this.pendingSends.delete(id);
+            resolve3({ ok: false, error: "outbound queue full" });
+            return;
+          }
+          this.outbound.push(dispatch);
+        }
+        setTimeout(() => {
+          if (this.pendingSends.has(id)) {
+            this.pendingSends.delete(id);
+            resolve3({ ok: false, error: "ack timeout" });
+          }
+        }, 1e4);
+      });
+    }
+    async broadcast(message, priority = "next") {
+      return this.send("*", message, priority);
+    }
+    async listPeers() {
+      if (!this.ws || this.ws.readyState !== ws_1.default.OPEN)
+        return [];
+      return new Promise((resolve3) => {
+        const reqId = this.makeReqId();
+        this.listPeersResolvers.set(reqId, {
+          resolve: resolve3,
+          timer: setTimeout(() => {
+            if (this.listPeersResolvers.delete(reqId))
+              resolve3([]);
+          }, 5000)
+        });
+        this.ws.send(JSON.stringify({ type: "list_peers", _reqId: reqId }));
+      });
+    }
+    async getState(key) {
+      if (!this.ws || this.ws.readyState !== ws_1.default.OPEN)
+        return null;
+      return new Promise((resolve3) => {
+        const reqId = this.makeReqId();
+        this.stateResolvers.set(reqId, {
+          resolve: (result) => resolve3(result ? String(result.value) : null),
+          timer: setTimeout(() => {
+            if (this.stateResolvers.delete(reqId))
+              resolve3(null);
+          }, 5000)
+        });
+        this.ws.send(JSON.stringify({ type: "get_state", key, _reqId: reqId }));
+      });
+    }
+    async setState(key, value) {
+      if (!this.ws || this.ws.readyState !== ws_1.default.OPEN)
+        return;
+      this.ws.send(JSON.stringify({ type: "set_state", key, value }));
+    }
+    async setSummary(summary) {
+      if (!this.ws || this.ws.readyState !== ws_1.default.OPEN)
+        return;
+      this.ws.send(JSON.stringify({ type: "set_summary", summary }));
+    }
+    async setStatus(status) {
+      if (!this.ws || this.ws.readyState !== ws_1.default.OPEN)
+        return;
+      this.ws.send(JSON.stringify({ type: "set_status", status }));
+    }
+    async createTopic(args) {
+      if (!this.ws || this.ws.readyState !== ws_1.default.OPEN)
+        return;
+      this.ws.send(JSON.stringify({ type: "topic_create", ...args }));
+    }
+    async joinTopic(topic, role) {
+      if (!this.ws || this.ws.readyState !== ws_1.default.OPEN)
+        return;
+      this.ws.send(JSON.stringify({ type: "topic_join", topic, role }));
+    }
+    async leaveTopic(topic) {
+      if (!this.ws || this.ws.readyState !== ws_1.default.OPEN)
+        return;
+      this.ws.send(JSON.stringify({ type: "topic_leave", topic }));
+    }
+    makeReqId() {
+      return Math.random().toString(36).slice(2) + Date.now().toString(36);
+    }
+    flushOutbound() {
+      const queued = this.outbound.slice();
+      this.outbound.length = 0;
+      for (const send of queued)
+        send();
+    }
+    scheduleReconnect() {
+      this._status = "reconnecting";
+      const delay = BACKOFF_CAPS2[Math.min(this.reconnectAttempt, BACKOFF_CAPS2.length - 1)];
+      this.reconnectAttempt += 1;
+      this.debug(`reconnect in ${delay}ms (attempt ${this.reconnectAttempt})`);
+      this.reconnectTimer = setTimeout(() => {
+        if (this.closed)
+          return;
+        this.connect().catch((e) => {
+          this.debug(`reconnect failed: ${e instanceof Error ? e.message : e}`);
+        });
+      }, delay);
+    }
+    handleServerMessage(msg) {
+      const reqId = msg._reqId;
+      if (msg.type === "ack") {
+        const pending = this.pendingSends.get(String(msg.id ?? ""));
+        if (pending) {
+          pending.resolve({
+            ok: true,
+            messageId: String(msg.messageId ?? "")
+          });
+          this.pendingSends.delete(pending.id);
+        }
+        return;
+      }
+      if (msg.type === "peers_list") {
+        const peers = msg.peers ?? [];
+        this.resolveFromMap(this.listPeersResolvers, reqId, peers);
+        return;
+      }
+      if (msg.type === "push") {
+        this.handlePush(msg);
+        return;
+      }
+      if (msg.type === "state_result") {
+        if (msg.key) {
+          this.resolveFromMap(this.stateResolvers, reqId, {
+            key: String(msg.key),
+            value: msg.value,
+            updatedBy: String(msg.updatedBy ?? ""),
+            updatedAt: String(msg.updatedAt ?? "")
+          });
+        } else {
+          this.resolveFromMap(this.stateResolvers, reqId, null);
+        }
+        return;
+      }
+      if (msg.type === "state_change") {
+        this.emit("state_change", {
+          key: String(msg.key ?? ""),
+          value: msg.value,
+          updatedBy: String(msg.updatedBy ?? "")
+        });
+        return;
+      }
+      if (msg.type === "error") {
+        this.debug(`broker error: ${msg.code} ${msg.message}`);
+        const id = msg.id ? String(msg.id) : null;
+        if (id) {
+          const pending = this.pendingSends.get(id);
+          if (pending) {
+            pending.resolve({
+              ok: false,
+              error: `${msg.code}: ${msg.message}`
+            });
+            this.pendingSends.delete(id);
+          }
+        }
+        return;
+      }
+    }
+    async handlePush(msg) {
+      const nonce = String(msg.nonce ?? "");
+      const ciphertext = String(msg.ciphertext ?? "");
+      const senderPubkey = String(msg.senderPubkey ?? "");
+      const kind = senderPubkey ? "direct" : "unknown";
+      let plaintext = null;
+      if (senderPubkey && nonce && ciphertext) {
+        plaintext = await (0, crypto_js_1.decryptDirect)({ nonce, ciphertext }, senderPubkey, this.sessionSecretKey ?? this.opts.secretKey);
+      }
+      if (plaintext === null && ciphertext && !senderPubkey) {
+        try {
+          plaintext = Buffer.from(ciphertext, "base64").toString("utf-8");
+        } catch {
+          plaintext = null;
+        }
+      }
+      if (plaintext === null && ciphertext) {
+        try {
+          const decoded = Buffer.from(ciphertext, "base64").toString("utf-8");
+          if (/^[\x20-\x7E\s\u00A0-\uFFFF]*$/.test(decoded) && decoded.length > 0) {
+            plaintext = decoded;
+          }
+        } catch {
+          plaintext = null;
+        }
+      }
+      const push = {
+        messageId: String(msg.messageId ?? ""),
+        meshId: String(msg.meshId ?? ""),
+        senderPubkey,
+        priority: msg.priority ?? "next",
+        nonce,
+        ciphertext,
+        createdAt: String(msg.createdAt ?? ""),
+        receivedAt: new Date().toISOString(),
+        plaintext,
+        kind,
+        ...msg.subtype ? { subtype: msg.subtype } : {},
+        ...msg.event ? { event: String(msg.event) } : {},
+        ...msg.eventData ? { eventData: msg.eventData } : {}
+      };
+      this.emit("message", push);
+      if (push.event === "peer_joined" && push.eventData) {
+        this.emit("peer_joined", push.eventData);
+      }
+      if (push.event === "peer_left" && push.eventData) {
+        this.emit("peer_left", push.eventData);
+      }
+    }
+    resolveFromMap(map, reqId, value) {
+      let entry = reqId ? map.get(reqId) : undefined;
+      if (!entry) {
+        const first = map.entries().next().value;
+        if (first) {
+          entry = first[1];
+          map.delete(first[0]);
+        }
+      } else {
+        map.delete(reqId);
+      }
+      if (entry) {
+        clearTimeout(entry.timer);
+        entry.resolve(value);
+        return true;
+      }
+      return false;
+    }
+    debug(msg) {
+      if (this.opts.debug)
+        console.error(`[claudemesh-sdk] ${msg}`);
+    }
+  }
+  exports.MeshClient = MeshClient;
+});
+
+// ../../packages/sdk/dist/bridge.js
+var require_bridge = __commonJS((exports) => {
+  Object.defineProperty(exports, "__esModule", { value: true });
+  exports.Bridge = undefined;
+  var node_events_1 = __require("node:events");
+  var client_js_1 = require_client();
+  var HOP_PREFIX_RE = /^__cmh(\d+):/;
+  var MAX_HOPS_DEFAULT = 2;
+
+  class Bridge extends node_events_1.EventEmitter {
+    clientA;
+    clientB;
+    maxHops;
+    opts;
+    started = false;
+    constructor(opts) {
+      super();
+      this.opts = opts;
+      this.maxHops = opts.maxHops ?? MAX_HOPS_DEFAULT;
+      this.clientA = new client_js_1.MeshClient(opts.a.client);
+      this.clientB = new client_js_1.MeshClient(opts.b.client);
+    }
+    async start() {
+      if (this.started)
+        return;
+      this.started = true;
+      await Promise.all([this.clientA.connect(), this.clientB.connect()]);
+      await Promise.all([
+        this.clientA.joinTopic(this.opts.a.topic, this.opts.a.role),
+        this.clientB.joinTopic(this.opts.b.topic, this.opts.b.role)
+      ]);
+      this.clientA.on("message", (m) => this.handleIncoming("a", m).catch((e) => this.emit("error", e instanceof Error ? e : new Error(String(e)))));
+      this.clientB.on("message", (m) => this.handleIncoming("b", m).catch((e) => this.emit("error", e instanceof Error ? e : new Error(String(e)))));
+    }
+    async stop() {
+      if (!this.started)
+        return;
+      this.started = false;
+      this.clientA.disconnect();
+      this.clientB.disconnect();
+    }
+    async handleIncoming(fromSide, msg) {
+      if (msg.subtype === "system")
+        return;
+      const text = msg.plaintext;
+      if (!text)
+        return;
+      const ownA = this.clientA.pubkey;
+      const ownB = this.clientB.pubkey;
+      if (msg.senderPubkey === ownA || msg.senderPubkey === ownB) {
+        this.emit("dropped", { from: fromSide, reason: "echo", hop: -1 });
+        return;
+      }
+      if (this.opts.filter) {
+        const ok = await this.opts.filter(msg, fromSide);
+        if (!ok) {
+          this.emit("dropped", { from: fromSide, reason: "filter", hop: -1 });
+          return;
+        }
+      }
+      const m = text.match(HOP_PREFIX_RE);
+      const currentHop = m ? Number(m[1]) : 0;
+      const nextHop = currentHop + 1;
+      if (nextHop > this.maxHops) {
+        this.emit("dropped", { from: fromSide, reason: "max_hops", hop: currentHop });
+        return;
+      }
+      const stripped = m ? text.slice(m[0].length) : text;
+      const forwarded = `__cmh${nextHop}:${stripped}`;
+      const targetClient = fromSide === "a" ? this.clientB : this.clientA;
+      const targetTopic = fromSide === "a" ? this.opts.b.topic : this.opts.a.topic;
+      await targetClient.send(`#${targetTopic}`, forwarded, "next");
+      this.emit("forwarded", {
+        from: fromSide,
+        to: fromSide === "a" ? "b" : "a",
+        hop: nextHop,
+        bytes: forwarded.length
+      });
+    }
+  }
+  exports.Bridge = Bridge;
+});
+
+// ../../packages/sdk/dist/index.js
+var require_dist = __commonJS((exports) => {
+  Object.defineProperty(exports, "__esModule", { value: true });
+  exports.Bridge = exports.generateKeyPair = exports.MeshClient = undefined;
+  var client_js_1 = require_client();
+  Object.defineProperty(exports, "MeshClient", { enumerable: true, get: function() {
+    return client_js_1.MeshClient;
+  } });
+  var crypto_js_1 = require_crypto();
+  Object.defineProperty(exports, "generateKeyPair", { enumerable: true, get: function() {
+    return crypto_js_1.generateKeyPair;
+  } });
+  var bridge_js_1 = require_bridge();
+  Object.defineProperty(exports, "Bridge", { enumerable: true, get: function() {
+    return bridge_js_1.Bridge;
+  } });
+});
+
+// src/commands/bridge.ts
+var exports_bridge = {};
+__export(exports_bridge, {
+  runBridge: () => runBridge,
+  bridgeConfigTemplate: () => bridgeConfigTemplate
+});
+import { readFileSync as readFileSync14, existsSync as existsSync20 } from "node:fs";
+function parseConfig(text) {
+  const trimmed = text.trim();
+  if (trimmed.startsWith("{"))
+    return JSON.parse(trimmed);
+  const root = {};
+  let cursor = null;
+  for (const raw of text.split(`
+`)) {
+    const line = raw.replace(/#.*$/, "").trimEnd();
+    if (!line.trim())
+      continue;
+    const top = line.match(/^(a|b)\s*:\s*$/);
+    if (top) {
+      cursor = {};
+      root[top[1]] = cursor;
+      continue;
+    }
+    const flat = line.match(/^(\w+)\s*:\s*(.+)$/);
+    if (flat && /^\s/.test(line) && cursor) {
+      cursor[flat[1]] = parseScalar(flat[2]);
+    } else if (flat) {
+      const v = parseScalar(flat[2]);
+      if (typeof v === "number")
+        root[flat[1]] = v;
+    }
+  }
+  return root;
+}
+function parseScalar(raw) {
+  const v = raw.trim().replace(/^["'](.*)["']$/, "$1");
+  if (v === "true")
+    return true;
+  if (v === "false")
+    return false;
+  if (/^-?\d+(\.\d+)?$/.test(v))
+    return Number(v);
+  return v;
+}
+async function runBridge(configPath) {
+  if (!configPath) {
+    render.err("Usage: claudemesh bridge run <config.yaml>");
+    return EXIT.INVALID_ARGS;
+  }
+  if (!existsSync20(configPath)) {
+    render.err(`config file not found: ${configPath}`);
+    return EXIT.NOT_FOUND;
+  }
+  let cfg;
+  try {
+    cfg = parseConfig(readFileSync14(configPath, "utf-8"));
+  } catch (e) {
+    render.err(`failed to parse ${configPath}: ${e instanceof Error ? e.message : String(e)}`);
+    return EXIT.INVALID_ARGS;
+  }
+  if (!cfg.a || !cfg.b) {
+    render.err("config must define 'a:' and 'b:' sections");
+    return EXIT.INVALID_ARGS;
+  }
+  for (const [name, side] of [["a", cfg.a], ["b", cfg.b]]) {
+    if (!side.broker_url || !side.mesh_id || !side.member_id || !side.pubkey || !side.secret_key || !side.topic) {
+      render.err(`config side '${name}' missing required fields: broker_url, mesh_id, member_id, pubkey, secret_key, topic`);
+      return EXIT.INVALID_ARGS;
+    }
+  }
+  const { Bridge } = await Promise.resolve().then(() => __toESM(require_dist(), 1));
+  const bridge = new Bridge({
+    a: {
+      client: {
+        brokerUrl: cfg.a.broker_url,
+        meshId: cfg.a.mesh_id,
+        memberId: cfg.a.member_id,
+        pubkey: cfg.a.pubkey,
+        secretKey: cfg.a.secret_key,
+        displayName: cfg.a.display_name ?? "bridge",
+        peerType: "connector",
+        channel: "bridge"
+      },
+      topic: cfg.a.topic,
+      role: cfg.a.role
+    },
+    b: {
+      client: {
+        brokerUrl: cfg.b.broker_url,
+        meshId: cfg.b.mesh_id,
+        memberId: cfg.b.member_id,
+        pubkey: cfg.b.pubkey,
+        secretKey: cfg.b.secret_key,
+        displayName: cfg.b.display_name ?? "bridge",
+        peerType: "connector",
+        channel: "bridge"
+      },
+      topic: cfg.b.topic,
+      role: cfg.b.role
+    },
+    maxHops: cfg.max_hops
+  });
+  bridge.on("forwarded", (e) => {
+    process.stdout.write(`${dim(new Date().toISOString())}  ${green("→")} ${e.from}→${e.to} hop=${e.hop} ${dim(`${e.bytes}b`)}
+`);
+  });
+  bridge.on("dropped", (e) => {
+    process.stdout.write(`${dim(new Date().toISOString())}  ${yellow("·")} drop from=${e.from} reason=${e.reason}${e.hop >= 0 ? ` hop=${e.hop}` : ""}
+`);
+  });
+  bridge.on("error", (e) => {
+    process.stderr.write(`${red("✘")} ${e.message}
+`);
+  });
+  try {
+    await bridge.start();
+  } catch (e) {
+    render.err(`bridge failed to start: ${e instanceof Error ? e.message : String(e)}`);
+    return EXIT.NETWORK_ERROR;
+  }
+  render.ok("bridge running", `${clay("#" + cfg.a.topic)} ${dim("⟷")} ${clay("#" + cfg.b.topic)}`);
+  process.stderr.write(`${dim(`  meshes: ${cfg.a.mesh_id.slice(0, 8)} ⟷ ${cfg.b.mesh_id.slice(0, 8)}  max_hops: ${cfg.max_hops ?? 2}`)}
+`);
+  process.stderr.write(`${dim("  Ctrl-C to stop.")}
+
+`);
+  await new Promise((resolve3) => {
+    const stop = async () => {
+      process.stderr.write(`
+${dim("stopping bridge...")}
+`);
+      await bridge.stop();
+      resolve3();
+    };
+    process.on("SIGINT", stop);
+    process.on("SIGTERM", stop);
+  });
+  return EXIT.SUCCESS;
+}
+function bridgeConfigTemplate() {
+  return `# claudemesh bridge config
+# Spec: .artifacts/specs/2026-05-02-v0.2.0-scope.md
+#
+# A bridge holds memberships in two meshes and forwards messages on a
+# single topic between them. Loop prevention via plaintext hop counter
+# (visible in message body — minor wart, fixed in v0.3.0).
+#
+# Tip: \`claudemesh peer verify\` shows the keys/ids you need below.
+
+max_hops: 2
+
+a:
+  broker_url: wss://ic.claudemesh.com/ws
+  mesh_id: <mesh A id>
+  member_id: <bridge member id in mesh A>
+  pubkey: <ed25519 public key hex, 32 bytes>
+  secret_key: <ed25519 secret key hex, 64 bytes>
+  topic: incidents
+  display_name: bridge
+  role: member
+
+b:
+  broker_url: wss://ic.claudemesh.com/ws
+  mesh_id: <mesh B id>
+  member_id: <bridge member id in mesh B>
+  pubkey: <ed25519 public key hex>
+  secret_key: <ed25519 secret key hex>
+  topic: incidents
+`;
+}
+var init_bridge = __esm(() => {
+  init_render();
+  init_styles();
+  init_exit_codes();
+});
+
+// src/commands/apikey.ts
+var exports_apikey = {};
+__export(exports_apikey, {
+  runApiKeyRevoke: () => runApiKeyRevoke,
+  runApiKeyList: () => runApiKeyList,
+  runApiKeyCreate: () => runApiKeyCreate
+});
+function parseCapabilities(raw) {
+  if (!raw)
+    return ["send", "read"];
+  const parts = raw.split(",").map((s) => s.trim()).filter(Boolean);
+  const valid = new Set(["send", "read", "state_write", "admin"]);
+  return parts.filter((p) => valid.has(p));
+}
+async function runApiKeyCreate(label, flags) {
+  if (!label) {
+    render.err("Usage: claudemesh apikey create <label> [--cap send,read] [--topic deploys]");
+    return EXIT.INVALID_ARGS;
+  }
+  const caps = parseCapabilities(flags.cap);
+  if (caps.length === 0) {
+    render.err("at least one capability required: --cap send,read,state_write,admin");
+    return EXIT.INVALID_ARGS;
+  }
+  const topicScopes = flags.topic ? flags.topic.split(",").map((s) => s.trim()).filter(Boolean) : undefined;
+  return await withMesh({ meshSlug: flags.mesh ?? null }, async (client) => {
+    const result = await client.apiKeyCreate({
+      label,
+      capabilities: caps,
+      topicScopes,
+      expiresAt: flags.expires
+    });
+    if (!result) {
+      render.err("apikey create failed");
+      return EXIT.INTERNAL_ERROR;
+    }
+    if (flags.json) {
+      console.log(JSON.stringify(result, null, 2));
+      return EXIT.SUCCESS;
+    }
+    render.ok("created", `${bold(result.label)} ${dim(result.id.slice(0, 8))}`);
+    process.stdout.write(`
+  ${yellow("⚠ secret shown once — copy it now:")}
+
+`);
+    process.stdout.write(`  ${green(result.secret)}
+
+`);
+    process.stdout.write(`  ${dim(`capabilities: ${result.capabilities.join(", ")}`)}
+`);
+    if (result.topicScopes?.length) {
+      process.stdout.write(`  ${dim(`topics: ${result.topicScopes.map((t) => "#" + t).join(", ")}`)}
+`);
+    } else {
+      process.stdout.write(`  ${dim("topics: all (no scope)")}
+`);
+    }
+    return EXIT.SUCCESS;
+  });
+}
+async function runApiKeyList(flags) {
+  return await withMesh({ meshSlug: flags.mesh ?? null }, async (client) => {
+    const keys = await client.apiKeyList();
+    if (flags.json) {
+      console.log(JSON.stringify(keys, null, 2));
+      return EXIT.SUCCESS;
+    }
+    if (keys.length === 0) {
+      render.info(dim("no api keys in this mesh."));
+      return EXIT.SUCCESS;
+    }
+    render.section(`api keys (${keys.length})`);
+    for (const k of keys) {
+      const status = k.revokedAt ? red("revoked") : k.expiresAt && new Date(k.expiresAt) < new Date ? yellow("expired") : green("active");
+      const lastUsed = k.lastUsedAt ? new Date(k.lastUsedAt).toLocaleDateString() : "never";
+      const scope = k.topicScopes?.length ? k.topicScopes.map((t) => "#" + t).join(",") : "all topics";
+      process.stdout.write(`  ${bold(k.label)}  ${status}  ${dim(k.id.slice(0, 8))}
+`);
+      process.stdout.write(`    ${dim(`${k.prefix}…  caps: ${k.capabilities.join(",")}  scope: ${scope}  last_used: ${lastUsed}`)}
+`);
+    }
+    return EXIT.SUCCESS;
+  });
+}
+async function runApiKeyRevoke(id, flags) {
+  if (!id) {
+    render.err("Usage: claudemesh apikey revoke <id>");
+    return EXIT.INVALID_ARGS;
+  }
+  return await withMesh({ meshSlug: flags.mesh ?? null }, async (client) => {
+    const result = await client.apiKeyRevoke(id);
+    if (!result.ok) {
+      if (flags.json) {
+        console.log(JSON.stringify({ ok: false, code: result.code, message: result.message }));
+      } else {
+        render.err(`${result.code}: ${result.message}`);
+      }
+      return result.code === "not_found" ? EXIT.NOT_FOUND : result.code === "not_unique" ? EXIT.INVALID_ARGS : EXIT.INTERNAL_ERROR;
+    }
+    if (flags.json)
+      console.log(JSON.stringify({ revoked: result.id }));
+    else
+      render.ok("revoked", clay(result.id.slice(0, 8)));
+    return EXIT.SUCCESS;
+  });
+}
+var init_apikey = __esm(() => {
+  init_connect();
+  init_render();
+  init_styles();
+  init_exit_codes();
+});
+
+// src/commands/topic.ts
+var exports_topic = {};
+__export(exports_topic, {
+  runTopicMembers: () => runTopicMembers,
+  runTopicMarkRead: () => runTopicMarkRead,
+  runTopicList: () => runTopicList,
+  runTopicLeave: () => runTopicLeave,
+  runTopicJoin: () => runTopicJoin,
+  runTopicHistory: () => runTopicHistory,
+  runTopicCreate: () => runTopicCreate
+});
+async function runTopicCreate(name, flags) {
+  if (!name) {
+    render.err("Usage: claudemesh topic create <name> [--description X] [--visibility V]");
+    return EXIT.INVALID_ARGS;
+  }
+  return await withMesh({ meshSlug: flags.mesh ?? null }, async (client) => {
+    const result = await client.topicCreate({
+      name,
+      description: flags.description,
+      visibility: flags.visibility
+    });
+    if (!result) {
+      render.err("topic create failed");
+      return EXIT.INTERNAL_ERROR;
+    }
+    if (flags.json) {
+      console.log(JSON.stringify(result));
+      return EXIT.SUCCESS;
+    }
+    if (result.created) {
+      render.ok("created", `${clay("#" + name)} ${dim(result.id.slice(0, 8))}`);
+    } else {
+      render.info(dim(`already exists: #${name} ${result.id.slice(0, 8)}`));
+    }
+    return EXIT.SUCCESS;
+  });
+}
+async function runTopicList(flags) {
+  return await withMesh({ meshSlug: flags.mesh ?? null }, async (client) => {
+    const topics = await client.topicList();
+    if (flags.json) {
+      console.log(JSON.stringify(topics, null, 2));
+      return EXIT.SUCCESS;
+    }
+    if (topics.length === 0) {
+      render.info(dim("no topics in this mesh."));
+      return EXIT.SUCCESS;
+    }
+    render.section(`topics (${topics.length})`);
+    for (const t of topics) {
+      const vis = t.visibility === "public" ? green(t.visibility) : dim(t.visibility);
+      process.stdout.write(`  ${clay("#" + t.name)}  ${vis}  ${dim(`${t.memberCount} member${t.memberCount === 1 ? "" : "s"}`)}
+`);
+      if (t.description)
+        process.stdout.write(`    ${dim(t.description)}
+`);
+    }
+    return EXIT.SUCCESS;
+  });
+}
+async function runTopicJoin(topic, flags) {
+  if (!topic) {
+    render.err("Usage: claudemesh topic join <topic> [--role lead|member|observer]");
+    return EXIT.INVALID_ARGS;
+  }
+  return await withMesh({ meshSlug: flags.mesh ?? null }, async (client) => {
+    await client.topicJoin(topic, flags.role);
+    if (flags.json)
+      console.log(JSON.stringify({ joined: topic }));
+    else
+      render.ok("joined", clay("#" + topic));
+    return EXIT.SUCCESS;
+  });
+}
+async function runTopicLeave(topic, flags) {
+  if (!topic) {
+    render.err("Usage: claudemesh topic leave <topic>");
+    return EXIT.INVALID_ARGS;
+  }
+  return await withMesh({ meshSlug: flags.mesh ?? null }, async (client) => {
+    await client.topicLeave(topic);
+    if (flags.json)
+      console.log(JSON.stringify({ left: topic }));
+    else
+      render.ok("left", clay("#" + topic));
+    return EXIT.SUCCESS;
+  });
+}
+async function runTopicMembers(topic, flags) {
+  if (!topic) {
+    render.err("Usage: claudemesh topic members <topic>");
+    return EXIT.INVALID_ARGS;
+  }
+  return await withMesh({ meshSlug: flags.mesh ?? null }, async (client) => {
+    const members = await client.topicMembers(topic);
+    if (flags.json) {
+      console.log(JSON.stringify(members, null, 2));
+      return EXIT.SUCCESS;
+    }
+    if (members.length === 0) {
+      render.info(dim(`no members in ${clay("#" + topic)}.`));
+      return EXIT.SUCCESS;
+    }
+    render.section(`${clay("#" + topic)} members (${members.length})`);
+    for (const m of members) {
+      process.stdout.write(`  ${bold(m.displayName)}  ${dim(m.role)}  ${dim(m.pubkey.slice(0, 8))}
+`);
+    }
+    return EXIT.SUCCESS;
+  });
+}
+async function runTopicHistory(topic, flags) {
+  if (!topic) {
+    render.err("Usage: claudemesh topic history <topic> [--limit N] [--before <id>]");
+    return EXIT.INVALID_ARGS;
+  }
+  return await withMesh({ meshSlug: flags.mesh ?? null }, async (client) => {
+    const limit = flags.limit ? Number(flags.limit) : undefined;
+    const messages = await client.topicHistory({
+      topic,
+      limit,
+      beforeId: flags.before
+    });
+    if (flags.json) {
+      console.log(JSON.stringify(messages, null, 2));
+      return EXIT.SUCCESS;
+    }
+    if (messages.length === 0) {
+      render.info(dim(`no messages in ${clay("#" + topic)}.`));
+      return EXIT.SUCCESS;
+    }
+    const ordered = [...messages].reverse();
+    render.section(`${clay("#" + topic)} history (${ordered.length})`);
+    for (const m of ordered) {
+      const t = new Date(m.createdAt).toLocaleString();
+      process.stdout.write(`  ${dim(t)}  ${bold(m.senderPubkey.slice(0, 8))}  ${dim("(encrypted, " + m.ciphertext.length + "b)")}
+`);
+    }
+    return EXIT.SUCCESS;
+  });
+}
+async function runTopicMarkRead(topic, flags) {
+  if (!topic) {
+    render.err("Usage: claudemesh topic read <topic>");
+    return EXIT.INVALID_ARGS;
+  }
+  return await withMesh({ meshSlug: flags.mesh ?? null }, async (client) => {
+    await client.topicMarkRead(topic);
+    if (flags.json)
+      console.log(JSON.stringify({ read: topic }));
+    else
+      render.ok("marked read", clay("#" + topic));
+    return EXIT.SUCCESS;
+  });
+}
+var init_topic = __esm(() => {
+  init_connect();
+  init_render();
+  init_styles();
+  init_exit_codes();
+});
+
 // src/mcp/tools/definitions.ts
 var TOOLS;
 var init_definitions = __esm(() => {
@@ -10386,7 +11656,7 @@ var init_definitions = __esm(() => {
 
 // src/services/bridge/server.ts
 import { createServer as createServer2 } from "node:net";
-import { mkdirSync as mkdirSync7, unlinkSync as unlinkSync2, existsSync as existsSync20, chmodSync as chmodSync5 } from "node:fs";
+import { mkdirSync as mkdirSync7, unlinkSync as unlinkSync2, existsSync as existsSync21, chmodSync as chmodSync5 } from "node:fs";
 async function resolveTarget2(client, to) {
   if (to.startsWith("@") || to === "*" || /^[0-9a-f]{64}$/i.test(to)) {
     return { ok: true, spec: to };
@@ -10500,10 +11770,10 @@ function handleConnection(socket, client) {
 function startBridgeServer(client) {
   const path = socketPath(client.meshSlug);
   const dir = socketDir();
-  if (!existsSync20(dir)) {
+  if (!existsSync21(dir)) {
     mkdirSync7(dir, { recursive: true, mode: 448 });
   }
-  if (existsSync20(path)) {
+  if (existsSync21(path)) {
     try {
       unlinkSync2(path);
     } catch {}
@@ -11553,6 +12823,21 @@ function classifyInvocation(command, positionals) {
     case "task": {
       return { resource: "task", verb: sub || "list", isWrite: isWrite(sub) };
     }
+    case "topic": {
+      const verb = sub || "list";
+      const writeVerbs = new Set(["create", "join", "leave"]);
+      return { resource: "topic", verb, isWrite: writeVerbs.has(verb) };
+    }
+    case "apikey":
+    case "api-key": {
+      const verb = sub || "list";
+      const writeVerbs = new Set(["create", "revoke"]);
+      return { resource: "apikey", verb, isWrite: writeVerbs.has(verb) };
+    }
+    case "bridge": {
+      const verb = sub || "init";
+      return { resource: "bridge", verb, isWrite: verb === "run" };
+    }
     case "vector":
     case "graph":
     case "context":
@@ -11656,7 +12941,9 @@ var DEFAULT_POLICY = {
     { resource: "watch", verb: "remove", decision: "prompt", reason: "removes URL watcher" },
     { resource: "sql", verb: "execute", decision: "prompt", reason: "raw SQL write to mesh DB" },
     { resource: "graph", verb: "execute", decision: "prompt", reason: "graph mutation" },
-    { resource: "mesh", verb: "delete", decision: "prompt", reason: "deletes the mesh for everyone" }
+    { resource: "mesh", verb: "delete", decision: "prompt", reason: "deletes the mesh for everyone" },
+    { resource: "apikey", verb: "create", decision: "prompt", reason: "issues a long-lived credential" },
+    { resource: "apikey", verb: "revoke", decision: "prompt", reason: "irreversibly disables a credential" }
   ]
 };
 var USER_POLICY_PATH = join(homedir(), ".claudemesh", "policy.yaml");
@@ -11915,6 +13202,25 @@ Profile / presence  (resource form)
   claudemesh group join @<name>    join a group (--role X)
   claudemesh group leave @<name>   leave a group
 
+API keys  (REST + external WS auth, v0.2.0)
+  claudemesh apikey create <label>  issue [--cap send,read] [--topic deploys]
+  claudemesh apikey list             show keys (status, last-used, scope)
+  claudemesh apikey revoke <id>      revoke a key
+
+Bridge  (forward a topic between two meshes, v0.2.0)
+  claudemesh bridge init             print config template
+  claudemesh bridge run <config>     run bridge as a long-lived process
+
+Topic  (conversation scope, v0.2.0)
+  claudemesh topic create <name>   create a topic [--description --visibility]
+  claudemesh topic list            list topics in the mesh
+  claudemesh topic join <topic>    subscribe (via name or id)
+  claudemesh topic leave <topic>   unsubscribe
+  claudemesh topic members <t>     list topic subscribers
+  claudemesh topic history <t>     fetch message history [--limit --before]
+  claudemesh topic read <topic>    mark all as read
+  claudemesh send "#topic" "msg"   send to a topic
+
 Schedule  (resource form)
   claudemesh schedule msg <m>      one-shot or recurring     (alias: remind)
   claudemesh schedule list         list pending
@@ -12618,6 +13924,86 @@ async function main() {
       }
       break;
     }
+    case "bridge": {
+      const sub = positionals[0];
+      if (sub === "run") {
+        const { runBridge: runBridge2 } = await Promise.resolve().then(() => (init_bridge(), exports_bridge));
+        process.exit(await runBridge2(positionals[1] ?? ""));
+      } else if (sub === "init" || sub === "config") {
+        const { bridgeConfigTemplate: bridgeConfigTemplate2 } = await Promise.resolve().then(() => (init_bridge(), exports_bridge));
+        console.log(bridgeConfigTemplate2());
+        process.exit(EXIT.SUCCESS);
+      } else {
+        console.error("Usage: claudemesh bridge <run <config.yaml> | init>");
+        process.exit(EXIT.INVALID_ARGS);
+      }
+      break;
+    }
+    case "apikey":
+    case "api-key": {
+      const sub = positionals[0];
+      const f = {
+        mesh: flags.mesh,
+        json: !!flags.json,
+        cap: flags.cap,
+        topic: flags.topic,
+        expires: flags.expires
+      };
+      const arg = positionals[1] ?? "";
+      if (sub === "create") {
+        const { runApiKeyCreate: runApiKeyCreate2 } = await Promise.resolve().then(() => (init_apikey(), exports_apikey));
+        process.exit(await runApiKeyCreate2(arg, f));
+      } else if (sub === "list") {
+        const { runApiKeyList: runApiKeyList2 } = await Promise.resolve().then(() => (init_apikey(), exports_apikey));
+        process.exit(await runApiKeyList2(f));
+      } else if (sub === "revoke") {
+        const { runApiKeyRevoke: runApiKeyRevoke2 } = await Promise.resolve().then(() => (init_apikey(), exports_apikey));
+        process.exit(await runApiKeyRevoke2(arg, f));
+      } else {
+        console.error("Usage: claudemesh apikey <create|list|revoke>");
+        process.exit(EXIT.INVALID_ARGS);
+      }
+      break;
+    }
+    case "topic": {
+      const sub = positionals[0];
+      const f = {
+        mesh: flags.mesh,
+        json: !!flags.json,
+        description: flags.description,
+        visibility: flags.visibility,
+        role: flags.role,
+        limit: flags.limit,
+        before: flags.before
+      };
+      const arg = positionals[1] ?? "";
+      if (sub === "create") {
+        const { runTopicCreate: runTopicCreate2 } = await Promise.resolve().then(() => (init_topic(), exports_topic));
+        process.exit(await runTopicCreate2(arg, f));
+      } else if (sub === "list") {
+        const { runTopicList: runTopicList2 } = await Promise.resolve().then(() => (init_topic(), exports_topic));
+        process.exit(await runTopicList2(f));
+      } else if (sub === "join") {
+        const { runTopicJoin: runTopicJoin2 } = await Promise.resolve().then(() => (init_topic(), exports_topic));
+        process.exit(await runTopicJoin2(arg, f));
+      } else if (sub === "leave") {
+        const { runTopicLeave: runTopicLeave2 } = await Promise.resolve().then(() => (init_topic(), exports_topic));
+        process.exit(await runTopicLeave2(arg, f));
+      } else if (sub === "members") {
+        const { runTopicMembers: runTopicMembers2 } = await Promise.resolve().then(() => (init_topic(), exports_topic));
+        process.exit(await runTopicMembers2(arg, f));
+      } else if (sub === "history") {
+        const { runTopicHistory: runTopicHistory2 } = await Promise.resolve().then(() => (init_topic(), exports_topic));
+        process.exit(await runTopicHistory2(arg, f));
+      } else if (sub === "read") {
+        const { runTopicMarkRead: runTopicMarkRead2 } = await Promise.resolve().then(() => (init_topic(), exports_topic));
+        process.exit(await runTopicMarkRead2(arg, f));
+      } else {
+        console.error("Usage: claudemesh topic <create|list|join|leave|members|history|read>");
+        process.exit(EXIT.INVALID_ARGS);
+      }
+      break;
+    }
     case "task": {
       const sub = positionals[0];
       const f = { mesh: flags.mesh, json: !!flags.json };
@@ -12666,4 +14052,4 @@ main().catch((err) => {
   process.exit(EXIT.INTERNAL_ERROR);
 });
 
-//# debugId=C75596237B999F1364756E2164756E21
+//# debugId=131DC57DB8537D5464756E2164756E21