claudemesh-cli 1.6.1 → 1.8.0

package/README.md

@@ -2,7 +2,11 @@
 
 Peer mesh for Claude Code sessions. Connect multiple Claude Code instances into a shared mesh with real-time messaging, shared state, memory, file sharing, vector store, scheduled jobs, and more — all driven from the `claudemesh` CLI. The MCP server is a tool-less push-pipe that delivers inbound peer messages to Claude as `<channel>` interrupts; everything else lives behind CLI verbs that Claude learns from the auto-installed `claudemesh` skill.
 
-> **What's new in 1.6.0:** topics (channel pub/sub), API keys for human/REST clients, and bridge peers that forward a topic between two meshes. New verbs: `claudemesh topic`, `claudemesh apikey`, `claudemesh bridge`. A REST surface at `https://claudemesh.com/api/v1/*` (messages, topics, peers, history) accepts `Authorization: Bearer cm_...` keys, so any HTTPS client can participate without WebSocket + ed25519 plumbing. **Note**: REST lives on the web host (`claudemesh.com`), not the broker host (`ic.claudemesh.com`) — the broker only speaks WebSocket.
+> **What's new in 1.8.0:** per-topic end-to-end encryption (v0.3.0 phase 3, CLI side). `claudemesh topic post <topic> <msg>` encrypts the body with `crypto_secretbox` under the topic's symmetric key — broker stores ciphertext only. `claudemesh topic tail` now decrypts v2 messages on render and runs a background re-seal loop every 30s, so new topic joiners get their sealed keys without manual action. `topic-key` cache is process-only — kill the CLI, the key forgets. Web dashboard reads v1 plaintext for now (phase 3.5 brings browser-side identity).
+>
+> **What was new in 1.7.0:** terminal parity for the v1.6.x server features. New verbs: `claudemesh topic tail` (live SSE message stream — Ctrl-C to exit), `claudemesh notification list` (recent `@you` mentions across topics), `claudemesh member list` (mesh roster with online dots, distinct from `peer list`'s live-session view). Each command auto-mints a 5-minute read-only apikey via the WebSocket and revokes it on exit, so no token plumbing is needed.
+>
+> **What was new in 1.6.0:** topics (channel pub/sub), API keys for human/REST clients, and bridge peers that forward a topic between two meshes. New verbs: `claudemesh topic`, `claudemesh apikey`, `claudemesh bridge`. A REST surface at `https://claudemesh.com/api/v1/*` (messages, topics, peers, history) accepts `Authorization: Bearer cm_...` keys, so any HTTPS client can participate without WebSocket + ed25519 plumbing. **Note**: REST lives on the web host (`claudemesh.com`), not the broker host (`ic.claudemesh.com`) — the broker only speaks WebSocket.
 >
 > **Migration note (1.5.0):** the previous 79 MCP tools (`send_message`, `list_peers`, `remember`, …) are removed. Use the matching CLI verbs (`claudemesh send`, `claudemesh peers`, `claudemesh remember`). Run `claudemesh install` and the bundled skill teaches Claude the full surface.
 
@@ -43,6 +47,10 @@ USAGE
   claudemesh profile         view or edit your profile
 
   claudemesh topic ...       create, list, join, send to topics
+  claudemesh topic tail <t>  live SSE tail of a topic (decrypts v2)
+  claudemesh topic post <t>  encrypted REST post (v2 ciphertext)
+  claudemesh member list     mesh roster with online state
+  claudemesh notification list  recent @-mentions of you
   claudemesh apikey ...      issue, list, revoke API keys (REST clients)
   claudemesh bridge ...      forward a topic between two meshes
 

package/dist/entrypoints/cli.js

@@ -88,7 +88,7 @@ __export(exports_urls, {
   VERSION: () => VERSION,
   URLS: () => URLS
 });
-var URLS, VERSION = "1.6.1", env;
+var URLS, VERSION = "1.8.0", env;
 var init_urls = __esm(() => {
   URLS = {
     BROKER: process.env.CLAUDEMESH_BROKER_URL ?? "wss://ic.claudemesh.com/ws",
@@ -11648,6 +11648,558 @@ var init_topic = __esm(() => {
   init_exit_codes();
 });
 
+// src/services/api/with-rest-key.ts
+async function withRestKey(opts, fn) {
+  return withMesh({ meshSlug: opts.meshSlug ?? null }, async (client, mesh) => {
+    const result = await client.apiKeyCreate({
+      label: `cli-${opts.purpose ?? "rest"}-${process.pid}`,
+      capabilities: opts.capabilities ?? ["read"],
+      topicScopes: opts.topicScopes ?? undefined,
+      expiresAt: new Date(Date.now() + 5 * 60 * 1000).toISOString()
+    });
+    if (!result || !result.secret) {
+      throw new Error("apikey mint failed — broker did not return a secret");
+    }
+    try {
+      return await fn({
+        secret: result.secret,
+        meshId: mesh.meshId,
+        meshSlug: mesh.slug,
+        client,
+        mesh
+      });
+    } finally {
+      try {
+        await client.apiKeyRevoke(result.id);
+      } catch {}
+    }
+  });
+}
+var init_with_rest_key = __esm(() => {
+  init_connect();
+});
+
+// src/services/crypto/topic-key.ts
+function cacheKey(apiKeySecret, topicName) {
+  return `${apiKeySecret.slice(0, 12)}:${topicName}`;
+}
+async function getTopicKey(args) {
+  const cacheId = cacheKey(args.apiKeySecret, args.topicName);
+  if (!args.fresh) {
+    const cached = cache.get(cacheId);
+    if (cached)
+      return { ok: true, topicKey: cached.topicKey };
+  }
+  let sealed;
+  try {
+    sealed = await request({
+      path: `/api/v1/topics/${encodeURIComponent(args.topicName)}/key`,
+      token: args.apiKeySecret
+    });
+  } catch (e) {
+    if (e instanceof ApiError) {
+      if (e.status === 404)
+        return { ok: false, error: "not_sealed" };
+      if (e.status === 409)
+        return { ok: false, error: "topic_unencrypted" };
+    }
+    return {
+      ok: false,
+      error: "network",
+      message: e instanceof Error ? e.message : String(e)
+    };
+  }
+  const sodium4 = (await import("libsodium-wrappers")).default;
+  await sodium4.ready;
+  let recipientX25519Secret;
+  try {
+    const ed = sodium4.from_hex(args.memberSecretKeyHex);
+    recipientX25519Secret = sodium4.crypto_sign_ed25519_sk_to_curve25519(ed);
+  } catch {
+    return { ok: false, error: "bad_member_secret" };
+  }
+  let topicKey;
+  try {
+    const blob = sodium4.from_base64(sealed.encryptedKey, sodium4.base64_variants.ORIGINAL);
+    const nonce = sodium4.from_base64(sealed.nonce, sodium4.base64_variants.ORIGINAL);
+    if (blob.length < 32 + sodium4.crypto_box_MACBYTES) {
+      return {
+        ok: false,
+        error: "decrypt_failed",
+        message: "sealed key blob too short to contain sender pubkey + cipher"
+      };
+    }
+    const senderX25519 = blob.slice(0, 32);
+    const cipher = blob.slice(32);
+    topicKey = sodium4.crypto_box_open_easy(cipher, nonce, senderX25519, recipientX25519Secret);
+  } catch (e) {
+    return {
+      ok: false,
+      error: "decrypt_failed",
+      message: e instanceof Error ? e.message : String(e)
+    };
+  }
+  cache.set(cacheId, { topicKey, fetchedAt: Date.now() });
+  return { ok: true, topicKey };
+}
+async function encryptMessage(topicKey, plaintext) {
+  const sodium4 = (await import("libsodium-wrappers")).default;
+  await sodium4.ready;
+  const nonceBytes = sodium4.randombytes_buf(sodium4.crypto_secretbox_NONCEBYTES);
+  const cipher = sodium4.crypto_secretbox_easy(sodium4.from_string(plaintext), nonceBytes, topicKey);
+  return {
+    ciphertext: sodium4.to_base64(cipher, sodium4.base64_variants.ORIGINAL),
+    nonce: sodium4.to_base64(nonceBytes, sodium4.base64_variants.ORIGINAL)
+  };
+}
+async function decryptMessage(topicKey, ciphertextB64, nonceB64) {
+  try {
+    const sodium4 = (await import("libsodium-wrappers")).default;
+    await sodium4.ready;
+    const cipher = sodium4.from_base64(ciphertextB64, sodium4.base64_variants.ORIGINAL);
+    const nonce = sodium4.from_base64(nonceB64, sodium4.base64_variants.ORIGINAL);
+    const plain = sodium4.crypto_secretbox_open_easy(cipher, nonce, topicKey);
+    return sodium4.to_string(plain);
+  } catch {
+    return null;
+  }
+}
+async function sealTopicKeyFor(topicKey, recipientPubkeyHex, ourMemberSecretKeyHex) {
+  try {
+    const sodium4 = (await import("libsodium-wrappers")).default;
+    await sodium4.ready;
+    const recipientX25519 = sodium4.crypto_sign_ed25519_pk_to_curve25519(sodium4.from_hex(recipientPubkeyHex));
+    const ourEdSecret = sodium4.from_hex(ourMemberSecretKeyHex);
+    const ourX25519Secret = sodium4.crypto_sign_ed25519_sk_to_curve25519(ourEdSecret);
+    const ourEdPublic = ourEdSecret.slice(32, 64);
+    const ourX25519Public = sodium4.crypto_sign_ed25519_pk_to_curve25519(ourEdPublic);
+    const nonceBytes = sodium4.randombytes_buf(sodium4.crypto_box_NONCEBYTES);
+    const cipher = sodium4.crypto_box_easy(topicKey, nonceBytes, recipientX25519, ourX25519Secret);
+    const blob = new Uint8Array(32 + cipher.length);
+    blob.set(ourX25519Public, 0);
+    blob.set(cipher, 32);
+    return {
+      encryptedKey: sodium4.to_base64(blob, sodium4.base64_variants.ORIGINAL),
+      nonce: sodium4.to_base64(nonceBytes, sodium4.base64_variants.ORIGINAL)
+    };
+  } catch {
+    return null;
+  }
+}
+var cache;
+var init_topic_key = __esm(() => {
+  init_client();
+  init_errors();
+  cache = new Map;
+});
+
+// src/commands/topic-tail.ts
+var exports_topic_tail = {};
+__export(exports_topic_tail, {
+  runTopicTail: () => runTopicTail
+});
+function decodeV1(b64) {
+  try {
+    return Buffer.from(b64, "base64").toString("utf-8");
+  } catch {
+    return "[decode failed]";
+  }
+}
+async function decryptForRender(m, topicKey) {
+  if ((m.bodyVersion ?? 1) === 1)
+    return decodeV1(m.ciphertext);
+  if (!topicKey)
+    return "[encrypted — no topic key]";
+  const plain = await decryptMessage(topicKey, m.ciphertext, m.nonce);
+  return plain ?? "[decrypt failed]";
+}
+function fmtTime(iso) {
+  try {
+    return new Date(iso).toLocaleTimeString([], {
+      hour: "2-digit",
+      minute: "2-digit",
+      second: "2-digit"
+    });
+  } catch {
+    return iso;
+  }
+}
+async function printMessage(m, topicKey, json) {
+  const text = await decryptForRender(m, topicKey);
+  if (json) {
+    console.log(JSON.stringify({ ...m, message: text }));
+    return;
+  }
+  const v2Marker = (m.bodyVersion ?? 1) === 2 ? dim("\uD83D\uDD12 ") : "";
+  process.stdout.write(`  ${dim(fmtTime(m.createdAt))}  ${bold(m.senderName || m.senderPubkey.slice(0, 8))}  ${v2Marker}${text}
+`);
+}
+async function* readSseStream(reader) {
+  const decoder = new TextDecoder;
+  let buffer = "";
+  while (true) {
+    const { value, done } = await reader.read();
+    if (done)
+      break;
+    buffer += decoder.decode(value, { stream: true });
+    let idx;
+    while ((idx = buffer.indexOf(`
+
+`)) !== -1) {
+      const block = buffer.slice(0, idx);
+      buffer = buffer.slice(idx + 2);
+      const ev = { event: "message", data: "" };
+      const dataLines = [];
+      for (const line of block.split(`
+`)) {
+        if (!line || line.startsWith(":"))
+          continue;
+        const colon = line.indexOf(":");
+        if (colon < 0)
+          continue;
+        const field = line.slice(0, colon);
+        const val = line.slice(colon + 1).replace(/^ /, "");
+        if (field === "event")
+          ev.event = val;
+        else if (field === "id")
+          ev.id = val;
+        else if (field === "data")
+          dataLines.push(val);
+      }
+      ev.data = dataLines.join(`
+`);
+      yield ev;
+    }
+  }
+}
+async function runTopicTail(name, flags) {
+  if (!name) {
+    render.err("Usage: claudemesh topic tail <topic> [--limit N]");
+    return EXIT.INVALID_ARGS;
+  }
+  const cleanName = name.replace(/^#/, "");
+  const limit = flags.limit ? Number(flags.limit) : 20;
+  return withRestKey({
+    meshSlug: flags.mesh ?? null,
+    purpose: `tail-${cleanName}`,
+    capabilities: ["read"],
+    topicScopes: [cleanName]
+  }, async ({ secret, meshSlug, mesh }) => {
+    const keyResult = await getTopicKey({
+      apiKeySecret: secret,
+      memberSecretKeyHex: mesh.secretKey,
+      topicName: cleanName
+    });
+    const topicKey = keyResult.ok ? keyResult.topicKey ?? null : null;
+    let resealTimer = null;
+    if (topicKey) {
+      const reseal = async () => {
+        try {
+          const pending = await request({
+            path: `/api/v1/topics/${encodeURIComponent(cleanName)}/pending-seals`,
+            token: secret
+          });
+          for (const target of pending.pending) {
+            const sealed = await sealTopicKeyFor(topicKey, target.pubkey, mesh.secretKey);
+            if (!sealed)
+              continue;
+            try {
+              await request({
+                path: `/api/v1/topics/${encodeURIComponent(cleanName)}/seal`,
+                method: "POST",
+                token: secret,
+                body: {
+                  memberId: target.memberId,
+                  encryptedKey: sealed.encryptedKey,
+                  nonce: sealed.nonce
+                }
+              });
+              if (!flags.json) {
+                render.info(dim(`re-sealed topic key for ${target.displayName}`));
+              }
+            } catch {}
+          }
+        } catch {}
+      };
+      reseal();
+      resealTimer = setInterval(reseal, 30000);
+    }
+    if (!flags.json && !keyResult.ok) {
+      if (keyResult.error === "topic_unencrypted") {
+        render.info(dim("topic is on v1 (plaintext) — encryption will activate after creator-seal"));
+      } else if (keyResult.error === "not_sealed") {
+        render.warn(yellow("no topic key sealed for you yet — wait for a holder to re-seal"));
+      } else if (keyResult.error === "decrypt_failed") {
+        render.warn(yellow(`topic key fetched but decrypt failed: ${keyResult.message ?? ""}`));
+      }
+    }
+    if (!flags.forwardOnly && limit > 0) {
+      try {
+        const history = await request({
+          path: `/api/v1/topics/${encodeURIComponent(cleanName)}/messages?limit=${limit}`,
+          token: secret
+        });
+        if (!flags.json) {
+          render.section(`${clay("#" + cleanName)} on ${dim(meshSlug)} — backfill ${history.messages.length}, then live`);
+        }
+        for (const m of history.messages.slice().reverse()) {
+          await printMessage(m, topicKey, flags.json ?? false);
+        }
+      } catch (err) {
+        render.warn(`backfill failed: ${err.message}`);
+      }
+    }
+    const url = `${URLS.API_BASE}/api/v1/topics/${encodeURIComponent(cleanName)}/stream`;
+    const ctl = new AbortController;
+    const onSig = () => ctl.abort();
+    process.once("SIGINT", onSig);
+    process.once("SIGTERM", onSig);
+    try {
+      const res = await fetch(url, {
+        headers: { Authorization: `Bearer ${secret}` },
+        signal: ctl.signal
+      });
+      if (!res.ok || !res.body) {
+        render.err(`stream open failed: ${res.status}`);
+        return EXIT.INTERNAL_ERROR;
+      }
+      if (!flags.json) {
+        render.info(dim("tailing — Ctrl-C to exit"));
+      }
+      const reader = res.body.getReader();
+      for await (const ev of readSseStream(reader)) {
+        if (ev.event === "ready" || ev.event === "heartbeat")
+          continue;
+        if (ev.event === "error") {
+          try {
+            const parsed = JSON.parse(ev.data);
+            render.err(`stream error: ${parsed.error ?? "unknown"}`);
+          } catch {
+            render.err("stream error");
+          }
+          continue;
+        }
+        if (ev.event === "message") {
+          try {
+            const m = JSON.parse(ev.data);
+            await printMessage(m, topicKey, flags.json ?? false);
+          } catch {}
+        }
+      }
+      return EXIT.SUCCESS;
+    } catch (err) {
+      if (ctl.signal.aborted)
+        return EXIT.SUCCESS;
+      render.err(`tail aborted: ${err.message}`);
+      return EXIT.INTERNAL_ERROR;
+    } finally {
+      process.removeListener("SIGINT", onSig);
+      process.removeListener("SIGTERM", onSig);
+      if (resealTimer)
+        clearInterval(resealTimer);
+    }
+  });
+}
+var init_topic_tail = __esm(() => {
+  init_urls();
+  init_with_rest_key();
+  init_client();
+  init_topic_key();
+  init_render();
+  init_styles();
+  init_exit_codes();
+});
+
+// src/commands/topic-post.ts
+var exports_topic_post = {};
+__export(exports_topic_post, {
+  runTopicPost: () => runTopicPost
+});
+async function runTopicPost(topicName, message, flags) {
+  if (!topicName || !message) {
+    render.err("Usage: claudemesh topic post <topic> <message>");
+    return EXIT.INVALID_ARGS;
+  }
+  const cleanName = topicName.replace(/^#/, "");
+  const mentions = [];
+  const mentionRe = /(^|[^A-Za-z0-9_-])@([A-Za-z0-9_-]{1,64})(?=$|[^A-Za-z0-9_-])/g;
+  let m;
+  while ((m = mentionRe.exec(message)) !== null) {
+    mentions.push(m[2].toLowerCase());
+    if (mentions.length >= 16)
+      break;
+  }
+  return withRestKey({
+    meshSlug: flags.mesh ?? null,
+    purpose: `post-${cleanName}`,
+    capabilities: ["read", "send"],
+    topicScopes: [cleanName]
+  }, async ({ secret, mesh }) => {
+    let bodyVersion = 1;
+    let ciphertext;
+    let nonce;
+    if (flags.plaintext) {
+      ciphertext = Buffer.from(message, "utf-8").toString("base64");
+      nonce = Buffer.from(new Uint8Array(24)).toString("base64");
+    } else {
+      const keyResult = await getTopicKey({
+        apiKeySecret: secret,
+        memberSecretKeyHex: mesh.secretKey,
+        topicName: cleanName
+      });
+      if (keyResult.ok && keyResult.topicKey) {
+        const enc = await encryptMessage(keyResult.topicKey, message);
+        ciphertext = enc.ciphertext;
+        nonce = enc.nonce;
+        bodyVersion = 2;
+      } else if (keyResult.error === "topic_unencrypted") {
+        ciphertext = Buffer.from(message, "utf-8").toString("base64");
+        nonce = Buffer.from(new Uint8Array(24)).toString("base64");
+      } else {
+        render.err(`cannot encrypt for #${cleanName}: ${keyResult.error ?? "unknown"}${keyResult.message ? " — " + keyResult.message : ""}`);
+        return EXIT.INTERNAL_ERROR;
+      }
+    }
+    const result = await request({
+      path: "/api/v1/messages",
+      method: "POST",
+      token: secret,
+      body: {
+        topic: cleanName,
+        ciphertext,
+        nonce,
+        bodyVersion,
+        ...mentions.length > 0 ? { mentions } : {}
+      }
+    });
+    if (flags.json) {
+      console.log(JSON.stringify({ ...result, bodyVersion, mentions }));
+      return EXIT.SUCCESS;
+    }
+    const versionTag = bodyVersion === 2 ? green("\uD83D\uDD12 v2") : dim("v1");
+    render.ok("posted", `${clay("#" + cleanName)}  ${versionTag}  ${dim(`(${result.notifications} mentions)`)}`);
+    return EXIT.SUCCESS;
+  });
+}
+var init_topic_post = __esm(() => {
+  init_with_rest_key();
+  init_client();
+  init_topic_key();
+  init_render();
+  init_styles();
+  init_exit_codes();
+});
+
+// src/commands/notification.ts
+var exports_notification = {};
+__export(exports_notification, {
+  runNotificationList: () => runNotificationList
+});
+function decodeCiphertext(b64) {
+  try {
+    return Buffer.from(b64, "base64").toString("utf-8");
+  } catch {
+    return "[decode failed]";
+  }
+}
+function fmtRelative(iso) {
+  const ms = Date.now() - new Date(iso).getTime();
+  if (ms < 60000)
+    return "now";
+  if (ms < 3600000)
+    return `${Math.floor(ms / 60000)}m`;
+  if (ms < 86400000)
+    return `${Math.floor(ms / 3600000)}h`;
+  return `${Math.floor(ms / 86400000)}d`;
+}
+async function runNotificationList(flags) {
+  return withRestKey({ meshSlug: flags.mesh ?? null, purpose: "notifications" }, async ({ secret }) => {
+    const qs = flags.since ? `?since=${encodeURIComponent(flags.since)}` : "";
+    const result = await request({
+      path: `/api/v1/notifications${qs}`,
+      token: secret
+    });
+    if (flags.json) {
+      const decoded = result.notifications.map((n) => ({
+        ...n,
+        message: decodeCiphertext(n.ciphertext)
+      }));
+      console.log(JSON.stringify({ ...result, notifications: decoded }, null, 2));
+      return EXIT.SUCCESS;
+    }
+    if (result.notifications.length === 0) {
+      render.info(dim(`no mentions of @${result.mentionedAs} since ${result.since}.`));
+      return EXIT.SUCCESS;
+    }
+    render.section(`mentions of @${bold(result.mentionedAs)} (${result.notifications.length})`);
+    for (const n of result.notifications) {
+      const when = fmtRelative(n.createdAt);
+      const msg = decodeCiphertext(n.ciphertext).replace(/\s+/g, " ").trim();
+      const snippet = msg.length > 100 ? msg.slice(0, 97) + "…" : msg;
+      process.stdout.write(`  ${clay("#" + n.topicName)}  ${dim(when)}  ${bold(n.senderName)}
+`);
+      process.stdout.write(`    ${snippet}
+`);
+    }
+    return EXIT.SUCCESS;
+  });
+}
+var init_notification = __esm(() => {
+  init_with_rest_key();
+  init_client();
+  init_render();
+  init_styles();
+  init_exit_codes();
+});
+
+// src/commands/member.ts
+var exports_member = {};
+__export(exports_member, {
+  runMemberList: () => runMemberList
+});
+function statusGlyph(m) {
+  if (!m.online)
+    return dim("○");
+  if (m.status === "dnd")
+    return red("●");
+  if (m.status === "working")
+    return yellow("●");
+  return green("●");
+}
+async function runMemberList(flags) {
+  return withRestKey({ meshSlug: flags.mesh ?? null, purpose: "members" }, async ({ secret, meshSlug }) => {
+    const result = await request({
+      path: "/api/v1/members",
+      token: secret
+    });
+    const filtered = flags.online ? result.members.filter((m) => m.online) : result.members;
+    if (flags.json) {
+      console.log(JSON.stringify({ members: filtered }, null, 2));
+      return EXIT.SUCCESS;
+    }
+    if (filtered.length === 0) {
+      render.info(dim(flags.online ? `no online members in ${meshSlug}.` : `no members in ${meshSlug}.`));
+      return EXIT.SUCCESS;
+    }
+    const onlineCount = result.members.filter((m) => m.online).length;
+    render.section(`${clay(meshSlug)} members (${onlineCount}/${result.members.length} online)`);
+    for (const m of filtered) {
+      const tag = m.isHuman ? dim("human") : dim("bot");
+      const summary = m.summary ? ` — ${dim(m.summary)}` : "";
+      process.stdout.write(`  ${statusGlyph(m)} ${bold(m.displayName)}  ${tag}  ${dim(m.role)}  ${dim(m.pubkey.slice(0, 8))}${summary}
+`);
+    }
+    return EXIT.SUCCESS;
+  });
+}
+var init_member = __esm(() => {
+  init_with_rest_key();
+  init_client();
+  init_render();
+  init_styles();
+  init_exit_codes();
+});
+
 // src/mcp/tools/definitions.ts
 var TOOLS;
 var init_definitions = __esm(() => {
@@ -13219,7 +13771,11 @@ Topic  (conversation scope, v0.2.0)
   claudemesh topic members <t>     list topic subscribers
   claudemesh topic history <t>     fetch message history [--limit --before]
   claudemesh topic read <topic>    mark all as read
-  claudemesh send "#topic" "msg"   send to a topic
+  claudemesh topic tail <topic>    live SSE tail [--limit --forward-only]
+  claudemesh topic post <t> <msg>  encrypted REST post (v0.3.0 v2)
+  claudemesh send "#topic" "msg"   send to a topic (WS path, v1 plaintext)
+  claudemesh member list           mesh roster with online state [--online]
+  claudemesh notification list     recent @-mentions of you [--since <ISO>]
 
 Schedule  (resource form)
   claudemesh schedule msg <m>      one-shot or recurring     (alias: remind)
@@ -13998,8 +14554,60 @@ async function main() {
       } else if (sub === "read") {
         const { runTopicMarkRead: runTopicMarkRead2 } = await Promise.resolve().then(() => (init_topic(), exports_topic));
         process.exit(await runTopicMarkRead2(arg, f));
+      } else if (sub === "tail") {
+        const tailFlags = {
+          mesh: flags.mesh,
+          json: !!flags.json,
+          limit: flags.limit,
+          forwardOnly: !!flags["forward-only"]
+        };
+        const { runTopicTail: runTopicTail2 } = await Promise.resolve().then(() => (init_topic_tail(), exports_topic_tail));
+        process.exit(await runTopicTail2(arg, tailFlags));
+      } else if (sub === "post") {
+        const postFlags = {
+          mesh: flags.mesh,
+          json: !!flags.json,
+          plaintext: !!flags.plaintext
+        };
+        const message = positionals.slice(2).join(" ");
+        const { runTopicPost: runTopicPost2 } = await Promise.resolve().then(() => (init_topic_post(), exports_topic_post));
+        process.exit(await runTopicPost2(arg, message, postFlags));
+      } else {
+        console.error("Usage: claudemesh topic <create|list|join|leave|members|history|read|tail|post>");
+        process.exit(EXIT.INVALID_ARGS);
+      }
+      break;
+    }
+    case "notification":
+    case "notifications": {
+      const sub = positionals[0] ?? "list";
+      const f = {
+        mesh: flags.mesh,
+        json: !!flags.json,
+        since: flags.since
+      };
+      if (sub === "list") {
+        const { runNotificationList: runNotificationList2 } = await Promise.resolve().then(() => (init_notification(), exports_notification));
+        process.exit(await runNotificationList2(f));
+      } else {
+        console.error("Usage: claudemesh notification list [--since <ISO>]");
+        process.exit(EXIT.INVALID_ARGS);
+      }
+      break;
+    }
+    case "member":
+    case "members": {
+      const sub = positionals[0] ?? "list";
+      const f = {
+        mesh: flags.mesh,
+        json: !!flags.json,
+        online: !!flags.online
+      };
+      if (sub === "list") {
+        const { runMemberList: runMemberList2 } = await Promise.resolve().then(() => (init_member(), exports_member));
+        process.exit(await runMemberList2(f));
       } else {
-        console.error("Usage: claudemesh topic <create|list|join|leave|members|history|read>");
+        console.error("Usage: claudemesh member list [--online]");
         process.exit(EXIT.INVALID_ARGS);
       }
       break;
@@ -14052,4 +14660,4 @@ main().catch((err) => {
   process.exit(EXIT.INTERNAL_ERROR);
 });
 
-//# debugId=131DC57DB8537D5464756E2164756E21
+//# debugId=25484051F3F24E9464756E2164756E21