claudemesh-cli 1.7.0 → 1.9.2

package/README.md

@@ -2,7 +2,11 @@
 
 Peer mesh for Claude Code sessions. Connect multiple Claude Code instances into a shared mesh with real-time messaging, shared state, memory, file sharing, vector store, scheduled jobs, and more — all driven from the `claudemesh` CLI. The MCP server is a tool-less push-pipe that delivers inbound peer messages to Claude as `<channel>` interrupts; everything else lives behind CLI verbs that Claude learns from the auto-installed `claudemesh` skill.
 
-> **What's new in 1.7.0:** terminal parity for the v1.6.x server features. New verbs: `claudemesh topic tail` (live SSE message stream — Ctrl-C to exit), `claudemesh notification list` (recent `@you` mentions across topics), `claudemesh member list` (mesh roster with online dots, distinct from `peer list`'s live-session view). Each command auto-mints a 5-minute read-only apikey via the WebSocket and revokes it on exit, so no token plumbing is needed.
+> **What's new in 1.9.x:** topic threading + multi-session reliability fixes. `claudemesh topic post <topic> <msg> --reply-to <id>` threads a reply onto a previous topic message (full id or 8+ char prefix); `topic tail` renders `↳ in reply to <name>: "<snippet>"` above replies and shows a copyable `#xxxxxxxx` short id on every row. `<channel>` MCP attrs now carry `from_member_id`, `from_pubkey` (stable), `from_session_pubkey` (ephemeral), `message_id`, `topic`, `reply_to_id` — everything the recipient needs to reply directly. Broker fixes (v0.3.2): replies to a stale session pubkey now resolve to the owning member's live session instead of bouncing with "not online", and broadcast `*` no longer loopbacks decrypt-fail warnings to the sender's sibling sessions.
+>
+> **What was new in 1.8.0:** per-topic end-to-end encryption (v0.3.0 phase 3, CLI side). `claudemesh topic post <topic> <msg>` encrypts the body with `crypto_secretbox` under the topic's symmetric key — broker stores ciphertext only. `claudemesh topic tail` now decrypts v2 messages on render and runs a background re-seal loop every 30s, so new topic joiners get their sealed keys without manual action. `topic-key` cache is process-only — kill the CLI, the key forgets. Web dashboard reads v1 plaintext for now (phase 3.5 brings browser-side identity).
+>
+> **What was new in 1.7.0:** terminal parity for the v1.6.x server features. New verbs: `claudemesh topic tail` (live SSE message stream — Ctrl-C to exit), `claudemesh notification list` (recent `@you` mentions across topics), `claudemesh member list` (mesh roster with online dots, distinct from `peer list`'s live-session view). Each command auto-mints a 5-minute read-only apikey via the WebSocket and revokes it on exit, so no token plumbing is needed.
 >
 > **What was new in 1.6.0:** topics (channel pub/sub), API keys for human/REST clients, and bridge peers that forward a topic between two meshes. New verbs: `claudemesh topic`, `claudemesh apikey`, `claudemesh bridge`. A REST surface at `https://claudemesh.com/api/v1/*` (messages, topics, peers, history) accepts `Authorization: Bearer cm_...` keys, so any HTTPS client can participate without WebSocket + ed25519 plumbing. **Note**: REST lives on the web host (`claudemesh.com`), not the broker host (`ic.claudemesh.com`) — the broker only speaks WebSocket.
 >
@@ -45,7 +49,8 @@ USAGE
   claudemesh profile         view or edit your profile
 
   claudemesh topic ...       create, list, join, send to topics
-  claudemesh topic tail <t>  live SSE tail of a topic
+  claudemesh topic tail <t>  live SSE tail of a topic (decrypts v2)
+  claudemesh topic post <t>  encrypted REST post (v2 ciphertext)
   claudemesh member list     mesh roster with online state
   claudemesh notification list  recent @-mentions of you
   claudemesh apikey ...      issue, list, revoke API keys (REST clients)

package/dist/entrypoints/cli.js

@@ -88,7 +88,7 @@ __export(exports_urls, {
   VERSION: () => VERSION,
   URLS: () => URLS
 });
-var URLS, VERSION = "1.7.0", env;
+var URLS, VERSION = "1.9.2", env;
 var init_urls = __esm(() => {
   URLS = {
     BROKER: process.env.CLAUDEMESH_BROKER_URL ?? "wss://ic.claudemesh.com/ws",
@@ -2779,6 +2779,11 @@ class BrokerClient {
           messageId: String(msg.messageId ?? ""),
           meshId: String(msg.meshId ?? ""),
           senderPubkey,
+          ...msg.senderMemberPubkey ? { senderMemberPubkey: String(msg.senderMemberPubkey) } : {},
+          ...msg.senderMemberId ? { senderMemberId: String(msg.senderMemberId) } : {},
+          ...msg.senderName ? { senderName: String(msg.senderName) } : {},
+          ...msg.topic ? { topic: String(msg.topic) } : {},
+          ...msg.replyToId ? { replyToId: String(msg.replyToId) } : {},
           priority: msg.priority ?? "next",
           nonce,
           ciphertext,
@@ -11679,18 +11684,151 @@ var init_with_rest_key = __esm(() => {
   init_connect();
 });
 
+// src/services/crypto/topic-key.ts
+function cacheKey(apiKeySecret, topicName) {
+  return `${apiKeySecret.slice(0, 12)}:${topicName}`;
+}
+async function getTopicKey(args) {
+  const cacheId = cacheKey(args.apiKeySecret, args.topicName);
+  if (!args.fresh) {
+    const cached = cache.get(cacheId);
+    if (cached)
+      return { ok: true, topicKey: cached.topicKey };
+  }
+  let sealed;
+  try {
+    sealed = await request({
+      path: `/api/v1/topics/${encodeURIComponent(args.topicName)}/key`,
+      token: args.apiKeySecret
+    });
+  } catch (e) {
+    if (e instanceof ApiError) {
+      if (e.status === 404)
+        return { ok: false, error: "not_sealed" };
+      if (e.status === 409)
+        return { ok: false, error: "topic_unencrypted" };
+    }
+    return {
+      ok: false,
+      error: "network",
+      message: e instanceof Error ? e.message : String(e)
+    };
+  }
+  const sodium4 = (await import("libsodium-wrappers")).default;
+  await sodium4.ready;
+  let recipientX25519Secret;
+  try {
+    const ed = sodium4.from_hex(args.memberSecretKeyHex);
+    recipientX25519Secret = sodium4.crypto_sign_ed25519_sk_to_curve25519(ed);
+  } catch {
+    return { ok: false, error: "bad_member_secret" };
+  }
+  let topicKey;
+  try {
+    const blob = sodium4.from_base64(sealed.encryptedKey, sodium4.base64_variants.ORIGINAL);
+    const nonce = sodium4.from_base64(sealed.nonce, sodium4.base64_variants.ORIGINAL);
+    if (blob.length < 32 + sodium4.crypto_box_MACBYTES) {
+      return {
+        ok: false,
+        error: "decrypt_failed",
+        message: "sealed key blob too short to contain sender pubkey + cipher"
+      };
+    }
+    const senderX25519 = blob.slice(0, 32);
+    const cipher = blob.slice(32);
+    topicKey = sodium4.crypto_box_open_easy(cipher, nonce, senderX25519, recipientX25519Secret);
+  } catch (e) {
+    return {
+      ok: false,
+      error: "decrypt_failed",
+      message: e instanceof Error ? e.message : String(e)
+    };
+  }
+  cache.set(cacheId, { topicKey, fetchedAt: Date.now() });
+  return { ok: true, topicKey };
+}
+async function encryptMessage(topicKey, plaintext) {
+  const sodium4 = (await import("libsodium-wrappers")).default;
+  await sodium4.ready;
+  const nonceBytes = sodium4.randombytes_buf(sodium4.crypto_secretbox_NONCEBYTES);
+  const cipher = sodium4.crypto_secretbox_easy(sodium4.from_string(plaintext), nonceBytes, topicKey);
+  return {
+    ciphertext: sodium4.to_base64(cipher, sodium4.base64_variants.ORIGINAL),
+    nonce: sodium4.to_base64(nonceBytes, sodium4.base64_variants.ORIGINAL)
+  };
+}
+async function decryptMessage(topicKey, ciphertextB64, nonceB64) {
+  try {
+    const sodium4 = (await import("libsodium-wrappers")).default;
+    await sodium4.ready;
+    const cipher = sodium4.from_base64(ciphertextB64, sodium4.base64_variants.ORIGINAL);
+    const nonce = sodium4.from_base64(nonceB64, sodium4.base64_variants.ORIGINAL);
+    const plain = sodium4.crypto_secretbox_open_easy(cipher, nonce, topicKey);
+    return sodium4.to_string(plain);
+  } catch {
+    return null;
+  }
+}
+async function sealTopicKeyFor(topicKey, recipientPubkeyHex, ourMemberSecretKeyHex) {
+  try {
+    const sodium4 = (await import("libsodium-wrappers")).default;
+    await sodium4.ready;
+    const recipientX25519 = sodium4.crypto_sign_ed25519_pk_to_curve25519(sodium4.from_hex(recipientPubkeyHex));
+    const ourEdSecret = sodium4.from_hex(ourMemberSecretKeyHex);
+    const ourX25519Secret = sodium4.crypto_sign_ed25519_sk_to_curve25519(ourEdSecret);
+    const ourEdPublic = ourEdSecret.slice(32, 64);
+    const ourX25519Public = sodium4.crypto_sign_ed25519_pk_to_curve25519(ourEdPublic);
+    const nonceBytes = sodium4.randombytes_buf(sodium4.crypto_box_NONCEBYTES);
+    const cipher = sodium4.crypto_box_easy(topicKey, nonceBytes, recipientX25519, ourX25519Secret);
+    const blob = new Uint8Array(32 + cipher.length);
+    blob.set(ourX25519Public, 0);
+    blob.set(cipher, 32);
+    return {
+      encryptedKey: sodium4.to_base64(blob, sodium4.base64_variants.ORIGINAL),
+      nonce: sodium4.to_base64(nonceBytes, sodium4.base64_variants.ORIGINAL)
+    };
+  } catch {
+    return null;
+  }
+}
+var cache;
+var init_topic_key = __esm(() => {
+  init_client();
+  init_errors();
+  cache = new Map;
+});
+
 // src/commands/topic-tail.ts
 var exports_topic_tail = {};
 __export(exports_topic_tail, {
   runTopicTail: () => runTopicTail
 });
-function decodeCiphertext(b64) {
+function rememberRendered(cache2, m, text) {
+  cache2.set(m.id, {
+    name: m.senderName || m.senderPubkey.slice(0, 8),
+    snippet: text.replace(/\s+/g, " ").slice(0, 60)
+  });
+  if (cache2.size > RECENT_CACHE_MAX) {
+    const firstKey = cache2.keys().next().value;
+    if (firstKey)
+      cache2.delete(firstKey);
+  }
+}
+function decodeV1(b64) {
   try {
     return Buffer.from(b64, "base64").toString("utf-8");
   } catch {
     return "[decode failed]";
   }
 }
+async function decryptForRender(m, topicKey) {
+  if ((m.bodyVersion ?? 1) === 1)
+    return decodeV1(m.ciphertext);
+  if (!topicKey)
+    return "[encrypted — no topic key]";
+  const plain = await decryptMessage(topicKey, m.ciphertext, m.nonce);
+  return plain ?? "[decrypt failed]";
+}
 function fmtTime(iso) {
   try {
     return new Date(iso).toLocaleTimeString([], {
@@ -11702,14 +11840,24 @@ function fmtTime(iso) {
     return iso;
   }
 }
-function printMessage(m, json) {
-  const text = decodeCiphertext(m.ciphertext);
+async function printMessage(m, topicKey, json, cache2) {
+  const text = await decryptForRender(m, topicKey);
   if (json) {
     console.log(JSON.stringify({ ...m, message: text }));
+    rememberRendered(cache2, m, text);
     return;
   }
-  process.stdout.write(`  ${dim(fmtTime(m.createdAt))}  ${bold(m.senderName || m.senderPubkey.slice(0, 8))}  ${text}
+  const v2Marker = (m.bodyVersion ?? 1) === 2 ? dim("\uD83D\uDD12 ") : "";
+  if (m.replyToId) {
+    const parent = cache2.get(m.replyToId);
+    const ref = parent ? `${parent.name}: "${parent.snippet}${parent.snippet.length === 60 ? "…" : ""}"` : `${m.replyToId.slice(0, 8)}…`;
+    process.stdout.write(`  ${dim("↳ in reply to " + ref)}
+`);
+  }
+  const idTag = dim(`#${m.id.slice(0, 8)}`);
+  process.stdout.write(`  ${dim(fmtTime(m.createdAt))}  ${bold(m.senderName || m.senderPubkey.slice(0, 8))}  ${idTag}  ${v2Marker}${text}
 `);
+  rememberRendered(cache2, m, text);
 }
 async function* readSseStream(reader) {
   const decoder = new TextDecoder;
@@ -11761,7 +11909,56 @@ async function runTopicTail(name, flags) {
     purpose: `tail-${cleanName}`,
     capabilities: ["read"],
     topicScopes: [cleanName]
-  }, async ({ secret, meshSlug }) => {
+  }, async ({ secret, meshSlug, mesh }) => {
+    const keyResult = await getTopicKey({
+      apiKeySecret: secret,
+      memberSecretKeyHex: mesh.secretKey,
+      topicName: cleanName
+    });
+    const topicKey = keyResult.ok ? keyResult.topicKey ?? null : null;
+    const snippetCache = new Map;
+    let resealTimer = null;
+    if (topicKey) {
+      const reseal = async () => {
+        try {
+          const pending = await request({
+            path: `/api/v1/topics/${encodeURIComponent(cleanName)}/pending-seals`,
+            token: secret
+          });
+          for (const target of pending.pending) {
+            const sealed = await sealTopicKeyFor(topicKey, target.pubkey, mesh.secretKey);
+            if (!sealed)
+              continue;
+            try {
+              await request({
+                path: `/api/v1/topics/${encodeURIComponent(cleanName)}/seal`,
+                method: "POST",
+                token: secret,
+                body: {
+                  memberId: target.memberId,
+                  encryptedKey: sealed.encryptedKey,
+                  nonce: sealed.nonce
+                }
+              });
+              if (!flags.json) {
+                render.info(dim(`re-sealed topic key for ${target.displayName}`));
+              }
+            } catch {}
+          }
+        } catch {}
+      };
+      reseal();
+      resealTimer = setInterval(reseal, 30000);
+    }
+    if (!flags.json && !keyResult.ok) {
+      if (keyResult.error === "topic_unencrypted") {
+        render.info(dim("topic is on v1 (plaintext) — encryption will activate after creator-seal"));
+      } else if (keyResult.error === "not_sealed") {
+        render.warn(yellow("no topic key sealed for you yet — wait for a holder to re-seal"));
+      } else if (keyResult.error === "decrypt_failed") {
+        render.warn(yellow(`topic key fetched but decrypt failed: ${keyResult.message ?? ""}`));
+      }
+    }
     if (!flags.forwardOnly && limit > 0) {
       try {
         const history = await request({
@@ -11772,7 +11969,7 @@ async function runTopicTail(name, flags) {
           render.section(`${clay("#" + cleanName)} on ${dim(meshSlug)} — backfill ${history.messages.length}, then live`);
         }
         for (const m of history.messages.slice().reverse()) {
-          printMessage(m, flags.json ?? false);
+          await printMessage(m, topicKey, flags.json ?? false, snippetCache);
         }
       } catch (err) {
         render.warn(`backfill failed: ${err.message}`);
@@ -11811,7 +12008,7 @@ async function runTopicTail(name, flags) {
         if (ev.event === "message") {
           try {
             const m = JSON.parse(ev.data);
-            printMessage(m, flags.json ?? false);
+            await printMessage(m, topicKey, flags.json ?? false, snippetCache);
           } catch {}
         }
       }
@@ -11824,13 +12021,120 @@ async function runTopicTail(name, flags) {
     } finally {
       process.removeListener("SIGINT", onSig);
       process.removeListener("SIGTERM", onSig);
+      if (resealTimer)
+        clearInterval(resealTimer);
     }
   });
 }
+var RECENT_CACHE_MAX = 256;
 var init_topic_tail = __esm(() => {
   init_urls();
   init_with_rest_key();
   init_client();
+  init_topic_key();
+  init_render();
+  init_styles();
+  init_exit_codes();
+});
+
+// src/commands/topic-post.ts
+var exports_topic_post = {};
+__export(exports_topic_post, {
+  runTopicPost: () => runTopicPost
+});
+async function runTopicPost(topicName, message, flags) {
+  if (!topicName || !message) {
+    render.err("Usage: claudemesh topic post <topic> <message>");
+    return EXIT.INVALID_ARGS;
+  }
+  const cleanName = topicName.replace(/^#/, "");
+  const mentions = [];
+  const mentionRe = /(^|[^A-Za-z0-9_-])@([A-Za-z0-9_-]{1,64})(?=$|[^A-Za-z0-9_-])/g;
+  let m;
+  while ((m = mentionRe.exec(message)) !== null) {
+    mentions.push(m[2].toLowerCase());
+    if (mentions.length >= 16)
+      break;
+  }
+  return withRestKey({
+    meshSlug: flags.mesh ?? null,
+    purpose: `post-${cleanName}`,
+    capabilities: ["read", "send"],
+    topicScopes: [cleanName]
+  }, async ({ secret, mesh }) => {
+    let bodyVersion = 1;
+    let ciphertext;
+    let nonce;
+    if (flags.plaintext) {
+      ciphertext = Buffer.from(message, "utf-8").toString("base64");
+      nonce = Buffer.from(new Uint8Array(24)).toString("base64");
+    } else {
+      const keyResult = await getTopicKey({
+        apiKeySecret: secret,
+        memberSecretKeyHex: mesh.secretKey,
+        topicName: cleanName
+      });
+      if (keyResult.ok && keyResult.topicKey) {
+        const enc = await encryptMessage(keyResult.topicKey, message);
+        ciphertext = enc.ciphertext;
+        nonce = enc.nonce;
+        bodyVersion = 2;
+      } else if (keyResult.error === "topic_unencrypted") {
+        ciphertext = Buffer.from(message, "utf-8").toString("base64");
+        nonce = Buffer.from(new Uint8Array(24)).toString("base64");
+      } else {
+        render.err(`cannot encrypt for #${cleanName}: ${keyResult.error ?? "unknown"}${keyResult.message ? " — " + keyResult.message : ""}`);
+        return EXIT.INTERNAL_ERROR;
+      }
+    }
+    let replyToId;
+    if (flags.replyTo) {
+      if (flags.replyTo.length >= 16) {
+        replyToId = flags.replyTo;
+      } else if (flags.replyTo.length >= 6) {
+        const recent = await request({
+          path: `/api/v1/topics/${encodeURIComponent(cleanName)}/messages?limit=200`,
+          method: "GET",
+          token: secret
+        });
+        const hit = recent.messages?.find((r) => r.id.startsWith(flags.replyTo));
+        if (!hit) {
+          render.err(`--reply-to ${flags.replyTo}: no recent message id starts with that prefix`);
+          return EXIT.INVALID_ARGS;
+        }
+        replyToId = hit.id;
+      } else {
+        render.err("--reply-to needs at least 6 characters of the message id");
+        return EXIT.INVALID_ARGS;
+      }
+    }
+    const result = await request({
+      path: "/api/v1/messages",
+      method: "POST",
+      token: secret,
+      body: {
+        topic: cleanName,
+        ciphertext,
+        nonce,
+        bodyVersion,
+        ...mentions.length > 0 ? { mentions } : {},
+        ...replyToId ? { replyToId } : {}
+      }
+    });
+    if (flags.json) {
+      console.log(JSON.stringify({ ...result, bodyVersion, mentions }));
+      return EXIT.SUCCESS;
+    }
+    const versionTag = bodyVersion === 2 ? green("\uD83D\uDD12 v2") : dim("v1");
+    const replyTag = result.replyToId ? `  ${dim("↳ " + result.replyToId.slice(0, 8))}` : "";
+    render.ok("posted", `${clay("#" + cleanName)}  ${versionTag}${replyTag}  ${dim(`(${result.notifications} mentions)`)}`);
+    return EXIT.SUCCESS;
+  });
+}
+var init_topic_post = __esm(() => {
+  init_with_rest_key();
+  init_client();
+  init_topic_key();
   init_render();
   init_styles();
   init_exit_codes();
@@ -11841,7 +12145,7 @@ var exports_notification = {};
 __export(exports_notification, {
   runNotificationList: () => runNotificationList
 });
-function decodeCiphertext2(b64) {
+function decodeCiphertext(b64) {
   try {
     return Buffer.from(b64, "base64").toString("utf-8");
   } catch {
@@ -11868,7 +12172,7 @@ async function runNotificationList(flags) {
     if (flags.json) {
       const decoded = result.notifications.map((n) => ({
         ...n,
-        message: decodeCiphertext2(n.ciphertext)
+        message: decodeCiphertext(n.ciphertext)
       }));
       console.log(JSON.stringify({ ...result, notifications: decoded }, null, 2));
       return EXIT.SUCCESS;
@@ -11880,7 +12184,7 @@ async function runNotificationList(flags) {
     render.section(`mentions of @${bold(result.mentionedAs)} (${result.notifications.length})`);
     for (const n of result.notifications) {
       const when = fmtRelative(n.createdAt);
-      const msg = decodeCiphertext2(n.ciphertext).replace(/\s+/g, " ").trim();
+      const msg = decodeCiphertext(n.ciphertext).replace(/\s+/g, " ").trim();
       const snippet = msg.length > 100 ? msg.slice(0, 97) + "…" : msg;
       process.stdout.write(`  ${clay("#" + n.topicName)}  ${dim(when)}  ${bold(n.senderName)}
 `);
@@ -12191,7 +12495,16 @@ async function startMcpServer() {
 You are "${myName}"${myRole ? ` (${myRole})` : ""} — a peer in the claudemesh network. Your groups: ${myGroups}. You are one of several Claude Code sessions connected to the same mesh. No orchestrator exists — peers are equals. Your identity comes from your name and group roles, not from a central authority.
 
 ## Responding to messages
-When you receive a <channel source="claudemesh" ...> message, RESPOND IMMEDIATELY. Pause your current task, reply via send_message, then resume. Read from_name, mesh_slug, and priority from the channel attributes. Reply by setting \`to\` to the sender's from_name (display name). Stay in character per your system prompt. Do not ignore low-priority messages — acknowledge them briefly even if you defer action.
+When you receive a <channel source="claudemesh" ...> message, RESPOND IMMEDIATELY. Pause your current task, reply via send_message (or \`claudemesh topic post --reply-to <message_id>\` for topic threads), then resume. Stay in character per your system prompt. Do not ignore low-priority messages — acknowledge them briefly even if you defer action.
+
+The channel attributes carry everything you need to reply — no extra lookups:
+- \`from_name\` — sender display name. Use as the \`to\` arg when replying to a DM.
+- \`from_pubkey\` / \`from_member_id\` — stable ids. Use \`from_member_id\` if the sender's display name might change.
+- \`mesh_slug\` — pass via \`--mesh\` if your default mesh differs.
+- \`priority\` — \`now\` / \`next\` / \`low\`.
+- \`message_id\` — id of THIS message. To thread a reply onto it in a topic, run \`claudemesh topic post <topic> "<text>" --reply-to <message_id>\`.
+- \`topic\` — set when the message arrived through a topic (vs DM). Reply in the same topic.
+- \`reply_to_id\` — set when the incoming message is itself a reply. Render thread context if you re-narrate.
 
 If the channel meta contains \`subtype: reminder\`, this is a scheduled reminder you set for yourself — act on it immediately (no reply needed).
 
@@ -12551,20 +12864,27 @@ ${manifest.allowed_tools.map((t) => `  - ${t}`).join(`
         const prioBadge = msg.priority === "now" ? "[URGENT] " : msg.priority === "low" ? "[low] " : "";
         const kindBadge = msg.kind === "broadcast" ? " (broadcast)" : "";
         const content = `${prioBadge}${fromName}${kindBadge}: ${body}`;
+        const fromMemberPubkey = msg.senderMemberPubkey ?? fromPubkey;
         try {
           await server.notification({
             method: "notifications/claude/channel",
             params: {
               content,
               meta: {
-                from_id: fromPubkey,
+                from_id: fromMemberPubkey,
+                from_pubkey: fromMemberPubkey,
+                from_session_pubkey: fromPubkey,
                 from_name: fromName,
+                ...msg.senderMemberId ? { from_member_id: msg.senderMemberId } : {},
                 mesh_slug: client.meshSlug,
                 mesh_id: client.meshId,
                 priority: msg.priority,
                 sent_at: msg.createdAt,
                 delivered_at: msg.receivedAt,
                 kind: msg.kind,
+                message_id: msg.messageId,
+                ...msg.topic ? { topic: msg.topic } : {},
+                ...msg.replyToId ? { reply_to_id: msg.replyToId } : {},
                 ...msg.subtype ? { subtype: msg.subtype } : {}
               }
             }
@@ -13518,7 +13838,8 @@ Topic  (conversation scope, v0.2.0)
   claudemesh topic history <t>     fetch message history [--limit --before]
   claudemesh topic read <topic>    mark all as read
   claudemesh topic tail <topic>    live SSE tail [--limit --forward-only]
-  claudemesh send "#topic" "msg"   send to a topic
+  claudemesh topic post <t> <msg>  encrypted REST post (v0.3.0 v2) [--reply-to <id>]
+  claudemesh send "#topic" "msg"   send to a topic (WS path, v1 plaintext)
   claudemesh member list           mesh roster with online state [--online]
   claudemesh notification list     recent @-mentions of you [--since <ISO>]
 
@@ -14308,8 +14629,18 @@ async function main() {
         };
         const { runTopicTail: runTopicTail2 } = await Promise.resolve().then(() => (init_topic_tail(), exports_topic_tail));
         process.exit(await runTopicTail2(arg, tailFlags));
+      } else if (sub === "post") {
+        const postFlags = {
+          mesh: flags.mesh,
+          json: !!flags.json,
+          plaintext: !!flags.plaintext,
+          replyTo: flags["reply-to"] || flags.replyTo
+        };
+        const message = positionals.slice(2).join(" ");
+        const { runTopicPost: runTopicPost2 } = await Promise.resolve().then(() => (init_topic_post(), exports_topic_post));
+        process.exit(await runTopicPost2(arg, message, postFlags));
       } else {
-        console.error("Usage: claudemesh topic <create|list|join|leave|members|history|read|tail>");
+        console.error("Usage: claudemesh topic <create|list|join|leave|members|history|read|tail|post>");
         process.exit(EXIT.INVALID_ARGS);
       }
       break;
@@ -14396,4 +14727,4 @@ main().catch((err) => {
   process.exit(EXIT.INTERNAL_ERROR);
 });
 
-//# debugId=81FA5977F36B50C364756E2164756E21
+//# debugId=25CA2A7E4B8DBD3564756E2164756E21