clawvault 2.6.1 → 3.0.0

package/dist/commands/tailscale.cjs

@@ -0,0 +1,1532 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/commands/tailscale.ts
+var tailscale_exports = {};
+__export(tailscale_exports, {
+  registerTailscaleCommands: () => registerTailscaleCommands,
+  registerTailscaleDiscoverCommand: () => registerTailscaleDiscoverCommand,
+  registerTailscaleServeCommand: () => registerTailscaleServeCommand,
+  registerTailscaleStatusCommand: () => registerTailscaleStatusCommand,
+  registerTailscaleSyncCommand: () => registerTailscaleSyncCommand,
+  tailscaleDiscoverCommand: () => tailscaleDiscoverCommand,
+  tailscaleServeCommand: () => tailscaleServeCommand,
+  tailscaleStatusCommand: () => tailscaleStatusCommand,
+  tailscaleSyncCommand: () => tailscaleSyncCommand
+});
+module.exports = __toCommonJS(tailscale_exports);
+var path4 = __toESM(require("path"), 1);
+
+// src/lib/config.ts
+var fs = __toESM(require("fs"), 1);
+var path = __toESM(require("path"), 1);
+function findNearestVaultPath(startPath = process.cwd()) {
+  let current = path.resolve(startPath);
+  while (true) {
+    if (fs.existsSync(path.join(current, ".clawvault.json"))) {
+      return current;
+    }
+    const parent = path.dirname(current);
+    if (parent === current) {
+      return null;
+    }
+    current = parent;
+  }
+}
+function resolveVaultPath(options = {}) {
+  if (options.explicitPath) {
+    return path.resolve(options.explicitPath);
+  }
+  if (process.env.CLAWVAULT_PATH) {
+    return path.resolve(process.env.CLAWVAULT_PATH);
+  }
+  const discovered = findNearestVaultPath(options.cwd ?? process.cwd());
+  if (discovered) {
+    return discovered;
+  }
+  throw new Error("No vault path found. Set CLAWVAULT_PATH, use --vault, or run inside a vault.");
+}
+
+// src/lib/tailscale.ts
+var import_child_process = require("child_process");
+var fs3 = __toESM(require("fs"), 1);
+var path3 = __toESM(require("path"), 1);
+var http = __toESM(require("http"), 1);
+var https = __toESM(require("https"), 1);
+
+// src/lib/webdav.ts
+var fs2 = __toESM(require("fs"), 1);
+var path2 = __toESM(require("path"), 1);
+var WEBDAV_PREFIX = "/webdav";
+var BLOCKED_PATHS = [
+  ".clawvault",
+  ".git",
+  ".obsidian",
+  "node_modules"
+];
+var SUPPORTED_METHODS = ["GET", "PUT", "DELETE", "MKCOL", "PROPFIND", "OPTIONS", "HEAD", "MOVE", "COPY"];
+function toRequestSegments(requestPath) {
+  return requestPath.replace(/\\/g, "/").split("/").filter(Boolean);
+}
+function isWithinRoot(fullPath, rootPath) {
+  const resolvedRoot = path2.resolve(rootPath);
+  const relative2 = path2.relative(resolvedRoot, fullPath);
+  return !(relative2.startsWith("..") || path2.isAbsolute(relative2));
+}
+function isPathSafe(requestPath, rootPath) {
+  const pathParts = toRequestSegments(requestPath);
+  if (pathParts.includes("..")) {
+    return false;
+  }
+  const normalizedRelativePath = path2.normalize(pathParts.join(path2.sep));
+  const fullPath = path2.resolve(rootPath, normalizedRelativePath);
+  if (!isWithinRoot(fullPath, rootPath)) {
+    return false;
+  }
+  for (const part of pathParts) {
+    if (BLOCKED_PATHS.includes(part)) {
+      return false;
+    }
+  }
+  return true;
+}
+function resolveWebDAVPath(requestPath, rootPath) {
+  const pathParts = toRequestSegments(requestPath);
+  if (pathParts.includes("..")) {
+    return null;
+  }
+  const normalizedRelativePath = path2.normalize(pathParts.join(path2.sep));
+  const fullPath = path2.resolve(rootPath, normalizedRelativePath);
+  if (!isWithinRoot(fullPath, rootPath)) {
+    return null;
+  }
+  return fullPath;
+}
+function checkAuth(req, auth) {
+  if (!auth) {
+    return true;
+  }
+  const authHeader = req.headers.authorization;
+  if (!authHeader || !authHeader.startsWith("Basic ")) {
+    return false;
+  }
+  const base64Credentials = authHeader.slice(6);
+  const credentials = Buffer.from(base64Credentials, "base64").toString("utf-8");
+  const [username, password] = credentials.split(":");
+  return username === auth.username && password === auth.password;
+}
+function escapeXml(str) {
+  return str.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&apos;");
+}
+function formatWebDAVDate(date) {
+  return date.toUTCString();
+}
+function generatePropfindEntry(href, stats, isCollection) {
+  const resourceType = isCollection ? "<D:resourcetype><D:collection/></D:resourcetype>" : "<D:resourcetype/>";
+  const contentLength = stats && !isCollection ? `<D:getcontentlength>${stats.size}</D:getcontentlength>` : "";
+  const lastModified = stats ? `<D:getlastmodified>${formatWebDAVDate(stats.mtime)}</D:getlastmodified>` : "";
+  const etag = stats ? `<D:getetag>"${stats.mtime.getTime().toString(16)}-${stats.size.toString(16)}"</D:getetag>` : "";
+  const contentType = !isCollection ? "<D:getcontenttype>application/octet-stream</D:getcontenttype>" : "";
+  return `  <D:response>
+    <D:href>${escapeXml(href)}</D:href>
+    <D:propstat>
+      <D:prop>
+        ${resourceType}
+        ${contentLength}
+        ${lastModified}
+        ${etag}
+        ${contentType}
+      </D:prop>
+      <D:status>HTTP/1.1 200 OK</D:status>
+    </D:propstat>
+  </D:response>`;
+}
+function generatePropfindResponse(entries) {
+  const responseEntries = entries.map(
+    (e) => generatePropfindEntry(e.href, e.stats, e.isCollection)
+  ).join("\n");
+  return `<?xml version="1.0" encoding="utf-8"?>
+<D:multistatus xmlns:D="DAV:">
+${responseEntries}
+</D:multistatus>`;
+}
+function handleOptions(res, prefix) {
+  res.writeHead(200, {
+    "Allow": SUPPORTED_METHODS.join(", "),
+    "DAV": "1, 2",
+    "Content-Length": "0",
+    "Access-Control-Allow-Origin": "*",
+    "Access-Control-Allow-Methods": SUPPORTED_METHODS.join(", "),
+    "Access-Control-Allow-Headers": "Content-Type, Depth, Destination, Overwrite, Authorization",
+    "MS-Author-Via": "DAV"
+  });
+  res.end();
+}
+function handleHead(res, filePath) {
+  try {
+    const stats = fs2.statSync(filePath);
+    if (stats.isDirectory()) {
+      res.writeHead(200, {
+        "Content-Type": "httpd/unix-directory",
+        "Last-Modified": formatWebDAVDate(stats.mtime),
+        "ETag": `"${stats.mtime.getTime().toString(16)}"`,
+        "Access-Control-Allow-Origin": "*"
+      });
+    } else {
+      res.writeHead(200, {
+        "Content-Type": "application/octet-stream",
+        "Content-Length": stats.size.toString(),
+        "Last-Modified": formatWebDAVDate(stats.mtime),
+        "ETag": `"${stats.mtime.getTime().toString(16)}-${stats.size.toString(16)}"`,
+        "Access-Control-Allow-Origin": "*"
+      });
+    }
+    res.end();
+  } catch (err) {
+    res.writeHead(404, { "Content-Type": "text/plain", "Access-Control-Allow-Origin": "*" });
+    res.end("Not Found");
+  }
+}
+function handleGet(res, filePath) {
+  try {
+    const stats = fs2.statSync(filePath);
+    if (stats.isDirectory()) {
+      const entries = fs2.readdirSync(filePath);
+      const listing = entries.join("\n");
+      res.writeHead(200, {
+        "Content-Type": "text/plain",
+        "Content-Length": Buffer.byteLength(listing).toString(),
+        "Access-Control-Allow-Origin": "*"
+      });
+      res.end(listing);
+    } else {
+      const content = fs2.readFileSync(filePath);
+      res.writeHead(200, {
+        "Content-Type": "application/octet-stream",
+        "Content-Length": content.length.toString(),
+        "Last-Modified": formatWebDAVDate(stats.mtime),
+        "ETag": `"${stats.mtime.getTime().toString(16)}-${stats.size.toString(16)}"`,
+        "Access-Control-Allow-Origin": "*"
+      });
+      res.end(content);
+    }
+  } catch (err) {
+    res.writeHead(404, { "Content-Type": "text/plain", "Access-Control-Allow-Origin": "*" });
+    res.end("Not Found");
+  }
+}
+function handlePut(res, filePath, body) {
+  try {
+    const exists = fs2.existsSync(filePath);
+    const dir = path2.dirname(filePath);
+    if (!fs2.existsSync(dir)) {
+      fs2.mkdirSync(dir, { recursive: true });
+    }
+    fs2.writeFileSync(filePath, body);
+    const status = exists ? 204 : 201;
+    res.writeHead(status, {
+      "Content-Length": "0",
+      "Access-Control-Allow-Origin": "*"
+    });
+    res.end();
+  } catch (err) {
+    res.writeHead(500, { "Content-Type": "text/plain", "Access-Control-Allow-Origin": "*" });
+    res.end(`Error: ${err}`);
+  }
+}
+function handleDelete(res, filePath) {
+  try {
+    if (!fs2.existsSync(filePath)) {
+      res.writeHead(404, { "Content-Type": "text/plain", "Access-Control-Allow-Origin": "*" });
+      res.end("Not Found");
+      return;
+    }
+    const stats = fs2.statSync(filePath);
+    if (stats.isDirectory()) {
+      fs2.rmSync(filePath, { recursive: true });
+    } else {
+      fs2.unlinkSync(filePath);
+    }
+    res.writeHead(204, {
+      "Content-Length": "0",
+      "Access-Control-Allow-Origin": "*"
+    });
+    res.end();
+  } catch (err) {
+    res.writeHead(500, { "Content-Type": "text/plain", "Access-Control-Allow-Origin": "*" });
+    res.end(`Error: ${err}`);
+  }
+}
+function handleMkcol(res, filePath) {
+  try {
+    if (fs2.existsSync(filePath)) {
+      res.writeHead(405, { "Content-Type": "text/plain", "Access-Control-Allow-Origin": "*" });
+      res.end("Resource already exists");
+      return;
+    }
+    const parent = path2.dirname(filePath);
+    if (!fs2.existsSync(parent)) {
+      res.writeHead(409, { "Content-Type": "text/plain", "Access-Control-Allow-Origin": "*" });
+      res.end("Parent directory does not exist");
+      return;
+    }
+    fs2.mkdirSync(filePath);
+    res.writeHead(201, {
+      "Content-Length": "0",
+      "Access-Control-Allow-Origin": "*"
+    });
+    res.end();
+  } catch (err) {
+    res.writeHead(500, { "Content-Type": "text/plain", "Access-Control-Allow-Origin": "*" });
+    res.end(`Error: ${err}`);
+  }
+}
+function handlePropfind(res, filePath, webdavPath, prefix, depth) {
+  try {
+    if (!fs2.existsSync(filePath)) {
+      res.writeHead(404, { "Content-Type": "text/plain", "Access-Control-Allow-Origin": "*" });
+      res.end("Not Found");
+      return;
+    }
+    const stats = fs2.statSync(filePath);
+    const entries = [];
+    const normalizedWebdavPath = webdavPath.startsWith("/") ? webdavPath : "/" + webdavPath;
+    const href = prefix + normalizedWebdavPath;
+    entries.push({
+      href: href.endsWith("/") || stats.isDirectory() ? href : href,
+      stats,
+      isCollection: stats.isDirectory()
+    });
+    if (stats.isDirectory() && depth !== "0") {
+      try {
+        const children = fs2.readdirSync(filePath);
+        for (const child of children) {
+          if (BLOCKED_PATHS.includes(child)) {
+            continue;
+          }
+          const childPath = path2.join(filePath, child);
+          const childWebdavPath = normalizedWebdavPath.endsWith("/") ? normalizedWebdavPath + child : normalizedWebdavPath + "/" + child;
+          try {
+            const childStats = fs2.statSync(childPath);
+            entries.push({
+              href: prefix + childWebdavPath,
+              stats: childStats,
+              isCollection: childStats.isDirectory()
+            });
+          } catch {
+          }
+        }
+      } catch {
+      }
+    }
+    const xml = generatePropfindResponse(entries);
+    res.writeHead(207, {
+      "Content-Type": "application/xml; charset=utf-8",
+      "Content-Length": Buffer.byteLength(xml).toString(),
+      "Access-Control-Allow-Origin": "*"
+    });
+    res.end(xml);
+  } catch (err) {
+    res.writeHead(500, { "Content-Type": "text/plain", "Access-Control-Allow-Origin": "*" });
+    res.end(`Error: ${err}`);
+  }
+}
+function handleMove(res, sourcePath, destinationPath, overwrite) {
+  try {
+    if (!fs2.existsSync(sourcePath)) {
+      res.writeHead(404, { "Content-Type": "text/plain", "Access-Control-Allow-Origin": "*" });
+      res.end("Source not found");
+      return;
+    }
+    if (!destinationPath) {
+      res.writeHead(400, { "Content-Type": "text/plain", "Access-Control-Allow-Origin": "*" });
+      res.end("Destination header required");
+      return;
+    }
+    const destExists = fs2.existsSync(destinationPath);
+    if (destExists && !overwrite) {
+      res.writeHead(412, { "Content-Type": "text/plain", "Access-Control-Allow-Origin": "*" });
+      res.end("Destination exists and Overwrite is F");
+      return;
+    }
+    const destDir = path2.dirname(destinationPath);
+    if (!fs2.existsSync(destDir)) {
+      fs2.mkdirSync(destDir, { recursive: true });
+    }
+    if (destExists) {
+      const destStats = fs2.statSync(destinationPath);
+      if (destStats.isDirectory()) {
+        fs2.rmSync(destinationPath, { recursive: true });
+      } else {
+        fs2.unlinkSync(destinationPath);
+      }
+    }
+    fs2.renameSync(sourcePath, destinationPath);
+    const status = destExists ? 204 : 201;
+    res.writeHead(status, {
+      "Content-Length": "0",
+      "Access-Control-Allow-Origin": "*"
+    });
+    res.end();
+  } catch (err) {
+    res.writeHead(500, { "Content-Type": "text/plain", "Access-Control-Allow-Origin": "*" });
+    res.end(`Error: ${err}`);
+  }
+}
+function handleCopy(res, sourcePath, destinationPath, overwrite) {
+  try {
+    if (!fs2.existsSync(sourcePath)) {
+      res.writeHead(404, { "Content-Type": "text/plain", "Access-Control-Allow-Origin": "*" });
+      res.end("Source not found");
+      return;
+    }
+    if (!destinationPath) {
+      res.writeHead(400, { "Content-Type": "text/plain", "Access-Control-Allow-Origin": "*" });
+      res.end("Destination header required");
+      return;
+    }
+    const destExists = fs2.existsSync(destinationPath);
+    if (destExists && !overwrite) {
+      res.writeHead(412, { "Content-Type": "text/plain", "Access-Control-Allow-Origin": "*" });
+      res.end("Destination exists and Overwrite is F");
+      return;
+    }
+    const destDir = path2.dirname(destinationPath);
+    if (!fs2.existsSync(destDir)) {
+      fs2.mkdirSync(destDir, { recursive: true });
+    }
+    const sourceStats = fs2.statSync(sourcePath);
+    if (sourceStats.isDirectory()) {
+      copyDirRecursive(sourcePath, destinationPath);
+    } else {
+      fs2.copyFileSync(sourcePath, destinationPath);
+    }
+    const status = destExists ? 204 : 201;
+    res.writeHead(status, {
+      "Content-Length": "0",
+      "Access-Control-Allow-Origin": "*"
+    });
+    res.end();
+  } catch (err) {
+    res.writeHead(500, { "Content-Type": "text/plain", "Access-Control-Allow-Origin": "*" });
+    res.end(`Error: ${err}`);
+  }
+}
+function copyDirRecursive(src, dest) {
+  if (!fs2.existsSync(dest)) {
+    fs2.mkdirSync(dest, { recursive: true });
+  }
+  const entries = fs2.readdirSync(src, { withFileTypes: true });
+  for (const entry of entries) {
+    const srcPath = path2.join(src, entry.name);
+    const destPath = path2.join(dest, entry.name);
+    if (entry.isDirectory()) {
+      copyDirRecursive(srcPath, destPath);
+    } else {
+      fs2.copyFileSync(srcPath, destPath);
+    }
+  }
+}
+function parseDestinationHeader(destinationHeader, prefix, rootPath) {
+  if (!destinationHeader) {
+    return null;
+  }
+  try {
+    let destPath;
+    if (destinationHeader.startsWith("http://") || destinationHeader.startsWith("https://")) {
+      const url = new URL(destinationHeader);
+      destPath = decodeURIComponent(url.pathname);
+    } else {
+      destPath = decodeURIComponent(destinationHeader);
+    }
+    if (destPath.startsWith(prefix)) {
+      destPath = destPath.slice(prefix.length);
+    }
+    return resolveWebDAVPath(destPath, rootPath);
+  } catch {
+    return null;
+  }
+}
+function createWebDAVHandler(config) {
+  const { rootPath, prefix = WEBDAV_PREFIX, auth } = config;
+  return async (req, res) => {
+    const rawUrl = req.url || "/";
+    if (rawUrl.includes("..")) {
+      if (rawUrl.startsWith(prefix)) {
+        res.writeHead(403, { "Content-Type": "text/plain", "Access-Control-Allow-Origin": "*" });
+        res.end("Forbidden");
+        return true;
+      }
+    }
+    const url = new URL(rawUrl, `http://${req.headers.host || "localhost"}`);
+    const pathname = decodeURIComponent(url.pathname);
+    if (!pathname.startsWith(prefix)) {
+      return false;
+    }
+    let webdavPath = pathname.slice(prefix.length);
+    if (!webdavPath.startsWith("/")) {
+      webdavPath = "/" + webdavPath;
+    }
+    if (req.method === "OPTIONS") {
+      handleOptions(res, prefix);
+      return true;
+    }
+    if (!checkAuth(req, auth)) {
+      res.writeHead(401, {
+        "WWW-Authenticate": 'Basic realm="ClawVault WebDAV"',
+        "Content-Type": "text/plain",
+        "Access-Control-Allow-Origin": "*"
+      });
+      res.end("Unauthorized");
+      return true;
+    }
+    if (!isPathSafe(webdavPath, rootPath)) {
+      res.writeHead(403, { "Content-Type": "text/plain", "Access-Control-Allow-Origin": "*" });
+      res.end("Forbidden");
+      return true;
+    }
+    const filePath = resolveWebDAVPath(webdavPath, rootPath);
+    if (!filePath) {
+      res.writeHead(403, { "Content-Type": "text/plain", "Access-Control-Allow-Origin": "*" });
+      res.end("Forbidden");
+      return true;
+    }
+    const depth = req.headers.depth || "infinity";
+    const overwrite = req.headers.overwrite?.toUpperCase() !== "F";
+    const destinationHeader = req.headers.destination;
+    switch (req.method) {
+      case "HEAD":
+        handleHead(res, filePath);
+        return true;
+      case "GET":
+        handleGet(res, filePath);
+        return true;
+      case "PUT": {
+        const chunks = [];
+        for await (const chunk of req) {
+          chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk));
+        }
+        const body = Buffer.concat(chunks);
+        handlePut(res, filePath, body);
+        return true;
+      }
+      case "DELETE":
+        handleDelete(res, filePath);
+        return true;
+      case "MKCOL":
+        handleMkcol(res, filePath);
+        return true;
+      case "PROPFIND":
+        handlePropfind(res, filePath, webdavPath, prefix, depth);
+        return true;
+      case "MOVE": {
+        const destPath = parseDestinationHeader(destinationHeader, prefix, rootPath);
+        if (destPath && destinationHeader) {
+          const destWebdavPath = destinationHeader.includes(prefix) ? destinationHeader.slice(destinationHeader.indexOf(prefix) + prefix.length) : destinationHeader;
+          if (!isPathSafe(destWebdavPath, rootPath)) {
+            res.writeHead(403, { "Content-Type": "text/plain", "Access-Control-Allow-Origin": "*" });
+            res.end("Forbidden");
+            return true;
+          }
+        }
+        handleMove(res, filePath, destPath, overwrite);
+        return true;
+      }
+      case "COPY": {
+        const destPath = parseDestinationHeader(destinationHeader, prefix, rootPath);
+        if (destPath && destinationHeader) {
+          const destWebdavPath = destinationHeader.includes(prefix) ? destinationHeader.slice(destinationHeader.indexOf(prefix) + prefix.length) : destinationHeader;
+          if (!isPathSafe(destWebdavPath, rootPath)) {
+            res.writeHead(403, { "Content-Type": "text/plain", "Access-Control-Allow-Origin": "*" });
+            res.end("Forbidden");
+            return true;
+          }
+        }
+        handleCopy(res, filePath, destPath, overwrite);
+        return true;
+      }
+      default:
+        res.writeHead(405, {
+          "Allow": SUPPORTED_METHODS.join(", "),
+          "Content-Type": "text/plain",
+          "Access-Control-Allow-Origin": "*"
+        });
+        res.end("Method Not Allowed");
+        return true;
+    }
+  };
+}
+
+// src/lib/tailscale.ts
+var crypto = __toESM(require("crypto"), 1);
+var DEFAULT_SERVE_PORT = 8384;
+var CLAWVAULT_SERVE_PATH = "/.clawvault";
+function hasTailscale() {
+  const probe = (0, import_child_process.spawnSync)("tailscale", ["version"], {
+    stdio: "pipe",
+    encoding: "utf-8",
+    timeout: 5e3
+  });
+  return !probe.error && probe.status === 0;
+}
+function getTailscaleVersion() {
+  const result = (0, import_child_process.spawnSync)("tailscale", ["version"], {
+    stdio: "pipe",
+    encoding: "utf-8",
+    timeout: 5e3
+  });
+  if (result.error || result.status !== 0) {
+    return null;
+  }
+  const lines = result.stdout.trim().split("\n");
+  return lines[0] || null;
+}
+function getTailscaleStatus() {
+  const status = {
+    installed: false,
+    running: false,
+    connected: false,
+    peers: []
+  };
+  if (!hasTailscale()) {
+    status.error = "Tailscale CLI not found. Install from https://tailscale.com/download";
+    return status;
+  }
+  status.installed = true;
+  const result = (0, import_child_process.spawnSync)("tailscale", ["status", "--json"], {
+    stdio: "pipe",
+    encoding: "utf-8",
+    timeout: 1e4
+  });
+  if (result.error) {
+    status.error = `Failed to get Tailscale status: ${result.error.message}`;
+    return status;
+  }
+  if (result.status !== 0) {
+    status.error = result.stderr?.trim() || "Tailscale daemon not running";
+    return status;
+  }
+  try {
+    const data = JSON.parse(result.stdout);
+    status.running = true;
+    status.backendState = data.BackendState;
+    status.connected = data.BackendState === "Running";
+    status.tailnetName = data.CurrentTailnet?.Name;
+    if (data.Self) {
+      status.selfIP = data.Self.TailscaleIPs?.[0];
+      status.selfHostname = data.Self.HostName;
+      status.selfDNSName = data.Self.DNSName;
+    }
+    if (data.Peer) {
+      for (const [_, peerData] of Object.entries(data.Peer)) {
+        const peer = {
+          hostname: peerData.HostName || "",
+          dnsName: peerData.DNSName || "",
+          tailscaleIPs: peerData.TailscaleIPs || [],
+          online: peerData.Online || false,
+          os: peerData.OS,
+          exitNode: peerData.ExitNode,
+          tags: peerData.Tags,
+          lastSeen: peerData.LastSeen
+        };
+        status.peers.push(peer);
+      }
+    }
+  } catch (err) {
+    status.error = `Failed to parse Tailscale status: ${err}`;
+  }
+  return status;
+}
+function findPeer(hostname) {
+  const status = getTailscaleStatus();
+  if (!status.connected) {
+    return null;
+  }
+  const normalizedSearch = hostname.toLowerCase();
+  let peer = status.peers.find(
+    (p) => p.hostname.toLowerCase() === normalizedSearch
+  );
+  if (peer) return peer;
+  peer = status.peers.find(
+    (p) => p.dnsName.toLowerCase().startsWith(normalizedSearch)
+  );
+  if (peer) return peer;
+  peer = status.peers.find(
+    (p) => p.hostname.toLowerCase().includes(normalizedSearch)
+  );
+  return peer || null;
+}
+function getOnlinePeers() {
+  const status = getTailscaleStatus();
+  return status.peers.filter((p) => p.online);
+}
+function resolvePeerIP(hostname) {
+  const peer = findPeer(hostname);
+  return peer?.tailscaleIPs[0] || null;
+}
+function calculateChecksum(filePath) {
+  const content = fs3.readFileSync(filePath);
+  return crypto.createHash("sha256").update(content).digest("hex");
+}
+function generateVaultManifest(vaultPath) {
+  const configPath = path3.join(vaultPath, ".clawvault.json");
+  if (!fs3.existsSync(configPath)) {
+    throw new Error(`Not a ClawVault: ${vaultPath}`);
+  }
+  const config = JSON.parse(fs3.readFileSync(configPath, "utf-8"));
+  const files = [];
+  function walkDir(dir, relativePath = "") {
+    const entries = fs3.readdirSync(dir, { withFileTypes: true });
+    for (const entry of entries) {
+      const fullPath = path3.join(dir, entry.name);
+      const relPath = path3.join(relativePath, entry.name);
+      if (entry.name.startsWith(".") && entry.name !== ".clawvault.json") {
+        continue;
+      }
+      if (entry.name === "node_modules") {
+        continue;
+      }
+      if (entry.isDirectory()) {
+        walkDir(fullPath, relPath);
+      } else if (entry.isFile() && (entry.name.endsWith(".md") || entry.name === ".clawvault.json")) {
+        const stats = fs3.statSync(fullPath);
+        const category = relativePath.split(path3.sep)[0] || "root";
+        files.push({
+          path: relPath,
+          size: stats.size,
+          modified: stats.mtime.toISOString(),
+          checksum: calculateChecksum(fullPath),
+          category
+        });
+      }
+    }
+  }
+  walkDir(vaultPath);
+  return {
+    name: config.name,
+    version: config.version || "1.0.0",
+    lastUpdated: (/* @__PURE__ */ new Date()).toISOString(),
+    files
+  };
+}
+function compareManifests(local, remote) {
+  const localFiles = new Map(local.files.map((f) => [f.path, f]));
+  const remoteFiles = new Map(remote.files.map((f) => [f.path, f]));
+  const toPush = [];
+  const toPull = [];
+  const conflicts = [];
+  const unchanged = [];
+  for (const [filePath, localFile] of localFiles) {
+    const remoteFile = remoteFiles.get(filePath);
+    if (!remoteFile) {
+      toPush.push(localFile);
+    } else if (localFile.checksum === remoteFile.checksum) {
+      unchanged.push(filePath);
+    } else {
+      const localTime = new Date(localFile.modified).getTime();
+      const remoteTime = new Date(remoteFile.modified).getTime();
+      if (localTime > remoteTime) {
+        toPush.push(localFile);
+      } else if (remoteTime > localTime) {
+        toPull.push(remoteFile);
+      } else {
+        conflicts.push({ path: filePath, local: localFile, remote: remoteFile });
+      }
+    }
+  }
+  for (const [filePath, remoteFile] of remoteFiles) {
+    if (!localFiles.has(filePath)) {
+      toPull.push(remoteFile);
+    }
+  }
+  return { toPush, toPull, conflicts, unchanged };
+}
+function serveVault(vaultPath, options = {}) {
+  const port = options.port || DEFAULT_SERVE_PORT;
+  const pathPrefix = options.pathPrefix || CLAWVAULT_SERVE_PATH;
+  if (!fs3.existsSync(path3.join(vaultPath, ".clawvault.json"))) {
+    throw new Error(`Not a ClawVault: ${vaultPath}`);
+  }
+  const webdavHandler = createWebDAVHandler({
+    rootPath: vaultPath,
+    prefix: WEBDAV_PREFIX,
+    auth: options.webdavAuth
+  });
+  const server = http.createServer(async (req, res) => {
+    const url = new URL(req.url || "/", `http://localhost:${port}`);
+    const pathname = url.pathname;
+    if (pathname.startsWith(WEBDAV_PREFIX)) {
+      try {
+        const handled = await webdavHandler(req, res);
+        if (handled) return;
+      } catch (err) {
+        res.writeHead(500, { "Content-Type": "text/plain", "Access-Control-Allow-Origin": "*" });
+        res.end(`WebDAV Error: ${err}`);
+        return;
+      }
+    }
+    res.setHeader("Access-Control-Allow-Origin", "*");
+    res.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
+    res.setHeader("Access-Control-Allow-Headers", "Content-Type");
+    if (req.method === "OPTIONS") {
+      res.writeHead(200);
+      res.end();
+      return;
+    }
+    if (pathname === `${pathPrefix}/health`) {
+      res.writeHead(200, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ status: "ok", vault: path3.basename(vaultPath) }));
+      return;
+    }
+    if (pathname === `${pathPrefix}/manifest`) {
+      try {
+        const manifest = generateVaultManifest(vaultPath);
+        res.writeHead(200, { "Content-Type": "application/json" });
+        res.end(JSON.stringify(manifest));
+      } catch (err) {
+        res.writeHead(500, { "Content-Type": "application/json" });
+        res.end(JSON.stringify({ error: String(err) }));
+      }
+      return;
+    }
+    if (pathname.startsWith(`${pathPrefix}/files/`)) {
+      const relativePath = decodeURIComponent(pathname.slice(`${pathPrefix}/files/`.length));
+      const filePath = path3.join(vaultPath, relativePath);
+      const resolvedPath = path3.resolve(filePath);
+      const resolvedVault = path3.resolve(vaultPath);
+      if (!resolvedPath.startsWith(resolvedVault)) {
+        res.writeHead(403, { "Content-Type": "application/json" });
+        res.end(JSON.stringify({ error: "Access denied" }));
+        return;
+      }
+      if (!fs3.existsSync(filePath)) {
+        res.writeHead(404, { "Content-Type": "application/json" });
+        res.end(JSON.stringify({ error: "File not found" }));
+        return;
+      }
+      try {
+        const content = fs3.readFileSync(filePath, "utf-8");
+        const stats = fs3.statSync(filePath);
+        res.writeHead(200, {
+          "Content-Type": "text/markdown",
+          "Content-Length": Buffer.byteLength(content),
+          "Last-Modified": stats.mtime.toUTCString()
+        });
+        res.end(content);
+      } catch (err) {
+        res.writeHead(500, { "Content-Type": "application/json" });
+        res.end(JSON.stringify({ error: String(err) }));
+      }
+      return;
+    }
+    if (pathname.startsWith(`${pathPrefix}/upload/`) && req.method === "POST") {
+      const relativePath = decodeURIComponent(pathname.slice(`${pathPrefix}/upload/`.length));
+      const filePath = path3.join(vaultPath, relativePath);
+      const resolvedPath = path3.resolve(filePath);
+      const resolvedVault = path3.resolve(vaultPath);
+      if (!resolvedPath.startsWith(resolvedVault)) {
+        res.writeHead(403, { "Content-Type": "application/json" });
+        res.end(JSON.stringify({ error: "Access denied" }));
+        return;
+      }
+      let body = "";
+      req.on("data", (chunk) => {
+        body += chunk;
+      });
+      req.on("end", () => {
+        try {
+          const dir = path3.dirname(filePath);
+          if (!fs3.existsSync(dir)) {
+            fs3.mkdirSync(dir, { recursive: true });
+          }
+          fs3.writeFileSync(filePath, body, "utf-8");
+          res.writeHead(200, { "Content-Type": "application/json" });
+          res.end(JSON.stringify({ success: true, path: relativePath }));
+        } catch (err) {
+          res.writeHead(500, { "Content-Type": "application/json" });
+          res.end(JSON.stringify({ error: String(err) }));
+        }
+      });
+      return;
+    }
+    if (pathname === pathPrefix || pathname === `${pathPrefix}/`) {
+      res.writeHead(200, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({
+        service: "clawvault-sync",
+        version: "1.0.0",
+        vault: path3.basename(vaultPath),
+        endpoints: {
+          health: `${pathPrefix}/health`,
+          manifest: `${pathPrefix}/manifest`,
+          files: `${pathPrefix}/files/<path>`,
+          upload: `${pathPrefix}/upload/<path>`,
+          webdav: `${WEBDAV_PREFIX}/`
+        }
+      }));
+      return;
+    }
+    res.writeHead(404, { "Content-Type": "application/json" });
+    res.end(JSON.stringify({ error: "Not found" }));
+  });
+  server.listen(port, "0.0.0.0");
+  return {
+    server,
+    port,
+    stop: () => new Promise((resolve4, reject) => {
+      server.close((err) => {
+        if (err) reject(err);
+        else resolve4();
+      });
+    })
+  };
+}
+async function fetchRemoteManifest(host, port = DEFAULT_SERVE_PORT, useHttps = false) {
+  return new Promise((resolve4, reject) => {
+    const protocol = useHttps ? https : http;
+    const url = `${useHttps ? "https" : "http"}://${host}:${port}${CLAWVAULT_SERVE_PATH}/manifest`;
+    const req = protocol.get(url, { timeout: 1e4 }, (res) => {
+      let data = "";
+      res.on("data", (chunk) => {
+        data += chunk;
+      });
+      res.on("end", () => {
+        if (res.statusCode !== 200) {
+          reject(new Error(`Failed to fetch manifest: HTTP ${res.statusCode}`));
+          return;
+        }
+        try {
+          resolve4(JSON.parse(data));
+        } catch (err) {
+          reject(new Error(`Invalid manifest response: ${err}`));
+        }
+      });
+    });
+    req.on("error", reject);
+    req.on("timeout", () => {
+      req.destroy();
+      reject(new Error("Request timed out"));
+    });
+  });
+}
+async function fetchRemoteFile(host, filePath, port = DEFAULT_SERVE_PORT, useHttps = false) {
+  return new Promise((resolve4, reject) => {
+    const protocol = useHttps ? https : http;
+    const encodedPath = encodeURIComponent(filePath).replace(/%2F/g, "/");
+    const url = `${useHttps ? "https" : "http"}://${host}:${port}${CLAWVAULT_SERVE_PATH}/files/${encodedPath}`;
+    const req = protocol.get(url, { timeout: 3e4 }, (res) => {
+      let data = "";
+      res.on("data", (chunk) => {
+        data += chunk;
+      });
+      res.on("end", () => {
+        if (res.statusCode !== 200) {
+          reject(new Error(`Failed to fetch file: HTTP ${res.statusCode}`));
+          return;
+        }
+        resolve4(data);
+      });
+    });
+    req.on("error", reject);
+    req.on("timeout", () => {
+      req.destroy();
+      reject(new Error("Request timed out"));
+    });
+  });
+}
+async function pushFileToRemote(host, filePath, content, port = DEFAULT_SERVE_PORT, useHttps = false) {
+  return new Promise((resolve4, reject) => {
+    const protocol = useHttps ? https : http;
+    const encodedPath = encodeURIComponent(filePath).replace(/%2F/g, "/");
+    const url = new URL(`${useHttps ? "https" : "http"}://${host}:${port}${CLAWVAULT_SERVE_PATH}/upload/${encodedPath}`);
+    const options = {
+      hostname: url.hostname,
+      port: url.port,
+      path: url.pathname,
+      method: "POST",
+      headers: {
+        "Content-Type": "text/markdown",
+        "Content-Length": Buffer.byteLength(content)
+      },
+      timeout: 3e4
+    };
+    const req = protocol.request(options, (res) => {
+      let data = "";
+      res.on("data", (chunk) => {
+        data += chunk;
+      });
+      res.on("end", () => {
+        if (res.statusCode !== 200) {
+          reject(new Error(`Failed to push file: HTTP ${res.statusCode}`));
+          return;
+        }
+        resolve4();
+      });
+    });
+    req.on("error", reject);
+    req.on("timeout", () => {
+      req.destroy();
+      reject(new Error("Request timed out"));
+    });
+    req.write(content);
+    req.end();
+  });
+}
+async function syncWithPeer(vaultPath, options) {
+  const startTime = Date.now();
+  const result = {
+    pushed: [],
+    pulled: [],
+    deleted: [],
+    unchanged: [],
+    errors: [],
+    stats: {
+      bytesTransferred: 0,
+      filesProcessed: 0,
+      duration: 0
+    }
+  };
+  const {
+    peer,
+    port = DEFAULT_SERVE_PORT,
+    direction = "bidirectional",
+    dryRun = false,
+    deleteOrphans = false,
+    categories,
+    https: useHttps = false
+  } = options;
+  let host = peer;
+  if (!peer.match(/^\d+\.\d+\.\d+\.\d+$/)) {
+    const resolvedIP = resolvePeerIP(peer);
+    if (!resolvedIP) {
+      result.errors.push(`Could not resolve peer: ${peer}`);
+      result.stats.duration = Date.now() - startTime;
+      return result;
+    }
+    host = resolvedIP;
+  }
+  try {
+    const localManifest = generateVaultManifest(vaultPath);
+    const remoteManifest = await fetchRemoteManifest(host, port, useHttps);
+    let { toPush, toPull, conflicts, unchanged } = compareManifests(localManifest, remoteManifest);
+    if (categories && categories.length > 0) {
+      const categorySet = new Set(categories);
+      toPush = toPush.filter((f) => categorySet.has(f.category));
+      toPull = toPull.filter((f) => categorySet.has(f.category));
+    }
+    result.unchanged = unchanged;
+    for (const conflict of conflicts) {
+      result.errors.push(`Conflict: ${conflict.path} (local and remote have same timestamp but different content)`);
+    }
+    if (direction === "push" || direction === "bidirectional") {
+      for (const file of toPush) {
+        try {
+          if (!dryRun) {
+            const content = fs3.readFileSync(path3.join(vaultPath, file.path), "utf-8");
+            await pushFileToRemote(host, file.path, content, port, useHttps);
+            result.stats.bytesTransferred += file.size;
+          }
+          result.pushed.push(file.path);
+          result.stats.filesProcessed++;
+        } catch (err) {
+          result.errors.push(`Failed to push ${file.path}: ${err}`);
+        }
+      }
+    }
+    if (direction === "pull" || direction === "bidirectional") {
+      for (const file of toPull) {
+        try {
+          if (!dryRun) {
+            const content = await fetchRemoteFile(host, file.path, port, useHttps);
+            const filePath = path3.join(vaultPath, file.path);
+            const dir = path3.dirname(filePath);
+            if (!fs3.existsSync(dir)) {
+              fs3.mkdirSync(dir, { recursive: true });
+            }
+            fs3.writeFileSync(filePath, content, "utf-8");
+            result.stats.bytesTransferred += file.size;
+          }
+          result.pulled.push(file.path);
+          result.stats.filesProcessed++;
+        } catch (err) {
+          result.errors.push(`Failed to pull ${file.path}: ${err}`);
+        }
+      }
+    }
+    if (deleteOrphans && direction === "pull") {
+      const remoteFiles = new Set(remoteManifest.files.map((f) => f.path));
+      for (const file of localManifest.files) {
+        if (!remoteFiles.has(file.path)) {
+          if (!categories || categories.includes(file.category)) {
+            try {
+              if (!dryRun) {
+                fs3.unlinkSync(path3.join(vaultPath, file.path));
+              }
+              result.deleted.push(file.path);
+            } catch (err) {
+              result.errors.push(`Failed to delete ${file.path}: ${err}`);
+            }
+          }
+        }
+      }
+    }
+  } catch (err) {
+    result.errors.push(`Sync failed: ${err}`);
+  }
+  result.stats.duration = Date.now() - startTime;
+  return result;
+}
+function configureTailscaleServe(localPort, options = {}) {
+  if (!hasTailscale()) {
+    return null;
+  }
+  const args = ["serve"];
+  if (options.funnel) {
+    args.push("--bg");
+    args.push("funnel");
+  } else if (options.background) {
+    args.push("--bg");
+  }
+  args.push(`localhost:${localPort}`);
+  const proc = (0, import_child_process.spawn)("tailscale", args, {
+    stdio: "inherit",
+    detached: options.background
+  });
+  if (options.background) {
+    proc.unref();
+  }
+  return proc;
+}
+function stopTailscaleServe() {
+  if (!hasTailscale()) {
+    return false;
+  }
+  const result = (0, import_child_process.spawnSync)("tailscale", ["serve", "off"], {
+    stdio: "pipe",
+    encoding: "utf-8",
+    timeout: 5e3
+  });
+  return result.status === 0;
+}
+async function checkPeerClawVault(host, port = DEFAULT_SERVE_PORT) {
+  try {
+    const response = await new Promise((resolve4) => {
+      const req = http.get(
+        `http://${host}:${port}${CLAWVAULT_SERVE_PATH}/health`,
+        { timeout: 5e3 },
+        (res) => {
+          resolve4(res.statusCode === 200);
+        }
+      );
+      req.on("error", () => resolve4(false));
+      req.on("timeout", () => {
+        req.destroy();
+        resolve4(false);
+      });
+    });
+    return response;
+  } catch {
+    return false;
+  }
+}
+async function discoverClawVaultPeers(port = DEFAULT_SERVE_PORT) {
+  const status = getTailscaleStatus();
+  if (!status.connected) {
+    return [];
+  }
+  const clawvaultPeers = [];
+  const checkPromises = status.peers.filter((p) => p.online).map(async (peer) => {
+    const ip = peer.tailscaleIPs[0];
+    if (!ip) return;
+    const isServing = await checkPeerClawVault(ip, port);
+    if (isServing) {
+      peer.clawvaultServing = true;
+      peer.clawvaultPort = port;
+      clawvaultPeers.push(peer);
+    }
+  });
+  await Promise.all(checkPromises);
+  return clawvaultPeers;
+}
+
+// src/commands/tailscale.ts
+async function tailscaleStatusCommand(options = {}) {
+  const status = getTailscaleStatus();
+  if (options.json) {
+    console.log(JSON.stringify(status, null, 2));
+    return status;
+  }
+  if (!status.installed) {
+    console.log("Tailscale: Not installed");
+    console.log("  Install from: https://tailscale.com/download");
+    return status;
+  }
+  const version = getTailscaleVersion();
+  console.log(`Tailscale: ${version || "installed"}`);
+  if (!status.running) {
+    console.log("  Status: Daemon not running");
+    if (status.error) {
+      console.log(`  Error: ${status.error}`);
+    }
+    return status;
+  }
+  console.log(`  Status: ${status.backendState}`);
+  if (status.connected) {
+    console.log(`  Tailnet: ${status.tailnetName || "unknown"}`);
+    console.log(`  Self IP: ${status.selfIP || "unknown"}`);
+    console.log(`  Hostname: ${status.selfHostname || "unknown"}`);
+    if (status.selfDNSName) {
+      console.log(`  DNS Name: ${status.selfDNSName}`);
+    }
+    if (options.peers || status.peers.length > 0) {
+      const onlinePeers = status.peers.filter((p) => p.online);
+      const offlinePeers = status.peers.filter((p) => !p.online);
+      console.log(`
+Peers (${onlinePeers.length} online, ${offlinePeers.length} offline):`);
+      for (const peer of onlinePeers) {
+        const ip = peer.tailscaleIPs[0] || "no-ip";
+        const os = peer.os ? ` (${peer.os})` : "";
+        const clawvault = peer.clawvaultServing ? " [ClawVault]" : "";
+        console.log(`  \u25CF ${peer.hostname}${os} - ${ip}${clawvault}`);
+      }
+      if (options.peers) {
+        for (const peer of offlinePeers) {
+          const ip = peer.tailscaleIPs[0] || "no-ip";
+          const os = peer.os ? ` (${peer.os})` : "";
+          console.log(`  \u25CB ${peer.hostname}${os} - ${ip} [offline]`);
+        }
+      }
+    }
+  } else {
+    console.log("  Status: Not connected to tailnet");
+    if (status.error) {
+      console.log(`  Error: ${status.error}`);
+    }
+  }
+  return status;
+}
+function registerTailscaleStatusCommand(program) {
+  program.command("tailscale-status").alias("ts-status").description("Show Tailscale connection status and peers").option("--json", "Output as JSON").option("--peers", "Show all peers including offline").action(async (rawOptions) => {
+    await tailscaleStatusCommand({
+      json: rawOptions.json,
+      peers: rawOptions.peers
+    });
+  });
+}
+async function tailscaleSyncCommand(options) {
+  const vaultPath = resolveVaultPath({ explicitPath: options.vaultPath });
+  const status = getTailscaleStatus();
+  if (!status.installed) {
+    const error = {
+      pushed: [],
+      pulled: [],
+      deleted: [],
+      unchanged: [],
+      errors: ["Tailscale not installed. Install from https://tailscale.com/download"],
+      stats: { bytesTransferred: 0, filesProcessed: 0, duration: 0 }
+    };
+    if (options.json) {
+      console.log(JSON.stringify(error, null, 2));
+    } else {
+      console.error("Error: Tailscale not installed");
+    }
+    return error;
+  }
+  if (!status.connected) {
+    const error = {
+      pushed: [],
+      pulled: [],
+      deleted: [],
+      unchanged: [],
+      errors: ["Not connected to Tailscale. Run `tailscale up` to connect."],
+      stats: { bytesTransferred: 0, filesProcessed: 0, duration: 0 }
+    };
+    if (options.json) {
+      console.log(JSON.stringify(error, null, 2));
+    } else {
+      console.error("Error: Not connected to Tailscale");
+    }
+    return error;
+  }
+  const peer = findPeer(options.peer);
+  if (!peer) {
+    const error = {
+      pushed: [],
+      pulled: [],
+      deleted: [],
+      unchanged: [],
+      errors: [`Peer not found: ${options.peer}`],
+      stats: { bytesTransferred: 0, filesProcessed: 0, duration: 0 }
+    };
+    if (options.json) {
+      console.log(JSON.stringify(error, null, 2));
+    } else {
+      console.error(`Error: Peer not found: ${options.peer}`);
+      console.log("\nAvailable online peers:");
+      for (const p of getOnlinePeers()) {
+        console.log(`  - ${p.hostname} (${p.tailscaleIPs[0]})`);
+      }
+    }
+    return error;
+  }
+  if (!peer.online) {
+    const error = {
+      pushed: [],
+      pulled: [],
+      deleted: [],
+      unchanged: [],
+      errors: [`Peer is offline: ${peer.hostname}`],
+      stats: { bytesTransferred: 0, filesProcessed: 0, duration: 0 }
+    };
+    if (options.json) {
+      console.log(JSON.stringify(error, null, 2));
+    } else {
+      console.error(`Error: Peer is offline: ${peer.hostname}`);
+    }
+    return error;
+  }
+  const syncOptions = {
+    peer: peer.tailscaleIPs[0],
+    port: options.port || DEFAULT_SERVE_PORT,
+    direction: options.direction || "bidirectional",
+    dryRun: options.dryRun,
+    deleteOrphans: options.deleteOrphans,
+    categories: options.categories,
+    https: options.https
+  };
+  if (!options.json && !options.dryRun) {
+    console.log(`Syncing with ${peer.hostname} (${peer.tailscaleIPs[0]})...`);
+  }
+  const result = await syncWithPeer(vaultPath, syncOptions);
+  if (options.json) {
+    console.log(JSON.stringify(result, null, 2));
+  } else {
+    const prefix = options.dryRun ? "[dry-run] " : "";
+    if (result.pushed.length > 0) {
+      console.log(`
+${prefix}Pushed ${result.pushed.length} file(s):`);
+      for (const file of result.pushed.slice(0, 10)) {
+        console.log(`  \u2192 ${file}`);
+      }
+      if (result.pushed.length > 10) {
+        console.log(`  ... and ${result.pushed.length - 10} more`);
+      }
+    }
+    if (result.pulled.length > 0) {
+      console.log(`
+${prefix}Pulled ${result.pulled.length} file(s):`);
+      for (const file of result.pulled.slice(0, 10)) {
+        console.log(`  \u2190 ${file}`);
+      }
+      if (result.pulled.length > 10) {
+        console.log(`  ... and ${result.pulled.length - 10} more`);
+      }
+    }
+    if (result.deleted.length > 0) {
+      console.log(`
+${prefix}Deleted ${result.deleted.length} file(s):`);
+      for (const file of result.deleted.slice(0, 10)) {
+        console.log(`  \u2717 ${file}`);
+      }
+      if (result.deleted.length > 10) {
+        console.log(`  ... and ${result.deleted.length - 10} more`);
+      }
+    }
+    if (result.errors.length > 0) {
+      console.log(`
+Errors (${result.errors.length}):`);
+      for (const error of result.errors) {
+        console.log(`  ! ${error}`);
+      }
+    }
+    console.log(`
+Summary:`);
+    console.log(`  Pushed: ${result.pushed.length}`);
+    console.log(`  Pulled: ${result.pulled.length}`);
+    console.log(`  Deleted: ${result.deleted.length}`);
+    console.log(`  Unchanged: ${result.unchanged.length}`);
+    console.log(`  Errors: ${result.errors.length}`);
+    console.log(`  Duration: ${result.stats.duration}ms`);
+    console.log(`  Transferred: ${formatBytes(result.stats.bytesTransferred)}`);
+  }
+  return result;
+}
+function formatBytes(bytes) {
+  if (bytes === 0) return "0 B";
+  const k = 1024;
+  const sizes = ["B", "KB", "MB", "GB"];
+  const i = Math.floor(Math.log(bytes) / Math.log(k));
+  return `${parseFloat((bytes / Math.pow(k, i)).toFixed(2))} ${sizes[i]}`;
+}
+function registerTailscaleSyncCommand(program) {
+  program.command("tailscale-sync").alias("ts-sync").description("Sync vault with a peer on the Tailscale network").requiredOption("--peer <hostname>", "Peer hostname or IP to sync with").option("-v, --vault <path>", "Vault path").option("--port <number>", "Port on the peer", parseInt).option("--direction <dir>", "Sync direction: push, pull, or bidirectional", "bidirectional").option("--dry-run", "Show what would be synced without making changes").option("--delete-orphans", "Delete files that exist locally but not on peer (pull only)").option("--categories <list>", "Comma-separated list of categories to sync").option("--https", "Use HTTPS for connection").option("--json", "Output as JSON").action(async (rawOptions) => {
+    await tailscaleSyncCommand({
+      peer: rawOptions.peer,
+      vaultPath: rawOptions.vault,
+      port: rawOptions.port,
+      direction: rawOptions.direction,
+      dryRun: rawOptions.dryRun,
+      deleteOrphans: rawOptions.deleteOrphans,
+      categories: rawOptions.categories?.split(",").map((c) => c.trim()),
+      https: rawOptions.https,
+      json: rawOptions.json
+    });
+  });
+}
+var activeServeInstance = null;
+async function tailscaleServeCommand(options) {
+  if (options.stop) {
+    if (activeServeInstance) {
+      await activeServeInstance.stop();
+      activeServeInstance = null;
+      console.log("ClawVault serve stopped.");
+    }
+    stopTailscaleServe();
+    return;
+  }
+  const vaultPath = resolveVaultPath({ explicitPath: options.vaultPath });
+  const port = options.port || DEFAULT_SERVE_PORT;
+  const status = getTailscaleStatus();
+  console.log(`Starting ClawVault serve...`);
+  console.log(`  Vault: ${path4.basename(vaultPath)}`);
+  console.log(`  Port: ${port}`);
+  activeServeInstance = serveVault(vaultPath, { port });
+  console.log(`  Local URL: http://localhost:${port}/.clawvault`);
+  if (status.connected) {
+    console.log(`  Tailscale URL: http://${status.selfIP}:${port}/.clawvault`);
+    if (status.selfDNSName) {
+      const dnsHost = status.selfDNSName.replace(/\.$/, "");
+      console.log(`  MagicDNS URL: http://${dnsHost}:${port}/.clawvault`);
+    }
+    if (options.funnel || options.background) {
+      console.log("\nConfiguring Tailscale serve...");
+      configureTailscaleServe(port, {
+        funnel: options.funnel,
+        background: options.background
+      });
+      if (options.funnel) {
+        console.log("  Funnel enabled - vault is accessible from the public internet");
+      }
+    }
+  } else {
+    console.log("\n  Note: Not connected to Tailscale. Only local access available.");
+  }
+  console.log("\nEndpoints:");
+  console.log(`  Health: /.clawvault/health`);
+  console.log(`  Manifest: /.clawvault/manifest`);
+  console.log(`  Files: /.clawvault/files/<path>`);
+  if (!options.background) {
+    console.log("\nPress Ctrl+C to stop serving.");
+    process.on("SIGINT", async () => {
+      console.log("\nStopping ClawVault serve...");
+      if (activeServeInstance) {
+        await activeServeInstance.stop();
+        activeServeInstance = null;
+      }
+      stopTailscaleServe();
+      process.exit(0);
+    });
+    await new Promise(() => {
+    });
+  }
+}
+function registerTailscaleServeCommand(program) {
+  program.command("tailscale-serve").alias("ts-serve").description("Serve vault for sync over Tailscale").option("-v, --vault <path>", "Vault path").option("--port <number>", `Port to serve on (default: ${DEFAULT_SERVE_PORT})`, parseInt).option("--funnel", "Expose via Tailscale Funnel (public internet)").option("--background", "Run in background").option("--stop", "Stop serving").action(async (rawOptions) => {
+    await tailscaleServeCommand({
+      vaultPath: rawOptions.vault,
+      port: rawOptions.port,
+      funnel: rawOptions.funnel,
+      background: rawOptions.background,
+      stop: rawOptions.stop
+    });
+  });
+}
+async function tailscaleDiscoverCommand(options = {}) {
+  const port = options.port || DEFAULT_SERVE_PORT;
+  const status = getTailscaleStatus();
+  if (!status.connected) {
+    if (options.json) {
+      console.log(JSON.stringify({ error: "Not connected to Tailscale", peers: [] }));
+    } else {
+      console.error("Error: Not connected to Tailscale");
+    }
+    return [];
+  }
+  if (!options.json) {
+    console.log("Discovering ClawVault peers on tailnet...");
+  }
+  const peers = await discoverClawVaultPeers(port);
+  if (options.json) {
+    console.log(JSON.stringify({ peers }, null, 2));
+  } else {
+    if (peers.length === 0) {
+      console.log("\nNo ClawVault peers found.");
+      console.log("  Run `clawvault tailscale-serve` on other devices to enable sync.");
+    } else {
+      console.log(`
+Found ${peers.length} ClawVault peer(s):`);
+      for (const peer of peers) {
+        const ip = peer.tailscaleIPs[0] || "no-ip";
+        const os = peer.os ? ` (${peer.os})` : "";
+        console.log(`  \u25CF ${peer.hostname}${os}`);
+        console.log(`    IP: ${ip}`);
+        console.log(`    Port: ${peer.clawvaultPort}`);
+        if (peer.dnsName) {
+          console.log(`    DNS: ${peer.dnsName.replace(/\.$/, "")}`);
+        }
+      }
+    }
+  }
+  return peers;
+}
+function registerTailscaleDiscoverCommand(program) {
+  program.command("tailscale-discover").alias("ts-discover").description("Discover ClawVault peers on the Tailscale network").option("--port <number>", `Port to check (default: ${DEFAULT_SERVE_PORT})`, parseInt).option("--json", "Output as JSON").action(async (rawOptions) => {
+    await tailscaleDiscoverCommand({
+      port: rawOptions.port,
+      json: rawOptions.json
+    });
+  });
+}
+function registerTailscaleCommands(program) {
+  registerTailscaleStatusCommand(program);
+  registerTailscaleSyncCommand(program);
+  registerTailscaleServeCommand(program);
+  registerTailscaleDiscoverCommand(program);
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  registerTailscaleCommands,
+  registerTailscaleDiscoverCommand,
+  registerTailscaleServeCommand,
+  registerTailscaleStatusCommand,
+  registerTailscaleSyncCommand,
+  tailscaleDiscoverCommand,
+  tailscaleServeCommand,
+  tailscaleStatusCommand,
+  tailscaleSyncCommand
+});