pal-explorer-cli 0.4.0

package/lib/commands/org.js

@@ -0,0 +1,273 @@
+import chalk from 'chalk';
+
+async function getAuthHeaders() {
+  const { fetchFirst } = await import('../core/discoveryClient.js');
+  const { getIdentity } = await import('../core/identity.js');
+
+  const identity = await getIdentity();
+  if (!identity?.publicKey) {
+    console.error(chalk.red('No identity. Run pe init first.'));
+    process.exitCode = 1;
+    return null;
+  }
+
+  const keysRes = await fetchFirst(`/api/v1/keys/${encodeURIComponent(identity.publicKey)}`);
+  const keys = keysRes ? await keysRes.json() : [];
+  if (!keys?.length) {
+    console.error(chalk.red('No API key. Create one: pe api-keys create'));
+    process.exitCode = 1;
+    return null;
+  }
+
+  return { 'Content-Type': 'application/json', 'x-api-key': keys[0].key };
+}
+
+async function apiRequest(method, path, body) {
+  const { getPrimaryServer } = await import('../core/discoveryClient.js');
+  const headers = await getAuthHeaders();
+  if (!headers) return null;
+
+  const baseUrl = getPrimaryServer();
+  const opts = { method, headers, signal: AbortSignal.timeout(10000) };
+  if (body) opts.body = JSON.stringify(body);
+
+  const res = await fetch(`${baseUrl}${path}`, opts);
+  return res;
+}
+
+export default function orgCommand(program) {
+  const cmd = program
+    .command('org')
+    .description('manage organizations for enterprise extension management')
+    .addHelpText('after', `
+Examples:
+  $ pe org create "Acme Corp"          Create an organization
+  $ pe org list                        List your organizations
+  $ pe org info abc123                 Show org details and members
+  $ pe org invite abc123 alice         Add a member by handle
+  $ pe org remove abc123 alice         Remove a member
+  $ pe org subscribe abc123 analytics  Subscribe org to an extension
+  $ pe org unsubscribe abc123 analytics Cancel extension subscription
+  $ pe org billing abc123              Show billing summary
+`);
+
+  cmd
+    .command('create <name>')
+    .description('create an organization')
+    .action(async (name) => {
+      try {
+        const res = await apiRequest('POST', '/api/v1/orgs', { name });
+        if (!res) return;
+        const data = await res.json();
+        if (res.ok && data?.id) {
+          console.log(chalk.green(`\u2714 Created organization "${name}"`));
+          console.log(`  ID: ${chalk.white(data.id)}`);
+        } else {
+          console.error(chalk.red(`Failed: ${data?.error || 'Unknown error'}`));
+          process.exitCode = 1;
+        }
+      } catch (err) {
+        console.error(chalk.red(`Create failed: ${err.message}`));
+        process.exitCode = 1;
+      }
+    });
+
+  cmd
+    .command('list')
+    .description('list your organizations')
+    .action(async () => {
+      try {
+        const res = await apiRequest('GET', '/api/v1/orgs');
+        if (!res) return;
+        const data = await res.json();
+        if (!data?.orgs?.length) {
+          console.log(chalk.gray('No organizations.'));
+          console.log(chalk.gray('  pe org create <name>'));
+          return;
+        }
+        console.log('');
+        console.log(chalk.cyan('Organizations:'));
+        console.log(chalk.gray('\u2500'.repeat(50)));
+        for (const org of data.orgs) {
+          const role = org.role === 'owner' ? chalk.yellow('owner') : chalk.gray(org.role);
+          console.log(`  ${chalk.white(org.name)} ${chalk.gray(`(${org.id})`)}`);
+          console.log(`    Role: ${role}  Members: ${chalk.cyan(org.memberCount || 0)}  Subscriptions: ${chalk.cyan(org.subscriptionCount || 0)}`);
+        }
+        console.log('');
+      } catch (err) {
+        console.error(chalk.red(`List failed: ${err.message}`));
+        process.exitCode = 1;
+      }
+    });
+
+  cmd
+    .command('info <id>')
+    .description('show org details, members, and subscriptions')
+    .action(async (id) => {
+      try {
+        const res = await apiRequest('GET', `/api/v1/orgs/${encodeURIComponent(id)}`);
+        if (!res) return;
+        if (!res.ok) {
+          const err = await res.json().catch(() => ({}));
+          console.error(chalk.red(`Not found: ${err?.error || 'Organization not found'}`));
+          process.exitCode = 1;
+          return;
+        }
+        const data = await res.json();
+        console.log('');
+        console.log(chalk.cyan.bold(data.name));
+        console.log(chalk.gray('\u2500'.repeat(50)));
+        console.log(`  ID:      ${chalk.white(data.id)}`);
+        console.log(`  Created: ${chalk.gray(new Date(data.createdAt).toLocaleDateString())}`);
+        console.log(`  Plan:    ${chalk.yellow(data.plan || 'free')}`);
+
+        if (data.members?.length) {
+          console.log('');
+          console.log(chalk.cyan('  Members:'));
+          for (const m of data.members) {
+            const roleColor = m.role === 'owner' ? chalk.yellow : m.role === 'admin' ? chalk.cyan : chalk.gray;
+            console.log(`    ${chalk.white('@' + m.handle)} ${roleColor(m.role)}`);
+          }
+        }
+
+        if (data.subscriptions?.length) {
+          console.log('');
+          console.log(chalk.cyan('  Subscriptions:'));
+          for (const sub of data.subscriptions) {
+            const status = sub.active ? chalk.green('active') : chalk.red('cancelled');
+            console.log(`    ${chalk.white(sub.extName)} ${status} ${chalk.gray('$' + (sub.price || 0).toFixed(2) + '/mo')}`);
+          }
+        }
+        console.log('');
+      } catch (err) {
+        console.error(chalk.red(`Info failed: ${err.message}`));
+        process.exitCode = 1;
+      }
+    });
+
+  cmd
+    .command('invite <id> <handle>')
+    .description('add a member to an organization')
+    .action(async (id, handle) => {
+      try {
+        const res = await apiRequest('POST', `/api/v1/orgs/${encodeURIComponent(id)}/members`, { handle });
+        if (!res) return;
+        const data = await res.json();
+        if (res.ok && data?.success) {
+          console.log(chalk.green(`\u2714 Invited @${handle} to organization`));
+        } else {
+          console.error(chalk.red(`Failed: ${data?.error || 'Unknown error'}`));
+          process.exitCode = 1;
+        }
+      } catch (err) {
+        console.error(chalk.red(`Invite failed: ${err.message}`));
+        process.exitCode = 1;
+      }
+    });
+
+  cmd
+    .command('remove <id> <handle>')
+    .description('remove a member from an organization')
+    .action(async (id, handle) => {
+      try {
+        const res = await apiRequest('DELETE', `/api/v1/orgs/${encodeURIComponent(id)}/members/${encodeURIComponent(handle)}`);
+        if (!res) return;
+        const data = await res.json();
+        if (res.ok && data?.success) {
+          console.log(chalk.green(`\u2714 Removed @${handle} from organization`));
+        } else {
+          console.error(chalk.red(`Failed: ${data?.error || 'Unknown error'}`));
+          process.exitCode = 1;
+        }
+      } catch (err) {
+        console.error(chalk.red(`Remove failed: ${err.message}`));
+        process.exitCode = 1;
+      }
+    });
+
+  cmd
+    .command('subscribe <id> <ext-name>')
+    .description('subscribe organization to an enterprise extension')
+    .action(async (id, extName) => {
+      try {
+        const res = await apiRequest('POST', `/api/v1/orgs/${encodeURIComponent(id)}/subscriptions`, { extName });
+        if (!res) return;
+        const data = await res.json();
+        if (res.ok && data?.success) {
+          console.log(chalk.green(`\u2714 Subscribed to "${extName}"`));
+          if (data.price) console.log(`  Price: ${chalk.yellow('$' + data.price.toFixed(2) + '/mo')}`);
+        } else {
+          console.error(chalk.red(`Failed: ${data?.error || 'Unknown error'}`));
+          process.exitCode = 1;
+        }
+      } catch (err) {
+        console.error(chalk.red(`Subscribe failed: ${err.message}`));
+        process.exitCode = 1;
+      }
+    });
+
+  cmd
+    .command('unsubscribe <id> <ext-name>')
+    .description('cancel an extension subscription')
+    .action(async (id, extName) => {
+      try {
+        const res = await apiRequest('DELETE', `/api/v1/orgs/${encodeURIComponent(id)}/subscriptions/${encodeURIComponent(extName)}`);
+        if (!res) return;
+        const data = await res.json();
+        if (res.ok && data?.success) {
+          console.log(chalk.green(`\u2714 Unsubscribed from "${extName}"`));
+        } else {
+          console.error(chalk.red(`Failed: ${data?.error || 'Unknown error'}`));
+          process.exitCode = 1;
+        }
+      } catch (err) {
+        console.error(chalk.red(`Unsubscribe failed: ${err.message}`));
+        process.exitCode = 1;
+      }
+    });
+
+  cmd
+    .command('billing <id>')
+    .description('show billing summary for an organization')
+    .action(async (id) => {
+      try {
+        const res = await apiRequest('GET', `/api/v1/orgs/${encodeURIComponent(id)}/billing`);
+        if (!res) return;
+        if (!res.ok) {
+          const err = await res.json().catch(() => ({}));
+          console.error(chalk.red(`Failed: ${err?.error || 'Unknown error'}`));
+          process.exitCode = 1;
+          return;
+        }
+        const data = await res.json();
+        console.log('');
+        console.log(chalk.cyan.bold('Organization Billing'));
+        console.log(chalk.gray('\u2500'.repeat(40)));
+        console.log(`  Plan:            ${chalk.yellow(data.plan || 'free')}`);
+        console.log(`  Monthly Total:   ${chalk.white('$' + (data.monthlyTotal || 0).toFixed(2))}`);
+        console.log(`  Active Seats:    ${chalk.cyan(data.activeSeats || 0)}`);
+        console.log(`  Subscriptions:   ${chalk.cyan(data.subscriptionCount || 0)}`);
+
+        if (data.subscriptions?.length) {
+          console.log('');
+          console.log(chalk.cyan('  Active Subscriptions:'));
+          for (const sub of data.subscriptions) {
+            console.log(`    ${chalk.white(sub.extName)} ${chalk.gray('$' + (sub.price || 0).toFixed(2) + '/mo')} ${chalk.gray('since ' + new Date(sub.startDate).toLocaleDateString())}`);
+          }
+        }
+
+        if (data.invoices?.length) {
+          console.log('');
+          console.log(chalk.cyan('  Recent Invoices:'));
+          for (const inv of data.invoices) {
+            const statusColor = inv.status === 'paid' ? chalk.green : inv.status === 'pending' ? chalk.yellow : chalk.red;
+            console.log(`    ${chalk.gray(new Date(inv.date).toLocaleDateString())} $${inv.amount.toFixed(2)} ${statusColor(inv.status)}`);
+          }
+        }
+        console.log('');
+      } catch (err) {
+        console.error(chalk.red(`Billing failed: ${err.message}`));
+        process.exitCode = 1;
+      }
+    });
+}

package/lib/commands/pal.js

@@ -0,0 +1,180 @@
+import chalk from 'chalk';
+import { getFriends, saveFriends } from '../core/users.js';
+import { decodeInvite } from './invite.js';
+import { getSharesForPal, removeRecipientFromShare, rotateShareKey } from '../core/shares.js';
+import { resolveHandle as resolveHandleFull } from '../core/resolver.js';
+import { getPrimaryServer } from '../core/discoveryClient.js';
+
+async function resolveHandle(handle) {
+  const data = await resolveHandleFull(handle);
+  if (!data) return null;
+  return data.publicKey || data.publicKeys?.[0] || null;
+}
+
+async function addPal(id, resolvedName, handle) {
+  const friends = getFriends();
+
+  const existing = friends.find(f => f.id === id);
+  if (existing) {
+    console.log(chalk.yellow(`This ID is already in your list as '${existing.name}'.`));
+    return false;
+  }
+
+  const palName = resolvedName || 'Unnamed Pal';
+  if (friends.find(f => f.name === palName)) {
+    console.log(chalk.red(`Error: The name '${palName}' is already taken. Please provide a unique nickname.`));
+    return false;
+  }
+
+  const newPal = { id, name: palName, handle: handle || null, addedAt: new Date().toISOString() };
+  friends.push(newPal);
+  saveFriends(friends);
+  return newPal;
+}
+
+export default function palCommand(program) {
+  const pal = program.command('pal').description('manage your list of pals (friends)')
+    .addHelpText('after', `
+Examples:
+  $ pe pal add @alice               Add pal by handle
+  $ pe pal add pal://... bob        Add pal from invite link
+  $ pe pal add abc123def456 carol   Add pal by public key
+  $ pe pal list                     Show all pals
+  $ pe pal remove @alice            Remove a pal (rotates affected share keys)
+`);
+
+  pal
+    .command('add <target> [name]')
+    .description('add a pal by @handle, invite link (pal://...), or raw public key')
+    .action(async (target, name) => {
+      // --- Mode 1: Magic invite link ---
+      if (target.startsWith('pal://')) {
+        const decoded = decodeInvite(target);
+        if (!decoded) {
+          console.log(chalk.red('Invalid invite link.'));
+          process.exitCode = 1;
+          return;
+        }
+        const palName = name || decoded.n || 'Unnamed Pal';
+        const result = await addPal(decoded.pk, palName, decoded.h);
+        if (result) {
+          console.log(chalk.green(`✔ Added pal: ${result.name}${decoded.h ? ` (@${decoded.h})` : ''}`));
+        }
+        return;
+      }
+
+      // --- Mode 2: Handle lookup (@handle or plain handle string) ---
+      const isHandle = target.startsWith('@') || (!target.match(/^[0-9a-fA-F]{20,}$/));
+      if (isHandle) {
+        const handle = target.startsWith('@') ? target.slice(1) : target;
+        process.stdout.write(chalk.gray(`Resolving @${handle}... `));
+        let publicKey;
+        try {
+          publicKey = await resolveHandle(handle);
+        } catch {
+          console.log(chalk.red(`\nCould not reach discovery server(s)`));
+          process.exitCode = 1;
+          return;
+        }
+        if (!publicKey) {
+          console.log(chalk.red(`\nHandle @${handle} not found.`));
+          process.exitCode = 1;
+          return;
+        }
+        console.log(chalk.green('found.'));
+        const palName = name || handle;
+        const result = await addPal(publicKey, palName, handle);
+        if (result) {
+          console.log(chalk.green(`✔ Added pal: ${result.name} (@${handle})`));
+        }
+        return;
+      }
+
+      // --- Mode 3: Raw public key ---
+      const palName = name || 'Unnamed Pal';
+      const result = await addPal(target, palName, null);
+      if (result) {
+        console.log(chalk.green(`✔ Added pal: ${result.name} (${target})`));
+      }
+    });
+
+  pal
+    .command('list')
+    .description('list all your pals with online status')
+    .action(async () => {
+      const friends = getFriends();
+      if (friends.length === 0) {
+        if (program.opts().json) {
+          console.log(JSON.stringify({ pals: [] }, null, 2));
+          return;
+        }
+        console.log(chalk.gray('Your pal list is empty. Use `pe pal add @handle` or `pe invite` to add friends.'));
+        return;
+      }
+
+      const discoveryUrl = getPrimaryServer();
+      for (const f of friends) {
+        if (f.handle) {
+          try {
+            const res = await fetch(`${discoveryUrl}/api/v1/presence/${encodeURIComponent(f.handle)}`, {
+              signal: AbortSignal.timeout(3000),
+            });
+            if (res.ok) {
+              const p = await res.json();
+              f._online = p.online;
+              f._lastSeen = p.devices?.[0]?.lastSeen;
+            }
+          } catch {}
+        }
+      }
+
+      if (program.opts().json) {
+        const pals = friends.map(f => ({ id: f.id, name: f.name, handle: f.handle, online: !!f._online, lastSeen: f._lastSeen || null }));
+        console.log(JSON.stringify({ pals }, null, 2));
+        return;
+      }
+
+      console.log('');
+      console.log(chalk.cyan('Your Pals:'));
+      friends.forEach(f => {
+        const handle = f.handle ? chalk.cyan(` @${f.handle}`) : '';
+        const statusIcon = f._online ? chalk.green('\u25cf') : chalk.gray('\u25cb');
+        const statusText = f._online ? chalk.green('online') : chalk.gray('offline');
+        console.log(`${statusIcon} ${chalk.white(f.name)}${handle} ${statusText} [${chalk.gray(f.id)}]`);
+      });
+    });
+
+  pal
+    .command('remove <id>')
+    .description('remove a pal from your list by their public key or @handle')
+    .action(async (id) => {
+      const friends = getFriends();
+      const target = id.startsWith('@') ? id.slice(1) : id;
+      const removed = friends.find(f => f.id === target || f.handle === target);
+      const filtered = friends.filter(f => f.id !== target && f.handle !== target);
+      if (!removed) {
+        console.log(chalk.red('Pal not found.'));
+        return;
+      }
+      saveFriends(filtered);
+      console.log(chalk.green('✔ Pal removed.'));
+
+      // Rotate keys for any shares this pal was a recipient of
+      const affectedShares = getSharesForPal(removed.id);
+      if (affectedShares.length > 0) {
+        console.log(chalk.blue(`Rotating keys for ${affectedShares.length} affected share(s)...`));
+        for (const share of affectedShares) {
+          try {
+            removeRecipientFromShare(share.id, removed.id);
+            if (share.visibility === 'private') {
+              await rotateShareKey(share.id);
+              console.log(chalk.gray(`  ✔ Rotated key for "${share.name || share.id}"`));
+            }
+          } catch (err) {
+            console.log(chalk.yellow(`  Warning: Could not rotate key for ${share.id}: ${err.message}`));
+          }
+        }
+        console.log(chalk.green('Key rotation complete. Re-run `pe serve` to seed with new keys.'));
+      }
+    });
+}

package/lib/commands/permissions.js

@@ -0,0 +1,216 @@
+import chalk from 'chalk';
+import { listShares, updateShare, getShareSummary, VISIBILITY_LEVELS } from '../core/shares.js';
+import { getGroups } from '../core/groups.js';
+import config from '../utils/config.js';
+import path from 'path';
+
+const VIS_COLORS = {
+  public: 'green', global: 'green', private: 'red',
+  group: 'blue', network: 'cyan', 'link-only': 'yellow',
+};
+
+function visLabel(v) {
+  const color = VIS_COLORS[v] || 'white';
+  return chalk[color](v.toUpperCase());
+}
+
+export default function permissionsCommand(program) {
+  const cmd = program
+    .command('permissions')
+    .description('unified view of all shares and their permissions')
+    .addHelpText('after', `
+Examples:
+  $ pe permissions                        Show all shares with permissions
+  $ pe permissions --compact              Compact one-line-per-share view
+  $ pe permissions set <id> --visibility group --group team
+  $ pe permissions set <id> --streamable  Mark share as streamable media
+  $ pe permissions set <id> --add-pal alice
+  $ pe permissions set <id> --remove-pal bob
+`)
+    .option('--compact', 'One-line-per-share view')
+    .option('--json', 'Output as JSON')
+    .action((opts) => {
+      const summary = getShareSummary();
+      const groups = getGroups();
+
+      if (opts.json) {
+        console.log(JSON.stringify(summary, null, 2));
+        return;
+      }
+
+      if (summary.length === 0) {
+        console.log(chalk.gray('No active shares.'));
+        return;
+      }
+
+      console.log('');
+      console.log(chalk.bold(`  Shares & Permissions (${summary.length} total)`));
+      console.log(chalk.gray('  ─'.repeat(30)));
+      console.log('');
+
+      if (opts.compact) {
+        // Compact table view
+        const maxName = Math.max(12, ...summary.map(s => s.name.length));
+        const header = `  ${'NAME'.padEnd(maxName)}  ${'VISIBILITY'.padEnd(12)}  ${'STREAM'.padEnd(6)}  ${'RECIPIENTS'.padEnd(24)}  ID`;
+        console.log(chalk.gray(header));
+        console.log(chalk.gray('  ' + '─'.repeat(header.length)));
+
+        for (const s of summary) {
+          const recips = [];
+          if (s.recipients.length) recips.push(s.recipients.join(', '));
+          if (s.groups.length) {
+            const gNames = s.groups.map(gId => groups.find(g => g.id === gId)?.name || gId);
+            recips.push(`[${gNames.join(', ')}]`);
+          }
+          if (s.networks.length) recips.push(`{${s.networks.join(', ')}}`);
+          const recipStr = recips.join(', ') || chalk.gray('everyone');
+
+          console.log(`  ${chalk.white(s.name.padEnd(maxName))}  ${visLabel(s.visibility).padEnd(12 + 10)}  ${s.streamable ? chalk.magenta('yes') : chalk.gray('no ').padEnd(6)}  ${recipStr.substring(0, 24).padEnd(24)}  ${chalk.gray(s.id)}`);
+        }
+      } else {
+        // Detailed view
+        for (const s of summary) {
+          const gNames = s.groups.map(gId => groups.find(g => g.id === gId)?.name || gId);
+
+          console.log(`  ${chalk.bold.white(s.name)} ${chalk.gray(`(${s.id})`)}`);
+          console.log(`    Path:       ${chalk.gray(s.path)}`);
+          console.log(`    Visibility: ${visLabel(s.visibility)}`);
+          console.log(`    Streamable: ${s.streamable ? chalk.magenta('Yes — media streaming enabled') : chalk.gray('No')}`);
+
+          if (s.visibility === 'public' || s.visibility === 'global') {
+            console.log(`    Access:     ${chalk.green('Everyone')}`);
+          } else if (s.visibility === 'group' && gNames.length) {
+            console.log(`    Groups:     ${chalk.blue(gNames.join(', '))}`);
+          } else if (s.visibility === 'network' && s.networks.length) {
+            console.log(`    Networks:   ${chalk.cyan(s.networks.join(', '))}`);
+          } else if (s.visibility === 'link-only') {
+            console.log(`    Access:     ${chalk.yellow('Link-only (anyone with the link)')}`);
+          }
+
+          if (s.recipients.length) {
+            console.log(`    Recipients: ${chalk.white(s.recipients.join(', '))}`);
+          }
+
+          console.log(`    Recursive:  ${s.recursive ? 'Yes' : 'No'}`);
+          if (s.hasMagnet) console.log(`    Magnet:     ${chalk.green('Active')}`);
+          if (s.hasPassword) console.log(`    Password:   ${chalk.yellow('Protected')}`);
+          console.log('');
+        }
+      }
+    });
+
+  cmd
+    .command('set <id>')
+    .description('edit share permissions')
+    .option('--visibility <type>', `Set visibility: ${VISIBILITY_LEVELS.join(', ')}`)
+    .option('--streamable', 'Enable media streaming for this share')
+    .option('--no-streamable', 'Disable media streaming')
+    .option('--add-pal <name>', 'Add a pal as recipient')
+    .option('--remove-pal <name>', 'Remove a pal from recipients')
+    .option('--add-group <name>', 'Add a group')
+    .option('--remove-group <name>', 'Remove a group')
+    .option('--add-network <id>', 'Add a network')
+    .option('--remove-network <id>', 'Remove a network')
+    .option('--recursive', 'Enable recursive sharing')
+    .option('--no-recursive', 'Disable recursive sharing')
+    .option('--writable', 'Allow recipients to write/modify files')
+    .option('--read-only', 'Restrict recipients to read-only access')
+    .action(async (id, opts) => {
+      try {
+        const shares = listShares();
+        const share = shares.find(s => s.id === id || s.path === path.resolve(id));
+        if (!share) {
+          console.log(chalk.red('Share not found.'));
+          process.exitCode = 1;
+          return;
+        }
+
+        const updates = {};
+
+        if (opts.visibility) {
+          if (!VISIBILITY_LEVELS.includes(opts.visibility)) {
+            console.log(chalk.red(`Invalid visibility. Options: ${VISIBILITY_LEVELS.join(', ')}`));
+            process.exitCode = 1;
+            return;
+          }
+          updates.visibility = opts.visibility;
+        }
+
+        if (opts.streamable !== undefined) {
+          updates.streamable = opts.streamable;
+        }
+
+        if (opts.recursive !== undefined) {
+          updates.recursive = opts.recursive;
+        }
+
+        if (opts.writable) {
+          updates.permissions = { ...share.permissions, write: true };
+        }
+        if (opts.readOnly) {
+          updates.permissions = { ...share.permissions, write: false };
+        }
+
+        if (opts.addPal) {
+          const { getFriends } = await import('../core/users.js');
+          const friends = getFriends();
+          const pal = friends.find(f => f.name === opts.addPal || f.handle === opts.addPal);
+          if (!pal) { console.log(chalk.red(`Pal '${opts.addPal}' not found.`)); process.exitCode = 1; return; }
+          const recipients = share.recipients || [];
+          if (!recipients.find(r => r.id === pal.id)) {
+            recipients.push({ id: pal.id, name: pal.name, handle: pal.handle });
+            updates.recipients = recipients;
+          }
+        }
+
+        if (opts.removePal) {
+          const recipients = (share.recipients || []).filter(
+            r => r.name !== opts.removePal && r.handle !== opts.removePal
+          );
+          updates.recipients = recipients;
+        }
+
+        if (opts.addGroup) {
+          const { getGroup } = await import('../core/groups.js');
+          const group = getGroup(opts.addGroup);
+          if (!group) { console.log(chalk.red(`Group '${opts.addGroup}' not found.`)); process.exitCode = 1; return; }
+          const groups = share.sharedWithGroups || [];
+          if (!groups.includes(group.id)) {
+            groups.push(group.id);
+            updates.sharedWithGroups = groups;
+          }
+        }
+
+        if (opts.removeGroup) {
+          const { getGroup } = await import('../core/groups.js');
+          const group = getGroup(opts.removeGroup);
+          updates.sharedWithGroups = (share.sharedWithGroups || []).filter(gId => gId !== group?.id);
+        }
+
+        if (opts.addNetwork) {
+          const networks = share.sharedWithNetworks || [];
+          if (!networks.includes(opts.addNetwork)) networks.push(opts.addNetwork);
+          updates.sharedWithNetworks = networks;
+        }
+
+        if (opts.removeNetwork) {
+          updates.sharedWithNetworks = (share.sharedWithNetworks || []).filter(n => n !== opts.removeNetwork);
+        }
+
+        if (Object.keys(updates).length === 0) {
+          console.log(chalk.yellow('No changes specified.'));
+          return;
+        }
+
+        const updated = updateShare(id, updates);
+        console.log(chalk.green(`Share updated: ${updated.name || path.basename(updated.path)}`));
+
+        for (const [key, value] of Object.entries(updates)) {
+          console.log(chalk.gray(`  ${key}: ${JSON.stringify(value)}`));
+        }
+      } catch (err) {
+        console.log(chalk.red(`Error: ${err.message}`));
+        process.exitCode = 1;
+      }
+    });
+}