pal-explorer-cli 0.4.0

package/lib/commands/share.js

@@ -0,0 +1,323 @@
+import chalk from 'chalk';
+import path from 'path';
+import fs from 'fs';
+import { addShare, storeShareKey } from '../core/shares.js';
+import { getGroup } from '../core/groups.js';
+import config from '../utils/config.js';
+import logger from '../utils/logger.js';
+import { requireRole, getFriends } from '../core/users.js';
+import { checkLimit } from '../core/pro.js';
+
+export default function shareCommand(program) {
+  program
+    .command('share-rename <id> <name>')
+    .description('rename a shared resource')
+    .action((id, name) => {
+      if (!name || !name.trim()) {
+        console.log(chalk.red('Error: name cannot be empty.'));
+        process.exitCode = 1;
+        return;
+      }
+      const shares = config.get('shares') || [];
+      const share = shares.find(s => s.id === id);
+      if (!share) {
+        console.log(chalk.red('Share not found.'));
+        process.exitCode = 1;
+        return;
+      }
+      share.name = name;
+      config.set('shares', shares);
+      console.log(chalk.green(`✔ Share renamed to: ${name}`));
+    });
+
+  program
+    .command('share <file>')
+    .description('share a file, folder, or drive via P2P')
+    .option('-v, --visibility <type>', 'Visibility: global, private, group, network, link-only', 'global')
+    .option('-w, --with <pals...>', 'Specific pals to share with (names or IDs)')
+    .option('--with-group <group>', 'Share with all members of a group')
+    .option('--with-network <network>', 'Share with a network')
+    .option('--streamable', 'Enable media streaming (audio/video playback without download)')
+    .option('--no-recursive', 'Share only top-level files in folder (no subfolders)')
+    .option('--expires <duration>', 'Auto-expire after duration (e.g. 1h, 3d, 7d, 30d)')
+    .option('--max-downloads <n>', 'Auto-expire after N downloads (0 = unlimited)', '0')
+    .option('--password <pwd>', 'Password-protect this share')
+    .addHelpText('after', `
+Examples:
+  $ pe share ./photos                         Share a folder publicly (recursive)
+  $ pe share ./photos --no-recursive          Share only top-level files in folder
+  $ pe share ./docs -v private -w alice       Share privately with pal "alice"
+  $ pe share ./project --with-group team      Share with entire group
+  $ pe share ./file.zip --password secret123  Password-protected share
+  $ pe share ./file.zip                       Share a single file
+  $ pe share ./music --streamable             Share as streaming media server
+  $ pe share ./report.pdf --expires 3d        Share for 3 days then auto-expire
+  $ pe share ./file.zip --max-downloads 5     Expire after 5 downloads
+  $ pe share ./docs -v network --with-network mynet
+
+Note: Private shares create an encrypted copy of your files for E2E seeding.
+This uses additional disk space equal to the original share size.
+`)
+    .action(async (filePath, options) => {
+      if (!filePath || !filePath.trim()) {
+        console.log(chalk.red('Error: file path cannot be empty.'));
+        process.exitCode = 1;
+        return;
+      }
+      const VALID_VISIBILITIES = ['global', 'private', 'group', 'network', 'link-only', 'public'];
+      if (!VALID_VISIBILITIES.includes(options.visibility)) {
+        console.log(chalk.red(`Invalid visibility '${options.visibility}'. Must be one of: ${VALID_VISIBILITIES.join(', ')}`));
+        process.exitCode = 1;
+        return;
+      }
+      const maxDl = parseInt(options.maxDownloads);
+      if (isNaN(maxDl) || maxDl < 0) {
+        console.log(chalk.red('--max-downloads must be a non-negative integer.'));
+        process.exitCode = 1;
+        return;
+      }
+      const absolutePath = path.resolve(filePath);
+      try {
+        try { requireRole('user'); } catch (e) {
+          console.log(chalk.red(e.message));
+          process.exitCode = 1;
+          return;
+        }
+        if (!fs.existsSync(absolutePath)) {
+          console.log(chalk.red(`Path does not exist: ${absolutePath}`));
+          process.exitCode = 1;
+          return;
+        }
+        const friends = getFriends();
+
+        // Validate pals if provided
+        let recipients = [];
+        if (options.withGroup) {
+          const group = getGroup(options.withGroup);
+          if (!group) {
+            console.log(chalk.red(`Group '${options.withGroup}' not found.`));
+            process.exitCode = 1;
+            return;
+          }
+          if (group.members.length === 0) {
+            console.log(chalk.yellow(`Group '${group.name}' has no members.`));
+            process.exitCode = 1;
+            return;
+          }
+          recipients = group.members.map(m => {
+            const pal = friends.find(f => f.id === m.id);
+            return pal || { name: m.name, id: m.id, handle: m.handle };
+          });
+          console.log(chalk.cyan(`Sharing with group '${group.name}' (${recipients.length} members)`));
+        }
+        if (options.with) {
+          const palRecipients = options.with.map(nameOrId => {
+            const stripped = nameOrId.replace(/^@/, '');
+            const pal = friends.find(f =>
+              f.id === stripped || f.name === stripped || f.handle === stripped || f.publicKey === stripped
+            );
+            if (!pal) {
+              console.warn(chalk.yellow(`Warning: Pal '${stripped}' not found in your list.`));
+              return { name: stripped, id: 'unknown' };
+            }
+            return pal;
+          });
+          // Merge, avoid duplicates by id
+          for (const r of palRecipients) {
+            if (!recipients.find(e => e.id === r.id)) {
+              recipients.push(r);
+            }
+          }
+        }
+
+        checkLimit('maxShareRecipients', recipients.length);
+
+        console.log(chalk.blue(`Preparing to share: ${absolutePath}`));
+
+        let type = 'file';
+        try {
+          const stat = fs.statSync(absolutePath);
+          if (stat.isDirectory()) {
+            const parsed = path.parse(absolutePath);
+            type = parsed.dir === parsed.root || absolutePath === parsed.root ? 'drive' : 'folder';
+          }
+        } catch {
+          // path doesn't exist yet — default to 'file'
+        }
+
+        const recursive = options.recursive !== false;
+        let expiresIn = 0;
+        if (options.expires) {
+          expiresIn = parseDuration(options.expires);
+          if (!expiresIn) {
+            console.log(chalk.red('Invalid --expires format. Use: 1h, 3d, 7d, 30d'));
+            process.exitCode = 1;
+            return;
+          }
+        }
+        const maxDownloads = parseInt(options.maxDownloads) || 0;
+        const password = options.password || null;
+        const share = addShare(absolutePath, type, options.visibility, { read: true }, recipients, { recursive, expiresIn, maxDownloads, password });
+
+        // Set streamable flag
+        if (options.streamable) {
+          const shares = config.get('shares');
+          const idx = shares.findIndex(s => s.id === share.id);
+          if (idx !== -1) {
+            shares[idx].streamable = true;
+            config.set('shares', shares);
+          }
+          console.log(chalk.magenta('  Media streaming enabled for this share'));
+        }
+
+        // Set network association
+        if (options.withNetwork) {
+          const shares = config.get('shares');
+          const idx = shares.findIndex(s => s.id === share.id);
+          if (idx !== -1) {
+            shares[idx].sharedWithNetworks = [options.withNetwork];
+            config.set('shares', shares);
+          }
+        }
+
+        // Persist group association
+        if (options.withGroup) {
+          const group = getGroup(options.withGroup);
+          if (group) {
+            const shares = config.get('shares');
+            const idx = shares.findIndex(s => s.id === share.id);
+            if (idx !== -1) {
+              shares[idx].sharedWithGroups = [group.id];
+              config.set('shares', shares);
+            }
+          }
+        }
+
+        // Encrypt for private shares that have named recipients
+        if (options.visibility === 'private' && share.recipients.length > 0) {
+          const { generateShareKey, encryptDirectory, getEncryptedShareDir, encryptShareKeyForRecipient } = await import('../crypto/shareEncryption.js');
+          const shareKey = generateShareKey();
+          const encDir = getEncryptedShareDir(share.id);
+          console.log(chalk.gray('Encrypting files for private share...'));
+          const encStart = Date.now();
+          const encSpinner = setInterval(() => {
+            const elapsed = ((Date.now() - encStart) / 1000).toFixed(0);
+            process.stdout.write(`\r${chalk.gray(`  Encrypting... ${elapsed}s`)}`);
+          }, 1000);
+          try {
+            encryptDirectory(absolutePath, encDir, shareKey);
+          } finally {
+            clearInterval(encSpinner);
+            process.stdout.write('\r' + ' '.repeat(40) + '\r');
+          }
+
+          // Wrap the shareKey for each recipient
+          const encryptedShareKeys = {};
+          for (const recipient of share.recipients) {
+            const pal = friends.find(f => f.name === recipient.name || f.id === recipient.id || f.handle === recipient.handle);
+            if (pal?.id && pal.id !== 'unknown') {
+              encryptedShareKeys[pal.id] = encryptShareKeyForRecipient(shareKey, pal.id);
+            }
+          }
+
+          // Store share key securely in credential store
+          await storeShareKey(share.id, shareKey.toString('hex'));
+
+          // Persist encryption metadata onto the stored share (without shareKeyHex)
+          const shares = config.get('shares');
+          const idx = shares.findIndex(s => s.id === share.id);
+          if (idx !== -1) {
+            shares[idx].encryptedPath = encDir;
+            shares[idx].encryptedShareKeys = encryptedShareKeys;
+            config.set('shares', shares);
+          }
+
+          console.log(chalk.green('Encryption complete.'));
+
+          // Warn about disk overhead for private shares
+          try {
+            const stat = fs.statSync(absolutePath);
+            if (stat.isDirectory()) {
+              let totalSize = 0;
+              const walk = (dir) => {
+                for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
+                  const full = path.join(dir, entry.name);
+                  if (entry.isFile()) totalSize += fs.statSync(full).size;
+                  else if (entry.isDirectory()) walk(full);
+                }
+              };
+              walk(absolutePath);
+              const sizeMB = (totalSize / 1024 / 1024).toFixed(0);
+              if (totalSize > 1024 * 1024 * 1024) {
+                const sizeGB = (totalSize / 1024 / 1024 / 1024).toFixed(1);
+                console.log(chalk.yellow(`  Warning: Private shares create an encrypted copy (~${sizeGB} GB additional disk space).`));
+                console.log(chalk.yellow(`  Total disk usage for this share: ~${(totalSize * 2 / 1024 / 1024 / 1024).toFixed(1)} GB (original + encrypted copy).`));
+              } else if (totalSize > 50 * 1024 * 1024) {
+                console.log(chalk.yellow(`  Note: Private shares create an encrypted copy (~${sizeMB} MB additional disk space).`));
+              }
+            }
+          } catch {}
+        }
+
+        logger.info(`Share added: ${absolutePath}`, { visibility: options.visibility, type, id: share.id });
+        console.log(chalk.green(`✔ Resource added to ${options.visibility} share list!`));
+        if (recipients.length > 0) {
+           console.log(chalk.cyan(`  Shared with: ${recipients.map(r => r.name).join(', ')}`));
+        }
+
+        // Send PAL/1.0 share.offer envelopes to recipients
+        if (options.visibility === 'private' && recipients.length > 0) {
+          try {
+            const { getIdentity } = await import('../core/identity.js');
+            const identity = await getIdentity();
+            if (identity?.privateKey) {
+              const { initiateShare } = await import('../protocol/negotiation.js');
+              const { postTo, getPrimaryServer } = await import('../core/discoveryClient.js');
+              const keyPair = {
+                publicKey: Buffer.from(identity.publicKey, 'hex'),
+                privateKey: Buffer.from(identity.privateKey, 'hex'),
+              };
+              let sent = 0;
+              for (const r of recipients) {
+                const pal = friends.find(f => f.id === r.id);
+                if (pal?.id && pal.id !== 'unknown') {
+                  const result = await initiateShare(keyPair, pal.id, share, options.policy || {});
+                  if (result.ok) {
+                    await postTo(getPrimaryServer(), '/api/v1/messages', {
+                      toHandle: pal.handle || pal.name,
+                      fromHandle: identity.handle || identity.name,
+                      payload: result.envelope,
+                    });
+                    sent++;
+                  }
+                }
+              }
+              if (sent > 0) console.log(chalk.gray(`  PAL/1.0 share offers sent to ${sent} recipient(s)`));
+            }
+          } catch {
+            // Protocol notifications are best-effort
+          }
+        }
+
+        if (share.password) console.log(chalk.yellow('  Password protected'));
+        if (share.expiresAt) console.log(chalk.gray(`  Expires: ${new Date(share.expiresAt).toLocaleString()}`));
+        if (share.maxDownloads) console.log(chalk.gray(`  Max downloads: ${share.maxDownloads}`));
+        console.log(chalk.white('To start seeding, use: pe serve'));
+        console.log(chalk.gray(`ID: ${share.id}`));
+      } catch (err) {
+        logger.error(`Share failed: ${err.message}`, { path: absolutePath });
+        console.error(chalk.red(`Error: ${err.message}`));
+      }
+    });
+}
+
+function parseDuration(str) {
+  const match = str.match(/^(\d+)([dhm])$/);
+  if (!match) return null;
+  const n = parseInt(match[1]);
+  const unit = match[2];
+  if (unit === 'd') return n * 86400000;
+  if (unit === 'h') return n * 3600000;
+  if (unit === 'm') return n * 60000;
+  return null;
+}

package/lib/commands/sso.js

@@ -0,0 +1,200 @@
+import chalk from 'chalk';
+
+export default function ssoCommand(program) {
+  const cmd = program
+    .command('sso')
+    .description('manage enterprise SSO (SAML/OIDC)')
+    .addHelpText('after', `
+Examples:
+  $ pe sso configure --provider oidc --issuer https://auth.example.com --client-id abc --client-secret xyz
+  $ pe sso configure --provider saml --issuer https://idp.example.com/metadata
+  $ pe sso login                             Initiate SSO login
+  $ pe sso status                            Show current SSO configuration
+  $ pe sso enforce --on                      Enforce mandatory SSO
+  $ pe sso enforce --off                     Disable mandatory SSO
+`)
+    .action(() => {
+      cmd.outputHelp();
+    });
+
+  cmd
+    .command('configure')
+    .description('configure SSO provider (SAML or OIDC)')
+    .requiredOption('--provider <type>', 'SSO provider type (saml or oidc)')
+    .option('--issuer <url>', 'IdP issuer URL')
+    .option('--client-id <id>', 'OIDC client ID')
+    .option('--client-secret <secret>', 'OIDC client secret')
+    .action(async (opts) => {
+      try {
+        const provider = opts.provider.toLowerCase();
+        if (provider !== 'saml' && provider !== 'oidc') {
+          console.log(chalk.red('Provider must be "saml" or "oidc".'));
+          process.exitCode = 1;
+          return;
+        }
+
+        if (provider === 'oidc' && (!opts.clientId || !opts.clientSecret)) {
+          console.log(chalk.red('OIDC requires --client-id and --client-secret.'));
+          process.exitCode = 1;
+          return;
+        }
+
+        if (!opts.issuer) {
+          console.log(chalk.red('--issuer is required.'));
+          process.exitCode = 1;
+          return;
+        }
+
+        const extConfig = (await import('../utils/config.js')).default;
+        const existing = extConfig.get('ext.sso-connector') || {};
+
+        const clientSecret = opts.clientSecret || existing.clientSecret || null;
+        const ssoConfig = {
+          ...existing,
+          provider,
+          issuer: opts.issuer,
+          clientId: opts.clientId || existing.clientId || null,
+          clientSecret: null,
+        };
+
+        if (clientSecret) {
+          try {
+            const keytar = (await import('keytar')).default;
+            await keytar.setPassword('palexplorer', 'sso.clientSecret', clientSecret);
+          } catch {
+            ssoConfig.clientSecret = clientSecret;
+          }
+        }
+
+        extConfig.set('ext.sso-connector', ssoConfig);
+
+        console.log(chalk.green(`✔ SSO configured`));
+        console.log(`  Provider: ${chalk.white(provider.toUpperCase())}`);
+        console.log(`  Issuer:   ${chalk.white(opts.issuer)}`);
+        if (provider === 'oidc') {
+          console.log(`  Client:   ${chalk.white(opts.clientId)}`);
+        }
+      } catch (err) {
+        console.log(chalk.red(`Failed to configure SSO: ${err.message}`));
+        process.exitCode = 1;
+      }
+    });
+
+  cmd
+    .command('login')
+    .description('initiate SSO login')
+    .action(async () => {
+      try {
+        const extConfig = (await import('../utils/config.js')).default;
+        const cfg = extConfig.get('ext.sso-connector');
+
+        if (!cfg || !cfg.provider) {
+          console.log(chalk.red('SSO not configured. Run: pe sso configure'));
+          process.exitCode = 1;
+          return;
+        }
+
+        let redirectUrl;
+        if (cfg.provider === 'oidc') {
+          let clientId = cfg.clientId;
+          let clientSecret = cfg.clientSecret;
+          if (!clientSecret) {
+            try {
+              const keytar = (await import('keytar')).default;
+              clientSecret = await keytar.getPassword('palexplorer', 'sso.clientSecret');
+            } catch {}
+          }
+          const state = Math.random().toString(36).slice(2);
+          const params = new URLSearchParams({
+            response_type: 'code',
+            client_id: clientId,
+            redirect_uri: 'http://localhost:9876/callback',
+            scope: 'openid profile email',
+            state,
+          });
+          redirectUrl = `${cfg.issuer}/authorize?${params}`;
+        } else {
+          redirectUrl = `${cfg.issuer}/sso/saml?RelayState=palexplorer`;
+        }
+
+        console.log('');
+        console.log(chalk.cyan('SSO Login'));
+        console.log(`  Provider: ${chalk.white(cfg.provider.toUpperCase())}`);
+        console.log(`  Redirect: ${chalk.white(redirectUrl)}`);
+        console.log('');
+        console.log(chalk.gray('Open the URL above in your browser to authenticate.'));
+      } catch (err) {
+        console.log(chalk.red(`SSO login failed: ${err.message}`));
+        process.exitCode = 1;
+      }
+    });
+
+  cmd
+    .command('status')
+    .description('show current SSO configuration')
+    .action(async () => {
+      try {
+        const extConfig = (await import('../utils/config.js')).default;
+        const cfg = extConfig.get('ext.sso-connector');
+
+        console.log('');
+        console.log(chalk.cyan.bold('SSO Configuration'));
+
+        if (!cfg || !cfg.provider) {
+          console.log(chalk.gray('  Not configured. Run: pe sso configure'));
+          console.log('');
+          return;
+        }
+
+        console.log(`  Provider:    ${chalk.white(cfg.provider.toUpperCase())}`);
+        console.log(`  Issuer:      ${chalk.white(cfg.issuer || 'not set')}`);
+        if (cfg.provider === 'oidc') {
+          console.log(`  Client ID:   ${chalk.white(cfg.clientId || 'not set')}`);
+          console.log(`  Client Secret: ${cfg.clientSecret ? chalk.gray('********') : chalk.yellow('not set')}`);
+        }
+        console.log(`  Enforce SSO: ${cfg.enforceSSO ? chalk.green('yes') : chalk.gray('no')}`);
+        console.log('');
+      } catch (err) {
+        console.log(chalk.red(`Failed to get SSO status: ${err.message}`));
+        process.exitCode = 1;
+      }
+    });
+
+  cmd
+    .command('enforce')
+    .description('enable or disable mandatory SSO')
+    .option('--on', 'Enable mandatory SSO')
+    .option('--off', 'Disable mandatory SSO')
+    .action(async (opts) => {
+      try {
+        if (!opts.on && !opts.off) {
+          console.log(chalk.red('Specify --on or --off.'));
+          process.exitCode = 1;
+          return;
+        }
+
+        const extConfig = (await import('../utils/config.js')).default;
+        const cfg = extConfig.get('ext.sso-connector');
+
+        if (!cfg || !cfg.provider) {
+          console.log(chalk.red('SSO not configured. Run: pe sso configure'));
+          process.exitCode = 1;
+          return;
+        }
+
+        const enforce = !!opts.on;
+        extConfig.set('ext.sso-connector', { ...cfg, enforceSSO: enforce });
+
+        if (enforce) {
+          console.log(chalk.green('✔ Mandatory SSO enabled'));
+          console.log(chalk.gray('  All users must authenticate via SSO.'));
+        } else {
+          console.log(chalk.green('✔ Mandatory SSO disabled'));
+          console.log(chalk.gray('  Users can authenticate with local credentials.'));
+        }
+      } catch (err) {
+        console.log(chalk.red(`Failed to update enforcement: ${err.message}`));
+        process.exitCode = 1;
+      }
+    });
+}

package/lib/commands/status.js

@@ -0,0 +1,136 @@
+import chalk from 'chalk';
+import fs from 'fs';
+import path from 'path';
+import config from '../utils/config.js';
+import { getIdentity } from '../core/identity.js';
+import { listShares } from '../core/shares.js';
+import { getTransfers } from '../core/transfers.js';
+import { getServers, checkServer } from '../core/discoveryClient.js';
+import { getConnectionState } from '../core/connectionManager.js';
+
+export default function statusCommand(program) {
+  program
+    .command('status')
+    .description('show system health dashboard')
+    .addHelpText('after', `
+Examples:
+  $ pe status                       Show system health dashboard
+`)
+    .action(async () => {
+      try {
+        const opts = program.opts();
+        const identity = await getIdentity();
+
+        if (opts.json) {
+          const shares = listShares();
+          const active = getTransfers() || [];
+          const pidPath = path.join(path.dirname(config.path), 'serve.pid');
+          const servers = getServers();
+          const checks = await Promise.all(servers.map(s => checkServer(s)));
+          const conn = getConnectionState();
+          const data = {
+            identity: identity ? { name: identity.name, handle: identity.handle, publicKey: identity.publicKey?.slice(0, 16) } : null,
+            network: { status: conn.status, connectedCount: conn.connectedCount || 0 },
+            daemon: fs.existsSync(pidPath) ? 'running' : 'stopped',
+            shares: { count: shares.length },
+            transfers: { active: active.length },
+            discoveryServers: checks
+          };
+          console.log(JSON.stringify(data, null, 2));
+          return;
+        }
+
+        // Identity
+        console.log('');
+        console.log(chalk.cyan.bold('Identity'));
+        if (identity) {
+          console.log(`  Name:       ${chalk.green(identity.name || 'Unknown')}`);
+          console.log(`  Handle:     ${chalk.green(identity.handle || 'Not linked')}`);
+          console.log(`  Public Key: ${chalk.yellow(identity.publicKey?.slice(0, 16) + '...')}`);
+        } else {
+          console.log(chalk.gray('  Not initialized. Run `pe init <name>` to get started.'));
+        }
+
+        // Network Connection
+        console.log('');
+        console.log(chalk.cyan.bold('Network'));
+        const conn = getConnectionState();
+        const connColor = conn.status === 'connected' ? chalk.green
+          : conn.status === 'connecting' ? chalk.yellow
+          : chalk.red;
+        console.log(`  Status:   ${connColor(conn.status)}`);
+        if (conn.protocol) {
+          console.log(`  Protocol: ${chalk.white(conn.protocol)} v${conn.protocolVersion}`);
+        }
+        if (conn.connectedCount > 0) {
+          console.log(`  Servers:  ${chalk.white(conn.connectedCount)} reachable`);
+        }
+
+        // Daemon
+        console.log('');
+        console.log(chalk.cyan.bold('Daemon'));
+        const pidPath = path.join(path.dirname(config.path), 'serve.pid');
+        if (fs.existsSync(pidPath)) {
+          const pid = fs.readFileSync(pidPath, 'utf8').trim();
+          try {
+            process.kill(parseInt(pid, 10), 0);
+            console.log(`  Status: ${chalk.green('Running')} (PID ${pid})`);
+          } catch {
+            console.log(`  Status: ${chalk.yellow('Stale PID file')} (process ${pid} not found)`);
+          }
+        } else {
+          console.log(`  Status: ${chalk.gray('Not running')}`);
+        }
+
+        // Shares
+        console.log('');
+        console.log(chalk.cyan.bold('Shares'));
+        const shares = listShares();
+        if (shares.length === 0) {
+          console.log(chalk.gray('  No active shares.'));
+        } else {
+          let totalSize = 0;
+          for (const s of shares) {
+            try {
+              const stat = fs.statSync(s.path);
+              totalSize += stat.isDirectory() ? 0 : stat.size;
+            } catch { /* skip */ }
+          }
+          console.log(`  Active: ${chalk.white(shares.length)}`);
+          if (totalSize > 0) {
+            console.log(`  Size:   ${chalk.white((totalSize / 1024 / 1024).toFixed(1) + ' MB')}`);
+          }
+        }
+
+        // Transfers
+        console.log('');
+        console.log(chalk.cyan.bold('Transfers'));
+        const active = getTransfers() || [];
+        if (active.length === 0) {
+          console.log(chalk.gray('  No active transfers.'));
+        } else {
+          console.log(`  Active: ${chalk.white(active.length)}`);
+        }
+
+        // Discovery servers
+        console.log('');
+        console.log(chalk.cyan.bold('Discovery Servers'));
+        const servers = getServers();
+        const checks = await Promise.all(servers.map(s => checkServer(s)));
+        for (let i = 0; i < checks.length; i++) {
+          const c = checks[i];
+          const primary = i === 0 ? chalk.cyan(' (primary)') : '';
+          if (c.reachable) {
+            console.log(`  ${chalk.green('●')} ${c.url}${primary}`);
+          } else {
+            console.log(`  ${chalk.red('●')} ${c.url} ${chalk.red('unreachable')}${primary}`);
+          }
+        }
+
+        console.log('');
+      } catch (err) {
+        console.error(chalk.red('Status check failed:'), err.message);
+        process.exitCode = 1;
+      }
+    });
+}