pal-explorer-cli 0.4.0

package/lib/commands/dept.js

@@ -0,0 +1,294 @@
+import chalk from 'chalk';
+
+export default function deptCommand(program) {
+  const cmd = program
+    .command('dept')
+    .description('department management within organizations (Enterprise)')
+    .addHelpText('after', `
+Examples:
+  $ pe dept create org123 "Engineering"      Create a department
+  $ pe dept list org123                      List departments
+  $ pe dept info org123 Engineering          Show department details
+  $ pe dept add org123 Engineering <pubkey>  Add a member
+  $ pe dept remove org123 Engineering <pubkey>
+  $ pe dept delete org123 Engineering        Delete a department
+  $ pe dept shares org123 Engineering        List department shares
+  $ pe dept policy org123 Engineering        Show department policies
+  $ pe dept policy org123 Engineering --set maxFileSize 100MB
+`)
+    .action(() => { cmd.outputHelp(); });
+
+  cmd
+    .command('create <orgId> <name>')
+    .description('create a department in an organization')
+    .action(async (orgId, name) => {
+      try {
+        const extConfig = (await import('../utils/config.js')).default;
+        const key = `departments:${orgId}`;
+        const departments = extConfig.get(key) || [];
+        if (departments.find(d => d.name === name)) {
+          console.log(chalk.yellow(`Department already exists: ${name}`));
+          process.exitCode = 1;
+          return;
+        }
+        departments.push({
+          name,
+          createdAt: new Date().toISOString(),
+          members: [],
+          policies: {},
+        });
+        extConfig.set(key, departments);
+        console.log(chalk.green(`✔ Department created: ${name}`));
+        console.log(`  Organization: ${chalk.white(orgId)}`);
+      } catch (err) {
+        console.log(chalk.red(`Create failed: ${err.message}`));
+        process.exitCode = 1;
+      }
+    });
+
+  cmd
+    .command('list <orgId>')
+    .description('list all departments in an organization')
+    .action(async (orgId) => {
+      try {
+        const extConfig = (await import('../utils/config.js')).default;
+        const key = `departments:${orgId}`;
+        const departments = extConfig.get(key) || [];
+        if (departments.length === 0) {
+          console.log(chalk.dim('No departments.'));
+          console.log(chalk.dim(`  pe dept create ${orgId} <name>`));
+          return;
+        }
+        console.log(chalk.bold(`Departments in ${orgId} (${departments.length})\n`));
+        for (const d of departments) {
+          console.log(`  ${chalk.cyan(d.name)}`);
+          console.log(`    Members: ${chalk.white(d.members.length)}  Created: ${chalk.dim(d.createdAt)}`);
+        }
+      } catch (err) {
+        console.log(chalk.red(`List failed: ${err.message}`));
+        process.exitCode = 1;
+      }
+    });
+
+  cmd
+    .command('info <orgId> <deptName>')
+    .description('show department details and members')
+    .action(async (orgId, deptName) => {
+      try {
+        const extConfig = (await import('../utils/config.js')).default;
+        const key = `departments:${orgId}`;
+        const departments = extConfig.get(key) || [];
+        const dept = departments.find(d => d.name === deptName);
+        if (!dept) {
+          console.log(chalk.red(`Department not found: ${deptName}`));
+          process.exitCode = 1;
+          return;
+        }
+        console.log('');
+        console.log(chalk.bold.cyan(dept.name));
+        console.log(chalk.gray('─'.repeat(50)));
+        console.log(`  Organization: ${chalk.white(orgId)}`);
+        console.log(`  Created:      ${chalk.dim(dept.createdAt)}`);
+        console.log(`  Members:      ${chalk.white(dept.members.length)}`);
+
+        if (dept.members.length > 0) {
+          console.log('');
+          console.log(chalk.cyan('  Members:'));
+          for (const m of dept.members) {
+            const roleColor = m.role === 'dept-admin' ? chalk.yellow : chalk.gray;
+            const pubShort = m.publicKey.slice(0, 16) + '...';
+            console.log(`    ${chalk.white(pubShort)} ${roleColor(m.role)} ${chalk.dim('joined ' + m.joinedAt)}`);
+          }
+        }
+
+        const policyKeys = Object.keys(dept.policies || {});
+        if (policyKeys.length > 0) {
+          console.log('');
+          console.log(chalk.cyan('  Policies:'));
+          for (const k of policyKeys) {
+            console.log(`    ${chalk.white(k)}: ${chalk.dim(dept.policies[k])}`);
+          }
+        }
+        console.log('');
+      } catch (err) {
+        console.log(chalk.red(`Info failed: ${err.message}`));
+        process.exitCode = 1;
+      }
+    });
+
+  cmd
+    .command('add <orgId> <deptName> <publicKey>')
+    .description('add a member to a department (requires dept-admin or org-admin)')
+    .option('--role <role>', 'member role', 'member')
+    .action(async (orgId, deptName, publicKey, opts) => {
+      try {
+        const extConfig = (await import('../utils/config.js')).default;
+        const key = `departments:${orgId}`;
+        const departments = extConfig.get(key) || [];
+        const dept = departments.find(d => d.name === deptName);
+        if (!dept) {
+          console.log(chalk.red(`Department not found: ${deptName}`));
+          process.exitCode = 1;
+          return;
+        }
+        const VALID_ROLES = ['member', 'dept-admin'];
+        if (opts.role && !VALID_ROLES.includes(opts.role)) {
+          console.error(chalk.red(`Invalid role "${opts.role}". Allowed: ${VALID_ROLES.join(', ')}`));
+          process.exitCode = 1;
+          return;
+        }
+        if (dept.members.find(m => m.publicKey === publicKey)) {
+          console.log(chalk.yellow('Member already in department.'));
+          process.exitCode = 1;
+          return;
+        }
+        dept.members.push({
+          publicKey,
+          role: opts.role,
+          joinedAt: new Date().toISOString(),
+        });
+        extConfig.set(key, departments);
+        console.log(chalk.green(`✔ Member added to ${deptName}`));
+        console.log(`  Key: ${chalk.dim(publicKey.slice(0, 16) + '...')}`);
+        console.log(`  Role: ${chalk.white(opts.role)}`);
+      } catch (err) {
+        console.log(chalk.red(`Add failed: ${err.message}`));
+        process.exitCode = 1;
+      }
+    });
+
+  cmd
+    .command('remove <orgId> <deptName> <publicKey>')
+    .description('remove a member from a department')
+    .action(async (orgId, deptName, publicKey) => {
+      try {
+        const extConfig = (await import('../utils/config.js')).default;
+        const key = `departments:${orgId}`;
+        const departments = extConfig.get(key) || [];
+        const dept = departments.find(d => d.name === deptName);
+        if (!dept) {
+          console.log(chalk.red(`Department not found: ${deptName}`));
+          process.exitCode = 1;
+          return;
+        }
+        const idx = dept.members.findIndex(m => m.publicKey === publicKey);
+        if (idx === -1) {
+          console.log(chalk.yellow('Member not found in department.'));
+          process.exitCode = 1;
+          return;
+        }
+        dept.members.splice(idx, 1);
+        extConfig.set(key, departments);
+        console.log(chalk.green(`✔ Member removed from ${deptName}`));
+      } catch (err) {
+        console.log(chalk.red(`Remove failed: ${err.message}`));
+        process.exitCode = 1;
+      }
+    });
+
+  cmd
+    .command('delete <orgId> <name>')
+    .description('delete a department')
+    .action(async (orgId, name) => {
+      try {
+        const extConfig = (await import('../utils/config.js')).default;
+        const key = `departments:${orgId}`;
+        const departments = extConfig.get(key) || [];
+        const idx = departments.findIndex(d => d.name === name);
+        if (idx === -1) {
+          console.log(chalk.red(`Department not found: ${name}`));
+          process.exitCode = 1;
+          return;
+        }
+        const removed = departments.splice(idx, 1)[0];
+        extConfig.set(key, departments);
+        console.log(chalk.green(`✔ Department deleted: ${name}`));
+        console.log(`  Had ${chalk.white(removed.members.length)} member(s)`);
+      } catch (err) {
+        console.log(chalk.red(`Delete failed: ${err.message}`));
+        process.exitCode = 1;
+      }
+    });
+
+  cmd
+    .command('shares <orgId> <deptName>')
+    .description('list shares scoped to a department')
+    .action(async (orgId, deptName) => {
+      try {
+        const extConfig = (await import('../utils/config.js')).default;
+        const key = `departments:${orgId}`;
+        const departments = extConfig.get(key) || [];
+        const dept = departments.find(d => d.name === deptName);
+        if (!dept) {
+          console.log(chalk.red(`Department not found: ${deptName}`));
+          process.exitCode = 1;
+          return;
+        }
+
+        const config = (await import('../utils/config.js')).default;
+        const shares = config.get('shares') || [];
+        const deptShares = shares.filter(s => s.department === deptName && s.orgId === orgId);
+
+        if (deptShares.length === 0) {
+          console.log(chalk.dim(`No shares scoped to department ${deptName}.`));
+          return;
+        }
+        console.log(chalk.bold(`Shares for ${deptName} (${deptShares.length})\n`));
+        for (const s of deptShares) {
+          console.log(`  ${chalk.cyan(s.path || s.name)}`);
+          console.log(`    Visibility: ${chalk.dim(s.visibility || 'private')}  Created: ${chalk.dim(s.createdAt || 'unknown')}`);
+        }
+      } catch (err) {
+        console.log(chalk.red(`Shares failed: ${err.message}`));
+        process.exitCode = 1;
+      }
+    });
+
+  cmd
+    .command('policy <orgId> <deptName>')
+    .description('show/set department policies')
+    .option('--set <key>', 'set a policy value (followed by value as argument)')
+    .action(async (orgId, deptName, opts, command) => {
+      try {
+        const extConfig = (await import('../utils/config.js')).default;
+        const key = `departments:${orgId}`;
+        const departments = extConfig.get(key) || [];
+        const dept = departments.find(d => d.name === deptName);
+        if (!dept) {
+          console.log(chalk.red(`Department not found: ${deptName}`));
+          process.exitCode = 1;
+          return;
+        }
+
+        if (opts.set) {
+          const value = command.args[0];
+          if (!value) {
+            console.log(chalk.red('Usage: pe dept policy <orgId> <deptName> --set <key> <value>'));
+            process.exitCode = 1;
+            return;
+          }
+          if (!dept.policies) dept.policies = {};
+          dept.policies[opts.set] = value;
+          extConfig.set(key, departments);
+          console.log(chalk.green(`✔ Policy set: ${opts.set} = ${value}`));
+          return;
+        }
+
+        // Show policies
+        const policies = dept.policies || {};
+        const policyKeys = Object.keys(policies);
+        if (policyKeys.length === 0) {
+          console.log(chalk.dim(`No policies set for ${deptName}.`));
+          console.log(chalk.dim(`  pe dept policy ${orgId} ${deptName} --set <key> <value>`));
+          return;
+        }
+        console.log(chalk.bold(`Policies for ${deptName}\n`));
+        for (const k of policyKeys) {
+          console.log(`  ${chalk.white(k)}: ${chalk.cyan(policies[k])}`);
+        }
+      } catch (err) {
+        console.log(chalk.red(`Policy failed: ${err.message}`));
+        process.exitCode = 1;
+      }
+    });
+}

package/lib/commands/device.js

@@ -0,0 +1,146 @@
+import chalk from 'chalk';
+import { getIdentity, getDeviceInfo, setDeviceName } from '../core/identity.js';
+import config from '../utils/config.js';
+import { getPrimaryServer } from '../core/discoveryClient.js';
+
+export default function deviceCommand(program) {
+  const cmd = program
+    .command('device')
+    .description('view and manage this device\'s identity')
+    .addHelpText('after', `
+Examples:
+  $ pe device list                  List linked devices
+  $ pe device rename "My Laptop"    Rename this device
+  $ pe device register              Register device on discovery server
+`);
+
+  // Default: show device info
+  cmd.action(async () => {
+    const identity = await getIdentity();
+    const device = getDeviceInfo();
+    if (!identity) {
+      console.log(chalk.red('No identity found. Run `pe init <name>` first.'));
+      process.exitCode = 1;
+      return;
+    }
+    if (program.opts().json) {
+      console.log(JSON.stringify({ device, identity: { name: identity.name, handle: identity.handle, publicKey: identity.publicKey } }, null, 2));
+      return;
+    }
+    console.log('');
+    console.log(chalk.cyan('This Device:'));
+    console.log(`  Device Name: ${chalk.white(device.name)}`);
+    console.log(`  Device ID:   ${chalk.gray(device.id)}`);
+    console.log(`  Identity:    ${chalk.white(identity.name)}${identity.handle ? chalk.cyan(` @${identity.handle}`) : ''}`);
+    console.log(`  Public Key:  ${chalk.gray(identity.publicKey)}`);
+    console.log(`  Created At:  ${chalk.gray(device.createdAt)}`);
+    console.log('');
+  });
+
+  cmd
+    .command('rename <name>')
+    .description('set a unique name for this device')
+    .action((name) => {
+      const updated = setDeviceName(name);
+      console.log(chalk.green(`✔ Device renamed to: ${updated.name}`));
+    });
+
+  cmd
+    .command('register <handle>')
+    .description('register this device with the discovery server under a handle')
+    .action(async (handle) => {
+      handle = handle.replace(/^@/, '');
+      const identity = await getIdentity();
+      const device = getDeviceInfo();
+
+      if (!identity || !identity.privateKey) {
+        console.log(chalk.red('No identity found. Run `pe init <name>` first.'));
+        process.exitCode = 1;
+        return;
+      }
+
+      const sodium = (await import('sodium-native')).default;
+      const privateKey = Buffer.from(identity.privateKey, 'hex');
+      const now = Date.now();
+      const message = `${handle}:${device.id}:${device.name}:${now}`;
+      const sig = Buffer.alloc(sodium.crypto_sign_BYTES);
+      sodium.crypto_sign_detached(sig, Buffer.from(message), privateKey);
+
+      const url = getPrimaryServer();
+      try {
+        process.stdout.write(chalk.gray(`Registering device '${device.name}' under @${handle}... `));
+        const res = await fetch(`${url}/devices/register`, {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({
+            handle,
+            deviceId: device.id,
+            deviceName: device.name,
+            publicKey: identity.publicKey,
+            timestamp: now,
+            signature: sig.toString('hex')
+          })
+        });
+        const result = await res.json();
+        if (result.success) {
+          console.log(chalk.green('done.'));
+          console.log(chalk.green(`✔ Device registered. Total devices for @${handle}: ${result.devices?.length || 1}`));
+        } else {
+          console.log(chalk.red(`\nFailed: ${result.error}`));
+          process.exitCode = 1;
+        }
+      } catch {
+        console.log(chalk.red(`\nCould not reach discovery server at ${url}`));
+        process.exitCode = 1;
+      }
+    });
+
+  cmd
+    .command('list [handle]')
+    .description('list all devices registered under a handle (defaults to your own)')
+    .action(async (handle) => {
+      if (!handle) {
+        const id = config.get('identity');
+        handle = id?.handle;
+        if (!handle) {
+          console.log(chalk.yellow('No handle registered. Provide one: pe device list <handle>'));
+          process.exitCode = 1;
+          return;
+        }
+      }
+      const url = getPrimaryServer();
+      try {
+        const res = await fetch(`${url}/devices/${encodeURIComponent(handle)}`);
+        if (!res.ok) {
+          const err = await res.json().catch(() => ({}));
+          console.log(chalk.red(`Failed: ${err.error || res.statusText}`));
+          process.exitCode = 1;
+          return;
+        }
+        const data = await res.json();
+        const devices = data.devices || [];
+        if (devices.length === 0) {
+          if (program.opts().json) {
+            console.log(JSON.stringify({ handle, devices: [] }, null, 2));
+            return;
+          }
+          console.log(chalk.gray(`No devices found for @${handle}.`));
+          return;
+        }
+        if (program.opts().json) {
+          console.log(JSON.stringify({ handle, devices }, null, 2));
+          return;
+        }
+        console.log('');
+        console.log(chalk.cyan(`Devices for @${handle}:`));
+        devices.forEach(d => {
+          const status = d.status === 'online' ? chalk.green('online') : chalk.gray(d.status || 'offline');
+          console.log(`  ${chalk.white(d.deviceName)}  [${status}]  ${chalk.gray(d.deviceId)}`);
+          console.log(`    Last seen: ${chalk.gray(d.updatedAt || 'unknown')}`);
+        });
+      } catch {
+        console.log(chalk.red(`Could not reach discovery server at ${url}`));
+        process.exitCode = 1;
+      }
+    });
+}

package/lib/commands/download.js

@@ -0,0 +1,226 @@
+import WebTorrent from 'webtorrent';
+import chalk from 'chalk';
+import ora from 'ora';
+import path from 'path';
+import { trackTransfer, getTransfers, completeTransfer } from '../core/transfers.js';
+import { getIdentity } from '../core/identity.js';
+import { decryptFromDownload, getDecryptedDownloadDir } from '../crypto/streamEncryption.js';
+import logger from '../utils/logger.js';
+import { getNearbyPeers, startMdns, isRunning as isMdnsRunning } from '../core/mdnsService.js';
+import { injectLanPeers, tryLanHttpDownload } from '../utils/torrent.js';
+import config from '../utils/config.js';
+import { getDownloadDir } from '../utils/downloadDir.js';
+import fs from 'fs';
+
+function startMdnsIfNeeded() {
+  if (isMdnsRunning()) return;
+  const identity = config.get('identity');
+  if (identity?.publicKey) {
+    const pidPath = path.join(path.dirname(config.path), 'serve.pid');
+    const daemonRunning = fs.existsSync(pidPath);
+    startMdns(identity, { advertise: !daemonRunning });
+  }
+}
+
+export default function downloadCommand(program) {
+  program
+    .command('download <magnet> [moreMagnets...]')
+    .description('download file(s) from Magnet Link(s)')
+    .option('--key <encryptedShareKey>', 'Encrypted share key for decryption (for private shares)')
+    .option('--lan-only', 'Only download from LAN peers (skip public trackers)')
+    .option('--share-name <name>', 'Share name for LAN HTTP download')
+    .addHelpText('after', `
+Examples:
+  $ pe download "magnet:?xt=urn:btih:..."                     Download a public share
+  $ pe download "magnet:?xt=..." --key abc123                  Download encrypted share
+  $ pe download "magnet:?xt=..." "magnet:?xt=..."              Batch download multiple
+  $ pe download "magnet:?xt=..." --lan-only                    LAN peers only
+  $ pe download "magnet:?xt=..." --share-name Photos           Try direct HTTP from LAN first
+`)
+    .action(async (magnet, moreMagnets, opts) => {
+      // Start mDNS to discover LAN peers
+      startMdnsIfNeeded();
+      const lanPeers = getNearbyPeers();
+      if (lanPeers.length > 0) {
+        logger.info(`Found ${lanPeers.length} LAN peer(s) via mDNS`);
+      }
+
+      const allMagnets = [magnet, ...(moreMagnets || [])];
+
+      if (allMagnets.length > 1) {
+        console.log(chalk.blue(`Batch downloading ${allMagnets.length} items...`));
+        const client = new WebTorrent();
+        let completed = 0;
+        let failed = 0;
+
+        for (const m of allMagnets) {
+          if (!m.startsWith('magnet:?') && !/^[0-9a-fA-F]{40}$/.test(m)) {
+            console.error(chalk.red(`Skipping invalid magnet: ${m.slice(0, 50)}...`));
+            failed++;
+            continue;
+          }
+
+          try {
+            const dlDir = getDownloadDir();
+            if (!fs.existsSync(dlDir)) fs.mkdirSync(dlDir, { recursive: true });
+            await new Promise((resolve, reject) => {
+              const timeout = setTimeout(() => reject(new Error('Peer timeout (60s)')), 60000);
+              const addOpts = { path: dlDir };
+              const t = client.add(opts.lanOnly ? m : m, addOpts, (torrent) => {
+                clearTimeout(timeout);
+                console.log(chalk.cyan(`  Downloading: ${torrent.name}`));
+                trackTransfer(m, torrent.name, dlDir, null);
+                torrent.on('done', () => {
+                  console.log(chalk.green(`  ✔ ${torrent.name}`));
+                  completeTransfer(m);
+                  completed++;
+                  resolve();
+                });
+              });
+
+              // Inject LAN peers into each torrent
+              if (lanPeers.length > 0) {
+                injectLanPeers(t, lanPeers);
+              }
+
+              client.on('error', (err) => { clearTimeout(timeout); reject(err); });
+            });
+          } catch (err) {
+            console.error(chalk.red(`  ✖ Failed: ${err.message}`));
+            failed++;
+          }
+        }
+
+        console.log('');
+        console.log(chalk.green(`Completed: ${completed}`) + (failed > 0 ? chalk.red(` Failed: ${failed}`) : ''));
+        client.destroy();
+        process.exit(failed > 0 ? 1 : 0);
+        return;
+      }
+
+      // Single download
+      if (!magnet.startsWith('magnet:?') && !/^[0-9a-fA-F]{40}$/.test(magnet)) {
+        console.error(chalk.red('Invalid magnet URI. Must start with "magnet:?" or be a 40-character hex infohash.'));
+        process.exitCode = 1;
+        return;
+      }
+
+      const dlDir = getDownloadDir();
+      if (!fs.existsSync(dlDir)) fs.mkdirSync(dlDir, { recursive: true });
+
+      // Strategy 1: Try direct HTTP download from LAN peer (fastest)
+      if (opts.shareName && lanPeers.length > 0) {
+        console.log(chalk.blue(`Trying direct LAN download from ${lanPeers.length} nearby peer(s)...`));
+        const spinner = ora('Downloading via LAN HTTP...').start();
+        try {
+          const result = await tryLanHttpDownload(lanPeers, opts.shareName, dlDir, {
+            onProgress: (pct, fileName) => {
+              spinner.text = `LAN download... ${(pct * 100).toFixed(1)}% (${fileName})`;
+            },
+          });
+          if (result) {
+            spinner.succeed(chalk.green(`LAN download complete from ${result.peerIp} (${result.files.length} files, ${(result.totalBytes / 1024 / 1024).toFixed(2)} MB)`));
+            trackTransfer(magnet, opts.shareName, dlDir, opts.key || null);
+            completeTransfer(magnet);
+            process.exit(0);
+            return;
+          }
+          spinner.info(chalk.dim('No LAN peer serving this share. Falling back to BitTorrent...'));
+        } catch (err) {
+          spinner.info(chalk.dim(`LAN download failed: ${err.message}. Falling back to BitTorrent...`));
+        }
+      }
+
+      if (opts.lanOnly && lanPeers.length === 0) {
+        console.error(chalk.red('No LAN peers found. Remove --lan-only to use public trackers.'));
+        process.exitCode = 1;
+        return;
+      }
+
+      // Strategy 2: WebTorrent with LAN peer injection
+      logger.info('Starting download', { magnet: magnet.slice(0, 40) });
+      console.log(chalk.blue('Connecting to peers...'));
+      if (lanPeers.length > 0) {
+        console.log(chalk.cyan(`  ${lanPeers.length} LAN peer(s) will be injected for faster discovery`));
+      }
+      const spinner = ora('Finding peers...').start();
+
+      const client = new WebTorrent();
+
+      const peerTimeout = setTimeout(() => {
+        const torrents = client.torrents;
+        if (torrents.length > 0 && torrents[0].numPeers === 0) {
+          spinner.warn(chalk.yellow('⚠ No peers found after 120 seconds. Check that the share is being seeded.'));
+          client.destroy();
+          process.exitCode = 1;
+        }
+      }, 120000);
+
+      const addOpts = { path: dlDir };
+      const torrentSrc = opts.lanOnly ? magnet : magnet;
+
+      client.add(torrentSrc, addOpts, (torrent) => {
+        clearTimeout(peerTimeout);
+        spinner.succeed(chalk.green(`Connected! Downloading: ${torrent.name}`));
+
+        // Track transfer, storing the encrypted key if provided
+        trackTransfer(magnet, torrent.name, dlDir, opts.key || null);
+
+        const progressSpinner = ora('Downloading... 0%').start();
+
+        torrent.on('download', (bytes) => {
+          const progress = (torrent.progress * 100).toFixed(1);
+          progressSpinner.text = `Downloading... ${progress}% (${(torrent.downloaded / 1024 / 1024).toFixed(2)} MB / ${(torrent.length / 1024 / 1024).toFixed(2)} MB)`;
+        });
+
+        torrent.on('done', async () => {
+          logger.info(`Download complete: ${torrent.name}`, { size: torrent.length });
+          progressSpinner.succeed(chalk.green('Download Complete!'));
+          const downloadedDir = path.join(dlDir, torrent.name);
+          console.log(chalk.cyan(`File saved to: ${downloadedDir}`));
+
+          // Attempt decryption if an encrypted share key was provided
+          const transfers = getTransfers();
+          const thisTransfer = transfers.find(t => t.magnet === magnet);
+          if (thisTransfer?.encryptedShareKey) {
+            const identity = await getIdentity();
+            if (identity?.publicKey && identity?.privateKey) {
+              try {
+                const { decryptShareKey } = await import('../crypto/shareEncryption.js');
+                const shareKey = decryptShareKey(thisTransfer.encryptedShareKey, identity.publicKey, identity.privateKey);
+                const shareName = thisTransfer.name || 'download';
+                const outDir = getDecryptedDownloadDir(shareName);
+                console.log(chalk.blue('Decrypting E2EE files...'));
+                decryptFromDownload(downloadedDir, outDir, shareKey);
+                console.log(chalk.green(`Decrypted files saved to: ${outDir}`));
+              } catch (e) {
+                console.log(chalk.yellow(`Warning: Could not decrypt files — ${e.message}`));
+              }
+            } else {
+              console.log(chalk.yellow('Warning: No identity found — skipping decryption. Run `pe identity` to set up.'));
+            }
+          }
+
+          completeTransfer(magnet);
+          client.destroy();
+          process.exit(0);
+        });
+      });
+
+      // Inject LAN peers into the torrent right after adding
+      const currentTorrent = client.torrents[client.torrents.length - 1];
+      if (currentTorrent && lanPeers.length > 0) {
+        const injected = injectLanPeers(currentTorrent, lanPeers);
+        if (injected > 0) {
+          logger.info(`Injected ${injected} LAN peer(s) into torrent`);
+        }
+      }
+
+      client.on('error', (err) => {
+        logger.error(`Download failed: ${err.message}`, { magnet: magnet.slice(0, 40) });
+        spinner.fail(chalk.red('Download Failed'));
+        console.error(chalk.red(`Error: ${err.message}`));
+        process.exit(1);
+      });
+    });
+}