npm - pal-explorer-cli - Versions diffs - 0.4.11 → 0.4.13 - Mend

pal-explorer-cli 0.4.11 → 0.4.13

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (99) hide show

package/README.md +149 -149
package/bin/pal.js +63 -2
package/extensions/@palexplorer/analytics/extension.json +20 -1
package/extensions/@palexplorer/analytics/index.js +19 -9
package/extensions/@palexplorer/audit/extension.json +14 -0
package/extensions/@palexplorer/auth-email/extension.json +15 -0
package/extensions/@palexplorer/auth-oauth/extension.json +15 -0
package/extensions/@palexplorer/chat/extension.json +14 -0
package/extensions/@palexplorer/discovery/extension.json +17 -0
package/extensions/@palexplorer/discovery/index.js +1 -1
package/extensions/@palexplorer/email-notifications/extension.json +23 -0
package/extensions/@palexplorer/groups/extension.json +15 -0
package/extensions/@palexplorer/share-links/extension.json +15 -0
package/extensions/@palexplorer/sync/extension.json +16 -0
package/extensions/@palexplorer/user-mgmt/extension.json +15 -0
package/lib/capabilities.js +24 -24
package/lib/commands/analytics.js +175 -175
package/lib/commands/api-keys.js +131 -131
package/lib/commands/audit.js +235 -235
package/lib/commands/auth.js +137 -137
package/lib/commands/backup.js +76 -76
package/lib/commands/billing.js +148 -148
package/lib/commands/chat.js +217 -217
package/lib/commands/cloud-backup.js +231 -231
package/lib/commands/comment.js +99 -99
package/lib/commands/completion.js +203 -203
package/lib/commands/compliance.js +218 -218
package/lib/commands/config.js +136 -136
package/lib/commands/connect.js +44 -44
package/lib/commands/dept.js +294 -294
package/lib/commands/device.js +146 -146
package/lib/commands/download.js +240 -226
package/lib/commands/explorer.js +178 -178
package/lib/commands/extension.js +1060 -970
package/lib/commands/favorite.js +90 -90
package/lib/commands/federation.js +270 -270
package/lib/commands/file.js +533 -533
package/lib/commands/group.js +271 -271
package/lib/commands/gui-share.js +29 -29
package/lib/commands/init.js +61 -61
package/lib/commands/invite.js +59 -59
package/lib/commands/list.js +58 -58
package/lib/commands/log.js +116 -116
package/lib/commands/nearby.js +108 -108
package/lib/commands/network.js +251 -251
package/lib/commands/notify.js +198 -198
package/lib/commands/org.js +273 -273
package/lib/commands/pal.js +403 -180
package/lib/commands/permissions.js +216 -216
package/lib/commands/pin.js +97 -97
package/lib/commands/protocol.js +357 -357
package/lib/commands/rbac.js +147 -147
package/lib/commands/recover.js +36 -36
package/lib/commands/register.js +171 -171
package/lib/commands/relay.js +131 -131
package/lib/commands/remote.js +368 -368
package/lib/commands/revoke.js +50 -50
package/lib/commands/scanner.js +280 -280
package/lib/commands/schedule.js +344 -344
package/lib/commands/scim.js +203 -203
package/lib/commands/search.js +181 -181
package/lib/commands/serve.js +438 -438
package/lib/commands/server.js +350 -350
package/lib/commands/share-link.js +199 -199
package/lib/commands/share.js +336 -323
package/lib/commands/sso.js +200 -200
package/lib/commands/status.js +145 -145
package/lib/commands/stream.js +562 -562
package/lib/commands/su.js +187 -187
package/lib/commands/sync.js +979 -979
package/lib/commands/transfers.js +152 -152
package/lib/commands/uninstall.js +188 -188
package/lib/commands/update.js +204 -204
package/lib/commands/user.js +276 -276
package/lib/commands/vfs.js +84 -84
package/lib/commands/web-login.js +79 -79
package/lib/commands/web.js +52 -52
package/lib/commands/webhook.js +180 -180
package/lib/commands/whoami.js +59 -59
package/lib/commands/workspace.js +121 -121
package/lib/core/billing.js +16 -5
package/lib/core/dhtDiscovery.js +9 -2
package/lib/core/discoveryClient.js +13 -7
package/lib/core/extensions.js +142 -1
package/lib/core/identity.js +33 -2
package/lib/core/imageProcessor.js +109 -0
package/lib/core/imageTorrent.js +167 -0
package/lib/core/permissions.js +1 -1
package/lib/core/pro.js +11 -4
package/lib/core/serverList.js +4 -1
package/lib/core/shares.js +12 -1
package/lib/core/signalingServer.js +14 -2
package/lib/core/su.js +1 -1
package/lib/core/users.js +1 -1
package/lib/protocol/messages.js +12 -3
package/lib/utils/explorer.js +1 -1
package/lib/utils/help.js +357 -357
package/lib/utils/torrent.js +1 -0
package/package.json +4 -3

package/lib/commands/serve.js CHANGED Viewed

@@ -1,438 +1,438 @@
-import WebTorrent from 'webtorrent';
-import chalk from 'chalk';
-import path from 'path';
-import fs from 'fs';
-import { spawn } from 'child_process';
-import { fileURLToPath } from 'url';
-import { listShares, getShareKey, isShareExpired, expireOldShares } from '../core/shares.js';
-import { getTransfers, updateTransferProgress, completeTransfer } from '../core/transfers.js';
-import { encryptForSeed, getEncryptedSeedDir } from '../crypto/streamEncryption.js';
-import { generateShareKey } from '../crypto/shareEncryption.js';
-import config from '../utils/config.js';
-import logger from '../utils/logger.js';
-import { requireRole } from '../core/users.js';
-import { startWebServer } from '../core/webServer.js';
-import { getPrimaryServer, postTo } from '../core/discoveryClient.js';
-import { startMdns } from '../core/mdnsService.js';
-import { connect, getConnectionState } from '../core/connectionManager.js';
-import { startAsync as startSignaling, setMessageHandler, stop as stopSignaling } from '../core/signalingServer.js';
-import { DEFAULT_TRACKERS } from '../utils/torrent.js';
-import os from 'os';
-function getLanIp() {
-  const interfaces = os.networkInterfaces();
-  const candidates = [];
-  for (const name of Object.keys(interfaces)) {
-    for (const iface of interfaces[name]) {
-      if (iface.family === 'IPv4' && !iface.internal) {
-        // Prefer 192.168.x.x and 10.x.x.x over virtual adapters (172.x usually WSL/Docker)
-        const priority = iface.address.startsWith('192.168.') || iface.address.startsWith('10.') ? 0 : 1;
-        candidates.push({ address: iface.address, priority, name });
-      }
-    }
-  }
-  candidates.sort((a, b) => a.priority - b.priority);
-  return candidates[0]?.address || null;
-}
-const pidFile = () => path.join(path.dirname(config.path), 'serve.pid');
-export default function serveCommand(program) {
-  program
-    .command('serve')
-    .description('start the sharing daemon (seeds all active shares)')
-    .option('--daemon', 'Run as a background daemon')
-    .option('--stop', 'Stop a running daemon')
-    .option('--web', 'Start the web dashboard alongside the seeder')
-    .option('--web-port <port>', 'Web dashboard port (default: 8585)', '8585')
-    .option('--lan', 'Bind web server to 0.0.0.0 for LAN access')
-    .option('--public-ip <ip>', 'Public IP/hostname for serveUrl announcement (for VPS/cloud)')
-    .addHelpText('after', `
-Examples:
-  $ pe serve                        Start seeding in foreground
-  $ pe serve --daemon               Start as background daemon
-  $ pe serve --stop                 Stop the daemon
-  $ pe serve --web                  Start with web dashboard
-  $ pe serve --web --web-port 9090  Custom web dashboard port
-  $ pe serve --web --lan --public-ip 1.2.3.4  VPS with public IP
-`)
-    .action(async (opts) => {
-      try { requireRole('user'); } catch (e) {
-        console.log(chalk.red(e.message));
-        process.exitCode = 1;
-        return;
-      }
-      if (opts.stop) {
-        const pidPath = pidFile();
-        if (!fs.existsSync(pidPath)) {
-          console.log(chalk.yellow('No daemon PID file found.'));
-          return;
-        }
-        const pid = parseInt(fs.readFileSync(pidPath, 'utf8').trim(), 10);
-        try {
-          process.kill(pid, 0); // check if alive
-          process.kill(pid, 'SIGTERM');
-          fs.unlinkSync(pidPath);
-          console.log(chalk.green(`Daemon stopped (PID ${pid}).`));
-        } catch (err) {
-          fs.unlinkSync(pidPath);
-          if (err.code === 'ESRCH') {
-            console.log(chalk.yellow(`Daemon (PID ${pid}) was not running. Cleaned up stale PID file.`));
-          } else {
-            console.log(chalk.red(`Failed to stop daemon (PID ${pid}): ${err.message}`));
-            process.exitCode = 1;
-          }
-        }
-        return;
-      }
-      if (opts.daemon) {
-        const binPath = fileURLToPath(new URL('../../bin/pal.js', import.meta.url));
-        const args = [binPath, 'serve'];
-        if (opts.web) {
-          args.push('--web');
-          if (opts.webPort && opts.webPort !== '8585') args.push('--web-port', opts.webPort);
-          if (opts.lan) args.push('--lan');
-          if (opts.publicIp) args.push('--public-ip', opts.publicIp);
-        }
-        const child = spawn(process.execPath, args, {
-          detached: true,
-          stdio: 'ignore'
-        });
-        child.unref();
-        fs.writeFileSync(pidFile(), String(child.pid));
-        console.log(chalk.green(`Daemon started (PID: ${child.pid})`));
-        return;
-      }
-      // ── Start P2P services FIRST (signaling, mDNS, DHT) ──
-      // These must start before seeding so peers can query us immediately
-      // Start PAL/1.0 signaling server (port 7474)
-      let signalingActive = false;
-      try {
-        const { handleIncoming } = await import('../protocol/handler.js');
-        const identity = config.get('identity');
-        if (identity?.privateKey) {
-          const keyPair = {
-            publicKey: Buffer.from(identity.publicKey, 'hex'),
-            privateKey: Buffer.from(identity.privateKey, 'hex'),
-          };
-          setMessageHandler((envelope) => handleIncoming(envelope, keyPair));
-        }
-        const sigResult = await startSignaling();
-        signalingActive = sigResult.bound;
-        if (signalingActive) {
-          console.log(chalk.cyan('PAL/1.0 signaling server active (port 7474)'));
-        } else {
-          console.log(chalk.yellow(`Signaling server failed to bind (${sigResult.error || 'unknown'})`));
-        }
-      } catch (err) {
-        console.error(chalk.red(`Failed to start signaling: ${err.message}`));
-      }
-      // Start mDNS background advertisement (only if signaling bound successfully)
-      if (signalingActive) {
-        try {
-          const identity = config.get('identity');
-          if (identity) {
-            startMdns(identity, {});
-            console.log(chalk.cyan('mDNS discovery active (LAN peer detection)'));
-          }
-        } catch { /* non-fatal */ }
-      } else {
-        console.log(chalk.yellow('Skipping mDNS — signaling server not active (port in use by another instance?)'));
-      }
-      // Re-publish to DHT every 30 minutes
-      const identity = config.get('identity');
-      if (identity?.handle && identity?.privateKey && identity?.publicKey) {
-        const republishDHT = async () => {
-          try {
-            const { DHTDiscovery } = await import('../core/dhtDiscovery.js');
-            const dht = new DHTDiscovery();
-            const dhtHash = await dht.publish(identity.handle, identity.publicKey, identity.privateKey);
-            const cache = config.get('handleCache') || {};
-            if (!cache[identity.handle]) cache[identity.handle] = {};
-            cache[identity.handle].dhtHash = dhtHash;
-            config.set('handleCache', cache);
-            logger.info('DHT re-published', { handle: identity.handle, hash: dhtHash.slice(0, 12) });
-            dht.destroy();
-          } catch (err) {
-            logger.warn(`DHT re-publish failed: ${err.message}`);
-          }
-        };
-        republishDHT();
-        setInterval(republishDHT, 30 * 60 * 1000);
-      }
-      // Register device with discovery server so peers can find us
-      try {
-        const ident = config.get('identity');
-        const device = config.get('device');
-        if (ident?.handle && ident?.publicKey && device?.id) {
-          const { getIdentity: getFullIdentity } = await import('../core/identity.js');
-          const fullIdent = await getFullIdentity();
-          if (fullIdent?.privateKey) {
-            const { signMessage } = await import('../crypto/chatEncryption.js');
-            const timestamp = String(Date.now());
-            const sigMsg = `${ident.handle}:${device.id}:${device.name}:${timestamp}`;
-            const signature = signMessage(sigMsg, fullIdent.privateKey);
-            const serverUrl = getPrimaryServer();
-            postTo(serverUrl, '/devices/register', {
-              handle: ident.handle,
-              deviceId: device.id,
-              deviceName: device.name,
-              publicKey: ident.publicKey,
-              timestamp,
-              signature,
-            }).then(() => console.log(chalk.cyan('Device registered with discovery server')))
-              .catch(() => {});
-          }
-        }
-      } catch {}
-      // Connect to network in background (don't block serving)
-      const connState = getConnectionState();
-      if (connState.status !== 'connected') {
-        console.log(chalk.blue('Connecting to network...'));
-        connect({
-          onProgress: (step) => console.log(chalk.gray(`  ${step}`)),
-        }).catch(() => console.log(chalk.yellow('Network connect failed — serving locally only')));
-      }
-      // ── Seed shares via WebTorrent ──
-      const shares = listShares();
-      if (shares.length === 0) {
-        console.log(chalk.gray('No active shares to seed. Signaling server still running.'));
-      }
-      const client = new WebTorrent();
-      client.setMaxListeners(Math.max(shares.length, 10) + 20);
-      // Auto-expire old shares before seeding
-      expireOldShares();
-      if (shares.length > 0) {
-        logger.info('Starting Pal Explorer Seeder...', { shares: shares.length });
-        console.log(chalk.blue(`Seeding ${shares.length} share(s)...`));
-      }
-      for (const share of shares) {
-        try {
-          if (isShareExpired(share)) {
-            console.log(chalk.gray(`Skipping ${share.name}: expired`));
-            continue;
-          }
-          if (!fs.existsSync(share.path)) {
-            console.log(chalk.yellow(`Skipping ${share.name}: path not found (${share.path})`));
-            continue;
-          }
-          let seedPath = share.path;
-          // Non-recursive: seed only top-level files
-          if (share.recursive === false && fs.statSync(share.path).isDirectory()) {
-            const items = fs.readdirSync(share.path, { withFileTypes: true });
-            const topFiles = items.filter(i => i.isFile()).map(i => path.join(share.path, i.name));
-            if (topFiles.length === 0) {
-              console.log(chalk.yellow(`Skipping ${share.name}: no top-level files (non-recursive).`));
-              continue;
-            }
-            seedPath = topFiles;
-          }
-          if (share.visibility === 'private') {
-            const shareKeyHex = await getShareKey(share.id);
-            if (shareKeyHex) {
-              const shareKey = Buffer.from(shareKeyHex, 'hex');
-              const encDir = share.encryptedPath || getEncryptedSeedDir(share.id);
-              if (!fs.existsSync(path.join(encDir, '.manifest.enc'))) {
-                console.log(chalk.gray(`  Encrypting ${share.name} for E2EE seeding...`));
-                encryptForSeed(share.path, encDir, shareKey);
-                const allShares = config.get('shares') || [];
-                const entry = allShares.find(s => s.id === share.id);
-                if (entry) {
-                  entry.encryptedPath = encDir;
-                  config.set('shares', allShares);
-                }
-              }
-              seedPath = encDir;
-            } else if (share.encryptedPath && fs.existsSync(share.encryptedPath)) {
-              seedPath = share.encryptedPath;
-            }
-          }
-          console.log(chalk.yellow(`Initializing: ${share.name} (${share.visibility})`));
-          const options = {
-            name: share.name,
-            announce: share.visibility === 'private' ? [] : [...DEFAULT_TRACKERS]
-          };
-          client.seed(seedPath, options, async (torrent) => {
-            logger.info(`Seeding: ${share.name}`, { magnet: torrent.magnetURI, size: torrent.length });
-            console.log(chalk.green(`✔ Seeding: ${share.name}`));
-            if (share.visibility === 'global') {
-              console.log(chalk.cyan(`  Magnet: ${torrent.magnetURI}`));
-            } else {
-              console.log(chalk.red(`  [PRIVATE E2EE] Encrypted transfer only.`));
-              console.log(chalk.gray(`  Secret Magnet: ${torrent.magnetURI}`));
-            }
-            console.log(chalk.gray(`  Size: ${(torrent.length / 1024 / 1024).toFixed(2)} MB`));
-            const allShares = config.get('shares') || [];
-            const entry = allShares.find(s => s.path === share.path);
-            const isNewMagnet = entry && !entry.magnet;
-            if (entry) {
-              if (isNewMagnet) entry.magnet = torrent.magnetURI;
-              entry.files = torrent.files.map(f => ({ name: f.name, path: f.path, size: f.length }));
-              config.set('shares', allShares);
-            }
-            // Send share invite to recipients via discovery server inbox
-            if (isNewMagnet && share.visibility === 'private' && share.recipients?.length > 0) {
-              const ident = config.get('identity');
-              const discoveryUrl = getPrimaryServer();
-              const { getFriends } = await import('../core/users.js');
-              const friends = getFriends();
-              const encKeys = share.encryptedShareKeys || {};
-              for (const recipient of share.recipients) {
-                const pal = friends.find(f => f.id === recipient.id || f.name === recipient.name);
-                const handle = pal?.handle || recipient.handle;
-                if (!handle) continue;
-                const invite = {
-                  type: 'share-invite',
-                  shareName: share.name,
-                  shareId: share.id,
-                  magnet: torrent.magnetURI,
-                  encryptedShareKey: encKeys[pal?.id || recipient.id] || null,
-                  from: ident?.handle || ident?.name || 'unknown',
-                };
-                try {
-                  const res = await postTo(discoveryUrl, '/messages', { toHandle: handle, fromHandle: ident?.handle, payload: JSON.stringify(invite) });
-                  if (res.ok) {
-                    console.log(chalk.cyan(`  Sent share invite to @${handle}`));
-                  } else {
-                    console.log(chalk.yellow(`  Failed to notify @${handle}: ${res.status}`));
-                  }
-                } catch {
-                  console.log(chalk.yellow(`  Could not reach discovery server to notify @${handle}`));
-                }
-              }
-            }
-          });
-        } catch (err) {
-          logger.error(`Failed to seed ${share.name}: ${err.message}`, { share: share.id });
-          console.error(chalk.red(`Failed to seed ${share.name}: ${err.message}`));
-        }
-      }
-      // Auto-resume incomplete downloads (skip paused)
-      const pendingDownloads = getTransfers().filter(t => !t.paused && t.status !== 'completed');
-      if (pendingDownloads.length > 0) {
-        console.log(chalk.blue(`Resuming ${pendingDownloads.length} incomplete download(s)...`));
-        for (const t of pendingDownloads) {
-          try {
-            const torrent = client.add(t.magnet, { path: t.savePath });
-            torrent.on('download', () => updateTransferProgress(t.magnet, torrent.progress));
-            torrent.on('done', () => {
-              completeTransfer(t.magnet);
-              console.log(chalk.green(`✔ Download complete: ${t.name}`));
-            });
-            console.log(chalk.yellow(`  Resuming: ${t.name || t.magnet.slice(0, 40) + '...'}`));
-          } catch (err) {
-            console.error(chalk.red(`Failed to resume download: ${err.message}`));
-          }
-        }
-      }
-      // Start web dashboard if requested
-      if (opts.web) {
-        try {
-          const webPort = parseInt(opts.webPort, 10);
-          const bindAddress = opts.lan ? '0.0.0.0' : '127.0.0.1';
-          const { token } = await startWebServer(webPort, client, { bindAddress });
-          console.log('');
-          const announceIp = opts.publicIp || getLanIp() || 'localhost';
-          const webServeUrl = `http://${announceIp}:${webPort}`;
-          if (opts.lan) {
-            console.log(chalk.green(`Web dashboard running at ${webServeUrl}?token=${token}`));
-            console.log(chalk.dim(`  (LAN accessible, browse from other devices)`));
-          } else {
-            console.log(chalk.green(`Web dashboard running at http://localhost:${webPort}?token=${token}`));
-          }
-          const { hooks } = await import('../core/extensions.js');
-          await hooks.emit('on:server:start', { port: webPort, url: webServeUrl });
-        } catch (err) {
-          console.error(chalk.red(`Failed to start web dashboard: ${err.message}`));
-        }
-      }
-      // Store torrent port in config once WebTorrent is listening
-      const storeTorrentPort = () => {
-        const torrentPort = client.address()?.port || null;
-        if (torrentPort) {
-          config.set('torrentPort', torrentPort);
-          // Update mDNS with port info
-          try {
-            const ident = config.get('identity');
-            if (ident) {
-              const webPort = opts.web ? parseInt(opts.webPort, 10) : null;
-              import('../core/mdnsService.js').then(({ stopMdns }) => {
-                stopMdns();
-                startMdns(ident, { torrentPort, webPort });
-              });
-            }
-          } catch { /* non-fatal */ }
-        }
-      };
-      // Try immediately, then retry after a delay (WebTorrent may not be listening yet)
-      storeTorrentPort();
-      setTimeout(storeTorrentPort, 5000);
-      setTimeout(storeTorrentPort, 15000);
-      console.log('');
-      console.log(chalk.bgBlue('Daemon is running. Press Ctrl+C to stop sharing.'));
-      console.log('');
-      // Bug #20 fix: auto-seed new shares created after daemon started
-      const seededPaths = new Set(shares.map(s => s.path));
-      setInterval(() => {
-        try {
-          expireOldShares();
-          const currentShares = listShares();
-          for (const share of currentShares) {
-            if (seededPaths.has(share.path)) continue;
-            if (isShareExpired(share)) continue;
-            if (!fs.existsSync(share.path)) continue;
-            seededPaths.add(share.path);
-            const seedOpts = { name: share.name, announce: share.visibility === 'private' ? [] : [...DEFAULT_TRACKERS] };
-            client.seed(share.path, seedOpts, (torrent) => {
-              console.log(chalk.green(`✔ Auto-seeding new share: ${share.name}`));
-              const allShares = config.get('shares') || [];
-              const entry = allShares.find(s => s.path === share.path);
-              if (entry && !entry.magnet) {
-                entry.magnet = torrent.magnetURI;
-                entry.files = torrent.files.map(f => ({ name: f.name, path: f.path, size: f.length }));
-                config.set('shares', allShares);
-              }
-            });
-          }
-        } catch {}
-      }, 60000);
-      // Periodic stats every 30 seconds
-      setInterval(() => {
-        const up = (client.uploadSpeed / 1024).toFixed(1);
-        const down = (client.downloadSpeed / 1024).toFixed(1);
-        const count = client.torrents.length;
-        console.log(chalk.gray(`[stats] ↑ ${up} KB/s  ↓ ${down} KB/s  torrents: ${count}`));
-      }, 30000);
-    });
-}
+import WebTorrent from 'webtorrent';
+import chalk from 'chalk';
+import path from 'path';
+import fs from 'fs';
+import { spawn } from 'child_process';
+import { fileURLToPath } from 'url';
+import { listShares, getShareKey, isShareExpired, expireOldShares } from '../core/shares.js';
+import { getTransfers, updateTransferProgress, completeTransfer } from '../core/transfers.js';
+import { encryptForSeed, getEncryptedSeedDir } from '../crypto/streamEncryption.js';
+import { generateShareKey } from '../crypto/shareEncryption.js';
+import config from '../utils/config.js';
+import logger from '../utils/logger.js';
+import { requireRole } from '../core/users.js';
+import { startWebServer } from '../core/webServer.js';
+import { getPrimaryServer, postTo } from '../core/discoveryClient.js';
+import { startMdns } from '../core/mdnsService.js';
+import { connect, getConnectionState } from '../core/connectionManager.js';
+import { startAsync as startSignaling, setMessageHandler, stop as stopSignaling } from '../core/signalingServer.js';
+import { DEFAULT_TRACKERS } from '../utils/torrent.js';
+import os from 'os';
+function getLanIp() {
+  const interfaces = os.networkInterfaces();
+  const candidates = [];
+  for (const name of Object.keys(interfaces)) {
+    for (const iface of interfaces[name]) {
+      if (iface.family === 'IPv4' && !iface.internal) {
+        // Prefer 192.168.x.x and 10.x.x.x over virtual adapters (172.x usually WSL/Docker)
+        const priority = iface.address.startsWith('192.168.') || iface.address.startsWith('10.') ? 0 : 1;
+        candidates.push({ address: iface.address, priority, name });
+      }
+    }
+  }
+  candidates.sort((a, b) => a.priority - b.priority);
+  return candidates[0]?.address || null;
+}
+const pidFile = () => path.join(path.dirname(config.path), 'serve.pid');
+export default function serveCommand(program) {
+  program
+    .command('serve')
+    .description('start the sharing daemon (seeds all active shares)')
+    .option('--daemon', 'Run as a background daemon')
+    .option('--stop', 'Stop a running daemon')
+    .option('--web', 'Start the web dashboard alongside the seeder')
+    .option('--web-port <port>', 'Web dashboard port (default: 8585)', '8585')
+    .option('--lan', 'Bind web server to 0.0.0.0 for LAN access')
+    .option('--public-ip <ip>', 'Public IP/hostname for serveUrl announcement (for VPS/cloud)')
+    .addHelpText('after', `
+Examples:
+  $ pal serve                        Start seeding in foreground
+  $ pal serve --daemon               Start as background daemon
+  $ pal serve --stop                 Stop the daemon
+  $ pal serve --web                  Start with web dashboard
+  $ pal serve --web --web-port 9090  Custom web dashboard port
+  $ pal serve --web --lan --public-ip 1.2.3.4  VPS with public IP
+`)
+    .action(async (opts) => {
+      try { requireRole('user'); } catch (e) {
+        console.log(chalk.red(e.message));
+        process.exitCode = 1;
+        return;
+      }
+      if (opts.stop) {
+        const pidPath = pidFile();
+        if (!fs.existsSync(pidPath)) {
+          console.log(chalk.yellow('No daemon PID file found.'));
+          return;
+        }
+        const pid = parseInt(fs.readFileSync(pidPath, 'utf8').trim(), 10);
+        try {
+          process.kill(pid, 0); // check if alive
+          process.kill(pid, 'SIGTERM');
+          fs.unlinkSync(pidPath);
+          console.log(chalk.green(`Daemon stopped (PID ${pid}).`));
+        } catch (err) {
+          fs.unlinkSync(pidPath);
+          if (err.code === 'ESRCH') {
+            console.log(chalk.yellow(`Daemon (PID ${pid}) was not running. Cleaned up stale PID file.`));
+          } else {
+            console.log(chalk.red(`Failed to stop daemon (PID ${pid}): ${err.message}`));
+            process.exitCode = 1;
+          }
+        }
+        return;
+      }
+      if (opts.daemon) {
+        const binPath = fileURLToPath(new URL('../../bin/pal.js', import.meta.url));
+        const args = [binPath, 'serve'];
+        if (opts.web) {
+          args.push('--web');
+          if (opts.webPort && opts.webPort !== '8585') args.push('--web-port', opts.webPort);
+          if (opts.lan) args.push('--lan');
+          if (opts.publicIp) args.push('--public-ip', opts.publicIp);
+        }
+        const child = spawn(process.execPath, args, {
+          detached: true,
+          stdio: 'ignore'
+        });
+        child.unref();
+        fs.writeFileSync(pidFile(), String(child.pid));
+        console.log(chalk.green(`Daemon started (PID: ${child.pid})`));
+        return;
+      }
+      // ── Start P2P services FIRST (signaling, mDNS, DHT) ──
+      // These must start before seeding so peers can query us immediately
+      // Start PAL/1.0 signaling server (port 7474)
+      let signalingActive = false;
+      try {
+        const { handleIncoming } = await import('../protocol/handler.js');
+        const identity = config.get('identity');
+        if (identity?.privateKey) {
+          const keyPair = {
+            publicKey: Buffer.from(identity.publicKey, 'hex'),
+            privateKey: Buffer.from(identity.privateKey, 'hex'),
+          };
+          setMessageHandler((envelope) => handleIncoming(envelope, keyPair));
+        }
+        const sigResult = await startSignaling();
+        signalingActive = sigResult.bound;
+        if (signalingActive) {
+          console.log(chalk.cyan('PAL/1.0 signaling server active (port 7474)'));
+        } else {
+          console.log(chalk.yellow(`Signaling server failed to bind (${sigResult.error || 'unknown'})`));
+        }
+      } catch (err) {
+        console.error(chalk.red(`Failed to start signaling: ${err.message}`));
+      }
+      // Start mDNS background advertisement (only if signaling bound successfully)
+      if (signalingActive) {
+        try {
+          const identity = config.get('identity');
+          if (identity) {
+            startMdns(identity, {});
+            console.log(chalk.cyan('mDNS discovery active (LAN peer detection)'));
+          }
+        } catch { /* non-fatal */ }
+      } else {
+        console.log(chalk.yellow('Skipping mDNS — signaling server not active (port in use by another instance?)'));
+      }
+      // Re-publish to DHT every 30 minutes
+      const identity = config.get('identity');
+      if (identity?.handle && identity?.privateKey && identity?.publicKey) {
+        const republishDHT = async () => {
+          try {
+            const { DHTDiscovery } = await import('../core/dhtDiscovery.js');
+            const dht = new DHTDiscovery();
+            const dhtHash = await dht.publish(identity.handle, identity.publicKey, identity.privateKey);
+            const cache = config.get('handleCache') || {};
+            if (!cache[identity.handle]) cache[identity.handle] = {};
+            cache[identity.handle].dhtHash = dhtHash;
+            config.set('handleCache', cache);
+            logger.info('DHT re-published', { handle: identity.handle, hash: dhtHash.slice(0, 12) });
+            dht.destroy();
+          } catch (err) {
+            logger.warn(`DHT re-publish failed: ${err.message}`);
+          }
+        };
+        republishDHT();
+        setInterval(republishDHT, 30 * 60 * 1000);
+      }
+      // Register device with discovery server so peers can find us
+      try {
+        const ident = config.get('identity');
+        const device = config.get('device');
+        if (ident?.handle && ident?.publicKey && device?.id) {
+          const { getIdentity: getFullIdentity } = await import('../core/identity.js');
+          const fullIdent = await getFullIdentity();
+          if (fullIdent?.privateKey) {
+            const { signMessage } = await import('../crypto/chatEncryption.js');
+            const timestamp = String(Date.now());
+            const sigMsg = `${ident.handle}:${device.id}:${device.name}:${timestamp}`;
+            const signature = signMessage(sigMsg, fullIdent.privateKey);
+            const serverUrl = getPrimaryServer();
+            postTo(serverUrl, '/devices/register', {
+              handle: ident.handle,
+              deviceId: device.id,
+              deviceName: device.name,
+              publicKey: ident.publicKey,
+              timestamp,
+              signature,
+            }).then(() => console.log(chalk.cyan('Device registered with discovery server')))
+              .catch(() => {});
+          }
+        }
+      } catch {}
+      // Connect to network in background (don't block serving)
+      const connState = getConnectionState();
+      if (connState.status !== 'connected') {
+        console.log(chalk.blue('Connecting to network...'));
+        connect({
+          onProgress: (step) => console.log(chalk.gray(`  ${step}`)),
+        }).catch(() => console.log(chalk.yellow('Network connect failed — serving locally only')));
+      }
+      // ── Seed shares via WebTorrent ──
+      const shares = listShares();
+      if (shares.length === 0) {
+        console.log(chalk.gray('No active shares to seed. Signaling server still running.'));
+      }
+      const client = new WebTorrent();
+      client.setMaxListeners(Math.max(shares.length, 10) + 20);
+      // Auto-expire old shares before seeding
+      expireOldShares();
+      if (shares.length > 0) {
+        logger.info('Starting Pal Explorer Seeder...', { shares: shares.length });
+        console.log(chalk.blue(`Seeding ${shares.length} share(s)...`));
+      }
+      for (const share of shares) {
+        try {
+          if (isShareExpired(share)) {
+            console.log(chalk.gray(`Skipping ${share.name}: expired`));
+            continue;
+          }
+          if (!fs.existsSync(share.path)) {
+            console.log(chalk.yellow(`Skipping ${share.name}: path not found (${share.path})`));
+            continue;
+          }
+          let seedPath = share.path;
+          // Non-recursive: seed only top-level files
+          if (share.recursive === false && fs.statSync(share.path).isDirectory()) {
+            const items = fs.readdirSync(share.path, { withFileTypes: true });
+            const topFiles = items.filter(i => i.isFile()).map(i => path.join(share.path, i.name));
+            if (topFiles.length === 0) {
+              console.log(chalk.yellow(`Skipping ${share.name}: no top-level files (non-recursive).`));
+              continue;
+            }
+            seedPath = topFiles;
+          }
+          if (share.visibility === 'private') {
+            const shareKeyHex = await getShareKey(share.id);
+            if (shareKeyHex) {
+              const shareKey = Buffer.from(shareKeyHex, 'hex');
+              const encDir = share.encryptedPath || getEncryptedSeedDir(share.id);
+              if (!fs.existsSync(path.join(encDir, '.manifest.enc'))) {
+                console.log(chalk.gray(`  Encrypting ${share.name} for E2EE seeding...`));
+                encryptForSeed(share.path, encDir, shareKey);
+                const allShares = config.get('shares') || [];
+                const entry = allShares.find(s => s.id === share.id);
+                if (entry) {
+                  entry.encryptedPath = encDir;
+                  config.set('shares', allShares);
+                }
+              }
+              seedPath = encDir;
+            } else if (share.encryptedPath && fs.existsSync(share.encryptedPath)) {
+              seedPath = share.encryptedPath;
+            }
+          }
+          console.log(chalk.yellow(`Initializing: ${share.name} (${share.visibility})`));
+          const options = {
+            name: share.name,
+            announce: share.visibility === 'private' ? [] : [...DEFAULT_TRACKERS]
+          };
+          client.seed(seedPath, options, async (torrent) => {
+            logger.info(`Seeding: ${share.name}`, { magnet: torrent.magnetURI, size: torrent.length });
+            console.log(chalk.green(`✔ Seeding: ${share.name}`));
+            if (share.visibility === 'global') {
+              console.log(chalk.cyan(`  Magnet: ${torrent.magnetURI}`));
+            } else {
+              console.log(chalk.red(`  [PRIVATE E2EE] Encrypted transfer only.`));
+              console.log(chalk.gray(`  Secret Magnet: ${torrent.magnetURI}`));
+            }
+            console.log(chalk.gray(`  Size: ${(torrent.length / 1024 / 1024).toFixed(2)} MB`));
+            const allShares = config.get('shares') || [];
+            const entry = allShares.find(s => s.path === share.path);
+            const isNewMagnet = entry && !entry.magnet;
+            if (entry) {
+              if (isNewMagnet) entry.magnet = torrent.magnetURI;
+              entry.files = torrent.files.map(f => ({ name: f.name, path: f.path, size: f.length }));
+              config.set('shares', allShares);
+            }
+            // Send share invite to recipients via discovery server inbox
+            if (isNewMagnet && share.visibility === 'private' && share.recipients?.length > 0) {
+              const ident = config.get('identity');
+              const discoveryUrl = getPrimaryServer();
+              const { getFriends } = await import('../core/users.js');
+              const friends = getFriends();
+              const encKeys = share.encryptedShareKeys || {};
+              for (const recipient of share.recipients) {
+                const pal = friends.find(f => f.id === recipient.id || f.name === recipient.name);
+                const handle = pal?.handle || recipient.handle;
+                if (!handle) continue;
+                const invite = {
+                  type: 'share-invite',
+                  shareName: share.name,
+                  shareId: share.id,
+                  magnet: torrent.magnetURI,
+                  encryptedShareKey: encKeys[pal?.id || recipient.id] || null,
+                  from: ident?.handle || ident?.name || 'unknown',
+                };
+                try {
+                  const res = await postTo(discoveryUrl, '/messages', { toHandle: handle, fromHandle: ident?.handle, payload: JSON.stringify(invite) });
+                  if (res.ok) {
+                    console.log(chalk.cyan(`  Sent share invite to @${handle}`));
+                  } else {
+                    console.log(chalk.yellow(`  Failed to notify @${handle}: ${res.status}`));
+                  }
+                } catch {
+                  console.log(chalk.yellow(`  Could not reach discovery server to notify @${handle}`));
+                }
+              }
+            }
+          });
+        } catch (err) {
+          logger.error(`Failed to seed ${share.name}: ${err.message}`, { share: share.id });
+          console.error(chalk.red(`Failed to seed ${share.name}: ${err.message}`));
+        }
+      }
+      // Auto-resume incomplete downloads (skip paused)
+      const pendingDownloads = getTransfers().filter(t => !t.paused && t.status !== 'completed');
+      if (pendingDownloads.length > 0) {
+        console.log(chalk.blue(`Resuming ${pendingDownloads.length} incomplete download(s)...`));
+        for (const t of pendingDownloads) {
+          try {
+            const torrent = client.add(t.magnet, { path: t.savePath });
+            torrent.on('download', () => updateTransferProgress(t.magnet, torrent.progress));
+            torrent.on('done', () => {
+              completeTransfer(t.magnet);
+              console.log(chalk.green(`✔ Download complete: ${t.name}`));
+            });
+            console.log(chalk.yellow(`  Resuming: ${t.name || t.magnet.slice(0, 40) + '...'}`));
+          } catch (err) {
+            console.error(chalk.red(`Failed to resume download: ${err.message}`));
+          }
+        }
+      }
+      // Start web dashboard if requested
+      if (opts.web) {
+        try {
+          const webPort = parseInt(opts.webPort, 10);
+          const bindAddress = opts.lan ? '0.0.0.0' : '127.0.0.1';
+          const { token } = await startWebServer(webPort, client, { bindAddress });
+          console.log('');
+          const announceIp = opts.publicIp || getLanIp() || 'localhost';
+          const webServeUrl = `http://${announceIp}:${webPort}`;
+          if (opts.lan) {
+            console.log(chalk.green(`Web dashboard running at ${webServeUrl}?token=${token}`));
+            console.log(chalk.dim(`  (LAN accessible, browse from other devices)`));
+          } else {
+            console.log(chalk.green(`Web dashboard running at http://localhost:${webPort}?token=${token}`));
+          }
+          const { hooks } = await import('../core/extensions.js');
+          await hooks.emit('on:server:start', { port: webPort, url: webServeUrl });
+        } catch (err) {
+          console.error(chalk.red(`Failed to start web dashboard: ${err.message}`));
+        }
+      }
+      // Store torrent port in config once WebTorrent is listening
+      const storeTorrentPort = () => {
+        const torrentPort = client.address()?.port || null;
+        if (torrentPort) {
+          config.set('torrentPort', torrentPort);
+          // Update mDNS with port info
+          try {
+            const ident = config.get('identity');
+            if (ident) {
+              const webPort = opts.web ? parseInt(opts.webPort, 10) : null;
+              import('../core/mdnsService.js').then(({ stopMdns }) => {
+                stopMdns();
+                startMdns(ident, { torrentPort, webPort });
+              });
+            }
+          } catch { /* non-fatal */ }
+        }
+      };
+      // Try immediately, then retry after a delay (WebTorrent may not be listening yet)
+      storeTorrentPort();
+      setTimeout(storeTorrentPort, 5000);
+      setTimeout(storeTorrentPort, 15000);
+      console.log('');
+      console.log(chalk.bgBlue('Daemon is running. Press Ctrl+C to stop sharing.'));
+      console.log('');
+      // Bug #20 fix: auto-seed new shares created after daemon started
+      const seededPaths = new Set(shares.map(s => s.path));
+      setInterval(() => {
+        try {
+          expireOldShares();
+          const currentShares = listShares();
+          for (const share of currentShares) {
+            if (seededPaths.has(share.path)) continue;
+            if (isShareExpired(share)) continue;
+            if (!fs.existsSync(share.path)) continue;
+            seededPaths.add(share.path);
+            const seedOpts = { name: share.name, announce: share.visibility === 'private' ? [] : [...DEFAULT_TRACKERS] };
+            client.seed(share.path, seedOpts, (torrent) => {
+              console.log(chalk.green(`✔ Auto-seeding new share: ${share.name}`));
+              const allShares = config.get('shares') || [];
+              const entry = allShares.find(s => s.path === share.path);
+              if (entry && !entry.magnet) {
+                entry.magnet = torrent.magnetURI;
+                entry.files = torrent.files.map(f => ({ name: f.name, path: f.path, size: f.length }));
+                config.set('shares', allShares);
+              }
+            });
+          }
+        } catch {}
+      }, 60000);
+      // Periodic stats every 30 seconds
+      setInterval(() => {
+        const up = (client.uploadSpeed / 1024).toFixed(1);
+        const down = (client.downloadSpeed / 1024).toFixed(1);
+        const count = client.torrents.length;
+        console.log(chalk.gray(`[stats] ↑ ${up} KB/s  ↓ ${down} KB/s  torrents: ${count}`));
+      }, 30000);
+    });
+}