feat(cli): claudemesh daemon — peer mesh runtime (v0.9.0)

Long-lived process that holds a persistent WS to the broker and exposes
a local IPC surface (UDS + bearer-auth TCP loopback). Implements the
v0.9.0 spec under .artifacts/specs/.

Core:
- daemon up | status | version | down | accept-host
- daemon outbox list [--failed|--pending|--inflight|--done|--aborted]
- daemon outbox requeue <id> [--new-client-id <id>]
- daemon install-service / uninstall-service (macOS launchd, Linux systemd)

IPC routes:
- /v1/version, /v1/health
- /v1/send  (POST)  — full §4.5.1 idempotency lookup table
- /v1/inbox (GET)   — paged history
- /v1/events        — SSE stream of message/peer_join/peer_leave/broker_status
- /v1/peers         — broker passthrough
- /v1/profile       — summary/status/visible/avatar/title/bio/capabilities
- /v1/outbox + /v1/outbox/requeue — operator recovery

Storage (SQLite via node:sqlite / bun:sqlite):
- outbox.db: pending/inflight/done/dead/aborted with audit columns
- inbox.db: dedupe by client_message_id, decrypts DMs via existing crypto
- BEGIN IMMEDIATE serialization for daemon-local accept races

Identity:
- host_fingerprint.json (machine-id || first-stable-mac)
- refuse-on-mismatch policy with `daemon accept-host` recovery

CLI integration:
- claudemesh send detects the daemon and routes through /v1/send when
  present, falling back to bridge socket / cold path otherwise

Tests: 15-case coverage of the §4.5.1 IPC duplicate lookup table.

Spec arc preserved at .artifacts/specs/2026-05-03-daemon-{v1..v10}.md;
v0.9.0 implementation target locked at 2026-05-03-daemon-spec-v0.9.0.md;
deferred items at 2026-05-03-daemon-spec-broker-hardening-followups.md.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

apps/cli/src/entrypoints/cli.ts

@@ -377,6 +377,30 @@ async function main(): Promise<void> {
     case "logout": { const { logout } = await import("~/commands/logout.js"); process.exit(await logout()); break; }
     case "whoami": { const { whoami } = await import("~/commands/whoami.js"); process.exit(await whoami({ json: !!flags.json })); break; }
 
+    // Daemon (v0.9.0)
+    case "daemon": {
+      const { runDaemonCommand } = await import("~/commands/daemon.js");
+      const sub = positionals[0];
+      const rest = positionals.slice(1);
+      const outboxStatus =
+        flags.failed   ? "dead"     :
+        flags.pending  ? "pending"  :
+        flags.inflight ? "inflight" :
+        flags.done     ? "done"     :
+        flags.aborted  ? "aborted"  : undefined;
+      const code = await runDaemonCommand(sub, {
+        json: !!flags.json,
+        noTcp: !!flags["no-tcp"],
+        publicHealth: !!flags["public-health"],
+        mesh: flags.mesh as string | undefined,
+        displayName: flags.name as string | undefined,
+        outboxStatus,
+        newClientId: flags["new-client-id"] as string | undefined,
+      }, rest);
+      process.exit(code);
+      break;
+    }
+
     // Setup
     case "install": { const { runInstall } = await import("~/commands/install.js"); runInstall(positionals); break; }
     case "uninstall": { const { uninstall } = await import("~/commands/uninstall.js"); process.exit(await uninstall()); break; }