refactor: rename cli-v2 → cli, archive legacy cli, plus broker-side grants + auto-migrate

- apps/cli/ is now the canonical CLI (was apps/cli-v2/).
- apps/cli/ legacy v0 archived as branch 'legacy-cli-archive' and tag
  'cli-v0-legacy-final' before deletion; git history preserves it too.
- .github/workflows/release-cli.yml paths updated.
- pnpm-lock.yaml regenerated.

Broker-side peer-grant enforcement (spec: 2026-04-15-per-peer-capabilities):
- 0020_peer-grants.sql adds peer_grants jsonb + GIN index on mesh.member.
- handleSend in broker fetches recipient grant maps once per send, drops
  messages silently when sender lacks the required capability.
- POST /cli/mesh/:slug/grants to update from CLI; broker_messages_dropped_by_grant_total metric.
- CLI grant/revoke/block now mirror to broker via syncToBroker.

Auto-migrate on broker startup:
- apps/broker/src/migrate.ts runs drizzle migrate with pg_advisory_lock
  before the HTTP server binds. Exits non-zero on failure so Coolify
  healthcheck fails closed.
- Dockerfile copies packages/db/migrations into /app/migrations.
- postgres 3.4.5 added as direct broker dep.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

apps/cli/README.md

@@ -1,83 +1,90 @@
 # claudemesh-cli
 
-Client tool for claudemesh — install once per machine, join one or more
-meshes, and your Claude Code sessions can talk to peers on demand.
+Peer mesh for Claude Code sessions. Connect multiple Claude Code instances into a shared mesh with real-time messaging, shared state, memory, file sharing, and 79 MCP tools.
 
 ## Install
 
-```sh
-# From npm (once published)
-npm install -g claudemesh-cli
-
-# Or from the monorepo during dev
-cd apps/cli && bun link
+```bash
+npm i -g claudemesh-cli
 ```
 
-Then register the MCP server with Claude Code:
+## Quick start
 
-```sh
-claudemesh install
-# prints:  claude mcp add claudemesh --scope user -- claudemesh mcp
+```bash
+claudemesh register        # create account
+claudemesh new "my-team"   # create a mesh
+claudemesh invite           # generate invite link
+claudemesh                  # start a session
 ```
 
-Run the printed command, then restart Claude Code.
-
-## Join a mesh
-
-```sh
-claudemesh join https://claudemesh.com/join/<token>
-```
-
-## Launch Claude Code
-
-For real-time **push messages** from peers (messages injected mid-turn
-as `<channel source="claudemesh">` system reminders), launch with:
-
-```sh
-claudemesh launch
-# or pass through any claude flags:
-claudemesh launch --model opus
-claudemesh launch --resume
-```
-
-Under the hood this runs:
-
-```sh
-claude --dangerously-load-development-channels server:claudemesh
-```
-
-Plain `claude` still works — the MCP tools are available — but incoming
-messages are **pull-only** via the `check_messages` tool instead of
-being pushed to Claude immediately.
-
-The invite link is generated by whoever runs the mesh. It bundles the
-mesh id, expiry, signing key, and role. Your CLI verifies it,
-generates a fresh keypair, enrolls you with the broker, and persists
-the result to `~/.claudemesh/config.json`.
-
 ## Commands
 
-```sh
-claudemesh install         # register MCP + status hooks
-claudemesh uninstall       # remove MCP + status hooks
-claudemesh launch [args]   # launch Claude Code with push messages enabled
-claudemesh join <url>      # join a mesh via invite URL
-claudemesh list            # show joined meshes + identities
-claudemesh leave <slug>    # leave a mesh
-claudemesh mcp             # start MCP server (stdio — Claude Code only)
-claudemesh --help          # show usage
+```
+USAGE
+  claudemesh                 start a session (creates one if needed)
+  claudemesh <url>           join a mesh from an invite link
+  claudemesh new             create a new mesh
+  claudemesh invite [email]  generate an invite
+  claudemesh list            see your meshes
+  claudemesh rename <name>   rename the current mesh
+  claudemesh leave [mesh]    leave a mesh
+  claudemesh peers           see who's online
+
+  claudemesh send <to> <msg> send a message
+  claudemesh inbox           drain pending messages
+  claudemesh state ...       get, set, or list shared state
+  claudemesh remember <text> store a memory
+  claudemesh recall <query>  search memories
+  claudemesh remind ...      schedule a reminder
+  claudemesh profile         view or edit your profile
+
+  claudemesh doctor          diagnose issues
+  claudemesh whoami          show current identity
+  claudemesh status          check broker connectivity
+
+  claudemesh register        create account
+  claudemesh login           sign in via browser
+  claudemesh logout          sign out
+
+  claudemesh install         register MCP server + hooks
+  claudemesh uninstall       remove MCP server + hooks
 ```
 
-## Env overrides
+## Architecture
 
-| Var                     | Default                      | Purpose                        |
-| ----------------------- | ---------------------------- | ------------------------------ |
-| `CLAUDEMESH_BROKER_URL` | `wss://ic.claudemesh.com/ws` | Point at a self-hosted broker  |
-| `CLAUDEMESH_CONFIG_DIR` | `~/.claudemesh/`             | Override config location       |
-| `CLAUDEMESH_DEBUG`      | `0`                          | Verbose logging                |
+```
+src/
+├── entrypoints/     CLI + MCP stdio entry points
+├── cli/             argv parsing, output formatters, signal handling
+├── commands/        one verb per file (29 commands)
+├── services/        17 feature-folders with facade pattern
+│   ├── auth/        device-code OAuth, token storage
+│   ├── broker/      WebSocket client (2200 lines), reconnect, crypto
+│   ├── crypto/      Ed25519, NaCl crypto_box, AES-GCM file encryption
+│   ├── config/      ~/.claudemesh/config.json with atomic writes
+│   ├── mesh/        CRUD, join, resolve target
+│   ├── invite/      generate, parse, claim (v1 + v2 formats)
+│   ├── api/         typed HTTP client for claudemesh.com
+│   ├── health/      6 diagnostic checks
+│   └── ...          device, clipboard, spawn, telemetry, i18n, logger
+├── mcp/             MCP server with 79 tools across 21 families
+├── ui/              TUI: styles, spinner, welcome wizard, launch flow
+├── constants/       exit codes, paths, URLs, timings
+├── types/           API, mesh, peer interfaces
+├── utils/           levenshtein, slug, URL, format, semver, retry
+├── locales/         English strings (i18n ready)
+└── templates/       5 mesh templates
+```
 
-## Status
+## Development
 
-v0.1.0 scaffold — CLI commands + MCP server shell in place. WS broker
-connection, libsodium crypto, invite-link verification, and auto-install
-of hooks land in subsequent steps.
+```bash
+pnpm install
+bun run dev          # hot-reload
+bun run build        # production build
+bun run typecheck    # tsc --noEmit
+```
+
+## License
+
+MIT