refactor: rename cli-v2 → cli, archive legacy cli, plus broker-side grants + auto-migrate

- apps/cli/ is now the canonical CLI (was apps/cli-v2/).
- apps/cli/ legacy v0 archived as branch 'legacy-cli-archive' and tag
  'cli-v0-legacy-final' before deletion; git history preserves it too.
- .github/workflows/release-cli.yml paths updated.
- pnpm-lock.yaml regenerated.

Broker-side peer-grant enforcement (spec: 2026-04-15-per-peer-capabilities):
- 0020_peer-grants.sql adds peer_grants jsonb + GIN index on mesh.member.
- handleSend in broker fetches recipient grant maps once per send, drops
  messages silently when sender lacks the required capability.
- POST /cli/mesh/:slug/grants to update from CLI; broker_messages_dropped_by_grant_total metric.
- CLI grant/revoke/block now mirror to broker via syncToBroker.

Auto-migrate on broker startup:
- apps/broker/src/migrate.ts runs drizzle migrate with pg_advisory_lock
  before the HTTP server binds. Exits non-zero on failure so Coolify
  healthcheck fails closed.
- Dockerfile copies packages/db/migrations into /app/migrations.
- postgres 3.4.5 added as direct broker dep.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

apps/cli/src/constants/exit-codes.ts

@@ -0,0 +1,14 @@
+export const EXIT = {
+  SUCCESS: 0,
+  USER_CANCELLED: 1,
+  AUTH_FAILED: 2,
+  INVALID_ARGS: 3,
+  NETWORK_ERROR: 4,
+  NOT_FOUND: 5,
+  ALREADY_EXISTS: 6,
+  PERMISSION_DENIED: 7,
+  INTERNAL_ERROR: 8,
+  CLAUDE_MISSING: 9,
+} as const;
+
+export type ExitCode = (typeof EXIT)[keyof typeof EXIT];

apps/cli/src/constants/index.ts

@@ -0,0 +1,5 @@
+export { EXIT } from "./exit-codes.js";
+export type { ExitCode } from "./exit-codes.js";
+export { PATHS } from "./paths.js";
+export { URLS } from "./urls.js";
+export { TIMINGS } from "./timings.js";

apps/cli/src/constants/paths.ts

@@ -0,0 +1,22 @@
+import { homedir } from "node:os";
+import { join } from "node:path";
+
+const home = homedir();
+
+export const PATHS = {
+  CONFIG_DIR: process.env.CLAUDEMESH_CONFIG_DIR || join(home, ".claudemesh"),
+  get CONFIG_FILE() {
+    return join(this.CONFIG_DIR, "config.json");
+  },
+  get AUTH_FILE() {
+    return join(this.CONFIG_DIR, "auth.json");
+  },
+  get KEYS_DIR() {
+    return join(this.CONFIG_DIR, "keys");
+  },
+  get LAST_USED_FILE() {
+    return join(this.CONFIG_DIR, "last-used.json");
+  },
+  CLAUDE_JSON: join(home, ".claude.json"),
+  CLAUDE_SETTINGS: join(home, ".claude", "settings.json"),
+} as const;

apps/cli/src/constants/timings.ts

@@ -0,0 +1,11 @@
+export const TIMINGS = {
+  DEVICE_CODE_POLL_MS: 1500,
+  DEVICE_CODE_TIMEOUT_MS: 5 * 60 * 1000,
+  WS_RECONNECT_BASE_MS: 1000,
+  WS_RECONNECT_MAX_MS: 30_000,
+  UPDATE_CHECK_INTERVAL_MS: 24 * 60 * 60 * 1000,
+  TELEGRAM_CONNECT_TIMEOUT_MS: 5 * 60 * 1000,
+  TELEGRAM_POLL_INTERVAL_MS: 2000,
+  API_TIMEOUT_MS: 15_000,
+  API_RETRY_COUNT: 2,
+} as const;

apps/cli/src/constants/urls.ts

@@ -0,0 +1,18 @@
+export const URLS = {
+  BROKER: process.env.CLAUDEMESH_BROKER_URL ?? "wss://ic.claudemesh.com/ws",
+  API_BASE: process.env.CLAUDEMESH_API_URL ?? "https://claudemesh.com",
+  DASHBOARD: "https://claudemesh.com/dashboard",
+  NPM_REGISTRY: "https://registry.npmjs.org/claudemesh-cli",
+} as const;
+
+// Injected at build time from package.json#version via `bun build --define`
+// (see build.ts). Falls back to a dev sentinel when running from source.
+declare const __CLAUDEMESH_VERSION__: string;
+export const VERSION: string =
+  typeof __CLAUDEMESH_VERSION__ !== "undefined" ? __CLAUDEMESH_VERSION__ : "0.0.0-dev";
+
+export const env = {
+  CLAUDEMESH_BROKER_URL: URLS.BROKER,
+  CLAUDEMESH_CONFIG_DIR: process.env.CLAUDEMESH_CONFIG_DIR || undefined,
+  CLAUDEMESH_DEBUG: process.env.CLAUDEMESH_DEBUG === "1" || process.env.CLAUDEMESH_DEBUG === "true",
+};