refactor: rename cli-v2 → cli, archive legacy cli, plus broker-side grants + auto-migrate

- apps/cli/ is now the canonical CLI (was apps/cli-v2/).
- apps/cli/ legacy v0 archived as branch 'legacy-cli-archive' and tag
  'cli-v0-legacy-final' before deletion; git history preserves it too.
- .github/workflows/release-cli.yml paths updated.
- pnpm-lock.yaml regenerated.

Broker-side peer-grant enforcement (spec: 2026-04-15-per-peer-capabilities):
- 0020_peer-grants.sql adds peer_grants jsonb + GIN index on mesh.member.
- handleSend in broker fetches recipient grant maps once per send, drops
  messages silently when sender lacks the required capability.
- POST /cli/mesh/:slug/grants to update from CLI; broker_messages_dropped_by_grant_total metric.
- CLI grant/revoke/block now mirror to broker via syncToBroker.

Auto-migrate on broker startup:
- apps/broker/src/migrate.ts runs drizzle migrate with pg_advisory_lock
  before the HTTP server binds. Exits non-zero on failure so Coolify
  healthcheck fails closed.
- Dockerfile copies packages/db/migrations into /app/migrations.
- postgres 3.4.5 added as direct broker dep.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

apps/cli/src/services/crypto/box.ts

@@ -0,0 +1,59 @@
+import { ensureSodium } from "./keypair.js";
+
+export interface Envelope {
+  nonce: string;
+  ciphertext: string;
+}
+
+const HEX_PUBKEY = /^[0-9a-f]{64}$/;
+
+export function isDirectTarget(targetSpec: string): boolean {
+  return HEX_PUBKEY.test(targetSpec);
+}
+
+export async function encryptDirect(
+  message: string,
+  recipientPubkeyHex: string,
+  senderSecretKeyHex: string,
+): Promise<Envelope> {
+  const s = await ensureSodium();
+  const recipientPub = s.crypto_sign_ed25519_pk_to_curve25519(
+    s.from_hex(recipientPubkeyHex),
+  );
+  const senderSec = s.crypto_sign_ed25519_sk_to_curve25519(
+    s.from_hex(senderSecretKeyHex),
+  );
+  const nonce = s.randombytes_buf(s.crypto_box_NONCEBYTES);
+  const ct = s.crypto_box_easy(
+    s.from_string(message),
+    nonce,
+    recipientPub,
+    senderSec,
+  );
+  return {
+    nonce: s.to_base64(nonce, s.base64_variants.ORIGINAL),
+    ciphertext: s.to_base64(ct, s.base64_variants.ORIGINAL),
+  };
+}
+
+export async function decryptDirect(
+  envelope: Envelope,
+  senderPubkeyHex: string,
+  recipientSecretKeyHex: string,
+): Promise<string | null> {
+  const s = await ensureSodium();
+  try {
+    const senderPub = s.crypto_sign_ed25519_pk_to_curve25519(
+      s.from_hex(senderPubkeyHex),
+    );
+    const recipientSec = s.crypto_sign_ed25519_sk_to_curve25519(
+      s.from_hex(recipientSecretKeyHex),
+    );
+    const nonce = s.from_base64(envelope.nonce, s.base64_variants.ORIGINAL);
+    const ct = s.from_base64(envelope.ciphertext, s.base64_variants.ORIGINAL);
+    const plain = s.crypto_box_open_easy(ct, nonce, senderPub, recipientSec);
+    return s.to_string(plain);
+  } catch {
+    return null;
+  }
+}

apps/cli/src/services/crypto/facade.ts

@@ -0,0 +1,55 @@
+import { generateKeypair as _generateKeypair, ensureSodium } from "./keypair.js";
+import type { Ed25519Keypair } from "./keypair.js";
+import { encryptFile, decryptFile, sealKeyForPeer, openSealedKey } from "./file-crypto.js";
+import type { EncryptedFile } from "./file-crypto.js";
+import { encryptDirect, decryptDirect, isDirectTarget } from "./box.js";
+import type { Envelope } from "./box.js";
+import { randomBytes, randomHex } from "./random.js";
+
+export type { Ed25519Keypair, EncryptedFile, Envelope };
+
+export async function generateKeypair(): Promise<Ed25519Keypair> {
+  return _generateKeypair();
+}
+
+export async function sign(
+  message: string,
+  secretKeyHex: string,
+): Promise<string> {
+  const s = await ensureSodium();
+  const sig = s.crypto_sign_detached(
+    s.from_string(message),
+    s.from_hex(secretKeyHex),
+  );
+  return s.to_hex(sig);
+}
+
+export async function verify(
+  message: string,
+  signatureHex: string,
+  publicKeyHex: string,
+): Promise<boolean> {
+  const s = await ensureSodium();
+  try {
+    return s.crypto_sign_verify_detached(
+      s.from_hex(signatureHex),
+      s.from_string(message),
+      s.from_hex(publicKeyHex),
+    );
+  } catch {
+    return false;
+  }
+}
+
+export {
+  encryptFile as encrypt,
+  decryptFile as decrypt,
+  sealKeyForPeer as boxSeal,
+  openSealedKey as boxOpen,
+  encryptDirect,
+  decryptDirect,
+  isDirectTarget,
+  randomBytes,
+  randomHex,
+  ensureSodium,
+};

apps/cli/src/services/crypto/file-crypto.ts

@@ -0,0 +1,65 @@
+import { ensureSodium } from "./keypair.js";
+
+export interface EncryptedFile {
+  ciphertext: Uint8Array;
+  nonce: string;
+  key: Uint8Array;
+}
+
+export async function encryptFile(plaintext: Uint8Array): Promise<EncryptedFile> {
+  const s = await ensureSodium();
+  const key = s.randombytes_buf(s.crypto_secretbox_KEYBYTES);
+  const nonce = s.randombytes_buf(s.crypto_secretbox_NONCEBYTES);
+  const ciphertext = s.crypto_secretbox_easy(plaintext, nonce, key);
+  return {
+    ciphertext,
+    nonce: s.to_base64(nonce, s.base64_variants.ORIGINAL),
+    key,
+  };
+}
+
+export async function decryptFile(
+  ciphertext: Uint8Array,
+  nonceB64: string,
+  key: Uint8Array,
+): Promise<Uint8Array | null> {
+  const s = await ensureSodium();
+  try {
+    const nonce = s.from_base64(nonceB64, s.base64_variants.ORIGINAL);
+    return s.crypto_secretbox_open_easy(ciphertext, nonce, key);
+  } catch {
+    return null;
+  }
+}
+
+export async function sealKeyForPeer(
+  kf: Uint8Array,
+  recipientPubkeyHex: string,
+): Promise<string> {
+  const s = await ensureSodium();
+  const recipientCurve = s.crypto_sign_ed25519_pk_to_curve25519(
+    s.from_hex(recipientPubkeyHex),
+  );
+  const sealed = s.crypto_box_seal(kf, recipientCurve);
+  return s.to_base64(sealed, s.base64_variants.ORIGINAL);
+}
+
+export async function openSealedKey(
+  sealedB64: string,
+  myPubkeyHex: string,
+  mySecretKeyHex: string,
+): Promise<Uint8Array | null> {
+  const s = await ensureSodium();
+  try {
+    const myCurvePub = s.crypto_sign_ed25519_pk_to_curve25519(
+      s.from_hex(myPubkeyHex),
+    );
+    const myCurveSec = s.crypto_sign_ed25519_sk_to_curve25519(
+      s.from_hex(mySecretKeyHex),
+    );
+    const sealed = s.from_base64(sealedB64, s.base64_variants.ORIGINAL);
+    return s.crypto_box_seal_open(sealed, myCurvePub, myCurveSec);
+  } catch {
+    return null;
+  }
+}

apps/cli/src/services/crypto/index.ts

@@ -0,0 +1 @@
+export * from "./facade.js";

apps/cli/src/services/crypto/keypair.ts

@@ -0,0 +1,25 @@
+import sodium from "libsodium-wrappers";
+
+let ready = false;
+
+export async function ensureSodium(): Promise<typeof sodium> {
+  if (!ready) {
+    await sodium.ready;
+    ready = true;
+  }
+  return sodium;
+}
+
+export interface Ed25519Keypair {
+  publicKey: string;
+  secretKey: string;
+}
+
+export async function generateKeypair(): Promise<Ed25519Keypair> {
+  const s = await ensureSodium();
+  const kp = s.crypto_sign_keypair();
+  return {
+    publicKey: s.to_hex(kp.publicKey),
+    secretKey: s.to_hex(kp.privateKey),
+  };
+}

apps/cli/src/services/crypto/random.ts

@@ -0,0 +1,11 @@
+import { ensureSodium } from "./keypair.js";
+
+export async function randomBytes(n: number): Promise<Uint8Array> {
+  const s = await ensureSodium();
+  return s.randombytes_buf(n);
+}
+
+export async function randomHex(n: number): Promise<string> {
+  const s = await ensureSodium();
+  return s.to_hex(s.randombytes_buf(n));
+}