fix(cli): deduplicate --dangerously-load-development-channels flag

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

apps/cli/package.json

@@ -1,6 +1,6 @@
 {
   "name": "claudemesh-cli",
-  "version": "0.1.7",
+  "version": "0.1.9",
   "description": "Claude Code MCP client for claudemesh — peer mesh messaging between Claude sessions.",
   "keywords": [
     "claude-code",

apps/cli/src/commands/launch.ts

@@ -195,10 +195,20 @@ export async function runLaunch(extraArgs: string[]): Promise<void> {
   if (!args.quiet) printBanner(displayName, mesh.slug);
 
   // 6. Spawn claude with ephemeral config + dev channel + display name.
+  //    Strip any user-supplied --dangerously-load-development-channels
+  //    to avoid duplicates — we always inject our own.
+  const filtered: string[] = [];
+  for (let i = 0; i < args.claudeArgs.length; i++) {
+    if (args.claudeArgs[i] === "--dangerously-load-development-channels") {
+      i++; // skip the next arg (the channel value) too
+      continue;
+    }
+    filtered.push(args.claudeArgs[i]!);
+  }
   const claudeArgs = [
     "--dangerously-load-development-channels",
     "server:claudemesh",
-    ...args.claudeArgs,
+    ...filtered,
   ];
 
   const isWindows = process.platform === "win32";

apps/cli/src/env.ts

@@ -1,27 +1,23 @@
-import { z } from "zod";
-
 /**
  * CLI environment config.
  *
  * Read once at startup. Overridable via env vars so users can point
  * at a self-hosted broker or a staging instance without rebuilding.
  */
-const envSchema = z.object({
-  CLAUDEMESH_BROKER_URL: z.string().default("wss://ic.claudemesh.com/ws"),
-  CLAUDEMESH_CONFIG_DIR: z.string().optional(),
-  CLAUDEMESH_DEBUG: z.coerce.boolean().default(false),
-});
 
-export type CliEnv = z.infer<typeof envSchema>;
+export interface CliEnv {
+  CLAUDEMESH_BROKER_URL: string;
+  CLAUDEMESH_CONFIG_DIR: string | undefined;
+  CLAUDEMESH_DEBUG: boolean;
+}
 
 export function loadEnv(): CliEnv {
-  const parsed = envSchema.safeParse(process.env);
+  return {
-  if (!parsed.success) {
+    CLAUDEMESH_BROKER_URL:
-    console.error("[claudemesh] invalid environment:");
+      process.env.CLAUDEMESH_BROKER_URL ?? "wss://ic.claudemesh.com/ws",
-    console.error(z.treeifyError(parsed.error));
+    CLAUDEMESH_CONFIG_DIR: process.env.CLAUDEMESH_CONFIG_DIR || undefined,
-    process.exit(1);
+    CLAUDEMESH_DEBUG: process.env.CLAUDEMESH_DEBUG === "1" || process.env.CLAUDEMESH_DEBUG === "true",
-  }
+  };
-  return parsed.data;
 }
 
 export const env = loadEnv();

apps/cli/src/invite/parse.ts

@@ -5,22 +5,19 @@
  * verification and one-time-use invite-token tracking land in Step 18.
  */
 
-import { z } from "zod";
 import { ensureSodium } from "../crypto/keypair";
 
-const invitePayloadSchema = z.object({
+export interface InvitePayload {
-  v: z.literal(1),
+  v: 1;
-  mesh_id: z.string().min(1),
+  mesh_id: string;
-  mesh_slug: z.string().min(1),
+  mesh_slug: string;
-  broker_url: z.string().min(1),
+  broker_url: string;
-  expires_at: z.number().int().positive(),
+  expires_at: number;
-  mesh_root_key: z.string().min(1),
+  mesh_root_key: string;
-  role: z.enum(["admin", "member"]),
+  role: "admin" | "member";
-  owner_pubkey: z.string().regex(/^[0-9a-f]{64}$/i),
+  owner_pubkey: string;
-  signature: z.string().regex(/^[0-9a-f]{128}$/i),
+  signature: string;
-});
+}
-
-export type InvitePayload = z.infer<typeof invitePayloadSchema>;
 
 export interface ParsedInvite {
   payload: InvitePayload;
@@ -28,6 +25,21 @@ export interface ParsedInvite {
   token: string; // base64url(JSON) — DB lookup key (everything after ic://join/)
 }
 
+function validatePayload(obj: unknown): InvitePayload {
+  if (!obj || typeof obj !== "object") throw new Error("invite payload is not an object");
+  const o = obj as Record<string, unknown>;
+  if (o.v !== 1) throw new Error("invite payload: v must be 1");
+  if (typeof o.mesh_id !== "string" || !o.mesh_id) throw new Error("invite payload: mesh_id required");
+  if (typeof o.mesh_slug !== "string" || !o.mesh_slug) throw new Error("invite payload: mesh_slug required");
+  if (typeof o.broker_url !== "string" || !o.broker_url) throw new Error("invite payload: broker_url required");
+  if (typeof o.expires_at !== "number" || o.expires_at <= 0) throw new Error("invite payload: expires_at must be a positive number");
+  if (typeof o.mesh_root_key !== "string" || !o.mesh_root_key) throw new Error("invite payload: mesh_root_key required");
+  if (o.role !== "admin" && o.role !== "member") throw new Error("invite payload: role must be admin or member");
+  if (typeof o.owner_pubkey !== "string" || !/^[0-9a-f]{64}$/i.test(o.owner_pubkey)) throw new Error("invite payload: owner_pubkey must be 64 hex chars");
+  if (typeof o.signature !== "string" || !/^[0-9a-f]{128}$/i.test(o.signature)) throw new Error("invite payload: signature must be 128 hex chars");
+  return o as unknown as InvitePayload;
+}
+
 /** Canonical invite bytes — must match broker's canonicalInvite(). */
 export function canonicalInvite(p: {
   v: number;
@@ -96,41 +108,34 @@ export async function parseInviteLink(link: string): Promise<ParsedInvite> {
     );
   }
 
-  const parsed = invitePayloadSchema.safeParse(obj);
+  const payload = validatePayload(obj);
-  if (!parsed.success) {
-    throw new Error(
-      `invite link shape invalid: ${parsed.error.issues.map((i) => i.path.join(".") + ": " + i.message).join("; ")}`,
-    );
-  }
 
   // Expiry check (unix seconds).
   const nowSeconds = Math.floor(Date.now() / 1000);
-  if (parsed.data.expires_at < nowSeconds) {
+  if (payload.expires_at < nowSeconds) {
     throw new Error(
-      `invite expired: expires_at=${parsed.data.expires_at}, now=${nowSeconds}`,
+      `invite expired: expires_at=${payload.expires_at}, now=${nowSeconds}`,
     );
   }
 
   // Verify the ed25519 signature against the embedded owner_pubkey.
-  // Client-side verification gives immediate feedback on tampered
-  // links; broker re-verifies authoritatively on /join.
   const s = await ensureSodium();
   const canonical = canonicalInvite({
-    v: parsed.data.v,
+    v: payload.v,
-    mesh_id: parsed.data.mesh_id,
+    mesh_id: payload.mesh_id,
-    mesh_slug: parsed.data.mesh_slug,
+    mesh_slug: payload.mesh_slug,
-    broker_url: parsed.data.broker_url,
+    broker_url: payload.broker_url,
-    expires_at: parsed.data.expires_at,
+    expires_at: payload.expires_at,
-    mesh_root_key: parsed.data.mesh_root_key,
+    mesh_root_key: payload.mesh_root_key,
-    role: parsed.data.role,
+    role: payload.role,
-    owner_pubkey: parsed.data.owner_pubkey,
+    owner_pubkey: payload.owner_pubkey,
   });
   const sigOk = (() => {
     try {
       return s.crypto_sign_verify_detached(
-        s.from_hex(parsed.data.signature),
+        s.from_hex(payload.signature),
         s.from_string(canonical),
-        s.from_hex(parsed.data.owner_pubkey),
+        s.from_hex(payload.owner_pubkey),
       );
     } catch {
       return false;
@@ -140,7 +145,7 @@ export async function parseInviteLink(link: string): Promise<ParsedInvite> {
     throw new Error("invite signature invalid (link tampered?)");
   }
 
-  return { payload: parsed.data, raw: link, token: encoded };
+  return { payload, raw: link, token: encoded };
 }
 
 /**
@@ -155,8 +160,6 @@ export function encodeInviteLink(payload: InvitePayload): string {
 
 /**
  * Sign and assemble an invite payload → ic://join/... link.
- * The canonical bytes (everything except signature) are signed with
- * the mesh owner's ed25519 secret key.
  */
 export async function buildSignedInvite(args: {
   v: 1;

apps/cli/src/state/config.ts

@@ -15,38 +15,38 @@ import {
 } from "node:fs";
 import { homedir } from "node:os";
 import { join, dirname } from "node:path";
-import { z } from "zod";
 import { env } from "../env";
 
-const joinedMeshSchema = z.object({
+export interface JoinedMesh {
-  meshId: z.string(),
+  meshId: string;
-  memberId: z.string(),
+  memberId: string;
-  slug: z.string(),
+  slug: string;
-  name: z.string(),
+  name: string;
-  pubkey: z.string(), // ed25519 hex (32 bytes = 64 chars)
+  pubkey: string; // ed25519 hex (32 bytes = 64 chars)
-  secretKey: z.string(), // ed25519 hex (64 bytes = 128 chars)
+  secretKey: string; // ed25519 hex (64 bytes = 128 chars)
-  brokerUrl: z.string(),
+  brokerUrl: string;
-  joinedAt: z.string(),
+  joinedAt: string;
-});
+}
 
-const configSchema = z.object({
+export interface Config {
-  version: z.literal(1).default(1),
+  version: 1;
-  meshes: z.array(joinedMeshSchema).default([]),
+  meshes: JoinedMesh[];
-});
+}
-
-export type JoinedMesh = z.infer<typeof joinedMeshSchema>;
-export type Config = z.infer<typeof configSchema>;
 
 const CONFIG_DIR = env.CLAUDEMESH_CONFIG_DIR ?? join(homedir(), ".claudemesh");
 const CONFIG_PATH = join(CONFIG_DIR, "config.json");
 
 export function loadConfig(): Config {
   if (!existsSync(CONFIG_PATH)) {
-    return configSchema.parse({ version: 1, meshes: [] });
+    return { version: 1, meshes: [] };
   }
   try {
     const raw = readFileSync(CONFIG_PATH, "utf-8");
-    return configSchema.parse(JSON.parse(raw));
+    const parsed = JSON.parse(raw);
+    if (!parsed || !Array.isArray(parsed.meshes)) {
+      return { version: 1, meshes: [] };
+    }
+    return { version: 1, meshes: parsed.meshes };
   } catch (e) {
     throw new Error(
       `Failed to load ${CONFIG_PATH}: ${e instanceof Error ? e.message : String(e)}`,