feat(cli): M-Tool 1-3 — CLI, templates, Gitea publishing pipeline

Phase B complete: Shade now has a full developer tooling story.

@shade/cli
- shade init with project scaffolding from templates
- shade fingerprint (own or peer)
- shade publish (re-upload bundle)
- shade rotate (--identity for full rotation, otherwise signed prekey)
- shade peer add/list/verify/remove
- shade dashboard (opens observer in browser)
- shade doctor (diagnose config, storage, prekey server reachability)
- Config from .shaderc.json or SHADE_* env vars

Templates (in packages/shade-cli/templates/)
- bun-server — Bun + Hono backend with /send + /receive endpoints
- chat-demo — Two-process Alice/Bob chat over HTTP

Publishing pipeline (Gitea npm registry)
- .gitea/workflows/test.yml — CI on push/PR with PostgreSQL service
- .gitea/workflows/publish.yml — publish on git tag v*
- scripts/publish-all.ts — local publish helper with DRY_RUN support
- scripts/bump-version.ts — lockstep version bump across all packages
- Root package.json scripts: version, publish:dry, publish:all

Also: /health endpoint now lives in createPrekeyRoutes so doctor can
probe it without needing the full standalone setup.

Dry-run verified: all 11 packages pack cleanly.
246 tests passing, 0 failures.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

packages/shade-cli/templates/bun-server/.env.example

@@ -0,0 +1,8 @@
+Override the prekey server URL
+SHADE_PREKEY_SERVER=http://localhost:3900
+
+Storage location (SQLite file)
+SHADE_DB_PATH=sqlite:./.shade/client.db
+
+Observer dashboard token (min 16 chars)
+SHADE_OBSERVER_TOKEN=change-me-to-at-least-16-chars

packages/shade-cli/templates/bun-server/.shaderc.json

@@ -0,0 +1,5 @@
+{
+  "prekeyServer": "__PREKEY_SERVER__",
+  "storage": "sqlite:./.shade/client.db",
+  "address": "__PROJECT_NAME__"
+}

packages/shade-cli/templates/bun-server/README.md

@@ -0,0 +1,46 @@
+# __PROJECT_NAME__
+
+A Shade-enabled Bun + Hono server. Encrypted messages in/out via two HTTP endpoints.
+
+## Prerequisites
+
+A running Shade prekey server. The default is `__PREKEY_SERVER__`. You can either:
+- Run one locally: `docker run -p 3900:3900 shade-prekey-server`
+- Override with `SHADE_PREKEY_SERVER=...` in `.env`
+
+## Run
+
+```bash
+bun install
+bun run start
+```
+
+The server registers itself with the prekey server on startup.
+
+## Endpoints
+
+### Send an encrypted message
+
+```bash
+curl -X POST http://localhost:3000/send \
+  -H "Content-Type: application/json" \
+  -d '{"to": "peer-name", "message": "hello"}'
+```
+
+Returns a `ShadeEnvelope` you can forward to the peer via any transport.
+
+### Receive an encrypted envelope
+
+```bash
+curl -X POST http://localhost:3000/receive \
+  -H "Content-Type: application/json" \
+  -d '{"from": "peer-name", "envelope": {...}}'
+```
+
+Returns the decrypted plaintext.
+
+## Next steps
+
+- Wire a real delivery layer (WebSocket, HTTP push, etc.)
+- Run `shade dashboard` to watch live activity
+- Compare fingerprints with peers out-of-band before trusting sessions

packages/shade-cli/templates/bun-server/package.json

@@ -0,0 +1,14 @@
+{
+  "name": "__PROJECT_NAME__",
+  "version": "0.0.1",
+  "type": "module",
+  "scripts": {
+    "start": "bun run src/index.ts",
+    "dev": "bun --watch run src/index.ts",
+    "test": "bun test"
+  },
+  "dependencies": {
+    "@shade/sdk": "^0.1.0",
+    "hono": "^4.12.0"
+  }
+}

packages/shade-cli/templates/bun-server/src/index.ts

@@ -0,0 +1,46 @@
+import { Hono } from 'hono';
+import { createShade } from '@shade/sdk';
+
+/**
+ * __PROJECT_NAME__ — Shade-enabled Bun server template.
+ *
+ * Exposes two endpoints:
+ *   POST /send     — encrypt a message to a peer
+ *   POST /receive  — decrypt an incoming envelope
+ */
+
+const shade = await createShade({
+  prekeyServer: process.env.SHADE_PREKEY_SERVER ?? '__PREKEY_SERVER__',
+  storage: process.env.SHADE_DB_PATH ?? 'sqlite:./.shade/client.db',
+  address: '__PROJECT_NAME__',
+});
+
+console.log(`Shade initialized as ${shade.myAddress}`);
+console.log(`Fingerprint: ${await shade.fingerprint}`);
+
+shade.onMessage((from, msg) => {
+  console.log(`[${from}] ${msg}`);
+});
+
+const app = new Hono();
+
+app.get('/', (c) => c.text(`__PROJECT_NAME__ — Shade-enabled backend`));
+
+app.post('/send', async (c) => {
+  const { to, message } = await c.req.json();
+  const envelope = await shade.send(to, message);
+  return c.json({ envelope });
+});
+
+app.post('/receive', async (c) => {
+  const { from, envelope } = await c.req.json();
+  const plaintext = await shade.receive(from, envelope);
+  return c.json({ plaintext });
+});
+
+export default {
+  port: Number(process.env.PORT ?? 3000),
+  fetch: app.fetch,
+};
+
+console.log(`Server listening on :${process.env.PORT ?? 3000}`);

packages/shade-cli/templates/chat-demo/README.md

@@ -0,0 +1,17 @@
+# __PROJECT_NAME__
+
+Two-process chat demo: Alice and Bob talk via the Shade SDK over a simple
+HTTP relay. Shows how easy it is to add E2EE to any transport.
+
+## Run
+
+Start a prekey server first (e.g. `docker run -p 3900:3900 shade-prekey-server`).
+
+Then in two terminals:
+
+```bash
+bun run bob     # starts Bob's process on :4001
+bun run alice   # starts Alice's process on :4000
+```
+
+Alice will send a message to Bob; both will print the activity.

packages/shade-cli/templates/chat-demo/package.json

@@ -0,0 +1,12 @@
+{
+  "name": "__PROJECT_NAME__",
+  "version": "0.0.1",
+  "type": "module",
+  "scripts": {
+    "alice": "bun run src/alice.ts",
+    "bob": "bun run src/bob.ts"
+  },
+  "dependencies": {
+    "@shade/sdk": "^0.1.0"
+  }
+}

packages/shade-cli/templates/chat-demo/src/alice.ts

@@ -0,0 +1,27 @@
+import { createShade } from '@shade/sdk';
+
+const alice = await createShade({
+  prekeyServer: '__PREKEY_SERVER__',
+  storage: 'sqlite:./.shade/alice.db',
+  address: 'alice',
+});
+
+console.log(`Alice ready. Fingerprint: ${await alice.fingerprint}`);
+
+// Send a message to Bob
+const envelope = await alice.send('bob', 'Hey Bob, this is encrypted!');
+
+// Forward to Bob's process (simple HTTP)
+const res = await fetch('http://localhost:4001/receive', {
+  method: 'POST',
+  headers: { 'Content-Type': 'application/json' },
+  body: JSON.stringify({ from: 'alice', envelope }),
+});
+
+if (res.ok) {
+  console.log('✓ Message delivered');
+} else {
+  console.error('Failed to deliver:', await res.text());
+}
+
+await alice.shutdown();

packages/shade-cli/templates/chat-demo/src/bob.ts

@@ -0,0 +1,24 @@
+import { Hono } from 'hono';
+import { createShade } from '@shade/sdk';
+
+const bob = await createShade({
+  prekeyServer: '__PREKEY_SERVER__',
+  storage: 'sqlite:./.shade/bob.db',
+  address: 'bob',
+});
+
+console.log(`Bob ready. Fingerprint: ${await bob.fingerprint}`);
+
+bob.onMessage((from, msg) => {
+  console.log(`\n📨 [${from}] ${msg}\n`);
+});
+
+const app = new Hono();
+app.post('/receive', async (c) => {
+  const { from, envelope } = await c.req.json();
+  await bob.receive(from, envelope);
+  return c.json({ ok: true });
+});
+
+export default { port: 4001, fetch: app.fetch };
+console.log('Bob listening on :4001');