function cmd::unblock::run() {
  local name="" identity="" type=""
  local ips=() subnets=() ports=() services=()
  local all=false quiet=false force=false
  local reason=""

  while [[ $# -gt 0 ]]; do
    case "$1" in
      --name)    name="$2";           shift 2 ;;
      --identity) identity="$2";      shift 2 ;;
      --type)    type="$2";           shift 2 ;;
      --ip)      ips+=("$2");         shift 2 ;;
      --force)   force=true;          shift   ;;
      --quiet)   quiet=true;          shift   ;;
      --subnet)  subnets+=("$2");     shift 2 ;;
      --port)    ports+=("$2");       shift 2 ;;
      --service) services+=("$2");    shift 2 ;;
      --reason)  reason="$2";         shift 2 ;;
      --all)     all=true;            shift   ;;
      --help)    cmd::unblock::help;  return  ;;
      *)
        log::error "Unknown flag: $1"
        cmd::unblock::help
        return 1
        ;;
    esac
  done

  # --identity: unblock all peers for this identity
  if [[ -n "$identity" ]]; then
    cmd::unblock::_unblock_identity "$identity" "$quiet" || return 1
    return 0
  fi

  if [[ -z "$name" ]]; then
    log::error "Missing required flag: --name or --identity"
    cmd::unblock::help
    return 1
  fi

  name=$(peers::resolve_and_require "$name" "$type") || return 1

  if ! peers::is_blocked "$name" && ! block::has_file "$name"; then
    log::wg_warning "Client is not blocked: ${name}"
    return 0
  fi

  if [[ ${#ips[@]} -eq 0 && ${#subnets[@]} -eq 0 && \
        ${#ports[@]} -eq 0 && ${#services[@]} -eq 0 ]]; then
    all=true
  fi

  local client_ip
  client_ip=$(peers::get_ip "$name") || return 1

  if $all; then
    cmd::unblock::_unblock_all "$name" "$client_ip" "$quiet"
    return 0
  fi

  # Unblock specific IPs
  for ip in "${ips[@]}"; do
    fw::unblock_ip "$client_ip" "$ip"
    block::remove_rule "$name" "ip" "$ip"
    $quiet || log::wg_success "${ip} has been unblocked for ${name}"
  done

  # Unblock specific subnets
  for subnet in "${subnets[@]}"; do
    fw::unblock_subnet "$client_ip" "$subnet"
    block::remove_rule "$name" "subnet" "$subnet"
    $quiet || log::wg_success "${subnet} has been unblocked for ${name}"
  done

  # Unblock specific ports
  for entry in "${ports[@]}"; do
    local target port proto
    IFS=":" read -r target port proto <<< "$entry"
    proto="${proto:-tcp}"
    fw::unblock_port "$client_ip" "$target" "$port" "$proto"
    block::remove_rule "$name" "port" "$target" "$port" "$proto"
    $quiet || log::wg_success "${target}:${port}:${proto} has been unblocked for ${name}"
  done

  # Unblock services
  for svc in "${services[@]}"; do
    local resolved_lines=()
    mapfile -t resolved_lines < <(net::resolve "$svc" 2>/dev/null)
    if [[ ${#resolved_lines[@]} -eq 0 ]]; then
      log::error "Service not found: ${svc}"
      return 1
    fi

    local is_blocked=false
    for resolved in "${resolved_lines[@]}"; do
      if [[ "$resolved" == *:*:* ]]; then
        local b_ip b_port b_proto
        IFS=":" read -r b_ip b_port b_proto <<< "$resolved"
        fw::has_block_rule "$client_ip" "$b_ip" "$b_port" "$b_proto" 2>/dev/null && \
          { is_blocked=true; break; }
      else
        fw::has_block_rule "$client_ip" "$resolved" 2>/dev/null && \
          { is_blocked=true; break; }
      fi
    done

    if ! $is_blocked; then
      $quiet || log::wg_warning "${svc} is not blocked for ${name}"
      continue
    fi

    for resolved in "${resolved_lines[@]}"; do
      if [[ "$resolved" == *:*:* ]]; then
        local b_ip b_port b_proto
        IFS=":" read -r b_ip b_port b_proto <<< "$resolved"
        fw::unblock_port "$client_ip" "$b_ip" "$b_port" "$b_proto"
        block::remove_rule "$name" "port" "$b_ip" "$b_port" "$b_proto"
      else
        fw::unblock_ip "$client_ip" "$resolved"
        block::remove_rule "$name" "ip" "$resolved"
      fi
    done

    $quiet || log::wg_success "${svc} has been unblocked for ${name}"
  done

  block::cleanup "$name"
  return 0
}