# Print the usage text for `wgctl identity` on stdout.
#
# Takes no arguments and reads no variables; the text below is emitted
# verbatim. The heredoc delimiter is quoted so the shell performs no
# parameter, command or arithmetic expansion inside the help text, even if
# a later edit adds a `$` or a backtick to an example.
#
# NOTE(review): the text documents `remove` as deleting the identity and all
# associated peers, and lists --set-strict-rule / --set-auto-apply without
# saying what they change. Whether `remove` asks for confirmation, and what
# the two option pairs enforce, is not visible from this function. Confirm
# against the subcommand implementations and consider spelling it out here.
cmd::identity::help() {
  cat <<'HELP_TEXT'
Usage: wgctl identity <subcommand> [options]

Manage peer identities.

Subcommands:
  list                          List all identities
  show   --name <name>          Show identity details and device status
  add    --name <name>          Manually attach a peer to an identity
         --peer <peer>
  remove --name <name>          Remove identity and all associated peers
  migrate [--dry-run]           Create identities from existing peer names

  rule assign   --name <name>   Assign a rule to an identity
                --rule <rule>
  rule unassign --name <name>   Remove rule from an identity
  rule show     --name <name>   Show current identity rule

  options --name <name>         Set identity options
          [--policy <policy>]
          [--set-strict-rule | --unset-strict-rule]
          [--set-auto-apply  | --unset-auto-apply]

Examples:
  wgctl identity list
  wgctl identity show --name nuno
  wgctl identity rule assign --name nuno --rule admin
  wgctl identity rule unassign --name nuno
  wgctl identity options --name guests-identity --policy guest
  wgctl identity options --name nuno --set-strict-rule
HELP_TEXT
}
# Print the usage text for `wgctl rule` on stdout.
#
# Takes no arguments and reads no variables; the text below is emitted
# verbatim. The heredoc delimiter is quoted so nothing inside the help text
# is subject to shell expansion.
#
# NOTE(review): the text lists allow/block entries and --extends inheritance
# but does not state which entry wins when an allow and a block overlap, or
# when an inherited entry conflicts with the rule's own. It also does not
# say what `migrate` treats as a "default rule". Operators composing access
# policies need that to predict the effective ruleset. Confirm against the
# rule resolver and document it here.
cmd::rule::help() {
  cat <<'HELP_TEXT'
Usage: wgctl rule <subcommand> [options]

Manage firewall rules with inheritance support.
Rules can extend base rules to compose reusable access policies.
Service names from 'wgctl net' can be used instead of raw IPs/ports.

Subcommands:
  list, ls                    List all rules
  show, inspect               Show rule details and inheritance
  add, new, create            Create a new rule
  update, edit                Update a rule and re-apply to peers
  remove, rm, del             Remove a rule
  assign                      Assign a rule to a peer
  unassign                    Remove rule from a peer
  reapply                     Re-apply rule to all assigned peers
  migrate                     Apply default rules to unassigned peers

Options for list:
  --base                      Show only base rules
  --no-base                   Hide base rules section
  --group <name>              Filter by group (case insensitive)
  --detailed                  Show rule entries inline

Options for add:
  --name <name>               Rule name
  --desc <description>        Description
  --group <group>             Display group (e.g. VM Rules, Users)
  --extends <rule,...>        Inherit from base rules (comma-separated)
  --base                      Create as base rule (not directly assignable)
  --allow-ip <ip/cidr>        Allow IP or subnet (repeatable)
  --allow-port <ip:port:proto> Allow specific port (repeatable)
  --block-ip <ip/cidr>        Block IP or subnet (repeatable)
  --block-port <ip:port:proto> Block specific port (repeatable)
  --block-service <name>      Block named service (repeatable)
  --allow-service <name>      Allow named service (repeatable)
  --dns-redirect              Force DNS through Pi-hole

Options for update:
  (same as add, plus:)
  --add-extends <rule,...>    Add inherited base rules
  --remove-extends <rule,...> Remove inherited base rules
  --remove-allow-ip <ip>      Remove allow IP entry
  --remove-allow-port <entry> Remove allow port entry
  --remove-block-ip <ip>      Remove block IP entry
  --remove-block-port <entry> Remove block port entry

Options for show:
  --name <name>               Rule name
  --resolved                  Show resolved/merged entries
  --no-peers                  Hide assigned peers

Options for reapply:
  --name <name>               Rule name
  --all                       Reapply all rules

Examples:
  wgctl rule list
  wgctl rule list --detailed
  wgctl rule list --group "VM Rules"
  wgctl rule show --name guest
  wgctl rule show --name moonlight-02 --resolved
  wgctl rule add --name no-proxmox --base --block-service proxmox
  wgctl rule add --name dev-01 --desc "Dev access" --extends no-lan
  wgctl rule assign --name dev-01 --peer laptop-nuno
  wgctl rule reapply --all
HELP_TEXT
}
