function cmd::peer::update_tunnel() {
  local name="" type="" all=false mode="" force=false

  while [[ $# -gt 0 ]]; do
    case "$1" in
      --name)  name="$2";        shift 2 ;;
      --type)  type="$2";        shift 2 ;;
      --all)   all=true;         shift   ;;
      --mode)  mode="$2";        shift 2 ;;
      --force) force=true;       shift   ;;
      --help)  cmd::peer::help;  return  ;;
      *) log::error "Unknown flag: $1"; return 1 ;;
    esac
  done

  [[ -z "$name" && "$all" == "false" ]] && \
    log::error "Specify --name or --all" && return 1
  [[ -z "$mode" ]] && \
    log::error "Missing required flag: --mode (split|full)" && return 1
  [[ "$mode" != "split" && "$mode" != "full" ]] && \
    log::error "Invalid mode: ${mode} (must be split or full)" && return 1

  local allowed_ips
  allowed_ips=$(config::allowed_ips_for "$mode")

  # Collect target peers
  local peers=()
  if $all; then
    if ! $force; then
      read -r -p "Update tunnel mode to '${mode}' for ALL peers? [y/N] " confirm
      case "$confirm" in [yY]*) ;; *) log::info "Aborted"; return 0 ;; esac
    fi
    while IFS= read -r conf; do
      peers+=("$(basename "$conf" .conf)")
    done < <(find "$(ctx::clients)" -name "*.conf" 2>/dev/null)
  else
    name=$(peers::resolve_and_require "$name" "$type") || return 1
    peers=("$name")
  fi

  local updated=0
  for peer_name in "${peers[@]}"; do
    local conf
    conf="$(ctx::clients)/${peer_name}.conf"
    [[ ! -f "$conf" ]] && continue

    # Replace AllowedIPs line in-place
    sed -i "s|^AllowedIPs = .*|AllowedIPs = ${allowed_ips}|" "$conf"
    (( updated++ )) || true
    log::debug "Updated tunnel for: ${peer_name}"
  done

  log::wg_success "Updated tunnel to '${mode}' (${allowed_ips}) for ${updated} peer(s)"
  log::wg "Peers must reconnect to apply the new tunnel mode"
}