diff --git a/.jules/scribe.md b/.jules/scribe.md
index 48b090c..2a1de2a 100644
--- a/.jules/scribe.md
+++ b/.jules/scribe.md
@@ -12,3 +12,8 @@
 **Gap:** The documentation stated the SWIM protocol period was 1000ms (1s), but the implementation uses 5000ms (5s) in both `src/config.zig` and `src/discovery/swim.zig`.
 **Learning:** The documentation likely reflected an early design decision or standard SWIM defaults, but the implementation settled on a more conservative 5s interval for WAN stability, and docs were not updated.
 **Prevention:** Add a CI check that grep's `docs/guide/configuration.md` for values that match constants exported in `src/config.zig`.
+
+## 2026-03-05 - Missing CLI Commands in Reference Documentation
+**Gap:** Several implemented CLI commands (`connect`, `org-keygen`, `org-sign`, `org-vouch`, `upgrade`) and flags (`--org` for `trust`) were present in `src/main.zig` but missing from `docs/reference/cli.md`.
+**Learning:** `src/main.zig` uses hardcoded argument parsing without a central CLI generator, making it easy to add new commands without updating documentation.
+**Prevention:** Add a CI check that verifies every command listed in the `usage` string in `src/main.zig` is documented in `docs/reference/cli.md`.
diff --git a/docs/reference/cli.md b/docs/reference/cli.md
index 750324c..5935630 100644
--- a/docs/reference/cli.md
+++ b/docs/reference/cli.md
@@ -36,13 +36,14 @@ meshguard export > my-node.pub
 Add a peer's public key to your authorized keys.
 
 ```bash
-meshguard trust <key-or-path> [--name <name>]
+meshguard trust <key-or-path> [--name <name>] [--org]
 ```
 
 | Argument        | Description                                            |
 | --------------- | ------------------------------------------------------ |
 | `<key-or-path>` | Base64 public key string _or_ path to a `.pub` file    |
 | `--name`        | Human-readable name (default: auto-generated from key) |
+| `--org`         | Trust an organization's public key                     |
 
 **Validation**:
 
@@ -117,6 +118,77 @@ meshguard status
 
 ---
 
+## `meshguard connect`
+
+Direct peer connection via token exchange (bypassing seed nodes) and performs a coordinated UDP hole punch.
+
+```bash
+meshguard connect --generate [--in <minutes>]
+meshguard connect --join <mg://token>
+```
+
+| Flag         | Description                                     |
+| ------------ | ----------------------------------------------- |
+| `--generate` | Generate a token to share with the peer         |
+| `--join`     | Join a connection using the peer's token        |
+| `--in`       | Punch delay in minutes (default: 1 minute)      |
+
+---
+
+## `meshguard org-keygen`
+
+Generate a new organization keypair.
+
+```bash
+meshguard org-keygen
+```
+
+**Output files** (in `$MESHGUARD_CONFIG_DIR/org/`):
+- `org.key` — secret key
+- `org.pub` — public key
+
+---
+
+## `meshguard org-sign`
+
+Sign a node's public key with the organization's private key, producing a NodeCertificate.
+
+```bash
+meshguard org-sign <node.pub> [--name <label>] [--expires <unix-timestamp>]
+```
+
+| Argument     | Description                                     |
+| ------------ | ----------------------------------------------- |
+| `<node.pub>` | Node's public key file                          |
+| `--name`     | Node name label                                 |
+| `--expires`  | Expiration as a Unix timestamp (default: never) |
+
+---
+
+## `meshguard org-vouch`
+
+Vouch for an external node (auto-propagates to org members).
+
+```bash
+meshguard org-vouch <node.pub>
+```
+
+| Argument     | Description                                     |
+| ------------ | ----------------------------------------------- |
+| `<node.pub>` | Node's public key file                          |
+
+---
+
+## `meshguard upgrade`
+
+Upgrade meshguard to the latest release from GitHub.
+
+```bash
+meshguard upgrade
+```
+
+---
+
 ## `meshguard version`
 
 Print the version.