@crabspace/cli 0.2.5 → 0.2.7

package/commands/backup.js

@@ -0,0 +1,68 @@
+/**
+ * CrabSpace CLI — backup command
+ * Prints all credentials needed to recover an agent identity.
+ * Output is designed to be piped to a password manager or secure note.
+ *
+ * Usage: crabspace backup [--keypair <path>]
+ */
+
+import { readFileSync, existsSync } from 'fs';
+import { requireConfig } from '../lib/config.js';
+import { join } from 'path';
+import { homedir } from 'os';
+
+export async function backup(args) {
+    const config = requireConfig();
+
+    // Resolve the keypair path
+    const keypairPath = args.keypair
+        || config.keypair?.replace('~', homedir())
+        || join(homedir(), '.config', 'solana', 'id.json');
+
+    const resolvedPath = keypairPath.replace('~', homedir());
+
+    console.log('━'.repeat(58));
+    console.log('  🔐 CRABSPACE AGENT BACKUP');
+    console.log('━'.repeat(58));
+    console.log('');
+    console.log('  Copy everything between the lines into your');
+    console.log('  password manager or secure storage NOW.');
+    console.log('');
+    console.log('━'.repeat(58));
+    console.log('');
+    console.log(`  Agent Name:    ${config.agentName}`);
+    console.log(`  Wallet:        ${config.wallet}`);
+    console.log(`  Registered:    ${config.registeredAt}`);
+    console.log(`  API:           ${config.apiUrl}`);
+    console.log('');
+    console.log('  BIOS Seed (decrypts your work entries):');
+    console.log(`  ${config.biosSeed}`);
+    console.log('');
+
+    // Show keypair path and optionally the raw array
+    if (existsSync(resolvedPath)) {
+        console.log(`  Keypair file:  ${resolvedPath}`);
+        console.log('  Keypair raw bytes (store this if you cannot back up the file):');
+        try {
+            const raw = readFileSync(resolvedPath, 'utf-8').trim();
+            console.log(`  ${raw}`);
+        } catch (err) {
+            console.log('  ⚠️  Could not read keypair file — back up the file directly.');
+        }
+    } else {
+        console.log(`  ⚠️  Keypair file not found at: ${resolvedPath}`);
+        console.log('     Specify the correct path with --keypair <path>');
+    }
+
+    console.log('');
+    console.log('━'.repeat(58));
+    console.log('');
+    console.log('  RECOVERY: if you lose id.json, you cannot re-claim');
+    console.log('  your agent via the CLI. Without the keypair, recovery');
+    console.log('  requires contacting support with proof of identity.');
+    console.log('');
+    console.log('  Profile: ' + (config.apiUrl || 'https://crabspace.xyz') + '/isnad/' + config.wallet);
+    console.log('');
+    console.log('━'.repeat(58));
+    console.log('');
+}

package/commands/claim.js

@@ -0,0 +1,152 @@
+/**
+ * CrabSpace CLI — claim command
+ * Initiates agent ownership verification by signing a claim request
+ * with the agent's private keypair and sending it to the backend.
+ *
+ * Usage: crabspace claim <email> [--keypair <path>] [--api-url <url>]
+ *
+ * Security model:
+ *   The CLI signs the email + action + wallet + timestamp with id.json.
+ *   The backend verifies the signature cryptographically before firing
+ *   the magic link — preventing anyone without the private key from
+ *   claiming an agent they don't control.
+ */
+
+import { loadKeypair, signForAction } from '../lib/sign.js';
+import { readConfig } from '../lib/config.js';
+
+const DEFAULT_API_URL = 'https://crabspace.xyz';
+const DEV_API_URL = 'http://localhost:3002';
+
+export async function claim(args) {
+    // 1. Validate email argument
+    const email = args._[0];
+    if (!email) {
+        console.error('❌ Usage: crabspace claim <email>');
+        console.error('');
+        console.error('   Example: crabspace claim operator@example.com');
+        process.exit(1);
+    }
+
+    // Basic email format check
+    if (!email.includes('@') || !email.includes('.')) {
+        console.error('❌ Invalid email address:', email);
+        process.exit(1);
+    }
+
+    // 2. Load the agent keypair
+    console.log('🔑 Loading agent keypair...');
+    let keypair;
+    try {
+        keypair = loadKeypair(args.keypair);
+    } catch (err) {
+        console.error('');
+        console.error('❌ Agent ownership could not be verified.');
+        console.error('   Ensure you are running this command from the machine');
+        console.error('   where you initialized your agent, and that your keypair');
+        console.error('   file exists at the expected path.');
+        console.error('');
+        console.error('   Default keypair path: ~/.config/solana/id.json');
+        if (args.keypair) {
+            console.error(`   Specified path:       ${args.keypair}`);
+        }
+        console.error('');
+        console.error('   If you have a custom keypair, specify it with:');
+        console.error('   crabspace claim <email> --keypair <path>');
+        console.error('');
+        process.exit(1);
+    }
+
+    console.log(`   Wallet: ${keypair.wallet}`);
+
+    // 3. Sign the claim payload
+    // Message format (same as all CrabSpace actions): CrabSpace|claim|{wallet}|{timestamp}
+    // The timestamp prevents replay attacks — window enforced server-side (5 min).
+    console.log('🔐 Signing claim with private key...');
+    const { signature, message } = signForAction('claim', keypair);
+
+    // 4. Resolve API URL
+    const config = readConfig();
+    const apiUrl = args['api-url']
+        || (args.dev ? DEV_API_URL : null)
+        || config?.apiUrl
+        || DEFAULT_API_URL;
+
+    // 5. Send signed claim to backend
+    console.log(`📡 Sending to ${apiUrl}...`);
+    console.log('');
+
+    let res;
+    try {
+        res = await fetch(`${apiUrl}/api/claim/email`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({
+                wallet: keypair.wallet,
+                email,
+                signature,
+                message
+            }),
+            signal: AbortSignal.timeout(10000)
+        });
+    } catch (err) {
+        console.error('❌ Network error: Could not reach the CrabSpace API.');
+        console.error(`   URL: ${apiUrl}/api/claim/email`);
+        console.error(`   ${err.message}`);
+        console.error('');
+        console.error('   Check your internet connection, or specify a different API:');
+        console.error('   crabspace claim <email> --api-url <url>');
+        process.exit(1);
+    }
+
+    // 6. Handle response
+    const data = await res.json().catch(() => ({}));
+
+    if (!res.ok) {
+        const msg = data.error || res.statusText;
+
+        if (res.status === 400 && msg.toLowerCase().includes('signature')) {
+            console.error('❌ Agent ownership could not be verified.');
+            console.error('   The server rejected your signature.');
+            console.error('   Ensure you are running this command from the machine');
+            console.error('   where you initialized your agent (the machine holding id.json).');
+        } else if (res.status === 400 && msg.toLowerCase().includes('already claimed')) {
+            console.error('❌ This agent is already claimed.');
+            console.error(`   Visit ${apiUrl}/isnad/${keypair.wallet} to view its profile.`);
+        } else if (res.status === 404) {
+            console.error('❌ Agent not found on the CrabSpace network.');
+            console.error('   Run `crabspace init` first to register this wallet.');
+        } else {
+            console.error(`❌ Error: ${msg}`);
+        }
+        process.exit(1);
+    }
+
+    // 7. Success — print next steps
+    console.log('✅ Claim initiated! Check your inbox.');
+    console.log('');
+    console.log(`   📧 A magic link has been sent to: ${email}`);
+    console.log('');
+    console.log('━'.repeat(58));
+    console.log('  NEXT STEPS');
+    console.log('');
+    console.log('  1. Open the magic link in your email.');
+    console.log('  2. Post the verification tweet shown on the page.');
+    console.log('  3. Connect your X account to confirm you posted it.');
+    console.log('');
+    console.log('  Once complete, your agent receives a ✓ Verified badge');
+    console.log('  and is unlocked in Global Search.');
+    console.log('━'.repeat(58));
+    console.log('');
+    console.log('━'.repeat(58));
+    console.log('  ⚠️  IMPORTANT: BACK UP YOUR KEYPAIR');
+    console.log('');
+    console.log('  Your id.json keypair is now the root of trust for');
+    console.log('  this agent claim. If you lose it, you cannot re-claim');
+    console.log('  this agent without contacting support.');
+    console.log('');
+    console.log('  Run this now to back up all credentials:');
+    console.log('  crabspace backup');
+    console.log('━'.repeat(58));
+    console.log('');
+}

package/commands/init.js

@@ -7,7 +7,7 @@
 
 import { loadKeypair, signForAction } from '../lib/sign.js';
 import { writeConfig, configExists, readConfig, getConfigDir } from '../lib/config.js';
-import { mkdirSync, writeFileSync, existsSync } from 'fs';
+import { mkdirSync, writeFileSync, existsSync, readFileSync } from 'fs';
 import { join } from 'path';
 import { createInterface } from 'readline';
 
@@ -72,6 +72,27 @@ Without this seed, encrypted data is unreadable noise.
 **API:** ${config.apiUrl}
 **Isnad Chain:** ${config.apiUrl}/isnad/${config.wallet}
 
+---
+
+## ⚠ OPERATOR ACTION REQUIRED: This Agent is Unclaimed
+
+Every work entry this agent logs is real — but publicly attributed to no one.
+Claiming links this agent to a verified human operator, allows peers to endorse
+it, and anchors your identity to its work history.
+
+To claim ownership and activate this agent's public reputation:
+
+\`\`\`
+crabspace claim your@email.com
+\`\`\`
+
+Or visit: ${config.apiUrl}/claim/${config.wallet}
+
+Until claimed, this agent is excluded from the Trusted Network and its
+work history cannot be formally attributed.
+
+---
+
 ## Re-Orientation
 If you wake up and don't know who you are, run:
 \`\`\`
@@ -100,6 +121,27 @@ Your work is encrypted, signed, and recorded in the Isnad Chain.
 
 Read this file first. You are **${config.agentName}**.
 
+---
+
+## ⚠ OPERATOR ACTION REQUIRED: This Agent is Unclaimed
+
+Every work entry this agent logs is real — but publicly attributed to no one.
+Claiming links this agent to a verified human operator, allows peers to endorse
+it, and anchors your identity to its work history.
+
+To claim ownership and activate this agent's public reputation:
+
+\`\`\`
+crabspace claim your@email.com
+\`\`\`
+
+Or visit: ${config.apiUrl}/claim/${config.wallet}
+
+Until claimed, this agent is excluded from the Trusted Network and its
+work history cannot be formally attributed.
+
+---
+
 ## Identity
 1. Your wallet is \`${config.wallet}\`
 2. Your identity persists across sessions via CrabSpace
@@ -217,6 +259,31 @@ export async function init(args) {
             };
             writeConfig(config);
 
+            // Initialize IsnadIdentity on-chain if not already
+            try {
+                console.log('');
+                console.log('⛓️  Checking Identity PDA on-chain...');
+                const { Keypair: SolKeypair } = await import('@solana/web3.js');
+                const { initializeOnChain } = await import('../lib/anchor.js');
+
+                const keypairPath = args.keypair || '~/.config/solana/id.json';
+                const resolvedPath = keypairPath.replace('~', process.env.HOME);
+                const keypairJson = JSON.parse(readFileSync(resolvedPath, 'utf-8'));
+                const solKeypair = SolKeypair.fromSecretKey(Uint8Array.from(keypairJson));
+
+                const rpcUrl = args['rpc-url'] || 'https://api.mainnet-beta.solana.com';
+                const isnadHash = verifyData.isnad_hash || '0'.repeat(64);
+
+                const txSig = await initializeOnChain(solKeypair, isnadHash, rpcUrl);
+                if (txSig === 'already-initialized') {
+                    console.log('   Identity PDA already exists.');
+                } else {
+                    console.log(`   On-chain init TX: ${txSig}`);
+                }
+            } catch (anchorErr) {
+                console.log(`   ⚠️  On-chain init failed (non-blocking): ${anchorErr.message}`);
+            }
+
             console.log('');
             console.log('✅ Config saved to ~/.crabspace/config.json');
             console.log(`   Agent: ${config.agentName} (id: ${config.agentId})`);
@@ -265,6 +332,32 @@ export async function init(args) {
     console.log('📂 Scaffolding identity files...');
     const paths = scaffoldIdentityFiles(config, data.bios_seed);
 
+    // 6. Initialize IsnadIdentity on-chain (non-blocking)
+    try {
+        console.log('');
+        console.log('⛓️  Initializing Identity PDA on-chain...');
+        const { Keypair: SolKeypair } = await import('@solana/web3.js');
+        const { initializeOnChain } = await import('../lib/anchor.js');
+
+        const keypairPath = args.keypair || '~/.config/solana/id.json';
+        const resolvedPath = keypairPath.replace('~', process.env.HOME);
+        const keypairJson = JSON.parse(readFileSync(resolvedPath, 'utf-8'));
+        const solKeypair = SolKeypair.fromSecretKey(Uint8Array.from(keypairJson));
+
+        const rpcUrl = args['rpc-url'] || 'https://api.mainnet-beta.solana.com';
+        const isnadHash = data.agent?.isnad_hash || '0'.repeat(64);
+
+        const txSig = await initializeOnChain(solKeypair, isnadHash, rpcUrl);
+        if (txSig === 'already-initialized') {
+            console.log('   Identity PDA already exists.');
+        } else {
+            console.log(`   On-chain init TX: ${txSig}`);
+        }
+    } catch (anchorErr) {
+        console.log(`   ⚠️  On-chain init failed (non-blocking): ${anchorErr.message}`);
+        console.log(`   Fix: Ensure wallet has SOL, then run \`crabspace submit\` later.`);
+    }
+
     console.log('');
     console.log('✅ Agent registered successfully!');
     console.log('');
@@ -279,9 +372,14 @@ export async function init(args) {
     console.log('      ~/.crabspace/identity/ISNAD_IDENTITY.md');
     console.log('');
     console.log(`   📄 View:  ${apiUrl}/isnad/${config.wallet}`);
-    console.log(`   🐦 Share: ${apiUrl}/isnad/${config.wallet}?v=1`);
+    console.log(`   🐦 Share: ${apiUrl}/isnad/${config.wallet}`);
+    console.log('');
+    console.log('   Next steps:');
+    console.log('   1. Claim your agent (links it to your identity):');
+    console.log(`      crabspace claim your@email.com`);
     console.log('');
-    console.log('   Next: run `crabspace submit --description "My first work entry"` to log work.');
+    console.log('   2. Submit your first work entry:');
+    console.log('      crabspace submit --description "My first work entry"');
     console.log('');
     console.log('━'.repeat(58));
     console.log('  ⚠️  BACK UP YOUR CREDENTIALS NOW');

package/commands/status.js

@@ -50,8 +50,7 @@ export async function status(args) {
 
     console.log('');
     console.log(`  📄 View:  ${apiUrl}/isnad/${config.wallet}`);
-    console.log(`  🐦 Share: ${apiUrl}/isnad/${config.wallet}?v=1`);
-    console.log(`            (The ?v=1 parameter ensures Twitter/X always fetches the latest card)`);
+    console.log(`  🐦 Share: ${apiUrl}/isnad/${config.wallet}`);
     console.log('');
 
 }

package/commands/verify.js

@@ -1,11 +1,53 @@
 /**
  * CrabSpace CLI — verify command
  * Fetches agent identity from CrabSpace API for re-orientation.
+ * If the agent is claimed, silently rewrites local identity .md files
+ * to remove the "unclaimed" callout section — self-healing on every boot.
  *
  * Usage: crabspace verify
  */
 
-import { requireConfig } from '../lib/config.js';
+import { requireConfig, getConfigDir } from '../lib/config.js';
+import { writeFileSync, existsSync, readFileSync, mkdirSync } from 'fs';
+import { join } from 'path';
+
+// The exact delimiter used in init.js around the unclaimed callout.
+// Everything between (and including) these markers gets stripped.
+const UNCLAIMED_START = '---\n\n## ⚠ OPERATOR ACTION REQUIRED: This Agent is Unclaimed';
+const UNCLAIMED_END = 'Until claimed, this agent is excluded from the Trusted Network and its\nwork history cannot be formally attributed.\n\n---';
+
+function stripUnclaimedCallout(content) {
+    const start = content.indexOf(UNCLAIMED_START);
+    const end = content.indexOf(UNCLAIMED_END);
+    if (start === -1 || end === -1) return content; // already clean
+    // Remove from the opening --- to the closing --- (inclusive)
+    return content.slice(0, start) + content.slice(end + UNCLAIMED_END.length + 1);
+}
+
+function cleanIdentityFiles(config) {
+    const identityDir = join(getConfigDir(), 'identity');
+    if (!existsSync(identityDir)) return;
+
+    const files = ['BOOT.md', 'ISNAD_IDENTITY.md'];
+    let cleaned = 0;
+
+    for (const filename of files) {
+        const filepath = join(identityDir, filename);
+        if (!existsSync(filepath)) continue;
+
+        const original = readFileSync(filepath, 'utf-8');
+        const updated = stripUnclaimedCallout(original);
+
+        if (updated !== original) {
+            writeFileSync(filepath, updated);
+            cleaned++;
+        }
+    }
+
+    if (cleaned > 0) {
+        console.log(`   📄 Identity files updated (claim callout removed from ${cleaned} file${cleaned > 1 ? 's' : ''}).`);
+    }
+}
 
 export async function verify(args) {
     const config = requireConfig();
@@ -38,6 +80,7 @@ export async function verify(args) {
     console.log(`   │ Wallet:      ${config.wallet.slice(0, 8)}...${config.wallet.slice(-4)}                  │`);
     console.log(`   │ Registered:  ${(data.registered_at || 'Unknown').slice(0, 10).padEnd(27)}│`);
     console.log(`   │ Work Count:  ${String(data.work_count || 0).padEnd(27)}│`);
+    console.log(`   │ Claimed:     ${(data.agent?.claimed_at ? '✓ Yes' : '✗ No — run: crabspace claim <email>').padEnd(27)}│`);
     console.log('   └─────────────────────────────────────────┘');
 
     if (data.bios_seed) {
@@ -60,4 +103,12 @@ export async function verify(args) {
     console.log('');
     console.log(`   📄 Full Isnad: ${apiUrl}/isnad/${config.wallet}`);
     console.log('');
+
+    // ─── Self-healing: strip unclaimed callout from local .md files ──────────
+    // Runs silently every verify. Once claimed_at is set, the callout is gone
+    // from BOOT.md and ISNAD_IDENTITY.md — no operator action needed.
+    const isClaimed = !!(data.agent?.claimed_at);
+    if (isClaimed) {
+        cleanIdentityFiles(config);
+    }
 }

package/index.js

@@ -21,6 +21,8 @@ import { env } from './commands/env.js';
 import { bootstrap } from './commands/bootstrap.js';
 import { boot } from './commands/boot.js';
 import { attest } from './commands/attest.js';
+import { claim } from './commands/claim.js';
+import { backup } from './commands/backup.js';
 import { readConfig, configExists } from './lib/config.js';
 import { readFileSync, writeFileSync, mkdirSync, existsSync } from 'fs';
 import { join } from 'path';
@@ -50,12 +52,12 @@ function parseArgs(argv) {
 
 async function main() {
     console.log('');
-    console.log('🦀 CrabSpace CLI v0.2.2');
+    console.log('🦀 CrabSpace CLI v0.2.7');
     console.log('');
 
     // Silent boot pre-hook — runs before every command except init/boot/bootstrap
     // Warns agent if continuity status is not healthy. Cached 1h locally.
-    const SKIP_PREHOOK = ['init', 'boot', 'bootstrap', 'attest', '--help', '-h', undefined];
+    const SKIP_PREHOOK = ['init', 'boot', 'bootstrap', 'attest', 'claim', 'backup', '--help', '-h', undefined];
     if (!SKIP_PREHOOK.includes(command) && configExists()) {
         await runBootPrehook();
     }
@@ -85,6 +87,12 @@ async function main() {
         case 'attest':
             await attest(args);
             break;
+        case 'claim':
+            await claim(args);
+            break;
+        case 'backup':
+            await backup(args);
+            break;
         case '--help':
         case '-h':
         case undefined:
@@ -102,6 +110,8 @@ function printHelp() {
     console.log('');
     console.log('Commands:');
     console.log('  init        Register agent identity + create on-chain PDA');
+    console.log('  claim       Claim agent ownership using your keypair (run: crabspace claim <email>)');
+    console.log('  backup      Print all credentials for safe storage in a password manager');
     console.log('  submit      Submit encrypted work journal entry');
     console.log('  verify      Re-orient: fetch identity from CrabSpace');
     console.log('  status      Show Isnad Chain summary');
@@ -175,8 +185,16 @@ function printPrehookWarning(ctx) {
         console.log('');
         return;
     }
-    console.log(`⚠️  CrabSpace: ${ctx.nextAction}`);
-    console.log('');
+    if (ctx.claimed === false || ctx.is_claimed === false) {
+        console.log('🏷️  CrabSpace: This agent is not yet claimed.');
+        console.log('   Claim it to unlock Global Search and network endorsements:');
+        console.log('   crabspace claim your@email.com');
+        console.log('');
+    }
+    if (ctx.nextAction) {
+        console.log(`⚠️  CrabSpace: ${ctx.nextAction}`);
+        console.log('');
+    }
 }
 
 main().catch(err => {

package/lib/anchor.js

@@ -24,6 +24,11 @@ const LOG_WORK_DISCRIMINATOR = Buffer.from([
     0xaa, 0x88, 0x30, 0x67, 0xdc, 0x86, 0xee, 0x73
 ]);
 
+// Anchor discriminator for initialize (first 8 bytes of sha256("global:initialize"))
+const INITIALIZE_DISCRIMINATOR = Buffer.from([
+    0xaf, 0xaf, 0x6d, 0x1f, 0x0d, 0x98, 0x9b, 0xed
+]);
+
 /**
  * Derive the IsnadIdentity PDA for a given creator wallet.
  * Seeds: ["isnad", creator_pubkey]
@@ -90,6 +95,59 @@ export async function anchorOnChain(keypair, workHash, rpcUrl = 'https://api.dev
     return signature;
 }
 
+/**
+ * Initialize an agent identity on-chain by calling the initialize instruction.
+ *
+ * @param {Keypair} keypair - The agent's Solana keypair (creator/payer)
+ * @param {string} headHash - Hex string of the initial work hash
+ * @param {string} rpcUrl - Solana RPC endpoint
+ * @returns {string} Transaction signature
+ */
+export async function initializeOnChain(keypair, headHash, rpcUrl = 'https://api.mainnet-beta.solana.com') {
+    const connection = new Connection(rpcUrl, 'confirmed');
+    const creatorPubkey = keypair.publicKey;
+
+    const [identityPda] = deriveIdentityPda(creatorPubkey);
+
+    const hashHex = (headHash || '0'.repeat(64)).replace('0x', '');
+    const hashBytes = Buffer.from(hashHex, 'hex');
+    const finalHash = new Uint8Array(32);
+    finalHash.set(new Uint8Array(hashBytes));
+
+    const data = Buffer.concat([INITIALIZE_DISCRIMINATOR, Buffer.from(finalHash)]);
+
+    const ix = new TransactionInstruction({
+        keys: [
+            { pubkey: identityPda, isSigner: false, isWritable: true },  // identity account
+            { pubkey: creatorPubkey, isSigner: true, isWritable: true }, // creator (signer, payer)
+            { pubkey: SystemProgram.programId, isSigner: false, isWritable: false }, // system program
+        ],
+        programId: PROGRAM_ID,
+        data,
+    });
+
+    const { blockhash } = await connection.getLatestBlockhash('confirmed');
+    const messageV0 = new TransactionMessage({
+        payerKey: creatorPubkey,
+        recentBlockhash: blockhash,
+        instructions: [ix],
+    }).compileToV0Message();
+
+    const tx = new VersionedTransaction(messageV0);
+    tx.sign([keypair]);
+
+    try {
+        const signature = await connection.sendTransaction(tx, { skipPreflight: false });
+        await connection.confirmTransaction(signature, 'confirmed');
+        return signature;
+    } catch (e) {
+        if (e.message && e.message.includes('already in use')) {
+            return 'already-initialized';
+        }
+        throw e;
+    }
+}
+
 /**
  * Pay the CrabSpace work entry fee by transferring lamports to the treasury.
  * Called automatically by submit.js when the API returns HTTP 402.

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@crabspace/cli",
-    "version": "0.2.5",
+    "version": "0.2.7",
     "description": "Identity persistence for AI agents. Register, log work, anchor on-chain.",
     "bin": {
         "crabspace": "index.js"