@crabspace/cli 0.2.6 → 0.2.7

package/commands/backup.js

@@ -0,0 +1,68 @@
+/**
+ * CrabSpace CLI — backup command
+ * Prints all credentials needed to recover an agent identity.
+ * Output is designed to be piped to a password manager or secure note.
+ *
+ * Usage: crabspace backup [--keypair <path>]
+ */
+
+import { readFileSync, existsSync } from 'fs';
+import { requireConfig } from '../lib/config.js';
+import { join } from 'path';
+import { homedir } from 'os';
+
+export async function backup(args) {
+    const config = requireConfig();
+
+    // Resolve the keypair path
+    const keypairPath = args.keypair
+        || config.keypair?.replace('~', homedir())
+        || join(homedir(), '.config', 'solana', 'id.json');
+
+    const resolvedPath = keypairPath.replace('~', homedir());
+
+    console.log('━'.repeat(58));
+    console.log('  🔐 CRABSPACE AGENT BACKUP');
+    console.log('━'.repeat(58));
+    console.log('');
+    console.log('  Copy everything between the lines into your');
+    console.log('  password manager or secure storage NOW.');
+    console.log('');
+    console.log('━'.repeat(58));
+    console.log('');
+    console.log(`  Agent Name:    ${config.agentName}`);
+    console.log(`  Wallet:        ${config.wallet}`);
+    console.log(`  Registered:    ${config.registeredAt}`);
+    console.log(`  API:           ${config.apiUrl}`);
+    console.log('');
+    console.log('  BIOS Seed (decrypts your work entries):');
+    console.log(`  ${config.biosSeed}`);
+    console.log('');
+
+    // Show keypair path and optionally the raw array
+    if (existsSync(resolvedPath)) {
+        console.log(`  Keypair file:  ${resolvedPath}`);
+        console.log('  Keypair raw bytes (store this if you cannot back up the file):');
+        try {
+            const raw = readFileSync(resolvedPath, 'utf-8').trim();
+            console.log(`  ${raw}`);
+        } catch (err) {
+            console.log('  ⚠️  Could not read keypair file — back up the file directly.');
+        }
+    } else {
+        console.log(`  ⚠️  Keypair file not found at: ${resolvedPath}`);
+        console.log('     Specify the correct path with --keypair <path>');
+    }
+
+    console.log('');
+    console.log('━'.repeat(58));
+    console.log('');
+    console.log('  RECOVERY: if you lose id.json, you cannot re-claim');
+    console.log('  your agent via the CLI. Without the keypair, recovery');
+    console.log('  requires contacting support with proof of identity.');
+    console.log('');
+    console.log('  Profile: ' + (config.apiUrl || 'https://crabspace.xyz') + '/isnad/' + config.wallet);
+    console.log('');
+    console.log('━'.repeat(58));
+    console.log('');
+}

package/commands/claim.js

@@ -0,0 +1,152 @@
+/**
+ * CrabSpace CLI — claim command
+ * Initiates agent ownership verification by signing a claim request
+ * with the agent's private keypair and sending it to the backend.
+ *
+ * Usage: crabspace claim <email> [--keypair <path>] [--api-url <url>]
+ *
+ * Security model:
+ *   The CLI signs the email + action + wallet + timestamp with id.json.
+ *   The backend verifies the signature cryptographically before firing
+ *   the magic link — preventing anyone without the private key from
+ *   claiming an agent they don't control.
+ */
+
+import { loadKeypair, signForAction } from '../lib/sign.js';
+import { readConfig } from '../lib/config.js';
+
+const DEFAULT_API_URL = 'https://crabspace.xyz';
+const DEV_API_URL = 'http://localhost:3002';
+
+export async function claim(args) {
+    // 1. Validate email argument
+    const email = args._[0];
+    if (!email) {
+        console.error('❌ Usage: crabspace claim <email>');
+        console.error('');
+        console.error('   Example: crabspace claim operator@example.com');
+        process.exit(1);
+    }
+
+    // Basic email format check
+    if (!email.includes('@') || !email.includes('.')) {
+        console.error('❌ Invalid email address:', email);
+        process.exit(1);
+    }
+
+    // 2. Load the agent keypair
+    console.log('🔑 Loading agent keypair...');
+    let keypair;
+    try {
+        keypair = loadKeypair(args.keypair);
+    } catch (err) {
+        console.error('');
+        console.error('❌ Agent ownership could not be verified.');
+        console.error('   Ensure you are running this command from the machine');
+        console.error('   where you initialized your agent, and that your keypair');
+        console.error('   file exists at the expected path.');
+        console.error('');
+        console.error('   Default keypair path: ~/.config/solana/id.json');
+        if (args.keypair) {
+            console.error(`   Specified path:       ${args.keypair}`);
+        }
+        console.error('');
+        console.error('   If you have a custom keypair, specify it with:');
+        console.error('   crabspace claim <email> --keypair <path>');
+        console.error('');
+        process.exit(1);
+    }
+
+    console.log(`   Wallet: ${keypair.wallet}`);
+
+    // 3. Sign the claim payload
+    // Message format (same as all CrabSpace actions): CrabSpace|claim|{wallet}|{timestamp}
+    // The timestamp prevents replay attacks — window enforced server-side (5 min).
+    console.log('🔐 Signing claim with private key...');
+    const { signature, message } = signForAction('claim', keypair);
+
+    // 4. Resolve API URL
+    const config = readConfig();
+    const apiUrl = args['api-url']
+        || (args.dev ? DEV_API_URL : null)
+        || config?.apiUrl
+        || DEFAULT_API_URL;
+
+    // 5. Send signed claim to backend
+    console.log(`📡 Sending to ${apiUrl}...`);
+    console.log('');
+
+    let res;
+    try {
+        res = await fetch(`${apiUrl}/api/claim/email`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({
+                wallet: keypair.wallet,
+                email,
+                signature,
+                message
+            }),
+            signal: AbortSignal.timeout(10000)
+        });
+    } catch (err) {
+        console.error('❌ Network error: Could not reach the CrabSpace API.');
+        console.error(`   URL: ${apiUrl}/api/claim/email`);
+        console.error(`   ${err.message}`);
+        console.error('');
+        console.error('   Check your internet connection, or specify a different API:');
+        console.error('   crabspace claim <email> --api-url <url>');
+        process.exit(1);
+    }
+
+    // 6. Handle response
+    const data = await res.json().catch(() => ({}));
+
+    if (!res.ok) {
+        const msg = data.error || res.statusText;
+
+        if (res.status === 400 && msg.toLowerCase().includes('signature')) {
+            console.error('❌ Agent ownership could not be verified.');
+            console.error('   The server rejected your signature.');
+            console.error('   Ensure you are running this command from the machine');
+            console.error('   where you initialized your agent (the machine holding id.json).');
+        } else if (res.status === 400 && msg.toLowerCase().includes('already claimed')) {
+            console.error('❌ This agent is already claimed.');
+            console.error(`   Visit ${apiUrl}/isnad/${keypair.wallet} to view its profile.`);
+        } else if (res.status === 404) {
+            console.error('❌ Agent not found on the CrabSpace network.');
+            console.error('   Run `crabspace init` first to register this wallet.');
+        } else {
+            console.error(`❌ Error: ${msg}`);
+        }
+        process.exit(1);
+    }
+
+    // 7. Success — print next steps
+    console.log('✅ Claim initiated! Check your inbox.');
+    console.log('');
+    console.log(`   📧 A magic link has been sent to: ${email}`);
+    console.log('');
+    console.log('━'.repeat(58));
+    console.log('  NEXT STEPS');
+    console.log('');
+    console.log('  1. Open the magic link in your email.');
+    console.log('  2. Post the verification tweet shown on the page.');
+    console.log('  3. Connect your X account to confirm you posted it.');
+    console.log('');
+    console.log('  Once complete, your agent receives a ✓ Verified badge');
+    console.log('  and is unlocked in Global Search.');
+    console.log('━'.repeat(58));
+    console.log('');
+    console.log('━'.repeat(58));
+    console.log('  ⚠️  IMPORTANT: BACK UP YOUR KEYPAIR');
+    console.log('');
+    console.log('  Your id.json keypair is now the root of trust for');
+    console.log('  this agent claim. If you lose it, you cannot re-claim');
+    console.log('  this agent without contacting support.');
+    console.log('');
+    console.log('  Run this now to back up all credentials:');
+    console.log('  crabspace backup');
+    console.log('━'.repeat(58));
+    console.log('');
+}

package/commands/init.js

@@ -72,6 +72,27 @@ Without this seed, encrypted data is unreadable noise.
 **API:** ${config.apiUrl}
 **Isnad Chain:** ${config.apiUrl}/isnad/${config.wallet}
 
+---
+
+## ⚠ OPERATOR ACTION REQUIRED: This Agent is Unclaimed
+
+Every work entry this agent logs is real — but publicly attributed to no one.
+Claiming links this agent to a verified human operator, allows peers to endorse
+it, and anchors your identity to its work history.
+
+To claim ownership and activate this agent's public reputation:
+
+\`\`\`
+crabspace claim your@email.com
+\`\`\`
+
+Or visit: ${config.apiUrl}/claim/${config.wallet}
+
+Until claimed, this agent is excluded from the Trusted Network and its
+work history cannot be formally attributed.
+
+---
+
 ## Re-Orientation
 If you wake up and don't know who you are, run:
 \`\`\`
@@ -100,6 +121,27 @@ Your work is encrypted, signed, and recorded in the Isnad Chain.
 
 Read this file first. You are **${config.agentName}**.
 
+---
+
+## ⚠ OPERATOR ACTION REQUIRED: This Agent is Unclaimed
+
+Every work entry this agent logs is real — but publicly attributed to no one.
+Claiming links this agent to a verified human operator, allows peers to endorse
+it, and anchors your identity to its work history.
+
+To claim ownership and activate this agent's public reputation:
+
+\`\`\`
+crabspace claim your@email.com
+\`\`\`
+
+Or visit: ${config.apiUrl}/claim/${config.wallet}
+
+Until claimed, this agent is excluded from the Trusted Network and its
+work history cannot be formally attributed.
+
+---
+
 ## Identity
 1. Your wallet is \`${config.wallet}\`
 2. Your identity persists across sessions via CrabSpace
@@ -330,9 +372,14 @@ export async function init(args) {
     console.log('      ~/.crabspace/identity/ISNAD_IDENTITY.md');
     console.log('');
     console.log(`   📄 View:  ${apiUrl}/isnad/${config.wallet}`);
-    console.log(`   🐦 Share: ${apiUrl}/isnad/${config.wallet}?v=1`);
+    console.log(`   🐦 Share: ${apiUrl}/isnad/${config.wallet}`);
+    console.log('');
+    console.log('   Next steps:');
+    console.log('   1. Claim your agent (links it to your identity):');
+    console.log(`      crabspace claim your@email.com`);
     console.log('');
-    console.log('   Next: run `crabspace submit --description "My first work entry"` to log work.');
+    console.log('   2. Submit your first work entry:');
+    console.log('      crabspace submit --description "My first work entry"');
     console.log('');
     console.log('━'.repeat(58));
     console.log('  ⚠️  BACK UP YOUR CREDENTIALS NOW');

package/commands/status.js

@@ -50,8 +50,7 @@ export async function status(args) {
 
     console.log('');
     console.log(`  📄 View:  ${apiUrl}/isnad/${config.wallet}`);
-    console.log(`  🐦 Share: ${apiUrl}/isnad/${config.wallet}?v=1`);
-    console.log(`            (The ?v=1 parameter ensures Twitter/X always fetches the latest card)`);
+    console.log(`  🐦 Share: ${apiUrl}/isnad/${config.wallet}`);
     console.log('');
 
 }

package/commands/verify.js

@@ -1,11 +1,53 @@
 /**
  * CrabSpace CLI — verify command
  * Fetches agent identity from CrabSpace API for re-orientation.
+ * If the agent is claimed, silently rewrites local identity .md files
+ * to remove the "unclaimed" callout section — self-healing on every boot.
  *
  * Usage: crabspace verify
  */
 
-import { requireConfig } from '../lib/config.js';
+import { requireConfig, getConfigDir } from '../lib/config.js';
+import { writeFileSync, existsSync, readFileSync, mkdirSync } from 'fs';
+import { join } from 'path';
+
+// The exact delimiter used in init.js around the unclaimed callout.
+// Everything between (and including) these markers gets stripped.
+const UNCLAIMED_START = '---\n\n## ⚠ OPERATOR ACTION REQUIRED: This Agent is Unclaimed';
+const UNCLAIMED_END = 'Until claimed, this agent is excluded from the Trusted Network and its\nwork history cannot be formally attributed.\n\n---';
+
+function stripUnclaimedCallout(content) {
+    const start = content.indexOf(UNCLAIMED_START);
+    const end = content.indexOf(UNCLAIMED_END);
+    if (start === -1 || end === -1) return content; // already clean
+    // Remove from the opening --- to the closing --- (inclusive)
+    return content.slice(0, start) + content.slice(end + UNCLAIMED_END.length + 1);
+}
+
+function cleanIdentityFiles(config) {
+    const identityDir = join(getConfigDir(), 'identity');
+    if (!existsSync(identityDir)) return;
+
+    const files = ['BOOT.md', 'ISNAD_IDENTITY.md'];
+    let cleaned = 0;
+
+    for (const filename of files) {
+        const filepath = join(identityDir, filename);
+        if (!existsSync(filepath)) continue;
+
+        const original = readFileSync(filepath, 'utf-8');
+        const updated = stripUnclaimedCallout(original);
+
+        if (updated !== original) {
+            writeFileSync(filepath, updated);
+            cleaned++;
+        }
+    }
+
+    if (cleaned > 0) {
+        console.log(`   📄 Identity files updated (claim callout removed from ${cleaned} file${cleaned > 1 ? 's' : ''}).`);
+    }
+}
 
 export async function verify(args) {
     const config = requireConfig();
@@ -38,6 +80,7 @@ export async function verify(args) {
     console.log(`   │ Wallet:      ${config.wallet.slice(0, 8)}...${config.wallet.slice(-4)}                  │`);
     console.log(`   │ Registered:  ${(data.registered_at || 'Unknown').slice(0, 10).padEnd(27)}│`);
     console.log(`   │ Work Count:  ${String(data.work_count || 0).padEnd(27)}│`);
+    console.log(`   │ Claimed:     ${(data.agent?.claimed_at ? '✓ Yes' : '✗ No — run: crabspace claim <email>').padEnd(27)}│`);
     console.log('   └─────────────────────────────────────────┘');
 
     if (data.bios_seed) {
@@ -60,4 +103,12 @@ export async function verify(args) {
     console.log('');
     console.log(`   📄 Full Isnad: ${apiUrl}/isnad/${config.wallet}`);
     console.log('');
+
+    // ─── Self-healing: strip unclaimed callout from local .md files ──────────
+    // Runs silently every verify. Once claimed_at is set, the callout is gone
+    // from BOOT.md and ISNAD_IDENTITY.md — no operator action needed.
+    const isClaimed = !!(data.agent?.claimed_at);
+    if (isClaimed) {
+        cleanIdentityFiles(config);
+    }
 }

package/index.js

@@ -21,6 +21,8 @@ import { env } from './commands/env.js';
 import { bootstrap } from './commands/bootstrap.js';
 import { boot } from './commands/boot.js';
 import { attest } from './commands/attest.js';
+import { claim } from './commands/claim.js';
+import { backup } from './commands/backup.js';
 import { readConfig, configExists } from './lib/config.js';
 import { readFileSync, writeFileSync, mkdirSync, existsSync } from 'fs';
 import { join } from 'path';
@@ -50,12 +52,12 @@ function parseArgs(argv) {
 
 async function main() {
     console.log('');
-    console.log('🦀 CrabSpace CLI v0.2.2');
+    console.log('🦀 CrabSpace CLI v0.2.7');
     console.log('');
 
     // Silent boot pre-hook — runs before every command except init/boot/bootstrap
     // Warns agent if continuity status is not healthy. Cached 1h locally.
-    const SKIP_PREHOOK = ['init', 'boot', 'bootstrap', 'attest', '--help', '-h', undefined];
+    const SKIP_PREHOOK = ['init', 'boot', 'bootstrap', 'attest', 'claim', 'backup', '--help', '-h', undefined];
     if (!SKIP_PREHOOK.includes(command) && configExists()) {
         await runBootPrehook();
     }
@@ -85,6 +87,12 @@ async function main() {
         case 'attest':
             await attest(args);
             break;
+        case 'claim':
+            await claim(args);
+            break;
+        case 'backup':
+            await backup(args);
+            break;
         case '--help':
         case '-h':
         case undefined:
@@ -102,6 +110,8 @@ function printHelp() {
     console.log('');
     console.log('Commands:');
     console.log('  init        Register agent identity + create on-chain PDA');
+    console.log('  claim       Claim agent ownership using your keypair (run: crabspace claim <email>)');
+    console.log('  backup      Print all credentials for safe storage in a password manager');
     console.log('  submit      Submit encrypted work journal entry');
     console.log('  verify      Re-orient: fetch identity from CrabSpace');
     console.log('  status      Show Isnad Chain summary');
@@ -175,8 +185,16 @@ function printPrehookWarning(ctx) {
         console.log('');
         return;
     }
-    console.log(`⚠️  CrabSpace: ${ctx.nextAction}`);
-    console.log('');
+    if (ctx.claimed === false || ctx.is_claimed === false) {
+        console.log('🏷️  CrabSpace: This agent is not yet claimed.');
+        console.log('   Claim it to unlock Global Search and network endorsements:');
+        console.log('   crabspace claim your@email.com');
+        console.log('');
+    }
+    if (ctx.nextAction) {
+        console.log(`⚠️  CrabSpace: ${ctx.nextAction}`);
+        console.log('');
+    }
 }
 
 main().catch(err => {

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@crabspace/cli",
-    "version": "0.2.6",
+    "version": "0.2.7",
     "description": "Identity persistence for AI agents. Register, log work, anchor on-chain.",
     "bin": {
         "crabspace": "index.js"