@cybermem/cli 0.8.5 → 0.8.9

package/dist/commands/dashboard.js

@@ -5,12 +5,8 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.dashboard = dashboard;
 const chalk_1 = __importDefault(require("chalk"));
-const fs_1 = __importDefault(require("fs"));
 const net_1 = __importDefault(require("net"));
 const open_1 = __importDefault(require("open"));
-const os_1 = __importDefault(require("os"));
-const path_1 = __importDefault(require("path"));
-const TOKEN_FILE = path_1.default.join(os_1.default.homedir(), ".cybermem", "token.json");
 const checkPort = (port) => {
     return new Promise((resolve) => {
         const socket = new net_1.default.Socket();
@@ -27,64 +23,32 @@ const checkPort = (port) => {
         });
     });
 };
-/**
- * Get stored token from ~/.cybermem/token.json
- */
-function getStoredToken() {
-    try {
-        if (!fs_1.default.existsSync(TOKEN_FILE))
-            return null;
-        const data = JSON.parse(fs_1.default.readFileSync(TOKEN_FILE, "utf-8"));
-        if (new Date(data.expires_at) < new Date()) {
-            console.warn(chalk_1.default.yellow("Token expired. Run: cybermem-cli login"));
-            return null;
-        }
-        return data.access_token;
-    }
-    catch {
-        return null;
-    }
-}
 async function dashboard(options) {
     console.log(chalk_1.default.blue("Checking CyberMem stack status..."));
-    const [dashboardUp, prometheusUp] = await Promise.all([
+    const [dashboardUp, dbExporterUp] = await Promise.all([
         checkPort(3000),
-        checkPort(9092),
+        checkPort(8000),
     ]);
     if (!dashboardUp) {
         console.error(chalk_1.default.red("❌ Dashboard is NOT running on port 3000."));
-        console.log(chalk_1.default.yellow("Run 'cybermem up' or 'cd packages/dashboard && npm run dev' to start it."));
+        console.log(chalk_1.default.yellow("Run 'npx @cybermem/cli init' to start the stack."));
     }
     else {
         console.log(chalk_1.default.green("✅ Dashboard is running on port 3000."));
     }
-    if (!prometheusUp) {
-        console.warn(chalk_1.default.yellow("⚠️  Prometheus is NOT running on port 9092."));
-        console.warn(chalk_1.default.gray("   Charts will be empty. Run 'cybermem up' or 'docker-compose up' to enable metrics."));
+    if (!dbExporterUp) {
+        console.warn(chalk_1.default.yellow("⚠️  db-exporter is NOT running on port 8000."));
+        console.warn(chalk_1.default.gray("   API may not be available. Run 'docker-compose up -d' to start services."));
     }
     else {
-        console.log(chalk_1.default.green("✅ Prometheus is running on port 9092."));
+        console.log(chalk_1.default.green("✅ db-exporter is running on port 8000."));
     }
     if (dashboardUp) {
         console.log(chalk_1.default.blue("\nOpening dashboard..."));
         await (0, open_1.default)("http://localhost:3000");
     }
     else {
-        // Try remote dashboard if local isn't up
-        const token = getStoredToken();
-        if (token) {
-            // Check for remote URL from environment or config
-            const remoteUrl = process.env.CYBERMEM_DASHBOARD_URL;
-            if (remoteUrl) {
-                console.log(chalk_1.default.blue("\nOpening remote dashboard..."));
-                await (0, open_1.default)(`${remoteUrl}/api/auth/token?token=${token}`);
-            }
-            else {
-                console.log(chalk_1.default.gray("\nTip: Set CYBERMEM_DASHBOARD_URL to open remote dashboard."));
-            }
-        }
-        else {
-            console.log(chalk_1.default.gray("\nTip: Run 'cybermem-cli login' to enable remote access."));
-        }
+        console.log(chalk_1.default.gray("\nTip: Access remote dashboard at http://<your-server>:3000"));
+        console.log(chalk_1.default.gray("     Copy your access token from Settings to connect."));
     }
 }

package/dist/commands/init.js

@@ -1,4 +1,37 @@
 "use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
 var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
@@ -11,6 +44,23 @@ const fs_1 = __importDefault(require("fs"));
 const inquirer_1 = __importDefault(require("inquirer"));
 const os_1 = __importDefault(require("os"));
 const path_1 = __importDefault(require("path"));
+// Hash token using PBKDF2 (built-in, no bcrypt dependency)
+async function hashToken(token) {
+    return new Promise((resolve, reject) => {
+        // Use a fixed salt prefix for deterministic validation
+        const salt = crypto_1.default
+            .createHash("sha256")
+            .update("cybermem-salt-v1")
+            .digest("hex")
+            .slice(0, 16);
+        crypto_1.default.pbkdf2(token, salt, 100000, 64, "sha512", (err, key) => {
+            if (err)
+                reject(err);
+            else
+                resolve(key.toString("hex"));
+        });
+    });
+}
 async function init(options) {
     // Determine target from flags
     let target = "local";
@@ -80,13 +130,76 @@ async function init(options) {
                     OM_API_KEY: "",
                 },
             });
-            console.log(chalk_1.default.green("\n🎉 CyberMem Installed!"));
-            console.log("");
-            console.log(chalk_1.default.bold("Next Steps:"));
-            console.log(`  1. Open ${chalk_1.default.underline("http://localhost:3000/client-connect")} to connect your MCP clients`);
-            console.log(`  2. Default password: ${chalk_1.default.bold("admin")} (you'll be prompted to change it)`);
-            console.log("");
-            console.log(chalk_1.default.dim("Local mode is active: No API key required for connections from this laptop."));
+            // Generate access token and store hash in SQLite
+            const accessToken = `sk-${crypto_1.default.randomBytes(24).toString("base64url")}`;
+            const bcryptHash = await hashToken(accessToken);
+            const dbPath = path_1.default.join(dataDir, "openmemory.sqlite");
+            // Wait for SQLite DB to be created by MCP server
+            console.log(chalk_1.default.blue("Initializing access token..."));
+            await new Promise((resolve) => setTimeout(resolve, 3000));
+            // Check if token already exists
+            try {
+                const sqlite3 = await Promise.resolve().then(() => __importStar(require("sqlite3")));
+                const db = new sqlite3.default.Database(dbPath);
+                // Create table if not exists (in case MCP hasn't run yet)
+                db.run(`CREATE TABLE IF NOT EXISTS access_keys (
+          id TEXT PRIMARY KEY DEFAULT (lower(hex(randomblob(16)))),
+          key_hash TEXT NOT NULL,
+          name TEXT DEFAULT 'default',
+          user_id TEXT DEFAULT 'default',
+          created_at TEXT DEFAULT (datetime('now')),
+          last_used_at TEXT,
+          is_active INTEGER DEFAULT 1
+        );`);
+                // Check for existing key
+                db.get("SELECT COUNT(*) as count FROM access_keys WHERE is_active = 1", [], (err, row) => {
+                    if (err || (row && row.count > 0)) {
+                        db.close();
+                        // Token exists, don't regenerate
+                        console.log(chalk_1.default.gray("Access token already configured."));
+                        printSuccessMessage(false);
+                        return;
+                    }
+                    // Insert new key
+                    db.run("INSERT INTO access_keys (id, key_hash, name, user_id) VALUES (?, ?, ?, ?)", [
+                        crypto_1.default.randomBytes(8).toString("hex"),
+                        bcryptHash,
+                        "default",
+                        "default",
+                    ], (err) => {
+                        db.close();
+                        if (err) {
+                            console.warn(chalk_1.default.yellow("Could not store access token: " + err.message));
+                            printSuccessMessage(false);
+                        }
+                        else {
+                            printSuccessMessage(true, accessToken);
+                        }
+                    });
+                });
+            }
+            catch (e) {
+                console.warn(chalk_1.default.yellow("Could not initialize access token: " + e.message));
+                console.log(chalk_1.default.gray("You can generate a token from the Dashboard Settings."));
+                printSuccessMessage(false);
+            }
+            function printSuccessMessage(showToken, token) {
+                console.log(chalk_1.default.green("\n🎉 CyberMem Installed!"));
+                console.log("");
+                if (showToken && token) {
+                    console.log(chalk_1.default.bold("⚡ Your Access Token (save this!):"));
+                    console.log(chalk_1.default.cyan.bold(`   ${token}`));
+                    console.log("");
+                    console.log(chalk_1.default.gray("   Use this token to connect MCP clients from other devices."));
+                    console.log(chalk_1.default.gray("   You can regenerate it from Dashboard Settings."));
+                    console.log("");
+                }
+                console.log(chalk_1.default.bold("Next Steps:"));
+                console.log(`  1. Open ${chalk_1.default.underline("http://localhost:3000/client-setup")} to connect your MCP clients`);
+                console.log(`  2. Local access is auto-authenticated (no token needed on localhost)`);
+                console.log("");
+                console.log(chalk_1.default.dim("Local mode is active: No auth required for connections from this device."));
+            }
         }
         else if (target === "rpi" || target === "vps") {
             const composeFile = path_1.default.join(templateDir, "docker-compose.yml");

package/dist/commands/reset.js

@@ -8,32 +8,43 @@ const chalk_1 = __importDefault(require("chalk"));
 const child_process_1 = require("child_process");
 const ora_1 = __importDefault(require("ora"));
 async function reset() {
-    const spinner = (0, ora_1.default)('Resetting CyberMem database...').start();
+    // ⚠️ PRODUCTION PROTECTION - Never wipe RPi database
+    const cyberMemEnv = process.env.CYBERMEM_ENV || "";
+    const hostname = process.env.HOSTNAME || "";
+    if (cyberMemEnv === "production" || hostname.includes("raspberrypi")) {
+        console.error(chalk_1.default.red("❌ BLOCKED: Cannot reset database in production environment!"));
+        console.error(chalk_1.default.yellow("   CYBERMEM_ENV=" + cyberMemEnv + ", HOSTNAME=" + hostname));
+        console.error(chalk_1.default.gray("   Use npx @cybermem/cli backup first, then manually clear if needed."));
+        process.exit(1);
+    }
+    const spinner = (0, ora_1.default)("Resetting CyberMem database...").start();
     try {
-        const containerName = 'cybermem-mcp';
+        const containerName = "cybermem-mcp";
         // Check if container exists
         try {
-            (0, child_process_1.execSync)(`docker inspect ${containerName}`, { stdio: 'pipe' });
+            (0, child_process_1.execSync)(`docker inspect ${containerName}`, { stdio: "pipe" });
         }
         catch {
-            spinner.fail('Container not found. Is CyberMem running?');
+            spinner.fail("Container not found. Is CyberMem running?");
             process.exit(1);
         }
         // Remove SQLite files
-        spinner.text = 'Removing database files...';
+        spinner.text = "Removing database files...";
         (0, child_process_1.execSync)(`docker exec ${containerName} sh -c 'rm -f /data/openmemory.sqlite*'`, {
-            stdio: 'pipe'
+            stdio: "pipe",
         });
         // Restart container
-        spinner.text = 'Restarting container...';
-        (0, child_process_1.execSync)(`docker restart ${containerName}`, { stdio: 'pipe' });
+        spinner.text = "Restarting container...";
+        (0, child_process_1.execSync)(`docker restart ${containerName}`, { stdio: "pipe" });
         // Wait for health
-        spinner.text = 'Waiting for health check...';
+        spinner.text = "Waiting for health check...";
         let healthy = false;
         for (let i = 0; i < 30; i++) {
-            await new Promise(r => setTimeout(r, 2000));
+            await new Promise((r) => setTimeout(r, 2000));
             try {
-                (0, child_process_1.execSync)('curl -s http://localhost:8626/health | grep -q ok', { stdio: 'pipe' });
+                (0, child_process_1.execSync)("curl -s http://localhost:8626/health | grep -q ok", {
+                    stdio: "pipe",
+                });
                 healthy = true;
                 break;
             }
@@ -42,19 +53,21 @@ async function reset() {
             }
         }
         if (!healthy) {
-            spinner.fail('Container failed to become healthy');
+            spinner.fail("Container failed to become healthy");
             process.exit(1);
         }
         // Restart exporters
-        spinner.text = 'Restarting exporters...';
+        spinner.text = "Restarting exporters...";
         try {
-            (0, child_process_1.execSync)('docker restart cybermem-log-exporter cybermem-db-exporter', { stdio: 'pipe' });
+            (0, child_process_1.execSync)("docker restart cybermem-log-exporter cybermem-db-exporter", {
+                stdio: "pipe",
+            });
         }
         catch {
             // Exporters may not exist
         }
-        spinner.succeed(chalk_1.default.green('Database reset successfully!'));
-        console.log(chalk_1.default.gray('  All memories have been deleted.'));
+        spinner.succeed(chalk_1.default.green("Database reset successfully!"));
+        console.log(chalk_1.default.gray("  All memories have been deleted."));
     }
     catch (error) {
         spinner.fail(`Reset failed: ${error.message}`);

package/dist/index.js

@@ -5,7 +5,6 @@ const commander_1 = require("commander");
 const backup_1 = require("./commands/backup");
 const dashboard_1 = require("./commands/dashboard");
 const init_1 = require("./commands/init");
-const login_1 = require("./commands/login");
 const reset_1 = require("./commands/reset");
 const restore_1 = require("./commands/restore");
 const upgrade_1 = require("./commands/upgrade");
@@ -14,11 +13,6 @@ program
     .name("mcp")
     .description("CyberMem - Deploy your AI memory server in one command")
     .version("1.0.0");
-// Command: Login
-program
-    .command("login")
-    .description("Login to CyberMem via GitHub (OAuth)")
-    .action(login_1.login);
 // Command: Init (formerly deploy)
 program
     .command("init")

package/dist/templates/auth-sidecar/Dockerfile

@@ -1,5 +1,17 @@
-FROM node:20-alpine
+# Builder stage for native modules
+FROM node:20-alpine AS builder
 WORKDIR /app
+RUN apk add --no-cache python3 make g++
+COPY package.json ./
+RUN npm install
+
+# Production stage
+FROM node:20-alpine AS runner
+WORKDIR /app
+RUN apk add --no-cache libc6-compat
+COPY --from=builder /app/node_modules ./node_modules
 COPY server.js .
+COPY package.json .
+
 EXPOSE 3001
 CMD ["node", "server.js"]

package/dist/templates/auth-sidecar/package.json

@@ -0,0 +1,9 @@
+{
+  "name": "cybermem-auth-sidecar",
+  "version": "0.1.0",
+  "description": "Auth sidecar for CyberMem",
+  "main": "server.js",
+  "dependencies": {
+    "sqlite3": "5.1.7"
+  }
+}

package/dist/templates/auth-sidecar/server.js

@@ -2,98 +2,95 @@
  * CyberMem Auth Sidecar
  *
  * ForwardAuth service for Traefik that validates:
- * 1. JWT tokens (RS256) with embedded public key
- * 2. API keys (X-API-Key header) - deprecated fallback
- * 3. Local requests (localhost bypass)
+ * 1. Bearer tokens (sk-xxx) against SQLite access_keys table
+ * 2. Local requests bypass (localhost, *.local domains)
  *
- * NO SECRETS REQUIRED - public key is embedded.
+ * NO EXTERNAL DEPENDENCIES - uses built-in crypto and sqlite3.
  */
 
 const http = require("http");
-const fs = require("fs");
 const crypto = require("crypto");
+const path = require("path");
 
 const PORT = process.env.PORT || 3001;
-const API_KEY_FILE = process.env.API_KEY_FILE || "/.env";
-
-// RSA Public Key for JWT verification (embedded - no secrets!)
-const PUBLIC_KEY = `-----BEGIN PUBLIC KEY-----
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkrWPslHt+dcX/lckX4mw
-AaI4koCqn7NqEkTtuyJuzFv969Da0ghhWdTIRR6H8pYfsTtqtX2UAZox8i5IJ9t9
-JS8nBfbL2fFiuEz51LMNKMSLw7j2dJT/g5iIdT64LyJZ/9+kLMXC
-EBWPIyEvx4GMzKSf2L+jNaUY/0J8n/JNAbKtIplKtfOU/tNWuoZfcj3SnoxrmApN
-Xw+LsE26EM2Gq7MKLQf3r3GUIm2dBgs7XUNJRiezrPgFzekiaiDyFsNhhk1jkx2I
-ljQgSslGQ4dODE73KB07b0Qi7zPWAtGlCyDQD5RLICzht1mMENta7x+TlPJfDv8g
-XeEmW5ihAgMBAAE=
------END PUBLIC KEY-----`;
-
-// Load API key from file (deprecated fallback)
-function loadApiKey() {
-  try {
-    const content = fs.readFileSync(API_KEY_FILE, "utf-8");
-    const match = content.match(/OM_API_KEY=(.+)/);
-    return match ? match[1].trim() : null;
-  } catch {
-    return null;
-  }
+const DB_PATH = process.env.OM_DB_PATH || "/data/openmemory.sqlite";
+
+// Hash token using same PBKDF2 as CLI (for verification)
+function hashToken(token) {
+  return new Promise((resolve, reject) => {
+    const salt = crypto
+      .createHash("sha256")
+      .update("cybermem-salt-v1")
+      .digest("hex")
+      .slice(0, 16);
+    crypto.pbkdf2(token, salt, 100000, 64, "sha512", (err, key) => {
+      if (err) reject(err);
+      else resolve(key.toString("hex"));
+    });
+  });
 }
 
-// RS256 JWT validation
-function validateJwt(token) {
+// Verify token against SQLite access_keys table
+async function verifyToken(token) {
   try {
-    const parts = token.split(".");
-    if (parts.length !== 3) return null;
-
-    const [headerB64, payloadB64, signatureB64] = parts;
-
-    // Decode header to check algorithm
-    const header = JSON.parse(Buffer.from(headerB64, "base64url").toString());
-    if (header.alg !== "RS256") {
-      console.log("JWT: unsupported algorithm", header.alg);
-      return null;
-    }
-
-    // Verify RS256 signature
-    const data = `${headerB64}.${payloadB64}`;
-    const signature = Buffer.from(signatureB64, "base64url");
-
-    const verify = crypto.createVerify("RSA-SHA256");
-    verify.update(data);
-
-    if (!verify.verify(PUBLIC_KEY, signature)) {
-      console.log("JWT: signature verification failed");
-      return null;
-    }
-
-    // Decode payload
-    const payload = JSON.parse(Buffer.from(payloadB64, "base64url").toString());
-
-    // Check expiration
-    if (payload.exp && payload.exp < Date.now() / 1000) {
-      console.log("JWT: token expired");
-      return null;
-    }
-
-    // Check issuer
-    if (payload.iss !== "cybermem.dev") {
-      console.log("JWT: invalid issuer", payload.iss);
-      return null;
-    }
-
-    return payload;
+    const sqlite3 = require("sqlite3").verbose();
+    const db = new sqlite3.Database(DB_PATH);
+
+    const tokenHash = await hashToken(token);
+
+    return new Promise((resolve, reject) => {
+      db.get(
+        "SELECT user_id, name FROM access_keys WHERE key_hash = ? AND is_active = 1",
+        [tokenHash],
+        (err, row) => {
+          db.close();
+          if (err) {
+            console.log("DB error:", err.message);
+            resolve(null);
+          } else if (row) {
+            // Update last_used_at
+            const updateDb = new sqlite3.Database(DB_PATH);
+            updateDb.run(
+              "UPDATE access_keys SET last_used_at = datetime('now') WHERE key_hash = ?",
+              [tokenHash],
+            );
+            updateDb.close();
+            resolve({ userId: row.user_id, name: row.name });
+          } else {
+            resolve(null);
+          }
+        },
+      );
+    });
   } catch (err) {
-    console.log("JWT validation error:", err.message);
+    console.log("Token verification error:", err.message);
     return null;
   }
 }
 
-// Check if request is from localhost
+// Check if request is from localhost or local network
 function isLocalRequest(req) {
   const forwarded = req.headers["x-forwarded-for"];
   const realIp = req.headers["x-real-ip"];
-  const ip = forwarded?.split(",")[0] || realIp || req.socket.remoteAddress;
-
-  return ip === "127.0.0.1" || ip === "::1" || ip === "localhost";
+  const host = req.headers["x-forwarded-host"] || req.headers["host"] || "";
+  const ip =
+    forwarded?.split(",")[0]?.trim() || realIp || req.socket.remoteAddress;
+
+  // IP-based local check
+  const isLocalIp =
+    ip === "127.0.0.1" ||
+    ip === "::1" ||
+    ip === "::ffff:127.0.0.1" ||
+    ip === "localhost";
+
+  // Host-based local check (raspberrypi.local, localhost, *.local)
+  const isLocalHost =
+    host.includes("localhost") ||
+    host.includes("127.0.0.1") ||
+    host.includes("raspberrypi.local") ||
+    host.match(/\.local(:\d+)?$/);
+
+  return isLocalIp || isLocalHost;
 }
 
 // ForwardAuth handler
@@ -101,111 +98,73 @@ const server = http.createServer(async (req, res) => {
   // Health check
   if (req.url === "/health") {
     res.writeHead(200, { "Content-Type": "application/json" });
-    res.end(JSON.stringify({ status: "ok" }));
+    res.end(JSON.stringify({ status: "ok", mode: "token-auth" }));
     return;
   }
 
   const authHeader = req.headers["authorization"];
   const apiKeyHeader = req.headers["x-api-key"];
 
-  // 1. Check Bearer token (JWT or API Key)
+  // 1. Local bypass - no auth required for localhost
+  if (isLocalRequest(req)) {
+    console.log("Auth OK: Local bypass");
+    res.writeHead(200, {
+      "X-Auth-Method": "local",
+      "X-User-Id": "local",
+    });
+    res.end();
+    return;
+  }
+
+  // 2. Check Bearer token (sk-xxx format)
   if (authHeader?.startsWith("Bearer ")) {
     const token = authHeader.substring(7);
 
-    // 1a. Check if Bearer token is actually an API key (MCP clients like Claude Desktop)
-    const expectedKey = loadApiKey();
-    if (expectedKey && token === expectedKey) {
-      console.log("Auth OK: Bearer API Key");
-      res.writeHead(200, {
-        "X-Auth-Method": "bearer-api-key",
-      });
-      res.end();
-      return;
-    }
-
-    // 1b. Try JWT RS256 validation
-    const payload = validateJwt(token);
+    if (token.startsWith("sk-")) {
+      const result = await verifyToken(token);
 
-    if (payload) {
-      console.log(`Auth OK: JWT (${payload.email || payload.sub})`);
-      res.writeHead(200, {
-        "X-User-Id": payload.sub || "",
-        "X-User-Email": payload.email || "",
-        "X-User-Name": payload.name || "",
-        "X-Auth-Method": "jwt",
-      });
-      res.end();
-      return;
-    }
-
-    // 1c. Try GitHub OAuth token verification
-    try {
-      const https = require("https");
-      const ghRes = await new Promise((resolve, reject) => {
-        const req = https.get(
-          "https://api.github.com/user",
-          {
-            headers: {
-              Authorization: `Bearer ${token}`,
-              "User-Agent": "CyberMem-Auth-Sidecar/1.0",
-              Accept: "application/vnd.github+json",
-            },
-          },
-          (res) => {
-            let data = "";
-            res.on("data", (chunk) => (data += chunk));
-            res.on("end", () => resolve({ status: res.statusCode, data }));
-          },
-        );
-        req.on("error", reject);
-        req.end();
-      });
-
-      if (ghRes.status === 200) {
-        const user = JSON.parse(ghRes.data);
-        console.log(`Auth OK: GitHub OAuth (${user.login})`);
+      if (result) {
+        console.log(`Auth OK: Token (${result.name || result.userId})`);
         res.writeHead(200, {
-          "X-User-Id": String(user.id),
-          "X-User-Email": user.email || "",
-          "X-User-Name": user.login,
-          "X-Auth-Method": "github-oauth",
+          "X-User-Id": result.userId,
+          "X-Auth-Method": "token",
+          "X-Token-Name": result.name || "",
         });
         res.end();
         return;
       }
-    } catch (err) {
-      // GitHub verification failed, continue to other methods
     }
   }
 
-  // 2. Check API Key (deprecated fallback)
-  const expectedKey = loadApiKey();
-  if (apiKeyHeader && expectedKey && apiKeyHeader === expectedKey) {
-    console.log("Auth OK: API Key (deprecated)");
-    res.writeHead(200, {
-      "X-Auth-Method": "api-key",
-      "X-Auth-Deprecated": "true",
-    });
-    res.end();
-    return;
-  }
+  // 3. Check X-API-Key header (sk-xxx format)
+  if (apiKeyHeader?.startsWith("sk-")) {
+    const result = await verifyToken(apiKeyHeader);
 
-  // 3. Local bypass (development)
-  if (isLocalRequest(req)) {
-    console.log("Auth OK: Local bypass");
-    res.writeHead(200, {
-      "X-Auth-Method": "local",
-    });
-    res.end();
-    return;
+    if (result) {
+      console.log(`Auth OK: API-Key Header (${result.name || result.userId})`);
+      res.writeHead(200, {
+        "X-User-Id": result.userId,
+        "X-Auth-Method": "api-key",
+        "X-Token-Name": result.name || "",
+      });
+      res.end();
+      return;
+    }
   }
 
   // 4. Unauthorized
-  console.log("Auth FAILED: No valid credentials");
+  console.log("Auth FAILED: No valid token");
   res.writeHead(401, { "Content-Type": "application/json" });
-  res.end(JSON.stringify({ error: "Unauthorized" }));
+  res.end(
+    JSON.stringify({
+      error: "Unauthorized",
+      message:
+        "Valid access token required. Get your token from Dashboard Settings.",
+    }),
+  );
 });
 
 server.listen(PORT, () => {
-  console.log(`Auth sidecar (RS256) listening on port ${PORT}`);
+  console.log(`Auth sidecar (token-auth) listening on port ${PORT}`);
+  console.log(`DB path: ${DB_PATH}`);
 });

package/dist/templates/docker-compose.yml

@@ -79,9 +79,11 @@ services:
     container_name: cybermem-auth-sidecar
     environment:
       PORT: "3001"
+      OM_DB_PATH: /data/openmemory.sqlite
       API_KEY_FILE: /.env
     volumes:
       - ${CYBERMEM_ENV_PATH:-${HOME}/.cybermem/.env}:/.env:ro
+      - ${HOME}/.cybermem/data:/data:ro
     labels:
       - traefik.enable=true
     healthcheck:
@@ -173,6 +175,8 @@ services:
       CYBERMEM_URL: http://mcp-server:8080
       OM_DB_PATH: /data/openmemory.sqlite
       OM_API_KEY: ${OM_API_KEY:-dev-secret-key}
+      # Tailscale domain for remote config (optional, auto-detected if not set)
+      TAILSCALE_DOMAIN: ${TAILSCALE_DOMAIN:-}
     ports:
       - "3000:3000"
     volumes:

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cybermem/cli",
-  "version": "0.8.5",
+  "version": "0.8.9",
   "description": "CyberMem — Universal Long-Term Memory for AI Agents",
   "homepage": "https://cybermem.dev",
   "repository": {

package/templates/auth-sidecar/Dockerfile

@@ -1,5 +1,17 @@
-FROM node:20-alpine
+# Builder stage for native modules
+FROM node:20-alpine AS builder
 WORKDIR /app
+RUN apk add --no-cache python3 make g++
+COPY package.json ./
+RUN npm install
+
+# Production stage
+FROM node:20-alpine AS runner
+WORKDIR /app
+RUN apk add --no-cache libc6-compat
+COPY --from=builder /app/node_modules ./node_modules
 COPY server.js .
+COPY package.json .
+
 EXPOSE 3001
 CMD ["node", "server.js"]

package/templates/auth-sidecar/package.json

@@ -0,0 +1,9 @@
+{
+  "name": "cybermem-auth-sidecar",
+  "version": "0.1.0",
+  "description": "Auth sidecar for CyberMem",
+  "main": "server.js",
+  "dependencies": {
+    "sqlite3": "5.1.7"
+  }
+}

package/templates/auth-sidecar/server.js

@@ -2,98 +2,95 @@
  * CyberMem Auth Sidecar
  *
  * ForwardAuth service for Traefik that validates:
- * 1. JWT tokens (RS256) with embedded public key
- * 2. API keys (X-API-Key header) - deprecated fallback
- * 3. Local requests (localhost bypass)
+ * 1. Bearer tokens (sk-xxx) against SQLite access_keys table
+ * 2. Local requests bypass (localhost, *.local domains)
  *
- * NO SECRETS REQUIRED - public key is embedded.
+ * NO EXTERNAL DEPENDENCIES - uses built-in crypto and sqlite3.
  */
 
 const http = require("http");
-const fs = require("fs");
 const crypto = require("crypto");
+const path = require("path");
 
 const PORT = process.env.PORT || 3001;
-const API_KEY_FILE = process.env.API_KEY_FILE || "/.env";
-
-// RSA Public Key for JWT verification (embedded - no secrets!)
-const PUBLIC_KEY = `-----BEGIN PUBLIC KEY-----
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkrWPslHt+dcX/lckX4mw
-AaI4koCqn7NqEkTtuyJuzFv969Da0ghhWdTIRR6H8pYfsTtqtX2UAZox8i5IJ9t9
-JS8nBfbL2fFiuEz51LMNKMSLw7j2dJT/g5iIdT64LyJZ/9+kLMXC
-EBWPIyEvx4GMzKSf2L+jNaUY/0J8n/JNAbKtIplKtfOU/tNWuoZfcj3SnoxrmApN
-Xw+LsE26EM2Gq7MKLQf3r3GUIm2dBgs7XUNJRiezrPgFzekiaiDyFsNhhk1jkx2I
-ljQgSslGQ4dODE73KB07b0Qi7zPWAtGlCyDQD5RLICzht1mMENta7x+TlPJfDv8g
-XeEmW5ihAgMBAAE=
------END PUBLIC KEY-----`;
-
-// Load API key from file (deprecated fallback)
-function loadApiKey() {
-  try {
-    const content = fs.readFileSync(API_KEY_FILE, "utf-8");
-    const match = content.match(/OM_API_KEY=(.+)/);
-    return match ? match[1].trim() : null;
-  } catch {
-    return null;
-  }
+const DB_PATH = process.env.OM_DB_PATH || "/data/openmemory.sqlite";
+
+// Hash token using same PBKDF2 as CLI (for verification)
+function hashToken(token) {
+  return new Promise((resolve, reject) => {
+    const salt = crypto
+      .createHash("sha256")
+      .update("cybermem-salt-v1")
+      .digest("hex")
+      .slice(0, 16);
+    crypto.pbkdf2(token, salt, 100000, 64, "sha512", (err, key) => {
+      if (err) reject(err);
+      else resolve(key.toString("hex"));
+    });
+  });
 }
 
-// RS256 JWT validation
-function validateJwt(token) {
+// Verify token against SQLite access_keys table
+async function verifyToken(token) {
   try {
-    const parts = token.split(".");
-    if (parts.length !== 3) return null;
-
-    const [headerB64, payloadB64, signatureB64] = parts;
-
-    // Decode header to check algorithm
-    const header = JSON.parse(Buffer.from(headerB64, "base64url").toString());
-    if (header.alg !== "RS256") {
-      console.log("JWT: unsupported algorithm", header.alg);
-      return null;
-    }
-
-    // Verify RS256 signature
-    const data = `${headerB64}.${payloadB64}`;
-    const signature = Buffer.from(signatureB64, "base64url");
-
-    const verify = crypto.createVerify("RSA-SHA256");
-    verify.update(data);
-
-    if (!verify.verify(PUBLIC_KEY, signature)) {
-      console.log("JWT: signature verification failed");
-      return null;
-    }
-
-    // Decode payload
-    const payload = JSON.parse(Buffer.from(payloadB64, "base64url").toString());
-
-    // Check expiration
-    if (payload.exp && payload.exp < Date.now() / 1000) {
-      console.log("JWT: token expired");
-      return null;
-    }
-
-    // Check issuer
-    if (payload.iss !== "cybermem.dev") {
-      console.log("JWT: invalid issuer", payload.iss);
-      return null;
-    }
-
-    return payload;
+    const sqlite3 = require("sqlite3").verbose();
+    const db = new sqlite3.Database(DB_PATH);
+
+    const tokenHash = await hashToken(token);
+
+    return new Promise((resolve, reject) => {
+      db.get(
+        "SELECT user_id, name FROM access_keys WHERE key_hash = ? AND is_active = 1",
+        [tokenHash],
+        (err, row) => {
+          db.close();
+          if (err) {
+            console.log("DB error:", err.message);
+            resolve(null);
+          } else if (row) {
+            // Update last_used_at
+            const updateDb = new sqlite3.Database(DB_PATH);
+            updateDb.run(
+              "UPDATE access_keys SET last_used_at = datetime('now') WHERE key_hash = ?",
+              [tokenHash],
+            );
+            updateDb.close();
+            resolve({ userId: row.user_id, name: row.name });
+          } else {
+            resolve(null);
+          }
+        },
+      );
+    });
   } catch (err) {
-    console.log("JWT validation error:", err.message);
+    console.log("Token verification error:", err.message);
     return null;
   }
 }
 
-// Check if request is from localhost
+// Check if request is from localhost or local network
 function isLocalRequest(req) {
   const forwarded = req.headers["x-forwarded-for"];
   const realIp = req.headers["x-real-ip"];
-  const ip = forwarded?.split(",")[0] || realIp || req.socket.remoteAddress;
-
-  return ip === "127.0.0.1" || ip === "::1" || ip === "localhost";
+  const host = req.headers["x-forwarded-host"] || req.headers["host"] || "";
+  const ip =
+    forwarded?.split(",")[0]?.trim() || realIp || req.socket.remoteAddress;
+
+  // IP-based local check
+  const isLocalIp =
+    ip === "127.0.0.1" ||
+    ip === "::1" ||
+    ip === "::ffff:127.0.0.1" ||
+    ip === "localhost";
+
+  // Host-based local check (raspberrypi.local, localhost, *.local)
+  const isLocalHost =
+    host.includes("localhost") ||
+    host.includes("127.0.0.1") ||
+    host.includes("raspberrypi.local") ||
+    host.match(/\.local(:\d+)?$/);
+
+  return isLocalIp || isLocalHost;
 }
 
 // ForwardAuth handler
@@ -101,111 +98,73 @@ const server = http.createServer(async (req, res) => {
   // Health check
   if (req.url === "/health") {
     res.writeHead(200, { "Content-Type": "application/json" });
-    res.end(JSON.stringify({ status: "ok" }));
+    res.end(JSON.stringify({ status: "ok", mode: "token-auth" }));
     return;
   }
 
   const authHeader = req.headers["authorization"];
   const apiKeyHeader = req.headers["x-api-key"];
 
-  // 1. Check Bearer token (JWT or API Key)
+  // 1. Local bypass - no auth required for localhost
+  if (isLocalRequest(req)) {
+    console.log("Auth OK: Local bypass");
+    res.writeHead(200, {
+      "X-Auth-Method": "local",
+      "X-User-Id": "local",
+    });
+    res.end();
+    return;
+  }
+
+  // 2. Check Bearer token (sk-xxx format)
   if (authHeader?.startsWith("Bearer ")) {
     const token = authHeader.substring(7);
 
-    // 1a. Check if Bearer token is actually an API key (MCP clients like Claude Desktop)
-    const expectedKey = loadApiKey();
-    if (expectedKey && token === expectedKey) {
-      console.log("Auth OK: Bearer API Key");
-      res.writeHead(200, {
-        "X-Auth-Method": "bearer-api-key",
-      });
-      res.end();
-      return;
-    }
-
-    // 1b. Try JWT RS256 validation
-    const payload = validateJwt(token);
+    if (token.startsWith("sk-")) {
+      const result = await verifyToken(token);
 
-    if (payload) {
-      console.log(`Auth OK: JWT (${payload.email || payload.sub})`);
-      res.writeHead(200, {
-        "X-User-Id": payload.sub || "",
-        "X-User-Email": payload.email || "",
-        "X-User-Name": payload.name || "",
-        "X-Auth-Method": "jwt",
-      });
-      res.end();
-      return;
-    }
-
-    // 1c. Try GitHub OAuth token verification
-    try {
-      const https = require("https");
-      const ghRes = await new Promise((resolve, reject) => {
-        const req = https.get(
-          "https://api.github.com/user",
-          {
-            headers: {
-              Authorization: `Bearer ${token}`,
-              "User-Agent": "CyberMem-Auth-Sidecar/1.0",
-              Accept: "application/vnd.github+json",
-            },
-          },
-          (res) => {
-            let data = "";
-            res.on("data", (chunk) => (data += chunk));
-            res.on("end", () => resolve({ status: res.statusCode, data }));
-          },
-        );
-        req.on("error", reject);
-        req.end();
-      });
-
-      if (ghRes.status === 200) {
-        const user = JSON.parse(ghRes.data);
-        console.log(`Auth OK: GitHub OAuth (${user.login})`);
+      if (result) {
+        console.log(`Auth OK: Token (${result.name || result.userId})`);
         res.writeHead(200, {
-          "X-User-Id": String(user.id),
-          "X-User-Email": user.email || "",
-          "X-User-Name": user.login,
-          "X-Auth-Method": "github-oauth",
+          "X-User-Id": result.userId,
+          "X-Auth-Method": "token",
+          "X-Token-Name": result.name || "",
         });
         res.end();
         return;
       }
-    } catch (err) {
-      // GitHub verification failed, continue to other methods
     }
   }
 
-  // 2. Check API Key (deprecated fallback)
-  const expectedKey = loadApiKey();
-  if (apiKeyHeader && expectedKey && apiKeyHeader === expectedKey) {
-    console.log("Auth OK: API Key (deprecated)");
-    res.writeHead(200, {
-      "X-Auth-Method": "api-key",
-      "X-Auth-Deprecated": "true",
-    });
-    res.end();
-    return;
-  }
+  // 3. Check X-API-Key header (sk-xxx format)
+  if (apiKeyHeader?.startsWith("sk-")) {
+    const result = await verifyToken(apiKeyHeader);
 
-  // 3. Local bypass (development)
-  if (isLocalRequest(req)) {
-    console.log("Auth OK: Local bypass");
-    res.writeHead(200, {
-      "X-Auth-Method": "local",
-    });
-    res.end();
-    return;
+    if (result) {
+      console.log(`Auth OK: API-Key Header (${result.name || result.userId})`);
+      res.writeHead(200, {
+        "X-User-Id": result.userId,
+        "X-Auth-Method": "api-key",
+        "X-Token-Name": result.name || "",
+      });
+      res.end();
+      return;
+    }
   }
 
   // 4. Unauthorized
-  console.log("Auth FAILED: No valid credentials");
+  console.log("Auth FAILED: No valid token");
   res.writeHead(401, { "Content-Type": "application/json" });
-  res.end(JSON.stringify({ error: "Unauthorized" }));
+  res.end(
+    JSON.stringify({
+      error: "Unauthorized",
+      message:
+        "Valid access token required. Get your token from Dashboard Settings.",
+    }),
+  );
 });
 
 server.listen(PORT, () => {
-  console.log(`Auth sidecar (RS256) listening on port ${PORT}`);
+  console.log(`Auth sidecar (token-auth) listening on port ${PORT}`);
+  console.log(`DB path: ${DB_PATH}`);
 });

package/templates/docker-compose.yml

@@ -79,9 +79,11 @@ services:
     container_name: cybermem-auth-sidecar
     environment:
       PORT: "3001"
+      OM_DB_PATH: /data/openmemory.sqlite
       API_KEY_FILE: /.env
     volumes:
       - ${CYBERMEM_ENV_PATH:-${HOME}/.cybermem/.env}:/.env:ro
+      - ${HOME}/.cybermem/data:/data:ro
     labels:
       - traefik.enable=true
     healthcheck:
@@ -173,6 +175,8 @@ services:
       CYBERMEM_URL: http://mcp-server:8080
       OM_DB_PATH: /data/openmemory.sqlite
       OM_API_KEY: ${OM_API_KEY:-dev-secret-key}
+      # Tailscale domain for remote config (optional, auto-detected if not set)
+      TAILSCALE_DOMAIN: ${TAILSCALE_DOMAIN:-}
     ports:
       - "3000:3000"
     volumes: