@lifeaitools/clauth 0.1.0

package/.clauth-skill/SKILL.md

@@ -0,0 +1,141 @@
+---
+name: clauth
+description: Install, configure, and operate clauth — the LIFEAI hardware-bound credential vault. Triggers on "install clauth", "set up my keys", "clauth install", "store my credentials", "set up the vault", or any mention of clauth or managing LIFEAI service credentials. When triggered for install, check GitHub MCP first, clone LIFEAI/clauth, and run the installer. Also handles ongoing clauth commands: status, get, write, enable, disable, add service, revoke.
+---
+
+# clauth — LIFEAI Credential Vault
+
+Hardware-bound credential vault for the LIFEAI stack. Your machine is the second factor. Keys live in Supabase Vault (AES-256).
+
+---
+
+## When someone says "install clauth"
+
+### Step 1 — Check GitHub MCP is connected
+
+Look at your available tools. You need a GitHub/git tool that can clone a repository.
+
+If GitHub MCP is NOT connected, stop and tell the user:
+
+> "To install clauth I need your GitHub connection. In Claude, go to Settings → Integrations and connect GitHub, then come back and say 'install clauth' again."
+
+Do not proceed without it.
+
+---
+
+### Step 2 — Clone the repo
+
+Use bash to clone into `~/.clauth`:
+
+```bash
+git clone https://github.com/LIFEAI/clauth.git ~/.clauth
+```
+
+If `~/.clauth` already exists:
+```bash
+cd ~/.clauth && git pull
+```
+
+---
+
+### Step 3 — Run the bootstrap binary
+
+**Windows:**
+```powershell
+& "$env:USERPROFILE\.clauth\scripts\bin\bootstrap-win.exe"
+```
+
+**Mac/Linux:**
+```bash
+~/.clauth/scripts/bin/bootstrap-linux
+# Mac:
+~/.clauth/scripts/bin/bootstrap-macos
+```
+
+This binary:
+- Runs `npm install`
+- Links `clauth` globally
+- Chains to `clauth install` automatically
+
+---
+
+### Step 4 — clauth install (automatic)
+
+`clauth install` runs automatically. It asks for two Supabase items:
+
+**Project ref** — last part of your Supabase project URL:
+`https://supabase.com/dashboard/project/` **`uvojezuorjgqzmhhgluu`**
+
+**Personal Access Token (PAT):**
+`https://supabase.com/dashboard/account/tokens` → Generate new token
+*(NOT the anon key or service_role — this is your account-level token)*
+
+Then it provisions everything, tests it, installs this skill, and prints a **bootstrap token** — save it.
+
+---
+
+### Step 5 — clauth setup
+
+```
+clauth setup
+```
+
+Asks: machine label, password, bootstrap token (from step 4).
+
+Then verify:
+```
+clauth test      → PASS
+clauth status    → 12 services ready
+```
+
+---
+
+### Step 6 — Write your first key
+
+```bash
+clauth write key github     # prompts for value
+clauth enable github
+clauth get github
+```
+
+See `references/keys-guide.md` for where to find every credential.
+
+---
+
+## Command reference
+
+```
+clauth install              First-time: provision Supabase + install skill
+clauth setup                Register this machine (after install)
+clauth status               All services + state
+clauth test                 Verify HMAC connection
+clauth list                 Service names
+
+clauth write key <service>  Store a credential
+clauth write pw             Change password
+clauth enable <svc|all>     Activate service
+clauth disable <svc|all>    Suspend service
+clauth get <service>        Retrieve a key
+
+clauth add service <n>      Register new service
+clauth remove service <n>   Remove service
+clauth revoke <svc|all>     Delete key (destructive)
+```
+
+## Services
+
+`github` `supabase-anon` `supabase-service` `supabase-db`
+`vercel` `namecheap` `neo4j` `anthropic`
+`r2` `r2-bucket` `cloudflare` `rocketreach`
+
+---
+
+## Troubleshooting
+
+| Error | Fix |
+|-------|-----|
+| `machine_not_found` | Run `clauth setup` |
+| `timestamp_expired` | Sync system clock |
+| `invalid_token` | Wrong password |
+| `service_disabled` | `clauth enable <service>` |
+| `no_key_stored` | `clauth write key <service>` |

package/.clauth-skill/references/keys-guide.md

@@ -0,0 +1,270 @@
+# clauth Keys Guide
+
+Plain-English explanations of every credential clauth manages. Read this before setup.
+
+---
+
+## The Most Important Key for Install: Supabase Personal Access Token (PAT)
+
+This is the first thing the installer asks for and the most commonly confused item.
+
+```
+sbp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+```
+
+This is your **account-level** token — not tied to any one project. It gives the installer permission to create tables, deploy the edge function, and store secrets in your project.
+
+**Where to get it:**
+> https://supabase.com/dashboard/account/tokens → "Generate new token"
+> Name it anything, e.g. "clauth-install"
+
+**This is NOT:**
+- Your anon key (that starts with `eyJ...`)
+- Your service_role key (also starts with `eyJ...`)
+- Your project URL
+
+The PAT is only needed once during install. After that, clauth uses the anon key + HMAC for everything.
+
+---
+
+## The Most Confusing Part: Supabase Has 4 Different Keys
+
+This is where most people get stuck. Supabase gives you multiple keys and they look similar. Here's what each one is:
+
+### 1. `NEXT_PUBLIC_SUPABASE_URL` — The Project URL
+```
+https://uvojezuorjgqzmhhgluu.supabase.co
+```
+This is just a URL. Not a secret. It's the address of your Supabase project. You can find it in:
+> Supabase Dashboard → Project Settings → API → Project URL
+
+**clauth uses this as:** `Supabase project URL` during `clauth setup`
+
+---
+
+### 2. Anon Key (Public JWT) — `supabase-anon` in clauth
+```
+eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ...  (very long)
+```
+This is a **public key** — it's safe to put in frontend code. It only has the permissions that your Row Level Security (RLS) policies allow. Think of it as a "guest pass" to your database.
+
+**Where to find it:**
+> Supabase Dashboard → Project Settings → API → Project API Keys → `anon` `public`
+
+**clauth uses this for:** Calling the Edge Function (every request). Used during `clauth setup` as `Supabase anon key`.
+
+**Also called:** `NEXT_PUBLIC_SUPABASE_PUBLISHABLE_DEFAULT_KEY` or `sb_publishable_...` in newer Supabase projects. Same thing, different name format.
+
+---
+
+### 3. Service Role Key — `supabase-service` in clauth
+```
+eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ...role":"service_role"...  (very long)
+```
+This is an **admin key** — it bypasses all RLS policies and can read/write anything. Treat this like a root password. Never put it in frontend code.
+
+**Where to find it:**
+> Supabase Dashboard → Project Settings → API → Project API Keys → `service_role` `secret`
+
+**clauth stores this as:** `supabase-service`
+
+**Also called:** `sb_secret_...` in newer Supabase projects. Same thing.
+
+---
+
+### 4. Database Connection String — `supabase-db` in clauth
+```
+postgres://postgres.uvojezuorjgqzmhhgluu:[YOUR-PASSWORD]@aws-0-us-west-1.pooler.supabase.com:6543/postgres
+```
+This is for direct SQL access — tools like Drizzle, Prisma, or raw psql use this. Two versions exist:
+- **Pooled** (port 6543) — for apps with many connections (use this)
+- **Direct** (port 5432) — for migrations only
+
+**Where to find it:**
+> Supabase Dashboard → Project Settings → Database → Connection string → URI
+
+**Note:** Replace `[YOUR-PASSWORD]` with the password you set when creating the project.
+
+---
+
+## GitHub
+
+### Personal Access Token (PAT) — `github` in clauth
+```
+ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+```
+This is what lets programs act as you on GitHub — push code, manage repos, etc.
+
+**Where to create one:**
+> GitHub.com → Settings (your profile, top right) → Developer settings → Personal access tokens → Tokens (classic) → Generate new token
+
+**Scopes you need for LIFEAI work:**
+- `repo` — full repo access
+- `workflow` — GitHub Actions
+- `read:org` — read org membership
+- `admin:org` — if you need to manage the org
+
+**clauth stores this as:** `github`
+
+---
+
+## Vercel
+
+### API Token + Team ID — `vercel` in clauth (keypair)
+Two values stored together as JSON: `{"token":"...","team_id":"..."}`
+
+**API Token:**
+> Vercel Dashboard → Account Settings → Tokens → Create Token
+> Name it something like "LIFEAI-clauth"
+
+**Team ID:**
+> Vercel Dashboard → Team Settings → General → Team ID
+> Looks like: `team_xxxxxxxxxxxxxxxxxxxxxxxx`
+
+**clauth stores this as:** `vercel` (keypair type)
+```bash
+clauth write key vercel '{"token":"vcp_xxx...","team_id":"team_xxx..."}'
+```
+
+---
+
+## Cloudflare R2
+
+R2 has **two separate credentials** because it uses the S3 protocol for file operations but a separate admin API for bucket management.
+
+### R2 Object Access Keys — `r2` in clauth (keypair)
+Used for: uploading, downloading, deleting files in your bucket (S3-compatible)
+```
+Access Key ID:      f3ff8996f212b638254cf5747abce445
+Secret Access Key:  45a078775b1b62a7200024c30660e72d2997ab65bb4a6e72629fda8a87e222a9
+```
+**Where to find:**
+> Cloudflare Dashboard → R2 → Manage R2 API Tokens → Create API Token → Object Read & Write
+
+**clauth stores this as:** `r2`
+```bash
+clauth write key r2 '{"access_key_id":"f3ff...","secret_access_key":"45a0..."}'
+```
+
+### R2 Bucket Config — `r2-bucket` in clauth (connstring)
+Used for: knowing which bucket to use and where it lives
+```
+bucket_name: regen-media
+endpoint: https://c879cf4758546d79164c2718c477be72.r2.cloudflarestorage.com
+public_cdn: https://pub-ff9788cd4f1f494db0491a197025a94c.r2.dev
+```
+**clauth stores this as:** `r2-bucket`
+```bash
+clauth write key r2-bucket '{"bucket":"regen-media","endpoint":"https://c879...r2.cloudflarestorage.com","cdn":"https://pub-ff97...r2.dev"}'
+```
+
+### Cloudflare Admin API Token — `cloudflare` in clauth (token)
+Used for: DNS records, zone management, creating/deleting buckets
+```
+1e_f4y2t58ra7UpKAAj5TzCcBUYTdEC3H2LJ9Vtc
+```
+**Where to find:**
+> Cloudflare Dashboard → R2 → Manage R2 API Tokens → (the Admin token, not the RW token)
+
+**clauth stores this as:** `cloudflare`
+
+---
+
+## Namecheap
+
+### API Key + Username — `namecheap` in clauth (keypair)
+Two values stored together:
+```
+username: ejlamyot
+api_key:  CJWM4dr&RMS$v.s  (yours will look similar)
+```
+**Where to find:**
+> Namecheap Dashboard → Profile (top right) → Tools → API Access → Enable API
+
+**Important:** Namecheap API also requires your **IP address to be whitelisted**. Add your current IP in the same API Access page, or Namecheap will reject every call.
+
+**clauth stores this as:** `namecheap`
+```bash
+clauth write key namecheap '{"username":"ejlamyot","api_key":"CJWM4dr..."}'
+```
+
+---
+
+## Neo4j Aura
+
+### Connection URI + Credentials — `neo4j` in clauth (connstring)
+```
+neo4j+s://xxxxxxxx.databases.neo4j.io
+username: neo4j
+password: (set when you created the instance)
+```
+**Where to find:**
+> Neo4j Aura Console → Your database → Connect → Connection URI
+
+**clauth stores this as:** `neo4j`
+```bash
+clauth write key neo4j 'neo4j+s://neo4j:yourpassword@xxxxxxxx.databases.neo4j.io'
+```
+
+---
+
+## Anthropic
+
+### API Key — `anthropic` in clauth (token)
+```
+sk-ant-api03-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+```
+**Where to find:**
+> console.anthropic.com → API Keys → Create Key
+
+**clauth stores this as:** `anthropic`
+
+---
+
+## RocketReach
+
+### API Key — `rocketreach` in clauth (token)
+```
+12b893dk776927c079ea18cb1a7bc8d95b43398a
+```
+**Where to find:**
+> rocketreach.co → Account Settings → API
+
+**clauth stores this as:** `rocketreach`
+
+---
+
+## The Bootstrap Token (Special — One Time Only)
+
+```
+ba6f25ec30e9316ead93152f0cfa5617
+```
+
+This is **not a service API key**. It's a one-time password that lets `clauth setup` register your machine with the vault for the first time.
+
+- It's stored in your Supabase Vault (not hardcoded anywhere)
+- After your machine is registered, you never need it again for daily use
+- If you need to register a **new machine**, you need it again
+- The vault operator (Dave) can retrieve it from: Supabase Dashboard → Vault → `CLAUTH_ADMIN_BOOTSTRAP_TOKEN`
+
+---
+
+## Summary Table
+
+| clauth token | What it is | Where to get it | Type |
+|---|---|---|---|
+| *(setup prompt)* | Supabase project URL | Supabase → Settings → API | URL |
+| *(setup prompt)* | Supabase anon key | Supabase → Settings → API → anon public | JWT |
+| *(setup prompt)* | Bootstrap token | Ask vault operator / Supabase Vault | One-time |
+| `github` | GitHub Personal Access Token | github.com → Settings → Developer → PATs | token |
+| `supabase-anon` | Supabase anon key (stored for apps) | Same as above | token |
+| `supabase-service` | Supabase service role key | Supabase → Settings → API → service_role | token |
+| `supabase-db` | Postgres connection string | Supabase → Settings → Database → URI | connstring |
+| `vercel` | Vercel API token + Team ID | Vercel → Account Settings → Tokens | keypair |
+| `namecheap` | Namecheap API key + username | Namecheap → Profile → Tools → API | keypair |
+| `neo4j` | Neo4j Aura URI + password | Aura Console → Connect | connstring |
+| `anthropic` | Anthropic API key | console.anthropic.com → API Keys | token |
+| `r2` | Cloudflare R2 S3 keypair | Cloudflare → R2 → Manage API Tokens | keypair |
+| `r2-bucket` | R2 bucket name + endpoint | Cloudflare → R2 → bucket details | connstring |
+| `cloudflare` | Cloudflare admin API token | Cloudflare → R2 → Manage API Tokens | token |
+| `rocketreach` | RocketReach API key | rocketreach.co → Account → API | token |

package/.clauth-skill/references/operator-guide.md

@@ -0,0 +1,148 @@
+# clauth Operator Guide
+
+For teams deploying their own clauth instance from scratch.
+
+---
+
+## What "Operator" Means
+
+When you clone the clauth repo and run `clauth setup`, you're connecting to an existing vault. If you want to run your **own** vault (different Supabase project, your own team), you're the operator. This guide covers that.
+
+---
+
+## Step 1 — Supabase Project
+
+You need a Supabase project. Create one at supabase.com if you don't have one.
+
+Collect:
+- Project URL: `https://<ref>.supabase.co`
+- Anon key (public JWT)
+- Service role key (admin JWT)
+
+---
+
+## Step 2 — Run Migrations
+
+In Supabase SQL Editor (or via CLI), run both migration files in order:
+
+1. `supabase/migrations/001_clauth_schema.sql`
+2. `supabase/migrations/002_vault_helpers.sql`
+
+Or via Supabase CLI:
+```bash
+supabase db push
+```
+
+This creates:
+- `clauth_services` — service registry (12 services seeded)
+- `clauth_machines` — machine fingerprint registry
+- `clauth_audit` — all operations logged
+- Vault helper RPCs (upsert/decrypt/delete/list)
+
+---
+
+## Step 3 — Deploy Edge Function
+
+```bash
+supabase functions deploy auth-vault --project-ref <your-ref>
+```
+
+Or deploy from the Supabase dashboard by uploading `supabase/functions/auth-vault/index.ts`.
+
+The function automatically reads `CLAUTH_HMAC_SALT` and `CLAUTH_ADMIN_BOOTSTRAP_TOKEN` from Supabase Vault (or env vars if set).
+
+---
+
+## Step 4 — Generate and Store Secrets
+
+Run this to generate a salt and bootstrap token:
+```bash
+node -e "const c=require('crypto'); console.log('SALT:', c.randomBytes(32).toString('hex')); console.log('BOOTSTRAP:', c.randomBytes(16).toString('hex'));"
+```
+
+Store them in Supabase Vault via SQL Editor:
+```sql
+select vault.create_secret('<your-salt>', 'CLAUTH_HMAC_SALT', 'clauth HMAC salt');
+select vault.create_secret('<your-bootstrap>', 'CLAUTH_ADMIN_BOOTSTRAP_TOKEN', 'clauth bootstrap token');
+```
+
+Or via Supabase Dashboard → Vault → New Secret.
+
+---
+
+## Step 5 — Distribute to Team
+
+Give team members:
+1. Your Supabase project URL
+2. Your Supabase anon key (public — safe to share)
+3. The bootstrap token (treat as a shared secret — regenerate after everyone registers)
+
+Each person runs:
+```bash
+git clone https://github.com/LIFEAI/clauth
+cd clauth && .\install.ps1   # or bash install.sh
+clauth setup
+```
+
+---
+
+## Adding Team Members After Initial Setup
+
+Once the bootstrap token has been used by the first person, you can either:
+- Keep the same token for additional machines (it's reusable)
+- Rotate it after everyone is registered:
+
+```sql
+-- Generate new one
+select vault.create_secret('new-token-here', 'CLAUTH_ADMIN_BOOTSTRAP_TOKEN', 'rotated');
+-- This overwrites the old one
+```
+
+---
+
+## Viewing the Audit Log
+
+```sql
+select machine_hash, service_name, action, result, detail, created_at
+from clauth_audit
+order by created_at desc
+limit 50;
+```
+
+---
+
+## Disabling a Machine
+
+If a machine is lost or stolen:
+```sql
+update clauth_machines set enabled = false where label = 'Dave-Desktop-Win11';
+```
+
+That machine's HMAC tokens will be rejected immediately.
+
+---
+
+## Rotating the HMAC Salt
+
+If the salt is compromised, rotate it:
+```sql
+-- Find the existing secret ID
+select id, name from vault.secrets where name = 'CLAUTH_HMAC_SALT';
+
+-- Update it
+select vault.update_secret('<id>', 'new-salt-here');
+```
+
+**Warning:** After rotating the salt, ALL existing machines will fail HMAC validation. Every machine needs to re-run `clauth setup` with the new bootstrap token.
+
+---
+
+## Project Identifiers (LIFEAI canonical)
+
+| Item | Value |
+|------|-------|
+| Supabase project | `uvojezuorjgqzmhhgluu` |
+| Supabase URL | `https://uvojezuorjgqzmhhgluu.supabase.co` |
+| Edge Function | `auth-vault` (deployed, ACTIVE) |
+| GitHub org | LIFEAI |
+| Repo | https://github.com/LIFEAI/clauth |

package/README.md

@@ -0,0 +1,101 @@
+# @lifeai/clauth
+
+Hardware-bound credential vault for the LIFEAI stack. Your machine is the second factor. Keys live in Supabase Vault (AES-256).
+
+---
+
+## Install
+
+```bash
+npm install -g @lifeai/clauth
+```
+
+Then provision your Supabase project:
+
+```bash
+clauth install
+```
+
+That's it. `clauth install` handles everything:
+- Creates database tables
+- Deploys the Edge Function
+- Generates HMAC salt + bootstrap token
+- Tests the connection
+- Installs the Claude skill
+
+At the end it prints a **bootstrap token** — save it for the next step.
+
+---
+
+## After Install — Register Your Machine
+
+```bash
+clauth setup
+```
+
+Prompts for: machine label, password, bootstrap token (from `clauth install`).
+
+Then verify:
+```bash
+clauth test      # → PASS
+clauth status    # → 12 services, all NO KEY
+```
+
+---
+
+## What clauth install asks for
+
+Two things from Supabase:
+
+**1. Project ref** — the last segment of your project URL:
+`https://supabase.com/dashboard/project/` **`your-ref-here`**
+
+**2. Personal Access Token (PAT)**:
+`https://supabase.com/dashboard/account/tokens` → Generate new token
+
+> This is **not** your anon key or service_role key — it is your account-level token.
+
+---
+
+## Command Reference
+
+```
+clauth install              Provision Supabase + install Claude skill
+clauth setup                Register this machine with the vault
+clauth status               All services + state
+clauth test                 Verify connection
+
+clauth write key <service>  Store a credential
+clauth write pw             Change password
+clauth enable <svc|all>     Activate service
+clauth disable <svc|all>    Suspend service
+clauth get <service>        Retrieve a key
+
+clauth add service <name>   Register new service
+clauth remove service <name>Remove service
+clauth revoke <svc|all>     Delete key (destructive, confirms first)
+```
+
+## Built-in Services
+
+`github` `supabase-anon` `supabase-service` `supabase-db`
+`vercel` `namecheap` `neo4j` `anthropic`
+`r2` `r2-bucket` `cloudflare` `rocketreach`
+
+---
+
+## How It Works
+
+```
+Machine fingerprint (BIOS UUID + OS install ID)
+  + Your clauth password
+  → HMAC-SHA256 token + 5-min timestamp window
+  → Supabase Edge Function validates
+  → Returns AES-256 encrypted key from Vault
+```
+
+Nothing stored locally. Password never persisted. Machine hash is one-way only.
+
+---
+
+> Life before Profits. — LIFEAI / PRT