@lifeaitools/clauth 0.1.0 → 0.2.1

package/README.md

@@ -1,13 +1,13 @@
-# @lifeai/clauth
+# @lifeaitools/clauth
 
-Hardware-bound credential vault for the LIFEAI stack. Your machine is the second factor. Keys live in Supabase Vault (AES-256).
+Hardware-bound credential vault for the LIFEAI stack. Your machine is the second factor. Keys live in Supabase Vault (AES-256). Nothing sensitive ever touches a config file.
 
 ---
 
 ## Install
 
 ```bash
-npm install -g @lifeai/clauth
+npm install -g @lifeaitools/clauth
 ```
 
 Then provision your Supabase project:
@@ -17,10 +17,10 @@ clauth install
 ```
 
 That's it. `clauth install` handles everything:
-- Creates database tables
-- Deploys the Edge Function
+- Creates all database tables
+- Deploys the `auth-vault` Edge Function
 - Generates HMAC salt + bootstrap token
-- Tests the connection
+- Tests the connection end-to-end
 - Installs the Claude skill
 
 At the end it prints a **bootstrap token** — save it for the next step.
@@ -47,7 +47,7 @@ clauth status    # → 12 services, all NO KEY
 
 Two things from Supabase:
 
-**1. Project ref** — the last segment of your project URL:
+**1. Project ref** — the last segment of your Supabase project URL:
 `https://supabase.com/dashboard/project/` **`your-ref-here`**
 
 **2. Personal Access Token (PAT)**:
@@ -57,6 +57,16 @@ Two things from Supabase:
 
 ---
 
+## Writing Your First Key
+
+```bash
+clauth write key github     # prompts for value
+clauth enable github
+clauth get github
+```
+
+---
+
 ## Command Reference
 
 ```
@@ -71,9 +81,9 @@ clauth enable <svc|all>     Activate service
 clauth disable <svc|all>    Suspend service
 clauth get <service>        Retrieve a key
 
-clauth add service <name>   Register new service
-clauth remove service <name>Remove service
-clauth revoke <svc|all>     Delete key (destructive, confirms first)
+clauth add service <n>      Register new service
+clauth remove service <n>   Remove service
+clauth revoke <svc|all>     Delete key (destructive)
 ```
 
 ## Built-in Services
@@ -98,4 +108,18 @@ Nothing stored locally. Password never persisted. Machine hash is one-way only.
 
 ---
 
+## Releasing a New Version (maintainers)
+
+```bash
+# 1. Bump version in package.json
+# 2. Commit and tag
+git tag v0.1.1
+git push --tags
+# GitHub Actions publishes automatically via Trusted Publishing
+```
+
+---
+
 > Life before Profits. — LIFEAI / PRT
+>
+> ☕ [Support this project](https://github.com/sponsors/DaveLadouceur)

package/cli/commands/install.js

@@ -33,45 +33,28 @@ const SKILLS_DIR = process.env.CLAUTH_SKILLS_DIR ||
     : join(process.env.HOME || '', '.claude', 'skills'));
 
 // ─────────────────────────────────────────────
-// Prompt helpers
+// Prompt helpers — single shared readline to
+// avoid losing buffered stdin between prompts
 // ─────────────────────────────────────────────
 
+let _rl;
+function getRL() {
+  if (!_rl) {
+    _rl = createInterface({ input: process.stdin, output: process.stdout });
+  }
+  return _rl;
+}
+function closeRL() {
+  if (_rl) { _rl.close(); _rl = null; }
+}
+
 function ask(question) {
-  const rl = createInterface({ input: process.stdin, output: process.stdout });
-  return new Promise(res => rl.question(question, a => { rl.close(); res(a.trim()); }));
+  return new Promise(res => getRL().question(question, a => res(a.trim())));
 }
 
 function askSecret(label) {
-  return new Promise(res => {
-    const rl = createInterface({ input: process.stdin, output: process.stdout, terminal: true });
-    process.stdout.write(label);
-    let val = '';
-    if (process.stdin.isTTY) {
-      process.stdin.setRawMode(true);
-      process.stdin.resume();
-      process.stdin.setEncoding('utf8');
-      const onData = ch => {
-        if (ch === '\r' || ch === '\n') {
-          process.stdin.setRawMode(false);
-          process.stdin.pause();
-          process.stdin.removeListener('data', onData);
-          process.stdout.write('\n');
-          rl.close();
-          res(val);
-        } else if (ch === '\u0003') {
-          process.exit();
-        } else if (ch === '\u007f') {
-          val = val.slice(0, -1);
-        } else {
-          val += ch;
-          process.stdout.write('*');
-        }
-      };
-      process.stdin.on('data', onData);
-    } else {
-      rl.question('', a => { rl.close(); res(a.trim()); });
-    }
-  });
+  // In non-TTY (piped input, CI, Git Bash on Windows), just read a line
+  return ask(label);
 }
 
 // ─────────────────────────────────────────────
@@ -89,14 +72,16 @@ async function mgmt(pat, method, path, body) {
     throw new Error(`${method} ${path} → HTTP ${res.status}: ${text}`);
   }
   if (res.status === 204) return {};
-  return res.json();
+  const text = await res.text();
+  if (!text) return {};
+  return JSON.parse(text);
 }
 
 // ─────────────────────────────────────────────
 // Main install command
 // ─────────────────────────────────────────────
 
-export async function runInstall() {
+export async function runInstall(opts = {}) {
   console.log(chalk.cyan('\n🔐 clauth install\n'));
 
   // ── Step 1: Check internet ────────────────
@@ -112,16 +97,22 @@ export async function runInstall() {
   }
 
   // ── Step 2: Collect credentials ───────────
-  console.log(chalk.cyan('\nYou need two things from Supabase:\n'));
-  console.log(chalk.gray('  Project ref:  last segment of your project URL'));
-  console.log(chalk.gray('  e.g. supabase.com/dashboard/project/') + chalk.white('uvojezuorjgqzmhhgluu'));
-  console.log('');
-  console.log(chalk.gray('  Personal Access Token (PAT):'));
-  console.log(chalk.gray('  supabase.com/dashboard/account/tokens → Generate new token'));
-  console.log(chalk.gray('  (This is NOT your anon key or service_role key)\n'));
+  let ref = opts.ref;
+  let pat = opts.pat;
 
-  const ref = await ask(chalk.white('Supabase project ref: '));
-  const pat = await askSecret(chalk.white('Supabase PAT: '));
+  if (!ref || !pat) {
+    console.log(chalk.cyan('\nYou need two things from Supabase:\n'));
+    console.log(chalk.gray('  Project ref:  last segment of your project URL'));
+    console.log(chalk.gray('  e.g. supabase.com/dashboard/project/') + chalk.white('uvojezuorjgqzmhhgluu'));
+    console.log('');
+    console.log(chalk.gray('  Personal Access Token (PAT):'));
+    console.log(chalk.gray('  supabase.com/dashboard/account/tokens → Generate new token'));
+    console.log(chalk.gray('  (This is NOT your anon key or service_role key)\n'));
+
+    if (!ref) ref = await ask(chalk.white('Supabase project ref: '));
+    if (!pat) pat = await askSecret(chalk.white('Supabase PAT: '));
+    closeRL();
+  }
 
   if (!ref || !pat) {
     console.log(chalk.red('\n✗ Both required.\n')); process.exit(1);
@@ -166,16 +157,31 @@ export async function runInstall() {
   const s5 = ora('Deploying auth-vault Edge Function...').start();
   const fnSource = readFileSync(join(ROOT, 'supabase/functions/auth-vault/index.ts'), 'utf8');
   try {
-    // Try update first
-    try {
-      await mgmt(pat, 'PATCH', `/projects/${ref}/functions/auth-vault`, {
-        slug: 'auth-vault', name: 'auth-vault', verify_jwt: true, body: fnSource,
-      });
-    } catch {
-      await mgmt(pat, 'POST', `/projects/${ref}/functions`, {
-        slug: 'auth-vault', name: 'auth-vault', verify_jwt: true, body: fnSource,
-      });
+    // Use the /deploy endpoint with multipart/form-data (not the old /functions endpoint)
+    const formData = new FormData();
+
+    const metadata = {
+      name: 'auth-vault',
+      entrypoint_path: 'index.ts',
+      verify_jwt: true,
+    };
+    formData.append('metadata', new Blob([JSON.stringify(metadata)], { type: 'application/json' }));
+    formData.append('file', new Blob([fnSource], { type: 'application/typescript' }), 'index.ts');
+
+    const deployRes = await fetch(
+      `${MGMT}/projects/${ref}/functions/deploy?slug=auth-vault`,
+      {
+        method: 'POST',
+        headers: { 'Authorization': `Bearer ${pat}` },
+        body: formData,
+      }
+    );
+
+    if (!deployRes.ok) {
+      const errText = await deployRes.text().catch(() => deployRes.statusText);
+      throw new Error(`HTTP ${deployRes.status}: ${errText}`);
     }
+
     s5.succeed('auth-vault Edge Function deployed');
   } catch (e) {
     s5.warn(`Edge Function deploy failed: ${e.message}`);

package/cli/index.js

@@ -11,7 +11,7 @@ import * as api from "./api.js";
 import os from "os";
 
 const config = new Conf({ projectName: "clauth" });
-const VERSION = "0.1.0";
+const VERSION = "0.2.0";
 
 // ============================================================
 // Password prompt helper
@@ -55,8 +55,10 @@ import { runInstall } from './commands/install.js';
 program
   .command('install')
   .description('Provision Supabase, deploy Edge Function, install Claude skill')
-  .action(async () => {
-    await runInstall();
+  .option('--ref <ref>', 'Supabase project ref')
+  .option('--pat <pat>', 'Supabase Personal Access Token')
+  .action(async (opts) => {
+    await runInstall(opts);
   });
 
 // ──────────────────────────────────────────────
@@ -67,6 +69,7 @@ program
   .description("Register this machine with the vault (run after clauth install)")
   .option("--admin-token <token>", "Bootstrap token (from clauth install output)")
   .option("--label <label>", "Human label for this machine")
+  .option("-p, --pw <password>", "Password (skip interactive prompt)")
   .action(async (opts) => {
     console.log(chalk.cyan("\n🔐 clauth setup\n"));
 
@@ -79,12 +82,18 @@ program
     }
     console.log(chalk.gray(`  Project: ${savedUrl}\n`));
 
-    const answers = await inquirer.prompt([
-      { type: "input",    name: "label",   message: "Machine label:",   default: opts.label || os.hostname() },
-      { type: "password", name: "pw",      message: "Set password:",    mask: "*" },
-      { type: "password", name: "adminTk", message: "Bootstrap token:", mask: "*",
-        default: opts.adminToken || "" },
-    ]);
+    let answers;
+    if (opts.pw && opts.adminToken) {
+      // Non-interactive mode — all flags provided
+      answers = { label: opts.label || os.hostname(), pw: opts.pw, adminTk: opts.adminToken };
+    } else {
+      answers = await inquirer.prompt([
+        { type: "input",    name: "label",   message: "Machine label:",   default: opts.label || os.hostname() },
+        { type: "password", name: "pw",      message: "Set password:",    mask: "*", default: opts.pw || "" },
+        { type: "password", name: "adminTk", message: "Bootstrap token:", mask: "*",
+          default: opts.adminToken || "" },
+      ]);
+    }
 
     const spinner = ora("Registering machine with vault...").start();
     try {

package/package.json

@@ -1,54 +1,54 @@
-{
-  "name": "@lifeaitools/clauth",
-  "version": "0.1.0",
-  "description": "Hardware-bound credential vault for the LIFEAI infrastructure stack",
-  "type": "module",
-  "bin": {
-    "clauth": "./cli/index.js"
-  },
-  "scripts": {
-    "build": "bash scripts/build.sh"
-  },
-  "dependencies": {
-    "chalk": "^5.3.0",
-    "commander": "^12.1.0",
-    "conf": "^13.0.0",
-    "inquirer": "^10.1.0",
-    "node-fetch": "^3.3.2",
-    "ora": "^8.1.0"
-  },
-  "engines": {
-    "node": ">=18.0.0"
-  },
-  "keywords": [
-    "lifeai",
-    "credentials",
-    "vault",
-    "cli",
-    "prt"
-  ],
-  "author": "Dave Ladouceur <dave@life.ai>",
-  "license": "MIT",
-  "repository": {
-    "type": "git",
-    "url": "https://github.com/LIFEAI/clauth.git"
-  },
-  "devDependencies": {
-    "javascript-obfuscator": "^5.3.0"
-  },
-  "files": [
-    "cli/",
-    "scripts/bin/",
-    "scripts/bootstrap.cjs",
-    "scripts/build.sh",
-    "supabase/",
-    ".clauth-skill/",
-    "install.sh",
-    "install.ps1",
-    "README.md"
-  ],
-  "publishConfig": {
-    "access": "public"
-  },
-  "homepage": "https://github.com/LIFEAI/clauth"
-}
+{
+  "name": "@lifeaitools/clauth",
+  "version": "0.2.1",
+  "description": "Hardware-bound credential vault for the LIFEAI infrastructure stack",
+  "type": "module",
+  "bin": {
+    "clauth": "./cli/index.js"
+  },
+  "scripts": {
+    "build": "bash scripts/build.sh"
+  },
+  "dependencies": {
+    "chalk": "^5.3.0",
+    "commander": "^12.1.0",
+    "conf": "^13.0.0",
+    "inquirer": "^10.1.0",
+    "node-fetch": "^3.3.2",
+    "ora": "^8.1.0"
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "keywords": [
+    "lifeai",
+    "credentials",
+    "vault",
+    "cli",
+    "prt"
+  ],
+  "author": "Dave Ladouceur <dave@life.ai>",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/LIFEAI/clauth.git"
+  },
+  "devDependencies": {
+    "javascript-obfuscator": "^5.3.0"
+  },
+  "files": [
+    "cli/",
+    "scripts/bin/",
+    "scripts/bootstrap.cjs",
+    "scripts/build.sh",
+    "supabase/",
+    ".clauth-skill/",
+    "install.sh",
+    "install.ps1",
+    "README.md"
+  ],
+  "publishConfig": {
+    "access": "public"
+  },
+  "homepage": "https://github.com/LIFEAI/clauth"
+}

package/supabase/functions/auth-vault/index.ts

@@ -81,11 +81,11 @@ async function validateHMAC(body: {
     return { valid: false, reason: "machine_disabled" };
   }
 
-  // Expected token = HMAC(machine_hash + timestamp_window, password + SALT)
+  // Expected token = HMAC(machine_hash:window, password)
+  // Client derives token with password only; server verifies the same way
   const window = Math.floor(body.timestamp / REPLAY_WINDOW_MS);
   const message = `${body.machine_hash}:${window}`;
-  const hmacKey = `${body.password}:${CLAUTH_HMAC_SALT}`;
-  const expected = await hmacSha256(hmacKey, message);
+  const expected = await hmacSha256(body.password, message);
 
   if (expected !== body.token) {
     return { valid: false, reason: "invalid_token" };

package/supabase/migrations/001_clauth_schema.sql

@@ -77,9 +77,17 @@ alter table public.clauth_audit     enable row level security;
 
 -- service_role bypasses RLS — all access from Edge Function only
 -- No direct anon access to any clauth table
-create policy "no_anon_services"  on public.clauth_services  for all using (false);
-create policy "no_anon_machines"  on public.clauth_machines  for all using (false);
-create policy "no_anon_audit"     on public.clauth_audit     for all using (false);
+do $$ begin
+  if not exists (select 1 from pg_policies where policyname = 'no_anon_services' and tablename = 'clauth_services') then
+    create policy "no_anon_services" on public.clauth_services for all using (false);
+  end if;
+  if not exists (select 1 from pg_policies where policyname = 'no_anon_machines' and tablename = 'clauth_machines') then
+    create policy "no_anon_machines" on public.clauth_machines for all using (false);
+  end if;
+  if not exists (select 1 from pg_policies where policyname = 'no_anon_audit' and tablename = 'clauth_audit') then
+    create policy "no_anon_audit" on public.clauth_audit for all using (false);
+  end if;
+end $$;
 
 -- ============================================================
 -- Updated_at trigger
@@ -89,6 +97,7 @@ returns trigger language plpgsql as $$
 begin new.updated_at = now(); return new; end;
 $$;
 
+drop trigger if exists clauth_services_updated on public.clauth_services;
 create trigger clauth_services_updated
   before update on public.clauth_services
   for each row execute procedure public.clauth_touch_updated();