@lifeaitools/clauth 0.1.0

package/cli/api.js

@@ -0,0 +1,108 @@
+// cli/api.js
+// Thin client that calls the auth-vault Edge Function
+
+import { createRequire } from "module";
+const require = createRequire(import.meta.url);
+
+import Conf from "conf";
+
+const config = new Conf({ projectName: "clauth" });
+
+// ============================================================
+// Get Edge Function base URL from local config
+// ============================================================
+export function getBaseUrl() {
+  const url = config.get("supabase_url") || process.env.CLAUTH_SUPABASE_URL;
+  if (!url) throw new Error("Supabase URL not configured. Run: clauth setup");
+  return `${url}/functions/v1/auth-vault`;
+}
+
+export function getAnonKey() {
+  const key = config.get("supabase_anon_key") || process.env.CLAUTH_SUPABASE_ANON_KEY;
+  if (!key) throw new Error("Supabase anon key not configured. Run: clauth setup");
+  return key;
+}
+
+// ============================================================
+// Core POST helper
+// ============================================================
+async function post(route, body) {
+  const url = `${getBaseUrl()}/${route}`;
+  const anonKey = getAnonKey();
+
+  const res = await fetch(url, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      "Authorization": `Bearer ${anonKey}`
+    },
+    body: JSON.stringify(body)
+  });
+
+  const data = await res.json();
+  if (!res.ok && !data.error) throw new Error(`HTTP ${res.status}`);
+  return data;
+}
+
+// ============================================================
+// Auth-bearing calls (require HMAC token)
+// ============================================================
+async function authPost(route, password, machineHash, token, timestamp, extra = {}) {
+  return post(route, {
+    machine_hash: machineHash,
+    token,
+    timestamp,
+    password,
+    ...extra
+  });
+}
+
+// ============================================================
+// Exported API surface
+// ============================================================
+
+export async function retrieve(password, machineHash, token, timestamp, service) {
+  return authPost("retrieve", password, machineHash, token, timestamp, { service });
+}
+
+export async function write(password, machineHash, token, timestamp, service, value) {
+  return authPost("write", password, machineHash, token, timestamp, { service, value });
+}
+
+export async function enable(password, machineHash, token, timestamp, service, enabled) {
+  return authPost("enable", password, machineHash, token, timestamp, { service, enabled });
+}
+
+export async function addService(password, machineHash, token, timestamp, name, label, key_type, description) {
+  return authPost("add", password, machineHash, token, timestamp, { name, label, key_type, description });
+}
+
+export async function removeService(password, machineHash, token, timestamp, service, confirm) {
+  return authPost("remove", password, machineHash, token, timestamp, { service, confirm });
+}
+
+export async function revoke(password, machineHash, token, timestamp, service, confirm) {
+  return authPost("revoke", password, machineHash, token, timestamp, { service, confirm });
+}
+
+export async function status(password, machineHash, token, timestamp) {
+  return authPost("status", password, machineHash, token, timestamp);
+}
+
+export async function test(password, machineHash, token, timestamp) {
+  return authPost("test", password, machineHash, token, timestamp);
+}
+
+export async function registerMachine(machineHash, seedHash, label, adminToken) {
+  return post("register-machine", {
+    machine_hash: machineHash,
+    hmac_seed_hash: seedHash,
+    label,
+    admin_token: adminToken
+  });
+}
+
+export default {
+  retrieve, write, enable, addService, removeService, revoke,
+  status, test, registerMachine, getBaseUrl, getAnonKey
+};

package/cli/commands/install.js

@@ -0,0 +1,258 @@
+// cli/commands/install.js
+// clauth install — full provisioning command
+// Called automatically by the bootstrap installer, or manually: clauth install
+//
+// Does:
+//   1. Checks prerequisites (git, node, internet)
+//   2. Collects Supabase project ref + PAT
+//   3. Runs SQL migrations
+//   4. Deploys auth-vault Edge Function
+//   5. Generates HMAC salt + bootstrap token, stores as project secrets
+//   6. Saves local config (Supabase URL + anon key)
+//   7. Runs end-to-end test
+//   8. Installs Claude skill
+//   9. Cleans up
+//  10. Prints: "clauth ready. Type clauth --help"
+
+import { createInterface } from 'readline';
+import { randomBytes } from 'crypto';
+import { readFileSync, existsSync, mkdirSync, cpSync, rmSync } from 'fs';
+import { join, dirname } from 'path';
+import { fileURLToPath } from 'url';
+import { execSync } from 'child_process';
+import Conf from 'conf';
+import chalk from 'chalk';
+import ora from 'ora';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const ROOT      = join(__dirname, '..', '..');
+const MGMT      = 'https://api.supabase.com/v1';
+const SKILLS_DIR = process.env.CLAUTH_SKILLS_DIR ||
+  (process.platform === 'win32'
+    ? join(process.env.USERPROFILE || '', '.claude', 'skills')
+    : join(process.env.HOME || '', '.claude', 'skills'));
+
+// ─────────────────────────────────────────────
+// Prompt helpers
+// ─────────────────────────────────────────────
+
+function ask(question) {
+  const rl = createInterface({ input: process.stdin, output: process.stdout });
+  return new Promise(res => rl.question(question, a => { rl.close(); res(a.trim()); }));
+}
+
+function askSecret(label) {
+  return new Promise(res => {
+    const rl = createInterface({ input: process.stdin, output: process.stdout, terminal: true });
+    process.stdout.write(label);
+    let val = '';
+    if (process.stdin.isTTY) {
+      process.stdin.setRawMode(true);
+      process.stdin.resume();
+      process.stdin.setEncoding('utf8');
+      const onData = ch => {
+        if (ch === '\r' || ch === '\n') {
+          process.stdin.setRawMode(false);
+          process.stdin.pause();
+          process.stdin.removeListener('data', onData);
+          process.stdout.write('\n');
+          rl.close();
+          res(val);
+        } else if (ch === '\u0003') {
+          process.exit();
+        } else if (ch === '\u007f') {
+          val = val.slice(0, -1);
+        } else {
+          val += ch;
+          process.stdout.write('*');
+        }
+      };
+      process.stdin.on('data', onData);
+    } else {
+      rl.question('', a => { rl.close(); res(a.trim()); });
+    }
+  });
+}
+
+// ─────────────────────────────────────────────
+// Supabase Management API
+// ─────────────────────────────────────────────
+
+async function mgmt(pat, method, path, body) {
+  const res = await fetch(`${MGMT}${path}`, {
+    method,
+    headers: { 'Authorization': `Bearer ${pat}`, 'Content-Type': 'application/json' },
+    body: body ? JSON.stringify(body) : undefined,
+  });
+  if (!res.ok) {
+    const text = await res.text().catch(() => res.statusText);
+    throw new Error(`${method} ${path} → HTTP ${res.status}: ${text}`);
+  }
+  if (res.status === 204) return {};
+  return res.json();
+}
+
+// ─────────────────────────────────────────────
+// Main install command
+// ─────────────────────────────────────────────
+
+export async function runInstall() {
+  console.log(chalk.cyan('\n🔐 clauth install\n'));
+
+  // ── Step 1: Check internet ────────────────
+  const s1 = ora('Checking connectivity...').start();
+  try {
+    await fetch('https://api.supabase.com/v1/projects', {
+      method: 'GET', headers: { 'Authorization': 'Bearer test' }
+    });
+    s1.succeed('Connected');
+  } catch {
+    s1.fail('No internet connection. Check your network and retry.');
+    process.exit(1);
+  }
+
+  // ── Step 2: Collect credentials ───────────
+  console.log(chalk.cyan('\nYou need two things from Supabase:\n'));
+  console.log(chalk.gray('  Project ref:  last segment of your project URL'));
+  console.log(chalk.gray('  e.g. supabase.com/dashboard/project/') + chalk.white('uvojezuorjgqzmhhgluu'));
+  console.log('');
+  console.log(chalk.gray('  Personal Access Token (PAT):'));
+  console.log(chalk.gray('  supabase.com/dashboard/account/tokens → Generate new token'));
+  console.log(chalk.gray('  (This is NOT your anon key or service_role key)\n'));
+
+  const ref = await ask(chalk.white('Supabase project ref: '));
+  const pat = await askSecret(chalk.white('Supabase PAT: '));
+
+  if (!ref || !pat) {
+    console.log(chalk.red('\n✗ Both required.\n')); process.exit(1);
+  }
+
+  // ── Step 3: Verify + fetch keys ──────────
+  const s3 = ora('Verifying Supabase credentials...').start();
+  let anon, serviceRole;
+  try {
+    const keys = await mgmt(pat, 'GET', `/projects/${ref}/api-keys`);
+    anon        = keys.find(k => k.name === 'anon')?.api_key;
+    serviceRole = keys.find(k => k.name === 'service_role')?.api_key;
+    if (!anon || !serviceRole) throw new Error('API keys not found in response');
+    s3.succeed('Supabase project verified');
+  } catch (e) {
+    s3.fail(`Could not connect: ${e.message}`);
+    console.log(chalk.gray('  Check your project ref and PAT.'));
+    process.exit(1);
+  }
+
+  const projectUrl = `https://${ref}.supabase.co`;
+
+  // ── Step 4: Run migrations ────────────────
+  const s4 = ora('Running database migrations...').start();
+  const migrations = [
+    { name: '001_clauth_schema',  file: 'supabase/migrations/001_clauth_schema.sql'  },
+    { name: '002_vault_helpers',  file: 'supabase/migrations/002_vault_helpers.sql'  },
+  ];
+  for (const m of migrations) {
+    const sql = readFileSync(join(ROOT, m.file), 'utf8');
+    try {
+      await mgmt(pat, 'POST', `/projects/${ref}/database/query`, { query: sql });
+      s4.text = `Migrations: ${m.name} ✓`;
+    } catch (e) {
+      s4.fail(`Migration ${m.name} failed: ${e.message}`);
+      process.exit(1);
+    }
+  }
+  s4.succeed('Database migrations applied');
+
+  // ── Step 5: Deploy Edge Function ─────────
+  const s5 = ora('Deploying auth-vault Edge Function...').start();
+  const fnSource = readFileSync(join(ROOT, 'supabase/functions/auth-vault/index.ts'), 'utf8');
+  try {
+    // Try update first
+    try {
+      await mgmt(pat, 'PATCH', `/projects/${ref}/functions/auth-vault`, {
+        slug: 'auth-vault', name: 'auth-vault', verify_jwt: true, body: fnSource,
+      });
+    } catch {
+      await mgmt(pat, 'POST', `/projects/${ref}/functions`, {
+        slug: 'auth-vault', name: 'auth-vault', verify_jwt: true, body: fnSource,
+      });
+    }
+    s5.succeed('auth-vault Edge Function deployed');
+  } catch (e) {
+    s5.warn(`Edge Function deploy failed: ${e.message}`);
+    console.log(chalk.yellow('  Run manually: supabase functions deploy auth-vault'));
+  }
+
+  // ── Step 6: Generate + store secrets ─────
+  const s6 = ora('Generating secrets...').start();
+  const hmacSalt       = randomBytes(32).toString('hex');
+  const bootstrapToken = randomBytes(16).toString('hex');
+  try {
+    await mgmt(pat, 'POST', `/projects/${ref}/secrets`, [
+      { name: 'CLAUTH_HMAC_SALT',              value: hmacSalt       },
+      { name: 'CLAUTH_ADMIN_BOOTSTRAP_TOKEN',  value: bootstrapToken },
+    ]);
+    s6.succeed('Secrets generated and stored');
+  } catch (e) {
+    s6.warn(`Could not store secrets via API: ${e.message}`);
+    console.log(chalk.yellow('\n  Set these manually in Supabase → Settings → Edge Functions → Secrets:'));
+    console.log(chalk.white(`  CLAUTH_HMAC_SALT = ${hmacSalt}`));
+    console.log(chalk.white(`  CLAUTH_ADMIN_BOOTSTRAP_TOKEN = ${bootstrapToken}\n`));
+  }
+
+  // ── Step 7: Save local config ─────────────
+  const config = new Conf({ projectName: 'clauth' });
+  config.set('supabase_url', projectUrl);
+  config.set('supabase_anon_key', anon);
+
+  // ── Step 8: End-to-end test ───────────────
+  const s8 = ora('Running end-to-end test...').start();
+  try {
+    // Register a test machine
+    const testMachine = `install-test-${randomBytes(4).toString('hex')}`;
+    const regRes = await fetch(`${projectUrl}/functions/v1/auth-vault/register-machine`, {
+      method: 'POST',
+      headers: { 'Authorization': `Bearer ${anon}`, 'Content-Type': 'application/json' },
+      body: JSON.stringify({
+        machine_hash: testMachine, hmac_seed_hash: 'test',
+        label: 'install-test', admin_token: bootstrapToken,
+      }),
+    });
+    const reg = await regRes.json();
+    if (!reg.success) throw new Error(`register-machine: ${JSON.stringify(reg)}`);
+    s8.succeed('End-to-end test passed — Edge Function is live');
+  } catch (e) {
+    s8.warn(`Test failed (Edge Function may still be deploying): ${e.message}`);
+    console.log(chalk.yellow('  Run clauth test after a minute to verify.'));
+  }
+
+  // ── Step 9: Install Claude skill ──────────
+  const s9 = ora('Installing Claude skill...').start();
+  const skillSrc = join(ROOT, '.clauth-skill');
+  if (existsSync(skillSrc)) {
+    try {
+      const skillDest = join(SKILLS_DIR, 'clauth');
+      mkdirSync(skillDest, { recursive: true });
+      cpSync(skillSrc, skillDest, { recursive: true, force: true });
+      s9.succeed(`Claude skill installed → ${skillDest}`);
+    } catch (e) {
+      s9.warn(`Skill install skipped: ${e.message}`);
+    }
+  } else {
+    s9.warn('Skill directory not found — skipping');
+  }
+
+  // ── Step 10: Done ─────────────────────────
+  console.log('');
+  console.log(chalk.cyan('━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━'));
+  console.log(chalk.green('  ✓ clauth installed and ready'));
+  console.log(chalk.cyan('━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━'));
+  console.log('');
+  console.log(chalk.yellow('  Save this bootstrap token — you need it once for clauth setup:'));
+  console.log(chalk.white('  ' + bootstrapToken));
+  console.log('');
+  console.log(chalk.gray('  (Also stored in Supabase → Settings → Edge Functions → Secrets)'));
+  console.log('');
+  console.log(chalk.white('  Next: run') + chalk.cyan('  clauth setup'));
+  console.log(chalk.gray('  Then:') + chalk.cyan('     clauth test'));
+  console.log('');
+}

package/cli/fingerprint.js

@@ -0,0 +1,91 @@
+// cli/fingerprint.js
+// Collects stable hardware identifiers and derives HMAC tokens
+// Works on Windows (primary) + Linux/macOS (fallback)
+
+import { execSync } from "child_process";
+import { createHmac, createHash } from "crypto";
+import os from "os";
+
+// ============================================================
+// Machine ID collection
+// ============================================================
+
+function getMachineId() {
+  const platform = os.platform();
+
+  try {
+    if (platform === "win32") {
+      // Primary: BIOS UUID via WMIC
+      const uuid = execSync("wmic csproduct get uuid /format:value", {
+        encoding: "utf8", timeout: 5000, stdio: ["pipe", "pipe", "pipe"]
+      }).match(/UUID=([A-F0-9-]+)/i)?.[1]?.trim();
+
+      // Secondary: Windows MachineGuid from registry
+      const machineGuid = execSync(
+        "reg query HKLM\\SOFTWARE\\Microsoft\\Cryptography /v MachineGuid",
+        { encoding: "utf8", timeout: 5000, stdio: ["pipe", "pipe", "pipe"] }
+      ).match(/MachineGuid\s+REG_SZ\s+([a-f0-9-]+)/i)?.[1]?.trim();
+
+      if (!uuid || !machineGuid) throw new Error("Could not read Windows machine IDs");
+      return { primary: uuid, secondary: machineGuid, platform: "win32" };
+    }
+
+    if (platform === "darwin") {
+      const uuid = execSync(
+        "ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformUUID/ { print $3 }'",
+        { encoding: "utf8", timeout: 5000, stdio: ["pipe", "pipe", "pipe"] }
+      ).replace(/['"]/g, "").trim();
+      return { primary: uuid, secondary: os.hostname(), platform: "darwin" };
+    }
+
+    // Linux
+    let uuid = "";
+    try { uuid = execSync("cat /etc/machine-id", { encoding: "utf8", timeout: 2000 }).trim(); }
+    catch { uuid = execSync("cat /var/lib/dbus/machine-id", { encoding: "utf8", timeout: 2000 }).trim(); }
+    return { primary: uuid, secondary: os.hostname(), platform: "linux" };
+
+  } catch (err) {
+    throw new Error(`Machine ID collection failed: ${err.message}`);
+  }
+}
+
+// ============================================================
+// Derive stable machine hash (what gets stored in Supabase)
+// ============================================================
+
+export function getMachineHash() {
+  const { primary, secondary } = getMachineId();
+  return createHash("sha256")
+    .update(`${primary}:${secondary}`)
+    .digest("hex");
+}
+
+// ============================================================
+// Derive HMAC token for a given password + timestamp
+// ============================================================
+
+export function deriveToken(password, machineHash) {
+  const windowMs = 5 * 60 * 1000;
+  const window   = Math.floor(Date.now() / windowMs);
+  const message  = `${machineHash}:${window}`;
+  
+  // Server reconstructs this — password + CLAUTH_HMAC_SALT
+  // Client sends token; server adds its SALT to the password before verifying
+  const token = createHmac("sha256", password)
+    .update(message)
+    .digest("hex");
+
+  return { token, timestamp: window * windowMs, machineHash };
+}
+
+// ============================================================
+// Derive HMAC seed hash (stored during machine registration)
+// ============================================================
+
+export function deriveSeedHash(machineHash, password) {
+  return createHash("sha256")
+    .update(`seed:${machineHash}:${password}`)
+    .digest("hex");
+}
+
+export default { getMachineHash, deriveToken, deriveSeedHash };