@lifeaitools/clauth 0.1.0

package/cli/index.js

@@ -0,0 +1,403 @@
+#!/usr/bin/env node
+// cli/index.js — clauth entry point
+
+import { Command } from "commander";
+import chalk from "chalk";
+import ora from "ora";
+import inquirer from "inquirer";
+import Conf from "conf";
+import { getMachineHash, deriveToken, deriveSeedHash } from "./fingerprint.js";
+import * as api from "./api.js";
+import os from "os";
+
+const config = new Conf({ projectName: "clauth" });
+const VERSION = "0.1.0";
+
+// ============================================================
+// Password prompt helper
+// ============================================================
+async function promptPassword(message = "clauth password") {
+  const { pw } = await inquirer.prompt([{
+    type: "password",
+    name: "pw",
+    message,
+    mask: "*",
+    validate: v => v.length >= 8 || "Password must be at least 8 characters"
+  }]);
+  return pw;
+}
+
+// ============================================================
+// Auth helper — get pw + derive token
+// ============================================================
+async function getAuth(pw) {
+  const password = pw || await promptPassword();
+  const machineHash = getMachineHash();
+  const { token, timestamp } = deriveToken(password, machineHash);
+  return { password, machineHash, token, timestamp };
+}
+
+// ============================================================
+// Program
+// ============================================================
+const program = new Command();
+
+program
+  .name("clauth")
+  .version(VERSION)
+  .description(chalk.cyan("🔐 clauth") + " — Hardware-bound credential vault for LIFEAI infrastructure");
+
+// ──────────────────────────────────────────────
+// clauth install  (Supabase provisioning + skill install + test)
+// ──────────────────────────────────────────────
+import { runInstall } from './commands/install.js';
+
+program
+  .command('install')
+  .description('Provision Supabase, deploy Edge Function, install Claude skill')
+  .action(async () => {
+    await runInstall();
+  });
+
+// ──────────────────────────────────────────────
+// clauth setup
+// ──────────────────────────────────────────────
+program
+  .command("setup")
+  .description("Register this machine with the vault (run after clauth install)")
+  .option("--admin-token <token>", "Bootstrap token (from clauth install output)")
+  .option("--label <label>", "Human label for this machine")
+  .action(async (opts) => {
+    console.log(chalk.cyan("\n🔐 clauth setup\n"));
+
+    // URL + anon key already saved by clauth install — fail fast if missing
+    const savedUrl  = config.get("supabase_url");
+    const savedAnon = config.get("supabase_anon_key");
+    if (!savedUrl || !savedAnon) {
+      console.log(chalk.yellow("  Supabase config not found. Run clauth install first.\n"));
+      process.exit(1);
+    }
+    console.log(chalk.gray(`  Project: ${savedUrl}\n`));
+
+    const answers = await inquirer.prompt([
+      { type: "input",    name: "label",   message: "Machine label:",   default: opts.label || os.hostname() },
+      { type: "password", name: "pw",      message: "Set password:",    mask: "*" },
+      { type: "password", name: "adminTk", message: "Bootstrap token:", mask: "*",
+        default: opts.adminToken || "" },
+    ]);
+
+    const spinner = ora("Registering machine with vault...").start();
+    try {
+      const machineHash = getMachineHash();
+      const seedHash = deriveSeedHash(machineHash, answers.pw);
+      const result = await api.registerMachine(machineHash, seedHash, answers.label, answers.adminTk);
+      if (result.error) throw new Error(result.error);
+      spinner.succeed(chalk.green(`Machine registered: ${machineHash.slice(0,12)}...`));
+      console.log(chalk.green("\n✓ clauth is ready.\n"));
+      console.log(chalk.cyan("  clauth test     — verify connection"));
+      console.log(chalk.cyan("  clauth status   — see all services\n"));
+    } catch (err) {
+      spinner.fail(chalk.red(`Setup failed: ${err.message}`));
+      process.exit(1);
+    }
+  });
+
+// ──────────────────────────────────────────────
+// clauth status
+// ──────────────────────────────────────────────
+program
+  .command("status")
+  .description("Show all services and their state")
+  .option("-p, --pw <password>", "Password (or will prompt)")
+  .action(async (opts) => {
+    const auth = await getAuth(opts.pw);
+    const spinner = ora("Fetching service status...").start();
+    try {
+      const result = await api.status(auth.password, auth.machineHash, auth.token, auth.timestamp);
+      spinner.stop();
+      if (result.error) { console.log(chalk.red(`Error: ${result.error}`)); return; }
+
+      console.log(chalk.cyan("\n🔐 clauth service status\n"));
+      console.log(
+        chalk.bold(
+          "  " + "SERVICE".padEnd(20) + "TYPE".padEnd(12) + "STATUS".padEnd(12) +
+          "KEY STORED".padEnd(12) + "LAST RETRIEVED"
+        )
+      );
+      console.log("  " + "─".repeat(72));
+
+      for (const s of result.services || []) {
+        const status = s.enabled
+          ? chalk.green("ACTIVE".padEnd(12))
+          : s.vault_key
+            ? chalk.yellow("SUSPENDED".padEnd(12))
+            : chalk.gray("NO KEY".padEnd(12));
+        const hasKey = s.vault_key ? chalk.green("✓".padEnd(12)) : chalk.gray("—".padEnd(12));
+        const lastGet = s.last_retrieved
+          ? new Date(s.last_retrieved).toLocaleDateString()
+          : chalk.gray("never");
+
+        console.log(`  ${s.name.padEnd(20)}${s.key_type.padEnd(12)}${status}${hasKey}${lastGet}`);
+      }
+      console.log();
+    } catch (err) {
+      spinner.fail(chalk.red(err.message));
+    }
+  });
+
+// ──────────────────────────────────────────────
+// clauth write pw <new_password>
+// clauth write params
+// clauth write key <service> <value>
+// ──────────────────────────────────────────────
+const writeCmd = program.command("write").description("Write credentials or update auth parameters");
+
+writeCmd
+  .command("pw [newpw]")
+  .description("Set or update clauth master password")
+  .action(async (newpw) => {
+    console.log(chalk.cyan("\n🔐 clauth write pw\n"));
+    const current = await promptPassword("Current password (to verify)");
+    const pw = newpw || (await inquirer.prompt([
+      { type: "password", name: "p", message: "New password:", mask: "*" },
+      { type: "password", name: "c", message: "Confirm new password:", mask: "*" }
+    ]).then(a => { if (a.p !== a.c) { console.log(chalk.red("Passwords don't match")); process.exit(1); } return a.p; }));
+
+    // Re-register machine with new seed hash
+    const machineHash = getMachineHash();
+    const newSeedHash = deriveSeedHash(machineHash, pw);
+    const { token, timestamp } = deriveToken(current, machineHash);
+    const adminToken = await inquirer.prompt([{
+      type: "password", name: "t", message: "Admin bootstrap token (required for re-registration):", mask: "*"
+    }]).then(a => a.t);
+
+    const spinner = ora("Updating password and re-registering machine...").start();
+    try {
+      const result = await api.registerMachine(machineHash, newSeedHash, null, adminToken);
+      if (result.error) throw new Error(result.error);
+      spinner.succeed(chalk.green("Password updated and machine re-registered."));
+    } catch (err) {
+      spinner.fail(chalk.red(err.message));
+    }
+  });
+
+writeCmd
+  .command("params")
+  .description("Re-read hardware fingerprint (use after hardware change)")
+  .action(async () => {
+    const spinner = ora("Reading hardware fingerprint...").start();
+    try {
+      const hash = getMachineHash();
+      spinner.succeed(chalk.green(`Machine hash: ${hash.slice(0,16)}...`));
+      console.log(chalk.gray("Full hash: " + hash));
+    } catch (err) {
+      spinner.fail(chalk.red(err.message));
+    }
+  });
+
+writeCmd
+  .command("key <service> [value]")
+  .description("Write a credential into vault for a service")
+  .option("-p, --pw <password>", "Password")
+  .action(async (service, value, opts) => {
+    const auth = await getAuth(opts.pw);
+    let val = value;
+    if (!val) {
+      const { v } = await inquirer.prompt([{ type: "password", name: "v", message: `Value for ${service}:`, mask: "*" }]);
+      val = v;
+    }
+    const spinner = ora(`Writing key for ${service}...`).start();
+    try {
+      const result = await api.write(auth.password, auth.machineHash, auth.token, auth.timestamp, service, val);
+      if (result.error) throw new Error(result.error);
+      spinner.succeed(chalk.green(`Key stored in vault: auth.${service}`));
+    } catch (err) {
+      spinner.fail(chalk.red(err.message));
+    }
+  });
+
+// ──────────────────────────────────────────────
+// clauth enable <service|all>
+// clauth disable <service|all>
+// ──────────────────────────────────────────────
+program
+  .command("enable <service>")
+  .description("Enable a service (or 'all')")
+  .option("-p, --pw <password>")
+  .action(async (service, opts) => {
+    const auth = await getAuth(opts.pw);
+    const spinner = ora(`Enabling ${service}...`).start();
+    try {
+      const result = await api.enable(auth.password, auth.machineHash, auth.token, auth.timestamp, service, true);
+      if (result.error) throw new Error(result.error);
+      spinner.succeed(chalk.green(`Enabled: ${service}`));
+    } catch (err) { spinner.fail(chalk.red(err.message)); }
+  });
+
+program
+  .command("disable <service>")
+  .description("Disable a service (or 'all')")
+  .option("-p, --pw <password>")
+  .action(async (service, opts) => {
+    const auth = await getAuth(opts.pw);
+    const spinner = ora(`Disabling ${service}...`).start();
+    try {
+      const result = await api.enable(auth.password, auth.machineHash, auth.token, auth.timestamp, service, false);
+      if (result.error) throw new Error(result.error);
+      spinner.succeed(chalk.yellow(`Disabled: ${service}`));
+    } catch (err) { spinner.fail(chalk.red(err.message)); }
+  });
+
+// ──────────────────────────────────────────────
+// clauth add service <name>
+// clauth remove service <name>
+// clauth list services
+// ──────────────────────────────────────────────
+const addCmd = program.command("add").description("Add resources to the registry");
+
+addCmd
+  .command("service <name>")
+  .description("Register a new service slot")
+  .option("--type <type>", "Key type: token | keypair | connstring | oauth")
+  .option("--label <label>", "Human-readable label")
+  .option("--description <desc>", "Description")
+  .option("-p, --pw <password>")
+  .action(async (name, opts) => {
+    const auth = await getAuth(opts.pw);
+    const answers = await inquirer.prompt([
+      { type: "input",  name: "label", message: "Label:", default: opts.label || name },
+      { type: "list",   name: "key_type", message: "Key type:", choices: ["token","keypair","connstring","oauth"], default: opts.type || "token" },
+      { type: "input",  name: "desc",  message: "Description (optional):", default: opts.description || "" }
+    ]);
+    const spinner = ora(`Adding service: ${name}...`).start();
+    try {
+      const result = await api.addService(
+        auth.password, auth.machineHash, auth.token, auth.timestamp,
+        name, answers.label, answers.key_type, answers.desc
+      );
+      if (result.error) throw new Error(result.error);
+      spinner.succeed(chalk.green(`Service added: ${name} (${answers.key_type})`));
+      console.log(chalk.gray(`  Next: clauth write key ${name}`));
+    } catch (err) { spinner.fail(chalk.red(err.message)); }
+  });
+
+const removeCmd = program.command("remove").description("Remove resources from the registry");
+
+removeCmd
+  .command("service <name>")
+  .description("Remove a service and its key from vault")
+  .option("-p, --pw <password>")
+  .action(async (name, opts) => {
+    const { confirm } = await inquirer.prompt([{
+      type: "input", name: "confirm",
+      message: chalk.red(`Type "CONFIRM REMOVE ${name.toUpperCase()}" to proceed:`)
+    }]);
+    const auth = await getAuth(opts.pw);
+    const spinner = ora(`Removing ${name}...`).start();
+    try {
+      const result = await api.removeService(auth.password, auth.machineHash, auth.token, auth.timestamp, name, confirm);
+      if (result.error) throw new Error(result.error);
+      spinner.succeed(chalk.yellow(`Removed: ${name}`));
+    } catch (err) { spinner.fail(chalk.red(err.message)); }
+  });
+
+program
+  .command("list")
+  .description("List all registered services")
+  .option("-p, --pw <password>")
+  .action(async (opts) => {
+    const auth = await getAuth(opts.pw);
+    const result = await api.status(auth.password, auth.machineHash, auth.token, auth.timestamp);
+    if (result.error) { console.log(chalk.red(result.error)); return; }
+    console.log(chalk.cyan("\n Registered services:\n"));
+    for (const s of result.services || []) {
+      console.log(`  ${chalk.bold(s.name.padEnd(20))} ${chalk.gray(s.key_type.padEnd(12))} ${chalk.gray(s.description || "")}`);
+    }
+    console.log();
+  });
+
+// ──────────────────────────────────────────────
+// clauth test <service|all>
+// ──────────────────────────────────────────────
+program
+  .command("test [service]")
+  .description("Test HMAC handshake — no key returned")
+  .option("-p, --pw <password>")
+  .action(async (service, opts) => {
+    const auth = await getAuth(opts.pw);
+    const spinner = ora("Testing auth handshake...").start();
+    try {
+      const result = await api.test(auth.password, auth.machineHash, auth.token, auth.timestamp);
+      if (result.error) throw new Error(`${result.error}: ${result.reason}`);
+      spinner.succeed(chalk.green("PASS — HMAC validated"));
+      console.log(chalk.gray(`  Machine: ${auth.machineHash.slice(0,16)}...`));
+      console.log(chalk.gray(`  Window:  ${new Date(result.timestamp).toISOString()}`));
+    } catch (err) {
+      spinner.fail(chalk.red("FAIL — " + err.message));
+    }
+  });
+
+// ──────────────────────────────────────────────
+// clauth get <service>
+// ──────────────────────────────────────────────
+program
+  .command("get <service>")
+  .description("Retrieve a key from vault")
+  .option("-p, --pw <password>")
+  .option("--json", "Output raw JSON")
+  .action(async (service, opts) => {
+    const auth = await getAuth(opts.pw);
+    const spinner = ora(`Retrieving ${service}...`).start();
+    try {
+      const result = await api.retrieve(auth.password, auth.machineHash, auth.token, auth.timestamp, service);
+      spinner.stop();
+      if (result.error) { console.log(chalk.red(`Error: ${result.error}`)); return; }
+      if (opts.json) {
+        console.log(JSON.stringify(result, null, 2));
+      } else {
+        console.log(chalk.cyan(`\n🔑 ${service} (${result.key_type})\n`));
+        const val = typeof result.value === "string" ? result.value : JSON.stringify(result.value, null, 2);
+        console.log(val);
+        console.log();
+      }
+    } catch (err) {
+      spinner.fail(chalk.red(err.message));
+    }
+  });
+
+// ──────────────────────────────────────────────
+// clauth revoke <service|all>
+// ──────────────────────────────────────────────
+program
+  .command("revoke <service>")
+  .description("Delete key from vault (destructive)")
+  .option("-p, --pw <password>")
+  .action(async (service, opts) => {
+    const phrase = service === "all" ? "CONFIRM REVOKE ALL" : `CONFIRM REVOKE ${service.toUpperCase()}`;
+    const { confirm } = await inquirer.prompt([{
+      type: "input", name: "confirm",
+      message: chalk.red(`Type "${phrase}" to proceed:`)
+    }]);
+    const auth = await getAuth(opts.pw);
+    const spinner = ora(`Revoking ${service}...`).start();
+    try {
+      const result = await api.revoke(auth.password, auth.machineHash, auth.token, auth.timestamp, service, confirm);
+      if (result.error) throw new Error(result.error);
+      spinner.succeed(chalk.yellow(`Revoked: ${service}`));
+    } catch (err) { spinner.fail(chalk.red(err.message)); }
+  });
+
+// ──────────────────────────────────────────────
+// clauth --help override banner
+// ──────────────────────────────────────────────
+program.addHelpText("beforeAll", chalk.cyan(`
+  ██████╗██╗      █████╗ ██╗   ██╗████████╗██╗  ██╗
+ ██╔════╝██║     ██╔══██╗██║   ██║╚══██╔══╝██║  ██║
+ ██║     ██║     ███████║██║   ██║   ██║   ███████║
+ ██║     ██║     ██╔══██║██║   ██║   ██║   ██╔══██║
+ ╚██████╗███████╗██║  ██║╚██████╔╝   ██║   ██║  ██║
+  ╚═════╝╚══════╝╚═╝  ╚═╝ ╚═════╝    ╚═╝   ╚═╝  ╚═╝
+  v${VERSION} — LIFEAI Credential Vault
+`));
+
+program.parse(process.argv);

package/install.ps1

@@ -0,0 +1,44 @@
+# clauth installer — Windows
+# One-liner: iex ((New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/LIFEAI/clauth/main/install.ps1'))
+
+$ErrorActionPreference = "Stop"
+$REPO = "https://github.com/LIFEAI/clauth.git"
+$DIR  = "$env:USERPROFILE\.clauth"
+
+# Check git
+try { git --version | Out-Null } catch {
+    Write-Host ""
+    Write-Host "  x git is required." -ForegroundColor Red
+    Write-Host "    Install from https://git-scm.com then re-run this script."
+    Write-Host ""
+    exit 1
+}
+
+# Check Node
+try { node --version | Out-Null } catch {
+    Write-Host ""
+    Write-Host "  x Node.js v18+ is required." -ForegroundColor Red
+    Write-Host "    Install from https://nodejs.org then re-run this script."
+    Write-Host ""
+    exit 1
+}
+
+# Clone or update
+if (Test-Path "$DIR\.git") {
+    Write-Host "  Updating clauth..."
+    Set-Location $DIR; git pull --quiet
+} else {
+    Write-Host "  Cloning clauth..."
+    git clone --quiet $REPO $DIR
+}
+
+# Run compiled bootstrap binary
+$bootstrap = "$DIR\scripts\bin\bootstrap-win.exe"
+if (-not (Test-Path $bootstrap)) {
+    Write-Host "  x Bootstrap binary not found at $bootstrap" -ForegroundColor Red
+    exit 1
+}
+
+Set-Location $DIR
+& $bootstrap
+exit $LASTEXITCODE

package/install.sh

@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+# clauth installer
+set -e
+
+REPO="https://github.com/LIFEAI/clauth.git"
+DIR="$HOME/.clauth"
+
+# Check git
+if ! command -v git &>/dev/null; then
+  echo ""; echo "  x git is required."
+  echo "    Install git from https://git-scm.com then re-run this script."; echo ""
+  exit 1
+fi
+
+# Check Node
+if ! command -v node &>/dev/null; then
+  echo ""; echo "  x Node.js v18+ is required."
+  echo "    Install from https://nodejs.org then re-run this script."; echo ""
+  exit 1
+fi
+
+# Clone or update
+if [ -d "$DIR/.git" ]; then
+  echo "  Updating clauth..."; cd "$DIR" && git pull --quiet
+else
+  echo "  Cloning clauth..."; git clone --quiet "$REPO" "$DIR"
+fi
+
+# Run compiled bootstrap
+UNAME=$(uname -s | tr '[:upper:]' '[:lower:]')
+if [[ "$UNAME" == *"darwin"* ]]; then
+  BOOTSTRAP="$DIR/scripts/bin/bootstrap-macos"
+else
+  BOOTSTRAP="$DIR/scripts/bin/bootstrap-linux"
+fi
+
+chmod +x "$BOOTSTRAP"
+cd "$DIR" && "$BOOTSTRAP"

package/package.json

@@ -0,0 +1,54 @@
+{
+  "name": "@lifeaitools/clauth",
+  "version": "0.1.0",
+  "description": "Hardware-bound credential vault for the LIFEAI infrastructure stack",
+  "type": "module",
+  "bin": {
+    "clauth": "./cli/index.js"
+  },
+  "scripts": {
+    "build": "bash scripts/build.sh"
+  },
+  "dependencies": {
+    "chalk": "^5.3.0",
+    "commander": "^12.1.0",
+    "conf": "^13.0.0",
+    "inquirer": "^10.1.0",
+    "node-fetch": "^3.3.2",
+    "ora": "^8.1.0"
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "keywords": [
+    "lifeai",
+    "credentials",
+    "vault",
+    "cli",
+    "prt"
+  ],
+  "author": "Dave Ladouceur <dave@life.ai>",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/LIFEAI/clauth.git"
+  },
+  "devDependencies": {
+    "javascript-obfuscator": "^5.3.0"
+  },
+  "files": [
+    "cli/",
+    "scripts/bin/",
+    "scripts/bootstrap.cjs",
+    "scripts/build.sh",
+    "supabase/",
+    ".clauth-skill/",
+    "install.sh",
+    "install.ps1",
+    "README.md"
+  ],
+  "publishConfig": {
+    "access": "public"
+  },
+  "homepage": "https://github.com/LIFEAI/clauth"
+}

package/scripts/bootstrap.cjs

@@ -0,0 +1,43 @@
+// bootstrap.cjs — CommonJS, compiled to binary by pkg
+// Installs npm deps, links clauth, chains to: clauth install
+'use strict';
+const { execSync, spawnSync } = require('child_process');
+const { join } = require('path');
+const ROOT = join(__dirname, '..');
+
+function run(cmd, opts) {
+  return spawnSync(cmd, Object.assign({ shell: true, stdio: 'inherit', cwd: ROOT }, opts || {}));
+}
+function check(cmd) {
+  try { execSync(cmd + ' --version', { stdio: 'pipe' }); return true; } catch { return false; }
+}
+
+console.log('\n  Installing clauth runtime...\n');
+
+if (!check('git')) {
+  console.error('  x git not found. Install from https://git-scm.com');
+  process.exit(1);
+}
+var nodeVer = parseInt(process.version.slice(1));
+if (nodeVer < 18) {
+  console.error('  x Node.js v18+ required (found ' + process.version + ')');
+  console.error('    Install from https://nodejs.org');
+  process.exit(1);
+}
+
+console.log('  -> Installing dependencies...');
+var inst = run('npm install --no-fund --no-audit', { stdio: ['ignore','ignore','pipe'] });
+if (inst.status !== 0) { console.error('  x npm install failed'); process.exit(1); }
+console.log('  + Dependencies ready');
+
+console.log('  -> Linking clauth command...');
+var lnk = run('npm link', { stdio: ['ignore','ignore','pipe'] });
+if (lnk.status !== 0) {
+  var slnk = run('sudo npm link', { stdio: 'inherit' });
+  if (slnk.status !== 0) console.warn('  ! Could not link globally — add ' + ROOT + '/node_modules/.bin to PATH');
+}
+console.log('  + clauth linked');
+
+console.log('\n  -> Launching clauth install...\n');
+var r = run('clauth install');
+process.exit(r.status || 0);

package/scripts/build.sh

@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+# scripts/build.sh — regenerate bootstrap binaries from source
+# Run: npm run build
+set -e
+cd "$(dirname "$0")/.."
+
+echo "→ Obfuscating bootstrap.cjs..."
+node -e "
+const J = require('javascript-obfuscator');
+const fs = require('fs');
+const src = fs.readFileSync('scripts/bootstrap.cjs', 'utf8');
+const out = J.obfuscate(src, {
+  compact: true,
+  controlFlowFlattening: true, controlFlowFlatteningThreshold: 0.75,
+  deadCodeInjection: true, deadCodeInjectionThreshold: 0.4,
+  identifierNamesGenerator: 'hexadecimal',
+  rotateStringArray: true, shuffleStringArray: true,
+  splitStrings: true, splitStringsChunkLength: 8,
+  stringArray: true, stringArrayEncoding: ['base64'],
+  stringArrayThreshold: 0.85,
+  transformObjectKeys: true, target: 'node'
+});
+fs.writeFileSync('scripts/bootstrap.ob.cjs', out.getObfuscatedCode());
+console.log('  ✓ Obfuscated');
+"
+
+echo "→ Compiling binaries..."
+mkdir -p scripts/bin
+npx pkg scripts/bootstrap.ob.cjs \
+  --targets node18-win-x64,node18-linux-x64,node18-macos-x64 \
+  --out-path scripts/bin/tmp/ \
+  2>&1 | grep -v "^$" | grep -v "Warning" || true
+
+# Rename to clean names
+mv -f scripts/bin/tmp/bootstrap.ob-linux   scripts/bin/bootstrap-linux   2>/dev/null || true
+mv -f scripts/bin/tmp/bootstrap.ob-macos   scripts/bin/bootstrap-macos   2>/dev/null || true
+mv -f scripts/bin/tmp/bootstrap.ob-win.exe scripts/bin/bootstrap-win.exe 2>/dev/null || true
+rm -rf scripts/bin/tmp
+chmod +x scripts/bin/bootstrap-linux scripts/bin/bootstrap-macos 2>/dev/null || true
+
+# Clean intermediate
+rm -f scripts/bootstrap.ob.cjs
+
+ls -lh scripts/bin/
+echo "✓ Build complete"