@lifeaitools/clauth 0.1.0

package/supabase/functions/auth-vault/index.ts

@@ -0,0 +1,326 @@
+// ============================================================
+// clauth — auth-vault Edge Function
+// Supabase Deno runtime
+// Routes:
+//   POST /auth-vault/retrieve   — validate HMAC, return key
+//   POST /auth-vault/write      — write/update key in vault
+//   POST /auth-vault/enable     — enable/disable service
+//   POST /auth-vault/add        — add new service to registry
+//   POST /auth-vault/remove     — remove service from registry
+//   POST /auth-vault/status     — list all services + state
+//   POST /auth-vault/test       — dry-run HMAC check only
+//   POST /auth-vault/rotate     — flag a service for rotation
+//   POST /auth-vault/revoke     — delete key from vault
+// ============================================================
+
+import { createClient } from "https://esm.sh/@supabase/supabase-js@2";
+
+const SUPABASE_URL     = Deno.env.get("SUPABASE_URL")!;
+const SERVICE_ROLE_KEY = Deno.env.get("SUPABASE_SERVICE_ROLE_KEY")!;
+const CLAUTH_HMAC_SALT = Deno.env.get("CLAUTH_HMAC_SALT")!; // stored in Supabase secrets
+
+const REPLAY_WINDOW_MS = 5 * 60 * 1000; // 5 minutes
+
+// ============================================================
+// Helpers
+// ============================================================
+
+async function sha256hex(input: string): Promise<string> {
+  const buf = await crypto.subtle.digest(
+    "SHA-256",
+    new TextEncoder().encode(input)
+  );
+  return Array.from(new Uint8Array(buf))
+    .map(b => b.toString(16).padStart(2, "0"))
+    .join("");
+}
+
+async function hmacSha256(key: string, message: string): Promise<string> {
+  const cryptoKey = await crypto.subtle.importKey(
+    "raw",
+    new TextEncoder().encode(key),
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["sign"]
+  );
+  const sig = await crypto.subtle.sign(
+    "HMAC",
+    cryptoKey,
+    new TextEncoder().encode(message)
+  );
+  return Array.from(new Uint8Array(sig))
+    .map(b => b.toString(16).padStart(2, "0"))
+    .join("");
+}
+
+async function validateHMAC(body: {
+  machine_hash: string;
+  token: string;
+  timestamp: number;
+  password: string;
+}): Promise<{ valid: boolean; reason?: string }> {
+  const now = Date.now();
+
+  // Replay check
+  if (Math.abs(now - body.timestamp) > REPLAY_WINDOW_MS) {
+    return { valid: false, reason: "timestamp_expired" };
+  }
+
+  // Lookup machine
+  const sb = createClient(SUPABASE_URL, SERVICE_ROLE_KEY);
+  const { data: machine, error } = await sb
+    .from("clauth_machines")
+    .select("hmac_seed_hash, enabled")
+    .eq("machine_hash", body.machine_hash)
+    .single();
+
+  if (error || !machine) {
+    return { valid: false, reason: "machine_not_found" };
+  }
+  if (!machine.enabled) {
+    return { valid: false, reason: "machine_disabled" };
+  }
+
+  // Expected token = HMAC(machine_hash + timestamp_window, password + SALT)
+  const window = Math.floor(body.timestamp / REPLAY_WINDOW_MS);
+  const message = `${body.machine_hash}:${window}`;
+  const hmacKey = `${body.password}:${CLAUTH_HMAC_SALT}`;
+  const expected = await hmacSha256(hmacKey, message);
+
+  if (expected !== body.token) {
+    return { valid: false, reason: "invalid_token" };
+  }
+
+  // Update last_seen
+  await sb
+    .from("clauth_machines")
+    .update({ last_seen: new Date().toISOString() })
+    .eq("machine_hash", body.machine_hash);
+
+  return { valid: true };
+}
+
+async function auditLog(
+  sb: ReturnType<typeof createClient>,
+  machine_hash: string,
+  service_name: string,
+  action: string,
+  result: string,
+  detail?: string
+) {
+  await sb.from("clauth_audit").insert({
+    machine_hash, service_name, action, result, detail
+  });
+}
+
+// ============================================================
+// Route handlers
+// ============================================================
+
+async function handleRetrieve(sb: ReturnType<typeof createClient>, body: any, machine_hash: string) {
+  const { service } = body;
+  if (!service) return { error: "service required" };
+
+  const { data: svc } = await sb
+    .from("clauth_services")
+    .select("*")
+    .eq("name", service)
+    .single();
+
+  if (!svc) {
+    await auditLog(sb, machine_hash, service, "retrieve", "fail", "service_not_found");
+    return { error: "service_not_found" };
+  }
+  if (!svc.enabled) {
+    await auditLog(sb, machine_hash, service, "retrieve", "denied", "service_disabled");
+    return { error: "service_disabled" };
+  }
+  if (!svc.vault_key) {
+    await auditLog(sb, machine_hash, service, "retrieve", "fail", "no_key_stored");
+    return { error: "no_key_stored" };
+  }
+
+  // Retrieve from vault
+  const { data: secret } = await sb.rpc("vault_decrypt_secret", {
+    secret_name: svc.vault_key
+  });
+
+  await sb
+    .from("clauth_services")
+    .update({ last_retrieved: new Date().toISOString() })
+    .eq("name", service);
+
+  await auditLog(sb, machine_hash, service, "retrieve", "success");
+  return { service, key_type: svc.key_type, value: secret };
+}
+
+async function handleWrite(sb: ReturnType<typeof createClient>, body: any, machine_hash: string) {
+  const { service, value } = body;
+  if (!service || !value) return { error: "service and value required" };
+
+  const vaultKey = `clauth.${service}`;
+
+  // Upsert into vault
+  const { error } = await sb.rpc("vault_upsert_secret", {
+    secret_name: vaultKey,
+    secret_value: typeof value === "string" ? value : JSON.stringify(value)
+  });
+
+  if (error) {
+    await auditLog(sb, machine_hash, service, "write", "fail", error.message);
+    return { error: error.message };
+  }
+
+  // Update registry
+  await sb
+    .from("clauth_services")
+    .update({ vault_key: vaultKey, last_rotated: new Date().toISOString() })
+    .eq("name", service);
+
+  await auditLog(sb, machine_hash, service, "write", "success");
+  return { success: true, service, vault_key: vaultKey };
+}
+
+async function handleEnable(sb: ReturnType<typeof createClient>, body: any, machine_hash: string) {
+  const { service, enabled } = body; // enabled: true | false
+  const target = service === "all" ? null : service;
+
+  let query = sb.from("clauth_services").update({ enabled });
+  if (target) query = query.eq("name", target);
+  else query = query.not("vault_key", "is", null); // only enable services with keys
+
+  const { error } = await query;
+  if (error) return { error: error.message };
+
+  await auditLog(sb, machine_hash, service, enabled ? "enable" : "disable", "success");
+  return { success: true, service, enabled };
+}
+
+async function handleAdd(sb: ReturnType<typeof createClient>, body: any, machine_hash: string) {
+  const { name, label, key_type, description } = body;
+  if (!name || !label || !key_type) return { error: "name, label, key_type required" };
+
+  const { error } = await sb.from("clauth_services").insert({
+    name, label, key_type, description: description || null
+  });
+
+  if (error) return { error: error.message };
+  await auditLog(sb, machine_hash, name, "add", "success");
+  return { success: true, name, label, key_type };
+}
+
+async function handleRemove(sb: ReturnType<typeof createClient>, body: any, machine_hash: string) {
+  const { service, confirm } = body;
+  if (confirm !== `CONFIRM REMOVE ${service.toUpperCase()}`) {
+    return { error: "confirm phrase mismatch", required: `CONFIRM REMOVE ${service.toUpperCase()}` };
+  }
+
+  await sb.rpc("vault_delete_secret", { secret_name: `clauth.${service}` });
+  await sb.from("clauth_services").delete().eq("name", service);
+  await auditLog(sb, machine_hash, service, "remove", "success");
+  return { success: true, service };
+}
+
+async function handleRevoke(sb: ReturnType<typeof createClient>, body: any, machine_hash: string) {
+  const { service, confirm } = body;
+  const phrase = service === "all" ? "CONFIRM REVOKE ALL" : `CONFIRM REVOKE ${service.toUpperCase()}`;
+  if (confirm !== phrase) {
+    return { error: "confirm phrase mismatch", required: phrase };
+  }
+
+  if (service === "all") {
+    const { data: svcs } = await sb.from("clauth_services").select("name").not("vault_key", "is", null);
+    for (const s of svcs || []) {
+      await sb.rpc("vault_delete_secret", { secret_name: `clauth.${s.name}` });
+    }
+    await sb.from("clauth_services").update({ vault_key: null, enabled: false }).neq("id", "00000000-0000-0000-0000-000000000000");
+  } else {
+    await sb.rpc("vault_delete_secret", { secret_name: `clauth.${service}` });
+    await sb.from("clauth_services").update({ vault_key: null, enabled: false }).eq("name", service);
+  }
+
+  await auditLog(sb, machine_hash, service, "revoke", "success");
+  return { success: true, service };
+}
+
+async function handleStatus(sb: ReturnType<typeof createClient>, machine_hash: string) {
+  const { data: services } = await sb
+    .from("clauth_services")
+    .select("name, label, key_type, enabled, vault_key, last_retrieved, last_rotated, created_at")
+    .order("name");
+
+  await auditLog(sb, machine_hash, "all", "status", "success");
+  return { services: services || [] };
+}
+
+async function handleRegisterMachine(sb: ReturnType<typeof createClient>, body: any) {
+  const { machine_hash, hmac_seed_hash, label, admin_token } = body;
+  // Bootstrap: requires a one-time admin token stored as env var
+  if (admin_token !== Deno.env.get("CLAUTH_ADMIN_BOOTSTRAP_TOKEN")) {
+    return { error: "invalid_admin_token" };
+  }
+  const { error } = await sb.from("clauth_machines").upsert({
+    machine_hash, hmac_seed_hash, label, enabled: true
+  }, { onConflict: "machine_hash" });
+
+  if (error) return { error: error.message };
+  return { success: true, machine_hash };
+}
+
+// ============================================================
+// Main handler
+// ============================================================
+
+Deno.serve(async (req: Request) => {
+  const url = new URL(req.url);
+  const route = url.pathname.replace(/^\/auth-vault\/?/, "").replace(/^\//, "");
+
+  if (req.method === "OPTIONS") {
+    return new Response(null, {
+      headers: {
+        "Access-Control-Allow-Origin": "*",
+        "Access-Control-Allow-Methods": "POST, OPTIONS",
+        "Access-Control-Allow-Headers": "Content-Type, Authorization"
+      }
+    });
+  }
+
+  if (req.method !== "POST") {
+    return Response.json({ error: "POST only" }, { status: 405 });
+  }
+
+  const body = await req.json().catch(() => ({}));
+  const sb = createClient(SUPABASE_URL, SERVICE_ROLE_KEY);
+
+  // Bootstrap machine registration — no HMAC required, uses admin token
+  if (route === "register-machine") {
+    return Response.json(await handleRegisterMachine(sb, body));
+  }
+
+  // All other routes require HMAC validation
+  const authResult = await validateHMAC({
+    machine_hash: body.machine_hash,
+    token: body.token,
+    timestamp: body.timestamp,
+    password: body.password
+  });
+
+  if (!authResult.valid) {
+    await auditLog(sb, body.machine_hash || "unknown", body.service || "unknown", route, "denied", authResult.reason);
+    return Response.json({ error: "auth_failed", reason: authResult.reason }, { status: 401 });
+  }
+
+  const machine_hash = body.machine_hash;
+
+  switch (route) {
+    case "retrieve":        return Response.json(await handleRetrieve(sb, body, machine_hash));
+    case "write":           return Response.json(await handleWrite(sb, body, machine_hash));
+    case "enable":          return Response.json(await handleEnable(sb, body, machine_hash));
+    case "add":             return Response.json(await handleAdd(sb, body, machine_hash));
+    case "remove":          return Response.json(await handleRemove(sb, body, machine_hash));
+    case "revoke":          return Response.json(await handleRevoke(sb, body, machine_hash));
+    case "status":          return Response.json(await handleStatus(sb, machine_hash));
+    case "test":            return Response.json({ valid: true, machine_hash, timestamp: body.timestamp });
+    default:                return Response.json({ error: "unknown_route", route }, { status: 404 });
+  }
+});

package/supabase/migrations/001_clauth_schema.sql

@@ -0,0 +1,94 @@
+-- ============================================================
+-- clauth schema
+-- Migration: 001_clauth_schema.sql
+-- ============================================================
+
+-- Enable vault extension (Supabase enables by default, but guard)
+-- vault.secrets is already available in Supabase projects
+
+-- ============================================================
+-- Service Registry
+-- ============================================================
+create table if not exists public.clauth_services (
+  id            uuid primary key default gen_random_uuid(),
+  name          text not null unique,           -- e.g. 'github', 'r2'
+  label         text not null,                  -- human display name
+  key_type      text not null                   -- 'token' | 'keypair' | 'connstring' | 'oauth'
+                check (key_type in ('token','keypair','connstring','oauth')),
+  enabled       boolean not null default false,
+  vault_key     text,                           -- vault secret name: 'clauth.<name>'
+  description   text,
+  last_retrieved timestamptz,
+  last_rotated   timestamptz,
+  created_at    timestamptz not null default now(),
+  updated_at    timestamptz not null default now()
+);
+
+-- ============================================================
+-- Machine Registry (hardware fingerprints — hashed only)
+-- ============================================================
+create table if not exists public.clauth_machines (
+  id              uuid primary key default gen_random_uuid(),
+  machine_hash    text not null unique,          -- SHA256(machine_id + os_install_id)
+  label           text,                          -- e.g. 'Dave-Desktop-Win11'
+  hmac_seed_hash  text not null,                 -- SHA256 of the HMAC seed stored in vault
+  enabled         boolean not null default true,
+  created_at      timestamptz not null default now(),
+  last_seen       timestamptz
+);
+
+-- ============================================================
+-- Audit Log
+-- ============================================================
+create table if not exists public.clauth_audit (
+  id           uuid primary key default gen_random_uuid(),
+  machine_hash text,
+  service_name text,
+  action       text not null,    -- 'retrieve' | 'enable' | 'disable' | 'rotate' | 'revoke' | 'add' | 'remove'
+  result       text not null,    -- 'success' | 'fail' | 'denied'
+  detail       text,
+  created_at   timestamptz not null default now()
+);
+
+-- ============================================================
+-- Seed: built-in service definitions (no keys — just registry)
+-- ============================================================
+insert into public.clauth_services (name, label, key_type, description) values
+  ('github',           'GitHub PAT',                  'token',     'GitHub Personal Access Token — repo, workflow, org'),
+  ('supabase-anon',    'Supabase Anon Key',            'token',     'Supabase public anon key (RLS-gated)'),
+  ('supabase-service', 'Supabase Service Role Key',    'token',     'Supabase service_role — bypasses RLS'),
+  ('supabase-db',      'Supabase DB Connection',       'connstring','PostgreSQL connection string (pooled + direct)'),
+  ('vercel',           'Vercel API Token',             'keypair',   'Vercel API token + Team ID'),
+  ('namecheap',        'Namecheap API',                'keypair',   'Namecheap API key + username'),
+  ('neo4j',            'Neo4j Aura',                   'connstring','Neo4j Aura URI + credentials'),
+  ('anthropic',        'Anthropic API Key',            'token',     'Claude API — sk-ant-...'),
+  ('r2',               'Cloudflare R2 Keypair',        'keypair',   'R2 Access Key ID + Secret Access Key'),
+  ('r2-bucket',        'Cloudflare R2 Bucket Config',  'connstring','R2 bucket name + endpoint URL'),
+  ('cloudflare',       'Cloudflare API Token',         'token',     'Cloudflare zone/DNS/admin token'),
+  ('rocketreach',      'RocketReach API Key',          'token',     'RocketReach contact intelligence API')
+on conflict (name) do nothing;
+
+-- ============================================================
+-- RLS — lock down all tables
+-- ============================================================
+alter table public.clauth_services  enable row level security;
+alter table public.clauth_machines  enable row level security;
+alter table public.clauth_audit     enable row level security;
+
+-- service_role bypasses RLS — all access from Edge Function only
+-- No direct anon access to any clauth table
+create policy "no_anon_services"  on public.clauth_services  for all using (false);
+create policy "no_anon_machines"  on public.clauth_machines  for all using (false);
+create policy "no_anon_audit"     on public.clauth_audit     for all using (false);
+
+-- ============================================================
+-- Updated_at trigger
+-- ============================================================
+create or replace function public.clauth_touch_updated()
+returns trigger language plpgsql as $$
+begin new.updated_at = now(); return new; end;
+$$;
+
+create trigger clauth_services_updated
+  before update on public.clauth_services
+  for each row execute procedure public.clauth_touch_updated();

package/supabase/migrations/002_vault_helpers.sql

@@ -0,0 +1,90 @@
+-- ============================================================
+-- Vault helper functions
+-- Migration: 002_vault_helpers.sql
+-- These wrap vault.create_secret / vault.update_secret 
+-- so Edge Functions don't need direct vault schema access
+-- ============================================================
+
+-- Upsert a secret (create or update)
+create or replace function public.vault_upsert_secret(
+  secret_name text,
+  secret_value text
+)
+returns void
+language plpgsql
+security definer
+as $$
+declare
+  existing_id uuid;
+begin
+  select id into existing_id
+  from vault.secrets
+  where name = secret_name
+  limit 1;
+
+  if existing_id is not null then
+    perform vault.update_secret(existing_id, secret_value);
+  else
+    perform vault.create_secret(secret_value, secret_name);
+  end if;
+end;
+$$;
+
+-- Decrypt and return a secret value by name
+create or replace function public.vault_decrypt_secret(
+  secret_name text
+)
+returns text
+language plpgsql
+security definer
+as $$
+declare
+  result text;
+begin
+  select decrypted_secret into result
+  from vault.decrypted_secrets
+  where name = secret_name
+  limit 1;
+  return result;
+end;
+$$;
+
+-- Delete a secret by name
+create or replace function public.vault_delete_secret(
+  secret_name text
+)
+returns void
+language plpgsql
+security definer
+as $$
+declare
+  target_id uuid;
+begin
+  select id into target_id
+  from vault.secrets
+  where name = secret_name
+  limit 1;
+
+  if target_id is not null then
+    delete from vault.secrets where id = target_id;
+  end if;
+end;
+$$;
+
+-- List all clauth secrets (names only — never values)
+create or replace function public.vault_list_clauth_secrets()
+returns table(name text, created_at timestamptz, updated_at timestamptz)
+language sql
+security definer
+as $$
+  select name, created_at, updated_at
+  from vault.secrets
+  where name like 'clauth.%'
+  order by name;
+$$;
+
+-- Revoke execute from public, grant to service_role only
+revoke execute on function public.vault_upsert_secret from public;
+revoke execute on function public.vault_decrypt_secret from public;
+revoke execute on function public.vault_delete_secret from public;
+revoke execute on function public.vault_list_clauth_secrets from public;