@lifeaitools/clauth 0.2.0 → 0.2.2

package/.clauth-skill/SKILL.md

@@ -9,93 +9,127 @@ Hardware-bound credential vault for the LIFEAI stack. Your machine is the second
 
 ---
 
-## When someone says "install clauth"
+## How Claude Interfaces with clauth
 
-### Step 1 — Check GitHub MCP is connected
+> **CRITICAL:** Never pipe input to clauth or use interactive prompts. The CLI uses `inquirer` which produces ANSI garbage when stdin is piped. Always use one of the two methods below.
 
-Look at your available tools. You need a GitHub/git tool that can clone a repository.
+### Method 1 — CLI with `--pw` flag (simplest)
 
-If GitHub MCP is NOT connected, stop and tell the user:
+All clauth commands accept `-p` / `--pw <password>` to skip the interactive password prompt:
 
-> "To install clauth I need your GitHub connection. In Claude, go to Settings → Integrations and connect GitHub, then come back and say 'install clauth' again."
+```bash
+clauth status -p "YourPassword"
+clauth get github -p "YourPassword"
+clauth test -p "YourPassword"
+clauth enable github -p "YourPassword"
+clauth write key github -p "YourPassword"   # still prompts for the key value
+```
 
-Do not proceed without it.
+### Method 2 — Direct API calls (full control, no CLI needed)
 
----
+Call the auth-vault Edge Function directly. This is the most reliable method for Claude.
 
-### Step 2 — Clone the repo
+**Base URL:** `https://<project-ref>.supabase.co/functions/v1/auth-vault`
+**Auth header:** `Authorization: Bearer <supabase-anon-key>`
+**Method:** POST (all routes)
+**Content-Type:** `application/json`
 
-Use bash to clone into `~/.clauth`:
+#### HMAC Token Derivation (must match server)
 
-```bash
-git clone https://github.com/LIFEAI/clauth.git ~/.clauth
-```
+```js
+import { createHmac, createHash, execSync } from "crypto";
 
-If `~/.clauth` already exists:
-```bash
-cd ~/.clauth && git pull
+// 1. Get machine hash (same as fingerprint.js)
+// Windows:
+const uuid = execSync("wmic csproduct get uuid /format:value", { encoding: "utf8" })
+  .match(/UUID=([A-F0-9-]+)/i)?.[1]?.trim();
+const machineGuid = execSync(
+  "reg query HKLM\\SOFTWARE\\Microsoft\\Cryptography /v MachineGuid",
+  { encoding: "utf8" }
+).match(/MachineGuid\s+REG_SZ\s+([a-f0-9-]+)/i)?.[1]?.trim();
+const machineHash = createHash("sha256").update(`${uuid}:${machineGuid}`).digest("hex");
+
+// 2. Derive HMAC token
+const windowMs = 5 * 60 * 1000;
+const window = Math.floor(Date.now() / windowMs);
+const message = `${machineHash}:${window}`;
+const token = createHmac("sha256", password).update(message).digest("hex");
+const timestamp = window * windowMs;
 ```
 
+#### API Routes
+
+| Route | Body fields | Returns |
+|-------|-------------|---------|
+| `POST /status` | `machine_hash, token, timestamp, password` | `{ services: [...] }` |
+| `POST /test` | `machine_hash, token, timestamp, password` | `{ ok: true }` |
+| `POST /retrieve` | `+ service` | `{ value: "..." }` |
+| `POST /write` | `+ service, value` | `{ ok: true }` |
+| `POST /enable` | `+ service, enabled: bool` | `{ ok: true }` |
+| `POST /add` | `+ name, label, key_type, description` | `{ ok: true }` |
+| `POST /remove` | `+ service, confirm: true` | `{ ok: true }` |
+| `POST /revoke` | `+ service, confirm: true` | `{ ok: true }` |
+| `POST /register-machine` | `machine_hash, hmac_seed_hash, label, admin_token` | `{ ok: true }` |
+
+All auth routes require: `machine_hash`, `token`, `timestamp`, `password`.
+
+### Password Handling
+
+- Ask the user for their clauth password **once per session**
+- Store it in working memory for the duration of the conversation
+- Never log or echo the password
+- If the user says "use clauth" or "get my github key", ask for the password if you don't have it yet
+
 ---
 
-### Step 3 — Run the bootstrap binary
+## When someone says "install clauth"
 
-**Windows:**
-```powershell
-& "$env:USERPROFILE\.clauth\scripts\bin\bootstrap-win.exe"
-```
+### Step 1 — Install from npm
 
-**Mac/Linux:**
 ```bash
-~/.clauth/scripts/bin/bootstrap-linux
-# Mac:
-~/.clauth/scripts/bin/bootstrap-macos
+npm install -g @lifeaitools/clauth
 ```
 
-This binary:
-- Runs `npm install`
-- Links `clauth` globally
-- Chains to `clauth install` automatically
+If already installed, update:
+```bash
+npm update -g @lifeaitools/clauth
+```
 
----
+### Step 2 — Run the installer
 
-### Step 4 — clauth install (automatic)
+Use CLI flags to avoid interactive prompts:
 
-`clauth install` runs automatically. It asks for two Supabase items:
+```bash
+clauth install --ref <supabase-project-ref> --pat <personal-access-token>
+```
 
-**Project ref** — last part of your Supabase project URL:
+**Project ref** — last part of the Supabase project URL:
 `https://supabase.com/dashboard/project/` **`uvojezuorjgqzmhhgluu`**
 
 **Personal Access Token (PAT):**
 `https://supabase.com/dashboard/account/tokens` → Generate new token
 *(NOT the anon key or service_role — this is your account-level token)*
 
-Then it provisions everything, tests it, installs this skill, and prints a **bootstrap token** — save it.
-
----
+The installer provisions everything and prints a **bootstrap token** — save it.
 
-### Step 5 — clauth setup
+### Step 3 — Setup this machine
 
-```
-clauth setup
+```bash
+clauth setup --admin-token <bootstrap-token> -p <password>
 ```
 
-Asks: machine label, password, bootstrap token (from step 4).
-
 Then verify:
+```bash
+clauth test -p <password>
+clauth status -p <password>
 ```
-clauth test      → PASS
-clauth status    → 12 services ready
-```
-
----
 
-### Step 6 — Write your first key
+### Step 4 — Write your first key
 
 ```bash
-clauth write key github     # prompts for value
-clauth enable github
-clauth get github
+clauth write key github -p <password>     # prompts for value
+clauth enable github -p <password>
+clauth get github -p <password>
 ```
 
 See `references/keys-guide.md` for where to find every credential.
@@ -105,21 +139,29 @@ See `references/keys-guide.md` for where to find every credential.
 ## Command reference
 
 ```
-clauth install              First-time: provision Supabase + install skill
-clauth setup                Register this machine (after install)
-clauth status               All services + state
-clauth test                 Verify HMAC connection
-clauth list                 Service names
-
-clauth write key <service>  Store a credential
-clauth write pw             Change password
-clauth enable <svc|all>     Activate service
-clauth disable <svc|all>    Suspend service
-clauth get <service>        Retrieve a key
-
-clauth add service <n>      Register new service
-clauth remove service <n>   Remove service
-clauth revoke <svc|all>     Delete key (destructive)
+clauth install [--ref R] [--pat P]     First-time: provision Supabase + install skill
+clauth setup [--admin-token T] [-p P]  Register this machine
+clauth status [-p P]                   All services + state
+clauth test [-p P]                     Verify HMAC connection
+clauth list [-p P]                     Service names
+
+clauth write key <service> [-p P]      Store a credential
+clauth write pw [-p P]                 Change password
+clauth enable <svc|all> [-p P]         Activate service
+clauth disable <svc|all> [-p P]        Suspend service
+clauth get <service> [-p P]            Retrieve a key
+
+clauth add service <n> [-p P]          Register new service
+clauth remove service <n> [-p P]       Remove service
+clauth revoke <svc|all> [-p P]         Delete key (destructive)
+
+clauth scrub                           Scrub active transcript (most recent .jsonl)
+clauth scrub <file>                    Scrub a specific file
+clauth scrub all                       Scrub all transcripts in ~/.claude/projects/
+clauth scrub all --force               Rescrub everything (ignore markers)
+
+clauth uninstall --ref R --pat P       Full teardown (DB, Edge Fn, secrets, skill, config)
+clauth uninstall --ref R --pat P --yes Skip confirmation
 ```
 
 ## Services
@@ -137,5 +179,6 @@ clauth revoke <svc|all>     Delete key (destructive)
 | `machine_not_found` | Run `clauth setup` |
 | `timestamp_expired` | Sync system clock |
 | `invalid_token` | Wrong password |
-| `service_disabled` | `clauth enable <service>` |
-| `no_key_stored` | `clauth write key <service>` |
+| `service_disabled` | `clauth enable <service> -p <password>` |
+| `no_key_stored` | `clauth write key <service> -p <password>` |
+| ANSI garbage output | You piped stdin — use `-p` flag instead |

package/cli/commands/install.js

@@ -157,16 +157,31 @@ export async function runInstall(opts = {}) {
   const s5 = ora('Deploying auth-vault Edge Function...').start();
   const fnSource = readFileSync(join(ROOT, 'supabase/functions/auth-vault/index.ts'), 'utf8');
   try {
-    // Try update first
-    try {
-      await mgmt(pat, 'PATCH', `/projects/${ref}/functions/auth-vault`, {
-        slug: 'auth-vault', name: 'auth-vault', verify_jwt: true, body: fnSource,
-      });
-    } catch {
-      await mgmt(pat, 'POST', `/projects/${ref}/functions`, {
-        slug: 'auth-vault', name: 'auth-vault', verify_jwt: true, body: fnSource,
-      });
+    // Use the /deploy endpoint with multipart/form-data (not the old /functions endpoint)
+    const formData = new FormData();
+
+    const metadata = {
+      name: 'auth-vault',
+      entrypoint_path: 'index.ts',
+      verify_jwt: true,
+    };
+    formData.append('metadata', new Blob([JSON.stringify(metadata)], { type: 'application/json' }));
+    formData.append('file', new Blob([fnSource], { type: 'application/typescript' }), 'index.ts');
+
+    const deployRes = await fetch(
+      `${MGMT}/projects/${ref}/functions/deploy?slug=auth-vault`,
+      {
+        method: 'POST',
+        headers: { 'Authorization': `Bearer ${pat}` },
+        body: formData,
+      }
+    );
+
+    if (!deployRes.ok) {
+      const errText = await deployRes.text().catch(() => deployRes.statusText);
+      throw new Error(`HTTP ${deployRes.status}: ${errText}`);
     }
+
     s5.succeed('auth-vault Edge Function deployed');
   } catch (e) {
     s5.warn(`Edge Function deploy failed: ${e.message}`);

package/cli/commands/scrub.js

@@ -0,0 +1,231 @@
+// cli/commands/scrub.js — Scrub credentials from Claude Code transcript logs
+//
+// clauth scrub          → scrub active transcript (most recent .jsonl)
+// clauth scrub <file>   → scrub a specific file
+// clauth scrub all      → scrub every transcript .jsonl
+// clauth scrub --force  → rescrub even if already marked
+
+import fs from "fs";
+import path from "path";
+import os from "os";
+import chalk from "chalk";
+import ora from "ora";
+
+const SCRUB_MARKER = "[CLAUTH-SCRUBBED]";
+const SCRUB_VERSION = "1.1";
+
+// ──────────────────────────────────────────────
+// Credential patterns — regex + replacement
+// ──────────────────────────────────────────────
+const PATTERNS = [
+  // Supabase JWTs (anon, service_role)
+  [/eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g,
+   "[SUPABASE_JWT_REDACTED]"],
+
+  // Vercel tokens
+  [/vcp_[A-Za-z0-9]{20,80}/g,
+   "[VERCEL_TOKEN_REDACTED]"],
+
+  // R2 / S3 secret access keys (64-char hex)
+  [/"secret_access_key"\s*:\s*"[a-f0-9]{64}"/g,
+   '"secret_access_key": "[R2_SECRET_REDACTED]"'],
+
+  // R2 / S3 access key IDs (32-char hex)
+  [/"access_key_id"\s*:\s*"[a-f0-9]{32}"/g,
+   '"access_key_id": "[R2_KEY_REDACTED]"'],
+
+  // Cloudflare admin tokens
+  [/"admin_token"\s*:\s*"[A-Za-z0-9_-]{20,60}"/g,
+   '"admin_token": "[CF_TOKEN_REDACTED]"'],
+
+  // Cloudflare account IDs (32-char hex)
+  [/"account_id"\s*:\s*"[a-f0-9]{32}"/g,
+   '"account_id": "[CF_ACCOUNT_REDACTED]"'],
+
+  // GitHub tokens
+  [/ghp_[A-Za-z0-9]{36}/g,
+   "[GITHUB_TOKEN_REDACTED]"],
+  [/github_pat_[A-Za-z0-9_]{40,100}/g,
+   "[GITHUB_PAT_REDACTED]"],
+
+  // Neo4j connection strings with passwords
+  [/neo4j\+s?:\/\/[^"\\]+/g,
+   "[NEO4J_CONNSTRING_REDACTED]"],
+
+  // Generic Bearer tokens in Authorization headers
+  [/Bearer [A-Za-z0-9_-]{20,}/g,
+   "Bearer [TOKEN_REDACTED]"],
+];
+
+// ──────────────────────────────────────────────
+// Marker check — read last 512 bytes
+// ──────────────────────────────────────────────
+function isAlreadyScrubbed(filePath) {
+  try {
+    const stat = fs.statSync(filePath);
+    const fd = fs.openSync(filePath, "r");
+    const bufSize = Math.min(512, stat.size);
+    const buf = Buffer.alloc(bufSize);
+    fs.readSync(fd, buf, 0, bufSize, Math.max(0, stat.size - bufSize));
+    fs.closeSync(fd);
+
+    const tail = buf.toString("utf-8");
+    const lastLine = tail.trim().split("\n").pop();
+    if (lastLine && lastLine.includes(SCRUB_MARKER)) {
+      try {
+        const marker = JSON.parse(lastLine);
+        return marker.version === SCRUB_VERSION;
+      } catch { return false; }
+    }
+    return false;
+  } catch { return false; }
+}
+
+// ──────────────────────────────────────────────
+// Stamp file as scrubbed
+// ──────────────────────────────────────────────
+function stampScrubbed(filePath) {
+  const marker = JSON.stringify({
+    type: SCRUB_MARKER,
+    version: SCRUB_VERSION,
+    scrubbed_at: new Date().toISOString(),
+    patterns: PATTERNS.length,
+  });
+  fs.appendFileSync(filePath, "\n" + marker + "\n", "utf-8");
+}
+
+// ──────────────────────────────────────────────
+// Scrub a single file
+// ──────────────────────────────────────────────
+function scrubFile(filePath, force = false) {
+  if (!force && isAlreadyScrubbed(filePath)) {
+    return "skipped";
+  }
+
+  let content = fs.readFileSync(filePath, "utf-8");
+  let total = 0;
+
+  for (const [pattern, replacement] of PATTERNS) {
+    // Reset lastIndex for global regexes
+    pattern.lastIndex = 0;
+    const matches = content.match(pattern);
+    if (matches) {
+      total += matches.length;
+      content = content.replace(pattern, replacement);
+    }
+  }
+
+  if (total > 0) {
+    fs.writeFileSync(filePath, content, "utf-8");
+  }
+
+  // Stamp as clean (whether creds found or not)
+  stampScrubbed(filePath);
+  return total;
+}
+
+// ──────────────────────────────────────────────
+// Find all transcript .jsonl files
+// ──────────────────────────────────────────────
+function findTranscripts() {
+  const claudeDir = path.join(os.homedir(), ".claude", "projects");
+  if (!fs.existsSync(claudeDir)) return [];
+
+  const results = [];
+  function walk(dir) {
+    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
+      const full = path.join(dir, entry.name);
+      if (entry.isDirectory()) walk(full);
+      else if (entry.name.endsWith(".jsonl")) results.push(full);
+    }
+  }
+  walk(claudeDir);
+  return results;
+}
+
+// ──────────────────────────────────────────────
+// Find the most recent transcript (active session)
+// ──────────────────────────────────────────────
+function findMostRecent() {
+  const files = findTranscripts();
+  if (files.length === 0) return null;
+
+  let newest = files[0];
+  let newestMtime = fs.statSync(files[0]).mtimeMs;
+  for (const f of files.slice(1)) {
+    const mt = fs.statSync(f).mtimeMs;
+    if (mt > newestMtime) { newest = f; newestMtime = mt; }
+  }
+  return newest;
+}
+
+// ──────────────────────────────────────────────
+// Exported runner
+// ──────────────────────────────────────────────
+export async function runScrub(target, opts = {}) {
+  const force = opts.force || false;
+
+  // Determine which files to scrub
+  let files;
+  if (target === "all") {
+    files = findTranscripts();
+    if (files.length === 0) {
+      console.log(chalk.yellow("\n  No transcript files found.\n"));
+      return;
+    }
+    console.log(chalk.cyan(`\n  Scrubbing ${files.length} transcript file(s)...\n`));
+  } else if (target && target !== "all") {
+    // Specific file
+    const resolved = path.resolve(target);
+    if (!fs.existsSync(resolved)) {
+      console.log(chalk.red(`\n  File not found: ${resolved}\n`));
+      process.exit(1);
+    }
+    files = [resolved];
+  } else {
+    // No target — find most recent
+    const recent = findMostRecent();
+    if (!recent) {
+      console.log(chalk.yellow("\n  No transcript files found.\n"));
+      return;
+    }
+    files = [recent];
+    console.log(chalk.gray(`\n  Active transcript: ${path.basename(recent)}`));
+  }
+
+  // Scrub
+  const spinner = ora("Scrubbing credentials...").start();
+  let grandTotal = 0;
+  let skipped = 0;
+  let scanned = 0;
+
+  for (const f of files) {
+    const result = scrubFile(f, force);
+    if (result === "skipped") {
+      skipped++;
+    } else {
+      scanned++;
+      if (result > 0) {
+        spinner.stop();
+        console.log(chalk.yellow(`  ${result} redaction(s) in ${path.basename(f)}`));
+        spinner.start("Scrubbing credentials...");
+        grandTotal += result;
+      }
+    }
+  }
+
+  spinner.stop();
+
+  // Summary
+  const parts = [];
+  if (scanned) parts.push(`scanned ${scanned}`);
+  if (skipped) parts.push(chalk.gray(`skipped ${skipped} (already clean)`));
+  if (grandTotal) parts.push(chalk.green(`${grandTotal} credential(s) scrubbed`));
+  else if (scanned) parts.push(chalk.green("no credentials found"));
+
+  console.log(`\n  ${files.length} file(s): ${parts.join(", ")}.`);
+  if (skipped && !force) {
+    console.log(chalk.gray("  (use --force to rescan all files)"));
+  }
+  console.log();
+}

package/cli/commands/uninstall.js

@@ -0,0 +1,164 @@
+// cli/commands/uninstall.js
+// clauth uninstall — full teardown: DB objects, Edge Function, secrets, skill, local config
+//
+// Reverses everything `clauth install` does:
+//   1. Drops clauth tables, policies, triggers, functions from Supabase
+//   2. Deletes auth-vault Edge Function
+//   3. Removes CLAUTH_* secrets
+//   4. Removes Claude skill directory
+//   5. Clears local config (Conf store)
+
+import { existsSync, rmSync } from 'fs';
+import { join } from 'path';
+import Conf from 'conf';
+import chalk from 'chalk';
+import ora from 'ora';
+
+const MGMT = 'https://api.supabase.com/v1';
+const SKILLS_DIR = process.env.CLAUTH_SKILLS_DIR ||
+  (process.platform === 'win32'
+    ? join(process.env.USERPROFILE || '', '.claude', 'skills')
+    : join(process.env.HOME || '', '.claude', 'skills'));
+
+// ─────────────────────────────────────────────
+// Supabase Management API helper
+// ─────────────────────────────────────────────
+async function mgmt(pat, method, path, body) {
+  const res = await fetch(`${MGMT}${path}`, {
+    method,
+    headers: { 'Authorization': `Bearer ${pat}`, 'Content-Type': 'application/json' },
+    body: body ? JSON.stringify(body) : undefined,
+  });
+  if (!res.ok) {
+    const text = await res.text().catch(() => res.statusText);
+    throw new Error(`${method} ${path} → HTTP ${res.status}: ${text}`);
+  }
+  if (res.status === 204) return {};
+  const text = await res.text();
+  if (!text) return {};
+  return JSON.parse(text);
+}
+
+// ─────────────────────────────────────────────
+// Main uninstall command
+// ─────────────────────────────────────────────
+export async function runUninstall(opts = {}) {
+  console.log(chalk.red('\n🗑️  clauth uninstall\n'));
+
+  const config = new Conf({ projectName: 'clauth' });
+
+  // ── Collect credentials ────────────────────
+  const ref = opts.ref || config.get('supabase_url')?.match(/https:\/\/(.+)\.supabase\.co/)?.[1];
+  const pat = opts.pat;
+
+  if (!ref) {
+    console.log(chalk.red('  Cannot determine Supabase project ref.'));
+    console.log(chalk.gray('  Use: clauth uninstall --ref <project-ref> --pat <personal-access-token>'));
+    process.exit(1);
+  }
+  if (!pat) {
+    console.log(chalk.red('  Supabase PAT required for teardown.'));
+    console.log(chalk.gray('  Use: clauth uninstall --ref <project-ref> --pat <personal-access-token>'));
+    process.exit(1);
+  }
+
+  console.log(chalk.gray(`  Project: ${ref}\n`));
+
+  // ── Step 1: Drop database objects ──────────
+  const s1 = ora('Dropping clauth database objects...').start();
+  const teardownSQL = `
+    -- Drop triggers
+    DROP TRIGGER IF EXISTS clauth_services_updated ON public.clauth_services;
+
+    -- Drop tables (CASCADE drops policies automatically)
+    DROP TABLE IF EXISTS public.clauth_audit CASCADE;
+    DROP TABLE IF EXISTS public.clauth_machines CASCADE;
+    DROP TABLE IF EXISTS public.clauth_services CASCADE;
+
+    -- Drop functions
+    DROP FUNCTION IF EXISTS public.clauth_touch_updated() CASCADE;
+    DROP FUNCTION IF EXISTS public.clauth_upsert_vault_secret(text, text) CASCADE;
+    DROP FUNCTION IF EXISTS public.clauth_get_vault_secret(text) CASCADE;
+    DROP FUNCTION IF EXISTS public.clauth_delete_vault_secret(text) CASCADE;
+  `;
+
+  try {
+    await mgmt(pat, 'POST', `/projects/${ref}/database/query`, { query: teardownSQL });
+    s1.succeed('Database objects dropped (tables, triggers, functions, policies)');
+  } catch (e) {
+    s1.fail(`Database teardown failed: ${e.message}`);
+    console.log(chalk.yellow('  You may need to drop objects manually via SQL editor.'));
+  }
+
+  // ── Step 2: Delete Edge Function ───────────
+  const s2 = ora('Deleting auth-vault Edge Function...').start();
+  try {
+    const res = await fetch(`${MGMT}/projects/${ref}/functions/auth-vault`, {
+      method: 'DELETE',
+      headers: { 'Authorization': `Bearer ${pat}` },
+    });
+    if (res.ok || res.status === 404) {
+      s2.succeed(res.status === 404
+        ? 'Edge Function not found (already deleted)'
+        : 'Edge Function deleted');
+    } else {
+      const text = await res.text().catch(() => res.statusText);
+      throw new Error(`HTTP ${res.status}: ${text}`);
+    }
+  } catch (e) {
+    s2.fail(`Edge Function delete failed: ${e.message}`);
+    console.log(chalk.yellow('  Delete manually: Supabase Dashboard → Edge Functions → auth-vault → Delete'));
+  }
+
+  // ── Step 3: Remove secrets ─────────────────
+  const s3 = ora('Removing clauth secrets...').start();
+  try {
+    // Supabase Management API: DELETE /projects/{ref}/secrets with body listing secret names
+    const res = await fetch(`${MGMT}/projects/${ref}/secrets`, {
+      method: 'DELETE',
+      headers: { 'Authorization': `Bearer ${pat}`, 'Content-Type': 'application/json' },
+      body: JSON.stringify(['CLAUTH_HMAC_SALT', 'CLAUTH_ADMIN_BOOTSTRAP_TOKEN']),
+    });
+    if (res.ok) {
+      s3.succeed('Secrets removed (CLAUTH_HMAC_SALT, CLAUTH_ADMIN_BOOTSTRAP_TOKEN)');
+    } else {
+      const text = await res.text().catch(() => res.statusText);
+      throw new Error(`HTTP ${res.status}: ${text}`);
+    }
+  } catch (e) {
+    s3.warn(`Secret removal failed: ${e.message}`);
+    console.log(chalk.yellow('  Remove manually: Supabase → Settings → Edge Functions → Secrets'));
+  }
+
+  // ── Step 4: Remove Claude skill ────────────
+  const s4 = ora('Removing Claude skill...').start();
+  const skillDir = join(SKILLS_DIR, 'clauth');
+  if (existsSync(skillDir)) {
+    try {
+      rmSync(skillDir, { recursive: true, force: true });
+      s4.succeed(`Skill removed: ${skillDir}`);
+    } catch (e) {
+      s4.warn(`Could not remove skill: ${e.message}`);
+    }
+  } else {
+    s4.succeed('Skill directory not found (already removed)');
+  }
+
+  // ── Step 5: Clear local config ─────────────
+  const s5 = ora('Clearing local config...').start();
+  try {
+    config.clear();
+    s5.succeed('Local config cleared');
+  } catch (e) {
+    s5.warn(`Could not clear config: ${e.message}`);
+  }
+
+  // ── Done ───────────────────────────────────
+  console.log('');
+  console.log(chalk.red('━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━'));
+  console.log(chalk.yellow('  ✓ clauth fully uninstalled'));
+  console.log(chalk.red('━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━'));
+  console.log('');
+  console.log(chalk.gray('  To reinstall: npx @lifeaitools/clauth install'));
+  console.log('');
+}

package/cli/index.js

@@ -11,7 +11,7 @@ import * as api from "./api.js";
 import os from "os";
 
 const config = new Conf({ projectName: "clauth" });
-const VERSION = "0.2.0";
+const VERSION = "0.2.2";
 
 // ============================================================
 // Password prompt helper
@@ -51,6 +51,8 @@ program
 // clauth install  (Supabase provisioning + skill install + test)
 // ──────────────────────────────────────────────
 import { runInstall } from './commands/install.js';
+import { runUninstall } from './commands/uninstall.js';
+import { runScrub } from './commands/scrub.js';
 
 program
   .command('install')
@@ -61,6 +63,28 @@ program
     await runInstall(opts);
   });
 
+program
+  .command('uninstall')
+  .description('Full teardown — drop DB objects, Edge Function, secrets, skill, config')
+  .option('--ref <ref>', 'Supabase project ref')
+  .option('--pat <pat>', 'Supabase Personal Access Token (required)')
+  .option('--yes', 'Skip confirmation prompt')
+  .action(async (opts) => {
+    if (!opts.yes) {
+      const inquirerMod = await import('inquirer');
+      const { confirm } = await inquirerMod.default.prompt([{
+        type: 'input',
+        name: 'confirm',
+        message: chalk.red('Type "CONFIRM UNINSTALL" to proceed:'),
+      }]);
+      if (confirm !== 'CONFIRM UNINSTALL') {
+        console.log(chalk.yellow('\n  Uninstall cancelled.\n'));
+        process.exit(0);
+      }
+    }
+    await runUninstall(opts);
+  });
+
 // ──────────────────────────────────────────────
 // clauth setup
 // ──────────────────────────────────────────────
@@ -273,11 +297,17 @@ addCmd
   .option("-p, --pw <password>")
   .action(async (name, opts) => {
     const auth = await getAuth(opts.pw);
-    const answers = await inquirer.prompt([
-      { type: "input",  name: "label", message: "Label:", default: opts.label || name },
-      { type: "list",   name: "key_type", message: "Key type:", choices: ["token","keypair","connstring","oauth"], default: opts.type || "token" },
-      { type: "input",  name: "desc",  message: "Description (optional):", default: opts.description || "" }
-    ]);
+    let answers;
+    if (opts.type && opts.label) {
+      // Non-interactive — all flags provided
+      answers = { label: opts.label, key_type: opts.type, desc: opts.description || "" };
+    } else {
+      answers = await inquirer.prompt([
+        { type: "input",  name: "label", message: "Label:", default: opts.label || name },
+        { type: "list",   name: "key_type", message: "Key type:", choices: ["token","keypair","connstring","oauth"], default: opts.type || "token" },
+        { type: "input",  name: "desc",  message: "Description (optional):", default: opts.description || "" }
+      ]);
+    }
     const spinner = ora(`Adding service: ${name}...`).start();
     try {
       const result = await api.addService(
@@ -396,6 +426,24 @@ program
     } catch (err) { spinner.fail(chalk.red(err.message)); }
   });
 
+// ──────────────────────────────────────────────
+// clauth scrub [target]
+// ──────────────────────────────────────────────
+program
+  .command("scrub [target]")
+  .description("Scrub credentials from Claude Code transcript logs (no auth required)")
+  .option("--force", "Rescrub files even if already marked clean")
+  .addHelpText("after", `
+Examples:
+  clauth scrub              Scrub the most recent (active) transcript
+  clauth scrub <file>       Scrub a specific .jsonl file
+  clauth scrub all          Scrub every transcript in ~/.claude/projects/
+  clauth scrub all --force  Rescrub all files (ignore markers)
+`)
+  .action(async (target, opts) => {
+    await runScrub(target, opts);
+  });
+
 // ──────────────────────────────────────────────
 // clauth --help override banner
 // ──────────────────────────────────────────────

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lifeaitools/clauth",
-  "version": "0.2.0",
+  "version": "0.2.2",
   "description": "Hardware-bound credential vault for the LIFEAI infrastructure stack",
   "type": "module",
   "bin": {

package/supabase/migrations/001_clauth_schema.sql

@@ -77,9 +77,17 @@ alter table public.clauth_audit     enable row level security;
 
 -- service_role bypasses RLS — all access from Edge Function only
 -- No direct anon access to any clauth table
-create policy "no_anon_services"  on public.clauth_services  for all using (false);
-create policy "no_anon_machines"  on public.clauth_machines  for all using (false);
-create policy "no_anon_audit"     on public.clauth_audit     for all using (false);
+do $$ begin
+  if not exists (select 1 from pg_policies where policyname = 'no_anon_services' and tablename = 'clauth_services') then
+    create policy "no_anon_services" on public.clauth_services for all using (false);
+  end if;
+  if not exists (select 1 from pg_policies where policyname = 'no_anon_machines' and tablename = 'clauth_machines') then
+    create policy "no_anon_machines" on public.clauth_machines for all using (false);
+  end if;
+  if not exists (select 1 from pg_policies where policyname = 'no_anon_audit' and tablename = 'clauth_audit') then
+    create policy "no_anon_audit" on public.clauth_audit for all using (false);
+  end if;
+end $$;
 
 -- ============================================================
 -- Updated_at trigger
@@ -89,6 +97,7 @@ returns trigger language plpgsql as $$
 begin new.updated_at = now(); return new; end;
 $$;
 
+drop trigger if exists clauth_services_updated on public.clauth_services;
 create trigger clauth_services_updated
   before update on public.clauth_services
   for each row execute procedure public.clauth_touch_updated();