@lifeaitools/clauth 0.2.1 → 0.3.0

package/.clauth-skill/SKILL.md

@@ -9,93 +9,127 @@ Hardware-bound credential vault for the LIFEAI stack. Your machine is the second
 
 ---
 
-## When someone says "install clauth"
+## How Claude Interfaces with clauth
 
-### Step 1 — Check GitHub MCP is connected
+> **CRITICAL:** Never pipe input to clauth or use interactive prompts. The CLI uses `inquirer` which produces ANSI garbage when stdin is piped. Always use one of the two methods below.
 
-Look at your available tools. You need a GitHub/git tool that can clone a repository.
+### Method 1 — CLI with `--pw` flag (simplest)
 
-If GitHub MCP is NOT connected, stop and tell the user:
+All clauth commands accept `-p` / `--pw <password>` to skip the interactive password prompt:
 
-> "To install clauth I need your GitHub connection. In Claude, go to Settings → Integrations and connect GitHub, then come back and say 'install clauth' again."
+```bash
+clauth status -p "YourPassword"
+clauth get github -p "YourPassword"
+clauth test -p "YourPassword"
+clauth enable github -p "YourPassword"
+clauth write key github -p "YourPassword"   # still prompts for the key value
+```
 
-Do not proceed without it.
+### Method 2 — Direct API calls (full control, no CLI needed)
 
----
+Call the auth-vault Edge Function directly. This is the most reliable method for Claude.
 
-### Step 2 — Clone the repo
+**Base URL:** `https://<project-ref>.supabase.co/functions/v1/auth-vault`
+**Auth header:** `Authorization: Bearer <supabase-anon-key>`
+**Method:** POST (all routes)
+**Content-Type:** `application/json`
 
-Use bash to clone into `~/.clauth`:
+#### HMAC Token Derivation (must match server)
 
-```bash
-git clone https://github.com/LIFEAI/clauth.git ~/.clauth
-```
+```js
+import { createHmac, createHash, execSync } from "crypto";
 
-If `~/.clauth` already exists:
-```bash
-cd ~/.clauth && git pull
+// 1. Get machine hash (same as fingerprint.js)
+// Windows:
+const uuid = execSync("wmic csproduct get uuid /format:value", { encoding: "utf8" })
+  .match(/UUID=([A-F0-9-]+)/i)?.[1]?.trim();
+const machineGuid = execSync(
+  "reg query HKLM\\SOFTWARE\\Microsoft\\Cryptography /v MachineGuid",
+  { encoding: "utf8" }
+).match(/MachineGuid\s+REG_SZ\s+([a-f0-9-]+)/i)?.[1]?.trim();
+const machineHash = createHash("sha256").update(`${uuid}:${machineGuid}`).digest("hex");
+
+// 2. Derive HMAC token
+const windowMs = 5 * 60 * 1000;
+const window = Math.floor(Date.now() / windowMs);
+const message = `${machineHash}:${window}`;
+const token = createHmac("sha256", password).update(message).digest("hex");
+const timestamp = window * windowMs;
 ```
 
+#### API Routes
+
+| Route | Body fields | Returns |
+|-------|-------------|---------|
+| `POST /status` | `machine_hash, token, timestamp, password` | `{ services: [...] }` |
+| `POST /test` | `machine_hash, token, timestamp, password` | `{ ok: true }` |
+| `POST /retrieve` | `+ service` | `{ value: "..." }` |
+| `POST /write` | `+ service, value` | `{ ok: true }` |
+| `POST /enable` | `+ service, enabled: bool` | `{ ok: true }` |
+| `POST /add` | `+ name, label, key_type, description` | `{ ok: true }` |
+| `POST /remove` | `+ service, confirm: true` | `{ ok: true }` |
+| `POST /revoke` | `+ service, confirm: true` | `{ ok: true }` |
+| `POST /register-machine` | `machine_hash, hmac_seed_hash, label, admin_token` | `{ ok: true }` |
+
+All auth routes require: `machine_hash`, `token`, `timestamp`, `password`.
+
+### Password Handling
+
+- Ask the user for their clauth password **once per session**
+- Store it in working memory for the duration of the conversation
+- Never log or echo the password
+- If the user says "use clauth" or "get my github key", ask for the password if you don't have it yet
+
 ---
 
-### Step 3 — Run the bootstrap binary
+## When someone says "install clauth"
 
-**Windows:**
-```powershell
-& "$env:USERPROFILE\.clauth\scripts\bin\bootstrap-win.exe"
-```
+### Step 1 — Install from npm
 
-**Mac/Linux:**
 ```bash
-~/.clauth/scripts/bin/bootstrap-linux
-# Mac:
-~/.clauth/scripts/bin/bootstrap-macos
+npm install -g @lifeaitools/clauth
 ```
 
-This binary:
-- Runs `npm install`
-- Links `clauth` globally
-- Chains to `clauth install` automatically
+If already installed, update:
+```bash
+npm update -g @lifeaitools/clauth
+```
 
----
+### Step 2 — Run the installer
 
-### Step 4 — clauth install (automatic)
+Use CLI flags to avoid interactive prompts:
 
-`clauth install` runs automatically. It asks for two Supabase items:
+```bash
+clauth install --ref <supabase-project-ref> --pat <personal-access-token>
+```
 
-**Project ref** — last part of your Supabase project URL:
+**Project ref** — last part of the Supabase project URL:
 `https://supabase.com/dashboard/project/` **`uvojezuorjgqzmhhgluu`**
 
 **Personal Access Token (PAT):**
 `https://supabase.com/dashboard/account/tokens` → Generate new token
 *(NOT the anon key or service_role — this is your account-level token)*
 
-Then it provisions everything, tests it, installs this skill, and prints a **bootstrap token** — save it.
-
----
+The installer provisions everything and prints a **bootstrap token** — save it.
 
-### Step 5 — clauth setup
+### Step 3 — Setup this machine
 
-```
-clauth setup
+```bash
+clauth setup --admin-token <bootstrap-token> -p <password>
 ```
 
-Asks: machine label, password, bootstrap token (from step 4).
-
 Then verify:
+```bash
+clauth test -p <password>
+clauth status -p <password>
 ```
-clauth test      → PASS
-clauth status    → 12 services ready
-```
-
----
 
-### Step 6 — Write your first key
+### Step 4 — Write your first key
 
 ```bash
-clauth write key github     # prompts for value
-clauth enable github
-clauth get github
+clauth write key github -p <password>     # prompts for value
+clauth enable github -p <password>
+clauth get github -p <password>
 ```
 
 See `references/keys-guide.md` for where to find every credential.
@@ -105,21 +139,29 @@ See `references/keys-guide.md` for where to find every credential.
 ## Command reference
 
 ```
-clauth install              First-time: provision Supabase + install skill
-clauth setup                Register this machine (after install)
-clauth status               All services + state
-clauth test                 Verify HMAC connection
-clauth list                 Service names
-
-clauth write key <service>  Store a credential
-clauth write pw             Change password
-clauth enable <svc|all>     Activate service
-clauth disable <svc|all>    Suspend service
-clauth get <service>        Retrieve a key
-
-clauth add service <n>      Register new service
-clauth remove service <n>   Remove service
-clauth revoke <svc|all>     Delete key (destructive)
+clauth install [--ref R] [--pat P]     First-time: provision Supabase + install skill
+clauth setup [--admin-token T] [-p P]  Register this machine
+clauth status [-p P]                   All services + state
+clauth test [-p P]                     Verify HMAC connection
+clauth list [-p P]                     Service names
+
+clauth write key <service> [-p P]      Store a credential
+clauth write pw [-p P]                 Change password
+clauth enable <svc|all> [-p P]         Activate service
+clauth disable <svc|all> [-p P]        Suspend service
+clauth get <service> [-p P]            Retrieve a key
+
+clauth add service <n> [-p P]          Register new service
+clauth remove service <n> [-p P]       Remove service
+clauth revoke <svc|all> [-p P]         Delete key (destructive)
+
+clauth scrub                           Scrub active transcript (most recent .jsonl)
+clauth scrub <file>                    Scrub a specific file
+clauth scrub all                       Scrub all transcripts in ~/.claude/projects/
+clauth scrub all --force               Rescrub everything (ignore markers)
+
+clauth uninstall --ref R --pat P       Full teardown (DB, Edge Fn, secrets, skill, config)
+clauth uninstall --ref R --pat P --yes Skip confirmation
 ```
 
 ## Services
@@ -137,5 +179,6 @@ clauth revoke <svc|all>     Delete key (destructive)
 | `machine_not_found` | Run `clauth setup` |
 | `timestamp_expired` | Sync system clock |
 | `invalid_token` | Wrong password |
-| `service_disabled` | `clauth enable <service>` |
-| `no_key_stored` | `clauth write key <service>` |
+| `service_disabled` | `clauth enable <service> -p <password>` |
+| `no_key_stored` | `clauth write key <service> -p <password>` |
+| ANSI garbage output | You piped stdin — use `-p` flag instead |

package/cli/commands/scrub.js

@@ -0,0 +1,231 @@
+// cli/commands/scrub.js — Scrub credentials from Claude Code transcript logs
+//
+// clauth scrub          → scrub active transcript (most recent .jsonl)
+// clauth scrub <file>   → scrub a specific file
+// clauth scrub all      → scrub every transcript .jsonl
+// clauth scrub --force  → rescrub even if already marked
+
+import fs from "fs";
+import path from "path";
+import os from "os";
+import chalk from "chalk";
+import ora from "ora";
+
+const SCRUB_MARKER = "[CLAUTH-SCRUBBED]";
+const SCRUB_VERSION = "1.1";
+
+// ──────────────────────────────────────────────
+// Credential patterns — regex + replacement
+// ──────────────────────────────────────────────
+const PATTERNS = [
+  // Supabase JWTs (anon, service_role)
+  [/eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g,
+   "[SUPABASE_JWT_REDACTED]"],
+
+  // Vercel tokens
+  [/vcp_[A-Za-z0-9]{20,80}/g,
+   "[VERCEL_TOKEN_REDACTED]"],
+
+  // R2 / S3 secret access keys (64-char hex)
+  [/"secret_access_key"\s*:\s*"[a-f0-9]{64}"/g,
+   '"secret_access_key": "[R2_SECRET_REDACTED]"'],
+
+  // R2 / S3 access key IDs (32-char hex)
+  [/"access_key_id"\s*:\s*"[a-f0-9]{32}"/g,
+   '"access_key_id": "[R2_KEY_REDACTED]"'],
+
+  // Cloudflare admin tokens
+  [/"admin_token"\s*:\s*"[A-Za-z0-9_-]{20,60}"/g,
+   '"admin_token": "[CF_TOKEN_REDACTED]"'],
+
+  // Cloudflare account IDs (32-char hex)
+  [/"account_id"\s*:\s*"[a-f0-9]{32}"/g,
+   '"account_id": "[CF_ACCOUNT_REDACTED]"'],
+
+  // GitHub tokens
+  [/ghp_[A-Za-z0-9]{36}/g,
+   "[GITHUB_TOKEN_REDACTED]"],
+  [/github_pat_[A-Za-z0-9_]{40,100}/g,
+   "[GITHUB_PAT_REDACTED]"],
+
+  // Neo4j connection strings with passwords
+  [/neo4j\+s?:\/\/[^"\\]+/g,
+   "[NEO4J_CONNSTRING_REDACTED]"],
+
+  // Generic Bearer tokens in Authorization headers
+  [/Bearer [A-Za-z0-9_-]{20,}/g,
+   "Bearer [TOKEN_REDACTED]"],
+];
+
+// ──────────────────────────────────────────────
+// Marker check — read last 512 bytes
+// ──────────────────────────────────────────────
+function isAlreadyScrubbed(filePath) {
+  try {
+    const stat = fs.statSync(filePath);
+    const fd = fs.openSync(filePath, "r");
+    const bufSize = Math.min(512, stat.size);
+    const buf = Buffer.alloc(bufSize);
+    fs.readSync(fd, buf, 0, bufSize, Math.max(0, stat.size - bufSize));
+    fs.closeSync(fd);
+
+    const tail = buf.toString("utf-8");
+    const lastLine = tail.trim().split("\n").pop();
+    if (lastLine && lastLine.includes(SCRUB_MARKER)) {
+      try {
+        const marker = JSON.parse(lastLine);
+        return marker.version === SCRUB_VERSION;
+      } catch { return false; }
+    }
+    return false;
+  } catch { return false; }
+}
+
+// ──────────────────────────────────────────────
+// Stamp file as scrubbed
+// ──────────────────────────────────────────────
+function stampScrubbed(filePath) {
+  const marker = JSON.stringify({
+    type: SCRUB_MARKER,
+    version: SCRUB_VERSION,
+    scrubbed_at: new Date().toISOString(),
+    patterns: PATTERNS.length,
+  });
+  fs.appendFileSync(filePath, "\n" + marker + "\n", "utf-8");
+}
+
+// ──────────────────────────────────────────────
+// Scrub a single file
+// ──────────────────────────────────────────────
+function scrubFile(filePath, force = false) {
+  if (!force && isAlreadyScrubbed(filePath)) {
+    return "skipped";
+  }
+
+  let content = fs.readFileSync(filePath, "utf-8");
+  let total = 0;
+
+  for (const [pattern, replacement] of PATTERNS) {
+    // Reset lastIndex for global regexes
+    pattern.lastIndex = 0;
+    const matches = content.match(pattern);
+    if (matches) {
+      total += matches.length;
+      content = content.replace(pattern, replacement);
+    }
+  }
+
+  if (total > 0) {
+    fs.writeFileSync(filePath, content, "utf-8");
+  }
+
+  // Stamp as clean (whether creds found or not)
+  stampScrubbed(filePath);
+  return total;
+}
+
+// ──────────────────────────────────────────────
+// Find all transcript .jsonl files
+// ──────────────────────────────────────────────
+function findTranscripts() {
+  const claudeDir = path.join(os.homedir(), ".claude", "projects");
+  if (!fs.existsSync(claudeDir)) return [];
+
+  const results = [];
+  function walk(dir) {
+    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
+      const full = path.join(dir, entry.name);
+      if (entry.isDirectory()) walk(full);
+      else if (entry.name.endsWith(".jsonl")) results.push(full);
+    }
+  }
+  walk(claudeDir);
+  return results;
+}
+
+// ──────────────────────────────────────────────
+// Find the most recent transcript (active session)
+// ──────────────────────────────────────────────
+function findMostRecent() {
+  const files = findTranscripts();
+  if (files.length === 0) return null;
+
+  let newest = files[0];
+  let newestMtime = fs.statSync(files[0]).mtimeMs;
+  for (const f of files.slice(1)) {
+    const mt = fs.statSync(f).mtimeMs;
+    if (mt > newestMtime) { newest = f; newestMtime = mt; }
+  }
+  return newest;
+}
+
+// ──────────────────────────────────────────────
+// Exported runner
+// ──────────────────────────────────────────────
+export async function runScrub(target, opts = {}) {
+  const force = opts.force || false;
+
+  // Determine which files to scrub
+  let files;
+  if (target === "all") {
+    files = findTranscripts();
+    if (files.length === 0) {
+      console.log(chalk.yellow("\n  No transcript files found.\n"));
+      return;
+    }
+    console.log(chalk.cyan(`\n  Scrubbing ${files.length} transcript file(s)...\n`));
+  } else if (target && target !== "all") {
+    // Specific file
+    const resolved = path.resolve(target);
+    if (!fs.existsSync(resolved)) {
+      console.log(chalk.red(`\n  File not found: ${resolved}\n`));
+      process.exit(1);
+    }
+    files = [resolved];
+  } else {
+    // No target — find most recent
+    const recent = findMostRecent();
+    if (!recent) {
+      console.log(chalk.yellow("\n  No transcript files found.\n"));
+      return;
+    }
+    files = [recent];
+    console.log(chalk.gray(`\n  Active transcript: ${path.basename(recent)}`));
+  }
+
+  // Scrub
+  const spinner = ora("Scrubbing credentials...").start();
+  let grandTotal = 0;
+  let skipped = 0;
+  let scanned = 0;
+
+  for (const f of files) {
+    const result = scrubFile(f, force);
+    if (result === "skipped") {
+      skipped++;
+    } else {
+      scanned++;
+      if (result > 0) {
+        spinner.stop();
+        console.log(chalk.yellow(`  ${result} redaction(s) in ${path.basename(f)}`));
+        spinner.start("Scrubbing credentials...");
+        grandTotal += result;
+      }
+    }
+  }
+
+  spinner.stop();
+
+  // Summary
+  const parts = [];
+  if (scanned) parts.push(`scanned ${scanned}`);
+  if (skipped) parts.push(chalk.gray(`skipped ${skipped} (already clean)`));
+  if (grandTotal) parts.push(chalk.green(`${grandTotal} credential(s) scrubbed`));
+  else if (scanned) parts.push(chalk.green("no credentials found"));
+
+  console.log(`\n  ${files.length} file(s): ${parts.join(", ")}.`);
+  if (skipped && !force) {
+    console.log(chalk.gray("  (use --force to rescan all files)"));
+  }
+  console.log();
+}