@lifeaitools/clauth 0.2.1 → 0.3.0

package/cli/commands/serve.js

@@ -0,0 +1,378 @@
+// cli/commands/serve.js
+// Localhost-only credential daemon with daemon lifecycle management
+// Binds 127.0.0.1 ONLY — unreachable from outside the machine
+// 3 failed requests of any kind → process exits, requires manual restart
+// Supports: start (background daemon), stop, restart, ping, foreground
+
+import http from "http";
+import fs from "fs";
+import os from "os";
+import path from "path";
+import { getMachineHash, deriveToken } from "../fingerprint.js";
+import * as api from "../api.js";
+import chalk from "chalk";
+
+const PID_FILE = path.join(os.tmpdir(), "clauth-serve.pid");
+const LOG_FILE = path.join(os.tmpdir(), "clauth-serve.log");
+
+// ── PID helpers ──────────────────────────────────────────────
+function readPid() {
+  try {
+    const raw = fs.readFileSync(PID_FILE, "utf8").trim();
+    const [pid, port] = raw.split(":");
+    return { pid: parseInt(pid, 10), port: parseInt(port, 10) };
+  } catch { return null; }
+}
+
+function writePid(pid, port) {
+  fs.writeFileSync(PID_FILE, `${pid}:${port}`, "utf8");
+}
+
+function removePid() {
+  try { fs.unlinkSync(PID_FILE); } catch {}
+}
+
+function isProcessAlive(pid) {
+  try { process.kill(pid, 0); return true; } catch { return false; }
+}
+
+// ── Server logic (shared by foreground + daemon) ─────────────
+function createServer(password, whitelist, port) {
+  const MAX_FAILS = 3;
+  let failCount = 0;
+  const machineHash = getMachineHash();
+
+  function strike(res, code, message) {
+    failCount++;
+    const remaining = MAX_FAILS - failCount;
+    const logLine = `[${new Date().toISOString()}] [FAIL ${failCount}/${MAX_FAILS}] ${message}\n`;
+    try { fs.appendFileSync(LOG_FILE, logLine); } catch {}
+
+    const body = JSON.stringify({
+      error: message,
+      failures: failCount,
+      failures_remaining: remaining,
+      ...(failCount >= MAX_FAILS ? { shutdown: true } : {})
+    });
+
+    res.writeHead(code, { "Content-Type": "application/json" });
+    res.end(body);
+
+    if (failCount >= MAX_FAILS) {
+      const msg = `[${new Date().toISOString()}] Failure limit reached — shutting down\n`;
+      try { fs.appendFileSync(LOG_FILE, msg); } catch {}
+      removePid();
+      setTimeout(() => process.exit(1), 100);
+    }
+  }
+
+  function ok(res, data) {
+    res.writeHead(200, { "Content-Type": "application/json" });
+    res.end(JSON.stringify(data));
+  }
+
+  const server = http.createServer(async (req, res) => {
+    // Hard reject anything not from loopback
+    const remote = req.socket.remoteAddress;
+    const isLocal = remote === "127.0.0.1" || remote === "::1" || remote === "::ffff:127.0.0.1";
+    if (!isLocal) {
+      return strike(res, 403, `Rejected non-local address: ${remote}`);
+    }
+
+    const url    = new URL(req.url, `http://127.0.0.1:${port}`);
+    const reqPath = url.pathname;
+    const method = req.method;
+
+    // GET /ping
+    if (method === "GET" && reqPath === "/ping") {
+      return ok(res, {
+        status: "ok",
+        pid: process.pid,
+        failures: failCount,
+        failures_remaining: MAX_FAILS - failCount,
+        services: whitelist || "all",
+        port
+      });
+    }
+
+    // GET /shutdown (for daemon stop)
+    if (method === "GET" && reqPath === "/shutdown") {
+      ok(res, { ok: true, message: "shutting down" });
+      removePid();
+      setTimeout(() => process.exit(0), 100);
+      return;
+    }
+
+    // GET /status
+    if (method === "GET" && reqPath === "/status") {
+      try {
+        const { token, timestamp } = deriveToken(password, machineHash);
+        const result = await api.status(password, machineHash, token, timestamp);
+        if (result.error) return strike(res, 502, result.error);
+        if (whitelist) {
+          result.services = (result.services || []).filter(
+            s => whitelist.includes(s.name.toLowerCase())
+          );
+        }
+        return ok(res, result);
+      } catch (err) {
+        return strike(res, 502, err.message);
+      }
+    }
+
+    // GET /get/:service
+    const getMatch = reqPath.match(/^\/get\/([a-zA-Z0-9_-]+)$/);
+    if (method === "GET" && getMatch) {
+      const service = getMatch[1].toLowerCase();
+
+      if (whitelist && !whitelist.includes(service)) {
+        return strike(res, 403, `Service '${service}' not in whitelist`);
+      }
+
+      try {
+        const { token, timestamp } = deriveToken(password, machineHash);
+        const result = await api.retrieve(password, machineHash, token, timestamp, service);
+        if (result.error) return strike(res, 502, result.error);
+        return ok(res, { service, value: result.value, key_type: result.key_type });
+      } catch (err) {
+        return strike(res, 502, err.message);
+      }
+    }
+
+    // Unknown route
+    return strike(res, 404, `Unknown endpoint: ${reqPath}`);
+  });
+
+  return server;
+}
+
+// ── Actions ──────────────────────────────────────────────────
+
+async function verifyAuth(password) {
+  const machineHash = getMachineHash();
+  const { token, timestamp } = deriveToken(password, machineHash);
+  const result = await api.test(password, machineHash, token, timestamp);
+  if (result.error) throw new Error(result.error);
+}
+
+async function actionStart(opts) {
+  const port     = parseInt(opts.port || "52437", 10);
+  const password = opts.pw;
+  const whitelist = opts.services
+    ? opts.services.split(",").map(s => s.trim().toLowerCase())
+    : null;
+
+  // Check for existing instance
+  const existing = readPid();
+  if (existing && isProcessAlive(existing.pid)) {
+    console.log(chalk.yellow(`\n  clauth serve already running (PID ${existing.pid}, port ${existing.port})`));
+    console.log(chalk.gray(`  Stop it first: clauth serve stop\n`));
+    process.exit(1);
+  }
+
+  // If we're the daemon child, run the server directly
+  if (process.env.__CLAUTH_DAEMON === "1") {
+    try {
+      await verifyAuth(password);
+    } catch (err) {
+      const msg = `[${new Date().toISOString()}] Auth failed: ${err.message}\n`;
+      fs.appendFileSync(LOG_FILE, msg);
+      process.exit(1);
+    }
+
+    const server = createServer(password, whitelist, port);
+    server.listen(port, "127.0.0.1", () => {
+      writePid(process.pid, port);
+      const msg = `[${new Date().toISOString()}] clauth serve started — PID ${process.pid}, port ${port}, services: ${whitelist ? whitelist.join(",") : "all"}\n`;
+      fs.appendFileSync(LOG_FILE, msg);
+    });
+
+    server.on("error", err => {
+      const msg = `[${new Date().toISOString()}] Server error: ${err.message}\n`;
+      fs.appendFileSync(LOG_FILE, msg);
+      process.exit(1);
+    });
+
+    const shutdown = () => { removePid(); process.exit(0); };
+    process.on("SIGTERM", shutdown);
+    process.on("SIGINT", shutdown);
+    return;
+  }
+
+  // Parent: verify auth first (show errors to user)
+  console.log(chalk.gray("\n  Verifying vault credentials..."));
+  try {
+    await verifyAuth(password);
+  } catch (err) {
+    console.log(chalk.red(`\n  Auth failed: ${err.message}\n`));
+    process.exit(1);
+  }
+  console.log(chalk.green("  ✓ Vault auth verified"));
+
+  // Spawn detached daemon child
+  const { spawn } = await import("child_process");
+  const { fileURLToPath } = await import("url");
+  const __filename = fileURLToPath(import.meta.url);
+
+  // Build args: node serve.js --action start --port N --pw PW [--services S]
+  const childArgs = [__filename, "--action", "start", "--port", String(port), "--pw", password];
+  if (opts.services) childArgs.push("--services", opts.services);
+
+  const out = fs.openSync(LOG_FILE, "a");
+  const child = spawn(process.execPath, childArgs, {
+    detached: true,
+    stdio: ["ignore", out, out],
+    env: { ...process.env, __CLAUTH_DAEMON: "1" },
+  });
+  child.unref();
+
+  // Give it a moment then verify
+  await new Promise(r => setTimeout(r, 800));
+
+  const info = readPid();
+  if (info && isProcessAlive(info.pid)) {
+    console.log(chalk.green(`\n  🔐 clauth serve started`));
+    console.log(chalk.gray(`  PID:      ${info.pid}`));
+    console.log(chalk.gray(`  Port:     127.0.0.1:${info.port}`));
+    console.log(chalk.gray(`  Services: ${whitelist ? whitelist.join(", ") : "all"}`));
+    console.log(chalk.gray(`  Log:      ${LOG_FILE}`));
+    console.log(chalk.gray(`  Stop:     clauth serve stop\n`));
+  } else {
+    console.log(chalk.red(`\n  ❌ Failed to start daemon — check ${LOG_FILE}\n`));
+    process.exit(1);
+  }
+}
+
+async function actionStop() {
+  const info = readPid();
+  if (!info) {
+    console.log(chalk.yellow("\n  No clauth serve PID file found — not running.\n"));
+    return;
+  }
+
+  if (!isProcessAlive(info.pid)) {
+    console.log(chalk.yellow(`\n  PID ${info.pid} is not running (stale PID file). Cleaning up.\n`));
+    removePid();
+    return;
+  }
+
+  // Try HTTP shutdown first (clean)
+  try {
+    const resp = await fetch(`http://127.0.0.1:${info.port}/shutdown`);
+    if (resp.ok) {
+      await new Promise(r => setTimeout(r, 300));
+      console.log(chalk.green(`\n  🛑 clauth serve stopped (was PID ${info.pid}, port ${info.port})\n`));
+      removePid();
+      return;
+    }
+  } catch {}
+
+  // Fallback: kill the process
+  try {
+    process.kill(info.pid, "SIGTERM");
+    await new Promise(r => setTimeout(r, 300));
+    console.log(chalk.green(`\n  🛑 clauth serve stopped via SIGTERM (PID ${info.pid})\n`));
+  } catch (err) {
+    console.log(chalk.yellow(`\n  Could not kill PID ${info.pid}: ${err.message}\n`));
+  }
+  removePid();
+}
+
+async function actionPing() {
+  const info = readPid();
+  if (!info) {
+    console.log(chalk.red("\n  clauth serve is not running (no PID file)\n"));
+    process.exit(1);
+  }
+
+  if (!isProcessAlive(info.pid)) {
+    console.log(chalk.red(`\n  PID ${info.pid} is not alive (stale PID file)\n`));
+    removePid();
+    process.exit(1);
+  }
+
+  try {
+    const resp = await fetch(`http://127.0.0.1:${info.port}/ping`);
+    const data = await resp.json();
+    if (data.status === "ok") {
+      console.log(chalk.green(`\n  ✅ clauth serve running`));
+      console.log(chalk.gray(`  PID:     ${info.pid}`));
+      console.log(chalk.gray(`  Port:    ${info.port}`));
+      console.log(chalk.gray(`  Fails:   ${data.failures}/${data.failures + data.failures_remaining}`));
+      console.log(chalk.gray(`  Services: ${Array.isArray(data.services) ? data.services.join(", ") : data.services}\n`));
+    } else {
+      console.log(chalk.yellow(`\n  PID alive but /ping returned unexpected response\n`));
+    }
+  } catch (err) {
+    console.log(chalk.yellow(`\n  PID ${info.pid} alive but HTTP failed: ${err.message}\n`));
+  }
+}
+
+async function actionRestart(opts) {
+  const info = readPid();
+  if (info && isProcessAlive(info.pid)) {
+    await actionStop();
+    await new Promise(r => setTimeout(r, 500));
+  }
+  await actionStart(opts);
+}
+
+async function actionForeground(opts) {
+  const port     = parseInt(opts.port || "52437", 10);
+  const password = opts.pw;
+  const whitelist = opts.services
+    ? opts.services.split(",").map(s => s.trim().toLowerCase())
+    : null;
+
+  console.log(chalk.gray("\n  Verifying vault credentials..."));
+  try {
+    await verifyAuth(password);
+  } catch (err) {
+    console.log(chalk.red(`\n  Auth failed: ${err.message}\n`));
+    process.exit(1);
+  }
+
+  console.log(chalk.green("  ✓ Vault auth verified"));
+  console.log(chalk.gray(`  Port:     127.0.0.1:${port}`));
+  console.log(chalk.gray(`  Services: ${whitelist ? whitelist.join(", ") : "all"}`));
+  console.log(chalk.gray(`  Lockout:  3 failures → exit\n`));
+
+  const server = createServer(password, whitelist, port);
+  server.listen(port, "127.0.0.1", () => {
+    writePid(process.pid, port);
+    console.log(chalk.green(`  clauth serve → http://127.0.0.1:${port}`));
+    console.log(chalk.gray("  Ctrl+C to stop\n"));
+  });
+
+  server.on("error", err => {
+    if (err.code === "EADDRINUSE") {
+      console.log(chalk.red(`\n  Port ${port} already in use. Use --port to choose another.\n`));
+    } else {
+      console.log(chalk.red(`\n  Server error: ${err.message}\n`));
+    }
+    process.exit(1);
+  });
+
+  process.on("SIGINT", () => {
+    console.log(chalk.yellow("\n  Stopping clauth serve...\n"));
+    removePid();
+    server.close(() => process.exit(0));
+  });
+}
+
+// ── Export ────────────────────────────────────────────────────
+export async function runServe(opts) {
+  const action = opts.action || "foreground";
+
+  switch (action) {
+    case "start":     return actionStart(opts);
+    case "stop":      return actionStop();
+    case "restart":   return actionRestart(opts);
+    case "ping":      return actionPing();
+    case "foreground": return actionForeground(opts);
+    default:
+      console.log(chalk.red(`\n  Unknown serve action: ${action}`));
+      console.log(chalk.gray("  Actions: start | stop | restart | ping | foreground\n"));
+      process.exit(1);
+  }
+}

package/cli/commands/uninstall.js

@@ -0,0 +1,164 @@
+// cli/commands/uninstall.js
+// clauth uninstall — full teardown: DB objects, Edge Function, secrets, skill, local config
+//
+// Reverses everything `clauth install` does:
+//   1. Drops clauth tables, policies, triggers, functions from Supabase
+//   2. Deletes auth-vault Edge Function
+//   3. Removes CLAUTH_* secrets
+//   4. Removes Claude skill directory
+//   5. Clears local config (Conf store)
+
+import { existsSync, rmSync } from 'fs';
+import { join } from 'path';
+import Conf from 'conf';
+import chalk from 'chalk';
+import ora from 'ora';
+
+const MGMT = 'https://api.supabase.com/v1';
+const SKILLS_DIR = process.env.CLAUTH_SKILLS_DIR ||
+  (process.platform === 'win32'
+    ? join(process.env.USERPROFILE || '', '.claude', 'skills')
+    : join(process.env.HOME || '', '.claude', 'skills'));
+
+// ─────────────────────────────────────────────
+// Supabase Management API helper
+// ─────────────────────────────────────────────
+async function mgmt(pat, method, path, body) {
+  const res = await fetch(`${MGMT}${path}`, {
+    method,
+    headers: { 'Authorization': `Bearer ${pat}`, 'Content-Type': 'application/json' },
+    body: body ? JSON.stringify(body) : undefined,
+  });
+  if (!res.ok) {
+    const text = await res.text().catch(() => res.statusText);
+    throw new Error(`${method} ${path} → HTTP ${res.status}: ${text}`);
+  }
+  if (res.status === 204) return {};
+  const text = await res.text();
+  if (!text) return {};
+  return JSON.parse(text);
+}
+
+// ─────────────────────────────────────────────
+// Main uninstall command
+// ─────────────────────────────────────────────
+export async function runUninstall(opts = {}) {
+  console.log(chalk.red('\n🗑️  clauth uninstall\n'));
+
+  const config = new Conf({ projectName: 'clauth' });
+
+  // ── Collect credentials ────────────────────
+  const ref = opts.ref || config.get('supabase_url')?.match(/https:\/\/(.+)\.supabase\.co/)?.[1];
+  const pat = opts.pat;
+
+  if (!ref) {
+    console.log(chalk.red('  Cannot determine Supabase project ref.'));
+    console.log(chalk.gray('  Use: clauth uninstall --ref <project-ref> --pat <personal-access-token>'));
+    process.exit(1);
+  }
+  if (!pat) {
+    console.log(chalk.red('  Supabase PAT required for teardown.'));
+    console.log(chalk.gray('  Use: clauth uninstall --ref <project-ref> --pat <personal-access-token>'));
+    process.exit(1);
+  }
+
+  console.log(chalk.gray(`  Project: ${ref}\n`));
+
+  // ── Step 1: Drop database objects ──────────
+  const s1 = ora('Dropping clauth database objects...').start();
+  const teardownSQL = `
+    -- Drop triggers
+    DROP TRIGGER IF EXISTS clauth_services_updated ON public.clauth_services;
+
+    -- Drop tables (CASCADE drops policies automatically)
+    DROP TABLE IF EXISTS public.clauth_audit CASCADE;
+    DROP TABLE IF EXISTS public.clauth_machines CASCADE;
+    DROP TABLE IF EXISTS public.clauth_services CASCADE;
+
+    -- Drop functions
+    DROP FUNCTION IF EXISTS public.clauth_touch_updated() CASCADE;
+    DROP FUNCTION IF EXISTS public.clauth_upsert_vault_secret(text, text) CASCADE;
+    DROP FUNCTION IF EXISTS public.clauth_get_vault_secret(text) CASCADE;
+    DROP FUNCTION IF EXISTS public.clauth_delete_vault_secret(text) CASCADE;
+  `;
+
+  try {
+    await mgmt(pat, 'POST', `/projects/${ref}/database/query`, { query: teardownSQL });
+    s1.succeed('Database objects dropped (tables, triggers, functions, policies)');
+  } catch (e) {
+    s1.fail(`Database teardown failed: ${e.message}`);
+    console.log(chalk.yellow('  You may need to drop objects manually via SQL editor.'));
+  }
+
+  // ── Step 2: Delete Edge Function ───────────
+  const s2 = ora('Deleting auth-vault Edge Function...').start();
+  try {
+    const res = await fetch(`${MGMT}/projects/${ref}/functions/auth-vault`, {
+      method: 'DELETE',
+      headers: { 'Authorization': `Bearer ${pat}` },
+    });
+    if (res.ok || res.status === 404) {
+      s2.succeed(res.status === 404
+        ? 'Edge Function not found (already deleted)'
+        : 'Edge Function deleted');
+    } else {
+      const text = await res.text().catch(() => res.statusText);
+      throw new Error(`HTTP ${res.status}: ${text}`);
+    }
+  } catch (e) {
+    s2.fail(`Edge Function delete failed: ${e.message}`);
+    console.log(chalk.yellow('  Delete manually: Supabase Dashboard → Edge Functions → auth-vault → Delete'));
+  }
+
+  // ── Step 3: Remove secrets ─────────────────
+  const s3 = ora('Removing clauth secrets...').start();
+  try {
+    // Supabase Management API: DELETE /projects/{ref}/secrets with body listing secret names
+    const res = await fetch(`${MGMT}/projects/${ref}/secrets`, {
+      method: 'DELETE',
+      headers: { 'Authorization': `Bearer ${pat}`, 'Content-Type': 'application/json' },
+      body: JSON.stringify(['CLAUTH_HMAC_SALT', 'CLAUTH_ADMIN_BOOTSTRAP_TOKEN']),
+    });
+    if (res.ok) {
+      s3.succeed('Secrets removed (CLAUTH_HMAC_SALT, CLAUTH_ADMIN_BOOTSTRAP_TOKEN)');
+    } else {
+      const text = await res.text().catch(() => res.statusText);
+      throw new Error(`HTTP ${res.status}: ${text}`);
+    }
+  } catch (e) {
+    s3.warn(`Secret removal failed: ${e.message}`);
+    console.log(chalk.yellow('  Remove manually: Supabase → Settings → Edge Functions → Secrets'));
+  }
+
+  // ── Step 4: Remove Claude skill ────────────
+  const s4 = ora('Removing Claude skill...').start();
+  const skillDir = join(SKILLS_DIR, 'clauth');
+  if (existsSync(skillDir)) {
+    try {
+      rmSync(skillDir, { recursive: true, force: true });
+      s4.succeed(`Skill removed: ${skillDir}`);
+    } catch (e) {
+      s4.warn(`Could not remove skill: ${e.message}`);
+    }
+  } else {
+    s4.succeed('Skill directory not found (already removed)');
+  }
+
+  // ── Step 5: Clear local config ─────────────
+  const s5 = ora('Clearing local config...').start();
+  try {
+    config.clear();
+    s5.succeed('Local config cleared');
+  } catch (e) {
+    s5.warn(`Could not clear config: ${e.message}`);
+  }
+
+  // ── Done ───────────────────────────────────
+  console.log('');
+  console.log(chalk.red('━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━'));
+  console.log(chalk.yellow('  ✓ clauth fully uninstalled'));
+  console.log(chalk.red('━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━'));
+  console.log('');
+  console.log(chalk.gray('  To reinstall: npx @lifeaitools/clauth install'));
+  console.log('');
+}

package/cli/index.js

@@ -11,7 +11,7 @@ import * as api from "./api.js";
 import os from "os";
 
 const config = new Conf({ projectName: "clauth" });
-const VERSION = "0.2.0";
+const VERSION = "0.3.0";
 
 // ============================================================
 // Password prompt helper
@@ -51,6 +51,9 @@ program
 // clauth install  (Supabase provisioning + skill install + test)
 // ──────────────────────────────────────────────
 import { runInstall } from './commands/install.js';
+import { runUninstall } from './commands/uninstall.js';
+import { runScrub } from './commands/scrub.js';
+import { runServe } from './commands/serve.js';
 
 program
   .command('install')
@@ -61,6 +64,28 @@ program
     await runInstall(opts);
   });
 
+program
+  .command('uninstall')
+  .description('Full teardown — drop DB objects, Edge Function, secrets, skill, config')
+  .option('--ref <ref>', 'Supabase project ref')
+  .option('--pat <pat>', 'Supabase Personal Access Token (required)')
+  .option('--yes', 'Skip confirmation prompt')
+  .action(async (opts) => {
+    if (!opts.yes) {
+      const inquirerMod = await import('inquirer');
+      const { confirm } = await inquirerMod.default.prompt([{
+        type: 'input',
+        name: 'confirm',
+        message: chalk.red('Type "CONFIRM UNINSTALL" to proceed:'),
+      }]);
+      if (confirm !== 'CONFIRM UNINSTALL') {
+        console.log(chalk.yellow('\n  Uninstall cancelled.\n'));
+        process.exit(0);
+      }
+    }
+    await runUninstall(opts);
+  });
+
 // ──────────────────────────────────────────────
 // clauth setup
 // ──────────────────────────────────────────────
@@ -273,11 +298,17 @@ addCmd
   .option("-p, --pw <password>")
   .action(async (name, opts) => {
     const auth = await getAuth(opts.pw);
-    const answers = await inquirer.prompt([
-      { type: "input",  name: "label", message: "Label:", default: opts.label || name },
-      { type: "list",   name: "key_type", message: "Key type:", choices: ["token","keypair","connstring","oauth"], default: opts.type || "token" },
-      { type: "input",  name: "desc",  message: "Description (optional):", default: opts.description || "" }
-    ]);
+    let answers;
+    if (opts.type && opts.label) {
+      // Non-interactive — all flags provided
+      answers = { label: opts.label, key_type: opts.type, desc: opts.description || "" };
+    } else {
+      answers = await inquirer.prompt([
+        { type: "input",  name: "label", message: "Label:", default: opts.label || name },
+        { type: "list",   name: "key_type", message: "Key type:", choices: ["token","keypair","connstring","oauth"], default: opts.type || "token" },
+        { type: "input",  name: "desc",  message: "Description (optional):", default: opts.description || "" }
+      ]);
+    }
     const spinner = ora(`Adding service: ${name}...`).start();
     try {
       const result = await api.addService(
@@ -396,6 +427,24 @@ program
     } catch (err) { spinner.fail(chalk.red(err.message)); }
   });
 
+// ──────────────────────────────────────────────
+// clauth scrub [target]
+// ──────────────────────────────────────────────
+program
+  .command("scrub [target]")
+  .description("Scrub credentials from Claude Code transcript logs (no auth required)")
+  .option("--force", "Rescrub files even if already marked clean")
+  .addHelpText("after", `
+Examples:
+  clauth scrub              Scrub the most recent (active) transcript
+  clauth scrub <file>       Scrub a specific .jsonl file
+  clauth scrub all          Scrub every transcript in ~/.claude/projects/
+  clauth scrub all --force  Rescrub all files (ignore markers)
+`)
+  .action(async (target, opts) => {
+    await runScrub(target, opts);
+  });
+
 // ──────────────────────────────────────────────
 // clauth --help override banner
 // ──────────────────────────────────────────────
@@ -409,4 +458,43 @@ program.addHelpText("beforeAll", chalk.cyan(`
   v${VERSION} — LIFEAI Credential Vault
 `));
 
+// ──────────────────────────────────────────────
+// clauth serve [action]
+// ──────────────────────────────────────────────
+program
+  .command("serve [action]")
+  .description("Manage localhost HTTP vault daemon (start|stop|restart|ping)")
+  .option("--port <n>", "Port (default: 52437)")
+  .option("-p, --pw <password>", "clauth password (required for start/restart)")
+  .option("--services <list>", "Comma-separated service whitelist (default: all)")
+  .option("--action <action>", "Internal: action override for daemon child")
+  .addHelpText("after", `
+Actions:
+  start       Start the server as a background daemon
+  stop        Stop the running daemon
+  restart     Stop + start
+  ping        Check if the daemon is running
+  foreground  Run in foreground (Ctrl+C to stop) — default if no action given
+
+Examples:
+  clauth serve -p mypass                 Run in foreground (original behavior)
+  clauth serve start -p mypass           Start as background daemon
+  clauth serve stop                      Stop the daemon
+  clauth serve ping                      Check status
+  clauth serve restart -p mypass         Restart the daemon
+  clauth serve start --services github,vercel -p mypass
+`)
+  .action(async (action, opts) => {
+    const resolvedAction = opts.action || action || "foreground";
+
+    // stop and ping don't need a password
+    if (!["stop", "ping"].includes(resolvedAction) && !opts.pw) {
+      console.log(chalk.red("\n  --pw is required for serve mode\n"));
+      console.log(chalk.gray("  Example: clauth serve start --pw yourpassword\n"));
+      process.exit(1);
+    }
+
+    await runServe({ ...opts, action: resolvedAction });
+  });
+
 program.parse(process.argv);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lifeaitools/clauth",
-  "version": "0.2.1",
+  "version": "0.3.0",
   "description": "Hardware-bound credential vault for the LIFEAI infrastructure stack",
   "type": "module",
   "bin": {