npm - @lifeaitools/clauth - Versions diffs - 0.2.1 → 0.3.0 - Mend

@lifeaitools/clauth 0.2.1 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/.clauth-skill/SKILL.md +109 -66
package/cli/commands/scrub.js +231 -0
package/cli/commands/serve.js +378 -0
package/cli/commands/uninstall.js +164 -0
package/cli/index.js +94 -6
package/package.json +1 -1
package/supabase/functions/auth-vault/index.ts +132 -235
package/supabase/migrations/20260317_lockout.sql +26 -0

package/supabase/functions/auth-vault/index.ts CHANGED Viewed

@@ -1,326 +1,223 @@
-// ============================================================
-// clauth — auth-vault Edge Function
-// Supabase Deno runtime
-// Routes:
-//   POST /auth-vault/retrieve   — validate HMAC, return key
-//   POST /auth-vault/write      — write/update key in vault
-//   POST /auth-vault/enable     — enable/disable service
-//   POST /auth-vault/add        — add new service to registry
-//   POST /auth-vault/remove     — remove service from registry
-//   POST /auth-vault/status     — list all services + state
-//   POST /auth-vault/test       — dry-run HMAC check only
-//   POST /auth-vault/rotate     — flag a service for rotation
-//   POST /auth-vault/revoke     — delete key from vault
-// ============================================================
+// clauth — auth-vault Edge Function v2
+// Added: IP whitelist, rate limiting, machine lockout (fail_count + locked)
 import { createClient } from "https://esm.sh/@supabase/supabase-js@2";
-const SUPABASE_URL     = Deno.env.get("SUPABASE_URL")!;
-const SERVICE_ROLE_KEY = Deno.env.get("SUPABASE_SERVICE_ROLE_KEY")!;
-const CLAUTH_HMAC_SALT = Deno.env.get("CLAUTH_HMAC_SALT")!; // stored in Supabase secrets
+const SUPABASE_URL          = Deno.env.get("SUPABASE_URL")!;
+const SERVICE_ROLE_KEY      = Deno.env.get("SUPABASE_SERVICE_ROLE_KEY")!;
+const CLAUTH_HMAC_SALT      = Deno.env.get("CLAUTH_HMAC_SALT")!;
+const ADMIN_BOOTSTRAP_TOKEN = Deno.env.get("CLAUTH_ADMIN_BOOTSTRAP_TOKEN")!;
-const REPLAY_WINDOW_MS = 5 * 60 * 1000; // 5 minutes
+const ALLOWED_IPS: string[] = (Deno.env.get("CLAUTH_ALLOWED_IPS") || "")
+  .split(",").map(s => s.trim()).filter(Boolean);
-// ============================================================
-// Helpers
-// ============================================================
-async function sha256hex(input: string): Promise<string> {
-  const buf = await crypto.subtle.digest(
-    "SHA-256",
-    new TextEncoder().encode(input)
-  );
-  return Array.from(new Uint8Array(buf))
-    .map(b => b.toString(16).padStart(2, "0"))
-    .join("");
-}
+const RATE_LIMIT_MAX    = 30;
+const RATE_LIMIT_WINDOW = 60;
+const REPLAY_WINDOW_MS  = 5 * 60 * 1000;
+const MAX_FAIL_COUNT    = 5;
 async function hmacSha256(key: string, message: string): Promise<string> {
   const cryptoKey = await crypto.subtle.importKey(
-    "raw",
-    new TextEncoder().encode(key),
-    { name: "HMAC", hash: "SHA-256" },
-    false,
-    ["sign"]
-  );
-  const sig = await crypto.subtle.sign(
-    "HMAC",
-    cryptoKey,
-    new TextEncoder().encode(message)
+    "raw", new TextEncoder().encode(key),
+    { name: "HMAC", hash: "SHA-256" }, false, ["sign"]
   );
-  return Array.from(new Uint8Array(sig))
-    .map(b => b.toString(16).padStart(2, "0"))
-    .join("");
+  const sig = await crypto.subtle.sign("HMAC", cryptoKey, new TextEncoder().encode(message));
+  return Array.from(new Uint8Array(sig)).map(b => b.toString(16).padStart(2, "0")).join("");
 }
-async function validateHMAC(body: {
-  machine_hash: string;
-  token: string;
-  timestamp: number;
-  password: string;
-}): Promise<{ valid: boolean; reason?: string }> {
-  const now = Date.now();
+function getClientIP(req: Request): string {
+  return req.headers.get("cf-connecting-ip") ||
+    req.headers.get("x-real-ip") ||
+    req.headers.get("x-forwarded-for")?.split(",")[0]?.trim() || "unknown";
+}
-  // Replay check
-  if (Math.abs(now - body.timestamp) > REPLAY_WINDOW_MS) {
-    return { valid: false, reason: "timestamp_expired" };
+function checkIP(ip: string): { allowed: boolean; reason?: string } {
+  if (ALLOWED_IPS.length === 0) return { allowed: true };
+  if (ALLOWED_IPS.includes(ip)) return { allowed: true };
+  return { allowed: false, reason: `IP not whitelisted: ${ip}` };
+}
+async function checkRateLimit(sb: any, machine_hash: string): Promise<{ allowed: boolean; reason?: string }> {
+  const windowStart = new Date(Date.now() - RATE_LIMIT_WINDOW * 1000).toISOString();
+  const { count } = await sb.from("clauth_audit")
+    .select("id", { count: "exact", head: true })
+    .eq("machine_hash", machine_hash)
+    .gte("created_at", windowStart);
+  if ((count || 0) >= RATE_LIMIT_MAX) {
+    return { allowed: false, reason: `Rate limit: ${count}/${RATE_LIMIT_MAX} per ${RATE_LIMIT_WINDOW}s` };
   }
+  return { allowed: true };
+}
+async function validateHMAC(sb: any, body: any): Promise<{ valid: boolean; reason?: string }> {
+  const now = Date.now();
+  if (Math.abs(now - body.timestamp) > REPLAY_WINDOW_MS) return { valid: false, reason: "timestamp_expired" };
-  // Lookup machine
-  const sb = createClient(SUPABASE_URL, SERVICE_ROLE_KEY);
-  const { data: machine, error } = await sb
-    .from("clauth_machines")
-    .select("hmac_seed_hash, enabled")
-    .eq("machine_hash", body.machine_hash)
-    .single();
+  const { data: machine, error } = await sb.from("clauth_machines")
+    .select("hmac_seed_hash, enabled, fail_count, locked")
+    .eq("machine_hash", body.machine_hash).single();
-  if (error || !machine) {
-    return { valid: false, reason: "machine_not_found" };
-  }
-  if (!machine.enabled) {
-    return { valid: false, reason: "machine_disabled" };
-  }
+  if (error || !machine) return { valid: false, reason: "machine_not_found" };
+  if (!machine.enabled)   return { valid: false, reason: "machine_disabled" };
+  if (machine.locked)     return { valid: false, reason: "machine_locked" };
-  // Expected token = HMAC(machine_hash:window, password)
-  // Client derives token with password only; server verifies the same way
-  const window = Math.floor(body.timestamp / REPLAY_WINDOW_MS);
-  const message = `${body.machine_hash}:${window}`;
+  const window   = Math.floor(body.timestamp / REPLAY_WINDOW_MS);
+  const message  = `${body.machine_hash}:${window}`;
   const expected = await hmacSha256(body.password, message);
   if (expected !== body.token) {
-    return { valid: false, reason: "invalid_token" };
+    const newCount   = (machine.fail_count || 0) + 1;
+    const shouldLock = newCount >= MAX_FAIL_COUNT;
+    await sb.from("clauth_machines")
+      .update({ fail_count: newCount, locked: shouldLock })
+      .eq("machine_hash", body.machine_hash);
+    return { valid: false, reason: shouldLock ? `machine_locked after ${newCount} failures` : `invalid_token (${newCount}/${MAX_FAIL_COUNT})` };
   }
-  // Update last_seen
-  await sb
-    .from("clauth_machines")
-    .update({ last_seen: new Date().toISOString() })
+  await sb.from("clauth_machines")
+    .update({ last_seen: new Date().toISOString(), fail_count: 0 })
     .eq("machine_hash", body.machine_hash);
   return { valid: true };
 }
-async function auditLog(
-  sb: ReturnType<typeof createClient>,
-  machine_hash: string,
-  service_name: string,
-  action: string,
-  result: string,
-  detail?: string
-) {
-  await sb.from("clauth_audit").insert({
-    machine_hash, service_name, action, result, detail
-  });
+async function auditLog(sb: any, machine_hash: string, service_name: string, action: string, result: string, detail?: string) {
+  await sb.from("clauth_audit").insert({ machine_hash, service_name, action, result, detail });
 }
-// ============================================================
-// Route handlers
-// ============================================================
-async function handleRetrieve(sb: ReturnType<typeof createClient>, body: any, machine_hash: string) {
+async function handleRetrieve(sb: any, body: any, mh: string) {
   const { service } = body;
   if (!service) return { error: "service required" };
-  const { data: svc } = await sb
-    .from("clauth_services")
-    .select("*")
-    .eq("name", service)
-    .single();
-  if (!svc) {
-    await auditLog(sb, machine_hash, service, "retrieve", "fail", "service_not_found");
-    return { error: "service_not_found" };
-  }
-  if (!svc.enabled) {
-    await auditLog(sb, machine_hash, service, "retrieve", "denied", "service_disabled");
-    return { error: "service_disabled" };
-  }
-  if (!svc.vault_key) {
-    await auditLog(sb, machine_hash, service, "retrieve", "fail", "no_key_stored");
-    return { error: "no_key_stored" };
-  }
-  // Retrieve from vault
-  const { data: secret } = await sb.rpc("vault_decrypt_secret", {
-    secret_name: svc.vault_key
-  });
-  await sb
-    .from("clauth_services")
-    .update({ last_retrieved: new Date().toISOString() })
-    .eq("name", service);
-  await auditLog(sb, machine_hash, service, "retrieve", "success");
+  const { data: svc } = await sb.from("clauth_services").select("*").eq("name", service).single();
+  if (!svc)           { await auditLog(sb, mh, service, "retrieve", "fail", "service_not_found"); return { error: "service_not_found" }; }
+  if (!svc.enabled)   { await auditLog(sb, mh, service, "retrieve", "denied", "service_disabled"); return { error: "service_disabled" }; }
+  if (!svc.vault_key) { await auditLog(sb, mh, service, "retrieve", "fail", "no_key_stored"); return { error: "no_key_stored" }; }
+  const { data: secret } = await sb.rpc("vault_decrypt_secret", { secret_name: svc.vault_key });
+  await sb.from("clauth_services").update({ last_retrieved: new Date().toISOString() }).eq("name", service);
+  await auditLog(sb, mh, service, "retrieve", "success");
   return { service, key_type: svc.key_type, value: secret };
 }
-async function handleWrite(sb: ReturnType<typeof createClient>, body: any, machine_hash: string) {
+async function handleWrite(sb: any, body: any, mh: string) {
   const { service, value } = body;
   if (!service || !value) return { error: "service and value required" };
   const vaultKey = `clauth.${service}`;
-  // Upsert into vault
-  const { error } = await sb.rpc("vault_upsert_secret", {
-    secret_name: vaultKey,
-    secret_value: typeof value === "string" ? value : JSON.stringify(value)
-  });
-  if (error) {
-    await auditLog(sb, machine_hash, service, "write", "fail", error.message);
-    return { error: error.message };
-  }
-  // Update registry
-  await sb
-    .from("clauth_services")
-    .update({ vault_key: vaultKey, last_rotated: new Date().toISOString() })
-    .eq("name", service);
-  await auditLog(sb, machine_hash, service, "write", "success");
+  const { error } = await sb.rpc("vault_upsert_secret", { secret_name: vaultKey, secret_value: typeof value === "string" ? value : JSON.stringify(value) });
+  if (error) { await auditLog(sb, mh, service, "write", "fail", error.message); return { error: error.message }; }
+  await sb.from("clauth_services").update({ vault_key: vaultKey, last_rotated: new Date().toISOString() }).eq("name", service);
+  await auditLog(sb, mh, service, "write", "success");
   return { success: true, service, vault_key: vaultKey };
 }
-async function handleEnable(sb: ReturnType<typeof createClient>, body: any, machine_hash: string) {
-  const { service, enabled } = body; // enabled: true | false
-  const target = service === "all" ? null : service;
-  let query = sb.from("clauth_services").update({ enabled });
-  if (target) query = query.eq("name", target);
-  else query = query.not("vault_key", "is", null); // only enable services with keys
-  const { error } = await query;
+async function handleEnable(sb: any, body: any, mh: string) {
+  const { service, enabled } = body;
+  let q = sb.from("clauth_services").update({ enabled });
+  q = service !== "all" ? q.eq("name", service) : q.not("vault_key", "is", null);
+  const { error } = await q;
   if (error) return { error: error.message };
-  await auditLog(sb, machine_hash, service, enabled ? "enable" : "disable", "success");
+  await auditLog(sb, mh, service, enabled ? "enable" : "disable", "success");
   return { success: true, service, enabled };
 }
-async function handleAdd(sb: ReturnType<typeof createClient>, body: any, machine_hash: string) {
+async function handleAdd(sb: any, body: any, mh: string) {
   const { name, label, key_type, description } = body;
   if (!name || !label || !key_type) return { error: "name, label, key_type required" };
-  const { error } = await sb.from("clauth_services").insert({
-    name, label, key_type, description: description || null
-  });
+  const { error } = await sb.from("clauth_services").insert({ name, label, key_type, description: description || null });
   if (error) return { error: error.message };
-  await auditLog(sb, machine_hash, name, "add", "success");
+  await auditLog(sb, mh, name, "add", "success");
   return { success: true, name, label, key_type };
 }
-async function handleRemove(sb: ReturnType<typeof createClient>, body: any, machine_hash: string) {
+async function handleRemove(sb: any, body: any, mh: string) {
   const { service, confirm } = body;
-  if (confirm !== `CONFIRM REMOVE ${service.toUpperCase()}`) {
-    return { error: "confirm phrase mismatch", required: `CONFIRM REMOVE ${service.toUpperCase()}` };
-  }
+  if (confirm !== `CONFIRM REMOVE ${service.toUpperCase()}`) return { error: "confirm phrase mismatch" };
   await sb.rpc("vault_delete_secret", { secret_name: `clauth.${service}` });
   await sb.from("clauth_services").delete().eq("name", service);
-  await auditLog(sb, machine_hash, service, "remove", "success");
+  await auditLog(sb, mh, service, "remove", "success");
   return { success: true, service };
 }
-async function handleRevoke(sb: ReturnType<typeof createClient>, body: any, machine_hash: string) {
+async function handleRevoke(sb: any, body: any, mh: string) {
   const { service, confirm } = body;
   const phrase = service === "all" ? "CONFIRM REVOKE ALL" : `CONFIRM REVOKE ${service.toUpperCase()}`;
-  if (confirm !== phrase) {
-    return { error: "confirm phrase mismatch", required: phrase };
-  }
+  if (confirm !== phrase) return { error: "confirm phrase mismatch", required: phrase };
   if (service === "all") {
     const { data: svcs } = await sb.from("clauth_services").select("name").not("vault_key", "is", null);
-    for (const s of svcs || []) {
-      await sb.rpc("vault_delete_secret", { secret_name: `clauth.${s.name}` });
-    }
+    for (const s of svcs || []) await sb.rpc("vault_delete_secret", { secret_name: `clauth.${s.name}` });
     await sb.from("clauth_services").update({ vault_key: null, enabled: false }).neq("id", "00000000-0000-0000-0000-000000000000");
   } else {
     await sb.rpc("vault_delete_secret", { secret_name: `clauth.${service}` });
     await sb.from("clauth_services").update({ vault_key: null, enabled: false }).eq("name", service);
   }
-  await auditLog(sb, machine_hash, service, "revoke", "success");
+  await auditLog(sb, mh, service, "revoke", "success");
   return { success: true, service };
 }
-async function handleStatus(sb: ReturnType<typeof createClient>, machine_hash: string) {
-  const { data: services } = await sb
-    .from("clauth_services")
-    .select("name, label, key_type, enabled, vault_key, last_retrieved, last_rotated, created_at")
-    .order("name");
-  await auditLog(sb, machine_hash, "all", "status", "success");
+async function handleStatus(sb: any, mh: string) {
+  const { data: services } = await sb.from("clauth_services")
+    .select("name, label, key_type, enabled, vault_key, last_retrieved, last_rotated, created_at").order("name");
+  await auditLog(sb, mh, "all", "status", "success");
   return { services: services || [] };
 }
-async function handleRegisterMachine(sb: ReturnType<typeof createClient>, body: any) {
+async function handleRegisterMachine(sb: any, body: any) {
   const { machine_hash, hmac_seed_hash, label, admin_token } = body;
-  // Bootstrap: requires a one-time admin token stored as env var
-  if (admin_token !== Deno.env.get("CLAUTH_ADMIN_BOOTSTRAP_TOKEN")) {
-    return { error: "invalid_admin_token" };
-  }
-  const { error } = await sb.from("clauth_machines").upsert({
-    machine_hash, hmac_seed_hash, label, enabled: true
-  }, { onConflict: "machine_hash" });
+  if (admin_token !== ADMIN_BOOTSTRAP_TOKEN) return { error: "invalid_admin_token" };
+  const { error } = await sb.from("clauth_machines").upsert(
+    { machine_hash, hmac_seed_hash, label, enabled: true, fail_count: 0, locked: false },
+    { onConflict: "machine_hash" }
+  );
   if (error) return { error: error.message };
   return { success: true, machine_hash };
 }
-// ============================================================
-// Main handler
-// ============================================================
 Deno.serve(async (req: Request) => {
-  const url = new URL(req.url);
-  const route = url.pathname.replace(/^\/auth-vault\/?/, "").replace(/^\//, "");
   if (req.method === "OPTIONS") {
-    return new Response(null, {
-      headers: {
-        "Access-Control-Allow-Origin": "*",
-        "Access-Control-Allow-Methods": "POST, OPTIONS",
-        "Access-Control-Allow-Headers": "Content-Type, Authorization"
-      }
-    });
+    return new Response(null, { headers: {
+      "Access-Control-Allow-Origin": "*",
+      "Access-Control-Allow-Methods": "POST, OPTIONS",
+      "Access-Control-Allow-Headers": "Content-Type, Authorization"
+    }});
   }
+  if (req.method !== "POST") return Response.json({ error: "POST only" }, { status: 405 });
-  if (req.method !== "POST") {
-    return Response.json({ error: "POST only" }, { status: 405 });
-  }
+  const url   = new URL(req.url);
+  const route = url.pathname.replace(/^\/auth-vault\/?/, "").replace(/^\//, "");
+  const body  = await req.json().catch(() => ({}));
+  const sb    = createClient(SUPABASE_URL, SERVICE_ROLE_KEY);
+  const ip    = getClientIP(req);
-  const body = await req.json().catch(() => ({}));
-  const sb = createClient(SUPABASE_URL, SERVICE_ROLE_KEY);
+  if (route === "register-machine") return Response.json(await handleRegisterMachine(sb, body));
-  // Bootstrap machine registration — no HMAC required, uses admin token
-  if (route === "register-machine") {
-    return Response.json(await handleRegisterMachine(sb, body));
+  const ipCheck = checkIP(ip);
+  if (!ipCheck.allowed) {
+    await auditLog(sb, body.machine_hash || "unknown", "system", route, "blocked", ipCheck.reason);
+    return Response.json({ error: "ip_blocked", reason: ipCheck.reason }, { status: 403 });
   }
-  // All other routes require HMAC validation
-  const authResult = await validateHMAC({
-    machine_hash: body.machine_hash,
-    token: body.token,
-    timestamp: body.timestamp,
-    password: body.password
-  });
+  if (body.machine_hash) {
+    const rateCheck = await checkRateLimit(sb, body.machine_hash);
+    if (!rateCheck.allowed) {
+      await auditLog(sb, body.machine_hash, "system", route, "rate_limited", rateCheck.reason);
+      return Response.json({ error: "rate_limited", reason: rateCheck.reason }, { status: 429 });
+    }
+  }
+  const authResult = await validateHMAC(sb, { machine_hash: body.machine_hash, token: body.token, timestamp: body.timestamp, password: body.password });
   if (!authResult.valid) {
     await auditLog(sb, body.machine_hash || "unknown", body.service || "unknown", route, "denied", authResult.reason);
     return Response.json({ error: "auth_failed", reason: authResult.reason }, { status: 401 });
   }
-  const machine_hash = body.machine_hash;
+  const mh = body.machine_hash;
   switch (route) {
-    case "retrieve":        return Response.json(await handleRetrieve(sb, body, machine_hash));
-    case "write":           return Response.json(await handleWrite(sb, body, machine_hash));
-    case "enable":          return Response.json(await handleEnable(sb, body, machine_hash));
-    case "add":             return Response.json(await handleAdd(sb, body, machine_hash));
-    case "remove":          return Response.json(await handleRemove(sb, body, machine_hash));
-    case "revoke":          return Response.json(await handleRevoke(sb, body, machine_hash));
-    case "status":          return Response.json(await handleStatus(sb, machine_hash));
-    case "test":            return Response.json({ valid: true, machine_hash, timestamp: body.timestamp });
-    default:                return Response.json({ error: "unknown_route", route }, { status: 404 });
+    case "retrieve": return Response.json(await handleRetrieve(sb, body, mh));
+    case "write":    return Response.json(await handleWrite(sb, body, mh));
+    case "enable":   return Response.json(await handleEnable(sb, body, mh));
+    case "add":      return Response.json(await handleAdd(sb, body, mh));
+    case "remove":   return Response.json(await handleRemove(sb, body, mh));
+    case "revoke":   return Response.json(await handleRevoke(sb, body, mh));
+    case "status":   return Response.json(await handleStatus(sb, mh));
+    case "test":     return Response.json({ valid: true, machine_hash: mh, timestamp: body.timestamp, ip });
+    default:         return Response.json({ error: "unknown_route", route }, { status: 404 });
   }
 });

package/supabase/migrations/20260317_lockout.sql ADDED Viewed

@@ -0,0 +1,26 @@
+-- Migration: add fail_count and locked to clauth_machines
+-- Run via: clauth install (picks this up automatically) or apply manually
+ALTER TABLE clauth_machines
+  ADD COLUMN IF NOT EXISTS fail_count  INTEGER NOT NULL DEFAULT 0,
+  ADD COLUMN IF NOT EXISTS locked      BOOLEAN NOT NULL DEFAULT false;
+-- Index for fast lockout checks
+CREATE INDEX IF NOT EXISTS idx_clauth_machines_locked
+  ON clauth_machines (machine_hash, locked);
+-- Admin helper: unlock a machine
+-- Usage: SELECT clauth_unlock_machine('your_machine_hash');
+CREATE OR REPLACE FUNCTION clauth_unlock_machine(p_machine_hash TEXT)
+RETURNS void
+LANGUAGE plpgsql
+SECURITY DEFINER
+AS $$
+BEGIN
+  UPDATE clauth_machines
+  SET locked = false, fail_count = 0
+  WHERE machine_hash = p_machine_hash;
+END;
+$$;
+REVOKE EXECUTE ON FUNCTION clauth_unlock_machine(TEXT) FROM PUBLIC;