npm - @lifeaitools/clauth - Versions diffs - 0.2.2 → 0.3.0 - Mend

@lifeaitools/clauth 0.2.2 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/cli/commands/serve.js +378 -0
package/cli/index.js +41 -1
package/package.json +1 -1
package/supabase/functions/auth-vault/index.ts +132 -235
package/supabase/migrations/20260317_lockout.sql +26 -0

package/cli/commands/serve.js ADDED Viewed

@@ -0,0 +1,378 @@
+// cli/commands/serve.js
+// Localhost-only credential daemon with daemon lifecycle management
+// Binds 127.0.0.1 ONLY — unreachable from outside the machine
+// 3 failed requests of any kind → process exits, requires manual restart
+// Supports: start (background daemon), stop, restart, ping, foreground
+import http from "http";
+import fs from "fs";
+import os from "os";
+import path from "path";
+import { getMachineHash, deriveToken } from "../fingerprint.js";
+import * as api from "../api.js";
+import chalk from "chalk";
+const PID_FILE = path.join(os.tmpdir(), "clauth-serve.pid");
+const LOG_FILE = path.join(os.tmpdir(), "clauth-serve.log");
+// ── PID helpers ──────────────────────────────────────────────
+function readPid() {
+  try {
+    const raw = fs.readFileSync(PID_FILE, "utf8").trim();
+    const [pid, port] = raw.split(":");
+    return { pid: parseInt(pid, 10), port: parseInt(port, 10) };
+  } catch { return null; }
+}
+function writePid(pid, port) {
+  fs.writeFileSync(PID_FILE, `${pid}:${port}`, "utf8");
+}
+function removePid() {
+  try { fs.unlinkSync(PID_FILE); } catch {}
+}
+function isProcessAlive(pid) {
+  try { process.kill(pid, 0); return true; } catch { return false; }
+}
+// ── Server logic (shared by foreground + daemon) ─────────────
+function createServer(password, whitelist, port) {
+  const MAX_FAILS = 3;
+  let failCount = 0;
+  const machineHash = getMachineHash();
+  function strike(res, code, message) {
+    failCount++;
+    const remaining = MAX_FAILS - failCount;
+    const logLine = `[${new Date().toISOString()}] [FAIL ${failCount}/${MAX_FAILS}] ${message}\n`;
+    try { fs.appendFileSync(LOG_FILE, logLine); } catch {}
+    const body = JSON.stringify({
+      error: message,
+      failures: failCount,
+      failures_remaining: remaining,
+      ...(failCount >= MAX_FAILS ? { shutdown: true } : {})
+    });
+    res.writeHead(code, { "Content-Type": "application/json" });
+    res.end(body);
+    if (failCount >= MAX_FAILS) {
+      const msg = `[${new Date().toISOString()}] Failure limit reached — shutting down\n`;
+      try { fs.appendFileSync(LOG_FILE, msg); } catch {}
+      removePid();
+      setTimeout(() => process.exit(1), 100);
+    }
+  }
+  function ok(res, data) {
+    res.writeHead(200, { "Content-Type": "application/json" });
+    res.end(JSON.stringify(data));
+  }
+  const server = http.createServer(async (req, res) => {
+    // Hard reject anything not from loopback
+    const remote = req.socket.remoteAddress;
+    const isLocal = remote === "127.0.0.1" || remote === "::1" || remote === "::ffff:127.0.0.1";
+    if (!isLocal) {
+      return strike(res, 403, `Rejected non-local address: ${remote}`);
+    }
+    const url    = new URL(req.url, `http://127.0.0.1:${port}`);
+    const reqPath = url.pathname;
+    const method = req.method;
+    // GET /ping
+    if (method === "GET" && reqPath === "/ping") {
+      return ok(res, {
+        status: "ok",
+        pid: process.pid,
+        failures: failCount,
+        failures_remaining: MAX_FAILS - failCount,
+        services: whitelist || "all",
+        port
+      });
+    }
+    // GET /shutdown (for daemon stop)
+    if (method === "GET" && reqPath === "/shutdown") {
+      ok(res, { ok: true, message: "shutting down" });
+      removePid();
+      setTimeout(() => process.exit(0), 100);
+      return;
+    }
+    // GET /status
+    if (method === "GET" && reqPath === "/status") {
+      try {
+        const { token, timestamp } = deriveToken(password, machineHash);
+        const result = await api.status(password, machineHash, token, timestamp);
+        if (result.error) return strike(res, 502, result.error);
+        if (whitelist) {
+          result.services = (result.services || []).filter(
+            s => whitelist.includes(s.name.toLowerCase())
+          );
+        }
+        return ok(res, result);
+      } catch (err) {
+        return strike(res, 502, err.message);
+      }
+    }
+    // GET /get/:service
+    const getMatch = reqPath.match(/^\/get\/([a-zA-Z0-9_-]+)$/);
+    if (method === "GET" && getMatch) {
+      const service = getMatch[1].toLowerCase();
+      if (whitelist && !whitelist.includes(service)) {
+        return strike(res, 403, `Service '${service}' not in whitelist`);
+      }
+      try {
+        const { token, timestamp } = deriveToken(password, machineHash);
+        const result = await api.retrieve(password, machineHash, token, timestamp, service);
+        if (result.error) return strike(res, 502, result.error);
+        return ok(res, { service, value: result.value, key_type: result.key_type });
+      } catch (err) {
+        return strike(res, 502, err.message);
+      }
+    }
+    // Unknown route
+    return strike(res, 404, `Unknown endpoint: ${reqPath}`);
+  });
+  return server;
+}
+// ── Actions ──────────────────────────────────────────────────
+async function verifyAuth(password) {
+  const machineHash = getMachineHash();
+  const { token, timestamp } = deriveToken(password, machineHash);
+  const result = await api.test(password, machineHash, token, timestamp);
+  if (result.error) throw new Error(result.error);
+}
+async function actionStart(opts) {
+  const port     = parseInt(opts.port || "52437", 10);
+  const password = opts.pw;
+  const whitelist = opts.services
+    ? opts.services.split(",").map(s => s.trim().toLowerCase())
+    : null;
+  // Check for existing instance
+  const existing = readPid();
+  if (existing && isProcessAlive(existing.pid)) {
+    console.log(chalk.yellow(`\n  clauth serve already running (PID ${existing.pid}, port ${existing.port})`));
+    console.log(chalk.gray(`  Stop it first: clauth serve stop\n`));
+    process.exit(1);
+  }
+  // If we're the daemon child, run the server directly
+  if (process.env.__CLAUTH_DAEMON === "1") {
+    try {
+      await verifyAuth(password);
+    } catch (err) {
+      const msg = `[${new Date().toISOString()}] Auth failed: ${err.message}\n`;
+      fs.appendFileSync(LOG_FILE, msg);
+      process.exit(1);
+    }
+    const server = createServer(password, whitelist, port);
+    server.listen(port, "127.0.0.1", () => {
+      writePid(process.pid, port);
+      const msg = `[${new Date().toISOString()}] clauth serve started — PID ${process.pid}, port ${port}, services: ${whitelist ? whitelist.join(",") : "all"}\n`;
+      fs.appendFileSync(LOG_FILE, msg);
+    });
+    server.on("error", err => {
+      const msg = `[${new Date().toISOString()}] Server error: ${err.message}\n`;
+      fs.appendFileSync(LOG_FILE, msg);
+      process.exit(1);
+    });
+    const shutdown = () => { removePid(); process.exit(0); };
+    process.on("SIGTERM", shutdown);
+    process.on("SIGINT", shutdown);
+    return;
+  }
+  // Parent: verify auth first (show errors to user)
+  console.log(chalk.gray("\n  Verifying vault credentials..."));
+  try {
+    await verifyAuth(password);
+  } catch (err) {
+    console.log(chalk.red(`\n  Auth failed: ${err.message}\n`));
+    process.exit(1);
+  }
+  console.log(chalk.green("  ✓ Vault auth verified"));
+  // Spawn detached daemon child
+  const { spawn } = await import("child_process");
+  const { fileURLToPath } = await import("url");
+  const __filename = fileURLToPath(import.meta.url);
+  // Build args: node serve.js --action start --port N --pw PW [--services S]
+  const childArgs = [__filename, "--action", "start", "--port", String(port), "--pw", password];
+  if (opts.services) childArgs.push("--services", opts.services);
+  const out = fs.openSync(LOG_FILE, "a");
+  const child = spawn(process.execPath, childArgs, {
+    detached: true,
+    stdio: ["ignore", out, out],
+    env: { ...process.env, __CLAUTH_DAEMON: "1" },
+  });
+  child.unref();
+  // Give it a moment then verify
+  await new Promise(r => setTimeout(r, 800));
+  const info = readPid();
+  if (info && isProcessAlive(info.pid)) {
+    console.log(chalk.green(`\n  🔐 clauth serve started`));
+    console.log(chalk.gray(`  PID:      ${info.pid}`));
+    console.log(chalk.gray(`  Port:     127.0.0.1:${info.port}`));
+    console.log(chalk.gray(`  Services: ${whitelist ? whitelist.join(", ") : "all"}`));
+    console.log(chalk.gray(`  Log:      ${LOG_FILE}`));
+    console.log(chalk.gray(`  Stop:     clauth serve stop\n`));
+  } else {
+    console.log(chalk.red(`\n  ❌ Failed to start daemon — check ${LOG_FILE}\n`));
+    process.exit(1);
+  }
+}
+async function actionStop() {
+  const info = readPid();
+  if (!info) {
+    console.log(chalk.yellow("\n  No clauth serve PID file found — not running.\n"));
+    return;
+  }
+  if (!isProcessAlive(info.pid)) {
+    console.log(chalk.yellow(`\n  PID ${info.pid} is not running (stale PID file). Cleaning up.\n`));
+    removePid();
+    return;
+  }
+  // Try HTTP shutdown first (clean)
+  try {
+    const resp = await fetch(`http://127.0.0.1:${info.port}/shutdown`);
+    if (resp.ok) {
+      await new Promise(r => setTimeout(r, 300));
+      console.log(chalk.green(`\n  🛑 clauth serve stopped (was PID ${info.pid}, port ${info.port})\n`));
+      removePid();
+      return;
+    }
+  } catch {}
+  // Fallback: kill the process
+  try {
+    process.kill(info.pid, "SIGTERM");
+    await new Promise(r => setTimeout(r, 300));
+    console.log(chalk.green(`\n  🛑 clauth serve stopped via SIGTERM (PID ${info.pid})\n`));
+  } catch (err) {
+    console.log(chalk.yellow(`\n  Could not kill PID ${info.pid}: ${err.message}\n`));
+  }
+  removePid();
+}
+async function actionPing() {
+  const info = readPid();
+  if (!info) {
+    console.log(chalk.red("\n  clauth serve is not running (no PID file)\n"));
+    process.exit(1);
+  }
+  if (!isProcessAlive(info.pid)) {
+    console.log(chalk.red(`\n  PID ${info.pid} is not alive (stale PID file)\n`));
+    removePid();
+    process.exit(1);
+  }
+  try {
+    const resp = await fetch(`http://127.0.0.1:${info.port}/ping`);
+    const data = await resp.json();
+    if (data.status === "ok") {
+      console.log(chalk.green(`\n  ✅ clauth serve running`));
+      console.log(chalk.gray(`  PID:     ${info.pid}`));
+      console.log(chalk.gray(`  Port:    ${info.port}`));
+      console.log(chalk.gray(`  Fails:   ${data.failures}/${data.failures + data.failures_remaining}`));
+      console.log(chalk.gray(`  Services: ${Array.isArray(data.services) ? data.services.join(", ") : data.services}\n`));
+    } else {
+      console.log(chalk.yellow(`\n  PID alive but /ping returned unexpected response\n`));
+    }
+  } catch (err) {
+    console.log(chalk.yellow(`\n  PID ${info.pid} alive but HTTP failed: ${err.message}\n`));
+  }
+}
+async function actionRestart(opts) {
+  const info = readPid();
+  if (info && isProcessAlive(info.pid)) {
+    await actionStop();
+    await new Promise(r => setTimeout(r, 500));
+  }
+  await actionStart(opts);
+}
+async function actionForeground(opts) {
+  const port     = parseInt(opts.port || "52437", 10);
+  const password = opts.pw;
+  const whitelist = opts.services
+    ? opts.services.split(",").map(s => s.trim().toLowerCase())
+    : null;
+  console.log(chalk.gray("\n  Verifying vault credentials..."));
+  try {
+    await verifyAuth(password);
+  } catch (err) {
+    console.log(chalk.red(`\n  Auth failed: ${err.message}\n`));
+    process.exit(1);
+  }
+  console.log(chalk.green("  ✓ Vault auth verified"));
+  console.log(chalk.gray(`  Port:     127.0.0.1:${port}`));
+  console.log(chalk.gray(`  Services: ${whitelist ? whitelist.join(", ") : "all"}`));
+  console.log(chalk.gray(`  Lockout:  3 failures → exit\n`));
+  const server = createServer(password, whitelist, port);
+  server.listen(port, "127.0.0.1", () => {
+    writePid(process.pid, port);
+    console.log(chalk.green(`  clauth serve → http://127.0.0.1:${port}`));
+    console.log(chalk.gray("  Ctrl+C to stop\n"));
+  });
+  server.on("error", err => {
+    if (err.code === "EADDRINUSE") {
+      console.log(chalk.red(`\n  Port ${port} already in use. Use --port to choose another.\n`));
+    } else {
+      console.log(chalk.red(`\n  Server error: ${err.message}\n`));
+    }
+    process.exit(1);
+  });
+  process.on("SIGINT", () => {
+    console.log(chalk.yellow("\n  Stopping clauth serve...\n"));
+    removePid();
+    server.close(() => process.exit(0));
+  });
+}
+// ── Export ────────────────────────────────────────────────────
+export async function runServe(opts) {
+  const action = opts.action || "foreground";
+  switch (action) {
+    case "start":     return actionStart(opts);
+    case "stop":      return actionStop();
+    case "restart":   return actionRestart(opts);
+    case "ping":      return actionPing();
+    case "foreground": return actionForeground(opts);
+    default:
+      console.log(chalk.red(`\n  Unknown serve action: ${action}`));
+      console.log(chalk.gray("  Actions: start | stop | restart | ping | foreground\n"));
+      process.exit(1);
+  }
+}

package/cli/index.js CHANGED Viewed

@@ -11,7 +11,7 @@ import * as api from "./api.js";
 import os from "os";
 const config = new Conf({ projectName: "clauth" });
-const VERSION = "0.2.2";
+const VERSION = "0.3.0";
 // ============================================================
 // Password prompt helper
@@ -53,6 +53,7 @@ program
 import { runInstall } from './commands/install.js';
 import { runUninstall } from './commands/uninstall.js';
 import { runScrub } from './commands/scrub.js';
+import { runServe } from './commands/serve.js';
 program
   .command('install')
@@ -457,4 +458,43 @@ program.addHelpText("beforeAll", chalk.cyan(`
   v${VERSION} — LIFEAI Credential Vault
 `));
+// ──────────────────────────────────────────────
+// clauth serve [action]
+// ──────────────────────────────────────────────
+program
+  .command("serve [action]")
+  .description("Manage localhost HTTP vault daemon (start|stop|restart|ping)")
+  .option("--port <n>", "Port (default: 52437)")
+  .option("-p, --pw <password>", "clauth password (required for start/restart)")
+  .option("--services <list>", "Comma-separated service whitelist (default: all)")
+  .option("--action <action>", "Internal: action override for daemon child")
+  .addHelpText("after", `
+Actions:
+  start       Start the server as a background daemon
+  stop        Stop the running daemon
+  restart     Stop + start
+  ping        Check if the daemon is running
+  foreground  Run in foreground (Ctrl+C to stop) — default if no action given
+Examples:
+  clauth serve -p mypass                 Run in foreground (original behavior)
+  clauth serve start -p mypass           Start as background daemon
+  clauth serve stop                      Stop the daemon
+  clauth serve ping                      Check status
+  clauth serve restart -p mypass         Restart the daemon
+  clauth serve start --services github,vercel -p mypass
+`)
+  .action(async (action, opts) => {
+    const resolvedAction = opts.action || action || "foreground";
+    // stop and ping don't need a password
+    if (!["stop", "ping"].includes(resolvedAction) && !opts.pw) {
+      console.log(chalk.red("\n  --pw is required for serve mode\n"));
+      console.log(chalk.gray("  Example: clauth serve start --pw yourpassword\n"));
+      process.exit(1);
+    }
+    await runServe({ ...opts, action: resolvedAction });
+  });
 program.parse(process.argv);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@lifeaitools/clauth",
-  "version": "0.2.2",
+  "version": "0.3.0",
   "description": "Hardware-bound credential vault for the LIFEAI infrastructure stack",
   "type": "module",
   "bin": {

package/supabase/functions/auth-vault/index.ts CHANGED Viewed

@@ -1,326 +1,223 @@
-// ============================================================
-// clauth — auth-vault Edge Function
-// Supabase Deno runtime
-// Routes:
-//   POST /auth-vault/retrieve   — validate HMAC, return key
-//   POST /auth-vault/write      — write/update key in vault
-//   POST /auth-vault/enable     — enable/disable service
-//   POST /auth-vault/add        — add new service to registry
-//   POST /auth-vault/remove     — remove service from registry
-//   POST /auth-vault/status     — list all services + state
-//   POST /auth-vault/test       — dry-run HMAC check only
-//   POST /auth-vault/rotate     — flag a service for rotation
-//   POST /auth-vault/revoke     — delete key from vault
-// ============================================================
+// clauth — auth-vault Edge Function v2
+// Added: IP whitelist, rate limiting, machine lockout (fail_count + locked)
 import { createClient } from "https://esm.sh/@supabase/supabase-js@2";
-const SUPABASE_URL     = Deno.env.get("SUPABASE_URL")!;
-const SERVICE_ROLE_KEY = Deno.env.get("SUPABASE_SERVICE_ROLE_KEY")!;
-const CLAUTH_HMAC_SALT = Deno.env.get("CLAUTH_HMAC_SALT")!; // stored in Supabase secrets
+const SUPABASE_URL          = Deno.env.get("SUPABASE_URL")!;
+const SERVICE_ROLE_KEY      = Deno.env.get("SUPABASE_SERVICE_ROLE_KEY")!;
+const CLAUTH_HMAC_SALT      = Deno.env.get("CLAUTH_HMAC_SALT")!;
+const ADMIN_BOOTSTRAP_TOKEN = Deno.env.get("CLAUTH_ADMIN_BOOTSTRAP_TOKEN")!;
-const REPLAY_WINDOW_MS = 5 * 60 * 1000; // 5 minutes
+const ALLOWED_IPS: string[] = (Deno.env.get("CLAUTH_ALLOWED_IPS") || "")
+  .split(",").map(s => s.trim()).filter(Boolean);
-// ============================================================
-// Helpers
-// ============================================================
-async function sha256hex(input: string): Promise<string> {
-  const buf = await crypto.subtle.digest(
-    "SHA-256",
-    new TextEncoder().encode(input)
-  );
-  return Array.from(new Uint8Array(buf))
-    .map(b => b.toString(16).padStart(2, "0"))
-    .join("");
-}
+const RATE_LIMIT_MAX    = 30;
+const RATE_LIMIT_WINDOW = 60;
+const REPLAY_WINDOW_MS  = 5 * 60 * 1000;
+const MAX_FAIL_COUNT    = 5;
 async function hmacSha256(key: string, message: string): Promise<string> {
   const cryptoKey = await crypto.subtle.importKey(
-    "raw",
-    new TextEncoder().encode(key),
-    { name: "HMAC", hash: "SHA-256" },
-    false,
-    ["sign"]
-  );
-  const sig = await crypto.subtle.sign(
-    "HMAC",
-    cryptoKey,
-    new TextEncoder().encode(message)
+    "raw", new TextEncoder().encode(key),
+    { name: "HMAC", hash: "SHA-256" }, false, ["sign"]
   );
-  return Array.from(new Uint8Array(sig))
-    .map(b => b.toString(16).padStart(2, "0"))
-    .join("");
+  const sig = await crypto.subtle.sign("HMAC", cryptoKey, new TextEncoder().encode(message));
+  return Array.from(new Uint8Array(sig)).map(b => b.toString(16).padStart(2, "0")).join("");
 }
-async function validateHMAC(body: {
-  machine_hash: string;
-  token: string;
-  timestamp: number;
-  password: string;
-}): Promise<{ valid: boolean; reason?: string }> {
-  const now = Date.now();
+function getClientIP(req: Request): string {
+  return req.headers.get("cf-connecting-ip") ||
+    req.headers.get("x-real-ip") ||
+    req.headers.get("x-forwarded-for")?.split(",")[0]?.trim() || "unknown";
+}
-  // Replay check
-  if (Math.abs(now - body.timestamp) > REPLAY_WINDOW_MS) {
-    return { valid: false, reason: "timestamp_expired" };
+function checkIP(ip: string): { allowed: boolean; reason?: string } {
+  if (ALLOWED_IPS.length === 0) return { allowed: true };
+  if (ALLOWED_IPS.includes(ip)) return { allowed: true };
+  return { allowed: false, reason: `IP not whitelisted: ${ip}` };
+}
+async function checkRateLimit(sb: any, machine_hash: string): Promise<{ allowed: boolean; reason?: string }> {
+  const windowStart = new Date(Date.now() - RATE_LIMIT_WINDOW * 1000).toISOString();
+  const { count } = await sb.from("clauth_audit")
+    .select("id", { count: "exact", head: true })
+    .eq("machine_hash", machine_hash)
+    .gte("created_at", windowStart);
+  if ((count || 0) >= RATE_LIMIT_MAX) {
+    return { allowed: false, reason: `Rate limit: ${count}/${RATE_LIMIT_MAX} per ${RATE_LIMIT_WINDOW}s` };
   }
+  return { allowed: true };
+}
+async function validateHMAC(sb: any, body: any): Promise<{ valid: boolean; reason?: string }> {
+  const now = Date.now();
+  if (Math.abs(now - body.timestamp) > REPLAY_WINDOW_MS) return { valid: false, reason: "timestamp_expired" };
-  // Lookup machine
-  const sb = createClient(SUPABASE_URL, SERVICE_ROLE_KEY);
-  const { data: machine, error } = await sb
-    .from("clauth_machines")
-    .select("hmac_seed_hash, enabled")
-    .eq("machine_hash", body.machine_hash)
-    .single();
+  const { data: machine, error } = await sb.from("clauth_machines")
+    .select("hmac_seed_hash, enabled, fail_count, locked")
+    .eq("machine_hash", body.machine_hash).single();
-  if (error || !machine) {
-    return { valid: false, reason: "machine_not_found" };
-  }
-  if (!machine.enabled) {
-    return { valid: false, reason: "machine_disabled" };
-  }
+  if (error || !machine) return { valid: false, reason: "machine_not_found" };
+  if (!machine.enabled)   return { valid: false, reason: "machine_disabled" };
+  if (machine.locked)     return { valid: false, reason: "machine_locked" };
-  // Expected token = HMAC(machine_hash:window, password)
-  // Client derives token with password only; server verifies the same way
-  const window = Math.floor(body.timestamp / REPLAY_WINDOW_MS);
-  const message = `${body.machine_hash}:${window}`;
+  const window   = Math.floor(body.timestamp / REPLAY_WINDOW_MS);
+  const message  = `${body.machine_hash}:${window}`;
   const expected = await hmacSha256(body.password, message);
   if (expected !== body.token) {
-    return { valid: false, reason: "invalid_token" };
+    const newCount   = (machine.fail_count || 0) + 1;
+    const shouldLock = newCount >= MAX_FAIL_COUNT;
+    await sb.from("clauth_machines")
+      .update({ fail_count: newCount, locked: shouldLock })
+      .eq("machine_hash", body.machine_hash);
+    return { valid: false, reason: shouldLock ? `machine_locked after ${newCount} failures` : `invalid_token (${newCount}/${MAX_FAIL_COUNT})` };
   }
-  // Update last_seen
-  await sb
-    .from("clauth_machines")
-    .update({ last_seen: new Date().toISOString() })
+  await sb.from("clauth_machines")
+    .update({ last_seen: new Date().toISOString(), fail_count: 0 })
     .eq("machine_hash", body.machine_hash);
   return { valid: true };
 }
-async function auditLog(
-  sb: ReturnType<typeof createClient>,
-  machine_hash: string,
-  service_name: string,
-  action: string,
-  result: string,
-  detail?: string
-) {
-  await sb.from("clauth_audit").insert({
-    machine_hash, service_name, action, result, detail
-  });
+async function auditLog(sb: any, machine_hash: string, service_name: string, action: string, result: string, detail?: string) {
+  await sb.from("clauth_audit").insert({ machine_hash, service_name, action, result, detail });
 }
-// ============================================================
-// Route handlers
-// ============================================================
-async function handleRetrieve(sb: ReturnType<typeof createClient>, body: any, machine_hash: string) {
+async function handleRetrieve(sb: any, body: any, mh: string) {
   const { service } = body;
   if (!service) return { error: "service required" };
-  const { data: svc } = await sb
-    .from("clauth_services")
-    .select("*")
-    .eq("name", service)
-    .single();
-  if (!svc) {
-    await auditLog(sb, machine_hash, service, "retrieve", "fail", "service_not_found");
-    return { error: "service_not_found" };
-  }
-  if (!svc.enabled) {
-    await auditLog(sb, machine_hash, service, "retrieve", "denied", "service_disabled");
-    return { error: "service_disabled" };
-  }
-  if (!svc.vault_key) {
-    await auditLog(sb, machine_hash, service, "retrieve", "fail", "no_key_stored");
-    return { error: "no_key_stored" };
-  }
-  // Retrieve from vault
-  const { data: secret } = await sb.rpc("vault_decrypt_secret", {
-    secret_name: svc.vault_key
-  });
-  await sb
-    .from("clauth_services")
-    .update({ last_retrieved: new Date().toISOString() })
-    .eq("name", service);
-  await auditLog(sb, machine_hash, service, "retrieve", "success");
+  const { data: svc } = await sb.from("clauth_services").select("*").eq("name", service).single();
+  if (!svc)           { await auditLog(sb, mh, service, "retrieve", "fail", "service_not_found"); return { error: "service_not_found" }; }
+  if (!svc.enabled)   { await auditLog(sb, mh, service, "retrieve", "denied", "service_disabled"); return { error: "service_disabled" }; }
+  if (!svc.vault_key) { await auditLog(sb, mh, service, "retrieve", "fail", "no_key_stored"); return { error: "no_key_stored" }; }
+  const { data: secret } = await sb.rpc("vault_decrypt_secret", { secret_name: svc.vault_key });
+  await sb.from("clauth_services").update({ last_retrieved: new Date().toISOString() }).eq("name", service);
+  await auditLog(sb, mh, service, "retrieve", "success");
   return { service, key_type: svc.key_type, value: secret };
 }
-async function handleWrite(sb: ReturnType<typeof createClient>, body: any, machine_hash: string) {
+async function handleWrite(sb: any, body: any, mh: string) {
   const { service, value } = body;
   if (!service || !value) return { error: "service and value required" };
   const vaultKey = `clauth.${service}`;
-  // Upsert into vault
-  const { error } = await sb.rpc("vault_upsert_secret", {
-    secret_name: vaultKey,
-    secret_value: typeof value === "string" ? value : JSON.stringify(value)
-  });
-  if (error) {
-    await auditLog(sb, machine_hash, service, "write", "fail", error.message);
-    return { error: error.message };
-  }
-  // Update registry
-  await sb
-    .from("clauth_services")
-    .update({ vault_key: vaultKey, last_rotated: new Date().toISOString() })
-    .eq("name", service);
-  await auditLog(sb, machine_hash, service, "write", "success");
+  const { error } = await sb.rpc("vault_upsert_secret", { secret_name: vaultKey, secret_value: typeof value === "string" ? value : JSON.stringify(value) });
+  if (error) { await auditLog(sb, mh, service, "write", "fail", error.message); return { error: error.message }; }
+  await sb.from("clauth_services").update({ vault_key: vaultKey, last_rotated: new Date().toISOString() }).eq("name", service);
+  await auditLog(sb, mh, service, "write", "success");
   return { success: true, service, vault_key: vaultKey };
 }
-async function handleEnable(sb: ReturnType<typeof createClient>, body: any, machine_hash: string) {
-  const { service, enabled } = body; // enabled: true | false
-  const target = service === "all" ? null : service;
-  let query = sb.from("clauth_services").update({ enabled });
-  if (target) query = query.eq("name", target);
-  else query = query.not("vault_key", "is", null); // only enable services with keys
-  const { error } = await query;
+async function handleEnable(sb: any, body: any, mh: string) {
+  const { service, enabled } = body;
+  let q = sb.from("clauth_services").update({ enabled });
+  q = service !== "all" ? q.eq("name", service) : q.not("vault_key", "is", null);
+  const { error } = await q;
   if (error) return { error: error.message };
-  await auditLog(sb, machine_hash, service, enabled ? "enable" : "disable", "success");
+  await auditLog(sb, mh, service, enabled ? "enable" : "disable", "success");
   return { success: true, service, enabled };
 }
-async function handleAdd(sb: ReturnType<typeof createClient>, body: any, machine_hash: string) {
+async function handleAdd(sb: any, body: any, mh: string) {
   const { name, label, key_type, description } = body;
   if (!name || !label || !key_type) return { error: "name, label, key_type required" };
-  const { error } = await sb.from("clauth_services").insert({
-    name, label, key_type, description: description || null
-  });
+  const { error } = await sb.from("clauth_services").insert({ name, label, key_type, description: description || null });
   if (error) return { error: error.message };
-  await auditLog(sb, machine_hash, name, "add", "success");
+  await auditLog(sb, mh, name, "add", "success");
   return { success: true, name, label, key_type };
 }
-async function handleRemove(sb: ReturnType<typeof createClient>, body: any, machine_hash: string) {
+async function handleRemove(sb: any, body: any, mh: string) {
   const { service, confirm } = body;
-  if (confirm !== `CONFIRM REMOVE ${service.toUpperCase()}`) {
-    return { error: "confirm phrase mismatch", required: `CONFIRM REMOVE ${service.toUpperCase()}` };
-  }
+  if (confirm !== `CONFIRM REMOVE ${service.toUpperCase()}`) return { error: "confirm phrase mismatch" };
   await sb.rpc("vault_delete_secret", { secret_name: `clauth.${service}` });
   await sb.from("clauth_services").delete().eq("name", service);
-  await auditLog(sb, machine_hash, service, "remove", "success");
+  await auditLog(sb, mh, service, "remove", "success");
   return { success: true, service };
 }
-async function handleRevoke(sb: ReturnType<typeof createClient>, body: any, machine_hash: string) {
+async function handleRevoke(sb: any, body: any, mh: string) {
   const { service, confirm } = body;
   const phrase = service === "all" ? "CONFIRM REVOKE ALL" : `CONFIRM REVOKE ${service.toUpperCase()}`;
-  if (confirm !== phrase) {
-    return { error: "confirm phrase mismatch", required: phrase };
-  }
+  if (confirm !== phrase) return { error: "confirm phrase mismatch", required: phrase };
   if (service === "all") {
     const { data: svcs } = await sb.from("clauth_services").select("name").not("vault_key", "is", null);
-    for (const s of svcs || []) {
-      await sb.rpc("vault_delete_secret", { secret_name: `clauth.${s.name}` });
-    }
+    for (const s of svcs || []) await sb.rpc("vault_delete_secret", { secret_name: `clauth.${s.name}` });
     await sb.from("clauth_services").update({ vault_key: null, enabled: false }).neq("id", "00000000-0000-0000-0000-000000000000");
   } else {
     await sb.rpc("vault_delete_secret", { secret_name: `clauth.${service}` });
     await sb.from("clauth_services").update({ vault_key: null, enabled: false }).eq("name", service);
   }
-  await auditLog(sb, machine_hash, service, "revoke", "success");
+  await auditLog(sb, mh, service, "revoke", "success");
   return { success: true, service };
 }
-async function handleStatus(sb: ReturnType<typeof createClient>, machine_hash: string) {
-  const { data: services } = await sb
-    .from("clauth_services")
-    .select("name, label, key_type, enabled, vault_key, last_retrieved, last_rotated, created_at")
-    .order("name");
-  await auditLog(sb, machine_hash, "all", "status", "success");
+async function handleStatus(sb: any, mh: string) {
+  const { data: services } = await sb.from("clauth_services")
+    .select("name, label, key_type, enabled, vault_key, last_retrieved, last_rotated, created_at").order("name");
+  await auditLog(sb, mh, "all", "status", "success");
   return { services: services || [] };
 }
-async function handleRegisterMachine(sb: ReturnType<typeof createClient>, body: any) {
+async function handleRegisterMachine(sb: any, body: any) {
   const { machine_hash, hmac_seed_hash, label, admin_token } = body;
-  // Bootstrap: requires a one-time admin token stored as env var
-  if (admin_token !== Deno.env.get("CLAUTH_ADMIN_BOOTSTRAP_TOKEN")) {
-    return { error: "invalid_admin_token" };
-  }
-  const { error } = await sb.from("clauth_machines").upsert({
-    machine_hash, hmac_seed_hash, label, enabled: true
-  }, { onConflict: "machine_hash" });
+  if (admin_token !== ADMIN_BOOTSTRAP_TOKEN) return { error: "invalid_admin_token" };
+  const { error } = await sb.from("clauth_machines").upsert(
+    { machine_hash, hmac_seed_hash, label, enabled: true, fail_count: 0, locked: false },
+    { onConflict: "machine_hash" }
+  );
   if (error) return { error: error.message };
   return { success: true, machine_hash };
 }
-// ============================================================
-// Main handler
-// ============================================================
 Deno.serve(async (req: Request) => {
-  const url = new URL(req.url);
-  const route = url.pathname.replace(/^\/auth-vault\/?/, "").replace(/^\//, "");
   if (req.method === "OPTIONS") {
-    return new Response(null, {
-      headers: {
-        "Access-Control-Allow-Origin": "*",
-        "Access-Control-Allow-Methods": "POST, OPTIONS",
-        "Access-Control-Allow-Headers": "Content-Type, Authorization"
-      }
-    });
+    return new Response(null, { headers: {
+      "Access-Control-Allow-Origin": "*",
+      "Access-Control-Allow-Methods": "POST, OPTIONS",
+      "Access-Control-Allow-Headers": "Content-Type, Authorization"
+    }});
   }
+  if (req.method !== "POST") return Response.json({ error: "POST only" }, { status: 405 });
-  if (req.method !== "POST") {
-    return Response.json({ error: "POST only" }, { status: 405 });
-  }
+  const url   = new URL(req.url);
+  const route = url.pathname.replace(/^\/auth-vault\/?/, "").replace(/^\//, "");
+  const body  = await req.json().catch(() => ({}));
+  const sb    = createClient(SUPABASE_URL, SERVICE_ROLE_KEY);
+  const ip    = getClientIP(req);
-  const body = await req.json().catch(() => ({}));
-  const sb = createClient(SUPABASE_URL, SERVICE_ROLE_KEY);
+  if (route === "register-machine") return Response.json(await handleRegisterMachine(sb, body));
-  // Bootstrap machine registration — no HMAC required, uses admin token
-  if (route === "register-machine") {
-    return Response.json(await handleRegisterMachine(sb, body));
+  const ipCheck = checkIP(ip);
+  if (!ipCheck.allowed) {
+    await auditLog(sb, body.machine_hash || "unknown", "system", route, "blocked", ipCheck.reason);
+    return Response.json({ error: "ip_blocked", reason: ipCheck.reason }, { status: 403 });
   }
-  // All other routes require HMAC validation
-  const authResult = await validateHMAC({
-    machine_hash: body.machine_hash,
-    token: body.token,
-    timestamp: body.timestamp,
-    password: body.password
-  });
+  if (body.machine_hash) {
+    const rateCheck = await checkRateLimit(sb, body.machine_hash);
+    if (!rateCheck.allowed) {
+      await auditLog(sb, body.machine_hash, "system", route, "rate_limited", rateCheck.reason);
+      return Response.json({ error: "rate_limited", reason: rateCheck.reason }, { status: 429 });
+    }
+  }
+  const authResult = await validateHMAC(sb, { machine_hash: body.machine_hash, token: body.token, timestamp: body.timestamp, password: body.password });
   if (!authResult.valid) {
     await auditLog(sb, body.machine_hash || "unknown", body.service || "unknown", route, "denied", authResult.reason);
     return Response.json({ error: "auth_failed", reason: authResult.reason }, { status: 401 });
   }
-  const machine_hash = body.machine_hash;
+  const mh = body.machine_hash;
   switch (route) {
-    case "retrieve":        return Response.json(await handleRetrieve(sb, body, machine_hash));
-    case "write":           return Response.json(await handleWrite(sb, body, machine_hash));
-    case "enable":          return Response.json(await handleEnable(sb, body, machine_hash));
-    case "add":             return Response.json(await handleAdd(sb, body, machine_hash));
-    case "remove":          return Response.json(await handleRemove(sb, body, machine_hash));
-    case "revoke":          return Response.json(await handleRevoke(sb, body, machine_hash));
-    case "status":          return Response.json(await handleStatus(sb, machine_hash));
-    case "test":            return Response.json({ valid: true, machine_hash, timestamp: body.timestamp });
-    default:                return Response.json({ error: "unknown_route", route }, { status: 404 });
+    case "retrieve": return Response.json(await handleRetrieve(sb, body, mh));
+    case "write":    return Response.json(await handleWrite(sb, body, mh));
+    case "enable":   return Response.json(await handleEnable(sb, body, mh));
+    case "add":      return Response.json(await handleAdd(sb, body, mh));
+    case "remove":   return Response.json(await handleRemove(sb, body, mh));
+    case "revoke":   return Response.json(await handleRevoke(sb, body, mh));
+    case "status":   return Response.json(await handleStatus(sb, mh));
+    case "test":     return Response.json({ valid: true, machine_hash: mh, timestamp: body.timestamp, ip });
+    default:         return Response.json({ error: "unknown_route", route }, { status: 404 });
   }
 });

package/supabase/migrations/20260317_lockout.sql ADDED Viewed

@@ -0,0 +1,26 @@
+-- Migration: add fail_count and locked to clauth_machines
+-- Run via: clauth install (picks this up automatically) or apply manually
+ALTER TABLE clauth_machines
+  ADD COLUMN IF NOT EXISTS fail_count  INTEGER NOT NULL DEFAULT 0,
+  ADD COLUMN IF NOT EXISTS locked      BOOLEAN NOT NULL DEFAULT false;
+-- Index for fast lockout checks
+CREATE INDEX IF NOT EXISTS idx_clauth_machines_locked
+  ON clauth_machines (machine_hash, locked);
+-- Admin helper: unlock a machine
+-- Usage: SELECT clauth_unlock_machine('your_machine_hash');
+CREATE OR REPLACE FUNCTION clauth_unlock_machine(p_machine_hash TEXT)
+RETURNS void
+LANGUAGE plpgsql
+SECURITY DEFINER
+AS $$
+BEGIN
+  UPDATE clauth_machines
+  SET locked = false, fail_count = 0
+  WHERE machine_hash = p_machine_hash;
+END;
+$$;
+REVOKE EXECUTE ON FUNCTION clauth_unlock_machine(TEXT) FROM PUBLIC;