npm - @lifeaitools/clauth - Versions diffs - 0.3.1 → 0.3.6 - Mend

@lifeaitools/clauth 0.3.1 → 0.3.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/cli/api.js +4 -0
package/cli/commands/serve.js +672 -29
package/cli/index.js +492 -500
package/package.json +1 -1
package/supabase/functions/auth-vault/index.ts +14 -2

package/cli/index.js CHANGED Viewed

@@ -1,500 +1,492 @@
-#!/usr/bin/env node
-// cli/index.js — clauth entry point
-import { Command } from "commander";
-import chalk from "chalk";
-import ora from "ora";
-import inquirer from "inquirer";
-import Conf from "conf";
-import { getMachineHash, deriveToken, deriveSeedHash } from "./fingerprint.js";
-import * as api from "./api.js";
-import os from "os";
-const config = new Conf({ projectName: "clauth" });
-const VERSION = "0.3.1";
-// ============================================================
-// Password prompt helper
-// ============================================================
-async function promptPassword(message = "clauth password") {
-  const { pw } = await inquirer.prompt([{
-    type: "password",
-    name: "pw",
-    message,
-    mask: "*",
-    validate: v => v.length >= 8 || "Password must be at least 8 characters"
-  }]);
-  return pw;
-}
-// ============================================================
-// Auth helper — get pw + derive token
-// ============================================================
-async function getAuth(pw) {
-  const password = pw || await promptPassword();
-  const machineHash = getMachineHash();
-  const { token, timestamp } = deriveToken(password, machineHash);
-  return { password, machineHash, token, timestamp };
-}
-// ============================================================
-// Program
-// ============================================================
-const program = new Command();
-program
-  .name("clauth")
-  .version(VERSION)
-  .description(chalk.cyan("🔐 clauth") + " — Hardware-bound credential vault for LIFEAI infrastructure");
-// ──────────────────────────────────────────────
-// clauth install  (Supabase provisioning + skill install + test)
-// ──────────────────────────────────────────────
-import { runInstall } from './commands/install.js';
-import { runUninstall } from './commands/uninstall.js';
-import { runScrub } from './commands/scrub.js';
-import { runServe } from './commands/serve.js';
-program
-  .command('install')
-  .description('Provision Supabase, deploy Edge Function, install Claude skill')
-  .option('--ref <ref>', 'Supabase project ref')
-  .option('--pat <pat>', 'Supabase Personal Access Token')
-  .action(async (opts) => {
-    await runInstall(opts);
-  });
-program
-  .command('uninstall')
-  .description('Full teardown — drop DB objects, Edge Function, secrets, skill, config')
-  .option('--ref <ref>', 'Supabase project ref')
-  .option('--pat <pat>', 'Supabase Personal Access Token (required)')
-  .option('--yes', 'Skip confirmation prompt')
-  .action(async (opts) => {
-    if (!opts.yes) {
-      const inquirerMod = await import('inquirer');
-      const { confirm } = await inquirerMod.default.prompt([{
-        type: 'input',
-        name: 'confirm',
-        message: chalk.red('Type "CONFIRM UNINSTALL" to proceed:'),
-      }]);
-      if (confirm !== 'CONFIRM UNINSTALL') {
-        console.log(chalk.yellow('\n  Uninstall cancelled.\n'));
-        process.exit(0);
-      }
-    }
-    await runUninstall(opts);
-  });
-// ──────────────────────────────────────────────
-// clauth setup
-// ──────────────────────────────────────────────
-program
-  .command("setup")
-  .description("Register this machine with the vault (run after clauth install)")
-  .option("--admin-token <token>", "Bootstrap token (from clauth install output)")
-  .option("--label <label>", "Human label for this machine")
-  .option("-p, --pw <password>", "Password (skip interactive prompt)")
-  .action(async (opts) => {
-    console.log(chalk.cyan("\n🔐 clauth setup\n"));
-    // URL + anon key already saved by clauth install — fail fast if missing
-    const savedUrl  = config.get("supabase_url");
-    const savedAnon = config.get("supabase_anon_key");
-    if (!savedUrl || !savedAnon) {
-      console.log(chalk.yellow("  Supabase config not found. Run clauth install first.\n"));
-      process.exit(1);
-    }
-    console.log(chalk.gray(`  Project: ${savedUrl}\n`));
-    let answers;
-    if (opts.pw && opts.adminToken) {
-      // Non-interactive mode — all flags provided
-      answers = { label: opts.label || os.hostname(), pw: opts.pw, adminTk: opts.adminToken };
-    } else {
-      answers = await inquirer.prompt([
-        { type: "input",    name: "label",   message: "Machine label:",   default: opts.label || os.hostname() },
-        { type: "password", name: "pw",      message: "Set password:",    mask: "*", default: opts.pw || "" },
-        { type: "password", name: "adminTk", message: "Bootstrap token:", mask: "*",
-          default: opts.adminToken || "" },
-      ]);
-    }
-    const spinner = ora("Registering machine with vault...").start();
-    try {
-      const machineHash = getMachineHash();
-      const seedHash = deriveSeedHash(machineHash, answers.pw);
-      const result = await api.registerMachine(machineHash, seedHash, answers.label, answers.adminTk);
-      if (result.error) throw new Error(result.error);
-      spinner.succeed(chalk.green(`Machine registered: ${machineHash.slice(0,12)}...`));
-      console.log(chalk.green("\n✓ clauth is ready.\n"));
-      console.log(chalk.cyan("  clauth test     — verify connection"));
-      console.log(chalk.cyan("  clauth status   — see all services\n"));
-    } catch (err) {
-      spinner.fail(chalk.red(`Setup failed: ${err.message}`));
-      process.exit(1);
-    }
-  });
-// ──────────────────────────────────────────────
-// clauth status
-// ──────────────────────────────────────────────
-program
-  .command("status")
-  .description("Show all services and their state")
-  .option("-p, --pw <password>", "Password (or will prompt)")
-  .action(async (opts) => {
-    const auth = await getAuth(opts.pw);
-    const spinner = ora("Fetching service status...").start();
-    try {
-      const result = await api.status(auth.password, auth.machineHash, auth.token, auth.timestamp);
-      spinner.stop();
-      if (result.error) { console.log(chalk.red(`Error: ${result.error}`)); return; }
-      console.log(chalk.cyan("\n🔐 clauth service status\n"));
-      console.log(
-        chalk.bold(
-          "  " + "SERVICE".padEnd(20) + "TYPE".padEnd(12) + "STATUS".padEnd(12) +
-          "KEY STORED".padEnd(12) + "LAST RETRIEVED"
-        )
-      );
-      console.log("  " + "─".repeat(72));
-      for (const s of result.services || []) {
-        const status = s.enabled
-          ? chalk.green("ACTIVE".padEnd(12))
-          : s.vault_key
-            ? chalk.yellow("SUSPENDED".padEnd(12))
-            : chalk.gray("NO KEY".padEnd(12));
-        const hasKey = s.vault_key ? chalk.green("✓".padEnd(12)) : chalk.gray("—".padEnd(12));
-        const lastGet = s.last_retrieved
-          ? new Date(s.last_retrieved).toLocaleDateString()
-          : chalk.gray("never");
-        console.log(`  ${s.name.padEnd(20)}${s.key_type.padEnd(12)}${status}${hasKey}${lastGet}`);
-      }
-      console.log();
-    } catch (err) {
-      spinner.fail(chalk.red(err.message));
-    }
-  });
-// ──────────────────────────────────────────────
-// clauth write pw <new_password>
-// clauth write params
-// clauth write key <service> <value>
-// ──────────────────────────────────────────────
-const writeCmd = program.command("write").description("Write credentials or update auth parameters");
-writeCmd
-  .command("pw [newpw]")
-  .description("Set or update clauth master password")
-  .action(async (newpw) => {
-    console.log(chalk.cyan("\n🔐 clauth write pw\n"));
-    const current = await promptPassword("Current password (to verify)");
-    const pw = newpw || (await inquirer.prompt([
-      { type: "password", name: "p", message: "New password:", mask: "*" },
-      { type: "password", name: "c", message: "Confirm new password:", mask: "*" }
-    ]).then(a => { if (a.p !== a.c) { console.log(chalk.red("Passwords don't match")); process.exit(1); } return a.p; }));
-    // Re-register machine with new seed hash
-    const machineHash = getMachineHash();
-    const newSeedHash = deriveSeedHash(machineHash, pw);
-    const { token, timestamp } = deriveToken(current, machineHash);
-    const adminToken = await inquirer.prompt([{
-      type: "password", name: "t", message: "Admin bootstrap token (required for re-registration):", mask: "*"
-    }]).then(a => a.t);
-    const spinner = ora("Updating password and re-registering machine...").start();
-    try {
-      const result = await api.registerMachine(machineHash, newSeedHash, null, adminToken);
-      if (result.error) throw new Error(result.error);
-      spinner.succeed(chalk.green("Password updated and machine re-registered."));
-    } catch (err) {
-      spinner.fail(chalk.red(err.message));
-    }
-  });
-writeCmd
-  .command("params")
-  .description("Re-read hardware fingerprint (use after hardware change)")
-  .action(async () => {
-    const spinner = ora("Reading hardware fingerprint...").start();
-    try {
-      const hash = getMachineHash();
-      spinner.succeed(chalk.green(`Machine hash: ${hash.slice(0,16)}...`));
-      console.log(chalk.gray("Full hash: " + hash));
-    } catch (err) {
-      spinner.fail(chalk.red(err.message));
-    }
-  });
-writeCmd
-  .command("key <service> [value]")
-  .description("Write a credential into vault for a service")
-  .option("-p, --pw <password>", "Password")
-  .action(async (service, value, opts) => {
-    const auth = await getAuth(opts.pw);
-    let val = value;
-    if (!val) {
-      const { v } = await inquirer.prompt([{ type: "password", name: "v", message: `Value for ${service}:`, mask: "*" }]);
-      val = v;
-    }
-    const spinner = ora(`Writing key for ${service}...`).start();
-    try {
-      const result = await api.write(auth.password, auth.machineHash, auth.token, auth.timestamp, service, val);
-      if (result.error) throw new Error(result.error);
-      spinner.succeed(chalk.green(`Key stored in vault: auth.${service}`));
-    } catch (err) {
-      spinner.fail(chalk.red(err.message));
-    }
-  });
-// ──────────────────────────────────────────────
-// clauth enable <service|all>
-// clauth disable <service|all>
-// ──────────────────────────────────────────────
-program
-  .command("enable <service>")
-  .description("Enable a service (or 'all')")
-  .option("-p, --pw <password>")
-  .action(async (service, opts) => {
-    const auth = await getAuth(opts.pw);
-    const spinner = ora(`Enabling ${service}...`).start();
-    try {
-      const result = await api.enable(auth.password, auth.machineHash, auth.token, auth.timestamp, service, true);
-      if (result.error) throw new Error(result.error);
-      spinner.succeed(chalk.green(`Enabled: ${service}`));
-    } catch (err) { spinner.fail(chalk.red(err.message)); }
-  });
-program
-  .command("disable <service>")
-  .description("Disable a service (or 'all')")
-  .option("-p, --pw <password>")
-  .action(async (service, opts) => {
-    const auth = await getAuth(opts.pw);
-    const spinner = ora(`Disabling ${service}...`).start();
-    try {
-      const result = await api.enable(auth.password, auth.machineHash, auth.token, auth.timestamp, service, false);
-      if (result.error) throw new Error(result.error);
-      spinner.succeed(chalk.yellow(`Disabled: ${service}`));
-    } catch (err) { spinner.fail(chalk.red(err.message)); }
-  });
-// ──────────────────────────────────────────────
-// clauth add service <name>
-// clauth remove service <name>
-// clauth list services
-// ──────────────────────────────────────────────
-const addCmd = program.command("add").description("Add resources to the registry");
-addCmd
-  .command("service <name>")
-  .description("Register a new service slot")
-  .option("--type <type>", "Key type: token | keypair | connstring | oauth")
-  .option("--label <label>", "Human-readable label")
-  .option("--description <desc>", "Description")
-  .option("-p, --pw <password>")
-  .action(async (name, opts) => {
-    const auth = await getAuth(opts.pw);
-    let answers;
-    if (opts.type && opts.label) {
-      // Non-interactive — all flags provided
-      answers = { label: opts.label, key_type: opts.type, desc: opts.description || "" };
-    } else {
-      answers = await inquirer.prompt([
-        { type: "input",  name: "label", message: "Label:", default: opts.label || name },
-        { type: "list",   name: "key_type", message: "Key type:", choices: ["token","keypair","connstring","oauth"], default: opts.type || "token" },
-        { type: "input",  name: "desc",  message: "Description (optional):", default: opts.description || "" }
-      ]);
-    }
-    const spinner = ora(`Adding service: ${name}...`).start();
-    try {
-      const result = await api.addService(
-        auth.password, auth.machineHash, auth.token, auth.timestamp,
-        name, answers.label, answers.key_type, answers.desc
-      );
-      if (result.error) throw new Error(result.error);
-      spinner.succeed(chalk.green(`Service added: ${name} (${answers.key_type})`));
-      console.log(chalk.gray(`  Next: clauth write key ${name}`));
-    } catch (err) { spinner.fail(chalk.red(err.message)); }
-  });
-const removeCmd = program.command("remove").description("Remove resources from the registry");
-removeCmd
-  .command("service <name>")
-  .description("Remove a service and its key from vault")
-  .option("-p, --pw <password>")
-  .action(async (name, opts) => {
-    const { confirm } = await inquirer.prompt([{
-      type: "input", name: "confirm",
-      message: chalk.red(`Type "CONFIRM REMOVE ${name.toUpperCase()}" to proceed:`)
-    }]);
-    const auth = await getAuth(opts.pw);
-    const spinner = ora(`Removing ${name}...`).start();
-    try {
-      const result = await api.removeService(auth.password, auth.machineHash, auth.token, auth.timestamp, name, confirm);
-      if (result.error) throw new Error(result.error);
-      spinner.succeed(chalk.yellow(`Removed: ${name}`));
-    } catch (err) { spinner.fail(chalk.red(err.message)); }
-  });
-program
-  .command("list")
-  .description("List all registered services")
-  .option("-p, --pw <password>")
-  .action(async (opts) => {
-    const auth = await getAuth(opts.pw);
-    const result = await api.status(auth.password, auth.machineHash, auth.token, auth.timestamp);
-    if (result.error) { console.log(chalk.red(result.error)); return; }
-    console.log(chalk.cyan("\n Registered services:\n"));
-    for (const s of result.services || []) {
-      console.log(`  ${chalk.bold(s.name.padEnd(20))} ${chalk.gray(s.key_type.padEnd(12))} ${chalk.gray(s.description || "")}`);
-    }
-    console.log();
-  });
-// ──────────────────────────────────────────────
-// clauth test <service|all>
-// ──────────────────────────────────────────────
-program
-  .command("test [service]")
-  .description("Test HMAC handshake — no key returned")
-  .option("-p, --pw <password>")
-  .action(async (service, opts) => {
-    const auth = await getAuth(opts.pw);
-    const spinner = ora("Testing auth handshake...").start();
-    try {
-      const result = await api.test(auth.password, auth.machineHash, auth.token, auth.timestamp);
-      if (result.error) throw new Error(`${result.error}: ${result.reason}`);
-      spinner.succeed(chalk.green("PASS — HMAC validated"));
-      console.log(chalk.gray(`  Machine: ${auth.machineHash.slice(0,16)}...`));
-      console.log(chalk.gray(`  Window:  ${new Date(result.timestamp).toISOString()}`));
-    } catch (err) {
-      spinner.fail(chalk.red("FAIL — " + err.message));
-    }
-  });
-// ──────────────────────────────────────────────
-// clauth get <service>
-// ──────────────────────────────────────────────
-program
-  .command("get <service>")
-  .description("Retrieve a key from vault")
-  .option("-p, --pw <password>")
-  .option("--json", "Output raw JSON")
-  .action(async (service, opts) => {
-    const auth = await getAuth(opts.pw);
-    const spinner = ora(`Retrieving ${service}...`).start();
-    try {
-      const result = await api.retrieve(auth.password, auth.machineHash, auth.token, auth.timestamp, service);
-      spinner.stop();
-      if (result.error) { console.log(chalk.red(`Error: ${result.error}`)); return; }
-      if (opts.json) {
-        console.log(JSON.stringify(result, null, 2));
-      } else {
-        console.log(chalk.cyan(`\n🔑 ${service} (${result.key_type})\n`));
-        const val = typeof result.value === "string" ? result.value : JSON.stringify(result.value, null, 2);
-        console.log(val);
-        console.log();
-      }
-    } catch (err) {
-      spinner.fail(chalk.red(err.message));
-    }
-  });
-// ──────────────────────────────────────────────
-// clauth revoke <service|all>
-// ──────────────────────────────────────────────
-program
-  .command("revoke <service>")
-  .description("Delete key from vault (destructive)")
-  .option("-p, --pw <password>")
-  .action(async (service, opts) => {
-    const phrase = service === "all" ? "CONFIRM REVOKE ALL" : `CONFIRM REVOKE ${service.toUpperCase()}`;
-    const { confirm } = await inquirer.prompt([{
-      type: "input", name: "confirm",
-      message: chalk.red(`Type "${phrase}" to proceed:`)
-    }]);
-    const auth = await getAuth(opts.pw);
-    const spinner = ora(`Revoking ${service}...`).start();
-    try {
-      const result = await api.revoke(auth.password, auth.machineHash, auth.token, auth.timestamp, service, confirm);
-      if (result.error) throw new Error(result.error);
-      spinner.succeed(chalk.yellow(`Revoked: ${service}`));
-    } catch (err) { spinner.fail(chalk.red(err.message)); }
-  });
-// ──────────────────────────────────────────────
-// clauth scrub [target]
-// ──────────────────────────────────────────────
-program
-  .command("scrub [target]")
-  .description("Scrub credentials from Claude Code transcript logs (no auth required)")
-  .option("--force", "Rescrub files even if already marked clean")
-  .addHelpText("after", `
-Examples:
-  clauth scrub              Scrub the most recent (active) transcript
-  clauth scrub <file>       Scrub a specific .jsonl file
-  clauth scrub all          Scrub every transcript in ~/.claude/projects/
-  clauth scrub all --force  Rescrub all files (ignore markers)
-`)
-  .action(async (target, opts) => {
-    await runScrub(target, opts);
-  });
-// ──────────────────────────────────────────────
-// clauth --help override banner
-// ──────────────────────────────────────────────
-program.addHelpText("beforeAll", chalk.cyan(`
-  ██████╗██╗      █████╗ ██╗   ██╗████████╗██╗  ██╗
- ██╔════╝██║     ██╔══██╗██║   ██║╚══██╔══╝██║  ██║
- ██║     ██║     ███████║██║   ██║   ██║   ███████║
- ██║     ██║     ██╔══██║██║   ██║   ██║   ██╔══██║
- ╚██████╗███████╗██║  ██║╚██████╔╝   ██║   ██║  ██║
-  ╚═════╝╚══════╝╚═╝  ╚═╝ ╚═════╝    ╚═╝   ╚═╝  ╚═╝
-  v${VERSION} — LIFEAI Credential Vault
-`));
-// ──────────────────────────────────────────────
-// clauth serve [action]
-// ──────────────────────────────────────────────
-program
-  .command("serve [action]")
-  .description("Manage localhost HTTP vault daemon (start|stop|restart|ping)")
-  .option("--port <n>", "Port (default: 52437)")
-  .option("-p, --pw <password>", "clauth password (required for start/restart)")
-  .option("--services <list>", "Comma-separated service whitelist (default: all)")
-  .option("--action <action>", "Internal: action override for daemon child")
-  .addHelpText("after", `
-Actions:
-  start       Start the server as a background daemon
-  stop        Stop the running daemon
-  restart     Stop + start
-  ping        Check if the daemon is running
-  foreground  Run in foreground (Ctrl+C to stop) — default if no action given
-Examples:
-  clauth serve -p mypass                 Run in foreground (original behavior)
-  clauth serve start -p mypass           Start as background daemon
-  clauth serve stop                      Stop the daemon
-  clauth serve ping                      Check status
-  clauth serve restart -p mypass         Restart the daemon
-  clauth serve start --services github,vercel -p mypass
-`)
-  .action(async (action, opts) => {
-    const resolvedAction = opts.action || action || "foreground";
-    // stop and ping don't need a password
-    if (!["stop", "ping"].includes(resolvedAction) && !opts.pw) {
-      console.log(chalk.red("\n  --pw is required for serve mode\n"));
-      console.log(chalk.gray("  Example: clauth serve start --pw yourpassword\n"));
-      process.exit(1);
-    }
-    await runServe({ ...opts, action: resolvedAction });
-  });
-program.parse(process.argv);
+#!/usr/bin/env node
+// cli/index.js — clauth entry point
+import { Command } from "commander";
+import chalk from "chalk";
+import ora from "ora";
+import inquirer from "inquirer";
+import Conf from "conf";
+import { getMachineHash, deriveToken, deriveSeedHash } from "./fingerprint.js";
+import * as api from "./api.js";
+import os from "os";
+const config = new Conf({ projectName: "clauth" });
+const VERSION = "0.3.4";
+// ============================================================
+// Password prompt helper
+// ============================================================
+async function promptPassword(message = "clauth password") {
+  const { pw } = await inquirer.prompt([{
+    type: "password",
+    name: "pw",
+    message,
+    mask: "*",
+    validate: v => v.length >= 8 || "Password must be at least 8 characters"
+  }]);
+  return pw;
+}
+// ============================================================
+// Auth helper — get pw + derive token
+// ============================================================
+async function getAuth(pw) {
+  const password = pw || await promptPassword();
+  const machineHash = getMachineHash();
+  const { token, timestamp } = deriveToken(password, machineHash);
+  return { password, machineHash, token, timestamp };
+}
+// ============================================================
+// Program
+// ============================================================
+const program = new Command();
+program
+  .name("clauth")
+  .version(VERSION)
+  .description(chalk.cyan("🔐 clauth") + " — Hardware-bound credential vault for LIFEAI infrastructure");
+// ──────────────────────────────────────────────
+// clauth install  (Supabase provisioning + skill install + test)
+// ──────────────────────────────────────────────
+import { runInstall } from './commands/install.js';
+import { runUninstall } from './commands/uninstall.js';
+import { runScrub } from './commands/scrub.js';
+import { runServe } from './commands/serve.js';
+program
+  .command('install')
+  .description('Provision Supabase, deploy Edge Function, install Claude skill')
+  .option('--ref <ref>', 'Supabase project ref')
+  .option('--pat <pat>', 'Supabase Personal Access Token')
+  .action(async (opts) => {
+    await runInstall(opts);
+  });
+program
+  .command('uninstall')
+  .description('Full teardown — drop DB objects, Edge Function, secrets, skill, config')
+  .option('--ref <ref>', 'Supabase project ref')
+  .option('--pat <pat>', 'Supabase Personal Access Token (required)')
+  .option('--yes', 'Skip confirmation prompt')
+  .action(async (opts) => {
+    if (!opts.yes) {
+      const inquirerMod = await import('inquirer');
+      const { confirm } = await inquirerMod.default.prompt([{
+        type: 'input',
+        name: 'confirm',
+        message: chalk.red('Type "CONFIRM UNINSTALL" to proceed:'),
+      }]);
+      if (confirm !== 'CONFIRM UNINSTALL') {
+        console.log(chalk.yellow('\n  Uninstall cancelled.\n'));
+        process.exit(0);
+      }
+    }
+    await runUninstall(opts);
+  });
+// ──────────────────────────────────────────────
+// clauth setup
+// ──────────────────────────────────────────────
+program
+  .command("setup")
+  .description("Register this machine with the vault (run after clauth install)")
+  .option("--admin-token <token>", "Bootstrap token (from clauth install output)")
+  .option("--label <label>", "Human label for this machine")
+  .option("-p, --pw <password>", "Password (skip interactive prompt)")
+  .action(async (opts) => {
+    console.log(chalk.cyan("\n🔐 clauth setup\n"));
+    // URL + anon key already saved by clauth install — fail fast if missing
+    const savedUrl  = config.get("supabase_url");
+    const savedAnon = config.get("supabase_anon_key");
+    if (!savedUrl || !savedAnon) {
+      console.log(chalk.yellow("  Supabase config not found. Run clauth install first.\n"));
+      process.exit(1);
+    }
+    console.log(chalk.gray(`  Project: ${savedUrl}\n`));
+    let answers;
+    if (opts.pw && opts.adminToken) {
+      // Non-interactive mode — all flags provided
+      answers = { label: opts.label || os.hostname(), pw: opts.pw, adminTk: opts.adminToken };
+    } else {
+      answers = await inquirer.prompt([
+        { type: "input",    name: "label",   message: "Machine label:",   default: opts.label || os.hostname() },
+        { type: "password", name: "pw",      message: "Set password:",    mask: "*", default: opts.pw || "" },
+        { type: "password", name: "adminTk", message: "Bootstrap token:", mask: "*",
+          default: opts.adminToken || "" },
+      ]);
+    }
+    const spinner = ora("Registering machine with vault...").start();
+    try {
+      const machineHash = getMachineHash();
+      const seedHash = deriveSeedHash(machineHash, answers.pw);
+      const result = await api.registerMachine(machineHash, seedHash, answers.label, answers.adminTk);
+      if (result.error) throw new Error(result.error);
+      spinner.succeed(chalk.green(`Machine registered: ${machineHash.slice(0,12)}...`));
+      console.log(chalk.green("\n✓ clauth is ready.\n"));
+      console.log(chalk.cyan("  clauth test     — verify connection"));
+      console.log(chalk.cyan("  clauth status   — see all services\n"));
+    } catch (err) {
+      spinner.fail(chalk.red(`Setup failed: ${err.message}`));
+      process.exit(1);
+    }
+  });
+// ──────────────────────────────────────────────
+// clauth status
+// ──────────────────────────────────────────────
+program
+  .command("status")
+  .description("Show all services and their state")
+  .option("-p, --pw <password>", "Password (or will prompt)")
+  .action(async (opts) => {
+    const auth = await getAuth(opts.pw);
+    const spinner = ora("Fetching service status...").start();
+    try {
+      const result = await api.status(auth.password, auth.machineHash, auth.token, auth.timestamp);
+      spinner.stop();
+      if (result.error) { console.log(chalk.red(`Error: ${result.error}`)); return; }
+      console.log(chalk.cyan("\n🔐 clauth service status\n"));
+      console.log(
+        chalk.bold(
+          "  " + "SERVICE".padEnd(20) + "TYPE".padEnd(12) + "STATUS".padEnd(12) +
+          "KEY STORED".padEnd(12) + "LAST RETRIEVED"
+        )
+      );
+      console.log("  " + "─".repeat(72));
+      for (const s of result.services || []) {
+        const status = s.enabled
+          ? chalk.green("ACTIVE".padEnd(12))
+          : s.vault_key
+            ? chalk.yellow("SUSPENDED".padEnd(12))
+            : chalk.gray("NO KEY".padEnd(12));
+        const hasKey = s.vault_key ? chalk.green("✓".padEnd(12)) : chalk.gray("—".padEnd(12));
+        const lastGet = s.last_retrieved
+          ? new Date(s.last_retrieved).toLocaleDateString()
+          : chalk.gray("never");
+        console.log(`  ${s.name.padEnd(20)}${s.key_type.padEnd(12)}${status}${hasKey}${lastGet}`);
+      }
+      console.log();
+    } catch (err) {
+      spinner.fail(chalk.red(err.message));
+    }
+  });
+// ──────────────────────────────────────────────
+// clauth write pw <new_password>
+// clauth write params
+// clauth write key <service> <value>
+// ──────────────────────────────────────────────
+const writeCmd = program.command("write").description("Write credentials or update auth parameters");
+writeCmd
+  .command("pw [newpw]")
+  .description("Set or update clauth master password")
+  .action(async (newpw) => {
+    console.log(chalk.cyan("\n🔐 clauth write pw\n"));
+    const current = await promptPassword("Current password (to verify)");
+    const pw = newpw || (await inquirer.prompt([
+      { type: "password", name: "p", message: "New password:", mask: "*" },
+      { type: "password", name: "c", message: "Confirm new password:", mask: "*" }
+    ]).then(a => { if (a.p !== a.c) { console.log(chalk.red("Passwords don't match")); process.exit(1); } return a.p; }));
+    // Re-register machine with new seed hash
+    const machineHash = getMachineHash();
+    const newSeedHash = deriveSeedHash(machineHash, pw);
+    const { token, timestamp } = deriveToken(current, machineHash);
+    const adminToken = await inquirer.prompt([{
+      type: "password", name: "t", message: "Admin bootstrap token (required for re-registration):", mask: "*"
+    }]).then(a => a.t);
+    const spinner = ora("Updating password and re-registering machine...").start();
+    try {
+      const result = await api.registerMachine(machineHash, newSeedHash, null, adminToken);
+      if (result.error) throw new Error(result.error);
+      spinner.succeed(chalk.green("Password updated and machine re-registered."));
+    } catch (err) {
+      spinner.fail(chalk.red(err.message));
+    }
+  });
+writeCmd
+  .command("params")
+  .description("Re-read hardware fingerprint (use after hardware change)")
+  .action(async () => {
+    const spinner = ora("Reading hardware fingerprint...").start();
+    try {
+      const hash = getMachineHash();
+      spinner.succeed(chalk.green(`Machine hash: ${hash.slice(0,16)}...`));
+      console.log(chalk.gray("Full hash: " + hash));
+    } catch (err) {
+      spinner.fail(chalk.red(err.message));
+    }
+  });
+writeCmd
+  .command("key <service> [value]")
+  .description("Write a credential into vault for a service")
+  .option("-p, --pw <password>", "Password")
+  .action(async (service, value, opts) => {
+    const auth = await getAuth(opts.pw);
+    let val = value;
+    if (!val) {
+      const { v } = await inquirer.prompt([{ type: "password", name: "v", message: `Value for ${service}:`, mask: "*" }]);
+      val = v;
+    }
+    const spinner = ora(`Writing key for ${service}...`).start();
+    try {
+      const result = await api.write(auth.password, auth.machineHash, auth.token, auth.timestamp, service, val);
+      if (result.error) throw new Error(result.error);
+      spinner.succeed(chalk.green(`Key stored in vault: auth.${service}`));
+    } catch (err) {
+      spinner.fail(chalk.red(err.message));
+    }
+  });
+// ──────────────────────────────────────────────
+// clauth enable <service|all>
+// clauth disable <service|all>
+// ──────────────────────────────────────────────
+program
+  .command("enable <service>")
+  .description("Enable a service (or 'all')")
+  .option("-p, --pw <password>")
+  .action(async (service, opts) => {
+    const auth = await getAuth(opts.pw);
+    const spinner = ora(`Enabling ${service}...`).start();
+    try {
+      const result = await api.enable(auth.password, auth.machineHash, auth.token, auth.timestamp, service, true);
+      if (result.error) throw new Error(result.error);
+      spinner.succeed(chalk.green(`Enabled: ${service}`));
+    } catch (err) { spinner.fail(chalk.red(err.message)); }
+  });
+program
+  .command("disable <service>")
+  .description("Disable a service (or 'all')")
+  .option("-p, --pw <password>")
+  .action(async (service, opts) => {
+    const auth = await getAuth(opts.pw);
+    const spinner = ora(`Disabling ${service}...`).start();
+    try {
+      const result = await api.enable(auth.password, auth.machineHash, auth.token, auth.timestamp, service, false);
+      if (result.error) throw new Error(result.error);
+      spinner.succeed(chalk.yellow(`Disabled: ${service}`));
+    } catch (err) { spinner.fail(chalk.red(err.message)); }
+  });
+// ──────────────────────────────────────────────
+// clauth add service <name>
+// clauth remove service <name>
+// clauth list services
+// ──────────────────────────────────────────────
+const addCmd = program.command("add").description("Add resources to the registry");
+addCmd
+  .command("service <name>")
+  .description("Register a new service slot")
+  .option("--type <type>", "Key type: token | keypair | connstring | oauth")
+  .option("--label <label>", "Human-readable label")
+  .option("--description <desc>", "Description")
+  .option("-p, --pw <password>")
+  .action(async (name, opts) => {
+    const auth = await getAuth(opts.pw);
+    let answers;
+    if (opts.type && opts.label) {
+      // Non-interactive — all flags provided
+      answers = { label: opts.label, key_type: opts.type, desc: opts.description || "" };
+    } else {
+      answers = await inquirer.prompt([
+        { type: "input",  name: "label", message: "Label:", default: opts.label || name },
+        { type: "list",   name: "key_type", message: "Key type:", choices: ["token","keypair","connstring","oauth"], default: opts.type || "token" },
+        { type: "input",  name: "desc",  message: "Description (optional):", default: opts.description || "" }
+      ]);
+    }
+    const spinner = ora(`Adding service: ${name}...`).start();
+    try {
+      const result = await api.addService(
+        auth.password, auth.machineHash, auth.token, auth.timestamp,
+        name, answers.label, answers.key_type, answers.desc
+      );
+      if (result.error) throw new Error(result.error);
+      spinner.succeed(chalk.green(`Service added: ${name} (${answers.key_type})`));
+      console.log(chalk.gray(`  Next: clauth write key ${name}`));
+    } catch (err) { spinner.fail(chalk.red(err.message)); }
+  });
+const removeCmd = program.command("remove").description("Remove resources from the registry");
+removeCmd
+  .command("service <name>")
+  .description("Remove a service and its key from vault")
+  .option("-p, --pw <password>")
+  .action(async (name, opts) => {
+    const { confirm } = await inquirer.prompt([{
+      type: "input", name: "confirm",
+      message: chalk.red(`Type "CONFIRM REMOVE ${name.toUpperCase()}" to proceed:`)
+    }]);
+    const auth = await getAuth(opts.pw);
+    const spinner = ora(`Removing ${name}...`).start();
+    try {
+      const result = await api.removeService(auth.password, auth.machineHash, auth.token, auth.timestamp, name, confirm);
+      if (result.error) throw new Error(result.error);
+      spinner.succeed(chalk.yellow(`Removed: ${name}`));
+    } catch (err) { spinner.fail(chalk.red(err.message)); }
+  });
+program
+  .command("list")
+  .description("List all registered services")
+  .option("-p, --pw <password>")
+  .action(async (opts) => {
+    const auth = await getAuth(opts.pw);
+    const result = await api.status(auth.password, auth.machineHash, auth.token, auth.timestamp);
+    if (result.error) { console.log(chalk.red(result.error)); return; }
+    console.log(chalk.cyan("\n Registered services:\n"));
+    for (const s of result.services || []) {
+      console.log(`  ${chalk.bold(s.name.padEnd(20))} ${chalk.gray(s.key_type.padEnd(12))} ${chalk.gray(s.description || "")}`);
+    }
+    console.log();
+  });
+// ──────────────────────────────────────────────
+// clauth test <service|all>
+// ──────────────────────────────────────────────
+program
+  .command("test [service]")
+  .description("Test HMAC handshake — no key returned")
+  .option("-p, --pw <password>")
+  .action(async (service, opts) => {
+    const auth = await getAuth(opts.pw);
+    const spinner = ora("Testing auth handshake...").start();
+    try {
+      const result = await api.test(auth.password, auth.machineHash, auth.token, auth.timestamp);
+      if (result.error) throw new Error(`${result.error}: ${result.reason}`);
+      spinner.succeed(chalk.green("PASS — HMAC validated"));
+      console.log(chalk.gray(`  Machine: ${auth.machineHash.slice(0,16)}...`));
+      console.log(chalk.gray(`  Window:  ${new Date(result.timestamp).toISOString()}`));
+    } catch (err) {
+      spinner.fail(chalk.red("FAIL — " + err.message));
+    }
+  });
+// ──────────────────────────────────────────────
+// clauth get <service>
+// ──────────────────────────────────────────────
+program
+  .command("get <service>")
+  .description("Retrieve a key from vault")
+  .option("-p, --pw <password>")
+  .option("--json", "Output raw JSON")
+  .action(async (service, opts) => {
+    const auth = await getAuth(opts.pw);
+    const spinner = ora(`Retrieving ${service}...`).start();
+    try {
+      const result = await api.retrieve(auth.password, auth.machineHash, auth.token, auth.timestamp, service);
+      spinner.stop();
+      if (result.error) { console.log(chalk.red(`Error: ${result.error}`)); return; }
+      if (opts.json) {
+        console.log(JSON.stringify(result, null, 2));
+      } else {
+        console.log(chalk.cyan(`\n🔑 ${service} (${result.key_type})\n`));
+        const val = typeof result.value === "string" ? result.value : JSON.stringify(result.value, null, 2);
+        console.log(val);
+        console.log();
+      }
+    } catch (err) {
+      spinner.fail(chalk.red(err.message));
+    }
+  });
+// ──────────────────────────────────────────────
+// clauth revoke <service|all>
+// ──────────────────────────────────────────────
+program
+  .command("revoke <service>")
+  .description("Delete key from vault (destructive)")
+  .option("-p, --pw <password>")
+  .action(async (service, opts) => {
+    const phrase = service === "all" ? "CONFIRM REVOKE ALL" : `CONFIRM REVOKE ${service.toUpperCase()}`;
+    const { confirm } = await inquirer.prompt([{
+      type: "input", name: "confirm",
+      message: chalk.red(`Type "${phrase}" to proceed:`)
+    }]);
+    const auth = await getAuth(opts.pw);
+    const spinner = ora(`Revoking ${service}...`).start();
+    try {
+      const result = await api.revoke(auth.password, auth.machineHash, auth.token, auth.timestamp, service, confirm);
+      if (result.error) throw new Error(result.error);
+      spinner.succeed(chalk.yellow(`Revoked: ${service}`));
+    } catch (err) { spinner.fail(chalk.red(err.message)); }
+  });
+// ──────────────────────────────────────────────
+// clauth scrub [target]
+// ──────────────────────────────────────────────
+program
+  .command("scrub [target]")
+  .description("Scrub credentials from Claude Code transcript logs (no auth required)")
+  .option("--force", "Rescrub files even if already marked clean")
+  .addHelpText("after", `
+Examples:
+  clauth scrub              Scrub the most recent (active) transcript
+  clauth scrub <file>       Scrub a specific .jsonl file
+  clauth scrub all          Scrub every transcript in ~/.claude/projects/
+  clauth scrub all --force  Rescrub all files (ignore markers)
+`)
+  .action(async (target, opts) => {
+    await runScrub(target, opts);
+  });
+// ──────────────────────────────────────────────
+// clauth --help override banner
+// ──────────────────────────────────────────────
+program.addHelpText("beforeAll", chalk.cyan(`
+  ██████╗██╗      █████╗ ██╗   ██╗████████╗██╗  ██╗
+ ██╔════╝██║     ██╔══██╗██║   ██║╚══██╔══╝██║  ██║
+ ██║     ██║     ███████║██║   ██║   ██║   ███████║
+ ██║     ██║     ██╔══██║██║   ██║   ██║   ██╔══██║
+ ╚██████╗███████╗██║  ██║╚██████╔╝   ██║   ██║  ██║
+  ╚═════╝╚══════╝╚═╝  ╚═╝ ╚═════╝    ╚═╝   ╚═╝  ╚═╝
+  v${VERSION} — LIFEAI Credential Vault
+`));
+// ──────────────────────────────────────────────
+// clauth serve [action]
+// ──────────────────────────────────────────────
+program
+  .command("serve [action]")
+  .description("Manage localhost HTTP vault daemon (start|stop|restart|ping)")
+  .option("--port <n>", "Port (default: 52437)")
+  .option("-p, --pw <password>", "clauth password (optional — omit to start locked, unlock in browser)")
+  .option("--services <list>", "Comma-separated service whitelist (default: all)")
+  .option("--action <action>", "Internal: action override for daemon child")
+  .addHelpText("after", `
+Actions:
+  start       Start the server as a background daemon
+  stop        Stop the running daemon
+  restart     Stop + start
+  ping        Check if the daemon is running
+  foreground  Run in foreground (Ctrl+C to stop) — default if no action given
+Examples:
+  clauth serve start                     Start locked — unlock at http://127.0.0.1:52437
+  clauth serve start -p mypass           Start pre-unlocked (password in memory only)
+  clauth serve stop                      Stop the daemon
+  clauth serve ping                      Check status
+  clauth serve restart                   Restart (stays locked until browser unlock)
+  clauth serve start --services github,vercel
+`)
+  .action(async (action, opts) => {
+    const resolvedAction = opts.action || action || "foreground";
+    await runServe({ ...opts, action: resolvedAction });
+  });
+program.parse(process.argv);