@lifeaitools/clauth 0.3.6 → 0.3.8

package/supabase/migrations/001_clauth_schema.sql

@@ -1,103 +1,103 @@
--- ============================================================
--- clauth schema
--- Migration: 001_clauth_schema.sql
--- ============================================================
-
--- Enable vault extension (Supabase enables by default, but guard)
--- vault.secrets is already available in Supabase projects
-
--- ============================================================
--- Service Registry
--- ============================================================
-create table if not exists public.clauth_services (
-  id            uuid primary key default gen_random_uuid(),
-  name          text not null unique,           -- e.g. 'github', 'r2'
-  label         text not null,                  -- human display name
-  key_type      text not null                   -- 'token' | 'keypair' | 'connstring' | 'oauth'
-                check (key_type in ('token','keypair','connstring','oauth')),
-  enabled       boolean not null default false,
-  vault_key     text,                           -- vault secret name: 'clauth.<name>'
-  description   text,
-  last_retrieved timestamptz,
-  last_rotated   timestamptz,
-  created_at    timestamptz not null default now(),
-  updated_at    timestamptz not null default now()
-);
-
--- ============================================================
--- Machine Registry (hardware fingerprints — hashed only)
--- ============================================================
-create table if not exists public.clauth_machines (
-  id              uuid primary key default gen_random_uuid(),
-  machine_hash    text not null unique,          -- SHA256(machine_id + os_install_id)
-  label           text,                          -- e.g. 'Dave-Desktop-Win11'
-  hmac_seed_hash  text not null,                 -- SHA256 of the HMAC seed stored in vault
-  enabled         boolean not null default true,
-  created_at      timestamptz not null default now(),
-  last_seen       timestamptz
-);
-
--- ============================================================
--- Audit Log
--- ============================================================
-create table if not exists public.clauth_audit (
-  id           uuid primary key default gen_random_uuid(),
-  machine_hash text,
-  service_name text,
-  action       text not null,    -- 'retrieve' | 'enable' | 'disable' | 'rotate' | 'revoke' | 'add' | 'remove'
-  result       text not null,    -- 'success' | 'fail' | 'denied'
-  detail       text,
-  created_at   timestamptz not null default now()
-);
-
--- ============================================================
--- Seed: built-in service definitions (no keys — just registry)
--- ============================================================
-insert into public.clauth_services (name, label, key_type, description) values
-  ('github',           'GitHub PAT',                  'token',     'GitHub Personal Access Token — repo, workflow, org'),
-  ('supabase-anon',    'Supabase Anon Key',            'token',     'Supabase public anon key (RLS-gated)'),
-  ('supabase-service', 'Supabase Service Role Key',    'token',     'Supabase service_role — bypasses RLS'),
-  ('supabase-db',      'Supabase DB Connection',       'connstring','PostgreSQL connection string (pooled + direct)'),
-  ('vercel',           'Vercel API Token',             'keypair',   'Vercel API token + Team ID'),
-  ('namecheap',        'Namecheap API',                'keypair',   'Namecheap API key + username'),
-  ('neo4j',            'Neo4j Aura',                   'connstring','Neo4j Aura URI + credentials'),
-  ('anthropic',        'Anthropic API Key',            'token',     'Claude API — sk-ant-...'),
-  ('r2',               'Cloudflare R2 Keypair',        'keypair',   'R2 Access Key ID + Secret Access Key'),
-  ('r2-bucket',        'Cloudflare R2 Bucket Config',  'connstring','R2 bucket name + endpoint URL'),
-  ('cloudflare',       'Cloudflare API Token',         'token',     'Cloudflare zone/DNS/admin token'),
-  ('rocketreach',      'RocketReach API Key',          'token',     'RocketReach contact intelligence API')
-on conflict (name) do nothing;
-
--- ============================================================
--- RLS — lock down all tables
--- ============================================================
-alter table public.clauth_services  enable row level security;
-alter table public.clauth_machines  enable row level security;
-alter table public.clauth_audit     enable row level security;
-
--- service_role bypasses RLS — all access from Edge Function only
--- No direct anon access to any clauth table
-do $$ begin
-  if not exists (select 1 from pg_policies where policyname = 'no_anon_services' and tablename = 'clauth_services') then
-    create policy "no_anon_services" on public.clauth_services for all using (false);
-  end if;
-  if not exists (select 1 from pg_policies where policyname = 'no_anon_machines' and tablename = 'clauth_machines') then
-    create policy "no_anon_machines" on public.clauth_machines for all using (false);
-  end if;
-  if not exists (select 1 from pg_policies where policyname = 'no_anon_audit' and tablename = 'clauth_audit') then
-    create policy "no_anon_audit" on public.clauth_audit for all using (false);
-  end if;
-end $$;
-
--- ============================================================
--- Updated_at trigger
--- ============================================================
-create or replace function public.clauth_touch_updated()
-returns trigger language plpgsql as $$
-begin new.updated_at = now(); return new; end;
-$$;
-
-drop trigger if exists clauth_services_updated on public.clauth_services;
-create trigger clauth_services_updated
-  before update on public.clauth_services
-  for each row execute procedure public.clauth_touch_updated();
+-- ============================================================
+-- clauth schema
+-- Migration: 001_clauth_schema.sql
+-- ============================================================
+
+-- Enable vault extension (Supabase enables by default, but guard)
+-- vault.secrets is already available in Supabase projects
+
+-- ============================================================
+-- Service Registry
+-- ============================================================
+create table if not exists public.clauth_services (
+  id            uuid primary key default gen_random_uuid(),
+  name          text not null unique,           -- e.g. 'github', 'r2'
+  label         text not null,                  -- human display name
+  key_type      text not null                   -- 'token' | 'keypair' | 'connstring' | 'oauth'
+                check (key_type in ('token','keypair','connstring','oauth')),
+  enabled       boolean not null default false,
+  vault_key     text,                           -- vault secret name: 'clauth.<name>'
+  description   text,
+  last_retrieved timestamptz,
+  last_rotated   timestamptz,
+  created_at    timestamptz not null default now(),
+  updated_at    timestamptz not null default now()
+);
+
+-- ============================================================
+-- Machine Registry (hardware fingerprints — hashed only)
+-- ============================================================
+create table if not exists public.clauth_machines (
+  id              uuid primary key default gen_random_uuid(),
+  machine_hash    text not null unique,          -- SHA256(machine_id + os_install_id)
+  label           text,                          -- e.g. 'Dave-Desktop-Win11'
+  hmac_seed_hash  text not null,                 -- SHA256 of the HMAC seed stored in vault
+  enabled         boolean not null default true,
+  created_at      timestamptz not null default now(),
+  last_seen       timestamptz
+);
+
+-- ============================================================
+-- Audit Log
+-- ============================================================
+create table if not exists public.clauth_audit (
+  id           uuid primary key default gen_random_uuid(),
+  machine_hash text,
+  service_name text,
+  action       text not null,    -- 'retrieve' | 'enable' | 'disable' | 'rotate' | 'revoke' | 'add' | 'remove'
+  result       text not null,    -- 'success' | 'fail' | 'denied'
+  detail       text,
+  created_at   timestamptz not null default now()
+);
+
+-- ============================================================
+-- Seed: built-in service definitions (no keys — just registry)
+-- ============================================================
+insert into public.clauth_services (name, label, key_type, description) values
+  ('github',           'GitHub PAT',                  'token',     'GitHub Personal Access Token — repo, workflow, org'),
+  ('supabase-anon',    'Supabase Anon Key',            'token',     'Supabase public anon key (RLS-gated)'),
+  ('supabase-service', 'Supabase Service Role Key',    'token',     'Supabase service_role — bypasses RLS'),
+  ('supabase-db',      'Supabase DB Connection',       'connstring','PostgreSQL connection string (pooled + direct)'),
+  ('vercel',           'Vercel API Token',             'keypair',   'Vercel API token + Team ID'),
+  ('namecheap',        'Namecheap API',                'keypair',   'Namecheap API key + username'),
+  ('neo4j',            'Neo4j Aura',                   'connstring','Neo4j Aura URI + credentials'),
+  ('anthropic',        'Anthropic API Key',            'token',     'Claude API — sk-ant-...'),
+  ('r2',               'Cloudflare R2 Keypair',        'keypair',   'R2 Access Key ID + Secret Access Key'),
+  ('r2-bucket',        'Cloudflare R2 Bucket Config',  'connstring','R2 bucket name + endpoint URL'),
+  ('cloudflare',       'Cloudflare API Token',         'token',     'Cloudflare zone/DNS/admin token'),
+  ('rocketreach',      'RocketReach API Key',          'token',     'RocketReach contact intelligence API')
+on conflict (name) do nothing;
+
+-- ============================================================
+-- RLS — lock down all tables
+-- ============================================================
+alter table public.clauth_services  enable row level security;
+alter table public.clauth_machines  enable row level security;
+alter table public.clauth_audit     enable row level security;
+
+-- service_role bypasses RLS — all access from Edge Function only
+-- No direct anon access to any clauth table
+do $$ begin
+  if not exists (select 1 from pg_policies where policyname = 'no_anon_services' and tablename = 'clauth_services') then
+    create policy "no_anon_services" on public.clauth_services for all using (false);
+  end if;
+  if not exists (select 1 from pg_policies where policyname = 'no_anon_machines' and tablename = 'clauth_machines') then
+    create policy "no_anon_machines" on public.clauth_machines for all using (false);
+  end if;
+  if not exists (select 1 from pg_policies where policyname = 'no_anon_audit' and tablename = 'clauth_audit') then
+    create policy "no_anon_audit" on public.clauth_audit for all using (false);
+  end if;
+end $$;
+
+-- ============================================================
+-- Updated_at trigger
+-- ============================================================
+create or replace function public.clauth_touch_updated()
+returns trigger language plpgsql as $$
+begin new.updated_at = now(); return new; end;
+$$;
+
+drop trigger if exists clauth_services_updated on public.clauth_services;
+create trigger clauth_services_updated
+  before update on public.clauth_services
+  for each row execute procedure public.clauth_touch_updated();

package/supabase/migrations/002_vault_helpers.sql

@@ -1,90 +1,90 @@
--- ============================================================
--- Vault helper functions
--- Migration: 002_vault_helpers.sql
--- These wrap vault.create_secret / vault.update_secret 
--- so Edge Functions don't need direct vault schema access
--- ============================================================
-
--- Upsert a secret (create or update)
-create or replace function public.vault_upsert_secret(
-  secret_name text,
-  secret_value text
-)
-returns void
-language plpgsql
-security definer
-as $$
-declare
-  existing_id uuid;
-begin
-  select id into existing_id
-  from vault.secrets
-  where name = secret_name
-  limit 1;
-
-  if existing_id is not null then
-    perform vault.update_secret(existing_id, secret_value);
-  else
-    perform vault.create_secret(secret_value, secret_name);
-  end if;
-end;
-$$;
-
--- Decrypt and return a secret value by name
-create or replace function public.vault_decrypt_secret(
-  secret_name text
-)
-returns text
-language plpgsql
-security definer
-as $$
-declare
-  result text;
-begin
-  select decrypted_secret into result
-  from vault.decrypted_secrets
-  where name = secret_name
-  limit 1;
-  return result;
-end;
-$$;
-
--- Delete a secret by name
-create or replace function public.vault_delete_secret(
-  secret_name text
-)
-returns void
-language plpgsql
-security definer
-as $$
-declare
-  target_id uuid;
-begin
-  select id into target_id
-  from vault.secrets
-  where name = secret_name
-  limit 1;
-
-  if target_id is not null then
-    delete from vault.secrets where id = target_id;
-  end if;
-end;
-$$;
-
--- List all clauth secrets (names only — never values)
-create or replace function public.vault_list_clauth_secrets()
-returns table(name text, created_at timestamptz, updated_at timestamptz)
-language sql
-security definer
-as $$
-  select name, created_at, updated_at
-  from vault.secrets
-  where name like 'clauth.%'
-  order by name;
-$$;
-
--- Revoke execute from public, grant to service_role only
-revoke execute on function public.vault_upsert_secret from public;
-revoke execute on function public.vault_decrypt_secret from public;
-revoke execute on function public.vault_delete_secret from public;
-revoke execute on function public.vault_list_clauth_secrets from public;
+-- ============================================================
+-- Vault helper functions
+-- Migration: 002_vault_helpers.sql
+-- These wrap vault.create_secret / vault.update_secret 
+-- so Edge Functions don't need direct vault schema access
+-- ============================================================
+
+-- Upsert a secret (create or update)
+create or replace function public.vault_upsert_secret(
+  secret_name text,
+  secret_value text
+)
+returns void
+language plpgsql
+security definer
+as $$
+declare
+  existing_id uuid;
+begin
+  select id into existing_id
+  from vault.secrets
+  where name = secret_name
+  limit 1;
+
+  if existing_id is not null then
+    perform vault.update_secret(existing_id, secret_value);
+  else
+    perform vault.create_secret(secret_value, secret_name);
+  end if;
+end;
+$$;
+
+-- Decrypt and return a secret value by name
+create or replace function public.vault_decrypt_secret(
+  secret_name text
+)
+returns text
+language plpgsql
+security definer
+as $$
+declare
+  result text;
+begin
+  select decrypted_secret into result
+  from vault.decrypted_secrets
+  where name = secret_name
+  limit 1;
+  return result;
+end;
+$$;
+
+-- Delete a secret by name
+create or replace function public.vault_delete_secret(
+  secret_name text
+)
+returns void
+language plpgsql
+security definer
+as $$
+declare
+  target_id uuid;
+begin
+  select id into target_id
+  from vault.secrets
+  where name = secret_name
+  limit 1;
+
+  if target_id is not null then
+    delete from vault.secrets where id = target_id;
+  end if;
+end;
+$$;
+
+-- List all clauth secrets (names only — never values)
+create or replace function public.vault_list_clauth_secrets()
+returns table(name text, created_at timestamptz, updated_at timestamptz)
+language sql
+security definer
+as $$
+  select name, created_at, updated_at
+  from vault.secrets
+  where name like 'clauth.%'
+  order by name;
+$$;
+
+-- Revoke execute from public, grant to service_role only
+revoke execute on function public.vault_upsert_secret from public;
+revoke execute on function public.vault_decrypt_secret from public;
+revoke execute on function public.vault_delete_secret from public;
+revoke execute on function public.vault_list_clauth_secrets from public;

package/supabase/migrations/20260317_lockout.sql

@@ -1,26 +1,26 @@
--- Migration: add fail_count and locked to clauth_machines
--- Run via: clauth install (picks this up automatically) or apply manually
-
-ALTER TABLE clauth_machines
-  ADD COLUMN IF NOT EXISTS fail_count  INTEGER NOT NULL DEFAULT 0,
-  ADD COLUMN IF NOT EXISTS locked      BOOLEAN NOT NULL DEFAULT false;
-
--- Index for fast lockout checks
-CREATE INDEX IF NOT EXISTS idx_clauth_machines_locked
-  ON clauth_machines (machine_hash, locked);
-
--- Admin helper: unlock a machine
--- Usage: SELECT clauth_unlock_machine('your_machine_hash');
-CREATE OR REPLACE FUNCTION clauth_unlock_machine(p_machine_hash TEXT)
-RETURNS void
-LANGUAGE plpgsql
-SECURITY DEFINER
-AS $$
-BEGIN
-  UPDATE clauth_machines
-  SET locked = false, fail_count = 0
-  WHERE machine_hash = p_machine_hash;
-END;
-$$;
-
-REVOKE EXECUTE ON FUNCTION clauth_unlock_machine(TEXT) FROM PUBLIC;
+-- Migration: add fail_count and locked to clauth_machines
+-- Run via: clauth install (picks this up automatically) or apply manually
+
+ALTER TABLE clauth_machines
+  ADD COLUMN IF NOT EXISTS fail_count  INTEGER NOT NULL DEFAULT 0,
+  ADD COLUMN IF NOT EXISTS locked      BOOLEAN NOT NULL DEFAULT false;
+
+-- Index for fast lockout checks
+CREATE INDEX IF NOT EXISTS idx_clauth_machines_locked
+  ON clauth_machines (machine_hash, locked);
+
+-- Admin helper: unlock a machine
+-- Usage: SELECT clauth_unlock_machine('your_machine_hash');
+CREATE OR REPLACE FUNCTION clauth_unlock_machine(p_machine_hash TEXT)
+RETURNS void
+LANGUAGE plpgsql
+SECURITY DEFINER
+AS $$
+BEGIN
+  UPDATE clauth_machines
+  SET locked = false, fail_count = 0
+  WHERE machine_hash = p_machine_hash;
+END;
+$$;
+
+REVOKE EXECUTE ON FUNCTION clauth_unlock_machine(TEXT) FROM PUBLIC;