npm - @lifeaitools/clauth - Versions diffs - 0.3.7 → 0.3.8 - Mend

@lifeaitools/clauth 0.3.7 → 0.3.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (21) hide show

package/.clauth-skill/SKILL.md +184 -184
package/.clauth-skill/references/keys-guide.md +270 -270
package/.clauth-skill/references/operator-guide.md +148 -148
package/README.md +125 -125
package/cli/api.js +112 -112
package/cli/commands/install.js +264 -264
package/cli/commands/serve.js +1207 -1101
package/cli/commands/uninstall.js +164 -164
package/cli/fingerprint.js +91 -91
package/cli/index.js +1 -1
package/install.ps1 +44 -44
package/install.sh +38 -38
package/package.json +1 -1
package/scripts/bin/bootstrap-linux +0 -0
package/scripts/bin/bootstrap-macos +0 -0
package/scripts/bootstrap.cjs +43 -43
package/scripts/build.sh +45 -45
package/supabase/functions/auth-vault/index.ts +235 -235
package/supabase/migrations/001_clauth_schema.sql +103 -103
package/supabase/migrations/002_vault_helpers.sql +90 -90
package/supabase/migrations/20260317_lockout.sql +26 -26

package/.clauth-skill/references/keys-guide.md CHANGED Viewed

@@ -1,270 +1,270 @@
-# clauth Keys Guide
-Plain-English explanations of every credential clauth manages. Read this before setup.
----
-## The Most Important Key for Install: Supabase Personal Access Token (PAT)
-This is the first thing the installer asks for and the most commonly confused item.
-```
-sbp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-```
-This is your **account-level** token — not tied to any one project. It gives the installer permission to create tables, deploy the edge function, and store secrets in your project.
-**Where to get it:**
-> https://supabase.com/dashboard/account/tokens → "Generate new token"
-> Name it anything, e.g. "clauth-install"
-**This is NOT:**
-- Your anon key (that starts with `eyJ...`)
-- Your service_role key (also starts with `eyJ...`)
-- Your project URL
-The PAT is only needed once during install. After that, clauth uses the anon key + HMAC for everything.
----
-## The Most Confusing Part: Supabase Has 4 Different Keys
-This is where most people get stuck. Supabase gives you multiple keys and they look similar. Here's what each one is:
-### 1. `NEXT_PUBLIC_SUPABASE_URL` — The Project URL
-```
-https://uvojezuorjgqzmhhgluu.supabase.co
-```
-This is just a URL. Not a secret. It's the address of your Supabase project. You can find it in:
-> Supabase Dashboard → Project Settings → API → Project URL
-**clauth uses this as:** `Supabase project URL` during `clauth setup`
----
-### 2. Anon Key (Public JWT) — `supabase-anon` in clauth
-```
-eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ...  (very long)
-```
-This is a **public key** — it's safe to put in frontend code. It only has the permissions that your Row Level Security (RLS) policies allow. Think of it as a "guest pass" to your database.
-**Where to find it:**
-> Supabase Dashboard → Project Settings → API → Project API Keys → `anon` `public`
-**clauth uses this for:** Calling the Edge Function (every request). Used during `clauth setup` as `Supabase anon key`.
-**Also called:** `NEXT_PUBLIC_SUPABASE_PUBLISHABLE_DEFAULT_KEY` or `sb_publishable_...` in newer Supabase projects. Same thing, different name format.
----
-### 3. Service Role Key — `supabase-service` in clauth
-```
-eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ...role":"service_role"...  (very long)
-```
-This is an **admin key** — it bypasses all RLS policies and can read/write anything. Treat this like a root password. Never put it in frontend code.
-**Where to find it:**
-> Supabase Dashboard → Project Settings → API → Project API Keys → `service_role` `secret`
-**clauth stores this as:** `supabase-service`
-**Also called:** `sb_secret_...` in newer Supabase projects. Same thing.
----
-### 4. Database Connection String — `supabase-db` in clauth
-```
-postgres://postgres.uvojezuorjgqzmhhgluu:[YOUR-PASSWORD]@aws-0-us-west-1.pooler.supabase.com:6543/postgres
-```
-This is for direct SQL access — tools like Drizzle, Prisma, or raw psql use this. Two versions exist:
-- **Pooled** (port 6543) — for apps with many connections (use this)
-- **Direct** (port 5432) — for migrations only
-**Where to find it:**
-> Supabase Dashboard → Project Settings → Database → Connection string → URI
-**Note:** Replace `[YOUR-PASSWORD]` with the password you set when creating the project.
----
-## GitHub
-### Personal Access Token (PAT) — `github` in clauth
-```
-ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-```
-This is what lets programs act as you on GitHub — push code, manage repos, etc.
-**Where to create one:**
-> GitHub.com → Settings (your profile, top right) → Developer settings → Personal access tokens → Tokens (classic) → Generate new token
-**Scopes you need for LIFEAI work:**
-- `repo` — full repo access
-- `workflow` — GitHub Actions
-- `read:org` — read org membership
-- `admin:org` — if you need to manage the org
-**clauth stores this as:** `github`
----
-## Vercel
-### API Token + Team ID — `vercel` in clauth (keypair)
-Two values stored together as JSON: `{"token":"...","team_id":"..."}`
-**API Token:**
-> Vercel Dashboard → Account Settings → Tokens → Create Token
-> Name it something like "LIFEAI-clauth"
-**Team ID:**
-> Vercel Dashboard → Team Settings → General → Team ID
-> Looks like: `team_xxxxxxxxxxxxxxxxxxxxxxxx`
-**clauth stores this as:** `vercel` (keypair type)
-```bash
-clauth write key vercel '{"token":"vcp_xxx...","team_id":"team_xxx..."}'
-```
----
-## Cloudflare R2
-R2 has **two separate credentials** because it uses the S3 protocol for file operations but a separate admin API for bucket management.
-### R2 Object Access Keys — `r2` in clauth (keypair)
-Used for: uploading, downloading, deleting files in your bucket (S3-compatible)
-```
-Access Key ID:      f3ff8996f212b638254cf5747abce445
-Secret Access Key:  45a078775b1b62a7200024c30660e72d2997ab65bb4a6e72629fda8a87e222a9
-```
-**Where to find:**
-> Cloudflare Dashboard → R2 → Manage R2 API Tokens → Create API Token → Object Read & Write
-**clauth stores this as:** `r2`
-```bash
-clauth write key r2 '{"access_key_id":"f3ff...","secret_access_key":"45a0..."}'
-```
-### R2 Bucket Config — `r2-bucket` in clauth (connstring)
-Used for: knowing which bucket to use and where it lives
-```
-bucket_name: regen-media
-endpoint: https://c879cf4758546d79164c2718c477be72.r2.cloudflarestorage.com
-public_cdn: https://pub-ff9788cd4f1f494db0491a197025a94c.r2.dev
-```
-**clauth stores this as:** `r2-bucket`
-```bash
-clauth write key r2-bucket '{"bucket":"regen-media","endpoint":"https://c879...r2.cloudflarestorage.com","cdn":"https://pub-ff97...r2.dev"}'
-```
-### Cloudflare Admin API Token — `cloudflare` in clauth (token)
-Used for: DNS records, zone management, creating/deleting buckets
-```
-1e_f4y2t58ra7UpKAAj5TzCcBUYTdEC3H2LJ9Vtc
-```
-**Where to find:**
-> Cloudflare Dashboard → R2 → Manage R2 API Tokens → (the Admin token, not the RW token)
-**clauth stores this as:** `cloudflare`
----
-## Namecheap
-### API Key + Username — `namecheap` in clauth (keypair)
-Two values stored together:
-```
-username: ejlamyot
-api_key:  CJWM4dr&RMS$v.s  (yours will look similar)
-```
-**Where to find:**
-> Namecheap Dashboard → Profile (top right) → Tools → API Access → Enable API
-**Important:** Namecheap API also requires your **IP address to be whitelisted**. Add your current IP in the same API Access page, or Namecheap will reject every call.
-**clauth stores this as:** `namecheap`
-```bash
-clauth write key namecheap '{"username":"ejlamyot","api_key":"CJWM4dr..."}'
-```
----
-## Neo4j Aura
-### Connection URI + Credentials — `neo4j` in clauth (connstring)
-```
-neo4j+s://xxxxxxxx.databases.neo4j.io
-username: neo4j
-password: (set when you created the instance)
-```
-**Where to find:**
-> Neo4j Aura Console → Your database → Connect → Connection URI
-**clauth stores this as:** `neo4j`
-```bash
-clauth write key neo4j 'neo4j+s://neo4j:yourpassword@xxxxxxxx.databases.neo4j.io'
-```
----
-## Anthropic
-### API Key — `anthropic` in clauth (token)
-```
-sk-ant-api03-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-```
-**Where to find:**
-> console.anthropic.com → API Keys → Create Key
-**clauth stores this as:** `anthropic`
----
-## RocketReach
-### API Key — `rocketreach` in clauth (token)
-```
-12b893dk776927c079ea18cb1a7bc8d95b43398a
-```
-**Where to find:**
-> rocketreach.co → Account Settings → API
-**clauth stores this as:** `rocketreach`
----
-## The Bootstrap Token (Special — One Time Only)
-```
-ba6f25ec30e9316ead93152f0cfa5617
-```
-This is **not a service API key**. It's a one-time password that lets `clauth setup` register your machine with the vault for the first time.
-- It's stored in your Supabase Vault (not hardcoded anywhere)
-- After your machine is registered, you never need it again for daily use
-- If you need to register a **new machine**, you need it again
-- The vault operator (Dave) can retrieve it from: Supabase Dashboard → Vault → `CLAUTH_ADMIN_BOOTSTRAP_TOKEN`
----
-## Summary Table
-| clauth token | What it is | Where to get it | Type |
-|---|---|---|---|
-| *(setup prompt)* | Supabase project URL | Supabase → Settings → API | URL |
-| *(setup prompt)* | Supabase anon key | Supabase → Settings → API → anon public | JWT |
-| *(setup prompt)* | Bootstrap token | Ask vault operator / Supabase Vault | One-time |
-| `github` | GitHub Personal Access Token | github.com → Settings → Developer → PATs | token |
-| `supabase-anon` | Supabase anon key (stored for apps) | Same as above | token |
-| `supabase-service` | Supabase service role key | Supabase → Settings → API → service_role | token |
-| `supabase-db` | Postgres connection string | Supabase → Settings → Database → URI | connstring |
-| `vercel` | Vercel API token + Team ID | Vercel → Account Settings → Tokens | keypair |
-| `namecheap` | Namecheap API key + username | Namecheap → Profile → Tools → API | keypair |
-| `neo4j` | Neo4j Aura URI + password | Aura Console → Connect | connstring |
-| `anthropic` | Anthropic API key | console.anthropic.com → API Keys | token |
-| `r2` | Cloudflare R2 S3 keypair | Cloudflare → R2 → Manage API Tokens | keypair |
-| `r2-bucket` | R2 bucket name + endpoint | Cloudflare → R2 → bucket details | connstring |
-| `cloudflare` | Cloudflare admin API token | Cloudflare → R2 → Manage API Tokens | token |
-| `rocketreach` | RocketReach API key | rocketreach.co → Account → API | token |
+# clauth Keys Guide
+Plain-English explanations of every credential clauth manages. Read this before setup.
+---
+## The Most Important Key for Install: Supabase Personal Access Token (PAT)
+This is the first thing the installer asks for and the most commonly confused item.
+```
+sbp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+```
+This is your **account-level** token — not tied to any one project. It gives the installer permission to create tables, deploy the edge function, and store secrets in your project.
+**Where to get it:**
+> https://supabase.com/dashboard/account/tokens → "Generate new token"
+> Name it anything, e.g. "clauth-install"
+**This is NOT:**
+- Your anon key (that starts with `eyJ...`)
+- Your service_role key (also starts with `eyJ...`)
+- Your project URL
+The PAT is only needed once during install. After that, clauth uses the anon key + HMAC for everything.
+---
+## The Most Confusing Part: Supabase Has 4 Different Keys
+This is where most people get stuck. Supabase gives you multiple keys and they look similar. Here's what each one is:
+### 1. `NEXT_PUBLIC_SUPABASE_URL` — The Project URL
+```
+https://uvojezuorjgqzmhhgluu.supabase.co
+```
+This is just a URL. Not a secret. It's the address of your Supabase project. You can find it in:
+> Supabase Dashboard → Project Settings → API → Project URL
+**clauth uses this as:** `Supabase project URL` during `clauth setup`
+---
+### 2. Anon Key (Public JWT) — `supabase-anon` in clauth
+```
+eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ...  (very long)
+```
+This is a **public key** — it's safe to put in frontend code. It only has the permissions that your Row Level Security (RLS) policies allow. Think of it as a "guest pass" to your database.
+**Where to find it:**
+> Supabase Dashboard → Project Settings → API → Project API Keys → `anon` `public`
+**clauth uses this for:** Calling the Edge Function (every request). Used during `clauth setup` as `Supabase anon key`.
+**Also called:** `NEXT_PUBLIC_SUPABASE_PUBLISHABLE_DEFAULT_KEY` or `sb_publishable_...` in newer Supabase projects. Same thing, different name format.
+---
+### 3. Service Role Key — `supabase-service` in clauth
+```
+eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ...role":"service_role"...  (very long)
+```
+This is an **admin key** — it bypasses all RLS policies and can read/write anything. Treat this like a root password. Never put it in frontend code.
+**Where to find it:**
+> Supabase Dashboard → Project Settings → API → Project API Keys → `service_role` `secret`
+**clauth stores this as:** `supabase-service`
+**Also called:** `sb_secret_...` in newer Supabase projects. Same thing.
+---
+### 4. Database Connection String — `supabase-db` in clauth
+```
+postgres://postgres.uvojezuorjgqzmhhgluu:[YOUR-PASSWORD]@aws-0-us-west-1.pooler.supabase.com:6543/postgres
+```
+This is for direct SQL access — tools like Drizzle, Prisma, or raw psql use this. Two versions exist:
+- **Pooled** (port 6543) — for apps with many connections (use this)
+- **Direct** (port 5432) — for migrations only
+**Where to find it:**
+> Supabase Dashboard → Project Settings → Database → Connection string → URI
+**Note:** Replace `[YOUR-PASSWORD]` with the password you set when creating the project.
+---
+## GitHub
+### Personal Access Token (PAT) — `github` in clauth
+```
+ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+```
+This is what lets programs act as you on GitHub — push code, manage repos, etc.
+**Where to create one:**
+> GitHub.com → Settings (your profile, top right) → Developer settings → Personal access tokens → Tokens (classic) → Generate new token
+**Scopes you need for LIFEAI work:**
+- `repo` — full repo access
+- `workflow` — GitHub Actions
+- `read:org` — read org membership
+- `admin:org` — if you need to manage the org
+**clauth stores this as:** `github`
+---
+## Vercel
+### API Token + Team ID — `vercel` in clauth (keypair)
+Two values stored together as JSON: `{"token":"...","team_id":"..."}`
+**API Token:**
+> Vercel Dashboard → Account Settings → Tokens → Create Token
+> Name it something like "LIFEAI-clauth"
+**Team ID:**
+> Vercel Dashboard → Team Settings → General → Team ID
+> Looks like: `team_xxxxxxxxxxxxxxxxxxxxxxxx`
+**clauth stores this as:** `vercel` (keypair type)
+```bash
+clauth write key vercel '{"token":"vcp_xxx...","team_id":"team_xxx..."}'
+```
+---
+## Cloudflare R2
+R2 has **two separate credentials** because it uses the S3 protocol for file operations but a separate admin API for bucket management.
+### R2 Object Access Keys — `r2` in clauth (keypair)
+Used for: uploading, downloading, deleting files in your bucket (S3-compatible)
+```
+Access Key ID:      f3ff8996f212b638254cf5747abce445
+Secret Access Key:  45a078775b1b62a7200024c30660e72d2997ab65bb4a6e72629fda8a87e222a9
+```
+**Where to find:**
+> Cloudflare Dashboard → R2 → Manage R2 API Tokens → Create API Token → Object Read & Write
+**clauth stores this as:** `r2`
+```bash
+clauth write key r2 '{"access_key_id":"f3ff...","secret_access_key":"45a0..."}'
+```
+### R2 Bucket Config — `r2-bucket` in clauth (connstring)
+Used for: knowing which bucket to use and where it lives
+```
+bucket_name: regen-media
+endpoint: https://c879cf4758546d79164c2718c477be72.r2.cloudflarestorage.com
+public_cdn: https://pub-ff9788cd4f1f494db0491a197025a94c.r2.dev
+```
+**clauth stores this as:** `r2-bucket`
+```bash
+clauth write key r2-bucket '{"bucket":"regen-media","endpoint":"https://c879...r2.cloudflarestorage.com","cdn":"https://pub-ff97...r2.dev"}'
+```
+### Cloudflare Admin API Token — `cloudflare` in clauth (token)
+Used for: DNS records, zone management, creating/deleting buckets
+```
+1e_f4y2t58ra7UpKAAj5TzCcBUYTdEC3H2LJ9Vtc
+```
+**Where to find:**
+> Cloudflare Dashboard → R2 → Manage R2 API Tokens → (the Admin token, not the RW token)
+**clauth stores this as:** `cloudflare`
+---
+## Namecheap
+### API Key + Username — `namecheap` in clauth (keypair)
+Two values stored together:
+```
+username: ejlamyot
+api_key:  CJWM4dr&RMS$v.s  (yours will look similar)
+```
+**Where to find:**
+> Namecheap Dashboard → Profile (top right) → Tools → API Access → Enable API
+**Important:** Namecheap API also requires your **IP address to be whitelisted**. Add your current IP in the same API Access page, or Namecheap will reject every call.
+**clauth stores this as:** `namecheap`
+```bash
+clauth write key namecheap '{"username":"ejlamyot","api_key":"CJWM4dr..."}'
+```
+---
+## Neo4j Aura
+### Connection URI + Credentials — `neo4j` in clauth (connstring)
+```
+neo4j+s://xxxxxxxx.databases.neo4j.io
+username: neo4j
+password: (set when you created the instance)
+```
+**Where to find:**
+> Neo4j Aura Console → Your database → Connect → Connection URI
+**clauth stores this as:** `neo4j`
+```bash
+clauth write key neo4j 'neo4j+s://neo4j:yourpassword@xxxxxxxx.databases.neo4j.io'
+```
+---
+## Anthropic
+### API Key — `anthropic` in clauth (token)
+```
+sk-ant-api03-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+```
+**Where to find:**
+> console.anthropic.com → API Keys → Create Key
+**clauth stores this as:** `anthropic`
+---
+## RocketReach
+### API Key — `rocketreach` in clauth (token)
+```
+12b893dk776927c079ea18cb1a7bc8d95b43398a
+```
+**Where to find:**
+> rocketreach.co → Account Settings → API
+**clauth stores this as:** `rocketreach`
+---
+## The Bootstrap Token (Special — One Time Only)
+```
+ba6f25ec30e9316ead93152f0cfa5617
+```
+This is **not a service API key**. It's a one-time password that lets `clauth setup` register your machine with the vault for the first time.
+- It's stored in your Supabase Vault (not hardcoded anywhere)
+- After your machine is registered, you never need it again for daily use
+- If you need to register a **new machine**, you need it again
+- The vault operator (Dave) can retrieve it from: Supabase Dashboard → Vault → `CLAUTH_ADMIN_BOOTSTRAP_TOKEN`
+---
+## Summary Table
+| clauth token | What it is | Where to get it | Type |
+|---|---|---|---|
+| *(setup prompt)* | Supabase project URL | Supabase → Settings → API | URL |
+| *(setup prompt)* | Supabase anon key | Supabase → Settings → API → anon public | JWT |
+| *(setup prompt)* | Bootstrap token | Ask vault operator / Supabase Vault | One-time |
+| `github` | GitHub Personal Access Token | github.com → Settings → Developer → PATs | token |
+| `supabase-anon` | Supabase anon key (stored for apps) | Same as above | token |
+| `supabase-service` | Supabase service role key | Supabase → Settings → API → service_role | token |
+| `supabase-db` | Postgres connection string | Supabase → Settings → Database → URI | connstring |
+| `vercel` | Vercel API token + Team ID | Vercel → Account Settings → Tokens | keypair |
+| `namecheap` | Namecheap API key + username | Namecheap → Profile → Tools → API | keypair |
+| `neo4j` | Neo4j Aura URI + password | Aura Console → Connect | connstring |
+| `anthropic` | Anthropic API key | console.anthropic.com → API Keys | token |
+| `r2` | Cloudflare R2 S3 keypair | Cloudflare → R2 → Manage API Tokens | keypair |
+| `r2-bucket` | R2 bucket name + endpoint | Cloudflare → R2 → bucket details | connstring |
+| `cloudflare` | Cloudflare admin API token | Cloudflare → R2 → Manage API Tokens | token |
+| `rocketreach` | RocketReach API key | rocketreach.co → Account → API | token |