@lifeaitools/clauth 0.4.0 → 0.5.0

package/.clauth-skill/SKILL.md

@@ -1,184 +1,184 @@
----
-name: clauth
-description: Install, configure, and operate clauth — the LIFEAI hardware-bound credential vault. Triggers on "install clauth", "set up my keys", "clauth install", "store my credentials", "set up the vault", or any mention of clauth or managing LIFEAI service credentials. When triggered for install, check GitHub MCP first, clone LIFEAI/clauth, and run the installer. Also handles ongoing clauth commands: status, get, write, enable, disable, add service, revoke.
----
-
-# clauth — LIFEAI Credential Vault
-
-Hardware-bound credential vault for the LIFEAI stack. Your machine is the second factor. Keys live in Supabase Vault (AES-256).
-
----
-
-## How Claude Interfaces with clauth
-
-> **CRITICAL:** Never pipe input to clauth or use interactive prompts. The CLI uses `inquirer` which produces ANSI garbage when stdin is piped. Always use one of the two methods below.
-
-### Method 1 — CLI with `--pw` flag (simplest)
-
-All clauth commands accept `-p` / `--pw <password>` to skip the interactive password prompt:
-
-```bash
-clauth status -p "YourPassword"
-clauth get github -p "YourPassword"
-clauth test -p "YourPassword"
-clauth enable github -p "YourPassword"
-clauth write key github -p "YourPassword"   # still prompts for the key value
-```
-
-### Method 2 — Direct API calls (full control, no CLI needed)
-
-Call the auth-vault Edge Function directly. This is the most reliable method for Claude.
-
-**Base URL:** `https://<project-ref>.supabase.co/functions/v1/auth-vault`
-**Auth header:** `Authorization: Bearer <supabase-anon-key>`
-**Method:** POST (all routes)
-**Content-Type:** `application/json`
-
-#### HMAC Token Derivation (must match server)
-
-```js
-import { createHmac, createHash, execSync } from "crypto";
-
-// 1. Get machine hash (same as fingerprint.js)
-// Windows:
-const uuid = execSync("wmic csproduct get uuid /format:value", { encoding: "utf8" })
-  .match(/UUID=([A-F0-9-]+)/i)?.[1]?.trim();
-const machineGuid = execSync(
-  "reg query HKLM\\SOFTWARE\\Microsoft\\Cryptography /v MachineGuid",
-  { encoding: "utf8" }
-).match(/MachineGuid\s+REG_SZ\s+([a-f0-9-]+)/i)?.[1]?.trim();
-const machineHash = createHash("sha256").update(`${uuid}:${machineGuid}`).digest("hex");
-
-// 2. Derive HMAC token
-const windowMs = 5 * 60 * 1000;
-const window = Math.floor(Date.now() / windowMs);
-const message = `${machineHash}:${window}`;
-const token = createHmac("sha256", password).update(message).digest("hex");
-const timestamp = window * windowMs;
-```
-
-#### API Routes
-
-| Route | Body fields | Returns |
-|-------|-------------|---------|
-| `POST /status` | `machine_hash, token, timestamp, password` | `{ services: [...] }` |
-| `POST /test` | `machine_hash, token, timestamp, password` | `{ ok: true }` |
-| `POST /retrieve` | `+ service` | `{ value: "..." }` |
-| `POST /write` | `+ service, value` | `{ ok: true }` |
-| `POST /enable` | `+ service, enabled: bool` | `{ ok: true }` |
-| `POST /add` | `+ name, label, key_type, description` | `{ ok: true }` |
-| `POST /remove` | `+ service, confirm: true` | `{ ok: true }` |
-| `POST /revoke` | `+ service, confirm: true` | `{ ok: true }` |
-| `POST /register-machine` | `machine_hash, hmac_seed_hash, label, admin_token` | `{ ok: true }` |
-
-All auth routes require: `machine_hash`, `token`, `timestamp`, `password`.
-
-### Password Handling
-
-- Ask the user for their clauth password **once per session**
-- Store it in working memory for the duration of the conversation
-- Never log or echo the password
-- If the user says "use clauth" or "get my github key", ask for the password if you don't have it yet
-
----
-
-## When someone says "install clauth"
-
-### Step 1 — Install from npm
-
-```bash
-npm install -g @lifeaitools/clauth
-```
-
-If already installed, update:
-```bash
-npm update -g @lifeaitools/clauth
-```
-
-### Step 2 — Run the installer
-
-Use CLI flags to avoid interactive prompts:
-
-```bash
-clauth install --ref <supabase-project-ref> --pat <personal-access-token>
-```
-
-**Project ref** — last part of the Supabase project URL:
-`https://supabase.com/dashboard/project/` **`uvojezuorjgqzmhhgluu`**
-
-**Personal Access Token (PAT):**
-`https://supabase.com/dashboard/account/tokens` → Generate new token
-*(NOT the anon key or service_role — this is your account-level token)*
-
-The installer provisions everything and prints a **bootstrap token** — save it.
-
-### Step 3 — Setup this machine
-
-```bash
-clauth setup --admin-token <bootstrap-token> -p <password>
-```
-
-Then verify:
-```bash
-clauth test -p <password>
-clauth status -p <password>
-```
-
-### Step 4 — Write your first key
-
-```bash
-clauth write key github -p <password>     # prompts for value
-clauth enable github -p <password>
-clauth get github -p <password>
-```
-
-See `references/keys-guide.md` for where to find every credential.
-
----
-
-## Command reference
-
-```
-clauth install [--ref R] [--pat P]     First-time: provision Supabase + install skill
-clauth setup [--admin-token T] [-p P]  Register this machine
-clauth status [-p P]                   All services + state
-clauth test [-p P]                     Verify HMAC connection
-clauth list [-p P]                     Service names
-
-clauth write key <service> [-p P]      Store a credential
-clauth write pw [-p P]                 Change password
-clauth enable <svc|all> [-p P]         Activate service
-clauth disable <svc|all> [-p P]        Suspend service
-clauth get <service> [-p P]            Retrieve a key
-
-clauth add service <n> [-p P]          Register new service
-clauth remove service <n> [-p P]       Remove service
-clauth revoke <svc|all> [-p P]         Delete key (destructive)
-
-clauth scrub                           Scrub active transcript (most recent .jsonl)
-clauth scrub <file>                    Scrub a specific file
-clauth scrub all                       Scrub all transcripts in ~/.claude/projects/
-clauth scrub all --force               Rescrub everything (ignore markers)
-
-clauth uninstall --ref R --pat P       Full teardown (DB, Edge Fn, secrets, skill, config)
-clauth uninstall --ref R --pat P --yes Skip confirmation
-```
-
-## Services
-
-`github` `supabase-anon` `supabase-service` `supabase-db`
-`vercel` `namecheap` `neo4j` `anthropic`
-`r2` `r2-bucket` `cloudflare` `rocketreach`
-
----
-
-## Troubleshooting
-
-| Error | Fix |
-|-------|-----|
-| `machine_not_found` | Run `clauth setup` |
-| `timestamp_expired` | Sync system clock |
-| `invalid_token` | Wrong password |
-| `service_disabled` | `clauth enable <service> -p <password>` |
-| `no_key_stored` | `clauth write key <service> -p <password>` |
-| ANSI garbage output | You piped stdin — use `-p` flag instead |
+---
+name: clauth
+description: Install, configure, and operate clauth — the LIFEAI hardware-bound credential vault. Triggers on "install clauth", "set up my keys", "clauth install", "store my credentials", "set up the vault", or any mention of clauth or managing LIFEAI service credentials. When triggered for install, check GitHub MCP first, clone LIFEAI/clauth, and run the installer. Also handles ongoing clauth commands: status, get, write, enable, disable, add service, revoke.
+---
+
+# clauth — LIFEAI Credential Vault
+
+Hardware-bound credential vault for the LIFEAI stack. Your machine is the second factor. Keys live in Supabase Vault (AES-256).
+
+---
+
+## How Claude Interfaces with clauth
+
+> **CRITICAL:** Never pipe input to clauth or use interactive prompts. The CLI uses `inquirer` which produces ANSI garbage when stdin is piped. Always use one of the two methods below.
+
+### Method 1 — CLI with `--pw` flag (simplest)
+
+All clauth commands accept `-p` / `--pw <password>` to skip the interactive password prompt:
+
+```bash
+clauth status -p "YourPassword"
+clauth get github -p "YourPassword"
+clauth test -p "YourPassword"
+clauth enable github -p "YourPassword"
+clauth write key github -p "YourPassword"   # still prompts for the key value
+```
+
+### Method 2 — Direct API calls (full control, no CLI needed)
+
+Call the auth-vault Edge Function directly. This is the most reliable method for Claude.
+
+**Base URL:** `https://<project-ref>.supabase.co/functions/v1/auth-vault`
+**Auth header:** `Authorization: Bearer <supabase-anon-key>`
+**Method:** POST (all routes)
+**Content-Type:** `application/json`
+
+#### HMAC Token Derivation (must match server)
+
+```js
+import { createHmac, createHash, execSync } from "crypto";
+
+// 1. Get machine hash (same as fingerprint.js)
+// Windows:
+const uuid = execSync("wmic csproduct get uuid /format:value", { encoding: "utf8" })
+  .match(/UUID=([A-F0-9-]+)/i)?.[1]?.trim();
+const machineGuid = execSync(
+  "reg query HKLM\\SOFTWARE\\Microsoft\\Cryptography /v MachineGuid",
+  { encoding: "utf8" }
+).match(/MachineGuid\s+REG_SZ\s+([a-f0-9-]+)/i)?.[1]?.trim();
+const machineHash = createHash("sha256").update(`${uuid}:${machineGuid}`).digest("hex");
+
+// 2. Derive HMAC token
+const windowMs = 5 * 60 * 1000;
+const window = Math.floor(Date.now() / windowMs);
+const message = `${machineHash}:${window}`;
+const token = createHmac("sha256", password).update(message).digest("hex");
+const timestamp = window * windowMs;
+```
+
+#### API Routes
+
+| Route | Body fields | Returns |
+|-------|-------------|---------|
+| `POST /status` | `machine_hash, token, timestamp, password` | `{ services: [...] }` |
+| `POST /test` | `machine_hash, token, timestamp, password` | `{ ok: true }` |
+| `POST /retrieve` | `+ service` | `{ value: "..." }` |
+| `POST /write` | `+ service, value` | `{ ok: true }` |
+| `POST /enable` | `+ service, enabled: bool` | `{ ok: true }` |
+| `POST /add` | `+ name, label, key_type, description` | `{ ok: true }` |
+| `POST /remove` | `+ service, confirm: true` | `{ ok: true }` |
+| `POST /revoke` | `+ service, confirm: true` | `{ ok: true }` |
+| `POST /register-machine` | `machine_hash, hmac_seed_hash, label, admin_token` | `{ ok: true }` |
+
+All auth routes require: `machine_hash`, `token`, `timestamp`, `password`.
+
+### Password Handling
+
+- Ask the user for their clauth password **once per session**
+- Store it in working memory for the duration of the conversation
+- Never log or echo the password
+- If the user says "use clauth" or "get my github key", ask for the password if you don't have it yet
+
+---
+
+## When someone says "install clauth"
+
+### Step 1 — Install from npm
+
+```bash
+npm install -g @lifeaitools/clauth
+```
+
+If already installed, update:
+```bash
+npm update -g @lifeaitools/clauth
+```
+
+### Step 2 — Run the installer
+
+Use CLI flags to avoid interactive prompts:
+
+```bash
+clauth install --ref <supabase-project-ref> --pat <personal-access-token>
+```
+
+**Project ref** — last part of the Supabase project URL:
+`https://supabase.com/dashboard/project/` **`uvojezuorjgqzmhhgluu`**
+
+**Personal Access Token (PAT):**
+`https://supabase.com/dashboard/account/tokens` → Generate new token
+*(NOT the anon key or service_role — this is your account-level token)*
+
+The installer provisions everything and prints a **bootstrap token** — save it.
+
+### Step 3 — Setup this machine
+
+```bash
+clauth setup --admin-token <bootstrap-token> -p <password>
+```
+
+Then verify:
+```bash
+clauth test -p <password>
+clauth status -p <password>
+```
+
+### Step 4 — Write your first key
+
+```bash
+clauth write key github -p <password>     # prompts for value
+clauth enable github -p <password>
+clauth get github -p <password>
+```
+
+See `references/keys-guide.md` for where to find every credential.
+
+---
+
+## Command reference
+
+```
+clauth install [--ref R] [--pat P]     First-time: provision Supabase + install skill
+clauth setup [--admin-token T] [-p P]  Register this machine
+clauth status [-p P]                   All services + state
+clauth test [-p P]                     Verify HMAC connection
+clauth list [-p P]                     Service names
+
+clauth write key <service> [-p P]      Store a credential
+clauth write pw [-p P]                 Change password
+clauth enable <svc|all> [-p P]         Activate service
+clauth disable <svc|all> [-p P]        Suspend service
+clauth get <service> [-p P]            Retrieve a key
+
+clauth add service <n> [-p P]          Register new service
+clauth remove service <n> [-p P]       Remove service
+clauth revoke <svc|all> [-p P]         Delete key (destructive)
+
+clauth scrub                           Scrub active transcript (most recent .jsonl)
+clauth scrub <file>                    Scrub a specific file
+clauth scrub all                       Scrub all transcripts in ~/.claude/projects/
+clauth scrub all --force               Rescrub everything (ignore markers)
+
+clauth uninstall --ref R --pat P       Full teardown (DB, Edge Fn, secrets, skill, config)
+clauth uninstall --ref R --pat P --yes Skip confirmation
+```
+
+## Services
+
+`github` `supabase-anon` `supabase-service` `supabase-db`
+`vercel` `namecheap` `neo4j` `anthropic`
+`r2` `r2-bucket` `cloudflare` `rocketreach`
+
+---
+
+## Troubleshooting
+
+| Error | Fix |
+|-------|-----|
+| `machine_not_found` | Run `clauth setup` |
+| `timestamp_expired` | Sync system clock |
+| `invalid_token` | Wrong password |
+| `service_disabled` | `clauth enable <service> -p <password>` |
+| `no_key_stored` | `clauth write key <service> -p <password>` |
+| ANSI garbage output | You piped stdin — use `-p` flag instead |