@lifeaitools/clauth 0.4.1 → 0.5.0

package/cli/commands/uninstall.js

@@ -1,164 +1,164 @@
-// cli/commands/uninstall.js
-// clauth uninstall — full teardown: DB objects, Edge Function, secrets, skill, local config
-//
-// Reverses everything `clauth install` does:
-//   1. Drops clauth tables, policies, triggers, functions from Supabase
-//   2. Deletes auth-vault Edge Function
-//   3. Removes CLAUTH_* secrets
-//   4. Removes Claude skill directory
-//   5. Clears local config (Conf store)
-
-import { existsSync, rmSync } from 'fs';
-import { join } from 'path';
-import Conf from 'conf';
-import chalk from 'chalk';
-import ora from 'ora';
-
-const MGMT = 'https://api.supabase.com/v1';
-const SKILLS_DIR = process.env.CLAUTH_SKILLS_DIR ||
-  (process.platform === 'win32'
-    ? join(process.env.USERPROFILE || '', '.claude', 'skills')
-    : join(process.env.HOME || '', '.claude', 'skills'));
-
-// ─────────────────────────────────────────────
-// Supabase Management API helper
-// ─────────────────────────────────────────────
-async function mgmt(pat, method, path, body) {
-  const res = await fetch(`${MGMT}${path}`, {
-    method,
-    headers: { 'Authorization': `Bearer ${pat}`, 'Content-Type': 'application/json' },
-    body: body ? JSON.stringify(body) : undefined,
-  });
-  if (!res.ok) {
-    const text = await res.text().catch(() => res.statusText);
-    throw new Error(`${method} ${path} → HTTP ${res.status}: ${text}`);
-  }
-  if (res.status === 204) return {};
-  const text = await res.text();
-  if (!text) return {};
-  return JSON.parse(text);
-}
-
-// ─────────────────────────────────────────────
-// Main uninstall command
-// ─────────────────────────────────────────────
-export async function runUninstall(opts = {}) {
-  console.log(chalk.red('\n🗑️  clauth uninstall\n'));
-
-  const config = new Conf({ projectName: 'clauth' });
-
-  // ── Collect credentials ────────────────────
-  const ref = opts.ref || config.get('supabase_url')?.match(/https:\/\/(.+)\.supabase\.co/)?.[1];
-  const pat = opts.pat;
-
-  if (!ref) {
-    console.log(chalk.red('  Cannot determine Supabase project ref.'));
-    console.log(chalk.gray('  Use: clauth uninstall --ref <project-ref> --pat <personal-access-token>'));
-    process.exit(1);
-  }
-  if (!pat) {
-    console.log(chalk.red('  Supabase PAT required for teardown.'));
-    console.log(chalk.gray('  Use: clauth uninstall --ref <project-ref> --pat <personal-access-token>'));
-    process.exit(1);
-  }
-
-  console.log(chalk.gray(`  Project: ${ref}\n`));
-
-  // ── Step 1: Drop database objects ──────────
-  const s1 = ora('Dropping clauth database objects...').start();
-  const teardownSQL = `
-    -- Drop triggers
-    DROP TRIGGER IF EXISTS clauth_services_updated ON public.clauth_services;
-
-    -- Drop tables (CASCADE drops policies automatically)
-    DROP TABLE IF EXISTS public.clauth_audit CASCADE;
-    DROP TABLE IF EXISTS public.clauth_machines CASCADE;
-    DROP TABLE IF EXISTS public.clauth_services CASCADE;
-
-    -- Drop functions
-    DROP FUNCTION IF EXISTS public.clauth_touch_updated() CASCADE;
-    DROP FUNCTION IF EXISTS public.clauth_upsert_vault_secret(text, text) CASCADE;
-    DROP FUNCTION IF EXISTS public.clauth_get_vault_secret(text) CASCADE;
-    DROP FUNCTION IF EXISTS public.clauth_delete_vault_secret(text) CASCADE;
-  `;
-
-  try {
-    await mgmt(pat, 'POST', `/projects/${ref}/database/query`, { query: teardownSQL });
-    s1.succeed('Database objects dropped (tables, triggers, functions, policies)');
-  } catch (e) {
-    s1.fail(`Database teardown failed: ${e.message}`);
-    console.log(chalk.yellow('  You may need to drop objects manually via SQL editor.'));
-  }
-
-  // ── Step 2: Delete Edge Function ───────────
-  const s2 = ora('Deleting auth-vault Edge Function...').start();
-  try {
-    const res = await fetch(`${MGMT}/projects/${ref}/functions/auth-vault`, {
-      method: 'DELETE',
-      headers: { 'Authorization': `Bearer ${pat}` },
-    });
-    if (res.ok || res.status === 404) {
-      s2.succeed(res.status === 404
-        ? 'Edge Function not found (already deleted)'
-        : 'Edge Function deleted');
-    } else {
-      const text = await res.text().catch(() => res.statusText);
-      throw new Error(`HTTP ${res.status}: ${text}`);
-    }
-  } catch (e) {
-    s2.fail(`Edge Function delete failed: ${e.message}`);
-    console.log(chalk.yellow('  Delete manually: Supabase Dashboard → Edge Functions → auth-vault → Delete'));
-  }
-
-  // ── Step 3: Remove secrets ─────────────────
-  const s3 = ora('Removing clauth secrets...').start();
-  try {
-    // Supabase Management API: DELETE /projects/{ref}/secrets with body listing secret names
-    const res = await fetch(`${MGMT}/projects/${ref}/secrets`, {
-      method: 'DELETE',
-      headers: { 'Authorization': `Bearer ${pat}`, 'Content-Type': 'application/json' },
-      body: JSON.stringify(['CLAUTH_HMAC_SALT', 'CLAUTH_ADMIN_BOOTSTRAP_TOKEN']),
-    });
-    if (res.ok) {
-      s3.succeed('Secrets removed (CLAUTH_HMAC_SALT, CLAUTH_ADMIN_BOOTSTRAP_TOKEN)');
-    } else {
-      const text = await res.text().catch(() => res.statusText);
-      throw new Error(`HTTP ${res.status}: ${text}`);
-    }
-  } catch (e) {
-    s3.warn(`Secret removal failed: ${e.message}`);
-    console.log(chalk.yellow('  Remove manually: Supabase → Settings → Edge Functions → Secrets'));
-  }
-
-  // ── Step 4: Remove Claude skill ────────────
-  const s4 = ora('Removing Claude skill...').start();
-  const skillDir = join(SKILLS_DIR, 'clauth');
-  if (existsSync(skillDir)) {
-    try {
-      rmSync(skillDir, { recursive: true, force: true });
-      s4.succeed(`Skill removed: ${skillDir}`);
-    } catch (e) {
-      s4.warn(`Could not remove skill: ${e.message}`);
-    }
-  } else {
-    s4.succeed('Skill directory not found (already removed)');
-  }
-
-  // ── Step 5: Clear local config ─────────────
-  const s5 = ora('Clearing local config...').start();
-  try {
-    config.clear();
-    s5.succeed('Local config cleared');
-  } catch (e) {
-    s5.warn(`Could not clear config: ${e.message}`);
-  }
-
-  // ── Done ───────────────────────────────────
-  console.log('');
-  console.log(chalk.red('━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━'));
-  console.log(chalk.yellow('  ✓ clauth fully uninstalled'));
-  console.log(chalk.red('━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━'));
-  console.log('');
-  console.log(chalk.gray('  To reinstall: npx @lifeaitools/clauth install'));
-  console.log('');
-}
+// cli/commands/uninstall.js
+// clauth uninstall — full teardown: DB objects, Edge Function, secrets, skill, local config
+//
+// Reverses everything `clauth install` does:
+//   1. Drops clauth tables, policies, triggers, functions from Supabase
+//   2. Deletes auth-vault Edge Function
+//   3. Removes CLAUTH_* secrets
+//   4. Removes Claude skill directory
+//   5. Clears local config (Conf store)
+
+import { existsSync, rmSync } from 'fs';
+import { join } from 'path';
+import Conf from 'conf';
+import chalk from 'chalk';
+import ora from 'ora';
+
+const MGMT = 'https://api.supabase.com/v1';
+const SKILLS_DIR = process.env.CLAUTH_SKILLS_DIR ||
+  (process.platform === 'win32'
+    ? join(process.env.USERPROFILE || '', '.claude', 'skills')
+    : join(process.env.HOME || '', '.claude', 'skills'));
+
+// ─────────────────────────────────────────────
+// Supabase Management API helper
+// ─────────────────────────────────────────────
+async function mgmt(pat, method, path, body) {
+  const res = await fetch(`${MGMT}${path}`, {
+    method,
+    headers: { 'Authorization': `Bearer ${pat}`, 'Content-Type': 'application/json' },
+    body: body ? JSON.stringify(body) : undefined,
+  });
+  if (!res.ok) {
+    const text = await res.text().catch(() => res.statusText);
+    throw new Error(`${method} ${path} → HTTP ${res.status}: ${text}`);
+  }
+  if (res.status === 204) return {};
+  const text = await res.text();
+  if (!text) return {};
+  return JSON.parse(text);
+}
+
+// ─────────────────────────────────────────────
+// Main uninstall command
+// ─────────────────────────────────────────────
+export async function runUninstall(opts = {}) {
+  console.log(chalk.red('\n🗑️  clauth uninstall\n'));
+
+  const config = new Conf({ projectName: 'clauth' });
+
+  // ── Collect credentials ────────────────────
+  const ref = opts.ref || config.get('supabase_url')?.match(/https:\/\/(.+)\.supabase\.co/)?.[1];
+  const pat = opts.pat;
+
+  if (!ref) {
+    console.log(chalk.red('  Cannot determine Supabase project ref.'));
+    console.log(chalk.gray('  Use: clauth uninstall --ref <project-ref> --pat <personal-access-token>'));
+    process.exit(1);
+  }
+  if (!pat) {
+    console.log(chalk.red('  Supabase PAT required for teardown.'));
+    console.log(chalk.gray('  Use: clauth uninstall --ref <project-ref> --pat <personal-access-token>'));
+    process.exit(1);
+  }
+
+  console.log(chalk.gray(`  Project: ${ref}\n`));
+
+  // ── Step 1: Drop database objects ──────────
+  const s1 = ora('Dropping clauth database objects...').start();
+  const teardownSQL = `
+    -- Drop triggers
+    DROP TRIGGER IF EXISTS clauth_services_updated ON public.clauth_services;
+
+    -- Drop tables (CASCADE drops policies automatically)
+    DROP TABLE IF EXISTS public.clauth_audit CASCADE;
+    DROP TABLE IF EXISTS public.clauth_machines CASCADE;
+    DROP TABLE IF EXISTS public.clauth_services CASCADE;
+
+    -- Drop functions
+    DROP FUNCTION IF EXISTS public.clauth_touch_updated() CASCADE;
+    DROP FUNCTION IF EXISTS public.clauth_upsert_vault_secret(text, text) CASCADE;
+    DROP FUNCTION IF EXISTS public.clauth_get_vault_secret(text) CASCADE;
+    DROP FUNCTION IF EXISTS public.clauth_delete_vault_secret(text) CASCADE;
+  `;
+
+  try {
+    await mgmt(pat, 'POST', `/projects/${ref}/database/query`, { query: teardownSQL });
+    s1.succeed('Database objects dropped (tables, triggers, functions, policies)');
+  } catch (e) {
+    s1.fail(`Database teardown failed: ${e.message}`);
+    console.log(chalk.yellow('  You may need to drop objects manually via SQL editor.'));
+  }
+
+  // ── Step 2: Delete Edge Function ───────────
+  const s2 = ora('Deleting auth-vault Edge Function...').start();
+  try {
+    const res = await fetch(`${MGMT}/projects/${ref}/functions/auth-vault`, {
+      method: 'DELETE',
+      headers: { 'Authorization': `Bearer ${pat}` },
+    });
+    if (res.ok || res.status === 404) {
+      s2.succeed(res.status === 404
+        ? 'Edge Function not found (already deleted)'
+        : 'Edge Function deleted');
+    } else {
+      const text = await res.text().catch(() => res.statusText);
+      throw new Error(`HTTP ${res.status}: ${text}`);
+    }
+  } catch (e) {
+    s2.fail(`Edge Function delete failed: ${e.message}`);
+    console.log(chalk.yellow('  Delete manually: Supabase Dashboard → Edge Functions → auth-vault → Delete'));
+  }
+
+  // ── Step 3: Remove secrets ─────────────────
+  const s3 = ora('Removing clauth secrets...').start();
+  try {
+    // Supabase Management API: DELETE /projects/{ref}/secrets with body listing secret names
+    const res = await fetch(`${MGMT}/projects/${ref}/secrets`, {
+      method: 'DELETE',
+      headers: { 'Authorization': `Bearer ${pat}`, 'Content-Type': 'application/json' },
+      body: JSON.stringify(['CLAUTH_HMAC_SALT', 'CLAUTH_ADMIN_BOOTSTRAP_TOKEN']),
+    });
+    if (res.ok) {
+      s3.succeed('Secrets removed (CLAUTH_HMAC_SALT, CLAUTH_ADMIN_BOOTSTRAP_TOKEN)');
+    } else {
+      const text = await res.text().catch(() => res.statusText);
+      throw new Error(`HTTP ${res.status}: ${text}`);
+    }
+  } catch (e) {
+    s3.warn(`Secret removal failed: ${e.message}`);
+    console.log(chalk.yellow('  Remove manually: Supabase → Settings → Edge Functions → Secrets'));
+  }
+
+  // ── Step 4: Remove Claude skill ────────────
+  const s4 = ora('Removing Claude skill...').start();
+  const skillDir = join(SKILLS_DIR, 'clauth');
+  if (existsSync(skillDir)) {
+    try {
+      rmSync(skillDir, { recursive: true, force: true });
+      s4.succeed(`Skill removed: ${skillDir}`);
+    } catch (e) {
+      s4.warn(`Could not remove skill: ${e.message}`);
+    }
+  } else {
+    s4.succeed('Skill directory not found (already removed)');
+  }
+
+  // ── Step 5: Clear local config ─────────────
+  const s5 = ora('Clearing local config...').start();
+  try {
+    config.clear();
+    s5.succeed('Local config cleared');
+  } catch (e) {
+    s5.warn(`Could not clear config: ${e.message}`);
+  }
+
+  // ── Done ───────────────────────────────────
+  console.log('');
+  console.log(chalk.red('━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━'));
+  console.log(chalk.yellow('  ✓ clauth fully uninstalled'));
+  console.log(chalk.red('━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━'));
+  console.log('');
+  console.log(chalk.gray('  To reinstall: npx @lifeaitools/clauth install'));
+  console.log('');
+}

package/cli/fingerprint.js

@@ -1,91 +1,91 @@
-// cli/fingerprint.js
-// Collects stable hardware identifiers and derives HMAC tokens
-// Works on Windows (primary) + Linux/macOS (fallback)
-
-import { execSync } from "child_process";
-import { createHmac, createHash } from "crypto";
-import os from "os";
-
-// ============================================================
-// Machine ID collection
-// ============================================================
-
-function getMachineId() {
-  const platform = os.platform();
-
-  try {
-    if (platform === "win32") {
-      // Primary: BIOS UUID via WMIC
-      const uuid = execSync("wmic csproduct get uuid /format:value", {
-        encoding: "utf8", timeout: 5000, stdio: ["pipe", "pipe", "pipe"]
-      }).match(/UUID=([A-F0-9-]+)/i)?.[1]?.trim();
-
-      // Secondary: Windows MachineGuid from registry
-      const machineGuid = execSync(
-        "reg query HKLM\\SOFTWARE\\Microsoft\\Cryptography /v MachineGuid",
-        { encoding: "utf8", timeout: 5000, stdio: ["pipe", "pipe", "pipe"] }
-      ).match(/MachineGuid\s+REG_SZ\s+([a-f0-9-]+)/i)?.[1]?.trim();
-
-      if (!uuid || !machineGuid) throw new Error("Could not read Windows machine IDs");
-      return { primary: uuid, secondary: machineGuid, platform: "win32" };
-    }
-
-    if (platform === "darwin") {
-      const uuid = execSync(
-        "ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformUUID/ { print $3 }'",
-        { encoding: "utf8", timeout: 5000, stdio: ["pipe", "pipe", "pipe"] }
-      ).replace(/['"]/g, "").trim();
-      return { primary: uuid, secondary: os.hostname(), platform: "darwin" };
-    }
-
-    // Linux
-    let uuid = "";
-    try { uuid = execSync("cat /etc/machine-id", { encoding: "utf8", timeout: 2000 }).trim(); }
-    catch { uuid = execSync("cat /var/lib/dbus/machine-id", { encoding: "utf8", timeout: 2000 }).trim(); }
-    return { primary: uuid, secondary: os.hostname(), platform: "linux" };
-
-  } catch (err) {
-    throw new Error(`Machine ID collection failed: ${err.message}`);
-  }
-}
-
-// ============================================================
-// Derive stable machine hash (what gets stored in Supabase)
-// ============================================================
-
-export function getMachineHash() {
-  const { primary, secondary } = getMachineId();
-  return createHash("sha256")
-    .update(`${primary}:${secondary}`)
-    .digest("hex");
-}
-
-// ============================================================
-// Derive HMAC token for a given password + timestamp
-// ============================================================
-
-export function deriveToken(password, machineHash) {
-  const windowMs = 5 * 60 * 1000;
-  const window   = Math.floor(Date.now() / windowMs);
-  const message  = `${machineHash}:${window}`;
-  
-  // Server reconstructs this — password + CLAUTH_HMAC_SALT
-  // Client sends token; server adds its SALT to the password before verifying
-  const token = createHmac("sha256", password)
-    .update(message)
-    .digest("hex");
-
-  return { token, timestamp: window * windowMs, machineHash };
-}
-
-// ============================================================
-// Derive HMAC seed hash (stored during machine registration)
-// ============================================================
-
-export function deriveSeedHash(machineHash, password) {
-  return createHash("sha256")
-    .update(`seed:${machineHash}:${password}`)
-    .digest("hex");
-}
-
-export default { getMachineHash, deriveToken, deriveSeedHash };
+// cli/fingerprint.js
+// Collects stable hardware identifiers and derives HMAC tokens
+// Works on Windows (primary) + Linux/macOS (fallback)
+
+import { execSync } from "child_process";
+import { createHmac, createHash } from "crypto";
+import os from "os";
+
+// ============================================================
+// Machine ID collection
+// ============================================================
+
+function getMachineId() {
+  const platform = os.platform();
+
+  try {
+    if (platform === "win32") {
+      // Primary: BIOS UUID via WMIC
+      const uuid = execSync("wmic csproduct get uuid /format:value", {
+        encoding: "utf8", timeout: 5000, stdio: ["pipe", "pipe", "pipe"]
+      }).match(/UUID=([A-F0-9-]+)/i)?.[1]?.trim();
+
+      // Secondary: Windows MachineGuid from registry
+      const machineGuid = execSync(
+        "reg query HKLM\\SOFTWARE\\Microsoft\\Cryptography /v MachineGuid",
+        { encoding: "utf8", timeout: 5000, stdio: ["pipe", "pipe", "pipe"] }
+      ).match(/MachineGuid\s+REG_SZ\s+([a-f0-9-]+)/i)?.[1]?.trim();
+
+      if (!uuid || !machineGuid) throw new Error("Could not read Windows machine IDs");
+      return { primary: uuid, secondary: machineGuid, platform: "win32" };
+    }
+
+    if (platform === "darwin") {
+      const uuid = execSync(
+        "ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformUUID/ { print $3 }'",
+        { encoding: "utf8", timeout: 5000, stdio: ["pipe", "pipe", "pipe"] }
+      ).replace(/['"]/g, "").trim();
+      return { primary: uuid, secondary: os.hostname(), platform: "darwin" };
+    }
+
+    // Linux
+    let uuid = "";
+    try { uuid = execSync("cat /etc/machine-id", { encoding: "utf8", timeout: 2000 }).trim(); }
+    catch { uuid = execSync("cat /var/lib/dbus/machine-id", { encoding: "utf8", timeout: 2000 }).trim(); }
+    return { primary: uuid, secondary: os.hostname(), platform: "linux" };
+
+  } catch (err) {
+    throw new Error(`Machine ID collection failed: ${err.message}`);
+  }
+}
+
+// ============================================================
+// Derive stable machine hash (what gets stored in Supabase)
+// ============================================================
+
+export function getMachineHash() {
+  const { primary, secondary } = getMachineId();
+  return createHash("sha256")
+    .update(`${primary}:${secondary}`)
+    .digest("hex");
+}
+
+// ============================================================
+// Derive HMAC token for a given password + timestamp
+// ============================================================
+
+export function deriveToken(password, machineHash) {
+  const windowMs = 5 * 60 * 1000;
+  const window   = Math.floor(Date.now() / windowMs);
+  const message  = `${machineHash}:${window}`;
+  
+  // Server reconstructs this — password + CLAUTH_HMAC_SALT
+  // Client sends token; server adds its SALT to the password before verifying
+  const token = createHmac("sha256", password)
+    .update(message)
+    .digest("hex");
+
+  return { token, timestamp: window * windowMs, machineHash };
+}
+
+// ============================================================
+// Derive HMAC seed hash (stored during machine registration)
+// ============================================================
+
+export function deriveSeedHash(machineHash, password) {
+  return createHash("sha256")
+    .update(`seed:${machineHash}:${password}`)
+    .digest("hex");
+}
+
+export default { getMachineHash, deriveToken, deriveSeedHash };

package/cli/index.js

@@ -12,7 +12,7 @@ import * as api from "./api.js";
 import os from "os";
 
 const config = new Conf(getConfOptions());
-const VERSION = "0.4.1";
+const VERSION = "0.5.0";
 
 // ============================================================
 // Password prompt helper
@@ -478,6 +478,10 @@ Actions:
   foreground  Run in foreground (Ctrl+C to stop) — default if no action given
   mcp         Run as MCP stdio server for Claude Code (JSON-RPC over stdin/stdout)
 
+MCP SSE (built into start/foreground):
+  The HTTP daemon also serves MCP SSE transport at GET /sse + POST /message.
+  Connect claude.ai via Cloudflare Tunnel pointing to http://127.0.0.1:52437/sse
+
 Examples:
   clauth serve start                     Start locked — unlock at http://127.0.0.1:52437
   clauth serve start -p mypass           Start pre-unlocked (password in memory only)

package/install.ps1

@@ -1,44 +1,44 @@
-# clauth installer — Windows
-# One-liner: iex ((New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/LIFEAI/clauth/main/install.ps1'))
-
-$ErrorActionPreference = "Stop"
-$REPO = "https://github.com/LIFEAI/clauth.git"
-$DIR  = "$env:USERPROFILE\.clauth"
-
-# Check git
-try { git --version | Out-Null } catch {
-    Write-Host ""
-    Write-Host "  x git is required." -ForegroundColor Red
-    Write-Host "    Install from https://git-scm.com then re-run this script."
-    Write-Host ""
-    exit 1
-}
-
-# Check Node
-try { node --version | Out-Null } catch {
-    Write-Host ""
-    Write-Host "  x Node.js v18+ is required." -ForegroundColor Red
-    Write-Host "    Install from https://nodejs.org then re-run this script."
-    Write-Host ""
-    exit 1
-}
-
-# Clone or update
-if (Test-Path "$DIR\.git") {
-    Write-Host "  Updating clauth..."
-    Set-Location $DIR; git pull --quiet
-} else {
-    Write-Host "  Cloning clauth..."
-    git clone --quiet $REPO $DIR
-}
-
-# Run compiled bootstrap binary
-$bootstrap = "$DIR\scripts\bin\bootstrap-win.exe"
-if (-not (Test-Path $bootstrap)) {
-    Write-Host "  x Bootstrap binary not found at $bootstrap" -ForegroundColor Red
-    exit 1
-}
-
-Set-Location $DIR
-& $bootstrap
-exit $LASTEXITCODE
+# clauth installer — Windows
+# One-liner: iex ((New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/LIFEAI/clauth/main/install.ps1'))
+
+$ErrorActionPreference = "Stop"
+$REPO = "https://github.com/LIFEAI/clauth.git"
+$DIR  = "$env:USERPROFILE\.clauth"
+
+# Check git
+try { git --version | Out-Null } catch {
+    Write-Host ""
+    Write-Host "  x git is required." -ForegroundColor Red
+    Write-Host "    Install from https://git-scm.com then re-run this script."
+    Write-Host ""
+    exit 1
+}
+
+# Check Node
+try { node --version | Out-Null } catch {
+    Write-Host ""
+    Write-Host "  x Node.js v18+ is required." -ForegroundColor Red
+    Write-Host "    Install from https://nodejs.org then re-run this script."
+    Write-Host ""
+    exit 1
+}
+
+# Clone or update
+if (Test-Path "$DIR\.git") {
+    Write-Host "  Updating clauth..."
+    Set-Location $DIR; git pull --quiet
+} else {
+    Write-Host "  Cloning clauth..."
+    git clone --quiet $REPO $DIR
+}
+
+# Run compiled bootstrap binary
+$bootstrap = "$DIR\scripts\bin\bootstrap-win.exe"
+if (-not (Test-Path $bootstrap)) {
+    Write-Host "  x Bootstrap binary not found at $bootstrap" -ForegroundColor Red
+    exit 1
+}
+
+Set-Location $DIR
+& $bootstrap
+exit $LASTEXITCODE