npm - @lifeaitools/clauth - Versions diffs - 1.2.3 → 1.3.1 - Mend

@lifeaitools/clauth 1.2.3 → 1.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/cli/commands/serve.js CHANGED Viewed

@@ -58,7 +58,10 @@ ALTER TABLE clauth_config ENABLE ROW LEVEL SECURITY;`,
 const CURRENT_SCHEMA_VERSION = 3;
 const PID_FILE = path.join(os.tmpdir(), "clauth-serve.pid");
+const STAGED_PID_FILE = path.join(os.tmpdir(), "clauth-serve-staged.pid");
 const LOG_FILE = path.join(os.tmpdir(), "clauth-serve.log");
+const LIVE_PORT = 52437;
+const STAGED_PORT = 52438;
 // ── PID helpers ──────────────────────────────────────────────
 function readPid() {
@@ -73,6 +76,22 @@ function writePid(pid, port) {
   fs.writeFileSync(PID_FILE, `${pid}:${port}`, "utf8");
 }
+function readStagedPid() {
+  try {
+    const raw = fs.readFileSync(STAGED_PID_FILE, "utf8").trim();
+    const [pid, port] = raw.split(":");
+    return { pid: parseInt(pid, 10), port: parseInt(port, 10) };
+  } catch { return null; }
+}
+function writeStagedPid(pid, port) {
+  fs.writeFileSync(STAGED_PID_FILE, `${pid}:${port}`, "utf8");
+}
+function removeStagedPid() {
+  try { fs.unlinkSync(STAGED_PID_FILE); } catch {}
+}
 function removePid() {
   try { fs.unlinkSync(PID_FILE); } catch {}
 }
@@ -91,13 +110,13 @@ function openBrowser(url) {
 }
 // ── Dashboard HTML ───────────────────────────────────────────
-function dashboardHtml(port, whitelist) {
+function dashboardHtml(port, whitelist, isStaged = false) {
   return `<!DOCTYPE html>
 <html lang="en">
 <head>
 <meta charset="utf-8">
 <meta name="viewport" content="width=device-width,initial-scale=1">
-<title>clauth vault v${VERSION}</title>
+<title>clauth vault v${VERSION}${isStaged ? " (STAGED)" : ""}</title>
 <style>
   *{margin:0;padding:0;box-sizing:border-box}
   body{background:#0a0f1a;color:#e2e8f0;font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',sans-serif;min-height:100vh}
@@ -341,8 +360,15 @@ function dashboardHtml(port, whitelist) {
   </div>
   <div class="header">
     <div class="dot" id="dot"></div>
-    <h1>🔐 clauth vault <span style="font-size:0.55em;opacity:0.45;font-weight:400">v${VERSION}</span></h1>
+    <h1>🔐 clauth vault <span style="font-size:0.55em;opacity:0.45;font-weight:400">v${VERSION}</span>${isStaged ? `<span style="font-size:0.5em;background:#b45309;color:#fef3c7;border-radius:4px;padding:2px 10px;margin-left:12px;font-weight:600;letter-spacing:.5px">STAGED</span>` : ""}</h1>
   </div>
+  ${isStaged ? `<div id="staged-banner" style="background:linear-gradient(135deg,#78350f,#92400e);border:1px solid #b45309;border-radius:6px;padding:12px 16px;margin:0 16px 8px;display:flex;align-items:center;justify-content:space-between">
+    <div>
+      <strong style="color:#fef3c7">⚡ Staged deployment</strong>
+      <span style="color:#fcd34d;font-size:.85rem;margin-left:8px">Running on port ${port} — verify before making live</span>
+    </div>
+    <button onclick="makeLive()" style="background:#15803d;border:1px solid #16a34a;color:#dcfce7;padding:6px 16px;border-radius:4px;cursor:pointer;font-weight:600;font-size:.85rem">✓ Make Live</button>
+  </div>` : ""}
   <div id="error-bar" class="error-bar"></div>
   <div class="status-bar">
     <div>PID: <span id="s-pid">—</span></div>
@@ -364,6 +390,7 @@ function dashboardHtml(port, whitelist) {
     <button class="btn-add" onclick="toggleAddService()">+ Add Service</button>
     <button class="btn-check" id="check-btn" onclick="checkAll()">⬤ Check All</button>
     <button class="btn-lock" onclick="lockVault()">🔒 Lock</button>
+    <button class="btn-stop" onclick="stopDaemon()" style="background:#7f1d1d;border:1px solid #991b1b;color:#fca5a5" title="Stop daemon — password required on next start">⏹ Stop</button>
     <button class="btn-cancel" style="margin-left:auto" onclick="toggleChangePw()">Change Password</button>
   </div>
@@ -695,6 +722,34 @@ async function lockVault() {
   showLockScreen();
 }
+// ── Make Live (blue-green: promote staged instance to live port) ──
+async function makeLive() {
+  if (!confirm("Promote this staged instance to live?\\n\\nThe current live daemon (port ${LIVE_PORT}) will be stopped and this instance will restart on port ${LIVE_PORT}.")) return;
+  const banner = document.getElementById("staged-banner");
+  if (banner) banner.innerHTML = '<div style="color:#fef3c7"><strong>⏳ Promoting to live...</strong></div>';
+  try {
+    const resp = await fetch(BASE + "/make-live", { method: "POST" });
+    const data = await resp.json();
+    if (data.ok) {
+      document.getElementById("main-view").innerHTML = '<div style="text-align:center;padding:80px 20px"><div style="font-size:3rem;margin-bottom:16px">✅</div><div style="font-size:1.1rem;color:#4ade80">Promoted to live!</div><div style="font-size:.85rem;color:#94a3b8;margin-top:8px">Restarting on port ${LIVE_PORT}... page will reload in 5 seconds.</div></div>';
+      setTimeout(() => { window.location.href = "http://127.0.0.1:" + ${LIVE_PORT}; }, 5000);
+    } else {
+      if (banner) banner.innerHTML = '<div style="color:#fca5a5"><strong>❌ Promotion failed:</strong> ' + (data.error || 'unknown') + '</div>';
+    }
+  } catch (err) {
+    if (banner) banner.innerHTML = '<div style="color:#fca5a5"><strong>❌ Promotion failed:</strong> ' + err.message + '</div>';
+  }
+}
+// ── Stop daemon (user-initiated — clears boot.key, requires password on restart) ──
+async function stopDaemon() {
+  if (!confirm("Stop the daemon?\\n\\nCredentials will need to be re-entered on next start.")) return;
+  try {
+    await fetch(BASE + "/shutdown-ui", { method: "POST" });
+  } catch {}
+  document.getElementById("main-view").innerHTML = '<div style="text-align:center;padding:80px 20px"><div style="font-size:3rem;margin-bottom:16px">⏹</div><div style="font-size:1.1rem;color:#94a3b8">Daemon stopped</div><div style="font-size:.85rem;color:#64748b;margin-top:8px">Restart with: clauth serve start</div></div>';
+}
 // ── Load services ───────────────────────────
 let allServices = [];
 let activeProjectTab = "all";
@@ -1780,7 +1835,7 @@ function readBody(req) {
 }
 // ── Server logic (shared by foreground + daemon) ─────────────
-function createServer(initPassword, whitelist, port, tunnelHostnameInit = null) {
+function createServer(initPassword, whitelist, port, tunnelHostnameInit = null, isStaged = false) {
   // tunnelHostname may be updated at runtime (fetched from DB after unlock)
   let tunnelHostname = tunnelHostnameInit;
@@ -1916,6 +1971,7 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null)
       const proc = spawnProc(cfBin, args, {
         stdio: ["ignore", "pipe", "pipe"],
+        windowsHide: true,
       });
       tunnelProc = proc;
@@ -2516,7 +2572,7 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null)
     // GET / — built-in web dashboard
     if (method === "GET" && reqPath === "/") {
       res.writeHead(200, { "Content-Type": "text/html", ...CORS });
-      return res.end(dashboardHtml(port, whitelist));
+      return res.end(dashboardHtml(port, whitelist, isStaged));
     }
     // GET /ping
@@ -2532,6 +2588,7 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null)
         tunnel_status: tunnelStatus,
         tunnel_url: tunnelUrl || null,
         app_version: VERSION,
+        staged: isStaged,
         schema_version: CURRENT_SCHEMA_VERSION,
       });
     }
@@ -2603,7 +2660,7 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null)
       return ok(res, { status: tunnelStatus });
     }
-    // GET /shutdown (for daemon stop)
+    // GET /shutdown (for daemon stop — programmatic, keeps boot.key)
     if (method === "GET" && reqPath === "/shutdown") {
       stopTunnel();
       ok(res, { ok: true, message: "shutting down" });
@@ -2612,6 +2669,100 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null)
       return;
     }
+    // POST /shutdown-ui (user-initiated stop — clears boot.key so password is required on restart)
+    if (method === "POST" && reqPath === "/shutdown-ui") {
+      stopTunnel();
+      // Clear boot.key so watchdog can't auto-unlock on restart
+      const bootKeyPath = getBootKeyPath();
+      if (bootKeyPath) {
+        try { fs.unlinkSync(bootKeyPath); } catch {}
+      }
+      ok(res, { ok: true, message: "shutting down (user-initiated, boot.key cleared)" });
+      const logLine = `[${new Date().toISOString()}] User-initiated shutdown via UI — boot.key cleared\n`;
+      try { fs.appendFileSync(LOG_FILE, logLine); } catch {}
+      removePid();
+      setTimeout(() => process.exit(0), 100);
+      return;
+    }
+    // POST /make-live (blue-green: staged instance promotes itself to live port)
+    if (method === "POST" && reqPath === "/make-live") {
+      if (!isStaged) {
+        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "Not a staged instance" }));
+      }
+      const logLine = `[${new Date().toISOString()}] Make-live: promoting staged (port ${port}) to live (port ${LIVE_PORT})\n`;
+      try { fs.appendFileSync(LOG_FILE, logLine); } catch {}
+      // Stop the current live daemon if running
+      try { await fetch(`http://127.0.0.1:${LIVE_PORT}/shutdown`); } catch {}
+      // Wait for port to be released (Windows is slow to release sockets)
+      let portFree = false;
+      for (let i = 0; i < 10; i++) {
+        await new Promise(r => setTimeout(r, 1000));
+        try {
+          await fetch(`http://127.0.0.1:${LIVE_PORT}/ping`);
+          // Still responding — not dead yet
+        } catch {
+          portFree = true;
+          break;
+        }
+      }
+      if (!portFree) {
+        const errLog = `[${new Date().toISOString()}] Make-live: live daemon on port ${LIVE_PORT} failed to stop within 10s\n`;
+        try { fs.appendFileSync(LOG_FILE, errLog); } catch {}
+      }
+      // Stop tunnel on this instance (will restart on new port)
+      stopTunnel();
+      // Clean up staged PID file
+      removeStagedPid();
+      // Spawn a new daemon on the live port with same credentials
+      const { spawn } = await import("child_process");
+      const cliEntry = path.resolve(__dirname, "../index.js");
+      const childArgs = [cliEntry, "serve", "start", "--port", String(LIVE_PORT)];
+      if (password) childArgs.push("--pw", password);
+      if (whitelist) childArgs.push("--services", whitelist.join(","));
+      if (tunnelHostname) childArgs.push("--tunnel", tunnelHostname);
+      const out = fs.openSync(LOG_FILE, "a");
+      const childEnv = { ...process.env, __CLAUTH_DAEMON: "1" };
+      delete childEnv.__CLAUTH_STAGED;  // Clear staged flag — child is live
+      const child = spawn(process.execPath, childArgs, {
+        detached: true,
+        stdio: ["ignore", out, out],
+        env: childEnv,
+      });
+      child.unref();
+      // Wait for new live daemon to be reachable
+      let promoted = false;
+      for (let i = 0; i < 8; i++) {
+        await new Promise(r => setTimeout(r, 1000));
+        try {
+          const resp = await fetch(`http://127.0.0.1:${LIVE_PORT}/ping`);
+          if (resp.ok) { promoted = true; break; }
+        } catch {}
+      }
+      if (promoted) {
+        const okLog = `[${new Date().toISOString()}] Make-live: promoted to live on port ${LIVE_PORT}\n`;
+        try { fs.appendFileSync(LOG_FILE, okLog); } catch {}
+        ok(res, { ok: true, message: "promoted to live", live_port: LIVE_PORT });
+      } else {
+        const failLog = `[${new Date().toISOString()}] Make-live: new daemon failed to start on port ${LIVE_PORT}\n`;
+        try { fs.appendFileSync(LOG_FILE, failLog); } catch {}
+        ok(res, { ok: false, error: "New daemon failed to start on live port — check log" });
+      }
+      // Self-terminate after response is sent
+      setTimeout(() => process.exit(0), 500);
+      return;
+    }
     // Locked guard — returns true if locked and already responded
     function lockedGuard(res) {
       if (!password) {
@@ -2708,6 +2859,25 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null)
         password = pw;   // unlock — store in process memory only
         const logLine = `[${new Date().toISOString()}] Vault unlocked\n`;
         try { fs.appendFileSync(LOG_FILE, logLine); } catch {}
+        // Auto-seal: DPAPI-encrypt password to boot.key for passwordless crash recovery
+        // Only on Windows; only if autostart dir exists (i.e., install was run)
+        if (os.platform() === "win32") {
+          const autostartDir = path.join(os.homedir(), "AppData", "Roaming", "clauth");
+          const bootKeyPath = path.join(autostartDir, "boot.key");
+          if (fs.existsSync(autostartDir)) {
+            try {
+              const pwEscaped = pw.replace(/'/g, "''");
+              const psExpr = `[Convert]::ToBase64String([Security.Cryptography.ProtectedData]::Protect([Text.Encoding]::UTF8.GetBytes('${pwEscaped}'),$null,'CurrentUser'))`;
+              const encrypted = execSyncTop(`powershell -NoProfile -Command "${psExpr}"`, { encoding: "utf8", timeout: 5000 }).trim();
+              fs.writeFileSync(bootKeyPath, encrypted, "utf8");
+              const sealLog = `[${new Date().toISOString()}] Auto-sealed boot.key via DPAPI (crash recovery enabled)\n`;
+              try { fs.appendFileSync(LOG_FILE, sealLog); } catch {}
+            } catch (sealErr) {
+              const sealLog = `[${new Date().toISOString()}] Auto-seal failed (non-fatal): ${sealErr.message}\n`;
+              try { fs.appendFileSync(LOG_FILE, sealLog); } catch {}
+            }
+          }
+        }
         // Auto-start tunnel: --tunnel flag takes priority, otherwise fetch from DB
         if (!tunnelHostname) {
           fetchTunnelConfig().then(configured => {
@@ -3426,23 +3596,43 @@ async function verifyAuth(password) {
 }
 async function actionStart(opts) {
-  const port     = parseInt(opts.port || "52437", 10);
+  const isStaged = !!opts.staged || process.env.__CLAUTH_STAGED === "1";
+  const port     = isStaged ? STAGED_PORT : parseInt(opts.port || String(LIVE_PORT), 10);
   const password = opts.pw;
   const tunnelHostname = opts.tunnel || null;
   const whitelist = opts.services
     ? opts.services.split(",").map(s => s.trim().toLowerCase())
     : null;
-  // Check for existing instance
-  const existing = readPid();
-  if (existing && isProcessAlive(existing.pid)) {
-    console.log(chalk.yellow(`\n  clauth serve already running (PID ${existing.pid}, port ${existing.port})`));
-    console.log(chalk.gray(`  Stop it first: clauth serve stop\n`));
-    process.exit(1);
+  if (isStaged) {
+    // Staged mode: allow running alongside live instance
+    const existingStaged = readStagedPid();
+    if (existingStaged) {
+      try {
+        const resp = await fetch(`http://127.0.0.1:${existingStaged.port}/ping`);
+        if (resp.ok) {
+          console.log(chalk.yellow(`\n  Staged instance already running (PID ${existingStaged.pid}, port ${existingStaged.port})`));
+          console.log(chalk.gray(`  Open http://127.0.0.1:${existingStaged.port} to verify, then click Make Live\n`));
+          process.exit(1);
+        }
+      } catch {}
+      removeStagedPid();
+    }
+  } else {
+    // Normal mode: check for existing instance
+    const existing = readPid();
+    if (existing && isProcessAlive(existing.pid)) {
+      console.log(chalk.yellow(`\n  clauth serve already running (PID ${existing.pid}, port ${existing.port})`));
+      console.log(chalk.gray(`  Stop it first: clauth serve stop\n`));
+      process.exit(1);
+    }
   }
   // If we're the daemon child, run the server directly
   if (process.env.__CLAUTH_DAEMON === "1") {
+    // Set process title for task manager visibility
+    process.title = isStaged ? `clauth-staged (port ${port})` : `clauth (port ${port})`;
     // Verify password only if one was provided at start (optional — browser can unlock later)
     if (password) {
       try {
@@ -3454,10 +3644,15 @@ async function actionStart(opts) {
       }
     }
-    const server = createServer(password, whitelist, port, tunnelHostname);
+    const server = createServer(password, whitelist, port, tunnelHostname, isStaged);
     server.listen(port, "127.0.0.1", () => {
-      writePid(process.pid, port);
-      const msg = `[${new Date().toISOString()}] clauth serve started — PID ${process.pid}, port ${port}, services: ${whitelist ? whitelist.join(",") : "all"}\n`;
+      if (isStaged) {
+        writeStagedPid(process.pid, port);
+      } else {
+        writePid(process.pid, port);
+      }
+      const label = isStaged ? "STAGED" : "LIVE";
+      const msg = `[${new Date().toISOString()}] clauth serve started [${label}] — PID ${process.pid}, port ${port}, services: ${whitelist ? whitelist.join(",") : "all"}\n`;
       fs.appendFileSync(LOG_FILE, msg);
     });
@@ -3467,7 +3662,10 @@ async function actionStart(opts) {
       process.exit(1);
     });
-    const shutdown = () => { removePid(); process.exit(0); };
+    const shutdown = () => {
+      if (isStaged) { removeStagedPid(); } else { removePid(); }
+      process.exit(0);
+    };
     process.on("SIGTERM", shutdown);
     process.on("SIGINT", shutdown);
     return;
@@ -3499,12 +3697,13 @@ async function actionStart(opts) {
   if (password) childArgs.push("--pw", password);
   if (opts.services) childArgs.push("--services", opts.services);
   if (tunnelHostname) childArgs.push("--tunnel", tunnelHostname);
+  if (isStaged) childArgs.push("--staged");
   const out = fs.openSync(LOG_FILE, "a");
   const child = spawn(process.execPath, childArgs, {
     detached: true,
     stdio: ["ignore", out, out],
-    env: { ...process.env, __CLAUTH_DAEMON: "1" },
+    env: { ...process.env, __CLAUTH_DAEMON: "1", ...(isStaged ? { __CLAUTH_STAGED: "1" } : {}) },
   });
   child.unref();
@@ -3519,14 +3718,18 @@ async function actionStart(opts) {
     } catch {}
   }
-  const info = readPid();
+  const readInfo = isStaged ? readStagedPid : readPid;
+  const info = readInfo();
   if (started && info) {
-    console.log(chalk.green(`\n  🔐 clauth serve started`));
+    const label = isStaged ? "⚡ STAGED" : "🔐";
+    console.log(chalk.green(`\n  ${label} clauth serve started`));
     console.log(chalk.gray(`  PID:      ${info.pid}`));
     console.log(chalk.gray(`  Port:     127.0.0.1:${info.port}`));
     console.log(chalk.gray(`  Services: ${whitelist ? whitelist.join(", ") : "all"}`));
     console.log(chalk.gray(`  Log:      ${LOG_FILE}`));
-    if (!password) {
+    if (isStaged) {
+      console.log(chalk.yellow(`\n  ⚡ Staged on port ${port} — open dashboard to verify, then click "Make Live"`));
+    } else if (!password) {
       console.log(chalk.cyan(`\n  👉 Open http://127.0.0.1:${info.port} to unlock the vault`));
     }
     console.log(chalk.gray(`  Stop:     clauth serve stop\n`));
@@ -4317,19 +4520,33 @@ async function installWindows(pw, tunnelHostname, execSync) {
     ].join("\n");
     fs.writeFileSync(psScriptPath, psScript, "utf8");
   } else {
-    // ── First-run mode: no password yet — start locked, browser opens for setup ──
-    // Watchdog starts the daemon in locked mode; user enters password in the browser dashboard.
-    // After entering password in the browser, user can seal it for future unattended restarts
-    // by running: clauth serve seal
+    // ── Adaptive mode: check for boot.key on each restart ──
+    // If boot.key exists (auto-sealed after browser unlock), decrypt and start unlocked.
+    // If boot.key missing (user clicked Stop, or first run), start locked + open browser.
     const psScript = [
-      "# clauth autostart + watchdog (locked mode — browser password entry)",
-      "# Starts daemon locked, opens browser for password. Restarts on crash every 15s.",
+      "# clauth autostart + watchdog (adaptive: sealed if boot.key exists, locked otherwise)",
+      "# Restarts on crash every 15s. Auto-unlock if DPAPI boot.key available.",
+      "",
+      `$bootKey = '${bootKey}'`,
       "",
       "while ($true) {",
       "  try {",
       "    $ping = Invoke-RestMethod -Uri 'http://127.0.0.1:52437/ping' -TimeoutSec 3 -ErrorAction Stop",
       "  } catch {",
-      `    Start-Process '${nodeExe}' -ArgumentList "'${cliEntry}' serve start${tunnelArg}" -WindowStyle Hidden`,
+      "    if (Test-Path $bootKey) {",
+      "      # boot.key exists — decrypt via DPAPI and start unlocked",
+      "      try {",
+      "        $enc = (Get-Content $bootKey -Raw).Trim()",
+      "        $pw = [Text.Encoding]::UTF8.GetString([Security.Cryptography.ProtectedData]::Unprotect([Convert]::FromBase64String($enc),$null,'CurrentUser'))",
+      `        Start-Process '${nodeExe}' -ArgumentList "'${cliEntry}' serve start -p $pw${tunnelArg}" -WindowStyle Hidden`,
+      "      } catch {",
+      "        # DPAPI decrypt failed — start locked",
+      `        Start-Process '${nodeExe}' -ArgumentList "'${cliEntry}' serve start${tunnelArg}" -WindowStyle Hidden`,
+      "      }",
+      "    } else {",
+      "      # No boot.key — start locked, user enters password in browser",
+      `      Start-Process '${nodeExe}' -ArgumentList "'${cliEntry}' serve start${tunnelArg}" -WindowStyle Hidden`,
+      "    }",
       "    Start-Sleep -Seconds 5",
       "  }",
       "  Start-Sleep -Seconds 15",
@@ -4338,20 +4555,38 @@ async function installWindows(pw, tunnelHostname, execSync) {
     fs.writeFileSync(psScriptPath, psScript, "utf8");
   }
-  // Register Windows Scheduled Task — triggers on user logon
+  // Register auto-start — try HKCU\Run first (no admin), fall back to Scheduled Task
   const mode = pw ? "sealed — fully unattended" : "locked — browser password entry";
-  const spinner2 = ora(`Registering Scheduled Task (${mode})...`).start();
+  const spinner2 = ora(`Registering auto-start (${mode})...`).start();
+  const psScriptEsc = psScriptPath.replace(/\\/g, "\\\\");
+  const regValue = `powershell.exe -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -File "${psScriptEsc}"`;
+  let autoStartOk = false;
+  // Method 1: HKCU\Run registry key (no elevation needed)
   try {
-    const psScriptEsc = psScriptPath.replace(/\\/g, "\\\\");
-    const args = `-NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -File "${psScriptEsc}"`;
+    const regExe = `${process.env.SystemRoot || "C:\\\\Windows"}\\\\System32\\\\reg.exe`;
+    // Use single-backslash path for reg key (reg.exe expects it)
+    const regKey = "HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run";
     execSync(
-      `${process.env.SystemRoot || "C:\\\\Windows"}\\\\System32\\\\schtasks.exe /create /f /tn "${TASK_NAME}" /sc onlogon /tr "powershell.exe ${args}"`,
+      `${regExe} add "${regKey}" /v "${TASK_NAME}" /t REG_SZ /d "${regValue}" /f`,
       { encoding: "utf8", stdio: "pipe" }
     );
-    spinner2.succeed(chalk.green(`Scheduled Task "${TASK_NAME}" registered`));
-  } catch (err) {
-    spinner2.fail(chalk.yellow(`Scheduled task failed (non-fatal): ${err.message}`));
-    console.log(chalk.gray("  You can still start manually: clauth serve start"));
+    spinner2.succeed(chalk.green(`Registry auto-start registered (HKCU\\Run)`));
+    autoStartOk = true;
+  } catch {
+    // Method 2: Scheduled Task (needs admin)
+    try {
+      const args = `-NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -File "${psScriptEsc}"`;
+      execSync(
+        `${process.env.SystemRoot || "C:\\\\Windows"}\\\\System32\\\\schtasks.exe /create /f /tn "${TASK_NAME}" /sc onlogon /tr "powershell.exe ${args}"`,
+        { encoding: "utf8", stdio: "pipe" }
+      );
+      spinner2.succeed(chalk.green(`Scheduled Task "${TASK_NAME}" registered`));
+      autoStartOk = true;
+    } catch (err) {
+      spinner2.fail(chalk.yellow(`Auto-start registration failed (non-fatal): ${err.message}`));
+      console.log(chalk.gray("  You can still start manually: clauth serve start"));
+    }
   }
   // Start the daemon now
@@ -4600,7 +4835,14 @@ async function uninstallWindows(execSync) {
   const bootKeyPath  = path.join(autostartDir, "boot.key");
   const psScriptPath = path.join(autostartDir, "autostart.ps1");
-  // Remove scheduled task
+  // Remove HKCU\Run registry key
+  try {
+    const regExe = `${process.env.SystemRoot || "C:\\\\Windows"}\\\\System32\\\\reg.exe`;
+    execSync(`${regExe} delete "HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run" /v "${TASK_NAME}" /f`, { encoding: "utf8", stdio: "pipe" });
+    console.log(chalk.green(`  Removed Registry auto-start: ${TASK_NAME}`));
+  } catch { console.log(chalk.gray(`  Registry key not found (already removed): ${TASK_NAME}`)); }
+  // Remove scheduled task (legacy)
   try {
     execSync(`${process.env.SystemRoot || "C:\\\\Windows"}\\\\System32\\\\schtasks.exe /delete /f /tn "${TASK_NAME}"`, { encoding: "utf8", stdio: "pipe" });
     console.log(chalk.green(`  Removed Scheduled Task: ${TASK_NAME}`));
@@ -4678,6 +4920,53 @@ async function uninstallLinux(execSync) {
 }
 // ── Export ────────────────────────────────────────────────────
+// ── Blue-green upgrade: npm update + start staged + open dashboard ──
+async function actionUpgrade(opts) {
+  console.log(chalk.cyan("\n  ⚡ Blue-green upgrade\n"));
+  // Step 1: Check current live version
+  const liveInfo = readPid();
+  let liveVersion = "unknown";
+  if (liveInfo) {
+    try {
+      const resp = await fetch(`http://127.0.0.1:${liveInfo.port}/ping`);
+      const data = await resp.json();
+      liveVersion = data.app_version || "unknown";
+    } catch {}
+  }
+  console.log(chalk.gray(`  Live version:    v${liveVersion} (port ${liveInfo?.port || LIVE_PORT})`));
+  // Step 2: npm update
+  const spinner = ora("Updating @lifeaitools/clauth from npm...").start();
+  try {
+    execSyncTop("npm install -g @lifeaitools/clauth@latest", { encoding: "utf8", stdio: "pipe", timeout: 60000 });
+    // Read new version from installed package
+    const newPkg = JSON.parse(fs.readFileSync(
+      path.join(path.dirname(process.execPath), "..", "lib", "node_modules", "@lifeaitools", "clauth", "package.json"), "utf8"
+    ).toString());
+    spinner.succeed(chalk.green(`Updated to v${newPkg.version}`));
+    console.log(chalk.gray(`  Staged version:  v${newPkg.version} (port ${STAGED_PORT})`));
+  } catch (err) {
+    // Try alternate npm global path (Windows)
+    try {
+      const npmGlobal = path.join(os.homedir(), "AppData", "Roaming", "npm");
+      const newPkg = JSON.parse(fs.readFileSync(
+        path.join(npmGlobal, "node_modules", "@lifeaitools", "clauth", "package.json"), "utf8"
+      ).toString());
+      spinner.succeed(chalk.green(`Updated to v${newPkg.version}`));
+    } catch {
+      spinner.fail(chalk.yellow(`npm update may have failed: ${err.message}`));
+      console.log(chalk.gray("  Continuing with staged start anyway..."));
+    }
+  }
+  // Step 3: Start staged instance
+  console.log(chalk.gray(`\n  Starting staged instance on port ${STAGED_PORT}...`));
+  opts.staged = true;
+  opts.port = String(STAGED_PORT);
+  return actionStart(opts);
+}
 export async function runServe(opts) {
   const action = opts.action || "foreground";
@@ -4690,9 +4979,10 @@ export async function runServe(opts) {
     case "mcp":        return actionMcp(opts);
     case "install":    return actionInstall(opts);
     case "uninstall":  return actionUninstall();
+    case "upgrade":    return actionUpgrade(opts);
     default:
       console.log(chalk.red(`\n  Unknown serve action: ${action}`));
-      console.log(chalk.gray("  Actions: start | stop | restart | ping | foreground | mcp | install | uninstall\n"));
+      console.log(chalk.gray("  Actions: start | stop | restart | ping | foreground | mcp | install | uninstall | upgrade\n"));
       process.exit(1);
   }
 }

package/cli/index.js CHANGED Viewed

@@ -644,6 +644,7 @@ program
   .option("-p, --pw <password>", "clauth password (optional — omit to start locked, unlock in browser)")
   .option("--services <list>", "Comma-separated service whitelist (default: all)")
   .option("--tunnel <hostname>", "Fixed tunnel hostname (e.g. clauth.prtrust.fund) — uses named Cloudflare Tunnel instead of random URL")
+  .option("--staged", "Start on staging port (52438) for blue-green verification before make-live")
   .option("--action <action>", "Internal: action override for daemon child")
   .addHelpText("after", `
 Actions:
@@ -654,8 +655,9 @@ Actions:
   foreground  Run in foreground (Ctrl+C to stop) — default if no action given
   mcp         Run as MCP stdio server for Claude Code (JSON-RPC over stdin/stdout)
   install     Store password securely + register auto-start service (cross-platform)
-              Windows: DPAPI + Scheduled Task | macOS: Keychain + LaunchAgent | Linux: libsecret/openssl + systemd
+              Windows: DPAPI + HKCU\\Run | macOS: Keychain + LaunchAgent | Linux: libsecret/openssl + systemd
   uninstall   Remove auto-start service + delete stored password
+  upgrade     Blue-green upgrade: start new version on staging port, verify, then make live
 MCP SSE (built into start/foreground):
   The HTTP daemon also serves MCP SSE transport at GET /sse + POST /message.

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@lifeaitools/clauth",
-  "version": "1.2.3",
+  "version": "1.3.1",
   "description": "Hardware-bound credential vault for the LIFEAI infrastructure stack",
   "type": "module",
   "bin": {