@lifeaitools/clauth 1.3.1 → 1.4.0

package/cli/commands/serve.js

@@ -53,9 +53,347 @@ ALTER TABLE clauth_machines ADD COLUMN IF NOT EXISTS locked boolean NOT NULL DEF
 );
 ALTER TABLE clauth_config ENABLE ROW LEVEL SECURITY;`,
   },
+  {
+    version: 4,
+    name: "004_key_rotation",
+    description: "Key rotation tracking — expiry dates, rotation policy, rotation log",
+    type: "safe",
+    sql: `ALTER TABLE clauth_services ADD COLUMN IF NOT EXISTS expires_at timestamptz;
+ALTER TABLE clauth_services ADD COLUMN IF NOT EXISTS rotation_policy text NOT NULL DEFAULT 'none';
+ALTER TABLE clauth_services ADD COLUMN IF NOT EXISTS rotation_days integer NOT NULL DEFAULT 30;
+ALTER TABLE clauth_services ADD COLUMN IF NOT EXISTS last_rotated_at timestamptz;
+CREATE TABLE IF NOT EXISTS clauth_rotation_log (
+  id          bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
+  service     text NOT NULL,
+  action      text NOT NULL,
+  status      text NOT NULL,
+  detail      text,
+  created_at  timestamptz DEFAULT now()
+);
+ALTER TABLE clauth_rotation_log ENABLE ROW LEVEL SECURITY;`,
+  },
 ];
 
-const CURRENT_SCHEMA_VERSION = 3;
+const CURRENT_SCHEMA_VERSION = 4;
+
+// ── Key Rotation Config ─────────────────────────────────────────
+// Per-service rotation capabilities. "auto" services can be rotated programmatically.
+// "manual" services require dashboard/UI action. "none" means static keys.
+const ROTATION_CONFIG = {
+  "cloudflare": {
+    policy: "auto",
+    defaultDays: 30,
+    description: "Cloudflare API Token",
+    async rotate(currentKey) {
+      // Step 1: List tokens to find current token's ID and permissions
+      const listResp = await fetch("https://api.cloudflare.com/client/v4/user/tokens", {
+        headers: { "Authorization": `Bearer ${currentKey}`, "Content-Type": "application/json" },
+      });
+      const listData = await listResp.json();
+      if (!listData.success) throw new Error(`CF list tokens: ${listData.errors?.[0]?.message || "failed"}`);
+
+      const currentToken = listData.result?.find(t => t.status === "active");
+      if (!currentToken) throw new Error("No active CF token found");
+
+      // Step 2: Create a new token with same policies
+      const createResp = await fetch("https://api.cloudflare.com/client/v4/user/tokens", {
+        method: "POST",
+        headers: { "Authorization": `Bearer ${currentKey}`, "Content-Type": "application/json" },
+        body: JSON.stringify({
+          name: `${currentToken.name} (rotated ${new Date().toISOString().slice(0, 10)})`,
+          policies: currentToken.policies,
+          expires_on: new Date(Date.now() + 30 * 86400000).toISOString(),
+        }),
+      });
+      const createData = await createResp.json();
+      if (!createData.success) throw new Error(`CF create token: ${createData.errors?.[0]?.message || "failed"}`);
+
+      const newKey = createData.result?.value;
+      if (!newKey) throw new Error("CF token created but no value returned");
+
+      // Step 3: Verify new token works
+      const verifyResp = await fetch("https://api.cloudflare.com/client/v4/user/tokens/verify", {
+        headers: { "Authorization": `Bearer ${newKey}` },
+      });
+      const verifyData = await verifyResp.json();
+      if (!verifyData.success) throw new Error("New CF token failed verification");
+
+      // Step 4: Delete old token
+      await fetch(`https://api.cloudflare.com/client/v4/user/tokens/${currentToken.id}`, {
+        method: "DELETE",
+        headers: { "Authorization": `Bearer ${newKey}` },
+      });
+
+      return { newKey, expiresAt: createData.result.expires_on };
+    },
+  },
+  "cloudfare-dns": {
+    policy: "auto",
+    defaultDays: 30,
+    description: "Cloudflare DNS Token",
+    // Same rotation logic as cloudflare — they're both CF API tokens
+    async rotate(currentKey) {
+      return ROTATION_CONFIG["cloudflare"].rotate(currentKey);
+    },
+  },
+  "npm": {
+    policy: "auto",
+    defaultDays: 30,
+    description: "npm Granular Token",
+    async rotate(currentKey) {
+      // Step 1: Create new token
+      const createResp = await fetch("https://registry.npmjs.org/-/npm/v1/tokens", {
+        method: "POST",
+        headers: {
+          "Authorization": `Bearer ${currentKey}`,
+          "Content-Type": "application/json",
+        },
+        body: JSON.stringify({
+          password: "", // granular tokens don't need password for automation tokens
+          cidr_whitelist: [],
+        }),
+      });
+      if (!createResp.ok) throw new Error(`npm create token: HTTP ${createResp.status}`);
+      const createData = await createResp.json();
+      const newKey = createData.token;
+      if (!newKey) throw new Error("npm token created but no value returned");
+
+      // Step 2: Delete old token (get its key hash first)
+      const listResp = await fetch("https://registry.npmjs.org/-/npm/v1/tokens", {
+        headers: { "Authorization": `Bearer ${newKey}` },
+      });
+      if (listResp.ok) {
+        const listData = await listResp.json();
+        // The old token shows as a different key from the new one
+        const oldToken = listData.objects?.find(t => t.key !== createData.key);
+        if (oldToken) {
+          await fetch(`https://registry.npmjs.org/-/npm/v1/tokens/token/${oldToken.key}`, {
+            method: "DELETE",
+            headers: { "Authorization": `Bearer ${newKey}` },
+          });
+        }
+      }
+
+      return { newKey, expiresAt: null }; // npm tokens don't have built-in expiry
+    },
+  },
+  "vultr-api": {
+    policy: "auto",
+    defaultDays: 90,
+    description: "Vultr API Key",
+    async rotate(currentKey) {
+      const expiresAt = new Date(Date.now() + 90 * 86400000).toISOString();
+      const createResp = await fetch("https://api.vultr.com/v2/apikeys", {
+        method: "POST",
+        headers: {
+          "Authorization": `Bearer ${currentKey}`,
+          "Content-Type": "application/json",
+        },
+        body: JSON.stringify({
+          name: `clauth-rotated-${new Date().toISOString().slice(0, 10)}`,
+          expire: true,
+          date_expire: expiresAt,
+        }),
+      });
+      if (!createResp.ok) throw new Error(`Vultr create key: HTTP ${createResp.status}`);
+      const createData = await createResp.json();
+      const newKey = createData.api_key?.api_key;
+      if (!newKey) throw new Error("Vultr key created but no value returned");
+
+      // Delete old key
+      const listResp = await fetch("https://api.vultr.com/v2/apikeys", {
+        headers: { "Authorization": `Bearer ${newKey}` },
+      });
+      if (listResp.ok) {
+        const listData = await listResp.json();
+        const oldKey = listData.api_keys?.find(k => k.id !== createData.api_key?.id);
+        if (oldKey) {
+          await fetch(`https://api.vultr.com/v2/apikeys/${oldKey.id}`, {
+            method: "DELETE",
+            headers: { "Authorization": `Bearer ${newKey}` },
+          });
+        }
+      }
+
+      return { newKey, expiresAt };
+    },
+  },
+  // Manual-only services — track expiry but can't auto-rotate
+  "github":           { policy: "manual", defaultDays: 90,  description: "GitHub PAT (rotate in Settings > Developer settings)" },
+  "supabase-anon":    { policy: "manual", defaultDays: 365, description: "Supabase anon key (rotate via Management API or dashboard)" },
+  "supabase-service": { policy: "manual", defaultDays: 365, description: "Supabase service key (rotate via Management API or dashboard)" },
+  "supabase-db":      { policy: "none",   defaultDays: 0,   description: "Supabase DB connection string" },
+  "coolify-api":      { policy: "manual", defaultDays: 365, description: "Coolify API token (rotate in dashboard)" },
+  "rocketreach":      { policy: "manual", defaultDays: 365, description: "RocketReach API key" },
+  "namecheap":        { policy: "manual", defaultDays: 0,   description: "Namecheap API (no expiry, dashboard-only)" },
+  "neo4j":            { policy: "none",   defaultDays: 0,   description: "Neo4j connection string" },
+  "r2":               { policy: "manual", defaultDays: 365, description: "Cloudflare R2 access key" },
+  "r2-bucket":        { policy: "none",   defaultDays: 0,   description: "R2 bucket endpoint" },
+  "google-client-id":      { policy: "none", defaultDays: 0, description: "Google OAuth client ID (static)" },
+  "google-client-secret":  { policy: "none", defaultDays: 0, description: "Google OAuth client secret (static)" },
+  "google-redirect-uri":   { policy: "none", defaultDays: 0, description: "Google OAuth redirect URI (static)" },
+  "google-refresh-token":  { policy: "none", defaultDays: 0, description: "Google OAuth refresh token (auto-refreshes)" },
+};
+
+// ── Rotation Engine ─────────────────────────────────────────────
+// Runs inside createServer() as a background interval.
+// Checks all services for upcoming expiry, auto-rotates if policy=auto.
+
+function createRotationEngine(password, machineHash, logFile) {
+  const CHECK_INTERVAL_MS = 6 * 3600 * 1000; // check every 6 hours
+  const WARN_DAYS = 7; // warn when within 7 days of expiry
+  let rotationState = new Map(); // service → { expires_at, policy, rotation_days, last_rotated_at, status }
+  let rotationLog = []; // in-memory log of recent rotations (also persisted to DB)
+  let intervalHandle = null;
+
+  function getExpiryStatus(expiresAt) {
+    if (!expiresAt) return { status: "unknown", daysLeft: null, color: "gray" };
+    const days = Math.ceil((new Date(expiresAt) - Date.now()) / 86400000);
+    if (days < 0) return { status: "expired", daysLeft: days, color: "red" };
+    if (days <= WARN_DAYS) return { status: "expiring", daysLeft: days, color: "orange" };
+    if (days <= 30) return { status: "ok", daysLeft: days, color: "yellow" };
+    return { status: "ok", daysLeft: days, color: "green" };
+  }
+
+  async function loadState() {
+    // Load expiry metadata from clauth_config
+    try {
+      const { token, timestamp } = deriveToken(password, machineHash);
+      const result = await api.status(password, machineHash, token, timestamp);
+      if (!result.services) return;
+
+      for (const svc of result.services) {
+        const config = ROTATION_CONFIG[svc.name] || { policy: "none", defaultDays: 0 };
+        rotationState.set(svc.name, {
+          expires_at: svc.expires_at || null,
+          policy: svc.rotation_policy || config.policy,
+          rotation_days: svc.rotation_days || config.defaultDays,
+          last_rotated_at: svc.last_rotated_at || null,
+          status: getExpiryStatus(svc.expires_at).status,
+        });
+      }
+    } catch (err) {
+      const msg = `[${new Date().toISOString()}] Rotation engine: failed to load state: ${err.message}\n`;
+      try { fs.appendFileSync(logFile, msg); } catch {}
+    }
+  }
+
+  async function rotateService(serviceName) {
+    const config = ROTATION_CONFIG[serviceName];
+    if (!config || !config.rotate) {
+      return { ok: false, error: "No auto-rotation available for this service" };
+    }
+
+    const logEntry = { service: serviceName, action: "rotate", status: "started", detail: null, created_at: new Date().toISOString() };
+
+    try {
+      // Get current key
+      const { token, timestamp } = deriveToken(password, machineHash);
+      const retrieved = await api.retrieve(password, machineHash, token, timestamp, serviceName);
+      if (retrieved.error) throw new Error(retrieved.error);
+      const currentKey = retrieved.value;
+
+      // Execute rotation
+      const result = await config.rotate(currentKey);
+      if (!result.newKey) throw new Error("Rotation returned no new key");
+
+      // Write new key to vault
+      const { token: wt, timestamp: wts } = deriveToken(password, machineHash);
+      const writeResult = await api.write(password, machineHash, wt, wts, serviceName, result.newKey);
+      if (writeResult.error) throw new Error(`Write failed: ${writeResult.error}`);
+
+      // Update expiry in state
+      const newExpiry = result.expiresAt || new Date(Date.now() + (config.defaultDays || 30) * 86400000).toISOString();
+      rotationState.set(serviceName, {
+        ...rotationState.get(serviceName),
+        expires_at: newExpiry,
+        last_rotated_at: new Date().toISOString(),
+        status: "ok",
+      });
+
+      logEntry.status = "success";
+      logEntry.detail = `Rotated. New expiry: ${newExpiry}`;
+      rotationLog.unshift(logEntry);
+      if (rotationLog.length > 100) rotationLog.length = 100;
+
+      const msg = `[${new Date().toISOString()}] Rotation: ${serviceName} rotated successfully. Expires: ${newExpiry}\n`;
+      try { fs.appendFileSync(logFile, msg); } catch {}
+
+      return { ok: true, expiresAt: newExpiry };
+    } catch (err) {
+      logEntry.status = "failed";
+      logEntry.detail = err.message;
+      rotationLog.unshift(logEntry);
+      if (rotationLog.length > 100) rotationLog.length = 100;
+
+      const msg = `[${new Date().toISOString()}] Rotation: ${serviceName} FAILED: ${err.message}\n`;
+      try { fs.appendFileSync(logFile, msg); } catch {}
+
+      return { ok: false, error: err.message };
+    }
+  }
+
+  async function checkAndRotate() {
+    if (!password) return; // vault locked — skip
+    await loadState();
+
+    for (const [name, state] of rotationState) {
+      const config = ROTATION_CONFIG[name];
+      if (!config || config.policy !== "auto" || !config.rotate) continue;
+      if (!state.expires_at) continue;
+
+      const { daysLeft } = getExpiryStatus(state.expires_at);
+      if (daysLeft !== null && daysLeft <= WARN_DAYS) {
+        const msg = `[${new Date().toISOString()}] Rotation: ${name} expires in ${daysLeft} days — auto-rotating\n`;
+        try { fs.appendFileSync(logFile, msg); } catch {}
+        await rotateService(name);
+      }
+    }
+  }
+
+  function start() {
+    // Initial check after 30s (let daemon fully start)
+    setTimeout(() => {
+      checkAndRotate().catch(() => {});
+    }, 30000);
+    // Then every 6 hours
+    intervalHandle = setInterval(() => {
+      checkAndRotate().catch(() => {});
+    }, CHECK_INTERVAL_MS);
+  }
+
+  function stop() {
+    if (intervalHandle) clearInterval(intervalHandle);
+  }
+
+  function getState() {
+    const result = {};
+    for (const [name, state] of rotationState) {
+      const expiry = getExpiryStatus(state.expires_at);
+      result[name] = { ...state, ...expiry };
+    }
+    return result;
+  }
+
+  function getLog() {
+    return rotationLog;
+  }
+
+  // Set expiry for a service manually (from dashboard or API)
+  function setExpiry(serviceName, expiresAt, rotationDays) {
+    const existing = rotationState.get(serviceName) || {};
+    const config = ROTATION_CONFIG[serviceName] || { policy: "none", defaultDays: 0 };
+    rotationState.set(serviceName, {
+      ...existing,
+      expires_at: expiresAt,
+      rotation_days: rotationDays || config.defaultDays,
+      policy: config.policy,
+      status: getExpiryStatus(expiresAt).status,
+    });
+  }
+
+  return { start, stop, getState, getLog, rotateService, setExpiry, loadState, checkAndRotate };
+}
 
 const PID_FILE = path.join(os.tmpdir(), "clauth-serve.pid");
 const STAGED_PID_FILE = path.join(os.tmpdir(), "clauth-serve-staged.pid");
@@ -801,6 +1139,7 @@ function renderServiceGrid(services) {
           <div style="display:flex;align-items:center;gap:6px;margin-top:2px">
             <div class="card-type">\${s.key_type || "secret"}</div>
             <span class="svc-badge \${s.enabled === false ? "off" : "on"}" id="badge-\${s.name}">\${s.enabled === false ? "disabled" : "enabled"}</span>
+            <span class="expiry-badge" id="expiry-\${s.name}" style="font-size:.65rem;border-radius:3px;padding:1px 6px;display:none"></span>
             \${s.project ? \`<span style="font-size:.68rem;color:#3b82f6;background:rgba(59,130,246,.1);border:1px solid rgba(59,130,246,.2);border-radius:3px;padding:1px 6px">\${s.project}</span>\` : ""}
           </div>
           \${KEY_URLS[s.name] ? \`<a class="card-getkey" href="\${KEY_URLS[s.name]}" target="_blank" rel="noopener">↗ Get / rotate key</a>\` : ""}
@@ -815,6 +1154,7 @@ function renderServiceGrid(services) {
         <button class="btn btn-set" onclick="toggleSet('\${s.name}')">Set</button>
         <button class="btn-project" onclick="toggleProjectEdit('\${s.name}')">\${s.project ? "✎ Project" : "+ Project"}</button>
         <button class="btn \${s.enabled === false ? "btn-enable" : "btn-disable"}" id="togbtn-\${s.name}" onclick="toggleService('\${s.name}')">\${s.enabled === false ? "Enable" : "Disable"}</button>
+        <button class="btn-rotate" id="rotbtn-\${s.name}" style="display:none;background:#0e7490;border:1px solid #06b6d4;color:#cffafe;font-size:.75rem;padding:3px 8px;border-radius:4px;cursor:pointer" onclick="rotateKey('\${s.name}')">↻ Rotate</button>
       </div>
       <div class="project-edit" id="pe-\${s.name}">
         <input type="text" id="pe-input-\${s.name}" value="\${s.project || ""}" placeholder="Project name…" spellcheck="false" autocomplete="off">
@@ -843,6 +1183,8 @@ async function loadServices() {
 
     renderProjectTabs(allServices);
     renderServiceGrid(allServices);
+    // Load expiry data after grid renders
+    loadExpiry();
   } catch (e) {
     err.textContent = "⚠ " + e.message;
     err.style.display = "block";
@@ -851,6 +1193,92 @@ async function loadServices() {
   }
 }
 
+// ── Expiry & Rotation ───────────────────────
+const ROTATION_CAPABLE = ["cloudflare","cloudfare-dns","npm","vultr-api"];
+
+async function loadExpiry() {
+  try {
+    const data = await fetch(BASE + "/expiry").then(r => r.json());
+    if (!data.services) return;
+    for (const [name, info] of Object.entries(data.services)) {
+      const el = document.getElementById("expiry-" + name);
+      const rotBtn = document.getElementById("rotbtn-" + name);
+      if (!el) continue;
+
+      // Show rotate button for auto-capable services
+      if (rotBtn && ROTATION_CAPABLE.includes(name)) {
+        rotBtn.style.display = "inline-block";
+      }
+
+      if (!info.expires_at) {
+        // Show policy type for services with rotation config
+        if (info.policy === "auto") {
+          el.style.display = "inline";
+          el.style.color = "#94a3b8";
+          el.style.background = "rgba(148,163,184,0.1)";
+          el.style.border = "1px solid rgba(148,163,184,0.2)";
+          el.textContent = "no expiry set";
+        }
+        continue;
+      }
+
+      el.style.display = "inline";
+      const colors = { green: { c: "#4ade80", bg: "rgba(74,222,128,0.1)", b: "rgba(74,222,128,0.2)" },
+                       yellow: { c: "#facc15", bg: "rgba(250,204,21,0.1)", b: "rgba(250,204,21,0.2)" },
+                       orange: { c: "#fb923c", bg: "rgba(251,146,60,0.1)", b: "rgba(251,146,60,0.2)" },
+                       red: { c: "#f87171", bg: "rgba(248,113,113,0.15)", b: "rgba(248,113,113,0.3)" },
+                       gray: { c: "#94a3b8", bg: "rgba(148,163,184,0.1)", b: "rgba(148,163,184,0.2)" } };
+      const clr = colors[info.color] || colors.gray;
+      el.style.color = clr.c;
+      el.style.background = clr.bg;
+      el.style.border = "1px solid " + clr.b;
+
+      if (info.daysLeft === null) {
+        el.textContent = "unknown";
+      } else if (info.daysLeft < 0) {
+        el.textContent = "EXPIRED " + Math.abs(info.daysLeft) + "d ago";
+      } else if (info.daysLeft === 0) {
+        el.textContent = "EXPIRES TODAY";
+      } else {
+        el.textContent = info.daysLeft + "d left";
+      }
+    }
+  } catch {}
+}
+
+async function rotateKey(name) {
+  if (!confirm("Rotate " + name + " key?\\n\\nA new key will be created and the old one deleted.")) return;
+  const rotBtn = document.getElementById("rotbtn-" + name);
+  if (rotBtn) { rotBtn.disabled = true; rotBtn.textContent = "rotating…"; }
+  try {
+    const r = await fetch(BASE + "/rotate/" + name, { method: "POST" }).then(r => r.json());
+    if (r.ok) {
+      if (rotBtn) { rotBtn.textContent = "✓ rotated"; rotBtn.style.background = "#166534"; }
+      loadExpiry(); // refresh badges
+    } else {
+      alert("Rotation failed: " + (r.error || "unknown error"));
+      if (rotBtn) { rotBtn.disabled = false; rotBtn.textContent = "↻ Rotate"; }
+    }
+  } catch (err) {
+    alert("Rotation error: " + err.message);
+    if (rotBtn) { rotBtn.disabled = false; rotBtn.textContent = "↻ Rotate"; }
+  }
+}
+
+async function setExpiry(name) {
+  const days = prompt("Set expiry for " + name + " (days from now):", "30");
+  if (!days) return;
+  const expiresAt = new Date(Date.now() + parseInt(days) * 86400000).toISOString();
+  try {
+    await fetch(BASE + "/set-expiry/" + name, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ expires_at: expiresAt, rotation_days: parseInt(days) }),
+    });
+    loadExpiry();
+  } catch {}
+}
+
 // ── Reveal ──────────────────────────────────
 async function reveal(name, btn) {
   const valEl   = document.getElementById("val-" + name);
@@ -1854,6 +2282,9 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
   let password = initPassword || null;   // null = locked; set via POST /auth
   const machineHash = getMachineHash();
 
+  // Rotation engine — starts after unlock
+  const rotationEngine = createRotationEngine(initPassword, machineHash, LOG_FILE);
+
   const CORS = {
     "Access-Control-Allow-Origin": "*",
     "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
@@ -2040,9 +2471,10 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
     }
   }
 
-  // Auto-start tunnel if vault is already unlocked (--pw flag)
+  // Auto-start tunnel and rotation engine if vault is already unlocked (--pw flag)
   if (password) {
     startTunnel().catch(() => {});
+    rotationEngine.start();
   }
 
   function strike(res, code, message) {
@@ -2859,6 +3291,8 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
         password = pw;   // unlock — store in process memory only
         const logLine = `[${new Date().toISOString()}] Vault unlocked\n`;
         try { fs.appendFileSync(LOG_FILE, logLine); } catch {}
+        // Start rotation engine on unlock
+        rotationEngine.start();
         // Auto-seal: DPAPI-encrypt password to boot.key for passwordless crash recovery
         // Only on Windows; only if autostart dir exists (i.e., install was run)
         if (os.platform() === "win32") {
@@ -2997,6 +3431,46 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
       }
     }
 
+    // ── Key Rotation Endpoints ──────────────────────────────────
+
+    // GET /expiry — expiry status for all services
+    if (method === "GET" && reqPath === "/expiry") {
+      if (lockedGuard(res)) return;
+      const state = rotationEngine.getState();
+      return ok(res, { services: state });
+    }
+
+    // POST /rotate/:service — manually trigger rotation for a service
+    if (method === "POST" && reqPath.startsWith("/rotate/")) {
+      if (lockedGuard(res)) return;
+      const service = reqPath.slice("/rotate/".length);
+      if (!service) {
+        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "Service name required" }));
+      }
+      const result = await rotationEngine.rotateService(service);
+      return ok(res, result);
+    }
+
+    // POST /set-expiry/:service — set expiry date for a service
+    if (method === "POST" && reqPath.startsWith("/set-expiry/")) {
+      if (lockedGuard(res)) return;
+      const service = reqPath.slice("/set-expiry/".length);
+      let body;
+      try { body = await readBody(req); } catch {
+        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "Invalid JSON body" }));
+      }
+      rotationEngine.setExpiry(service, body.expires_at, body.rotation_days);
+      return ok(res, { ok: true, service, expires_at: body.expires_at });
+    }
+
+    // GET /rotation-log — recent rotation history
+    if (method === "GET" && reqPath === "/rotation-log") {
+      if (lockedGuard(res)) return;
+      return ok(res, { log: rotationEngine.getLog() });
+    }
+
     // GET /tunnel/test — end-to-end tunnel health check (hits /ping through the tunnel)
     if (method === "GET" && reqPath === "/tunnel/test") {
       if (lockedGuard(res)) return;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lifeaitools/clauth",
-  "version": "1.3.1",
+  "version": "1.4.0",
   "description": "Hardware-bound credential vault for the LIFEAI infrastructure stack",
   "type": "module",
   "bin": {