@lifeaitools/clauth 1.5.59 → 1.5.62

package/README.md

@@ -1,211 +1,211 @@
-# @lifeaitools/clauth
-
-Hardware-bound credential vault for the LIFEAI stack. Your machine is the second factor. Keys live in Supabase Vault (AES-256). Nothing sensitive ever touches a config file.
-
----
-
-## Install
-
-```bash
-npm install -g @lifeaitools/clauth
-```
-
-Then provision your Supabase project:
-
-```bash
-clauth install
-```
-
-That's it. `clauth install` handles everything:
-- Creates all database tables
-- Deploys the `auth-vault` Edge Function
-- Generates HMAC salt + bootstrap token
-- Tests the connection end-to-end
-- Installs the Claude skill
-
-At the end it prints a **bootstrap token** — save it for the next step.
-
----
-
-## After Install — Register Your Machine
-
-```bash
-clauth setup
-```
-
-Prompts for: machine label, password, bootstrap token (from `clauth install`).
-
-Then verify:
-```bash
-clauth test      # → PASS
-clauth status    # → 12 services, all NO KEY
-```
-
----
-
-## What clauth install asks for
-
-Two things from Supabase:
-
-**1. Project ref** — the last segment of your Supabase project URL:
-`https://supabase.com/dashboard/project/` **`your-ref-here`**
-
-**2. Personal Access Token (PAT)**:
-`https://supabase.com/dashboard/account/tokens` → Generate new token
-
-> This is **not** your anon key or service_role key — it is your account-level token.
-
----
-
-## Writing Your First Key
-
-```bash
-clauth write key github     # prompts for value
-clauth enable github
-clauth get github
-```
-
----
-
-## Command Reference
-
-```
-clauth install              Provision Supabase + install Claude skill
-clauth setup                Register this machine with the vault
-clauth status               All services + state
-clauth test                 Verify connection
-
-clauth write key <service>  Store a credential
-clauth write pw             Change password
-clauth enable <svc|all>     Activate service
-clauth disable <svc|all>    Suspend service
-clauth get <service>        Retrieve a key
-
-clauth add service <n>      Register new service
-clauth remove service <n>   Remove service
-clauth revoke <svc|all>     Delete key (destructive)
-```
-
-## Built-in Services
-
-`github` `supabase-anon` `supabase-service` `supabase-db`
-`vercel` `namecheap` `neo4j` `anthropic`
-`r2` `r2-bucket` `cloudflare` `rocketreach`
-
----
-
-## How It Works
-
-```
-Machine fingerprint (BIOS UUID + OS install ID)
-  + Your clauth password
-  → HMAC-SHA256 token + 5-min timestamp window
-  → Supabase Edge Function validates
-  → Returns AES-256 encrypted key from Vault
-```
-
-Nothing stored locally. Password never persisted. Machine hash is one-way only.
-
----
-
-## Daemon Mode (`clauth serve`)
-
-clauth runs as an HTTP daemon on `http://127.0.0.1:52437`. The daemon provides:
-
-- **Web UI** — unlock vault, manage services, configure mounts
-- **REST API** — `GET /get/<service>`, `GET /ping`, `POST /restart`, `GET /shutdown`
-- **MCP server** — Model Context Protocol for Claude Code and claude.ai
-- **Cloudflare Tunnel** — exposes MCP endpoints publicly for claude.ai connectors
-
-Start: `clauth serve start` (starts locked, auto-opens browser for unlock).
-
-Full daemon operations reference: see `regen-root/.claude/rules/clauth.md`.
-
----
-
-## MCP Server — 3 Namespaces, 27 Tools
-
-clauth is the single MCP interface for all local tools. One process, namespaced paths:
-
-| Path | Namespace | Tools | Description |
-|------|-----------|-------|-------------|
-| `/clauth` | `clauth_*` | 13 | Credential vault operations |
-| `/gws` | `gws_*` | 6 | Google Workspace (Gmail, Calendar, Drive) |
-| `/fs` | `fs_*` | 8 | Filesystem (read, write, grep, glob, delete, mkdir, mounts) |
-| `/mcp` | all | 27 | All namespaces combined (Claude Code) |
-
-### FS Tools (v1.5.38)
-
-8 filesystem tools with path-jail security:
-- `fs_read`, `fs_write`, `fs_list`, `fs_grep`, `fs_glob`, `fs_delete`, `fs_mkdir`, `fs_mounts`
-- Uses `node:fs/promises` (async), `@vscode/ripgrep` (shipped binary), `fast-glob`
-- Permission flags per mount: `r` (read), `w` (write), `d` (delete)
-- Mount config stored as "fileserver" service type in vault — only configurable through web UI
-
-### GWS Tools
-
-6 Google Workspace tools: `gws_gmail_list`, `gws_gmail_read`, `gws_gmail_send`, `gws_gmail_draft`, `gws_calendar_list`, `gws_calendar_create`
-- Calls `gws` CLI via `execSync` with `shell: 'bash'` (fixes Windows cmd.exe JSON quoting)
-
----
-
-## claude.ai Integration
-
-### Noauth Mode (v1.5.38)
-
-claude.ai's OAuth proxy has a confirmed bug ([anthropics/claude-code#46140](https://github.com/anthropics/claude-code/issues/46140), [anthropics/claude-ai-mcp#136](https://github.com/anthropics/claude-ai-mcp/issues/136)): it completes the token exchange but never sends the authenticated request.
-
-**Workaround:** Noauth hosts — fresh domains where OAuth endpoints return 404. claude.ai connects directly (tunnel URL is the shared secret).
-
-### OAuth 2.1 (v1.5.36-37)
-
-Full OAuth 2.1 protocol implementation is present for future use when Anthropic fixes the bug:
-- 401 gate with `WWW-Authenticate` header
-- Dynamic client registration (public client, no secret)
-- Mandatory PKCE S256
-- `Cache-Control: no-store`
-
-### Connector URLs
-
-| Connector | URL |
-|-----------|-----|
-| clauth | `https://clauth.regendevcorp.com/clauth` |
-| gws | `https://clauth.regendevcorp.com/gws` |
-| fs | `https://fs.regendevcorp.com/fs` |
-
----
-
-## Dependencies (notable)
-
-- `@vscode/ripgrep` — shipped ripgrep binary for `fs_grep`
-- `fast-glob` — pattern matching for `fs_glob`
-
----
-
-## Testing
-
-```bash
-node test-tools.mjs    # 25 tool execution tests across all 3 namespaces
-```
-
-Tests actual MCP tool calls (not just OAuth + listing).
-
----
-
-## Releasing a New Version (maintainers)
-
-```bash
-# 1. Bump version in package.json
-# 2. Commit and tag
-git tag v1.5.38
-git push && git push --tags
-# GitHub Actions publishes automatically via Trusted Publishing
-```
-
-**NEVER** commit a version bump without tagging — the tag triggers npm CI.
-
----
-
-> Life before Profits. — LIFEAI / PRT
->
-> ☕ [Support this project](https://github.com/sponsors/DaveLadouceur)
+# @lifeaitools/clauth
+
+Hardware-bound credential vault for the LIFEAI stack. Your machine is the second factor. Keys live in Supabase Vault (AES-256). Nothing sensitive ever touches a config file.
+
+---
+
+## Install
+
+```bash
+npm install -g @lifeaitools/clauth
+```
+
+Then provision your Supabase project:
+
+```bash
+clauth install
+```
+
+That's it. `clauth install` handles everything:
+- Creates all database tables
+- Deploys the `auth-vault` Edge Function
+- Generates HMAC salt + bootstrap token
+- Tests the connection end-to-end
+- Installs the Claude skill
+
+At the end it prints a **bootstrap token** — save it for the next step.
+
+---
+
+## After Install — Register Your Machine
+
+```bash
+clauth setup
+```
+
+Prompts for: machine label, password, bootstrap token (from `clauth install`).
+
+Then verify:
+```bash
+clauth test      # → PASS
+clauth status    # → 12 services, all NO KEY
+```
+
+---
+
+## What clauth install asks for
+
+Two things from Supabase:
+
+**1. Project ref** — the last segment of your Supabase project URL:
+`https://supabase.com/dashboard/project/` **`your-ref-here`**
+
+**2. Personal Access Token (PAT)**:
+`https://supabase.com/dashboard/account/tokens` → Generate new token
+
+> This is **not** your anon key or service_role key — it is your account-level token.
+
+---
+
+## Writing Your First Key
+
+```bash
+clauth write key github     # prompts for value
+clauth enable github
+clauth get github
+```
+
+---
+
+## Command Reference
+
+```
+clauth install              Provision Supabase + install Claude skill
+clauth setup                Register this machine with the vault
+clauth status               All services + state
+clauth test                 Verify connection
+
+clauth write key <service>  Store a credential
+clauth write pw             Change password
+clauth enable <svc|all>     Activate service
+clauth disable <svc|all>    Suspend service
+clauth get <service>        Retrieve a key
+
+clauth add service <n>      Register new service
+clauth remove service <n>   Remove service
+clauth revoke <svc|all>     Delete key (destructive)
+```
+
+## Built-in Services
+
+`github` `supabase-anon` `supabase-service` `supabase-db`
+`vercel` `namecheap` `neo4j` `anthropic`
+`r2` `r2-bucket` `cloudflare` `rocketreach`
+
+---
+
+## How It Works
+
+```
+Machine fingerprint (BIOS UUID + OS install ID)
+  + Your clauth password
+  → HMAC-SHA256 token + 5-min timestamp window
+  → Supabase Edge Function validates
+  → Returns AES-256 encrypted key from Vault
+```
+
+Nothing stored locally. Password never persisted. Machine hash is one-way only.
+
+---
+
+## Daemon Mode (`clauth serve`)
+
+clauth runs as an HTTP daemon on `http://127.0.0.1:52437`. The daemon provides:
+
+- **Web UI** — unlock vault, manage services, configure mounts
+- **REST API** — `GET /get/<service>`, `GET /ping`, `POST /restart`, `GET /shutdown`
+- **MCP server** — Model Context Protocol for Claude Code and claude.ai
+- **Cloudflare Tunnel** — exposes MCP endpoints publicly for claude.ai connectors
+
+Start: `clauth serve start` (starts locked, auto-opens browser for unlock).
+
+Full daemon operations reference: see `regen-root/.claude/rules/clauth.md`.
+
+---
+
+## MCP Server — 3 Namespaces, 27 Tools
+
+clauth is the single MCP interface for all local tools. One process, namespaced paths:
+
+| Path | Namespace | Tools | Description |
+|------|-----------|-------|-------------|
+| `/clauth` | `clauth_*` | 13 | Credential vault operations |
+| `/gws` | `gws_*` | 6 | Google Workspace (Gmail, Calendar, Drive) |
+| `/fs` | `fs_*` | 8 | Filesystem (read, write, grep, glob, delete, mkdir, mounts) |
+| `/mcp` | all | 27 | All namespaces combined (Claude Code) |
+
+### FS Tools (v1.5.38)
+
+8 filesystem tools with path-jail security:
+- `fs_read`, `fs_write`, `fs_list`, `fs_grep`, `fs_glob`, `fs_delete`, `fs_mkdir`, `fs_mounts`
+- Uses `node:fs/promises` (async), `@vscode/ripgrep` (shipped binary), `fast-glob`
+- Permission flags per mount: `r` (read), `w` (write), `d` (delete)
+- Mount config stored as "fileserver" service type in vault — only configurable through web UI
+
+### GWS Tools
+
+6 Google Workspace tools: `gws_gmail_list`, `gws_gmail_read`, `gws_gmail_send`, `gws_gmail_draft`, `gws_calendar_list`, `gws_calendar_create`
+- Calls `gws` CLI via `execSync` with `shell: 'bash'` (fixes Windows cmd.exe JSON quoting)
+
+---
+
+## claude.ai Integration
+
+### Noauth Mode (v1.5.38)
+
+claude.ai's OAuth proxy has a confirmed bug ([anthropics/claude-code#46140](https://github.com/anthropics/claude-code/issues/46140), [anthropics/claude-ai-mcp#136](https://github.com/anthropics/claude-ai-mcp/issues/136)): it completes the token exchange but never sends the authenticated request.
+
+**Workaround:** Noauth hosts — fresh domains where OAuth endpoints return 404. claude.ai connects directly (tunnel URL is the shared secret).
+
+### OAuth 2.1 (v1.5.36-37)
+
+Full OAuth 2.1 protocol implementation is present for future use when Anthropic fixes the bug:
+- 401 gate with `WWW-Authenticate` header
+- Dynamic client registration (public client, no secret)
+- Mandatory PKCE S256
+- `Cache-Control: no-store`
+
+### Connector URLs
+
+| Connector | URL |
+|-----------|-----|
+| clauth | `https://clauth.regendevcorp.com/clauth` |
+| gws | `https://clauth.regendevcorp.com/gws` |
+| fs | `https://fs.regendevcorp.com/fs` |
+
+---
+
+## Dependencies (notable)
+
+- `@vscode/ripgrep` — shipped ripgrep binary for `fs_grep`
+- `fast-glob` — pattern matching for `fs_glob`
+
+---
+
+## Testing
+
+```bash
+node test-tools.mjs    # 25 tool execution tests across all 3 namespaces
+```
+
+Tests actual MCP tool calls (not just OAuth + listing).
+
+---
+
+## Releasing a New Version (maintainers)
+
+```bash
+# 1. Bump version in package.json
+# 2. Commit and tag
+git tag v1.5.38
+git push && git push --tags
+# GitHub Actions publishes automatically via Trusted Publishing
+```
+
+**NEVER** commit a version bump without tagging — the tag triggers npm CI.
+
+---
+
+> Life before Profits. — LIFEAI / PRT
+>
+> ☕ [Support this project](https://github.com/sponsors/DaveLadouceur)

package/cli/api.js

@@ -1,121 +1,121 @@
-// cli/api.js
-// Thin client that calls the auth-vault Edge Function
-
-import { createRequire } from "module";
-const require = createRequire(import.meta.url);
-
-import Conf from "conf";
-import { getConfOptions } from "./conf-path.js";
-
-const config = new Conf(getConfOptions());
-
-// ============================================================
-// Get Edge Function base URL from local config
-// ============================================================
-export function getBaseUrl() {
-  const url = config.get("supabase_url") || process.env.CLAUTH_SUPABASE_URL;
-  if (!url) throw new Error("Supabase URL not configured. Run: clauth setup");
-  return `${url}/functions/v1/auth-vault`;
-}
-
-export function getAnonKey() {
-  const key = config.get("supabase_anon_key") || process.env.CLAUTH_SUPABASE_ANON_KEY;
-  if (!key) throw new Error("Supabase anon key not configured. Run: clauth setup");
-  return key;
-}
-
-// ============================================================
-// Core POST helper
-// ============================================================
-async function post(route, body) {
-  const url = `${getBaseUrl()}/${route}`;
-  const anonKey = getAnonKey();
-
-  const res = await fetch(url, {
-    method: "POST",
-    headers: {
-      "Content-Type": "application/json",
-      "Authorization": `Bearer ${anonKey}`
-    },
-    body: JSON.stringify(body)
-  });
-
-  const data = await res.json();
-  if (!res.ok && !data.error) throw new Error(`HTTP ${res.status}`);
-  return data;
-}
-
-// ============================================================
-// Auth-bearing calls (require HMAC token)
-// ============================================================
-async function authPost(route, password, machineHash, token, timestamp, extra = {}) {
-  return post(route, {
-    machine_hash: machineHash,
-    token,
-    timestamp,
-    password,
-    ...extra
-  });
-}
-
-// ============================================================
-// Exported API surface
-// ============================================================
-
-export async function retrieve(password, machineHash, token, timestamp, service) {
-  return authPost("retrieve", password, machineHash, token, timestamp, { service });
-}
-
-export async function write(password, machineHash, token, timestamp, service, value) {
-  return authPost("write", password, machineHash, token, timestamp, { service, value });
-}
-
-export async function enable(password, machineHash, token, timestamp, service, enabled) {
-  return authPost("enable", password, machineHash, token, timestamp, { service, enabled });
-}
-
-export async function addService(password, machineHash, token, timestamp, name, label, key_type, description, project) {
-  const extra = { name, label, key_type, description };
-  if (project) extra.project = project;
-  return authPost("add", password, machineHash, token, timestamp, extra);
-}
-
-export async function updateService(password, machineHash, token, timestamp, service, updates) {
-  return authPost("update", password, machineHash, token, timestamp, { service, ...updates });
-}
-
-export async function removeService(password, machineHash, token, timestamp, service, confirm) {
-  return authPost("remove", password, machineHash, token, timestamp, { service, confirm });
-}
-
-export async function revoke(password, machineHash, token, timestamp, service, confirm) {
-  return authPost("revoke", password, machineHash, token, timestamp, { service, confirm });
-}
-
-export async function status(password, machineHash, token, timestamp, project) {
-  const extra = {};
-  if (project) extra.project = project;
-  return authPost("status", password, machineHash, token, timestamp, extra);
-}
-
-export async function test(password, machineHash, token, timestamp) {
-  return authPost("test", password, machineHash, token, timestamp);
-}
-
-export async function changePassword(password, machineHash, token, timestamp, newSeedHash) {
-  return authPost("change-password", password, machineHash, token, timestamp, { new_hmac_seed_hash: newSeedHash });
-}
-
-export async function registerMachine(machineHash, seedHash, label, adminToken) {
-  return post("register-machine", {
-    machine_hash: machineHash,
-    hmac_seed_hash: seedHash,
-    label,
-    admin_token: adminToken
-  });
-}
-
-export default {
-  retrieve, write, enable, addService, updateService, removeService, revoke,
-  status, test, registerMachine, getBaseUrl, getAnonKey
-};
+// cli/api.js
+// Thin client that calls the auth-vault Edge Function
+
+import { createRequire } from "module";
+const require = createRequire(import.meta.url);
+
+import Conf from "conf";
+import { getConfOptions } from "./conf-path.js";
+
+const config = new Conf(getConfOptions());
+
+// ============================================================
+// Get Edge Function base URL from local config
+// ============================================================
+export function getBaseUrl() {
+  const url = config.get("supabase_url") || process.env.CLAUTH_SUPABASE_URL;
+  if (!url) throw new Error("Supabase URL not configured. Run: clauth setup");
+  return `${url}/functions/v1/auth-vault`;
+}
+
+export function getAnonKey() {
+  const key = config.get("supabase_anon_key") || process.env.CLAUTH_SUPABASE_ANON_KEY;
+  if (!key) throw new Error("Supabase anon key not configured. Run: clauth setup");
+  return key;
+}
+
+// ============================================================
+// Core POST helper
+// ============================================================
+async function post(route, body) {
+  const url = `${getBaseUrl()}/${route}`;
+  const anonKey = getAnonKey();
+
+  const res = await fetch(url, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      "Authorization": `Bearer ${anonKey}`
+    },
+    body: JSON.stringify(body)
+  });
+
+  const data = await res.json();
+  if (!res.ok && !data.error) throw new Error(`HTTP ${res.status}`);
+  return data;
+}
+
+// ============================================================
+// Auth-bearing calls (require HMAC token)
+// ============================================================
+async function authPost(route, password, machineHash, token, timestamp, extra = {}) {
+  return post(route, {
+    machine_hash: machineHash,
+    token,
+    timestamp,
+    password,
+    ...extra
+  });
+}
+
+// ============================================================
+// Exported API surface
+// ============================================================
+
+export async function retrieve(password, machineHash, token, timestamp, service) {
+  return authPost("retrieve", password, machineHash, token, timestamp, { service });
+}
+
+export async function write(password, machineHash, token, timestamp, service, value) {
+  return authPost("write", password, machineHash, token, timestamp, { service, value });
+}
+
+export async function enable(password, machineHash, token, timestamp, service, enabled) {
+  return authPost("enable", password, machineHash, token, timestamp, { service, enabled });
+}
+
+export async function addService(password, machineHash, token, timestamp, name, label, key_type, description, project) {
+  const extra = { name, label, key_type, description };
+  if (project) extra.project = project;
+  return authPost("add", password, machineHash, token, timestamp, extra);
+}
+
+export async function updateService(password, machineHash, token, timestamp, service, updates) {
+  return authPost("update", password, machineHash, token, timestamp, { service, ...updates });
+}
+
+export async function removeService(password, machineHash, token, timestamp, service, confirm) {
+  return authPost("remove", password, machineHash, token, timestamp, { service, confirm });
+}
+
+export async function revoke(password, machineHash, token, timestamp, service, confirm) {
+  return authPost("revoke", password, machineHash, token, timestamp, { service, confirm });
+}
+
+export async function status(password, machineHash, token, timestamp, project) {
+  const extra = {};
+  if (project) extra.project = project;
+  return authPost("status", password, machineHash, token, timestamp, extra);
+}
+
+export async function test(password, machineHash, token, timestamp) {
+  return authPost("test", password, machineHash, token, timestamp);
+}
+
+export async function changePassword(password, machineHash, token, timestamp, newSeedHash) {
+  return authPost("change-password", password, machineHash, token, timestamp, { new_hmac_seed_hash: newSeedHash });
+}
+
+export async function registerMachine(machineHash, seedHash, label, adminToken) {
+  return post("register-machine", {
+    machine_hash: machineHash,
+    hmac_seed_hash: seedHash,
+    label,
+    admin_token: adminToken
+  });
+}
+
+export default {
+  retrieve, write, enable, addService, updateService, removeService, revoke,
+  status, test, registerMachine, getBaseUrl, getAnonKey
+};