@lifeaitools/clauth 1.5.81 → 1.5.83

package/.clauth-skill/SKILL.md

@@ -141,11 +141,12 @@ See `references/keys-guide.md` for where to find every credential.
 ```
 clauth install [--ref R] [--pat P]     First-time: provision Supabase + install skill
 clauth setup [--admin-token T] [-p P]  Register this machine
-clauth status [-p P]                   All services + state
-clauth test [-p P]                     Verify HMAC connection
-clauth list [-p P]                     Service names
-
-clauth write key <service> [-p P]      Store a credential
+clauth status [-p P]                   All services + state
+clauth test [-p P]                     Verify HMAC connection
+clauth list [-p P]                     Service names
+clauth search <query> [-p P]           Search names, metadata, and redacted server addresses
+
+clauth write key <service> [-p P]      Store a credential
 clauth write pw [-p P]                 Change password
 clauth enable <svc|all> [-p P]         Activate service
 clauth disable <svc|all> [-p P]        Suspend service

package/README.md

@@ -72,16 +72,20 @@ clauth get github
 ```
 clauth install              Provision Supabase + install Claude skill
 clauth setup                Register this machine with the vault
-clauth status               All services + state
-clauth test                 Verify connection
+clauth status               All services + state
+clauth search <query>       Find services by name, project, description, or redacted address
+clauth test                 Verify connection
 
 clauth write key <service>  Store a credential
 clauth write pw             Change password
 clauth enable <svc|all>     Activate service
 clauth disable <svc|all>    Suspend service
-clauth get <service>        Retrieve a key
-
-clauth add service <n>      Register new service
+clauth get <service>        Retrieve a key
+clauth npm whoami           Verify npm token without PowerShell secret plumbing
+clauth npm sync-github-secret LIFEAI/rdc-skills
+                            Update GitHub NPM_TOKEN from clauth
+
+clauth add service <n>      Register new service
 clauth remove service <n>   Remove service
 clauth revoke <svc|all>     Delete key (destructive)
 ```
@@ -123,7 +127,7 @@ Full daemon operations reference: see `regen-root/.claude/rules/clauth.md`.
 
 ---
 
-## MCP Server — 3 Namespaces, 27 Tools
+## MCP Server — 3 Namespaces, 32 Tools
 
 clauth is the single MCP interface for all local tools. One process, namespaced paths:
 
@@ -131,16 +135,18 @@ clauth is the single MCP interface for all local tools. One process, namespaced
 |------|-----------|-------|-------------|
 | `/clauth` | `clauth_*` | 13 | Credential vault operations |
 | `/gws` | `gws_*` | 6 | Google Workspace (Gmail, Calendar, Drive) |
-| `/fs` | `fs_*` | 8 | Filesystem (read, write, grep, glob, delete, mkdir, mounts) |
-| `/mcp` | all | 27 | All namespaces combined (Claude Code) |
-
-### FS Tools (v1.5.38)
-
-8 filesystem tools with path-jail security:
-- `fs_read`, `fs_write`, `fs_list`, `fs_grep`, `fs_glob`, `fs_delete`, `fs_mkdir`, `fs_mounts`
-- Uses `node:fs/promises` (async), `@vscode/ripgrep` (shipped binary), `fast-glob`
-- Permission flags per mount: `r` (read), `w` (write), `d` (delete)
-- Mount config stored as "fileserver" service type in vault — only configurable through web UI
+| `/fs` | `fs_*` | 13 | Filesystem (read, write, append, chunked write, URL ingest, Git import, stat, grep, glob, delete, mkdir, mounts) |
+| `/mcp` | all | 32 | All namespaces combined (Claude Code) |
+
+### FS Tools
+
+13 filesystem tools with path-jail security:
+- `fs_read`, `fs_write`, `fs_stat`, `fs_append`, `fs_write_chunk`, `fs_ingest_url`, `fs_import_git_files`, `fs_list`, `fs_grep`, `fs_glob`, `fs_delete`, `fs_mkdir`, `fs_mounts`
+- Uses `node:fs/promises` (async), `@vscode/ripgrep` (shipped binary), `fast-glob`
+- Permission flags per mount: `r` (read), `w` (write), `d` (delete)
+- Mount config stored as "fileserver" service type in vault — only configurable through web UI
+- Large writes should use `fs_write_chunk`; cloud-to-local transfer should use `fs_ingest_url`; guarded appends should pass `expected_sha256` from `fs_stat`
+- Durable new files authored by Claude.ai in GitHub should use `fs_import_git_files` so the local dirty monorepo fetches and restores only named paths without `git pull`
 
 ### GWS Tools
 

package/cli/commands/npm.js

@@ -0,0 +1,123 @@
+import fs from "fs";
+import os from "os";
+import path from "path";
+import { spawnSync } from "child_process";
+
+const CLAUTH_NPM_URL = "http://127.0.0.1:52437/v/npm";
+
+function run(cmd, args, opts = {}) {
+  const useCmd = process.platform === "win32" && ["npm", "gh"].includes(cmd);
+  const executable = useCmd ? "cmd.exe" : cmd;
+  const finalArgs = useCmd ? ["/d", "/s", "/c", cmd, ...args] : args;
+  const result = spawnSync(executable, finalArgs, {
+    encoding: "utf8",
+    ...opts,
+    env: { ...process.env, ...(opts.env || {}) }
+  });
+  if (result.error) throw result.error;
+  return result;
+}
+
+function redactNpmTokenList(text) {
+  return String(text || "").replace(/npm_[A-Za-z0-9]+/g, token => `${token.slice(0, 9)}...${token.slice(-4)}`);
+}
+
+async function fetchNpmToken() {
+  const response = await fetch(CLAUTH_NPM_URL);
+  if (!response.ok) throw new Error(`failed to fetch npm token from clauth daemon: HTTP ${response.status}`);
+  const token = (await response.text()).trim();
+  if (!token) throw new Error("clauth npm token is empty");
+  if (!token.startsWith("npm_")) throw new Error("clauth npm token does not look like an npm token");
+  return token;
+}
+
+function withNpmAuth(token, fn) {
+  const npmrc = path.join(os.tmpdir(), `clauth-npm-${process.pid}-${Date.now()}.npmrc`);
+  try {
+    fs.writeFileSync(npmrc, `//registry.npmjs.org/:_authToken=${token}`, { encoding: "utf8", mode: 0o600 });
+    return fn(npmrc);
+  } finally {
+    try { fs.rmSync(npmrc, { force: true }); } catch {}
+  }
+}
+
+function runNpmWithToken(token, args) {
+  return withNpmAuth(token, npmrc => run("npm", ["--userconfig", npmrc, ...args]));
+}
+
+function printResult(result, { redact = true } = {}) {
+  const stdout = redact ? redactNpmTokenList(result.stdout) : result.stdout;
+  const stderr = redact ? redactNpmTokenList(result.stderr) : result.stderr;
+  if (stdout) process.stdout.write(stdout);
+  if (stderr) process.stderr.write(stderr);
+}
+
+function usage() {
+  console.log(`clauth npm <action>
+
+Actions:
+  whoami                         Verify the clauth npm token identity
+  tokens                         List npm token metadata with token strings redacted
+  set-local                      Write the clauth npm token to the user npm config
+  sync-github-secret <repo>       Set repo secret NPM_TOKEN from clauth, e.g. LIFEAI/rdc-skills
+  rerun <run-id> --repo <repo>    Rerun a failed GitHub Actions workflow
+`);
+}
+
+export async function runNpm(action = "help", opts = {}) {
+  if (action === "help") {
+    usage();
+    return;
+  }
+
+  const token = await fetchNpmToken();
+
+  if (action === "whoami") {
+    const result = runNpmWithToken(token, ["whoami", "--registry=https://registry.npmjs.org/"]);
+    printResult(result);
+    if (result.status !== 0) process.exitCode = result.status;
+    return;
+  }
+
+  if (action === "tokens") {
+    const result = runNpmWithToken(token, ["token", "list", "--json", "--registry=https://registry.npmjs.org/"]);
+    printResult(result);
+    if (result.status !== 0) process.exitCode = result.status;
+    return;
+  }
+
+  if (action === "set-local") {
+    const result = run("npm", ["config", "set", "//registry.npmjs.org/:_authToken", token, "--location=user"]);
+    if (result.status !== 0) {
+      printResult(result);
+      process.exitCode = result.status;
+      return;
+    }
+    console.log("local npm auth updated from clauth service 'npm'");
+    return;
+  }
+
+  if (action === "sync-github-secret") {
+    const repo = opts.repo || opts.args?.[0];
+    if (!repo) throw new Error("repo is required, e.g. clauth npm sync-github-secret LIFEAI/rdc-skills");
+    const result = run("gh", ["secret", "set", "NPM_TOKEN", "--repo", repo], { input: token });
+    printResult(result);
+    if (result.status !== 0) process.exitCode = result.status;
+    else console.log(`GitHub secret NPM_TOKEN updated for ${repo}`);
+    return;
+  }
+
+  if (action === "rerun") {
+    const runId = opts.args?.[0];
+    const repo = opts.repo;
+    if (!runId || !repo) throw new Error("usage: clauth npm rerun <run-id> --repo LIFEAI/rdc-skills");
+    const result = run("gh", ["run", "rerun", runId, "--repo", repo, "--failed"]);
+    printResult(result);
+    if (result.status !== 0) process.exitCode = result.status;
+    else console.log(`rerun requested for ${repo} run ${runId}`);
+    return;
+  }
+
+  usage();
+  throw new Error(`unknown clauth npm action: ${action}`);
+}

package/cli/commands/serve.js

@@ -17,7 +17,7 @@ import ora from "ora";
 import { execSync as execSyncTop } from "child_process";
 import Conf from "conf";
 import { getConfOptions } from "../conf-path.js";
-import { readdir, readFile, writeFile, rm, mkdir, stat, rename } from "node:fs/promises";
+import { appendFile, readdir, readFile, writeFile, rm, mkdir, stat, rename } from "node:fs/promises";
 import fg from "fast-glob";
 import { rgPath } from "@vscode/ripgrep";
 import { createStudioDebugRuntime } from "../studio-debug.js";
@@ -5076,8 +5076,8 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
     }
 
     // POST /update-service — update service metadata (project, label, description)
-    if (method === "POST" && reqPath === "/update-service") {
-      if (lockedGuard(res)) return;
+    if (method === "POST" && reqPath === "/update-service") {
+      if (lockedGuard(res)) return;
 
       let body;
       try { body = await readBody(req); } catch {
@@ -5108,10 +5108,39 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
         return ok(res, { ok: true, service: service.toLowerCase(), ...updates });
       } catch (err) {
         return strike(res, 502, err.message);
-      }
-    }
-
-    // Unknown route — a wrong URL is not an auth failure. Log it, return 404,
+      }
+    }
+
+    if (method === "GET" && reqPath === "/search") {
+      if (lockedGuard(res)) return;
+      const query = (url.searchParams.get("q") || url.searchParams.get("query") || "").trim();
+      const project = (url.searchParams.get("project") || "").trim() || undefined;
+      const includeAddresses = url.searchParams.get("addresses") !== "false";
+      if (!query) {
+        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "q query parameter is required" }));
+      }
+
+      try {
+        const { token, timestamp } = deriveToken(password, machineHash);
+        const result = await searchServices({
+          password,
+          machineHash,
+          token,
+          timestamp,
+          project,
+          query,
+          includeAddresses,
+          whitelist
+        });
+        if (result.error) return strike(res, 502, result.error);
+        return ok(res, result);
+      } catch (err) {
+        return strike(res, 502, err.message);
+      }
+    }
+
+    // Unknown route — a wrong URL is not an auth failure. Log it, return 404,
     // but do NOT increment failCount (which locks the vault at MAX_FAILS).
     // Auth failures (wrong password, wrong token) still strike via /auth and /get/:service.
     try {
@@ -5482,8 +5511,8 @@ async function actionForeground(opts) {
 // Reuses the same auth model as the HTTP daemon.
 // Secrets are delivered via temp files — never in the MCP response.
 
-import { createInterface } from "readline";
-import { execSync, spawn as spawnProc } from "child_process";
+import { createInterface } from "readline";
+import { execSync, spawn as spawnProc, spawnSync } from "child_process";
 
 // ── Monkey dispatch — headless Claude CLI worker ─────────────────
 function findClaudeBinary() {
@@ -6086,9 +6115,9 @@ function stopCodevelopSession(session_id) {
   return { stopped: true, session_id };
 }
 
-const ENV_MAP = {
-  "github":           "GITHUB_TOKEN",
-  "supabase-anon":    "NEXT_PUBLIC_SUPABASE_ANON_KEY",
+const ENV_MAP = {
+  "github":           "GITHUB_TOKEN",
+  "supabase-anon":    "NEXT_PUBLIC_SUPABASE_ANON_KEY",
   "supabase-service": "SUPABASE_SERVICE_ROLE_KEY",
   "supabase-db":      "SUPABASE_DB_URL",
   "vercel":           "VERCEL_TOKEN",
@@ -6100,11 +6129,116 @@ const ENV_MAP = {
   "rocketreach":      "ROCKETREACH_API_KEY",
   "npm":              "NPM_TOKEN",
   "namecheap":        "NAMECHEAP_API_KEY",
-  "gmail":            "GMAIL_CREDENTIALS",
-};
-
-// ── Filesystem service config — loaded from clauth vault ──
-let _fsMountsCache = null;
+  "gmail":            "GMAIL_CREDENTIALS",
+};
+
+const ADDRESS_KEY_TYPES = new Set(["connstring", "fileserver", "oauth"]);
+const ADDRESS_FIELDS = new Set(["url", "uri", "host", "hostname", "server", "address", "base_url", "endpoint", "path", "root"]);
+
+function normalizeSearchText(value) {
+  return String(value || "").toLowerCase();
+}
+
+function redactUrlish(value) {
+  const text = String(value || "").trim();
+  if (!text) return "";
+  try {
+    const url = new URL(text);
+    if (url.username) url.username = "***";
+    if (url.password) url.password = "***";
+    return url.toString();
+  } catch {
+    return text.replace(/:\/\/([^:@/\s]+):([^@/\s]+)@/g, "://***:***@");
+  }
+}
+
+function collectAddressHints(value, keyType) {
+  if (!ADDRESS_KEY_TYPES.has(String(keyType || "").toLowerCase())) return [];
+  const hints = new Set();
+
+  function add(candidate) {
+    if (candidate === undefined || candidate === null) return;
+    const text = redactUrlish(candidate);
+    if (text) hints.add(text);
+  }
+
+  function walk(node, fieldName = "") {
+    if (node === undefined || node === null) return;
+    if (typeof node === "string") {
+      if (fieldName && ADDRESS_FIELDS.has(fieldName.toLowerCase())) add(node);
+      if (/^[a-z][a-z0-9+.-]*:\/\//i.test(node) || /^[A-Za-z]:[\\/]/.test(node) || node.startsWith("\\\\")) add(node);
+      return;
+    }
+    if (Array.isArray(node)) {
+      for (const item of node) walk(item, fieldName);
+      return;
+    }
+    if (typeof node === "object") {
+      for (const [key, child] of Object.entries(node)) walk(child, key);
+    }
+  }
+
+  try {
+    walk(JSON.parse(value));
+  } catch {
+    walk(value);
+  }
+
+  return [...hints];
+}
+
+async function searchServices({ password, machineHash, token, timestamp, query, project, includeAddresses = true, whitelist }) {
+  const q = normalizeSearchText(query);
+  if (!q) return { error: "query is required" };
+
+  const result = await api.status(password, machineHash, token, timestamp, project);
+  if (result.error) return { error: result.error };
+
+  let services = result.services || [];
+  if (whitelist) services = services.filter(s => whitelist.includes(String(s.name || "").toLowerCase()));
+
+  const matches = [];
+  for (const s of services) {
+    const fields = {
+      name: s.name,
+      label: s.label,
+      project: s.project,
+      type: s.key_type,
+      description: s.description
+    };
+    const matched = Object.entries(fields)
+      .filter(([, value]) => normalizeSearchText(value).includes(q))
+      .map(([field]) => field);
+
+    let addressHints = [];
+    if (includeAddresses && ADDRESS_KEY_TYPES.has(String(s.key_type || "").toLowerCase()) && s.vault_key) {
+      const secret = await api.retrieve(password, machineHash, token, timestamp, s.name);
+      if (!secret.error) {
+        addressHints = collectAddressHints(secret.value, s.key_type);
+        if (addressHints.some(h => normalizeSearchText(h).includes(q))) matched.push("address");
+      }
+    }
+
+    if (matched.length) {
+      matches.push({
+        name: s.name,
+        label: s.label || null,
+        project: s.project || null,
+        key_type: s.key_type,
+        enabled: !!s.enabled,
+        has_key: !!s.vault_key,
+        description: s.description || null,
+        matched: [...new Set(matched)],
+        address_hints: addressHints
+      });
+    }
+  }
+
+  return { query, count: matches.length, matches };
+}
+
+// ── Filesystem service config — loaded from clauth vault ──
+let _fsMountsCache = null;
 let _fsMountsCacheTime = 0;
 const FS_CACHE_TTL = 60000; // 1 minute
 
@@ -6138,24 +6272,115 @@ async function getFileserverMounts(vault) {
   }
 }
 
-async function resolveInMount(requestedPath, mountName, vault) {
+async function resolveInMount(requestedPath, mountName, vault) {
   const { mounts, error } = await getFileserverMounts(vault);
   if (error) return { error };
   if (!mounts || mounts.length === 0) return { error: "No fileserver services configured. Add one with key_type='fileserver' and value: {\"path\": \"C:/Dev/regen-root\", \"access\": \"rwd\"}" };
   const mount = mountName ? mounts.find(m => m.name === mountName) : mounts[0];
   if (!mount) return { error: `Mount '${mountName}' not found. Available: ${mounts.map(m => m.name).join(", ")}` };
   if (!mount.path) return { error: `Fileserver '${mount.name}' has no path configured` };
-  const resolved = path.resolve(mount.path, requestedPath);
-  const normalized = path.normalize(resolved);
-  if (!normalized.startsWith(path.normalize(mount.path))) {
-    return { error: `Path escapes mount: ${requestedPath}` };
-  }
-  return { resolved: normalized, mount };
-}
-
-function checkAccess(mount, flag) {
-  return mount.access.includes(flag);
-}
+  const resolved = path.resolve(mount.path, requestedPath);
+  const normalized = path.normalize(resolved);
+  const relative = path.relative(path.normalize(mount.path), normalized);
+  if (relative.startsWith("..") || path.isAbsolute(relative)) {
+    return { error: `Path escapes mount: ${requestedPath}` };
+  }
+  return { resolved: normalized, mount };
+}
+
+function checkAccess(mount, flag) {
+  return mount.access.includes(flag);
+}
+
+function sha256Hex(value) {
+  return crypto.createHash("sha256").update(value).digest("hex");
+}
+
+async function atomicWriteText(filePath, content) {
+  await mkdir(path.dirname(filePath), { recursive: true });
+  const tempPath = path.join(
+    path.dirname(filePath),
+    `.${path.basename(filePath)}.tmp-${process.pid}-${Date.now()}-${crypto.randomBytes(4).toString("hex")}`
+  );
+  await writeFile(tempPath, content, "utf8");
+  await rename(tempPath, filePath);
+}
+
+async function fileInfo(filePath, requestedPath) {
+  const s = await stat(filePath);
+  const info = {
+    path: requestedPath,
+    type: s.isDirectory() ? "dir" : "file",
+    size: s.size,
+    modified: s.mtime.toISOString(),
+  };
+  if (s.isFile()) {
+    const content = await readFile(filePath);
+    info.sha256 = sha256Hex(content);
+  }
+  return info;
+}
+
+const FS_UPLOAD_SESSIONS = new Map();
+const FS_UPLOAD_TTL_MS = 30 * 60 * 1000;
+const FS_MAX_CHUNKS = 500;
+const FS_MAX_CHUNK_BYTES = 128 * 1024;
+const FS_MAX_INGEST_BYTES = 25 * 1024 * 1024;
+const FS_GIT_IMPORT_ALLOWED_PREFIXES = [
+  "docs/",
+  ".rdc/plans/",
+  ".rdc/guides/",
+  ".claude/context/",
+  ".claude/rules/",
+  ".rdc/relay/from-claude-ai/",
+];
+
+function cleanupFsUploadSessions() {
+  const cutoff = Date.now() - FS_UPLOAD_TTL_MS;
+  for (const [id, session] of FS_UPLOAD_SESSIONS) {
+    if (session.updatedAt < cutoff) FS_UPLOAD_SESSIONS.delete(id);
+  }
+}
+
+function runGit(cwd, args, opts = {}) {
+  const res = spawnSync("git", args, {
+    cwd,
+    encoding: "utf8",
+    windowsHide: true,
+    maxBuffer: opts.maxBuffer || 10 * 1024 * 1024,
+  });
+  if (res.status !== 0) {
+    const detail = (res.stderr || res.stdout || "").trim();
+    throw new Error(`git ${args.join(" ")} failed${detail ? `: ${detail}` : ""}`);
+  }
+  return (res.stdout || "").trim();
+}
+
+function runGitRaw(cwd, args, opts = {}) {
+  const res = spawnSync("git", args, {
+    cwd,
+    encoding: "buffer",
+    windowsHide: true,
+    maxBuffer: opts.maxBuffer || 10 * 1024 * 1024,
+  });
+  if (res.status !== 0) {
+    const detail = Buffer.concat([res.stderr || Buffer.alloc(0), res.stdout || Buffer.alloc(0)]).toString("utf8").trim();
+    throw new Error(`git ${args.join(" ")} failed${detail ? `: ${detail}` : ""}`);
+  }
+  return res.stdout || Buffer.alloc(0);
+}
+
+function normalizeRepoPath(p) {
+  if (!p || typeof p !== "string") return null;
+  const normalized = p.replace(/\\/g, "/").replace(/^\/+/, "");
+  const parts = normalized.split("/").filter(Boolean);
+  if (parts.length === 0 || parts.includes("..") || path.isAbsolute(p)) return null;
+  return parts.join("/");
+}
+
+function isAllowedGitImportPath(p, allowedPrefixes = FS_GIT_IMPORT_ALLOWED_PREFIXES) {
+  return allowedPrefixes.some((prefix) => p === prefix.replace(/\/$/, "") || p.startsWith(prefix));
+}
 
 const MCP_TOOLS = [
   {
@@ -6178,14 +6403,28 @@ const MCP_TOOLS = [
     description: "List all services with type, enabled state, key presence, and last retrieval time",
     inputSchema: { type: "object", properties: {}, additionalProperties: false }
   },
-  {
-    name: "clauth_list",
-    description: "List registered service names",
-    inputSchema: { type: "object", properties: {}, additionalProperties: false }
-  },
-  {
-    name: "clauth_get",
-    description: "Retrieve a secret and deliver to a temp file (default), clipboard, or stdout. Temp files auto-delete after 30 seconds.",
+  {
+    name: "clauth_list",
+    description: "List registered service names",
+    inputSchema: { type: "object", properties: {}, additionalProperties: false }
+  },
+  {
+    name: "clauth_search",
+    description: "Search registered services by name, label, project, description, type, or redacted address hints from address-bearing secrets",
+    inputSchema: {
+      type: "object",
+      properties: {
+        query: { type: "string", description: "Search text, such as part of a service name, project, host, URL, or filesystem path" },
+        project: { type: "string", description: "Optional project scope" },
+        addresses: { type: "boolean", default: true, description: "Include redacted address hints from connstring/fileserver/oauth secrets" }
+      },
+      required: ["query"],
+      additionalProperties: false
+    }
+  },
+  {
+    name: "clauth_get",
+    description: "Retrieve a secret and deliver to a temp file (default), clipboard, or stdout. Temp files auto-delete after 30 seconds.",
     inputSchema: {
       type: "object",
       properties: {
@@ -6648,9 +6887,9 @@ const MCP_TOOLS = [
       additionalProperties: false,
     },
   },
-  {
-    name: "fs_write",
-    description: "Write content to a file. Creates parent directories if needed. Overwrites existing file.",
+  {
+    name: "fs_write",
+    description: "Write content to a file. Creates parent directories if needed. Overwrites existing file.",
     inputSchema: {
       type: "object",
       properties: {
@@ -6659,12 +6898,93 @@ const MCP_TOOLS = [
         mount: { type: "string", description: "Mount name (default: first mount)" },
       },
       required: ["path", "content"],
-      additionalProperties: false,
-    },
-  },
-  {
-    name: "fs_list",
-    description: "List directory contents with file type, size, and modification time.",
+      additionalProperties: false,
+    },
+  },
+  {
+    name: "fs_stat",
+    description: "Get file or directory metadata. Files include a SHA-256 hash for guarded edits.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        path: { type: "string", description: "Relative path within mount" },
+        mount: { type: "string", description: "Mount name (default: first mount)" },
+      },
+      required: ["path"],
+      additionalProperties: false,
+    },
+  },
+  {
+    name: "fs_append",
+    description: "Append text to a file, optionally guarded by the current file SHA-256 hash.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        path: { type: "string", description: "Relative path within mount" },
+        content: { type: "string", description: "Text to append" },
+        mount: { type: "string", description: "Mount name (default: first mount)" },
+        expected_sha256: { type: "string", description: "Optional current file SHA-256. If provided and the file exists, append only when it matches." },
+      },
+      required: ["path", "content"],
+      additionalProperties: false,
+    },
+  },
+  {
+    name: "fs_write_chunk",
+    description: "Stage chunked text writes and atomically publish when all chunks arrive. Use when single write arguments are too large.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        upload_id: { type: "string", description: "Caller-chosen idempotency key for this file upload" },
+        path: { type: "string", description: "Relative path within mount" },
+        chunk_index: { type: "number", description: "Zero-based chunk index" },
+        total_chunks: { type: "number", description: "Total chunks expected" },
+        content: { type: "string", description: "Chunk text content" },
+        mount: { type: "string", description: "Mount name (default: first mount)" },
+        expected_sha256: { type: "string", description: "Optional SHA-256 of the final assembled file content" },
+      },
+      required: ["upload_id", "path", "chunk_index", "total_chunks", "content"],
+      additionalProperties: false,
+    },
+  },
+  {
+    name: "fs_ingest_url",
+    description: "Download text from an http(s) URL and atomically write it inside the mount. Useful for moving cloud files into the local filesystem.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        url: { type: "string", description: "HTTPS or HTTP URL to fetch" },
+        path: { type: "string", description: "Relative output path within mount" },
+        mount: { type: "string", description: "Mount name (default: first mount)" },
+        max_bytes: { type: "number", description: "Maximum download size in bytes (default 5MB, hard max 25MB)" },
+        expected_sha256: { type: "string", description: "Optional SHA-256 of fetched content before writing" },
+      },
+      required: ["url", "path"],
+      additionalProperties: false,
+    },
+  },
+  {
+    name: "fs_import_git_files",
+    description: "Fetch a Git ref and restore only named files into the mounted repo, optionally committing just those files. Designed for Claude.ai GitHub uploads into dirty local monorepos.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        remote: { type: "string", description: "Git remote name (default: origin)" },
+        ref: { type: "string", description: "Branch, tag, or commit to fetch/restore from" },
+        paths: { type: "array", items: { type: "string" }, description: "Repo-relative file paths to import" },
+        mode: { type: "string", enum: ["new_only", "overwrite"], description: "new_only refuses existing local paths. overwrite restores named paths only." },
+        commit: { type: "boolean", description: "When true, stage only imported paths and create a local commit. Never pushes." },
+        message: { type: "string", description: "Commit subject when commit=true" },
+        mount: { type: "string", description: "Mount name (default: first mount)" },
+        allowed_prefixes: { type: "array", items: { type: "string" }, description: "Optional path allowlist prefixes. Defaults to docs and agent corpus paths." },
+      },
+      required: ["ref", "paths"],
+      additionalProperties: false,
+    },
+  },
+  {
+    name: "fs_list",
+    description: "List directory contents with file type, size, and modification time.",
     inputSchema: {
       type: "object",
       properties: {
@@ -6821,10 +7141,10 @@ async function handleMcpTool(vault, name, args) {
       }
     }
 
-    case "clauth_list": {
-      if (!vault.password) return mcpError("Vault is locked — call clauth_unlock first");
-      try {
-        const { token, timestamp } = deriveToken(vault.password, vault.machineHash);
+    case "clauth_list": {
+      if (!vault.password) return mcpError("Vault is locked — call clauth_unlock first");
+      try {
+        const { token, timestamp } = deriveToken(vault.password, vault.machineHash);
         const result = await api.status(vault.password, vault.machineHash, token, timestamp);
         if (result.error) return mcpError(result.error);
         let services = result.services || [];
@@ -6833,13 +7153,34 @@ async function handleMcpTool(vault, name, args) {
         }
         return mcpResult(services.map(s => s.name).join(", "));
       } catch (err) {
-        return mcpError(err.message);
-      }
-    }
-
-    case "clauth_get": {
-      if (!vault.password) return mcpError("Vault is locked — call clauth_unlock first");
-      const service = (args.service || "").toLowerCase();
+        return mcpError(err.message);
+      }
+    }
+
+    case "clauth_search": {
+      if (!vault.password) return mcpError("Vault is locked — call clauth_unlock first");
+      try {
+        const { token, timestamp } = deriveToken(vault.password, vault.machineHash);
+        const result = await searchServices({
+          password: vault.password,
+          machineHash: vault.machineHash,
+          token,
+          timestamp,
+          query: args.query,
+          project: args.project,
+          includeAddresses: args.addresses !== false,
+          whitelist: vault.whitelist
+        });
+        if (result.error) return mcpError(result.error);
+        return mcpResult(JSON.stringify(result, null, 2));
+      } catch (err) {
+        return mcpError(err.message);
+      }
+    }
+
+    case "clauth_get": {
+      if (!vault.password) return mcpError("Vault is locked — call clauth_unlock first");
+      const service = (args.service || "").toLowerCase();
       const target = args.target || "file";
       if (!service) return mcpError("service is required");
       if (vault.whitelist && !vault.whitelist.includes(service)) {
@@ -7133,20 +7474,250 @@ async function handleMcpTool(vault, name, args) {
       }
     }
 
-    case "fs_write": {
-      const r = await resolveInMount(args.path, args.mount, vault);
-      if (r.error) return mcpError(r.error);
-      if (!checkAccess(r.mount, "w")) return mcpError("Write access denied on this mount");
-      try {
-        await mkdir(path.dirname(r.resolved), { recursive: true });
-        await writeFile(r.resolved, args.content, "utf8");
-        return mcpResult(`Written: ${args.path} (${Buffer.byteLength(args.content)} bytes)`);
-      } catch (err) {
-        return mcpError(`Write failed: ${err.message}`);
-      }
-    }
-
-    case "fs_list": {
+    case "fs_write": {
+      const r = await resolveInMount(args.path, args.mount, vault);
+      if (r.error) return mcpError(r.error);
+      if (!checkAccess(r.mount, "w")) return mcpError("Write access denied on this mount");
+      try {
+        await atomicWriteText(r.resolved, args.content);
+        return mcpResult(`Written: ${args.path} (${Buffer.byteLength(args.content)} bytes)`);
+      } catch (err) {
+        return mcpError(`Write failed: ${err.message}`);
+      }
+    }
+
+    case "fs_stat": {
+      const r = await resolveInMount(args.path, args.mount, vault);
+      if (r.error) return mcpError(r.error);
+      if (!checkAccess(r.mount, "r")) return mcpError("Read access denied on this mount");
+      try {
+        return mcpResult(JSON.stringify(await fileInfo(r.resolved, args.path), null, 2));
+      } catch (err) {
+        if (err.code === "ENOENT") return mcpError(`Not found: ${args.path}`);
+        return mcpError(`Stat failed: ${err.message}`);
+      }
+    }
+
+    case "fs_append": {
+      const r = await resolveInMount(args.path, args.mount, vault);
+      if (r.error) return mcpError(r.error);
+      if (!checkAccess(r.mount, "w")) return mcpError("Write access denied on this mount");
+      try {
+        try {
+          const current = await readFile(r.resolved);
+          if (args.expected_sha256 && sha256Hex(current) !== args.expected_sha256) {
+            return mcpError("Append rejected: current file hash does not match expected_sha256");
+          }
+        } catch (err) {
+          if (err.code !== "ENOENT") throw err;
+          if (args.expected_sha256) return mcpError("Append rejected: file does not exist for expected_sha256 guard");
+        }
+        await mkdir(path.dirname(r.resolved), { recursive: true });
+        await appendFile(r.resolved, args.content, "utf8");
+        const info = await fileInfo(r.resolved, args.path);
+        return mcpResult(JSON.stringify({ appended_bytes: Buffer.byteLength(args.content), ...info }, null, 2));
+      } catch (err) {
+        return mcpError(`Append failed: ${err.message}`);
+      }
+    }
+
+    case "fs_write_chunk": {
+      cleanupFsUploadSessions();
+      const { upload_id, chunk_index, total_chunks, content } = args;
+      const index = Number(chunk_index);
+      const total = Number(total_chunks);
+      if (!Number.isInteger(index) || !Number.isInteger(total) || index < 0 || total < 1 || index >= total) {
+        return mcpError("Invalid chunk_index/total_chunks");
+      }
+      if (total > FS_MAX_CHUNKS) return mcpError(`Too many chunks: max ${FS_MAX_CHUNKS}`);
+      if (Buffer.byteLength(content, "utf8") > FS_MAX_CHUNK_BYTES) {
+        return mcpError(`Chunk too large: max ${FS_MAX_CHUNK_BYTES} bytes`);
+      }
+
+      const r = await resolveInMount(args.path, args.mount, vault);
+      if (r.error) return mcpError(r.error);
+      if (!checkAccess(r.mount, "w")) return mcpError("Write access denied on this mount");
+
+      const key = `${r.mount.name}:${args.path}:${upload_id}`;
+      let session = FS_UPLOAD_SESSIONS.get(key);
+      if (!session) {
+        session = { path: args.path, resolved: r.resolved, total, chunks: new Map(), expectedSha256: args.expected_sha256 || null, updatedAt: Date.now() };
+        FS_UPLOAD_SESSIONS.set(key, session);
+      }
+      if (session.total !== total || session.path !== args.path || session.resolved !== r.resolved) {
+        return mcpError("Upload id collision: path or total_chunks differs from existing session");
+      }
+      if (args.expected_sha256 && session.expectedSha256 && args.expected_sha256 !== session.expectedSha256) {
+        return mcpError("Upload id collision: expected_sha256 differs from existing session");
+      }
+
+      session.chunks.set(index, content);
+      session.updatedAt = Date.now();
+
+      if (session.chunks.size < total) {
+        return mcpResult(JSON.stringify({ upload_id, status: "staged", received_chunks: session.chunks.size, total_chunks: total }, null, 2));
+      }
+
+      const assembled = Array.from({ length: total }, (_, i) => session.chunks.get(i)).join("");
+      const actualSha = sha256Hex(assembled);
+      if (session.expectedSha256 && actualSha !== session.expectedSha256) {
+        FS_UPLOAD_SESSIONS.delete(key);
+        return mcpError(`Final SHA-256 mismatch: expected ${session.expectedSha256}, got ${actualSha}`);
+      }
+
+      try {
+        await atomicWriteText(r.resolved, assembled);
+        FS_UPLOAD_SESSIONS.delete(key);
+        return mcpResult(JSON.stringify({ upload_id, status: "written", path: args.path, bytes: Buffer.byteLength(assembled), sha256: actualSha }, null, 2));
+      } catch (err) {
+        return mcpError(`Chunked write failed: ${err.message}`);
+      }
+    }
+
+    case "fs_ingest_url": {
+      const r = await resolveInMount(args.path, args.mount, vault);
+      if (r.error) return mcpError(r.error);
+      if (!checkAccess(r.mount, "w")) return mcpError("Write access denied on this mount");
+
+      let url;
+      try {
+        url = new URL(args.url);
+      } catch {
+        return mcpError("Invalid URL");
+      }
+      if (!["http:", "https:"].includes(url.protocol)) return mcpError("Only http(s) URLs are supported");
+
+      const maxBytes = Math.min(Number(args.max_bytes || 5 * 1024 * 1024), FS_MAX_INGEST_BYTES);
+      try {
+        const response = await fetch(url, { redirect: "follow" });
+        if (!response.ok) return mcpError(`Fetch failed: HTTP ${response.status}`);
+        const length = Number(response.headers.get("content-length") || 0);
+        if (length && length > maxBytes) return mcpError(`Fetch rejected: content-length ${length} exceeds max_bytes ${maxBytes}`);
+
+        const reader = response.body?.getReader();
+        if (!reader) return mcpError("Fetch failed: response body is not readable");
+
+        let received = 0;
+        const chunks = [];
+        while (true) {
+          const { done, value } = await reader.read();
+          if (done) break;
+          received += value.byteLength;
+          if (received > maxBytes) return mcpError(`Fetch rejected: response exceeds max_bytes ${maxBytes}`);
+          chunks.push(Buffer.from(value));
+        }
+
+        const content = Buffer.concat(chunks).toString("utf8");
+        const actualSha = sha256Hex(content);
+        if (args.expected_sha256 && actualSha !== args.expected_sha256) {
+          return mcpError(`Fetched SHA-256 mismatch: expected ${args.expected_sha256}, got ${actualSha}`);
+        }
+        await atomicWriteText(r.resolved, content);
+        return mcpResult(JSON.stringify({ status: "written", path: args.path, bytes: Buffer.byteLength(content), sha256: actualSha, source: url.href }, null, 2));
+      } catch (err) {
+        return mcpError(`Ingest failed: ${err.message}`);
+      }
+    }
+
+    case "fs_import_git_files": {
+      if (!Array.isArray(args.paths) || args.paths.length === 0) return mcpError("paths must be a non-empty array");
+      if (args.paths.length > 25) return mcpError("Too many paths: max 25 per import");
+
+      const r = await resolveInMount(".", args.mount, vault);
+      if (r.error) return mcpError(r.error);
+      if (!checkAccess(r.mount, "w")) return mcpError("Write access denied on this mount");
+
+      const repoRoot = r.resolved;
+      const remote = args.remote || "origin";
+      const mode = args.mode || "new_only";
+      const doCommit = args.commit === true;
+      const allowedPrefixes = Array.isArray(args.allowed_prefixes) && args.allowed_prefixes.length > 0
+        ? args.allowed_prefixes.map((p) => normalizeRepoPath(p.endsWith("/") ? p : `${p}/`)).filter(Boolean)
+        : FS_GIT_IMPORT_ALLOWED_PREFIXES;
+
+      try {
+        const topLevel = path.normalize(runGit(repoRoot, ["rev-parse", "--show-toplevel"]));
+        if (topLevel.toLowerCase() !== path.normalize(repoRoot).toLowerCase()) {
+          return mcpError(`Mount root is not the git repo root: ${repoRoot} (repo root: ${topLevel})`);
+        }
+
+        const normalizedPaths = [];
+        for (const rawPath of args.paths) {
+          const normalized = normalizeRepoPath(rawPath);
+          if (!normalized) return mcpError(`Invalid repo path: ${rawPath}`);
+          if (!isAllowedGitImportPath(normalized, allowedPrefixes)) return mcpError(`Path not allowed for git import: ${normalized}`);
+          normalizedPaths.push(normalized);
+        }
+
+        if (mode === "new_only") {
+          for (const rel of normalizedPaths) {
+            const localPath = path.join(repoRoot, rel);
+            try {
+              await stat(localPath);
+              return mcpError(`Import refused: local path already exists in new_only mode: ${rel}`);
+            } catch (err) {
+              if (err.code !== "ENOENT") throw err;
+            }
+          }
+        }
+
+        if (doCommit) {
+          const staged = runGit(repoRoot, ["diff", "--cached", "--name-only"]);
+          if (staged) return mcpError(`Import refused: index already has staged files:\n${staged}`);
+          if (!args.message || !args.message.trim()) return mcpError("message is required when commit=true");
+        }
+
+        runGit(repoRoot, ["fetch", "--no-tags", remote, args.ref]);
+        const sourceCommit = runGit(repoRoot, ["rev-parse", "FETCH_HEAD"]);
+
+        for (const rel of normalizedPaths) {
+          runGit(repoRoot, ["cat-file", "-e", `${sourceCommit}:${rel}`]);
+        }
+
+        runGit(repoRoot, ["restore", `--source=${sourceCommit}`, "--", ...normalizedPaths]);
+
+        const imported = [];
+        for (const rel of normalizedPaths) {
+          const localPath = path.join(repoRoot, rel);
+          const info = await fileInfo(localPath, rel);
+          const sourceBlob = runGit(repoRoot, ["rev-parse", `${sourceCommit}:${rel}`]);
+          const sourceSize = Number(runGitRaw(repoRoot, ["cat-file", "-s", `${sourceCommit}:${rel}`]).toString("utf8").trim());
+          imported.push({ ...info, source_blob: sourceBlob, source_size: sourceSize });
+        }
+
+        let localCommit = null;
+        if (doCommit) {
+          runGit(repoRoot, ["add", "--", ...normalizedPaths]);
+          const body = [
+            args.message.trim(),
+            "",
+            "Imported from Claude.ai GitHub upload.",
+            "",
+            `Source remote: ${remote}`,
+            `Source ref: ${args.ref}`,
+            `Source commit: ${sourceCommit}`,
+            "",
+            "Paths:",
+            ...normalizedPaths.map((p) => `- ${p}`),
+          ].join("\n");
+          runGit(repoRoot, ["commit", "-m", body]);
+          localCommit = runGit(repoRoot, ["rev-parse", "HEAD"]);
+        }
+
+        return mcpResult(JSON.stringify({
+          status: "ok",
+          mode,
+          committed: doCommit,
+          source_commit: sourceCommit,
+          local_commit: localCommit,
+          imported,
+        }, null, 2));
+      } catch (err) {
+        return mcpError(`Git import failed: ${err.message}`);
+      }
+    }
+
+    case "fs_list": {
       const dirPath = args.path || ".";
       const r = await resolveInMount(dirPath, args.mount, vault);
       if (r.error) return mcpError(r.error);

package/cli/index.js

@@ -40,6 +40,97 @@ async function getAuth(pw) {
   return { password, machineHash, token, timestamp };
 }
 
+const ADDRESS_KEY_TYPES = new Set(["connstring", "fileserver", "oauth"]);
+const ADDRESS_FIELDS = new Set(["url", "uri", "host", "hostname", "server", "address", "base_url", "endpoint", "path", "root"]);
+
+function normalizeSearchText(value) {
+  return String(value || "").toLowerCase();
+}
+
+function redactUrlish(value) {
+  const text = String(value || "").trim();
+  if (!text) return "";
+  try {
+    const url = new URL(text);
+    if (url.username) url.username = "***";
+    if (url.password) url.password = "***";
+    return url.toString();
+  } catch {
+    return text.replace(/:\/\/([^:@/\s]+):([^@/\s]+)@/g, "://***:***@");
+  }
+}
+
+function collectAddressHints(value, keyType) {
+  if (!ADDRESS_KEY_TYPES.has(String(keyType || "").toLowerCase())) return [];
+  const hints = new Set();
+
+  function add(candidate) {
+    if (candidate === undefined || candidate === null) return;
+    const text = redactUrlish(candidate);
+    if (text) hints.add(text);
+  }
+
+  function walk(node, fieldName = "") {
+    if (node === undefined || node === null) return;
+    if (typeof node === "string") {
+      if (fieldName && ADDRESS_FIELDS.has(fieldName.toLowerCase())) add(node);
+      if (/^[a-z][a-z0-9+.-]*:\/\//i.test(node) || /^[A-Za-z]:[\\/]/.test(node) || node.startsWith("\\\\")) add(node);
+      return;
+    }
+    if (Array.isArray(node)) {
+      for (const item of node) walk(item, fieldName);
+      return;
+    }
+    if (typeof node === "object") {
+      for (const [key, child] of Object.entries(node)) walk(child, key);
+    }
+  }
+
+  try {
+    walk(JSON.parse(value));
+  } catch {
+    walk(value);
+  }
+
+  return [...hints];
+}
+
+async function searchServices(auth, query, opts = {}) {
+  const q = normalizeSearchText(query);
+  if (!q) throw new Error("Search query is required");
+  const result = await api.status(auth.password, auth.machineHash, auth.token, auth.timestamp, opts.project);
+  if (result.error) throw new Error(result.error);
+
+  const services = result.services || [];
+  const rows = [];
+
+  for (const s of services) {
+    const fields = {
+      name: s.name,
+      label: s.label,
+      project: s.project,
+      type: s.key_type,
+      description: s.description
+    };
+    const matched = Object.entries(fields)
+      .filter(([, value]) => normalizeSearchText(value).includes(q))
+      .map(([field]) => field);
+
+    let addressHints = [];
+    if (opts.addresses !== false && ADDRESS_KEY_TYPES.has(String(s.key_type || "").toLowerCase()) && s.vault_key) {
+      const secret = await api.retrieve(auth.password, auth.machineHash, auth.token, auth.timestamp, s.name);
+      if (!secret.error) {
+        addressHints = collectAddressHints(secret.value, s.key_type);
+        if (addressHints.some(h => normalizeSearchText(h).includes(q))) matched.push("address");
+      }
+    }
+
+    if (matched.length) rows.push({ ...s, matched: [...new Set(matched)], addressHints });
+  }
+
+  return rows;
+}
+
 // ============================================================
 // Program
 // ============================================================
@@ -58,6 +149,7 @@ import { runUninstall } from './commands/uninstall.js';
 import { runScrub } from './commands/scrub.js';
 import { runServe } from './commands/serve.js';
 import { runCodevelop } from './commands/codevelop.js';
+import { runNpm } from './commands/npm.js';
 
 program
   .command('install')
@@ -126,6 +218,16 @@ program
     await runCodevelop({ ...opts, action });
   });
 
+program
+  .command("npm")
+  .description("Operate npm auth safely through the clauth npm service")
+  .argument("[action]", "whoami | tokens | set-local | sync-github-secret | rerun | help", "help")
+  .argument("[args...]", "Action arguments")
+  .option("--repo <repo>", "GitHub repo, e.g. LIFEAI/rdc-skills")
+  .action(async (action, args, opts) => {
+    await runNpm(action, { ...opts, args });
+  });
+
 // ──────────────────────────────────────────────
 // clauth setup
 // ──────────────────────────────────────────────
@@ -410,6 +512,38 @@ program
     console.log();
   });
 
+program
+  .command("search <query>")
+  .description("Search services by name, label, project, description, type, or redacted address hints")
+  .option("-p, --pw <password>")
+  .option("--project <name>", "Filter by project scope")
+  .option("--no-addresses", "Skip address-bearing secret metadata scans")
+  .action(async (query, opts) => {
+    const auth = await getAuth(opts.pw);
+    const spinner = ora("Searching services...").start();
+    try {
+      const rows = await searchServices(auth, query, { project: opts.project, addresses: opts.addresses });
+      spinner.stop();
+      console.log(chalk.cyan(`\n Search results for "${query}":\n`));
+      if (!rows.length) {
+        console.log(chalk.gray("  No matching services found.\n"));
+        return;
+      }
+      console.log(chalk.bold("  " + "SERVICE".padEnd(24) + "TYPE".padEnd(12) + "PROJECT".padEnd(20) + "MATCHED"));
+      console.log("  " + "─".repeat(78));
+      for (const s of rows) {
+        const project = s.project || "global";
+        console.log(`  ${chalk.bold(s.name.padEnd(24))}${String(s.key_type || "").padEnd(12)}${project.padEnd(20)}${s.matched.join(", ")}`);
+        if (s.label) console.log(chalk.gray(`    label: ${s.label}`));
+        if (s.description) console.log(chalk.gray(`    description: ${s.description}`));
+        for (const hint of s.addressHints || []) console.log(chalk.gray(`    address: ${hint}`));
+      }
+      console.log();
+    } catch (err) {
+      spinner.fail(chalk.red(err.message));
+    }
+  });
+
 // ──────────────────────────────────────────────
 // clauth test <service|all>
 // ──────────────────────────────────────────────

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lifeaitools/clauth",
-  "version": "1.5.81",
+  "version": "1.5.83",
   "description": "Hardware-bound credential vault for the LIFEAI infrastructure stack",
   "type": "module",
   "bin": {