@lifeaitools/clauth 1.5.82 → 1.5.83

package/.clauth-skill/SKILL.md

@@ -141,11 +141,12 @@ See `references/keys-guide.md` for where to find every credential.
 ```
 clauth install [--ref R] [--pat P]     First-time: provision Supabase + install skill
 clauth setup [--admin-token T] [-p P]  Register this machine
-clauth status [-p P]                   All services + state
-clauth test [-p P]                     Verify HMAC connection
-clauth list [-p P]                     Service names
-
-clauth write key <service> [-p P]      Store a credential
+clauth status [-p P]                   All services + state
+clauth test [-p P]                     Verify HMAC connection
+clauth list [-p P]                     Service names
+clauth search <query> [-p P]           Search names, metadata, and redacted server addresses
+
+clauth write key <service> [-p P]      Store a credential
 clauth write pw [-p P]                 Change password
 clauth enable <svc|all> [-p P]         Activate service
 clauth disable <svc|all> [-p P]        Suspend service

package/README.md

@@ -72,16 +72,20 @@ clauth get github
 ```
 clauth install              Provision Supabase + install Claude skill
 clauth setup                Register this machine with the vault
-clauth status               All services + state
-clauth test                 Verify connection
+clauth status               All services + state
+clauth search <query>       Find services by name, project, description, or redacted address
+clauth test                 Verify connection
 
 clauth write key <service>  Store a credential
 clauth write pw             Change password
 clauth enable <svc|all>     Activate service
 clauth disable <svc|all>    Suspend service
-clauth get <service>        Retrieve a key
-
-clauth add service <n>      Register new service
+clauth get <service>        Retrieve a key
+clauth npm whoami           Verify npm token without PowerShell secret plumbing
+clauth npm sync-github-secret LIFEAI/rdc-skills
+                            Update GitHub NPM_TOKEN from clauth
+
+clauth add service <n>      Register new service
 clauth remove service <n>   Remove service
 clauth revoke <svc|all>     Delete key (destructive)
 ```

package/cli/commands/npm.js

@@ -0,0 +1,123 @@
+import fs from "fs";
+import os from "os";
+import path from "path";
+import { spawnSync } from "child_process";
+
+const CLAUTH_NPM_URL = "http://127.0.0.1:52437/v/npm";
+
+function run(cmd, args, opts = {}) {
+  const useCmd = process.platform === "win32" && ["npm", "gh"].includes(cmd);
+  const executable = useCmd ? "cmd.exe" : cmd;
+  const finalArgs = useCmd ? ["/d", "/s", "/c", cmd, ...args] : args;
+  const result = spawnSync(executable, finalArgs, {
+    encoding: "utf8",
+    ...opts,
+    env: { ...process.env, ...(opts.env || {}) }
+  });
+  if (result.error) throw result.error;
+  return result;
+}
+
+function redactNpmTokenList(text) {
+  return String(text || "").replace(/npm_[A-Za-z0-9]+/g, token => `${token.slice(0, 9)}...${token.slice(-4)}`);
+}
+
+async function fetchNpmToken() {
+  const response = await fetch(CLAUTH_NPM_URL);
+  if (!response.ok) throw new Error(`failed to fetch npm token from clauth daemon: HTTP ${response.status}`);
+  const token = (await response.text()).trim();
+  if (!token) throw new Error("clauth npm token is empty");
+  if (!token.startsWith("npm_")) throw new Error("clauth npm token does not look like an npm token");
+  return token;
+}
+
+function withNpmAuth(token, fn) {
+  const npmrc = path.join(os.tmpdir(), `clauth-npm-${process.pid}-${Date.now()}.npmrc`);
+  try {
+    fs.writeFileSync(npmrc, `//registry.npmjs.org/:_authToken=${token}`, { encoding: "utf8", mode: 0o600 });
+    return fn(npmrc);
+  } finally {
+    try { fs.rmSync(npmrc, { force: true }); } catch {}
+  }
+}
+
+function runNpmWithToken(token, args) {
+  return withNpmAuth(token, npmrc => run("npm", ["--userconfig", npmrc, ...args]));
+}
+
+function printResult(result, { redact = true } = {}) {
+  const stdout = redact ? redactNpmTokenList(result.stdout) : result.stdout;
+  const stderr = redact ? redactNpmTokenList(result.stderr) : result.stderr;
+  if (stdout) process.stdout.write(stdout);
+  if (stderr) process.stderr.write(stderr);
+}
+
+function usage() {
+  console.log(`clauth npm <action>
+
+Actions:
+  whoami                         Verify the clauth npm token identity
+  tokens                         List npm token metadata with token strings redacted
+  set-local                      Write the clauth npm token to the user npm config
+  sync-github-secret <repo>       Set repo secret NPM_TOKEN from clauth, e.g. LIFEAI/rdc-skills
+  rerun <run-id> --repo <repo>    Rerun a failed GitHub Actions workflow
+`);
+}
+
+export async function runNpm(action = "help", opts = {}) {
+  if (action === "help") {
+    usage();
+    return;
+  }
+
+  const token = await fetchNpmToken();
+
+  if (action === "whoami") {
+    const result = runNpmWithToken(token, ["whoami", "--registry=https://registry.npmjs.org/"]);
+    printResult(result);
+    if (result.status !== 0) process.exitCode = result.status;
+    return;
+  }
+
+  if (action === "tokens") {
+    const result = runNpmWithToken(token, ["token", "list", "--json", "--registry=https://registry.npmjs.org/"]);
+    printResult(result);
+    if (result.status !== 0) process.exitCode = result.status;
+    return;
+  }
+
+  if (action === "set-local") {
+    const result = run("npm", ["config", "set", "//registry.npmjs.org/:_authToken", token, "--location=user"]);
+    if (result.status !== 0) {
+      printResult(result);
+      process.exitCode = result.status;
+      return;
+    }
+    console.log("local npm auth updated from clauth service 'npm'");
+    return;
+  }
+
+  if (action === "sync-github-secret") {
+    const repo = opts.repo || opts.args?.[0];
+    if (!repo) throw new Error("repo is required, e.g. clauth npm sync-github-secret LIFEAI/rdc-skills");
+    const result = run("gh", ["secret", "set", "NPM_TOKEN", "--repo", repo], { input: token });
+    printResult(result);
+    if (result.status !== 0) process.exitCode = result.status;
+    else console.log(`GitHub secret NPM_TOKEN updated for ${repo}`);
+    return;
+  }
+
+  if (action === "rerun") {
+    const runId = opts.args?.[0];
+    const repo = opts.repo;
+    if (!runId || !repo) throw new Error("usage: clauth npm rerun <run-id> --repo LIFEAI/rdc-skills");
+    const result = run("gh", ["run", "rerun", runId, "--repo", repo, "--failed"]);
+    printResult(result);
+    if (result.status !== 0) process.exitCode = result.status;
+    else console.log(`rerun requested for ${repo} run ${runId}`);
+    return;
+  }
+
+  usage();
+  throw new Error(`unknown clauth npm action: ${action}`);
+}

package/cli/commands/serve.js

@@ -5076,8 +5076,8 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
     }
 
     // POST /update-service — update service metadata (project, label, description)
-    if (method === "POST" && reqPath === "/update-service") {
-      if (lockedGuard(res)) return;
+    if (method === "POST" && reqPath === "/update-service") {
+      if (lockedGuard(res)) return;
 
       let body;
       try { body = await readBody(req); } catch {
@@ -5108,10 +5108,39 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
         return ok(res, { ok: true, service: service.toLowerCase(), ...updates });
       } catch (err) {
         return strike(res, 502, err.message);
-      }
-    }
-
-    // Unknown route — a wrong URL is not an auth failure. Log it, return 404,
+      }
+    }
+
+    if (method === "GET" && reqPath === "/search") {
+      if (lockedGuard(res)) return;
+      const query = (url.searchParams.get("q") || url.searchParams.get("query") || "").trim();
+      const project = (url.searchParams.get("project") || "").trim() || undefined;
+      const includeAddresses = url.searchParams.get("addresses") !== "false";
+      if (!query) {
+        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "q query parameter is required" }));
+      }
+
+      try {
+        const { token, timestamp } = deriveToken(password, machineHash);
+        const result = await searchServices({
+          password,
+          machineHash,
+          token,
+          timestamp,
+          project,
+          query,
+          includeAddresses,
+          whitelist
+        });
+        if (result.error) return strike(res, 502, result.error);
+        return ok(res, result);
+      } catch (err) {
+        return strike(res, 502, err.message);
+      }
+    }
+
+    // Unknown route — a wrong URL is not an auth failure. Log it, return 404,
     // but do NOT increment failCount (which locks the vault at MAX_FAILS).
     // Auth failures (wrong password, wrong token) still strike via /auth and /get/:service.
     try {
@@ -6086,9 +6115,9 @@ function stopCodevelopSession(session_id) {
   return { stopped: true, session_id };
 }
 
-const ENV_MAP = {
-  "github":           "GITHUB_TOKEN",
-  "supabase-anon":    "NEXT_PUBLIC_SUPABASE_ANON_KEY",
+const ENV_MAP = {
+  "github":           "GITHUB_TOKEN",
+  "supabase-anon":    "NEXT_PUBLIC_SUPABASE_ANON_KEY",
   "supabase-service": "SUPABASE_SERVICE_ROLE_KEY",
   "supabase-db":      "SUPABASE_DB_URL",
   "vercel":           "VERCEL_TOKEN",
@@ -6100,11 +6129,116 @@ const ENV_MAP = {
   "rocketreach":      "ROCKETREACH_API_KEY",
   "npm":              "NPM_TOKEN",
   "namecheap":        "NAMECHEAP_API_KEY",
-  "gmail":            "GMAIL_CREDENTIALS",
-};
-
-// ── Filesystem service config — loaded from clauth vault ──
-let _fsMountsCache = null;
+  "gmail":            "GMAIL_CREDENTIALS",
+};
+
+const ADDRESS_KEY_TYPES = new Set(["connstring", "fileserver", "oauth"]);
+const ADDRESS_FIELDS = new Set(["url", "uri", "host", "hostname", "server", "address", "base_url", "endpoint", "path", "root"]);
+
+function normalizeSearchText(value) {
+  return String(value || "").toLowerCase();
+}
+
+function redactUrlish(value) {
+  const text = String(value || "").trim();
+  if (!text) return "";
+  try {
+    const url = new URL(text);
+    if (url.username) url.username = "***";
+    if (url.password) url.password = "***";
+    return url.toString();
+  } catch {
+    return text.replace(/:\/\/([^:@/\s]+):([^@/\s]+)@/g, "://***:***@");
+  }
+}
+
+function collectAddressHints(value, keyType) {
+  if (!ADDRESS_KEY_TYPES.has(String(keyType || "").toLowerCase())) return [];
+  const hints = new Set();
+
+  function add(candidate) {
+    if (candidate === undefined || candidate === null) return;
+    const text = redactUrlish(candidate);
+    if (text) hints.add(text);
+  }
+
+  function walk(node, fieldName = "") {
+    if (node === undefined || node === null) return;
+    if (typeof node === "string") {
+      if (fieldName && ADDRESS_FIELDS.has(fieldName.toLowerCase())) add(node);
+      if (/^[a-z][a-z0-9+.-]*:\/\//i.test(node) || /^[A-Za-z]:[\\/]/.test(node) || node.startsWith("\\\\")) add(node);
+      return;
+    }
+    if (Array.isArray(node)) {
+      for (const item of node) walk(item, fieldName);
+      return;
+    }
+    if (typeof node === "object") {
+      for (const [key, child] of Object.entries(node)) walk(child, key);
+    }
+  }
+
+  try {
+    walk(JSON.parse(value));
+  } catch {
+    walk(value);
+  }
+
+  return [...hints];
+}
+
+async function searchServices({ password, machineHash, token, timestamp, query, project, includeAddresses = true, whitelist }) {
+  const q = normalizeSearchText(query);
+  if (!q) return { error: "query is required" };
+
+  const result = await api.status(password, machineHash, token, timestamp, project);
+  if (result.error) return { error: result.error };
+
+  let services = result.services || [];
+  if (whitelist) services = services.filter(s => whitelist.includes(String(s.name || "").toLowerCase()));
+
+  const matches = [];
+  for (const s of services) {
+    const fields = {
+      name: s.name,
+      label: s.label,
+      project: s.project,
+      type: s.key_type,
+      description: s.description
+    };
+    const matched = Object.entries(fields)
+      .filter(([, value]) => normalizeSearchText(value).includes(q))
+      .map(([field]) => field);
+
+    let addressHints = [];
+    if (includeAddresses && ADDRESS_KEY_TYPES.has(String(s.key_type || "").toLowerCase()) && s.vault_key) {
+      const secret = await api.retrieve(password, machineHash, token, timestamp, s.name);
+      if (!secret.error) {
+        addressHints = collectAddressHints(secret.value, s.key_type);
+        if (addressHints.some(h => normalizeSearchText(h).includes(q))) matched.push("address");
+      }
+    }
+
+    if (matched.length) {
+      matches.push({
+        name: s.name,
+        label: s.label || null,
+        project: s.project || null,
+        key_type: s.key_type,
+        enabled: !!s.enabled,
+        has_key: !!s.vault_key,
+        description: s.description || null,
+        matched: [...new Set(matched)],
+        address_hints: addressHints
+      });
+    }
+  }
+
+  return { query, count: matches.length, matches };
+}
+
+// ── Filesystem service config — loaded from clauth vault ──
+let _fsMountsCache = null;
 let _fsMountsCacheTime = 0;
 const FS_CACHE_TTL = 60000; // 1 minute
 
@@ -6269,14 +6403,28 @@ const MCP_TOOLS = [
     description: "List all services with type, enabled state, key presence, and last retrieval time",
     inputSchema: { type: "object", properties: {}, additionalProperties: false }
   },
-  {
-    name: "clauth_list",
-    description: "List registered service names",
-    inputSchema: { type: "object", properties: {}, additionalProperties: false }
-  },
-  {
-    name: "clauth_get",
-    description: "Retrieve a secret and deliver to a temp file (default), clipboard, or stdout. Temp files auto-delete after 30 seconds.",
+  {
+    name: "clauth_list",
+    description: "List registered service names",
+    inputSchema: { type: "object", properties: {}, additionalProperties: false }
+  },
+  {
+    name: "clauth_search",
+    description: "Search registered services by name, label, project, description, type, or redacted address hints from address-bearing secrets",
+    inputSchema: {
+      type: "object",
+      properties: {
+        query: { type: "string", description: "Search text, such as part of a service name, project, host, URL, or filesystem path" },
+        project: { type: "string", description: "Optional project scope" },
+        addresses: { type: "boolean", default: true, description: "Include redacted address hints from connstring/fileserver/oauth secrets" }
+      },
+      required: ["query"],
+      additionalProperties: false
+    }
+  },
+  {
+    name: "clauth_get",
+    description: "Retrieve a secret and deliver to a temp file (default), clipboard, or stdout. Temp files auto-delete after 30 seconds.",
     inputSchema: {
       type: "object",
       properties: {
@@ -6993,10 +7141,10 @@ async function handleMcpTool(vault, name, args) {
       }
     }
 
-    case "clauth_list": {
-      if (!vault.password) return mcpError("Vault is locked — call clauth_unlock first");
-      try {
-        const { token, timestamp } = deriveToken(vault.password, vault.machineHash);
+    case "clauth_list": {
+      if (!vault.password) return mcpError("Vault is locked — call clauth_unlock first");
+      try {
+        const { token, timestamp } = deriveToken(vault.password, vault.machineHash);
         const result = await api.status(vault.password, vault.machineHash, token, timestamp);
         if (result.error) return mcpError(result.error);
         let services = result.services || [];
@@ -7005,13 +7153,34 @@ async function handleMcpTool(vault, name, args) {
         }
         return mcpResult(services.map(s => s.name).join(", "));
       } catch (err) {
-        return mcpError(err.message);
-      }
-    }
-
-    case "clauth_get": {
-      if (!vault.password) return mcpError("Vault is locked — call clauth_unlock first");
-      const service = (args.service || "").toLowerCase();
+        return mcpError(err.message);
+      }
+    }
+
+    case "clauth_search": {
+      if (!vault.password) return mcpError("Vault is locked — call clauth_unlock first");
+      try {
+        const { token, timestamp } = deriveToken(vault.password, vault.machineHash);
+        const result = await searchServices({
+          password: vault.password,
+          machineHash: vault.machineHash,
+          token,
+          timestamp,
+          query: args.query,
+          project: args.project,
+          includeAddresses: args.addresses !== false,
+          whitelist: vault.whitelist
+        });
+        if (result.error) return mcpError(result.error);
+        return mcpResult(JSON.stringify(result, null, 2));
+      } catch (err) {
+        return mcpError(err.message);
+      }
+    }
+
+    case "clauth_get": {
+      if (!vault.password) return mcpError("Vault is locked — call clauth_unlock first");
+      const service = (args.service || "").toLowerCase();
       const target = args.target || "file";
       if (!service) return mcpError("service is required");
       if (vault.whitelist && !vault.whitelist.includes(service)) {

package/cli/index.js

@@ -40,6 +40,97 @@ async function getAuth(pw) {
   return { password, machineHash, token, timestamp };
 }
 
+const ADDRESS_KEY_TYPES = new Set(["connstring", "fileserver", "oauth"]);
+const ADDRESS_FIELDS = new Set(["url", "uri", "host", "hostname", "server", "address", "base_url", "endpoint", "path", "root"]);
+
+function normalizeSearchText(value) {
+  return String(value || "").toLowerCase();
+}
+
+function redactUrlish(value) {
+  const text = String(value || "").trim();
+  if (!text) return "";
+  try {
+    const url = new URL(text);
+    if (url.username) url.username = "***";
+    if (url.password) url.password = "***";
+    return url.toString();
+  } catch {
+    return text.replace(/:\/\/([^:@/\s]+):([^@/\s]+)@/g, "://***:***@");
+  }
+}
+
+function collectAddressHints(value, keyType) {
+  if (!ADDRESS_KEY_TYPES.has(String(keyType || "").toLowerCase())) return [];
+  const hints = new Set();
+
+  function add(candidate) {
+    if (candidate === undefined || candidate === null) return;
+    const text = redactUrlish(candidate);
+    if (text) hints.add(text);
+  }
+
+  function walk(node, fieldName = "") {
+    if (node === undefined || node === null) return;
+    if (typeof node === "string") {
+      if (fieldName && ADDRESS_FIELDS.has(fieldName.toLowerCase())) add(node);
+      if (/^[a-z][a-z0-9+.-]*:\/\//i.test(node) || /^[A-Za-z]:[\\/]/.test(node) || node.startsWith("\\\\")) add(node);
+      return;
+    }
+    if (Array.isArray(node)) {
+      for (const item of node) walk(item, fieldName);
+      return;
+    }
+    if (typeof node === "object") {
+      for (const [key, child] of Object.entries(node)) walk(child, key);
+    }
+  }
+
+  try {
+    walk(JSON.parse(value));
+  } catch {
+    walk(value);
+  }
+
+  return [...hints];
+}
+
+async function searchServices(auth, query, opts = {}) {
+  const q = normalizeSearchText(query);
+  if (!q) throw new Error("Search query is required");
+  const result = await api.status(auth.password, auth.machineHash, auth.token, auth.timestamp, opts.project);
+  if (result.error) throw new Error(result.error);
+
+  const services = result.services || [];
+  const rows = [];
+
+  for (const s of services) {
+    const fields = {
+      name: s.name,
+      label: s.label,
+      project: s.project,
+      type: s.key_type,
+      description: s.description
+    };
+    const matched = Object.entries(fields)
+      .filter(([, value]) => normalizeSearchText(value).includes(q))
+      .map(([field]) => field);
+
+    let addressHints = [];
+    if (opts.addresses !== false && ADDRESS_KEY_TYPES.has(String(s.key_type || "").toLowerCase()) && s.vault_key) {
+      const secret = await api.retrieve(auth.password, auth.machineHash, auth.token, auth.timestamp, s.name);
+      if (!secret.error) {
+        addressHints = collectAddressHints(secret.value, s.key_type);
+        if (addressHints.some(h => normalizeSearchText(h).includes(q))) matched.push("address");
+      }
+    }
+
+    if (matched.length) rows.push({ ...s, matched: [...new Set(matched)], addressHints });
+  }
+
+  return rows;
+}
+
 // ============================================================
 // Program
 // ============================================================
@@ -58,6 +149,7 @@ import { runUninstall } from './commands/uninstall.js';
 import { runScrub } from './commands/scrub.js';
 import { runServe } from './commands/serve.js';
 import { runCodevelop } from './commands/codevelop.js';
+import { runNpm } from './commands/npm.js';
 
 program
   .command('install')
@@ -126,6 +218,16 @@ program
     await runCodevelop({ ...opts, action });
   });
 
+program
+  .command("npm")
+  .description("Operate npm auth safely through the clauth npm service")
+  .argument("[action]", "whoami | tokens | set-local | sync-github-secret | rerun | help", "help")
+  .argument("[args...]", "Action arguments")
+  .option("--repo <repo>", "GitHub repo, e.g. LIFEAI/rdc-skills")
+  .action(async (action, args, opts) => {
+    await runNpm(action, { ...opts, args });
+  });
+
 // ──────────────────────────────────────────────
 // clauth setup
 // ──────────────────────────────────────────────
@@ -410,6 +512,38 @@ program
     console.log();
   });
 
+program
+  .command("search <query>")
+  .description("Search services by name, label, project, description, type, or redacted address hints")
+  .option("-p, --pw <password>")
+  .option("--project <name>", "Filter by project scope")
+  .option("--no-addresses", "Skip address-bearing secret metadata scans")
+  .action(async (query, opts) => {
+    const auth = await getAuth(opts.pw);
+    const spinner = ora("Searching services...").start();
+    try {
+      const rows = await searchServices(auth, query, { project: opts.project, addresses: opts.addresses });
+      spinner.stop();
+      console.log(chalk.cyan(`\n Search results for "${query}":\n`));
+      if (!rows.length) {
+        console.log(chalk.gray("  No matching services found.\n"));
+        return;
+      }
+      console.log(chalk.bold("  " + "SERVICE".padEnd(24) + "TYPE".padEnd(12) + "PROJECT".padEnd(20) + "MATCHED"));
+      console.log("  " + "─".repeat(78));
+      for (const s of rows) {
+        const project = s.project || "global";
+        console.log(`  ${chalk.bold(s.name.padEnd(24))}${String(s.key_type || "").padEnd(12)}${project.padEnd(20)}${s.matched.join(", ")}`);
+        if (s.label) console.log(chalk.gray(`    label: ${s.label}`));
+        if (s.description) console.log(chalk.gray(`    description: ${s.description}`));
+        for (const hint of s.addressHints || []) console.log(chalk.gray(`    address: ${hint}`));
+      }
+      console.log();
+    } catch (err) {
+      spinner.fail(chalk.red(err.message));
+    }
+  });
+
 // ──────────────────────────────────────────────
 // clauth test <service|all>
 // ──────────────────────────────────────────────

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lifeaitools/clauth",
-  "version": "1.5.82",
+  "version": "1.5.83",
   "description": "Hardware-bound credential vault for the LIFEAI infrastructure stack",
   "type": "module",
   "bin": {