@lifeaitools/clauth 1.7.2 → 1.8.1

package/README.md

@@ -200,32 +200,34 @@ Tests actual MCP tool calls (not just OAuth + listing).
 
 ## Releasing a New Version (maintainers)
 
-clauth is a **private** repo, so we do **not** use GitHub Actions to publish —
-Actions bill for minutes on private repos. (Reserve Actions for *public* repos,
-where they're free.) Publishing is **webhook-driven**, with a manual fallback.
+Publishing is **manual** — there is no auto-publish. The GitHub Actions
+`publish.yml` workflow was removed on 2026-04-27 (commit `08b7751`); trusted
+publishing via OIDC was tried first (`b2bf08b`→`41d2d92`) and dropped. clauth is
+a **private** repo and GitHub Actions bill for minutes on private repos, so we
+don't run them here (reserve Actions for *public* repos, where they're free).
 
 ```bash
 # 1. Bump version in package.json
-# 2. Commit + tag + push — the tag push triggers the publish webhook
+# 2. Commit + tag + push
 git add -A && git commit -m "feat(...): description (vX.Y.Z)"
 git tag vX.Y.Z
 git push && git push --tags
 
-# 3. Verify it published (direct registry check — bypasses npm's cache)
+# 3. Publish manually with the vault npm token
+clauth npm set-local          # writes ~/.npmrc auth from the vault 'npm' service
+npm publish --access public
+
+# 4. Verify on the registry (direct check — bypasses npm's local cache)
 curl -s https://registry.npmjs.org/@lifeaitools/clauth \
   | python -c "import sys,json;print(json.load(sys.stdin)['dist-tags'])"
 
-# 4. Fallback — if the webhook did NOT publish (registry still shows the old
-#    version), publish manually with the vault npm token:
-clauth npm set-local          # writes ~/.npmrc auth from the vault 'npm' service
-npm publish --access public
+# 5. Update the running daemon
+curl -s -X POST http://127.0.0.1:52437/restart   # picks up new code, stays unlocked
 ```
 
-**NEVER** commit a version bump without tagging — the tag push is what triggers
-the publish webhook. If the webhook fails silently, the usual cause is a **stale
-npm token on the webhook receiver** (it holds an env copy, not the live vault
-value) — re-sync the receiver's token to the current vault `npm` service, then
-use the manual publish above to unblock the release.
+**The tag push does NOT publish anything** — you must run step 3. A version bump
+that is committed+tagged but never `npm publish`ed leaves the registry stale
+(symptom: `npm view` still shows the old version after a push).
 
 ---
 

package/cli/commands/npm.js

@@ -121,3 +121,62 @@ export async function runNpm(action = "help", opts = {}) {
   usage();
   throw new Error(`unknown clauth npm action: ${action}`);
 }
+
+// ── Guarded publish ──────────────────────────────────────────────────────────
+// Generic, package-agnostic publish that REFUSES to publish unless the package
+// is already committed and pushed to GitHub — so the npm tarball can never be
+// built from uncommitted "dev" code that isn't on the repo. Works for standalone
+// repos and monorepo subpackages (clean-check is scoped to the package's dir).
+export async function runPublish(target, opts = {}) {
+  const pkgDir = path.resolve(target || process.cwd());
+  const pkgJsonPath = path.join(pkgDir, "package.json");
+  if (!fs.existsSync(pkgJsonPath)) throw new Error(`No package.json found at ${pkgDir}`);
+  const pkg = JSON.parse(fs.readFileSync(pkgJsonPath, "utf8"));
+  if (!pkg.name || !pkg.version) throw new Error(`package.json at ${pkgDir} is missing name or version`);
+  if (pkg.private === true) throw new Error(`${pkg.name} is marked "private": true — refusing to publish`);
+  const access = opts.access || pkg.publishConfig?.access || (pkg.name.startsWith("@") ? "public" : undefined);
+
+  const gitRoot = run("git", ["rev-parse", "--show-toplevel"], { cwd: pkgDir }).stdout?.trim();
+  if (!gitRoot) throw new Error(`${pkgDir} is not inside a git repository`);
+  const rel = path.relative(gitRoot, pkgDir) || ".";
+
+  // Guard 1 — nothing uncommitted in the package (else we'd pack dev code).
+  const dirty = run("git", ["status", "--porcelain", "--", rel], { cwd: gitRoot }).stdout?.trim();
+  if (dirty && !opts.allowDirty) {
+    throw new Error(`Refusing to publish ${pkg.name}@${pkg.version}: uncommitted changes in ${rel} would be packed but are NOT on GitHub:\n${dirty}\n\nCommit + push first (or pass --allow-dirty to override).`);
+  }
+
+  // Guard 2 — HEAD is on a remote (actually pushed to GitHub).
+  const head = run("git", ["rev-parse", "HEAD"], { cwd: gitRoot }).stdout?.trim();
+  const onRemote = run("git", ["branch", "-r", "--contains", head], { cwd: gitRoot }).stdout?.trim();
+  if (!onRemote && !opts.allowUnpushed) {
+    throw new Error(`Refusing to publish ${pkg.name}@${pkg.version}: HEAD ${head.slice(0, 9)} is not on any remote branch — push to GitHub first (or pass --allow-unpushed to override).`);
+  }
+
+  // Traceability — warn (don't block) if there's no v<version> tag at HEAD.
+  const tags = (run("git", ["tag", "--points-at", "HEAD"], { cwd: gitRoot }).stdout || "").split("\n").map((s) => s.trim()).filter(Boolean);
+  if (!tags.includes(`v${pkg.version}`)) {
+    console.log(`⚠  No git tag v${pkg.version} at HEAD (traceability only). Tags here: ${tags.join(", ") || "none"}`);
+  }
+
+  console.log(`${opts.dryRun ? "[dry-run] " : ""}Publishing ${pkg.name}@${pkg.version} from ${rel} @ ${head.slice(0, 9)} (pushed${access ? `, access=${access}` : ""})`);
+
+  const token = await fetchNpmToken();
+  const args = ["publish"];
+  if (access) args.push("--access", access);
+  if (opts.dryRun) args.push("--dry-run");
+  const result = withNpmAuth(token, (npmrc) => run("npm", ["--userconfig", npmrc, ...args], { cwd: pkgDir }));
+  printResult(result, { redact: true });
+  if (result.status !== 0) { process.exitCode = result.status; throw new Error(`npm publish failed for ${pkg.name}`); }
+  if (opts.dryRun) { console.log("Dry run complete — nothing published."); return; }
+
+  // Verify on the registry directly (bypasses npm's local cache lag).
+  try {
+    const reg = await fetch(`https://registry.npmjs.org/${pkg.name}`);
+    const meta = await reg.json();
+    if (meta.versions?.[pkg.version]) console.log(`✓ Verified ${pkg.name}@${pkg.version} on the registry (latest: ${meta["dist-tags"]?.latest}).`);
+    else console.log(`⚠  ${pkg.name}@${pkg.version} not visible on the registry yet (propagation lag) — re-check shortly.`);
+  } catch (e) {
+    console.log(`(could not verify on registry: ${e.message})`);
+  }
+}

package/cli/commands/serve.js

@@ -492,7 +492,7 @@ function openBrowser(url) {
 }
 
 // ── Dashboard HTML ───────────────────────────────────────────
-function dashboardHtml(port, whitelist, isStaged = false) {
+function dashboardHtml(port, whitelist, isStaged = false, initWriteToken = null) {
   return `<!DOCTYPE html>
 <html lang="en">
 <head>
@@ -1001,7 +1001,9 @@ function renderSetPanel(name) {
 }
 
 // ── Boot: check lock state ──────────────────
-let writeToken = null;
+// Injected by the daemon when it serves the page on an unlocked vault, so a
+// fresh load (incl. when auto-unlocked via --pw/boot.key) is write-ready.
+let writeToken = ${JSON.stringify(initWriteToken)};
 
 function writeHeaders(extra) {
   if (!writeToken) throw new Error("Write access requires password unlock in this browser session.");
@@ -3447,8 +3449,19 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
 
     // GET / — built-in web dashboard
     if (method === "GET" && reqPath === "/") {
+      // When unlocked, ensure a non-expired write session exists and hand its
+      // token to the page so the dashboard is write-ready on load — fixes the
+      // --pw/boot.key auto-unlock case where the page never saw the unlock
+      // screen and so held no write token. (Consistent with the existing trust
+      // model: /v/<service> already serves raw credentials to localhost when
+      // unlocked, so a same-origin write token is no broader.)
+      let initWriteToken = null;
+      if (password) {
+        if (!writeSession || Date.now() > writeSession.expiresAt) writeSession = makeWriteToken();
+        initWriteToken = writeSession.token;
+      }
       res.writeHead(200, { "Content-Type": "text/html", ...CORS });
-      return res.end(dashboardHtml(port, whitelist, isStaged));
+      return res.end(dashboardHtml(port, whitelist, isStaged, initWriteToken));
     }
 
     // GET /ping

package/cli/index.js

@@ -150,7 +150,7 @@ import { runUninstall } from './commands/uninstall.js';
 import { runScrub } from './commands/scrub.js';
 import { runServe } from './commands/serve.js';
 import { runCodevelop } from './commands/codevelop.js';
-import { runNpm } from './commands/npm.js';
+import { runNpm, runPublish } from './commands/npm.js';
 
 program
   .command('install')
@@ -229,6 +229,27 @@ program
     await runNpm(action, { ...opts, args });
   });
 
+// ──────────────────────────────────────────────
+// clauth publish [target]
+// Guarded npm publish for ANY package — refuses to ship code that isn't
+// committed AND pushed to GitHub (prevents npm/repo divergence from dev builds).
+// ──────────────────────────────────────────────
+program
+  .command("publish [target]")
+  .description("Safely publish an npm package (default: cwd). Refuses unless committed + pushed to GitHub.")
+  .option("--dry-run", "Run all guards and pack, but do not publish")
+  .option("--access <access>", "npm access: public | restricted")
+  .option("--allow-dirty", "Override the uncommitted-changes guard (NOT recommended)")
+  .option("--allow-unpushed", "Override the not-pushed-to-remote guard (NOT recommended)")
+  .action(async (target, opts) => {
+    try {
+      await runPublish(target, opts);
+    } catch (err) {
+      console.error(chalk.red(err.message));
+      process.exitCode = 1;
+    }
+  });
+
 // ──────────────────────────────────────────────
 // clauth setup
 // ──────────────────────────────────────────────

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lifeaitools/clauth",
-  "version": "1.7.2",
+  "version": "1.8.1",
   "description": "Hardware-bound credential vault for the LIFEAI infrastructure stack",
   "type": "module",
   "bin": {