@lifeaitools/clauth 1.8.0 → 1.9.1

package/cli/index.js

@@ -17,6 +17,49 @@ import path from "path";
 const config = new Conf(getConfOptions());
 const VERSION = JSON.parse(fs.readFileSync(new URL('../package.json', import.meta.url), 'utf8')).version;
 
+function shellSingleQuote(value) {
+  return `'${String(value ?? "").replace(/'/g, "''")}'`;
+}
+
+function enrollmentScriptName(label) {
+  const slug = String(label || "new-computer")
+    .toLowerCase()
+    .replace(/[^a-z0-9]+/g, "-")
+    .replace(/^-+|-+$/g, "")
+    .slice(0, 40) || "new-computer";
+  return `clauth-enroll-${slug}.ps1`;
+}
+
+function writeEnrollmentScript({ supabaseUrl, anonKey, enrollmentCode, label }) {
+  const appDir = process.platform === "win32"
+    ? path.join(process.env.APPDATA || path.join(os.homedir(), "AppData", "Roaming"), "clauth")
+    : path.join(os.homedir(), ".config", "clauth");
+  fs.mkdirSync(appDir, { recursive: true });
+  const scriptPath = path.join(appDir, enrollmentScriptName(label));
+  const script = [
+    "$ErrorActionPreference = 'Stop'",
+    "$label = $env:COMPUTERNAME",
+    "if (-not $label) { $label = [System.Net.Dns]::GetHostName() }",
+    "Write-Host 'Installing clauth...'",
+    "npm install -g @lifeaitools/clauth@latest",
+    "Write-Host 'Enrolling this computer with clauth...'",
+    [
+      "clauth setup",
+      `--supabase-url ${shellSingleQuote(supabaseUrl)}`,
+      `--anon-key ${shellSingleQuote(anonKey)}`,
+      `--enrollment-code ${shellSingleQuote(enrollmentCode)}`,
+      "--label \"$label\"",
+    ].join(" "),
+    "Write-Host 'Installing clauth startup service...'",
+    "clauth serve install",
+    "Write-Host 'clauth enrollment complete.'",
+    "$self = $PSCommandPath",
+    "Start-Process powershell.exe -WindowStyle Hidden -ArgumentList @('-NoProfile','-Command',\"Start-Sleep -Seconds 2; Remove-Item -LiteralPath '$self' -Force -ErrorAction SilentlyContinue\")",
+  ].join("\r\n");
+  fs.writeFileSync(scriptPath, `${script}\r\n`, "utf8");
+  return scriptPath;
+}
+
 // ============================================================
 // Password prompt helper
 // ============================================================
@@ -186,7 +229,7 @@ program
 program
   .command("codevelop")
   .description("Install and launch Claude/Codex co-development terminal sessions")
-  .argument("[action]", "install-terminal | start | ask | reply | inbox | listen | request-partner | launch-peer | check-partner | sync | help", "help")
+  .argument("[action]", "install-terminal | start | join | say | read | watch | who | ask | reply | inbox | listen | request-partner | launch-peer | check-partner | sync | help", "help")
   .option("--repo <path>", "Repo root", "C:\\Dev\\regen-root")
   .option("--port <port>", "Isolated clauth port", "53137")
   .option("--base-url <url>", "Override clauth base URL")
@@ -194,8 +237,10 @@ program
   .option("--session <idOrManifestPath>", "Co-develop session id or manifest path")
   .option("--task <task>", "Initial partner request task")
   .option("--context <path>", "Context, plan, or architecture file the partner should read first")
-  .option("--to <peer>", "Target peer for ask/reply: claude or codex")
-  .option("--from <peer>", "Sender peer for ask/reply: claude or codex")
+  .option("--channel <name>", "Ad hoc channel name for join/say/read/watch")
+  .option("--message <text>", "Ad hoc message for say")
+  .option("--to <peer>", "Target peer for ask/reply, or optional direct ad hoc recipient for say")
+  .option("--from <peer>", "Sender peer for ask/reply")
   .option("--turn <turn_id>", "Turn ID for reply")
   .option("--role <role>", "Turn role, e.g. reviewer or builder")
   .option("--skill <skill>", "Requested skill name, e.g. rdc:review")
@@ -208,10 +253,11 @@ program
   .option("--next <items>", "Reply next actions; separate multiple items with semicolons")
   .option("--wait", "For ask: wait for a matching reply")
   .option("--once", "For listen: exit after the first message event")
+  .option("--json", "For read: print raw JSON")
   .option("--timeout-ms <ms>", "Wait timeout in milliseconds", "300000")
   .option("--interval-ms <ms>", "Wait polling interval in milliseconds", "2000")
   .option("--start-isolated-clauth", "Start isolated clauth if the selected port is not running")
-  .option("--peer <peer>", "Peer for launch-peer: claude or codex")
+  .option("--peer <peer>", "Peer name for launch-peer/check-partner/sync, or ad hoc name such as codex-1")
   .option("--dry-run", "Print and write session manifest without opening Windows Terminal")
   .option("--no-open", "Create session/config but do not open Windows Terminal")
   .option("--print-only", "For launch-peer: resolve command without starting the CLI")
@@ -257,29 +303,62 @@ program
   .command("setup")
   .description("Register this machine with the vault (run after clauth install)")
   .option("--admin-token <token>", "Bootstrap token (from clauth install output)")
+  .option("--enrollment-code <code>", "One-time enrollment code from clauth enroll")
+  .option("--supabase-url <url>", "Vault Supabase URL, for enrolling a new computer without running clauth install")
+  .option("--anon-key <key>", "Vault Supabase anon key, for enrolling a new computer without running clauth install")
+  .option("--install-id <id>", "Logical install/owner group for admin-token setup", "default")
   .option("--label <label>", "Human label for this machine")
   .option("-p, --pw <password>", "Password (skip interactive prompt)")
   .action(async (opts) => {
     console.log(chalk.cyan("\n🔐 clauth setup\n"));
 
-    // URL + anon key already saved by clauth install — fail fast if missing
-    const savedUrl  = config.get("supabase_url");
-    const savedAnon = config.get("supabase_anon_key");
+    if (opts.supabaseUrl) config.set("supabase_url", opts.supabaseUrl);
+    if (opts.anonKey) config.set("supabase_anon_key", opts.anonKey);
+
+    // URL + anon key may already be saved by clauth install, or provided by
+    // an old-machine enrollment command.
+    let savedUrl  = config.get("supabase_url");
+    let savedAnon = config.get("supabase_anon_key");
     if (!savedUrl || !savedAnon) {
-      console.log(chalk.yellow("  Supabase config not found. Run clauth install first.\n"));
-      process.exit(1);
+      const configAnswers = await inquirer.prompt([
+        { type: "input", name: "supabaseUrl", message: "Vault Supabase URL:", default: savedUrl || opts.supabaseUrl || "" },
+        { type: "password", name: "anonKey", message: "Vault anon key:", mask: "*", default: savedAnon || opts.anonKey || "" },
+      ]);
+      if (!configAnswers.supabaseUrl || !configAnswers.anonKey) {
+        console.log(chalk.yellow("  Supabase config not found. Run clauth install first, or provide --supabase-url and --anon-key.\n"));
+        process.exit(1);
+      }
+      config.set("supabase_url", configAnswers.supabaseUrl);
+      config.set("supabase_anon_key", configAnswers.anonKey);
+      savedUrl = configAnswers.supabaseUrl;
+      savedAnon = configAnswers.anonKey;
     }
     console.log(chalk.gray(`  Project: ${savedUrl}\n`));
 
     let answers;
-    if (opts.pw && opts.adminToken) {
+    if (opts.pw && (opts.adminToken || opts.enrollmentCode)) {
       // Non-interactive mode — all flags provided
-      answers = { label: opts.label || os.hostname(), pw: opts.pw, adminTk: opts.adminToken };
+      answers = {
+        label: opts.label || os.hostname(),
+        pw: opts.pw,
+        adminTk: opts.adminToken,
+        enrollmentCode: opts.enrollmentCode,
+      };
+    } else if (opts.enrollmentCode) {
+      const pw = opts.pw || await promptPassword("Set clauth password for this computer");
+      answers = {
+        label: opts.label || os.hostname(),
+        pw,
+        adminTk: opts.adminToken,
+        enrollmentCode: opts.enrollmentCode,
+      };
     } else {
       answers = await inquirer.prompt([
         { type: "input",    name: "label",   message: "Machine label:",   default: opts.label || os.hostname() },
         { type: "password", name: "pw",      message: "Set password:",    mask: "*", default: opts.pw || "" },
-        { type: "password", name: "adminTk", message: "Bootstrap token:", mask: "*",
+        { type: "password", name: "enrollmentCode", message: "Enrollment code (preferred for new computer; leave blank if using bootstrap token):", mask: "*",
+          default: opts.enrollmentCode || "" },
+        { type: "password", name: "adminTk", message: "Bootstrap token (admin fallback):", mask: "*",
           default: opts.adminToken || "" },
       ]);
     }
@@ -288,9 +367,11 @@ program
     try {
       const machineHash = getMachineHash();
       const seedHash = deriveSeedHash(machineHash, answers.pw);
-      const result = await api.registerMachine(machineHash, seedHash, answers.label, answers.adminTk);
+      const result = answers.enrollmentCode
+        ? await api.redeemEnrollment(machineHash, seedHash, answers.label, answers.enrollmentCode)
+        : await api.registerMachine(machineHash, seedHash, answers.label, answers.adminTk, { install_id: opts.installId || "default" });
       if (result.error) throw new Error(result.error);
-      spinner.succeed(chalk.green(`Machine registered: ${machineHash.slice(0,12)}...`));
+      spinner.succeed(chalk.green(`Machine registered: ${machineHash.slice(0,12)}... install_id=${result.install_id || opts.installId || "default"}`));
 
       console.log(chalk.green("\n✓ clauth is ready.\n"));
       console.log(chalk.cyan("  clauth test     — verify connection"));
@@ -301,6 +382,55 @@ program
     }
   });
 
+// ──────────────────────────────────────────────
+// clauth enroll
+// ──────────────────────────────────────────────
+program
+  .command("enroll")
+  .description("Create a one-time enrollment code for adding another computer")
+  .option("--label <label>", "Suggested label for the new computer")
+  .option("--ttl-minutes <minutes>", "Enrollment lifetime, 5 to 1440 minutes", "60")
+  .option("--install-id <id>", "Override install id; default is current machine's install id")
+  .option("-p, --pw <password>", "Password (or will prompt)")
+  .action(async (opts) => {
+    console.log(chalk.cyan("\n🔐 clauth enroll\n"));
+    const auth = await getAuth(opts.pw);
+    const spinner = ora("Creating one-time machine enrollment...").start();
+    try {
+      const result = await api.createEnrollment(
+        auth.password,
+        auth.machineHash,
+        auth.token,
+        auth.timestamp,
+        opts.label,
+        Number(opts.ttlMinutes || 60),
+        opts.installId
+      );
+      if (result.error) throw new Error(result.error);
+      const supabaseUrl = config.get("supabase_url");
+      const anonKey = config.get("supabase_anon_key");
+      const scriptPath = writeEnrollmentScript({
+        supabaseUrl,
+        anonKey,
+        enrollmentCode: result.enrollment_code,
+        label: opts.label,
+      });
+      spinner.succeed(chalk.green(`Enrollment created for install_id=${result.install_id}`));
+      console.log("");
+      console.log(chalk.bold("  Enrollment code:"));
+      console.log(chalk.white(`  ${result.enrollment_code}`));
+      console.log("");
+      console.log(chalk.bold("  On the new computer:"));
+      console.log(chalk.gray(`  Run this one-time script: ${scriptPath}`));
+      console.log(chalk.gray("  It installs clauth, enrolls with this code, installs startup, then deletes itself."));
+      console.log("");
+      console.log(chalk.gray(`  Expires: ${result.expires_at}`));
+    } catch (err) {
+      spinner.fail(chalk.red(`Enroll failed: ${err.message}`));
+      process.exitCode = 1;
+    }
+  });
+
 // ──────────────────────────────────────────────
 // clauth status
 // ──────────────────────────────────────────────
@@ -913,6 +1043,7 @@ program
   .option("--tunnel <hostname>", "Fixed tunnel hostname (e.g. clauth.prtrust.fund) — uses named Cloudflare Tunnel instead of random URL")
   .option("--staged", "Start on staging port (52438) for blue-green verification before make-live")
   .option("--isolated", "Run on a non-live port without touching live PID files, browser, or boot-key credentials")
+  .option("--from-boot-key", "Internal: password came from boot.key auto-unlock (degrade gracefully on verify failure)")
   .option("--action <action>", "Internal: action override for daemon child")
   .addHelpText("after", `
 Actions:

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lifeaitools/clauth",
-  "version": "1.8.0",
+  "version": "1.9.1",
   "description": "Hardware-bound credential vault for the LIFEAI infrastructure stack",
   "type": "module",
   "bin": {

package/supabase/functions/auth-vault/index.ts

@@ -12,18 +12,36 @@ const ALLOWED_IPS: string[] = (Deno.env.get("CLAUTH_ALLOWED_IPS") || "")
   .split(",").map(s => s.trim()).filter(Boolean);
 
 const RATE_LIMIT_MAX    = 30;
-const RATE_LIMIT_WINDOW = 60;
-const REPLAY_WINDOW_MS  = 5 * 60 * 1000;
-const MAX_FAIL_COUNT    = 5;
+const RATE_LIMIT_WINDOW = 60;
+const REPLAY_WINDOW_MS  = 5 * 60 * 1000;
+const MAX_FAIL_COUNT    = 5;
+const DEFAULT_INSTALL_ID = "default";
 
-async function hmacSha256(key: string, message: string): Promise<string> {
+async function hmacSha256(key: string, message: string): Promise<string> {
   const cryptoKey = await crypto.subtle.importKey(
     "raw", new TextEncoder().encode(key),
     { name: "HMAC", hash: "SHA-256" }, false, ["sign"]
   );
   const sig = await crypto.subtle.sign("HMAC", cryptoKey, new TextEncoder().encode(message));
   return Array.from(new Uint8Array(sig)).map(b => b.toString(16).padStart(2, "0")).join("");
-}
+}
+
+async function sha256Hex(value: string): Promise<string> {
+  const digest = await crypto.subtle.digest("SHA-256", new TextEncoder().encode(value));
+  return Array.from(new Uint8Array(digest)).map(b => b.toString(16).padStart(2, "0")).join("");
+}
+
+function randomToken(bytes = 24): string {
+  const data = new Uint8Array(bytes);
+  crypto.getRandomValues(data);
+  return Array.from(data).map(b => b.toString(16).padStart(2, "0")).join("");
+}
+
+function normalizeInstallId(value: unknown): string {
+  const text = String(value || "").trim().toLowerCase();
+  const normalized = text.replace(/[^a-z0-9_.-]+/g, "-").replace(/^-+|-+$/g, "");
+  return normalized || DEFAULT_INSTALL_ID;
+}
 
 function getClientIP(req: Request): string {
   return req.headers.get("cf-connecting-ip") ||
@@ -53,22 +71,23 @@ async function validateHMAC(sb: any, body: any): Promise<{ valid: boolean; reaso
   const now = Date.now();
   if (Math.abs(now - body.timestamp) > REPLAY_WINDOW_MS) return { valid: false, reason: "timestamp_expired" };
 
-  const { data: machine, error } = await sb.from("clauth_machines")
-    .select("hmac_seed_hash, enabled, fail_count, locked")
-    .eq("machine_hash", body.machine_hash).single();
+  const { data: machine, error } = await sb.from("clauth_machines")
+    .select("hmac_seed_hash, enabled, fail_count, locked")
+    .eq("machine_hash", body.machine_hash).single();
 
   if (error || !machine) return { valid: false, reason: "machine_not_found" };
   if (!machine.enabled)   return { valid: false, reason: "machine_disabled" };
   if (machine.locked)     return { valid: false, reason: "machine_locked" };
 
   const window   = Math.floor(body.timestamp / REPLAY_WINDOW_MS);
-  const message  = `${body.machine_hash}:${window}`;
-  const expected = await hmacSha256(body.password, message);
-
-  if (expected !== body.token) {
-    const newCount   = (machine.fail_count || 0) + 1;
-    const shouldLock = newCount >= MAX_FAIL_COUNT;
-    await sb.from("clauth_machines")
+  const message  = `${body.machine_hash}:${window}`;
+  const expected = await hmacSha256(body.password, message);
+  const seedHash = await sha256Hex(`seed:${body.machine_hash}:${body.password}`);
+
+  if (seedHash !== machine.hmac_seed_hash || expected !== body.token) {
+    const newCount   = (machine.fail_count || 0) + 1;
+    const shouldLock = newCount >= MAX_FAIL_COUNT;
+    await sb.from("clauth_machines")
       .update({ fail_count: newCount, locked: shouldLock })
       .eq("machine_hash", body.machine_hash);
     return { valid: false, reason: shouldLock ? `machine_locked after ${newCount} failures` : `invalid_token (${newCount}/${MAX_FAIL_COUNT})` };
@@ -178,7 +197,7 @@ async function handleStatus(sb: any, body: any, mh: string) {
   return { services: services || [] };
 }
 
-async function handleChangePassword(sb: any, body: any, mh: string) {
+async function handleChangePassword(sb: any, body: any, mh: string) {
   const { new_hmac_seed_hash } = body;
   if (!new_hmac_seed_hash) return { error: "new_hmac_seed_hash required" };
   const { error } = await sb.from("clauth_machines")
@@ -187,18 +206,91 @@ async function handleChangePassword(sb: any, body: any, mh: string) {
   if (error) return { error: error.message };
   await auditLog(sb, mh, "system", "change-password", "success");
   return { success: true };
-}
-
-async function handleRegisterMachine(sb: any, body: any) {
-  const { machine_hash, hmac_seed_hash, label, admin_token } = body;
-  if (admin_token !== ADMIN_BOOTSTRAP_TOKEN) return { error: "invalid_admin_token" };
-  const { error } = await sb.from("clauth_machines").upsert(
-    { machine_hash, hmac_seed_hash, label, enabled: true, fail_count: 0, locked: false },
-    { onConflict: "machine_hash" }
-  );
-  if (error) return { error: error.message };
-  return { success: true, machine_hash };
-}
+}
+
+async function getMachineInstallId(sb: any, machine_hash: string): Promise<string> {
+  const { data: machine } = await sb.from("clauth_machines")
+    .select("install_id")
+    .eq("machine_hash", machine_hash)
+    .single();
+  return normalizeInstallId(machine?.install_id);
+}
+
+async function handleCreateEnrollment(sb: any, body: any, mh: string) {
+  const install_id = normalizeInstallId(body.install_id || await getMachineInstallId(sb, mh));
+  const ttl_minutes = Math.max(5, Math.min(Number(body.ttl_minutes || 60), 24 * 60));
+  const code = `ce_${randomToken(24)}`;
+  const token_hash = await sha256Hex(code);
+  const expires_at = new Date(Date.now() + ttl_minutes * 60 * 1000).toISOString();
+  const label = body.label ? String(body.label).slice(0, 120) : null;
+
+  const { error } = await sb.from("clauth_machine_enrollments").insert({
+    install_id,
+    token_hash,
+    label,
+    created_by_machine_hash: mh,
+    expires_at,
+  });
+  if (error) {
+    await auditLog(sb, mh, "system", "create-enrollment", "fail", error.message);
+    return { error: error.message };
+  }
+
+  await auditLog(sb, mh, "system", "create-enrollment", "success", `install_id=${install_id}`);
+  return { success: true, enrollment_code: code, install_id, expires_at, label };
+}
+
+async function handleRedeemEnrollment(sb: any, body: any) {
+  const { machine_hash, hmac_seed_hash, enrollment_code } = body;
+  if (!machine_hash || !hmac_seed_hash || !enrollment_code) {
+    return { error: "machine_hash, hmac_seed_hash, enrollment_code required" };
+  }
+
+  const token_hash = await sha256Hex(String(enrollment_code).trim());
+  const nowIso = new Date().toISOString();
+  const { data: enrollment, error: lookupError } = await sb.from("clauth_machine_enrollments")
+    .select("id, install_id, label, expires_at, consumed_at")
+    .eq("token_hash", token_hash)
+    .single();
+
+  if (lookupError || !enrollment) return { error: "enrollment_not_found" };
+  if (enrollment.consumed_at) return { error: "enrollment_already_used" };
+  if (new Date(enrollment.expires_at).getTime() < Date.now()) return { error: "enrollment_expired" };
+
+  const label = body.label || enrollment.label || null;
+  const install_id = normalizeInstallId(enrollment.install_id);
+  const { data: consumedRows, error: consumeError } = await sb.from("clauth_machine_enrollments")
+    .update({ consumed_at: nowIso, redeemed_by_machine_hash: machine_hash })
+    .eq("id", enrollment.id)
+    .is("consumed_at", null)
+    .select("id");
+  if (consumeError) return { error: consumeError.message };
+  if (!consumedRows || consumedRows.length !== 1) return { error: "enrollment_already_used" };
+
+  const { error: machineError } = await sb.from("clauth_machines").upsert(
+    { machine_hash, hmac_seed_hash, label, install_id, enabled: true, fail_count: 0, locked: false },
+    { onConflict: "machine_hash" }
+  );
+  if (machineError) return { error: machineError.message };
+
+  await auditLog(sb, machine_hash, "system", "redeem-enrollment", "success", `install_id=${install_id}`);
+  return { success: true, machine_hash, install_id };
+}
+
+async function handleRegisterMachine(sb: any, body: any) {
+  const { machine_hash, hmac_seed_hash, label, admin_token } = body;
+  if (body.enrollment_code || body.invite_code) {
+    return handleRedeemEnrollment(sb, { ...body, enrollment_code: body.enrollment_code || body.invite_code });
+  }
+  if (admin_token !== ADMIN_BOOTSTRAP_TOKEN) return { error: "invalid_admin_token" };
+  const install_id = normalizeInstallId(body.install_id);
+  const { error } = await sb.from("clauth_machines").upsert(
+    { machine_hash, hmac_seed_hash, label, install_id, enabled: true, fail_count: 0, locked: false },
+    { onConflict: "machine_hash" }
+  );
+  if (error) return { error: error.message };
+  return { success: true, machine_hash, install_id };
+}
 
 Deno.serve(async (req: Request) => {
   if (req.method === "OPTIONS") {
@@ -216,7 +308,8 @@ Deno.serve(async (req: Request) => {
   const sb    = createClient(SUPABASE_URL, SERVICE_ROLE_KEY);
   const ip    = getClientIP(req);
 
-  if (route === "register-machine") return Response.json(await handleRegisterMachine(sb, body));
+  if (route === "register-machine") return Response.json(await handleRegisterMachine(sb, body));
+  if (route === "redeem-enrollment") return Response.json(await handleRedeemEnrollment(sb, body));
 
   const ipCheck = checkIP(ip);
   if (!ipCheck.allowed) {
@@ -247,9 +340,10 @@ Deno.serve(async (req: Request) => {
     case "update":   return Response.json(await handleUpdate(sb, body, mh));
     case "remove":   return Response.json(await handleRemove(sb, body, mh));
     case "revoke":   return Response.json(await handleRevoke(sb, body, mh));
-    case "status":          return Response.json(await handleStatus(sb, body, mh));
-    case "change-password": return Response.json(await handleChangePassword(sb, body, mh));
-    case "test":            return Response.json({ valid: true, machine_hash: mh, timestamp: body.timestamp, ip });
+    case "status":          return Response.json(await handleStatus(sb, body, mh));
+    case "change-password": return Response.json(await handleChangePassword(sb, body, mh));
+    case "create-enrollment": return Response.json(await handleCreateEnrollment(sb, body, mh));
+    case "test":            return Response.json({ valid: true, machine_hash: mh, timestamp: body.timestamp, ip });
     default:         return Response.json({ error: "unknown_route", route }, { status: 404 });
   }
 });

package/supabase/migrations/001_clauth_schema.sql

@@ -27,15 +27,18 @@ create table if not exists public.clauth_services (
 -- ============================================================
 -- Machine Registry (hardware fingerprints — hashed only)
 -- ============================================================
-create table if not exists public.clauth_machines (
-  id              uuid primary key default gen_random_uuid(),
-  machine_hash    text not null unique,          -- SHA256(machine_id + os_install_id)
-  label           text,                          -- e.g. 'Dave-Desktop-Win11'
-  hmac_seed_hash  text not null,                 -- SHA256 of the HMAC seed stored in vault
-  enabled         boolean not null default true,
-  created_at      timestamptz not null default now(),
-  last_seen       timestamptz
-);
+create table if not exists public.clauth_machines (
+  id              uuid primary key default gen_random_uuid(),
+  install_id      text not null default 'default', -- logical vault install / owner group
+  machine_hash    text not null unique,          -- SHA256(machine_id + os_install_id)
+  label           text,                          -- e.g. 'Dave-Desktop-Win11'
+  hmac_seed_hash  text not null,                 -- SHA256 of the HMAC seed stored in vault
+  enabled         boolean not null default true,
+  fail_count      integer not null default 0,
+  locked          boolean not null default false,
+  created_at      timestamptz not null default now(),
+  last_seen       timestamptz
+);
 
 -- ============================================================
 -- Audit Log

package/supabase/migrations/003_machine_enrollments.sql

@@ -0,0 +1,39 @@
+-- ============================================================
+-- clauth machine enrollment
+-- Migration: 003_machine_enrollments.sql
+-- ============================================================
+
+alter table public.clauth_machines
+  add column if not exists install_id text not null default 'default';
+
+create index if not exists clauth_machines_install_id_idx
+  on public.clauth_machines (install_id);
+
+create table if not exists public.clauth_machine_enrollments (
+  id uuid primary key default gen_random_uuid(),
+  install_id text not null default 'default',
+  token_hash text not null unique,
+  label text,
+  created_by_machine_hash text not null references public.clauth_machines(machine_hash) on delete cascade,
+  redeemed_by_machine_hash text references public.clauth_machines(machine_hash) on delete set null,
+  expires_at timestamptz not null,
+  consumed_at timestamptz,
+  created_at timestamptz not null default now()
+);
+
+create index if not exists clauth_machine_enrollments_install_idx
+  on public.clauth_machine_enrollments (install_id, expires_at);
+
+alter table public.clauth_machine_enrollments enable row level security;
+
+do $$ begin
+  if not exists (
+    select 1
+    from pg_policies
+    where policyname = 'no_anon_machine_enrollments'
+      and tablename = 'clauth_machine_enrollments'
+  ) then
+    create policy "no_anon_machine_enrollments"
+      on public.clauth_machine_enrollments for all using (false);
+  end if;
+end $$;