claudeinone-cli 1.0.1 → 1.0.3

package/kit/.claude/skills/auth-oauth2.md

@@ -0,0 +1,110 @@
+# OAuth 2.0
+
+Industry-standard authorization framework for delegated access.
+
+## OAuth 2.0 Flows
+
+### Authorization Code Flow (Most Secure)
+```
+1. User visits app, clicks "Login with Google"
+2. Redirects to Google login page
+3. User authenticates with Google
+4. Google redirects back to app with auth code
+5. App exchanges code for access token (backend)
+6. App can now access user data
+```
+
+## Implementation (Node.js + Google)
+
+```javascript
+const passport = require('passport');
+const GoogleStrategy = require('passport-google-oauth20').Strategy;
+
+passport.use(new GoogleStrategy({
+    clientID: process.env.GOOGLE_CLIENT_ID,
+    clientSecret: process.env.GOOGLE_CLIENT_SECRET,
+    callbackURL: 'http://localhost:3000/auth/google/callback'
+  },
+  function(accessToken, refreshToken, profile, done) {
+    // Find or create user
+    User.findOrCreate({ googleId: profile.id }, (err, user) => {
+      return done(err, user);
+    });
+  }
+));
+
+// Routes
+app.get('/auth/google',
+  passport.authenticate('google', { scope: ['profile', 'email'] }));
+
+app.get('/auth/google/callback',
+  passport.authenticate('google', { failureRedirect: '/login' }),
+  (req, res) => {
+    res.redirect('/dashboard');
+  });
+```
+
+## PKCE (For Native/SPA Apps)
+
+```javascript
+// Generate code challenge
+const crypto = require('crypto');
+const codeVerifier = crypto.randomBytes(32).toString('hex');
+const codeChallenge = crypto
+  .createHash('sha256')
+  .update(codeVerifier)
+  .digest('base64url');
+
+// Exchange with verifier
+const tokenResponse = await fetch('https://oauth.example.com/token', {
+  method: 'POST',
+  body: {
+    grant_type: 'authorization_code',
+    code: authCode,
+    code_verifier: codeVerifier,
+    client_id: CLIENT_ID,
+  }
+});
+```
+
+## Token Management
+
+```javascript
+// Store tokens securely
+localStorage.setItem('access_token', accessToken);
+
+// Refresh token when expired
+async function getValidToken() {
+  if (isTokenExpired(accessToken)) {
+    const response = await fetch('/api/refresh', {
+      method: 'POST',
+      body: { refreshToken }
+    });
+    const { accessToken: newToken } = await response.json();
+    localStorage.setItem('access_token', newToken);
+    return newToken;
+  }
+  return accessToken;
+}
+
+// Use in API requests
+const token = await getValidToken();
+const response = await fetch('/api/users', {
+  headers: { 'Authorization': `Bearer ${token}` }
+});
+```
+
+## Best Practices
+
+1. **Never store credentials in frontend**
+2. **Use PKCE for public clients**
+3. **Refresh tokens before expiry**
+4. **Validate OAuth provider certificates**
+5. **Implement proper error handling**
+6. **Scope requests to minimum needed**
+
+## Resources
+
+- [OAuth 2.0 Specification](https://tools.ietf.org/html/rfc6749)
+- [PKCE](https://tools.ietf.org/html/rfc7636)
+- [OpenID Connect](https://openid.net/connect/)

package/kit/.claude/skills/auth-passkeys.md

@@ -0,0 +1,109 @@
+# WebAuthn Passkeys
+
+## Overview
+Passkeys use device biometrics (Touch ID, Face ID) for phishing-resistant, passwordless authentication.
+
+## Setup with SimpleWebAuthn
+
+```bash
+npm install @simplewebauthn/server @simplewebauthn/browser
+```
+
+## Registration Flow
+
+```typescript
+// app/api/auth/passkey/register/generate/route.ts
+import { generateRegistrationOptions } from '@simplewebauthn/server';
+
+export async function POST(req: Request) {
+  const { userId } = await auth(); // get current user
+  const user = await prisma.user.findUnique({ where: { id: userId } });
+  const existingCredentials = await prisma.passkey.findMany({ where: { userId } });
+
+  const options = await generateRegistrationOptions({
+    rpName: 'My App',
+    rpID: process.env.RP_ID!, // 'yourdomain.com'
+    userID: new TextEncoder().encode(userId),
+    userName: user!.email,
+    excludeCredentials: existingCredentials.map(c => ({
+      id: c.credentialId, type: 'public-key'
+    })),
+    authenticatorSelection: {
+      residentKey: 'preferred',
+      userVerification: 'preferred',
+    },
+  });
+
+  // Store challenge temporarily
+  await redis.setex(`challenge:${userId}`, 300, options.challenge);
+  return Response.json(options);
+}
+
+// app/api/auth/passkey/register/verify/route.ts
+import { verifyRegistrationResponse } from '@simplewebauthn/server';
+
+export async function POST(req: Request) {
+  const { userId } = await auth();
+  const body = await req.json();
+  const challenge = await redis.get(`challenge:${userId}`);
+
+  const { verified, registrationInfo } = await verifyRegistrationResponse({
+    response: body,
+    expectedChallenge: challenge!,
+    expectedOrigin: process.env.ORIGIN!,
+    expectedRPID: process.env.RP_ID!,
+  });
+
+  if (verified && registrationInfo) {
+    await prisma.passkey.create({
+      data: {
+        userId,
+        credentialId: registrationInfo.credential.id,
+        publicKey: Buffer.from(registrationInfo.credential.publicKey),
+        counter: registrationInfo.credential.counter,
+      }
+    });
+  }
+
+  return Response.json({ verified });
+}
+```
+
+## Authentication Flow
+
+```typescript
+// Browser: start authentication
+import { startAuthentication } from '@simplewebauthn/browser';
+
+const options = await fetch('/api/auth/passkey/authenticate/generate', { method: 'POST' }).then(r => r.json());
+const response = await startAuthentication(options);
+await fetch('/api/auth/passkey/authenticate/verify', {
+  method: 'POST',
+  body: JSON.stringify(response),
+  headers: { 'Content-Type': 'application/json' }
+});
+```
+
+```typescript
+// Server: verify authentication
+import { verifyAuthenticationResponse } from '@simplewebauthn/server';
+
+const passkey = await prisma.passkey.findFirst({ where: { credentialId: body.id } });
+const { verified } = await verifyAuthenticationResponse({
+  response: body,
+  expectedChallenge: challenge!,
+  expectedOrigin: process.env.ORIGIN!,
+  expectedRPID: process.env.RP_ID!,
+  credential: { id: passkey!.credentialId, publicKey: passkey!.publicKey, counter: passkey!.counter }
+});
+```
+
+## Best Practices
+- Set `RP_ID` to your domain without protocol or path
+- Store challenges in Redis with short TTL (5 min)
+- Update `counter` after each authentication to detect cloned credentials
+- Offer passkeys as addition to, not replacement for, existing auth
+
+## Resources
+- [SimpleWebAuthn docs](https://simplewebauthn.dev)
+- [WebAuthn Guide](https://webauthn.guide)

package/kit/.claude/skills/auth-session.md

@@ -0,0 +1,88 @@
+# Session Authentication
+
+## Overview
+Server-side sessions store user state on the server, giving the client only an encrypted session cookie.
+
+## iron-session (Next.js)
+
+```bash
+npm install iron-session
+```
+
+```typescript
+// lib/session.ts
+import { SessionOptions } from 'iron-session';
+
+export interface SessionData { userId?: string; role?: string; }
+
+export const sessionOptions: SessionOptions = {
+  password: process.env.SESSION_SECRET!,
+  cookieName: 'app-session',
+  cookieOptions: {
+    secure: process.env.NODE_ENV === 'production',
+    httpOnly: true,
+    sameSite: 'lax',
+    maxAge: 60 * 60 * 24 * 7,
+  },
+};
+```
+
+```typescript
+// app/api/auth/login/route.ts
+import { getIronSession } from 'iron-session';
+import { cookies } from 'next/headers';
+import bcrypt from 'bcryptjs';
+
+export async function POST(req: Request) {
+  const { email, password } = await req.json();
+  const user = await prisma.user.findUnique({ where: { email } });
+  if (!user || !(await bcrypt.compare(password, user.passwordHash))) {
+    return Response.json({ error: 'Invalid credentials' }, { status: 401 });
+  }
+
+  const session = await getIronSession<SessionData>(await cookies(), sessionOptions);
+  session.userId = user.id;
+  session.role = user.role;
+  await session.save();
+  return Response.json({ success: true });
+}
+
+// app/api/auth/logout/route.ts
+export async function POST() {
+  const session = await getIronSession<SessionData>(await cookies(), sessionOptions);
+  session.destroy();
+  return Response.json({ success: true });
+}
+```
+
+## Express Sessions with Redis
+
+```bash
+npm install express-session connect-redis redis
+```
+
+```typescript
+import session from 'express-session';
+import RedisStore from 'connect-redis';
+import { createClient } from 'redis';
+
+const redisClient = createClient({ url: process.env.REDIS_URL });
+await redisClient.connect();
+
+app.use(session({
+  store: new RedisStore({ client: redisClient }),
+  secret: process.env.SESSION_SECRET!,
+  resave: false,
+  saveUninitialized: false,
+  cookie: { secure: true, httpOnly: true, maxAge: 7 * 24 * 60 * 60 * 1000, sameSite: 'lax' }
+}));
+```
+
+## Best Practices
+- Use `httpOnly: true` and `secure: true` in production
+- Use Redis — never memory store in production
+- Regenerate session ID on login to prevent fixation: `req.session.regenerate(cb)`
+- Set `sameSite: 'lax'` to prevent CSRF
+
+## Resources
+- [iron-session](https://github.com/vvo/iron-session)