securegate-cli-tool 2.0.0

package/index.js

@@ -0,0 +1,351 @@
+#!/usr/bin/env node
+
+/**
+ * SecureGate CLI - Setup and manage security keys
+ * Run: npx securegate setup
+ */
+
+const https = require('https');
+const http = require('http');
+const crypto = require('crypto');
+const os = require('os');
+const fs = require('fs');
+const path = require('path');
+const readline = require('readline');
+
+// Configuration
+const SUPABASE_URL = 'https://pbrmsfoowrjqsikgkijb.supabase.co';
+const CONFIG_DIR = path.join(os.homedir(), '.securegate');
+const CONFIG_FILE = path.join(CONFIG_DIR, 'config.json');
+
+// ANSI colors
+const colors = {
+    reset: '\x1b[0m',
+    green: '\x1b[32m',
+    yellow: '\x1b[33m',
+    cyan: '\x1b[36m',
+    red: '\x1b[31m',
+    bold: '\x1b[1m',
+    dim: '\x1b[2m',
+};
+
+function log(msg, color = '') {
+    console.log(`${color}${msg}${colors.reset}`);
+}
+
+function banner() {
+    console.log(`
+${colors.cyan}${colors.bold}🔐 SecureGate Setup${colors.reset}
+${colors.dim}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${colors.reset}
+`);
+}
+
+// Get device fingerprint (machine-based)
+function getDeviceFingerprint() {
+    const cpus = os.cpus();
+    const networkInterfaces = os.networkInterfaces();
+
+    // Get first MAC address
+    let mac = '';
+    for (const [name, interfaces] of Object.entries(networkInterfaces)) {
+        for (const iface of interfaces) {
+            if (iface.mac && iface.mac !== '00:00:00:00:00:00') {
+                mac = iface.mac;
+                break;
+            }
+        }
+        if (mac) break;
+    }
+
+    const fingerprint = [
+        os.hostname(),
+        os.platform(),
+        os.arch(),
+        cpus[0]?.model || 'unknown',
+        mac,
+        os.totalmem().toString(),
+    ].join('|');
+
+    return crypto.createHash('sha256').update(fingerprint).digest('hex').substring(0, 32);
+}
+
+// Get public IP
+async function getPublicIP() {
+    return new Promise((resolve) => {
+        https.get('https://api.ipify.org?format=json', (res) => {
+            let data = '';
+            res.on('data', chunk => data += chunk);
+            res.on('end', () => {
+                try {
+                    resolve(JSON.parse(data).ip);
+                } catch {
+                    resolve('unknown');
+                }
+            });
+        }).on('error', () => resolve('unknown'));
+    });
+}
+
+// Get geolocation
+async function getGeoLocation(ip) {
+    return new Promise((resolve) => {
+        http.get(`http://ip-api.com/json/${ip}?fields=status,country,countryCode,city`, (res) => {
+            let data = '';
+            res.on('data', chunk => data += chunk);
+            res.on('end', () => {
+                try {
+                    const result = JSON.parse(data);
+                    if (result.status === 'success') {
+                        resolve({ country: result.country, code: result.countryCode, city: result.city });
+                    } else {
+                        resolve(null);
+                    }
+                } catch {
+                    resolve(null);
+                }
+            });
+        }).on('error', () => resolve(null));
+    });
+}
+
+// Make HTTP request
+function httpRequest(url, options = {}) {
+    return new Promise((resolve, reject) => {
+        const urlObj = new URL(url);
+        const isHttps = urlObj.protocol === 'https:';
+        const lib = isHttps ? https : http;
+
+        const req = lib.request(url, {
+            method: options.method || 'GET',
+            headers: options.headers || {},
+        }, (res) => {
+            let data = '';
+            res.on('data', chunk => data += chunk);
+            res.on('end', () => {
+                try {
+                    resolve({ status: res.statusCode, data: JSON.parse(data) });
+                } catch {
+                    resolve({ status: res.statusCode, data });
+                }
+            });
+        });
+
+        req.on('error', reject);
+
+        if (options.body) {
+            req.write(options.body);
+        }
+        req.end();
+    });
+}
+
+// Create readline interface
+function createPrompt() {
+    return readline.createInterface({
+        input: process.stdin,
+        output: process.stdout,
+    });
+}
+
+// Ask question
+function ask(rl, question) {
+    return new Promise((resolve) => {
+        rl.question(question, (answer) => {
+            resolve(answer.trim());
+        });
+    });
+}
+
+// Load config
+function loadConfig() {
+    try {
+        if (fs.existsSync(CONFIG_FILE)) {
+            return JSON.parse(fs.readFileSync(CONFIG_FILE, 'utf8'));
+        }
+    } catch { }
+    return {};
+}
+
+// Save config
+function saveConfig(config) {
+    if (!fs.existsSync(CONFIG_DIR)) {
+        fs.mkdirSync(CONFIG_DIR, { recursive: true });
+    }
+    fs.writeFileSync(CONFIG_FILE, JSON.stringify(config, null, 2));
+}
+
+// Main setup flow
+async function setup() {
+    banner();
+
+    const rl = createPrompt();
+
+    try {
+        // Step 1: Get JWT token
+        log('1. Authentication', colors.bold);
+        log('   Enter your Supabase JWT token (from browser after login):', colors.dim);
+        const token = await ask(rl, '   Token: ');
+
+        if (!token) {
+            log('   ❌ Token required', colors.red);
+            process.exit(1);
+        }
+        log('   ✓ Token received', colors.green);
+
+        // Step 2: Get connection ID
+        log('\n2. Connection', colors.bold);
+        log('   Enter your connection_id (e.g., open_abc123):', colors.dim);
+        const connectionId = await ask(rl, '   Connection ID: ');
+
+        if (!connectionId) {
+            log('   ❌ Connection ID required', colors.red);
+            process.exit(1);
+        }
+        log(`   ✓ Connection: ${connectionId}`, colors.green);
+
+        // Step 3: Detect environment
+        log('\n3. Detecting environment...', colors.bold);
+
+        const ip = await getPublicIP();
+        log(`   ✓ IP: ${ip}`, colors.green);
+
+        const geo = await getGeoLocation(ip);
+        if (geo) {
+            log(`   ✓ Location: ${geo.city}, ${geo.country} (${geo.code})`, colors.green);
+        } else {
+            log('   ⚠ Could not detect location', colors.yellow);
+        }
+
+        const fingerprint = getDeviceFingerprint();
+        log(`   ✓ Device: ${os.hostname()} (${os.platform()})`, colors.green);
+        log(`   ✓ Fingerprint: ${fingerprint.substring(0, 8)}...`, colors.dim);
+
+        // Step 4: Activate key
+        log('\n4. Generating security key...', colors.bold);
+
+        const response = await httpRequest(`${SUPABASE_URL}/functions/v1/activate-key`, {
+            method: 'POST',
+            headers: {
+                'Authorization': `Bearer ${token}`,
+                'Content-Type': 'application/json',
+            },
+            body: JSON.stringify({
+                connection_id: connectionId,
+                device_fingerprint: fingerprint,
+                label: `${os.hostname()} (${os.platform()})`,
+            }),
+        });
+
+        if (response.status !== 201) {
+            log(`   ❌ Failed: ${response.data.error || 'Unknown error'}`, colors.red);
+            process.exit(1);
+        }
+
+        const { security_key, bound_to, provider, usage } = response.data;
+
+        log('   ✓ Key activated!', colors.green);
+
+        // Save to config
+        const config = loadConfig();
+        config[connectionId] = {
+            security_key,
+            provider,
+            bound_to,
+            created_at: new Date().toISOString(),
+        };
+        saveConfig(config);
+
+        // Display result
+        console.log(`
+${colors.dim}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${colors.reset}
+
+${colors.bold}${colors.green}✓ Security Key Generated!${colors.reset}
+
+${colors.yellow}⚠ SAVE THIS KEY - IT WILL NOT BE SHOWN AGAIN!${colors.reset}
+
+${colors.cyan}Security Key:${colors.reset}
+${colors.bold}${security_key}${colors.reset}
+
+${colors.cyan}Bound to:${colors.reset}
+  • IP: ${bound_to.ip}
+  • Country: ${bound_to.country}
+  • Device: ${bound_to.device}
+
+${colors.cyan}Usage:${colors.reset}
+${colors.dim}const openai = new OpenAI({
+  apiKey: '${security_key}',
+  baseURL: '${usage.baseURL}'
+});${colors.reset}
+
+${colors.dim}Config saved to: ${CONFIG_FILE}${colors.reset}
+
+${colors.dim}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${colors.reset}
+`);
+
+    } finally {
+        rl.close();
+    }
+}
+
+// List configured keys
+async function list() {
+    banner();
+
+    const config = loadConfig();
+    const keys = Object.entries(config);
+
+    if (keys.length === 0) {
+        log('No security keys configured yet.', colors.dim);
+        log('Run: npx securegate setup', colors.cyan);
+        return;
+    }
+
+    log('Configured Security Keys:', colors.bold);
+    console.log();
+
+    for (const [connectionId, data] of keys) {
+        const keyPreview = data.security_key.substring(0, 12) + '...';
+        log(`  ${connectionId}`, colors.cyan);
+        log(`    Key: ${keyPreview}`, colors.dim);
+        log(`    Provider: ${data.provider}`, colors.dim);
+        log(`    IP: ${data.bound_to?.ip || 'unknown'}`, colors.dim);
+        log(`    Created: ${data.created_at}`, colors.dim);
+        console.log();
+    }
+}
+
+// Show usage instructions
+function usage() {
+    console.log(`
+${colors.cyan}${colors.bold}SecureGate CLI${colors.reset}
+
+${colors.bold}Usage:${colors.reset}
+  npx securegate setup     Generate a new security key
+  npx securegate list      List configured keys
+  npx securegate help      Show this help
+
+${colors.bold}Example:${colors.reset}
+  1. First, create a connection in the SecureGate dashboard
+  2. Run: npx securegate setup
+  3. Enter your JWT token and connection ID
+  4. Use the generated key with OpenAI SDK
+`);
+}
+
+// Main
+const command = process.argv[2] || 'help';
+
+switch (command) {
+    case 'setup':
+        setup().catch(err => {
+            log(`Error: ${err.message}`, colors.red);
+            process.exit(1);
+        });
+        break;
+    case 'list':
+        list();
+        break;
+    case 'help':
+    default:
+        usage();
+}

package/package.json

@@ -0,0 +1,35 @@
+{
+    "name": "securegate-cli-tool",
+    "version": "2.0.0",
+    "description": "SecureGate CLI — Secure your AI agent API keys from the terminal",
+    "main": "src/index.js",
+    "bin": {
+        "securegate": "src/index.js"
+    },
+    "scripts": {
+        "start": "node src/index.js",
+        "test": "node src/index.js --help",
+        "postinstall": "node scripts/postinstall.js"
+    },
+    "keywords": [
+        "api-security",
+        "openai",
+        "anthropic",
+        "ai-agent",
+        "security-key",
+        "device-lock",
+        "mcp",
+        "cli"
+    ],
+    "author": "SecureGate",
+    "license": "MIT",
+    "engines": {
+        "node": ">=16"
+    },
+    "dependencies": {
+        "commander": "^12.1.0",
+        "inquirer": "^8.2.6",
+        "chalk": "^4.1.2",
+        "ora": "^5.4.1"
+    }
+}

package/scripts/postinstall.js

@@ -0,0 +1,37 @@
+#!/usr/bin/env node
+
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+
+try {
+    const homeDir = os.homedir();
+    const openClawPath = path.join(homeDir, '.openclaw');
+    const skillsDir = path.join(openClawPath, 'skills');
+    const targetDir = path.join(skillsDir, 'securegate');
+    const templatePath = path.join(__dirname, '../templates/SKILL.md');
+
+    // Only proceed if .openclaw config directory exists (implies usage)
+    // Or if the user wants to force it? No, auto-detect is safer.
+    if (fs.existsSync(openClawPath)) {
+        console.log('OpenClaw detected. Installing SecureGate skill...');
+
+        // Ensure directories exist
+        if (!fs.existsSync(skillsDir)) {
+            fs.mkdirSync(skillsDir, { recursive: true });
+        }
+
+        if (!fs.existsSync(targetDir)) {
+            fs.mkdirSync(targetDir, { recursive: true });
+        }
+
+        // Copy skill file
+        fs.copyFileSync(templatePath, path.join(targetDir, 'SKILL.md'));
+
+        console.log('✅ SecureGate skill installed to ~/.openclaw/skills/securegate/SKILL.md');
+    }
+} catch (error) {
+    // Silently fail or log warning - we don't want to break the install just for this
+    console.warn('Note: Could not auto-install OpenClaw skill (optional step).');
+    // console.warn(error.message);
+}

package/src/api.js

@@ -0,0 +1,205 @@
+/**
+ * SecureGate CLI — API Client
+ * Wraps all Supabase Edge Function calls
+ */
+
+const https = require('https');
+const http = require('http');
+const { SUPABASE_URL, SUPABASE_ANON_KEY, getAuth, setAuth } = require('./config');
+
+// ── HTTP Helper ──────────────────────────────────────────────────────────────
+
+function httpRequest(url, options = {}) {
+    return new Promise((resolve, reject) => {
+        const urlObj = new URL(url);
+        const lib = urlObj.protocol === 'https:' ? https : http;
+
+        const req = lib.request(url, {
+            method: options.method || 'GET',
+            headers: options.headers || {},
+        }, (res) => {
+            let data = '';
+            res.on('data', chunk => data += chunk);
+            res.on('end', () => {
+                try {
+                    resolve({ status: res.statusCode, data: JSON.parse(data) });
+                } catch {
+                    resolve({ status: res.statusCode, data });
+                }
+            });
+        });
+
+        req.on('error', reject);
+        if (options.body) req.write(options.body);
+        req.end();
+    });
+}
+
+// ── Auth Helpers ─────────────────────────────────────────────────────────────
+
+async function login(email, password) {
+    const res = await httpRequest(`${SUPABASE_URL}/auth/v1/token?grant_type=password`, {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/json',
+            'apikey': SUPABASE_ANON_KEY,
+        },
+        body: JSON.stringify({ email, password }),
+    });
+
+    if (res.status !== 200) {
+        throw new Error(res.data?.error_description || res.data?.msg || 'Login failed');
+    }
+
+    setAuth({
+        access_token: res.data.access_token,
+        refresh_token: res.data.refresh_token,
+        user: {
+            id: res.data.user?.id,
+            email: res.data.user?.email,
+        },
+        expires_at: Date.now() + (res.data.expires_in * 1000),
+    });
+
+    return res.data;
+}
+
+async function refreshToken() {
+    const auth = getAuth();
+    if (!auth?.refresh_token) throw new Error('Not logged in. Run: securegate login');
+
+    const res = await httpRequest(`${SUPABASE_URL}/auth/v1/token?grant_type=refresh_token`, {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/json',
+            'apikey': SUPABASE_ANON_KEY,
+        },
+        body: JSON.stringify({ refresh_token: auth.refresh_token }),
+    });
+
+    if (res.status !== 200) {
+        throw new Error('Session expired. Please run: securegate login');
+    }
+
+    setAuth({
+        access_token: res.data.access_token,
+        refresh_token: res.data.refresh_token,
+        user: auth.user,
+        expires_at: Date.now() + (res.data.expires_in * 1000),
+    });
+
+    return res.data.access_token;
+}
+
+async function getValidToken() {
+    const auth = getAuth();
+    if (!auth) throw new Error('Not logged in. Run: securegate login');
+
+    // Refresh if expires within 5 minutes
+    if (auth.expires_at && (Date.now() > auth.expires_at - 300000)) {
+        return await refreshToken();
+    }
+
+    return auth.access_token;
+}
+
+// ── Edge Function Wrappers ───────────────────────────────────────────────────
+
+async function authedRequest(functionName, body = null, method = 'POST') {
+    const token = await getValidToken();
+
+    const options = {
+        method,
+        headers: {
+            'Authorization': `Bearer ${token}`,
+            'Content-Type': 'application/json',
+        },
+    };
+
+    if (body) options.body = JSON.stringify(body);
+
+    const res = await httpRequest(`${SUPABASE_URL}/functions/v1/${functionName}`, options);
+
+    if (res.status === 403) {
+        throw new Error('Unauthorized. Your session may have expired. Run: securegate login');
+    }
+
+    return res;
+}
+
+async function listConnections() {
+    return authedRequest('list-connections', null, 'GET');
+}
+
+async function getConnection(connectionId) {
+    return authedRequest(`get-connection?connection_id=${connectionId}`, null, 'GET');
+}
+
+async function createConnection({ provider, apiKey, customName, baseUrl }) {
+    return authedRequest('create-connection', {
+        provider,
+        api_key: apiKey,
+        custom_name: customName,
+        base_url: baseUrl,
+    });
+}
+
+async function generateKey(connectionId, label) {
+    const os = require('os');
+    const crypto = require('crypto');
+
+    // Generate device fingerprint
+    const networkInterfaces = os.networkInterfaces();
+    let mac = '';
+    for (const [, interfaces] of Object.entries(networkInterfaces)) {
+        for (const iface of interfaces) {
+            if (iface.mac && iface.mac !== '00:00:00:00:00:00') {
+                mac = iface.mac;
+                break;
+            }
+        }
+        if (mac) break;
+    }
+
+    const fingerprint = [
+        os.hostname(), os.platform(), os.arch(),
+        os.cpus()[0]?.model || 'unknown', mac,
+        os.totalmem().toString(),
+    ].join('|');
+
+    const deviceFingerprint = crypto.createHash('sha256').update(fingerprint).digest('hex').substring(0, 32);
+
+    return authedRequest('generate-key', {
+        connection_id: connectionId,
+        device_fingerprint: deviceFingerprint,
+        label: label || `${os.hostname()} (${os.platform()})`,
+    });
+}
+
+async function deleteKey(keyId) {
+    return authedRequest('delete-key', { key_id: keyId });
+}
+
+async function lockKey(keyId, ip) {
+    return authedRequest('update-key', {
+        key_id: keyId,
+        update_data: { bound_ip: ip }
+    });
+}
+
+async function getProfile() {
+    return authedRequest('get-profile', null, 'GET');
+}
+
+module.exports = {
+    login,
+    refreshToken,
+    getValidToken,
+    listConnections,
+    getConnection,
+    createConnection,
+    generateKey,
+    deleteKey,
+    lockKey,
+    getProfile,
+};