@lifeaitools/clauth 1.5.55 → 1.5.58

package/cli/commands/uninstall.js

@@ -1,164 +1,164 @@
-// cli/commands/uninstall.js
-// clauth uninstall — full teardown: DB objects, Edge Function, secrets, skill, local config
-//
-// Reverses everything `clauth install` does:
-//   1. Drops clauth tables, policies, triggers, functions from Supabase
-//   2. Deletes auth-vault Edge Function
-//   3. Removes CLAUTH_* secrets
-//   4. Removes Claude skill directory
-//   5. Clears local config (Conf store)
-
-import { existsSync, rmSync } from 'fs';
-import { join } from 'path';
-import Conf from 'conf';
-import chalk from 'chalk';
-import ora from 'ora';
-
-const MGMT = 'https://api.supabase.com/v1';
-const SKILLS_DIR = process.env.CLAUTH_SKILLS_DIR ||
-  (process.platform === 'win32'
-    ? join(process.env.USERPROFILE || '', '.claude', 'skills')
-    : join(process.env.HOME || '', '.claude', 'skills'));
-
-// ─────────────────────────────────────────────
-// Supabase Management API helper
-// ─────────────────────────────────────────────
-async function mgmt(pat, method, path, body) {
-  const res = await fetch(`${MGMT}${path}`, {
-    method,
-    headers: { 'Authorization': `Bearer ${pat}`, 'Content-Type': 'application/json' },
-    body: body ? JSON.stringify(body) : undefined,
-  });
-  if (!res.ok) {
-    const text = await res.text().catch(() => res.statusText);
-    throw new Error(`${method} ${path} → HTTP ${res.status}: ${text}`);
-  }
-  if (res.status === 204) return {};
-  const text = await res.text();
-  if (!text) return {};
-  return JSON.parse(text);
-}
-
-// ─────────────────────────────────────────────
-// Main uninstall command
-// ─────────────────────────────────────────────
-export async function runUninstall(opts = {}) {
-  console.log(chalk.red('\n🗑️  clauth uninstall\n'));
-
-  const config = new Conf({ projectName: 'clauth' });
-
-  // ── Collect credentials ────────────────────
-  const ref = opts.ref || config.get('supabase_url')?.match(/https:\/\/(.+)\.supabase\.co/)?.[1];
-  const pat = opts.pat;
-
-  if (!ref) {
-    console.log(chalk.red('  Cannot determine Supabase project ref.'));
-    console.log(chalk.gray('  Use: clauth uninstall --ref <project-ref> --pat <personal-access-token>'));
-    process.exit(1);
-  }
-  if (!pat) {
-    console.log(chalk.red('  Supabase PAT required for teardown.'));
-    console.log(chalk.gray('  Use: clauth uninstall --ref <project-ref> --pat <personal-access-token>'));
-    process.exit(1);
-  }
-
-  console.log(chalk.gray(`  Project: ${ref}\n`));
-
-  // ── Step 1: Drop database objects ──────────
-  const s1 = ora('Dropping clauth database objects...').start();
-  const teardownSQL = `
-    -- Drop triggers
-    DROP TRIGGER IF EXISTS clauth_services_updated ON public.clauth_services;
-
-    -- Drop tables (CASCADE drops policies automatically)
-    DROP TABLE IF EXISTS public.clauth_audit CASCADE;
-    DROP TABLE IF EXISTS public.clauth_machines CASCADE;
-    DROP TABLE IF EXISTS public.clauth_services CASCADE;
-
-    -- Drop functions
-    DROP FUNCTION IF EXISTS public.clauth_touch_updated() CASCADE;
-    DROP FUNCTION IF EXISTS public.clauth_upsert_vault_secret(text, text) CASCADE;
-    DROP FUNCTION IF EXISTS public.clauth_get_vault_secret(text) CASCADE;
-    DROP FUNCTION IF EXISTS public.clauth_delete_vault_secret(text) CASCADE;
-  `;
-
-  try {
-    await mgmt(pat, 'POST', `/projects/${ref}/database/query`, { query: teardownSQL });
-    s1.succeed('Database objects dropped (tables, triggers, functions, policies)');
-  } catch (e) {
-    s1.fail(`Database teardown failed: ${e.message}`);
-    console.log(chalk.yellow('  You may need to drop objects manually via SQL editor.'));
-  }
-
-  // ── Step 2: Delete Edge Function ───────────
-  const s2 = ora('Deleting auth-vault Edge Function...').start();
-  try {
-    const res = await fetch(`${MGMT}/projects/${ref}/functions/auth-vault`, {
-      method: 'DELETE',
-      headers: { 'Authorization': `Bearer ${pat}` },
-    });
-    if (res.ok || res.status === 404) {
-      s2.succeed(res.status === 404
-        ? 'Edge Function not found (already deleted)'
-        : 'Edge Function deleted');
-    } else {
-      const text = await res.text().catch(() => res.statusText);
-      throw new Error(`HTTP ${res.status}: ${text}`);
-    }
-  } catch (e) {
-    s2.fail(`Edge Function delete failed: ${e.message}`);
-    console.log(chalk.yellow('  Delete manually: Supabase Dashboard → Edge Functions → auth-vault → Delete'));
-  }
-
-  // ── Step 3: Remove secrets ─────────────────
-  const s3 = ora('Removing clauth secrets...').start();
-  try {
-    // Supabase Management API: DELETE /projects/{ref}/secrets with body listing secret names
-    const res = await fetch(`${MGMT}/projects/${ref}/secrets`, {
-      method: 'DELETE',
-      headers: { 'Authorization': `Bearer ${pat}`, 'Content-Type': 'application/json' },
-      body: JSON.stringify(['CLAUTH_HMAC_SALT', 'CLAUTH_ADMIN_BOOTSTRAP_TOKEN']),
-    });
-    if (res.ok) {
-      s3.succeed('Secrets removed (CLAUTH_HMAC_SALT, CLAUTH_ADMIN_BOOTSTRAP_TOKEN)');
-    } else {
-      const text = await res.text().catch(() => res.statusText);
-      throw new Error(`HTTP ${res.status}: ${text}`);
-    }
-  } catch (e) {
-    s3.warn(`Secret removal failed: ${e.message}`);
-    console.log(chalk.yellow('  Remove manually: Supabase → Settings → Edge Functions → Secrets'));
-  }
-
-  // ── Step 4: Remove Claude skill ────────────
-  const s4 = ora('Removing Claude skill...').start();
-  const skillDir = join(SKILLS_DIR, 'clauth');
-  if (existsSync(skillDir)) {
-    try {
-      rmSync(skillDir, { recursive: true, force: true });
-      s4.succeed(`Skill removed: ${skillDir}`);
-    } catch (e) {
-      s4.warn(`Could not remove skill: ${e.message}`);
-    }
-  } else {
-    s4.succeed('Skill directory not found (already removed)');
-  }
-
-  // ── Step 5: Clear local config ─────────────
-  const s5 = ora('Clearing local config...').start();
-  try {
-    config.clear();
-    s5.succeed('Local config cleared');
-  } catch (e) {
-    s5.warn(`Could not clear config: ${e.message}`);
-  }
-
-  // ── Done ───────────────────────────────────
-  console.log('');
-  console.log(chalk.red('━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━'));
-  console.log(chalk.yellow('  ✓ clauth fully uninstalled'));
-  console.log(chalk.red('━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━'));
-  console.log('');
-  console.log(chalk.gray('  To reinstall: npx @lifeaitools/clauth install'));
-  console.log('');
-}
+// cli/commands/uninstall.js
+// clauth uninstall — full teardown: DB objects, Edge Function, secrets, skill, local config
+//
+// Reverses everything `clauth install` does:
+//   1. Drops clauth tables, policies, triggers, functions from Supabase
+//   2. Deletes auth-vault Edge Function
+//   3. Removes CLAUTH_* secrets
+//   4. Removes Claude skill directory
+//   5. Clears local config (Conf store)
+
+import { existsSync, rmSync } from 'fs';
+import { join } from 'path';
+import Conf from 'conf';
+import chalk from 'chalk';
+import ora from 'ora';
+
+const MGMT = 'https://api.supabase.com/v1';
+const SKILLS_DIR = process.env.CLAUTH_SKILLS_DIR ||
+  (process.platform === 'win32'
+    ? join(process.env.USERPROFILE || '', '.claude', 'skills')
+    : join(process.env.HOME || '', '.claude', 'skills'));
+
+// ─────────────────────────────────────────────
+// Supabase Management API helper
+// ─────────────────────────────────────────────
+async function mgmt(pat, method, path, body) {
+  const res = await fetch(`${MGMT}${path}`, {
+    method,
+    headers: { 'Authorization': `Bearer ${pat}`, 'Content-Type': 'application/json' },
+    body: body ? JSON.stringify(body) : undefined,
+  });
+  if (!res.ok) {
+    const text = await res.text().catch(() => res.statusText);
+    throw new Error(`${method} ${path} → HTTP ${res.status}: ${text}`);
+  }
+  if (res.status === 204) return {};
+  const text = await res.text();
+  if (!text) return {};
+  return JSON.parse(text);
+}
+
+// ─────────────────────────────────────────────
+// Main uninstall command
+// ─────────────────────────────────────────────
+export async function runUninstall(opts = {}) {
+  console.log(chalk.red('\n🗑️  clauth uninstall\n'));
+
+  const config = new Conf({ projectName: 'clauth' });
+
+  // ── Collect credentials ────────────────────
+  const ref = opts.ref || config.get('supabase_url')?.match(/https:\/\/(.+)\.supabase\.co/)?.[1];
+  const pat = opts.pat;
+
+  if (!ref) {
+    console.log(chalk.red('  Cannot determine Supabase project ref.'));
+    console.log(chalk.gray('  Use: clauth uninstall --ref <project-ref> --pat <personal-access-token>'));
+    process.exit(1);
+  }
+  if (!pat) {
+    console.log(chalk.red('  Supabase PAT required for teardown.'));
+    console.log(chalk.gray('  Use: clauth uninstall --ref <project-ref> --pat <personal-access-token>'));
+    process.exit(1);
+  }
+
+  console.log(chalk.gray(`  Project: ${ref}\n`));
+
+  // ── Step 1: Drop database objects ──────────
+  const s1 = ora('Dropping clauth database objects...').start();
+  const teardownSQL = `
+    -- Drop triggers
+    DROP TRIGGER IF EXISTS clauth_services_updated ON public.clauth_services;
+
+    -- Drop tables (CASCADE drops policies automatically)
+    DROP TABLE IF EXISTS public.clauth_audit CASCADE;
+    DROP TABLE IF EXISTS public.clauth_machines CASCADE;
+    DROP TABLE IF EXISTS public.clauth_services CASCADE;
+
+    -- Drop functions
+    DROP FUNCTION IF EXISTS public.clauth_touch_updated() CASCADE;
+    DROP FUNCTION IF EXISTS public.clauth_upsert_vault_secret(text, text) CASCADE;
+    DROP FUNCTION IF EXISTS public.clauth_get_vault_secret(text) CASCADE;
+    DROP FUNCTION IF EXISTS public.clauth_delete_vault_secret(text) CASCADE;
+  `;
+
+  try {
+    await mgmt(pat, 'POST', `/projects/${ref}/database/query`, { query: teardownSQL });
+    s1.succeed('Database objects dropped (tables, triggers, functions, policies)');
+  } catch (e) {
+    s1.fail(`Database teardown failed: ${e.message}`);
+    console.log(chalk.yellow('  You may need to drop objects manually via SQL editor.'));
+  }
+
+  // ── Step 2: Delete Edge Function ───────────
+  const s2 = ora('Deleting auth-vault Edge Function...').start();
+  try {
+    const res = await fetch(`${MGMT}/projects/${ref}/functions/auth-vault`, {
+      method: 'DELETE',
+      headers: { 'Authorization': `Bearer ${pat}` },
+    });
+    if (res.ok || res.status === 404) {
+      s2.succeed(res.status === 404
+        ? 'Edge Function not found (already deleted)'
+        : 'Edge Function deleted');
+    } else {
+      const text = await res.text().catch(() => res.statusText);
+      throw new Error(`HTTP ${res.status}: ${text}`);
+    }
+  } catch (e) {
+    s2.fail(`Edge Function delete failed: ${e.message}`);
+    console.log(chalk.yellow('  Delete manually: Supabase Dashboard → Edge Functions → auth-vault → Delete'));
+  }
+
+  // ── Step 3: Remove secrets ─────────────────
+  const s3 = ora('Removing clauth secrets...').start();
+  try {
+    // Supabase Management API: DELETE /projects/{ref}/secrets with body listing secret names
+    const res = await fetch(`${MGMT}/projects/${ref}/secrets`, {
+      method: 'DELETE',
+      headers: { 'Authorization': `Bearer ${pat}`, 'Content-Type': 'application/json' },
+      body: JSON.stringify(['CLAUTH_HMAC_SALT', 'CLAUTH_ADMIN_BOOTSTRAP_TOKEN']),
+    });
+    if (res.ok) {
+      s3.succeed('Secrets removed (CLAUTH_HMAC_SALT, CLAUTH_ADMIN_BOOTSTRAP_TOKEN)');
+    } else {
+      const text = await res.text().catch(() => res.statusText);
+      throw new Error(`HTTP ${res.status}: ${text}`);
+    }
+  } catch (e) {
+    s3.warn(`Secret removal failed: ${e.message}`);
+    console.log(chalk.yellow('  Remove manually: Supabase → Settings → Edge Functions → Secrets'));
+  }
+
+  // ── Step 4: Remove Claude skill ────────────
+  const s4 = ora('Removing Claude skill...').start();
+  const skillDir = join(SKILLS_DIR, 'clauth');
+  if (existsSync(skillDir)) {
+    try {
+      rmSync(skillDir, { recursive: true, force: true });
+      s4.succeed(`Skill removed: ${skillDir}`);
+    } catch (e) {
+      s4.warn(`Could not remove skill: ${e.message}`);
+    }
+  } else {
+    s4.succeed('Skill directory not found (already removed)');
+  }
+
+  // ── Step 5: Clear local config ─────────────
+  const s5 = ora('Clearing local config...').start();
+  try {
+    config.clear();
+    s5.succeed('Local config cleared');
+  } catch (e) {
+    s5.warn(`Could not clear config: ${e.message}`);
+  }
+
+  // ── Done ───────────────────────────────────
+  console.log('');
+  console.log(chalk.red('━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━'));
+  console.log(chalk.yellow('  ✓ clauth fully uninstalled'));
+  console.log(chalk.red('━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━'));
+  console.log('');
+  console.log(chalk.gray('  To reinstall: npx @lifeaitools/clauth install'));
+  console.log('');
+}

package/cli/fingerprint.js

@@ -1,133 +1,133 @@
-// cli/fingerprint.js
-// Collects stable hardware identifiers and derives HMAC tokens
-// Works on Windows (primary) + Linux/macOS (fallback)
-
-import { execSync } from "child_process";
-import { createHmac, createHash } from "crypto";
-import os from "os";
-import fs from "fs";
-import path from "path";
-
-// ============================================================
-// Machine ID collection
-// ============================================================
-
-// Cache path — avoids re-querying WMI/CIM on every daemon start.
-// This eliminates the spawnSync cmd.exe ETIMEDOUT crash that occurs
-// when PowerShell/WMI is slow on first call after boot.
-const CACHE_FILE = path.join(os.tmpdir(), "clauth-machine.cache");
-
-function readCache() {
-  try {
-    const raw = fs.readFileSync(CACHE_FILE, "utf8").trim();
-    // Validate: must be two non-empty lines (primary:secondary)
-    const [primary, secondary] = raw.split("\n");
-    if (primary && secondary) return { primary: primary.trim(), secondary: secondary.trim() };
-  } catch { /* cache miss */ }
-  return null;
-}
-
-function writeCache(primary, secondary) {
-  try { fs.writeFileSync(CACHE_FILE, `${primary}\n${secondary}`, "utf8"); } catch { /* best effort */ }
-}
-
-function getMachineId() {
-  // Fast path: use cached IDs if available (avoids WMI/PowerShell on every restart)
-  const cached = readCache();
-  if (cached) return { ...cached, platform: os.platform() };
-
-  const platform = os.platform();
-
-  try {
-    if (platform === "win32") {
-      const psPath = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe";
-      // Increased timeout to 15s — CimInstance/WMI can be slow after boot or under load.
-      // Each call is wrapped independently so a partial failure still yields a result.
-      let uuid = "";
-      try {
-        uuid = execSync(
-          `${psPath} -NoProfile -Command "(Get-CimInstance Win32_ComputerSystemProduct).UUID"`,
-          { encoding: "utf8", timeout: 15000, stdio: ["pipe", "pipe", "pipe"] }
-        ).trim();
-      } catch { /* fall through to registry-only path */ }
-
-      let machineGuid = "";
-      try {
-        machineGuid = execSync(
-          `${psPath} -NoProfile -Command "(Get-ItemProperty 'HKLM:\\SOFTWARE\\Microsoft\\Cryptography').MachineGuid"`,
-          { encoding: "utf8", timeout: 15000, stdio: ["pipe", "pipe", "pipe"] }
-        ).trim();
-      } catch { /* fall through */ }
-
-      // Require at least one identifier
-      if (!uuid && !machineGuid) throw new Error("Could not read any Windows machine ID");
-
-      // Use hostname as fallback secondary if registry query failed
-      const primary = uuid || machineGuid;
-      const secondary = machineGuid || os.hostname();
-
-      writeCache(primary, secondary);
-      return { primary, secondary, platform: "win32" };
-    }
-
-    if (platform === "darwin") {
-      const uuid = execSync(
-        "ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformUUID/ { print $3 }'",
-        { encoding: "utf8", timeout: 5000, stdio: ["pipe", "pipe", "pipe"] }
-      ).replace(/['"]/g, "").trim();
-      writeCache(uuid, os.hostname());
-      return { primary: uuid, secondary: os.hostname(), platform: "darwin" };
-    }
-
-    // Linux
-    let uuid = "";
-    try { uuid = execSync("cat /etc/machine-id", { encoding: "utf8", timeout: 2000 }).trim(); }
-    catch { uuid = execSync("cat /var/lib/dbus/machine-id", { encoding: "utf8", timeout: 2000 }).trim(); }
-    writeCache(uuid, os.hostname());
-    return { primary: uuid, secondary: os.hostname(), platform: "linux" };
-
-  } catch (err) {
-    throw new Error(`Machine ID collection failed: ${err.message}`);
-  }
-}
-
-// ============================================================
-// Derive stable machine hash (what gets stored in Supabase)
-// ============================================================
-
-export function getMachineHash() {
-  const { primary, secondary } = getMachineId();
-  return createHash("sha256")
-    .update(`${primary}:${secondary}`)
-    .digest("hex");
-}
-
-// ============================================================
-// Derive HMAC token for a given password + timestamp
-// ============================================================
-
-export function deriveToken(password, machineHash) {
-  const windowMs = 5 * 60 * 1000;
-  const window   = Math.floor(Date.now() / windowMs);
-  const message  = `${machineHash}:${window}`;
-  
-  // Server reconstructs this — password + CLAUTH_HMAC_SALT
-  // Client sends token; server adds its SALT to the password before verifying
-  const token = createHmac("sha256", password)
-    .update(message)
-    .digest("hex");
-
-  return { token, timestamp: window * windowMs, machineHash };
-}
-
-// ============================================================
-// Derive HMAC seed hash (stored during machine registration)
-// ============================================================
-
-export function deriveSeedHash(machineHash, password) {
-  return createHash("sha256")
-    .update(`seed:${machineHash}:${password}`)
-    .digest("hex");
-}
-
-export default { getMachineHash, deriveToken, deriveSeedHash };
+// cli/fingerprint.js
+// Collects stable hardware identifiers and derives HMAC tokens
+// Works on Windows (primary) + Linux/macOS (fallback)
+
+import { execSync } from "child_process";
+import { createHmac, createHash } from "crypto";
+import os from "os";
+import fs from "fs";
+import path from "path";
+
+// ============================================================
+// Machine ID collection
+// ============================================================
+
+// Cache path — avoids re-querying WMI/CIM on every daemon start.
+// This eliminates the spawnSync cmd.exe ETIMEDOUT crash that occurs
+// when PowerShell/WMI is slow on first call after boot.
+const CACHE_FILE = path.join(os.tmpdir(), "clauth-machine.cache");
+
+function readCache() {
+  try {
+    const raw = fs.readFileSync(CACHE_FILE, "utf8").trim();
+    // Validate: must be two non-empty lines (primary:secondary)
+    const [primary, secondary] = raw.split("\n");
+    if (primary && secondary) return { primary: primary.trim(), secondary: secondary.trim() };
+  } catch { /* cache miss */ }
+  return null;
+}
+
+function writeCache(primary, secondary) {
+  try { fs.writeFileSync(CACHE_FILE, `${primary}\n${secondary}`, "utf8"); } catch { /* best effort */ }
+}
+
+function getMachineId() {
+  // Fast path: use cached IDs if available (avoids WMI/PowerShell on every restart)
+  const cached = readCache();
+  if (cached) return { ...cached, platform: os.platform() };
+
+  const platform = os.platform();
+
+  try {
+    if (platform === "win32") {
+      const psPath = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe";
+      // Increased timeout to 15s — CimInstance/WMI can be slow after boot or under load.
+      // Each call is wrapped independently so a partial failure still yields a result.
+      let uuid = "";
+      try {
+        uuid = execSync(
+          `${psPath} -NoProfile -Command "(Get-CimInstance Win32_ComputerSystemProduct).UUID"`,
+          { encoding: "utf8", timeout: 15000, stdio: ["pipe", "pipe", "pipe"] }
+        ).trim();
+      } catch { /* fall through to registry-only path */ }
+
+      let machineGuid = "";
+      try {
+        machineGuid = execSync(
+          `${psPath} -NoProfile -Command "(Get-ItemProperty 'HKLM:\\SOFTWARE\\Microsoft\\Cryptography').MachineGuid"`,
+          { encoding: "utf8", timeout: 15000, stdio: ["pipe", "pipe", "pipe"] }
+        ).trim();
+      } catch { /* fall through */ }
+
+      // Require at least one identifier
+      if (!uuid && !machineGuid) throw new Error("Could not read any Windows machine ID");
+
+      // Use hostname as fallback secondary if registry query failed
+      const primary = uuid || machineGuid;
+      const secondary = machineGuid || os.hostname();
+
+      writeCache(primary, secondary);
+      return { primary, secondary, platform: "win32" };
+    }
+
+    if (platform === "darwin") {
+      const uuid = execSync(
+        "ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformUUID/ { print $3 }'",
+        { encoding: "utf8", timeout: 5000, stdio: ["pipe", "pipe", "pipe"] }
+      ).replace(/['"]/g, "").trim();
+      writeCache(uuid, os.hostname());
+      return { primary: uuid, secondary: os.hostname(), platform: "darwin" };
+    }
+
+    // Linux
+    let uuid = "";
+    try { uuid = execSync("cat /etc/machine-id", { encoding: "utf8", timeout: 2000 }).trim(); }
+    catch { uuid = execSync("cat /var/lib/dbus/machine-id", { encoding: "utf8", timeout: 2000 }).trim(); }
+    writeCache(uuid, os.hostname());
+    return { primary: uuid, secondary: os.hostname(), platform: "linux" };
+
+  } catch (err) {
+    throw new Error(`Machine ID collection failed: ${err.message}`);
+  }
+}
+
+// ============================================================
+// Derive stable machine hash (what gets stored in Supabase)
+// ============================================================
+
+export function getMachineHash() {
+  const { primary, secondary } = getMachineId();
+  return createHash("sha256")
+    .update(`${primary}:${secondary}`)
+    .digest("hex");
+}
+
+// ============================================================
+// Derive HMAC token for a given password + timestamp
+// ============================================================
+
+export function deriveToken(password, machineHash) {
+  const windowMs = 5 * 60 * 1000;
+  const window   = Math.floor(Date.now() / windowMs);
+  const message  = `${machineHash}:${window}`;
+  
+  // Server reconstructs this — password + CLAUTH_HMAC_SALT
+  // Client sends token; server adds its SALT to the password before verifying
+  const token = createHmac("sha256", password)
+    .update(message)
+    .digest("hex");
+
+  return { token, timestamp: window * windowMs, machineHash };
+}
+
+// ============================================================
+// Derive HMAC seed hash (stored during machine registration)
+// ============================================================
+
+export function deriveSeedHash(machineHash, password) {
+  return createHash("sha256")
+    .update(`seed:${machineHash}:${password}`)
+    .digest("hex");
+}
+
+export default { getMachineHash, deriveToken, deriveSeedHash };