@prabhask5/stellar-engine 1.1.8 → 1.1.10

package/README.md

@@ -81,7 +81,6 @@ initEngine({
   tables: [/* ... */],
   database: {/* ... */},
   auth: {
-    mode: 'single-user',
     singleUser: { gateType: 'code', codeLength: 4 },
     enableOfflineAuth: true,
     // emailConfirmation: { enabled: true },       // require email confirmation on setup
@@ -107,12 +106,14 @@ if (!auth.singleUserSetUp) {
 
 ## Install PWA Command
 
-Scaffold a complete offline-first PWA project:
+Scaffold a complete offline-first PWA project with an interactive walkthrough:
 
 ```bash
-npx @prabhask5/stellar-engine install pwa --name "My App" --short_name "App" --prefix "myapp" [--description "..."]
+npx @prabhask5/stellar-engine install pwa
 ```
 
+The wizard guides you through each option (app name, short name, prefix, description), validates input inline, shows a confirmation summary, then scaffolds with animated progress.
+
 ### What it generates
 
 The command creates a full SvelteKit 2 + Svelte 5 project with:
@@ -134,7 +135,7 @@ The command creates a full SvelteKit 2 + Svelte 5 project with:
 | `src/routes/+layout.svelte` | Auth state hydration via `hydrateAuthState()` | App shell (navbar, tab bar, overlays) |
 | `src/routes/+page.svelte` | Imports `resolveFirstName`, `onSyncComplete`, `authState`; derives `firstName` reactively | Home page UI |
 | `src/routes/+error.svelte` | — | Error page UI |
-| `src/routes/setup/+page.ts` | Config check, session validation, admin check via `getConfig()`, `getValidSession()`, `isAdmin()` | — (fully managed) |
+| `src/routes/setup/+page.ts` | Config check, session validation via `getConfig()`, `getValidSession()` | — (fully managed) |
 | `src/routes/setup/+page.svelte` | Imports `setConfig`, `isOnline`, `pollForNewServiceWorker` | Setup wizard UI |
 | `src/routes/policy/+page.svelte` | — | Privacy policy content |
 | `src/routes/login/+page.svelte` | All auth functions: `setupSingleUser`, `unlockSingleUser`, `getSingleUserInfo`, `completeSingleUserSetup`, `completeDeviceVerification`, `pollDeviceVerification`, `fetchRemoteGateConfig`, `linkSingleUserDevice`, `sendDeviceVerification` | Login page UI |
@@ -151,14 +152,14 @@ The command creates a full SvelteKit 2 + Svelte 5 project with:
 
 **Git hooks (1):** `.husky/pre-commit` with lint + format + validate
 
-### Parameters
+### Interactive Prompts
 
-| Flag | Required | Description |
-|------|----------|-------------|
-| `--name` | Yes | Full app name (e.g., "My Stellar App") |
-| `--short_name` | Yes | Short name for PWA home screen |
-| `--prefix` | Yes | App prefix for localStorage keys, SW, debug utils |
-| `--description` | No | App description (default: "A self-hosted offline-first PWA") |
+| Prompt | Required | Description |
+|--------|----------|-------------|
+| App Name | Yes | Full app name (e.g., "Stellar Planner") |
+| Short Name | Yes | Short name for PWA home screen (under 12 chars) |
+| Prefix | Yes | Lowercase key for localStorage, caches, SW (auto-suggested from name) |
+| Description | No | App description (default: "A self-hosted offline-first PWA") |
 
 ## Subpath exports
 
@@ -168,7 +169,7 @@ Import only what you need via subpath exports:
 |---|---|
 | `@prabhask5/stellar-engine` | `initEngine`, `startSyncEngine`, `runFullSync`, `supabase`, `getDb`, `validateSupabaseCredentials`, `validateSchema` |
 | `@prabhask5/stellar-engine/data` | All engine CRUD + query operations (`engineCreate`, `engineUpdate`, etc.) |
-| `@prabhask5/stellar-engine/auth` | All auth functions (`signIn`, `signUp`, `resolveAuthState`, `isAdmin`, `changeEmail`, `completeEmailChange`, single-user: `setupSingleUser`, `unlockSingleUser`, `lockSingleUser`, `completeSingleUserSetup`, `completeDeviceVerification`, `changeSingleUserEmail`, `completeSingleUserEmailChange`, `padPin`, etc.) |
+| `@prabhask5/stellar-engine/auth` | All auth functions (`resolveAuthState`, `signOut`, `setupSingleUser`, `unlockSingleUser`, `lockSingleUser`, `completeSingleUserSetup`, `completeDeviceVerification`, `changeSingleUserEmail`, `completeSingleUserEmailChange`, `padPin`, etc.) |
 | `@prabhask5/stellar-engine/stores` | Reactive stores + event subscriptions (`syncStatusStore`, `authState`, `onSyncComplete`, etc.) |
 | `@prabhask5/stellar-engine/types` | All type exports (`Session`, `SyncEngineConfig`, `BatchOperation`, `SingleUserConfig`, etc.) |
 | `@prabhask5/stellar-engine/utils` | Utility functions (`generateId`, `now`, `calculateNewOrder`, `snakeToCamel`, `debug`, etc.) |
@@ -300,30 +301,22 @@ Alternatively, you can provide a pre-created Dexie instance via the `db` config
 | `markEntityModified(table, id)` | Record that an entity was recently modified locally (prevents incoming realtime from overwriting). |
 | `onSyncComplete(callback)` | Register a callback invoked after each successful sync cycle. |
 
-### Auth
+### Auth Utilities
 
 | Export | Description |
 |---|---|
-| `signIn` / `signUp` / `signOut` | Supabase auth wrappers that also manage offline credential caching. |
-| `getSession` / `isSessionExpired` | Session inspection helpers. |
-| `changePassword` / `resendConfirmationEmail` | Account management. |
-| `changeEmail(newEmail)` | Request email change (sends confirmation to new address). Returns `{ error, confirmationRequired }`. |
-| `completeEmailChange()` | Finalize email change after confirmation. Refreshes session and updates cached credentials. |
+| `signOut` | Full teardown: stops sync, clears caches, signs out of Supabase. |
+| `resendConfirmationEmail` | Resend signup confirmation email. |
 | `getUserProfile` / `updateProfile` | Profile read/write via Supabase user metadata. |
+| `verifyOtp` | Verify OTP token hash from confirmation email links. |
+| `getValidSession` | Get a non-expired Supabase session, or `null`. |
 | `resolveFirstName(session, offline, fallback?)` | Resolve display name from session or offline profile with configurable fallback. |
 | `resolveUserId(session, offline)` | Extract user UUID from session or offline credentials. |
 | `resolveAvatarInitial(session, offline, fallback?)` | Single uppercase initial for avatar display. |
 
-### Offline auth
-
-| Export | Description |
-|---|---|
-| `cacheOfflineCredentials` / `getOfflineCredentials` / `verifyOfflineCredentials` / `clearOfflineCredentials` | Store and verify credentials locally for offline sign-in. |
-| `createOfflineSession` / `getValidOfflineSession` / `clearOfflineSession` | Manage offline session tokens in IndexedDB. |
-
 ### Single-user auth
 
-For personal apps that use a simplified PIN or password gate. Uses real Supabase email/password auth where the PIN is padded to meet minimum password length. Enable by setting `auth.mode: 'single-user'` in the engine config.
+For personal apps that use a simplified PIN or password gate. Uses real Supabase email/password auth where the PIN is padded to meet minimum password length. Enable by setting `auth.singleUser` in the engine config.
 
 | Export | Description |
 |---|---|

package/dist/auth/crypto.d.ts

@@ -17,10 +17,6 @@
  *   password storage on its own. It is acceptable here because the hashed values
  *   are only stored in the client-side IndexedDB for offline pre-checking and
  *   are never transmitted to a server.
- * - The `isAlreadyHashed` helper uses a regex heuristic (64-char hex). If a
- *   user's actual password happens to be a 64-char hex string, it will be
- *   misidentified as already hashed. This is an acceptable edge case given the
- *   vanishingly low probability and the local-only usage context.
  *
  * @module auth/crypto
  */
@@ -40,25 +36,6 @@
  * // hashed === 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855' (example)
  * ```
  *
- * @see {@link isAlreadyHashed} to check whether a string is already a hex digest.
  */
 export declare function hashValue(value: string): Promise<string>;
-/**
- * Check if a stored value is already hashed (64-character hex string).
- *
- * Used to distinguish between legacy plaintext credentials and modern
- * SHA-256-hashed credentials in IndexedDB, enabling backward-compatible
- * verification without a migration step.
- *
- * @param value - The string to test.
- * @returns `true` if the value matches the pattern of a SHA-256 hex digest
- *          (exactly 64 lowercase hexadecimal characters), `false` otherwise.
- *
- * @example
- * ```ts
- * isAlreadyHashed('abc123');           // false
- * isAlreadyHashed('e3b0c442...b855');  // true (64-char hex)
- * ```
- */
-export declare function isAlreadyHashed(value: string): boolean;
 //# sourceMappingURL=crypto.d.ts.map

package/dist/auth/crypto.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../../src/auth/crypto.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAMH;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAsB,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAM9D;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAEtD"}
+{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../../src/auth/crypto.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAMH;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAsB,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAM9D"}

package/dist/auth/crypto.js

@@ -17,10 +17,6 @@
  *   password storage on its own. It is acceptable here because the hashed values
  *   are only stored in the client-side IndexedDB for offline pre-checking and
  *   are never transmitted to a server.
- * - The `isAlreadyHashed` helper uses a regex heuristic (64-char hex). If a
- *   user's actual password happens to be a 64-char hex string, it will be
- *   misidentified as already hashed. This is an acceptable edge case given the
- *   vanishingly low probability and the local-only usage context.
  *
  * @module auth/crypto
  */
@@ -43,7 +39,6 @@
  * // hashed === 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855' (example)
  * ```
  *
- * @see {@link isAlreadyHashed} to check whether a string is already a hex digest.
  */
 export async function hashValue(value) {
     const encoder = new TextEncoder();
@@ -52,24 +47,4 @@ export async function hashValue(value) {
     const hashArray = Array.from(new Uint8Array(hashBuffer));
     return hashArray.map((b) => b.toString(16).padStart(2, '0')).join('');
 }
-/**
- * Check if a stored value is already hashed (64-character hex string).
- *
- * Used to distinguish between legacy plaintext credentials and modern
- * SHA-256-hashed credentials in IndexedDB, enabling backward-compatible
- * verification without a migration step.
- *
- * @param value - The string to test.
- * @returns `true` if the value matches the pattern of a SHA-256 hex digest
- *          (exactly 64 lowercase hexadecimal characters), `false` otherwise.
- *
- * @example
- * ```ts
- * isAlreadyHashed('abc123');           // false
- * isAlreadyHashed('e3b0c442...b855');  // true (64-char hex)
- * ```
- */
-export function isAlreadyHashed(value) {
-    return /^[0-9a-f]{64}$/.test(value);
-}
 //# sourceMappingURL=crypto.js.map

package/dist/auth/crypto.js.map

@@ -1 +1 @@
-{"version":3,"file":"crypto.js","sourceRoot":"","sources":["../../src/auth/crypto.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAEH,gFAAgF;AAChF,aAAa;AACb,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,KAAa;IAC3C,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;IAClC,MAAM,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACnC,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;IAC/D,MAAM,SAAS,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,UAAU,CAAC,UAAU,CAAC,CAAC,CAAC;IACzD,OAAO,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;AACxE,CAAC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,UAAU,eAAe,CAAC,KAAa;IAC3C,OAAO,gBAAgB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;AACtC,CAAC"}
+{"version":3,"file":"crypto.js","sourceRoot":"","sources":["../../src/auth/crypto.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAEH,gFAAgF;AAChF,aAAa;AACb,gFAAgF;AAEhF;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,KAAa;IAC3C,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;IAClC,MAAM,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACnC,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;IAC/D,MAAM,SAAS,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,UAAU,CAAC,UAAU,CAAC,CAAC,CAAC;IACzD,OAAO,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;AACxE,CAAC"}

package/dist/auth/deviceVerification.d.ts

@@ -1,8 +1,8 @@
 /**
  * @fileoverview Device Verification Module
  *
- * Manages the trusted device registry and email-based OTP verification flow
- * for both single-user and multi-user modes. When device verification is
+ * Manages the trusted device registry and email-based OTP verification flow.
+ * When device verification is
  * enabled, only devices present in the Supabase `trusted_devices` table (with
  * a recent `last_used_at` timestamp) are allowed to proceed after
  * authentication. Untrusted devices must complete an email OTP challenge.

package/dist/auth/deviceVerification.js

@@ -1,8 +1,8 @@
 /**
  * @fileoverview Device Verification Module
  *
- * Manages the trusted device registry and email-based OTP verification flow
- * for both single-user and multi-user modes. When device verification is
+ * Manages the trusted device registry and email-based OTP verification flow.
+ * When device verification is
  * enabled, only devices present in the Supabase `trusted_devices` table (with
  * a recent `last_used_at` timestamp) are allowed to proceed after
  * authentication. Untrusted devices must complete an email OTP challenge.

package/dist/auth/loginGuard.d.ts

@@ -57,25 +57,20 @@ export type PreCheckResult = {
 /**
  * Pre-check login credentials locally before calling Supabase.
  *
- * For single-user mode: reads `singleUserConfig.gateHash`, hashes input, compares.
- * For multi-user mode: reads offline credentials, matches email + hashes password, compares.
+ * Reads `singleUserConfig.gateHash`, hashes input, and compares.
  *
  * Returns `{ proceed: true, strategy }` to allow Supabase call,
  * or `{ proceed: false, error, retryAfterMs? }` to reject locally.
  *
  * @param input - The plaintext password or gate code entered by the user.
- * @param mode - The auth mode (`'single-user'` or `'multi-user'`), which
- *               determines which IndexedDB table holds the cached hash.
- * @param email - (Multi-user only) The email address to match against cached
- *                credentials. Ignored in single-user mode.
  * @returns A promise resolving to a {@link PreCheckResult}.
  *
  * @example
  * ```ts
- * const result = await preCheckLogin(password, 'multi-user', email);
+ * const result = await preCheckLogin(password);
  * if (result.proceed) {
  *   const { error } = await supabase.auth.signInWithPassword({ email, password });
- *   if (error) await onLoginFailure(result.strategy, 'multi-user');
+ *   if (error) await onLoginFailure(result.strategy);
  *   else onLoginSuccess();
  * } else {
  *   showError(result.error);
@@ -85,7 +80,7 @@ export type PreCheckResult = {
  * @see {@link onLoginSuccess} -- must be called after a successful Supabase login.
  * @see {@link onLoginFailure} -- must be called after a failed Supabase login.
  */
-export declare function preCheckLogin(input: string, mode: 'single-user' | 'multi-user', email?: string): Promise<PreCheckResult>;
+export declare function preCheckLogin(input: string): Promise<PreCheckResult>;
 /**
  * Called after a successful Supabase login.
  *
@@ -112,19 +107,17 @@ export declare function onLoginSuccess(): void;
  *
  * @param strategy - The {@link PreCheckStrategy} that was returned by
  *                   {@link preCheckLogin} for this attempt.
- * @param mode - The auth mode, used to determine which IndexedDB table to
- *               invalidate if the hash is stale. Defaults to `'multi-user'`.
  *
  * @example
  * ```ts
- * const result = await preCheckLogin(password, 'multi-user', email);
+ * const result = await preCheckLogin(password);
  * if (result.proceed) {
  *   const { error } = await supabase.auth.signInWithPassword({ email, password });
- *   if (error) await onLoginFailure(result.strategy, 'multi-user');
+ *   if (error) await onLoginFailure(result.strategy);
  * }
  * ```
  */
-export declare function onLoginFailure(strategy: PreCheckStrategy, mode?: 'single-user' | 'multi-user'): Promise<void>;
+export declare function onLoginFailure(strategy: PreCheckStrategy): Promise<void>;
 /**
  * Full reset of all login guard state.
  *

package/dist/auth/loginGuard.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"loginGuard.d.ts","sourceRoot":"","sources":["../../src/auth/loginGuard.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AAoDH;;;;;;;GAOG;AACH,MAAM,MAAM,gBAAgB,GAAG,aAAa,GAAG,UAAU,CAAC;AAE1D;;;;;;;GAOG;AACH,MAAM,MAAM,cAAc,GACtB;IAAE,OAAO,EAAE,IAAI,CAAC;IAAC,QAAQ,EAAE,gBAAgB,CAAA;CAAE,GAC7C;IAAE,OAAO,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,MAAM,CAAC;IAAC,YAAY,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC;AAsE7D;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,wBAAsB,aAAa,CACjC,KAAK,EAAE,MAAM,EACb,IAAI,EAAE,aAAa,GAAG,YAAY,EAClC,KAAK,CAAC,EAAE,MAAM,GACb,OAAO,CAAC,cAAc,CAAC,CA8EzB;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,cAAc,IAAI,IAAI,CAKrC;AAED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,wBAAsB,cAAc,CAClC,QAAQ,EAAE,gBAAgB,EAC1B,IAAI,GAAE,aAAa,GAAG,YAA2B,GAChD,OAAO,CAAC,IAAI,CAAC,CAiBf;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,eAAe,IAAI,IAAI,CAKtC"}
+{"version":3,"file":"loginGuard.d.ts","sourceRoot":"","sources":["../../src/auth/loginGuard.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AAmDH;;;;;;;GAOG;AACH,MAAM,MAAM,gBAAgB,GAAG,aAAa,GAAG,UAAU,CAAC;AAE1D;;;;;;;GAOG;AACH,MAAM,MAAM,cAAc,GACtB;IAAE,OAAO,EAAE,IAAI,CAAC;IAAC,QAAQ,EAAE,gBAAgB,CAAA;CAAE,GAC7C;IAAE,OAAO,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,MAAM,CAAC;IAAC,YAAY,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC;AAoD7D;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,wBAAsB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,CAAC,CAuE1E;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,cAAc,IAAI,IAAI,CAKrC;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAsB,cAAc,CAAC,QAAQ,EAAE,gBAAgB,GAAG,OAAO,CAAC,IAAI,CAAC,CAiB9E;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,eAAe,IAAI,IAAI,CAKtC"}

package/dist/auth/loginGuard.js

@@ -30,7 +30,6 @@
  * @module auth/loginGuard
  */
 import { hashValue } from './crypto';
-import { getOfflineCredentials } from './offlineCredentials';
 import { getEngineConfig } from '../config';
 import { debugLog, debugWarn } from '../debug';
 // =============================================================================
@@ -82,45 +81,26 @@ function checkRateLimit() {
     return { allowed: true };
 }
 /**
- * Invalidate the locally cached password/gate hash in IndexedDB.
+ * Invalidate the locally cached gate hash in IndexedDB.
  *
  * Called when the guard determines the cached hash is stale (e.g., the user
- * changed their password on another device, or too many consecutive local
+ * changed their PIN on another device, or too many consecutive local
  * mismatches have occurred).
  *
- * @param mode - Whether the app is running in single-user or multi-user mode,
- *               which determines which IndexedDB table to update.
- *
  * @throws Never -- errors are caught and logged via `debugWarn`.
  */
-async function invalidateCachedHash(mode) {
+async function invalidateCachedHash() {
     try {
-        if (mode === 'single-user') {
-            const config = getEngineConfig();
-            const db = config.db;
-            if (db) {
-                const record = await db.table('singleUserConfig').get('config');
-                if (record && record.gateHash) {
-                    await db.table('singleUserConfig').update('config', {
-                        gateHash: undefined,
-                        updatedAt: new Date().toISOString()
-                    });
-                    debugLog('[LoginGuard] Invalidated single-user gateHash');
-                }
-            }
-        }
-        else {
-            const config = getEngineConfig();
-            const db = config.db;
-            if (db) {
-                const record = await db.table('offlineCredentials').get('current_user');
-                if (record && record.password) {
-                    await db.table('offlineCredentials').update('current_user', {
-                        password: undefined,
-                        cachedAt: new Date().toISOString()
-                    });
-                    debugLog('[LoginGuard] Invalidated offline credentials password hash');
-                }
+        const config = getEngineConfig();
+        const db = config.db;
+        if (db) {
+            const record = await db.table('singleUserConfig').get('config');
+            if (record && record.gateHash) {
+                await db.table('singleUserConfig').update('config', {
+                    gateHash: undefined,
+                    updatedAt: new Date().toISOString()
+                });
+                debugLog('[LoginGuard] Invalidated single-user gateHash');
             }
         }
     }
@@ -134,25 +114,20 @@ async function invalidateCachedHash(mode) {
 /**
  * Pre-check login credentials locally before calling Supabase.
  *
- * For single-user mode: reads `singleUserConfig.gateHash`, hashes input, compares.
- * For multi-user mode: reads offline credentials, matches email + hashes password, compares.
+ * Reads `singleUserConfig.gateHash`, hashes input, and compares.
  *
  * Returns `{ proceed: true, strategy }` to allow Supabase call,
  * or `{ proceed: false, error, retryAfterMs? }` to reject locally.
  *
  * @param input - The plaintext password or gate code entered by the user.
- * @param mode - The auth mode (`'single-user'` or `'multi-user'`), which
- *               determines which IndexedDB table holds the cached hash.
- * @param email - (Multi-user only) The email address to match against cached
- *                credentials. Ignored in single-user mode.
  * @returns A promise resolving to a {@link PreCheckResult}.
  *
  * @example
  * ```ts
- * const result = await preCheckLogin(password, 'multi-user', email);
+ * const result = await preCheckLogin(password);
  * if (result.proceed) {
  *   const { error } = await supabase.auth.signInWithPassword({ email, password });
- *   if (error) await onLoginFailure(result.strategy, 'multi-user');
+ *   if (error) await onLoginFailure(result.strategy);
  *   else onLoginSuccess();
  * } else {
  *   showError(result.error);
@@ -162,22 +137,14 @@ async function invalidateCachedHash(mode) {
  * @see {@link onLoginSuccess} -- must be called after a successful Supabase login.
  * @see {@link onLoginFailure} -- must be called after a failed Supabase login.
  */
-export async function preCheckLogin(input, mode, email) {
+export async function preCheckLogin(input) {
     try {
         let cachedHash;
-        if (mode === 'single-user') {
-            const config = getEngineConfig();
-            const db = config.db;
-            if (db) {
-                const record = await db.table('singleUserConfig').get('config');
-                cachedHash = record?.gateHash;
-            }
-        }
-        else {
-            const creds = await getOfflineCredentials();
-            if (creds && email && creds.email === email && creds.password) {
-                cachedHash = creds.password;
-            }
+        const config = getEngineConfig();
+        const db = config.db;
+        if (db) {
+            const record = await db.table('singleUserConfig').get('config');
+            cachedHash = record?.gateHash;
         }
         if (cachedHash) {
             /* We have a cached hash -- compare locally before touching the network. */
@@ -196,7 +163,7 @@ export async function preCheckLogin(input, mode, email) {
                    on another device). Invalidate it so subsequent attempts go directly
                    to Supabase in rate-limited mode. */
                 debugWarn('[LoginGuard] Threshold exceeded, invalidating cached hash');
-                await invalidateCachedHash(mode);
+                await invalidateCachedHash();
                 consecutiveLocalFailures = 0;
                 /* Fall through to rate-limited Supabase mode */
                 const rateCheck = checkRateLimit();
@@ -262,24 +229,22 @@ export function onLoginSuccess() {
  *
  * @param strategy - The {@link PreCheckStrategy} that was returned by
  *                   {@link preCheckLogin} for this attempt.
- * @param mode - The auth mode, used to determine which IndexedDB table to
- *               invalidate if the hash is stale. Defaults to `'multi-user'`.
  *
  * @example
  * ```ts
- * const result = await preCheckLogin(password, 'multi-user', email);
+ * const result = await preCheckLogin(password);
  * if (result.proceed) {
  *   const { error } = await supabase.auth.signInWithPassword({ email, password });
- *   if (error) await onLoginFailure(result.strategy, 'multi-user');
+ *   if (error) await onLoginFailure(result.strategy);
  * }
  * ```
  */
-export async function onLoginFailure(strategy, mode = 'multi-user') {
+export async function onLoginFailure(strategy) {
     if (strategy === 'local-match') {
         /* Stale hash: local match but Supabase rejected -- invalidate the cache
            so the user is not stuck in a loop of false local matches. */
         debugWarn('[LoginGuard] Stale hash detected, invalidating cached hash');
-        await invalidateCachedHash(mode);
+        await invalidateCachedHash();
     }
     else {
         /* No-cache mode: apply exponential backoff to throttle brute-force

package/dist/auth/loginGuard.js.map

@@ -1 +1 @@
-{"version":3,"file":"loginGuard.js","sourceRoot":"","sources":["../../src/auth/loginGuard.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,UAAU,CAAC;AACrC,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAC7D,OAAO,EAAE,eAAe,EAAE,MAAM,WAAW,CAAC;AAC5C,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,UAAU,CAAC;AAE/C,gFAAgF;AAChF,YAAY;AACZ,gFAAgF;AAEhF;;;GAGG;AACH,MAAM,uBAAuB,GAAG,CAAC,CAAC;AAElC,qEAAqE;AACrE,MAAM,aAAa,GAAG,IAAI,CAAC;AAE3B,0EAA0E;AAC1E,MAAM,YAAY,GAAG,KAAK,CAAC;AAE3B,wEAAwE;AACxE,MAAM,kBAAkB,GAAG,CAAC,CAAC;AAE7B,gFAAgF;AAChF,kBAAkB;AAClB,gFAAgF;AAEhF;;;GAGG;AACH,IAAI,wBAAwB,GAAG,CAAC,CAAC;AAEjC;;;GAGG;AACH,IAAI,iBAAiB,GAAG,CAAC,CAAC;AAE1B;;;GAGG;AACH,IAAI,kBAAkB,GAAG,CAAC,CAAC;AA4B3B,gFAAgF;AAChF,mBAAmB;AACnB,gFAAgF;AAEhF;;;;;GAKG;AACH,SAAS,cAAc;IACrB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,IAAI,kBAAkB,GAAG,GAAG,EAAE,CAAC;QAC7B,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,YAAY,EAAE,kBAAkB,GAAG,GAAG,EAAE,CAAC;IACpE,CAAC;IACD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;AAC3B,CAAC;AAED;;;;;;;;;;;GAWG;AACH,KAAK,UAAU,oBAAoB,CAAC,IAAkC;IACpE,IAAI,CAAC;QACH,IAAI,IAAI,KAAK,aAAa,EAAE,CAAC;YAC3B,MAAM,MAAM,GAAG,eAAe,EAAE,CAAC;YACjC,MAAM,EAAE,GAAG,MAAM,CAAC,EAAE,CAAC;YACrB,IAAI,EAAE,EAAE,CAAC;gBACP,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;gBAChE,IAAI,MAAM,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;oBAC9B,MAAM,EAAE,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC,MAAM,CAAC,QAAQ,EAAE;wBAClD,QAAQ,EAAE,SAAS;wBACnB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;qBACpC,CAAC,CAAC;oBACH,QAAQ,CAAC,+CAA+C,CAAC,CAAC;gBAC5D,CAAC;YACH,CAAC;QACH,CAAC;aAAM,CAAC;YACN,MAAM,MAAM,GAAG,eAAe,EAAE,CAAC;YACjC,MAAM,EAAE,GAAG,MAAM,CAAC,EAAE,CAAC;YACrB,IAAI,EAAE,EAAE,CAAC;gBACP,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;gBACxE,IAAI,MAAM,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;oBAC9B,MAAM,EAAE,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC,MAAM,CAAC,cAAc,EAAE;wBAC1D,QAAQ,EAAE,SAAS;wBACnB,QAAQ,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;qBACnC,CAAC,CAAC;oBACH,QAAQ,CAAC,4DAA4D,CAAC,CAAC;gBACzE,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,SAAS,CAAC,gDAAgD,EAAE,CAAC,CAAC,CAAC;IACjE,CAAC;AACH,CAAC;AAED,gFAAgF;AAChF,aAAa;AACb,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,KAAa,EACb,IAAkC,EAClC,KAAc;IAEd,IAAI,CAAC;QACH,IAAI,UAA8B,CAAC;QAEnC,IAAI,IAAI,KAAK,aAAa,EAAE,CAAC;YAC3B,MAAM,MAAM,GAAG,eAAe,EAAE,CAAC;YACjC,MAAM,EAAE,GAAG,MAAM,CAAC,EAAE,CAAC;YACrB,IAAI,EAAE,EAAE,CAAC;gBACP,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;gBAChE,UAAU,GAAG,MAAM,EAAE,QAAQ,CAAC;YAChC,CAAC;QACH,CAAC;aAAM,CAAC;YACN,MAAM,KAAK,GAAG,MAAM,qBAAqB,EAAE,CAAC;YAC5C,IAAI,KAAK,IAAI,KAAK,IAAI,KAAK,CAAC,KAAK,KAAK,KAAK,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;gBAC9D,UAAU,GAAG,KAAK,CAAC,QAAQ,CAAC;YAC9B,CAAC;QACH,CAAC;QAED,IAAI,UAAU,EAAE,CAAC;YACf,2EAA2E;YAC3E,MAAM,SAAS,GAAG,MAAM,SAAS,CAAC,KAAK,CAAC,CAAC;YAEzC,IAAI,SAAS,KAAK,UAAU,EAAE,CAAC;gBAC7B;oFACoE;gBACpE,QAAQ,CAAC,uDAAuD,CAAC,CAAC;gBAClE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,aAAa,EAAE,CAAC;YACpD,CAAC;YAED,yEAAyE;YACzE,wBAAwB,EAAE,CAAC;YAC3B,SAAS,CACP,qCAAqC,wBAAwB,IAAI,uBAAuB,GAAG,CAC5F,CAAC;YAEF,IAAI,wBAAwB,IAAI,uBAAuB,EAAE,CAAC;gBACxD;;uDAEuC;gBACvC,SAAS,CAAC,2DAA2D,CAAC,CAAC;gBACvE,MAAM,oBAAoB,CAAC,IAAI,CAAC,CAAC;gBACjC,wBAAwB,GAAG,CAAC,CAAC;gBAE7B,gDAAgD;gBAChD,MAAM,SAAS,GAAG,cAAc,EAAE,CAAC;gBACnC,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,CAAC;oBACvB,OAAO;wBACL,OAAO,EAAE,KAAK;wBACd,KAAK,EAAE,qDAAqD;wBAC5D,YAAY,EAAE,SAAS,CAAC,YAAY;qBACrC,CAAC;gBACJ,CAAC;gBAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,UAAU,EAAE,CAAC;YACjD,CAAC;YAED,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,4BAA4B,EAAE,CAAC;QACjE,CAAC;QAED,kDAAkD;QAClD,MAAM,SAAS,GAAG,cAAc,EAAE,CAAC;QACnC,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,CAAC;YACvB,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,qDAAqD;gBAC5D,YAAY,EAAE,SAAS,CAAC,YAAY;aACrC,CAAC;QACJ,CAAC;QAED,QAAQ,CAAC,yEAAyE,CAAC,CAAC;QACpF,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,UAAU,EAAE,CAAC;IACjD,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX;;6CAEqC;QACrC,SAAS,CAAC,4DAA4D,EAAE,CAAC,CAAC,CAAC;QAC3E,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,UAAU,EAAE,CAAC;IACjD,CAAC;AACH,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,cAAc;IAC5B,wBAAwB,GAAG,CAAC,CAAC;IAC7B,iBAAiB,GAAG,CAAC,CAAC;IACtB,kBAAkB,GAAG,CAAC,CAAC;IACvB,QAAQ,CAAC,4CAA4C,CAAC,CAAC;AACzD,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,QAA0B,EAC1B,OAAqC,YAAY;IAEjD,IAAI,QAAQ,KAAK,aAAa,EAAE,CAAC;QAC/B;wEACgE;QAChE,SAAS,CAAC,4DAA4D,CAAC,CAAC;QACxE,MAAM,oBAAoB,CAAC,IAAI,CAAC,CAAC;IACnC,CAAC;SAAM,CAAC;QACN;uDAC+C;QAC/C,iBAAiB,EAAE,CAAC;QACpB,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CACpB,aAAa,GAAG,IAAI,CAAC,GAAG,CAAC,kBAAkB,EAAE,iBAAiB,GAAG,CAAC,CAAC,EACnE,YAAY,CACb,CAAC;QACF,kBAAkB,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC;QACxC,SAAS,CAAC,oCAAoC,KAAK,qBAAqB,iBAAiB,GAAG,CAAC,CAAC;IAChG,CAAC;AACH,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,eAAe;IAC7B,wBAAwB,GAAG,CAAC,CAAC;IAC7B,iBAAiB,GAAG,CAAC,CAAC;IACtB,kBAAkB,GAAG,CAAC,CAAC;IACvB,QAAQ,CAAC,0BAA0B,CAAC,CAAC;AACvC,CAAC"}
+{"version":3,"file":"loginGuard.js","sourceRoot":"","sources":["../../src/auth/loginGuard.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,UAAU,CAAC;AACrC,OAAO,EAAE,eAAe,EAAE,MAAM,WAAW,CAAC;AAC5C,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,UAAU,CAAC;AAE/C,gFAAgF;AAChF,YAAY;AACZ,gFAAgF;AAEhF;;;GAGG;AACH,MAAM,uBAAuB,GAAG,CAAC,CAAC;AAElC,qEAAqE;AACrE,MAAM,aAAa,GAAG,IAAI,CAAC;AAE3B,0EAA0E;AAC1E,MAAM,YAAY,GAAG,KAAK,CAAC;AAE3B,wEAAwE;AACxE,MAAM,kBAAkB,GAAG,CAAC,CAAC;AAE7B,gFAAgF;AAChF,kBAAkB;AAClB,gFAAgF;AAEhF;;;GAGG;AACH,IAAI,wBAAwB,GAAG,CAAC,CAAC;AAEjC;;;GAGG;AACH,IAAI,iBAAiB,GAAG,CAAC,CAAC;AAE1B;;;GAGG;AACH,IAAI,kBAAkB,GAAG,CAAC,CAAC;AA4B3B,gFAAgF;AAChF,mBAAmB;AACnB,gFAAgF;AAEhF;;;;;GAKG;AACH,SAAS,cAAc;IACrB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,IAAI,kBAAkB,GAAG,GAAG,EAAE,CAAC;QAC7B,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,YAAY,EAAE,kBAAkB,GAAG,GAAG,EAAE,CAAC;IACpE,CAAC;IACD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;AAC3B,CAAC;AAED;;;;;;;;GAQG;AACH,KAAK,UAAU,oBAAoB;IACjC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,eAAe,EAAE,CAAC;QACjC,MAAM,EAAE,GAAG,MAAM,CAAC,EAAE,CAAC;QACrB,IAAI,EAAE,EAAE,CAAC;YACP,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;YAChE,IAAI,MAAM,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;gBAC9B,MAAM,EAAE,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC,MAAM,CAAC,QAAQ,EAAE;oBAClD,QAAQ,EAAE,SAAS;oBACnB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;iBACpC,CAAC,CAAC;gBACH,QAAQ,CAAC,+CAA+C,CAAC,CAAC;YAC5D,CAAC;QACH,CAAC;IACH,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,SAAS,CAAC,gDAAgD,EAAE,CAAC,CAAC,CAAC;IACjE,CAAC;AACH,CAAC;AAED,gFAAgF;AAChF,aAAa;AACb,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,KAAa;IAC/C,IAAI,CAAC;QACH,IAAI,UAA8B,CAAC;QAEnC,MAAM,MAAM,GAAG,eAAe,EAAE,CAAC;QACjC,MAAM,EAAE,GAAG,MAAM,CAAC,EAAE,CAAC;QACrB,IAAI,EAAE,EAAE,CAAC;YACP,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;YAChE,UAAU,GAAG,MAAM,EAAE,QAAQ,CAAC;QAChC,CAAC;QAED,IAAI,UAAU,EAAE,CAAC;YACf,2EAA2E;YAC3E,MAAM,SAAS,GAAG,MAAM,SAAS,CAAC,KAAK,CAAC,CAAC;YAEzC,IAAI,SAAS,KAAK,UAAU,EAAE,CAAC;gBAC7B;oFACoE;gBACpE,QAAQ,CAAC,uDAAuD,CAAC,CAAC;gBAClE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,aAAa,EAAE,CAAC;YACpD,CAAC;YAED,yEAAyE;YACzE,wBAAwB,EAAE,CAAC;YAC3B,SAAS,CACP,qCAAqC,wBAAwB,IAAI,uBAAuB,GAAG,CAC5F,CAAC;YAEF,IAAI,wBAAwB,IAAI,uBAAuB,EAAE,CAAC;gBACxD;;uDAEuC;gBACvC,SAAS,CAAC,2DAA2D,CAAC,CAAC;gBACvE,MAAM,oBAAoB,EAAE,CAAC;gBAC7B,wBAAwB,GAAG,CAAC,CAAC;gBAE7B,gDAAgD;gBAChD,MAAM,SAAS,GAAG,cAAc,EAAE,CAAC;gBACnC,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,CAAC;oBACvB,OAAO;wBACL,OAAO,EAAE,KAAK;wBACd,KAAK,EAAE,qDAAqD;wBAC5D,YAAY,EAAE,SAAS,CAAC,YAAY;qBACrC,CAAC;gBACJ,CAAC;gBAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,UAAU,EAAE,CAAC;YACjD,CAAC;YAED,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,4BAA4B,EAAE,CAAC;QACjE,CAAC;QAED,kDAAkD;QAClD,MAAM,SAAS,GAAG,cAAc,EAAE,CAAC;QACnC,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,CAAC;YACvB,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,qDAAqD;gBAC5D,YAAY,EAAE,SAAS,CAAC,YAAY;aACrC,CAAC;QACJ,CAAC;QAED,QAAQ,CAAC,yEAAyE,CAAC,CAAC;QACpF,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,UAAU,EAAE,CAAC;IACjD,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX;;6CAEqC;QACrC,SAAS,CAAC,4DAA4D,EAAE,CAAC,CAAC,CAAC;QAC3E,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,UAAU,EAAE,CAAC;IACjD,CAAC;AACH,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,cAAc;IAC5B,wBAAwB,GAAG,CAAC,CAAC;IAC7B,iBAAiB,GAAG,CAAC,CAAC;IACtB,kBAAkB,GAAG,CAAC,CAAC;IACvB,QAAQ,CAAC,4CAA4C,CAAC,CAAC;AACzD,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,QAA0B;IAC7D,IAAI,QAAQ,KAAK,aAAa,EAAE,CAAC;QAC/B;wEACgE;QAChE,SAAS,CAAC,4DAA4D,CAAC,CAAC;QACxE,MAAM,oBAAoB,EAAE,CAAC;IAC/B,CAAC;SAAM,CAAC;QACN;uDAC+C;QAC/C,iBAAiB,EAAE,CAAC;QACpB,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CACpB,aAAa,GAAG,IAAI,CAAC,GAAG,CAAC,kBAAkB,EAAE,iBAAiB,GAAG,CAAC,CAAC,EACnE,YAAY,CACb,CAAC;QACF,kBAAkB,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC;QACxC,SAAS,CAAC,oCAAoC,KAAK,qBAAqB,iBAAiB,GAAG,CAAC,CAAC;IAChG,CAAC;AACH,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,eAAe;IAC7B,wBAAwB,GAAG,CAAC,CAAC;IAC7B,iBAAiB,GAAG,CAAC,CAAC;IACtB,kBAAkB,GAAG,CAAC,CAAC;IACvB,QAAQ,CAAC,0BAA0B,CAAC,CAAC;AACvC,CAAC"}

package/dist/auth/offlineCredentials.d.ts

@@ -1,25 +1,22 @@
 /**
  * @fileoverview Offline Credentials Management
  *
- * Handles caching, retrieval, verification, and update of user credentials
- * in IndexedDB for offline login support. When the user successfully
- * authenticates online via Supabase, their credentials are cached locally
- * (with the password SHA-256-hashed) so they can log in again while offline.
+ * Handles caching, retrieval, and update of user credentials in IndexedDB
+ * for offline fallback support. When the user successfully authenticates
+ * online via Supabase, their credentials are cached locally (with the
+ * password SHA-256-hashed) so profile data is available while offline.
  *
  * Architecture:
  * - Credentials are stored as a singleton record (key: `'current_user'`) in the
  *   `offlineCredentials` IndexedDB table.
- * - Only one set of credentials is cached at a time. In multi-user apps, the
- *   last successfully authenticated user's credentials are stored.
+ * - Only one set of credentials is cached at a time.
  * - The profile blob is extracted via the host app's `profileExtractor` config
  *   callback, or falls back to raw Supabase `user_metadata`.
  *
  * Security considerations:
  * - Passwords are **always** hashed with SHA-256 before storage. The plaintext
  *   password is never persisted.
- * - Legacy plaintext credentials (from before the hashing migration) are
- *   supported in `verifyOfflineCredentials` via the `isAlreadyHashed` check,
- *   but new writes always hash.
+ * - New writes always hash the password before storage.
  * - A paranoid read-back verification is performed after `cacheOfflineCredentials`
  *   to ensure the password was actually persisted (guards against silent
  *   IndexedDB write failures).
@@ -75,56 +72,6 @@ export declare function cacheOfflineCredentials(email: string, password: string,
  * ```
  */
 export declare function getOfflineCredentials(): Promise<OfflineCredentials | null>;
-/**
- * Verify email and password against cached credentials.
- *
- * Performs a multi-field comparison:
- * 1. Checks that cached credentials exist.
- * 2. Verifies the `userId` matches (prevents cross-user attacks).
- * 3. Verifies the `email` matches (prevents credential reuse across accounts).
- * 4. Verifies the password by hashing the input and comparing against the
- *    stored hash (or plaintext for legacy records).
- *
- * @param email          - The email to verify against cached credentials.
- * @param password       - The plaintext password to verify.
- * @param expectedUserId - The Supabase user ID that the credentials should belong to.
- *                          Prevents offline login with credentials cached from a
- *                          different user.
- * @returns An object with `valid: true` on success, or `valid: false` with a
- *          `reason` string identifying which check failed.
- *
- * @example
- * ```ts
- * const result = await verifyOfflineCredentials(email, password, userId);
- * if (result.valid) {
- *   await createOfflineSession(userId);
- * } else {
- *   console.warn('Verification failed:', result.reason);
- * }
- * ```
- *
- * @see {@link cacheOfflineCredentials} for how credentials are stored.
- */
-export declare function verifyOfflineCredentials(email: string, password: string, expectedUserId: string): Promise<{
-    valid: boolean;
-    reason?: string;
-}>;
-/**
- * Update the cached password hash after an online password change.
- *
- * Should be called whenever the user changes their password while online,
- * so the offline cache stays in sync and the login guard does not flag
- * the old hash as stale.
- *
- * @param newPassword - The new plaintext password. Will be SHA-256-hashed before storage.
- *
- * @example
- * ```ts
- * await supabase.auth.updateUser({ password: newPassword });
- * await updateOfflineCredentialsPassword(newPassword);
- * ```
- */
-export declare function updateOfflineCredentialsPassword(newPassword: string): Promise<void>;
 /**
  * Update the user profile in cached credentials after an online profile update.
  *

package/dist/auth/offlineCredentials.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"offlineCredentials.d.ts","sourceRoot":"","sources":["../../src/auth/offlineCredentials.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AAGH,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAC;AACnD,OAAO,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,uBAAuB,CAAC;AAmB3D;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,wBAAsB,uBAAuB,CAC3C,KAAK,EAAE,MAAM,EACb,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,IAAI,EACV,QAAQ,EAAE,OAAO,GAChB,OAAO,CAAC,IAAI,CAAC,CAyCf;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAsB,qBAAqB,IAAI,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CAQhF;AAMD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,wBAAsB,wBAAwB,CAC5C,KAAK,EAAE,MAAM,EACb,QAAQ,EAAE,MAAM,EAChB,cAAc,EAAE,MAAM,GACrB,OAAO,CAAC;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAkD9C;AAMD;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,gCAAgC,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAYzF;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAsB,+BAA+B,CACnD,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC/B,OAAO,CAAC,IAAI,CAAC,CAWf;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAsB,uBAAuB,IAAI,OAAO,CAAC,IAAI,CAAC,CAG7D"}
+{"version":3,"file":"offlineCredentials.d.ts","sourceRoot":"","sources":["../../src/auth/offlineCredentials.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAGH,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAC;AACnD,OAAO,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,uBAAuB,CAAC;AAmB3D;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,wBAAsB,uBAAuB,CAC3C,KAAK,EAAE,MAAM,EACb,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,IAAI,EACV,QAAQ,EAAE,OAAO,GAChB,OAAO,CAAC,IAAI,CAAC,CAyCf;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAsB,qBAAqB,IAAI,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CAQhF;AAMD;;;;;;;;;;;;;GAaG;AACH,wBAAsB,+BAA+B,CACnD,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC/B,OAAO,CAAC,IAAI,CAAC,CAWf;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAsB,uBAAuB,IAAI,OAAO,CAAC,IAAI,CAAC,CAG7D"}