@slock-ai/computer 0.0.25 → 0.0.26

package/dist/index.js

@@ -36,12 +36,12 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
   mod
 ));
 
-// ../../node_modules/.pnpm/tsup@8.5.1_jiti@2.6.1_postcss@8.5.8_tsx@4.21.0_typescript@5.9.3/node_modules/tsup/assets/esm_shims.js
+// ../../node_modules/.pnpm/tsup@8.5.1_jiti@2.7.0_postcss@8.5.8_tsx@4.21.0_typescript@5.9.3_yaml@2.9.0/node_modules/tsup/assets/esm_shims.js
 import path from "path";
 import { fileURLToPath } from "url";
 var getFilename, __filename;
 var init_esm_shims = __esm({
-  "../../node_modules/.pnpm/tsup@8.5.1_jiti@2.6.1_postcss@8.5.8_tsx@4.21.0_typescript@5.9.3/node_modules/tsup/assets/esm_shims.js"() {
+  "../../node_modules/.pnpm/tsup@8.5.1_jiti@2.7.0_postcss@8.5.8_tsx@4.21.0_typescript@5.9.3_yaml@2.9.0/node_modules/tsup/assets/esm_shims.js"() {
     "use strict";
     getFilename = () => fileURLToPath(import.meta.url);
     __filename = /* @__PURE__ */ getFilename();
@@ -29773,6 +29773,51 @@ var ComputerAttachClient = class {
     if (!code) return { status: "unexpected_response", httpStatus: res.status };
     return { status: "error", code };
   }
+  /**
+   * POST /api/computer/adopt-legacy — user-authed roster-selected adoption.
+   * Used by setup after the operator selected a server-rostered legacy
+   * candidate. The user session + serverSlug + legacyMachineId +
+   * apiKeyFingerprint are the authority; no raw legacy key is required.
+   */
+  async adoptLegacyByFingerprint(input) {
+    const res = await (0, import_undici.fetch)(this.url("/api/computer/adopt-legacy"), {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${this.accessToken}`
+      },
+      body: JSON.stringify({
+        serverSlug: input.serverSlug,
+        legacyMachineId: input.legacyMachineId,
+        apiKeyFingerprint: input.apiKeyFingerprint,
+        ...input.name ? { name: input.name } : {}
+      })
+    });
+    const body = await res.json().catch(() => null);
+    if (res.status === 201 && body && typeof body.apiKey === "string") {
+      return {
+        status: "success",
+        apiKey: body.apiKey,
+        computerId: String(body.computerId ?? ""),
+        machineId: String(body.machineId ?? ""),
+        serverId: String(body.serverId ?? ""),
+        resumed: body.resumed === true
+      };
+    }
+    const code = body && typeof body.code === "string" ? body.code : void 0;
+    if (res.status === 401) {
+      if (code === "legacy_key_invalid") return { status: "legacy_key_invalid" };
+      if (code === "auth_required") return { status: "auth_required" };
+      return { status: "unexpected_response", httpStatus: res.status, ...code ? { code } : {} };
+    }
+    if (res.status === 409 && code === "legacy_machine_key_migrated") {
+      return { status: "legacy_machine_key_migrated" };
+    }
+    if (res.status === 403) return { status: "not_authorized" };
+    if (res.status === 404) return { status: "disabled" };
+    if (!code) return { status: "unexpected_response", httpStatus: res.status };
+    return { status: "error", code };
+  }
   /**
    * POST /internal/computer/preflight — §9 READ-ONLY, side-effect-free.
    * Authenticated with the freshly-issued sk_computer_* (NOT the user
@@ -30630,10 +30675,6 @@ function emit3(opts, event) {
 }
 var LEGACY_STOP_WAIT_MS = 1e4;
 var LEGACY_STOP_POLL_MS = 200;
-function legacyLockOwnerPath(slockHome, rawKey) {
-  const fingerprint = createHash2("sha256").update(rawKey).digest("hex").slice(0, 16);
-  return join2(slockHome, "machines", `machine-${fingerprint}`, "daemon.lock", "owner.json");
-}
 function isProcessAlive(pid) {
   if (!Number.isInteger(pid) || pid <= 0) return false;
   try {
@@ -30715,9 +30756,7 @@ function formatLegacyOwnerEvidence(slockHome, evidence) {
   if (evidence.reason) fields.push(`ownerStatus=${evidence.reason}`);
   return fields.join(" ");
 }
-async function adoptLegacy(input, options = {}) {
-  options.signal?.throwIfAborted?.();
-  const slockHome = resolveSlockHome();
+async function readUserSessionContext(slockHome, serverUrl) {
   const sessionFile = userSessionPath(slockHome);
   let session;
   try {
@@ -30735,123 +30774,82 @@ async function adoptLegacy(input, options = {}) {
       `User session at ${sessionFile} is invalid. Re-run \`slock-computer login\`.`
     );
   }
-  const baseUrl = resolveServerUrl(input.serverUrl, session.serverUrl, process.env.SLOCK_SERVER_URL);
-  const slugForServer = normalizeServerSlug(input.serverSlug);
-  if (!slugForServer) {
-    throw new ComputerServiceError("ADOPT_NOT_AUTHORIZED", "Server slug must not be empty.");
-  }
-  options.signal?.throwIfAborted?.();
-  emit3(options, { type: "adopting", serverSlug: slugForServer, mode: input.mode });
-  const client = new ComputerAttachClient(baseUrl, session.accessToken);
-  const adoptStartedAt = /* @__PURE__ */ new Date();
-  const legacyOwnerFile = legacyLockOwnerPath(slockHome, input.rawKey);
-  const ownerEvidence = await readLegacyOwnerEvidence(legacyOwnerFile);
-  const result = await client.adoptLegacy(input.rawKey, input.name);
-  input.rawKey = void 0;
+  return {
+    accessToken: session.accessToken,
+    baseUrl: resolveServerUrl(serverUrl, session.serverUrl, process.env.SLOCK_SERVER_URL)
+  };
+}
+async function appendAdoptionFailureLog(slockHome, log, startedAt, failureReason, extra = {}) {
+  await appendAdoptionLog(slockHome, {
+    ...log,
+    startedAt,
+    outcome: "failed",
+    failureReason,
+    ...extra
+  });
+}
+async function completeAdoptionExchange(input, options) {
+  const {
+    slockHome,
+    client,
+    baseUrl,
+    slugForServer,
+    ownerEvidence,
+    legacyOwnerFile,
+    result,
+    startedAt,
+    log,
+    copy
+  } = input;
   if (result.status === "disabled") {
-    await appendAdoptionLog(slockHome, {
-      mode: input.mode,
-      redactedPrefix: input.redactedPrefix,
-      startedAt: adoptStartedAt,
-      outcome: "failed",
-      failureReason: "computer_adopt_disabled"
-    });
+    await appendAdoptionFailureLog(slockHome, log, startedAt, "computer_adopt_disabled");
     throw new ComputerServiceError(
       "ADOPT_DISABLED",
       "Computer legacy adoption is not enabled on this server. Upgrade the server or set SLOCK_DEVICE_LOGIN_ENABLED."
     );
   }
   if (result.status === "legacy_key_invalid") {
-    await appendAdoptionLog(slockHome, {
-      mode: input.mode,
-      redactedPrefix: input.redactedPrefix,
-      startedAt: adoptStartedAt,
-      outcome: "failed",
-      failureReason: "legacy_key_invalid"
-    });
-    throw new ComputerServiceError(
-      "LEGACY_KEY_INVALID",
-      `Server rejected the legacy api key (unknown / wrong server / malformed). Local legacy owner evidence for this key: ${formatLegacyOwnerEvidence(slockHome, ownerEvidence)}. Verify the key came from this SLOCK_HOME and server, or use a fresh isolated SLOCK_HOME for a clean Computer setup.`
-    );
+    await appendAdoptionFailureLog(slockHome, log, startedAt, copy.invalidFailureReason);
+    throw new ComputerServiceError("LEGACY_KEY_INVALID", copy.invalidMessage);
   }
   if (result.status === "legacy_machine_key_migrated") {
-    await appendAdoptionLog(slockHome, {
-      mode: input.mode,
-      redactedPrefix: input.redactedPrefix,
-      startedAt: adoptStartedAt,
-      outcome: "failed",
-      failureReason: "legacy_machine_key_migrated"
-    });
-    throw new ComputerServiceError(
-      "LEGACY_MACHINE_KEY_MIGRATED",
-      `This machine has already been adopted; the legacy key is no longer accepted. Local legacy owner evidence for this key: ${formatLegacyOwnerEvidence(slockHome, ownerEvidence)}. Use \`slock-computer attach\` to add another Computer attachment, or use a fresh isolated SLOCK_HOME for a clean setup.`
-    );
+    await appendAdoptionFailureLog(slockHome, log, startedAt, "legacy_machine_key_migrated");
+    throw new ComputerServiceError("LEGACY_MACHINE_KEY_MIGRATED", copy.migratedMessage);
   }
   if (result.status === "auth_required") {
-    await appendAdoptionLog(slockHome, {
-      mode: input.mode,
-      redactedPrefix: input.redactedPrefix,
-      startedAt: adoptStartedAt,
-      outcome: "failed",
-      failureReason: "auth_required"
-    });
-    throw new ComputerServiceError(
-      "ADOPT_AUTH_REQUIRED",
-      `Your Computer user session was rejected by the server before legacy adoption. Local legacy owner evidence for this key: ${formatLegacyOwnerEvidence(slockHome, ownerEvidence)}. Re-run \`slock-computer login\` for this server (use the same \`--server-url\` if not on production), then retry the adopt command. No local Computer state was written.`
-    );
+    await appendAdoptionFailureLog(slockHome, log, startedAt, "auth_required");
+    throw new ComputerServiceError("ADOPT_AUTH_REQUIRED", copy.authRequiredMessage);
   }
   if (result.status === "not_authorized") {
-    await appendAdoptionLog(slockHome, {
-      mode: input.mode,
-      redactedPrefix: input.redactedPrefix,
-      startedAt: adoptStartedAt,
-      outcome: "failed",
-      failureReason: "not_authorized"
-    });
+    await appendAdoptionFailureLog(slockHome, log, startedAt, "not_authorized");
     throw new ComputerServiceError(
       "ADOPT_NOT_AUTHORIZED",
       "Not authorized to adopt this machine on this server. Check that you are a current member."
     );
   }
   if (result.status === "unexpected_response") {
-    await appendAdoptionLog(slockHome, {
-      mode: input.mode,
-      redactedPrefix: input.redactedPrefix,
-      startedAt: adoptStartedAt,
-      outcome: "failed",
-      failureReason: result.code ? `unexpected_response_${result.code}` : "unexpected_response_missing_code"
-    });
+    await appendAdoptionFailureLog(
+      slockHome,
+      log,
+      startedAt,
+      result.code ? `unexpected_response_${result.code}` : "unexpected_response_missing_code"
+    );
     const responseDetail = result.code ? `status ${result.httpStatus}, code ${result.code}` : `status ${result.httpStatus}, missing error code`;
-    const authHint = result.httpStatus === 401 ? " If your server may be on an older release that does not emit `code: auth_required`, re-run `slock-computer login` first to refresh your user session, then retry. If the issue persists, report it as server contract drift." : "";
+    const authHint = copy.unexpectedAuthHint?.(result.httpStatus) ?? "";
     throw new ComputerServiceError(
       "ADOPT_UNEXPECTED_RESPONSE",
-      `Server returned an unexpected legacy adoption response (${responseDetail}).${authHint} Local legacy owner evidence for this key: ${formatLegacyOwnerEvidence(slockHome, ownerEvidence)}. Please report this with the command, server URL, and SLOCK_HOME; no local Computer state was written.`
+      `Server returned an unexpected legacy adoption response (${responseDetail}).${authHint} Local legacy owner evidence: ${formatLegacyOwnerEvidence(slockHome, ownerEvidence)}. Please report this with the command, server URL, and SLOCK_HOME; no local Computer state was written.`
     );
   }
   if (result.status === "error") {
-    await appendAdoptionLog(slockHome, {
-      mode: input.mode,
-      redactedPrefix: input.redactedPrefix,
-      startedAt: adoptStartedAt,
-      outcome: "failed",
-      failureReason: result.code
-    });
-    throw new ComputerServiceError(
-      "ADOPT_FAILED",
-      `Adoption failed at server exchange (${result.code}). Local legacy owner evidence for this key: ${formatLegacyOwnerEvidence(slockHome, ownerEvidence)}. Confirm the user session is valid, the legacy key belongs to this server/SLOCK_HOME, and the server URL is correct. No local Computer state was written.`
-    );
+    await appendAdoptionFailureLog(slockHome, log, startedAt, result.code);
+    throw new ComputerServiceError("ADOPT_FAILED", copy.failedMessage(result.code));
   }
   emit3(options, { type: "preflight", resumed: result.resumed });
   options.signal?.throwIfAborted?.();
   const pre = await client.preflight(result.apiKey);
   if (!pre.ok) {
-    await appendAdoptionLog(slockHome, {
-      mode: input.mode,
-      redactedPrefix: input.redactedPrefix,
-      startedAt: adoptStartedAt,
-      outcome: "failed",
-      failureReason: `preflight_${pre.code}`
-    });
+    await appendAdoptionFailureLog(slockHome, log, startedAt, `preflight_${pre.code}`);
     throw new ComputerServiceError(
       "PREFLIGHT_FAILED",
       `Server preflight failed (${pre.code}); local state not written. Upgrade the server or retry.`
@@ -30860,12 +30858,7 @@ async function adoptLegacy(input, options = {}) {
   options.signal?.throwIfAborted?.();
   const stop2 = await stopLegacyDaemonByOwnerFile(legacyOwnerFile);
   if (stop2.outcome === "timed_out" || stop2.outcome === "denied" || stop2.outcome === "error") {
-    await appendAdoptionLog(slockHome, {
-      mode: input.mode,
-      redactedPrefix: input.redactedPrefix,
-      startedAt: adoptStartedAt,
-      outcome: "failed",
-      failureReason: `legacy_stop_${stop2.outcome}`,
+    await appendAdoptionFailureLog(slockHome, log, startedAt, `legacy_stop_${stop2.outcome}`, {
       computerId: result.computerId,
       machineId: result.machineId,
       serverId: result.serverId,
@@ -30874,7 +30867,7 @@ async function adoptLegacy(input, options = {}) {
     const detail = stop2.outcome === "timed_out" ? `pid ${stop2.pid} did not exit within ${LEGACY_STOP_WAIT_MS}ms` : stop2.outcome === "denied" ? `pid ${stop2.pid} cannot be stopped (permission denied)` : `stop attempt error (${stop2.reason ?? "unknown"})`;
     throw new ComputerServiceError(
       "LEGACY_DAEMON_STOP_FAILED",
-      `Adoption succeeded server-side but the legacy daemon could not be stopped: ${detail}. Stop it manually and re-run \`slock-computer adopt-legacy\`, or run \`slock-computer attach\` after confirming the legacy process is gone. No local Computer state was written.`
+      `Adoption succeeded server-side but the legacy daemon could not be stopped: ${detail}. Stop it manually and re-run ${copy.stopFailureRetryCommand}, or run \`slock-computer attach\` after confirming the legacy process is gone. No local Computer state was written.`
     );
   }
   const file = serverAttachmentPath(slockHome, result.serverId);
@@ -30900,9 +30893,8 @@ async function adoptLegacy(input, options = {}) {
   );
   await chmod3(file, 384);
   await appendAdoptionLog(slockHome, {
-    mode: input.mode,
-    redactedPrefix: input.redactedPrefix,
-    startedAt: adoptStartedAt,
+    ...log,
+    startedAt,
     outcome: "succeeded",
     computerId: result.computerId,
     machineId: result.machineId,
@@ -30933,6 +30925,48 @@ async function adoptLegacy(input, options = {}) {
     legacyStop: stop2
   };
 }
+async function adoptLegacyByFingerprint(input, options = {}) {
+  options.signal?.throwIfAborted?.();
+  const slockHome = resolveSlockHome();
+  const { accessToken, baseUrl } = await readUserSessionContext(slockHome, input.serverUrl);
+  const slugForServer = normalizeServerSlug(input.serverSlug);
+  if (!slugForServer) {
+    throw new ComputerServiceError("ADOPT_NOT_AUTHORIZED", "Server slug must not be empty.");
+  }
+  options.signal?.throwIfAborted?.();
+  emit3(options, { type: "adopting", serverSlug: slugForServer, mode: "legacy_fingerprint_roster" });
+  const client = new ComputerAttachClient(baseUrl, accessToken);
+  const adoptStartedAt = /* @__PURE__ */ new Date();
+  const ownerEvidence = await readLegacyOwnerEvidence(input.legacyOwnerPath);
+  const result = await client.adoptLegacyByFingerprint({
+    serverSlug: slugForServer,
+    legacyMachineId: input.legacyMachineId,
+    apiKeyFingerprint: input.apiKeyFingerprint,
+    ...input.name ? { name: input.name } : {}
+  });
+  return completeAdoptionExchange(
+    {
+      slockHome,
+      client,
+      baseUrl,
+      slugForServer,
+      ownerEvidence,
+      legacyOwnerFile: input.legacyOwnerPath,
+      result,
+      startedAt: adoptStartedAt,
+      log: { mode: "legacy_fingerprint_roster", legacyFingerprint: input.apiKeyFingerprint },
+      copy: {
+        invalidFailureReason: "legacy_fingerprint_invalid",
+        invalidMessage: `Server rejected the selected legacy machine (unknown / wrong server / malformed fingerprint). Local legacy owner evidence for this candidate: ${formatLegacyOwnerEvidence(slockHome, ownerEvidence)}. Re-run setup and pick a currently listed legacy daemon, or choose fresh attach.`,
+        migratedMessage: `This machine has already been adopted. Local legacy owner evidence for this candidate: ${formatLegacyOwnerEvidence(slockHome, ownerEvidence)}. Use \`slock-computer attach\` to add another Computer attachment, or choose fresh attach in setup.`,
+        authRequiredMessage: `Your Computer user session was rejected by the server before legacy adoption. Local legacy owner evidence for this candidate: ${formatLegacyOwnerEvidence(slockHome, ownerEvidence)}. Re-run \`slock-computer login\` for this server, then retry setup. No local Computer state was written.`,
+        failedMessage: (code) => `Adoption failed at server exchange (${code}). Local legacy owner evidence for this candidate: ${formatLegacyOwnerEvidence(slockHome, ownerEvidence)}. Confirm the user session is valid and the server URL is correct. No local Computer state was written.`,
+        stopFailureRetryCommand: `\`slock-computer setup ${formatServerSlugDisplay(slugForServer)}\``
+      }
+    },
+    options
+  );
+}
 async function appendAdoptionLog(slockHome, line) {
   try {
     await mkdir4(computerDir(slockHome), { recursive: true });
@@ -30940,9 +30974,10 @@ async function appendAdoptionLog(slockHome, line) {
       `ts=${(/* @__PURE__ */ new Date()).toISOString()}`,
       `started_at=${line.startedAt.toISOString()}`,
       `outcome=${line.outcome}`,
-      `credential_bridge_mode=${line.mode}`,
-      `legacy_key_prefix=${line.redactedPrefix}`
+      `credential_bridge_mode=${line.mode}`
     ];
+    if (line.redactedPrefix) fields.push(`legacy_key_prefix=${line.redactedPrefix}`);
+    if (line.legacyFingerprint) fields.push(`legacy_fingerprint=${line.legacyFingerprint}`);
     if (line.failureReason) fields.push(`failure_reason=${line.failureReason}`);
     if (line.computerId) fields.push(`computer_id=${line.computerId}`);
     if (line.machineId) fields.push(`legacy_machine_id=${line.machineId}`);
@@ -32293,17 +32328,6 @@ async function defaultPickMigrationCandidate(candidates) {
     }
   );
 }
-async function readLegacyApiKey(isTty) {
-  const fromEnv = process.env.SLOCK_LEGACY_API_KEY;
-  if (typeof fromEnv === "string" && fromEnv.length > 0) return fromEnv.trim();
-  if (!isTty) return "";
-  process.stdout.write(
-    "Paste legacy api key (sk_machine_* or sk_daemon_*); input is hidden: "
-  );
-  const { line } = await readLine(true);
-  process.stdout.write("\n");
-  return line.trim();
-}
 async function readLine(masked) {
   const stdin = process.stdin;
   const wasRaw = stdin.isTTY === true && stdin.isRaw === true;
@@ -32351,33 +32375,21 @@ async function readLine(masked) {
     stdin.on("end", onEnd);
   });
 }
-async function runMigrateAdoption(opts, candidate, isTty, adoptLegacyImpl, readLegacyApiKeyImpl) {
+async function runRosterAdoption(opts, candidate, adoptLegacyByFingerprintImpl) {
   const where = candidate.hostname ? ` (${candidate.hostname})` : "";
   const seen = candidate.lastSeenAt ? ` last seen ${candidate.lastSeenAt}` : "";
-  info(`Migration: adopting legacy daemon "${candidate.machineName}"${where}${seen}.`);
+  info(`Migration: adopting legacy daemon "${candidate.machineName}"${where}${seen} using logged-in user authorization.`);
   info(`  local owner.json: ${candidate.localPath}`);
-  const rawKey = await readLegacyApiKeyImpl(isTty);
-  if (rawKey.length === 0) {
-    fail(
-      "LEGACY_KEY_REQUIRED",
-      "No legacy api key provided. Set `SLOCK_LEGACY_API_KEY` or paste the legacy `sk_machine_*` / `sk_daemon_*` key when prompted."
-    );
-  }
-  if (!rawKey.startsWith("sk_machine_") && !rawKey.startsWith("sk_daemon_")) {
-    fail(
-      "LEGACY_KEY_INVALID",
-      "Provided key does not look like a legacy machine key (expected `sk_machine_*` or `sk_daemon_*`)."
-    );
-  }
+  info("  legacy api key: not required for setup after user login.");
   try {
-    await adoptLegacyImpl(
+    await adoptLegacyByFingerprintImpl(
       {
         serverSlug: opts.serverSlug,
         ...opts.serverUrl ? { serverUrl: opts.serverUrl } : {},
         ...opts.name ? { name: opts.name } : {},
-        rawKey,
-        mode: "legacy_key_stdin",
-        redactedPrefix: rawKey.slice(0, 8)
+        legacyMachineId: candidate.daemonId,
+        apiKeyFingerprint: candidate.apiKeyFingerprint,
+        legacyOwnerPath: candidate.localPath
       },
       {
         onEvent: (event) => {
@@ -32438,8 +32450,7 @@ async function runSetup(opts, deps = {}) {
   const validateManualPath = deps.validateManualMigratePath ?? validateManualMigratePath;
   const buildRoster = deps.buildRosterClient ?? ((baseUrl, accessToken) => new LegacyMachinesClient(baseUrl, accessToken));
   const pickCandidate = deps.pickMigrationCandidate ?? defaultPickMigrationCandidate;
-  const adoptLegacy2 = deps.adoptLegacy ?? adoptLegacy;
-  const readLegacyKey = deps.readLegacyApiKey ?? readLegacyApiKey;
+  const adoptLegacyByFingerprint2 = deps.adoptLegacyByFingerprint ?? adoptLegacyByFingerprint;
   if (!isTty && !opts.yes) {
     fail(
       "NON_INTERACTIVE_SETUP_REQUIRES_FLAGS",
@@ -32489,7 +32500,7 @@ async function runSetup(opts, deps = {}) {
       if (!validation.ok) {
         fail(validation.code, manualPathErrorMessage(validation.code, opts.migrateFrom));
       }
-      await runMigrateAdoption(opts, validation.candidate, isTty, adoptLegacy2, readLegacyKey);
+      await runRosterAdoption(opts, validation.candidate, adoptLegacyByFingerprint2);
       migrated = true;
     } else {
       const detection = await detectMigration(slockHome, opts.serverSlug, rosterClient);
@@ -32513,7 +32524,7 @@ async function runSetup(opts, deps = {}) {
                 `Picker returned candidate index ${selection.index} but only ${detection.candidates.length} candidate(s) were detected.`
               );
             }
-            await runMigrateAdoption(opts, candidate, isTty, adoptLegacy2, readLegacyKey);
+            await runRosterAdoption(opts, candidate, adoptLegacyByFingerprint2);
             migrated = true;
             break pickerLoop;
           } else if (selection.kind === "manual") {
@@ -32535,13 +32546,7 @@ async function runSetup(opts, deps = {}) {
               );
               continue pickerLoop;
             }
-            await runMigrateAdoption(
-              opts,
-              validation.candidate,
-              isTty,
-              adoptLegacy2,
-              readLegacyKey
-            );
+            await runRosterAdoption(opts, validation.candidate, adoptLegacyByFingerprint2);
             migrated = true;
             break pickerLoop;
           } else {

package/dist/lib/index.d.ts

@@ -437,10 +437,11 @@ interface LegacyMachineCandidate {
  * Fingerprint discipline (Cody msg=ec68c27f redline):
  *   - `apiKeyFingerprint` is treated as a sensitive identity. It is
  *     scoped to this caller's authenticated request and never logged.
- *   - The intersection is the trust-gate: a candidate proves the
- *     server has a roster row keyed by the same fingerprint that
- *     appears in the local owner.json. Final adoption still walks
- *     `AdoptLegacyService.migrate()` credential validation.
+ *   - The intersection is setup's adoption identity after user login:
+ *     a candidate proves the server has a roster row keyed by the same
+ *     fingerprint that appears in the local owner.json. The server
+ *     still enforces ownership by requiring the session user to own the
+ *     selected machine row; fingerprint is only the selector.
  */
 /**
  * Closed set of `MigrationDetection.kind` discriminator values. Mirrors

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@slock-ai/computer",
-  "version": "0.0.25",
+  "version": "0.0.26",
   "description": "Slock Computer — standalone human/local-machine control-plane CLI (login + attach). Distinct from the agent-facing @slock-ai/cli.",
   "type": "module",
   "bin": {
@@ -28,7 +28,7 @@
     "commander": "^12.1.0",
     "proper-lockfile": "^4.1.2",
     "undici": "^7.24.7",
-    "@slock-ai/daemon": "0.55.6"
+    "@slock-ai/daemon": "0.56.0"
   },
   "devDependencies": {
     "@types/node": "^25.5.0",