estatehelm 1.0.0

package/dist/index.js

@@ -0,0 +1,3012 @@
+#!/usr/bin/env node
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+
+// src/index.ts
+var import_commander = require("commander");
+
+// src/login.ts
+var readline = __toESM(require("readline"));
+var import_open = __toESM(require("open"));
+
+// ../api-client/src/auth.ts
+var TokenAuthAdapter = class {
+  getToken;
+  constructor(getToken) {
+    this.getToken = getToken;
+  }
+  async getAuthHeaders() {
+    const token = await this.getToken();
+    if (token) {
+      return { Authorization: `Bearer ${token}` };
+    }
+    return {};
+  }
+  getCredentials() {
+    return "same-origin";
+  }
+};
+
+// ../api-client/src/types.ts
+var HOUSEHOLD_MEMBER_ROLES = {
+  OWNER: "owner",
+  MEMBER: "member",
+  EXECUTOR: "executor"
+};
+
+// ../api-client/src/client.ts
+var EntityBatcher = class {
+  pending = /* @__PURE__ */ new Map();
+  householdId = null;
+  includeDeleted = false;
+  timer = null;
+  fetchFn;
+  constructor(fetchFn) {
+    this.fetchFn = fetchFn;
+  }
+  request(householdId, entityType, includeDeleted = false) {
+    if (this.pending.size > 0 && this.householdId !== householdId) {
+      this.flush();
+    }
+    this.householdId = householdId;
+    this.includeDeleted = includeDeleted;
+    return new Promise((resolve, reject) => {
+      this.pending.set(entityType, { resolve, reject });
+      if (!this.timer) {
+        this.timer = setTimeout(() => this.flush(), 0);
+      }
+    });
+  }
+  async flush() {
+    const entityTypes = Array.from(this.pending.keys());
+    const callbacks = new Map(this.pending);
+    const householdId = this.householdId;
+    const includeDeleted = this.includeDeleted;
+    this.pending.clear();
+    this.timer = null;
+    this.householdId = null;
+    this.includeDeleted = false;
+    if (entityTypes.length === 0) return;
+    try {
+      const response = await this.fetchFn(householdId, entityTypes, includeDeleted);
+      const items = response.items || [];
+      const groupedByType = /* @__PURE__ */ new Map();
+      for (const type of entityTypes) {
+        groupedByType.set(type, []);
+      }
+      for (const item of items) {
+        const type = item.entityType;
+        if (groupedByType.has(type)) {
+          groupedByType.get(type).push(item);
+        }
+      }
+      for (const [type, { resolve }] of callbacks) {
+        resolve(groupedByType.get(type) || []);
+      }
+    } catch (err) {
+      for (const { reject } of callbacks.values()) {
+        reject(err);
+      }
+    }
+  }
+};
+var ApiClient = class {
+  config;
+  // Cache for in-flight GET requests to deduplicate concurrent calls
+  inFlightRequests = /* @__PURE__ */ new Map();
+  // Batcher for entity requests
+  entityBatcher;
+  constructor(config) {
+    this.config = config;
+    this.entityBatcher = new EntityBatcher(
+      (householdId, entityTypes, includeDeleted) => this.getEntitiesMultiple(householdId, entityTypes, includeDeleted)
+    );
+  }
+  getApiUrl(path3) {
+    const cleanPath = path3.startsWith("/") ? path3 : `/${path3}`;
+    return `${this.config.baseUrl}/api/${this.config.apiVersion}${cleanPath}`;
+  }
+  async request(method, path3, options) {
+    const url = this.getApiUrl(path3);
+    const authHeaders = await this.config.auth.getAuthHeaders();
+    const headers = {
+      "Content-Type": "application/json",
+      ...authHeaders,
+      ...options?.headers
+    };
+    const config = {
+      method,
+      headers,
+      credentials: this.config.auth.getCredentials()
+    };
+    if (options?.body) {
+      config.body = JSON.stringify(options.body);
+    }
+    let response;
+    try {
+      response = await fetch(url, config);
+    } catch (networkError) {
+      console.error("Network error:", { url, method, error: networkError });
+      const error = Object.assign(
+        new Error("Unable to connect to server. Please check your connection and try again."),
+        { status: 0, code: "NETWORK_ERROR", originalError: networkError }
+      );
+      throw error;
+    }
+    if (!response.ok) {
+      const error = await response.json().catch(() => ({
+        message: "An error occurred"
+      }));
+      const logLevel = response.status === 400 || response.status === 404 ? console.debug : console.error;
+      logLevel("API Error:", {
+        url,
+        method,
+        status: response.status,
+        error
+      });
+      if (response.status === 401) {
+        console.warn("Authentication required");
+        this.config.onAuthError?.();
+        throw Object.assign(new Error("Authentication required"), { status: 401 });
+      }
+      if (response.status === 402) {
+        throw Object.assign(
+          new Error(error.message || "Upgrade required to access this feature"),
+          {
+            status: 402,
+            code: error.error || "limit_exceeded",
+            details: error.details,
+            requiredPlan: error.details?.requiredPlan
+          }
+        );
+      }
+      if (response.status === 403) {
+        throw Object.assign(
+          new Error(error.message || "You do not have permission to perform this action"),
+          { status: 403, code: "FORBIDDEN" }
+        );
+      }
+      if (response.status === 412) {
+        throw Object.assign(
+          new Error("VERSION_CONFLICT"),
+          {
+            status: 412,
+            code: "VERSION_CONFLICT",
+            currentVersion: error.details?.currentVersion,
+            expectedVersion: error.details?.expectedVersion
+          }
+        );
+      }
+      let errorMessage = error.error || error.message || error.title || `HTTP ${response.status}`;
+      if (error.errors && typeof error.errors === "object") {
+        const validationErrors = Object.entries(error.errors).map(([field, messages]) => {
+          const msgs = Array.isArray(messages) ? messages : [messages];
+          return `${field}: ${msgs.join(", ")}`;
+        }).join("; ");
+        errorMessage = validationErrors || errorMessage;
+      }
+      const apiError = Object.assign(new Error(errorMessage), {
+        status: response.status,
+        error
+      });
+      throw apiError;
+    }
+    if (response.status === 204) {
+      return {};
+    }
+    return response.json();
+  }
+  async get(path3, options) {
+    const deduplicatePaths = ["/webauthn/credentials", "/webauthn/key-bundles/current"];
+    const shouldDeduplicate = deduplicatePaths.some((p) => path3.includes(p));
+    if (shouldDeduplicate) {
+      const cacheKey = `get:${path3}`;
+      const inFlight = this.inFlightRequests.get(cacheKey);
+      if (inFlight) {
+        return inFlight;
+      }
+      const request = this.request("GET", path3, options).finally(() => this.inFlightRequests.delete(cacheKey));
+      this.inFlightRequests.set(cacheKey, request);
+      return request;
+    }
+    return this.request("GET", path3, options);
+  }
+  async post(path3, body, options) {
+    return this.request("POST", path3, { ...options, body });
+  }
+  async put(path3, body, options) {
+    return this.request("PUT", path3, { ...options, body });
+  }
+  async patch(path3, body, options) {
+    return this.request("PATCH", path3, { ...options, body });
+  }
+  async delete(path3, options) {
+    return this.request("DELETE", path3, options);
+  }
+  /**
+   * Fetch binary data as a Blob (for downloading files like PDFs).
+   */
+  async getBlob(path3, options) {
+    const url = this.getApiUrl(path3);
+    const authHeaders = await this.config.auth.getAuthHeaders();
+    const headers = {
+      ...authHeaders,
+      ...options?.headers
+    };
+    const config = {
+      method: "GET",
+      headers,
+      credentials: this.config.auth.getCredentials()
+    };
+    let response;
+    try {
+      response = await fetch(url, config);
+    } catch (networkError) {
+      console.error("Network error:", { url, error: networkError });
+      const error = Object.assign(
+        new Error("Unable to connect to server. Please check your connection and try again."),
+        { status: 0, code: "NETWORK_ERROR", originalError: networkError }
+      );
+      throw error;
+    }
+    if (!response.ok) {
+      const error = await response.json().catch(() => ({
+        message: "An error occurred"
+      }));
+      const apiError = Object.assign(new Error(error.message || `HTTP ${response.status}`), {
+        status: response.status,
+        error
+      });
+      throw apiError;
+    }
+    return response.blob();
+  }
+  // ===== HOUSEHOLD METHODS =====
+  async getHouseholds() {
+    return this.get("/households");
+  }
+  async createHousehold(data) {
+    return this.post("/households", data);
+  }
+  async updateHousehold(id, data) {
+    await this.put(`/households/${id}`, data);
+  }
+  async deleteHousehold(id) {
+    await this.delete(`/households/${id}`);
+  }
+  /**
+   * Extend trial for households with less than 5 entities.
+   * Allows users who haven't fully explored to continue without subscribing.
+   */
+  async extendTrial(householdId) {
+    return this.post(`/households/${householdId}/extend-trial`, {});
+  }
+  /**
+   * Permanently delete the current user's account and all personal data.
+   * This includes: key bundles, WebAuthn credentials, personal vault entities,
+   * member key access records, legal consents, user profile, and authentication identity.
+   *
+   * WARNING: This action is irreversible. The user must re-register to use the service again.
+   */
+  async deleteCurrentUser() {
+    await this.delete("/users/me");
+  }
+  async checkUserHasHousehold() {
+    const households = await this.getHouseholds();
+    return {
+      hasHousehold: households.length > 0,
+      households: households.length > 0 ? households : void 0
+    };
+  }
+  // ===== HOUSEHOLD KEYS METHODS =====
+  async getHouseholdKeys(householdId) {
+    const cacheKey = `getHouseholdKeys:${householdId}`;
+    const inFlight = this.inFlightRequests.get(cacheKey);
+    if (inFlight) {
+      return inFlight;
+    }
+    const request = this.get(`/households/${householdId}/keys`).finally(() => {
+      this.inFlightRequests.delete(cacheKey);
+    });
+    this.inFlightRequests.set(cacheKey, request);
+    return request;
+  }
+  async grantHouseholdKey(householdId, data) {
+    await this.post(`/households/${householdId}/keys/grant`, data);
+  }
+  async batchGrantHouseholdKeys(householdId, data) {
+    await this.post(`/households/${householdId}/keys/grant/batch`, data);
+  }
+  async revokeHouseholdKey(householdId, userId, keyType) {
+    await this.delete(`/households/${householdId}/keys/${userId}/${keyType}`);
+  }
+  async getMembersKeyAccess(householdId) {
+    return this.get(`/households/${householdId}/keys/access`);
+  }
+  async getKeyTypes(householdId) {
+    return this.get(`/households/${householdId}/keys/types`);
+  }
+  async deleteKeyType(householdId, keyType) {
+    await this.delete(`/households/${householdId}/keys/types/${keyType}`);
+  }
+  // ===== ENCRYPTED ENTITIES METHODS =====
+  /**
+   * Fetch entities for a single type. When batched=true (default), requests are
+   * automatically combined with other concurrent calls into a single HTTP request.
+   */
+  async getEntities(householdId, params) {
+    const batched = params?.batched ?? true;
+    if (batched && params?.entityType && !params?.limit && !params?.offset) {
+      const items = await this.entityBatcher.request(
+        householdId,
+        params.entityType,
+        params.includeDeleted ?? false
+      );
+      return { items, total: items.length };
+    }
+    const queryParams = new URLSearchParams();
+    if (householdId) queryParams.set("householdId", householdId);
+    if (params?.entityType) queryParams.set("entityType", params.entityType);
+    if (params?.limit) queryParams.set("limit", params.limit.toString());
+    if (params?.offset) queryParams.set("offset", params.offset.toString());
+    if (params?.includeDeleted) queryParams.set("includeDeleted", params.includeDeleted.toString());
+    const query = queryParams.toString();
+    const path3 = `/entities${query ? `?${query}` : ""}`;
+    return this.get(path3);
+  }
+  /**
+   * Internal method to fetch multiple entity types in one request.
+   * Used by the EntityBatcher.
+   */
+  async getEntitiesMultiple(householdId, entityTypes, includeDeleted) {
+    const queryParams = new URLSearchParams();
+    if (householdId) queryParams.set("householdId", householdId);
+    if (entityTypes.length > 0) queryParams.set("entityTypes", entityTypes.join(","));
+    if (includeDeleted) queryParams.set("includeDeleted", "true");
+    const query = queryParams.toString();
+    const path3 = `/entities${query ? `?${query}` : ""}`;
+    return this.get(path3);
+  }
+  async getEntity(householdId, entityId) {
+    const queryParams = new URLSearchParams();
+    if (householdId) queryParams.set("householdId", householdId);
+    const query = queryParams.toString();
+    const path3 = `/entities/${entityId}${query ? `?${query}` : ""}`;
+    return this.get(path3);
+  }
+  async createEntity(householdId, data) {
+    const queryParams = new URLSearchParams();
+    if (householdId) queryParams.set("householdId", householdId);
+    const query = queryParams.toString();
+    const path3 = `/entities${query ? `?${query}` : ""}`;
+    return this.post(path3, data);
+  }
+  async updateEntity(householdId, entityId, data, version) {
+    const queryParams = new URLSearchParams();
+    if (householdId) queryParams.set("householdId", householdId);
+    const query = queryParams.toString();
+    const path3 = `/entities/${entityId}${query ? `?${query}` : ""}`;
+    return this.put(path3, data, {
+      headers: { "If-Match": `"${version}"` }
+    });
+  }
+  async deleteEntity(householdId, entityId, version) {
+    const queryParams = new URLSearchParams();
+    if (householdId) queryParams.set("householdId", householdId);
+    const query = queryParams.toString();
+    const path3 = `/entities/${entityId}${query ? `?${query}` : ""}`;
+    await this.delete(path3, {
+      headers: { "If-Match": `"${version}"` }
+    });
+  }
+  // ===== HOUSEHOLD MEMBERS METHODS =====
+  async getHouseholdMembers(householdId) {
+    return this.get(`/households/${householdId}/members`);
+  }
+  async inviteHouseholdMember(householdId, email, role = HOUSEHOLD_MEMBER_ROLES.MEMBER) {
+    return this.post(`/households/${householdId}/members/invite`, { email, role });
+  }
+  async updateMemberRole(householdId, userId, data) {
+    await this.put(`/households/${householdId}/members/${userId}`, data);
+  }
+  async removeHouseholdMember(householdId, userId) {
+    await this.delete(`/households/${householdId}/members/${userId}`);
+  }
+  async getHouseholdPeople(householdId) {
+    const members = await this.getHouseholdMembers(householdId);
+    return { people: members };
+  }
+  // DEPRECATED: Legacy invitation methods - will be removed
+  async createHouseholdInvitation(householdId, role = HOUSEHOLD_MEMBER_ROLES.MEMBER, residentId, expiresIn, oneTimeUse) {
+    return this.post(`/households/${householdId}/invitations`, {
+      role,
+      residentId,
+      expiresIn,
+      oneTimeUse
+    });
+  }
+  async revokeInvitation(invitationToken) {
+    await this.delete(`/households/invitations/${invitationToken}`);
+  }
+  // ===== CONTACTS =====
+  async getContacts(householdId) {
+    return this.get(`/contacts?householdId=${householdId}`);
+  }
+  async createContact(householdId, data) {
+    return this.post("/contacts", { ...data, household_id: householdId });
+  }
+  async updateContact(id, data) {
+    return this.put(`/contacts/${id}`, data);
+  }
+  async deleteContact(id) {
+    await this.delete(`/contacts/${id}`);
+  }
+  // ===== INSURANCE POLICIES =====
+  async getInsurancePolicies(householdId) {
+    return this.get(`/insurance-policies?householdId=${householdId}`);
+  }
+  async createInsurancePolicy(householdId, data) {
+    return this.post("/insurance-policies", { ...data, household_id: householdId });
+  }
+  async updateInsurancePolicy(id, data, householdId) {
+    return this.put(`/insurance-policies/${id}`, { ...data, household_id: householdId });
+  }
+  async deleteInsurancePolicy(id) {
+    await this.delete(`/insurance-policies/${id}`);
+  }
+  // ===== GENERIC RESOURCE METHODS =====
+  // These are used by entity contexts and can be extended
+  async getResources(path3, householdId) {
+    return this.get(`${path3}?householdId=${householdId}`);
+  }
+  async createResource(path3, householdId, data) {
+    return this.post(path3, { ...data, household_id: householdId });
+  }
+  async updateResource(path3, id, data) {
+    return this.put(`${path3}/${id}`, data);
+  }
+  async deleteResource(path3, id) {
+    await this.delete(`${path3}/${id}`);
+  }
+  // ===== USER KEY METHODS =====
+  async batchAddKeys(data) {
+    return this.post("/users/batch-add-keys", data);
+  }
+  /**
+   * Get the current user's key bundle (public key, encrypted private key, etc.)
+   * This is deduplicated automatically - concurrent calls return the same promise.
+   */
+  async getCurrentKeyBundle() {
+    return this.get("/webauthn/key-bundles/current");
+  }
+  // ===== BILLING METHODS =====
+  /**
+   * Create a Stripe Checkout session to start a subscription.
+   * Only household owners can call this.
+   */
+  async createCheckoutSession(householdId, planCode) {
+    return this.post(`/billing/${householdId}/checkout`, { planCode });
+  }
+  /**
+   * Create a Stripe Customer Portal session for managing subscription.
+   * Only household owners can call this.
+   */
+  async createPortalSession(householdId) {
+    return this.post(`/billing/${householdId}/portal`, {});
+  }
+  /**
+   * Get available subscription plans.
+   * This endpoint is public (no auth required).
+   */
+  async getAvailablePlans() {
+    return this.get("/billing/plans");
+  }
+  /**
+   * Start a free trial for a household.
+   * No credit card required.
+   */
+  async startTrial(householdId, tier) {
+    return this.post(`/billing/${householdId}/start-trial`, { tier });
+  }
+  /**
+   * Upgrade an existing subscription to a new plan.
+   * This updates the subscription in place instead of creating a new one.
+   */
+  async upgradeSubscription(householdId, planCode) {
+    return this.post(`/billing/${householdId}/upgrade`, { planCode });
+  }
+  /**
+   * Get billing details for subscription sync.
+   * Used by frontend to sync EstateHelm subscription entity.
+   */
+  async getBillingDetails(householdId) {
+    return this.get(`/billing/${householdId}/details`);
+  }
+  // ===== MOBILE BILLING METHODS (Apple IAP / Google Play) =====
+  /**
+   * Verify an Apple In-App Purchase transaction.
+   * Called by iOS app after a successful StoreKit purchase.
+   */
+  async verifyApplePurchase(householdId, data) {
+    return this.post(`/apple-billing/${householdId}/verify-transaction`, data);
+  }
+  /**
+   * Sync Apple subscription status with the server.
+   */
+  async syncAppleSubscription(householdId) {
+    return this.post(`/apple-billing/${householdId}/sync`, {});
+  }
+  /**
+   * Get Apple subscription status for a household.
+   */
+  async getAppleSubscriptionStatus(householdId) {
+    return this.get(`/apple-billing/${householdId}/status`);
+  }
+  /**
+   * Get available Apple products (for StoreKit).
+   */
+  async getAppleProducts() {
+    return this.get("/apple-billing/products");
+  }
+  /**
+   * Verify a Google Play purchase.
+   * Called by Android app after a successful Google Play Billing purchase.
+   */
+  async verifyGooglePurchase(householdId, data) {
+    return this.post(`/google-billing/${householdId}/verify-purchase`, data);
+  }
+  /**
+   * Sync Google Play subscription status with the server.
+   */
+  async syncGoogleSubscription(householdId) {
+    return this.post(`/google-billing/${householdId}/sync`, {});
+  }
+  /**
+   * Get Google Play subscription status for a household.
+   */
+  async getGoogleSubscriptionStatus(householdId) {
+    return this.get(`/google-billing/${householdId}/status`);
+  }
+  /**
+   * Get available Google Play products.
+   */
+  async getGoogleProducts() {
+    return this.get("/google-billing/products");
+  }
+};
+
+// ../encryption/src/utils.ts
+function base64Encode(bytes) {
+  const binString = Array.from(bytes, (byte) => String.fromCodePoint(byte)).join("");
+  return btoa(binString);
+}
+function base64Decode(base64) {
+  try {
+    const cleanBase64 = base64.replace(/\s/g, "");
+    const binString = atob(cleanBase64);
+    return Uint8Array.from(binString, (char) => char.codePointAt(0));
+  } catch (error) {
+    throw new Error(`Failed to decode base64: ${error instanceof Error ? error.message : "Unknown error"}`);
+  }
+}
+function stringToBytes(str) {
+  return new TextEncoder().encode(str);
+}
+function bytesToString(bytes) {
+  return new TextDecoder().decode(bytes);
+}
+
+// ../encryption/src/householdKeys.ts
+var HOUSEHOLD_KEY_SIZE = 32;
+async function importHouseholdKeyForDerivation(keyBytes) {
+  if (keyBytes.length !== HOUSEHOLD_KEY_SIZE) {
+    throw new Error(`Invalid household key size: expected ${HOUSEHOLD_KEY_SIZE} bytes, got ${keyBytes.length}`);
+  }
+  try {
+    return await crypto.subtle.importKey(
+      "raw",
+      keyBytes,
+      "HKDF",
+      false,
+      ["deriveBits"]
+    );
+  } catch (error) {
+    throw new Error(
+      `Failed to import household key for derivation: ${error instanceof Error ? error.message : "Unknown error"}`
+    );
+  }
+}
+
+// ../encryption/src/entityKeys.ts
+var ENTITY_KEY_SIZE = 32;
+async function deriveEntityKey(householdKey, entityId, entityType) {
+  if (!entityId || entityId.trim().length === 0) {
+    throw new Error("Entity ID cannot be empty");
+  }
+  if (!entityType || entityType.trim().length === 0) {
+    throw new Error("Entity type cannot be empty");
+  }
+  const infoString = `${entityType}:${entityId}`;
+  try {
+    const keyMaterial = await importHouseholdKeyForDerivation(householdKey);
+    const info = stringToBytes(infoString);
+    const derivedBits = await crypto.subtle.deriveBits(
+      {
+        name: "HKDF",
+        hash: "SHA-256",
+        salt: new Uint8Array(0),
+        // Empty salt for deterministic derivation
+        info
+      },
+      keyMaterial,
+      ENTITY_KEY_SIZE * 8
+      // 256 bits
+    );
+    return new Uint8Array(derivedBits);
+  } catch (error) {
+    throw new Error(
+      `Failed to derive entity key for ${entityType}:${entityId}: ${error instanceof Error ? error.message : "Unknown error"}`
+    );
+  }
+}
+async function importEntityKey(entityKeyBytes) {
+  if (entityKeyBytes.length !== ENTITY_KEY_SIZE) {
+    throw new Error(`Invalid entity key size: expected ${ENTITY_KEY_SIZE} bytes, got ${entityKeyBytes.length}`);
+  }
+  try {
+    return await crypto.subtle.importKey(
+      "raw",
+      entityKeyBytes,
+      {
+        name: "AES-GCM",
+        length: ENTITY_KEY_SIZE * 8
+      },
+      false,
+      // Not extractable (security best practice)
+      ["encrypt", "decrypt"]
+    );
+  } catch (error) {
+    throw new Error(
+      `Failed to import entity key: ${error instanceof Error ? error.message : "Unknown error"}`
+    );
+  }
+}
+
+// ../encryption/src/entityEncryption.ts
+var IV_SIZE = 12;
+var AUTH_TAG_SIZE = 16;
+function unpackEncryptedBlob(packedBlob) {
+  const blob = base64Decode(packedBlob);
+  if (blob.length < 1 + IV_SIZE + AUTH_TAG_SIZE) {
+    throw new Error("Invalid encrypted blob: too short");
+  }
+  const version = blob[0];
+  const iv = blob.slice(1, 1 + IV_SIZE);
+  const ciphertext = blob.slice(1 + IV_SIZE);
+  return { version, iv, ciphertext };
+}
+async function decryptEntity(householdKey, encrypted, options = {}) {
+  if (options.expectedType && encrypted.entityType !== options.expectedType) {
+    throw new Error(
+      `Entity type mismatch: expected ${options.expectedType}, got ${encrypted.entityType}`
+    );
+  }
+  try {
+    const entityKeyBytes = options.entityKey ? options.entityKey : await deriveEntityKey(householdKey, encrypted.entityId, encrypted.entityType);
+    const entityKey = await importEntityKey(entityKeyBytes);
+    const ciphertext = base64Decode(encrypted.ciphertext);
+    const iv = base64Decode(encrypted.iv);
+    const decryptParams = {
+      name: "AES-GCM",
+      iv
+    };
+    if (options.additionalData) {
+      decryptParams.additionalData = options.additionalData;
+    }
+    const plaintext = await crypto.subtle.decrypt(
+      decryptParams,
+      entityKey,
+      ciphertext
+    );
+    const jsonData = bytesToString(new Uint8Array(plaintext));
+    return JSON.parse(jsonData);
+  } catch (error) {
+    if (error instanceof Error && error.name === "OperationError") {
+      throw new Error(
+        `Failed to decrypt ${encrypted.entityType} entity ${encrypted.entityId}: Authentication failed. This may indicate a wrong household key, corrupted data, or tampered ciphertext.`
+      );
+    }
+    throw new Error(
+      `Failed to decrypt ${encrypted.entityType} entity ${encrypted.entityId}: ${error instanceof Error ? error.message : "Unknown error"}`
+    );
+  }
+}
+
+// ../encryption/src/entityKeyMapping.ts
+var ENTITY_KEY_TYPE_MAP = {
+  // General household items
+  "property": "general",
+  "maintenance_task": "task",
+  "pet": "general",
+  "vehicle": "general",
+  "device": "general",
+  "valuable": "general",
+  "valuables": "general",
+  // Route alias
+  "access_code": "access_code",
+  "contact": "general",
+  "service": "general",
+  "document": "general",
+  "travel": "general",
+  "resident": "general",
+  "home_improvement": "general",
+  // Property improvements
+  "vehicle_maintenance": "general",
+  // Vehicle maintenance history
+  "vehicle_service_visit": "general",
+  // Vehicle service visits
+  "pet_vet_visit": "general",
+  // Pet vet visits (like vehicle_service_visit for vehicles)
+  "pet_health": "general",
+  // Pet health records (simple single records)
+  "military_record": "general",
+  // Military service records
+  "education_record": "general",
+  // Education records (diplomas, transcripts, etc.)
+  "credential": "general",
+  // Credentials (professional licenses, government IDs, etc.)
+  "credentials": "general",
+  // Route alias
+  "membership_record": "general",
+  // Membership records (airline, hotel, retail loyalty programs)
+  // Health records (sensitive - requires health key)
+  "health_record": "health",
+  // Financial
+  "bank_account": "financial",
+  "investment": "financial",
+  "tax_document": "financial",
+  "tax_year": "financial",
+  "taxes": "financial",
+  // Route alias
+  "financial_account": "financial",
+  "financial": "financial",
+  // Route alias
+  // Legal (owner-only)
+  "legal": "legal",
+  // Insurance (both names for compatibility)
+  "insurance": "general",
+  "insurance_policy": "general",
+  "subscription": "subscription",
+  // Passwords (shared household credentials)
+  "password": "password",
+  // Identity (Personal Vault)
+  "identity": "identity",
+  // Calendar Connections (Personal Vault - user's OAuth tokens for calendar sync)
+  "calendar_connection": "identity",
+  // Continuity (Personal Vault - shared messages for beneficiaries)
+  "continuity": "continuity",
+  // Emergency (household-scoped emergency info, encrypted with general key so all members can decrypt)
+  "emergency": "general"
+};
+function getKeyTypeForEntity(entityType) {
+  const keyType = ENTITY_KEY_TYPE_MAP[entityType];
+  if (!keyType) {
+    throw new Error(
+      `No key type mapping found for entity type: ${entityType}. Please add it to ENTITY_KEY_TYPE_MAP in entityKeyMapping.ts`
+    );
+  }
+  return keyType;
+}
+
+// ../encryption/src/recoveryKey.ts
+var RECOVERY_KEY_SIZE = 16;
+var GROUP_SIZE = 4;
+var BASE32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
+function encodeBase32(bytes) {
+  let bits = "";
+  for (const byte of bytes) {
+    bits += byte.toString(2).padStart(8, "0");
+  }
+  while (bits.length % 5 !== 0) {
+    bits += "0";
+  }
+  let result = "";
+  for (let i = 0; i < bits.length; i += 5) {
+    const chunk = bits.substring(i, i + 5);
+    const index = parseInt(chunk, 2);
+    result += BASE32_ALPHABET[index];
+  }
+  return result;
+}
+function decodeBase32(base32) {
+  const cleaned = base32.toUpperCase().replace(/[^A-Z2-7]/g, "");
+  let bits = "";
+  for (const char of cleaned) {
+    const index = BASE32_ALPHABET.indexOf(char);
+    if (index === -1) {
+      throw new Error(`Invalid base32 character: ${char}`);
+    }
+    bits += index.toString(2).padStart(5, "0");
+  }
+  const bytes = [];
+  for (let i = 0; i < bits.length - bits.length % 8; i += 8) {
+    const byte = parseInt(bits.substring(i, i + 8), 2);
+    bytes.push(byte);
+  }
+  return new Uint8Array(bytes);
+}
+function formatRecoveryKey(base32) {
+  const groups = [];
+  for (let i = 0; i < base32.length; i += GROUP_SIZE) {
+    groups.push(base32.substring(i, i + GROUP_SIZE));
+  }
+  return groups.join("-");
+}
+function unformatRecoveryKey(formatted) {
+  return formatted.toUpperCase().replace(/[^A-Z2-7]/g, "");
+}
+function validateRecoveryKey(recoveryKey) {
+  try {
+    const unformatted = unformatRecoveryKey(recoveryKey);
+    if (unformatted.length < 20 || unformatted.length > 30) {
+      return false;
+    }
+    for (const char of unformatted) {
+      if (!BASE32_ALPHABET.includes(char)) {
+        return false;
+      }
+    }
+    const bytes = decodeBase32(unformatted);
+    return bytes.length >= RECOVERY_KEY_SIZE - 2 && bytes.length <= RECOVERY_KEY_SIZE + 2;
+  } catch {
+    return false;
+  }
+}
+function parseRecoveryKey(recoveryKey) {
+  if (!validateRecoveryKey(recoveryKey)) {
+    throw new Error("Invalid recovery key format");
+  }
+  const unformatted = unformatRecoveryKey(recoveryKey);
+  const bytes = decodeBase32(unformatted);
+  const normalizedBytes = new Uint8Array(RECOVERY_KEY_SIZE);
+  normalizedBytes.set(bytes.slice(0, RECOVERY_KEY_SIZE));
+  const base32 = encodeBase32(normalizedBytes);
+  const formatted = formatRecoveryKey(base32);
+  const base64 = base64Encode(normalizedBytes);
+  return {
+    bytes: normalizedBytes,
+    formatted,
+    base64
+  };
+}
+async function deriveWrapKey(recoveryKeyBytes, serverWrapSecret, info = "hearthcoo-wrap-key-v1") {
+  if (recoveryKeyBytes.length !== RECOVERY_KEY_SIZE) {
+    throw new Error(`Recovery key must be ${RECOVERY_KEY_SIZE} bytes`);
+  }
+  if (serverWrapSecret.length !== 32) {
+    throw new Error("Server wrap secret must be 32 bytes");
+  }
+  const recoveryKeyMaterial = await crypto.subtle.importKey(
+    "raw",
+    recoveryKeyBytes,
+    "HKDF",
+    false,
+    ["deriveKey"]
+  );
+  const wrapKey = await crypto.subtle.deriveKey(
+    {
+      name: "HKDF",
+      hash: "SHA-256",
+      salt: serverWrapSecret,
+      info: new TextEncoder().encode(info)
+    },
+    recoveryKeyMaterial,
+    {
+      name: "AES-GCM",
+      length: 256
+    },
+    false,
+    ["encrypt", "decrypt"]
+  );
+  return wrapKey;
+}
+
+// ../types/src/keys.ts
+var DEFAULT_KEY_BUNDLE_ALG = "ECDH-P-521";
+
+// ../types/src/options.ts
+var PERSONAL_LEGAL_DOCUMENT_TYPE_OPTIONS = [
+  { label: "Birth Certificate", value: "birth_certificate" },
+  { label: "Citizenship Certificate", value: "citizenship_certificate" },
+  { label: "Divorce Decree", value: "divorce_decree" },
+  { label: "Healthcare Directive", value: "healthcare_directive" },
+  { label: "Living Will", value: "living_will" },
+  { label: "Marriage Certificate", value: "marriage_certificate" },
+  { label: "Power of Attorney", value: "power_of_attorney" },
+  { label: "Social Security Card", value: "social_security_card" },
+  { label: "Will", value: "will" },
+  { label: "Property Deed", value: "property_deed" },
+  { label: "Vehicle Title", value: "vehicle_title" },
+  { label: "Other", value: "other" }
+];
+var LLC_LEGAL_DOCUMENT_TYPE_OPTIONS = [
+  { label: "LLC Formation Certificate", value: "llc_formation" },
+  { label: "Operating Agreement", value: "operating_agreement" },
+  { label: "Annual Report", value: "annual_report" },
+  { label: "Sales Tax Registration", value: "sales_tax_registration" },
+  { label: "Business License", value: "business_license" },
+  { label: "Registered Agent Certificate", value: "registered_agent" },
+  { label: "DBA Certificate", value: "dba_certificate" },
+  { label: "Business Insurance Certificate", value: "business_insurance_certificate" },
+  { label: "EIN Certificate", value: "ein_certificate" },
+  { label: "Property Deed", value: "property_deed" },
+  { label: "Vehicle Title", value: "vehicle_title" },
+  { label: "Other", value: "other" }
+];
+var TRUST_LEGAL_DOCUMENT_TYPE_OPTIONS = [
+  { label: "Trust Agreement", value: "trust_agreement" },
+  { label: "Certificate of Trust", value: "certificate_of_trust" },
+  { label: "Trust Amendment", value: "trust_amendment" },
+  { label: "Schedule of Assets", value: "schedule_of_assets" },
+  { label: "Trustee Acceptance", value: "trustee_acceptance" },
+  { label: "Trustee Resignation", value: "trustee_resignation" },
+  { label: "Pour-Over Will", value: "pour_over_will" },
+  { label: "Trust Restatement", value: "trust_restatement" },
+  { label: "Beneficiary Designation", value: "beneficiary_designation" },
+  { label: "EIN Certificate", value: "ein_certificate" },
+  { label: "Property Deed", value: "property_deed" },
+  { label: "Vehicle Title", value: "vehicle_title" },
+  { label: "Other", value: "other" }
+];
+var LEGAL_DOCUMENT_TYPE_OPTIONS = [
+  ...PERSONAL_LEGAL_DOCUMENT_TYPE_OPTIONS.filter((o) => o.value !== "other"),
+  ...LLC_LEGAL_DOCUMENT_TYPE_OPTIONS.filter((o) => !["property_deed", "vehicle_title", "other", "ein_certificate"].includes(o.value)),
+  ...TRUST_LEGAL_DOCUMENT_TYPE_OPTIONS.filter((o) => !["property_deed", "vehicle_title", "other", "ein_certificate"].includes(o.value)),
+  { label: "EIN Certificate", value: "ein_certificate" },
+  { label: "Other", value: "other" }
+];
+
+// ../types/src/feature-limits.json
+var feature_limits_default = {
+  limits: {
+    property: { household: 1, estate: 50, requiredPlan: "estate" },
+    vehicle: { household: 3, estate: 50, requiredPlan: "household" },
+    pet: { household: 10, estate: 50, requiredPlan: "household" },
+    contact: { household: 200, estate: 1e3, requiredPlan: "household" },
+    resident: { household: 6, estate: 50, requiredPlan: "household" },
+    maintenance_task: { household: 100, estate: 1e3, requiredPlan: "household" },
+    subscription: { household: 100, estate: 1e3, requiredPlan: "household" },
+    valuable: { household: 20, estate: 2e3, requiredPlan: "household" },
+    legal: { household: 5, estate: 500, requiredPlan: "household" },
+    financial_account: { household: 100, estate: 1e3, requiredPlan: "household" },
+    service: { household: 20, estate: 100, requiredPlan: "household" },
+    insurance: { household: 20, estate: 100, requiredPlan: "household" },
+    device: { household: 50, estate: 1e3, requiredPlan: "household" },
+    identity: { household: 10, estate: 50, requiredPlan: "household" }
+  }
+};
+
+// ../types/src/plans.ts
+var PLAN_FEATURES = {
+  household: [
+    "1 property",
+    "Up to 3 vehicles",
+    "Up to 5 family members",
+    "Store contractors, providers, and emergency contacts",
+    "Track cleaners, gardeners, and other service visits",
+    "Maintenance task wizard for your property and vehicles",
+    "Maintenance reminders",
+    "Emergency procedures",
+    "Subscription cost and renewal tracking",
+    "Link insurance to assets, expiration reminders",
+    "Valuables cataloging",
+    "Encrypted legal documents",
+    "Secure sharing"
+  ],
+  estate: [
+    "Dozens of properties and vehicles",
+    "Dozens of members including family and staff",
+    "Link LLCs and Trusts to your assets",
+    "Continuity Protocol (automatic contingency access)",
+    "Everything in Household"
+  ]
+};
+var PLAN_DEFINITIONS = {
+  household_monthly: {
+    planCode: "household_monthly",
+    tier: "household",
+    name: "Household",
+    description: "For managing your home and family with confidence",
+    amountCents: 999,
+    billingCycle: "monthly",
+    features: PLAN_FEATURES.household
+  },
+  household_annual: {
+    planCode: "household_annual",
+    tier: "household",
+    name: "Household",
+    description: "For managing your home and family with confidence",
+    descriptionAnnual: "For managing your home and family with confidence - Save 17%",
+    amountCents: 9900,
+    billingCycle: "annual",
+    features: PLAN_FEATURES.household
+  },
+  estate_monthly: {
+    planCode: "estate_monthly",
+    tier: "estate",
+    name: "Estate",
+    description: "For estates, multiple properties, and long term planning",
+    amountCents: 1999,
+    billingCycle: "monthly",
+    features: PLAN_FEATURES.estate,
+    tagline: "Designed for families who want their home information, digital assets, and legal documents to stay accessible \u2014 even if something happens."
+  },
+  estate_annual: {
+    planCode: "estate_annual",
+    tier: "estate",
+    name: "Estate",
+    description: "For estates, multiple properties, and long term planning",
+    descriptionAnnual: "For estates, multiple properties, and long term planning - Save 17%",
+    amountCents: 19900,
+    billingCycle: "annual",
+    features: PLAN_FEATURES.estate,
+    tagline: "Designed for families who want their home information, digital assets, and legal documents to stay accessible \u2014 even if something happens."
+  }
+};
+var FEATURE_LIMITS = feature_limits_default.limits;
+
+// ../types/src/files.ts
+var MAX_FILE_SIZE_MB = 200;
+var MAX_FILE_SIZE_BYTES = MAX_FILE_SIZE_MB * 1024 * 1024;
+var MAX_HEARTBEAT_VIDEO_SIZE_MB = 500;
+var MAX_HEARTBEAT_VIDEO_SIZE_BYTES = MAX_HEARTBEAT_VIDEO_SIZE_MB * 1024 * 1024;
+
+// ../types/src/navColors.ts
+var NAV_KEYS = [
+  // Bottom nav (always visible)
+  "/dashboard",
+  "/people",
+  "/password",
+  "/search",
+  "/more",
+  // More drawer - Group 1 (Assets)
+  "/property",
+  "/pet",
+  "/valuables",
+  "/vehicle",
+  // More drawer - Group 2 (Financial & Services)
+  "/subscription",
+  "/financial",
+  "/service",
+  "/contact",
+  "/insurance",
+  // More drawer - Group 3 (Bottom row)
+  "/signout",
+  "/settings",
+  "/continuity",
+  "/share",
+  // Other routes (sidebar, less common)
+  "/access_code",
+  "/credentials",
+  "/device",
+  "/legal",
+  "/taxes"
+];
+var SECONDARY_KEYS = ["records", "maintenance", "improvements"];
+function cycleColors(colors, secondary) {
+  const result = {};
+  NAV_KEYS.forEach((key, i) => {
+    result[key] = colors[i % colors.length];
+  });
+  const sec = secondary || colors;
+  SECONDARY_KEYS.forEach((key, i) => {
+    result[key] = sec[i % sec.length];
+  });
+  return result;
+}
+function stripeColors(stripes) {
+  const result = {};
+  const itemsPerStripe = Math.ceil(NAV_KEYS.length / stripes.length);
+  NAV_KEYS.forEach((key, i) => {
+    const stripeIndex = Math.floor(i / itemsPerStripe);
+    const stripe = stripes[Math.min(stripeIndex, stripes.length - 1)];
+    result[key] = stripe[i % stripe.length];
+  });
+  SECONDARY_KEYS.forEach((key, i) => {
+    result[key] = stripes[i % stripes.length][0];
+  });
+  return result;
+}
+var CHRISTMAS_NAV_COLORS = cycleColors([
+  "text-red-600",
+  "text-green-600",
+  "text-red-500",
+  "text-yellow-500",
+  "text-green-500",
+  "text-red-500",
+  "text-green-600"
+]);
+var HALLOWEEN_NAV_COLORS = cycleColors([
+  "text-orange-500",
+  "text-purple-600",
+  "text-orange-600",
+  "text-purple-500",
+  "text-orange-500",
+  "text-purple-600",
+  "text-zinc-800"
+]);
+var VALENTINES_NAV_COLORS = cycleColors([
+  "text-pink-500",
+  "text-red-500",
+  "text-rose-500",
+  "text-pink-600",
+  "text-red-500",
+  "text-rose-500",
+  "text-red-600"
+]);
+var PRIDE_NAV_COLORS = cycleColors([
+  "text-red-500",
+  "text-orange-500",
+  "text-yellow-500",
+  "text-green-500",
+  "text-blue-500",
+  "text-purple-500"
+]);
+var STPATRICKS_NAV_COLORS = cycleColors([
+  "text-green-600",
+  "text-green-500",
+  "text-yellow-500",
+  "text-emerald-500"
+]);
+var CANADADAY_NAV_COLORS = cycleColors(["text-red-600", "text-slate-400", "text-red-500"]);
+var JULY4TH_NAV_COLORS = cycleColors(["text-red-500", "text-blue-600", "text-slate-400", "text-red-600", "text-blue-500"]);
+var THANKSGIVING_NAV_COLORS = cycleColors(["text-orange-600", "text-amber-700", "text-yellow-600", "text-orange-500", "text-amber-600"]);
+var EARTHDAY_NAV_COLORS = cycleColors(["text-green-600", "text-blue-500", "text-emerald-500", "text-sky-500", "text-green-500", "text-blue-600"]);
+var NEWYEAR_NAV_COLORS = cycleColors(["text-yellow-500", "text-slate-400", "text-yellow-600", "text-slate-500"]);
+var EASTER_NAV_COLORS = cycleColors(["text-pink-500", "text-purple-500", "text-yellow-500", "text-emerald-500", "text-sky-500"]);
+var COSTARICA_NAV_COLORS = stripeColors([
+  ["text-blue-600", "text-blue-500"],
+  // Blue stripe
+  ["text-slate-400"],
+  // White stripe  
+  ["text-red-600", "text-red-500"],
+  // Red stripe (center)
+  ["text-slate-400"],
+  // White stripe
+  ["text-blue-600", "text-blue-500"]
+  // Blue stripe
+]);
+
+// ../encryption/src/keyBundle.ts
+async function decryptPrivateKeyWithWrapKey(encryptedPrivateKey, wrapKey) {
+  const packed = base64Decode(encryptedPrivateKey);
+  const version = packed[0];
+  if (version !== 1) {
+    throw new Error(`Unsupported encryption version: ${version}`);
+  }
+  const iv = packed.slice(1, 13);
+  const ciphertext = packed.slice(13);
+  const plaintextBuffer = await crypto.subtle.decrypt(
+    {
+      name: "AES-GCM",
+      iv
+    },
+    wrapKey,
+    ciphertext
+  );
+  return new Uint8Array(plaintextBuffer);
+}
+async function importPrivateKey(privateKeyBytes, algorithm = DEFAULT_KEY_BUNDLE_ALG) {
+  const jwkString = new TextDecoder().decode(privateKeyBytes);
+  const jwk = JSON.parse(jwkString);
+  let namedCurve;
+  if (algorithm.includes("P-521")) {
+    namedCurve = "P-521";
+  } else if (algorithm.includes("P-384")) {
+    namedCurve = "P-384";
+  } else if (algorithm.includes("P-256")) {
+    namedCurve = "P-256";
+  } else {
+    throw new Error(`Unsupported algorithm: ${algorithm}`);
+  }
+  return await crypto.subtle.importKey(
+    "jwk",
+    jwk,
+    {
+      name: "ECDH",
+      namedCurve
+    },
+    true,
+    ["deriveKey"]
+  );
+}
+
+// ../encryption/src/asymmetricWrap.ts
+async function unwrapHouseholdKey(wrappedKey, privateKey, algorithm = DEFAULT_KEY_BUNDLE_ALG) {
+  const packed = base64Decode(wrappedKey);
+  const version = packed[0];
+  if (version !== 1) {
+    throw new Error(`Unsupported wrap version: ${version}`);
+  }
+  const namedCurve = algorithm.includes("P-521") ? "P-521" : algorithm.includes("P-384") ? "P-384" : algorithm.includes("P-256") ? "P-256" : (() => {
+    throw new Error(`Unsupported algorithm: ${algorithm}`);
+  })();
+  const publicKeySize = namedCurve === "P-521" ? 133 : namedCurve === "P-384" ? 97 : 65;
+  let offset = 1;
+  const ephemeralPublicKeyBytes = packed.slice(offset, offset + publicKeySize);
+  offset += publicKeySize;
+  const iv = packed.slice(offset, offset + 12);
+  offset += 12;
+  const ciphertext = packed.slice(offset);
+  const ephemeralPublicKey = await crypto.subtle.importKey(
+    "raw",
+    ephemeralPublicKeyBytes,
+    {
+      name: "ECDH",
+      namedCurve
+    },
+    false,
+    []
+  );
+  const sharedSecret = await crypto.subtle.deriveKey(
+    {
+      name: "ECDH",
+      public: ephemeralPublicKey
+    },
+    privateKey,
+    {
+      name: "AES-GCM",
+      length: 256
+    },
+    false,
+    ["decrypt"]
+  );
+  const plaintextBuffer = await crypto.subtle.decrypt(
+    {
+      name: "AES-GCM",
+      iv
+    },
+    sharedSecret,
+    ciphertext
+  );
+  return new Uint8Array(plaintextBuffer);
+}
+
+// ../encryption/src/webauthnDeviceBound.ts
+var RP_ID = typeof window !== "undefined" ? window.location.hostname : "estatehelm.com";
+
+// src/config.ts
+var import_env_paths = __toESM(require("env-paths"));
+var path = __toESM(require("path"));
+var fs = __toESM(require("fs"));
+var paths = (0, import_env_paths.default)("estatehelm", { suffix: "" });
+var DATA_DIR = paths.data;
+var CACHE_DB_PATH = path.join(DATA_DIR, "cache.db");
+var CONFIG_PATH = path.join(DATA_DIR, "config.json");
+var DEVICE_ID_PATH = path.join(DATA_DIR, ".device-id");
+var KEYTAR_SERVICE = "estatehelm";
+var KEYTAR_ACCOUNTS = {
+  BEARER_TOKEN: "bearer-token",
+  REFRESH_TOKEN: "refresh-token",
+  DEVICE_CREDENTIALS: "device-credentials"
+};
+var API_BASE_URL = process.env.ESTATEHELM_API_URL || "https://api.estatehelm.com";
+var OAUTH_CONFIG = {
+  // OAuth authorization URL (opens in browser)
+  authUrl: `${API_BASE_URL}/.ory/self-service/login/browser`,
+  // OAuth token exchange endpoint
+  tokenUrl: `${API_BASE_URL}/api/v2/auth/device-token`,
+  // Device code flow endpoint
+  deviceCodeUrl: `${API_BASE_URL}/api/v2/auth/device-code`,
+  // Client ID for CLI app
+  clientId: "estatehelm-cli"
+};
+var DEFAULT_CONFIG = {
+  defaultMode: "full"
+};
+function ensureDataDir() {
+  if (!fs.existsSync(DATA_DIR)) {
+    fs.mkdirSync(DATA_DIR, { recursive: true });
+  }
+}
+function loadConfig() {
+  ensureDataDir();
+  try {
+    if (fs.existsSync(CONFIG_PATH)) {
+      const data = fs.readFileSync(CONFIG_PATH, "utf-8");
+      return { ...DEFAULT_CONFIG, ...JSON.parse(data) };
+    }
+  } catch (err) {
+    console.warn("[Config] Failed to load config:", err);
+  }
+  return DEFAULT_CONFIG;
+}
+function saveConfig(config) {
+  ensureDataDir();
+  fs.writeFileSync(CONFIG_PATH, JSON.stringify(config, null, 2));
+}
+function getDeviceId() {
+  ensureDataDir();
+  try {
+    if (fs.existsSync(DEVICE_ID_PATH)) {
+      return fs.readFileSync(DEVICE_ID_PATH, "utf-8").trim();
+    }
+  } catch {
+  }
+  const id = `mcp-${Date.now()}-${Math.random().toString(36).substring(2, 10)}`;
+  fs.writeFileSync(DEVICE_ID_PATH, id);
+  return id;
+}
+function getDevicePlatform() {
+  const platform = process.platform;
+  switch (platform) {
+    case "darwin":
+      return "macOS";
+    case "win32":
+      return "Windows";
+    case "linux":
+      return "Linux";
+    default:
+      return platform;
+  }
+}
+function getDeviceUserAgent() {
+  return `estatehelm-mcp/1.0 (${getDevicePlatform()})`;
+}
+function sanitizeToken(token) {
+  if (token.length <= 8) return "***";
+  return `${token.slice(0, 4)}...${token.slice(-4)}`;
+}
+
+// src/keyStore.ts
+var import_keytar = __toESM(require("keytar"));
+async function saveBearerToken(token) {
+  await import_keytar.default.setPassword(KEYTAR_SERVICE, KEYTAR_ACCOUNTS.BEARER_TOKEN, token);
+  console.log(`[KeyStore] Saved bearer token: ${sanitizeToken(token)}`);
+}
+async function getBearerToken() {
+  return import_keytar.default.getPassword(KEYTAR_SERVICE, KEYTAR_ACCOUNTS.BEARER_TOKEN);
+}
+async function saveRefreshToken(token) {
+  await import_keytar.default.setPassword(KEYTAR_SERVICE, KEYTAR_ACCOUNTS.REFRESH_TOKEN, token);
+  console.log(`[KeyStore] Saved refresh token: ${sanitizeToken(token)}`);
+}
+async function getRefreshToken() {
+  return import_keytar.default.getPassword(KEYTAR_SERVICE, KEYTAR_ACCOUNTS.REFRESH_TOKEN);
+}
+async function saveDeviceCredentials(credentials) {
+  const json = JSON.stringify(credentials);
+  await import_keytar.default.setPassword(KEYTAR_SERVICE, KEYTAR_ACCOUNTS.DEVICE_CREDENTIALS, json);
+  console.log(`[KeyStore] Saved device credentials`);
+}
+async function getDeviceCredentials() {
+  const json = await import_keytar.default.getPassword(KEYTAR_SERVICE, KEYTAR_ACCOUNTS.DEVICE_CREDENTIALS);
+  if (!json) return null;
+  try {
+    return JSON.parse(json);
+  } catch {
+    console.warn("[KeyStore] Failed to parse device credentials");
+    return null;
+  }
+}
+async function getCredentials() {
+  const [bearerToken, refreshToken, deviceCredentials] = await Promise.all([
+    getBearerToken(),
+    getRefreshToken(),
+    getDeviceCredentials()
+  ]);
+  if (!bearerToken || !deviceCredentials) {
+    return null;
+  }
+  return {
+    bearerToken,
+    refreshToken: refreshToken || "",
+    deviceCredentials
+  };
+}
+async function clearCredentials() {
+  await Promise.all([
+    import_keytar.default.deletePassword(KEYTAR_SERVICE, KEYTAR_ACCOUNTS.BEARER_TOKEN),
+    import_keytar.default.deletePassword(KEYTAR_SERVICE, KEYTAR_ACCOUNTS.REFRESH_TOKEN),
+    import_keytar.default.deletePassword(KEYTAR_SERVICE, KEYTAR_ACCOUNTS.DEVICE_CREDENTIALS)
+  ]);
+  console.log("[KeyStore] Cleared all credentials");
+}
+
+// src/login.ts
+function prompt(question) {
+  const rl = readline.createInterface({
+    input: process.stdin,
+    output: process.stdout
+  });
+  return new Promise((resolve) => {
+    rl.question(question, (answer) => {
+      rl.close();
+      resolve(answer);
+    });
+  });
+}
+function createApiClient(token) {
+  return new ApiClient({
+    baseUrl: API_BASE_URL,
+    apiVersion: "v2",
+    auth: new TokenAuthAdapter(async () => token)
+  });
+}
+async function startDeviceCodeFlow() {
+  const response = await fetch(`${API_BASE_URL}/api/v2/auth/device-code`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json"
+    },
+    body: JSON.stringify({
+      clientId: OAUTH_CONFIG.clientId,
+      scope: "openid profile email offline_access"
+    })
+  });
+  if (!response.ok) {
+    const error = await response.json().catch(() => ({}));
+    throw new Error(error.message || `Device code request failed: ${response.status}`);
+  }
+  return response.json();
+}
+async function pollForToken(deviceCode, interval, expiresIn) {
+  const startTime = Date.now();
+  const expireTime = startTime + expiresIn * 1e3;
+  while (Date.now() < expireTime) {
+    await new Promise((resolve) => setTimeout(resolve, interval * 1e3));
+    const response = await fetch(`${API_BASE_URL}/api/v2/auth/device-token`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({
+        clientId: OAUTH_CONFIG.clientId,
+        deviceCode,
+        grantType: "urn:ietf:params:oauth:grant-type:device_code"
+      })
+    });
+    if (response.ok) {
+      return response.json();
+    }
+    const error = await response.json().catch(() => ({}));
+    if (error.error === "authorization_pending") {
+      continue;
+    }
+    if (error.error === "slow_down") {
+      interval += 5;
+      continue;
+    }
+    throw new Error(error.message || `Token request failed: ${response.status}`);
+  }
+  throw new Error("Device code expired");
+}
+async function getServerWrapSecret(client) {
+  const response = await client.post("/webauthn/initialize", {});
+  return base64Decode(response.serverWrapSecret);
+}
+async function getCurrentKeyBundle(client) {
+  return client.get("/webauthn/key-bundles/current");
+}
+async function registerTrustedDevice(client, keyBundleId, privateKeyBytes) {
+  const deviceKey = crypto.getRandomValues(new Uint8Array(32));
+  const deviceKeyMaterial = await crypto.subtle.importKey(
+    "raw",
+    deviceKey,
+    "AES-GCM",
+    false,
+    ["encrypt", "decrypt"]
+  );
+  const iv = crypto.getRandomValues(new Uint8Array(12));
+  const ciphertext = await crypto.subtle.encrypt(
+    { name: "AES-GCM", iv },
+    deviceKeyMaterial,
+    privateKeyBytes
+  );
+  const encryptedPayload = base64Encode(
+    new Uint8Array([
+      ...deviceKey,
+      ...iv,
+      ...new Uint8Array(ciphertext)
+    ])
+  );
+  const deviceId = getDeviceId();
+  const response = await client.post("/webauthn/credentials", {
+    userKeyBundleId: keyBundleId,
+    credentialType: "trusted-device",
+    credentialId: base64Encode(new TextEncoder().encode(deviceId)),
+    encryptedPayload,
+    devicePlatform: getDevicePlatform(),
+    deviceUserAgent: getDeviceUserAgent()
+  });
+  return {
+    credentialId: response.id,
+    encryptedPayload
+  };
+}
+async function decryptDeviceCredentials(encryptedPayload) {
+  const packed = base64Decode(encryptedPayload);
+  const deviceKey = packed.slice(0, 32);
+  const iv = packed.slice(32, 44);
+  const ciphertext = packed.slice(44);
+  const deviceKeyMaterial = await crypto.subtle.importKey(
+    "raw",
+    deviceKey,
+    "AES-GCM",
+    false,
+    ["decrypt"]
+  );
+  const plaintext = await crypto.subtle.decrypt(
+    { name: "AES-GCM", iv },
+    deviceKeyMaterial,
+    ciphertext
+  );
+  return new Uint8Array(plaintext);
+}
+async function login() {
+  console.log("\nEstateHelm Login");
+  console.log("================\n");
+  console.log("Starting authentication...");
+  const deviceCodeResponse = await startDeviceCodeFlow();
+  console.log(`
+Please visit: ${deviceCodeResponse.verificationUri}`);
+  console.log(`Enter code: ${deviceCodeResponse.userCode}
+`);
+  console.log("Opening browser...");
+  await (0, import_open.default)(deviceCodeResponse.verificationUri);
+  console.log("Waiting for authentication...");
+  const tokenResponse = await pollForToken(
+    deviceCodeResponse.deviceCode,
+    deviceCodeResponse.interval,
+    deviceCodeResponse.expiresIn
+  );
+  console.log("Authentication successful!");
+  console.log(`Token: ${sanitizeToken(tokenResponse.accessToken)}`);
+  await saveBearerToken(tokenResponse.accessToken);
+  await saveRefreshToken(tokenResponse.refreshToken);
+  const client = createApiClient(tokenResponse.accessToken);
+  console.log("\nFetching encryption keys...");
+  const serverWrapSecret = await getServerWrapSecret(client);
+  const keyBundle = await getCurrentKeyBundle(client);
+  console.log(`Key bundle: ${keyBundle.id} (${keyBundle.alg})`);
+  console.log("\nYour Recovery Key is required to decrypt your data.");
+  console.log("Format: XXXX-XXXX-XXXX-XXXX-XXXX-XXXX\n");
+  const recoveryKeyInput = await prompt("Enter your Recovery Key: ");
+  const recoveryKey = parseRecoveryKey(recoveryKeyInput.trim());
+  console.log("Recovery key validated!");
+  const wrapKey = await deriveWrapKey(recoveryKey.bytes, serverWrapSecret);
+  const privateKeyBytes = await decryptPrivateKeyWithWrapKey(
+    keyBundle.encryptedPrivateKey,
+    wrapKey
+  );
+  console.log("Private key decrypted!");
+  console.log("Registering device...");
+  const credentials = await registerTrustedDevice(client, keyBundle.id, privateKeyBytes);
+  await saveDeviceCredentials({
+    credentialId: credentials.credentialId,
+    encryptedPayload: credentials.encryptedPayload,
+    privateKeyBytes: base64Encode(privateKeyBytes)
+  });
+  console.log("\n\u2713 Login complete!");
+  console.log("You can now use: estatehelm mcp");
+}
+async function checkLogin() {
+  const credentials = await getCredentials();
+  if (!credentials) {
+    return { loggedIn: false };
+  }
+  try {
+    const client = createApiClient(credentials.bearerToken);
+    const households = await client.getHouseholds();
+    return {
+      loggedIn: true,
+      households: households.map((h) => ({ id: h.id, name: h.name }))
+    };
+  } catch (error) {
+    return { loggedIn: false };
+  }
+}
+async function logout() {
+  console.log("Logging out...");
+  const credentials = await getCredentials();
+  if (credentials) {
+    try {
+      const client = createApiClient(credentials.bearerToken);
+      await client.delete(`/webauthn/credentials/${credentials.deviceCredentials.credentialId}`);
+      console.log("Device revoked from server");
+    } catch {
+    }
+  }
+  await clearCredentials();
+  console.log("\u2713 Logged out");
+}
+async function getAuthenticatedClient() {
+  const token = await getBearerToken();
+  if (!token) return null;
+  return createApiClient(token);
+}
+async function getPrivateKey() {
+  const credentials = await getCredentials();
+  if (!credentials) return null;
+  try {
+    const privateKeyBytes = await decryptDeviceCredentials(
+      credentials.deviceCredentials.encryptedPayload
+    );
+    return importPrivateKey(privateKeyBytes);
+  } catch {
+    return null;
+  }
+}
+
+// src/server.ts
+var import_server = require("@modelcontextprotocol/sdk/server/index.js");
+var import_stdio = require("@modelcontextprotocol/sdk/server/stdio.js");
+var import_types5 = require("@modelcontextprotocol/sdk/types.js");
+
+// src/filter.ts
+var REDACTION_RULES = {
+  // Password entries
+  password: ["password", "notes"],
+  // Identity documents
+  identity: ["password", "recoveryKey", "securityAnswers"],
+  // Financial accounts
+  bank_account: ["accountNumber", "routingNumber"],
+  investment: ["accountNumber"],
+  // Access codes
+  access_code: ["code", "pin"],
+  // Credentials (show last 4 of document number)
+  credential: ["documentNumber"]
+};
+var PARTIAL_REDACTION_FIELDS = ["documentNumber", "accountNumber"];
+var REDACTED = "[REDACTED]";
+function redactEntity(entity, entityType, mode) {
+  if (mode === "full") {
+    return entity;
+  }
+  const fieldsToRedact = REDACTION_RULES[entityType] || [];
+  if (fieldsToRedact.length === 0) {
+    return entity;
+  }
+  const redacted = { ...entity };
+  for (const field of fieldsToRedact) {
+    if (field in redacted && redacted[field] != null) {
+      const value = redacted[field];
+      if (PARTIAL_REDACTION_FIELDS.includes(field) && typeof value === "string" && value.length > 4) {
+        redacted[field] = `****${value.slice(-4)}`;
+      } else {
+        redacted[field] = REDACTED;
+      }
+    }
+  }
+  return redacted;
+}
+
+// ../cache-sqlite/src/sqliteStore.ts
+var import_better_sqlite3 = __toESM(require("better-sqlite3"));
+
+// ../cache/src/schema.ts
+var DB_VERSION = 3;
+function makeCacheKey(householdId, entityType) {
+  return `${householdId}:${entityType}`;
+}
+function makeMembersCacheKey(householdId) {
+  return `_members_${householdId}`;
+}
+
+// ../cache-sqlite/src/sqliteStore.ts
+var fs2 = __toESM(require("fs"));
+var path2 = __toESM(require("path"));
+var SqliteCacheStore = class {
+  db;
+  constructor(dbPath) {
+    const dir = path2.dirname(dbPath);
+    if (!fs2.existsSync(dir)) {
+      fs2.mkdirSync(dir, { recursive: true });
+    }
+    this.db = new import_better_sqlite3.default(dbPath);
+    this.db.pragma("journal_mode = WAL");
+    this.initializeSchema();
+  }
+  initializeSchema() {
+    const versionRow = this.db.prepare(
+      "SELECT value FROM metadata WHERE key = 'schema_version'"
+    ).get();
+    const currentVersion = versionRow ? parseInt(versionRow.value, 10) : 0;
+    if (currentVersion < DB_VERSION) {
+      this.migrate(currentVersion);
+    }
+  }
+  migrate(fromVersion) {
+    console.log(`[SqliteCache] Migrating from version ${fromVersion} to ${DB_VERSION}`);
+    this.db.exec(`
+      -- Metadata table (key-value store)
+      CREATE TABLE IF NOT EXISTS metadata (
+        key TEXT PRIMARY KEY,
+        value TEXT NOT NULL
+      );
+
+      -- Cache metadata (user/household info)
+      CREATE TABLE IF NOT EXISTS cache_metadata (
+        id TEXT PRIMARY KEY DEFAULT 'metadata',
+        household_id TEXT,
+        user_id TEXT,
+        user_identity TEXT,  -- JSON
+        last_full_sync TEXT,
+        last_changelog_id INTEGER DEFAULT 0,
+        offline_enabled INTEGER DEFAULT 0,
+        created_at TEXT
+      );
+
+      -- Credentials for offline unlock
+      CREATE TABLE IF NOT EXISTS credentials (
+        user_id TEXT PRIMARY KEY,
+        credential_id TEXT NOT NULL,
+        prf_input TEXT NOT NULL,
+        cached_at TEXT NOT NULL
+      );
+
+      -- Encrypted key cache
+      CREATE TABLE IF NOT EXISTS keys (
+        user_id TEXT PRIMARY KEY,
+        household_id TEXT NOT NULL,
+        iv TEXT NOT NULL,
+        encrypted_data TEXT NOT NULL,
+        cached_at TEXT NOT NULL
+      );
+
+      -- Entity cache
+      CREATE TABLE IF NOT EXISTS entities (
+        cache_key TEXT PRIMARY KEY,
+        household_id TEXT NOT NULL,
+        entity_type TEXT NOT NULL,
+        items TEXT NOT NULL,  -- JSON array
+        last_sync TEXT NOT NULL,
+        expected_count INTEGER,
+        changelog_id INTEGER
+      );
+
+      -- Attachment cache
+      CREATE TABLE IF NOT EXISTS attachments (
+        file_id TEXT PRIMARY KEY,
+        encrypted_data BLOB NOT NULL,
+        entity_id TEXT NOT NULL,
+        entity_type TEXT NOT NULL,
+        mime_type TEXT NOT NULL,
+        key_type TEXT NOT NULL,
+        version INTEGER NOT NULL,
+        cached_at TEXT NOT NULL,
+        crypto_version INTEGER,
+        key_derivation_id TEXT
+      );
+
+      CREATE INDEX IF NOT EXISTS idx_attachments_entity_id ON attachments(entity_id);
+    `);
+    this.db.prepare(
+      "INSERT OR REPLACE INTO metadata (key, value) VALUES ('schema_version', ?)"
+    ).run(DB_VERSION.toString());
+    console.log("[SqliteCache] Migration complete");
+  }
+  // ============================================================================
+  // Metadata Operations
+  // ============================================================================
+  async getMetadata() {
+    const row = this.db.prepare(
+      "SELECT * FROM cache_metadata WHERE id = ?"
+    ).get("metadata");
+    if (!row) return null;
+    return {
+      householdId: row.household_id,
+      userId: row.user_id,
+      userIdentity: row.user_identity ? JSON.parse(row.user_identity) : void 0,
+      lastFullSync: row.last_full_sync,
+      lastChangelogId: row.last_changelog_id,
+      offlineEnabled: !!row.offline_enabled,
+      createdAt: row.created_at
+    };
+  }
+  async saveMetadata(metadata) {
+    this.db.prepare(`
+      INSERT OR REPLACE INTO cache_metadata
+      (id, household_id, user_id, user_identity, last_full_sync, last_changelog_id, offline_enabled, created_at)
+      VALUES (?, ?, ?, ?, ?, ?, ?, ?)
+    `).run(
+      "metadata",
+      metadata.householdId,
+      metadata.userId,
+      metadata.userIdentity ? JSON.stringify(metadata.userIdentity) : null,
+      metadata.lastFullSync,
+      metadata.lastChangelogId,
+      metadata.offlineEnabled ? 1 : 0,
+      metadata.createdAt
+    );
+  }
+  async getLastChangelogId() {
+    const metadata = await this.getMetadata();
+    return metadata?.lastChangelogId ?? 0;
+  }
+  async updateLastChangelogId(changelogId, householdId, userId) {
+    const existing = await this.getMetadata();
+    if (existing) {
+      this.db.prepare(
+        "UPDATE cache_metadata SET last_changelog_id = ? WHERE id = ?"
+      ).run(changelogId, "metadata");
+    } else if (householdId && userId) {
+      await this.saveMetadata({
+        householdId,
+        userId,
+        lastFullSync: null,
+        lastChangelogId: changelogId,
+        offlineEnabled: false,
+        createdAt: (/* @__PURE__ */ new Date()).toISOString()
+      });
+    }
+  }
+  // ============================================================================
+  // Credential Operations
+  // ============================================================================
+  async hasOfflineCredential(userId) {
+    const row = this.db.prepare(
+      "SELECT 1 FROM credentials WHERE user_id = ?"
+    ).get(userId);
+    return !!row;
+  }
+  async getOfflineCredential(userId) {
+    const row = this.db.prepare(
+      "SELECT * FROM credentials WHERE user_id = ?"
+    ).get(userId);
+    if (!row) return null;
+    return {
+      userId: row.user_id,
+      credentialId: row.credential_id,
+      prfInput: row.prf_input,
+      cachedAt: row.cached_at
+    };
+  }
+  async saveOfflineCredential(credential) {
+    this.db.prepare(`
+      INSERT OR REPLACE INTO credentials (user_id, credential_id, prf_input, cached_at)
+      VALUES (?, ?, ?, ?)
+    `).run(
+      credential.userId,
+      credential.credentialId,
+      credential.prfInput,
+      credential.cachedAt
+    );
+    console.log("[SqliteCache] Saved offline credential for user:", credential.userId);
+  }
+  async removeOfflineCredential(userId) {
+    this.db.prepare("DELETE FROM credentials WHERE user_id = ?").run(userId);
+  }
+  // ============================================================================
+  // Key Cache Operations
+  // ============================================================================
+  async getKeyCache(userId) {
+    const row = this.db.prepare(
+      "SELECT * FROM keys WHERE user_id = ?"
+    ).get(userId);
+    if (!row) return null;
+    return {
+      userId: row.user_id,
+      householdId: row.household_id,
+      iv: row.iv,
+      encryptedData: row.encrypted_data,
+      cachedAt: row.cached_at
+    };
+  }
+  async saveKeyCache(keyCache) {
+    this.db.prepare(`
+      INSERT OR REPLACE INTO keys (user_id, household_id, iv, encrypted_data, cached_at)
+      VALUES (?, ?, ?, ?, ?)
+    `).run(
+      keyCache.userId,
+      keyCache.householdId,
+      keyCache.iv,
+      keyCache.encryptedData,
+      keyCache.cachedAt
+    );
+    console.log("[SqliteCache] Saved encrypted keys for user:", keyCache.userId);
+  }
+  async removeKeyCache(userId) {
+    this.db.prepare("DELETE FROM keys WHERE user_id = ?").run(userId);
+  }
+  // ============================================================================
+  // Entity Cache Operations
+  // ============================================================================
+  async getEntityCache(householdId, entityType) {
+    const cacheKey = makeCacheKey(householdId, entityType);
+    const row = this.db.prepare(
+      "SELECT * FROM entities WHERE cache_key = ?"
+    ).get(cacheKey);
+    if (!row) return null;
+    const entry = {
+      cacheKey: row.cache_key,
+      householdId: row.household_id,
+      entityType: row.entity_type,
+      items: JSON.parse(row.items),
+      lastSync: row.last_sync,
+      expectedCount: row.expected_count,
+      changelogId: row.changelog_id
+    };
+    if (entry.expectedCount === void 0 || entry.items.length !== entry.expectedCount) {
+      return null;
+    }
+    if (entry.changelogId === void 0) {
+      return null;
+    }
+    return entry;
+  }
+  async getAllEntityCaches(householdId) {
+    const query = householdId ? "SELECT * FROM entities WHERE household_id = ?" : "SELECT * FROM entities";
+    const rows = householdId ? this.db.prepare(query).all(householdId) : this.db.prepare(query).all();
+    return rows.map((row) => ({
+      cacheKey: row.cache_key,
+      householdId: row.household_id,
+      entityType: row.entity_type,
+      items: JSON.parse(row.items),
+      lastSync: row.last_sync,
+      expectedCount: row.expected_count,
+      changelogId: row.changelog_id
+    }));
+  }
+  async saveEntityCache(householdId, entityType, items, changelogId) {
+    const cacheKey = makeCacheKey(householdId, entityType);
+    this.db.prepare(`
+      INSERT OR REPLACE INTO entities
+      (cache_key, household_id, entity_type, items, last_sync, expected_count, changelog_id)
+      VALUES (?, ?, ?, ?, ?, ?, ?)
+    `).run(
+      cacheKey,
+      householdId,
+      entityType,
+      JSON.stringify(items),
+      (/* @__PURE__ */ new Date()).toISOString(),
+      items.length,
+      changelogId
+    );
+  }
+  async updateEntityInCache(householdId, entity) {
+    const { entityType } = entity;
+    const cacheKey = makeCacheKey(householdId, entityType);
+    const existing = await this.getEntityCache(householdId, entityType);
+    const items = existing?.items || [];
+    const existingIndex = items.findIndex((e) => e.id === entity.id);
+    const isUpdate = existingIndex >= 0;
+    if (isUpdate) {
+      items[existingIndex] = entity;
+    } else {
+      items.push(entity);
+    }
+    this.db.prepare(`
+      INSERT OR REPLACE INTO entities
+      (cache_key, household_id, entity_type, items, last_sync, expected_count, changelog_id)
+      VALUES (?, ?, ?, ?, ?, ?, ?)
+    `).run(
+      cacheKey,
+      householdId,
+      entityType,
+      JSON.stringify(items),
+      (/* @__PURE__ */ new Date()).toISOString(),
+      items.length,
+      existing?.changelogId ?? null
+    );
+    return isUpdate;
+  }
+  async removeEntityFromCache(householdId, entityType, entityId) {
+    const cacheKey = makeCacheKey(householdId, entityType);
+    const existing = await this.getEntityCache(householdId, entityType);
+    if (!existing) return;
+    const items = existing.items.filter((e) => e.id !== entityId);
+    this.db.prepare(`
+      UPDATE entities SET items = ?, expected_count = ?, last_sync = ? WHERE cache_key = ?
+    `).run(
+      JSON.stringify(items),
+      items.length,
+      (/* @__PURE__ */ new Date()).toISOString(),
+      cacheKey
+    );
+  }
+  async getEntityVersions(householdId, entityType) {
+    const cache = await this.getEntityCache(householdId, entityType);
+    const versions = /* @__PURE__ */ new Map();
+    if (cache) {
+      for (const entity of cache.items) {
+        versions.set(entity.id, entity.version);
+      }
+    }
+    return versions;
+  }
+  // ============================================================================
+  // Household Members Cache
+  // ============================================================================
+  async getHouseholdMembersCache(householdId) {
+    const cacheKey = makeMembersCacheKey(householdId);
+    const row = this.db.prepare(
+      "SELECT * FROM entities WHERE cache_key = ?"
+    ).get(cacheKey);
+    if (!row) return null;
+    const items = JSON.parse(row.items);
+    if (!items.members) return null;
+    return {
+      householdId: row.household_id,
+      members: items.members,
+      cachedAt: items.cachedAt || row.last_sync
+    };
+  }
+  async saveHouseholdMembersCache(householdId, members) {
+    const cacheKey = makeMembersCacheKey(householdId);
+    const cachedAt = (/* @__PURE__ */ new Date()).toISOString();
+    this.db.prepare(`
+      INSERT OR REPLACE INTO entities
+      (cache_key, household_id, entity_type, items, last_sync, expected_count)
+      VALUES (?, ?, ?, ?, ?, ?)
+    `).run(
+      cacheKey,
+      householdId,
+      "_members",
+      JSON.stringify({ members, cachedAt }),
+      cachedAt,
+      members.length
+    );
+  }
+  // ============================================================================
+  // Attachment Cache Operations
+  // ============================================================================
+  async getAttachmentCache(fileId) {
+    const row = this.db.prepare(
+      "SELECT * FROM attachments WHERE file_id = ?"
+    ).get(fileId);
+    if (!row) return null;
+    return {
+      fileId: row.file_id,
+      encryptedData: row.encrypted_data,
+      entityId: row.entity_id,
+      entityType: row.entity_type,
+      mimeType: row.mime_type,
+      keyType: row.key_type,
+      version: row.version,
+      cachedAt: row.cached_at,
+      cryptoVersion: row.crypto_version,
+      keyDerivationId: row.key_derivation_id
+    };
+  }
+  async saveAttachmentCache(attachment) {
+    let data;
+    if (attachment.encryptedData instanceof Buffer) {
+      data = attachment.encryptedData;
+    } else if (attachment.encryptedData instanceof Blob) {
+      const arrayBuffer = await attachment.encryptedData.arrayBuffer();
+      data = Buffer.from(arrayBuffer);
+    } else {
+      data = Buffer.from(attachment.encryptedData);
+    }
+    this.db.prepare(`
+      INSERT OR REPLACE INTO attachments
+      (file_id, encrypted_data, entity_id, entity_type, mime_type, key_type, version, cached_at, crypto_version, key_derivation_id)
+      VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+    `).run(
+      attachment.fileId,
+      data,
+      attachment.entityId,
+      attachment.entityType,
+      attachment.mimeType,
+      attachment.keyType,
+      attachment.version,
+      attachment.cachedAt,
+      attachment.cryptoVersion ?? null,
+      attachment.keyDerivationId ?? null
+    );
+    console.log("[SqliteCache] Cached attachment:", attachment.fileId);
+  }
+  async removeAttachmentCache(fileId) {
+    this.db.prepare("DELETE FROM attachments WHERE file_id = ?").run(fileId);
+  }
+  async getAttachmentsForEntity(entityId) {
+    const rows = this.db.prepare(
+      "SELECT * FROM attachments WHERE entity_id = ?"
+    ).all(entityId);
+    return rows.map((row) => ({
+      fileId: row.file_id,
+      encryptedData: row.encrypted_data,
+      entityId: row.entity_id,
+      entityType: row.entity_type,
+      mimeType: row.mime_type,
+      keyType: row.key_type,
+      version: row.version,
+      cachedAt: row.cached_at,
+      cryptoVersion: row.crypto_version,
+      keyDerivationId: row.key_derivation_id
+    }));
+  }
+  // ============================================================================
+  // Cache Management
+  // ============================================================================
+  async clearAllCache() {
+    this.db.exec(`
+      DELETE FROM cache_metadata;
+      DELETE FROM credentials;
+      DELETE FROM keys;
+      DELETE FROM entities;
+      DELETE FROM attachments;
+    `);
+    console.log("[SqliteCache] All cache data cleared");
+  }
+  async clearUserCache(userId) {
+    this.db.exec("DELETE FROM cache_metadata");
+    this.db.prepare("DELETE FROM credentials WHERE user_id = ?").run(userId);
+    this.db.prepare("DELETE FROM keys WHERE user_id = ?").run(userId);
+    this.db.exec("DELETE FROM entities");
+    this.db.exec("DELETE FROM attachments");
+    console.log("[SqliteCache] User cache cleared:", userId);
+  }
+  async isOfflineCacheAvailable(userId) {
+    const [metadata, credential, keys] = await Promise.all([
+      this.getMetadata(),
+      this.getOfflineCredential(userId),
+      this.getKeyCache(userId)
+    ]);
+    return !!(metadata && metadata.offlineEnabled && metadata.userId === userId && credential && keys);
+  }
+  async getCacheStats() {
+    const metadata = await this.getMetadata();
+    const entityCaches = await this.getAllEntityCaches();
+    const attachmentCount = this.db.prepare(
+      "SELECT COUNT(*) as count FROM attachments"
+    ).get().count;
+    return {
+      entityTypes: entityCaches.length,
+      totalEntities: entityCaches.reduce((sum, cache) => sum + cache.items.length, 0),
+      attachments: attachmentCount,
+      lastSync: metadata?.lastFullSync || null
+    };
+  }
+  async close() {
+    this.db.close();
+    console.log("[SqliteCache] Database closed");
+  }
+};
+
+// src/cache.ts
+var cacheStore = null;
+var decryptedCache = /* @__PURE__ */ new Map();
+var householdKeysCache = /* @__PURE__ */ new Map();
+var householdsCache = [];
+async function initCache() {
+  if (!cacheStore) {
+    cacheStore = new SqliteCacheStore(CACHE_DB_PATH);
+    console.error(`[Cache] Initialized at ${CACHE_DB_PATH}`);
+  }
+}
+function getCache() {
+  if (!cacheStore) {
+    throw new Error("Cache not initialized. Call initCache() first.");
+  }
+  return cacheStore;
+}
+async function closeCache() {
+  if (cacheStore) {
+    await cacheStore.close();
+    cacheStore = null;
+  }
+  decryptedCache.clear();
+  householdKeysCache.clear();
+}
+async function clearCache() {
+  const cache = getCache();
+  await cache.clearAllCache();
+  decryptedCache.clear();
+  householdKeysCache.clear();
+  householdsCache = [];
+  console.error("[Cache] Cleared");
+}
+async function syncIfNeeded(client, privateKey, force = false) {
+  const cache = getCache();
+  const households = await client.getHouseholds();
+  householdsCache = households.map((h) => ({ id: h.id, name: h.name }));
+  let synced = false;
+  for (const household of households) {
+    await loadHouseholdKeys(client, household.id, privateKey);
+    const localChangelogId = await cache.getLastChangelogId();
+    if (!force && localChangelogId > 0) {
+      try {
+        const response = await client.get(
+          `/households/${household.id}/sync/changes?latestOnly=true`
+        );
+        if (response.latestChangelogId <= localChangelogId) {
+          console.error(`[Cache] Household ${household.id} up to date (changelog ${localChangelogId})`);
+          continue;
+        }
+        console.error(`[Cache] Household ${household.id} has changes (${localChangelogId} -> ${response.latestChangelogId})`);
+      } catch (err) {
+        console.error(`[Cache] Failed to check changelog for ${household.id}:`, err);
+        continue;
+      }
+    }
+    await syncHousehold(client, household.id, cache);
+    synced = true;
+  }
+  return synced;
+}
+async function syncHousehold(client, householdId, cache) {
+  const entityTypes = [
+    "pet",
+    "property",
+    "vehicle",
+    "contact",
+    "insurance",
+    "bank_account",
+    "investment",
+    "subscription",
+    "maintenance_task",
+    "password",
+    "access_code",
+    "document",
+    "medical",
+    "prescription",
+    "credential",
+    "utility"
+  ];
+  let latestChangelogId = 0;
+  for (const entityType of entityTypes) {
+    try {
+      const response = await client.getEntities(householdId, { entityType, batched: false });
+      const items = response.items || [];
+      const cachedItems = items.map((item) => ({
+        id: item.id,
+        entityType: item.entityType,
+        encryptedData: item.encryptedData,
+        keyType: item.keyType,
+        householdId: item.householdId,
+        ownerUserId: item.ownerUserId,
+        version: item.version,
+        createdAt: item.createdAt,
+        updatedAt: item.updatedAt,
+        cachedAt: (/* @__PURE__ */ new Date()).toISOString()
+      }));
+      const changelogResponse = await client.get(
+        `/households/${householdId}/sync/changes?latestOnly=true`
+      );
+      latestChangelogId = Math.max(latestChangelogId, changelogResponse.latestChangelogId);
+      await cache.saveEntityCache(householdId, entityType, cachedItems, latestChangelogId);
+      console.error(`[Cache] Synced ${items.length} ${entityType}(s) for household ${householdId}`);
+    } catch (err) {
+      if (err.status !== 404) {
+        console.error(`[Cache] Failed to sync ${entityType} for ${householdId}:`, err.message);
+      }
+    }
+  }
+  await cache.updateLastChangelogId(latestChangelogId, householdId);
+}
+async function loadHouseholdKeys(client, householdId, privateKey) {
+  if (householdKeysCache.has(`${householdId}:general`)) {
+    return;
+  }
+  try {
+    const keys = await client.getHouseholdKeys(householdId);
+    for (const key of keys) {
+      const cacheKey = `${householdId}:${key.keyType}`;
+      if (householdKeysCache.has(cacheKey)) {
+        continue;
+      }
+      const householdKeyBytes = await unwrapHouseholdKey(
+        key.encryptedKey,
+        privateKey
+      );
+      householdKeysCache.set(cacheKey, householdKeyBytes);
+    }
+    console.error(`[Cache] Loaded ${keys.length} keys for household ${householdId}`);
+  } catch (err) {
+    console.error(`[Cache] Failed to load keys for household ${householdId}:`, err);
+    throw err;
+  }
+}
+function getHouseholdKey(householdId, keyType) {
+  return householdKeysCache.get(`${householdId}:${keyType}`);
+}
+async function getDecryptedEntities(householdId, entityType, privateKey) {
+  const cache = getCache();
+  const cacheEntry = await cache.getEntityCache(householdId, entityType);
+  if (!cacheEntry || cacheEntry.items.length === 0) {
+    return [];
+  }
+  const results = [];
+  for (const item of cacheEntry.items) {
+    const decryptCacheKey = `${householdId}:${entityType}:${item.id}`;
+    if (decryptedCache.has(decryptCacheKey)) {
+      results.push(decryptedCache.get(decryptCacheKey));
+      continue;
+    }
+    try {
+      const keyType = getKeyTypeForEntity(entityType);
+      const householdKeyBytes = getHouseholdKey(householdId, keyType);
+      if (!householdKeyBytes) {
+        console.error(`[Cache] No key for ${householdId}:${keyType}`);
+        continue;
+      }
+      const { iv, ciphertext } = unpackEncryptedBlob(item.encryptedData);
+      const encryptedEntity = {
+        entityId: item.id,
+        entityType: item.entityType,
+        keyType: item.keyType,
+        ciphertext: base64Encode(ciphertext),
+        iv: base64Encode(iv),
+        encryptedAt: new Date(item.createdAt),
+        derivedEntityKey: new Uint8Array()
+      };
+      const decrypted = await decryptEntity(
+        householdKeyBytes,
+        encryptedEntity
+      );
+      const entity = {
+        ...decrypted,
+        id: item.id,
+        entityType: item.entityType,
+        householdId: item.householdId,
+        version: item.version,
+        createdAt: item.createdAt,
+        updatedAt: item.updatedAt
+      };
+      decryptedCache.set(decryptCacheKey, entity);
+      results.push(entity);
+    } catch (err) {
+      console.error(`[Cache] Failed to decrypt ${entityType}:${item.id}:`, err);
+    }
+  }
+  return results;
+}
+async function getHouseholds() {
+  return householdsCache;
+}
+async function getCacheStats() {
+  const cache = getCache();
+  return cache.getCacheStats();
+}
+
+// src/server.ts
+async function startServer(mode) {
+  const config = loadConfig();
+  const privacyMode = mode || config.defaultMode;
+  console.error(`[MCP] Starting server in ${privacyMode} mode`);
+  const client = await getAuthenticatedClient();
+  if (!client) {
+    console.error("[MCP] Not logged in. Run: estatehelm login");
+    process.exit(1);
+  }
+  const privateKey = await getPrivateKey();
+  if (!privateKey) {
+    console.error("[MCP] Failed to load encryption keys. Run: estatehelm login");
+    process.exit(1);
+  }
+  await initCache();
+  console.error("[MCP] Checking for updates...");
+  const synced = await syncIfNeeded(client, privateKey);
+  if (synced) {
+    console.error("[MCP] Cache updated");
+  } else {
+    console.error("[MCP] Cache is up to date");
+  }
+  const server = new import_server.Server(
+    {
+      name: "estatehelm",
+      version: "1.0.0"
+    },
+    {
+      capabilities: {
+        resources: {},
+        tools: {},
+        prompts: {}
+      }
+    }
+  );
+  server.setRequestHandler(import_types5.ListResourcesRequestSchema, async () => {
+    const households = await getHouseholds();
+    const resources = [
+      {
+        uri: "estatehelm://households",
+        name: "All Households",
+        description: "List of all households you have access to",
+        mimeType: "application/json"
+      }
+    ];
+    for (const household of households) {
+      resources.push({
+        uri: `estatehelm://households/${household.id}`,
+        name: household.name,
+        description: `Household: ${household.name}`,
+        mimeType: "application/json"
+      });
+      const entityTypes = [
+        "pet",
+        "property",
+        "vehicle",
+        "contact",
+        "insurance",
+        "bank_account",
+        "investment",
+        "subscription",
+        "maintenance_task",
+        "password",
+        "access_code",
+        "document",
+        "medical",
+        "prescription",
+        "credential",
+        "utility"
+      ];
+      for (const type of entityTypes) {
+        resources.push({
+          uri: `estatehelm://households/${household.id}/${type}`,
+          name: `${household.name} - ${formatEntityType(type)}`,
+          description: `${formatEntityType(type)} in ${household.name}`,
+          mimeType: "application/json"
+        });
+      }
+    }
+    return { resources };
+  });
+  server.setRequestHandler(import_types5.ReadResourceRequestSchema, async (request) => {
+    const uri = request.params.uri;
+    const parsed = parseResourceUri(uri);
+    if (!parsed) {
+      throw new Error(`Invalid resource URI: ${uri}`);
+    }
+    let content;
+    if (parsed.type === "households" && !parsed.householdId) {
+      content = await getHouseholds();
+    } else if (parsed.type === "households" && parsed.householdId && !parsed.entityType) {
+      const households = await getHouseholds();
+      content = households.find((h) => h.id === parsed.householdId);
+      if (!content) {
+        throw new Error(`Household not found: ${parsed.householdId}`);
+      }
+    } else if (parsed.householdId && parsed.entityType) {
+      const entities = await getDecryptedEntities(parsed.householdId, parsed.entityType, privateKey);
+      content = entities.map((e) => redactEntity(e, parsed.entityType, privacyMode));
+    } else {
+      throw new Error(`Unsupported resource: ${uri}`);
+    }
+    return {
+      contents: [
+        {
+          uri,
+          mimeType: "application/json",
+          text: JSON.stringify(content, null, 2)
+        }
+      ]
+    };
+  });
+  server.setRequestHandler(import_types5.ListToolsRequestSchema, async () => {
+    return {
+      tools: [
+        {
+          name: "search_entities",
+          description: "Search across all entities in EstateHelm",
+          inputSchema: {
+            type: "object",
+            properties: {
+              query: {
+                type: "string",
+                description: "Search query"
+              },
+              householdId: {
+                type: "string",
+                description: "Optional: Limit search to a specific household"
+              },
+              entityType: {
+                type: "string",
+                description: "Optional: Limit search to a specific entity type"
+              }
+            },
+            required: ["query"]
+          }
+        },
+        {
+          name: "get_household_summary",
+          description: "Get a summary of a household including counts and key dates",
+          inputSchema: {
+            type: "object",
+            properties: {
+              householdId: {
+                type: "string",
+                description: "The household ID"
+              }
+            },
+            required: ["householdId"]
+          }
+        },
+        {
+          name: "get_expiring_items",
+          description: "Get items expiring within a given number of days",
+          inputSchema: {
+            type: "object",
+            properties: {
+              days: {
+                type: "number",
+                description: "Number of days to look ahead (default: 30)"
+              },
+              householdId: {
+                type: "string",
+                description: "Optional: Limit to a specific household"
+              }
+            }
+          }
+        },
+        {
+          name: "refresh",
+          description: "Force refresh of cached data from the server",
+          inputSchema: {
+            type: "object",
+            properties: {}
+          }
+        }
+      ]
+    };
+  });
+  server.setRequestHandler(import_types5.CallToolRequestSchema, async (request) => {
+    const { name, arguments: args } = request.params;
+    switch (name) {
+      case "search_entities": {
+        const { query, householdId, entityType } = args;
+        const households = await getHouseholds();
+        const searchHouseholds = householdId ? households.filter((h) => h.id === householdId) : households;
+        const results = [];
+        for (const household of searchHouseholds) {
+          const entityTypes = entityType ? [entityType] : [
+            "pet",
+            "property",
+            "vehicle",
+            "contact",
+            "insurance",
+            "bank_account",
+            "investment",
+            "subscription",
+            "maintenance_task",
+            "password",
+            "access_code"
+          ];
+          for (const type of entityTypes) {
+            const entities = await getDecryptedEntities(household.id, type, privateKey);
+            const matches = entities.filter((e) => searchEntity(e, query));
+            for (const match of matches) {
+              results.push({
+                householdId: household.id,
+                householdName: household.name,
+                entityType: type,
+                entity: redactEntity(match, type, privacyMode)
+              });
+            }
+          }
+        }
+        return {
+          content: [
+            {
+              type: "text",
+              text: JSON.stringify(results, null, 2)
+            }
+          ]
+        };
+      }
+      case "get_household_summary": {
+        const { householdId } = args;
+        const households = await getHouseholds();
+        const household = households.find((h) => h.id === householdId);
+        if (!household) {
+          throw new Error(`Household not found: ${householdId}`);
+        }
+        const entityTypes = [
+          "pet",
+          "property",
+          "vehicle",
+          "contact",
+          "insurance",
+          "bank_account",
+          "investment",
+          "subscription",
+          "maintenance_task",
+          "password",
+          "access_code"
+        ];
+        const counts = {};
+        for (const type of entityTypes) {
+          const entities = await getDecryptedEntities(householdId, type, privateKey);
+          counts[type] = entities.length;
+        }
+        const summary = {
+          household: {
+            id: household.id,
+            name: household.name
+          },
+          counts,
+          totalEntities: Object.values(counts).reduce((a, b) => a + b, 0)
+        };
+        return {
+          content: [
+            {
+              type: "text",
+              text: JSON.stringify(summary, null, 2)
+            }
+          ]
+        };
+      }
+      case "get_expiring_items": {
+        const { days = 30, householdId } = args;
+        const households = await getHouseholds();
+        const searchHouseholds = householdId ? households.filter((h) => h.id === householdId) : households;
+        const now = /* @__PURE__ */ new Date();
+        const cutoff = new Date(now.getTime() + days * 24 * 60 * 60 * 1e3);
+        const expiring = [];
+        for (const household of searchHouseholds) {
+          const insurance = await getDecryptedEntities(household.id, "insurance", privateKey);
+          for (const policy of insurance) {
+            if (policy.expirationDate) {
+              const expires = new Date(policy.expirationDate);
+              if (expires <= cutoff) {
+                expiring.push({
+                  householdId: household.id,
+                  householdName: household.name,
+                  type: "insurance",
+                  name: policy.name || policy.policyNumber,
+                  expiresAt: policy.expirationDate,
+                  daysUntil: Math.ceil((expires.getTime() - now.getTime()) / (24 * 60 * 60 * 1e3))
+                });
+              }
+            }
+          }
+          const vehicles = await getDecryptedEntities(household.id, "vehicle", privateKey);
+          for (const vehicle of vehicles) {
+            if (vehicle.registrationExpiration) {
+              const expires = new Date(vehicle.registrationExpiration);
+              if (expires <= cutoff) {
+                expiring.push({
+                  householdId: household.id,
+                  householdName: household.name,
+                  type: "vehicle_registration",
+                  name: `${vehicle.year || ""} ${vehicle.make || ""} ${vehicle.model || ""}`.trim(),
+                  expiresAt: vehicle.registrationExpiration,
+                  daysUntil: Math.ceil((expires.getTime() - now.getTime()) / (24 * 60 * 60 * 1e3))
+                });
+              }
+            }
+          }
+          const subscriptions = await getDecryptedEntities(household.id, "subscription", privateKey);
+          for (const sub of subscriptions) {
+            if (sub.renewalDate) {
+              const renews = new Date(sub.renewalDate);
+              if (renews <= cutoff) {
+                expiring.push({
+                  householdId: household.id,
+                  householdName: household.name,
+                  type: "subscription",
+                  name: sub.name || sub.serviceName,
+                  expiresAt: sub.renewalDate,
+                  daysUntil: Math.ceil((renews.getTime() - now.getTime()) / (24 * 60 * 60 * 1e3))
+                });
+              }
+            }
+          }
+        }
+        expiring.sort((a, b) => a.daysUntil - b.daysUntil);
+        return {
+          content: [
+            {
+              type: "text",
+              text: JSON.stringify(expiring, null, 2)
+            }
+          ]
+        };
+      }
+      case "refresh": {
+        const synced2 = await syncIfNeeded(client, privateKey, true);
+        return {
+          content: [
+            {
+              type: "text",
+              text: synced2 ? "Cache refreshed with latest data" : "Cache was already up to date"
+            }
+          ]
+        };
+      }
+      default:
+        throw new Error(`Unknown tool: ${name}`);
+    }
+  });
+  server.setRequestHandler(import_types5.ListPromptsRequestSchema, async () => {
+    return {
+      prompts: [
+        {
+          name: "household_summary",
+          description: "Get an overview of a household",
+          arguments: [
+            {
+              name: "householdId",
+              description: "Optional household ID (uses first household if not specified)",
+              required: false
+            }
+          ]
+        },
+        {
+          name: "expiring_soon",
+          description: "Show items expiring soon",
+          arguments: [
+            {
+              name: "days",
+              description: "Number of days to look ahead (default: 30)",
+              required: false
+            }
+          ]
+        },
+        {
+          name: "emergency_contacts",
+          description: "Show emergency contacts",
+          arguments: []
+        }
+      ]
+    };
+  });
+  server.setRequestHandler(import_types5.GetPromptRequestSchema, async (request) => {
+    const { name, arguments: args } = request.params;
+    switch (name) {
+      case "household_summary": {
+        const householdId = args?.householdId;
+        const households = await getHouseholds();
+        const household = householdId ? households.find((h) => h.id === householdId) : households[0];
+        if (!household) {
+          throw new Error("No household found");
+        }
+        return {
+          messages: [
+            {
+              role: "user",
+              content: {
+                type: "text",
+                text: `Please give me an overview of my household "${household.name}". Include counts of different items, any upcoming expirations, and notable information.`
+              }
+            }
+          ]
+        };
+      }
+      case "expiring_soon": {
+        const days = args?.days || 30;
+        return {
+          messages: [
+            {
+              role: "user",
+              content: {
+                type: "text",
+                text: `What items are expiring in the next ${days} days? Include insurance policies, vehicle registrations, subscriptions, and any other items with expiration dates.`
+              }
+            }
+          ]
+        };
+      }
+      case "emergency_contacts": {
+        return {
+          messages: [
+            {
+              role: "user",
+              content: {
+                type: "text",
+                text: "Show me all emergency contacts across my households. Include their names, phone numbers, and relationship to the household."
+              }
+            }
+          ]
+        };
+      }
+      default:
+        throw new Error(`Unknown prompt: ${name}`);
+    }
+  });
+  const transport = new import_stdio.StdioServerTransport();
+  await server.connect(transport);
+  console.error("[MCP] Server started");
+}
+function parseResourceUri(uri) {
+  const match = uri.match(/^estatehelm:\/\/([^/]+)(?:\/([^/]+))?(?:\/([^/]+))?(?:\/([^/]+))?$/);
+  if (!match) return null;
+  const [, type, householdId, entityType, entityId] = match;
+  return { type, householdId, entityType, entityId };
+}
+function formatEntityType(type) {
+  return type.split("_").map((word) => word.charAt(0).toUpperCase() + word.slice(1)).join(" ");
+}
+function searchEntity(entity, query) {
+  const lowerQuery = query.toLowerCase();
+  const searchFields = [
+    "name",
+    "title",
+    "description",
+    "notes",
+    "make",
+    "model",
+    "policyNumber",
+    "serviceName",
+    "username",
+    "email"
+  ];
+  for (const field of searchFields) {
+    if (entity[field] && String(entity[field]).toLowerCase().includes(lowerQuery)) {
+      return true;
+    }
+  }
+  return false;
+}
+
+// src/index.ts
+var program = new import_commander.Command();
+program.name("estatehelm").description("EstateHelm CLI - MCP server for AI assistants").version("1.0.0");
+program.command("login").description("Authenticate with EstateHelm").action(async () => {
+  try {
+    await login();
+  } catch (err) {
+    console.error("Login failed:", err.message);
+    process.exit(1);
+  }
+});
+program.command("logout").description("Remove credentials and revoke device").action(async () => {
+  try {
+    await initCache();
+    await clearCache();
+    await closeCache();
+    await logout();
+  } catch (err) {
+    console.error("Logout failed:", err.message);
+    process.exit(1);
+  }
+});
+program.command("mcp").description("Start the MCP server").option("-m, --mode <mode>", "Privacy mode: full or safe", "full").option("--poll <interval>", "Background sync interval (e.g., 15m)").action(async (options) => {
+  try {
+    const mode = options.mode;
+    if (mode !== "full" && mode !== "safe") {
+      console.error('Invalid mode. Use "full" or "safe".');
+      process.exit(1);
+    }
+    await startServer(mode);
+  } catch (err) {
+    console.error("MCP server failed:", err.message);
+    process.exit(1);
+  }
+});
+program.command("status").description("Show current login status and cache info").action(async () => {
+  try {
+    const status = await checkLogin();
+    if (!status.loggedIn) {
+      console.log("Not logged in.");
+      console.log("Run: estatehelm login");
+      return;
+    }
+    console.log("\u2713 Logged in");
+    if (status.households && status.households.length > 0) {
+      console.log(`\u2713 Households: ${status.households.map((h) => h.name).join(", ")}`);
+    }
+    try {
+      await initCache();
+      const stats = await getCacheStats();
+      console.log(`\u2713 Cache: ${stats.totalEntities} entities, ${stats.entityTypes} types`);
+      if (stats.lastSync) {
+        console.log(`\u2713 Last sync: ${stats.lastSync}`);
+      }
+      await closeCache();
+    } catch {
+      console.log("\u2713 Cache: Not initialized");
+    }
+    const config = loadConfig();
+    console.log(`\u2713 Default mode: ${config.defaultMode}`);
+  } catch (err) {
+    console.error("Status check failed:", err.message);
+    process.exit(1);
+  }
+});
+program.command("sync").description("Force sync cache from server").action(async () => {
+  try {
+    console.log("Syncing...");
+    const client = await getAuthenticatedClient();
+    if (!client) {
+      console.error("Not logged in. Run: estatehelm login");
+      process.exit(1);
+    }
+    const privateKey = await getPrivateKey();
+    if (!privateKey) {
+      console.error("Failed to load encryption keys. Run: estatehelm login");
+      process.exit(1);
+    }
+    await initCache();
+    await syncIfNeeded(client, privateKey, true);
+    const stats = await getCacheStats();
+    console.log(`\u2713 Synced: ${stats.totalEntities} entities, ${stats.entityTypes} types`);
+    await closeCache();
+  } catch (err) {
+    console.error("Sync failed:", err.message);
+    process.exit(1);
+  }
+});
+var cacheCommand = program.command("cache").description("Cache management commands");
+cacheCommand.command("clear").description("Clear local cache").action(async () => {
+  try {
+    await initCache();
+    await clearCache();
+    await closeCache();
+    console.log("\u2713 Cache cleared");
+  } catch (err) {
+    console.error("Failed to clear cache:", err.message);
+    process.exit(1);
+  }
+});
+cacheCommand.command("stats").description("Show cache statistics").action(async () => {
+  try {
+    await initCache();
+    const stats = await getCacheStats();
+    console.log("Cache Statistics:");
+    console.log(`  Entity types: ${stats.entityTypes}`);
+    console.log(`  Total entities: ${stats.totalEntities}`);
+    console.log(`  Attachments: ${stats.attachments}`);
+    console.log(`  Last sync: ${stats.lastSync || "Never"}`);
+    await closeCache();
+  } catch (err) {
+    console.error("Failed to get cache stats:", err.message);
+    process.exit(1);
+  }
+});
+var configCommand = program.command("config").description("Configuration management");
+configCommand.command("set <key> <value>").description("Set a configuration value").action((key, value) => {
+  try {
+    const config = loadConfig();
+    if (key === "defaultMode") {
+      if (value !== "full" && value !== "safe") {
+        console.error('Invalid mode. Use "full" or "safe".');
+        process.exit(1);
+      }
+      config.defaultMode = value;
+    } else {
+      console.error(`Unknown config key: ${key}`);
+      process.exit(1);
+    }
+    saveConfig(config);
+    console.log(`\u2713 Set ${key} = ${value}`);
+  } catch (err) {
+    console.error("Failed to set config:", err.message);
+    process.exit(1);
+  }
+});
+configCommand.command("get [key]").description("Get configuration value(s)").action((key) => {
+  try {
+    const config = loadConfig();
+    if (key) {
+      const value = config[key];
+      if (value === void 0) {
+        console.error(`Unknown config key: ${key}`);
+        process.exit(1);
+      }
+      console.log(value);
+    } else {
+      console.log("Configuration:");
+      for (const [k, v] of Object.entries(config)) {
+        console.log(`  ${k}: ${v}`);
+      }
+    }
+  } catch (err) {
+    console.error("Failed to get config:", err.message);
+    process.exit(1);
+  }
+});
+program.parse();
+//# sourceMappingURL=index.js.map