unotoken 0.1.0

package/dist/signatures/approval-codes.js

@@ -0,0 +1,407 @@
+/**
+ * Approval code engine for unotoken device signatures.
+ *
+ * Generates and verifies 6-digit numeric codes used to approve new devices.
+ * Codes are cryptographically random, time-limited, and rate-limited.
+ *
+ * Security properties:
+ * - Codes generated with crypto.randomInt (not Math.random)
+ * - Codes stored as SHA-256 hashes in the database (never plaintext)
+ * - Codes expire after 5 minutes (configurable)
+ * - Maximum 3 verification attempts per code (brute-force protection)
+ * - Maximum 3 codes per device fingerprint per hour (rate limiting)
+ * - Expired/used codes cleaned up on next verification attempt
+ *
+ * With a 6-digit code (1M possibilities), 3-attempt limit, and 5-minute
+ * expiry, brute-force is computationally infeasible.
+ *
+ * Table: approval_codes
+ * - id: UUID primary key
+ * - device_fingerprint: SHA-256 hex string identifying the requesting device
+ * - code: SHA-256 hash of the 6-digit numeric code
+ * - created_at: ISO 8601 timestamp
+ * - expires_at: ISO 8601 timestamp (created_at + CODE_EXPIRY_MS)
+ * - used: 0 or 1 (SQLite boolean)
+ * - attempts: number of verification attempts made
+ *
+ * @module
+ */
+import initSqlJs from 'sql.js';
+import { randomUUID, randomInt, createHash } from 'node:crypto';
+import { readFileSync, writeFileSync, existsSync, mkdirSync } from 'node:fs';
+import path from 'node:path';
+import { getDeviceDir } from '../oauth/device-secret.js';
+// ─── Constants ──────────────────────────────────────────────────────
+/** Default code expiry: 5 minutes */
+const DEFAULT_CODE_EXPIRY_MS = 5 * 60 * 1000;
+/** Maximum verification attempts per code */
+const MAX_ATTEMPTS = 3;
+/** Maximum codes per device fingerprint per hour */
+const MAX_CODES_PER_HOUR = 3;
+/** Rate limit window: 1 hour */
+const RATE_LIMIT_WINDOW_MS = 60 * 60 * 1000;
+const CODES_DB_FILENAME = 'devices.db';
+// ─── Hashing ────────────────────────────────────────────────────────
+/**
+ * Hash a 6-digit code with SHA-256 for secure storage.
+ *
+ * Even if the database is compromised, the attacker cannot recover
+ * valid codes from their hashes.
+ *
+ * @param code - The plaintext 6-digit code
+ * @returns SHA-256 hex digest
+ */
+export function hashCode(code) {
+    return createHash('sha256').update(code).digest('hex');
+}
+// ─── SQL.js Initialization ──────────────────────────────────────────
+/** Cached sql.js module (loaded once). */
+let sqlJsModule = null;
+async function getSqlJs() {
+    if (!sqlJsModule) {
+        sqlJsModule = await initSqlJs();
+    }
+    return sqlJsModule;
+}
+// ─── ApprovalCodesDatabase ──────────────────────────────────────────
+/**
+ * Manages the approval_codes SQLite table.
+ *
+ * Shares the same database file as DevicesDatabase (devices.db) so that
+ * both tables coexist in the same SQLite file. This simplifies file
+ * management while keeping concerns separated.
+ */
+export class ApprovalCodesDatabase {
+    db;
+    dbPath;
+    codeExpiryMs;
+    constructor(db, dbPath, codeExpiryMs) {
+        this.db = db;
+        this.dbPath = dbPath;
+        this.codeExpiryMs = codeExpiryMs;
+    }
+    /**
+     * Open or create the approval codes database.
+     *
+     * Uses the same devices.db file as DevicesDatabase. Creates the
+     * approval_codes table if it does not exist.
+     *
+     * @param baseDir - Optional base directory (default: ~/.yokotoken)
+     * @param codeExpiryMs - Code expiry in milliseconds (default: 5 minutes)
+     * @returns A ready-to-use ApprovalCodesDatabase instance
+     */
+    static async open(baseDir, codeExpiryMs) {
+        const dir = baseDir ?? getDeviceDir();
+        const dbPath = path.join(dir, CODES_DB_FILENAME);
+        if (!existsSync(dir)) {
+            mkdirSync(dir, { recursive: true });
+        }
+        const SQL = await getSqlJs();
+        let db;
+        if (existsSync(dbPath)) {
+            const buffer = readFileSync(dbPath);
+            db = new SQL.Database(buffer);
+        }
+        else {
+            db = new SQL.Database();
+        }
+        const instance = new ApprovalCodesDatabase(db, dbPath, codeExpiryMs ?? DEFAULT_CODE_EXPIRY_MS);
+        instance.initSchema();
+        return instance;
+    }
+    /**
+     * Initialize the approval_codes table if it does not exist.
+     */
+    initSchema() {
+        this.db.run(`
+      CREATE TABLE IF NOT EXISTS approval_codes (
+        id                  TEXT PRIMARY KEY,
+        device_fingerprint  TEXT NOT NULL,
+        code                TEXT NOT NULL,
+        created_at          TEXT NOT NULL,
+        expires_at          TEXT NOT NULL,
+        used                INTEGER NOT NULL DEFAULT 0,
+        attempts            INTEGER NOT NULL DEFAULT 0
+      )
+    `);
+        this.save();
+    }
+    /**
+     * Persist the in-memory database to disk.
+     */
+    save() {
+        const dir = path.dirname(this.dbPath);
+        if (!existsSync(dir)) {
+            mkdirSync(dir, { recursive: true });
+        }
+        const data = this.db.export();
+        writeFileSync(this.dbPath, Buffer.from(data));
+    }
+    // ─── Code Generation ──────────────────────────────────────────────
+    /**
+     * Generate a cryptographically random 6-digit numeric code.
+     *
+     * Uses crypto.randomInt for uniform distribution across [0, 999999].
+     * The result is zero-padded to always return exactly 6 digits.
+     *
+     * @returns A 6-digit string (e.g., "042817")
+     */
+    static generateCode() {
+        const num = randomInt(0, 1_000_000);
+        return num.toString().padStart(6, '0');
+    }
+    // ─── Rate Limiting ────────────────────────────────────────────────
+    /**
+     * Check whether a new code can be created for the given device fingerprint.
+     *
+     * Enforces: max 3 codes per device per hour.
+     *
+     * @param deviceFingerprint - The device fingerprint
+     * @returns true if creating a new code is allowed
+     */
+    canCreateCode(deviceFingerprint) {
+        const windowStart = new Date(Date.now() - RATE_LIMIT_WINDOW_MS).toISOString();
+        const stmt = this.db.prepare('SELECT COUNT(*) as cnt FROM approval_codes WHERE device_fingerprint = ? AND created_at > ?');
+        stmt.bind([deviceFingerprint, windowStart]);
+        let count = 0;
+        if (stmt.step()) {
+            const row = stmt.getAsObject();
+            count = row.cnt;
+        }
+        stmt.free();
+        return count < MAX_CODES_PER_HOUR;
+    }
+    /**
+     * Get the number of codes created for a device in the current hour window.
+     *
+     * @param deviceFingerprint - The device fingerprint
+     * @returns Number of codes created in the last hour
+     */
+    codesCreatedInWindow(deviceFingerprint) {
+        const windowStart = new Date(Date.now() - RATE_LIMIT_WINDOW_MS).toISOString();
+        const stmt = this.db.prepare('SELECT COUNT(*) as cnt FROM approval_codes WHERE device_fingerprint = ? AND created_at > ?');
+        stmt.bind([deviceFingerprint, windowStart]);
+        let count = 0;
+        if (stmt.step()) {
+            const row = stmt.getAsObject();
+            count = row.cnt;
+        }
+        stmt.free();
+        return count;
+    }
+    // ─── Code Creation ────────────────────────────────────────────────
+    /**
+     * Create a new approval code for a device.
+     *
+     * @param deviceFingerprint - The requesting device's fingerprint
+     * @returns Object with the plaintext code (for sending via email) and the record ID,
+     *          or null if rate-limited
+     */
+    createCode(deviceFingerprint) {
+        // Rate limit check
+        if (!this.canCreateCode(deviceFingerprint)) {
+            return null;
+        }
+        const code = ApprovalCodesDatabase.generateCode();
+        const codeHash = hashCode(code);
+        const id = randomUUID();
+        const now = new Date();
+        const createdAt = now.toISOString();
+        const expiresAt = new Date(now.getTime() + this.codeExpiryMs).toISOString();
+        this.db.run(`INSERT INTO approval_codes (id, device_fingerprint, code, created_at, expires_at, used, attempts)
+       VALUES (?, ?, ?, ?, ?, 0, 0)`, [id, deviceFingerprint, codeHash, createdAt, expiresAt]);
+        this.save();
+        return { code, id };
+    }
+    // ─── Verification ─────────────────────────────────────────────────
+    /**
+     * Verify an approval code entered by the user.
+     *
+     * Checks:
+     * 1. Find the most recent active code for this device fingerprint
+     * 2. Check if the code has been used
+     * 3. Check if the code has expired
+     * 4. Check if max attempts exceeded
+     * 5. Compare the hash of user input against stored hash
+     * 6. If mismatch, increment attempts
+     *
+     * Also cleans up expired/used codes on each verification attempt.
+     *
+     * @param deviceFingerprint - The device fingerprint
+     * @param userInput - The 6-digit code entered by the user
+     * @returns VerifyResult with valid boolean and optional reason
+     */
+    verifyCode(deviceFingerprint, userInput) {
+        // Clean up expired/used codes first
+        this.cleanup();
+        // Find the most recent active (unused, non-expired, under attempt limit) code
+        const now = new Date().toISOString();
+        const stmt = this.db.prepare(`SELECT id, code, expires_at, used, attempts
+       FROM approval_codes
+       WHERE device_fingerprint = ?
+         AND used = 0
+         AND attempts < ?
+       ORDER BY created_at DESC
+       LIMIT 1`);
+        stmt.bind([deviceFingerprint, MAX_ATTEMPTS]);
+        let record = null;
+        if (stmt.step()) {
+            const row = stmt.getAsObject();
+            record = {
+                id: row.id,
+                code: row.code,
+                expires_at: row.expires_at,
+                used: row.used,
+                attempts: row.attempts,
+            };
+        }
+        stmt.free();
+        // No active code found
+        if (!record) {
+            return {
+                valid: false,
+                reason: 'No active approval code found. Request a new code.',
+            };
+        }
+        // Check expiry
+        if (now > record.expires_at) {
+            return {
+                valid: false,
+                reason: 'Code expired. Request a new code.',
+            };
+        }
+        // Check attempt limit (should not happen due to query filter, but defensive)
+        if (record.attempts >= MAX_ATTEMPTS) {
+            return {
+                valid: false,
+                reason: `Maximum verification attempts (${MAX_ATTEMPTS}) exceeded. Request a new code.`,
+            };
+        }
+        // Hash the user input and compare
+        const inputHash = hashCode(userInput);
+        if (inputHash === record.code) {
+            // Mark as used
+            this.db.run('UPDATE approval_codes SET used = 1 WHERE id = ?', [record.id]);
+            this.save();
+            return { valid: true };
+        }
+        // Wrong code -- increment attempts
+        const newAttempts = record.attempts + 1;
+        this.db.run('UPDATE approval_codes SET attempts = ? WHERE id = ?', [newAttempts, record.id]);
+        this.save();
+        const remaining = MAX_ATTEMPTS - newAttempts;
+        if (remaining <= 0) {
+            return {
+                valid: false,
+                reason: `Invalid code. Maximum attempts (${MAX_ATTEMPTS}) reached. Request a new code.`,
+            };
+        }
+        return {
+            valid: false,
+            reason: `Invalid code. ${remaining} attempt${remaining === 1 ? '' : 's'} remaining.`,
+        };
+    }
+    // ─── Cleanup ──────────────────────────────────────────────────────
+    /**
+     * Remove expired and used codes from the database.
+     *
+     * Called automatically during verification, but can also be called
+     * manually for maintenance.
+     */
+    cleanup() {
+        const now = new Date().toISOString();
+        // Remove expired codes
+        this.db.run('DELETE FROM approval_codes WHERE expires_at < ?', [now]);
+        // Remove used codes
+        this.db.run('DELETE FROM approval_codes WHERE used = 1');
+        // Remove codes that have hit the max attempt limit
+        this.db.run('DELETE FROM approval_codes WHERE attempts >= ?', [MAX_ATTEMPTS]);
+        this.save();
+    }
+    // ─── Queries ──────────────────────────────────────────────────────
+    /**
+     * Get the number of active (unused, non-expired, under attempt limit) codes
+     * for a device fingerprint.
+     *
+     * @param deviceFingerprint - The device fingerprint
+     * @returns Number of active codes
+     */
+    activeCodeCount(deviceFingerprint) {
+        const now = new Date().toISOString();
+        const stmt = this.db.prepare(`SELECT COUNT(*) as cnt FROM approval_codes
+       WHERE device_fingerprint = ?
+         AND used = 0
+         AND expires_at > ?
+         AND attempts < ?`);
+        stmt.bind([deviceFingerprint, now, MAX_ATTEMPTS]);
+        let count = 0;
+        if (stmt.step()) {
+            const row = stmt.getAsObject();
+            count = row.cnt;
+        }
+        stmt.free();
+        return count;
+    }
+    /**
+     * Get the total number of codes in the database (for testing/debugging).
+     *
+     * @returns Total number of approval_codes rows
+     */
+    totalCodeCount() {
+        const stmt = this.db.prepare('SELECT COUNT(*) as cnt FROM approval_codes');
+        let count = 0;
+        if (stmt.step()) {
+            const row = stmt.getAsObject();
+            count = row.cnt;
+        }
+        stmt.free();
+        return count;
+    }
+    /**
+     * Close the database connection.
+     */
+    close() {
+        this.db.close();
+    }
+}
+// ─── High-level convenience functions ───────────────────────────────
+/**
+ * Generate a new approval code for a device.
+ *
+ * Convenience wrapper that opens the database, creates a code, and closes.
+ *
+ * @param deviceFingerprint - The requesting device's fingerprint
+ * @param baseDir - Optional base directory for the database
+ * @param codeExpiryMs - Optional code expiry in ms (default: 5 minutes)
+ * @returns Object with plaintext code and record ID, or null if rate-limited
+ */
+export async function createApprovalCode(deviceFingerprint, baseDir, codeExpiryMs) {
+    const db = await ApprovalCodesDatabase.open(baseDir, codeExpiryMs);
+    try {
+        return db.createCode(deviceFingerprint);
+    }
+    finally {
+        db.close();
+    }
+}
+/**
+ * Verify a user-entered approval code.
+ *
+ * Convenience wrapper that opens the database, verifies, and closes.
+ *
+ * @param deviceFingerprint - The device fingerprint
+ * @param userInput - The 6-digit code entered by the user
+ * @param baseDir - Optional base directory for the database
+ * @param codeExpiryMs - Optional code expiry in ms (default: 5 minutes)
+ * @returns VerifyResult with valid boolean and optional reason
+ */
+export async function verifyApprovalCode(deviceFingerprint, userInput, baseDir, codeExpiryMs) {
+    const db = await ApprovalCodesDatabase.open(baseDir, codeExpiryMs);
+    try {
+        return db.verifyCode(deviceFingerprint, userInput);
+    }
+    finally {
+        db.close();
+    }
+}
+//# sourceMappingURL=approval-codes.js.map

package/dist/signatures/approval-codes.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"approval-codes.js","sourceRoot":"","sources":["../../src/signatures/approval-codes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAEH,OAAO,SAAS,MAAM,QAAQ,CAAC;AAC/B,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAChE,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AAC7E,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,YAAY,EAAE,MAAM,2BAA2B,CAAC;AAsBzD,uEAAuE;AAEvE,qCAAqC;AACrC,MAAM,sBAAsB,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;AAE7C,6CAA6C;AAC7C,MAAM,YAAY,GAAG,CAAC,CAAC;AAEvB,oDAAoD;AACpD,MAAM,kBAAkB,GAAG,CAAC,CAAC;AAE7B,gCAAgC;AAChC,MAAM,oBAAoB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AAE5C,MAAM,iBAAiB,GAAG,YAAY,CAAC;AAEvC,uEAAuE;AAEvE;;;;;;;;GAQG;AACH,MAAM,UAAU,QAAQ,CAAC,IAAY;IACnC,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACzD,CAAC;AAED,uEAAuE;AAEvE,0CAA0C;AAC1C,IAAI,WAAW,GAAiD,IAAI,CAAC;AAErE,KAAK,UAAU,QAAQ;IACrB,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,WAAW,GAAG,MAAM,SAAS,EAAE,CAAC;IAClC,CAAC;IACD,OAAO,WAAW,CAAC;AACrB,CAAC;AAED,uEAAuE;AAEvE;;;;;;GAMG;AACH,MAAM,OAAO,qBAAqB;IACxB,EAAE,CAAkE;IACpE,MAAM,CAAS;IACf,YAAY,CAAS;IAE7B,YACE,EAAmE,EACnE,MAAc,EACd,YAAoB;QAEpB,IAAI,CAAC,EAAE,GAAG,EAAE,CAAC;QACb,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,YAAY,GAAG,YAAY,CAAC;IACnC,CAAC;IAED;;;;;;;;;OASG;IACH,MAAM,CAAC,KAAK,CAAC,IAAI,CACf,OAAgB,EAChB,YAAqB;QAErB,MAAM,GAAG,GAAG,OAAO,IAAI,YAAY,EAAE,CAAC;QACtC,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,iBAAiB,CAAC,CAAC;QAEjD,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YACrB,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACtC,CAAC;QAED,MAAM,GAAG,GAAG,MAAM,QAAQ,EAAE,CAAC;QAE7B,IAAI,EAAqC,CAAC;QAC1C,IAAI,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;YACvB,MAAM,MAAM,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;YACpC,EAAE,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAChC,CAAC;aAAM,CAAC;YACN,EAAE,GAAG,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;QAC1B,CAAC;QAED,MAAM,QAAQ,GAAG,IAAI,qBAAqB,CACxC,EAAE,EACF,MAAM,EACN,YAAY,IAAI,sBAAsB,CACvC,CAAC;QACF,QAAQ,CAAC,UAAU,EAAE,CAAC;QACtB,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED;;OAEG;IACK,UAAU;QAChB,IAAI,CAAC,EAAE,CAAC,GAAG,CAAC;;;;;;;;;;KAUX,CAAC,CAAC;QACH,IAAI,CAAC,IAAI,EAAE,CAAC;IACd,CAAC;IAED;;OAEG;IACK,IAAI;QACV,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACtC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YACrB,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACtC,CAAC;QACD,MAAM,IAAI,GAAG,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC;QAC9B,aAAa,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;IAChD,CAAC;IAED,qEAAqE;IAErE;;;;;;;OAOG;IACH,MAAM,CAAC,YAAY;QACjB,MAAM,GAAG,GAAG,SAAS,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC;QACpC,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IACzC,CAAC;IAED,qEAAqE;IAErE;;;;;;;OAOG;IACH,aAAa,CAAC,iBAAyB;QACrC,MAAM,WAAW,GAAG,IAAI,IAAI,CAC1B,IAAI,CAAC,GAAG,EAAE,GAAG,oBAAoB,CAClC,CAAC,WAAW,EAAE,CAAC;QAEhB,MAAM,IAAI,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAC1B,4FAA4F,CAC7F,CAAC;QACF,IAAI,CAAC,IAAI,CAAC,CAAC,iBAAiB,EAAE,WAAW,CAAC,CAAC,CAAC;QAC5C,IAAI,KAAK,GAAG,CAAC,CAAC;QACd,IAAI,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC;YAChB,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;YAC/B,KAAK,GAAG,GAAG,CAAC,GAAa,CAAC;QAC5B,CAAC;QACD,IAAI,CAAC,IAAI,EAAE,CAAC;QAEZ,OAAO,KAAK,GAAG,kBAAkB,CAAC;IACpC,CAAC;IAED;;;;;OAKG;IACH,oBAAoB,CAAC,iBAAyB;QAC5C,MAAM,WAAW,GAAG,IAAI,IAAI,CAC1B,IAAI,CAAC,GAAG,EAAE,GAAG,oBAAoB,CAClC,CAAC,WAAW,EAAE,CAAC;QAEhB,MAAM,IAAI,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAC1B,4FAA4F,CAC7F,CAAC;QACF,IAAI,CAAC,IAAI,CAAC,CAAC,iBAAiB,EAAE,WAAW,CAAC,CAAC,CAAC;QAC5C,IAAI,KAAK,GAAG,CAAC,CAAC;QACd,IAAI,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC;YAChB,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;YAC/B,KAAK,GAAG,GAAG,CAAC,GAAa,CAAC;QAC5B,CAAC;QACD,IAAI,CAAC,IAAI,EAAE,CAAC;QAEZ,OAAO,KAAK,CAAC;IACf,CAAC;IAED,qEAAqE;IAErE;;;;;;OAMG;IACH,UAAU,CACR,iBAAyB;QAEzB,mBAAmB;QACnB,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,iBAAiB,CAAC,EAAE,CAAC;YAC3C,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,IAAI,GAAG,qBAAqB,CAAC,YAAY,EAAE,CAAC;QAClD,MAAM,QAAQ,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC;QAChC,MAAM,EAAE,GAAG,UAAU,EAAE,CAAC;QACxB,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,SAAS,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;QACpC,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,YAAY,CAAC,CAAC,WAAW,EAAE,CAAC;QAE5E,IAAI,CAAC,EAAE,CAAC,GAAG,CACT;oCAC8B,EAC9B,CAAC,EAAE,EAAE,iBAAiB,EAAE,QAAQ,EAAE,SAAS,EAAE,SAAS,CAAC,CACxD,CAAC;QACF,IAAI,CAAC,IAAI,EAAE,CAAC;QAEZ,OAAO,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;IACtB,CAAC;IAED,qEAAqE;IAErE;;;;;;;;;;;;;;;;OAgBG;IACH,UAAU,CAAC,iBAAyB,EAAE,SAAiB;QACrD,oCAAoC;QACpC,IAAI,CAAC,OAAO,EAAE,CAAC;QAEf,8EAA8E;QAC9E,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QACrC,MAAM,IAAI,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAC1B;;;;;;eAMS,CACV,CAAC;QACF,IAAI,CAAC,IAAI,CAAC,CAAC,iBAAiB,EAAE,YAAY,CAAC,CAAC,CAAC;QAE7C,IAAI,MAAM,GAMC,IAAI,CAAC;QAEhB,IAAI,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC;YAChB,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;YAC/B,MAAM,GAAG;gBACP,EAAE,EAAE,GAAG,CAAC,EAAY;gBACpB,IAAI,EAAE,GAAG,CAAC,IAAc;gBACxB,UAAU,EAAE,GAAG,CAAC,UAAoB;gBACpC,IAAI,EAAE,GAAG,CAAC,IAAc;gBACxB,QAAQ,EAAE,GAAG,CAAC,QAAkB;aACjC,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,IAAI,EAAE,CAAC;QAEZ,uBAAuB;QACvB,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,oDAAoD;aAC7D,CAAC;QACJ,CAAC;QAED,eAAe;QACf,IAAI,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;YAC5B,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,mCAAmC;aAC5C,CAAC;QACJ,CAAC;QAED,6EAA6E;QAC7E,IAAI,MAAM,CAAC,QAAQ,IAAI,YAAY,EAAE,CAAC;YACpC,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,kCAAkC,YAAY,iCAAiC;aACxF,CAAC;QACJ,CAAC;QAED,kCAAkC;QAClC,MAAM,SAAS,GAAG,QAAQ,CAAC,SAAS,CAAC,CAAC;QACtC,IAAI,SAAS,KAAK,MAAM,CAAC,IAAI,EAAE,CAAC;YAC9B,eAAe;YACf,IAAI,CAAC,EAAE,CAAC,GAAG,CACT,iDAAiD,EACjD,CAAC,MAAM,CAAC,EAAE,CAAC,CACZ,CAAC;YACF,IAAI,CAAC,IAAI,EAAE,CAAC;YACZ,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;QACzB,CAAC;QAED,mCAAmC;QACnC,MAAM,WAAW,GAAG,MAAM,CAAC,QAAQ,GAAG,CAAC,CAAC;QACxC,IAAI,CAAC,EAAE,CAAC,GAAG,CACT,qDAAqD,EACrD,CAAC,WAAW,EAAE,MAAM,CAAC,EAAE,CAAC,CACzB,CAAC;QACF,IAAI,CAAC,IAAI,EAAE,CAAC;QAEZ,MAAM,SAAS,GAAG,YAAY,GAAG,WAAW,CAAC;QAC7C,IAAI,SAAS,IAAI,CAAC,EAAE,CAAC;YACnB,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,mCAAmC,YAAY,gCAAgC;aACxF,CAAC;QACJ,CAAC;QAED,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,MAAM,EAAE,iBAAiB,SAAS,WAAW,SAAS,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,aAAa;SACrF,CAAC;IACJ,CAAC;IAED,qEAAqE;IAErE;;;;;OAKG;IACH,OAAO;QACL,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QAErC,uBAAuB;QACvB,IAAI,CAAC,EAAE,CAAC,GAAG,CACT,iDAAiD,EACjD,CAAC,GAAG,CAAC,CACN,CAAC;QAEF,oBAAoB;QACpB,IAAI,CAAC,EAAE,CAAC,GAAG,CACT,2CAA2C,CAC5C,CAAC;QAEF,mDAAmD;QACnD,IAAI,CAAC,EAAE,CAAC,GAAG,CACT,gDAAgD,EAChD,CAAC,YAAY,CAAC,CACf,CAAC;QAEF,IAAI,CAAC,IAAI,EAAE,CAAC;IACd,CAAC;IAED,qEAAqE;IAErE;;;;;;OAMG;IACH,eAAe,CAAC,iBAAyB;QACvC,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QACrC,MAAM,IAAI,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAC1B;;;;0BAIoB,CACrB,CAAC;QACF,IAAI,CAAC,IAAI,CAAC,CAAC,iBAAiB,EAAE,GAAG,EAAE,YAAY,CAAC,CAAC,CAAC;QAClD,IAAI,KAAK,GAAG,CAAC,CAAC;QACd,IAAI,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC;YAChB,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;YAC/B,KAAK,GAAG,GAAG,CAAC,GAAa,CAAC;QAC5B,CAAC;QACD,IAAI,CAAC,IAAI,EAAE,CAAC;QACZ,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;;;OAIG;IACH,cAAc;QACZ,MAAM,IAAI,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAC1B,4CAA4C,CAC7C,CAAC;QACF,IAAI,KAAK,GAAG,CAAC,CAAC;QACd,IAAI,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC;YAChB,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;YAC/B,KAAK,GAAG,GAAG,CAAC,GAAa,CAAC;QAC5B,CAAC;QACD,IAAI,CAAC,IAAI,EAAE,CAAC;QACZ,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;OAEG;IACH,KAAK;QACH,IAAI,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;IAClB,CAAC;CACF;AAED,uEAAuE;AAEvE;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,iBAAyB,EACzB,OAAgB,EAChB,YAAqB;IAErB,MAAM,EAAE,GAAG,MAAM,qBAAqB,CAAC,IAAI,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;IACnE,IAAI,CAAC;QACH,OAAO,EAAE,CAAC,UAAU,CAAC,iBAAiB,CAAC,CAAC;IAC1C,CAAC;YAAS,CAAC;QACT,EAAE,CAAC,KAAK,EAAE,CAAC;IACb,CAAC;AACH,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,iBAAyB,EACzB,SAAiB,EACjB,OAAgB,EAChB,YAAqB;IAErB,MAAM,EAAE,GAAG,MAAM,qBAAqB,CAAC,IAAI,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;IACnE,IAAI,CAAC;QACH,OAAO,EAAE,CAAC,UAAU,CAAC,iBAAiB,EAAE,SAAS,CAAC,CAAC;IACrD,CAAC;YAAS,CAAC;QACT,EAAE,CAAC,KAAK,EAAE,CAAC;IACb,CAAC;AACH,CAAC"}

package/dist/signatures/commands.d.ts

@@ -0,0 +1,108 @@
+/**
+ * Device management commands for unotoken CLI.
+ *
+ * Provides the logic behind `unotoken device list|rename|remove`:
+ * - List all approved devices with current-device indicator
+ * - Rename a device by fingerprint prefix
+ * - Remove a device (with confirmation and safety checks)
+ * - Remove all devices except current (nuclear option)
+ *
+ * Fingerprint prefix matching works like git SHA prefixes -- the user
+ * provides the first N characters and the command finds the unique match.
+ * If ambiguous, the command lists matches and asks the user to be more specific.
+ *
+ * @module
+ */
+import { DevicesDatabase, type KnownDevice } from './devices.js';
+export interface DeviceListResult {
+    devices: DeviceListEntry[];
+    currentFingerprint: string;
+}
+export interface DeviceListEntry extends KnownDevice {
+    /** Whether this is the current device */
+    is_current: boolean;
+}
+export interface DeviceRenameResult {
+    success: boolean;
+    fingerprint: string;
+    oldName: string;
+    newName: string;
+    error?: string;
+}
+export interface DeviceRemoveResult {
+    success: boolean;
+    fingerprint: string;
+    name: string;
+    wasCurrentDevice: boolean;
+    error?: string;
+}
+export interface DeviceRemoveAllResult {
+    success: boolean;
+    removedCount: number;
+    error?: string;
+}
+export interface PrefixMatchResult {
+    matches: KnownDevice[];
+    exact: boolean;
+    error?: string;
+}
+/**
+ * Resolve a fingerprint prefix to a single device.
+ *
+ * @param db - The DevicesDatabase instance
+ * @param prefix - The fingerprint prefix (minimum 8 chars)
+ * @returns Match result with the matched devices
+ */
+export declare function resolvePrefix(db: DevicesDatabase, prefix: string): PrefixMatchResult;
+/**
+ * List all approved devices, marking the current device.
+ *
+ * @param baseDir - Optional base directory for config/database files
+ * @returns List of devices with current-device indicator
+ */
+export declare function listDevicesCommand(baseDir?: string): Promise<DeviceListResult>;
+/**
+ * Format the device list for human-readable display.
+ *
+ * @param result - The list result from listDevicesCommand
+ * @returns Formatted string for terminal output
+ */
+export declare function formatDeviceList(result: DeviceListResult): string;
+/**
+ * Rename a device by fingerprint prefix.
+ *
+ * @param prefix - The fingerprint prefix (minimum 8 chars)
+ * @param newName - The new device name
+ * @param baseDir - Optional base directory
+ * @returns Rename result
+ */
+export declare function renameDeviceCommand(prefix: string, newName: string, baseDir?: string): Promise<DeviceRenameResult>;
+/**
+ * Remove a device by fingerprint prefix.
+ *
+ * Safety check: cannot remove the last device if no email is configured
+ * (would lock the user out with no recovery path).
+ *
+ * @param prefix - The fingerprint prefix (minimum 8 chars)
+ * @param baseDir - Optional base directory
+ * @returns Remove result (caller should handle confirmation UI)
+ */
+export declare function removeDeviceCommand(prefix: string, baseDir?: string): Promise<DeviceRemoveResult>;
+/**
+ * Remove all devices except the current one.
+ *
+ * Nuclear option for security incidents -- removes all approved devices
+ * except the device running this command.
+ *
+ * @param baseDir - Optional base directory
+ * @returns Remove-all result
+ */
+export declare function removeAllDevicesCommand(baseDir?: string): Promise<DeviceRemoveAllResult>;
+/**
+ * Format an ambiguous prefix match result for display.
+ *
+ * @param matches - The ambiguous matches
+ * @returns Formatted string listing the matches
+ */
+export declare function formatAmbiguousMatches(matches: KnownDevice[]): string;
+//# sourceMappingURL=commands.d.ts.map

package/dist/signatures/commands.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"commands.d.ts","sourceRoot":"","sources":["../../src/signatures/commands.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAE,eAAe,EAAE,KAAK,WAAW,EAAE,MAAM,cAAc,CAAC;AAWjE,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,eAAe,EAAE,CAAC;IAC3B,kBAAkB,EAAE,MAAM,CAAC;CAC5B;AAED,MAAM,WAAW,eAAgB,SAAQ,WAAW;IAClD,yCAAyC;IACzC,UAAU,EAAE,OAAO,CAAC;CACrB;AAED,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,OAAO,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,OAAO,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,EAAE,MAAM,CAAC;IACb,gBAAgB,EAAE,OAAO,CAAC;IAC1B,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,qBAAqB;IACpC,OAAO,EAAE,OAAO,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;IACrB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,WAAW,EAAE,CAAC;IACvB,KAAK,EAAE,OAAO,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAID;;;;;;GAMG;AACH,wBAAgB,aAAa,CAC3B,EAAE,EAAE,eAAe,EACnB,MAAM,EAAE,MAAM,GACb,iBAAiB,CA+BnB;AAID;;;;;GAKG;AACH,wBAAsB,kBAAkB,CACtC,OAAO,CAAC,EAAE,MAAM,GACf,OAAO,CAAC,gBAAgB,CAAC,CAe3B;AAED;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,gBAAgB,GAAG,MAAM,CAqBjE;AAID;;;;;;;GAOG;AACH,wBAAsB,mBAAmB,CACvC,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE,MAAM,GACf,OAAO,CAAC,kBAAkB,CAAC,CAuC7B;AAID;;;;;;;;;GASG;AACH,wBAAsB,mBAAmB,CACvC,MAAM,EAAE,MAAM,EACd,OAAO,CAAC,EAAE,MAAM,GACf,OAAO,CAAC,kBAAkB,CAAC,CAuD7B;AAID;;;;;;;;GAQG;AACH,wBAAsB,uBAAuB,CAC3C,OAAO,CAAC,EAAE,MAAM,GACf,OAAO,CAAC,qBAAqB,CAAC,CAyBhC;AAID;;;;;GAKG;AACH,wBAAgB,sBAAsB,CAAC,OAAO,EAAE,WAAW,EAAE,GAAG,MAAM,CAQrE"}