unotoken 0.1.0

package/dist/signatures/commands.js

@@ -0,0 +1,270 @@
+/**
+ * Device management commands for unotoken CLI.
+ *
+ * Provides the logic behind `unotoken device list|rename|remove`:
+ * - List all approved devices with current-device indicator
+ * - Rename a device by fingerprint prefix
+ * - Remove a device (with confirmation and safety checks)
+ * - Remove all devices except current (nuclear option)
+ *
+ * Fingerprint prefix matching works like git SHA prefixes -- the user
+ * provides the first N characters and the command finds the unique match.
+ * If ambiguous, the command lists matches and asks the user to be more specific.
+ *
+ * @module
+ */
+import { DevicesDatabase } from './devices.js';
+import { generateDeviceFingerprint } from './fingerprint.js';
+import { hasVerifiedEmail } from './email-config.js';
+// ─── Constants ──────────────────────────────────────────────────────
+/** Minimum fingerprint prefix length for matching */
+const MIN_PREFIX_LENGTH = 8;
+// ─── Prefix Resolution ─────────────────────────────────────────────
+/**
+ * Resolve a fingerprint prefix to a single device.
+ *
+ * @param db - The DevicesDatabase instance
+ * @param prefix - The fingerprint prefix (minimum 8 chars)
+ * @returns Match result with the matched devices
+ */
+export function resolvePrefix(db, prefix) {
+    if (prefix.length < MIN_PREFIX_LENGTH) {
+        return {
+            matches: [],
+            exact: false,
+            error: `Fingerprint prefix too short (minimum ${MIN_PREFIX_LENGTH} characters). Got ${prefix.length}.`,
+        };
+    }
+    const matches = db.findByFingerprintPrefix(prefix);
+    if (matches.length === 0) {
+        return {
+            matches: [],
+            exact: false,
+            error: `No device found matching prefix '${prefix}'.`,
+        };
+    }
+    if (matches.length > 1) {
+        return {
+            matches,
+            exact: false,
+            error: `Ambiguous prefix '${prefix}' matches ${matches.length} devices. Be more specific.`,
+        };
+    }
+    return {
+        matches,
+        exact: true,
+    };
+}
+// ─── List Devices ───────────────────────────────────────────────────
+/**
+ * List all approved devices, marking the current device.
+ *
+ * @param baseDir - Optional base directory for config/database files
+ * @returns List of devices with current-device indicator
+ */
+export async function listDevicesCommand(baseDir) {
+    const currentFingerprint = generateDeviceFingerprint(baseDir);
+    const db = await DevicesDatabase.open(baseDir);
+    try {
+        const devices = db.listDevices();
+        const entries = devices.map((d) => ({
+            ...d,
+            is_current: d.fingerprint === currentFingerprint,
+        }));
+        return { devices: entries, currentFingerprint };
+    }
+    finally {
+        db.close();
+    }
+}
+/**
+ * Format the device list for human-readable display.
+ *
+ * @param result - The list result from listDevicesCommand
+ * @returns Formatted string for terminal output
+ */
+export function formatDeviceList(result) {
+    if (result.devices.length === 0) {
+        return 'No approved devices.\n';
+    }
+    const lines = [];
+    lines.push('Approved devices:\n');
+    for (const device of result.devices) {
+        const marker = device.is_current ? ' *' : '  ';
+        const fpShort = device.fingerprint.slice(0, 12) + '...';
+        lines.push(`${marker} ${device.name}`);
+        lines.push(`     Fingerprint:  ${fpShort}`);
+        lines.push(`     Approved:     ${formatDate(device.approved_at)}`);
+        lines.push(`     Last seen:    ${formatDate(device.last_seen_at)}`);
+        lines.push(`     Method:       ${device.approval_method}`);
+        lines.push('');
+    }
+    lines.push(`${result.devices.length} device(s). * = current device`);
+    return lines.join('\n') + '\n';
+}
+// ─── Rename Device ──────────────────────────────────────────────────
+/**
+ * Rename a device by fingerprint prefix.
+ *
+ * @param prefix - The fingerprint prefix (minimum 8 chars)
+ * @param newName - The new device name
+ * @param baseDir - Optional base directory
+ * @returns Rename result
+ */
+export async function renameDeviceCommand(prefix, newName, baseDir) {
+    const db = await DevicesDatabase.open(baseDir);
+    try {
+        const match = resolvePrefix(db, prefix);
+        if (!match.exact) {
+            return {
+                success: false,
+                fingerprint: '',
+                oldName: '',
+                newName,
+                error: match.error,
+            };
+        }
+        const device = match.matches[0];
+        const oldName = device.name;
+        const renamed = db.renameDevice(device.fingerprint, newName);
+        if (!renamed) {
+            return {
+                success: false,
+                fingerprint: device.fingerprint,
+                oldName,
+                newName,
+                error: 'Failed to rename device.',
+            };
+        }
+        return {
+            success: true,
+            fingerprint: device.fingerprint,
+            oldName,
+            newName,
+        };
+    }
+    finally {
+        db.close();
+    }
+}
+// ─── Remove Device ──────────────────────────────────────────────────
+/**
+ * Remove a device by fingerprint prefix.
+ *
+ * Safety check: cannot remove the last device if no email is configured
+ * (would lock the user out with no recovery path).
+ *
+ * @param prefix - The fingerprint prefix (minimum 8 chars)
+ * @param baseDir - Optional base directory
+ * @returns Remove result (caller should handle confirmation UI)
+ */
+export async function removeDeviceCommand(prefix, baseDir) {
+    const db = await DevicesDatabase.open(baseDir);
+    try {
+        const match = resolvePrefix(db, prefix);
+        if (!match.exact) {
+            return {
+                success: false,
+                fingerprint: '',
+                name: '',
+                wasCurrentDevice: false,
+                error: match.error,
+            };
+        }
+        const device = match.matches[0];
+        const currentFingerprint = generateDeviceFingerprint(baseDir);
+        const wasCurrentDevice = device.fingerprint === currentFingerprint;
+        // Safety: cannot remove the last device if no email is configured
+        if (db.countDevices() === 1 && !hasVerifiedEmail(baseDir)) {
+            return {
+                success: false,
+                fingerprint: device.fingerprint,
+                name: device.name,
+                wasCurrentDevice,
+                error: 'Cannot remove the last device when no email is configured. ' +
+                    'This would lock you out with no recovery path. ' +
+                    'Configure an email first: unotoken config email <address>',
+            };
+        }
+        const removed = db.removeDevice(device.fingerprint);
+        if (!removed) {
+            return {
+                success: false,
+                fingerprint: device.fingerprint,
+                name: device.name,
+                wasCurrentDevice,
+                error: 'Failed to remove device.',
+            };
+        }
+        return {
+            success: true,
+            fingerprint: device.fingerprint,
+            name: device.name,
+            wasCurrentDevice,
+        };
+    }
+    finally {
+        db.close();
+    }
+}
+// ─── Remove All Devices ─────────────────────────────────────────────
+/**
+ * Remove all devices except the current one.
+ *
+ * Nuclear option for security incidents -- removes all approved devices
+ * except the device running this command.
+ *
+ * @param baseDir - Optional base directory
+ * @returns Remove-all result
+ */
+export async function removeAllDevicesCommand(baseDir) {
+    const currentFingerprint = generateDeviceFingerprint(baseDir);
+    const db = await DevicesDatabase.open(baseDir);
+    try {
+        // Ensure the current device is actually in the database
+        if (!db.isDeviceKnown(currentFingerprint)) {
+            return {
+                success: false,
+                removedCount: 0,
+                error: 'Current device is not in the approved devices list. ' +
+                    'Cannot remove all devices without keeping the current one.',
+            };
+        }
+        const removedCount = db.removeAllExcept(currentFingerprint);
+        return {
+            success: true,
+            removedCount,
+        };
+    }
+    finally {
+        db.close();
+    }
+}
+// ─── Helpers ────────────────────────────────────────────────────────
+/**
+ * Format an ambiguous prefix match result for display.
+ *
+ * @param matches - The ambiguous matches
+ * @returns Formatted string listing the matches
+ */
+export function formatAmbiguousMatches(matches) {
+    const lines = [];
+    lines.push('Multiple devices match this prefix:\n');
+    for (const device of matches) {
+        lines.push(`  ${device.fingerprint.slice(0, 16)}...  ${device.name}`);
+    }
+    lines.push('\nProvide a longer prefix to uniquely identify the device.');
+    return lines.join('\n') + '\n';
+}
+function formatDate(isoDate) {
+    try {
+        const d = new Date(isoDate);
+        if (isNaN(d.getTime()))
+            return isoDate;
+        return d.toLocaleString();
+    }
+    catch {
+        return isoDate;
+    }
+}
+//# sourceMappingURL=commands.js.map

package/dist/signatures/commands.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"commands.js","sourceRoot":"","sources":["../../src/signatures/commands.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAE,eAAe,EAAoB,MAAM,cAAc,CAAC;AACjE,OAAO,EAAE,yBAAyB,EAAE,MAAM,kBAAkB,CAAC;AAC7D,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AAErD,uEAAuE;AAEvE,qDAAqD;AACrD,MAAM,iBAAiB,GAAG,CAAC,CAAC;AA0C5B,sEAAsE;AAEtE;;;;;;GAMG;AACH,MAAM,UAAU,aAAa,CAC3B,EAAmB,EACnB,MAAc;IAEd,IAAI,MAAM,CAAC,MAAM,GAAG,iBAAiB,EAAE,CAAC;QACtC,OAAO;YACL,OAAO,EAAE,EAAE;YACX,KAAK,EAAE,KAAK;YACZ,KAAK,EAAE,yCAAyC,iBAAiB,qBAAqB,MAAM,CAAC,MAAM,GAAG;SACvG,CAAC;IACJ,CAAC;IAED,MAAM,OAAO,GAAG,EAAE,CAAC,uBAAuB,CAAC,MAAM,CAAC,CAAC;IAEnD,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO;YACL,OAAO,EAAE,EAAE;YACX,KAAK,EAAE,KAAK;YACZ,KAAK,EAAE,oCAAoC,MAAM,IAAI;SACtD,CAAC;IACJ,CAAC;IAED,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvB,OAAO;YACL,OAAO;YACP,KAAK,EAAE,KAAK;YACZ,KAAK,EAAE,qBAAqB,MAAM,aAAa,OAAO,CAAC,MAAM,6BAA6B;SAC3F,CAAC;IACJ,CAAC;IAED,OAAO;QACL,OAAO;QACP,KAAK,EAAE,IAAI;KACZ,CAAC;AACJ,CAAC;AAED,uEAAuE;AAEvE;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,OAAgB;IAEhB,MAAM,kBAAkB,GAAG,yBAAyB,CAAC,OAAO,CAAC,CAAC;IAC9D,MAAM,EAAE,GAAG,MAAM,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAE/C,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,EAAE,CAAC,WAAW,EAAE,CAAC;QACjC,MAAM,OAAO,GAAsB,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACrD,GAAG,CAAC;YACJ,UAAU,EAAE,CAAC,CAAC,WAAW,KAAK,kBAAkB;SACjD,CAAC,CAAC,CAAC;QAEJ,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,kBAAkB,EAAE,CAAC;IAClD,CAAC;YAAS,CAAC;QACT,EAAE,CAAC,KAAK,EAAE,CAAC;IACb,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,gBAAgB,CAAC,MAAwB;IACvD,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAChC,OAAO,wBAAwB,CAAC;IAClC,CAAC;IAED,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,KAAK,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC;IAElC,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QACpC,MAAM,MAAM,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC;QAC/C,MAAM,OAAO,GAAG,MAAM,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK,CAAC;QACxD,KAAK,CAAC,IAAI,CAAC,GAAG,MAAM,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;QACvC,KAAK,CAAC,IAAI,CAAC,sBAAsB,OAAO,EAAE,CAAC,CAAC;QAC5C,KAAK,CAAC,IAAI,CAAC,sBAAsB,UAAU,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;QACnE,KAAK,CAAC,IAAI,CAAC,sBAAsB,UAAU,CAAC,MAAM,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC;QACpE,KAAK,CAAC,IAAI,CAAC,sBAAsB,MAAM,CAAC,eAAe,EAAE,CAAC,CAAC;QAC3D,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACjB,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,OAAO,CAAC,MAAM,gCAAgC,CAAC,CAAC;IACrE,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;AACjC,CAAC;AAED,uEAAuE;AAEvE;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,MAAc,EACd,OAAe,EACf,OAAgB;IAEhB,MAAM,EAAE,GAAG,MAAM,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAE/C,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,aAAa,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;QAExC,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;YACjB,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,WAAW,EAAE,EAAE;gBACf,OAAO,EAAE,EAAE;gBACX,OAAO;gBACP,KAAK,EAAE,KAAK,CAAC,KAAK;aACnB,CAAC;QACJ,CAAC;QAED,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;QAChC,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC;QAC5B,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,MAAM,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;QAE7D,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,WAAW,EAAE,MAAM,CAAC,WAAW;gBAC/B,OAAO;gBACP,OAAO;gBACP,KAAK,EAAE,0BAA0B;aAClC,CAAC;QACJ,CAAC;QAED,OAAO;YACL,OAAO,EAAE,IAAI;YACb,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,OAAO;YACP,OAAO;SACR,CAAC;IACJ,CAAC;YAAS,CAAC;QACT,EAAE,CAAC,KAAK,EAAE,CAAC;IACb,CAAC;AACH,CAAC;AAED,uEAAuE;AAEvE;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,MAAc,EACd,OAAgB;IAEhB,MAAM,EAAE,GAAG,MAAM,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAE/C,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,aAAa,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;QAExC,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;YACjB,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,WAAW,EAAE,EAAE;gBACf,IAAI,EAAE,EAAE;gBACR,gBAAgB,EAAE,KAAK;gBACvB,KAAK,EAAE,KAAK,CAAC,KAAK;aACnB,CAAC;QACJ,CAAC;QAED,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;QAChC,MAAM,kBAAkB,GAAG,yBAAyB,CAAC,OAAO,CAAC,CAAC;QAC9D,MAAM,gBAAgB,GAAG,MAAM,CAAC,WAAW,KAAK,kBAAkB,CAAC;QAEnE,kEAAkE;QAClE,IAAI,EAAE,CAAC,YAAY,EAAE,KAAK,CAAC,IAAI,CAAC,gBAAgB,CAAC,OAAO,CAAC,EAAE,CAAC;YAC1D,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,WAAW,EAAE,MAAM,CAAC,WAAW;gBAC/B,IAAI,EAAE,MAAM,CAAC,IAAI;gBACjB,gBAAgB;gBAChB,KAAK,EACH,6DAA6D;oBAC7D,iDAAiD;oBACjD,2DAA2D;aAC9D,CAAC;QACJ,CAAC;QAED,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QAEpD,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,WAAW,EAAE,MAAM,CAAC,WAAW;gBAC/B,IAAI,EAAE,MAAM,CAAC,IAAI;gBACjB,gBAAgB;gBAChB,KAAK,EAAE,0BAA0B;aAClC,CAAC;QACJ,CAAC;QAED,OAAO;YACL,OAAO,EAAE,IAAI;YACb,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,gBAAgB;SACjB,CAAC;IACJ,CAAC;YAAS,CAAC;QACT,EAAE,CAAC,KAAK,EAAE,CAAC;IACb,CAAC;AACH,CAAC;AAED,uEAAuE;AAEvE;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,OAAgB;IAEhB,MAAM,kBAAkB,GAAG,yBAAyB,CAAC,OAAO,CAAC,CAAC;IAC9D,MAAM,EAAE,GAAG,MAAM,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAE/C,IAAI,CAAC;QACH,wDAAwD;QACxD,IAAI,CAAC,EAAE,CAAC,aAAa,CAAC,kBAAkB,CAAC,EAAE,CAAC;YAC1C,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,YAAY,EAAE,CAAC;gBACf,KAAK,EACH,sDAAsD;oBACtD,4DAA4D;aAC/D,CAAC;QACJ,CAAC;QAED,MAAM,YAAY,GAAG,EAAE,CAAC,eAAe,CAAC,kBAAkB,CAAC,CAAC;QAE5D,OAAO;YACL,OAAO,EAAE,IAAI;YACb,YAAY;SACb,CAAC;IACJ,CAAC;YAAS,CAAC;QACT,EAAE,CAAC,KAAK,EAAE,CAAC;IACb,CAAC;AACH,CAAC;AAED,uEAAuE;AAEvE;;;;;GAKG;AACH,MAAM,UAAU,sBAAsB,CAAC,OAAsB;IAC3D,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,KAAK,CAAC,IAAI,CAAC,uCAAuC,CAAC,CAAC;IACpD,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,KAAK,CAAC,IAAI,CAAC,KAAK,MAAM,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;IACxE,CAAC;IACD,KAAK,CAAC,IAAI,CAAC,4DAA4D,CAAC,CAAC;IACzE,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;AACjC,CAAC;AAED,SAAS,UAAU,CAAC,OAAe;IACjC,IAAI,CAAC;QACH,MAAM,CAAC,GAAG,IAAI,IAAI,CAAC,OAAO,CAAC,CAAC;QAC5B,IAAI,KAAK,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC;YAAE,OAAO,OAAO,CAAC;QACvC,OAAO,CAAC,CAAC,cAAc,EAAE,CAAC;IAC5B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,OAAO,CAAC;IACjB,CAAC;AACH,CAAC"}

package/dist/signatures/devices.d.ts

@@ -0,0 +1,165 @@
+/**
+ * Known devices registry for unotoken device signatures.
+ *
+ * Manages a SQLite database of approved devices. Each device is identified
+ * by its fingerprint (see fingerprint.ts). Devices must be approved before
+ * they can access the vault.
+ *
+ * The registry is stored at ~/.yokotoken/devices.db (separate from the
+ * encrypted vault) because device checks happen BEFORE vault unlock.
+ *
+ * Table: known_devices
+ * - device_id: UUID primary key
+ * - fingerprint: SHA-256 hex string (unique)
+ * - name: human-friendly device name (e.g., "stefan@macbook")
+ * - approved_at: ISO 8601 timestamp
+ * - last_seen_at: ISO 8601 timestamp (updated on each vault operation)
+ * - approval_method: 'email_code' | 'initial_setup'
+ *
+ * @module
+ */
+export type ApprovalMethod = 'email_code' | 'initial_setup';
+export interface KnownDevice {
+    device_id: string;
+    fingerprint: string;
+    name: string;
+    approved_at: string;
+    last_seen_at: string;
+    approval_method: ApprovalMethod;
+}
+/**
+ * Manages the known_devices SQLite database.
+ *
+ * Uses sql.js (SQLite compiled to WASM) for portable, single-file access.
+ * The database lives in memory and is persisted to disk after mutations.
+ */
+export declare class DevicesDatabase {
+    private db;
+    private dbPath;
+    private constructor();
+    /**
+     * Open or create the devices database at the given path.
+     *
+     * @param baseDir - Optional base directory (default: ~/.yokotoken)
+     * @returns A ready-to-use DevicesDatabase instance
+     */
+    static open(baseDir?: string): Promise<DevicesDatabase>;
+    /**
+     * Initialize the known_devices table if it does not exist.
+     */
+    private initSchema;
+    /**
+     * Persist the in-memory database to disk.
+     */
+    private save;
+    /**
+     * Check whether a device with the given fingerprint is registered.
+     *
+     * @param fingerprint - The device fingerprint (SHA-256 hex)
+     * @returns true if the device is in the known_devices table
+     */
+    isDeviceKnown(fingerprint: string): boolean;
+    /**
+     * Register a new device in the known_devices table.
+     *
+     * @param fingerprint - The device fingerprint (SHA-256 hex)
+     * @param name - Human-friendly device name
+     * @param method - How the device was approved
+     * @returns The newly created KnownDevice record
+     * @throws Error if the fingerprint is already registered
+     */
+    registerDevice(fingerprint: string, name: string, method: ApprovalMethod): KnownDevice;
+    /**
+     * Get a known device by fingerprint.
+     *
+     * @param fingerprint - The device fingerprint (SHA-256 hex)
+     * @returns The device record, or null if not found
+     */
+    getDevice(fingerprint: string): KnownDevice | null;
+    /**
+     * Update the last_seen_at timestamp for a device.
+     *
+     * Called on each vault operation from a known device.
+     *
+     * @param fingerprint - The device fingerprint
+     */
+    updateLastSeen(fingerprint: string): void;
+    /**
+     * List all known (approved) devices.
+     *
+     * @returns Array of KnownDevice records, ordered by approved_at ascending
+     */
+    listDevices(): KnownDevice[];
+    /**
+     * Remove a device by fingerprint.
+     *
+     * @param fingerprint - The device fingerprint
+     * @returns true if a device was removed, false if not found
+     */
+    removeDevice(fingerprint: string): boolean;
+    /**
+     * Rename a device by fingerprint.
+     *
+     * @param fingerprint - The device fingerprint
+     * @param newName - The new human-friendly name
+     * @returns true if the device was renamed, false if not found
+     */
+    renameDevice(fingerprint: string, newName: string): boolean;
+    /**
+     * Find devices whose fingerprint starts with the given prefix.
+     *
+     * Works like git SHA prefix matching -- the user provides the first N
+     * characters of the fingerprint and we find matching devices.
+     *
+     * @param prefix - The fingerprint prefix (minimum 8 characters recommended)
+     * @returns Array of matching KnownDevice records
+     */
+    findByFingerprintPrefix(prefix: string): KnownDevice[];
+    /**
+     * Remove all devices except the one with the given fingerprint.
+     *
+     * Used as a nuclear option for security incidents -- removes all
+     * approved devices except the current one.
+     *
+     * @param keepFingerprint - The fingerprint to keep
+     * @returns The number of devices removed
+     */
+    removeAllExcept(keepFingerprint: string): number;
+    /**
+     * Count total known devices.
+     *
+     * @returns The number of registered devices
+     */
+    countDevices(): number;
+    /**
+     * Check if this is the very first device (no devices registered yet).
+     *
+     * Used during initial vault setup to auto-approve the first device
+     * without requiring an email code.
+     *
+     * @returns true if zero devices are registered
+     */
+    isFirstDevice(): boolean;
+    /**
+     * Close the database connection.
+     */
+    close(): void;
+}
+/**
+ * Check if the current device is known and auto-approve the first device.
+ *
+ * This is the main entry point for device checks:
+ * 1. If no devices exist yet (first setup), auto-approves current device
+ * 2. If devices exist, checks if current fingerprint is registered
+ *
+ * @param fingerprint - The current device's fingerprint
+ * @param deviceName - Human-friendly name for this device
+ * @param baseDir - Optional base directory for the devices database
+ * @returns Object with `known` boolean and `autoApproved` boolean
+ */
+export declare function checkDevice(fingerprint: string, deviceName: string, baseDir?: string): Promise<{
+    known: boolean;
+    autoApproved: boolean;
+    device: KnownDevice | null;
+}>;
+//# sourceMappingURL=devices.d.ts.map

package/dist/signatures/devices.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"devices.d.ts","sourceRoot":"","sources":["../../src/signatures/devices.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAUH,MAAM,MAAM,cAAc,GAAG,YAAY,GAAG,eAAe,CAAC;AAE5D,MAAM,WAAW,WAAW;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,eAAe,EAAE,cAAc,CAAC;CACjC;AAoBD;;;;;GAKG;AACH,qBAAa,eAAe;IAC1B,OAAO,CAAC,EAAE,CAAkE;IAC5E,OAAO,CAAC,MAAM,CAAS;IAEvB,OAAO;IAQP;;;;;OAKG;WACU,IAAI,CAAC,OAAO,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC;IAuB7D;;OAEG;IACH,OAAO,CAAC,UAAU;IAclB;;OAEG;IACH,OAAO,CAAC,IAAI;IASZ;;;;;OAKG;IACH,aAAa,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO;IAc3C;;;;;;;;OAQG;IACH,cAAc,CACZ,WAAW,EAAE,MAAM,EACnB,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,cAAc,GACrB,WAAW;IAqBd;;;;;OAKG;IACH,SAAS,CAAC,WAAW,EAAE,MAAM,GAAG,WAAW,GAAG,IAAI;IAqBlD;;;;;;OAMG;IACH,cAAc,CAAC,WAAW,EAAE,MAAM,GAAG,IAAI;IASzC;;;;OAIG;IACH,WAAW,IAAI,WAAW,EAAE;IAoB5B;;;;;OAKG;IACH,YAAY,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO;IAY1C;;;;;;OAMG;IACH,YAAY,CAAC,WAAW,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO;IAW3D;;;;;;;;OAQG;IACH,uBAAuB,CAAC,MAAM,EAAE,MAAM,GAAG,WAAW,EAAE;IAyBtD;;;;;;;;OAQG;IACH,eAAe,CAAC,eAAe,EAAE,MAAM,GAAG,MAAM;IAahD;;;;OAIG;IACH,YAAY,IAAI,MAAM;IAWtB;;;;;;;OAOG;IACH,aAAa,IAAI,OAAO;IAIxB;;OAEG;IACH,KAAK,IAAI,IAAI;CAGd;AAID;;;;;;;;;;;GAWG;AACH,wBAAsB,WAAW,CAC/B,WAAW,EAAE,MAAM,EACnB,UAAU,EAAE,MAAM,EAClB,OAAO,CAAC,EAAE,MAAM,GACf,OAAO,CAAC;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,YAAY,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,WAAW,GAAG,IAAI,CAAA;CAAE,CAAC,CAsBhF"}