unotoken 0.1.0

package/dist/signatures/devices.js

@@ -0,0 +1,344 @@
+/**
+ * Known devices registry for unotoken device signatures.
+ *
+ * Manages a SQLite database of approved devices. Each device is identified
+ * by its fingerprint (see fingerprint.ts). Devices must be approved before
+ * they can access the vault.
+ *
+ * The registry is stored at ~/.yokotoken/devices.db (separate from the
+ * encrypted vault) because device checks happen BEFORE vault unlock.
+ *
+ * Table: known_devices
+ * - device_id: UUID primary key
+ * - fingerprint: SHA-256 hex string (unique)
+ * - name: human-friendly device name (e.g., "stefan@macbook")
+ * - approved_at: ISO 8601 timestamp
+ * - last_seen_at: ISO 8601 timestamp (updated on each vault operation)
+ * - approval_method: 'email_code' | 'initial_setup'
+ *
+ * @module
+ */
+import initSqlJs from 'sql.js';
+import { randomUUID } from 'node:crypto';
+import { readFileSync, writeFileSync, existsSync, mkdirSync } from 'node:fs';
+import path from 'node:path';
+import { getDeviceDir } from '../oauth/device-secret.js';
+// ─── Constants ──────────────────────────────────────────────────────
+const DEVICES_DB_FILENAME = 'devices.db';
+// ─── SQL.js Initialization ──────────────────────────────────────────
+/** Cached sql.js module (loaded once). */
+let sqlJsModule = null;
+async function getSqlJs() {
+    if (!sqlJsModule) {
+        sqlJsModule = await initSqlJs();
+    }
+    return sqlJsModule;
+}
+// ─── DevicesDatabase ────────────────────────────────────────────────
+/**
+ * Manages the known_devices SQLite database.
+ *
+ * Uses sql.js (SQLite compiled to WASM) for portable, single-file access.
+ * The database lives in memory and is persisted to disk after mutations.
+ */
+export class DevicesDatabase {
+    db;
+    dbPath;
+    constructor(db, dbPath) {
+        this.db = db;
+        this.dbPath = dbPath;
+    }
+    /**
+     * Open or create the devices database at the given path.
+     *
+     * @param baseDir - Optional base directory (default: ~/.yokotoken)
+     * @returns A ready-to-use DevicesDatabase instance
+     */
+    static async open(baseDir) {
+        const dir = baseDir ?? getDeviceDir();
+        const dbPath = path.join(dir, DEVICES_DB_FILENAME);
+        if (!existsSync(dir)) {
+            mkdirSync(dir, { recursive: true });
+        }
+        const SQL = await getSqlJs();
+        let db;
+        if (existsSync(dbPath)) {
+            const buffer = readFileSync(dbPath);
+            db = new SQL.Database(buffer);
+        }
+        else {
+            db = new SQL.Database();
+        }
+        const instance = new DevicesDatabase(db, dbPath);
+        instance.initSchema();
+        return instance;
+    }
+    /**
+     * Initialize the known_devices table if it does not exist.
+     */
+    initSchema() {
+        this.db.run(`
+      CREATE TABLE IF NOT EXISTS known_devices (
+        device_id        TEXT PRIMARY KEY,
+        fingerprint      TEXT NOT NULL UNIQUE,
+        name             TEXT NOT NULL,
+        approved_at      TEXT NOT NULL,
+        last_seen_at     TEXT NOT NULL,
+        approval_method  TEXT NOT NULL CHECK (approval_method IN ('email_code', 'initial_setup'))
+      )
+    `);
+        this.save();
+    }
+    /**
+     * Persist the in-memory database to disk.
+     */
+    save() {
+        const dir = path.dirname(this.dbPath);
+        if (!existsSync(dir)) {
+            mkdirSync(dir, { recursive: true });
+        }
+        const data = this.db.export();
+        writeFileSync(this.dbPath, Buffer.from(data));
+    }
+    /**
+     * Check whether a device with the given fingerprint is registered.
+     *
+     * @param fingerprint - The device fingerprint (SHA-256 hex)
+     * @returns true if the device is in the known_devices table
+     */
+    isDeviceKnown(fingerprint) {
+        const stmt = this.db.prepare('SELECT COUNT(*) as cnt FROM known_devices WHERE fingerprint = ?');
+        stmt.bind([fingerprint]);
+        let count = 0;
+        if (stmt.step()) {
+            const row = stmt.getAsObject();
+            count = row.cnt;
+        }
+        stmt.free();
+        return count > 0;
+    }
+    /**
+     * Register a new device in the known_devices table.
+     *
+     * @param fingerprint - The device fingerprint (SHA-256 hex)
+     * @param name - Human-friendly device name
+     * @param method - How the device was approved
+     * @returns The newly created KnownDevice record
+     * @throws Error if the fingerprint is already registered
+     */
+    registerDevice(fingerprint, name, method) {
+        const now = new Date().toISOString();
+        const deviceId = randomUUID();
+        this.db.run(`INSERT INTO known_devices (device_id, fingerprint, name, approved_at, last_seen_at, approval_method)
+       VALUES (?, ?, ?, ?, ?, ?)`, [deviceId, fingerprint, name, now, now, method]);
+        this.save();
+        return {
+            device_id: deviceId,
+            fingerprint,
+            name,
+            approved_at: now,
+            last_seen_at: now,
+            approval_method: method,
+        };
+    }
+    /**
+     * Get a known device by fingerprint.
+     *
+     * @param fingerprint - The device fingerprint (SHA-256 hex)
+     * @returns The device record, or null if not found
+     */
+    getDevice(fingerprint) {
+        const stmt = this.db.prepare('SELECT device_id, fingerprint, name, approved_at, last_seen_at, approval_method FROM known_devices WHERE fingerprint = ?');
+        stmt.bind([fingerprint]);
+        let device = null;
+        if (stmt.step()) {
+            const row = stmt.getAsObject();
+            device = {
+                device_id: row.device_id,
+                fingerprint: row.fingerprint,
+                name: row.name,
+                approved_at: row.approved_at,
+                last_seen_at: row.last_seen_at,
+                approval_method: row.approval_method,
+            };
+        }
+        stmt.free();
+        return device;
+    }
+    /**
+     * Update the last_seen_at timestamp for a device.
+     *
+     * Called on each vault operation from a known device.
+     *
+     * @param fingerprint - The device fingerprint
+     */
+    updateLastSeen(fingerprint) {
+        const now = new Date().toISOString();
+        this.db.run('UPDATE known_devices SET last_seen_at = ? WHERE fingerprint = ?', [now, fingerprint]);
+        this.save();
+    }
+    /**
+     * List all known (approved) devices.
+     *
+     * @returns Array of KnownDevice records, ordered by approved_at ascending
+     */
+    listDevices() {
+        const devices = [];
+        const stmt = this.db.prepare('SELECT device_id, fingerprint, name, approved_at, last_seen_at, approval_method FROM known_devices ORDER BY approved_at ASC');
+        while (stmt.step()) {
+            const row = stmt.getAsObject();
+            devices.push({
+                device_id: row.device_id,
+                fingerprint: row.fingerprint,
+                name: row.name,
+                approved_at: row.approved_at,
+                last_seen_at: row.last_seen_at,
+                approval_method: row.approval_method,
+            });
+        }
+        stmt.free();
+        return devices;
+    }
+    /**
+     * Remove a device by fingerprint.
+     *
+     * @param fingerprint - The device fingerprint
+     * @returns true if a device was removed, false if not found
+     */
+    removeDevice(fingerprint) {
+        const before = this.isDeviceKnown(fingerprint);
+        if (!before)
+            return false;
+        this.db.run('DELETE FROM known_devices WHERE fingerprint = ?', [fingerprint]);
+        this.save();
+        return true;
+    }
+    /**
+     * Rename a device by fingerprint.
+     *
+     * @param fingerprint - The device fingerprint
+     * @param newName - The new human-friendly name
+     * @returns true if the device was renamed, false if not found
+     */
+    renameDevice(fingerprint, newName) {
+        if (!this.isDeviceKnown(fingerprint))
+            return false;
+        this.db.run('UPDATE known_devices SET name = ? WHERE fingerprint = ?', [newName, fingerprint]);
+        this.save();
+        return true;
+    }
+    /**
+     * Find devices whose fingerprint starts with the given prefix.
+     *
+     * Works like git SHA prefix matching -- the user provides the first N
+     * characters of the fingerprint and we find matching devices.
+     *
+     * @param prefix - The fingerprint prefix (minimum 8 characters recommended)
+     * @returns Array of matching KnownDevice records
+     */
+    findByFingerprintPrefix(prefix) {
+        const devices = [];
+        const pattern = prefix + '%';
+        const stmt = this.db.prepare(`SELECT device_id, fingerprint, name, approved_at, last_seen_at, approval_method
+       FROM known_devices
+       WHERE fingerprint LIKE ?
+       ORDER BY approved_at ASC`);
+        stmt.bind([pattern]);
+        while (stmt.step()) {
+            const row = stmt.getAsObject();
+            devices.push({
+                device_id: row.device_id,
+                fingerprint: row.fingerprint,
+                name: row.name,
+                approved_at: row.approved_at,
+                last_seen_at: row.last_seen_at,
+                approval_method: row.approval_method,
+            });
+        }
+        stmt.free();
+        return devices;
+    }
+    /**
+     * Remove all devices except the one with the given fingerprint.
+     *
+     * Used as a nuclear option for security incidents -- removes all
+     * approved devices except the current one.
+     *
+     * @param keepFingerprint - The fingerprint to keep
+     * @returns The number of devices removed
+     */
+    removeAllExcept(keepFingerprint) {
+        const before = this.countDevices();
+        this.db.run('DELETE FROM known_devices WHERE fingerprint != ?', [keepFingerprint]);
+        this.save();
+        const after = this.countDevices();
+        return before - after;
+    }
+    /**
+     * Count total known devices.
+     *
+     * @returns The number of registered devices
+     */
+    countDevices() {
+        const stmt = this.db.prepare('SELECT COUNT(*) as cnt FROM known_devices');
+        let count = 0;
+        if (stmt.step()) {
+            const row = stmt.getAsObject();
+            count = row.cnt;
+        }
+        stmt.free();
+        return count;
+    }
+    /**
+     * Check if this is the very first device (no devices registered yet).
+     *
+     * Used during initial vault setup to auto-approve the first device
+     * without requiring an email code.
+     *
+     * @returns true if zero devices are registered
+     */
+    isFirstDevice() {
+        return this.countDevices() === 0;
+    }
+    /**
+     * Close the database connection.
+     */
+    close() {
+        this.db.close();
+    }
+}
+// ─── High-level convenience functions ───────────────────────────────
+/**
+ * Check if the current device is known and auto-approve the first device.
+ *
+ * This is the main entry point for device checks:
+ * 1. If no devices exist yet (first setup), auto-approves current device
+ * 2. If devices exist, checks if current fingerprint is registered
+ *
+ * @param fingerprint - The current device's fingerprint
+ * @param deviceName - Human-friendly name for this device
+ * @param baseDir - Optional base directory for the devices database
+ * @returns Object with `known` boolean and `autoApproved` boolean
+ */
+export async function checkDevice(fingerprint, deviceName, baseDir) {
+    const db = await DevicesDatabase.open(baseDir);
+    try {
+        // First device ever — auto-approve
+        if (db.isFirstDevice()) {
+            const device = db.registerDevice(fingerprint, deviceName, 'initial_setup');
+            return { known: true, autoApproved: true, device };
+        }
+        // Check if this device is already known
+        if (db.isDeviceKnown(fingerprint)) {
+            db.updateLastSeen(fingerprint);
+            const device = db.getDevice(fingerprint);
+            return { known: true, autoApproved: false, device };
+        }
+        // Unknown device — needs approval
+        return { known: false, autoApproved: false, device: null };
+    }
+    finally {
+        db.close();
+    }
+}
+//# sourceMappingURL=devices.js.map

package/dist/signatures/devices.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"devices.js","sourceRoot":"","sources":["../../src/signatures/devices.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,SAAS,MAAM,QAAQ,CAAC;AAC/B,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AAC7E,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,YAAY,EAAE,MAAM,2BAA2B,CAAC;AAezD,uEAAuE;AAEvE,MAAM,mBAAmB,GAAG,YAAY,CAAC;AAEzC,uEAAuE;AAEvE,0CAA0C;AAC1C,IAAI,WAAW,GAAiD,IAAI,CAAC;AAErE,KAAK,UAAU,QAAQ;IACrB,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,WAAW,GAAG,MAAM,SAAS,EAAE,CAAC;IAClC,CAAC;IACD,OAAO,WAAW,CAAC;AACrB,CAAC;AAED,uEAAuE;AAEvE;;;;;GAKG;AACH,MAAM,OAAO,eAAe;IAClB,EAAE,CAAkE;IACpE,MAAM,CAAS;IAEvB,YACE,EAAmE,EACnE,MAAc;QAEd,IAAI,CAAC,EAAE,GAAG,EAAE,CAAC;QACb,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;IAED;;;;;OAKG;IACH,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,OAAgB;QAChC,MAAM,GAAG,GAAG,OAAO,IAAI,YAAY,EAAE,CAAC;QACtC,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,mBAAmB,CAAC,CAAC;QAEnD,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YACrB,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACtC,CAAC;QAED,MAAM,GAAG,GAAG,MAAM,QAAQ,EAAE,CAAC;QAE7B,IAAI,EAAqC,CAAC;QAC1C,IAAI,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;YACvB,MAAM,MAAM,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;YACpC,EAAE,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAChC,CAAC;aAAM,CAAC;YACN,EAAE,GAAG,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;QAC1B,CAAC;QAED,MAAM,QAAQ,GAAG,IAAI,eAAe,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;QACjD,QAAQ,CAAC,UAAU,EAAE,CAAC;QACtB,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED;;OAEG;IACK,UAAU;QAChB,IAAI,CAAC,EAAE,CAAC,GAAG,CAAC;;;;;;;;;KASX,CAAC,CAAC;QACH,IAAI,CAAC,IAAI,EAAE,CAAC;IACd,CAAC;IAED;;OAEG;IACK,IAAI;QACV,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACtC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YACrB,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACtC,CAAC;QACD,MAAM,IAAI,GAAG,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC;QAC9B,aAAa,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;IAChD,CAAC;IAED;;;;;OAKG;IACH,aAAa,CAAC,WAAmB;QAC/B,MAAM,IAAI,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAC1B,iEAAiE,CAClE,CAAC;QACF,IAAI,CAAC,IAAI,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC;QACzB,IAAI,KAAK,GAAG,CAAC,CAAC;QACd,IAAI,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC;YAChB,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;YAC/B,KAAK,GAAG,GAAG,CAAC,GAAa,CAAC;QAC5B,CAAC;QACD,IAAI,CAAC,IAAI,EAAE,CAAC;QACZ,OAAO,KAAK,GAAG,CAAC,CAAC;IACnB,CAAC;IAED;;;;;;;;OAQG;IACH,cAAc,CACZ,WAAmB,EACnB,IAAY,EACZ,MAAsB;QAEtB,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QACrC,MAAM,QAAQ,GAAG,UAAU,EAAE,CAAC;QAE9B,IAAI,CAAC,EAAE,CAAC,GAAG,CACT;iCAC2B,EAC3B,CAAC,QAAQ,EAAE,WAAW,EAAE,IAAI,EAAE,GAAG,EAAE,GAAG,EAAE,MAAM,CAAC,CAChD,CAAC;QACF,IAAI,CAAC,IAAI,EAAE,CAAC;QAEZ,OAAO;YACL,SAAS,EAAE,QAAQ;YACnB,WAAW;YACX,IAAI;YACJ,WAAW,EAAE,GAAG;YAChB,YAAY,EAAE,GAAG;YACjB,eAAe,EAAE,MAAM;SACxB,CAAC;IACJ,CAAC;IAED;;;;;OAKG;IACH,SAAS,CAAC,WAAmB;QAC3B,MAAM,IAAI,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAC1B,0HAA0H,CAC3H,CAAC;QACF,IAAI,CAAC,IAAI,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC;QACzB,IAAI,MAAM,GAAuB,IAAI,CAAC;QACtC,IAAI,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC;YAChB,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;YAC/B,MAAM,GAAG;gBACP,SAAS,EAAE,GAAG,CAAC,SAAmB;gBAClC,WAAW,EAAE,GAAG,CAAC,WAAqB;gBACtC,IAAI,EAAE,GAAG,CAAC,IAAc;gBACxB,WAAW,EAAE,GAAG,CAAC,WAAqB;gBACtC,YAAY,EAAE,GAAG,CAAC,YAAsB;gBACxC,eAAe,EAAE,GAAG,CAAC,eAAiC;aACvD,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,IAAI,EAAE,CAAC;QACZ,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;;;;;OAMG;IACH,cAAc,CAAC,WAAmB;QAChC,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QACrC,IAAI,CAAC,EAAE,CAAC,GAAG,CACT,iEAAiE,EACjE,CAAC,GAAG,EAAE,WAAW,CAAC,CACnB,CAAC;QACF,IAAI,CAAC,IAAI,EAAE,CAAC;IACd,CAAC;IAED;;;;OAIG;IACH,WAAW;QACT,MAAM,OAAO,GAAkB,EAAE,CAAC;QAClC,MAAM,IAAI,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAC1B,6HAA6H,CAC9H,CAAC;QACF,OAAO,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC;YACnB,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;YAC/B,OAAO,CAAC,IAAI,CAAC;gBACX,SAAS,EAAE,GAAG,CAAC,SAAmB;gBAClC,WAAW,EAAE,GAAG,CAAC,WAAqB;gBACtC,IAAI,EAAE,GAAG,CAAC,IAAc;gBACxB,WAAW,EAAE,GAAG,CAAC,WAAqB;gBACtC,YAAY,EAAE,GAAG,CAAC,YAAsB;gBACxC,eAAe,EAAE,GAAG,CAAC,eAAiC;aACvD,CAAC,CAAC;QACL,CAAC;QACD,IAAI,CAAC,IAAI,EAAE,CAAC;QACZ,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;;;;OAKG;IACH,YAAY,CAAC,WAAmB;QAC9B,MAAM,MAAM,GAAG,IAAI,CAAC,aAAa,CAAC,WAAW,CAAC,CAAC;QAC/C,IAAI,CAAC,MAAM;YAAE,OAAO,KAAK,CAAC;QAE1B,IAAI,CAAC,EAAE,CAAC,GAAG,CACT,iDAAiD,EACjD,CAAC,WAAW,CAAC,CACd,CAAC;QACF,IAAI,CAAC,IAAI,EAAE,CAAC;QACZ,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;;;OAMG;IACH,YAAY,CAAC,WAAmB,EAAE,OAAe;QAC/C,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,WAAW,CAAC;YAAE,OAAO,KAAK,CAAC;QAEnD,IAAI,CAAC,EAAE,CAAC,GAAG,CACT,yDAAyD,EACzD,CAAC,OAAO,EAAE,WAAW,CAAC,CACvB,CAAC;QACF,IAAI,CAAC,IAAI,EAAE,CAAC;QACZ,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;;;;;OAQG;IACH,uBAAuB,CAAC,MAAc;QACpC,MAAM,OAAO,GAAkB,EAAE,CAAC;QAClC,MAAM,OAAO,GAAG,MAAM,GAAG,GAAG,CAAC;QAC7B,MAAM,IAAI,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAC1B;;;gCAG0B,CAC3B,CAAC;QACF,IAAI,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;QACrB,OAAO,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC;YACnB,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;YAC/B,OAAO,CAAC,IAAI,CAAC;gBACX,SAAS,EAAE,GAAG,CAAC,SAAmB;gBAClC,WAAW,EAAE,GAAG,CAAC,WAAqB;gBACtC,IAAI,EAAE,GAAG,CAAC,IAAc;gBACxB,WAAW,EAAE,GAAG,CAAC,WAAqB;gBACtC,YAAY,EAAE,GAAG,CAAC,YAAsB;gBACxC,eAAe,EAAE,GAAG,CAAC,eAAiC;aACvD,CAAC,CAAC;QACL,CAAC;QACD,IAAI,CAAC,IAAI,EAAE,CAAC;QACZ,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;;;;;;;OAQG;IACH,eAAe,CAAC,eAAuB;QACrC,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,EAAE,CAAC;QAEnC,IAAI,CAAC,EAAE,CAAC,GAAG,CACT,kDAAkD,EAClD,CAAC,eAAe,CAAC,CAClB,CAAC;QACF,IAAI,CAAC,IAAI,EAAE,CAAC;QAEZ,MAAM,KAAK,GAAG,IAAI,CAAC,YAAY,EAAE,CAAC;QAClC,OAAO,MAAM,GAAG,KAAK,CAAC;IACxB,CAAC;IAED;;;;OAIG;IACH,YAAY;QACV,MAAM,IAAI,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,2CAA2C,CAAC,CAAC;QAC1E,IAAI,KAAK,GAAG,CAAC,CAAC;QACd,IAAI,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC;YAChB,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;YAC/B,KAAK,GAAG,GAAG,CAAC,GAAa,CAAC;QAC5B,CAAC;QACD,IAAI,CAAC,IAAI,EAAE,CAAC;QACZ,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;;;;;;OAOG;IACH,aAAa;QACX,OAAO,IAAI,CAAC,YAAY,EAAE,KAAK,CAAC,CAAC;IACnC,CAAC;IAED;;OAEG;IACH,KAAK;QACH,IAAI,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;IAClB,CAAC;CACF;AAED,uEAAuE;AAEvE;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,WAAmB,EACnB,UAAkB,EAClB,OAAgB;IAEhB,MAAM,EAAE,GAAG,MAAM,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAE/C,IAAI,CAAC;QACH,mCAAmC;QACnC,IAAI,EAAE,CAAC,aAAa,EAAE,EAAE,CAAC;YACvB,MAAM,MAAM,GAAG,EAAE,CAAC,cAAc,CAAC,WAAW,EAAE,UAAU,EAAE,eAAe,CAAC,CAAC;YAC3E,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;QACrD,CAAC;QAED,wCAAwC;QACxC,IAAI,EAAE,CAAC,aAAa,CAAC,WAAW,CAAC,EAAE,CAAC;YAClC,EAAE,CAAC,cAAc,CAAC,WAAW,CAAC,CAAC;YAC/B,MAAM,MAAM,GAAG,EAAE,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;YACzC,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;QACtD,CAAC;QAED,kCAAkC;QAClC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,YAAY,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;IAC7D,CAAC;YAAS,CAAC;QACT,EAAE,CAAC,KAAK,EAAE,CAAC;IACb,CAAC;AACH,CAAC"}

package/dist/signatures/email-config.d.ts

@@ -0,0 +1,102 @@
+/**
+ * Email configuration for unotoken device signatures.
+ *
+ * Stores the user's verified email address at ~/.yokotoken/email-config.json.
+ * This email is used to send device approval codes when a new/unknown device
+ * attempts to access the vault.
+ *
+ * The config file contains:
+ * - email: the verified email address
+ * - verified: boolean indicating verification status
+ * - verifiedAt: ISO 8601 timestamp of when verification completed
+ * - resendApiKey: optional custom Resend API key (overrides built-in)
+ *
+ * @module
+ */
+export interface EmailConfig {
+    /** The user's email address */
+    email: string;
+    /** Whether the email has been verified via code entry */
+    verified: boolean;
+    /** ISO 8601 timestamp of when verification was completed */
+    verifiedAt: string;
+    /** Optional custom Resend API key (overrides the built-in key) */
+    resendApiKey?: string;
+}
+/**
+ * Get the path to the email config file.
+ *
+ * @param baseDir - Optional base directory (default: ~/.yokotoken)
+ * @returns Absolute path to email-config.json
+ */
+export declare function getEmailConfigPath(baseDir?: string): string;
+/**
+ * Validate an email address format.
+ *
+ * @param email - The email address to validate
+ * @returns true if the email has a valid format
+ */
+export declare function isValidEmail(email: string): boolean;
+/**
+ * Load the email configuration from disk.
+ *
+ * Returns null if no config file exists or if the file is corrupted.
+ *
+ * @param baseDir - Optional base directory (default: ~/.yokotoken)
+ * @returns The email config, or null if not configured
+ */
+export declare function loadEmailConfig(baseDir?: string): EmailConfig | null;
+/**
+ * Save the email configuration to disk.
+ *
+ * Creates the directory if it does not exist.
+ *
+ * @param config - The email config to save
+ * @param baseDir - Optional base directory (default: ~/.yokotoken)
+ */
+export declare function saveEmailConfig(config: EmailConfig, baseDir?: string): void;
+/**
+ * Clear (delete) the email configuration file.
+ *
+ * After clearing, device approval codes cannot be sent until a new
+ * email is configured and verified.
+ *
+ * @param baseDir - Optional base directory (default: ~/.yokotoken)
+ * @returns true if a config file was deleted, false if none existed
+ */
+export declare function clearEmailConfig(baseDir?: string): boolean;
+/**
+ * Check if a verified email is configured.
+ *
+ * @param baseDir - Optional base directory (default: ~/.yokotoken)
+ * @returns true if a verified email config exists
+ */
+export declare function hasVerifiedEmail(baseDir?: string): boolean;
+/**
+ * Get the configured email address (masked for display).
+ *
+ * Masks the local part: first 2 chars + asterisks + last char before @.
+ * Example: stefan@example.com -> st***n@example.com
+ *
+ * @param email - The email address to mask
+ * @returns The masked email string
+ */
+export declare function maskEmail(email: string): string;
+/**
+ * Format the email config for display.
+ *
+ * @param config - The email config to format (or null if not configured)
+ * @returns Human-readable string showing email config
+ */
+export declare function formatEmailConfigForDisplay(config: EmailConfig | null): string;
+/**
+ * Update the Resend API key in the email configuration.
+ *
+ * If no email config exists, creates a placeholder that requires verification.
+ *
+ * @param resendApiKey - The custom Resend API key to set
+ * @param baseDir - Optional base directory (default: ~/.yokotoken)
+ * @returns The updated config
+ */
+export declare function setResendApiKey(resendApiKey: string, baseDir?: string): EmailConfig;
+//# sourceMappingURL=email-config.d.ts.map

package/dist/signatures/email-config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"email-config.d.ts","sourceRoot":"","sources":["../../src/signatures/email-config.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAQH,MAAM,WAAW,WAAW;IAC1B,+BAA+B;IAC/B,KAAK,EAAE,MAAM,CAAC;IACd,yDAAyD;IACzD,QAAQ,EAAE,OAAO,CAAC;IAClB,4DAA4D;IAC5D,UAAU,EAAE,MAAM,CAAC;IACnB,kEAAkE;IAClE,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAcD;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,CAAC,EAAE,MAAM,GAAG,MAAM,CAE3D;AAID;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAInD;AAID;;;;;;;GAOG;AACH,wBAAgB,eAAe,CAAC,OAAO,CAAC,EAAE,MAAM,GAAG,WAAW,GAAG,IAAI,CAqBpE;AAED;;;;;;;GAOG;AACH,wBAAgB,eAAe,CAAC,MAAM,EAAE,WAAW,EAAE,OAAO,CAAC,EAAE,MAAM,GAAG,IAAI,CAS3E;AAED;;;;;;;;GAQG;AACH,wBAAgB,gBAAgB,CAAC,OAAO,CAAC,EAAE,MAAM,GAAG,OAAO,CAS1D;AAED;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAAC,OAAO,CAAC,EAAE,MAAM,GAAG,OAAO,CAG1D;AAED;;;;;;;;GAQG;AACH,wBAAgB,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAW/C;AAED;;;;;GAKG;AACH,wBAAgB,2BAA2B,CAAC,MAAM,EAAE,WAAW,GAAG,IAAI,GAAG,MAAM,CAqB9E;AAED;;;;;;;;GAQG;AACH,wBAAgB,eAAe,CAAC,YAAY,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,GAAG,WAAW,CAgBnF"}

package/dist/signatures/email-config.js

@@ -0,0 +1,188 @@
+/**
+ * Email configuration for unotoken device signatures.
+ *
+ * Stores the user's verified email address at ~/.yokotoken/email-config.json.
+ * This email is used to send device approval codes when a new/unknown device
+ * attempts to access the vault.
+ *
+ * The config file contains:
+ * - email: the verified email address
+ * - verified: boolean indicating verification status
+ * - verifiedAt: ISO 8601 timestamp of when verification completed
+ * - resendApiKey: optional custom Resend API key (overrides built-in)
+ *
+ * @module
+ */
+import { readFileSync, writeFileSync, existsSync, mkdirSync, unlinkSync } from 'node:fs';
+import path from 'node:path';
+import { getDeviceDir } from '../oauth/device-secret.js';
+// ─── Constants ──────────────────────────────────────────────────────
+const EMAIL_CONFIG_FILENAME = 'email-config.json';
+/**
+ * Basic email validation regex.
+ * Checks for: something@something.something
+ */
+const EMAIL_REGEX = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+// ─── Path Resolution ────────────────────────────────────────────────
+/**
+ * Get the path to the email config file.
+ *
+ * @param baseDir - Optional base directory (default: ~/.yokotoken)
+ * @returns Absolute path to email-config.json
+ */
+export function getEmailConfigPath(baseDir) {
+    return path.join(baseDir ?? getDeviceDir(), EMAIL_CONFIG_FILENAME);
+}
+// ─── Validation ─────────────────────────────────────────────────────
+/**
+ * Validate an email address format.
+ *
+ * @param email - The email address to validate
+ * @returns true if the email has a valid format
+ */
+export function isValidEmail(email) {
+    if (!email || typeof email !== 'string')
+        return false;
+    if (email.length > 254)
+        return false;
+    return EMAIL_REGEX.test(email);
+}
+// ─── Load / Save / Clear ────────────────────────────────────────────
+/**
+ * Load the email configuration from disk.
+ *
+ * Returns null if no config file exists or if the file is corrupted.
+ *
+ * @param baseDir - Optional base directory (default: ~/.yokotoken)
+ * @returns The email config, or null if not configured
+ */
+export function loadEmailConfig(baseDir) {
+    const configPath = getEmailConfigPath(baseDir);
+    if (!existsSync(configPath)) {
+        return null;
+    }
+    try {
+        const raw = readFileSync(configPath, 'utf-8');
+        const parsed = JSON.parse(raw);
+        // Validate essential fields
+        if (!parsed.email || typeof parsed.verified !== 'boolean') {
+            return null;
+        }
+        return parsed;
+    }
+    catch {
+        // Corrupted config -- treat as not configured
+        return null;
+    }
+}
+/**
+ * Save the email configuration to disk.
+ *
+ * Creates the directory if it does not exist.
+ *
+ * @param config - The email config to save
+ * @param baseDir - Optional base directory (default: ~/.yokotoken)
+ */
+export function saveEmailConfig(config, baseDir) {
+    const dir = baseDir ?? getDeviceDir();
+    const configPath = getEmailConfigPath(dir);
+    if (!existsSync(dir)) {
+        mkdirSync(dir, { recursive: true });
+    }
+    writeFileSync(configPath, JSON.stringify(config, null, 2) + '\n', 'utf-8');
+}
+/**
+ * Clear (delete) the email configuration file.
+ *
+ * After clearing, device approval codes cannot be sent until a new
+ * email is configured and verified.
+ *
+ * @param baseDir - Optional base directory (default: ~/.yokotoken)
+ * @returns true if a config file was deleted, false if none existed
+ */
+export function clearEmailConfig(baseDir) {
+    const configPath = getEmailConfigPath(baseDir);
+    if (!existsSync(configPath)) {
+        return false;
+    }
+    unlinkSync(configPath);
+    return true;
+}
+/**
+ * Check if a verified email is configured.
+ *
+ * @param baseDir - Optional base directory (default: ~/.yokotoken)
+ * @returns true if a verified email config exists
+ */
+export function hasVerifiedEmail(baseDir) {
+    const config = loadEmailConfig(baseDir);
+    return config !== null && config.verified === true;
+}
+/**
+ * Get the configured email address (masked for display).
+ *
+ * Masks the local part: first 2 chars + asterisks + last char before @.
+ * Example: stefan@example.com -> st***n@example.com
+ *
+ * @param email - The email address to mask
+ * @returns The masked email string
+ */
+export function maskEmail(email) {
+    const [local, domain] = email.split('@');
+    if (!local || !domain)
+        return '***@***';
+    if (local.length <= 2) {
+        return `${local[0]}***@${domain}`;
+    }
+    const first = local.slice(0, 2);
+    const last = local.slice(-1);
+    return `${first}${'*'.repeat(Math.max(3, local.length - 3))}${last}@${domain}`;
+}
+/**
+ * Format the email config for display.
+ *
+ * @param config - The email config to format (or null if not configured)
+ * @returns Human-readable string showing email config
+ */
+export function formatEmailConfigForDisplay(config) {
+    if (!config) {
+        return '  No email configured.\n  Set one with: unotoken config email <address>';
+    }
+    const lines = [];
+    lines.push(`  Email:      ${maskEmail(config.email)}`);
+    lines.push(`  Verified:   ${config.verified ? 'Yes' : 'No'}`);
+    if (config.verifiedAt) {
+        try {
+            const d = new Date(config.verifiedAt);
+            lines.push(`  Verified at: ${d.toLocaleString()}`);
+        }
+        catch {
+            lines.push(`  Verified at: ${config.verifiedAt}`);
+        }
+    }
+    lines.push(`  Resend key: ${config.resendApiKey ? 'Custom (user-provided)' : 'Built-in (Indigo-hosted)'}`);
+    return lines.join('\n');
+}
+/**
+ * Update the Resend API key in the email configuration.
+ *
+ * If no email config exists, creates a placeholder that requires verification.
+ *
+ * @param resendApiKey - The custom Resend API key to set
+ * @param baseDir - Optional base directory (default: ~/.yokotoken)
+ * @returns The updated config
+ */
+export function setResendApiKey(resendApiKey, baseDir) {
+    const existing = loadEmailConfig(baseDir);
+    if (existing) {
+        const updated = {
+            ...existing,
+            resendApiKey,
+        };
+        saveEmailConfig(updated, baseDir);
+        return updated;
+    }
+    // No config exists -- cannot just set a key without an email
+    throw new Error('No email configured. Set your email first with: unotoken config email <address>');
+}
+//# sourceMappingURL=email-config.js.map

package/dist/signatures/email-config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"email-config.js","sourceRoot":"","sources":["../../src/signatures/email-config.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,UAAU,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACzF,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,YAAY,EAAE,MAAM,2BAA2B,CAAC;AAezD,uEAAuE;AAEvE,MAAM,qBAAqB,GAAG,mBAAmB,CAAC;AAElD;;;GAGG;AACH,MAAM,WAAW,GAAG,4BAA4B,CAAC;AAEjD,uEAAuE;AAEvE;;;;;GAKG;AACH,MAAM,UAAU,kBAAkB,CAAC,OAAgB;IACjD,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,IAAI,YAAY,EAAE,EAAE,qBAAqB,CAAC,CAAC;AACrE,CAAC;AAED,uEAAuE;AAEvE;;;;;GAKG;AACH,MAAM,UAAU,YAAY,CAAC,KAAa;IACxC,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IACtD,IAAI,KAAK,CAAC,MAAM,GAAG,GAAG;QAAE,OAAO,KAAK,CAAC;IACrC,OAAO,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;AACjC,CAAC;AAED,uEAAuE;AAEvE;;;;;;;GAOG;AACH,MAAM,UAAU,eAAe,CAAC,OAAgB;IAC9C,MAAM,UAAU,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAC;IAE/C,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC5B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;QAC9C,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAgB,CAAC;QAE9C,4BAA4B;QAC5B,IAAI,CAAC,MAAM,CAAC,KAAK,IAAI,OAAO,MAAM,CAAC,QAAQ,KAAK,SAAS,EAAE,CAAC;YAC1D,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAAC,MAAM,CAAC;QACP,8CAA8C;QAC9C,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,eAAe,CAAC,MAAmB,EAAE,OAAgB;IACnE,MAAM,GAAG,GAAG,OAAO,IAAI,YAAY,EAAE,CAAC;IACtC,MAAM,UAAU,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAC;IAE3C,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACrB,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACtC,CAAC;IAED,aAAa,CAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,OAAO,CAAC,CAAC;AAC7E,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,gBAAgB,CAAC,OAAgB;IAC/C,MAAM,UAAU,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAC;IAE/C,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC5B,OAAO,KAAK,CAAC;IACf,CAAC;IAED,UAAU,CAAC,UAAU,CAAC,CAAC;IACvB,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,gBAAgB,CAAC,OAAgB;IAC/C,MAAM,MAAM,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;IACxC,OAAO,MAAM,KAAK,IAAI,IAAI,MAAM,CAAC,QAAQ,KAAK,IAAI,CAAC;AACrD,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,SAAS,CAAC,KAAa;IACrC,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACzC,IAAI,CAAC,KAAK,IAAI,CAAC,MAAM;QAAE,OAAO,SAAS,CAAC;IAExC,IAAI,KAAK,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;QACtB,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,OAAO,MAAM,EAAE,CAAC;IACpC,CAAC;IAED,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IAChC,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAC7B,OAAO,GAAG,KAAK,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,IAAI,IAAI,MAAM,EAAE,CAAC;AACjF,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,2BAA2B,CAAC,MAA0B;IACpE,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,yEAAyE,CAAC;IACnF,CAAC;IAED,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,KAAK,CAAC,IAAI,CAAC,iBAAiB,SAAS,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IACvD,KAAK,CAAC,IAAI,CAAC,iBAAiB,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;IAE9D,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;QACtB,IAAI,CAAC;YACH,MAAM,CAAC,GAAG,IAAI,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;YACtC,KAAK,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC,cAAc,EAAE,EAAE,CAAC,CAAC;QACrD,CAAC;QAAC,MAAM,CAAC;YACP,KAAK,CAAC,IAAI,CAAC,kBAAkB,MAAM,CAAC,UAAU,EAAE,CAAC,CAAC;QACpD,CAAC;IACH,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,iBAAiB,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,wBAAwB,CAAC,CAAC,CAAC,0BAA0B,EAAE,CAAC,CAAC;IAE3G,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,eAAe,CAAC,YAAoB,EAAE,OAAgB;IACpE,MAAM,QAAQ,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;IAE1C,IAAI,QAAQ,EAAE,CAAC;QACb,MAAM,OAAO,GAAgB;YAC3B,GAAG,QAAQ;YACX,YAAY;SACb,CAAC;QACF,eAAe,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QAClC,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,6DAA6D;IAC7D,MAAM,IAAI,KAAK,CACb,iFAAiF,CAClF,CAAC;AACJ,CAAC"}