Wire hardware-based CLI fingerprint into login flow

[jahooma]

Summary

The hardware-based fingerprint in cli/src/utils/fingerprint.ts (machine-id + CPU + MAC + hostname → SHA-256) existed but was never imported — every login path used Math.random(), so every session.fingerprint_id row was unique and multi-account clustering signals (maxFpShare/maxSigShare) were stuck at 1.

This wires getFingerprintId() into both the TUI login modal and the plain-text login, caches the promise once per process, and pre-fetches during initializeApp so it's resolved by the time the user hits Enter. The resolved id lives in login-store so polling reads from the same place that set it. Added node-machine-id as an explicit CLI dep (previously only transitive via nx). Applies to both codebuff and freebuff since both build from the same cli/ source.

Also deletes two dead duplicates of generateFingerprintId and the fully-unused cli/src/components/login-modal-utils.ts.

Test plan

• Verify a new session row's fingerprint_id now starts with enhanced-…
• Re-login on the same machine yields the same fingerprint_id
• Plain-text login (codebuff login) also produces the enhanced- prefix

🤖 Generated with Claude Code

[greptile-apps]

Greptile Summary

This PR wires the existing hardware-based getFingerprintId() (machine-id + CPU + MAC + hostname → SHA-256) into the two login paths (TUI modal and plain-text login) and removes three Math.random()-based duplicates that were silently overriding it. A process-lifetime promise cache is added so all auth steps within a session share the same fingerprint, and initializeApp pre-warms it in the background so the result is typically ready before the user presses Enter.

Key changes:

• getFingerprintId() added to fingerprint.ts with a module-level promise cache; calculateFingerprint() remains as the private implementation.
• login-store gains fingerprintId state so the polling hook reads from the same source that the login mutation set it.
• node-machine-id promoted to an explicit CLI dependency.
• Dead files login-modal-utils.ts and the duplicate generateFingerprintId in login/utils.ts deleted.
• One P2 suggestion: the fingerprintId! non-null assertion in use-login-polling.ts is safe today due to ordering guarantees, but adding fingerprintId to the effect guard would make the contract explicit.

Confidence Score: 5/5

Safe to merge; the single P2 is a defensive style improvement that doesn't affect correctness today.

No P0/P1 issues found. The ordering invariant that makes fingerprintId! safe is correctly documented and holds in the current code. The caching strategy is sound, the legacy fallback path remains intact, dead code is cleanly removed, and the explicit dep addition is appropriate.

cli/src/hooks/use-login-polling.ts — the implicit null guard (P2 suggestion only)

Important Files Changed

Filename	Overview
cli/src/utils/fingerprint.ts	Adds getFingerprintId() with process-lifetime promise caching; removes redundant try/catch wrapper in getMachineId(); calculateFingerprint() remains exported as underlying impl
cli/src/state/login-store.ts	Adds `fingerprintId: string
cli/src/hooks/use-login-polling.ts	Loosens fingerprintId param type to `string
cli/src/components/login-modal.tsx	Replaces local useState(() => generateFingerprintId()) with an async await getFingerprintId() call inside fetchLoginUrlAndOpenBrowser; stores result in login-store before mutating
cli/src/init/init-app.ts	Fires void getFingerprintId() during app init to warm the hardware fingerprint before the user hits Enter on the login prompt
cli/src/login/plain-login.ts	Swaps generateFingerprintId() for await getFingerprintId() so plain-text login also uses the hardware fingerprint
cli/src/login/utils.ts	Deletes the Math.random()-based generateFingerprintId() duplicate; remaining helpers are unaffected
cli/src/components/login-modal-utils.ts	Deleted — contained another Math.random() duplicate of generateFingerprintId and an unreferenced parseLogoLines; removal is clean
cli/package.json	Adds node-machine-id ^1.1.12 as an explicit direct dependency; previously only transitive

Sequence Diagram

sequenceDiagram
    participant App as initializeApp
    participant FP as fingerprint.ts
    participant Modal as LoginModal
    participant Store as login-store
    participant Poll as useLoginPolling
    participant API as Login API

    App->>FP: void getFingerprintId() [pre-warm]
    Note over FP: starts calculateFingerprint() promise,<br/>caches it in cachedFingerprintPromise

    Note over Modal: user presses Enter
    Modal->>FP: await getFingerprintId()
    FP-->>Modal: "enhanced-<hash>" (or legacy fallback)
    Modal->>Store: setFingerprintId(id)
    Modal->>API: fetchLoginUrlMutation.mutate(id)
    API-->>Modal: { loginUrl, fingerprintHash, expiresAt }
    Modal->>Store: setFingerprintHash / setExpiresAt / setLoginUrl

    Poll->>Store: reads fingerprintId, fingerprintHash
    Note over Poll: guard: all 4 values non-null?
    Poll->>API: pollLoginStatus({ fingerprintId, fingerprintHash, ... })
    API-->>Poll: { status: "success", user }
    Poll->>Modal: onSuccess(user)

Loading

_{Reviews (1): Last reviewed commit: "Wire hardware-based CLI fingerprint into..." | Re-trigger Greptile}