---
id: TASK-55
title: >-
  Wire up account settings endpoints (email verification, device registration,
  guardians)
status: Done
assignee:
  - '@claude'
created_date: '2026-02-25 22:59'
labels:
  - identity
  - backend
  - encryptid
dependencies: []
references:
  - src/encryptid/server.ts
  - src/encryptid/db.ts
  - shared/components/rstack-identity.ts
priority: high
---

## Description

Add server-side endpoints for the three account settings features and wire up the client modals to use them. Email verification uses SMTP with 6-digit codes. Device registration uses WebAuthn for same-device passkey addition. Social recovery uses the existing guardian API.

## Acceptance Criteria

- [ ] #1 POST /api/account/email/start sends 6-digit code via SMTP
- [ ] #2 POST /api/account/email/verify validates code and sets email on account
- [ ] #3 POST /api/account/device/start returns WebAuthn creation options for authenticated user
- [ ] #4 POST /api/account/device/complete stores new credential under existing account
- [ ] #5 Social recovery modal loads guardians from GET /api/guardians on open
- [ ] #6 Adding guardian calls POST /api/guardians with name + optional email
- [ ] #7 Removing guardian calls DELETE /api/guardians/:id
- [ ] #8 StoredChallenge.type includes device_registration
- [ ] #9 StoredRecoveryToken.type includes email_verification

## Final Summary

Implemented in commit 914d0e6. Added 4 new server endpoints under /api/account/ namespace. Email verification sends styled HTML email with 6-digit code via Mailcow SMTP, stores as recovery token. Device registration reuses existing challenge/credential infrastructure with new device_registration type. Client social recovery modal rewritten to use existing guardian API (add/remove individual guardians, load on open, show status). DB types extended for new token/challenge types.