fix: deactivate command now removes device server-side

Previously `gitmem-mcp deactivate` only cleared local credentials but left the
device registered in gitmem_license_activations, consuming a device slot
permanently. Now it calls the new gitmem_deactivate_device RPC to free the slot
before clearing local config.

- Add gitmem_deactivate_device() SECURITY DEFINER RPC to schema
- Update deactivate.ts to call RPC with api_key + install_id
- Graceful fallback: local cleanup still happens if server call fails
- Tested full cycle: activate → deactivate → re-activate in Docker clean room

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: 2 people

schema/setup.sql

@@ -414,3 +414,42 @@ BEGIN
   RETURN QUERY SELECT v_tier, true, 'Valid'::TEXT;
 END;
 $$;
+
+-- ============================================================================
+-- Device Deactivation RPC
+-- Removes a device activation for a license key + install_id pair.
+-- Called by `gitmem-mcp deactivate` to free up a device slot.
+-- ============================================================================
+CREATE OR REPLACE FUNCTION gitmem_deactivate_device(p_api_key TEXT, p_install_id TEXT)
+RETURNS TABLE(success BOOLEAN, message TEXT)
+LANGUAGE plpgsql
+SECURITY DEFINER
+AS $$
+DECLARE
+  v_license_id UUID;
+  v_deleted INTEGER;
+BEGIN
+  -- Look up the license
+  SELECT l.id INTO v_license_id
+  FROM gitmem_licenses l
+  WHERE l.api_key = p_api_key;
+
+  IF v_license_id IS NULL THEN
+    RETURN QUERY SELECT false, 'Invalid license key'::TEXT;
+    RETURN;
+  END IF;
+
+  -- Delete the activation for this install_id
+  DELETE FROM gitmem_license_activations a
+  WHERE a.license_id = v_license_id
+    AND a.install_id = p_install_id;
+
+  GET DIAGNOSTICS v_deleted = ROW_COUNT;
+
+  IF v_deleted > 0 THEN
+    RETURN QUERY SELECT true, 'Device deactivated'::TEXT;
+  ELSE
+    RETURN QUERY SELECT true, 'Device was not registered (already deactivated)'::TEXT;
+  END IF;
+END;
+$$;

src/commands/deactivate.ts

@@ -1,15 +1,60 @@
 /**
  * GitMem Pro Deactivation
  *
- * Removes api_key, supabase_url, supabase_key, openrouter_key from config.json.
- * Deletes license-cache.json.
+ * 1. Calls gitmem_deactivate_device RPC to remove this device server-side
+ * 2. Removes api_key, supabase_url, supabase_key, openrouter_key from config.json
+ * 3. Deletes license-cache.json
  * Does NOT remove .gitmem/ directory or local data.
  */
 
 import * as fs from "fs";
 import * as path from "path";
-import { getGitmemDir } from "../services/gitmem-dir.js";
-import { clearLicenseCache } from "../services/license.js";
+import { getGitmemDir, getInstallId } from "../services/gitmem-dir.js";
+import {
+  clearLicenseCache,
+  getLicenseKey,
+  getValidationUrl,
+} from "../services/license.js";
+
+// Same infra endpoint as validation — just different RPC
+const DEACTIVATION_URL =
+  getValidationUrl().replace("gitmem_validate_license", "gitmem_deactivate_device");
+const VALIDATION_ANON_KEY =
+  "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImNqcHR4eWV6dXhkaWludWZncnJtIiwicm9sZSI6ImFub24iLCJpYXQiOjE3NjYxODY3MDMsImV4cCI6MjA4MTc2MjcwM30.L0oZy3LYCMikmZ15IUU5DnfJmucM37DJ14nUkM3AreY";
+
+async function deactivateDeviceRemote(
+  apiKey: string,
+  installId: string,
+): Promise<{ success: boolean; message: string }> {
+  try {
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), 10000);
+
+    const response = await fetch(DEACTIVATION_URL, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        apikey: VALIDATION_ANON_KEY,
+        Authorization: `Bearer ${VALIDATION_ANON_KEY}`,
+      },
+      body: JSON.stringify({ p_api_key: apiKey, p_install_id: installId }),
+      signal: controller.signal,
+    });
+
+    clearTimeout(timeout);
+
+    if (!response.ok) {
+      return { success: false, message: `HTTP ${response.status}` };
+    }
+
+    const rows = (await response.json()) as { success: boolean; message: string }[];
+    const data = Array.isArray(rows) ? rows[0] : rows;
+    return data || { success: false, message: "Empty response" };
+  } catch (err: unknown) {
+    const message = err instanceof Error ? err.message : "Unknown error";
+    return { success: false, message: `Network error: ${message}` };
+  }
+}
 
 export async function main(_args: string[]): Promise<void> {
   const gitmemDir = getGitmemDir();
@@ -28,9 +73,22 @@ export async function main(_args: string[]): Promise<void> {
     process.exit(1);
   }
 
-  const hadKey = !!config.api_key;
+  const apiKey = getLicenseKey();
+  const installId = getInstallId();
+  const hadKey = !!apiKey;
+
+  // Step 1: Remove device server-side (if we have both key and install_id)
+  if (apiKey && installId) {
+    const result = await deactivateDeviceRemote(apiKey, installId);
+    if (result.success) {
+      console.log(`  ✓ ${result.message}`);
+    } else {
+      console.log(`  ⚠ Server deactivation failed: ${result.message}`);
+      console.log("    Local credentials will still be removed.");
+    }
+  }
 
-  // Remove Pro credentials
+  // Step 2: Remove Pro credentials from config
   delete config.api_key;
   delete config.supabase_url;
   delete config.supabase_key;
@@ -39,11 +97,12 @@ export async function main(_args: string[]): Promise<void> {
   // Write back config (preserving project, install_id, feedback_enabled)
   fs.writeFileSync(configPath, JSON.stringify(config, null, 2));
 
-  // Clear license cache
+  // Step 3: Clear license cache
   clearLicenseCache();
 
   if (hadKey) {
-    console.log("Pro tier deactivated.");
+    console.log("\nPro tier deactivated.");
+    console.log("  - Device removed from license server");
     console.log("  - License key removed from config.json");
     console.log("  - Supabase and OpenRouter credentials removed");
     console.log("  - License cache cleared");