vigilar/events/state.py

@@ -5,7 +5,7 @@ import time
 
 from sqlalchemy.engine import Engine
 
-from vigilar.alerts.pin import verify_pin as _verify_pin_hash
+from vigilar.alerts.pin import verify_pin
 from vigilar.config import VigilarConfig
 from vigilar.constants import ArmState, EventType, Severity, Topics
 from vigilar.storage.queries import get_current_arm_state, insert_arm_state, insert_event
@@ -46,7 +46,7 @@ class ArmStateFSM:
         if not self._pin_hash:
             # No PIN configured — allow all transitions
             return True
-        return _verify_pin_hash(pin, self._pin_hash)
+        return verify_pin(pin, self._pin_hash)
 
     def transition(
         self,
@@ -66,7 +66,9 @@ class ArmStateFSM:
         old_state = self._state
         self._state = new_state
 
-        # Log to database (pin_hash column is no longer populated — see #2)
+        # pin_hash is always None here: PBKDF2 uses a random salt per call, so
+        # re-hashing the pin now would produce a value unrelated to the stored
+        # hash, making the column useless for audit correlation. See issue #2.
         insert_arm_state(self._engine, new_state.value, triggered_by, None)
 
         # Log event