Fix USB policy token hash bug

The getPendingUsbPolicy and reportUsbPolicyStatus functions were
comparing the plain token against the tokenHash in the database,
which would never match. Now properly hashing the token before
database lookup.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

convex/usbPolicy.ts

@@ -1,9 +1,20 @@
 import { v } from "convex/values"
 import { mutation, query } from "./_generated/server"
 import type { Id, Doc } from "./_generated/dataModel"
+import { sha256 } from "@noble/hashes/sha256"
 
 const DEFAULT_TENANT_ID = "default"
 
+function toHex(input: Uint8Array) {
+  return Array.from(input)
+    .map((b) => b.toString(16).padStart(2, "0"))
+    .join("")
+}
+
+function hashToken(token: string) {
+  return toHex(sha256(token))
+}
+
 export const USB_POLICY_VALUES = ["ALLOW", "BLOCK_ALL", "READONLY"] as const
 export type UsbPolicyValue = (typeof USB_POLICY_VALUES)[number]
 
@@ -63,7 +74,7 @@ export const reportUsbPolicyStatus = mutation({
     currentPolicy: v.optional(v.string()),
   },
   handler: async (ctx, args) => {
-    const tokenHash = args.machineToken
+    const tokenHash = hashToken(args.machineToken)
 
     const tokenRecord = await ctx.db
       .query("machineTokens")
@@ -139,7 +150,7 @@ export const getPendingUsbPolicy = query({
     machineToken: v.string(),
   },
   handler: async (ctx, args) => {
-    const tokenHash = args.machineToken
+    const tokenHash = hashToken(args.machineToken)
 
     const tokenRecord = await ctx.db
       .query("machineTokens")