Well, I have some good news. The lock's documentation says that you can't connect it to a zwave hub until after you've set it up using their app, which exposes you to their bad security practices. Fortunately, that's not true. I suspected that might be the case, as I would think that the z-wave alliance would insist on it for certification.
I was able to successfully set mine up with fingerprints and codes, and no app/cloud functionality, by following their directions to enter "standalone mode", and then using the smartstart QR code to pair. There are also some directions on the zwave alliance product page that show you how to enter pairing mode. Something about holding down the number 5.
So far I've only poked around with the lock by sending and monitoring various zwave commands, but what I've seen so far is a little weird.
For each user code I request from the lock, it returns a user code report (good) which, for numeric codes, contains the actual code (good), and for fingerprints contains some set of bytes that is the same for all fingerprints (uhh...). Worse, the status is always returned as 00 (available) for both the code slots that are occupied and the ones that are unused.
I thought that testing these sorts of things was what the zwave alliance was for, to guarantee that products actually operate according to the spec so that they can be compatible with each other.
The good news is that open/close commands seem to work, and return a mostly-spec-compliant DoorOperationReport message. The door sensor is not exposed via zwave at all, so I didn't even bother to install it.
Maybe they'll fix some of these issues with a firmware update (the device advertises it supports the firmware update command class), but I'm not holding my breath.
So far I haven't tried to make any changes via zwave, other than sending open/close commands. I don't know if I can delete codes/fingerprints, or add codes via zwave.
At least now it's not reliant on their cloud, which I've poked enough to know that I don't trust it. For instance, when I invited my wife via the app by adding her email address, they sent her an email that just said "download the app and create an account using this email address". No verification code to enter, and the account creation process doesn't validate your email either. It does validate your phone number, so I don't understand why they wouldn't use that for sharing access...
What this means is that somehow, when the lock is in its app-controlled mode, their cloud contains cryptographic material that can allow a newly created user to unlock my door.
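
An added example, not part of the original post: a Python audit of User Code Reports that flags the inconsistencies described above (status 00 on slots that hold a credential, the same bytes returned for every fingerprint). The frames are constructed, the fingerprint bytes are placeholders, and the code assumes an unused slot reports an all-zero code; the 4 to 10 ASCII digit rule comes from the User Code command class.

```python
from collections import Counter

CC_USER_CODE, USER_CODE_REPORT = 0x63, 0x03  # command class id / command id
STATUS_AVAILABLE = 0x00                      # "slot not set"

# Constructed sample frames: class, command, slot, status, then the code bytes.
SAMPLE_FRAMES = [
    bytes([0x63, 0x03, 1, 0x00]) + b"1234",                    # numeric code
    bytes([0x63, 0x03, 2, 0x00]) + bytes.fromhex("a1a2a3a4"),  # fingerprint (placeholder bytes)
    bytes([0x63, 0x03, 3, 0x00]) + bytes.fromhex("a1a2a3a4"),  # another fingerprint, same bytes
    bytes([0x63, 0x03, 4, 0x00]) + bytes(4),                   # assumed shape of an unused slot
]


def parse_report(frame: bytes) -> dict:
    """Split a raw User Code Report into slot, status and code bytes."""
    if len(frame) < 4 or frame[0] != CC_USER_CODE or frame[1] != USER_CODE_REPORT:
        raise ValueError("not a User Code Report")
    return {"slot": frame[2], "status": frame[3], "code": bytes(frame[4:])}


def audit(frames):
    """Return (slot, finding) pairs for reports whose fields disagree."""
    reports = [parse_report(f) for f in frames]
    # A non-empty payload repeated across slots cannot identify one credential.
    seen = Counter(r["code"] for r in reports if any(r["code"]))
    findings = []
    for r in reports:
        code, has_data = r["code"], any(r["code"])
        if r["status"] == STATUS_AVAILABLE and has_data:
            findings.append((r["slot"], "status says available but a code is present"))
        if has_data and not (code.isdigit() and 4 <= len(code) <= 10):
            findings.append((r["slot"], "code is not 4-10 ASCII digits"))
        if has_data and seen[code] > 1:
            findings.append((r["slot"], "payload shared with another slot"))
    return findings


def occupied_slots(frames):
    """Infer occupancy from the payload, since the status byte is unreliable here."""
    return [r["slot"] for r in map(parse_report, frames) if any(r["code"])]


if __name__ == "__main__":
    for slot, finding in audit(SAMPLE_FRAMES):
        print(f"slot {slot}: {finding}")
    print("slots holding a credential:", occupied_slots(SAMPLE_FRAMES))
```
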