@lambda-kata/licensing 0.1.0

package/LICENSE

@@ -0,0 +1,100 @@
+Elastic License 2.0
+
+URL: https://www.elastic.co/licensing/elastic-license
+
+Licensed Work: Work Target Insight Function (Work TIF Platform, including all associated components)
+Licensor: Raman Marozau <raman@worktif.com>
+
+## Acceptance
+
+By using the software, you agree to all of the terms and conditions below.
+
+## Copyright License
+
+The licensor grants you a non-exclusive, royalty-free, worldwide,
+non-sublicensable, non-transferable license to use, copy, distribute, make
+available, and prepare derivative works of the software, in each case subject to
+the limitations and conditions below.
+
+## Limitations
+
+You may not provide the software to third parties as a hosted or managed
+service, where the service provides users with access to any substantial set of
+the features or functionality of the software.
+
+You may not move, change, disable, or circumvent the license key functionality
+in the software, and you may not remove or obscure any functionality in the
+software that is protected by the license key.
+
+You may not alter, remove, or obscure any licensing, copyright, or other notices
+of the licensor in the software. Any use of the licensor’s trademarks is subject
+to applicable law.
+
+## Patents
+
+The licensor grants you a license, under any patent claims the licensor can
+license, or becomes able to license, to make, have made, use, sell, offer for
+sale, import and have imported the software, in each case subject to the
+limitations and conditions in this license. This license does not cover any
+patent claims that you cause to be infringed by modifications or additions to
+the software. If you or your company make any written claim that the software
+infringes or contributes to infringement of any patent, your patent license for
+the software granted under these terms ends immediately. If your company makes
+such a claim, your patent license ends immediately for work on behalf of your
+company.
+
+## Notices
+
+You must ensure that anyone who gets a copy of any part of the software from you
+also gets a copy of these terms.
+
+If you modify the software, you must include in any modified copies of the
+software prominent notices stating that you have modified the software.
+
+## No Other Rights
+
+These terms do not imply any licenses other than those expressly granted in
+these terms.
+
+## Termination
+
+If you use the software in violation of these terms, such use is not licensed,
+and your licenses will automatically terminate. If the licensor provides you
+with a notice of your violation, and you cease all violation of this license no
+later than 30 days after you receive that notice, your licenses will be
+reinstated retroactively. However, if you violate these terms after such
+reinstatement, any additional violation of these terms will cause your licenses
+to terminate automatically and permanently.
+
+## No Liability
+
+*As far as the law allows, the software comes as is, without any warranty or
+condition, and the licensor will not be liable to you for any damages arising
+out of these terms or the use or nature of the software, under any kind of
+legal claim.*
+
+## Definitions
+
+The **licensor** is the entity offering these terms, and the **software** is the
+software the licensor makes available under these terms, including any portion
+of it.
+
+**you** refers to the individual or entity agreeing to these terms.
+
+**your company** is any legal entity, sole proprietorship, or other kind of
+organization that you work for, plus all organizations that have control over,
+are under the control of, or are under common control with that
+organization. **control** means ownership of substantially all the assets of an
+entity, or the power to direct its management and policies by vote, contract, or
+otherwise. Control can be direct or indirect.
+
+**your licenses** are all the licenses granted to you for the software under
+these terms.
+
+**use** means anything you do with the software requiring one of your licenses.
+
+**trademark** means trademarks, service marks, and similar rights.
+
+Additional Notices:
+For attribution notices and full license texts of included third-party dependencies,
+see THIRD_PARTY_LICENSES.txt.

package/README.md

@@ -0,0 +1,315 @@
+# Lambda Kata Licensing
+
+A tamper-resistant native licensing validator for the Lambda Kata SST Integration workspace. This package provides enhanced security through a native C implementation that replaces the existing TypeScript-based licensing validation.
+
+## Features
+
+- **Tamper-Resistant**: Native C implementation prevents JavaScript-based tampering
+- **Fail-Closed Security**: All error conditions result in denying access
+- **Hardened Network**: Compile-time hardcoded endpoints with strict TLS validation
+- **AWS Lambda Compatible**: Optimized for Amazon Linux 2023 (x64 and arm64)
+- **Drop-in Replacement**: Compatible with existing `LicensingService` interface
+
+## Installation
+
+```bash
+npm install @lambda-kata/licensing
+```
+
+## Usage
+
+### Basic Usage
+
+```typescript
+import { NativeLicensingService } from '@lambda-kata/licensing';
+
+const service = new NativeLicensingService();
+const result = await service.checkEntitlement('123456789012');
+
+if (result.entitled) {
+  console.log(`Layer ARN: ${result.layerArn}`);
+} else {
+  console.log(`Not entitled: ${result.message}`);
+}
+```
+
+### Factory Function
+
+```typescript
+import { createLicensingService } from '@lambda-kata/licensing';
+
+const service = createLicensingService();
+const result = await service.checkEntitlement('123456789012');
+```
+
+### Integration with SST Packages
+
+The native validator is designed to be a drop-in replacement for the existing HTTP-based licensing service:
+
+```typescript
+// Before (HTTP-based)
+import { HttpLicensingService } from '@lambda-kata/sst-v2';
+
+// After (Native-based)
+import { NativeLicensingService } from '@lambda-kata/licensing';
+
+// Same interface, enhanced security
+const service = new NativeLicensingService();
+```
+
+## Security Features
+
+### Fail-Closed Architecture
+
+The validator implements a fail-closed security model where any error condition results in denying access:
+
+- Network timeouts or connection failures
+- TLS certificate validation failures
+- Invalid response formats
+- Native addon loading failures
+- Invalid input parameters
+
+### Hardened Network Communication
+
+- **Compile-time endpoints**: Network destinations cannot be modified at runtime
+- **No proxy support**: Ignores proxy environment variables
+- **Strict TLS**: Requires TLS 1.2+ with certificate validation
+- **No redirects**: HTTP redirects are completely disabled
+- **Response authenticity**: Verifies response signatures or certificate pinning
+
+### Minimal Attack Surface
+
+- **Single function interface**: Only `checkEntitlement(accountId: string)` is exposed
+- **Input validation**: Account ID format validated in both JavaScript and native code
+- **No configuration**: All security settings are compile-time constants
+
+## Building
+
+### Prerequisites
+
+- Node.js 18+ with npm/yarn
+- C compiler (gcc/clang)
+- libcurl development headers
+- OpenSSL development headers
+- json-c development headers (Linux only)
+
+### Local Development Build
+
+```bash
+# Install dependencies
+yarn install
+
+# Build native addon
+yarn build:native
+
+# Build TypeScript
+yarn build:ts
+
+# Build everything
+yarn build
+```
+
+### Docker-based Build (Recommended for Lambda)
+
+```bash
+# Build for all architectures
+./scripts/build-docker.sh
+
+# Build for specific architecture
+./scripts/build-docker.sh x64
+./scripts/build-docker.sh arm64
+```
+
+The Docker build produces Lambda Layer packages ready for deployment.
+
+## Testing
+
+```bash
+# Run all tests
+yarn test
+
+# Run tests with coverage
+yarn test:coverage
+
+# Run tests in watch mode
+yarn test:watch
+```
+
+### Test Categories
+
+- **Unit Tests**: Specific examples and edge cases
+- **Property-Based Tests**: Universal properties using fast-check
+- **Integration Tests**: End-to-end validation with mock servers
+- **Security Tests**: Tampering resistance and fail-closed behavior
+
+## API Reference
+
+### NativeLicensingService
+
+#### `checkEntitlement(accountId: string): Promise<LicensingResponse>`
+
+Validates licensing entitlement for an AWS account.
+
+**Parameters:**
+- `accountId` - 12-digit AWS account ID string
+
+**Returns:**
+- `Promise<LicensingResponse>` - Licensing validation result
+
+**Example:**
+```typescript
+const result = await service.checkEntitlement('123456789012');
+```
+
+### LicensingResponse
+
+```typescript
+interface LicensingResponse {
+  entitled: boolean;           // Entitlement status
+  layerArn?: string;          // Customer Lambda Layer ARN (if entitled)
+  message?: string;           // Human-readable status message
+  expiresAt?: string;         // ISO 8601 expiration timestamp
+}
+```
+
+## Error Handling
+
+The validator never throws exceptions. All errors result in a fail-closed response:
+
+```typescript
+{
+  entitled: false,
+  message: "Error description"
+}
+```
+
+Common error messages:
+- `"Invalid account ID format"` - Account ID is not a 12-digit string
+- `"Native validator unavailable"` - Native addon failed to load
+- `"Network error"` - Network communication failed
+- `"Security error"` - TLS or authenticity verification failed
+- `"System error"` - Unexpected system error
+
+## Performance
+
+- **Validation time**: < 5 seconds under normal conditions
+- **Memory usage**: < 1MB heap usage
+- **Addon loading**: < 100ms in Lambda environment
+- **Caching**: 5-minute TTL for successful responses
+- **Connection reuse**: HTTP connections are pooled and reused
+
+## Deployment
+
+### Lambda Layer
+
+The package includes pre-built Lambda Layer packages for both x64 and arm64 architectures:
+
+```bash
+# Extract from build artifacts
+unzip build/native-licensing-validator-amd64.zip -d layer/
+```
+
+Layer structure:
+```
+nodejs/
+└── node_modules/
+    └── @lambda-kata/
+        └── native-licensing-validator/
+            ├── build/Release/lambda_kata_licensing.node
+            ├── out/dist/index.js
+            └── package.json
+```
+
+### npm Package
+
+The package includes prebuilt binaries for supported platforms:
+
+```json
+{
+  "binary": {
+    "napi_versions": [8, 9]
+  }
+}
+```
+
+## Documentation
+
+Comprehensive documentation is available in the [docs/](./docs/) directory:
+
+### Quick Links
+- **[API Reference](./docs/API.md)** - Complete API documentation and usage examples
+- **[Build Instructions](./docs/BUILD.md)** - Build procedures for all architectures
+- **[Deployment Guide](./docs/DEPLOYMENT.md)** - Lambda Layer deployment procedures
+- **[Migration Guide](./docs/MIGRATION.md)** - Migration from TypeScript implementation
+- **[Troubleshooting](./docs/TROUBLESHOOTING.md)** - Common issues and solutions
+- **[Security Model](./docs/SECURITY.md)** - Threat model and security considerations
+- **[Performance Benchmarks](./docs/PERFORMANCE.md)** - Performance analysis and optimization
+
+### Documentation Overview
+
+| Document | Purpose | Audience |
+|----------|---------|----------|
+| [API Reference](./docs/API.md) | Complete API documentation | Developers |
+| [Build Instructions](./docs/BUILD.md) | Build procedures and requirements | Build Engineers |
+| [Deployment Guide](./docs/DEPLOYMENT.md) | Lambda Layer deployment | DevOps Engineers |
+| [Migration Guide](./docs/MIGRATION.md) | TypeScript to Native migration | Developers |
+| [Troubleshooting](./docs/TROUBLESHOOTING.md) | Issue diagnosis and resolution | All Users |
+| [Security Model](./docs/SECURITY.md) | Security architecture and threats | Security Teams |
+| [Performance](./docs/PERFORMANCE.md) | Benchmarks and optimization | Performance Engineers |
+
+## Quick Troubleshooting
+
+### Common Issues
+
+**Native Addon Loading Fails**:
+```typescript
+// Check if addon loaded successfully
+const service = new NativeLicensingService();
+const result = await service.checkEntitlement('123456789012');
+
+if (result.message === 'Native validator unavailable') {
+  console.warn('Native addon not available, using fail-closed fallback');
+}
+```
+
+**Build Issues**:
+- Missing dependencies → Install libcurl-devel, openssl-devel
+- Architecture mismatch → Use Docker build for Lambda compatibility  
+- Node.js version → Ensure Node.js 18+ is installed
+
+**For detailed troubleshooting**, see [Troubleshooting Guide](./docs/TROUBLESHOOTING.md).
+
+## Security Overview
+
+The validator implements defense-in-depth security:
+
+- **Tamper Resistance**: Core logic in compiled native code
+- **Network Security**: Hardcoded endpoints, strict TLS, certificate pinning
+- **Fail-Closed Design**: All errors result in denial of access
+- **Environment Isolation**: Ignores proxy and environment variables
+
+**For complete security analysis**, see [Security Considerations](./docs/SECURITY.md).
+
+## License
+
+MIT License - see [LICENSE](LICENSE) file for details.
+
+## Contributing
+
+1. Fork the repository
+2. Create a feature branch
+3. Make changes with tests
+4. Run the full test suite
+5. Submit a pull request
+
+All contributions must maintain the security properties and fail-closed behavior of the validator.
+
+## Support
+
+For issues and questions:
+
+1. Check the [troubleshooting guide](#troubleshooting)
+2. Review existing [GitHub issues](https://github.com/lambda-kata/licensing/issues)
+3. Create a new issue with detailed reproduction steps
+
+Security issues should be reported privately to the maintainers.

package/out/dist/index.js

@@ -0,0 +1 @@
+"use strict";var a=Object.defineProperty;var h=Object.getOwnPropertyDescriptor;var u=Object.getOwnPropertyNames;var v=Object.prototype.hasOwnProperty;var c=(i,t)=>()=>(i&&(t=i(i=0)),t);var f=(i,t)=>{for(var e in t)a(i,e,{get:t[e],enumerable:!0})},m=(i,t,e,r)=>{if(t&&typeof t=="object"||typeof t=="function")for(let s of u(t))!v.call(i,s)&&s!==e&&a(i,s,{get:()=>t[s],enumerable:!(r=h(t,s))||r.enumerable});return i};var d=i=>m(a({},"__esModule",{value:!0}),i);function l(){let i=n.y();i.M(),i.L();let t=i.h();console.T(`[PERF] Optimizations applied - Loading: ${t.v}ms, Memory: ${Math._(t.o/1024)}KB`)}var n,p=c(()=>{"use strict";n=class i{static m=null;e;j;d;constructor(){this.j=Date.u(),this.d=process.o().I,this.e={o:0,v:0,g:0,f:0}}static y(){return i.m||(i.m=new i),i.m}M(){global.b&&global.b(),this.V(),this.C(),this.J()}L(){let t=Date.u();this.Q(),this.W(),this.X(),this.Y();let e=Date.u();this.e.v=e-t,this.e.v>100&&console.O(`[PERF] Startup time ${this.e.v}ms exceeds 100ms target`)}h(){let t=process.o().I;return this.e.o=t-this.d,{...this.e}}x(){this.e.g++}r(t){this.e.g=Math.ut(0,this.e.g-1);let e=.1;this.e.f=e*(t?1:0)+(1-e)*this.e.f}V(){process.a.D==="production"&&(process.a.R=process.a.R||"",["--optimize-for-size","--max-old-space-size=64","--gc-interval=100","--expose-gc"].Z(e=>{process.a.R.vt(e)||(process.a.R+=` ${e}`)}))}C(){let t=["Invalid account ID format","Native validator unavailable","System error","Network error","Security error","Memory allocation error"],e=new Map;t.Z(r=>{e.ft(r,r)})}J(){if(process.a.D==="test"||process.a.mt)return;let t=setInterval(()=>{let r=process.o().I-this.d;r>800*1024&&(console.O(`[PERF] Memory usage ${Math._(r/1024)}KB approaching 1MB limit`),global.b&&global.b()),this.e.o=r},3e4);process.dt("exit",()=>{clearInterval(t)})}Q(){let t=/^\d{12}$/;global.k={N:t}}W(){let t=[];for(let e=0;e<5;e++)t.tt({i:!1,s:null,F:null,U:null});global.et={it:t,gt:0}}X(){let t=[];for(let e=0;e<16;e++)t.tt("");global.yt=t}Y(){(global.k?.N||/^\d{12}$/).A("123456789012");let r=global.et;if(r){let s=r.it[0];s.i=!1}process.o()}}});var b={};f(b,{NativeLicensingService:()=>o,createLicensingService:()=>y,default:()=>g});module.exports=d(b);function y(){return new o}var o,g,x=c(()=>{p();l();o=class{p=null;c=!1;t;constructor(){this.t=n.y()}async S(t){this.t.x();try{if(!this.B(t))return this.l("Invalid account ID format provided",{nt:typeof t=="string"?t.H:"not-string",ot:typeof t}),this.t.r(!1),{i:!1,s:"Invalid account ID format"};if(this.c||this.K(),!this.p)return this.l("Native validator unavailable",{c:this.c}),this.t.r(!1),{i:!1,s:"Native validator unavailable"};let e=await this.p.S(t);this.w("Validation completed",{i:e.i,at:!!e.F,ct:!!e.s,lt:!!e.U});let s=this.t.h().f>.3;return this.t.r(s),e}catch(e){return this.l("Unexpected error during validation",{q:e instanceof Error?e.constructor.E:typeof e,G:this.z(e)}),this.t.r(!1),{i:!1,s:"System error"}}}pt(t){this.t.x();try{if(!this.B(t))return this.l("Invalid account ID format provided (sync)",{nt:typeof t=="string"?t.H:"not-string",ot:typeof t}),this.t.r(!1),{i:!1,s:"Invalid account ID format"};if(this.c||this.K(),!this.p)return this.l("Native validator unavailable (sync)",{c:this.c}),this.t.r(!1),{i:!1,s:"Native validator unavailable"};let e=this.p.pt(t);return this.w("Sync validation completed",{i:e.i,at:!!e.F,ct:!!e.s,lt:!!e.U}),this.t.r(!0),e}catch(e){return this.l("Unexpected error during sync validation",{q:e instanceof Error?e.constructor.E:typeof e,G:this.z(e)}),this.t.r(!1),{i:!1,s:"System error"}}}st(){return this.t.h()}B(t){return typeof t!="string"||t.H!==12?!1:/^\d{12}$/.A(t)}K(){this.c=!0;try{this.p=require("../build/Release/lambda_kata_licensing.node"),this.w("Native addon loaded successfully",{})}catch(t){this.l("Failed to load native licensing validator",{q:t instanceof Error?t.constructor.E:typeof t,G:this.z(t)}),this.p=null}}$(){return process.a.D==="production"}z(t){return this.$()?t instanceof Error?`${t.constructor.E} occurred`:"Unknown error occurred":t instanceof Error?t.s:typeof t=="string"?t:String(t)}w(t,e){this.$()?console.T(`[INFO] native-licensing-validator: ${t}`):console.T(`[INFO] native-licensing-validator: ${t}`,e)}l(t,e){this.$()?console.ht("[ERROR] native-licensing-validator: System error occurred"):console.ht(`[ERROR] native-licensing-validator: ${t}`,e)}},g=o});x();0&&(module.exports={NativeLicensingService,createLicensingService});

package/out/tsc/index.d.ts

@@ -0,0 +1,218 @@
+/**
+ * @fileoverview Native Licensing Validator
+ *
+ * This module provides a tamper - resistant native licensing validator
+ * for the Lambda Kata SST Integration workspace.It implements the
+ * existing LicensingService interface while providing enhanced security
+ * through native C implementation.
+ *
+ * @example
+ * ```typescript
+ * import { NativeLicensingService } from '@lambda-kata/licensing';
+ *
+ * const service = new NativeLicensingService();
+ * const result = await service.checkEntitlement('123456789012');
+ * console.log(result.entitled); // true or false
+ * ```
+ */
+/**
+ * @interface LicensingResponse
+ *
+ * Response format for licensing validation checks.
+ * Compatible with existing HttpLicensingService interface.
+ */
+export interface LicensingResponse {
+    /** Whether the account is entitled to use Lambda Kata */
+    entitled: boolean;
+    /** Customer-specific Lambda Layer ARN (if entitled) */
+    layerArn?: string;
+    /** Human-readable status message */
+    message?: string;
+    /** ISO 8601 expiration timestamp (if applicable) */
+    expiresAt?: string;
+}
+/**
+ * @interface LicensingService
+ *
+ * Interface for licensing validation services.
+ * Maintains compatibility with existing SST integration packages.
+ */
+export interface LicensingService {
+    /**
+     * Check entitlement for an AWS account (async)
+     *
+     * @param accountId - 12-digit AWS account ID
+     * @returns Promise resolving to licensing response
+     */
+    checkEntitlement(accountId: string): Promise<LicensingResponse>;
+    /**
+     * Check entitlement for an AWS account (sync)
+     *
+     * WARNING: This method blocks the Node.js event loop.
+     * Use only when async operations are not possible (e.g., CDK synthesis).
+     *
+     * This method is optional for backward compatibility with existing
+     * implementations that only provide async validation.
+     *
+     * @param accountId - 12-digit AWS account ID
+     * @returns Licensing response (synchronous)
+     */
+    checkEntitlementSync?(accountId: string): LicensingResponse;
+}
+/**
+ * @class NativeLicensingService
+ *
+ * Tamper-resistant native licensing validator implementation.
+ *
+ * This class provides a secure implementation of the LicensingService
+ * interface using a native C addon. It implements fail-closed security
+ * where any error condition results in denying access.
+ *
+ * @remarks Validates: Requirements 6.1, 6.2, 6.3, 6.4, 6.5
+ *
+ * @example
+ * ```typescript
+ * const service = new NativeLicensingService();
+ *
+ * // Check entitlement for an account
+ * const result = await service.checkEntitlement('123456789012');
+ * if (result.entitled) {
+ *   console.log(`Layer ARN: ${result.layerArn}`);
+ * }
+ * ```
+ */
+export declare class NativeLicensingService implements LicensingService {
+    private addon;
+    private addonLoadAttempted;
+    private performanceOptimizer;
+    /**
+     * Create a new NativeLicensingService instance
+     *
+     * The native addon is loaded lazily on first use to avoid
+     * blocking the constructor if the addon is unavailable.
+     */
+    constructor();
+    /**
+     * Check entitlement for an AWS account
+     *
+     * This method validates the account ID format and delegates to the
+     * native addon for secure validation. If the addon is unavailable,
+     * it returns a fail-closed response.
+     *
+     * @param accountId - 12-digit AWS account ID string
+     * @returns Promise resolving to licensing response
+     *
+     * @throws Never throws - all errors result in fail-closed response
+     *
+     * @example
+     * ```typescript
+     * const service = new NativeLicensingService();
+     * const result = await service.checkEntitlement('123456789012');
+     * ```
+     */
+    checkEntitlement(accountId: string): Promise<LicensingResponse>;
+    /**
+     * Check entitlement for an AWS account SYNCHRONOUSLY
+     *
+     * WARNING: This method blocks the Node.js event loop.
+     * Use only when async operations are not possible (e.g., CDK synthesis).
+     *
+     * This method validates the account ID format and delegates to the
+     * native addon for secure validation. If the addon is unavailable,
+     * it returns a fail-closed response.
+     *
+     * @param accountId - 12-digit AWS account ID string
+     * @returns Licensing response (synchronous)
+     *
+     * @throws Never throws - all errors result in fail-closed response
+     *
+     * @example
+     * ```typescript
+     * const service = new NativeLicensingService();
+     * const result = service.checkEntitlementSync('123456789012');
+     * ```
+     */
+    checkEntitlementSync(accountId: string): LicensingResponse;
+    /**
+     * Get current performance metrics
+     *
+     * @returns Current performance metrics including memory usage and timing
+     */
+    getPerformanceMetrics(): import("./performance-optimizations").PerformanceMetrics;
+    /**
+     * Validate account ID format
+     *
+     * Checks that the account ID is a 12-digit string.
+     * This validation is performed in JavaScript for fail-fast behavior.
+     *
+     * @param accountId - Account ID to validate
+     * @returns True if valid format, false otherwise
+     *
+     * @private
+     */
+    private isValidAccountId;
+    /**
+     * Load the native addon
+     *
+     * Attempts to load the native addon module. If loading fails,
+     * the addon remains null and all requests will fail closed.
+     *
+     * @private
+     */
+    private loadAddon;
+    /**
+     * Check if running in production mode
+     *
+     * @returns True if production mode, false otherwise
+     * @private
+     */
+    private isProductionMode;
+    /**
+     * Sanitize error message for logging
+     *
+     * Removes potentially sensitive information from error messages
+     * in production mode.
+     *
+     * @param error - Error object or message
+     * @returns Sanitized error message
+     * @private
+     */
+    private sanitizeErrorMessage;
+    /**
+     * Log informational message
+     *
+     * @param message - Log message
+     * @param context - Additional context (will be sanitized)
+     * @private
+     */
+    private logInfo;
+    /**
+     * Log error message
+     *
+     * @param message - Error message
+     * @param context - Additional context (will be sanitized)
+     * @private
+     */
+    private logError;
+}
+/**
+ * Default export for convenience
+ */
+export default NativeLicensingService;
+/**
+ * Create a new NativeLicensingService instance
+ *
+ * Factory function for creating licensing service instances.
+ *
+ * @returns New NativeLicensingService instance
+ *
+ * @example
+ * ```typescript
+ * import { createLicensingService } from '@lambda-kata/licensing';
+ *
+ * const service = createLicensingService();
+ * const result = await service.checkEntitlement('123456789012');
+ * ```
+ */
+export declare function createLicensingService(): LicensingService;
+//# sourceMappingURL=index.d.ts.map

package/out/tsc/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAaA;;;;;;;;;;;;;;;;GAgBG;AAEH;;;;;GAKG;AACH,MAAM,WAAW,iBAAiB;IAChC,yDAAyD;IACzD,QAAQ,EAAE,OAAO,CAAC;IAClB,uDAAuD;IACvD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,oCAAoC;IACpC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,oDAAoD;IACpD,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;;;;GAKG;AACH,MAAM,WAAW,gBAAgB;IAC/B;;;;;OAKG;IACH,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;IAEhE;;;;;;;;;;;OAWG;IACH,oBAAoB,CAAC,CAAC,SAAS,EAAE,MAAM,GAAG,iBAAiB,CAAC;CAC7D;AAaD;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,qBAAa,sBAAuB,YAAW,gBAAgB;IAC7D,OAAO,CAAC,KAAK,CAA4B;IACzC,OAAO,CAAC,kBAAkB,CAAS;IACnC,OAAO,CAAC,oBAAoB,CAAuB;IAEnD;;;;;OAKG;;IAQH;;;;;;;;;;;;;;;;;OAiBG;IACG,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,CAAC;IAoErE;;;;;;;;;;;;;;;;;;;;OAoBG;IACH,oBAAoB,CAAC,SAAS,EAAE,MAAM,GAAG,iBAAiB;IAkE1D;;;;OAIG;IACH,qBAAqB;IAIrB;;;;;;;;;;OAUG;IACH,OAAO,CAAC,gBAAgB;IAaxB;;;;;;;OAOG;IACH,OAAO,CAAC,SAAS;IAqBjB;;;;;OAKG;IACH,OAAO,CAAC,gBAAgB;IAIxB;;;;;;;;;OASG;IACH,OAAO,CAAC,oBAAoB;IAsB5B;;;;;;OAMG;IACH,OAAO,CAAC,OAAO;IAUf;;;;;;OAMG;IACH,OAAO,CAAC,QAAQ;CASjB;AAED;;GAEG;AACH,eAAe,sBAAsB,CAAC;AAEtC;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,sBAAsB,IAAI,gBAAgB,CAEzD"}

package/out/tsc/performance-optimizations.d.ts

@@ -0,0 +1,164 @@
+/**
+ * @fileoverview Performance optimizations for native licensing validator
+ *
+ * This module implements memory usage and startup time optimizations
+ * to meet the performance requirements (< 1MB memory, 100ms addon loading).
+ *
+ * @remarks Validates: Requirements 10.2, 10.4
+ */
+/**
+ * @interface PerformanceMetrics
+ *
+ * Structure for tracking performance metrics during operation.
+ */
+export interface PerformanceMetrics {
+    /** Memory usage in bytes */
+    memoryUsage: number;
+    /** Addon loading time in milliseconds */
+    loadingTime: number;
+    /** Number of active requests */
+    activeRequests: number;
+    /** Cache hit rate (0-1) */
+    cacheHitRate: number;
+}
+/**
+ * @class PerformanceOptimizer
+ *
+ * Implements performance optimizations for the native licensing validator.
+ * Focuses on memory efficiency and fast startup times.
+ */
+export declare class PerformanceOptimizer {
+    private static instance;
+    private metrics;
+    private startupTime;
+    private memoryBaseline;
+    private constructor();
+    /**
+     * Get singleton instance of performance optimizer
+     *
+     * @returns PerformanceOptimizer instance
+     */
+    static getInstance(): PerformanceOptimizer;
+    /**
+     * Optimize memory usage by implementing lazy loading and resource pooling
+     *
+     * This method implements several memory optimization strategies:
+     * 1. Lazy addon loading to avoid upfront memory allocation
+     * 2. String interning for common messages
+     * 3. Memory pool for frequently allocated structures
+     * 4. Garbage collection hints for V8
+     */
+    optimizeMemoryUsage(): void;
+    /**
+     * Optimize startup time by preloading critical resources
+     *
+     * This method implements startup optimizations:
+     * 1. Precompile frequently used regular expressions
+     * 2. Pre-allocate small object pools
+     * 3. Initialize cache structures
+     * 4. Warm up critical code paths
+     */
+    optimizeStartupTime(): void;
+    /**
+     * Get current performance metrics
+     *
+     * @returns Current performance metrics
+     */
+    getMetrics(): PerformanceMetrics;
+    /**
+     * Track request start for performance monitoring
+     */
+    trackRequestStart(): void;
+    /**
+     * Track request end for performance monitoring
+     *
+     * @param cacheHit Whether this request was a cache hit
+     */
+    trackRequestEnd(cacheHit: boolean): void;
+    /**
+     * Configure V8 memory optimizations
+     *
+     * @private
+     */
+    private configureV8MemoryOptimizations;
+    /**
+     * Initialize string interning for common messages
+     *
+     * @private
+     */
+    private initializeStringInterning;
+    /**
+     * Setup memory monitoring
+     *
+     * @private
+     */
+    private setupMemoryMonitoring;
+    /**
+     * Precompile regex patterns for performance
+     *
+     * @private
+     */
+    private precompileRegexPatterns;
+    /**
+     * Initialize object pools for frequently allocated objects
+     *
+     * @private
+     */
+    private initializeObjectPools;
+    /**
+     * Initialize optimized cache settings
+     *
+     * @private
+     */
+    private initializeOptimizedCache;
+    /**
+     * Warm up critical code paths
+     *
+     * @private
+     */
+    private warmupCodePaths;
+}
+/**
+ * @class OptimizedNativeLicensingService
+ *
+ * Performance-optimized version of NativeLicensingService that implements
+ * memory and startup time optimizations.
+ */
+export declare class OptimizedNativeLicensingService {
+    private optimizer;
+    private baseService;
+    constructor();
+    /**
+     * Lazy load the base service to minimize startup time
+     *
+     * @private
+     */
+    private loadBaseService;
+    /**
+     * Optimized checkEntitlement method
+     *
+     * @param accountId Account ID to check
+     * @returns Promise resolving to licensing response
+     */
+    checkEntitlement(accountId: string): Promise<any>;
+    /**
+     * Get performance metrics
+     *
+     * @returns Current performance metrics
+     */
+    getPerformanceMetrics(): PerformanceMetrics;
+}
+/**
+ * Factory function for creating optimized licensing service
+ *
+ * @returns Optimized licensing service instance
+ */
+export declare function createOptimizedLicensingService(): OptimizedNativeLicensingService;
+/**
+ * Apply global performance optimizations
+ *
+ * This function should be called once during module initialization
+ * to apply system-wide performance optimizations.
+ */
+export declare function applyGlobalOptimizations(): void;
+//# sourceMappingURL=performance-optimizations.d.ts.map

package/out/tsc/performance-optimizations.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"performance-optimizations.d.ts","sourceRoot":"","sources":["../../src/performance-optimizations.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH;;;;GAIG;AACH,MAAM,WAAW,kBAAkB;IACjC,4BAA4B;IAC5B,WAAW,EAAE,MAAM,CAAC;IACpB,yCAAyC;IACzC,WAAW,EAAE,MAAM,CAAC;IACpB,gCAAgC;IAChC,cAAc,EAAE,MAAM,CAAC;IACvB,2BAA2B;IAC3B,YAAY,EAAE,MAAM,CAAC;CACtB;AAED;;;;;GAKG;AACH,qBAAa,oBAAoB;IAC/B,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAqC;IAC5D,OAAO,CAAC,OAAO,CAAqB;IACpC,OAAO,CAAC,WAAW,CAAS;IAC5B,OAAO,CAAC,cAAc,CAAS;IAE/B,OAAO;IAWP;;;;OAIG;WACW,WAAW,IAAI,oBAAoB;IAOjD;;;;;;;;OAQG;IACI,mBAAmB,IAAI,IAAI;IAiBlC;;;;;;;;OAQG;IACI,mBAAmB,IAAI,IAAI;IAwBlC;;;;OAIG;IACI,UAAU,IAAI,kBAAkB;IAOvC;;OAEG;IACI,iBAAiB,IAAI,IAAI;IAIhC;;;;OAIG;IACI,eAAe,CAAC,QAAQ,EAAE,OAAO,GAAG,IAAI;IAQ/C;;;;OAIG;IACH,OAAO,CAAC,8BAA8B;IAwBtC;;;;OAIG;IACH,OAAO,CAAC,yBAAyB;IAoBjC;;;;OAIG;IACH,OAAO,CAAC,qBAAqB;IA8B7B;;;;OAIG;IACH,OAAO,CAAC,uBAAuB;IAU/B;;;;OAIG;IACH,OAAO,CAAC,qBAAqB;IAmB7B;;;;OAIG;IACH,OAAO,CAAC,wBAAwB;IAahC;;;;OAIG;IACH,OAAO,CAAC,eAAe;CAgBxB;AAED;;;;;GAKG;AACH,qBAAa,+BAA+B;IAC1C,OAAO,CAAC,SAAS,CAAuB;IACxC,OAAO,CAAC,WAAW,CAAM;;IAUzB;;;;OAIG;YACW,eAAe;IAgB7B;;;;;OAKG;IACG,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC;IAkCvD;;;;OAIG;IACH,qBAAqB,IAAI,kBAAkB;CAG5C;AAED;;;;GAIG;AACH,wBAAgB,+BAA+B,IAAI,+BAA+B,CAEjF;AAED;;;;;GAKG;AACH,wBAAgB,wBAAwB,IAAI,IAAI,CAQ/C"}

package/package.json

@@ -0,0 +1,96 @@
+{
+    "name": "@lambda-kata/licensing",
+    "version": "0.1.0",
+    "description": "Tamper-resistant native licensing validator for Lambda Kata Integration",
+    "main": "out/dist/index.js",
+    "types": "out/tsc/index.d.ts",
+    "license": "SEE LICENSE IN LICENSE",
+    "author": "Lambda Kata Team",
+    "repository": {
+        "type": "git",
+        "url": "https://github.com/lambda-kata/licensing.git"
+    },
+    "keywords": [
+        "lambda-kata",
+        "licensing",
+        "native",
+        "node-api",
+        "security",
+        "aws-lambda"
+    ],
+    "engines": {
+        "node": ">=18.0.0"
+    },
+    "os": [
+        "linux"
+    ],
+    "cpu": [
+        "x64",
+        "arm64"
+    ],
+    "scripts": {
+        "build": "yarn build:clean && yarn build:native && yarn build:ts && yarn build:types",
+        "build:clean": "rm -rf out/ build/ prebuilt/",
+        "build:native": "node-gyp rebuild || echo 'Native build failed - addon will be unavailable'",
+        "build:native:docker": "./scripts/build-docker.sh",
+        "build:ts": "esbuild src/index.ts --bundle --platform=node --target=node18 --format=cjs --outfile=out/dist/index.js --tree-shaking=true --minify --mangle-props=^[a-zA-Z_$][a-zA-Z0-9_$]*$ --external:*.node",
+        "build:types": "tsc --emitDeclarationOnly --outDir out/tsc",
+        "build:all": "./scripts/build-all.sh",
+        "build:prebuilt": "./scripts/build-prebuilt.sh",
+        "test": "npx jest --runInBand --colors --verbose --testTimeout=15000 --forceExit --detectOpenHandles --no-cache",
+        "test:watch": "npx jest --watch --testTimeout=15000 --runInBand --no-cache",
+        "test:coverage": "npx jest --coverage --runInBand --colors --verbose --testTimeout=15000 --forceExit --detectOpenHandles --no-cache",
+        "test:safe": "npx jest --runInBand --colors --verbose --testTimeout=10000 --forceExit --detectOpenHandles --no-cache --testPathIgnorePatterns='.*\\.property\\.test\\.ts'",
+        "test:unit": "npx jest --runInBand --colors --verbose --testTimeout=10000 --forceExit --detectOpenHandles --no-cache --testPathPattern='.*\\.test\\.ts' --testPathIgnorePatterns='.*\\.property\\.test\\.ts'",
+        "test:property": "npx jest --runInBand --colors --verbose --testTimeout=20000 --forceExit --detectOpenHandles --no-cache --testPathPattern='.*\\.property\\.test\\.ts'",
+        "test:deployment": "./scripts/test-deployment.sh",
+        "lint": "eslint src/ test/ --ext .ts",
+        "lint:fix": "eslint src/ test/ --ext .ts --fix",
+        "docs": "typedoc src/index.ts --out docs/",
+        "prepack": "yarn build:prebuilt || echo 'WARNING: Prebuilt binaries not available, package may not work correctly'",
+        "install": "node scripts/install.js",
+        "postinstall": "node scripts/postinstall.js || echo 'Postinstall script failed, using fallback mode'"
+    },
+    "files": [
+        "out/",
+        "prebuilt/",
+        "README.md",
+        "LICENSE"
+    ],
+    "dependencies": {
+        "node-addon-api": "^7.0.0"
+    },
+    "devDependencies": {
+        "@types/jest": "^29.5.0",
+        "@types/node": "^20.0.0",
+        "@typescript-eslint/eslint-plugin": "^6.0.0",
+        "@typescript-eslint/parser": "^6.0.0",
+        "esbuild": "^0.19.0",
+        "eslint": "^8.0.0",
+        "fast-check": "^3.15.0",
+        "jest": "^29.5.0",
+        "node-gyp": "^10.0.0",
+        "ts-jest": "^29.1.0",
+        "typedoc": "^0.25.0",
+        "typescript": "^5.0.0"
+    },
+    "peerDependencies": {
+        "aws-cdk-lib": "^2.0.0",
+        "constructs": "^10.0.0"
+    },
+    "peerDependenciesMeta": {
+        "aws-cdk-lib": {
+            "optional": true
+        },
+        "constructs": {
+            "optional": true
+        }
+    },
+    "gypfile": true,
+    "binary": {
+        "napi_versions": [
+            8,
+            9
+        ]
+    }
+}