@nepopsx/cli 0.0.22 → 0.0.24

package/dist/config/api-config.js

@@ -13,12 +13,21 @@ export function readLocalConfig(rootDir) {
     }
     try {
         const raw = JSON.parse(readFileSync(configPath, 'utf-8'));
-        return typeof raw.api_url === 'string' ? { api_url: raw.api_url } : {};
+        const out = {};
+        if (typeof raw.api_url === 'string')
+            out.api_url = raw.api_url;
+        if (raw.auth && typeof raw.auth.token === 'string')
+            out.auth = raw.auth;
+        return out;
     }
     catch {
         return {};
     }
 }
+/** The device token from `nepopsx login` — the one credential the CLI sends as a Bearer token. */
+export function readDeviceToken(rootDir) {
+    return readLocalConfig(rootDir).auth?.token ?? null;
+}
 export function writeLocalConfig(rootDir, config) {
     const configPath = getLocalConfigPath(rootDir);
     mkdirSync(join(rootDir, NEPOPSX_DIR), { recursive: true });

package/dist/config/api-config.js.map

@@ -1 +1 @@
-{"version":3,"file":"api-config.js","sourceRoot":"","sources":["../../src/config/api-config.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAC7E,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAEjC,MAAM,WAAW,GAAG,UAAU,CAAC;AAC/B,MAAM,WAAW,GAAG,aAAa,CAAC;AAElC,MAAM,CAAC,MAAM,gBAAgB,GAAG,4BAA4B,CAAC;AAM7D,MAAM,UAAU,kBAAkB,CAAC,OAAe;IAChD,OAAO,IAAI,CAAC,OAAO,EAAE,WAAW,EAAE,WAAW,CAAC,CAAC;AACjD,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,OAAe;IAC7C,MAAM,UAAU,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAC;IAC/C,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC5B,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAuB,CAAC;QAChF,OAAO,OAAO,GAAG,CAAC,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IACzE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,OAAe,EAAE,MAA0B;IAC1E,MAAM,UAAU,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAC;IAC/C,SAAS,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC3D,aAAa,CAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,OAAO,CAAC,CAAC;AAC7E,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,MAAc;IAC7C,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;IACtC,sDAAsD;IACtD,IAAI,MAAM,CAAC,QAAQ,KAAK,OAAO,IAAI,MAAM,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAChE,MAAM,IAAI,KAAK,CAAC,uBAAuB,MAAM,CAAC,QAAQ,wCAAwC,CAAC,CAAC;IAClG,CAAC;IACD,MAAM,WAAW,GAAG,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IAExD,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC7B,MAAM,CAAC,QAAQ,GAAG,KAAK,CAAC;IAC1B,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,QAAQ,GAAG,WAAW,CAAC;IAChC,CAAC;IAED,OAAO,MAAM,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AAC9C,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,OAAe;IAC5C,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;IAC/C,IAAI,UAAU,EAAE,CAAC;QACf,OAAO,gBAAgB,CAAC,UAAU,CAAC,CAAC;IACtC,CAAC;IAED,MAAM,WAAW,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;IAC7C,IAAI,WAAW,CAAC,OAAO,EAAE,CAAC;QACxB,OAAO,gBAAgB,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;IAC/C,CAAC;IAED,OAAO,gBAAgB,CAAC;AAC1B,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,OAAe,EAAE,MAAc;IACxD,MAAM,UAAU,GAAG,gBAAgB,CAAC,MAAM,CAAC,CAAC;IAC5C,MAAM,QAAQ,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;IAC1C,gBAAgB,CAAC,OAAO,EAAE;QACxB,GAAG,QAAQ;QACX,OAAO,EAAE,UAAU;KACpB,CAAC,CAAC;IAEH,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,OAAe;IAC1C,MAAM,QAAQ,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;IAC1C,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC;QACtB,OAAO;IACT,CAAC;IAED,MAAM,IAAI,GAAuB,EAAE,GAAG,QAAQ,EAAE,CAAC;IACjD,OAAO,IAAI,CAAC,OAAO,CAAC;IACpB,gBAAgB,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;AAClC,CAAC"}
+{"version":3,"file":"api-config.js","sourceRoot":"","sources":["../../src/config/api-config.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAC7E,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAEjC,MAAM,WAAW,GAAG,UAAU,CAAC;AAC/B,MAAM,WAAW,GAAG,aAAa,CAAC;AAElC,MAAM,CAAC,MAAM,gBAAgB,GAAG,4BAA4B,CAAC;AAQ7D,MAAM,UAAU,kBAAkB,CAAC,OAAe;IAChD,OAAO,IAAI,CAAC,OAAO,EAAE,WAAW,EAAE,WAAW,CAAC,CAAC;AACjD,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,OAAe;IAC7C,MAAM,UAAU,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAC;IAC/C,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC5B,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAuB,CAAC;QAChF,MAAM,GAAG,GAAuB,EAAE,CAAC;QACnC,IAAI,OAAO,GAAG,CAAC,OAAO,KAAK,QAAQ;YAAE,GAAG,CAAC,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC;QAC/D,IAAI,GAAG,CAAC,IAAI,IAAI,OAAO,GAAG,CAAC,IAAI,CAAC,KAAK,KAAK,QAAQ;YAAE,GAAG,CAAC,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC;QACxE,OAAO,GAAG,CAAC;IACb,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,kGAAkG;AAClG,MAAM,UAAU,eAAe,CAAC,OAAe;IAC7C,OAAO,eAAe,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,IAAI,IAAI,CAAC;AACtD,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,OAAe,EAAE,MAA0B;IAC1E,MAAM,UAAU,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAC;IAC/C,SAAS,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC3D,aAAa,CAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,OAAO,CAAC,CAAC;AAC7E,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,MAAc;IAC7C,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;IACtC,sDAAsD;IACtD,IAAI,MAAM,CAAC,QAAQ,KAAK,OAAO,IAAI,MAAM,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAChE,MAAM,IAAI,KAAK,CAAC,uBAAuB,MAAM,CAAC,QAAQ,wCAAwC,CAAC,CAAC;IAClG,CAAC;IACD,MAAM,WAAW,GAAG,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IAExD,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC7B,MAAM,CAAC,QAAQ,GAAG,KAAK,CAAC;IAC1B,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,QAAQ,GAAG,WAAW,CAAC;IAChC,CAAC;IAED,OAAO,MAAM,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AAC9C,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,OAAe;IAC5C,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;IAC/C,IAAI,UAAU,EAAE,CAAC;QACf,OAAO,gBAAgB,CAAC,UAAU,CAAC,CAAC;IACtC,CAAC;IAED,MAAM,WAAW,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;IAC7C,IAAI,WAAW,CAAC,OAAO,EAAE,CAAC;QACxB,OAAO,gBAAgB,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;IAC/C,CAAC;IAED,OAAO,gBAAgB,CAAC;AAC1B,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,OAAe,EAAE,MAAc;IACxD,MAAM,UAAU,GAAG,gBAAgB,CAAC,MAAM,CAAC,CAAC;IAC5C,MAAM,QAAQ,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;IAC1C,gBAAgB,CAAC,OAAO,EAAE;QACxB,GAAG,QAAQ;QACX,OAAO,EAAE,UAAU;KACpB,CAAC,CAAC;IAEH,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,OAAe;IAC1C,MAAM,QAAQ,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;IAC1C,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC;QACtB,OAAO;IACT,CAAC;IAED,MAAM,IAAI,GAAuB,EAAE,GAAG,QAAQ,EAAE,CAAC;IACjD,OAAO,IAAI,CAAC,OAAO,CAAC;IACpB,gBAAgB,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;AAClC,CAAC"}

package/dist/index.js

@@ -4,7 +4,6 @@ import { upCommand } from './commands/up.js';
 import { syncCommand } from './commands/sync.js';
 import { doctorCommand } from './commands/doctor.js';
 import { installCommand } from './commands/install.js';
-import { activateCommand } from './commands/activate.js';
 import { decodeCommand } from './commands/decode.js';
 import { loginCommand } from './commands/login.js';
 import { scanCommand } from './commands/scan.js';
@@ -57,11 +56,6 @@ program
     .description('Validate workspace.yaml and check workspace health')
     .option('-c, --config <path>', 'Path to workspace.yaml', '.nepopsx/workspace.yaml')
     .action(doctorCommand);
-program
-    .command('activate <key>')
-    .description('Activate an NEPOPSX license key for this machine')
-    .option('-c, --config <path>', 'Path to workspace.yaml', '.nepopsx/workspace.yaml')
-    .action(activateCommand);
 program
     .command('decode <file>')
     .description('Forensic decode — extract fingerprint from a generated file')

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAC7C,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AACrD,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AACzD,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AACrD,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,oBAAoB,EAAE,MAAM,8BAA8B,CAAC;AACpE,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EACL,kBAAkB,EAClB,gBAAgB,EAChB,iBAAiB,GAClB,MAAM,sBAAsB,CAAC;AAE9B,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;AAE9B,OAAO;KACJ,IAAI,CAAC,SAAS,CAAC;KACf,WAAW,CAAC,mDAAmD,CAAC;KAChE,OAAO,CAAC,QAAQ,CAAC,CAAC;AAErB,OAAO;KACJ,OAAO,CAAC,IAAI,CAAC;KACb,WAAW,CAAC,sJAAsJ,CAAC;KACnK,MAAM,CAAC,qBAAqB,EAAE,wBAAwB,EAAE,yBAAyB,CAAC;KAClF,MAAM,CAAC,gBAAgB,EAAE,mDAAmD,CAAC;KAC7E,MAAM,CAAC,4BAA4B,EAAE,sEAAsE,CAAC;KAC5G,MAAM,CAAC,UAAU,EAAE,2EAA2E,CAAC;KAC/F,MAAM,CAAC,WAAW,EAAE,kFAAkF,CAAC;KACvG,MAAM,CAAC,SAAS,CAAC,CAAC;AAErB,OAAO;KACJ,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,wDAAwD,CAAC;KACrE,MAAM,CAAC,mBAAmB,EAAE,0CAA0C,CAAC;KACvE,MAAM,CAAC,WAAW,CAAC,CAAC;AAEvB,OAAO;KACJ,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,6EAA6E,CAAC;KAC1F,MAAM,CAAC,qBAAqB,EAAE,wBAAwB,EAAE,yBAAyB,CAAC;KAClF,MAAM,CAAC,UAAU,EAAE,+DAA+D,CAAC;KACnF,MAAM,CAAC,oBAAoB,EAAE,8CAA8C,CAAC;KAC5E,MAAM,CAAC,WAAW,EAAE,iCAAiC,CAAC;KACtD,MAAM,CAAC,WAAW,EAAE,qDAAqD,CAAC;KAC1E,MAAM,CAAC,mBAAmB,EAAE,uDAAuD,CAAC;KACpF,MAAM,CAAC,OAAO,EAAE,iEAAiE,CAAC;KAClF,MAAM,CAAC,SAAS,EAAE,2EAA2E,CAAC;KAC9F,MAAM,CAAC,WAAW,CAAC,CAAC;AAEvB,OAAO;KACJ,OAAO,CAAC,iBAAiB,CAAC;KAC1B,WAAW,CAAC,gEAAgE,CAAC;KAC7E,MAAM,CAAC,iBAAiB,EAAE,6BAA6B,CAAC;KACxD,MAAM,CAAC,SAAS,EAAE,gEAAgE,CAAC;KACnF,MAAM,CAAC,gBAAgB,EAAE,6DAA6D,CAAC;KACvF,MAAM,CAAC,WAAW,EAAE,qDAAqD,CAAC;KAC1E,MAAM,CAAC,UAAU,EAAE,uEAAuE,CAAC;KAC3F,MAAM,CAAC,4BAA4B,EAAE,+EAA+E,CAAC;KACrH,MAAM,CAAC,cAAc,CAAC,CAAC;AAE1B,OAAO;KACJ,OAAO,CAAC,QAAQ,CAAC;KACjB,WAAW,CAAC,oDAAoD,CAAC;KACjE,MAAM,CAAC,qBAAqB,EAAE,wBAAwB,EAAE,yBAAyB,CAAC;KAClF,MAAM,CAAC,aAAa,CAAC,CAAC;AAEzB,OAAO;KACJ,OAAO,CAAC,gBAAgB,CAAC;KACzB,WAAW,CAAC,kDAAkD,CAAC;KAC/D,MAAM,CAAC,qBAAqB,EAAE,wBAAwB,EAAE,yBAAyB,CAAC;KAClF,MAAM,CAAC,eAAe,CAAC,CAAC;AAE3B,OAAO;KACJ,OAAO,CAAC,eAAe,CAAC;KACxB,WAAW,CAAC,6DAA6D,CAAC;KAC1E,MAAM,CAAC,aAAa,CAAC,CAAC;AAEzB,OAAO;KACJ,OAAO,CAAC,OAAO,CAAC;KAChB,WAAW,CAAC,oGAAoG,CAAC;KACjH,MAAM,CAAC,qBAAqB,EAAE,wBAAwB,EAAE,yBAAyB,CAAC;KAClF,MAAM,CAAC,cAAc,EAAE,wDAAwD,CAAC;KAChF,MAAM,CAAC,YAAY,CAAC,CAAC;AAExB,MAAM,aAAa,GAAG,OAAO;KAC1B,OAAO,CAAC,QAAQ,CAAC;KACjB,WAAW,CAAC,0DAA0D,CAAC,CAAC;AAE3E,aAAa;KACV,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,+CAA+C,CAAC;KAC5D,MAAM,CAAC,iBAAiB,CAAC,CAAC;AAE7B,aAAa;KACV,OAAO,CAAC,WAAW,CAAC;KACpB,WAAW,CAAC,+DAA+D,CAAC;KAC5E,MAAM,CAAC,gBAAgB,CAAC,CAAC;AAE5B,aAAa;KACV,OAAO,CAAC,OAAO,CAAC;KAChB,WAAW,CAAC,0DAA0D,CAAC;KACvE,MAAM,CAAC,kBAAkB,CAAC,CAAC;AAE9B,SAAS,iBAAiB,CAAC,KAAa,EAAE,QAAkB;IAC1D,OAAO,CAAC,GAAG,QAAQ,EAAE,KAAK,CAAC,CAAC;AAC9B,CAAC;AAED,OAAO;KACJ,OAAO,CAAC,gBAAgB,CAAC;KACzB,WAAW,CAAC,sEAAsE,CAAC;KACnF,MAAM,CAAC,qBAAqB,EAAE,wBAAwB,EAAE,yBAAyB,CAAC;KAClF,MAAM,CAAC,oBAAoB,EAAE,gBAAgB,CAAC;KAC9C,MAAM,CAAC,gBAAgB,EAAE,0CAA0C,CAAC;KACpE,MAAM,CAAC,WAAW,EAAE,oBAAoB,CAAC;KACzC,MAAM,CAAC,oBAAoB,CAAC,CAAC;AAEhC,OAAO;KACJ,OAAO,CAAC,SAAS,CAAC;KAClB,WAAW,CAAC,gHAAgH,CAAC;KAC7H,MAAM,CAAC,qBAAqB,EAAE,wBAAwB,EAAE,yBAAyB,CAAC;KAClF,MAAM,CAAC,oBAAoB,EAAE,gBAAgB,CAAC;KAC9C,MAAM,CAAC,gBAAgB,EAAE,6CAA6C,CAAC;KACvE,MAAM,CAAC,cAAc,CAAC,CAAC;AAE1B,OAAO;KACJ,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,0EAA0E,CAAC;KACvF,MAAM,CAAC,WAAW,EAAE,wBAAwB,CAAC;KAC7C,MAAM,CAAC,mBAAmB,EAAE,sDAAsD,CAAC;KACnF,MAAM,CAAC,gBAAgB,EAAE,gBAAgB,CAAC;KAC1C,MAAM,CAAC,kBAAkB,EAAE,4DAA4D,CAAC;KACxF,MAAM,CAAC,mBAAmB,EAAE,0BAA0B,EAAE,OAAO,CAAC;KAChE,MAAM,CAAC,yBAAyB,EAAE,qCAAqC,EAAE,OAAO,CAAC;KACjF,MAAM,CAAC,gBAAgB,EAAE,6BAA6B,EAAE,GAAG,CAAC;KAC5D,MAAM,CAAC,WAAW,EAAE,yCAAyC,CAAC;KAC9D,MAAM,CAAC,WAAW,EAAE,wCAAwC,CAAC;KAC7D,MAAM,CAAC,eAAe,EAAE,oCAAoC,CAAC;KAC7D,MAAM,CAAC,kBAAkB,EAAE,+BAA+B,EAAE,iBAAiB,EAAE,EAAE,CAAC;KAClF,MAAM,CAAC,SAAS,EAAE,2DAA2D,CAAC;KAC9E,MAAM,CAAC,gBAAgB,EAAE,qDAAqD,CAAC;KAC/E,MAAM,CAAC,UAAU,EAAE,mEAAmE,CAAC;KACvF,MAAM,CAAC,WAAW,CAAC,CAAC;AAEvB,OAAO,CAAC,KAAK,EAAE,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAC7C,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AACrD,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AACrD,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,oBAAoB,EAAE,MAAM,8BAA8B,CAAC;AACpE,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EACL,kBAAkB,EAClB,gBAAgB,EAChB,iBAAiB,GAClB,MAAM,sBAAsB,CAAC;AAE9B,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;AAE9B,OAAO;KACJ,IAAI,CAAC,SAAS,CAAC;KACf,WAAW,CAAC,mDAAmD,CAAC;KAChE,OAAO,CAAC,QAAQ,CAAC,CAAC;AAErB,OAAO;KACJ,OAAO,CAAC,IAAI,CAAC;KACb,WAAW,CAAC,sJAAsJ,CAAC;KACnK,MAAM,CAAC,qBAAqB,EAAE,wBAAwB,EAAE,yBAAyB,CAAC;KAClF,MAAM,CAAC,gBAAgB,EAAE,mDAAmD,CAAC;KAC7E,MAAM,CAAC,4BAA4B,EAAE,sEAAsE,CAAC;KAC5G,MAAM,CAAC,UAAU,EAAE,2EAA2E,CAAC;KAC/F,MAAM,CAAC,WAAW,EAAE,kFAAkF,CAAC;KACvG,MAAM,CAAC,SAAS,CAAC,CAAC;AAErB,OAAO;KACJ,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,wDAAwD,CAAC;KACrE,MAAM,CAAC,mBAAmB,EAAE,0CAA0C,CAAC;KACvE,MAAM,CAAC,WAAW,CAAC,CAAC;AAEvB,OAAO;KACJ,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,6EAA6E,CAAC;KAC1F,MAAM,CAAC,qBAAqB,EAAE,wBAAwB,EAAE,yBAAyB,CAAC;KAClF,MAAM,CAAC,UAAU,EAAE,+DAA+D,CAAC;KACnF,MAAM,CAAC,oBAAoB,EAAE,8CAA8C,CAAC;KAC5E,MAAM,CAAC,WAAW,EAAE,iCAAiC,CAAC;KACtD,MAAM,CAAC,WAAW,EAAE,qDAAqD,CAAC;KAC1E,MAAM,CAAC,mBAAmB,EAAE,uDAAuD,CAAC;KACpF,MAAM,CAAC,OAAO,EAAE,iEAAiE,CAAC;KAClF,MAAM,CAAC,SAAS,EAAE,2EAA2E,CAAC;KAC9F,MAAM,CAAC,WAAW,CAAC,CAAC;AAEvB,OAAO;KACJ,OAAO,CAAC,iBAAiB,CAAC;KAC1B,WAAW,CAAC,gEAAgE,CAAC;KAC7E,MAAM,CAAC,iBAAiB,EAAE,6BAA6B,CAAC;KACxD,MAAM,CAAC,SAAS,EAAE,gEAAgE,CAAC;KACnF,MAAM,CAAC,gBAAgB,EAAE,6DAA6D,CAAC;KACvF,MAAM,CAAC,WAAW,EAAE,qDAAqD,CAAC;KAC1E,MAAM,CAAC,UAAU,EAAE,uEAAuE,CAAC;KAC3F,MAAM,CAAC,4BAA4B,EAAE,+EAA+E,CAAC;KACrH,MAAM,CAAC,cAAc,CAAC,CAAC;AAE1B,OAAO;KACJ,OAAO,CAAC,QAAQ,CAAC;KACjB,WAAW,CAAC,oDAAoD,CAAC;KACjE,MAAM,CAAC,qBAAqB,EAAE,wBAAwB,EAAE,yBAAyB,CAAC;KAClF,MAAM,CAAC,aAAa,CAAC,CAAC;AAEzB,OAAO;KACJ,OAAO,CAAC,eAAe,CAAC;KACxB,WAAW,CAAC,6DAA6D,CAAC;KAC1E,MAAM,CAAC,aAAa,CAAC,CAAC;AAEzB,OAAO;KACJ,OAAO,CAAC,OAAO,CAAC;KAChB,WAAW,CAAC,oGAAoG,CAAC;KACjH,MAAM,CAAC,qBAAqB,EAAE,wBAAwB,EAAE,yBAAyB,CAAC;KAClF,MAAM,CAAC,cAAc,EAAE,wDAAwD,CAAC;KAChF,MAAM,CAAC,YAAY,CAAC,CAAC;AAExB,MAAM,aAAa,GAAG,OAAO;KAC1B,OAAO,CAAC,QAAQ,CAAC;KACjB,WAAW,CAAC,0DAA0D,CAAC,CAAC;AAE3E,aAAa;KACV,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,+CAA+C,CAAC;KAC5D,MAAM,CAAC,iBAAiB,CAAC,CAAC;AAE7B,aAAa;KACV,OAAO,CAAC,WAAW,CAAC;KACpB,WAAW,CAAC,+DAA+D,CAAC;KAC5E,MAAM,CAAC,gBAAgB,CAAC,CAAC;AAE5B,aAAa;KACV,OAAO,CAAC,OAAO,CAAC;KAChB,WAAW,CAAC,0DAA0D,CAAC;KACvE,MAAM,CAAC,kBAAkB,CAAC,CAAC;AAE9B,SAAS,iBAAiB,CAAC,KAAa,EAAE,QAAkB;IAC1D,OAAO,CAAC,GAAG,QAAQ,EAAE,KAAK,CAAC,CAAC;AAC9B,CAAC;AAED,OAAO;KACJ,OAAO,CAAC,gBAAgB,CAAC;KACzB,WAAW,CAAC,sEAAsE,CAAC;KACnF,MAAM,CAAC,qBAAqB,EAAE,wBAAwB,EAAE,yBAAyB,CAAC;KAClF,MAAM,CAAC,oBAAoB,EAAE,gBAAgB,CAAC;KAC9C,MAAM,CAAC,gBAAgB,EAAE,0CAA0C,CAAC;KACpE,MAAM,CAAC,WAAW,EAAE,oBAAoB,CAAC;KACzC,MAAM,CAAC,oBAAoB,CAAC,CAAC;AAEhC,OAAO;KACJ,OAAO,CAAC,SAAS,CAAC;KAClB,WAAW,CAAC,gHAAgH,CAAC;KAC7H,MAAM,CAAC,qBAAqB,EAAE,wBAAwB,EAAE,yBAAyB,CAAC;KAClF,MAAM,CAAC,oBAAoB,EAAE,gBAAgB,CAAC;KAC9C,MAAM,CAAC,gBAAgB,EAAE,6CAA6C,CAAC;KACvE,MAAM,CAAC,cAAc,CAAC,CAAC;AAE1B,OAAO;KACJ,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,0EAA0E,CAAC;KACvF,MAAM,CAAC,WAAW,EAAE,wBAAwB,CAAC;KAC7C,MAAM,CAAC,mBAAmB,EAAE,sDAAsD,CAAC;KACnF,MAAM,CAAC,gBAAgB,EAAE,gBAAgB,CAAC;KAC1C,MAAM,CAAC,kBAAkB,EAAE,4DAA4D,CAAC;KACxF,MAAM,CAAC,mBAAmB,EAAE,0BAA0B,EAAE,OAAO,CAAC;KAChE,MAAM,CAAC,yBAAyB,EAAE,qCAAqC,EAAE,OAAO,CAAC;KACjF,MAAM,CAAC,gBAAgB,EAAE,6BAA6B,EAAE,GAAG,CAAC;KAC5D,MAAM,CAAC,WAAW,EAAE,yCAAyC,CAAC;KAC9D,MAAM,CAAC,WAAW,EAAE,wCAAwC,CAAC;KAC7D,MAAM,CAAC,eAAe,EAAE,oCAAoC,CAAC;KAC7D,MAAM,CAAC,kBAAkB,EAAE,+BAA+B,EAAE,iBAAiB,EAAE,EAAE,CAAC;KAClF,MAAM,CAAC,SAAS,EAAE,2DAA2D,CAAC;KAC9E,MAAM,CAAC,gBAAgB,EAAE,qDAAqD,CAAC;KAC/E,MAAM,CAAC,UAAU,EAAE,mEAAmE,CAAC;KACvF,MAAM,CAAC,WAAW,CAAC,CAAC;AAEvB,OAAO,CAAC,KAAK,EAAE,CAAC"}

package/dist/licensing/entitlement-cache.d.ts

@@ -0,0 +1,25 @@
+/**
+ * Short-TTL disk cache for the org's resolved {@link Entitlement}.
+ *
+ * `validate`/`refresh` populate this; commands read it to display the current plan/limits
+ * without a network round-trip per invocation. Keyed by license key, so switching orgs/keys
+ * (or re-activating) invalidates automatically. Advisory/display only — never an enforcement
+ * authority (the server's 402 is the only hard gate).
+ */
+import type { Entitlement } from '@nepopsx/core';
+/** Return the cached entitlement for `licenseKey`, or `null` on miss/expiry/key-mismatch. */
+export declare function getCachedEntitlement(rootDir: string, licenseKey: string): Entitlement | null;
+/** Cache `entitlement` against `licenseKey`. */
+export declare function setCachedEntitlement(rootDir: string, licenseKey: string, entitlement: Entitlement): void;
+/** Drop the cached entitlement (e.g. on logout / re-activate / org switch). */
+export declare function clearCachedEntitlement(rootDir: string): void;
+/**
+ * Whether the backend is the entitlement authority for this license — true once a recent
+ * `validate`/`refresh` cached a resolved entitlement (a newer backend per ADR 0001).
+ *
+ * Commands use this to decide between *advisory* warnings (server enforces; let it 402) and
+ * the legacy *local* hard-blocks (older backend that does not enforce). This keeps the
+ * package-first rollout from regressing limit enforcement before the backend ships its gates.
+ */
+export declare function serverEnforces(rootDir: string, licenseKey: string): boolean;
+//# sourceMappingURL=entitlement-cache.d.ts.map

package/dist/licensing/entitlement-cache.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"entitlement-cache.d.ts","sourceRoot":"","sources":["../../src/licensing/entitlement-cache.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAiBjD,6FAA6F;AAC7F,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,WAAW,GAAG,IAAI,CAI5F;AAED,gDAAgD;AAChD,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,WAAW,EAAE,WAAW,GAAG,IAAI,CAExG;AAED,+EAA+E;AAC/E,wBAAgB,sBAAsB,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI,CAE5D;AAED;;;;;;;GAOG;AACH,wBAAgB,cAAc,CAAC,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAE3E"}

package/dist/licensing/entitlement-cache.js

@@ -0,0 +1,42 @@
+/**
+ * Short-TTL disk cache for the org's resolved {@link Entitlement}.
+ *
+ * `validate`/`refresh` populate this; commands read it to display the current plan/limits
+ * without a network round-trip per invocation. Keyed by license key, so switching orgs/keys
+ * (or re-activating) invalidates automatically. Advisory/display only — never an enforcement
+ * authority (the server's 402 is the only hard gate).
+ */
+import { readDiskCache, writeDiskCache, clearDiskCache } from '../utils/disk-cache.js';
+const ENTITLEMENT_CACHE_FILE = 'entitlement.json';
+/** TTL mirrors the backend's resolved-entitlement cache; overridable for tests/dev. */
+function ttlMs() {
+    const sec = Number(process.env.CLI_ENTITLEMENT_CACHE_TTL_SEC);
+    return (Number.isFinite(sec) && sec > 0 ? sec : 90) * 1000;
+}
+/** Return the cached entitlement for `licenseKey`, or `null` on miss/expiry/key-mismatch. */
+export function getCachedEntitlement(rootDir, licenseKey) {
+    const cached = readDiskCache(rootDir, ENTITLEMENT_CACHE_FILE);
+    if (!cached || cached.key !== licenseKey)
+        return null;
+    return cached.entitlement;
+}
+/** Cache `entitlement` against `licenseKey`. */
+export function setCachedEntitlement(rootDir, licenseKey, entitlement) {
+    writeDiskCache(rootDir, ENTITLEMENT_CACHE_FILE, { key: licenseKey, entitlement }, ttlMs());
+}
+/** Drop the cached entitlement (e.g. on logout / re-activate / org switch). */
+export function clearCachedEntitlement(rootDir) {
+    clearDiskCache(rootDir, ENTITLEMENT_CACHE_FILE);
+}
+/**
+ * Whether the backend is the entitlement authority for this license — true once a recent
+ * `validate`/`refresh` cached a resolved entitlement (a newer backend per ADR 0001).
+ *
+ * Commands use this to decide between *advisory* warnings (server enforces; let it 402) and
+ * the legacy *local* hard-blocks (older backend that does not enforce). This keeps the
+ * package-first rollout from regressing limit enforcement before the backend ships its gates.
+ */
+export function serverEnforces(rootDir, licenseKey) {
+    return getCachedEntitlement(rootDir, licenseKey) !== null;
+}
+//# sourceMappingURL=entitlement-cache.js.map

package/dist/licensing/entitlement-cache.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"entitlement-cache.js","sourceRoot":"","sources":["../../src/licensing/entitlement-cache.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,EAAE,aAAa,EAAE,cAAc,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AAEvF,MAAM,sBAAsB,GAAG,kBAAkB,CAAC;AAElD,uFAAuF;AACvF,SAAS,KAAK;IACZ,MAAM,GAAG,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,6BAA6B,CAAC,CAAC;IAC9D,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC;AAC7D,CAAC;AAQD,6FAA6F;AAC7F,MAAM,UAAU,oBAAoB,CAAC,OAAe,EAAE,UAAkB;IACtE,MAAM,MAAM,GAAG,aAAa,CAAoB,OAAO,EAAE,sBAAsB,CAAC,CAAC;IACjF,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,GAAG,KAAK,UAAU;QAAE,OAAO,IAAI,CAAC;IACtD,OAAO,MAAM,CAAC,WAAW,CAAC;AAC5B,CAAC;AAED,gDAAgD;AAChD,MAAM,UAAU,oBAAoB,CAAC,OAAe,EAAE,UAAkB,EAAE,WAAwB;IAChG,cAAc,CAAoB,OAAO,EAAE,sBAAsB,EAAE,EAAE,GAAG,EAAE,UAAU,EAAE,WAAW,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;AAChH,CAAC;AAED,+EAA+E;AAC/E,MAAM,UAAU,sBAAsB,CAAC,OAAe;IACpD,cAAc,CAAC,OAAO,EAAE,sBAAsB,CAAC,CAAC;AAClD,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,cAAc,CAAC,OAAe,EAAE,UAAkB;IAChE,OAAO,oBAAoB,CAAC,OAAO,EAAE,UAAU,CAAC,KAAK,IAAI,CAAC;AAC5D,CAAC"}

package/dist/licensing/index.d.ts

@@ -1,7 +1,8 @@
 /**
  * Licensing barrel — re-export all licensing modules.
  */
-export { readLicense, writeLicense, reconcileLicenseWorkspace, activateLicense, validateLicense, enforceTierLimits, isDevMode, type ActivationResult, type TierViolation, } from './license-manager.js';
+export { readLicense, writeLicense, reconcileLicenseWorkspace, validateLicense, resolveEntitlement, enforceTierLimits, isDevMode, type TierViolation, } from './license-manager.js';
+export { getCachedEntitlement, setCachedEntitlement, clearCachedEntitlement, serverEnforces, } from './entitlement-cache.js';
 export { fetchRemoteTemplates, type TemplateBundle, } from './template-fetch.js';
 export { applySteganography, decodeSteganography, forensicDecode, fingerprintToId, } from './fingerprint.js';
 export { resolveWorkspaceName, readWorkspaceNameFromDisk, UNKNOWN_WORKSPACE, } from './workspace-name.js';

package/dist/licensing/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/licensing/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EACL,WAAW,EACX,YAAY,EACZ,yBAAyB,EACzB,eAAe,EACf,eAAe,EACf,iBAAiB,EACjB,SAAS,EACT,KAAK,gBAAgB,EACrB,KAAK,aAAa,GACnB,MAAM,sBAAsB,CAAC;AAE9B,OAAO,EACL,oBAAoB,EACpB,KAAK,cAAc,GACpB,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EACL,kBAAkB,EAClB,mBAAmB,EACnB,cAAc,EACd,eAAe,GAChB,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EACL,oBAAoB,EACpB,yBAAyB,EACzB,iBAAiB,GAClB,MAAM,qBAAqB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/licensing/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EACL,WAAW,EACX,YAAY,EACZ,yBAAyB,EACzB,eAAe,EACf,kBAAkB,EAClB,iBAAiB,EACjB,SAAS,EACT,KAAK,aAAa,GACnB,MAAM,sBAAsB,CAAC;AAE9B,OAAO,EACL,oBAAoB,EACpB,oBAAoB,EACpB,sBAAsB,EACtB,cAAc,GACf,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EACL,oBAAoB,EACpB,KAAK,cAAc,GACpB,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EACL,kBAAkB,EAClB,mBAAmB,EACnB,cAAc,EACd,eAAe,GAChB,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EACL,oBAAoB,EACpB,yBAAyB,EACzB,iBAAiB,GAClB,MAAM,qBAAqB,CAAC"}

package/dist/licensing/index.js

@@ -1,7 +1,8 @@
 /**
  * Licensing barrel — re-export all licensing modules.
  */
-export { readLicense, writeLicense, reconcileLicenseWorkspace, activateLicense, validateLicense, enforceTierLimits, isDevMode, } from './license-manager.js';
+export { readLicense, writeLicense, reconcileLicenseWorkspace, validateLicense, resolveEntitlement, enforceTierLimits, isDevMode, } from './license-manager.js';
+export { getCachedEntitlement, setCachedEntitlement, clearCachedEntitlement, serverEnforces, } from './entitlement-cache.js';
 export { fetchRemoteTemplates, } from './template-fetch.js';
 export { applySteganography, decodeSteganography, forensicDecode, fingerprintToId, } from './fingerprint.js';
 export { resolveWorkspaceName, readWorkspaceNameFromDisk, UNKNOWN_WORKSPACE, } from './workspace-name.js';

package/dist/licensing/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/licensing/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EACL,WAAW,EACX,YAAY,EACZ,yBAAyB,EACzB,eAAe,EACf,eAAe,EACf,iBAAiB,EACjB,SAAS,GAGV,MAAM,sBAAsB,CAAC;AAE9B,OAAO,EACL,oBAAoB,GAErB,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EACL,kBAAkB,EAClB,mBAAmB,EACnB,cAAc,EACd,eAAe,GAChB,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EACL,oBAAoB,EACpB,yBAAyB,EACzB,iBAAiB,GAClB,MAAM,qBAAqB,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/licensing/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EACL,WAAW,EACX,YAAY,EACZ,yBAAyB,EACzB,eAAe,EACf,kBAAkB,EAClB,iBAAiB,EACjB,SAAS,GAEV,MAAM,sBAAsB,CAAC;AAE9B,OAAO,EACL,oBAAoB,EACpB,oBAAoB,EACpB,sBAAsB,EACtB,cAAc,GACf,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EACL,oBAAoB,GAErB,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EACL,kBAAkB,EAClB,mBAAmB,EACnB,cAAc,EACd,eAAe,GAChB,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EACL,oBAAoB,EACpB,yBAAyB,EACzB,iBAAiB,GAClB,MAAM,qBAAqB,CAAC"}

package/dist/licensing/installer.d.ts

@@ -1,10 +1,10 @@
 /**
- * Agent bundle installer — downloads, decrypts, verifies, and writes
+ * Agent bundle installer — downloads, decodes, verifies, and writes
  * agent template files from the NEPOPSX API.
  *
  * Flow:
- *   1. downloadBundle  — POST /v1/templates/:agent/:version  (auth: Bearer <key>)
- *   2. decryptBundle   — AES-256-GCM, key = SHA-256(licenseKey + ":nepopsx-template-key")
+ *   1. downloadBundle  — POST /v1/templates/:agent/:version  (auth: Bearer <device token>)
+ *   2. decryptBundle   — base64-decode the plaintext payload (served over TLS)
  *   3. verifyBundleSha — SHA-256 of raw JSON must match server-provided sha256
  *   4. writeAgentFiles — atomic write via temp + rename into .github/<relative-path>
  */
@@ -12,8 +12,6 @@ import type { License, OutputProvider } from "@nepopsx/core";
 import type { CustomInstruction } from "../generator/render.js";
 export interface EncryptedBundle {
     payload: string;
-    iv: string;
-    tag: string;
     agent: string;
     version: string;
     sha256: string;
@@ -33,10 +31,11 @@ export interface AgentBootstrapConfig {
 export declare function downloadBundle(cwd: string, license: License, agent: string, version: string, customInstructions?: CustomInstruction[], providers?: OutputProvider[]): Promise<EncryptedBundle>;
 export declare function downloadBootstrapConfig(cwd: string, license: License, agent: string, version: string, customInstructions?: CustomInstruction[]): Promise<AgentBootstrapConfig>;
 /**
- * Decrypt an AES-256-GCM bundle using the license key.
- * Returns the raw JSON string (not yet parsed).
+ * Decode a bundle payload. The backend now serves plaintext base64 over TLS to an
+ * authenticated request (no at-rest encryption). Returns the raw JSON string. The
+ * second arg is accepted-and-ignored for call-site compatibility.
  */
-export declare function decryptBundle(bundle: EncryptedBundle, licenseKey: string): string;
+export declare function decryptBundle(bundle: EncryptedBundle, _credential?: string): string;
 /**
  * Verify that the decrypted JSON matches the server's sha256.
  * Throws if the digest does not match.

package/dist/licensing/installer.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"installer.d.ts","sourceRoot":"","sources":["../../src/licensing/installer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAOH,OAAO,KAAK,EAAE,OAAO,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAG7D,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAIhE,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,MAAM,CAAC;IAChB,EAAE,EAAE,MAAM,CAAC;IACX,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,oBAAoB;IACnC,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACjC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACjC;AAID;;GAEG;AACH,wBAAsB,cAAc,CAClC,GAAG,EAAE,MAAM,EACX,OAAO,EAAE,OAAO,EAChB,KAAK,EAAE,MAAM,EACb,OAAO,EAAE,MAAM,EACf,kBAAkB,GAAE,iBAAiB,EAAO,EAC5C,SAAS,GAAE,cAAc,EAAO,GAC/B,OAAO,CAAC,eAAe,CAAC,CA2B1B;AAED,wBAAsB,uBAAuB,CAC3C,GAAG,EAAE,MAAM,EACX,OAAO,EAAE,OAAO,EAChB,KAAK,EAAE,MAAM,EACb,OAAO,EAAE,MAAM,EACf,kBAAkB,GAAE,iBAAiB,EAAO,GAC3C,OAAO,CAAC,oBAAoB,CAAC,CA6B/B;AAID;;;GAGG;AACH,wBAAgB,aAAa,CAAC,MAAM,EAAE,eAAe,EAAE,UAAU,EAAE,MAAM,GAAG,MAAM,CAcjF;AAID;;;GAGG;AACH,wBAAgB,eAAe,CAAC,aAAa,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,IAAI,CAOhF;AAID;;;;GAIG;AACH,wBAAgB,eAAe,CAC7B,GAAG,EAAE,MAAM,EACX,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAChC,aAAa,EAAE,CAmBjB"}
+{"version":3,"file":"installer.d.ts","sourceRoot":"","sources":["../../src/licensing/installer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAOH,OAAO,KAAK,EAAE,OAAO,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAG7D,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAIhE,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,oBAAoB;IACnC,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACjC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACjC;AAID;;GAEG;AACH,wBAAsB,cAAc,CAClC,GAAG,EAAE,MAAM,EACX,OAAO,EAAE,OAAO,EAChB,KAAK,EAAE,MAAM,EACb,OAAO,EAAE,MAAM,EACf,kBAAkB,GAAE,iBAAiB,EAAO,EAC5C,SAAS,GAAE,cAAc,EAAO,GAC/B,OAAO,CAAC,eAAe,CAAC,CA2B1B;AAED,wBAAsB,uBAAuB,CAC3C,GAAG,EAAE,MAAM,EACX,OAAO,EAAE,OAAO,EAChB,KAAK,EAAE,MAAM,EACb,OAAO,EAAE,MAAM,EACf,kBAAkB,GAAE,iBAAiB,EAAO,GAC3C,OAAO,CAAC,oBAAoB,CAAC,CA6B/B;AAID;;;;GAIG;AACH,wBAAgB,aAAa,CAAC,MAAM,EAAE,eAAe,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,MAAM,CAEnF;AAID;;;GAGG;AACH,wBAAgB,eAAe,CAAC,aAAa,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,IAAI,CAOhF;AAID;;;;GAIG;AACH,wBAAgB,eAAe,CAC7B,GAAG,EAAE,MAAM,EACX,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAChC,aAAa,EAAE,CAmBjB"}

package/dist/licensing/installer.js

@@ -1,14 +1,14 @@
 /**
- * Agent bundle installer — downloads, decrypts, verifies, and writes
+ * Agent bundle installer — downloads, decodes, verifies, and writes
  * agent template files from the NEPOPSX API.
  *
  * Flow:
- *   1. downloadBundle  — POST /v1/templates/:agent/:version  (auth: Bearer <key>)
- *   2. decryptBundle   — AES-256-GCM, key = SHA-256(licenseKey + ":nepopsx-template-key")
+ *   1. downloadBundle  — POST /v1/templates/:agent/:version  (auth: Bearer <device token>)
+ *   2. decryptBundle   — base64-decode the plaintext payload (served over TLS)
  *   3. verifyBundleSha — SHA-256 of raw JSON must match server-provided sha256
  *   4. writeAgentFiles — atomic write via temp + rename into .github/<relative-path>
  */
-import { createDecipheriv, createHash } from "node:crypto";
+import { createHash } from "node:crypto";
 import { existsSync, mkdirSync, renameSync, writeFileSync } from "node:fs";
 import { dirname, join } from "node:path";
 import { resolveApiBase } from "../config/api-config.js";
@@ -65,20 +65,12 @@ export async function downloadBootstrapConfig(cwd, license, agent, version, cust
 }
 // ─── Decrypt ────────────────────────────────────────────────
 /**
- * Decrypt an AES-256-GCM bundle using the license key.
- * Returns the raw JSON string (not yet parsed).
+ * Decode a bundle payload. The backend now serves plaintext base64 over TLS to an
+ * authenticated request (no at-rest encryption). Returns the raw JSON string. The
+ * second arg is accepted-and-ignored for call-site compatibility.
  */
-export function decryptBundle(bundle, licenseKey) {
-    const key = createHash("sha256")
-        .update(`${licenseKey}:nepopsx-template-key`)
-        .digest();
-    const iv = Buffer.from(bundle.iv, "base64");
-    const tag = Buffer.from(bundle.tag, "base64");
-    const encrypted = Buffer.from(bundle.payload, "base64");
-    const decipher = createDecipheriv("aes-256-gcm", key, iv);
-    decipher.setAuthTag(tag);
-    const decrypted = Buffer.concat([decipher.update(encrypted), decipher.final()]);
-    return decrypted.toString("utf-8");
+export function decryptBundle(bundle, _credential) {
+    return Buffer.from(bundle.payload, "base64").toString("utf-8");
 }
 // ─── Verify ─────────────────────────────────────────────────
 /**

package/dist/licensing/installer.js.map

@@ -1 +1 @@
-{"version":3,"file":"installer.js","sourceRoot":"","sources":["../../src/licensing/installer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,gBAAgB,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAC3D,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,UAAU,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAC3E,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AACzD,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AAErD,OAAO,EAAE,mBAAmB,EAAE,MAAM,iBAAiB,CAAC;AACtD,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAyB3D,+DAA+D;AAE/D;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,GAAW,EACX,OAAgB,EAChB,KAAa,EACb,OAAe,EACf,qBAA0C,EAAE,EAC5C,YAA8B,EAAE;IAEhC,MAAM,OAAO,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC;IACpC,MAAM,GAAG,GAAG,GAAG,OAAO,cAAc,kBAAkB,CAAC,KAAK,CAAC,IAAI,kBAAkB,CAAC,OAAO,CAAC,EAAE,CAAC;IAE/F,MAAM,QAAQ,GAAG,MAAM,gBAAgB,CAAC,GAAG,EAAE;QAC3C,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,aAAa,EAAE,UAAU,OAAO,CAAC,GAAG,EAAE;YACtC,cAAc,EAAE,kBAAkB;SACnC;QACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;YACnB,UAAU,EAAE,OAAO,CAAC,UAAU;YAC9B,SAAS,EAAE,oBAAoB,CAAC,GAAG,EAAE,OAAO,CAAC;YAC7C,mBAAmB,EAAE,kBAAkB;YACvC,0DAA0D;YAC1D,SAAS;SACV,CAAC;KACH,EAAE,mBAAmB,CAAC,CAAC;IAExB,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;QACnD,MAAM,IAAI,KAAK,CACb,2BAA2B,QAAQ,CAAC,MAAM,MAAM,IAAI,IAAI,QAAQ,CAAC,UAAU,EAAE,CAC9E,CAAC;IACJ,CAAC;IAED,OAAO,QAAQ,CAAC,IAAI,EAA8B,CAAC;AACrD,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,GAAW,EACX,OAAgB,EAChB,KAAa,EACb,OAAe,EACf,qBAA0C,EAAE;IAE5C,MAAM,OAAO,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC;IACpC,MAAM,GAAG,GAAG,GAAG,OAAO,cAAc,kBAAkB,CAAC,KAAK,CAAC,IAAI,kBAAkB,CAAC,OAAO,CAAC,mBAAmB,CAAC;IAEhH,MAAM,QAAQ,GAAG,MAAM,gBAAgB,CACrC,GAAG,EACH;QACE,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,aAAa,EAAE,UAAU,OAAO,CAAC,GAAG,EAAE;YACtC,cAAc,EAAE,kBAAkB;SACnC;QACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;YACnB,UAAU,EAAE,OAAO,CAAC,UAAU;YAC9B,SAAS,EAAE,oBAAoB,CAAC,GAAG,EAAE,OAAO,CAAC;YAC7C,mBAAmB,EAAE,kBAAkB;SACxC,CAAC;KACH,EACD,mBAAmB,CACpB,CAAC;IAEF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;QACnD,MAAM,IAAI,KAAK,CACb,qCAAqC,QAAQ,CAAC,MAAM,MAAM,IAAI,IAAI,QAAQ,CAAC,UAAU,EAAE,CACxF,CAAC;IACJ,CAAC;IAED,OAAO,QAAQ,CAAC,IAAI,EAAmC,CAAC;AAC1D,CAAC;AAED,+DAA+D;AAE/D;;;GAGG;AACH,MAAM,UAAU,aAAa,CAAC,MAAuB,EAAE,UAAkB;IACvE,MAAM,GAAG,GAAG,UAAU,CAAC,QAAQ,CAAC;SAC7B,MAAM,CAAC,GAAG,UAAU,uBAAuB,CAAC;SAC5C,MAAM,EAAE,CAAC;IAEZ,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;IAC5C,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;IAC9C,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;IAExD,MAAM,QAAQ,GAAG,gBAAgB,CAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IAC1D,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;IAEzB,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IAChF,OAAO,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;AACrC,CAAC;AAED,+DAA+D;AAE/D;;;GAGG;AACH,MAAM,UAAU,eAAe,CAAC,aAAqB,EAAE,WAAmB;IACxE,MAAM,MAAM,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,aAAa,EAAE,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACjF,IAAI,MAAM,KAAK,WAAW,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CACb,gEAAgE,WAAW,iBAAiB,MAAM,EAAE,CACrG,CAAC;IACJ,CAAC;AACH,CAAC;AAED,+DAA+D;AAE/D;;;;GAIG;AACH,MAAM,UAAU,eAAe,CAC7B,GAAW,EACX,SAAiC;IAEjC,MAAM,OAAO,GAAoB,EAAE,CAAC;IAEpC,KAAK,MAAM,CAAC,YAAY,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,CAAC;QAChE,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,EAAE,SAAS,EAAE,YAAY,CAAC,CAAC;QAChD,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;QAC9B,MAAM,GAAG,GAAG,GAAG,IAAI,MAAM,CAAC;QAE1B,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;YACzB,SAAS,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC1C,CAAC;QAED,aAAa,CAAC,GAAG,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;QACrC,UAAU,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QAEtB,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,EAAE,YAAY,CAAC,EAAE,CAAC,CAAC;IACxD,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC"}
+{"version":3,"file":"installer.js","sourceRoot":"","sources":["../../src/licensing/installer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,UAAU,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAC3E,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AACzD,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AAErD,OAAO,EAAE,mBAAmB,EAAE,MAAM,iBAAiB,CAAC;AACtD,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAuB3D,+DAA+D;AAE/D;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,GAAW,EACX,OAAgB,EAChB,KAAa,EACb,OAAe,EACf,qBAA0C,EAAE,EAC5C,YAA8B,EAAE;IAEhC,MAAM,OAAO,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC;IACpC,MAAM,GAAG,GAAG,GAAG,OAAO,cAAc,kBAAkB,CAAC,KAAK,CAAC,IAAI,kBAAkB,CAAC,OAAO,CAAC,EAAE,CAAC;IAE/F,MAAM,QAAQ,GAAG,MAAM,gBAAgB,CAAC,GAAG,EAAE;QAC3C,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,aAAa,EAAE,UAAU,OAAO,CAAC,GAAG,EAAE;YACtC,cAAc,EAAE,kBAAkB;SACnC;QACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;YACnB,UAAU,EAAE,OAAO,CAAC,UAAU;YAC9B,SAAS,EAAE,oBAAoB,CAAC,GAAG,EAAE,OAAO,CAAC;YAC7C,mBAAmB,EAAE,kBAAkB;YACvC,0DAA0D;YAC1D,SAAS;SACV,CAAC;KACH,EAAE,mBAAmB,CAAC,CAAC;IAExB,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;QACnD,MAAM,IAAI,KAAK,CACb,2BAA2B,QAAQ,CAAC,MAAM,MAAM,IAAI,IAAI,QAAQ,CAAC,UAAU,EAAE,CAC9E,CAAC;IACJ,CAAC;IAED,OAAO,QAAQ,CAAC,IAAI,EAA8B,CAAC;AACrD,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,GAAW,EACX,OAAgB,EAChB,KAAa,EACb,OAAe,EACf,qBAA0C,EAAE;IAE5C,MAAM,OAAO,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC;IACpC,MAAM,GAAG,GAAG,GAAG,OAAO,cAAc,kBAAkB,CAAC,KAAK,CAAC,IAAI,kBAAkB,CAAC,OAAO,CAAC,mBAAmB,CAAC;IAEhH,MAAM,QAAQ,GAAG,MAAM,gBAAgB,CACrC,GAAG,EACH;QACE,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,aAAa,EAAE,UAAU,OAAO,CAAC,GAAG,EAAE;YACtC,cAAc,EAAE,kBAAkB;SACnC;QACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;YACnB,UAAU,EAAE,OAAO,CAAC,UAAU;YAC9B,SAAS,EAAE,oBAAoB,CAAC,GAAG,EAAE,OAAO,CAAC;YAC7C,mBAAmB,EAAE,kBAAkB;SACxC,CAAC;KACH,EACD,mBAAmB,CACpB,CAAC;IAEF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;QACnD,MAAM,IAAI,KAAK,CACb,qCAAqC,QAAQ,CAAC,MAAM,MAAM,IAAI,IAAI,QAAQ,CAAC,UAAU,EAAE,CACxF,CAAC;IACJ,CAAC;IAED,OAAO,QAAQ,CAAC,IAAI,EAAmC,CAAC;AAC1D,CAAC;AAED,+DAA+D;AAE/D;;;;GAIG;AACH,MAAM,UAAU,aAAa,CAAC,MAAuB,EAAE,WAAoB;IACzE,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;AACjE,CAAC;AAED,+DAA+D;AAE/D;;;GAGG;AACH,MAAM,UAAU,eAAe,CAAC,aAAqB,EAAE,WAAmB;IACxE,MAAM,MAAM,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,aAAa,EAAE,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACjF,IAAI,MAAM,KAAK,WAAW,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CACb,gEAAgE,WAAW,iBAAiB,MAAM,EAAE,CACrG,CAAC;IACJ,CAAC;AACH,CAAC;AAED,+DAA+D;AAE/D;;;;GAIG;AACH,MAAM,UAAU,eAAe,CAC7B,GAAW,EACX,SAAiC;IAEjC,MAAM,OAAO,GAAoB,EAAE,CAAC;IAEpC,KAAK,MAAM,CAAC,YAAY,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,CAAC;QAChE,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,EAAE,SAAS,EAAE,YAAY,CAAC,CAAC;QAChD,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;QAC9B,MAAM,GAAG,GAAG,GAAG,IAAI,MAAM,CAAC;QAE1B,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;YACzB,SAAS,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC1C,CAAC;QAED,aAAa,CAAC,GAAG,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;QACrC,UAAU,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QAEtB,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,EAAE,YAAY,CAAC,EAAE,CAAC,CAAC;IACxD,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/dist/licensing/license-manager.d.ts

@@ -1,42 +1,34 @@
 /**
- * License manager — handles license activation, validation,
- * online refresh, and tier-based feature gating.
+ * Auth/session helpers. Post-migration the CLI has ONE credential: the opaque
+ * device token from `nepopsx login`, stored in `.nepopsx/config.json`. The
+ * `License` shape is kept as a thin compatibility view — `.key` IS the device
+ * token — so existing commands send the right Bearer credential unchanged. Auth
+ * and entitlement are server-authoritative now (the backend 401/402s); there is
+ * no license.json, no machine binding, and no online validate/refresh.
  */
-import { type License, type LicenseStatus, type LicenseTier, type WorkspaceConfig } from '@nepopsx/core';
+import { type License, type LicenseStatus, type LicenseTier, type WorkspaceConfig, type Entitlement } from '@nepopsx/core';
 /**
- * Read the local license file. Returns null if not found or invalid.
+ * Build a `License`-shaped view from the stored device token. `.key` IS the opaque
+ * `opsx_dvc_…` token sent as a Bearer credential; `org`/`tier` come from the plan
+ * captured at login; `workspace` is the live local name. Returns null if not
+ * logged in. (No license.json — the device token in config.json is the credential.)
  */
 export declare function readLicense(rootDir: string): License | null;
+/** No-op: the workspace is sourced live from disk in `readLicense` now. */
+export declare function reconcileLicenseWorkspace<T extends License | null>(_rootDir: string, license: T): T;
+/** No-op kept for callers: there is no license.json to write any more. */
+export declare function writeLicense(_rootDir: string, _license: License): void;
 /**
- * Write license to disk. Creates .nepopsx/ if needed.
+ * Confirm a device token is present. Auth + entitlement are enforced by the
+ * backend (401/402) — this no longer calls the server.
  */
-export declare function writeLicense(rootDir: string, license: License): void;
+export declare function validateLicense(rootDir: string, _config: WorkspaceConfig): Promise<LicenseStatus>;
 /**
- * Heal the license's `workspace` field against the live `workspace.yaml`.
- *
- * The license is activated before `workspace.yaml` exists, so it is born with
- * `workspace: "unknown"`. Once the real config exists, reconcile the in-memory
- * license (and persist it) so every downstream `license.workspace` read — and
- * every backend call derived from it — uses the live workspace name instead of
- * the stale snapshot. Best-effort: returns the license unchanged when the config
- * is absent or already matches. Accepts/returns `null` for the no-license path.
+ * Resolve the org's entitlement for DISPLAY: cache → synthesized from the plan
+ * manifest + the session's plan. Advisory only — the backend's 402s are the hard
+ * authority. Never throws.
  */
-export declare function reconcileLicenseWorkspace<T extends License | null>(rootDir: string, license: T): T;
-export interface ActivationResult {
-    success: boolean;
-    license?: License;
-    error?: string;
-}
-/**
- * Activate a license key for this machine + workspace.
- * Calls the remote API to validate the key and bind it.
- */
-export declare function activateLicense(rootDir: string, licenseKey: string, workspaceName: string): Promise<ActivationResult>;
-/**
- * Validate the current license. Attempts online refresh if expired.
- * Returns detailed status.
- */
-export declare function validateLicense(rootDir: string, config: WorkspaceConfig): Promise<LicenseStatus>;
+export declare function resolveEntitlement(rootDir: string, license: License): Promise<Entitlement>;
 export interface TierViolation {
     feature: string;
     limit: string;
@@ -44,18 +36,11 @@ export interface TierViolation {
     required_tier: LicenseTier;
 }
 /**
-/**
- * Check if the workspace config exceeds the license tier's limits.
- *
- * Only scale limits are enforced here — agent quality (customs, philosophy,
- * prompts) is identical across all tiers. The differentiators are:
- *   - how many services / agent packages are allowed
- *   - access to LLM-powered scan (team+)
+ * Check whether the workspace config exceeds the tier's scale limits.
+ * **Advisory only** — the server is the enforcement authority (402). Surface as a
+ * warning + upgrade hint and proceed; never hard-block on this result.
  */
 export declare function enforceTierLimits(config: WorkspaceConfig, tier: LicenseTier): TierViolation[];
-/**
- * Check if the CLI is running in dev mode (for NEPOPSX agent developers).
- * Set NEPOPSX_DEV=1 to bypass license checks.
- */
+/** Set NEPOPSX_DEV=1 to bypass auth checks (for NEPOPSX agent developers). */
 export declare function isDevMode(): boolean;
 //# sourceMappingURL=license-manager.d.ts.map

package/dist/licensing/license-manager.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"license-manager.d.ts","sourceRoot":"","sources":["../../src/licensing/license-manager.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH,OAAO,EACL,KAAK,OAAO,EAAE,KAAK,aAAa,EAAE,KAAK,WAAW,EAAmB,KAAK,eAAe,EAG1F,MAAM,eAAe,CAAC;AAWvB;;GAEG;AACH,wBAAgB,WAAW,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,GAAG,IAAI,CAiB3D;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,GAAG,IAAI,CAUpE;AAED;;;;;;;;;GASG;AACH,wBAAgB,yBAAyB,CAAC,CAAC,SAAS,OAAO,GAAG,IAAI,EAChE,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,CAAC,GACT,CAAC,CAWH;AAID,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;;GAGG;AACH,wBAAsB,eAAe,CACnC,OAAO,EAAE,MAAM,EACf,UAAU,EAAE,MAAM,EAClB,aAAa,EAAE,MAAM,GACpB,OAAO,CAAC,gBAAgB,CAAC,CAoD3B;AAID;;;GAGG;AACH,wBAAsB,eAAe,CACnC,OAAO,EAAE,MAAM,EACf,MAAM,EAAE,eAAe,GACtB,OAAO,CAAC,aAAa,CAAC,CAsIxB;AA+CD,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,aAAa,EAAE,WAAW,CAAC;CAC5B;AAED;;;;;;;;GAQG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,eAAe,EAAE,IAAI,EAAE,WAAW,GAAG,aAAa,EAAE,CA4B7F;AAID;;;GAGG;AACH,wBAAgB,SAAS,IAAI,OAAO,CAEnC"}
+{"version":3,"file":"license-manager.d.ts","sourceRoot":"","sources":["../../src/licensing/license-manager.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EACL,KAAK,OAAO,EACZ,KAAK,aAAa,EAClB,KAAK,WAAW,EAChB,KAAK,eAAe,EACpB,KAAK,WAAW,EAIjB,MAAM,eAAe,CAAC;AAQvB;;;;;GAKG;AACH,wBAAgB,WAAW,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,GAAG,IAAI,CAc3D;AAED,2EAA2E;AAC3E,wBAAgB,yBAAyB,CAAC,CAAC,SAAS,OAAO,GAAG,IAAI,EAChE,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,CAAC,GACT,CAAC,CAEH;AAED,0EAA0E;AAC1E,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,OAAO,GAAG,IAAI,CAEtE;AAID;;;GAGG;AACH,wBAAsB,eAAe,CACnC,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,eAAe,GACvB,OAAO,CAAC,aAAa,CAAC,CA0BxB;AAID;;;;GAIG;AACH,wBAAsB,kBAAkB,CACtC,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,OAAO,GACf,OAAO,CAAC,WAAW,CAAC,CActB;AAID,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,aAAa,EAAE,WAAW,CAAC;CAC5B;AAED;;;;GAIG;AACH,wBAAgB,iBAAiB,CAC/B,MAAM,EAAE,eAAe,EACvB,IAAI,EAAE,WAAW,GAChB,aAAa,EAAE,CA4BjB;AAID,8EAA8E;AAC9E,wBAAgB,SAAS,IAAI,OAAO,CAEnC"}