@ornexus/neocortex 3.9.21 → 3.9.23

package/install.ps1

@@ -15,7 +15,7 @@ param(
     [string]$ServerUrl = "https://api.neocortex.ornexus.com"
 )
 
-$VERSION = "3.9.21"
+$VERSION = "3.9.23"
 
 # =============================================================================
 # CONFIGURACOES
@@ -388,6 +388,20 @@ function Invoke-AutoCleanupLegacy {
     # --- Categoria 7: Antigravity ---
     # Configs legadas de Antigravity sao gerenciadas pelo adapter, sem path fixo global
 
+    # --- Categoria 8: Plaintext cache cleanup (Epic 62 - GAP 1) ---
+    $cacheDir = "$env:USERPROFILE\.neocortex\cache"
+    if (Test-Path $cacheDir -PathType Container) {
+        # Remove plaintext menu-cache.json
+        Remove-LegacyItem "$cacheDir\menu-cache.json" "cache plaintext (menu)"
+
+        # Remove any non-.enc files in cache dir (excluding directories)
+        Get-ChildItem -Path $cacheDir -File -ErrorAction SilentlyContinue | Where-Object {
+            $_.Extension -ne ".enc"
+        } | ForEach-Object {
+            Remove-LegacyItem $_.FullName "cache plaintext"
+        }
+    }
+
     # --- Resultado ---
     $removed = $script:autoRemoved
     if ($removed -gt 0) {
@@ -586,6 +600,25 @@ function Set-ThinClientConfig {
         try {
             $existingConfig = Get-Content $configFile -Raw | ConvertFrom-Json -ErrorAction SilentlyContinue
             if ($existingConfig.mode -eq "active" -or $existingConfig.mode -eq "local" -or $existingConfig.mode -eq "remote") {
+                # --- Config schema migration (Epic 62 - GAP 4) ---
+                if (-not $existingConfig.configVersion) {
+                    Write-Dbg "Migrando schema do config.json (adicionando configVersion)"
+                    try {
+                        # Add configVersion
+                        $existingConfig | Add-Member -NotePropertyName "configVersion" -NotePropertyValue 1 -Force
+                        # Remove known obsolete fields
+                        $existingConfig.PSObject.Properties.Remove("version")
+                        $existingConfig.PSObject.Properties.Remove("cache")
+                        # Clean obsolete tier:3 from old base template
+                        if ($existingConfig.tier -eq 3 -and $existingConfig.mode -eq "pending-activation") {
+                            $existingConfig.PSObject.Properties.Remove("tier")
+                        }
+                        $existingConfig | ConvertTo-Json -Depth 5 | Out-File -FilePath $configFile -Encoding utf8
+                        Write-Dbg "Config migrada para configVersion 1"
+                    } catch {
+                        Write-Dbg "Falha na migracao do config: $_"
+                    }
+                }
                 Write-Dbg "Config existente preservada (mode=$($existingConfig.mode))"
                 return
             }
@@ -593,15 +626,9 @@ function Set-ThinClientConfig {
     }
 
     $config = @{
-        version = $VERSION
+        configVersion = 1
         mode = "pending-activation"
         serverUrl = $NEOCORTEX_SERVER_URL
-        tier = 3
-        cache = @{
-            enabled = $true
-            directory = "$configDir\cache"
-            encryption = "AES-256-GCM"
-        }
         resilience = @{
             circuitBreaker = $true
             maxRetries = 3
@@ -656,13 +683,42 @@ function Install-Core {
         Set-ThinClientConfig
     }
 
-    # Write version file
+    # --- Version-aware cache purge on upgrade (Epic 62 - GAP 2+3) ---
     $pkgJsonPath = Join-Path $script:SourceDir "package.json"
+    $pkgVersion = $null
     if (Test-Path $pkgJsonPath) {
         $pkgJson = Get-Content $pkgJsonPath -Raw | ConvertFrom-Json -ErrorAction SilentlyContinue
-        if ($pkgJson.version) {
-            $pkgJson.version | Out-File -FilePath "$script:DestDir\.version" -Encoding utf8 -NoNewline
+        $pkgVersion = $pkgJson.version
+    }
+
+    if ($pkgVersion) {
+        $oldVersion = $null
+        # Read existing .version from either location
+        $versionPaths = @("$script:DestDir\.version", "$env:USERPROFILE\.neocortex\.version")
+        foreach ($vp in $versionPaths) {
+            if (Test-Path $vp -PathType Leaf) {
+                $oldVersion = (Get-Content $vp -Raw -ErrorAction SilentlyContinue).Trim()
+                if ($oldVersion) { break }
+            }
+        }
+
+        # If version changed, purge all cache files
+        if ($oldVersion -and $oldVersion -ne $pkgVersion) {
+            $cachePurgeDir = "$env:USERPROFILE\.neocortex\cache"
+            if (Test-Path $cachePurgeDir -PathType Container) {
+                $purged = 0
+                Get-ChildItem -Path $cachePurgeDir -File -ErrorAction SilentlyContinue | ForEach-Object {
+                    Remove-Item $_.FullName -Force -ErrorAction SilentlyContinue
+                    $purged++
+                }
+                if ($purged -gt 0) {
+                    Write-Info "Cache purgado: versao alterada de $oldVersion para $pkgVersion ($purged arquivo(s))"
+                }
+            }
         }
+
+        # Write version file
+        $pkgVersion | Out-File -FilePath "$script:DestDir\.version" -Encoding utf8 -NoNewline
     }
 
     if ($LOCAL_MODE) {

package/install.sh

@@ -4,7 +4,7 @@
 # Development Orchestrator
 
 # Versao do instalador
-VERSION="3.9.21"
+VERSION="3.9.23"
 
 # Flags
 MIGRATION_DETECTED=false
@@ -415,6 +415,22 @@ auto_cleanup_legacy() {
     # ─── Categoria 7: Antigravity ─────────────────────────────────────────
     # Configs legadas de Antigravity sao gerenciadas pelo adapter, sem path fixo global
 
+    # ─── Categoria 8: Plaintext cache cleanup (Epic 62 - GAP 1) ─────────
+    local cache_dir="$HOME/.neocortex/cache"
+    if [ -d "$cache_dir" ]; then
+        # Remove plaintext menu-cache.json
+        _remove_legacy "$cache_dir/menu-cache.json" "cache plaintext (menu)"
+
+        # Remove any non-.enc files in cache dir (excluding directories)
+        for cache_file in "$cache_dir"/*; do
+            [ -f "$cache_file" ] || continue
+            case "$cache_file" in
+                *.enc) continue ;;  # Keep encrypted cache files
+                *) _remove_legacy "$cache_file" "cache plaintext" ;;
+            esac
+        done
+    fi
+
     # ─── Resultado ────────────────────────────────────────────────────────
     if [ $removed -gt 0 ]; then
         ok "$removed artefato(s) legado(s) removido(s) automaticamente"
@@ -569,12 +585,45 @@ setup_thin_client_config() {
     mkdir -p "$config_dir" 2>/dev/null
     mkdir -p "$config_dir/cache" 2>/dev/null
 
+    # Story 61.4 - F4 remediation: restrictive permissions
+    chmod 700 "$config_dir" 2>/dev/null
+    chmod 700 "$config_dir/cache" 2>/dev/null
+
     if [ -f "$config_file" ]; then
         # Preservar config existente, atualizar apenas serverUrl se necessario
         local existing_mode
         existing_mode=$(grep '"mode"' "$config_file" 2>/dev/null | head -1 | sed 's/.*"mode"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/')
 
         if [ "$existing_mode" = "active" ] || [ "$existing_mode" = "local" ] || [ "$existing_mode" = "remote" ]; then
+            # ─── Config schema migration (Epic 62 - GAP 4) ────────────────
+            # Check if config needs schema migration
+            local has_config_version
+            has_config_version=$(grep '"configVersion"' "$config_file" 2>/dev/null)
+            if [ -z "$has_config_version" ]; then
+                debug "Migrando schema do config.json (adicionando configVersion)"
+                if command -v node >/dev/null 2>&1; then
+                    node -e "
+const fs = require('fs');
+const path = '$config_file';
+try {
+    const cfg = JSON.parse(fs.readFileSync(path, 'utf-8'));
+    // Add configVersion
+    cfg.configVersion = 1;
+    // Remove known obsolete fields from old base template
+    delete cfg.version;
+    delete cfg.cache;
+    // Clean obsolete tier:3 from old base template (preserve real tier values)
+    if (cfg.tier === 3 && cfg.mode === 'pending-activation') {
+        delete cfg.tier;
+    }
+    fs.writeFileSync(path, JSON.stringify(cfg, null, 2) + '\n');
+}" 2>/dev/null
+                    chmod 600 "$config_file" 2>/dev/null
+                    debug "Config migrada para configVersion 1"
+                fi
+            fi
+            # Story 61.4 - ensure permissions are always enforced even on existing configs
+            chmod 600 "$config_file" 2>/dev/null
             debug "Config existente preservada (mode=$existing_mode)"
             return 0
         fi
@@ -583,15 +632,9 @@ setup_thin_client_config() {
     # Criar config base para thin client
     cat > "$config_file" << EOFCONFIG
 {
-  "version": "${VERSION}",
+  "configVersion": 1,
   "mode": "pending-activation",
   "serverUrl": "${NEOCORTEX_SERVER_URL}",
-  "tier": 3,
-  "cache": {
-    "enabled": true,
-    "directory": "${config_dir}/cache",
-    "encryption": "AES-256-GCM"
-  },
   "resilience": {
     "circuitBreaker": true,
     "maxRetries": 3,
@@ -602,6 +645,9 @@ setup_thin_client_config() {
 }
 EOFCONFIG
 
+    # Story 61.4 - F4 remediation: config file readable only by owner
+    chmod 600 "$config_file" 2>/dev/null
+
     debug "Thin client config criada: $config_file"
 }
 
@@ -637,12 +683,45 @@ install_core() {
     # Thin-client ONLY: zero IP on client, all content from server
     setup_thin_client_config
 
-    # Write version file
+    # ─── Version-aware cache purge on upgrade (Epic 62 - GAP 2+3) ───────
     local pkg_version=""
     if [ -f "$SOURCE_DIR/package.json" ]; then
         pkg_version=$(grep '"version"' "$SOURCE_DIR/package.json" 2>/dev/null | head -1 | sed 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/')
     fi
-    [ -n "$pkg_version" ] && echo "$pkg_version" > "$DEST_DIR/.version"
+
+    if [ -n "$pkg_version" ]; then
+        local old_version=""
+        # Read existing .version from either location
+        if [ -f "$DEST_DIR/.version" ]; then
+            old_version=$(cat "$DEST_DIR/.version" 2>/dev/null | tr -d '[:space:]')
+        elif [ -f "$HOME/.neocortex/.version" ]; then
+            old_version=$(cat "$HOME/.neocortex/.version" 2>/dev/null | tr -d '[:space:]')
+        fi
+
+        # If version changed, purge all cache files
+        if [ -n "$old_version" ] && [ "$old_version" != "$pkg_version" ]; then
+            local cache_dir="$HOME/.neocortex/cache"
+            if [ -d "$cache_dir" ]; then
+                local purged=0
+                # Remove all .enc files
+                for enc_file in "$cache_dir"/*.enc; do
+                    [ -f "$enc_file" ] || continue
+                    rm -f "$enc_file" 2>/dev/null && purged=$((purged + 1))
+                done
+                # Remove menu-cache.json (redundancy with 62.1)
+                [ -f "$cache_dir/menu-cache.json" ] && rm -f "$cache_dir/menu-cache.json" 2>/dev/null && purged=$((purged + 1))
+                # Remove any other non-directory files
+                for cache_file in "$cache_dir"/*; do
+                    [ -f "$cache_file" ] || continue
+                    rm -f "$cache_file" 2>/dev/null && purged=$((purged + 1))
+                done
+                [ $purged -gt 0 ] && info "Cache purgado: versao alterada de $old_version para $pkg_version ($purged arquivo(s))"
+            fi
+        fi
+
+        # Write version file
+        echo "$pkg_version" > "$DEST_DIR/.version"
+    fi
 
     if [ $errors -eq 0 ]; then
         ok "Core instalado ${DIM}(thin client configurado) [modo remoto]${NC}"

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@ornexus/neocortex",
-  "version": "3.9.21",
-  "description": "Neocortex v3.9.21 - Orquestrador de Desenvolvimento de Epics & Stories para Claude Code",
+  "version": "3.9.23",
+  "description": "Neocortex v3.9.23 - Orquestrador de Desenvolvimento de Epics & Stories para Claude Code",
   "keywords": [
     "claude",
     "claude-code",
@@ -52,7 +52,10 @@
     "install.js",
     "install.sh",
     "install.ps1",
+    "postinstall.js",
     "packages/client/dist/",
+    "!packages/client/dist/**/*.js.map",
+    "!packages/client/dist/**/*.d.ts.map",
     "targets-stubs/"
   ],
   "scripts": {
@@ -60,7 +63,7 @@
     "build:clean": "rm -rf packages/shared/dist packages/client/dist && npm run build",
     "build:client": "npm run build -w packages/client",
     "build:shared": "npm run build -w packages/shared",
-    "postinstall": "node -e \"console.log('\\nNeocortex instalado!\\n\\nUso:\\n  @neocortex @docs/stories/1.1.story.md\\n  @neocortex @epic-1\\n  @neocortex *status\\n')\"",
+    "postinstall": "node postinstall.js",
     "sync": "node sync-version.js",
     "validate": "bash scripts/validate-pre-publish.sh",
     "test:e2e": "bash scripts/e2e-smoke-test.sh",

package/packages/client/dist/agent/refresh-stubs.js

@@ -39,6 +39,26 @@ const STUB_TARGETS = [
         sourceDir: 'gemini-cli',
         files: ['agent.md'],
     },
+    {
+        destDir: join(homedir(), '.cursor', 'agents'),
+        sourceDir: 'cursor',
+        files: ['agent.md'],
+    },
+    {
+        destDir: join(homedir(), '.codex'),
+        sourceDir: 'codex',
+        files: ['agents.md'],
+    },
+    {
+        destDir: join(homedir(), '.vscode'),
+        sourceDir: 'vscode',
+        files: ['agent.md'],
+    },
+    {
+        destDir: join(homedir(), '.agent', 'skills', 'neocortex'),
+        sourceDir: 'antigravity',
+        files: ['skill/SKILL.md'],
+    },
 ];
 // -- Package Root Resolution --------------------------------------------------
 /**
@@ -127,7 +147,8 @@ export function refreshStubs(cliVersion) {
                     const src = join(sourceDir, file);
                     const dest = join(target.destDir, file);
                     if (existsSync(src)) {
-                        mkdirSync(target.destDir, { recursive: true });
+                        // Ensure parent directory exists (handles nested paths like skill/SKILL.md)
+                        mkdirSync(dirname(dest), { recursive: true });
                         copyFileSync(src, dest);
                         copiedAny = true;
                     }

package/packages/client/dist/commands/activate.js

@@ -29,6 +29,7 @@ import { getMachineFingerprint } from '../machine/fingerprint.js';
 import { updateAgentDescription } from '../agent/update-description.js';
 import { refreshStubs } from '../agent/refresh-stubs.js';
 import { updateAgentYaml } from '../agent/update-agent-yaml.js';
+import { saveSecureConfig, setSecureDirPermissions } from '../config/secure-config.js';
 // ── Version Resolution ────────────────────────────────────────────────────
 function getInstalledVersion() {
     try {
@@ -94,11 +95,31 @@ function loadExistingConfig() {
 }
 /**
  * Save user config after successful activation.
- * License key is stored to enable LicenseClient re-creation in invoke.
+ * License key is encrypted using machine fingerprint (Story 61.2).
+ * File permissions set to 600 (Story 61.4).
  */
 function saveConfig(config) {
+    // Ensure directories exist with secure permissions
     mkdirSync(CONFIG_DIR, { recursive: true });
-    writeFileSync(CONFIG_FILE, JSON.stringify(config, null, 2) + '\n', 'utf-8');
+    setSecureDirPermissions(CONFIG_DIR);
+    const cacheDir = join(CONFIG_DIR, 'cache');
+    mkdirSync(cacheDir, { recursive: true });
+    setSecureDirPermissions(cacheDir);
+    if (config.licenseKey) {
+        // Use secure config writer which encrypts the license key
+        saveSecureConfig({
+            serverUrl: config.serverUrl,
+            mode: config.mode,
+            machineId: config.machineId,
+            activatedAt: config.activatedAt,
+            tier: config.tier,
+            licenseKey: config.licenseKey,
+        });
+    }
+    else {
+        // Fallback: write without license key (should not happen in normal flow)
+        writeFileSync(CONFIG_FILE, JSON.stringify(config, null, 2) + '\n', 'utf-8');
+    }
 }
 // ── Activate Command ──────────────────────────────────────────────────────
 /**

package/packages/client/dist/commands/invoke.js

@@ -19,17 +19,17 @@
  *
  * Story 45.2 - AC1-AC6
  */
-import { existsSync, readFileSync, mkdirSync, writeFileSync } from 'node:fs';
+import { existsSync, readFileSync, unlinkSync } from 'node:fs';
 import { join } from 'node:path';
 import { homedir } from 'node:os';
 import { LicenseClient } from '../license/license-client.js';
 import { EncryptedCache } from '../cache/encrypted-cache.js';
 import { NoOpCache } from '../types/index.js';
 import { TierAwareClient } from '../tier/tier-aware-client.js';
+import { loadSecureConfig } from '../config/secure-config.js';
 // ── Constants ─────────────────────────────────────────────────────────────
 const DEFAULT_SERVER_URL = 'https://api.neocortex.ornexus.com';
 const CONFIG_DIR = join(homedir(), '.neocortex');
-const CONFIG_FILE = join(CONFIG_DIR, 'config.json');
 const CACHE_DIR = join(CONFIG_DIR, 'cache');
 const MENU_CACHE_FILE = join(CACHE_DIR, 'menu-cache.json');
 const MENU_CACHE_TTL_MS = 24 * 60 * 60 * 1000; // 24 hours
@@ -115,18 +115,24 @@ export function collectStateSnapshot(projectRoot) {
         epics,
     };
 }
-// ── Menu Cache ────────────────────────────────────────────────────────────
-function getMenuCache() {
+// ── Menu Cache (Encrypted - Story 61.1) ──────────────────────────────────
+const MENU_CACHE_KEY = 'neocortex:menu:cache';
+/**
+ * Read menu cache from EncryptedCache.
+ * Falls back gracefully: if decryption fails or data is stale, returns null.
+ * Also cleans up legacy plaintext menu-cache.json if it exists.
+ */
+async function getMenuCache(encryptedCache) {
     try {
-        if (!existsSync(MENU_CACHE_FILE))
+        const raw = await encryptedCache.get(MENU_CACHE_KEY);
+        if (!raw)
             return null;
-        const raw = readFileSync(MENU_CACHE_FILE, 'utf-8');
         const cache = JSON.parse(raw);
         // Invalidate on version mismatch (stale cache from previous install)
         if (cache.version !== CLIENT_VERSION) {
             return null;
         }
-        // Check TTL
+        // Check TTL (EncryptedCache also has TTL, but we double-check for version-based invalidation)
         if (Date.now() - cache.cachedAt > MENU_CACHE_TTL_MS) {
             return null; // Expired
         }
@@ -136,33 +142,47 @@ function getMenuCache() {
         return null;
     }
 }
-function setMenuCache(instructions, metadata) {
+/**
+ * Write menu cache to EncryptedCache.
+ * Deletes legacy plaintext menu-cache.json on first encrypted write.
+ */
+async function setMenuCache(encryptedCache, instructions, metadata) {
     try {
-        mkdirSync(CACHE_DIR, { recursive: true });
         const cache = {
             instructions,
             metadata,
             cachedAt: Date.now(),
             version: CLIENT_VERSION,
         };
-        writeFileSync(MENU_CACHE_FILE, JSON.stringify(cache), 'utf-8');
+        await encryptedCache.set(MENU_CACHE_KEY, JSON.stringify(cache), MENU_CACHE_TTL_MS);
+        // Delete legacy plaintext menu-cache.json if it exists (F1 remediation)
+        deleteLegacyMenuCache();
     }
     catch {
         // Cache write failure is non-critical
     }
 }
-// ── Config Loading ────────────────────────────────────────────────────────
-function loadConfig() {
+/**
+ * Remove legacy plaintext menu-cache.json file.
+ * Called after successful encrypted write to prevent IP leakage.
+ */
+function deleteLegacyMenuCache() {
     try {
-        if (existsSync(CONFIG_FILE)) {
-            const raw = readFileSync(CONFIG_FILE, 'utf-8');
-            return JSON.parse(raw);
+        if (existsSync(MENU_CACHE_FILE)) {
+            unlinkSync(MENU_CACHE_FILE);
         }
     }
     catch {
-        // Ignore
+        // Non-critical: best-effort cleanup
     }
-    return null;
+}
+// ── Config Loading (Story 61.2 - Secure) ─────────────────────────────────
+/**
+ * Load config with automatic decryption of license key.
+ * Handles migration from plaintext licenseKey to encryptedLicenseKey.
+ */
+function loadConfig() {
+    return loadSecureConfig();
 }
 async function getAuthTokenAndClient(serverUrl, licenseKey) {
     try {
@@ -262,10 +282,14 @@ export async function invoke(options) {
     const serverUrl = (options.serverUrl ?? config?.serverUrl ?? DEFAULT_SERVER_URL).replace(/\/+$/, '');
     // 2. Collect state snapshot
     const stateSnapshot = collectStateSnapshot(projectRoot);
+    // 2a. Create encrypted cache for menu (uses licenseKey as passphrase)
+    const menuCache = config?.licenseKey
+        ? new EncryptedCache({ cacheDir: CACHE_DIR, passphrase: config.licenseKey })
+        : null;
     // 3. Check menu cache for empty invocations (AC6)
     const trimmedArgs = options.args.trim();
-    if (!trimmedArgs) {
-        const cachedMenu = getMenuCache();
+    if (!trimmedArgs && menuCache) {
+        const cachedMenu = await getMenuCache(menuCache);
         if (cachedMenu) {
             return {
                 success: true,
@@ -331,9 +355,9 @@ export async function invoke(options) {
             exitCode,
         };
     }
-    // 6. Cache menu responses (AC6)
-    if (!trimmedArgs && result.data.metadata?.mode === 'menu') {
-        setMenuCache(result.data.instructions, result.data.metadata);
+    // 6. Cache menu responses (AC6) - encrypted (Story 61.1)
+    if (!trimmedArgs && result.data.metadata?.mode === 'menu' && menuCache) {
+        setMenuCache(menuCache, result.data.instructions, result.data.metadata).catch(() => { });
     }
     // 6a. Update cached quota from server response metadata (Epic 60)
     if (result.data.metadata) {

package/packages/client/dist/config/secure-config.d.ts

@@ -0,0 +1,69 @@
+/**
+ * @license FSL-1.1
+ * Copyright (c) 2026 OrNexus AI
+ *
+ * This file is part of Neocortex CLI, licensed under the
+ * Functional Source License, Version 1.1 (FSL-1.1).
+ *
+ * Change Date: February 20, 2029
+ * Change License: MIT
+ *
+ * See the LICENSE file in the project root for full license text.
+ */
+/** Resolved config with decrypted license key */
+export interface SecureConfig {
+    readonly serverUrl?: string;
+    readonly mode?: string;
+    readonly machineId?: string;
+    readonly activatedAt?: string;
+    readonly tier?: string;
+    readonly licenseKey?: string;
+}
+/**
+ * Encrypt a license key using the machine fingerprint as passphrase.
+ * Returns the encrypted envelope string.
+ */
+export declare function encryptLicenseKey(licenseKey: string): string;
+/**
+ * Decrypt a license key using the machine fingerprint as passphrase.
+ * Returns the plaintext key or null if decryption fails (hardware changed).
+ */
+export declare function decryptLicenseKey(encryptedKey: string): string | null;
+/**
+ * Set restrictive file permissions (600) on config files.
+ * Skipped on Windows where chmod is not meaningful.
+ * Story 61.4 - F4 remediation.
+ */
+export declare function setSecureFilePermissions(filePath: string): void;
+/**
+ * Set restrictive directory permissions (700) on config directories.
+ * Skipped on Windows where chmod is not meaningful.
+ * Story 61.4 - F4 remediation.
+ */
+export declare function setSecureDirPermissions(dirPath: string): void;
+/**
+ * Load config from ~/.neocortex/config.json with automatic migration.
+ *
+ * If the config contains a plaintext `licenseKey` (old format), it is:
+ * 1. Encrypted using machine fingerprint
+ * 2. Stored as `encryptedLicenseKey`
+ * 3. Old `licenseKey` field removed
+ * 4. Config rewritten to disk
+ *
+ * If decryption of `encryptedLicenseKey` fails (hardware change),
+ * returns config with licenseKey = undefined.
+ */
+export declare function loadSecureConfig(): SecureConfig | null;
+/**
+ * Save config after activation with encrypted license key.
+ * This is the primary write path called from activate.ts.
+ */
+export declare function saveSecureConfig(config: {
+    serverUrl: string;
+    mode: string;
+    machineId: string;
+    activatedAt: string;
+    tier?: string;
+    licenseKey: string;
+}): void;
+//# sourceMappingURL=secure-config.d.ts.map