@ornexus/neocortex 4.0.1 → 4.0.2

package/packages/client/dist/config/resolver-selection.js

@@ -1,278 +1 @@
-/**
- * @license FSL-1.1
- * Copyright (c) 2026 OrNexus AI
- *
- * This file is part of Neocortex CLI, licensed under the
- * Functional Source License, Version 1.1 (FSL-1.1).
- *
- * Change Date: February 20, 2029
- * Change License: MIT
- *
- * See the LICENSE file in the project root for full license text.
- */
-/**
- * @neocortex/client - Resolver Selection Factory
- *
- * Factory function that selects the appropriate AssetResolver
- * based on CLI flags, environment variables, and auto-detection.
- *
- * Decision chain (priority order):
- * 1. forceLocal option (--local flag) -> LocalResolver
- * 2. NEOCORTEX_MODE=local env -> LocalResolver
- * 3. NEOCORTEX_MODE=remote env -> RemoteResolver
- * 4. core/ directory exists locally -> LocalResolver (dev mode)
- * 4.5. Feature flag cutover (hash(machine) % 100 < remotePercentage) -> RemoteResolver
- * 5. Valid license key present + no core/ -> RemoteResolver
- * 6. Default -> LocalResolver (safe fallback)
- */
-import { access, readFile, writeFile, mkdir } from 'node:fs/promises';
-import { join, resolve } from 'node:path';
-import { homedir } from 'node:os';
-import { createHash } from 'node:crypto';
-import { LocalResolver } from '../resolvers/local-resolver.js';
-import { RemoteResolver } from '../resolvers/remote-resolver.js';
-import { DEFAULT_SERVER_URL } from '../constants.js';
-// ── Feature Flag (Story 43.7) ───────────────────────────────────────────
-const CONFIG_CACHE_FILE = join(homedir(), '.neocortex', 'feature-flags.json');
-const CONFIG_CACHE_TTL_MS = 3600_000; // 1 hour
-/**
- * Check if this machine should use remote mode based on server feature flags.
- * Uses hash(machine_fingerprint) % 100 < remotePercentage to determine bucket.
- * Caches the server config for 1 hour.
- *
- * Returns 'remote' | 'local' | 'skip' (skip = no flag applies)
- */
-async function checkFeatureFlag(options) {
-    try {
-        // Check env override
-        const envPercentage = process.env['NEOCORTEX_REMOTE_PERCENTAGE'];
-        if (envPercentage !== undefined) {
-            const pct = parseInt(envPercentage, 10);
-            if (isNaN(pct) || pct <= 0)
-                return 'skip';
-            return isInRemoteBucket(pct) ? 'remote' : 'local';
-        }
-        // Try cached config
-        const cached = await loadFeatureFlagCache();
-        if (cached) {
-            if (cached.forceLocal)
-                return 'local';
-            if (cached.forceRemote)
-                return 'remote';
-            if (cached.remotePercentage <= 0)
-                return 'skip';
-            return isInRemoteBucket(cached.remotePercentage) ? 'remote' : 'local';
-        }
-        // Fetch from server (non-blocking, fail gracefully)
-        const serverUrl = getServerUrl(options);
-        const config = await fetchFeatureFlags(serverUrl);
-        if (config) {
-            await saveFeatureFlagCache(config);
-            if (config.forceLocal)
-                return 'local';
-            if (config.forceRemote)
-                return 'remote';
-            if (config.remotePercentage <= 0)
-                return 'skip';
-            return isInRemoteBucket(config.remotePercentage) ? 'remote' : 'local';
-        }
-        return 'skip'; // No flag info available
-    }
-    catch {
-        return 'skip'; // Never block on feature flag errors
-    }
-}
-/**
- * Deterministic bucket assignment using machine fingerprint hash.
- * hash(machine_id) % 100 < percentage = in remote bucket
- */
-function isInRemoteBucket(percentage) {
-    const machineId = process.env['NEOCORTEX_MACHINE_ID'] ?? 'default';
-    const hash = createHash('sha256').update(machineId).digest();
-    const bucket = hash.readUInt16BE(0) % 100;
-    return bucket < percentage;
-}
-async function loadFeatureFlagCache() {
-    try {
-        const raw = await readFile(CONFIG_CACHE_FILE, 'utf-8');
-        const cached = JSON.parse(raw);
-        if (Date.now() - cached.fetchedAt < CONFIG_CACHE_TTL_MS) {
-            return cached;
-        }
-        return null; // Expired
-    }
-    catch {
-        return null;
-    }
-}
-async function saveFeatureFlagCache(config) {
-    try {
-        await mkdir(join(homedir(), '.neocortex'), { recursive: true });
-        await writeFile(CONFIG_CACHE_FILE, JSON.stringify(config), 'utf-8');
-    }
-    catch {
-        // Non-critical - ignore
-    }
-}
-async function fetchFeatureFlags(serverUrl) {
-    try {
-        const controller = new AbortController();
-        const timeout = setTimeout(() => controller.abort(), 5000);
-        const response = await fetch(`${serverUrl}/api/v1/config`, {
-            signal: controller.signal,
-        });
-        clearTimeout(timeout);
-        if (!response.ok)
-            return null;
-        const data = (await response.json());
-        return {
-            remotePercentage: data.remotePercentage ?? 0,
-            forceRemote: data.forceRemote ?? false,
-            forceLocal: data.forceLocal ?? false,
-            fetchedAt: Date.now(),
-        };
-    }
-    catch {
-        return null;
-    }
-}
-// ── Detection Helpers ───────────────────────────────────────────────────
-/**
- * Check if the core/ directory exists at the given project root.
- * This indicates development mode.
- */
-async function detectLocalMode(projectRoot) {
-    try {
-        await access(join(projectRoot, 'core'));
-        return true;
-    }
-    catch {
-        return false;
-    }
-}
-/**
- * Get license key from environment or options.
- */
-function getLicenseKey(options) {
-    return options?.licenseKey || process.env['NEOCORTEX_LICENSE_KEY'] || undefined;
-}
-/**
- * Get server URL from environment or options.
- */
-function getServerUrl(options) {
-    return (options?.serverUrl ||
-        process.env['NEOCORTEX_SERVER_URL'] ||
-        DEFAULT_SERVER_URL);
-}
-// ── Factory Function ────────────────────────────────────────────────────
-/**
- * Create the appropriate AssetResolver based on configuration.
- *
- * Selection follows a strict priority chain:
- * 1. forceLocal option -> LocalResolver
- * 2. NEOCORTEX_MODE=local -> LocalResolver
- * 3. NEOCORTEX_MODE=remote -> RemoteResolver
- * 4. core/ exists locally -> LocalResolver
- * 5. License key + no core/ -> RemoteResolver
- * 6. Default -> LocalResolver
- *
- * @param options - Optional configuration overrides
- * @returns Configured AssetResolver ready for use
- */
-export async function createResolver(options) {
-    const result = await selectResolver(options);
-    return result.resolver;
-}
-/**
- * Select resolver with full result including reason.
- * Useful for logging/debugging why a specific resolver was chosen.
- */
-export async function selectResolver(options) {
-    const projectRoot = resolve(options?.projectRoot || process.cwd());
-    const neocortexMode = process.env['NEOCORTEX_MODE']?.toLowerCase();
-    // 1. forceLocal option (--local CLI flag)
-    if (options?.forceLocal) {
-        return {
-            resolver: new LocalResolver({ projectRoot }),
-            reason: 'Forced local mode via --local flag',
-            mode: 'local',
-        };
-    }
-    // 2. NEOCORTEX_MODE=local
-    if (neocortexMode === 'local') {
-        return {
-            resolver: new LocalResolver({ projectRoot }),
-            reason: 'NEOCORTEX_MODE=local environment variable',
-            mode: 'local',
-        };
-    }
-    // 3. NEOCORTEX_MODE=remote
-    if (neocortexMode === 'remote') {
-        const licenseKey = getLicenseKey(options);
-        if (!licenseKey) {
-            // Fall back to local if no license key for remote mode
-            return {
-                resolver: new LocalResolver({ projectRoot }),
-                reason: 'NEOCORTEX_MODE=remote but no license key found, falling back to local',
-                mode: 'local',
-            };
-        }
-        return {
-            resolver: new RemoteResolver({
-                serverUrl: getServerUrl(options),
-                licenseKey,
-                cacheProvider: options?.cacheProvider,
-                licenseClient: options?.licenseClient,
-            }),
-            reason: 'NEOCORTEX_MODE=remote environment variable',
-            mode: 'remote',
-        };
-    }
-    // 4. Auto-detect: core/ directory exists -> dev mode
-    const hasLocalCore = await detectLocalMode(projectRoot);
-    if (hasLocalCore) {
-        return {
-            resolver: new LocalResolver({ projectRoot }),
-            reason: 'Auto-detected development mode (core/ directory exists)',
-            mode: 'local',
-        };
-    }
-    // 4.5. Feature flag cutover check (Story 43.7)
-    // If server config says remotePercentage > 0, check if this machine is in the bucket
-    const featureFlagResult = await checkFeatureFlag(options);
-    if (featureFlagResult === 'remote') {
-        const licenseKey = getLicenseKey(options);
-        if (licenseKey) {
-            return {
-                resolver: new RemoteResolver({
-                    serverUrl: getServerUrl(options),
-                    licenseKey,
-                    cacheProvider: options?.cacheProvider,
-                    licenseClient: options?.licenseClient,
-                }),
-                reason: 'Feature flag cutover: machine in remote bucket',
-                mode: 'remote',
-            };
-        }
-    }
-    // 5. License key present + no core/ -> production mode
-    const licenseKey = getLicenseKey(options);
-    if (licenseKey) {
-        return {
-            resolver: new RemoteResolver({
-                serverUrl: getServerUrl(options),
-                licenseKey,
-                cacheProvider: options?.cacheProvider,
-                licenseClient: options?.licenseClient,
-            }),
-            reason: 'Auto-detected production mode (license key present, no core/ directory)',
-            mode: 'remote',
-        };
-    }
-    // 6. Default -> LocalResolver (safe fallback)
-    return {
-        resolver: new LocalResolver({ projectRoot }),
-        reason: 'Default fallback to local mode',
-        mode: 'local',
-    };
-}
+import{access as E,readFile as h,writeFile as R,mkdir as C}from"node:fs/promises";import{join as i,resolve as w}from"node:path";import{homedir as d}from"node:os";import{createHash as g}from"node:crypto";import{LocalResolver as l}from"../resolvers/local-resolver.js";import{RemoteResolver as u}from"../resolvers/remote-resolver.js";import{DEFAULT_SERVER_URL as O}from"../constants.js";const v=i(d(),".neocortex","feature-flags.json"),y=36e5;async function _(e){try{const r=process.env.NEOCORTEX_REMOTE_PERCENTAGE;if(r!==void 0){const n=parseInt(r,10);return isNaN(n)||n<=0?"skip":f(n)?"remote":"local"}const t=await F();if(t)return t.forceLocal?"local":t.forceRemote?"remote":t.remotePercentage<=0?"skip":f(t.remotePercentage)?"remote":"local";const c=s(e),o=await L(c);return o?(await p(o),o.forceLocal?"local":o.forceRemote?"remote":o.remotePercentage<=0?"skip":f(o.remotePercentage)?"remote":"local"):"skip"}catch{return"skip"}}function f(e){const r=process.env.NEOCORTEX_MACHINE_ID??"default";return g("sha256").update(r).digest().readUInt16BE(0)%100<e}async function F(){try{const e=await h(v,"utf-8"),r=JSON.parse(e);return Date.now()-r.fetchedAt<y?r:null}catch{return null}}async function p(e){try{await C(i(d(),".neocortex"),{recursive:!0}),await R(v,JSON.stringify(e),"utf-8")}catch{}}async function L(e){try{const r=new AbortController,t=setTimeout(()=>r.abort(),5e3),c=await fetch(`${e}/api/v1/config`,{signal:r.signal});if(clearTimeout(t),!c.ok)return null;const o=await c.json();return{remotePercentage:o.remotePercentage??0,forceRemote:o.forceRemote??!1,forceLocal:o.forceLocal??!1,fetchedAt:Date.now()}}catch{return null}}async function N(e){try{return await E(i(e,"core")),!0}catch{return!1}}function m(e){return e?.licenseKey||process.env.NEOCORTEX_LICENSE_KEY||void 0}function s(e){return e?.serverUrl||process.env.NEOCORTEX_SERVER_URL||O}async function M(e){return(await k(e)).resolver}async function k(e){const r=w(e?.projectRoot||process.cwd()),t=process.env.NEOCORTEX_MODE?.toLowerCase();if(e?.forceLocal)return{resolver:new l({projectRoot:r}),reason:"Forced local mode via --local flag",mode:"local"};if(t==="local")return{resolver:new l({projectRoot:r}),reason:"NEOCORTEX_MODE=local environment variable",mode:"local"};if(t==="remote"){const a=m(e);return a?{resolver:new u({serverUrl:s(e),licenseKey:a,cacheProvider:e?.cacheProvider,licenseClient:e?.licenseClient}),reason:"NEOCORTEX_MODE=remote environment variable",mode:"remote"}:{resolver:new l({projectRoot:r}),reason:"NEOCORTEX_MODE=remote but no license key found, falling back to local",mode:"local"}}if(await N(r))return{resolver:new l({projectRoot:r}),reason:"Auto-detected development mode (core/ directory exists)",mode:"local"};if(await _(e)==="remote"){const a=m(e);if(a)return{resolver:new u({serverUrl:s(e),licenseKey:a,cacheProvider:e?.cacheProvider,licenseClient:e?.licenseClient}),reason:"Feature flag cutover: machine in remote bucket",mode:"remote"}}const n=m(e);return n?{resolver:new u({serverUrl:s(e),licenseKey:n,cacheProvider:e?.cacheProvider,licenseClient:e?.licenseClient}),reason:"Auto-detected production mode (license key present, no core/ directory)",mode:"remote"}:{resolver:new l({projectRoot:r}),reason:"Default fallback to local mode",mode:"local"}}export{M as createResolver,k as selectResolver};

package/packages/client/dist/config/secure-config.js

@@ -1,269 +1,12 @@
-/**
- * @license FSL-1.1
- * Copyright (c) 2026 OrNexus AI
- *
- * This file is part of Neocortex CLI, licensed under the
- * Functional Source License, Version 1.1 (FSL-1.1).
- *
- * Change Date: February 20, 2029
- * Change License: MIT
- *
- * See the LICENSE file in the project root for full license text.
- */
-/**
- * @neocortex/client - Secure Config
- *
- * Handles reading and writing config.json with encrypted license key.
- * Uses machine fingerprint as encryption seed so the key is bound
- * to the physical machine.
- *
- * Story 61.2 - F2 remediation: license key no longer stored in plaintext.
- *
- * Migration: if config has plaintext `licenseKey`, it is silently
- * migrated to `encryptedLicenseKey` on first read.
- *
- * If decryption fails (e.g. hardware change), returns null for
- * licenseKey, requiring re-activation.
- */
-import { existsSync, readFileSync, writeFileSync, mkdirSync, chmodSync } from 'node:fs';
-import { execSync } from 'node:child_process';
-import { join } from 'node:path';
-import { homedir } from 'node:os';
-import { encrypt, decrypt } from '../cache/crypto-utils.js';
-import { getMachineFingerprint } from '../machine/fingerprint.js';
-import { DEFAULT_SERVER_URL } from '../constants.js';
-// ── Constants ────────────────────────────────────────────────────────────
-const CONFIG_DIR = join(homedir(), '.neocortex');
-const CONFIG_FILE = join(CONFIG_DIR, 'config.json');
-// ── Types ────────────────────────────────────────────────────────────────
-/** Current config schema version (Epic 62 - FR8) */
-const CURRENT_CONFIG_VERSION = 1;
-// ── License Key Encryption ──────────────────────────────────────────────
-/**
- * Encrypt a license key using the machine fingerprint as passphrase.
- * Returns the encrypted envelope string.
- */
-export function encryptLicenseKey(licenseKey) {
-    const fingerprint = getMachineFingerprint();
-    return encrypt(licenseKey, fingerprint);
-}
-/**
- * Decrypt a license key using the machine fingerprint as passphrase.
- * Returns the plaintext key or null if decryption fails (hardware changed).
- */
-export function decryptLicenseKey(encryptedKey) {
-    try {
-        const fingerprint = getMachineFingerprint();
-        const result = decrypt(encryptedKey, fingerprint);
-        // expired flag is not relevant for license keys (no TTL)
-        return result.plaintext;
-    }
-    catch {
-        return null;
-    }
-}
-// ── Secure File Permissions ─────────────────────────────────────────────
-/**
- * Set restrictive file permissions on config files.
- * Unix: chmod 600 (owner read/write only).
- * Windows: icacls to remove inheritance and grant Full Control only to current user.
- * Story 61.4 - F4 remediation.
- * Story 66.1 - Windows ACL via icacls.
- */
-export function setSecureFilePermissions(filePath) {
-    try {
-        if (process.platform === 'win32') {
-            const username = process.env.USERNAME || process.env.USER || '';
-            if (!username)
-                return;
-            execSync(`icacls "${filePath}" /inheritance:r /grant:r "${username}:(F)"`, { stdio: 'pipe', timeout: 5000 });
-        }
-        else {
-            chmodSync(filePath, 0o600);
-        }
-    }
-    catch {
-        // Fail-open: ACL/chmod is hardening, not blocking
-    }
-}
-/**
- * Set restrictive directory permissions on config directories.
- * Unix: chmod 700 (owner read/write/execute only).
- * Windows: icacls with (OI)(CI) for propagation to child objects.
- * Story 61.4 - F4 remediation.
- * Story 66.1 - Windows ACL via icacls.
- */
-export function setSecureDirPermissions(dirPath) {
-    try {
-        if (process.platform === 'win32') {
-            const username = process.env.USERNAME || process.env.USER || '';
-            if (!username)
-                return;
-            execSync(`icacls "${dirPath}" /inheritance:r /grant:r "${username}:(OI)(CI)(F)"`, { stdio: 'pipe', timeout: 5000 });
-        }
-        else {
-            chmodSync(dirPath, 0o700);
-        }
-    }
-    catch {
-        // Fail-open: ACL/chmod is hardening, not blocking
-    }
-}
-// ── Localhost Warning ────────────────────────────────────────────────────
-/**
- * Story 32.08: Warn if serverUrl points to localhost.
- * Informative only -- does NOT modify config.
- */
-let localhostWarningShown = false;
-function warnIfLocalhost(config) {
-    if (localhostWarningShown)
-        return;
-    const url = config.serverUrl;
-    if (!url)
-        return;
-    const isLocal = /^https?:\/\/(localhost|127\.0\.0\.1|0\.0\.0\.0)(:\d+)?/i.test(url);
-    if (isLocal) {
-        localhostWarningShown = true;
-        console.warn('\n[!] Warning: connected to local server (' + url + ').\n' +
-            '    To use production, run: neocortex activate YOUR-LICENSE-KEY\n' +
-            '    Get yours at https://neocortex.ornexus.com/login\n');
-    }
-}
-// ── Config Read/Write ───────────────────────────────────────────────────
-/**
- * Load config from ~/.neocortex/config.json with automatic migration.
- *
- * If the config contains a plaintext `licenseKey` (old format), it is:
- * 1. Encrypted using machine fingerprint
- * 2. Stored as `encryptedLicenseKey`
- * 3. Old `licenseKey` field removed
- * 4. Config rewritten to disk
- *
- * If decryption of `encryptedLicenseKey` fails (hardware change),
- * returns config with licenseKey = undefined.
- */
-export function loadSecureConfig() {
-    try {
-        if (!existsSync(CONFIG_FILE))
-            return null;
-        const raw = readFileSync(CONFIG_FILE, 'utf-8');
-        // Strip UTF-8 BOM if present (PowerShell 5.1 writes BOM via Out-File -Encoding utf8)
-        // Defense in depth: handles configs written by old PS 5.1 installers (Epic 63 - Story 63.1)
-        const config = JSON.parse(raw.replace(/^\uFEFF/, ''));
-        // Migration path: plaintext licenseKey -> encrypted
-        if (config.licenseKey && !config.encryptedLicenseKey) {
-            const encrypted = encryptLicenseKey(config.licenseKey);
-            const migratedConfig = { ...config };
-            const plainKey = migratedConfig.licenseKey;
-            delete migratedConfig.licenseKey;
-            migratedConfig.encryptedLicenseKey = encrypted;
-            // Ensure configVersion is preserved or added during migration
-            if (!migratedConfig.configVersion) {
-                migratedConfig.configVersion = CURRENT_CONFIG_VERSION;
-            }
-            writeSecureConfig(migratedConfig);
-            return {
-                serverUrl: config.serverUrl,
-                mode: config.mode,
-                machineId: config.machineId,
-                activatedAt: config.activatedAt,
-                tier: config.tier,
-                licenseKey: plainKey,
-                keyType: config.keyType,
-            };
-        }
-        // Decrypt encrypted license key
-        let licenseKey;
-        if (config.encryptedLicenseKey) {
-            const decrypted = decryptLicenseKey(config.encryptedLicenseKey);
-            if (decrypted) {
-                licenseKey = decrypted;
-            }
-            // If decryption fails, licenseKey remains undefined -> requires re-activation
-            // Story P26.06 below handles the fingerprint change warning
-        }
-        const result = {
-            serverUrl: config.serverUrl,
-            mode: config.mode,
-            machineId: config.machineId,
-            activatedAt: config.activatedAt,
-            tier: config.tier,
-            licenseKey,
-            keyType: config.keyType,
-        };
-        // Story P26.04 + P26.06: Detect fingerprint change early and warn
-        // This catches the issue BEFORE the user tries to invoke and gets a confusing error
-        if (config.machineId && !licenseKey && config.encryptedLicenseKey) {
-            const currentFp = getMachineFingerprint();
-            if (config.machineId !== currentFp) {
-                console.warn(`\n[!] Machine fingerprint changed (was: ${config.machineId.slice(0, 12)}..., now: ${currentFp.slice(0, 12)}...).` +
-                    '\n    Your encrypted credentials are no longer valid.' +
-                    '\n    Re-activate with: neocortex activate YOUR-LICENSE-KEY\n');
-            }
-        }
-        // Story 32.08: Warn if serverUrl points to localhost
-        warnIfLocalhost(result);
-        // Story 70.05: Auto-repair localhost serverUrl if not intentional.
-        // If serverUrl points to localhost and NEOCORTEX_SERVER_URL env is not set
-        // to localhost (i.e., user didn't explicitly request local), repair to production.
-        // This is an in-memory repair only -- does NOT rewrite the config file on disk.
-        if (result.serverUrl && !process.env['NEOCORTEX_SERVER_URL']) {
-            const isLocal = /^https?:\/\/(localhost|127\.0\.0\.1|0\.0\.0\.0)(:\d+)?/i.test(result.serverUrl);
-            if (isLocal) {
-                const repairedUrl = DEFAULT_SERVER_URL;
-                console.warn(`[neocortex] Auto-repairing serverUrl: ${result.serverUrl} -> ${repairedUrl}\n` +
-                    `[neocortex] To keep localhost, set NEOCORTEX_SERVER_URL=${result.serverUrl}\n`);
-                return { ...result, serverUrl: repairedUrl };
-            }
-        }
-        // Story P46.02: Auto-repair old ornexus.com URL to neocortex.sh.
-        // The old domain api.neocortex.ornexus.com remains as a CNAME, but new installs
-        // should use the canonical api.neocortex.sh. In-memory only -- does NOT rewrite disk.
-        // Suppressed by NEOCORTEX_SERVER_URL env var (developer override).
-        if (result.serverUrl && !process.env['NEOCORTEX_SERVER_URL']) {
-            const isOldDomain = /^https?:\/\/api\.neocortex\.ornexus\.com/i.test(result.serverUrl);
-            if (isOldDomain) {
-                const repairedUrl = result.serverUrl.replace(/^(https?:\/\/)api\.neocortex\.ornexus\.com/i, '$1api.neocortex.sh');
-                return { ...result, serverUrl: repairedUrl };
-            }
-        }
-        return result;
-    }
-    catch {
-        return null;
-    }
-}
-/**
- * Write config to disk with encrypted license key and secure permissions.
- * The licenseKey field should already be encrypted as encryptedLicenseKey.
- */
-function writeSecureConfig(config) {
-    mkdirSync(CONFIG_DIR, { recursive: true });
-    setSecureDirPermissions(CONFIG_DIR);
-    const cacheDir = join(CONFIG_DIR, 'cache');
-    if (existsSync(cacheDir)) {
-        setSecureDirPermissions(cacheDir);
-    }
-    writeFileSync(CONFIG_FILE, JSON.stringify(config, null, 2) + '\n', 'utf-8');
-    setSecureFilePermissions(CONFIG_FILE);
-}
-/**
- * Save config after activation with encrypted license key.
- * This is the primary write path called from activate.ts.
- */
-export function saveSecureConfig(config) {
-    const encrypted = encryptLicenseKey(config.licenseKey);
-    // Auto-detect keyType from key prefix if not explicitly provided
-    const keyType = config.keyType ?? (config.licenseKey.startsWith('nxk_') ? 'api_key' : 'license');
-    const diskConfig = {
-        configVersion: CURRENT_CONFIG_VERSION,
-        serverUrl: config.serverUrl,
-        mode: config.mode,
-        machineId: config.machineId,
-        activatedAt: config.activatedAt,
-        tier: config.tier,
-        encryptedLicenseKey: encrypted,
-        keyType,
-    };
-    writeSecureConfig(diskConfig);
-}
+import{existsSync as p,readFileSync as U,writeFileSync as R,mkdirSync as S,chmodSync as y}from"node:fs";import{execSync as d}from"node:child_process";import{join as a}from"node:path";import{homedir as x}from"node:os";import{encrypt as L,decrypt as I}from"../cache/crypto-utils.js";import{getMachineFingerprint as l}from"../machine/fingerprint.js";import{DEFAULT_SERVER_URL as K}from"../constants.js";const o=a(x(),".neocortex"),s=a(o,"config.json"),u=1;function f(r){const e=l();return L(r,e)}function g(r){try{const e=l();return I(r,e).plaintext}catch{return null}}function O(r){try{if(process.platform==="win32"){const e=process.env.USERNAME||process.env.USER||"";if(!e)return;d(`icacls "${r}" /inheritance:r /grant:r "${e}:(F)"`,{stdio:"pipe",timeout:5e3})}else y(r,384)}catch{}}function m(r){try{if(process.platform==="win32"){const e=process.env.USERNAME||process.env.USER||"";if(!e)return;d(`icacls "${r}" /inheritance:r /grant:r "${e}:(OI)(CI)(F)"`,{stdio:"pipe",timeout:5e3})}else y(r,448)}catch{}}let v=!1;function C(r){if(v)return;const e=r.serverUrl;if(!e)return;/^https?:\/\/(localhost|127\.0\.0\.1|0\.0\.0\.0)(:\d+)?/i.test(e)&&(v=!0,console.warn(`
+[!] Warning: connected to local server (`+e+`).
+    To use production, run: neocortex activate YOUR-LICENSE-KEY
+    Get yours at https://neocortex.ornexus.com/login
+`))}function $(){try{if(!p(s))return null;const r=U(s,"utf-8"),e=JSON.parse(r.replace(/^\uFEFF/,""));if(e.licenseKey&&!e.encryptedLicenseKey){const c=f(e.licenseKey),t={...e},E=t.licenseKey;return delete t.licenseKey,t.encryptedLicenseKey=c,t.configVersion||(t.configVersion=u),h(t),{serverUrl:e.serverUrl,mode:e.mode,machineId:e.machineId,activatedAt:e.activatedAt,tier:e.tier,licenseKey:E,keyType:e.keyType}}let i;if(e.encryptedLicenseKey){const c=g(e.encryptedLicenseKey);c&&(i=c)}const n={serverUrl:e.serverUrl,mode:e.mode,machineId:e.machineId,activatedAt:e.activatedAt,tier:e.tier,licenseKey:i,keyType:e.keyType};if(e.machineId&&!i&&e.encryptedLicenseKey){const c=l();e.machineId!==c&&console.warn(`
+[!] Machine fingerprint changed (was: ${e.machineId.slice(0,12)}..., now: ${c.slice(0,12)}...).
+    Your encrypted credentials are no longer valid.
+    Re-activate with: neocortex activate YOUR-LICENSE-KEY
+`)}if(C(n),n.serverUrl&&!process.env.NEOCORTEX_SERVER_URL&&/^https?:\/\/(localhost|127\.0\.0\.1|0\.0\.0\.0)(:\d+)?/i.test(n.serverUrl)){const t=K;return console.warn(`[neocortex] Auto-repairing serverUrl: ${n.serverUrl} -> ${t}
+[neocortex] To keep localhost, set NEOCORTEX_SERVER_URL=${n.serverUrl}
+`),{...n,serverUrl:t}}if(n.serverUrl&&!process.env.NEOCORTEX_SERVER_URL&&/^https?:\/\/api\.neocortex\.ornexus\.com/i.test(n.serverUrl)){const t=n.serverUrl.replace(/^(https?:\/\/)api\.neocortex\.ornexus\.com/i,"$1api.neocortex.sh");return{...n,serverUrl:t}}return n}catch{return null}}function h(r){S(o,{recursive:!0}),m(o);const e=a(o,"cache");p(e)&&m(e),R(s,JSON.stringify(r,null,2)+`
+`,"utf-8"),O(s)}function V(r){const e=f(r.licenseKey),i=r.keyType??(r.licenseKey.startsWith("nxk_")?"api_key":"license"),n={configVersion:u,serverUrl:r.serverUrl,mode:r.mode,machineId:r.machineId,activatedAt:r.activatedAt,tier:r.tier,encryptedLicenseKey:e,keyType:i};h(n)}export{g as decryptLicenseKey,f as encryptLicenseKey,$ as loadSecureConfig,V as saveSecureConfig,m as setSecureDirPermissions,O as setSecureFilePermissions};

package/packages/client/dist/constants.js

@@ -1,25 +1 @@
-/**
- * @license FSL-1.1
- * Copyright (c) 2026 OrNexus AI
- *
- * This file is part of Neocortex CLI, licensed under the
- * Functional Source License, Version 1.1 (FSL-1.1).
- *
- * Change Date: February 20, 2029
- * Change License: MIT
- *
- * See the LICENSE file in the project root for full license text.
- */
-/**
- * Production server URL.
- *
- * Single Source of Truth for the default Neocortex IP Protection Server URL.
- * All client-side code MUST import this constant instead of hardcoding the URL.
- *
- * Shell scripts (install.sh, install.ps1) cannot import from TypeScript,
- * so they maintain a hardcoded copy with a comment referencing this file.
- *
- * Epic 70 - Story 70.03
- * Epic P46 - Story P46.01: migrated from api.neocortex.ornexus.com to api.neocortex.sh
- */
-export const DEFAULT_SERVER_URL = 'https://api.neocortex.sh';
+const t="https://api.neocortex.sh";export{t as DEFAULT_SERVER_URL};