@ornexus/neocortex 4.0.1 → 4.0.2

package/packages/client/dist/license/license-client.js

@@ -1,257 +1 @@
-/**
- * @license FSL-1.1
- * Copyright (c) 2026 OrNexus AI
- *
- * This file is part of Neocortex CLI, licensed under the
- * Functional Source License, Version 1.1 (FSL-1.1).
- *
- * Change Date: February 20, 2029
- * Change License: MIT
- *
- * See the LICENSE file in the project root for full license text.
- */
-/**
- * @neocortex/client - License Client
- *
- * Manages license activation, JWT token caching, and proactive refresh.
- * Integrates with the IP Protection Server's license endpoints and
- * uses EncryptedCache for persistent token storage.
- *
- * Story 31.01: REFRESH_THRESHOLD_S fixed from 3600 to 300 (5 min)
- * Story 31.02: Refresh token support (store, use, rotate)
- * Story 31.03: Refresh token persistence in EncryptedCache
- *
- * NEVER throws exceptions - returns null on failure (graceful degradation).
- */
-import { decodeJwt } from 'jose';
-import { NoOpCache } from '../types/index.js';
-import { getMachineFingerprint } from '../machine/fingerprint.js';
-// ── Constants ────────────────────────────────────────────────────────────
-const CACHE_KEY = 'neocortex:jwt:token';
-const REFRESH_CACHE_KEY = 'neocortex:jwt:refresh_token';
-const REFRESH_THRESHOLD_S = 300; // 5 minutes before expiry
-const REFRESH_TOKEN_TTL_MS = 7 * 24 * 60 * 60 * 1000; // 7 days (matches server REFRESH_TOKEN_TTL_DAYS)
-const DEFAULT_CLIENT_VERSION = '0.1.0';
-// ── LicenseClient ────────────────────────────────────────────────────────
-export class LicenseClient {
-    serverUrl;
-    licenseKey;
-    cache;
-    clientVersion;
-    machineId;
-    token = null;
-    refreshToken = null;
-    constructor(options) {
-        this.serverUrl = options.serverUrl.replace(/\/+$/, '');
-        this.licenseKey = options.licenseKey;
-        this.cache = options.cacheProvider ?? new NoOpCache();
-        this.clientVersion = options.clientVersion ?? DEFAULT_CLIENT_VERSION;
-        this.machineId = getMachineFingerprint();
-    }
-    /**
-     * Get a valid JWT token. Checks memory, cache, refresh token, then activation.
-     * NEVER throws - returns null on failure.
-     *
-     * Flow:
-     * 1. in-memory JWT valid? -> return
-     * 2. in-memory JWT needs-refresh? -> refresh(refresh_token) -> return
-     * 3. cached JWT valid? -> return
-     * 4. cached JWT needs-refresh? -> refresh(refresh_token) -> return
-     * 5. cached refresh_token exists? -> refresh(refresh_token) -> return  (Story 31.02)
-     * 6. activate() -> return
-     */
-    async getToken() {
-        try {
-            // 1. Check in-memory token
-            if (this.token) {
-                const validity = this.checkTokenValidity(this.token);
-                if (validity === 'valid')
-                    return this.token;
-                if (validity === 'needs-refresh') {
-                    const refreshed = await this.refresh();
-                    return refreshed?.token ?? this.token; // fallback to current if refresh fails
-                }
-                // expired or invalid - clear memory
-                this.token = null;
-            }
-            // 2. Check JWT cache
-            const cached = await this.loadFromCache();
-            if (cached) {
-                this.token = cached;
-                const validity = this.checkTokenValidity(cached);
-                if (validity === 'valid')
-                    return cached;
-                if (validity === 'needs-refresh') {
-                    const refreshed = await this.refresh();
-                    return refreshed?.token ?? cached; // fallback to current if refresh fails
-                }
-                // expired - clear
-                this.token = null;
-            }
-            // 3. Try refresh with cached refresh_token (Story 31.02/31.03)
-            // Lazy load refresh_token from cache if not in memory
-            if (!this.refreshToken) {
-                this.refreshToken = await this.loadRefreshTokenFromCache();
-            }
-            if (this.refreshToken) {
-                const refreshed = await this.refresh();
-                if (refreshed?.token)
-                    return refreshed.token;
-            }
-            // 4. Activate (last resort)
-            const result = await this.activate();
-            return result?.token ?? null;
-        }
-        catch {
-            return null;
-        }
-    }
-    /**
-     * Activate the license by calling POST /api/v1/license/activate.
-     * Stores token and refresh_token in memory and cache on success.
-     * NEVER throws - returns null on failure.
-     */
-    async activate() {
-        try {
-            const response = await fetch(`${this.serverUrl}/api/v1/license/activate`, {
-                method: 'POST',
-                headers: { 'Content-Type': 'application/json' },
-                body: JSON.stringify({
-                    license_key: this.licenseKey,
-                    machine_id: this.machineId,
-                    client_version: this.clientVersion,
-                }),
-            });
-            if (!response.ok)
-                return null;
-            const data = (await response.json());
-            this.token = data.token;
-            this.refreshToken = data.refresh_token ?? null;
-            // Persist JWT to cache (fire-and-forget)
-            this.cache.set(CACHE_KEY, data.token, data.expires_in * 1000).catch(() => { });
-            // Persist refresh token with 7-day TTL (fire-and-forget)
-            if (data.refresh_token) {
-                this.cache.set(REFRESH_CACHE_KEY, data.refresh_token, REFRESH_TOKEN_TTL_MS).catch(() => { });
-            }
-            return {
-                token: data.token,
-                expiresIn: data.expires_in,
-                refreshToken: data.refresh_token,
-            };
-        }
-        catch {
-            return null;
-        }
-    }
-    /**
-     * Refresh using refresh_token by calling POST /api/v1/license/refresh.
-     * Sends refresh_token in body (no Authorization header needed).
-     * Handles token rotation: stores the new refresh_token from response.
-     * NEVER throws - returns null on failure.
-     *
-     * Story 31.02: Signature changed from refresh(currentToken) to refresh().
-     * The refresh_token in the body is the credential, not the JWT.
-     *
-     * @param _currentToken - Deprecated. Kept for backward compat but ignored.
-     */
-    async refresh(_currentToken) {
-        try {
-            // Load refresh_token: in-memory first, then cache
-            const rt = this.refreshToken ?? await this.loadRefreshTokenFromCache();
-            if (!rt) {
-                // No refresh token available -- cannot use new flow
-                return null;
-            }
-            const response = await fetch(`${this.serverUrl}/api/v1/license/refresh`, {
-                method: 'POST',
-                headers: { 'Content-Type': 'application/json' },
-                body: JSON.stringify({ refresh_token: rt }),
-            });
-            if (!response.ok) {
-                // Refresh token invalid/expired -- clear it
-                this.refreshToken = null;
-                this.cache.set(REFRESH_CACHE_KEY, '', 1).catch(() => { }); // expire immediately
-                return null;
-            }
-            const data = (await response.json());
-            this.token = data.token;
-            // Token rotation: server issues new refresh token
-            this.refreshToken = data.refresh_token ?? null;
-            // Persist JWT to cache (fire-and-forget)
-            this.cache.set(CACHE_KEY, data.token, data.expires_in * 1000).catch(() => { });
-            // Persist rotated refresh token (fire-and-forget)
-            if (data.refresh_token) {
-                this.cache.set(REFRESH_CACHE_KEY, data.refresh_token, REFRESH_TOKEN_TTL_MS).catch(() => { });
-            }
-            return {
-                token: data.token,
-                expiresIn: data.expires_in,
-                refreshToken: data.refresh_token,
-            };
-        }
-        catch {
-            return null;
-        }
-    }
-    /**
-     * Force-refresh the token.
-     * Used when tier_changed is detected or a 401 response indicates the token is expired.
-     * Falls back to re-activation if refresh fails.
-     * NEVER throws - returns new token or null on failure.
-     *
-     * Story 18.8: Updated to prefer refresh over re-activate (preserves updated tier).
-     * Story 31.02: Uses refresh_token flow instead of JWT-based refresh.
-     */
-    async forceRefresh() {
-        try {
-            // 1. Try refresh with refresh_token first
-            const refreshResult = await this.refresh();
-            if (refreshResult?.token)
-                return refreshResult.token;
-            // 2. Refresh failed -- clear everything and re-activate
-            this.token = null;
-            this.refreshToken = null;
-            await this.cache.clear().catch(() => { });
-            const result = await this.activate();
-            return result?.token ?? null;
-        }
-        catch {
-            return null;
-        }
-    }
-    // ── Private Methods ─────────────────────────────────────────────────
-    checkTokenValidity(token) {
-        try {
-            const payload = decodeJwt(token);
-            if (!payload.exp)
-                return 'expired';
-            const now = Math.floor(Date.now() / 1000);
-            if (payload.exp <= now)
-                return 'expired';
-            if (payload.exp - now <= REFRESH_THRESHOLD_S)
-                return 'needs-refresh';
-            return 'valid';
-        }
-        catch {
-            return 'expired';
-        }
-    }
-    async loadFromCache() {
-        try {
-            return await this.cache.get(CACHE_KEY);
-        }
-        catch {
-            return null;
-        }
-    }
-    async loadRefreshTokenFromCache() {
-        try {
-            const rt = await this.cache.get(REFRESH_CACHE_KEY);
-            // Guard against empty/expired entries
-            return rt && rt.length > 0 ? rt : null;
-        }
-        catch {
-            return null;
-        }
-    }
-}
+import{decodeJwt as c}from"jose";import{NoOpCache as o}from"../types/index.js";import{getMachineFingerprint as a}from"../machine/fingerprint.js";const i="neocortex:jwt:token",s="neocortex:jwt:refresh_token",l=300,h=10080*60*1e3,f="0.1.0";class T{serverUrl;licenseKey;cache;clientVersion;machineId;token=null;refreshToken=null;constructor(e){this.serverUrl=e.serverUrl.replace(/\/+$/,""),this.licenseKey=e.licenseKey,this.cache=e.cacheProvider??new o,this.clientVersion=e.clientVersion??f,this.machineId=a()}async getToken(){try{if(this.token){const r=this.checkTokenValidity(this.token);if(r==="valid")return this.token;if(r==="needs-refresh")return(await this.refresh())?.token??this.token;this.token=null}const e=await this.loadFromCache();if(e){this.token=e;const r=this.checkTokenValidity(e);if(r==="valid")return e;if(r==="needs-refresh")return(await this.refresh())?.token??e;this.token=null}if(this.refreshToken||(this.refreshToken=await this.loadRefreshTokenFromCache()),this.refreshToken){const r=await this.refresh();if(r?.token)return r.token}return(await this.activate())?.token??null}catch{return null}}async activate(){try{const e=await fetch(`${this.serverUrl}/api/v1/license/activate`,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({license_key:this.licenseKey,machine_id:this.machineId,client_version:this.clientVersion})});if(!e.ok)return null;const t=await e.json();return this.token=t.token,this.refreshToken=t.refresh_token??null,this.cache.set(i,t.token,t.expires_in*1e3).catch(()=>{}),t.refresh_token&&this.cache.set(s,t.refresh_token,h).catch(()=>{}),{token:t.token,expiresIn:t.expires_in,refreshToken:t.refresh_token}}catch{return null}}async refresh(e){try{const t=this.refreshToken??await this.loadRefreshTokenFromCache();if(!t)return null;const r=await fetch(`${this.serverUrl}/api/v1/license/refresh`,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({refresh_token:t})});if(!r.ok)return this.refreshToken=null,this.cache.set(s,"",1).catch(()=>{}),null;const n=await r.json();return this.token=n.token,this.refreshToken=n.refresh_token??null,this.cache.set(i,n.token,n.expires_in*1e3).catch(()=>{}),n.refresh_token&&this.cache.set(s,n.refresh_token,h).catch(()=>{}),{token:n.token,expiresIn:n.expires_in,refreshToken:n.refresh_token}}catch{return null}}async forceRefresh(){try{const e=await this.refresh();return e?.token?e.token:(this.token=null,this.refreshToken=null,await this.cache.clear().catch(()=>{}),(await this.activate())?.token??null)}catch{return null}}checkTokenValidity(e){try{const t=c(e);if(!t.exp)return"expired";const r=Math.floor(Date.now()/1e3);return t.exp<=r?"expired":t.exp-r<=l?"needs-refresh":"valid"}catch{return"expired"}}async loadFromCache(){try{return await this.cache.get(i)}catch{return null}}async loadRefreshTokenFromCache(){try{const e=await this.cache.get(s);return e&&e.length>0?e:null}catch{return null}}}export{T as LicenseClient};

package/packages/client/dist/machine/fingerprint.js

@@ -1,160 +1,2 @@
-/**
- * @license FSL-1.1
- * Copyright (c) 2026 OrNexus AI
- *
- * This file is part of Neocortex CLI, licensed under the
- * Functional Source License, Version 1.1 (FSL-1.1).
- *
- * Change Date: February 20, 2029
- * Change License: MIT
- *
- * See the LICENSE file in the project root for full license text.
- */
-/**
- * @neocortex/client - Machine Fingerprint
- *
- * Generates a stable, deterministic machine identifier from hardware/OS
- * attributes using SHA-256. Used for license activation machine tracking.
- */
-import { createHash } from 'node:crypto';
-import { existsSync, readFileSync, writeFileSync, mkdirSync, chmodSync } from 'node:fs';
-import { join } from 'node:path';
-import { arch, cpus, homedir, hostname, networkInterfaces, platform } from 'node:os';
-const ALL_ZEROS_MAC = '00:00:00:00:00:00';
-/** Path to the persisted machine-id file */
-const NEOCORTEX_DIR = join(homedir(), '.neocortex');
-const MACHINE_ID_FILE = join(NEOCORTEX_DIR, '.machine-id');
-/**
- * Collect sorted, non-internal MAC addresses from network interfaces.
- * Filters out internal/loopback interfaces and all-zeros MACs.
- */
-function collectMacAddresses() {
-    const interfaces = networkInterfaces();
-    const macs = [];
-    for (const entries of Object.values(interfaces)) {
-        if (!entries)
-            continue;
-        for (const entry of entries) {
-            if (!entry.internal && entry.mac !== ALL_ZEROS_MAC) {
-                macs.push(entry.mac);
-            }
-        }
-    }
-    // Sort for determinism regardless of NIC enumeration order
-    return [...new Set(macs)].sort();
-}
-/**
- * Generate a hardware-based fingerprint (not persisted).
- * This is the original computation used as fallback and for seeding.
- *
- * @returns 64-character hex string (SHA-256 digest)
- */
-export function computeHardwareFingerprint() {
-    const host = hostname();
-    const plat = platform();
-    const architecture = arch();
-    const cpuList = cpus();
-    const cpuModel = cpuList.length > 0 ? cpuList[0].model : '';
-    const macs = collectMacAddresses();
-    const input = `${host}|${plat}|${architecture}|${cpuModel}|${macs.join(',')}`;
-    return createHash('sha256').update(input).digest('hex');
-}
-/**
- * Set restrictive file permissions (chmod 600) on a file.
- * Fail-open: never throws.
- */
-function setFilePermissions600(filePath) {
-    try {
-        if (process.platform !== 'win32') {
-            chmodSync(filePath, 0o600);
-        }
-        // Windows ACL handled by secure-config.ts setSecureFilePermissions() if needed
-    }
-    catch {
-        // Fail-open
-    }
-}
-/**
- * Read persisted machine ID from disk.
- * Returns null if file doesn't exist or can't be read.
- */
-function readPersistedMachineId() {
-    try {
-        if (!existsSync(MACHINE_ID_FILE))
-            return null;
-        const raw = readFileSync(MACHINE_ID_FILE, 'utf-8').trim();
-        // Validate: must be a 64-char hex string
-        if (/^[a-f0-9]{64}$/.test(raw))
-            return raw;
-        return null;
-    }
-    catch {
-        return null;
-    }
-}
-/**
- * Persist machine ID to disk.
- * Creates ~/.neocortex/ if needed. Sets chmod 600 on the file.
- * Fail-open: never throws.
- */
-function persistMachineId(machineId) {
-    try {
-        mkdirSync(NEOCORTEX_DIR, { recursive: true });
-        writeFileSync(MACHINE_ID_FILE, machineId + '\n', 'utf-8');
-        setFilePermissions600(MACHINE_ID_FILE);
-    }
-    catch {
-        // Fail-open: if disk fails, fingerprint still works from hardware
-    }
-}
-/**
- * Check if config.json has a machineId field that can seed .machine-id.
- * This provides backward compatibility for existing installations.
- */
-function readMachineIdFromConfig() {
-    try {
-        const configPath = join(NEOCORTEX_DIR, 'config.json');
-        if (!existsSync(configPath))
-            return null;
-        const raw = readFileSync(configPath, 'utf-8');
-        const config = JSON.parse(raw.replace(/^\uFEFF/, ''));
-        const machineId = config.machineId;
-        if (typeof machineId === 'string' && /^[a-f0-9]{64}$/.test(machineId)) {
-            return machineId;
-        }
-        return null;
-    }
-    catch {
-        return null;
-    }
-}
-/**
- * Generate a stable machine fingerprint as a SHA-256 hex digest.
- *
- * Story P26.01: On first call, generates from hardware and persists to
- * ~/.neocortex/.machine-id. On subsequent calls, reads from disk.
- * This ensures the fingerprint remains stable even if hardware attributes
- * change (e.g., USB NIC added/removed, hostname change).
- *
- * Backward compat: if config.json has machineId, uses that to seed .machine-id.
- *
- * Fail-open: if disk operations fail, falls back to hardware-generated fingerprint.
- *
- * @returns 64-character hex string (SHA-256 digest)
- */
-export function getMachineFingerprint() {
-    // 1. Try reading persisted machine ID from disk
-    const persisted = readPersistedMachineId();
-    if (persisted)
-        return persisted;
-    // 2. Check config.json for backward-compatible machineId
-    const fromConfig = readMachineIdFromConfig();
-    if (fromConfig) {
-        persistMachineId(fromConfig);
-        return fromConfig;
-    }
-    // 3. Generate from hardware and persist
-    const fingerprint = computeHardwareFingerprint();
-    persistMachineId(fingerprint);
-    return fingerprint;
-}
+import{createHash as p}from"node:crypto";import{existsSync as s,readFileSync as a,writeFileSync as h,mkdirSync as d,chmodSync as g}from"node:fs";import{join as o}from"node:path";import{arch as y,cpus as F,homedir as I,hostname as M,networkInterfaces as S,platform as w}from"node:os";const $="00:00:00:00:00:00",i=o(I(),".neocortex"),c=o(i,".machine-id");function E(){const t=S(),n=[];for(const e of Object.values(t))if(e)for(const r of e)!r.internal&&r.mac!==$&&n.push(r.mac);return[...new Set(n)].sort()}function x(){const t=M(),n=w(),e=y(),r=F(),u=r.length>0?r[0].model:"",m=E(),l=`${t}|${n}|${e}|${u}|${m.join(",")}`;return p("sha256").update(l).digest("hex")}function C(t){try{process.platform!=="win32"&&g(t,384)}catch{}}function O(){try{if(!s(c))return null;const t=a(c,"utf-8").trim();return/^[a-f0-9]{64}$/.test(t)?t:null}catch{return null}}function f(t){try{d(i,{recursive:!0}),h(c,t+`
+`,"utf-8"),C(c)}catch{}}function _(){try{const t=o(i,"config.json");if(!s(t))return null;const n=a(t,"utf-8"),r=JSON.parse(n.replace(/^\uFEFF/,"")).machineId;return typeof r=="string"&&/^[a-f0-9]{64}$/.test(r)?r:null}catch{return null}}function N(){const t=O();if(t)return t;const n=_();if(n)return f(n),n;const e=x();return f(e),e}export{x as computeHardwareFingerprint,N as getMachineFingerprint};

package/packages/client/dist/machine/index.js

@@ -1,5 +1 @@
-/**
- * @license FSL-1.1
- * Copyright (c) 2026 OrNexus AI
- */
-export { getMachineFingerprint } from './fingerprint.js';
+import{getMachineFingerprint as i}from"./fingerprint.js";export{i as getMachineFingerprint};

package/packages/client/dist/resilience/circuit-breaker.js

@@ -1,170 +1 @@
-/**
- * @license FSL-1.1
- * Copyright (c) 2026 OrNexus AI
- *
- * This file is part of Neocortex CLI, licensed under the
- * Functional Source License, Version 1.1 (FSL-1.1).
- *
- * Change Date: February 20, 2029
- * Change License: MIT
- *
- * See the LICENSE file in the project root for full license text.
- */
-/**
- * @neocortex/client - Persistent Circuit Breaker
- *
- * Circuit breaker with file-based state persistence for the CLI client.
- * Tracks server health using window-based failure counting and persists
- * state between CLI invocations at ~/.neocortex/.circuit-state.
- *
- * States:
- *   CLOSED    - Normal operation, requests pass through
- *   OPEN      - Circuit tripped, requests fail immediately (use cache)
- *   HALF_OPEN - Testing if server recovered (one probe request allowed)
- *
- * Story 42.9
- */
-import { readFile, writeFile, mkdir } from 'node:fs/promises';
-import { dirname } from 'node:path';
-import { homedir } from 'node:os';
-import { join } from 'node:path';
-// ── Defaults ──────────────────────────────────────────────────────────────
-const DEFAULT_CONFIG = {
-    failureThreshold: 3,
-    failureWindowMs: 60_000,
-    halfOpenAfterMs: 60_000,
-    stateFilePath: join(homedir(), '.neocortex', '.circuit-state'),
-};
-const INITIAL_STATE = {
-    state: 'CLOSED',
-    failures: [],
-    openedAt: null,
-    lastProbeAt: null,
-};
-// ── ClientCircuitBreaker ──────────────────────────────────────────────────
-export class ClientCircuitBreaker {
-    config;
-    internalState;
-    constructor(config, initialState) {
-        this.config = { ...DEFAULT_CONFIG, ...config };
-        this.internalState = initialState ? { ...initialState } : { ...INITIAL_STATE, failures: [] };
-    }
-    /**
-     * Check if a request can be made to the server.
-     * Returns false if circuit is OPEN (fail-fast to cache).
-     */
-    canCall() {
-        this.pruneExpiredFailures();
-        switch (this.internalState.state) {
-            case 'CLOSED':
-                return true;
-            case 'OPEN': {
-                const now = Date.now();
-                const openedAt = this.internalState.openedAt ?? 0;
-                if (now - openedAt >= this.config.halfOpenAfterMs) {
-                    this.internalState.state = 'HALF_OPEN';
-                    this.internalState.lastProbeAt = now;
-                    return true;
-                }
-                return false;
-            }
-            case 'HALF_OPEN':
-                return true;
-            default:
-                return true;
-        }
-    }
-    /**
-     * Record a successful server response. Closes the circuit.
-     */
-    async recordSuccess() {
-        this.internalState.state = 'CLOSED';
-        this.internalState.failures = [];
-        this.internalState.openedAt = null;
-        this.internalState.lastProbeAt = null;
-        await this.saveToDisk();
-    }
-    /**
-     * Record a failed server response. Opens circuit after threshold failures in window.
-     */
-    async recordFailure() {
-        const now = Date.now();
-        this.internalState.failures.push({ timestamp: now });
-        this.pruneExpiredFailures();
-        if (this.internalState.failures.length >= this.config.failureThreshold) {
-            this.internalState.state = 'OPEN';
-            this.internalState.openedAt = now;
-        }
-        // If in HALF_OPEN and probe fails, go back to OPEN
-        if (this.internalState.state === 'HALF_OPEN') {
-            this.internalState.state = 'OPEN';
-            this.internalState.openedAt = now;
-        }
-        await this.saveToDisk();
-    }
-    /**
-     * Get current circuit breaker state (copy).
-     */
-    getState() {
-        this.pruneExpiredFailures();
-        return {
-            state: this.internalState.state,
-            failures: [...this.internalState.failures],
-            openedAt: this.internalState.openedAt,
-            lastProbeAt: this.internalState.lastProbeAt,
-        };
-    }
-    /**
-     * Reset circuit breaker to initial CLOSED state.
-     */
-    async reset() {
-        this.internalState = { ...INITIAL_STATE, failures: [] };
-        await this.saveToDisk();
-    }
-    /**
-     * Load circuit breaker state from disk.
-     */
-    static async loadFromDisk(path) {
-        const filePath = path ?? DEFAULT_CONFIG.stateFilePath;
-        try {
-            const raw = await readFile(filePath, 'utf8');
-            const data = JSON.parse(raw);
-            // Validate loaded state
-            if (!data.state || !Array.isArray(data.failures)) {
-                return new ClientCircuitBreaker({ stateFilePath: filePath });
-            }
-            return new ClientCircuitBreaker({ stateFilePath: filePath }, data);
-        }
-        catch {
-            // File doesn't exist or is corrupted - start fresh
-            return new ClientCircuitBreaker({ stateFilePath: filePath });
-        }
-    }
-    // ── Private ─────────────────────────────────────────────────────────
-    /**
-     * Remove failures outside the counting window.
-     */
-    pruneExpiredFailures() {
-        const cutoff = Date.now() - this.config.failureWindowMs;
-        this.internalState.failures = this.internalState.failures.filter((f) => f.timestamp > cutoff);
-    }
-    /**
-     * Persist state to disk with atomic write.
-     */
-    async saveToDisk() {
-        try {
-            const dir = dirname(this.config.stateFilePath);
-            await mkdir(dir, { recursive: true });
-            const tmpPath = `${this.config.stateFilePath}.tmp`;
-            const data = JSON.stringify(this.internalState, null, 2);
-            await writeFile(tmpPath, data, 'utf8');
-            // Atomic rename
-            const { rename } = await import('node:fs/promises');
-            await rename(tmpPath, this.config.stateFilePath);
-        }
-        catch {
-            // Persistence failures are non-critical - circuit breaker
-            // still works in-memory for current session
-        }
-    }
-}
+import{readFile as l,writeFile as o,mkdir as h}from"node:fs/promises";import{dirname as u}from"node:path";import{homedir as c}from"node:os";import{join as f}from"node:path";const n={failureThreshold:3,failureWindowMs:6e4,halfOpenAfterMs:6e4,stateFilePath:f(c(),".neocortex",".circuit-state")},r={state:"CLOSED",failures:[],openedAt:null,lastProbeAt:null};class i{config;internalState;constructor(t,e){this.config={...n,...t},this.internalState=e?{...e}:{...r,failures:[]}}canCall(){switch(this.pruneExpiredFailures(),this.internalState.state){case"CLOSED":return!0;case"OPEN":{const t=Date.now(),e=this.internalState.openedAt??0;return t-e>=this.config.halfOpenAfterMs?(this.internalState.state="HALF_OPEN",this.internalState.lastProbeAt=t,!0):!1}case"HALF_OPEN":return!0;default:return!0}}async recordSuccess(){this.internalState.state="CLOSED",this.internalState.failures=[],this.internalState.openedAt=null,this.internalState.lastProbeAt=null,await this.saveToDisk()}async recordFailure(){const t=Date.now();this.internalState.failures.push({timestamp:t}),this.pruneExpiredFailures(),this.internalState.failures.length>=this.config.failureThreshold&&(this.internalState.state="OPEN",this.internalState.openedAt=t),this.internalState.state==="HALF_OPEN"&&(this.internalState.state="OPEN",this.internalState.openedAt=t),await this.saveToDisk()}getState(){return this.pruneExpiredFailures(),{state:this.internalState.state,failures:[...this.internalState.failures],openedAt:this.internalState.openedAt,lastProbeAt:this.internalState.lastProbeAt}}async reset(){this.internalState={...r,failures:[]},await this.saveToDisk()}static async loadFromDisk(t){const e=t??n.stateFilePath;try{const s=await l(e,"utf8"),a=JSON.parse(s);return!a.state||!Array.isArray(a.failures)?new i({stateFilePath:e}):new i({stateFilePath:e},a)}catch{return new i({stateFilePath:e})}}pruneExpiredFailures(){const t=Date.now()-this.config.failureWindowMs;this.internalState.failures=this.internalState.failures.filter(e=>e.timestamp>t)}async saveToDisk(){try{const t=u(this.config.stateFilePath);await h(t,{recursive:!0});const e=`${this.config.stateFilePath}.tmp`,s=JSON.stringify(this.internalState,null,2);await o(e,s,"utf8");const{rename:a}=await import("node:fs/promises");await a(e,this.config.stateFilePath)}catch{}}}export{i as ClientCircuitBreaker};