@ornexus/neocortex 4.0.1

package/packages/client/dist/config/resolver-selection.js

@@ -0,0 +1,278 @@
+/**
+ * @license FSL-1.1
+ * Copyright (c) 2026 OrNexus AI
+ *
+ * This file is part of Neocortex CLI, licensed under the
+ * Functional Source License, Version 1.1 (FSL-1.1).
+ *
+ * Change Date: February 20, 2029
+ * Change License: MIT
+ *
+ * See the LICENSE file in the project root for full license text.
+ */
+/**
+ * @neocortex/client - Resolver Selection Factory
+ *
+ * Factory function that selects the appropriate AssetResolver
+ * based on CLI flags, environment variables, and auto-detection.
+ *
+ * Decision chain (priority order):
+ * 1. forceLocal option (--local flag) -> LocalResolver
+ * 2. NEOCORTEX_MODE=local env -> LocalResolver
+ * 3. NEOCORTEX_MODE=remote env -> RemoteResolver
+ * 4. core/ directory exists locally -> LocalResolver (dev mode)
+ * 4.5. Feature flag cutover (hash(machine) % 100 < remotePercentage) -> RemoteResolver
+ * 5. Valid license key present + no core/ -> RemoteResolver
+ * 6. Default -> LocalResolver (safe fallback)
+ */
+import { access, readFile, writeFile, mkdir } from 'node:fs/promises';
+import { join, resolve } from 'node:path';
+import { homedir } from 'node:os';
+import { createHash } from 'node:crypto';
+import { LocalResolver } from '../resolvers/local-resolver.js';
+import { RemoteResolver } from '../resolvers/remote-resolver.js';
+import { DEFAULT_SERVER_URL } from '../constants.js';
+// ── Feature Flag (Story 43.7) ───────────────────────────────────────────
+const CONFIG_CACHE_FILE = join(homedir(), '.neocortex', 'feature-flags.json');
+const CONFIG_CACHE_TTL_MS = 3600_000; // 1 hour
+/**
+ * Check if this machine should use remote mode based on server feature flags.
+ * Uses hash(machine_fingerprint) % 100 < remotePercentage to determine bucket.
+ * Caches the server config for 1 hour.
+ *
+ * Returns 'remote' | 'local' | 'skip' (skip = no flag applies)
+ */
+async function checkFeatureFlag(options) {
+    try {
+        // Check env override
+        const envPercentage = process.env['NEOCORTEX_REMOTE_PERCENTAGE'];
+        if (envPercentage !== undefined) {
+            const pct = parseInt(envPercentage, 10);
+            if (isNaN(pct) || pct <= 0)
+                return 'skip';
+            return isInRemoteBucket(pct) ? 'remote' : 'local';
+        }
+        // Try cached config
+        const cached = await loadFeatureFlagCache();
+        if (cached) {
+            if (cached.forceLocal)
+                return 'local';
+            if (cached.forceRemote)
+                return 'remote';
+            if (cached.remotePercentage <= 0)
+                return 'skip';
+            return isInRemoteBucket(cached.remotePercentage) ? 'remote' : 'local';
+        }
+        // Fetch from server (non-blocking, fail gracefully)
+        const serverUrl = getServerUrl(options);
+        const config = await fetchFeatureFlags(serverUrl);
+        if (config) {
+            await saveFeatureFlagCache(config);
+            if (config.forceLocal)
+                return 'local';
+            if (config.forceRemote)
+                return 'remote';
+            if (config.remotePercentage <= 0)
+                return 'skip';
+            return isInRemoteBucket(config.remotePercentage) ? 'remote' : 'local';
+        }
+        return 'skip'; // No flag info available
+    }
+    catch {
+        return 'skip'; // Never block on feature flag errors
+    }
+}
+/**
+ * Deterministic bucket assignment using machine fingerprint hash.
+ * hash(machine_id) % 100 < percentage = in remote bucket
+ */
+function isInRemoteBucket(percentage) {
+    const machineId = process.env['NEOCORTEX_MACHINE_ID'] ?? 'default';
+    const hash = createHash('sha256').update(machineId).digest();
+    const bucket = hash.readUInt16BE(0) % 100;
+    return bucket < percentage;
+}
+async function loadFeatureFlagCache() {
+    try {
+        const raw = await readFile(CONFIG_CACHE_FILE, 'utf-8');
+        const cached = JSON.parse(raw);
+        if (Date.now() - cached.fetchedAt < CONFIG_CACHE_TTL_MS) {
+            return cached;
+        }
+        return null; // Expired
+    }
+    catch {
+        return null;
+    }
+}
+async function saveFeatureFlagCache(config) {
+    try {
+        await mkdir(join(homedir(), '.neocortex'), { recursive: true });
+        await writeFile(CONFIG_CACHE_FILE, JSON.stringify(config), 'utf-8');
+    }
+    catch {
+        // Non-critical - ignore
+    }
+}
+async function fetchFeatureFlags(serverUrl) {
+    try {
+        const controller = new AbortController();
+        const timeout = setTimeout(() => controller.abort(), 5000);
+        const response = await fetch(`${serverUrl}/api/v1/config`, {
+            signal: controller.signal,
+        });
+        clearTimeout(timeout);
+        if (!response.ok)
+            return null;
+        const data = (await response.json());
+        return {
+            remotePercentage: data.remotePercentage ?? 0,
+            forceRemote: data.forceRemote ?? false,
+            forceLocal: data.forceLocal ?? false,
+            fetchedAt: Date.now(),
+        };
+    }
+    catch {
+        return null;
+    }
+}
+// ── Detection Helpers ───────────────────────────────────────────────────
+/**
+ * Check if the core/ directory exists at the given project root.
+ * This indicates development mode.
+ */
+async function detectLocalMode(projectRoot) {
+    try {
+        await access(join(projectRoot, 'core'));
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Get license key from environment or options.
+ */
+function getLicenseKey(options) {
+    return options?.licenseKey || process.env['NEOCORTEX_LICENSE_KEY'] || undefined;
+}
+/**
+ * Get server URL from environment or options.
+ */
+function getServerUrl(options) {
+    return (options?.serverUrl ||
+        process.env['NEOCORTEX_SERVER_URL'] ||
+        DEFAULT_SERVER_URL);
+}
+// ── Factory Function ────────────────────────────────────────────────────
+/**
+ * Create the appropriate AssetResolver based on configuration.
+ *
+ * Selection follows a strict priority chain:
+ * 1. forceLocal option -> LocalResolver
+ * 2. NEOCORTEX_MODE=local -> LocalResolver
+ * 3. NEOCORTEX_MODE=remote -> RemoteResolver
+ * 4. core/ exists locally -> LocalResolver
+ * 5. License key + no core/ -> RemoteResolver
+ * 6. Default -> LocalResolver
+ *
+ * @param options - Optional configuration overrides
+ * @returns Configured AssetResolver ready for use
+ */
+export async function createResolver(options) {
+    const result = await selectResolver(options);
+    return result.resolver;
+}
+/**
+ * Select resolver with full result including reason.
+ * Useful for logging/debugging why a specific resolver was chosen.
+ */
+export async function selectResolver(options) {
+    const projectRoot = resolve(options?.projectRoot || process.cwd());
+    const neocortexMode = process.env['NEOCORTEX_MODE']?.toLowerCase();
+    // 1. forceLocal option (--local CLI flag)
+    if (options?.forceLocal) {
+        return {
+            resolver: new LocalResolver({ projectRoot }),
+            reason: 'Forced local mode via --local flag',
+            mode: 'local',
+        };
+    }
+    // 2. NEOCORTEX_MODE=local
+    if (neocortexMode === 'local') {
+        return {
+            resolver: new LocalResolver({ projectRoot }),
+            reason: 'NEOCORTEX_MODE=local environment variable',
+            mode: 'local',
+        };
+    }
+    // 3. NEOCORTEX_MODE=remote
+    if (neocortexMode === 'remote') {
+        const licenseKey = getLicenseKey(options);
+        if (!licenseKey) {
+            // Fall back to local if no license key for remote mode
+            return {
+                resolver: new LocalResolver({ projectRoot }),
+                reason: 'NEOCORTEX_MODE=remote but no license key found, falling back to local',
+                mode: 'local',
+            };
+        }
+        return {
+            resolver: new RemoteResolver({
+                serverUrl: getServerUrl(options),
+                licenseKey,
+                cacheProvider: options?.cacheProvider,
+                licenseClient: options?.licenseClient,
+            }),
+            reason: 'NEOCORTEX_MODE=remote environment variable',
+            mode: 'remote',
+        };
+    }
+    // 4. Auto-detect: core/ directory exists -> dev mode
+    const hasLocalCore = await detectLocalMode(projectRoot);
+    if (hasLocalCore) {
+        return {
+            resolver: new LocalResolver({ projectRoot }),
+            reason: 'Auto-detected development mode (core/ directory exists)',
+            mode: 'local',
+        };
+    }
+    // 4.5. Feature flag cutover check (Story 43.7)
+    // If server config says remotePercentage > 0, check if this machine is in the bucket
+    const featureFlagResult = await checkFeatureFlag(options);
+    if (featureFlagResult === 'remote') {
+        const licenseKey = getLicenseKey(options);
+        if (licenseKey) {
+            return {
+                resolver: new RemoteResolver({
+                    serverUrl: getServerUrl(options),
+                    licenseKey,
+                    cacheProvider: options?.cacheProvider,
+                    licenseClient: options?.licenseClient,
+                }),
+                reason: 'Feature flag cutover: machine in remote bucket',
+                mode: 'remote',
+            };
+        }
+    }
+    // 5. License key present + no core/ -> production mode
+    const licenseKey = getLicenseKey(options);
+    if (licenseKey) {
+        return {
+            resolver: new RemoteResolver({
+                serverUrl: getServerUrl(options),
+                licenseKey,
+                cacheProvider: options?.cacheProvider,
+                licenseClient: options?.licenseClient,
+            }),
+            reason: 'Auto-detected production mode (license key present, no core/ directory)',
+            mode: 'remote',
+        };
+    }
+    // 6. Default -> LocalResolver (safe fallback)
+    return {
+        resolver: new LocalResolver({ projectRoot }),
+        reason: 'Default fallback to local mode',
+        mode: 'local',
+    };
+}

package/packages/client/dist/config/secure-config.d.ts

@@ -0,0 +1,78 @@
+/**
+ * @license FSL-1.1
+ * Copyright (c) 2026 OrNexus AI
+ *
+ * This file is part of Neocortex CLI, licensed under the
+ * Functional Source License, Version 1.1 (FSL-1.1).
+ *
+ * Change Date: February 20, 2029
+ * Change License: MIT
+ *
+ * See the LICENSE file in the project root for full license text.
+ */
+/** Key type discriminator (Story 29.04) */
+export type KeyType = 'license' | 'api_key';
+/** Resolved config with decrypted license key */
+export interface SecureConfig {
+    readonly serverUrl?: string;
+    readonly mode?: string;
+    readonly machineId?: string;
+    readonly activatedAt?: string;
+    readonly tier?: string;
+    readonly licenseKey?: string;
+    /** Key type: 'license' (NX-...) or 'api_key' (nxk_...). undefined = legacy (treat as license). Story 29.04 */
+    readonly keyType?: KeyType;
+}
+/**
+ * Encrypt a license key using the machine fingerprint as passphrase.
+ * Returns the encrypted envelope string.
+ */
+export declare function encryptLicenseKey(licenseKey: string): string;
+/**
+ * Decrypt a license key using the machine fingerprint as passphrase.
+ * Returns the plaintext key or null if decryption fails (hardware changed).
+ */
+export declare function decryptLicenseKey(encryptedKey: string): string | null;
+/**
+ * Set restrictive file permissions on config files.
+ * Unix: chmod 600 (owner read/write only).
+ * Windows: icacls to remove inheritance and grant Full Control only to current user.
+ * Story 61.4 - F4 remediation.
+ * Story 66.1 - Windows ACL via icacls.
+ */
+export declare function setSecureFilePermissions(filePath: string): void;
+/**
+ * Set restrictive directory permissions on config directories.
+ * Unix: chmod 700 (owner read/write/execute only).
+ * Windows: icacls with (OI)(CI) for propagation to child objects.
+ * Story 61.4 - F4 remediation.
+ * Story 66.1 - Windows ACL via icacls.
+ */
+export declare function setSecureDirPermissions(dirPath: string): void;
+/**
+ * Load config from ~/.neocortex/config.json with automatic migration.
+ *
+ * If the config contains a plaintext `licenseKey` (old format), it is:
+ * 1. Encrypted using machine fingerprint
+ * 2. Stored as `encryptedLicenseKey`
+ * 3. Old `licenseKey` field removed
+ * 4. Config rewritten to disk
+ *
+ * If decryption of `encryptedLicenseKey` fails (hardware change),
+ * returns config with licenseKey = undefined.
+ */
+export declare function loadSecureConfig(): SecureConfig | null;
+/**
+ * Save config after activation with encrypted license key.
+ * This is the primary write path called from activate.ts.
+ */
+export declare function saveSecureConfig(config: {
+    serverUrl: string;
+    mode: string;
+    machineId: string;
+    activatedAt: string;
+    tier?: string;
+    licenseKey: string;
+    /** Key type: 'license' (NX-...) or 'api_key' (nxk_...). Auto-detected from key prefix if omitted. Story 29.04 */
+    keyType?: KeyType;
+}): void;

package/packages/client/dist/config/secure-config.js

@@ -0,0 +1,269 @@
+/**
+ * @license FSL-1.1
+ * Copyright (c) 2026 OrNexus AI
+ *
+ * This file is part of Neocortex CLI, licensed under the
+ * Functional Source License, Version 1.1 (FSL-1.1).
+ *
+ * Change Date: February 20, 2029
+ * Change License: MIT
+ *
+ * See the LICENSE file in the project root for full license text.
+ */
+/**
+ * @neocortex/client - Secure Config
+ *
+ * Handles reading and writing config.json with encrypted license key.
+ * Uses machine fingerprint as encryption seed so the key is bound
+ * to the physical machine.
+ *
+ * Story 61.2 - F2 remediation: license key no longer stored in plaintext.
+ *
+ * Migration: if config has plaintext `licenseKey`, it is silently
+ * migrated to `encryptedLicenseKey` on first read.
+ *
+ * If decryption fails (e.g. hardware change), returns null for
+ * licenseKey, requiring re-activation.
+ */
+import { existsSync, readFileSync, writeFileSync, mkdirSync, chmodSync } from 'node:fs';
+import { execSync } from 'node:child_process';
+import { join } from 'node:path';
+import { homedir } from 'node:os';
+import { encrypt, decrypt } from '../cache/crypto-utils.js';
+import { getMachineFingerprint } from '../machine/fingerprint.js';
+import { DEFAULT_SERVER_URL } from '../constants.js';
+// ── Constants ────────────────────────────────────────────────────────────
+const CONFIG_DIR = join(homedir(), '.neocortex');
+const CONFIG_FILE = join(CONFIG_DIR, 'config.json');
+// ── Types ────────────────────────────────────────────────────────────────
+/** Current config schema version (Epic 62 - FR8) */
+const CURRENT_CONFIG_VERSION = 1;
+// ── License Key Encryption ──────────────────────────────────────────────
+/**
+ * Encrypt a license key using the machine fingerprint as passphrase.
+ * Returns the encrypted envelope string.
+ */
+export function encryptLicenseKey(licenseKey) {
+    const fingerprint = getMachineFingerprint();
+    return encrypt(licenseKey, fingerprint);
+}
+/**
+ * Decrypt a license key using the machine fingerprint as passphrase.
+ * Returns the plaintext key or null if decryption fails (hardware changed).
+ */
+export function decryptLicenseKey(encryptedKey) {
+    try {
+        const fingerprint = getMachineFingerprint();
+        const result = decrypt(encryptedKey, fingerprint);
+        // expired flag is not relevant for license keys (no TTL)
+        return result.plaintext;
+    }
+    catch {
+        return null;
+    }
+}
+// ── Secure File Permissions ─────────────────────────────────────────────
+/**
+ * Set restrictive file permissions on config files.
+ * Unix: chmod 600 (owner read/write only).
+ * Windows: icacls to remove inheritance and grant Full Control only to current user.
+ * Story 61.4 - F4 remediation.
+ * Story 66.1 - Windows ACL via icacls.
+ */
+export function setSecureFilePermissions(filePath) {
+    try {
+        if (process.platform === 'win32') {
+            const username = process.env.USERNAME || process.env.USER || '';
+            if (!username)
+                return;
+            execSync(`icacls "${filePath}" /inheritance:r /grant:r "${username}:(F)"`, { stdio: 'pipe', timeout: 5000 });
+        }
+        else {
+            chmodSync(filePath, 0o600);
+        }
+    }
+    catch {
+        // Fail-open: ACL/chmod is hardening, not blocking
+    }
+}
+/**
+ * Set restrictive directory permissions on config directories.
+ * Unix: chmod 700 (owner read/write/execute only).
+ * Windows: icacls with (OI)(CI) for propagation to child objects.
+ * Story 61.4 - F4 remediation.
+ * Story 66.1 - Windows ACL via icacls.
+ */
+export function setSecureDirPermissions(dirPath) {
+    try {
+        if (process.platform === 'win32') {
+            const username = process.env.USERNAME || process.env.USER || '';
+            if (!username)
+                return;
+            execSync(`icacls "${dirPath}" /inheritance:r /grant:r "${username}:(OI)(CI)(F)"`, { stdio: 'pipe', timeout: 5000 });
+        }
+        else {
+            chmodSync(dirPath, 0o700);
+        }
+    }
+    catch {
+        // Fail-open: ACL/chmod is hardening, not blocking
+    }
+}
+// ── Localhost Warning ────────────────────────────────────────────────────
+/**
+ * Story 32.08: Warn if serverUrl points to localhost.
+ * Informative only -- does NOT modify config.
+ */
+let localhostWarningShown = false;
+function warnIfLocalhost(config) {
+    if (localhostWarningShown)
+        return;
+    const url = config.serverUrl;
+    if (!url)
+        return;
+    const isLocal = /^https?:\/\/(localhost|127\.0\.0\.1|0\.0\.0\.0)(:\d+)?/i.test(url);
+    if (isLocal) {
+        localhostWarningShown = true;
+        console.warn('\n[!] Warning: connected to local server (' + url + ').\n' +
+            '    To use production, run: neocortex activate YOUR-LICENSE-KEY\n' +
+            '    Get yours at https://neocortex.ornexus.com/login\n');
+    }
+}
+// ── Config Read/Write ───────────────────────────────────────────────────
+/**
+ * Load config from ~/.neocortex/config.json with automatic migration.
+ *
+ * If the config contains a plaintext `licenseKey` (old format), it is:
+ * 1. Encrypted using machine fingerprint
+ * 2. Stored as `encryptedLicenseKey`
+ * 3. Old `licenseKey` field removed
+ * 4. Config rewritten to disk
+ *
+ * If decryption of `encryptedLicenseKey` fails (hardware change),
+ * returns config with licenseKey = undefined.
+ */
+export function loadSecureConfig() {
+    try {
+        if (!existsSync(CONFIG_FILE))
+            return null;
+        const raw = readFileSync(CONFIG_FILE, 'utf-8');
+        // Strip UTF-8 BOM if present (PowerShell 5.1 writes BOM via Out-File -Encoding utf8)
+        // Defense in depth: handles configs written by old PS 5.1 installers (Epic 63 - Story 63.1)
+        const config = JSON.parse(raw.replace(/^\uFEFF/, ''));
+        // Migration path: plaintext licenseKey -> encrypted
+        if (config.licenseKey && !config.encryptedLicenseKey) {
+            const encrypted = encryptLicenseKey(config.licenseKey);
+            const migratedConfig = { ...config };
+            const plainKey = migratedConfig.licenseKey;
+            delete migratedConfig.licenseKey;
+            migratedConfig.encryptedLicenseKey = encrypted;
+            // Ensure configVersion is preserved or added during migration
+            if (!migratedConfig.configVersion) {
+                migratedConfig.configVersion = CURRENT_CONFIG_VERSION;
+            }
+            writeSecureConfig(migratedConfig);
+            return {
+                serverUrl: config.serverUrl,
+                mode: config.mode,
+                machineId: config.machineId,
+                activatedAt: config.activatedAt,
+                tier: config.tier,
+                licenseKey: plainKey,
+                keyType: config.keyType,
+            };
+        }
+        // Decrypt encrypted license key
+        let licenseKey;
+        if (config.encryptedLicenseKey) {
+            const decrypted = decryptLicenseKey(config.encryptedLicenseKey);
+            if (decrypted) {
+                licenseKey = decrypted;
+            }
+            // If decryption fails, licenseKey remains undefined -> requires re-activation
+            // Story P26.06 below handles the fingerprint change warning
+        }
+        const result = {
+            serverUrl: config.serverUrl,
+            mode: config.mode,
+            machineId: config.machineId,
+            activatedAt: config.activatedAt,
+            tier: config.tier,
+            licenseKey,
+            keyType: config.keyType,
+        };
+        // Story P26.04 + P26.06: Detect fingerprint change early and warn
+        // This catches the issue BEFORE the user tries to invoke and gets a confusing error
+        if (config.machineId && !licenseKey && config.encryptedLicenseKey) {
+            const currentFp = getMachineFingerprint();
+            if (config.machineId !== currentFp) {
+                console.warn(`\n[!] Machine fingerprint changed (was: ${config.machineId.slice(0, 12)}..., now: ${currentFp.slice(0, 12)}...).` +
+                    '\n    Your encrypted credentials are no longer valid.' +
+                    '\n    Re-activate with: neocortex activate YOUR-LICENSE-KEY\n');
+            }
+        }
+        // Story 32.08: Warn if serverUrl points to localhost
+        warnIfLocalhost(result);
+        // Story 70.05: Auto-repair localhost serverUrl if not intentional.
+        // If serverUrl points to localhost and NEOCORTEX_SERVER_URL env is not set
+        // to localhost (i.e., user didn't explicitly request local), repair to production.
+        // This is an in-memory repair only -- does NOT rewrite the config file on disk.
+        if (result.serverUrl && !process.env['NEOCORTEX_SERVER_URL']) {
+            const isLocal = /^https?:\/\/(localhost|127\.0\.0\.1|0\.0\.0\.0)(:\d+)?/i.test(result.serverUrl);
+            if (isLocal) {
+                const repairedUrl = DEFAULT_SERVER_URL;
+                console.warn(`[neocortex] Auto-repairing serverUrl: ${result.serverUrl} -> ${repairedUrl}\n` +
+                    `[neocortex] To keep localhost, set NEOCORTEX_SERVER_URL=${result.serverUrl}\n`);
+                return { ...result, serverUrl: repairedUrl };
+            }
+        }
+        // Story P46.02: Auto-repair old ornexus.com URL to neocortex.sh.
+        // The old domain api.neocortex.ornexus.com remains as a CNAME, but new installs
+        // should use the canonical api.neocortex.sh. In-memory only -- does NOT rewrite disk.
+        // Suppressed by NEOCORTEX_SERVER_URL env var (developer override).
+        if (result.serverUrl && !process.env['NEOCORTEX_SERVER_URL']) {
+            const isOldDomain = /^https?:\/\/api\.neocortex\.ornexus\.com/i.test(result.serverUrl);
+            if (isOldDomain) {
+                const repairedUrl = result.serverUrl.replace(/^(https?:\/\/)api\.neocortex\.ornexus\.com/i, '$1api.neocortex.sh');
+                return { ...result, serverUrl: repairedUrl };
+            }
+        }
+        return result;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Write config to disk with encrypted license key and secure permissions.
+ * The licenseKey field should already be encrypted as encryptedLicenseKey.
+ */
+function writeSecureConfig(config) {
+    mkdirSync(CONFIG_DIR, { recursive: true });
+    setSecureDirPermissions(CONFIG_DIR);
+    const cacheDir = join(CONFIG_DIR, 'cache');
+    if (existsSync(cacheDir)) {
+        setSecureDirPermissions(cacheDir);
+    }
+    writeFileSync(CONFIG_FILE, JSON.stringify(config, null, 2) + '\n', 'utf-8');
+    setSecureFilePermissions(CONFIG_FILE);
+}
+/**
+ * Save config after activation with encrypted license key.
+ * This is the primary write path called from activate.ts.
+ */
+export function saveSecureConfig(config) {
+    const encrypted = encryptLicenseKey(config.licenseKey);
+    // Auto-detect keyType from key prefix if not explicitly provided
+    const keyType = config.keyType ?? (config.licenseKey.startsWith('nxk_') ? 'api_key' : 'license');
+    const diskConfig = {
+        configVersion: CURRENT_CONFIG_VERSION,
+        serverUrl: config.serverUrl,
+        mode: config.mode,
+        machineId: config.machineId,
+        activatedAt: config.activatedAt,
+        tier: config.tier,
+        encryptedLicenseKey: encrypted,
+        keyType,
+    };
+    writeSecureConfig(diskConfig);
+}

package/packages/client/dist/constants.d.ts

@@ -0,0 +1,25 @@
+/**
+ * @license FSL-1.1
+ * Copyright (c) 2026 OrNexus AI
+ *
+ * This file is part of Neocortex CLI, licensed under the
+ * Functional Source License, Version 1.1 (FSL-1.1).
+ *
+ * Change Date: February 20, 2029
+ * Change License: MIT
+ *
+ * See the LICENSE file in the project root for full license text.
+ */
+/**
+ * Production server URL.
+ *
+ * Single Source of Truth for the default Neocortex IP Protection Server URL.
+ * All client-side code MUST import this constant instead of hardcoding the URL.
+ *
+ * Shell scripts (install.sh, install.ps1) cannot import from TypeScript,
+ * so they maintain a hardcoded copy with a comment referencing this file.
+ *
+ * Epic 70 - Story 70.03
+ * Epic P46 - Story P46.01: migrated from api.neocortex.ornexus.com to api.neocortex.sh
+ */
+export declare const DEFAULT_SERVER_URL = "https://api.neocortex.sh";

package/packages/client/dist/constants.js

@@ -0,0 +1,25 @@
+/**
+ * @license FSL-1.1
+ * Copyright (c) 2026 OrNexus AI
+ *
+ * This file is part of Neocortex CLI, licensed under the
+ * Functional Source License, Version 1.1 (FSL-1.1).
+ *
+ * Change Date: February 20, 2029
+ * Change License: MIT
+ *
+ * See the LICENSE file in the project root for full license text.
+ */
+/**
+ * Production server URL.
+ *
+ * Single Source of Truth for the default Neocortex IP Protection Server URL.
+ * All client-side code MUST import this constant instead of hardcoding the URL.
+ *
+ * Shell scripts (install.sh, install.ps1) cannot import from TypeScript,
+ * so they maintain a hardcoded copy with a comment referencing this file.
+ *
+ * Epic 70 - Story 70.03
+ * Epic P46 - Story P46.01: migrated from api.neocortex.ornexus.com to api.neocortex.sh
+ */
+export const DEFAULT_SERVER_URL = 'https://api.neocortex.sh';