@revealui/core 0.0.1-pre.3 → 0.2.0

package/dist/instance/logger.js

@@ -0,0 +1,42 @@
+/**
+ * RevealUI Logger
+ *
+ * Production-safe logging utility for RevealUI framework operations.
+ * Info/warn messages are no-ops in production to avoid console pollution.
+ */
+/**
+ * Production-safe logger implementation
+ * Info/warn messages are completely silenced in production
+ */
+export class Logger {
+    info(...args) {
+        // Info messages are never logged in production
+        if (process.env.NODE_ENV !== 'production') {
+            console.log('[RevealUI]', ...args);
+        }
+    }
+    warn(...args) {
+        // Warning messages are never logged in production
+        if (process.env.NODE_ENV !== 'production') {
+            console.warn('[RevealUI]', ...args);
+        }
+    }
+    error(...args) {
+        console.error('[RevealUI]', ...args);
+    }
+    debug(...args) {
+        if (process.env.NODE_ENV !== 'production') {
+            console.debug('[RevealUI]', ...args);
+        }
+    }
+}
+/**
+ * Creates a new logger instance
+ */
+export function createLogger() {
+    return new Logger();
+}
+/**
+ * Default logger instance
+ */
+export const defaultLogger = new Logger();

package/dist/instance/methods/create.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Create Method
+ *
+ * Creates a new document in a collection with hook handling.
+ */
+import type { RevealCreateOptions, RevealDocument, RevealUIInstance } from '../../types/index.js';
+export declare function create(instance: RevealUIInstance, ensureDbConnected: () => Promise<void>, options: RevealCreateOptions & {
+    collection: string;
+}): Promise<RevealDocument>;
+//# sourceMappingURL=create.d.ts.map

package/dist/instance/methods/create.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"create.d.ts","sourceRoot":"","sources":["../../../src/instance/methods/create.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,mBAAmB,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAA;AAIjG,wBAAsB,MAAM,CAC1B,QAAQ,EAAE,gBAAgB,EAC1B,iBAAiB,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,EACtC,OAAO,EAAE,mBAAmB,GAAG;IAAE,UAAU,EAAE,MAAM,CAAA;CAAE,GACpD,OAAO,CAAC,cAAc,CAAC,CAyCzB"}

package/dist/instance/methods/create.js

@@ -0,0 +1,38 @@
+/**
+ * Create Method
+ *
+ * Creates a new document in a collection with hook handling.
+ */
+import { validateJWTFromRequest } from '../../utils/jwt-validation.js';
+import { callHooks } from './hooks.js';
+export async function create(instance, ensureDbConnected, options) {
+    await ensureDbConnected();
+    const { collection, req } = options;
+    // Validate JWT token if authorization header is provided
+    await validateJWTFromRequest(req);
+    if (!instance.collections[collection]) {
+        throw new Error(`Collection '${collection}' not found`);
+    }
+    const collectionConfig = instance.config.collections?.find((c) => c.slug === collection);
+    // Enforce collection-level access control
+    if (collectionConfig?.access?.create && options.req) {
+        const canCreate = await collectionConfig.access.create({ req: options.req, data: options.data });
+        if (!canCreate) {
+            throw new Error('Access denied: you do not have permission to create in this collection');
+        }
+    }
+    let doc = await instance.collections[collection].create(options);
+    // Call afterChange hooks
+    if (collectionConfig?.hooks?.afterChange && req) {
+        doc = await callHooks(collectionConfig.hooks.afterChange, {
+            doc,
+            context: {
+                revealui: instance,
+                collection,
+                operation: 'create',
+                req,
+            },
+        }, instance);
+    }
+    return doc;
+}

package/dist/instance/methods/delete.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Delete Method
+ *
+ * Deletes a document from a collection.
+ */
+import type { RevealDeleteOptions, RevealDocument, RevealUIInstance } from '../../types/index.js';
+export declare function deleteMethod(instance: RevealUIInstance, ensureDbConnected: () => Promise<void>, options: RevealDeleteOptions & {
+    collection: string;
+}): Promise<RevealDocument>;
+//# sourceMappingURL=delete.d.ts.map

package/dist/instance/methods/delete.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"delete.d.ts","sourceRoot":"","sources":["../../../src/instance/methods/delete.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,mBAAmB,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAA;AAGjG,wBAAsB,YAAY,CAChC,QAAQ,EAAE,gBAAgB,EAC1B,iBAAiB,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,EACtC,OAAO,EAAE,mBAAmB,GAAG;IAAE,UAAU,EAAE,MAAM,CAAA;CAAE,GACpD,OAAO,CAAC,cAAc,CAAC,CAqBzB"}

package/dist/instance/methods/delete.js

@@ -0,0 +1,24 @@
+/**
+ * Delete Method
+ *
+ * Deletes a document from a collection.
+ */
+import { validateJWTFromRequest } from '../../utils/jwt-validation.js';
+export async function deleteMethod(instance, ensureDbConnected, options) {
+    await ensureDbConnected();
+    const { collection, req } = options;
+    // Validate JWT token if authorization header is provided
+    await validateJWTFromRequest(req);
+    if (!instance.collections[collection]) {
+        throw new Error(`Collection '${collection}' not found`);
+    }
+    // Enforce collection-level access control
+    const collectionConfig = instance.config.collections?.find((c) => c.slug === collection);
+    if (collectionConfig?.access?.delete && options.req) {
+        const canDelete = await collectionConfig.access.delete({ req: options.req, id: options.id });
+        if (!canDelete) {
+            throw new Error('Access denied: you do not have permission to delete in this collection');
+        }
+    }
+    return instance.collections[collection].delete(options);
+}

package/dist/instance/methods/find.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Find Method
+ *
+ * Finds multiple documents from a collection with validation and DataLoader setup.
+ */
+import type { RevealFindOptions, RevealPaginatedResult, RevealUIInstance } from '../../types/index.js';
+export declare function find(instance: RevealUIInstance, ensureDbConnected: () => Promise<void>, options: RevealFindOptions & {
+    collection: string;
+}): Promise<RevealPaginatedResult>;
+//# sourceMappingURL=find.d.ts.map

package/dist/instance/methods/find.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"find.d.ts","sourceRoot":"","sources":["../../../src/instance/methods/find.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,KAAK,EACV,iBAAiB,EACjB,qBAAqB,EACrB,gBAAgB,EACjB,MAAM,sBAAsB,CAAA;AAG7B,wBAAsB,IAAI,CACxB,QAAQ,EAAE,gBAAgB,EAC1B,iBAAiB,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,EACtC,OAAO,EAAE,iBAAiB,GAAG;IAAE,UAAU,EAAE,MAAM,CAAA;CAAE,GAClD,OAAO,CAAC,qBAAqB,CAAC,CAmBhC"}

package/dist/instance/methods/find.js

@@ -0,0 +1,23 @@
+/**
+ * Find Method
+ *
+ * Finds multiple documents from a collection with validation and DataLoader setup.
+ */
+import { getDataLoader } from '../../dataloader.js';
+import { validateJWTFromRequest } from '../../utils/jwt-validation.js';
+export async function find(instance, ensureDbConnected, options) {
+    await ensureDbConnected();
+    const { collection, req } = options;
+    // Validate JWT token if authorization header is provided
+    await validateJWTFromRequest(req);
+    if (!instance.collections[collection]) {
+        throw new Error(`Collection '${collection}' not found`);
+    }
+    // Ensure request context has DataLoader if needed
+    if (req && !req.dataLoader) {
+        req.revealui = instance;
+        req.transactionID = req.transactionID || 'default';
+        req.dataLoader = getDataLoader(req);
+    }
+    return instance.collections[collection].find(options);
+}

package/dist/instance/methods/findById.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Find By ID Method
+ *
+ * Finds a single document by ID from a collection with validation and DataLoader setup.
+ */
+import type { RevealDocument, RevealRequest, RevealUIInstance } from '../../types/index.js';
+export declare function findByID(instance: RevealUIInstance, ensureDbConnected: () => Promise<void>, options: {
+    collection: string;
+    id: string | number;
+    depth?: number;
+    req?: RevealRequest;
+}): Promise<RevealDocument | null>;
+//# sourceMappingURL=findById.d.ts.map

package/dist/instance/methods/findById.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"findById.d.ts","sourceRoot":"","sources":["../../../src/instance/methods/findById.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,KAAK,EAAE,cAAc,EAAE,aAAa,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAA;AAG3F,wBAAsB,QAAQ,CAC5B,QAAQ,EAAE,gBAAgB,EAC1B,iBAAiB,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,EACtC,OAAO,EAAE;IACP,UAAU,EAAE,MAAM,CAAA;IAClB,EAAE,EAAE,MAAM,GAAG,MAAM,CAAA;IACnB,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,GAAG,CAAC,EAAE,aAAa,CAAA;CACpB,GACA,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC,CAmBhC"}

package/dist/instance/methods/findById.js

@@ -0,0 +1,23 @@
+/**
+ * Find By ID Method
+ *
+ * Finds a single document by ID from a collection with validation and DataLoader setup.
+ */
+import { getDataLoader } from '../../dataloader.js';
+import { validateJWTFromRequest } from '../../utils/jwt-validation.js';
+export async function findByID(instance, ensureDbConnected, options) {
+    await ensureDbConnected();
+    const { collection, req } = options;
+    // Validate JWT token if authorization header is provided
+    await validateJWTFromRequest(req);
+    if (!instance.collections[collection]) {
+        throw new Error(`Collection '${collection}' not found`);
+    }
+    // Initialize DataLoader for the request if it doesn't exist
+    if (req && !req.dataLoader) {
+        req.revealui = instance;
+        req.transactionID = req.transactionID || 'default';
+        req.dataLoader = getDataLoader(req);
+    }
+    return instance.collections[collection].findByID(options);
+}

package/dist/instance/methods/hooks.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Instance Hooks
+ *
+ * Utilities for calling instance-level hooks.
+ */
+import type { RevealAfterChangeHook, RevealDocument, RevealHookContext, RevealUIInstance } from '../../types/index.js';
+/**
+ * Helper function to call hooks
+ */
+export declare function callHooks(hooks: RevealAfterChangeHook[] | undefined, args: {
+    doc: RevealDocument;
+    context: RevealHookContext;
+}, revealui: RevealUIInstance): Promise<RevealDocument>;
+//# sourceMappingURL=hooks.d.ts.map

package/dist/instance/methods/hooks.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hooks.d.ts","sourceRoot":"","sources":["../../../src/instance/methods/hooks.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,qBAAqB,EACrB,cAAc,EACd,iBAAiB,EAEjB,gBAAgB,EACjB,MAAM,sBAAsB,CAAA;AAE7B;;GAEG;AACH,wBAAsB,SAAS,CAC7B,KAAK,EAAE,qBAAqB,EAAE,GAAG,SAAS,EAC1C,IAAI,EAAE;IACJ,GAAG,EAAE,cAAc,CAAA;IACnB,OAAO,EAAE,iBAAiB,CAAA;CAC3B,EACD,QAAQ,EAAE,gBAAgB,GACzB,OAAO,CAAC,cAAc,CAAC,CAwBzB"}

package/dist/instance/methods/hooks.js

@@ -0,0 +1,32 @@
+/**
+ * Instance Hooks
+ *
+ * Utilities for calling instance-level hooks.
+ */
+/**
+ * Helper function to call hooks
+ */
+export async function callHooks(hooks, args, revealui) {
+    let result = args.doc;
+    if (!hooks)
+        return result;
+    for (const hook of hooks) {
+        try {
+            const hookResult = await hook({
+                doc: result,
+                context: args.context,
+                req: args.context.req || {},
+                operation: args.context.operation || 'update',
+                previousDoc: args.context.previousDoc,
+                collection: args.context.collection || '',
+            });
+            if (hookResult !== undefined) {
+                result = hookResult;
+            }
+        }
+        catch (error) {
+            revealui.logger.error(`Hook execution failed: ${error}`);
+        }
+    }
+    return result;
+}

package/dist/instance/methods/update.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Update Method
+ *
+ * Updates an existing document in a collection with hook handling.
+ */
+import type { RevealDocument, RevealUIInstance, RevealUpdateOptions } from '../../types/index.js';
+export declare function update(instance: RevealUIInstance, ensureDbConnected: () => Promise<void>, options: RevealUpdateOptions & {
+    collection: string;
+}): Promise<RevealDocument>;
+//# sourceMappingURL=update.d.ts.map

package/dist/instance/methods/update.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"update.d.ts","sourceRoot":"","sources":["../../../src/instance/methods/update.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAA;AAIjG,wBAAsB,MAAM,CAC1B,QAAQ,EAAE,gBAAgB,EAC1B,iBAAiB,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,EACtC,OAAO,EAAE,mBAAmB,GAAG;IAAE,UAAU,EAAE,MAAM,CAAA;CAAE,GACpD,OAAO,CAAC,cAAc,CAAC,CA6CzB"}

package/dist/instance/methods/update.js

@@ -0,0 +1,42 @@
+/**
+ * Update Method
+ *
+ * Updates an existing document in a collection with hook handling.
+ */
+import { validateJWTFromRequest } from '../../utils/jwt-validation.js';
+import { callHooks } from './hooks.js';
+export async function update(instance, ensureDbConnected, options) {
+    await ensureDbConnected();
+    const { collection, req } = options;
+    // Validate JWT token if authorization header is provided
+    await validateJWTFromRequest(req);
+    if (!instance.collections[collection]) {
+        throw new Error(`Collection '${collection}' not found`);
+    }
+    const collectionConfig = instance.config.collections?.find((c) => c.slug === collection);
+    // Enforce collection-level access control
+    if (collectionConfig?.access?.update && options.req) {
+        const canUpdate = await collectionConfig.access.update({ req: options.req, id: options.id });
+        if (!canUpdate) {
+            throw new Error('Access denied: you do not have permission to update in this collection');
+        }
+    }
+    const previousDoc = await instance.collections[collection].findByID({
+        id: options.id,
+    });
+    let doc = await instance.collections[collection].update(options);
+    // Call afterChange hooks
+    if (collectionConfig?.hooks?.afterChange && req) {
+        doc = await callHooks(collectionConfig.hooks.afterChange, {
+            doc,
+            context: {
+                revealui: instance,
+                collection,
+                operation: 'update',
+                previousDoc: previousDoc,
+                req,
+            },
+        }, instance);
+    }
+    return doc;
+}

package/dist/license.d.ts

@@ -0,0 +1,73 @@
+/**
+ * License validation for RevealUI Pro/Enterprise tiers.
+ *
+ * @dependencies
+ * - jose - JWT token verification (Web Crypto API)
+ * - zod - Schema validation for license payloads
+ */
+import { z } from 'zod';
+/** Available license tiers */
+export type LicenseTier = 'free' | 'pro' | 'enterprise';
+/** Decoded license payload schema */
+declare const licensePayloadSchema: z.ZodObject<{
+    tier: z.ZodEnum<{
+        pro: "pro";
+        enterprise: "enterprise";
+    }>;
+    customerId: z.ZodString;
+    domains: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    maxSites: z.ZodOptional<z.ZodNumber>;
+    maxUsers: z.ZodOptional<z.ZodNumber>;
+    iat: z.ZodOptional<z.ZodNumber>;
+    exp: z.ZodOptional<z.ZodNumber>;
+}, z.core.$strip>;
+export type LicensePayload = z.infer<typeof licensePayloadSchema>;
+/**
+ * Validates a license key JWT and returns the decoded payload.
+ * Returns null if the key is invalid, expired, or missing.
+ */
+export declare function validateLicenseKey(licenseKey: string, publicKey: string): Promise<LicensePayload | null>;
+/**
+ * Initialize the license system. Call once at application startup.
+ * Reads REVEALUI_LICENSE_KEY and REVEALUI_LICENSE_PUBLIC_KEY from environment.
+ *
+ * @returns The resolved license tier
+ */
+export declare function initializeLicense(): Promise<LicenseTier>;
+/**
+ * Returns the current license tier.
+ * If the license hasn't been initialized, returns 'free'.
+ */
+export declare function getCurrentTier(): LicenseTier;
+/**
+ * Returns the full license payload, or null if no valid license.
+ */
+export declare function getLicensePayload(): LicensePayload | null;
+/**
+ * Checks whether the current license is at least the given tier.
+ */
+export declare function isLicensed(requiredTier: LicenseTier): boolean;
+/**
+ * Returns the maximum number of sites allowed by the current license.
+ */
+export declare function getMaxSites(): number;
+/**
+ * Returns the maximum number of users/editors allowed by the current license.
+ */
+export declare function getMaxUsers(): number;
+/**
+ * Generates a signed license key JWT.
+ * This is a server-only function — requires the private key.
+ *
+ * @param payload - License payload (tier, customerId, limits)
+ * @param privateKey - RS256 or ES256 private key (PEM format)
+ * @param expiresInSeconds - JWT expiration in seconds. Defaults to 1 year.
+ * @returns Signed JWT string
+ */
+export declare function generateLicenseKey(payload: Omit<LicensePayload, 'iat' | 'exp'>, privateKey: string, expiresInSeconds?: number): Promise<string>;
+/**
+ * Reset license state. Primarily for testing.
+ */
+export declare function resetLicenseState(): void;
+export {};
+//# sourceMappingURL=license.d.ts.map

package/dist/license.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"license.d.ts","sourceRoot":"","sources":["../src/license.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,8BAA8B;AAC9B,MAAM,MAAM,WAAW,GAAG,MAAM,GAAG,KAAK,GAAG,YAAY,CAAA;AAEvD,qCAAqC;AACrC,QAAA,MAAM,oBAAoB;;;;;;;;;;;iBAexB,CAAA;AAEF,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAA;AA+BjE;;;GAGG;AACH,wBAAsB,kBAAkB,CACtC,UAAU,EAAE,MAAM,EAClB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC,CAgBhC;AAED;;;;;GAKG;AACH,wBAAsB,iBAAiB,IAAI,OAAO,CAAC,WAAW,CAAC,CAuB9D;AAED;;;GAGG;AACH,wBAAgB,cAAc,IAAI,WAAW,CAE5C;AAED;;GAEG;AACH,wBAAgB,iBAAiB,IAAI,cAAc,GAAG,IAAI,CAEzD;AAED;;GAEG;AACH,wBAAgB,UAAU,CAAC,YAAY,EAAE,WAAW,GAAG,OAAO,CAQ7D;AAED;;GAEG;AACH,wBAAgB,WAAW,IAAI,MAAM,CAIpC;AAED;;GAEG;AACH,wBAAgB,WAAW,IAAI,MAAM,CAIpC;AAED;;;;;;;;GAQG;AACH,wBAAsB,kBAAkB,CACtC,OAAO,EAAE,IAAI,CAAC,cAAc,EAAE,KAAK,GAAG,KAAK,CAAC,EAC5C,UAAU,EAAE,MAAM,EAClB,gBAAgB,SAAqB,GACpC,OAAO,CAAC,MAAM,CAAC,CAOjB;AAED;;GAEG;AACH,wBAAgB,iBAAiB,IAAI,IAAI,CAExC"}

package/dist/license.js

@@ -0,0 +1,157 @@
+/**
+ * License validation for RevealUI Pro/Enterprise tiers.
+ *
+ * @dependencies
+ * - jose - JWT token verification (Web Crypto API)
+ * - zod - Schema validation for license payloads
+ */
+import { importPKCS8, importSPKI, jwtVerify, SignJWT } from 'jose';
+import { z } from 'zod';
+/** Decoded license payload schema */
+const licensePayloadSchema = z.object({
+    /** License tier */
+    tier: z.enum(['pro', 'enterprise']),
+    /** Organization or customer ID */
+    customerId: z.string(),
+    /** Licensed domain(s) */
+    domains: z.array(z.string()).optional(),
+    /** Maximum number of sites allowed */
+    maxSites: z.number().int().positive().optional(),
+    /** Maximum number of users/editors allowed */
+    maxUsers: z.number().int().positive().optional(),
+    /** License issued-at timestamp */
+    iat: z.number().optional(),
+    /** License expiration timestamp */
+    exp: z.number().optional(),
+});
+let cachedState = {
+    tier: 'free',
+    payload: null,
+    validatedAt: null,
+};
+/**
+ * The public key used to verify license JWTs.
+ * In production, this is fetched from the license server.
+ * For local development, it reads from REVEALUI_LICENSE_PUBLIC_KEY env var.
+ */
+function getPublicKey() {
+    return process.env.REVEALUI_LICENSE_PUBLIC_KEY ?? null;
+}
+/**
+ * Reads the license key from environment.
+ */
+function getLicenseKey() {
+    return process.env.REVEALUI_LICENSE_KEY ?? null;
+}
+/**
+ * Validates a license key JWT and returns the decoded payload.
+ * Returns null if the key is invalid, expired, or missing.
+ */
+export async function validateLicenseKey(licenseKey, publicKey) {
+    try {
+        const key = await importSPKI(publicKey, 'RS256');
+        const { payload } = await jwtVerify(licenseKey, key, {
+            algorithms: ['RS256', 'ES256'],
+        });
+        const result = licensePayloadSchema.safeParse(payload);
+        if (!result.success) {
+            return null;
+        }
+        return result.data;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Initialize the license system. Call once at application startup.
+ * Reads REVEALUI_LICENSE_KEY and REVEALUI_LICENSE_PUBLIC_KEY from environment.
+ *
+ * @returns The resolved license tier
+ */
+export async function initializeLicense() {
+    const licenseKey = getLicenseKey();
+    const publicKey = getPublicKey();
+    if (!(licenseKey && publicKey)) {
+        cachedState = { tier: 'free', payload: null, validatedAt: Date.now() };
+        return 'free';
+    }
+    const payload = await validateLicenseKey(licenseKey, publicKey);
+    if (!payload) {
+        cachedState = { tier: 'free', payload: null, validatedAt: Date.now() };
+        return 'free';
+    }
+    cachedState = {
+        tier: payload.tier,
+        payload,
+        validatedAt: Date.now(),
+    };
+    return payload.tier;
+}
+/**
+ * Returns the current license tier.
+ * If the license hasn't been initialized, returns 'free'.
+ */
+export function getCurrentTier() {
+    return cachedState.tier;
+}
+/**
+ * Returns the full license payload, or null if no valid license.
+ */
+export function getLicensePayload() {
+    return cachedState.payload;
+}
+/**
+ * Checks whether the current license is at least the given tier.
+ */
+export function isLicensed(requiredTier) {
+    const tierRank = {
+        free: 0,
+        pro: 1,
+        enterprise: 2,
+    };
+    return tierRank[cachedState.tier] >= tierRank[requiredTier];
+}
+/**
+ * Returns the maximum number of sites allowed by the current license.
+ */
+export function getMaxSites() {
+    if (cachedState.tier === 'enterprise')
+        return Infinity;
+    if (cachedState.tier === 'pro')
+        return cachedState.payload?.maxSites ?? 5;
+    return 1;
+}
+/**
+ * Returns the maximum number of users/editors allowed by the current license.
+ */
+export function getMaxUsers() {
+    if (cachedState.tier === 'enterprise')
+        return Infinity;
+    if (cachedState.tier === 'pro')
+        return cachedState.payload?.maxUsers ?? 25;
+    return 3;
+}
+/**
+ * Generates a signed license key JWT.
+ * This is a server-only function — requires the private key.
+ *
+ * @param payload - License payload (tier, customerId, limits)
+ * @param privateKey - RS256 or ES256 private key (PEM format)
+ * @param expiresInSeconds - JWT expiration in seconds. Defaults to 1 year.
+ * @returns Signed JWT string
+ */
+export async function generateLicenseKey(payload, privateKey, expiresInSeconds = 365 * 24 * 60 * 60) {
+    const key = await importPKCS8(privateKey, 'RS256');
+    return new SignJWT({ ...payload })
+        .setProtectedHeader({ alg: 'RS256' })
+        .setIssuedAt()
+        .setExpirationTime(`${expiresInSeconds}s`)
+        .sign(key);
+}
+/**
+ * Reset license state. Primarily for testing.
+ */
+export function resetLicenseState() {
+    cachedState = { tier: 'free', payload: null, validatedAt: null };
+}