brew-tui 0.6.2 → 0.8.0
- package/build/{brewbar-installer-WJZKSELD.js → brewbar-installer-DCF37YM3.js} +2 -2
- package/build/{brewfile-manager-OITSKEHY.js → brewfile-manager-6LXONGSA.js} +4 -4
- package/build/{chunk-QPXROTAP.js → chunk-3OIVIQWW.js} +59 -17
- package/build/chunk-3OIVIQWW.js.map +1 -0
- package/build/{chunk-KSIAKLE2.js → chunk-3VDIKVS3.js} +3 -3
- package/build/{chunk-5MYWF5D7.js → chunk-FIPCCYL6.js} +2 -2
- package/build/{chunk-Z2VN4VYQ.js → chunk-JYHINZVV.js} +19 -4
- package/build/chunk-JYHINZVV.js.map +1 -0
- package/build/{chunk-6NA4INJS.js → chunk-OHMNJ3EA.js} +39 -3
- package/build/chunk-OHMNJ3EA.js.map +1 -0
- package/build/{chunk-EHIBIFCB.js → chunk-QZZZAAWG.js} +4 -2
- package/build/chunk-QZZZAAWG.js.map +1 -0
- package/build/{chunk-PVSE6XO7.js → chunk-VLREAA5F.js} +19 -3
- package/build/{chunk-PVSE6XO7.js.map → chunk-VLREAA5F.js.map} +1 -1
- package/build/compliance-checker-MAREAFDH.js +12 -0
- package/build/{history-logger-ZGYRAFON.js → history-logger-FJ3HZSFU.js} +3 -3
- package/build/index.js +1061 -850
- package/build/index.js.map +1 -1
- package/build/{snapshot-YWIOFQ5H.js → snapshot-JDRSBMG6.js} +3 -3
- package/build/{sync-engine-DIYXV66P.js → sync-engine-CIL6C44Z.js} +5 -5
- package/build/version-check-RA6SHCXI.js +64 -0
- package/build/version-check-RA6SHCXI.js.map +1 -0
- package/package.json +1 -1
- package/build/chunk-6NA4INJS.js.map +0 -1
- package/build/chunk-EHIBIFCB.js.map +0 -1
- package/build/chunk-QPXROTAP.js.map +0 -1
- package/build/chunk-Z2VN4VYQ.js.map +0 -1
- package/build/compliance-checker-7NMFKWTI.js +0 -12
- /package/build/{brewbar-installer-WJZKSELD.js.map → brewbar-installer-DCF37YM3.js.map} +0 -0
- /package/build/{brewfile-manager-OITSKEHY.js.map → brewfile-manager-6LXONGSA.js.map} +0 -0
- /package/build/{chunk-KSIAKLE2.js.map → chunk-3VDIKVS3.js.map} +0 -0
- /package/build/{chunk-5MYWF5D7.js.map → chunk-FIPCCYL6.js.map} +0 -0
- /package/build/{compliance-checker-7NMFKWTI.js.map → compliance-checker-MAREAFDH.js.map} +0 -0
- /package/build/{history-logger-ZGYRAFON.js.map → history-logger-FJ3HZSFU.js.map} +0 -0
- /package/build/{snapshot-YWIOFQ5H.js.map → snapshot-JDRSBMG6.js.map} +0 -0
- /package/build/{sync-engine-DIYXV66P.js.map → sync-engine-CIL6C44Z.js.map} +0 -0
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
import {
|
|
2
2
|
fetchWithTimeout,
|
|
3
3
|
t
|
|
4
|
-
} from "./chunk-
|
|
4
|
+
} from "./chunk-OHMNJ3EA.js";
|
|
5
5
|
import "./chunk-KDHEUNRI.js";
|
|
6
6
|
|
|
7
7
|
// src/lib/brewbar-installer.ts
|
|
@@ -125,4 +125,4 @@ export {
|
|
|
125
125
|
launchBrewBar,
|
|
126
126
|
uninstallBrewBar
|
|
127
127
|
};
|
|
128
|
-
//# sourceMappingURL=brewbar-installer-
|
|
128
|
+
//# sourceMappingURL=brewbar-installer-DCF37YM3.js.map
|
|
@@ -5,9 +5,9 @@ import {
|
|
|
5
5
|
loadBrewfile,
|
|
6
6
|
reconcile,
|
|
7
7
|
saveBrewfile
|
|
8
|
-
} from "./chunk-
|
|
9
|
-
import "./chunk-
|
|
10
|
-
import "./chunk-
|
|
8
|
+
} from "./chunk-3VDIKVS3.js";
|
|
9
|
+
import "./chunk-VLREAA5F.js";
|
|
10
|
+
import "./chunk-QZZZAAWG.js";
|
|
11
11
|
import "./chunk-KDHEUNRI.js";
|
|
12
12
|
export {
|
|
13
13
|
BREWFILE_PATH,
|
|
@@ -17,4 +17,4 @@ export {
|
|
|
17
17
|
reconcile,
|
|
18
18
|
saveBrewfile
|
|
19
19
|
};
|
|
20
|
-
//# sourceMappingURL=brewfile-manager-
|
|
20
|
+
//# sourceMappingURL=brewfile-manager-6LXONGSA.js.map
|
|
@@ -1,16 +1,16 @@
|
|
|
1
1
|
import {
|
|
2
2
|
captureSnapshot
|
|
3
|
-
} from "./chunk-
|
|
3
|
+
} from "./chunk-VLREAA5F.js";
|
|
4
4
|
import {
|
|
5
5
|
DATA_DIR,
|
|
6
6
|
LICENSE_PATH,
|
|
7
7
|
ensureDataDirs,
|
|
8
8
|
getMachineId
|
|
9
|
-
} from "./chunk-
|
|
9
|
+
} from "./chunk-QZZZAAWG.js";
|
|
10
10
|
import {
|
|
11
11
|
fetchWithRetry,
|
|
12
12
|
t
|
|
13
|
-
} from "./chunk-
|
|
13
|
+
} from "./chunk-OHMNJ3EA.js";
|
|
14
14
|
import {
|
|
15
15
|
logger
|
|
16
16
|
} from "./chunk-KDHEUNRI.js";
|
|
@@ -22,6 +22,23 @@ import { hostname } from "os";
|
|
|
22
22
|
|
|
23
23
|
// src/lib/sync/crypto.ts
|
|
24
24
|
import { createCipheriv, createDecipheriv, randomBytes, scryptSync, hkdfSync } from "crypto";
|
|
25
|
+
|
|
26
|
+
// src/lib/sync/types.ts
|
|
27
|
+
function isSyncPayload(value) {
|
|
28
|
+
if (typeof value !== "object" || value === null) return false;
|
|
29
|
+
const machines = value.machines;
|
|
30
|
+
if (typeof machines !== "object" || machines === null || Array.isArray(machines)) return false;
|
|
31
|
+
for (const m of Object.values(machines)) {
|
|
32
|
+
if (typeof m !== "object" || m === null) return false;
|
|
33
|
+
const state = m;
|
|
34
|
+
if (typeof state.machineId !== "string" || typeof state.machineName !== "string" || typeof state.updatedAt !== "string" || typeof state.snapshot !== "object") {
|
|
35
|
+
return false;
|
|
36
|
+
}
|
|
37
|
+
}
|
|
38
|
+
return true;
|
|
39
|
+
}
|
|
40
|
+
|
|
41
|
+
// src/lib/sync/crypto.ts
|
|
25
42
|
var ENCRYPTION_SECRET = "brew-tui-sync-aes256gcm-v1";
|
|
26
43
|
var HKDF_SALT = "brew-tui-sync-salt-v1";
|
|
27
44
|
var keyCache = /* @__PURE__ */ new Map();
|
|
@@ -61,7 +78,9 @@ function decryptPayload(encrypted, iv, tag, licenseKey) {
|
|
|
61
78
|
const decipher = createDecipheriv("aes-256-gcm", key, ivBuf);
|
|
62
79
|
decipher.setAuthTag(tagBuf);
|
|
63
80
|
const plaintext = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
|
|
64
|
-
|
|
81
|
+
const parsed = JSON.parse(plaintext.toString("utf-8"));
|
|
82
|
+
if (!isSyncPayload(parsed)) throw new Error("Invalid sync payload shape");
|
|
83
|
+
return parsed;
|
|
65
84
|
} catch {
|
|
66
85
|
}
|
|
67
86
|
}
|
|
@@ -94,6 +113,25 @@ function isValidEnvelope(v) {
|
|
|
94
113
|
return obj["schemaVersion"] === 1 && typeof obj["encrypted"] === "string" && typeof obj["iv"] === "string" && typeof obj["tag"] === "string" && typeof obj["updatedAt"] === "string";
|
|
95
114
|
}
|
|
96
115
|
async function readSyncEnvelope() {
|
|
116
|
+
try {
|
|
117
|
+
const info = await stat(ICLOUD_SYNC_PATH);
|
|
118
|
+
if (info.size === 0) {
|
|
119
|
+
logger.warn("sync: iCloud envelope exists but is empty (placeholder?)");
|
|
120
|
+
return null;
|
|
121
|
+
}
|
|
122
|
+
} catch (err) {
|
|
123
|
+
if (err instanceof Error && err.code === "ENOENT") {
|
|
124
|
+
try {
|
|
125
|
+
const placeholder = ICLOUD_SYNC_PATH.replace(/sync\.json$/, ".sync.json.icloud");
|
|
126
|
+
await stat(placeholder);
|
|
127
|
+
logger.warn("sync: iCloud placeholder present, file not yet downloaded");
|
|
128
|
+
} catch {
|
|
129
|
+
}
|
|
130
|
+
return null;
|
|
131
|
+
}
|
|
132
|
+
logger.warn("sync: could not stat iCloud envelope", { error: String(err) });
|
|
133
|
+
return null;
|
|
134
|
+
}
|
|
97
135
|
try {
|
|
98
136
|
const raw = await readFile(ICLOUD_SYNC_PATH, "utf-8");
|
|
99
137
|
const parsed = JSON.parse(raw);
|
|
@@ -103,9 +141,6 @@ async function readSyncEnvelope() {
|
|
|
103
141
|
}
|
|
104
142
|
return parsed;
|
|
105
143
|
} catch (err) {
|
|
106
|
-
if (err instanceof Error && err.code === "ENOENT") {
|
|
107
|
-
return null;
|
|
108
|
-
}
|
|
109
144
|
logger.warn("sync: could not read iCloud envelope", { error: String(err) });
|
|
110
145
|
return null;
|
|
111
146
|
}
|
|
@@ -227,6 +262,13 @@ async function deactivateLicense(key, instanceId) {
|
|
|
227
262
|
);
|
|
228
263
|
}
|
|
229
264
|
|
|
265
|
+
// src/lib/license/types.ts
|
|
266
|
+
function isLicenseData(value) {
|
|
267
|
+
if (typeof value !== "object" || value === null) return false;
|
|
268
|
+
const v = value;
|
|
269
|
+
return typeof v.key === "string" && typeof v.instanceId === "string" && (v.status === "active" || v.status === "expired" || v.status === "inactive") && typeof v.customerEmail === "string" && typeof v.customerName === "string" && (v.plan === "pro" || v.plan === "team") && typeof v.activatedAt === "string" && (v.expiresAt === null || typeof v.expiresAt === "string") && typeof v.lastValidatedAt === "string";
|
|
270
|
+
}
|
|
271
|
+
|
|
230
272
|
// src/lib/license/license-manager.ts
|
|
231
273
|
var REVALIDATION_INTERVAL_MS = 24 * 60 * 60 * 1e3;
|
|
232
274
|
var GRACE_PERIOD_MS = 7 * 24 * 60 * 60 * 1e3;
|
|
@@ -304,8 +346,12 @@ async function decryptLicenseData(encrypted, iv, tag) {
|
|
|
304
346
|
const decipher = createDecipheriv2("aes-256-gcm", key, ivBuf);
|
|
305
347
|
decipher.setAuthTag(tagBuf);
|
|
306
348
|
const plaintext = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
|
|
349
|
+
const parsed = JSON.parse(plaintext.toString("utf-8"));
|
|
350
|
+
if (!isLicenseData(parsed)) {
|
|
351
|
+
throw new Error("Decrypted license payload failed shape validation");
|
|
352
|
+
}
|
|
307
353
|
_decryptedWithLegacyKey = isLegacy;
|
|
308
|
-
return
|
|
354
|
+
return parsed;
|
|
309
355
|
} catch (err) {
|
|
310
356
|
lastErr = err;
|
|
311
357
|
}
|
|
@@ -469,14 +515,10 @@ async function revalidate(license) {
|
|
|
469
515
|
}
|
|
470
516
|
async function deactivate(license) {
|
|
471
517
|
let remoteSuccess = false;
|
|
472
|
-
|
|
473
|
-
|
|
474
|
-
|
|
475
|
-
|
|
476
|
-
break;
|
|
477
|
-
} catch {
|
|
478
|
-
if (attempt < 2) await new Promise((r) => setTimeout(r, 1e3));
|
|
479
|
-
}
|
|
518
|
+
try {
|
|
519
|
+
await deactivateLicense(license.key, license.instanceId);
|
|
520
|
+
remoteSuccess = true;
|
|
521
|
+
} catch {
|
|
480
522
|
}
|
|
481
523
|
await clearLicense();
|
|
482
524
|
return { remoteSuccess };
|
|
@@ -676,4 +718,4 @@ export {
|
|
|
676
718
|
sync,
|
|
677
719
|
applyConflictResolutions
|
|
678
720
|
};
|
|
679
|
-
//# sourceMappingURL=chunk-
|
|
721
|
+
//# sourceMappingURL=chunk-3OIVIQWW.js.map
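Review bot: The new `isSyncPayload` guard (new lines 27–39 of this chunk) accepts a machine entry whose `snapshot` is `null`, because `typeof null === "object"`, and it never checks that `snapshot.formulae` and `snapshot.casks` are arrays. The sources embedded in the accompanying map show `detectConflicts` iterating `machine.snapshot.formulae` and `.casks`, apparently outside the try block in `sync()`, so a payload that passes the guard can still throw there. This matters beyond truncated files because, per the same embedded source, `decryptPayload` still falls back to a legacy key derived only from constants shipped in the bundle, so a valid GCM tag does not by itself show the envelope was written by one of the user's machines. I would tighten the check to `const snap = state.snapshot; if (typeof snap !== "object" || snap === null || !Array.isArray(snap.formulae) || !Array.isArray(snap.casks)) return false;`. The loop in `decryptPayload` that selects the key starts outside the hunk shown here.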
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"sources":["../src/lib/sync/sync-engine.ts","../src/lib/sync/crypto.ts","../src/lib/sync/types.ts","../src/lib/sync/backends/icloud-backend.ts","../src/lib/license/license-manager.ts","../src/lib/license/polar-api.ts","../src/lib/license/types.ts"],"sourcesContent":["import { readFile, writeFile, rename } from 'node:fs/promises';\nimport { join } from 'node:path';\nimport { hostname } from 'node:os';\nimport { encryptPayload, decryptPayload } from './crypto.js';\nimport {\n readSyncEnvelope,\n writeSyncEnvelope,\n isICloudAvailable,\n} from './backends/icloud-backend.js';\nimport { captureSnapshot } from '../state-snapshot/snapshot.js';\nimport { DATA_DIR, getMachineId } from '../data-dir.js';\nimport { loadLicense } from '../license/license-manager.js';\nimport { logger } from '../../utils/logger.js';\nimport type {\n SyncConfig,\n SyncPayload,\n SyncConflict,\n SyncResult,\n MachineState,\n SyncEnvelope,\n} from './types.js';\nimport type { BrewfileSchema } from '../brewfile/types.js';\n\nconst SYNC_CONFIG_PATH = join(DATA_DIR, 'sync-config.json');\n\n// ── Config I/O ──────────────────────────────────────────────────────────────\n\nexport async function loadSyncConfig(): Promise<SyncConfig | null> {\n try {\n const raw = await readFile(SYNC_CONFIG_PATH, 'utf-8');\n return JSON.parse(raw) as SyncConfig;\n } catch {\n return null;\n }\n}\n\nexport async function saveSyncConfig(config: SyncConfig): Promise<void> {\n const tmpPath = SYNC_CONFIG_PATH + '.tmp';\n await writeFile(tmpPath, JSON.stringify(config, null, 2), {\n encoding: 'utf-8',\n mode: 0o600,\n });\n await rename(tmpPath, SYNC_CONFIG_PATH);\n}\n\n// ── Machine ID ───────────────────────────────────────────────────────────────\n// Single canonical implementation lives in data-dir.ts. 
The previous fallback\n// to os.hostname() here meant two different machines with the same hostname\n// (common on freshly-imaged corporate fleets) collided in sync state.\n\nexport { getMachineId };\n\n// ── Conflict detection ───────────────────────────────────────────────────────\n\nfunction detectConflicts(\n localSnapshot: { formulae: Array<{ name: string; version: string }>; casks: Array<{ name: string; version: string }> },\n otherMachines: MachineState[],\n localMachineId: string,\n): SyncConflict[] {\n const conflicts: SyncConflict[] = [];\n\n const localFormulaMap = new Map(localSnapshot.formulae.map((f) => [f.name, f.version]));\n const localCaskMap = new Map(localSnapshot.casks.map((c) => [c.name, c.version]));\n\n for (const machine of otherMachines) {\n if (machine.machineId === localMachineId) continue;\n\n // Check formula conflicts: same package, different version on both machines\n for (const remoteFormula of machine.snapshot.formulae) {\n const localVersion = localFormulaMap.get(remoteFormula.name);\n if (localVersion !== undefined && localVersion !== remoteFormula.version) {\n conflicts.push({\n packageName: remoteFormula.name,\n packageType: 'formula',\n localVersion,\n remoteMachine: machine.machineName,\n remoteVersion: remoteFormula.version,\n });\n }\n }\n\n // Check cask conflicts\n for (const remoteCask of machine.snapshot.casks) {\n const localVersion = localCaskMap.get(remoteCask.name);\n if (localVersion !== undefined && localVersion !== remoteCask.version) {\n conflicts.push({\n packageName: remoteCask.name,\n packageType: 'cask',\n localVersion,\n remoteMachine: machine.machineName,\n remoteVersion: remoteCask.version,\n });\n }\n }\n }\n\n return conflicts;\n}\n\n// ── Merge ────────────────────────────────────────────────────────────────────\n\nasync function writeEnvelope(payload: SyncPayload, licenseKey: string): Promise<string> {\n const now = new Date().toISOString();\n const { encrypted, iv, tag } = encryptPayload(payload, 
licenseKey);\n const envelope: SyncEnvelope = {\n schemaVersion: 1,\n encrypted,\n iv,\n tag,\n updatedAt: now,\n };\n await writeSyncEnvelope(envelope);\n return now;\n}\n\nasync function loadLicenseKeyOrThrow(): Promise<string> {\n // Sync requires Pro, and Pro requires a license. Read it lazily so\n // sync-store callers don't have to plumb the key through every call.\n const license = await loadLicense();\n if (!license || !license.key) {\n throw new Error('Sync requires an active license');\n }\n return license.key;\n}\n\nfunction mergePayload(existing: SyncPayload, localState: MachineState): SyncPayload {\n return {\n machines: {\n ...existing.machines,\n [localState.machineId]: localState,\n },\n };\n}\n\n// ── Main sync function ───────────────────────────────────────────────────────\n\nexport async function sync(\n isPro: boolean,\n currentBrewfile?: BrewfileSchema,\n): Promise<SyncResult> {\n if (!isPro) {\n throw new Error('Pro license required');\n }\n\n const available = await isICloudAvailable();\n if (!available) {\n return {\n success: false,\n conflicts: [],\n resolvedCount: 0,\n error: 'iCloud Drive not available',\n };\n }\n\n const licenseKey = await loadLicenseKeyOrThrow();\n\n let existingPayload: SyncPayload | null = null;\n\n try {\n const envelope = await readSyncEnvelope();\n if (envelope) {\n existingPayload = decryptPayload(envelope.encrypted, envelope.iv, envelope.tag, licenseKey);\n }\n } catch (err) {\n logger.warn('sync: could not decrypt existing payload, starting fresh', { error: String(err) });\n existingPayload = null;\n }\n\n // Capture current local state\n const snapshot = await captureSnapshot();\n const machineId = await getMachineId();\n const machineName = hostname();\n\n const localState: MachineState = {\n machineId,\n machineName,\n updatedAt: new Date().toISOString(),\n snapshot,\n ...(currentBrewfile ? 
{ brewfile: currentBrewfile } : {}),\n };\n\n // Detect conflicts against other machines in the payload\n const otherMachines = existingPayload\n ? Object.values(existingPayload.machines).filter((m) => m.machineId !== machineId)\n : [];\n\n const conflicts = detectConflicts(snapshot, otherMachines, machineId);\n\n // Always write the local machine state to the payload, even when conflicts\n // exist, so that applyConflictResolutions() has a local entry to update.\n // Without this, the iCloud envelope keeps only remote machines, and\n // resolution updates are silently dropped (they require localMachine to exist).\n const basePayload: SyncPayload = existingPayload ?? { machines: {} };\n const mergedPayload = mergePayload(basePayload, localState);\n\n if (conflicts.length > 0) {\n // Persist local state, then surface conflicts so the user can resolve them.\n await writeEnvelope(mergedPayload, licenseKey);\n return {\n success: false,\n conflicts,\n resolvedCount: 0,\n };\n }\n\n const now = await writeEnvelope(mergedPayload, licenseKey);\n\n // Update local sync config\n const existingConfig = await loadSyncConfig();\n await saveSyncConfig({\n enabled: true,\n machineId,\n machineName,\n ...(existingConfig ?? 
{}),\n lastSync: now,\n });\n\n logger.info('sync: completed successfully', { machineId, machines: Object.keys(mergedPayload.machines).length });\n\n return {\n success: true,\n conflicts: [],\n resolvedCount: 0,\n };\n}\n\n// ── Conflict resolution ──────────────────────────────────────────────────────\n\nexport async function applyConflictResolutions(\n payload: SyncPayload,\n resolutions: Array<{ conflict: SyncConflict; resolution: 'use-local' | 'use-remote' }>,\n localMachineId: string,\n): Promise<void> {\n // Work on a mutable copy\n const updatedPayload: SyncPayload = {\n machines: { ...payload.machines },\n };\n\n for (const { conflict, resolution } of resolutions) {\n if (resolution !== 'use-remote') continue;\n // Re-read latest local machine on every iteration so consecutive resolutions\n // build on top of each other instead of overwriting prior changes.\n const localMachine = updatedPayload.machines[localMachineId];\n if (!localMachine) {\n logger.warn('sync: cannot apply resolution, local machine missing in payload', { localMachineId });\n continue;\n }\n if (conflict.packageType === 'formula') {\n updatedPayload.machines[localMachineId] = {\n ...localMachine,\n snapshot: {\n ...localMachine.snapshot,\n formulae: localMachine.snapshot.formulae.map((f) =>\n f.name === conflict.packageName\n ? { ...f, version: conflict.remoteVersion }\n : f,\n ),\n },\n };\n } else {\n updatedPayload.machines[localMachineId] = {\n ...localMachine,\n snapshot: {\n ...localMachine.snapshot,\n casks: localMachine.snapshot.casks.map((c) =>\n c.name === conflict.packageName\n ? 
{ ...c, version: conflict.remoteVersion }\n : c,\n ),\n },\n };\n }\n }\n\n const licenseKey = await loadLicenseKeyOrThrow();\n await writeEnvelope(updatedPayload, licenseKey);\n logger.info('sync: conflict resolutions applied', { count: resolutions.length });\n}\n","import { createCipheriv, createDecipheriv, randomBytes, scryptSync, hkdfSync } from 'node:crypto';\nimport { isSyncPayload, type SyncPayload } from './types.js';\n\n// SEG-003: Cross-machine sync encryption.\n// The two constants below are public (compiled into the npm bundle). The\n// per-user secret factor is the Polar license key, which only the user's\n// own machines hold and which Polar issues — so any two of the user's\n// machines derive the same key, but bundle + iCloud snoop is no longer\n// enough to decrypt: the attacker also needs the license key.\n//\n// HKDF-SHA256 over scrypt: the license key is high-entropy by construction\n// (Polar issues UUID-style keys), so the cost-hardening of scrypt isn't\n// what's protecting the key — the secrecy of the license key is. HKDF is\n// also faster, so machines don't pay scrypt's CPU tax on every sync.\nconst ENCRYPTION_SECRET = 'brew-tui-sync-aes256gcm-v1';\nconst HKDF_SALT = 'brew-tui-sync-salt-v1';\n\nconst keyCache = new Map<string, Buffer>();\nlet _legacyKey: Buffer | null = null;\n\nfunction deriveEncryptionKey(licenseKey: string): Buffer {\n const cached = keyCache.get(licenseKey);\n if (cached) return cached;\n const derived = Buffer.from(hkdfSync('sha256', ENCRYPTION_SECRET, HKDF_SALT, licenseKey, 32));\n keyCache.set(licenseKey, derived);\n return derived;\n}\n\n// Legacy key — scrypt(SECRET, SALT), no license-key factor. 
Used as a\n// decryption fallback for envelopes written by 0.6.2 and earlier.\n// TODO(SEG-003, 0.6.3): remove `_legacyKey` after telemetry confirms zero\n// fallback decrypts in the wild.\nfunction deriveLegacyKey(): Buffer {\n if (!_legacyKey) {\n _legacyKey = scryptSync(ENCRYPTION_SECRET, HKDF_SALT, 32, { N: 16384, r: 8, p: 1 });\n }\n return _legacyKey;\n}\n\nexport function encryptPayload(data: SyncPayload, licenseKey: string): { encrypted: string; iv: string; tag: string } {\n const key = deriveEncryptionKey(licenseKey);\n const iv = randomBytes(12); // 96-bit IV for GCM\n const cipher = createCipheriv('aes-256-gcm', key, iv);\n\n const plaintext = JSON.stringify(data);\n const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf-8'), cipher.final()]);\n const tag = cipher.getAuthTag();\n\n return {\n encrypted: ciphertext.toString('base64'),\n iv: iv.toString('base64'),\n tag: tag.toString('base64'),\n };\n}\n\nexport function decryptPayload(encrypted: string, iv: string, tag: string, licenseKey: string): SyncPayload {\n const ivBuf = Buffer.from(iv, 'base64');\n const tagBuf = Buffer.from(tag, 'base64');\n const ciphertext = Buffer.from(encrypted, 'base64');\n\n // Try the licenseKey-bound key first; fall back to the legacy bundle-only\n // key for envelopes written by 0.6.2 and earlier. 
Re-encryption happens\n // automatically on the next sync write because writeEnvelope always uses\n // the current key.\n for (const key of [deriveEncryptionKey(licenseKey), deriveLegacyKey()]) {\n try {\n const decipher = createDecipheriv('aes-256-gcm', key, ivBuf);\n decipher.setAuthTag(tagBuf);\n const plaintext = Buffer.concat([decipher.update(ciphertext), decipher.final()]);\n const parsed: unknown = JSON.parse(plaintext.toString('utf-8'));\n if (!isSyncPayload(parsed)) throw new Error('Invalid sync payload shape');\n return parsed;\n } catch { /* try next */ }\n }\n throw new Error('Failed to decrypt sync payload');\n}\n","import type { BrewSnapshot } from '../state-snapshot/snapshot.js';\nimport type { BrewfileSchema } from '../brewfile/types.js';\n\nexport interface SyncConfig {\n enabled: boolean;\n machineId: string;\n machineName: string;\n lastSync?: string; // ISO 8601\n}\n\nexport interface MachineState {\n machineId: string;\n machineName: string;\n updatedAt: string; // ISO 8601\n snapshot: BrewSnapshot;\n brewfile?: BrewfileSchema;\n}\n\nexport interface SyncPayload {\n machines: Record<string, MachineState>;\n}\n\n// BK-008: type guard for sync envelopes after AES-GCM decrypt. 
Defends against\n// truncated or migrated payloads landing as undefined accesses downstream.\nexport function isSyncPayload(value: unknown): value is SyncPayload {\n if (typeof value !== 'object' || value === null) return false;\n const machines = (value as Record<string, unknown>).machines;\n if (typeof machines !== 'object' || machines === null || Array.isArray(machines)) return false;\n for (const m of Object.values(machines as Record<string, unknown>)) {\n if (typeof m !== 'object' || m === null) return false;\n const state = m as Record<string, unknown>;\n if (\n typeof state.machineId !== 'string' ||\n typeof state.machineName !== 'string' ||\n typeof state.updatedAt !== 'string' ||\n typeof state.snapshot !== 'object'\n ) {\n return false;\n }\n }\n return true;\n}\n\nexport interface SyncEnvelope {\n schemaVersion: 1;\n encrypted: string;\n iv: string;\n tag: string;\n updatedAt: string; // ISO 8601 — plaintext for BrewBar monitoring\n}\n\nexport type ConflictResolution = 'use-local' | 'use-remote' | 'merge-union';\n\nexport interface SyncConflict {\n packageName: string;\n packageType: 'formula' | 'cask';\n localVersion: string;\n remoteMachine: string;\n remoteVersion: string;\n}\n\nexport interface SyncResult {\n success: boolean;\n conflicts: SyncConflict[];\n resolvedCount: number;\n error?: string;\n}\n","import { readFile, writeFile, rename, mkdir, stat } from 'node:fs/promises';\nimport { homedir } from 'node:os';\nimport { join } from 'node:path';\nimport { logger } from '../../../utils/logger.js';\nimport type { SyncEnvelope } from '../types.js';\n\nconst ICLOUD_BASE = join(\n homedir(),\n 'Library', 'Mobile Documents', 'com~apple~CloudDocs',\n);\nexport const ICLOUD_SYNC_DIR = join(ICLOUD_BASE, 'BrewTUI');\nexport const ICLOUD_SYNC_PATH = join(ICLOUD_SYNC_DIR, 'sync.json');\n\nexport async function isICloudAvailable(): Promise<boolean> {\n try {\n await stat(ICLOUD_BASE);\n return true;\n } catch {\n return false;\n }\n}\n\nfunction 
isValidEnvelope(v: unknown): v is SyncEnvelope {\n if (!v || typeof v !== 'object') return false;\n const obj = v as Record<string, unknown>;\n return (\n obj['schemaVersion'] === 1 &&\n typeof obj['encrypted'] === 'string' &&\n typeof obj['iv'] === 'string' &&\n typeof obj['tag'] === 'string' &&\n typeof obj['updatedAt'] === 'string'\n );\n}\n\nexport async function readSyncEnvelope(): Promise<SyncEnvelope | null> {\n // BK-012: iCloud may leave an undownloaded placeholder at the path. Reading\n // returns 0 bytes (or ENOENT for the file but a sibling .icloud entry).\n // Treat empty / missing-but-pending as \"not yet ready\" without surfacing\n // a misleading \"no remote state\" to the caller.\n try {\n const info = await stat(ICLOUD_SYNC_PATH);\n if (info.size === 0) {\n logger.warn('sync: iCloud envelope exists but is empty (placeholder?)');\n return null;\n }\n } catch (err: unknown) {\n if (err instanceof Error && (err as NodeJS.ErrnoException).code === 'ENOENT') {\n // First-sync case OR pending download — check for the placeholder sibling.\n try {\n const placeholder = ICLOUD_SYNC_PATH.replace(/sync\\.json$/, '.sync.json.icloud');\n await stat(placeholder);\n logger.warn('sync: iCloud placeholder present, file not yet downloaded');\n } catch { /* genuinely absent */ }\n return null;\n }\n logger.warn('sync: could not stat iCloud envelope', { error: String(err) });\n return null;\n }\n\n try {\n const raw = await readFile(ICLOUD_SYNC_PATH, 'utf-8');\n const parsed: unknown = JSON.parse(raw);\n if (!isValidEnvelope(parsed)) {\n logger.warn('sync: invalid envelope structure in iCloud file');\n return null;\n }\n return parsed;\n } catch (err: unknown) {\n logger.warn('sync: could not read iCloud envelope', { error: String(err) });\n return null;\n }\n}\n\nexport async function writeSyncEnvelope(envelope: SyncEnvelope): Promise<void> {\n await mkdir(ICLOUD_SYNC_DIR, { recursive: true });\n const tmpPath = ICLOUD_SYNC_PATH + '.tmp';\n await writeFile(tmpPath, 
JSON.stringify(envelope, null, 2), {\n encoding: 'utf-8',\n mode: 0o600,\n });\n await rename(tmpPath, ICLOUD_SYNC_PATH);\n}\n","import { readFile, writeFile, rename, rm } from 'node:fs/promises';\nimport { createCipheriv, createDecipheriv, randomBytes, scryptSync, hkdfSync } from 'node:crypto';\nimport { LICENSE_PATH, ensureDataDirs, getMachineId } from '../data-dir.js';\nimport { activateLicense as apiActivate, validateLicense as apiValidate, deactivateLicense as apiDeactivate } from './polar-api.js';\nimport { t } from '../../i18n/index.js';\nimport { isLicenseData, type LicenseData, type LicenseFile } from './types.js';\n\n// SEG-009 guard: previously a hardcoded map bypassed Polar entirely. The\n// function is kept as an always-null export so a regression test can pin\n// the behaviour and the import site in license-store stays stable.\nexport function getBuiltinAccountType(_email: string): 'pro' | 'team' | 'free' | null {\n return null;\n}\n\nconst REVALIDATION_INTERVAL_MS = 24 * 60 * 60 * 1000; // 24h\nconst GRACE_PERIOD_MS = 7 * 24 * 60 * 60 * 1000; // 7 days\n\n// ── Layer 18: Client-side rate limiting on activations ──\nconst ACTIVATION_COOLDOWN_MS = 30_000; // 30 seconds between attempts\nconst MAX_ATTEMPTS = 5;\nconst LOCKOUT_MS = 15 * 60 * 1000; // 15 min lockout after max attempts\n\ninterface ActivationTracker {\n attempts: number;\n lastAttempt: number;\n lockedUntil: number;\n}\n\n// UX-004: rate-limit state is intentionally in-memory only. It is a first\n// filter to slow down brute force inside one TUI session — the authoritative\n// activation throttle lives in the Polar backend, which sees attempts across\n// process restarts. 
Persisting this client-side would invite users to delete\n// the file and reset themselves; the trade-off is documented here on purpose.\nconst tracker: ActivationTracker = {\n attempts: 0,\n lastAttempt: 0,\n lockedUntil: 0,\n};\n\nfunction checkRateLimit(): void {\n const now = Date.now();\n\n // Check lockout\n if (now < tracker.lockedUntil) {\n const remaining = Math.ceil((tracker.lockedUntil - now) / 60000);\n throw new Error(t('cli_rateLimited', { minutes: remaining }));\n }\n\n // Check cooldown\n if (now - tracker.lastAttempt < ACTIVATION_COOLDOWN_MS) {\n throw new Error(t('cli_cooldown'));\n }\n}\n\nfunction recordAttempt(success: boolean): void {\n const now = Date.now();\n tracker.lastAttempt = now;\n\n if (success) {\n tracker.attempts = 0;\n return;\n }\n\n tracker.attempts++;\n if (tracker.attempts >= MAX_ATTEMPTS) {\n tracker.lockedUntil = now + LOCKOUT_MS;\n tracker.attempts = 0;\n }\n}\n\n// SECURITY (SEG-002): the bundle-only constants below USED to be the entire\n// derivation input — anyone with the npm bundle could decrypt any user's\n// license.json. Now the per-user machineId is mixed into the HKDF info, so\n// the bundle alone is no longer sufficient: an attacker also needs the\n// target's ~/.brew-tui/machine-id. 
The two constants stay published; what's\n// secret is the user's local machineId, which never leaves the machine.\n//\n// HKDF-SHA256 was chosen over scrypt because Swift's CryptoKit (used by\n// BrewBar to read the same license.json) ships HKDF natively but not scrypt.\n// machineId is a UUIDv4 with 122 bits of entropy, so the cost-hardening of\n// scrypt is not what's protecting the key — the secrecy of the machineId is.\nconst ENCRYPTION_SECRET = 'brew-tui-license-aes256gcm-v1';\nconst HKDF_SALT = 'brew-tui-salt-v1';\n\nlet _derivedKey: Buffer | null = null;\nlet _legacyKey: Buffer | null = null;\nlet _decryptedWithLegacyKey = false;\n\nasync function deriveEncryptionKey(): Promise<Buffer> {\n if (_derivedKey) return _derivedKey;\n const machineId = await getMachineId();\n // HKDF: ikm = SECRET, salt = HKDF_SALT, info = machineId, len = 32\n const derived = hkdfSync('sha256', ENCRYPTION_SECRET, HKDF_SALT, machineId, 32);\n _derivedKey = Buffer.from(derived);\n return _derivedKey;\n}\n\n// Legacy key — scrypt(SECRET, SALT) with no machineId. Pre-existing\n// license.json files written by 0.6.2 and earlier are ciphered with this.\n// decryptLicenseData falls back to it; the next saveLicense re-ciphers\n// using the HKDF key. 
TODO(SEG-003, 0.6.3): remove `_legacyKey` after\n// telemetry confirms zero fallback decrypts in the wild.\nfunction deriveLegacyKey(): Buffer {\n if (!_legacyKey) _legacyKey = scryptSync(ENCRYPTION_SECRET, HKDF_SALT, 32);\n return _legacyKey;\n}\n\nasync function encryptLicenseData(data: LicenseData): Promise<{ encrypted: string; iv: string; tag: string }> {\n const key = await deriveEncryptionKey();\n const iv = randomBytes(12); // 96-bit IV for GCM\n const cipher = createCipheriv('aes-256-gcm', key, iv);\n\n const plaintext = JSON.stringify(data);\n const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf-8'), cipher.final()]);\n const tag = cipher.getAuthTag();\n\n return {\n encrypted: ciphertext.toString('base64'),\n iv: iv.toString('base64'),\n tag: tag.toString('base64'),\n };\n}\n\nasync function decryptLicenseData(encrypted: string, iv: string, tag: string): Promise<LicenseData> {\n const ivBuf = Buffer.from(iv, 'base64');\n const tagBuf = Buffer.from(tag, 'base64');\n const ciphertext = Buffer.from(encrypted, 'base64');\n\n // Try the current (machine-bound) key first; fall back to the legacy\n // (bundle-only) key for upgrade compatibility.\n const candidates: Array<[Buffer, boolean]> = [\n [await deriveEncryptionKey(), false],\n [deriveLegacyKey(), true],\n ];\n let lastErr: unknown;\n for (const [key, isLegacy] of candidates) {\n try {\n const decipher = createDecipheriv('aes-256-gcm', key, ivBuf);\n decipher.setAuthTag(tagBuf);\n const plaintext = Buffer.concat([decipher.update(ciphertext), decipher.final()]);\n const parsed: unknown = JSON.parse(plaintext.toString('utf-8'));\n if (!isLicenseData(parsed)) {\n throw new Error('Decrypted license payload failed shape validation');\n }\n _decryptedWithLegacyKey = isLegacy;\n return parsed;\n } catch (err) { lastErr = err; }\n }\n throw lastErr instanceof Error ? 
lastErr : new Error('Failed to decrypt license');\n}\n\n// BK-003: Type guard for license data format\nfunction isLicenseFile(obj: unknown): obj is LicenseFile {\n return typeof obj === 'object' && obj !== null && (obj as Record<string, unknown>).version === 1;\n}\n\nfunction isEncryptedLicenseFile(obj: unknown): obj is LicenseFile & { encrypted: string; iv: string; tag: string } {\n if (!isLicenseFile(obj)) return false;\n const record = obj as unknown as Record<string, unknown>;\n return typeof record.encrypted === 'string'\n && typeof record.iv === 'string'\n && typeof record.tag === 'string';\n}\n\nexport async function loadLicense(): Promise<LicenseData | null> {\n try {\n const raw = await readFile(LICENSE_PATH, 'utf-8');\n const parsed: unknown = JSON.parse(raw);\n\n // BK-003: Validate parsed data\n if (!isLicenseFile(parsed)) {\n throw new Error('Invalid license data format');\n }\n\n const file = parsed as LicenseFile;\n\n if (file.version !== 1) {\n // Future: add migration logic here\n throw new Error('Unsupported data version');\n }\n\n // New encrypted format\n if (isEncryptedLicenseFile(file)) {\n const data = await decryptLicenseData(file.encrypted!, file.iv!, file.tag!);\n\n // SEG-002: Check machine ID if stored in the envelope.\n // getMachineId() now always resolves a value — if the user's machine-id\n // file was wiped, a new UUID is created and this check rejects the\n // license, prompting reactivation. 
Same behaviour the polar-api flow\n // already had on save.\n const fileRecord = file as unknown as Record<string, unknown>;\n if (fileRecord.machineId) {\n const currentMachineId = await getMachineId();\n if (fileRecord.machineId !== currentMachineId) {\n throw new Error('License was activated on a different machine');\n }\n }\n\n // If we fell back to the legacy bundle-only key, re-cipher with the\n // current machine-bound key so future reads use the strong path.\n if (_decryptedWithLegacyKey) {\n _decryptedWithLegacyKey = false;\n try { await saveLicense(data); } catch { /* best effort */ }\n }\n\n return data;\n }\n\n // Legacy unencrypted format — migrate to encrypted on read\n if (file.license) {\n const data = file.license;\n // Re-save in encrypted format\n await saveLicense(data);\n return data;\n }\n\n return null;\n } catch {\n return null;\n }\n}\n\nexport async function saveLicense(data: LicenseData): Promise<void> {\n await ensureDataDirs();\n const { encrypted, iv, tag } = await encryptLicenseData(data);\n // SEG-002: Include machineId in the envelope for portability detection\n const machineId = await getMachineId();\n const file: Record<string, unknown> = { version: 1, encrypted, iv, tag, machineId };\n const tmpPath = LICENSE_PATH + '.tmp';\n await writeFile(tmpPath, JSON.stringify(file, null, 2), { encoding: 'utf-8', mode: 0o600 });\n await rename(tmpPath, LICENSE_PATH);\n}\n\nexport async function clearLicense(): Promise<void> {\n try {\n await rm(LICENSE_PATH);\n } catch { /* file may not exist */ }\n}\n\nexport function isExpired(license: LicenseData): boolean {\n if (!license.expiresAt) return false;\n const expiry = new Date(license.expiresAt).getTime();\n // Fail closed on corrupted/unparseable dates: NaN comparisons are always\n // false, so the previous version treated a garbage expiresAt as \"never\n // expires\", which is exploitable.\n if (isNaN(expiry)) return true;\n return expiry < Date.now();\n}\n\nexport function 
needsRevalidation(license: LicenseData): boolean {\n const lastValidated = new Date(license.lastValidatedAt).getTime();\n if (isNaN(lastValidated)) return true; // corrupted date → force revalidation\n return Date.now() - lastValidated > REVALIDATION_INTERVAL_MS;\n}\n\nexport function isWithinGracePeriod(license: LicenseData): boolean {\n const lastValidated = new Date(license.lastValidatedAt).getTime();\n if (isNaN(lastValidated)) return false; // corrupted date → no grace\n return Date.now() - lastValidated < GRACE_PERIOD_MS;\n}\n\n// ── Layer 15: Gradual degradation after extended offline ──\n\nexport type DegradationLevel = 'none' | 'warning' | 'limited' | 'expired';\nexport type RevalidationResult = 'valid' | 'grace' | 'expired';\n\n/**\n * Returns the degradation level based on time since last server validation.\n * - 0-7 days: none (full access)\n * - 7-14 days: warning (shows a notice but still works)\n * - 14-30 days: limited (some features disabled)\n * - 30+ days: expired (all Pro features disabled)\n */\nexport function getDegradationLevel(license: LicenseData): DegradationLevel {\n const lastValidated = new Date(license.lastValidatedAt).getTime();\n if (isNaN(lastValidated)) return 'expired'; // corrupted date → deny access\n const elapsed = Date.now() - lastValidated;\n if (elapsed < 0) return 'none'; // clock skew: future timestamp → treat as fresh\n const days = elapsed / (24 * 60 * 60 * 1000);\n\n if (days <= 7) return 'none';\n if (days <= 14) return 'warning';\n if (days <= 30) return 'limited';\n return 'expired';\n}\n\n// Layer 10: License key format validation\nfunction validateLicenseKey(key: string): void {\n // Polar keys are UUID-like: 8-4-4-4-12 hex chars or similar\n // Reject obviously invalid keys to avoid unnecessary API calls\n if (key.length < 10 || key.length > 100) {\n throw new Error('Invalid license key format');\n }\n // Only allow alphanumeric, hyphens, underscores\n if (!/^[\\w-]+$/.test(key)) {\n throw new Error('Invalid 
license key format');\n }\n}\n\n// Polar license-key benefits use distinct prefixes per tier:\n// Pro Monthly/Yearly → \"BTUI-...\"\n// Team Monthly/Yearly → \"BTUI-T-...\"\n// We detect the tier from the prefix instead of looking up the productId,\n// because Polar's customer-portal license endpoints don't echo product info\n// in the activation response.\nfunction detectPlan(key: string): 'pro' | 'team' {\n const upper = key.toUpperCase();\n return upper.startsWith('BTUI-T-') || upper.startsWith('BTUI-T_') ? 'team' : 'pro';\n}\n\nexport async function activate(key: string): Promise<LicenseData> {\n validateLicenseKey(key);\n checkRateLimit();\n\n let success = false;\n try {\n const res = await apiActivate(key);\n\n if (!res.activated) {\n throw new Error(res.error ?? 'Activation failed');\n }\n\n const license: LicenseData = {\n key,\n instanceId: res.instance.id,\n status: 'active',\n customerEmail: res.meta.customer_email,\n customerName: res.meta.customer_name,\n plan: detectPlan(key),\n activatedAt: new Date().toISOString(),\n expiresAt: res.license_key.expires_at,\n lastValidatedAt: new Date().toISOString(),\n };\n\n await saveLicense(license);\n success = true;\n return license;\n } finally {\n recordAttempt(success);\n }\n}\n\n/**\n * Revalidate the license against the server.\n * This also serves as Layer 19 (telemetry): each validation call\n * allows Polar to track activation count, last-seen timestamp,\n * and detect if the activation limit is exceeded (license sharing).\n */\n// EP-006: Detect if an error is a network error vs validation/contract error\nfunction isNetworkError(err: unknown): boolean {\n const msg = err instanceof Error ? 
err.message : String(err);\n return /fetch failed|ECONNREFUSED|ENOTFOUND|ETIMEDOUT|network|timeout|abort/i.test(msg);\n}\n\nexport async function revalidate(license: LicenseData): Promise<RevalidationResult> {\n try {\n const res = await apiValidate(license.key, license.instanceId);\n\n if (res.valid) {\n const updated: LicenseData = {\n ...license,\n lastValidatedAt: new Date().toISOString(),\n status: 'active',\n expiresAt: res.license_key.expires_at,\n };\n await saveLicense(updated);\n return 'valid';\n }\n\n await saveLicense({ ...license, status: 'expired' });\n return 'expired';\n } catch (err) {\n // EP-006: Network errors trigger grace period; validation/contract errors mean expired\n if (isNetworkError(err)) {\n return isWithinGracePeriod(license) ? 'grace' : 'expired';\n }\n // Unexpected response or contract violation — treat as expired\n await saveLicense({ ...license, status: 'expired' });\n return 'expired';\n }\n}\n\nexport async function deactivate(license: LicenseData): Promise<{ remoteSuccess: boolean }> {\n // EP-001: apiDeactivate already wraps fetchWithRetry (3 attempts). 
The\n // outer loop multiplied that into 9 POSTs — Polar would count each as a\n // separate request and a flaky network would amplify load 3×.\n let remoteSuccess = false;\n try {\n await apiDeactivate(license.key, license.instanceId);\n remoteSuccess = true;\n } catch { /* local clear still happens below */ }\n await clearLicense();\n return { remoteSuccess };\n}\n","import type { PolarActivateResponse, PolarValidateResponse } from './types.js';\nimport { fetchWithRetry } from '../fetch-timeout.js';\nimport { getMachineId } from '../data-dir.js';\n\nconst BASE_URL = 'https://api.polar.sh/v1/customer-portal/license-keys';\n\n// ── GOV-004: Public organization ID (not a secret) ──\n// This is the public Polar organization identifier used for license key operations.\n// Found at: polar.sh/dashboard -> Settings -> General\nexport const POLAR_ORGANIZATION_ID = 'b8f245c0-d116-4457-92fb-1bda47139f82';\n\n// Polar product IDs (public, not secret) — useful for analytics, support, and\n// future server-side validation that wants to confirm what the customer bought.\nexport const POLAR_PRODUCT_IDS = {\n proMonthly: 'b925b882-464c-40c1-9ffd-b088ab31d9a3',\n proYearly: '8f97bb81-b950-4bc3-97c5-8133dd817d0b',\n teamMonthly: '7cf3fcb2-560d-4fbb-9936-15efac511b23',\n teamYearly: 'd096914d-902d-47b0-8d62-5c7e6fc4e087',\n} as const;\n\n// Public checkout URLs surfaced from the landing page and the CLI upgrade prompt.\n// Team links carry ?quantity=3 because Polar has no native min-seats enforcement\n// and the Team tier is sold from 3 seats up.\nexport const POLAR_CHECKOUT_URLS = {\n proMonthly: 'https://buy.polar.sh/polar_cl_QW1ZJ9887bU74drGr7JfujQfm3RKYnn1fuvc53DqD6D',\n proYearly: 'https://buy.polar.sh/polar_cl_yQsiUeDelyyEQznbWffD1j77JAyP24ra7iEVQ22PA4h',\n teamMonthly: 'https://buy.polar.sh/polar_cl_CO6xqSzKgFiQJwXnhZYGqisOP04Wspi0KKZSn38NjFZ?quantity=3',\n teamYearly: 'https://buy.polar.sh/polar_cl_BZowqmtaKwWEkRJNtBcashWg7oZOH6OhnnsJ204opNA?quantity=3',\n} as const;\n\n// 
Layer 11: API URL validation\nfunction validateApiUrl(url: string): void {\n const parsed = new URL(url);\n if (parsed.protocol !== 'https:') {\n throw new Error('HTTPS required for license API');\n }\n if (!parsed.hostname.endsWith('polar.sh')) {\n throw new Error('Invalid API host');\n }\n}\n\n// Raw Polar response shapes\ninterface PolarActivation {\n id: string; // activation_id\n license_key: {\n status: string;\n expires_at: string | null;\n };\n}\n\ninterface PolarValidated {\n id: string;\n status: string; // 'granted' | 'revoked' | 'disabled'\n expires_at: string | null;\n customer: {\n email: string | null;\n name: string | null;\n };\n activation: { id: string } | null;\n}\n\nasync function post<T>(endpoint: string, body: Record<string, unknown>, expectEmpty = false): Promise<T> {\n const url = `${BASE_URL}/${endpoint}`;\n validateApiUrl(url);\n\n const res = await fetchWithRetry(url, {\n method: 'POST',\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify(body),\n }, 15_000);\n\n if (!res.ok) {\n let message = `Request failed with status ${res.status}`;\n try {\n const errBody = await res.json() as { detail?: string; error?: string; message?: string };\n if (typeof errBody.detail === 'string') message = errBody.detail;\n else if (typeof errBody.error === 'string') message = errBody.error;\n else if (typeof errBody.message === 'string') message = errBody.message;\n } catch {\n // non-JSON error body — use generic message above\n }\n throw new Error(message);\n }\n\n if (expectEmpty || res.status === 204) return undefined as T;\n return res.json() as Promise<T>;\n}\n\nexport async function activateLicense(key: string): Promise<PolarActivateResponse> {\n const machineId = await getMachineId();\n\n const activation = await post<PolarActivation>('activate', {\n key,\n organization_id: POLAR_ORGANIZATION_ID,\n label: machineId, // SEG-004: Use machine UUID instead of hostname\n });\n\n // EP-001: Runtime validation of activation 
response\n if (!activation || typeof activation.id !== 'string' || !activation.license_key) {\n throw new Error('Invalid activation response: missing required fields');\n }\n\n // Polar's activate response doesn't include customer info — fetch it via validate\n let customerEmail = '';\n let customerName = '';\n try {\n const validated = await post<PolarValidated>('validate', {\n key,\n organization_id: POLAR_ORGANIZATION_ID,\n activation_id: activation.id,\n });\n customerEmail = validated.customer?.email ?? '';\n customerName = validated.customer?.name ?? '';\n } catch {\n // customer info is non-critical — activation still succeeds\n }\n\n return {\n activated: true,\n error: null,\n instance: { id: activation.id },\n license_key: {\n id: 0,\n status: activation.license_key.status,\n key,\n activation_limit: 0,\n activations_count: 0,\n expires_at: activation.license_key.expires_at,\n },\n meta: { customer_email: customerEmail, customer_name: customerName },\n };\n}\n\nexport async function validateLicense(key: string, instanceId: string): Promise<PolarValidateResponse> {\n const res = await post<PolarValidated>('validate', {\n key,\n organization_id: POLAR_ORGANIZATION_ID,\n activation_id: instanceId,\n });\n\n // EP-002: Runtime validation of validate response\n if (!res || typeof res.id !== 'string' || typeof res.status !== 'string' || !res.customer) {\n throw new Error('Invalid validation response: missing required fields');\n }\n\n const notExpired = res.expires_at === null || new Date(res.expires_at) > new Date();\n const valid = res.status === 'granted' && notExpired;\n\n return {\n valid,\n error: valid ? 
null : `License ${res.status}`,\n license_key: {\n id: 0,\n status: res.status,\n key,\n expires_at: res.expires_at,\n },\n instance: { id: instanceId },\n };\n}\n\nexport async function deactivateLicense(key: string, instanceId: string): Promise<void> {\n await post<void>(\n 'deactivate',\n { key, organization_id: POLAR_ORGANIZATION_ID, activation_id: instanceId },\n true,\n );\n}\n","export interface LicenseData {\n key: string;\n instanceId: string;\n status: 'active' | 'expired' | 'inactive';\n customerEmail: string;\n customerName: string;\n plan: 'pro' | 'team';\n activatedAt: string;\n expiresAt: string | null;\n lastValidatedAt: string;\n}\n\n// BK-006: type guard for license payload after AES-GCM decrypt. A corrupt or\n// migrated file could JSON.parse to anything — refuse instead of crashing on\n// undefined accesses downstream.\nexport function isLicenseData(value: unknown): value is LicenseData {\n if (typeof value !== 'object' || value === null) return false;\n const v = value as Record<string, unknown>;\n return (\n typeof v.key === 'string' &&\n typeof v.instanceId === 'string' &&\n (v.status === 'active' || v.status === 'expired' || v.status === 'inactive') &&\n typeof v.customerEmail === 'string' &&\n typeof v.customerName === 'string' &&\n (v.plan === 'pro' || v.plan === 'team') &&\n typeof v.activatedAt === 'string' &&\n (v.expiresAt === null || typeof v.expiresAt === 'string') &&\n typeof v.lastValidatedAt === 'string'\n );\n}\n\nexport interface LicenseFile {\n version: 1;\n license?: LicenseData | null; // legacy unencrypted\n hmac?: string; // legacy\n encrypted?: string; // AES-256-GCM encrypted license JSON\n iv?: string;\n tag?: string;\n}\n\nexport type LicenseStatus = 'free' | 'pro' | 'team' | 'expired' | 'validating';\n\nexport interface PolarActivateResponse {\n activated: boolean;\n error: string | null;\n license_key: {\n id: number;\n status: string;\n key: string;\n activation_limit: number;\n activations_count: number;\n 
expires_at: string | null;\n };\n instance: { id: string };\n meta: { customer_name: string; customer_email: string };\n}\n\nexport interface PolarValidateResponse {\n valid: boolean;\n error: string | null;\n license_key: {\n id: number;\n status: string;\n key: string;\n expires_at: string | null;\n };\n instance: { id: string };\n}\n\nexport type ProFeatureId =\n | 'profiles'\n | 'smart-cleanup'\n | 'history'\n | 'security-audit'\n | 'rollback'\n | 'brewfile'\n | 'sync'\n | 'impact-analysis';\n\nexport type TeamFeatureId = 'compliance';\n"],"mappings":";;;;;;;;;;;;;;;;;;AAAA,SAAS,YAAAA,WAAU,aAAAC,YAAW,UAAAC,eAAc;AAC5C,SAAS,QAAAC,aAAY;AACrB,SAAS,gBAAgB;;;ACFzB,SAAS,gBAAgB,kBAAkB,aAAa,YAAY,gBAAgB;;;ACwB7E,SAAS,cAAc,OAAsC;AAClE,MAAI,OAAO,UAAU,YAAY,UAAU,KAAM,QAAO;AACxD,QAAM,WAAY,MAAkC;AACpD,MAAI,OAAO,aAAa,YAAY,aAAa,QAAQ,MAAM,QAAQ,QAAQ,EAAG,QAAO;AACzF,aAAW,KAAK,OAAO,OAAO,QAAmC,GAAG;AAClE,QAAI,OAAO,MAAM,YAAY,MAAM,KAAM,QAAO;AAChD,UAAM,QAAQ;AACd,QACE,OAAO,MAAM,cAAc,YAC3B,OAAO,MAAM,gBAAgB,YAC7B,OAAO,MAAM,cAAc,YAC3B,OAAO,MAAM,aAAa,UAC1B;AACA,aAAO;AAAA,IACT;AAAA,EACF;AACA,SAAO;AACT;;;AD3BA,IAAM,oBAAoB;AAC1B,IAAM,YAAY;AAElB,IAAM,WAAW,oBAAI,IAAoB;AACzC,IAAI,aAA4B;AAEhC,SAAS,oBAAoB,YAA4B;AACvD,QAAM,SAAS,SAAS,IAAI,UAAU;AACtC,MAAI,OAAQ,QAAO;AACnB,QAAM,UAAU,OAAO,KAAK,SAAS,UAAU,mBAAmB,WAAW,YAAY,EAAE,CAAC;AAC5F,WAAS,IAAI,YAAY,OAAO;AAChC,SAAO;AACT;AAMA,SAAS,kBAA0B;AACjC,MAAI,CAAC,YAAY;AACf,iBAAa,WAAW,mBAAmB,WAAW,IAAI,EAAE,GAAG,OAAO,GAAG,GAAG,GAAG,EAAE,CAAC;AAAA,EACpF;AACA,SAAO;AACT;AAEO,SAAS,eAAe,MAAmB,YAAoE;AACpH,QAAM,MAAM,oBAAoB,UAAU;AAC1C,QAAM,KAAK,YAAY,EAAE;AACzB,QAAM,SAAS,eAAe,eAAe,KAAK,EAAE;AAEpD,QAAM,YAAY,KAAK,UAAU,IAAI;AACrC,QAAM,aAAa,OAAO,OAAO,CAAC,OAAO,OAAO,WAAW,OAAO,GAAG,OAAO,MAAM,CAAC,CAAC;AACpF,QAAM,MAAM,OAAO,WAAW;AAE9B,SAAO;AAAA,IACL,WAAW,WAAW,SAAS,QAAQ;AAAA,IACvC,IAAI,GAAG,SAAS,QAAQ;AAAA,IACxB,KAAK,IAAI,SAAS,QAAQ;AAAA,EAC5B;AACF;AAEO,SAAS,eAAe,WAAmB,IAAY,KAAa,YAAiC;AAC1G,QAAM,QAAQ,OAAO,KAAK,IAAI,QAAQ;AACtC,QAAM,SAAS,OAAO,KAAK,KAAK,QAAQ;AACxC,QAAM,aAAa,OAAO,KAAK,WAAW,Q
AAQ;AAMlD,aAAW,OAAO,CAAC,oBAAoB,UAAU,GAAG,gBAAgB,CAAC,GAAG;AACtE,QAAI;AACF,YAAM,WAAW,iBAAiB,eAAe,KAAK,KAAK;AAC3D,eAAS,WAAW,MAAM;AAC1B,YAAM,YAAY,OAAO,OAAO,CAAC,SAAS,OAAO,UAAU,GAAG,SAAS,MAAM,CAAC,CAAC;AAC/E,YAAM,SAAkB,KAAK,MAAM,UAAU,SAAS,OAAO,CAAC;AAC9D,UAAI,CAAC,cAAc,MAAM,EAAG,OAAM,IAAI,MAAM,4BAA4B;AACxE,aAAO;AAAA,IACT,QAAQ;AAAA,IAAiB;AAAA,EAC3B;AACA,QAAM,IAAI,MAAM,gCAAgC;AAClD;;;AE3EA,SAAS,UAAU,WAAW,QAAQ,OAAO,YAAY;AACzD,SAAS,eAAe;AACxB,SAAS,YAAY;AAIrB,IAAM,cAAc;AAAA,EAClB,QAAQ;AAAA,EACR;AAAA,EAAW;AAAA,EAAoB;AACjC;AACO,IAAM,kBAAkB,KAAK,aAAa,SAAS;AACnD,IAAM,mBAAmB,KAAK,iBAAiB,WAAW;AAEjE,eAAsB,oBAAsC;AAC1D,MAAI;AACF,UAAM,KAAK,WAAW;AACtB,WAAO;AAAA,EACT,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,SAAS,gBAAgB,GAA+B;AACtD,MAAI,CAAC,KAAK,OAAO,MAAM,SAAU,QAAO;AACxC,QAAM,MAAM;AACZ,SACE,IAAI,eAAe,MAAM,KACzB,OAAO,IAAI,WAAW,MAAM,YAC5B,OAAO,IAAI,IAAI,MAAM,YACrB,OAAO,IAAI,KAAK,MAAM,YACtB,OAAO,IAAI,WAAW,MAAM;AAEhC;AAEA,eAAsB,mBAAiD;AAKrE,MAAI;AACF,UAAM,OAAO,MAAM,KAAK,gBAAgB;AACxC,QAAI,KAAK,SAAS,GAAG;AACnB,aAAO,KAAK,0DAA0D;AACtE,aAAO;AAAA,IACT;AAAA,EACF,SAAS,KAAc;AACrB,QAAI,eAAe,SAAU,IAA8B,SAAS,UAAU;AAE5E,UAAI;AACF,cAAM,cAAc,iBAAiB,QAAQ,eAAe,mBAAmB;AAC/E,cAAM,KAAK,WAAW;AACtB,eAAO,KAAK,2DAA2D;AAAA,MACzE,QAAQ;AAAA,MAAyB;AACjC,aAAO;AAAA,IACT;AACA,WAAO,KAAK,wCAAwC,EAAE,OAAO,OAAO,GAAG,EAAE,CAAC;AAC1E,WAAO;AAAA,EACT;AAEA,MAAI;AACF,UAAM,MAAM,MAAM,SAAS,kBAAkB,OAAO;AACpD,UAAM,SAAkB,KAAK,MAAM,GAAG;AACtC,QAAI,CAAC,gBAAgB,MAAM,GAAG;AAC5B,aAAO,KAAK,iDAAiD;AAC7D,aAAO;AAAA,IACT;AACA,WAAO;AAAA,EACT,SAAS,KAAc;AACrB,WAAO,KAAK,wCAAwC,EAAE,OAAO,OAAO,GAAG,EAAE,CAAC;AAC1E,WAAO;AAAA,EACT;AACF;AAEA,eAAsB,kBAAkB,UAAuC;AAC7E,QAAM,MAAM,iBAAiB,EAAE,WAAW,KAAK,CAAC;AAChD,QAAM,UAAU,mBAAmB;AACnC,QAAM,UAAU,SAAS,KAAK,UAAU,UAAU,MAAM,CAAC,GAAG;AAAA,IAC1D,UAAU;AAAA,IACV,MAAM;AAAA,EACR,CAAC;AACD,QAAM,OAAO,SAAS,gBAAgB;AACxC;;;ACjFA,SAAS,YAAAC,WAAU,aAAAC,YAAW,UAAAC,SAAQ,UAAU;AAChD,SAAS,kBAAAC,iBAAgB,oBAAAC,mBAAkB,eAAAC,cAAa,cAAAC,aAAY,YAAAC,iBAAgB;;;ACGpF,IAAM,WAAW;AAKV,IAAM,wBAAwB;AAsBrC,SAAS,eAAe,KAAmB;AACzC,QAAM,SAAS,IAAI,IAAI,G
AAG;AAC1B,MAAI,OAAO,aAAa,UAAU;AAChC,UAAM,IAAI,MAAM,gCAAgC;AAAA,EAClD;AACA,MAAI,CAAC,OAAO,SAAS,SAAS,UAAU,GAAG;AACzC,UAAM,IAAI,MAAM,kBAAkB;AAAA,EACpC;AACF;AAsBA,eAAe,KAAQ,UAAkB,MAA+B,cAAc,OAAmB;AACvG,QAAM,MAAM,GAAG,QAAQ,IAAI,QAAQ;AACnC,iBAAe,GAAG;AAElB,QAAM,MAAM,MAAM,eAAe,KAAK;AAAA,IACpC,QAAQ;AAAA,IACR,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,IAC9C,MAAM,KAAK,UAAU,IAAI;AAAA,EAC3B,GAAG,IAAM;AAET,MAAI,CAAC,IAAI,IAAI;AACX,QAAI,UAAU,8BAA8B,IAAI,MAAM;AACtD,QAAI;AACF,YAAM,UAAU,MAAM,IAAI,KAAK;AAC/B,UAAI,OAAO,QAAQ,WAAW,SAAU,WAAU,QAAQ;AAAA,eACjD,OAAO,QAAQ,UAAU,SAAU,WAAU,QAAQ;AAAA,eACrD,OAAO,QAAQ,YAAY,SAAU,WAAU,QAAQ;AAAA,IAClE,QAAQ;AAAA,IAER;AACA,UAAM,IAAI,MAAM,OAAO;AAAA,EACzB;AAEA,MAAI,eAAe,IAAI,WAAW,IAAK,QAAO;AAC9C,SAAO,IAAI,KAAK;AAClB;AAEA,eAAsB,gBAAgB,KAA6C;AACjF,QAAM,YAAY,MAAM,aAAa;AAErC,QAAM,aAAa,MAAM,KAAsB,YAAY;AAAA,IACzD;AAAA,IACA,iBAAiB;AAAA,IACjB,OAAO;AAAA;AAAA,EACT,CAAC;AAGD,MAAI,CAAC,cAAc,OAAO,WAAW,OAAO,YAAY,CAAC,WAAW,aAAa;AAC/E,UAAM,IAAI,MAAM,sDAAsD;AAAA,EACxE;AAGA,MAAI,gBAAgB;AACpB,MAAI,eAAe;AACnB,MAAI;AACF,UAAM,YAAY,MAAM,KAAqB,YAAY;AAAA,MACvD;AAAA,MACA,iBAAiB;AAAA,MACjB,eAAe,WAAW;AAAA,IAC5B,CAAC;AACD,oBAAgB,UAAU,UAAU,SAAS;AAC7C,mBAAe,UAAU,UAAU,QAAQ;AAAA,EAC7C,QAAQ;AAAA,EAER;AAEA,SAAO;AAAA,IACL,WAAW;AAAA,IACX,OAAO;AAAA,IACP,UAAU,EAAE,IAAI,WAAW,GAAG;AAAA,IAC9B,aAAa;AAAA,MACX,IAAI;AAAA,MACJ,QAAQ,WAAW,YAAY;AAAA,MAC/B;AAAA,MACA,kBAAkB;AAAA,MAClB,mBAAmB;AAAA,MACnB,YAAY,WAAW,YAAY;AAAA,IACrC;AAAA,IACA,MAAM,EAAE,gBAAgB,eAAe,eAAe,aAAa;AAAA,EACrE;AACF;AAEA,eAAsB,gBAAgB,KAAa,YAAoD;AACrG,QAAM,MAAM,MAAM,KAAqB,YAAY;AAAA,IACjD;AAAA,IACA,iBAAiB;AAAA,IACjB,eAAe;AAAA,EACjB,CAAC;AAGD,MAAI,CAAC,OAAO,OAAO,IAAI,OAAO,YAAY,OAAO,IAAI,WAAW,YAAY,CAAC,IAAI,UAAU;AACzF,UAAM,IAAI,MAAM,sDAAsD;AAAA,EACxE;AAEA,QAAM,aAAa,IAAI,eAAe,QAAQ,IAAI,KAAK,IAAI,UAAU,IAAI,oBAAI,KAAK;AAClF,QAAM,QAAQ,IAAI,WAAW,aAAa;AAE1C,SAAO;AAAA,IACL;AAAA,IACA,OAAO,QAAQ,OAAO,WAAW,IAAI,MAAM;AAAA,IAC3C,aAAa;AAAA,MACX,IAAI;AAAA,MACJ,QAAQ,IAAI;AAAA,MACZ;AAAA,MACA,YAAY,IAAI;AAAA,IAClB;AAAA,IACA,UAAU,EAAE,IAAI,WAAW;AAAA,EAC7B;AACF;AAEA,eAAsB,kBA
AkB,KAAa,YAAmC;AACtF,QAAM;AAAA,IACJ;AAAA,IACA,EAAE,KAAK,iBAAiB,uBAAuB,eAAe,WAAW;AAAA,IACzE;AAAA,EACF;AACF;;;ACxJO,SAAS,cAAc,OAAsC;AAClE,MAAI,OAAO,UAAU,YAAY,UAAU,KAAM,QAAO;AACxD,QAAM,IAAI;AACV,SACE,OAAO,EAAE,QAAQ,YACjB,OAAO,EAAE,eAAe,aACvB,EAAE,WAAW,YAAY,EAAE,WAAW,aAAa,EAAE,WAAW,eACjE,OAAO,EAAE,kBAAkB,YAC3B,OAAO,EAAE,iBAAiB,aACzB,EAAE,SAAS,SAAS,EAAE,SAAS,WAChC,OAAO,EAAE,gBAAgB,aACxB,EAAE,cAAc,QAAQ,OAAO,EAAE,cAAc,aAChD,OAAO,EAAE,oBAAoB;AAEjC;;;AFfA,IAAM,2BAA2B,KAAK,KAAK,KAAK;AAChD,IAAM,kBAAkB,IAAI,KAAK,KAAK,KAAK;AAG3C,IAAM,yBAAyB;AAC/B,IAAM,eAAe;AACrB,IAAM,aAAa,KAAK,KAAK;AAa7B,IAAM,UAA6B;AAAA,EACjC,UAAU;AAAA,EACV,aAAa;AAAA,EACb,aAAa;AACf;AAEA,SAAS,iBAAuB;AAC9B,QAAM,MAAM,KAAK,IAAI;AAGrB,MAAI,MAAM,QAAQ,aAAa;AAC7B,UAAM,YAAY,KAAK,MAAM,QAAQ,cAAc,OAAO,GAAK;AAC/D,UAAM,IAAI,MAAM,EAAE,mBAAmB,EAAE,SAAS,UAAU,CAAC,CAAC;AAAA,EAC9D;AAGA,MAAI,MAAM,QAAQ,cAAc,wBAAwB;AACtD,UAAM,IAAI,MAAM,EAAE,cAAc,CAAC;AAAA,EACnC;AACF;AAEA,SAAS,cAAc,SAAwB;AAC7C,QAAM,MAAM,KAAK,IAAI;AACrB,UAAQ,cAAc;AAEtB,MAAI,SAAS;AACX,YAAQ,WAAW;AACnB;AAAA,EACF;AAEA,UAAQ;AACR,MAAI,QAAQ,YAAY,cAAc;AACpC,YAAQ,cAAc,MAAM;AAC5B,YAAQ,WAAW;AAAA,EACrB;AACF;AAaA,IAAMC,qBAAoB;AAC1B,IAAMC,aAAY;AAElB,IAAI,cAA6B;AACjC,IAAIC,cAA4B;AAChC,IAAI,0BAA0B;AAE9B,eAAeC,uBAAuC;AACpD,MAAI,YAAa,QAAO;AACxB,QAAM,YAAY,MAAM,aAAa;AAErC,QAAM,UAAUC,UAAS,UAAUJ,oBAAmBC,YAAW,WAAW,EAAE;AAC9E,gBAAc,OAAO,KAAK,OAAO;AACjC,SAAO;AACT;AAOA,SAASI,mBAA0B;AACjC,MAAI,CAACH,YAAY,CAAAA,cAAaI,YAAWN,oBAAmBC,YAAW,EAAE;AACzE,SAAOC;AACT;AAEA,eAAe,mBAAmB,MAA4E;AAC5G,QAAM,MAAM,MAAMC,qBAAoB;AACtC,QAAM,KAAKI,aAAY,EAAE;AACzB,QAAM,SAASC,gBAAe,eAAe,KAAK,EAAE;AAEpD,QAAM,YAAY,KAAK,UAAU,IAAI;AACrC,QAAM,aAAa,OAAO,OAAO,CAAC,OAAO,OAAO,WAAW,OAAO,GAAG,OAAO,MAAM,CAAC,CAAC;AACpF,QAAM,MAAM,OAAO,WAAW;AAE9B,SAAO;AAAA,IACL,WAAW,WAAW,SAAS,QAAQ;AAAA,IACvC,IAAI,GAAG,SAAS,QAAQ;AAAA,IACxB,KAAK,IAAI,SAAS,QAAQ;AAAA,EAC5B;AACF;AAEA,eAAe,mBAAmB,WAAmB,IAAY,KAAmC;AAClG,QAAM,QAAQ,OAAO,KAAK,IAAI,QAAQ;AACtC,QAAM,SAAS,OAAO,KAAK,KAAK,QAAQ;AACxC,QAAM,aAAa,OAAO,KAAK,WAAW,QAAQ;AAIlD,QAAM,aAAuC;AAAA,IAC3C,CAAC,MAAML
,qBAAoB,GAAG,KAAK;AAAA,IACnC,CAACE,iBAAgB,GAAG,IAAI;AAAA,EAC1B;AACA,MAAI;AACJ,aAAW,CAAC,KAAK,QAAQ,KAAK,YAAY;AACxC,QAAI;AACF,YAAM,WAAWI,kBAAiB,eAAe,KAAK,KAAK;AAC3D,eAAS,WAAW,MAAM;AAC1B,YAAM,YAAY,OAAO,OAAO,CAAC,SAAS,OAAO,UAAU,GAAG,SAAS,MAAM,CAAC,CAAC;AAC/E,YAAM,SAAkB,KAAK,MAAM,UAAU,SAAS,OAAO,CAAC;AAC9D,UAAI,CAAC,cAAc,MAAM,GAAG;AAC1B,cAAM,IAAI,MAAM,mDAAmD;AAAA,MACrE;AACA,gCAA0B;AAC1B,aAAO;AAAA,IACT,SAAS,KAAK;AAAE,gBAAU;AAAA,IAAK;AAAA,EACjC;AACA,QAAM,mBAAmB,QAAQ,UAAU,IAAI,MAAM,2BAA2B;AAClF;AAGA,SAAS,cAAc,KAAkC;AACvD,SAAO,OAAO,QAAQ,YAAY,QAAQ,QAAS,IAAgC,YAAY;AACjG;AAEA,SAAS,uBAAuB,KAAmF;AACjH,MAAI,CAAC,cAAc,GAAG,EAAG,QAAO;AAChC,QAAM,SAAS;AACf,SAAO,OAAO,OAAO,cAAc,YAC9B,OAAO,OAAO,OAAO,YACrB,OAAO,OAAO,QAAQ;AAC7B;AAEA,eAAsB,cAA2C;AAC/D,MAAI;AACF,UAAM,MAAM,MAAMC,UAAS,cAAc,OAAO;AAChD,UAAM,SAAkB,KAAK,MAAM,GAAG;AAGtC,QAAI,CAAC,cAAc,MAAM,GAAG;AAC1B,YAAM,IAAI,MAAM,6BAA6B;AAAA,IAC/C;AAEA,UAAM,OAAO;AAEb,QAAI,KAAK,YAAY,GAAG;AAEtB,YAAM,IAAI,MAAM,0BAA0B;AAAA,IAC5C;AAGA,QAAI,uBAAuB,IAAI,GAAG;AAChC,YAAM,OAAO,MAAM,mBAAmB,KAAK,WAAY,KAAK,IAAK,KAAK,GAAI;AAO1E,YAAM,aAAa;AACnB,UAAI,WAAW,WAAW;AACxB,cAAM,mBAAmB,MAAM,aAAa;AAC5C,YAAI,WAAW,cAAc,kBAAkB;AAC7C,gBAAM,IAAI,MAAM,8CAA8C;AAAA,QAChE;AAAA,MACF;AAIA,UAAI,yBAAyB;AAC3B,kCAA0B;AAC1B,YAAI;AAAE,gBAAM,YAAY,IAAI;AAAA,QAAG,QAAQ;AAAA,QAAoB;AAAA,MAC7D;AAEA,aAAO;AAAA,IACT;AAGA,QAAI,KAAK,SAAS;AAChB,YAAM,OAAO,KAAK;AAElB,YAAM,YAAY,IAAI;AACtB,aAAO;AAAA,IACT;AAEA,WAAO;AAAA,EACT,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,eAAsB,YAAY,MAAkC;AAClE,QAAM,eAAe;AACrB,QAAM,EAAE,WAAW,IAAI,IAAI,IAAI,MAAM,mBAAmB,IAAI;AAE5D,QAAM,YAAY,MAAM,aAAa;AACrC,QAAM,OAAgC,EAAE,SAAS,GAAG,WAAW,IAAI,KAAK,UAAU;AAClF,QAAM,UAAU,eAAe;AAC/B,QAAMC,WAAU,SAAS,KAAK,UAAU,MAAM,MAAM,CAAC,GAAG,EAAE,UAAU,SAAS,MAAM,IAAM,CAAC;AAC1F,QAAMC,QAAO,SAAS,YAAY;AACpC;AAEA,eAAsB,eAA8B;AAClD,MAAI;AACF,UAAM,GAAG,YAAY;AAAA,EACvB,QAAQ;AAAA,EAA2B;AACrC;AAEO,SAAS,UAAU,SAA+B;AACvD,MAAI,CAAC,QAAQ,UAAW,QAAO;AAC/B,QAAM,SAAS,IAAI,KAAK,QAAQ,SAAS,EAAE,QAAQ;AAInD,MAAI,MAAM,MAAM,EAAG,QAAO;AAC1B,SAAO,SAAS,KAAK,IAAI;AAC3B;AAEO,SAAS,kBAAk
B,SAA+B;AAC/D,QAAM,gBAAgB,IAAI,KAAK,QAAQ,eAAe,EAAE,QAAQ;AAChE,MAAI,MAAM,aAAa,EAAG,QAAO;AACjC,SAAO,KAAK,IAAI,IAAI,gBAAgB;AACtC;AAEO,SAAS,oBAAoB,SAA+B;AACjE,QAAM,gBAAgB,IAAI,KAAK,QAAQ,eAAe,EAAE,QAAQ;AAChE,MAAI,MAAM,aAAa,EAAG,QAAO;AACjC,SAAO,KAAK,IAAI,IAAI,gBAAgB;AACtC;AAcO,SAAS,oBAAoB,SAAwC;AAC1E,QAAM,gBAAgB,IAAI,KAAK,QAAQ,eAAe,EAAE,QAAQ;AAChE,MAAI,MAAM,aAAa,EAAG,QAAO;AACjC,QAAM,UAAU,KAAK,IAAI,IAAI;AAC7B,MAAI,UAAU,EAAG,QAAO;AACxB,QAAM,OAAO,WAAW,KAAK,KAAK,KAAK;AAEvC,MAAI,QAAQ,EAAG,QAAO;AACtB,MAAI,QAAQ,GAAI,QAAO;AACvB,MAAI,QAAQ,GAAI,QAAO;AACvB,SAAO;AACT;AAGA,SAAS,mBAAmB,KAAmB;AAG7C,MAAI,IAAI,SAAS,MAAM,IAAI,SAAS,KAAK;AACvC,UAAM,IAAI,MAAM,4BAA4B;AAAA,EAC9C;AAEA,MAAI,CAAC,WAAW,KAAK,GAAG,GAAG;AACzB,UAAM,IAAI,MAAM,4BAA4B;AAAA,EAC9C;AACF;AAQA,SAAS,WAAW,KAA6B;AAC/C,QAAM,QAAQ,IAAI,YAAY;AAC9B,SAAO,MAAM,WAAW,SAAS,KAAK,MAAM,WAAW,SAAS,IAAI,SAAS;AAC/E;AAEA,eAAsB,SAAS,KAAmC;AAChE,qBAAmB,GAAG;AACtB,iBAAe;AAEf,MAAI,UAAU;AACd,MAAI;AACF,UAAM,MAAM,MAAM,gBAAY,GAAG;AAEjC,QAAI,CAAC,IAAI,WAAW;AAClB,YAAM,IAAI,MAAM,IAAI,SAAS,mBAAmB;AAAA,IAClD;AAEA,UAAM,UAAuB;AAAA,MAC3B;AAAA,MACA,YAAY,IAAI,SAAS;AAAA,MACzB,QAAQ;AAAA,MACR,eAAe,IAAI,KAAK;AAAA,MACxB,cAAc,IAAI,KAAK;AAAA,MACvB,MAAM,WAAW,GAAG;AAAA,MACpB,cAAa,oBAAI,KAAK,GAAE,YAAY;AAAA,MACpC,WAAW,IAAI,YAAY;AAAA,MAC3B,kBAAiB,oBAAI,KAAK,GAAE,YAAY;AAAA,IAC1C;AAEA,UAAM,YAAY,OAAO;AACzB,cAAU;AACV,WAAO;AAAA,EACT,UAAE;AACA,kBAAc,OAAO;AAAA,EACvB;AACF;AASA,SAAS,eAAe,KAAuB;AAC7C,QAAM,MAAM,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAC3D,SAAO,uEAAuE,KAAK,GAAG;AACxF;AAEA,eAAsB,WAAW,SAAmD;AAClF,MAAI;AACF,UAAM,MAAM,MAAM,gBAAY,QAAQ,KAAK,QAAQ,UAAU;AAE7D,QAAI,IAAI,OAAO;AACb,YAAM,UAAuB;AAAA,QAC3B,GAAG;AAAA,QACH,kBAAiB,oBAAI,KAAK,GAAE,YAAY;AAAA,QACxC,QAAQ;AAAA,QACR,WAAW,IAAI,YAAY;AAAA,MAC7B;AACA,YAAM,YAAY,OAAO;AACzB,aAAO;AAAA,IACT;AAEA,UAAM,YAAY,EAAE,GAAG,SAAS,QAAQ,UAAU,CAAC;AACnD,WAAO;AAAA,EACT,SAAS,KAAK;AAEZ,QAAI,eAAe,GAAG,GAAG;AACvB,aAAO,oBAAoB,OAAO,IAAI,UAAU;AAAA,IAClD;AAEA,UAAM,YAAY,EAAE,GAAG,SAAS,QAAQ,UAAU,CAAC;AACnD,WAAO;AAAA,EACT;AACF;AAEA,eAAsB,WAAW,SAA2D;AAI1F,MAAI,gBAAgB;AACp
B,MAAI;AACF,UAAM,kBAAc,QAAQ,KAAK,QAAQ,UAAU;AACnD,oBAAgB;AAAA,EAClB,QAAQ;AAAA,EAAwC;AAChD,QAAM,aAAa;AACnB,SAAO,EAAE,cAAc;AACzB;;;AJlXA,IAAM,mBAAmBC,MAAK,UAAU,kBAAkB;AAI1D,eAAsB,iBAA6C;AACjE,MAAI;AACF,UAAM,MAAM,MAAMC,UAAS,kBAAkB,OAAO;AACpD,WAAO,KAAK,MAAM,GAAG;AAAA,EACvB,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,eAAsB,eAAe,QAAmC;AACtE,QAAM,UAAU,mBAAmB;AACnC,QAAMC,WAAU,SAAS,KAAK,UAAU,QAAQ,MAAM,CAAC,GAAG;AAAA,IACxD,UAAU;AAAA,IACV,MAAM;AAAA,EACR,CAAC;AACD,QAAMC,QAAO,SAAS,gBAAgB;AACxC;AAWA,SAAS,gBACP,eACA,eACA,gBACgB;AAChB,QAAM,YAA4B,CAAC;AAEnC,QAAM,kBAAkB,IAAI,IAAI,cAAc,SAAS,IAAI,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;AACtF,QAAM,eAAe,IAAI,IAAI,cAAc,MAAM,IAAI,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;AAEhF,aAAW,WAAW,eAAe;AACnC,QAAI,QAAQ,cAAc,eAAgB;AAG1C,eAAW,iBAAiB,QAAQ,SAAS,UAAU;AACrD,YAAM,eAAe,gBAAgB,IAAI,cAAc,IAAI;AAC3D,UAAI,iBAAiB,UAAa,iBAAiB,cAAc,SAAS;AACxE,kBAAU,KAAK;AAAA,UACb,aAAa,cAAc;AAAA,UAC3B,aAAa;AAAA,UACb;AAAA,UACA,eAAe,QAAQ;AAAA,UACvB,eAAe,cAAc;AAAA,QAC/B,CAAC;AAAA,MACH;AAAA,IACF;AAGA,eAAW,cAAc,QAAQ,SAAS,OAAO;AAC/C,YAAM,eAAe,aAAa,IAAI,WAAW,IAAI;AACrD,UAAI,iBAAiB,UAAa,iBAAiB,WAAW,SAAS;AACrE,kBAAU,KAAK;AAAA,UACb,aAAa,WAAW;AAAA,UACxB,aAAa;AAAA,UACb;AAAA,UACA,eAAe,QAAQ;AAAA,UACvB,eAAe,WAAW;AAAA,QAC5B,CAAC;AAAA,MACH;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AACT;AAIA,eAAe,cAAc,SAAsB,YAAqC;AACtF,QAAM,OAAM,oBAAI,KAAK,GAAE,YAAY;AACnC,QAAM,EAAE,WAAW,IAAI,IAAI,IAAI,eAAe,SAAS,UAAU;AACjE,QAAM,WAAyB;AAAA,IAC7B,eAAe;AAAA,IACf;AAAA,IACA;AAAA,IACA;AAAA,IACA,WAAW;AAAA,EACb;AACA,QAAM,kBAAkB,QAAQ;AAChC,SAAO;AACT;AAEA,eAAe,wBAAyC;AAGtD,QAAM,UAAU,MAAM,YAAY;AAClC,MAAI,CAAC,WAAW,CAAC,QAAQ,KAAK;AAC5B,UAAM,IAAI,MAAM,iCAAiC;AAAA,EACnD;AACA,SAAO,QAAQ;AACjB;AAEA,SAAS,aAAa,UAAuB,YAAuC;AAClF,SAAO;AAAA,IACL,UAAU;AAAA,MACR,GAAG,SAAS;AAAA,MACZ,CAAC,WAAW,SAAS,GAAG;AAAA,IAC1B;AAAA,EACF;AACF;AAIA,eAAsB,KACpB,OACA,iBACqB;AACrB,MAAI,CAAC,OAAO;AACV,UAAM,IAAI,MAAM,sBAAsB;AAAA,EACxC;AAEA,QAAM,YAAY,MAAM,kBAAkB;AAC1C,MAAI,CAAC,WAAW;AACd,WAAO;AAAA,MACL,SAAS;AAAA,MACT,WAAW,CAAC;AAAA,MACZ,eAAe;AAAA,MACf,OAAO;AAAA,
IACT;AAAA,EACF;AAEA,QAAM,aAAa,MAAM,sBAAsB;AAE/C,MAAI,kBAAsC;AAE1C,MAAI;AACF,UAAM,WAAW,MAAM,iBAAiB;AACxC,QAAI,UAAU;AACZ,wBAAkB,eAAe,SAAS,WAAW,SAAS,IAAI,SAAS,KAAK,UAAU;AAAA,IAC5F;AAAA,EACF,SAAS,KAAK;AACZ,WAAO,KAAK,4DAA4D,EAAE,OAAO,OAAO,GAAG,EAAE,CAAC;AAC9F,sBAAkB;AAAA,EACpB;AAGA,QAAM,WAAW,MAAM,gBAAgB;AACvC,QAAM,YAAY,MAAM,aAAa;AACrC,QAAM,cAAc,SAAS;AAE7B,QAAM,aAA2B;AAAA,IAC/B;AAAA,IACA;AAAA,IACA,YAAW,oBAAI,KAAK,GAAE,YAAY;AAAA,IAClC;AAAA,IACA,GAAI,kBAAkB,EAAE,UAAU,gBAAgB,IAAI,CAAC;AAAA,EACzD;AAGA,QAAM,gBAAgB,kBAClB,OAAO,OAAO,gBAAgB,QAAQ,EAAE,OAAO,CAAC,MAAM,EAAE,cAAc,SAAS,IAC/E,CAAC;AAEL,QAAM,YAAY,gBAAgB,UAAU,eAAe,SAAS;AAMpE,QAAM,cAA2B,mBAAmB,EAAE,UAAU,CAAC,EAAE;AACnE,QAAM,gBAAgB,aAAa,aAAa,UAAU;AAE1D,MAAI,UAAU,SAAS,GAAG;AAExB,UAAM,cAAc,eAAe,UAAU;AAC7C,WAAO;AAAA,MACL,SAAS;AAAA,MACT;AAAA,MACA,eAAe;AAAA,IACjB;AAAA,EACF;AAEA,QAAM,MAAM,MAAM,cAAc,eAAe,UAAU;AAGzD,QAAM,iBAAiB,MAAM,eAAe;AAC5C,QAAM,eAAe;AAAA,IACnB,SAAS;AAAA,IACT;AAAA,IACA;AAAA,IACA,GAAI,kBAAkB,CAAC;AAAA,IACvB,UAAU;AAAA,EACZ,CAAC;AAED,SAAO,KAAK,gCAAgC,EAAE,WAAW,UAAU,OAAO,KAAK,cAAc,QAAQ,EAAE,OAAO,CAAC;AAE/G,SAAO;AAAA,IACL,SAAS;AAAA,IACT,WAAW,CAAC;AAAA,IACZ,eAAe;AAAA,EACjB;AACF;AAIA,eAAsB,yBACpB,SACA,aACA,gBACe;AAEf,QAAM,iBAA8B;AAAA,IAClC,UAAU,EAAE,GAAG,QAAQ,SAAS;AAAA,EAClC;AAEA,aAAW,EAAE,UAAU,WAAW,KAAK,aAAa;AAClD,QAAI,eAAe,aAAc;AAGjC,UAAM,eAAe,eAAe,SAAS,cAAc;AAC3D,QAAI,CAAC,cAAc;AACjB,aAAO,KAAK,mEAAmE,EAAE,eAAe,CAAC;AACjG;AAAA,IACF;AACA,QAAI,SAAS,gBAAgB,WAAW;AACtC,qBAAe,SAAS,cAAc,IAAI;AAAA,QACxC,GAAG;AAAA,QACH,UAAU;AAAA,UACR,GAAG,aAAa;AAAA,UAChB,UAAU,aAAa,SAAS,SAAS;AAAA,YAAI,CAAC,MAC5C,EAAE,SAAS,SAAS,cAChB,EAAE,GAAG,GAAG,SAAS,SAAS,cAAc,IACxC;AAAA,UACN;AAAA,QACF;AAAA,MACF;AAAA,IACF,OAAO;AACL,qBAAe,SAAS,cAAc,IAAI;AAAA,QACxC,GAAG;AAAA,QACH,UAAU;AAAA,UACR,GAAG,aAAa;AAAA,UAChB,OAAO,aAAa,SAAS,MAAM;AAAA,YAAI,CAAC,MACtC,EAAE,SAAS,SAAS,cAChB,EAAE,GAAG,GAAG,SAAS,SAAS,cAAc,IACxC;AAAA,UACN;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAEA,QAAM,aAAa,MAAM,sBAAsB;AAC/C,QAAM,cAAc,gBAAgB,UAAU;AAC9C,SAAO,KAAK,sCAAsC,EAAE,OAAO,YAAY,OAAO,CAA
C;AACjF;","names":["readFile","writeFile","rename","join","readFile","writeFile","rename","createCipheriv","createDecipheriv","randomBytes","scryptSync","hkdfSync","ENCRYPTION_SECRET","HKDF_SALT","_legacyKey","deriveEncryptionKey","hkdfSync","deriveLegacyKey","scryptSync","randomBytes","createCipheriv","createDecipheriv","readFile","writeFile","rename","join","readFile","writeFile","rename"]}
@@ -2,11 +2,11 @@ import {
|
|
|
2
2
|
captureSnapshot,
|
|
3
3
|
saveSnapshot,
|
|
4
4
|
streamBrew
|
|
5
|
-
} from "./chunk-
|
|
5
|
+
} from "./chunk-VLREAA5F.js";
|
|
6
6
|
import {
|
|
7
7
|
DATA_DIR,
|
|
8
8
|
ensureDataDirs
|
|
9
|
-
} from "./chunk-
|
|
9
|
+
} from "./chunk-QZZZAAWG.js";
|
|
10
10
|
import {
|
|
11
11
|
logger
|
|
12
12
|
} from "./chunk-KDHEUNRI.js";
|
|
@@ -464,4 +464,4 @@ export {
|
|
|
464
464
|
computeDrift,
|
|
465
465
|
reconcile
|
|
466
466
|
};
|
|
467
|
-
//# sourceMappingURL=chunk-
|
|
467
|
+
//# sourceMappingURL=chunk-3VDIKVS3.js.map
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
import {
|
|
2
2
|
captureSnapshot
|
|
3
|
-
} from "./chunk-
|
|
3
|
+
} from "./chunk-VLREAA5F.js";
|
|
4
4
|
|
|
5
5
|
// src/lib/compliance/compliance-checker.ts
|
|
6
6
|
import { hostname } from "os";
|
|
@@ -120,4 +120,4 @@ export {
|
|
|
120
120
|
versionAtLeast,
|
|
121
121
|
checkCompliance
|
|
122
122
|
};
|
|
123
|
-
//# sourceMappingURL=chunk-
|
|
123
|
+
//# sourceMappingURL=chunk-FIPCCYL6.js.map
|
|
@@ -1,18 +1,33 @@
|
|
|
1
1
|
import {
|
|
2
2
|
HISTORY_PATH,
|
|
3
3
|
ensureDataDirs
|
|
4
|
-
} from "./chunk-
|
|
4
|
+
} from "./chunk-QZZZAAWG.js";
|
|
5
5
|
|
|
6
6
|
// src/lib/history/history-logger.ts
|
|
7
|
-
import { readFile, writeFile, rename, open, unlink } from "fs/promises";
|
|
7
|
+
import { readFile, writeFile, rename, open, unlink, stat } from "fs/promises";
|
|
8
8
|
import { randomUUID } from "crypto";
|
|
9
9
|
var MAX_ENTRIES = 1e3;
|
|
10
10
|
function assertPro(isPro) {
|
|
11
11
|
if (!isPro) throw new Error("Pro license required");
|
|
12
12
|
}
|
|
13
13
|
var lockPath = HISTORY_PATH + ".lock";
|
|
14
|
+
var LOCK_TTL_MS = 3e4;
|
|
15
|
+
async function tryAcquireLock() {
|
|
16
|
+
const fd = await open(lockPath, "wx").catch(() => null);
|
|
17
|
+
if (fd) return fd;
|
|
18
|
+
try {
|
|
19
|
+
const info = await stat(lockPath);
|
|
20
|
+
if (Date.now() - info.mtime.getTime() > LOCK_TTL_MS) {
|
|
21
|
+
await unlink(lockPath).catch(() => {
|
|
22
|
+
});
|
|
23
|
+
return await open(lockPath, "wx").catch(() => null);
|
|
24
|
+
}
|
|
25
|
+
} catch {
|
|
26
|
+
}
|
|
27
|
+
return null;
|
|
28
|
+
}
|
|
14
29
|
async function withLock(fn) {
|
|
15
|
-
const lockFd = await
|
|
30
|
+
const lockFd = await tryAcquireLock();
|
|
16
31
|
if (!lockFd) throw new Error("History file is locked by another process");
|
|
17
32
|
try {
|
|
18
33
|
return await fn();
|
|
@@ -86,4 +101,4 @@ export {
|
|
|
86
101
|
appendEntry,
|
|
87
102
|
clearHistory
|
|
88
103
|
};
|
|
89
|
-
//# sourceMappingURL=chunk-
|
|
104
|
+
//# sourceMappingURL=chunk-JYHINZVV.js.map
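Review bot: The stale-lock path in `tryAcquireLock` (first hunk of this file, new lines 18–26) is a check-then-act sequence of `stat`, then `unlink`, then `open(lockPath, "wx")`. Two processes that both see an mtime older than `LOCK_TTL_MS` can interleave so that the second `unlink` removes the lock the first has just re-created, and both then run their `withLock` callback against the history file. The mtime is never refreshed while the lock is held, so a writer that takes longer than 30 s can have its lock reclaimed; the release in `withLock` (its `finally` is outside the hunk, but the shipped source map shows an unconditional `unlink(lockPath)`) would then delete the new holder's lock. I would record ownership in the lock file right after a successful open, for example `await fd.writeFile(String(process.pid))` plus a random suffix, and have both the reclaim and the release re-read it and unlink only when it still matches; this narrows the window rather than closing it, so the TTL should also stay well above the longest expected write. The empty `catch {}` should keep the comment the TypeScript source has, `/* race with another writer; fall through */`, which the bundled output drops.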
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"sources":["../src/lib/history/history-logger.ts"],"sourcesContent":["import { readFile, writeFile, rename, open, unlink, stat } from 'node:fs/promises';\nimport { randomUUID } from 'node:crypto';\nimport { HISTORY_PATH, ensureDataDirs } from '../data-dir.js';\nimport type { HistoryEntry, HistoryFile, HistoryAction } from './types.js';\n\nconst MAX_ENTRIES = 1000;\n\nfunction assertPro(isPro: boolean): void {\n if (!isPro) throw new Error('Pro license required');\n}\n\n// ── BK-004 + BK-007: file locking with stale-lock recovery ──\n// A crash between open('wx') and unlink leaves an orphan lockfile that would\n// block every future write. Reclaim a lock whose mtime is older than this TTL.\nconst lockPath = HISTORY_PATH + '.lock';\nconst LOCK_TTL_MS = 30_000;\n\nasync function tryAcquireLock(): Promise<Awaited<ReturnType<typeof open>> | null> {\n const fd = await open(lockPath, 'wx').catch(() => null);\n if (fd) return fd;\n\n // Lock exists — is it stale?\n try {\n const info = await stat(lockPath);\n if (Date.now() - info.mtime.getTime() > LOCK_TTL_MS) {\n await unlink(lockPath).catch(() => {});\n return await open(lockPath, 'wx').catch(() => null);\n }\n } catch { /* race with another writer; fall through */ }\n return null;\n}\n\nasync function withLock<T>(fn: () => Promise<T>): Promise<T> {\n const lockFd = await tryAcquireLock();\n if (!lockFd) throw new Error('History file is locked by another process');\n try {\n return await fn();\n } finally {\n await lockFd.close();\n await unlink(lockPath).catch(() => {});\n }\n}\n\n/** Map brew subcommand to a history action type */\nexport function detectAction(args: string[]): { action: HistoryAction; packageName: string | null } | null {\n const cmd = args[0];\n if (cmd === 'install') return { action: 'install', packageName: args[1] ?? null };\n if (cmd === 'uninstall') {\n const name = args.find((a) => !a.startsWith('-')) === 'uninstall'\n ? args.find((a, i) => i > 0 && !a.startsWith('-')) ?? 
null\n : args[1] ?? null;\n return { action: 'uninstall', packageName: name };\n }\n if (cmd === 'upgrade') {\n if (args.length === 1) return { action: 'upgrade-all', packageName: null };\n return { action: 'upgrade', packageName: args[1] ?? null };\n }\n return null;\n}\n\nexport async function loadHistory(isPro: boolean): Promise<HistoryEntry[]> {\n assertPro(isPro);\n\n try {\n const raw = await readFile(HISTORY_PATH, 'utf-8');\n const file = JSON.parse(raw) as HistoryFile;\n if (file.version !== 1) {\n // Future: add migration logic here\n throw new Error('Unsupported data version');\n }\n const entries = file.entries;\n return Array.isArray(entries) ? entries : [];\n } catch {\n return [];\n }\n}\n\nasync function saveHistory(entries: HistoryEntry[]): Promise<void> {\n await ensureDataDirs();\n const file: HistoryFile = { version: 1, entries };\n const tmp = HISTORY_PATH + '.tmp';\n await writeFile(tmp, JSON.stringify(file, null, 2), { encoding: 'utf-8', mode: 0o600 });\n await rename(tmp, HISTORY_PATH);\n}\n\nexport async function appendEntry(\n isPro: boolean,\n action: HistoryAction,\n packageName: string | null,\n success: boolean,\n error: string | null = null,\n): Promise<void> {\n assertPro(isPro);\n\n await withLock(async () => {\n const entries = await loadHistory(isPro);\n\n const entry: HistoryEntry = {\n id: randomUUID(),\n action,\n packageName,\n timestamp: new Date().toISOString(),\n success,\n error,\n };\n\n entries.unshift(entry);\n\n if (entries.length > MAX_ENTRIES) {\n entries.length = MAX_ENTRIES;\n }\n\n await saveHistory(entries);\n });\n}\n\nexport async function clearHistory(isPro: boolean): Promise<void> {\n assertPro(isPro);\n await 
saveHistory([]);\n}\n"],"mappings":";;;;;;AAAA,SAAS,UAAU,WAAW,QAAQ,MAAM,QAAQ,YAAY;AAChE,SAAS,kBAAkB;AAI3B,IAAM,cAAc;AAEpB,SAAS,UAAU,OAAsB;AACvC,MAAI,CAAC,MAAO,OAAM,IAAI,MAAM,sBAAsB;AACpD;AAKA,IAAM,WAAW,eAAe;AAChC,IAAM,cAAc;AAEpB,eAAe,iBAAmE;AAChF,QAAM,KAAK,MAAM,KAAK,UAAU,IAAI,EAAE,MAAM,MAAM,IAAI;AACtD,MAAI,GAAI,QAAO;AAGf,MAAI;AACF,UAAM,OAAO,MAAM,KAAK,QAAQ;AAChC,QAAI,KAAK,IAAI,IAAI,KAAK,MAAM,QAAQ,IAAI,aAAa;AACnD,YAAM,OAAO,QAAQ,EAAE,MAAM,MAAM;AAAA,MAAC,CAAC;AACrC,aAAO,MAAM,KAAK,UAAU,IAAI,EAAE,MAAM,MAAM,IAAI;AAAA,IACpD;AAAA,EACF,QAAQ;AAAA,EAA+C;AACvD,SAAO;AACT;AAEA,eAAe,SAAY,IAAkC;AAC3D,QAAM,SAAS,MAAM,eAAe;AACpC,MAAI,CAAC,OAAQ,OAAM,IAAI,MAAM,2CAA2C;AACxE,MAAI;AACF,WAAO,MAAM,GAAG;AAAA,EAClB,UAAE;AACA,UAAM,OAAO,MAAM;AACnB,UAAM,OAAO,QAAQ,EAAE,MAAM,MAAM;AAAA,IAAC,CAAC;AAAA,EACvC;AACF;AAGO,SAAS,aAAa,MAA8E;AACzG,QAAM,MAAM,KAAK,CAAC;AAClB,MAAI,QAAQ,UAAW,QAAO,EAAE,QAAQ,WAAW,aAAa,KAAK,CAAC,KAAK,KAAK;AAChF,MAAI,QAAQ,aAAa;AACvB,UAAM,OAAO,KAAK,KAAK,CAAC,MAAM,CAAC,EAAE,WAAW,GAAG,CAAC,MAAM,cAClD,KAAK,KAAK,CAAC,GAAG,MAAM,IAAI,KAAK,CAAC,EAAE,WAAW,GAAG,CAAC,KAAK,OACpD,KAAK,CAAC,KAAK;AACf,WAAO,EAAE,QAAQ,aAAa,aAAa,KAAK;AAAA,EAClD;AACA,MAAI,QAAQ,WAAW;AACrB,QAAI,KAAK,WAAW,EAAG,QAAO,EAAE,QAAQ,eAAe,aAAa,KAAK;AACzE,WAAO,EAAE,QAAQ,WAAW,aAAa,KAAK,CAAC,KAAK,KAAK;AAAA,EAC3D;AACA,SAAO;AACT;AAEA,eAAsB,YAAY,OAAyC;AACzE,YAAU,KAAK;AAEf,MAAI;AACF,UAAM,MAAM,MAAM,SAAS,cAAc,OAAO;AAChD,UAAM,OAAO,KAAK,MAAM,GAAG;AAC3B,QAAI,KAAK,YAAY,GAAG;AAEtB,YAAM,IAAI,MAAM,0BAA0B;AAAA,IAC5C;AACA,UAAM,UAAU,KAAK;AACrB,WAAO,MAAM,QAAQ,OAAO,IAAI,UAAU,CAAC;AAAA,EAC7C,QAAQ;AACN,WAAO,CAAC;AAAA,EACV;AACF;AAEA,eAAe,YAAY,SAAwC;AACjE,QAAM,eAAe;AACrB,QAAM,OAAoB,EAAE,SAAS,GAAG,QAAQ;AAChD,QAAM,MAAM,eAAe;AAC3B,QAAM,UAAU,KAAK,KAAK,UAAU,MAAM,MAAM,CAAC,GAAG,EAAE,UAAU,SAAS,MAAM,IAAM,CAAC;AACtF,QAAM,OAAO,KAAK,YAAY;AAChC;AAEA,eAAsB,YACpB,OACA,QACA,aACA,SACA,QAAuB,MACR;AACf,YAAU,KAAK;AAEf,QAAM,SAAS,YAAY;AACzB,UAAM,UAAU,MAAM,YAAY,KAAK;AAEvC,UAAM,QAAsB;AAAA,MAC1B,IAAI,WAAW;AAAA,MACf;AAAA,MACA;AAAA,MACA,YAAW,oBAAI,KAAK,GAAE,YAAY;AAAA,MAClC;AAAA,MAC
A;AAAA,IACF;AAEA,YAAQ,QAAQ,KAAK;AAErB,QAAI,QAAQ,SAAS,aAAa;AAChC,cAAQ,SAAS;AAAA,IACnB;AAEA,UAAM,YAAY,OAAO;AAAA,EAC3B,CAAC;AACH;AAEA,eAAsB,aAAa,OAA+B;AAChE,YAAU,KAAK;AACf,QAAM,YAAY,CAAC,CAAC;AACtB;","names":[]}
|
|
@@ -11,6 +11,21 @@ var en = {
|
|
|
11
11
|
app_title: "Brew-TUI",
|
|
12
12
|
pro_badge: "PRO",
|
|
13
13
|
app_version: "Brew-TUI v{{version}}",
|
|
14
|
+
// ── UX-002: first-run welcome ──
|
|
15
|
+
welcome_title: "Welcome to Brew-TUI",
|
|
16
|
+
welcome_intro: "A visual terminal interface for Homebrew. Browse installed packages, see what is outdated, manage services and run upgrades \u2014 all from the keyboard.",
|
|
17
|
+
welcome_keysHeader: "Essential keys",
|
|
18
|
+
welcome_keyJumpView: "Jump to view 1\u201310",
|
|
19
|
+
welcome_keyCycleView: "Cycle through views",
|
|
20
|
+
welcome_keyMove: "Move up / down in lists",
|
|
21
|
+
welcome_keySearch: "Filter the current list",
|
|
22
|
+
welcome_keySelect: "Open the selected package",
|
|
23
|
+
welcome_keyBack: "Go back / cancel",
|
|
24
|
+
welcome_keyLocale: "Toggle language (English / Spanish)",
|
|
25
|
+
welcome_keyQuit: "Quit Brew-TUI",
|
|
26
|
+
welcome_proHeader: "Optional Pro features",
|
|
27
|
+
welcome_proIntro: "Profiles, smart cleanup, history, security audit, sync and more \u2014 activate from the Account view with a license key.",
|
|
28
|
+
welcome_continueHint: "Press Enter, Space or Esc to continue \u2192",
|
|
14
29
|
// ── View labels (header tab bar) ──
|
|
15
30
|
view_dashboard: "Dashboard",
|
|
16
31
|
view_installed: "Installed",
|
|
@@ -258,6 +273,7 @@ var en = {
|
|
|
258
273
|
security_high: "High",
|
|
259
274
|
security_medium: "Medium",
|
|
260
275
|
security_noVulns: "No known vulnerabilities found in your installed packages!",
|
|
276
|
+
security_coverage_warning: "Note: OSV scans the Bitnami dataset, which does not cover every Homebrew formula. Absence of CVEs is not a guarantee of safety.",
|
|
261
277
|
security_fixedIn: "Fixed in: {{version}}",
|
|
262
278
|
security_confirmUpgrade: "Upgrade {{name}} to fix vulnerabilities?",
|
|
263
279
|
// ── Account ──
|
|
@@ -267,7 +283,6 @@ var en = {
|
|
|
267
283
|
account_pro: "[Pro]",
|
|
268
284
|
account_free: "[Free]",
|
|
269
285
|
account_expired: "[Expired]",
|
|
270
|
-
account_validating: "[Validating...]",
|
|
271
286
|
account_emailLabel: "Email:",
|
|
272
287
|
account_nameLabel: "Name:",
|
|
273
288
|
account_planLabel: "Plan:",
|
|
@@ -354,6 +369,8 @@ var en = {
|
|
|
354
369
|
cli_brewbarMacOnly: "\u2718 BrewBar is only available on macOS.",
|
|
355
370
|
cli_brewbarDownloadFailed: "\u2718 Failed to download BrewBar: {{error}}",
|
|
356
371
|
cli_brewbarAutoFailed: "\u26A0 BrewBar auto-launch failed: {{error}}",
|
|
372
|
+
cli_brewbarUpdating: "Updating BrewBar from {{installed}} to {{expected}} to match Brew-TUI...",
|
|
373
|
+
cli_brewbarVersionMismatch: "\u26A0 BrewBar {{installed}} is out of sync with Brew-TUI {{expected}}. Run: brew-tui install-brewbar --force",
|
|
357
374
|
cli_deactivateRemoteFailed: "\u26A0 Warning: Could not reach the server to deactivate remotely. The license was removed locally but may still count as active.",
|
|
358
375
|
// ── License degradation (Layer 15) ──
|
|
359
376
|
license_offlineWarning: "Your license has not been validated for {{days}} days. Please connect to the internet.",
|
|
@@ -393,6 +410,7 @@ var en = {
|
|
|
393
410
|
dashboard_lastUpdated: "Last updated: {{time}}",
|
|
394
411
|
// ── SCR-014: Services last error ──
|
|
395
412
|
services_lastError: "Last error: {{error}}",
|
|
413
|
+
services_errorPermission: "Permission denied \u2014 this service requires sudo. Run the action from a terminal with elevated privileges.",
|
|
396
414
|
// ── SCR-010: Generic network error ──
|
|
397
415
|
error_network: "Network error: unable to reach the server.",
|
|
398
416
|
// ── ARQ-005: Security cache ──
|
|
@@ -507,6 +525,21 @@ var es = {
|
|
|
507
525
|
app_title: "Brew-TUI",
|
|
508
526
|
pro_badge: "PRO",
|
|
509
527
|
app_version: "Brew-TUI v{{version}}",
|
|
528
|
+
// ── UX-002: bienvenida en primera ejecución ──
|
|
529
|
+
welcome_title: "Bienvenido a Brew-TUI",
|
|
530
|
+
welcome_intro: "Una interfaz visual de terminal para Homebrew. Explora paquetes instalados, ve cu\xE1les est\xE1n desactualizados, gestiona servicios y ejecuta upgrades \u2014 todo con el teclado.",
|
|
531
|
+
welcome_keysHeader: "Teclas esenciales",
|
|
532
|
+
welcome_keyJumpView: "Ir directamente a la vista 1\u201310",
|
|
533
|
+
welcome_keyCycleView: "Recorrer vistas",
|
|
534
|
+
welcome_keyMove: "Subir / bajar en listas",
|
|
535
|
+
welcome_keySearch: "Filtrar la lista actual",
|
|
536
|
+
welcome_keySelect: "Abrir el paquete seleccionado",
|
|
537
|
+
welcome_keyBack: "Volver / cancelar",
|
|
538
|
+
welcome_keyLocale: "Cambiar idioma (ingl\xE9s / espa\xF1ol)",
|
|
539
|
+
welcome_keyQuit: "Salir de Brew-TUI",
|
|
540
|
+
welcome_proHeader: "Funcionalidades Pro opcionales",
|
|
541
|
+
welcome_proIntro: "Perfiles, limpieza inteligente, historial, auditor\xEDa de seguridad, sync y m\xE1s \u2014 act\xEDvalas desde la vista Cuenta con una clave de licencia.",
|
|
542
|
+
welcome_continueHint: "Pulsa Enter, Espacio o Esc para continuar \u2192",
|
|
510
543
|
// ── View labels (header tab bar) ──
|
|
511
544
|
view_dashboard: "Inicio",
|
|
512
545
|
view_installed: "Instalados",
|
|
@@ -753,6 +786,7 @@ var es = {
|
|
|
753
786
|
security_high: "Altos",
|
|
754
787
|
security_medium: "Medios",
|
|
755
788
|
security_noVulns: "\xA1No se encontraron vulnerabilidades conocidas en tus paquetes instalados!",
|
|
789
|
+
security_coverage_warning: "Nota: OSV escanea el dataset Bitnami, que no cubre todas las f\xF3rmulas de Homebrew. La ausencia de CVEs no garantiza seguridad total.",
|
|
756
790
|
security_fixedIn: "Corregido en: {{version}}",
|
|
757
791
|
security_confirmUpgrade: "\xBFActualizar {{name}} para corregir vulnerabilidades?",
|
|
758
792
|
// ── Account ──
|
|
@@ -762,7 +796,6 @@ var es = {
|
|
|
762
796
|
account_pro: "[Pro]",
|
|
763
797
|
account_free: "[Gratis]",
|
|
764
798
|
account_expired: "[Expirada]",
|
|
765
|
-
account_validating: "[Validando...]",
|
|
766
799
|
account_emailLabel: "Email:",
|
|
767
800
|
account_nameLabel: "Nombre:",
|
|
768
801
|
account_planLabel: "Plan:",
|
|
@@ -849,6 +882,8 @@ var es = {
|
|
|
849
882
|
cli_brewbarMacOnly: "\u2718 BrewBar solo est\xE1 disponible en macOS.",
|
|
850
883
|
cli_brewbarDownloadFailed: "\u2718 Error al descargar BrewBar: {{error}}",
|
|
851
884
|
cli_brewbarAutoFailed: "\u26A0 No se pudo lanzar BrewBar autom\xE1ticamente: {{error}}",
|
|
885
|
+
cli_brewbarUpdating: "Actualizando BrewBar de {{installed}} a {{expected}} para igualar Brew-TUI...",
|
|
886
|
+
cli_brewbarVersionMismatch: "\u26A0 BrewBar {{installed}} no coincide con Brew-TUI {{expected}}. Ejecuta: brew-tui install-brewbar --force",
|
|
852
887
|
cli_deactivateRemoteFailed: "\u26A0 Advertencia: No se pudo contactar al servidor para desactivar remotamente. La licencia se elimin\xF3 localmente pero puede seguir contando como activa.",
|
|
853
888
|
// ── License degradation (Layer 15) ──
|
|
854
889
|
license_offlineWarning: "Tu licencia no se ha validado en {{days}} d\xEDas. Por favor con\xE9ctate a internet.",
|
|
@@ -888,6 +923,7 @@ var es = {
|
|
|
888
923
|
dashboard_lastUpdated: "\xDAltima actualizaci\xF3n: {{time}}",
|
|
889
924
|
// ── SCR-014: Services last error ──
|
|
890
925
|
services_lastError: "\xDAltimo error: {{error}}",
|
|
926
|
+
services_errorPermission: "Permiso denegado \u2014 este servicio requiere sudo. Ej\xE9cutalo desde un terminal con privilegios elevados.",
|
|
891
927
|
// ── SCR-010: Generic network error ──
|
|
892
928
|
error_network: "Error de red: no se puede conectar con el servidor.",
|
|
893
929
|
// ── ARQ-005: Security cache ──
|
|
@@ -1081,4 +1117,4 @@ export {
|
|
|
1081
1117
|
fetchWithTimeout,
|
|
1082
1118
|
fetchWithRetry
|
|
1083
1119
|
};
|
|
1084
|
-
//# sourceMappingURL=chunk-
|
|
1120
|
+
//# sourceMappingURL=chunk-OHMNJ3EA.js.map
|