closeclaw 3.0.4 → 3.0.5

package/dist/cli.cjs

@@ -417,10 +417,20 @@ function verifyLicense(key) {
     throw new Error("License key is required (set NODE_ENV=development to bypass)");
   }
   try {
+    const parts = key.split(".");
+    if (parts.length !== 3) throw new Error("Invalid JWT format");
+    const [headerB64, payloadB64, signatureB64] = parts;
+    const header = JSON.parse(Buffer.from(headerB64, "base64url").toString());
+    if (header.alg !== "EdDSA") throw new Error(`Unsupported algorithm: ${header.alg}`);
     const publicKey = (0, import_node_crypto2.createPublicKey)(ED25519_PUBLIC_KEY_PEM);
-    const decoded = import_jsonwebtoken.default.verify(key, publicKey, {
-      algorithms: ["EdDSA"]
-    });
+    const signingInput = `${headerB64}.${payloadB64}`;
+    const signature = Buffer.from(signatureB64, "base64url");
+    const valid = (0, import_node_crypto2.verify)(null, Buffer.from(signingInput), publicKey, signature);
+    if (!valid) throw new Error("Invalid signature");
+    const decoded = JSON.parse(Buffer.from(payloadB64, "base64url").toString());
+    if (typeof decoded.exp === "number" && decoded.exp < Math.floor(Date.now() / 1e3)) {
+      throw new Error("License expired");
+    }
     if (!decoded.sub || typeof decoded.sub !== "string") {
       throw new Error("License missing 'sub' claim");
     }
@@ -448,10 +458,10 @@ function verifyLicense(key) {
     _devMode = false;
     return _license;
   } catch (err) {
-    if (err instanceof import_jsonwebtoken.default.TokenExpiredError) {
+    if (err instanceof jwt.TokenExpiredError) {
       throw new Error("License key has expired");
     }
-    if (err instanceof import_jsonwebtoken.default.JsonWebTokenError) {
+    if (err instanceof jwt.JsonWebTokenError) {
       throw new Error(`Invalid license key: ${err.message}`);
     }
     throw err;
@@ -480,11 +490,10 @@ function _resetLicense() {
   _license = null;
   _devMode = false;
 }
-var import_jsonwebtoken, import_node_crypto2, ED25519_PUBLIC_KEY_PEM, _license, _devMode, DEV_LICENSE;
+var import_node_crypto2, ED25519_PUBLIC_KEY_PEM, _license, _devMode, DEV_LICENSE;
 var init_license = __esm({
   "src/license.ts"() {
     "use strict";
-    import_jsonwebtoken = __toESM(require("jsonwebtoken"), 1);
     import_node_crypto2 = require("crypto");
     init_connection();
     ED25519_PUBLIC_KEY_PEM = `-----BEGIN PUBLIC KEY-----
@@ -960,13 +969,13 @@ function getSecret() {
   return _secret;
 }
 function signAccessToken(payload) {
-  return import_jsonwebtoken2.default.sign(payload, getSecret(), {
+  return import_jsonwebtoken.default.sign(payload, getSecret(), {
     algorithm: "HS256",
     expiresIn: "15m"
   });
 }
 function verifyAccessToken(token) {
-  return import_jsonwebtoken2.default.verify(token, getSecret(), {
+  return import_jsonwebtoken.default.verify(token, getSecret(), {
     algorithms: ["HS256"]
   });
 }
@@ -976,11 +985,11 @@ function generateRefreshToken() {
 function _resetSecret() {
   _secret = null;
 }
-var import_jsonwebtoken2, import_node_crypto4, import_node_fs2, import_node_path2, _secret;
+var import_jsonwebtoken, import_node_crypto4, import_node_fs2, import_node_path2, _secret;
 var init_jwt = __esm({
   "src/auth/jwt.ts"() {
     "use strict";
-    import_jsonwebtoken2 = __toESM(require("jsonwebtoken"), 1);
+    import_jsonwebtoken = __toESM(require("jsonwebtoken"), 1);
     import_node_crypto4 = require("crypto");
     import_node_fs2 = require("fs");
     import_node_path2 = require("path");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "closeclaw",
-  "version": "3.0.4",
+  "version": "3.0.5",
   "description": "CloseClaw — AI-powered project management platform. One command, full stack.",
   "license": "UNLICENSED",
   "type": "module",