create-qa-architect 5.0.7 → 5.4.3

package/lib/licensing.js

@@ -7,6 +7,15 @@ const fs = require('fs')
 const path = require('path')
 const os = require('os')
 const crypto = require('crypto')
+const {
+  LICENSE_KEY_PATTERN,
+  buildLicensePayload,
+  hashEmail,
+  signPayload,
+  stableStringify,
+  verifyPayload,
+  loadKeyFromEnv,
+} = require('./license-signing')
 
 // License storage locations
 // Support environment variable override for testing (like telemetry/error-reporter)
@@ -42,11 +51,34 @@ Object.defineProperty(exports, 'LICENSE_FILE', {
  * - TEAM: Contact us (Organizations) - coming soon
  * - ENTERPRISE: Contact us (Large Orgs) - coming soon
  */
-const LICENSE_TIERS = {
+// DR23 fix: Freeze object to prevent accidental or malicious mutation
+const LICENSE_TIERS = Object.freeze({
   FREE: 'FREE',
   PRO: 'PRO',
   TEAM: 'TEAM',
   ENTERPRISE: 'ENTERPRISE',
+})
+
+function normalizeLicenseKey(key) {
+  if (typeof key !== 'string') return ''
+  return key.trim().toUpperCase()
+}
+
+/**
+ * DR23 fix: Deep freeze helper to prevent mutation at any level
+ */
+function deepFreeze(obj) {
+  Object.freeze(obj)
+  Object.getOwnPropertyNames(obj).forEach(prop => {
+    if (
+      obj[prop] !== null &&
+      (typeof obj[prop] === 'object' || typeof obj[prop] === 'function') &&
+      !Object.isFrozen(obj[prop])
+    ) {
+      deepFreeze(obj[prop])
+    }
+  })
+  return obj
 }
 
 /**
@@ -56,8 +88,10 @@ const LICENSE_TIERS = {
  * PRO: Solo devs/small teams - unlimited, full features
  * TEAM: Organizations - per-seat, shared policies
  * ENTERPRISE: Large orgs - SSO, compliance, SLA
+ *
+ * DR23 fix: Deep frozen to prevent accidental or malicious mutation
  */
-const FEATURES = {
+const FEATURES = deepFreeze({
   [LICENSE_TIERS.FREE]: {
     // Caps (enforced in setup.js and CLI)
     maxPrivateRepos: 1,
@@ -75,10 +109,28 @@ const FEATURES = {
     advancedWorkflows: false,
     notifications: false,
     multiRepo: false,
+    // Quality tools
+    lighthouseCI: true, // ✅ Basic Lighthouse (no thresholds)
+    lighthouseThresholds: false, // ❌ PRO feature - custom thresholds
+    bundleSizeLimits: false, // ❌ PRO feature
+    axeAccessibility: true, // ✅ Basic a11y testing
+    conventionalCommits: true, // ✅ Commit message enforcement
+    coverageThresholds: false, // ❌ PRO feature
+    // Pre-launch validation
+    prelaunchValidation: true, // ✅ Basic prelaunch checks
+    seoValidation: true, // ✅ Sitemap, robots, meta tags
+    linkValidation: true, // ✅ Broken link detection
+    docsValidation: true, // ✅ Documentation completeness
+    envValidation: false, // ❌ PRO feature - env vars audit
+    // CI/CD optimization
+    ciCostAnalysis: false, // ❌ PRO feature - GitHub Actions cost analysis
     roadmap: [
       '✅ ESLint, Prettier, Stylelint configuration',
       '✅ Basic Husky pre-commit hooks',
       '✅ Basic npm dependency monitoring (10 PRs/month)',
+      '✅ Lighthouse CI (basic, no thresholds)',
+      '✅ axe-core accessibility testing',
+      '✅ Conventional commits (commitlint)',
       '⚠️ Limited: 1 private repo, JS/TS only',
       '❌ No security scanning (Gitleaks, ESLint security)',
       '❌ No Smart Test Strategy',
@@ -102,6 +154,21 @@ const FEATURES = {
     advancedWorkflows: false,
     notifications: false,
     multiRepo: false,
+    // Quality tools - all enabled
+    lighthouseCI: true, // ✅ Full Lighthouse CI
+    lighthouseThresholds: true, // ✅ Custom performance/a11y thresholds
+    bundleSizeLimits: true, // ✅ Bundle size enforcement
+    axeAccessibility: true, // ✅ Advanced a11y testing
+    conventionalCommits: true, // ✅ Commit message enforcement
+    coverageThresholds: true, // ✅ Coverage threshold enforcement
+    // Pre-launch validation - all enabled
+    prelaunchValidation: true, // ✅ Full prelaunch suite
+    seoValidation: true, // ✅ Sitemap, robots, meta tags
+    linkValidation: true, // ✅ Broken link detection
+    docsValidation: true, // ✅ Documentation completeness
+    envValidation: true, // ✅ Env vars audit
+    // CI/CD optimization
+    ciCostAnalysis: true, // ✅ GitHub Actions cost analysis
     roadmap: [
       '✅ Unlimited repos and runs',
       '✅ Smart Test Strategy (70% faster pre-push validation)',
@@ -109,8 +176,11 @@ const FEATURES = {
       '✅ TypeScript production protection',
       '✅ Multi-language (Python, Rust, Ruby)',
       '✅ Framework-aware dependency grouping',
+      '✅ Lighthouse CI with custom thresholds',
+      '✅ Bundle size limits (size-limit)',
+      '✅ Coverage threshold enforcement',
+      '✅ Pre-launch validation with env vars audit',
       '✅ Email support (24-48h response)',
-      '🔄 Performance budgets - Coming Q1 2026',
     ],
   },
   [LICENSE_TIERS.TEAM]: {
@@ -139,6 +209,21 @@ const FEATURES = {
     advancedWorkflows: true,
     notifications: true,
     multiRepo: true,
+    // Quality tools - all enabled (inherited from PRO)
+    lighthouseCI: true,
+    lighthouseThresholds: true,
+    bundleSizeLimits: true,
+    axeAccessibility: true,
+    conventionalCommits: true,
+    coverageThresholds: true,
+    // Pre-launch validation - all enabled (inherited from PRO)
+    prelaunchValidation: true,
+    seoValidation: true,
+    linkValidation: true,
+    docsValidation: true,
+    envValidation: true,
+    // CI/CD optimization - inherited from PRO
+    ciCostAnalysis: true,
     roadmap: [
       '✅ All PRO features included',
       '✅ Per-seat licensing (5-seat minimum)',
@@ -175,6 +260,21 @@ const FEATURES = {
     advancedWorkflows: true,
     notifications: true,
     multiRepo: true,
+    // Quality tools - all enabled (inherited from TEAM)
+    lighthouseCI: true,
+    lighthouseThresholds: true,
+    bundleSizeLimits: true,
+    axeAccessibility: true,
+    conventionalCommits: true,
+    coverageThresholds: true,
+    // Pre-launch validation - all enabled (inherited from TEAM)
+    prelaunchValidation: true,
+    seoValidation: true,
+    linkValidation: true,
+    docsValidation: true,
+    envValidation: true,
+    // CI/CD optimization - inherited from TEAM
+    ciCostAnalysis: true,
     // Enterprise-specific
     ssoIntegration: true, // SSO/SAML
     scimReady: true,
@@ -198,13 +298,19 @@ const FEATURES = {
       '✅ Optional on-prem license server',
     ],
   },
-}
+})
 
 /**
  * Check if developer/owner mode is enabled
  * Allows the tool creator to use all features without a license
+ * Security: Production mode always enforces license checks
  */
 function isDeveloperMode() {
+  // Security: Production mode never allows developer bypass
+  if (process.env.NODE_ENV === 'production') {
+    return false
+  }
+
   // Check environment variable
   if (process.env.QAA_DEVELOPER === 'true') {
     return true
@@ -216,8 +322,19 @@ function isDeveloperMode() {
     if (fs.existsSync(developerMarkerFile)) {
       return true
     }
-  } catch {
-    // Ignore errors checking for marker file
+  } catch (error) {
+    // DR10 fix: Halt on ELOOP in production (security issue)
+    if (error?.code === 'ELOOP') {
+      const message =
+        'Symlink loop detected in license directory - possible security issue'
+      if (process.env.NODE_ENV === 'production') {
+        throw new Error(message)
+      } else {
+        console.warn(`⚠️  ${message}`)
+      }
+    } else if (process.env.DEBUG && error?.code !== 'ENOENT') {
+      console.warn(`⚠️  Developer mode check failed: ${error.message}`)
+    }
   }
 
   return false
@@ -248,23 +365,24 @@ function getLicenseInfo() {
       return { tier: LICENSE_TIERS.FREE, valid: true }
     }
 
-    // Check if license is valid
-    if (!localLicense.valid) {
+    const licenseKey = normalizeLicenseKey(
+      localLicense.licenseKey || localLicense.key
+    )
+    if (!licenseKey || !localLicense.email) {
       return {
         tier: LICENSE_TIERS.FREE,
         valid: true,
-        error:
-          'License signature verification failed - license may have been tampered with',
+        error: 'Invalid license format',
       }
     }
 
-    // Check for required fields
-    const licenseKey = localLicense.licenseKey || localLicense.key
-    if (!licenseKey || !localLicense.email) {
+    // Check if license is valid
+    if (!localLicense.valid) {
       return {
         tier: LICENSE_TIERS.FREE,
         valid: true,
-        error: 'Invalid license format',
+        error:
+          'License signature verification failed - license may have been tampered with',
       }
     }
 
@@ -309,17 +427,16 @@ function getLicenseInfo() {
  * Supports both legacy format and new Stripe-generated keys
  */
 function validateLicenseKey(key, tier) {
-  // New Stripe format: QAA-XXXX-XXXX-XXXX-XXXX
-  const stripeFormat = /^QAA-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}$/
-
-  if (stripeFormat.test(key)) {
+  const normalizedKey = normalizeLicenseKey(key)
+  // TD15 fix: Use shared constant for license key pattern
+  if (LICENSE_KEY_PATTERN.test(normalizedKey)) {
     // Stripe-generated key - always valid if properly formatted
     return true
   }
 
   // Legacy format validation for backward compatibility
   const expectedPrefix = `QAA-${tier.toUpperCase()}-`
-  return key.startsWith(expectedPrefix) && key.length > 20
+  return normalizedKey.startsWith(expectedPrefix) && normalizedKey.length > 20
 }
 
 /**
@@ -327,19 +444,27 @@ function validateLicenseKey(key, tier) {
  */
 function verifyLicenseSignature(payload, signature) {
   try {
-    const secret =
-      process.env.LICENSE_SIGNING_SECRET || 'cqa-dev-secret-change-in-prod'
-    const expectedSignature = crypto
-      .createHmac('sha256', secret)
-      .update(JSON.stringify(payload))
-      .digest('hex')
-
-    return crypto.timingSafeEqual(
-      Buffer.from(signature),
-      Buffer.from(expectedSignature)
+    const publicKey = loadKeyFromEnv(
+      process.env.QAA_LICENSE_PUBLIC_KEY,
+      process.env.QAA_LICENSE_PUBLIC_KEY_PATH
     )
-  } catch {
-    // If signature verification fails, treat as invalid
+    if (!publicKey) {
+      // TD12 fix: Log warning when public key is missing in non-dev mode
+      // Security: Production mode never allows developer bypass
+      const isDevMode =
+        process.env.NODE_ENV !== 'production' &&
+        process.env.QAA_DEVELOPER === 'true'
+      if (!isDevMode) {
+        console.warn(
+          '⚠️  License public key not configured - signature verification skipped'
+        )
+      }
+      return isDevMode
+    }
+    return verifyPayload(payload, signature, publicKey)
+  } catch (error) {
+    // TD12 fix: Log verification failures instead of silently returning false
+    console.warn(`⚠️  Signature verification failed: ${error.message}`)
     return false
   }
 }
@@ -376,7 +501,6 @@ function getSupportedLanguages() {
  */
 function showUpgradeMessage(feature) {
   const license = getLicenseInfo()
-  const _tierFeatures = FEATURES[license.tier] || FEATURES[LICENSE_TIERS.FREE]
 
   console.log(`\n🔒 ${feature} is a premium feature`)
   console.log(`📊 Current license: ${license.tier.toUpperCase()}`)
@@ -431,22 +555,68 @@ function showUpgradeMessage(feature) {
  */
 function saveLicense(tier, key, email, expires = null) {
   try {
+    // DR24 fix: Validate tier is a valid LICENSE_TIERS value
+    const validTiers = Object.values(LICENSE_TIERS)
+    if (!validTiers.includes(tier)) {
+      return {
+        success: false,
+        error: `Invalid tier "${tier}". Must be one of: ${validTiers.join(', ')}`,
+      }
+    }
+
+    // DR21 fix: Validate email format before hashing
+    if (email) {
+      const normalizedEmail = require('./license-signing').normalizeEmail(email)
+      if (!normalizedEmail) {
+        return {
+          success: false,
+          error: `Invalid email format: "${email}". Must be valid email address (e.g., user@example.com)`,
+        }
+      }
+    }
+
     const licenseDir = getLicenseDir()
     const licenseFile = getLicenseFile()
+    const normalizedKey = normalizeLicenseKey(key)
+    const privateKey = loadKeyFromEnv(
+      process.env.LICENSE_REGISTRY_PRIVATE_KEY,
+      process.env.LICENSE_REGISTRY_PRIVATE_KEY_PATH
+    )
 
     if (!fs.existsSync(licenseDir)) {
-      fs.mkdirSync(licenseDir, { recursive: true })
+      fs.mkdirSync(licenseDir, { recursive: true, mode: 0o700 })
+    }
+
+    if (!privateKey) {
+      return {
+        success: false,
+        error:
+          'LICENSE_REGISTRY_PRIVATE_KEY or LICENSE_REGISTRY_PRIVATE_KEY_PATH is required to save a signed license',
+      }
     }
 
+    const payload = buildLicensePayload({
+      licenseKey: normalizedKey,
+      tier,
+      isFounder: false,
+      emailHash: hashEmail(email),
+      issued: new Date().toISOString(),
+    })
+    const signature = signPayload(payload, privateKey)
+
     const licenseData = {
       tier,
-      key,
+      licenseKey: normalizedKey,
       email,
       expires,
       activated: new Date().toISOString(),
+      payload,
+      signature,
     }
 
-    fs.writeFileSync(licenseFile, JSON.stringify(licenseData, null, 2))
+    fs.writeFileSync(licenseFile, JSON.stringify(licenseData, null, 2), {
+      mode: 0o600,
+    })
     return { success: true }
   } catch (error) {
     return { success: false, error: error.message }
@@ -458,16 +628,26 @@ function saveLicense(tier, key, email, expires = null) {
  */
 function saveLicenseWithSignature(tier, key, email, validation) {
   try {
+    // DR24 fix: Validate tier is a valid LICENSE_TIERS value
+    const validTiers = Object.values(LICENSE_TIERS)
+    if (!validTiers.includes(tier)) {
+      return {
+        success: false,
+        error: `Invalid tier "${tier}". Must be one of: ${validTiers.join(', ')}`,
+      }
+    }
+
     const licenseDir = getLicenseDir()
     const licenseFile = getLicenseFile()
+    const normalizedKey = normalizeLicenseKey(key)
 
     if (!fs.existsSync(licenseDir)) {
-      fs.mkdirSync(licenseDir, { recursive: true })
+      fs.mkdirSync(licenseDir, { recursive: true, mode: 0o700 })
     }
 
     const licenseData = {
       tier,
-      licenseKey: key, // ✅ Changed from 'key' to 'licenseKey' to match StripeIntegration
+      licenseKey: normalizedKey, // ✅ Changed from 'key' to 'licenseKey' to match StripeIntegration
       email,
       expires: validation.expires,
       activated: new Date().toISOString(),
@@ -479,7 +659,9 @@ function saveLicenseWithSignature(tier, key, email, validation) {
       issued: validation.issued,
     }
 
-    fs.writeFileSync(licenseFile, JSON.stringify(licenseData, null, 2))
+    fs.writeFileSync(licenseFile, JSON.stringify(licenseData, null, 2), {
+      mode: 0o600,
+    })
     return { success: true }
   } catch (error) {
     return { success: false, error: error.message }
@@ -535,11 +717,28 @@ async function addLegitimateKey(
   purchaseEmail = null
 ) {
   try {
+    // DR21 fix: Validate email format before hashing
+    if (purchaseEmail) {
+      const normalizedEmail =
+        require('./license-signing').normalizeEmail(purchaseEmail)
+      if (!normalizedEmail) {
+        return {
+          success: false,
+          error: `Invalid email format: "${purchaseEmail}". Must be valid email address (e.g., user@example.com)`,
+        }
+      }
+    }
+
+    const normalizedKey = normalizeLicenseKey(licenseKey)
     // Use the same license directory as the CLI
     const licenseDir =
       process.env.QAA_LICENSE_DIR ||
       path.join(os.homedir(), '.create-qa-architect')
     const legitimateDBFile = path.join(licenseDir, 'legitimate-licenses.json')
+    const privateKey = loadKeyFromEnv(
+      process.env.LICENSE_REGISTRY_PRIVATE_KEY,
+      process.env.LICENSE_REGISTRY_PRIVATE_KEY_PATH
+    )
 
     // Ensure directory exists
     if (!fs.existsSync(licenseDir)) {
@@ -551,43 +750,82 @@ async function addLegitimateKey(
     if (fs.existsSync(legitimateDBFile)) {
       try {
         database = JSON.parse(fs.readFileSync(legitimateDBFile, 'utf8'))
-      } catch {
-        console.error(
-          'Warning: Could not parse existing database, creating new one'
-        )
+      } catch (parseError) {
+        // DR8 fix: Return error instead of continuing with corrupted database
+        const backupPath = `${legitimateDBFile}.corrupted.${Date.now()}`
+        let backupSucceeded = false
+
+        try {
+          fs.copyFileSync(legitimateDBFile, backupPath)
+          backupSucceeded = true
+          console.error(
+            `⚠️  Database corruption detected. Backed up to ${backupPath}`
+          )
+        } catch (backupError) {
+          console.error(
+            `❌ CRITICAL: Could not backup corrupted database: ${backupError.message}`
+          )
+        }
+
+        // Always return error on corruption - forces investigation
+        return {
+          success: false,
+          error: backupSucceeded
+            ? `License database corrupted (backup saved to ${backupPath}). Manual review required before adding keys.`
+            : `License database corrupted AND backup failed. Cannot proceed without data loss risk. Parse error: ${parseError.message}`,
+        }
       }
     }
 
-    // Initialize metadata if needed
-    if (!database._metadata) {
-      database._metadata = {
-        version: '1.0',
-        created: new Date().toISOString(),
-        description: 'Legitimate license database - populated by admin/webhook',
+    if (!privateKey) {
+      return {
+        success: false,
+        error:
+          'LICENSE_REGISTRY_PRIVATE_KEY or LICENSE_REGISTRY_PRIVATE_KEY_PATH is required to add legitimate keys',
       }
     }
 
-    // Add license
-    database[licenseKey] = {
-      customerId,
+    const issued = new Date().toISOString()
+    const emailHash = hashEmail(purchaseEmail)
+    const payload = buildLicensePayload({
+      licenseKey: normalizedKey,
       tier,
       isFounder,
-      email: purchaseEmail,
-      addedDate: new Date().toISOString(),
-      addedBy: 'admin_tool',
+      emailHash,
+      issued,
+    })
+    const signature = signPayload(payload, privateKey)
+
+    const { _metadata, ...existingLicenses } = database
+    const licenses = {
+      ...existingLicenses,
+      [normalizedKey]: {
+        tier,
+        isFounder,
+        issued,
+        emailHash,
+        signature,
+        keyId: process.env.LICENSE_REGISTRY_KEY_ID || 'default',
+      },
     }
 
-    // Update metadata
-    database._metadata.lastUpdate = new Date().toISOString()
-    database._metadata.totalLicenses = Object.keys(database).length - 1 // Exclude metadata
-
-    // Calculate SHA256 checksum for integrity verification (MANDATORY)
-    const { _metadata, ...licensesOnly } = database
-    const sha256 = crypto
+    const registrySignature = signPayload(licenses, privateKey)
+    const hash = crypto
       .createHash('sha256')
-      .update(JSON.stringify(licensesOnly))
+      .update(stableStringify(licenses))
       .digest('hex')
-    database._metadata.sha256 = sha256
+    const metadata = {
+      version: '1.0',
+      created: _metadata?.created || new Date().toISOString(),
+      lastUpdate: new Date().toISOString(),
+      description: 'Legitimate license database - populated by admin/webhook',
+      algorithm: 'ed25519',
+      keyId: process.env.LICENSE_REGISTRY_KEY_ID || 'default',
+      registrySignature,
+      hash,
+      totalLicenses: Object.keys(licenses).length,
+    }
+    database = { _metadata: metadata, ...licenses }
 
     // Save database
     fs.writeFileSync(legitimateDBFile, JSON.stringify(database, null, 2))
@@ -608,60 +846,60 @@ async function addLegitimateKey(
 
 /**
  * Interactive license activation prompt
+ * DR27 fix: Converted from callback-based readline to async/await pattern
  */
 async function promptLicenseActivation() {
-  const readline = require('readline')
+  const readline = require('readline/promises')
 
   const rl = readline.createInterface({
     input: process.stdin,
     output: process.stdout,
   })
 
-  return new Promise(resolve => {
+  try {
     console.log('\n🔑 License Activation')
     console.log(
       'Enter your license key from the purchase confirmation email.\n'
     )
 
-    rl.question('License key (QAA-XXXX-XXXX-XXXX-XXXX): ', licenseKey => {
-      if (!licenseKey.trim()) {
-        console.log('❌ License key required')
-        rl.close()
-        resolve({ success: false })
-        return
-      }
+    const licenseKey = await rl.question(
+      'License key (QAA-XXXX-XXXX-XXXX-XXXX): '
+    )
 
-      rl.question('Email address: ', async email => {
-        if (!email.trim()) {
-          console.log('❌ Email address required')
-          rl.close()
-          resolve({ success: false })
-          return
-        }
+    if (!licenseKey.trim()) {
+      console.log('❌ License key required')
+      rl.close()
+      return { success: false }
+    }
 
-        rl.close()
+    const email = await rl.question('Email address: ')
 
-        const result = await activateLicense(licenseKey.trim(), email.trim())
+    if (!email.trim()) {
+      console.log('❌ Email address required')
+      rl.close()
+      return { success: false }
+    }
 
-        if (
-          !result.success &&
-          result.error &&
-          result.error.includes('not found')
-        ) {
-          console.log('\n📞 License activation assistance:')
-          console.log(
-            '   If you purchased this license, please contact support at:'
-          )
-          console.log('   Email: support@vibebuildlab.com')
-          console.log(
-            '   Include your license key and purchase email for verification.'
-          )
-        }
+    rl.close()
 
-        resolve(result)
-      })
-    })
-  })
+    const result = await activateLicense(licenseKey.trim(), email.trim())
+
+    if (!result.success && result.error && result.error.includes('not found')) {
+      console.log('\n📞 License activation assistance:')
+      console.log(
+        '   If you purchased this license, please contact support at:'
+      )
+      console.log('   Email: support@vibebuildlab.com')
+      console.log(
+        '   Include your license key and purchase email for verification.'
+      )
+    }
+
+    return result
+  } catch (error) {
+    rl.close()
+    return { success: false, error: error.message }
+  }
 }
 
 /**
@@ -743,14 +981,74 @@ function loadUsage() {
 
       return data
     }
-  } catch {
-    // Ignore errors reading usage file
+  } catch (error) {
+    // DR8 fix: Prevent quota bypass through file corruption
+    if (error instanceof SyntaxError) {
+      const usageFile = getUsageFile()
+      console.error(`\n❌ CRITICAL: Usage tracking file is corrupted`)
+      console.error(`   File: ${usageFile}`)
+      console.error(`   Parse error: ${error.message}\n`)
+
+      // Backup corrupted file for forensics
+      const backupPath = `${usageFile}.corrupted.${Date.now()}`
+      try {
+        fs.copyFileSync(usageFile, backupPath)
+        console.log(`   ✅ Backup saved: ${backupPath}`)
+      } catch (_backupError) {
+        console.error(`   ❌ Could not create backup`)
+      }
+
+      const license = getLicenseInfo()
+
+      if (license.tier === LICENSE_TIERS.FREE) {
+        console.error(`\n⚠️  FREE TIER CORRUPTION POLICY:`)
+        console.error(
+          `   To prevent quota bypass, your usage has been reset to maximum.`
+        )
+        console.error(`   This is a security measure, not a penalty.\n`)
+        console.error(`   To restore your usage:`)
+        console.error(`   1. Review the backup file: ${backupPath}`)
+        console.error(`   2. If data looks correct, manually fix JSON syntax`)
+        console.error(`   3. Copy corrected JSON back to: ${usageFile}`)
+        console.error(
+          `   4. Or delete ${usageFile} to start fresh this month\n`
+        )
+        console.error(`   If this keeps happening, please report the issue.`)
+
+        // Provide clear recovery path
+        console.error(`\n🔧 Quick fix: rm ${usageFile}`)
+        console.error(
+          `   This will reset your usage to 0 for the current month.\n`
+        )
+
+        const caps = FEATURES[LICENSE_TIERS.FREE]
+        return {
+          month: getCurrentMonth(),
+          prePushRuns: caps.maxPrePushRunsPerMonth,
+          dependencyPRs: caps.maxDependencyPRsPerMonth,
+          repos: Array.from(
+            { length: caps.maxPrivateRepos },
+            (_item, index) => `corrupted-${index + 1}`
+          ),
+        }
+      }
+    } else if (process.env.DEBUG && error?.code !== 'ENOENT') {
+      console.warn(`⚠️  Could not read usage file: ${error.message}`)
+    }
   }
 
   // Default usage data
+  return getDefaultUsage()
+}
+
+function getCurrentMonth() {
   const now = new Date()
+  return `${now.getFullYear()}-${String(now.getMonth() + 1).padStart(2, '0')}`
+}
+
+function getDefaultUsage() {
   return {
-    month: `${now.getFullYear()}-${String(now.getMonth() + 1).padStart(2, '0')}`,
+    month: getCurrentMonth(),
     prePushRuns: 0,
     dependencyPRs: 0,
     repos: [],
@@ -764,12 +1062,42 @@ function saveUsage(usage) {
   try {
     const licenseDir = getLicenseDir()
     if (!fs.existsSync(licenseDir)) {
-      fs.mkdirSync(licenseDir, { recursive: true })
+      fs.mkdirSync(licenseDir, { recursive: true, mode: 0o700 })
     }
-    fs.writeFileSync(getUsageFile(), JSON.stringify(usage, null, 2))
+    fs.writeFileSync(getUsageFile(), JSON.stringify(usage, null, 2), {
+      mode: 0o600,
+    })
     return true
-  } catch {
-    return false
+  } catch (error) {
+    const license = getLicenseInfo()
+    const usageFile = getUsageFile()
+
+    // For FREE tier, this is critical - can't track quota
+    if (license.tier === LICENSE_TIERS.FREE) {
+      console.error(`\n❌ CRITICAL: Cannot save usage tracking data`)
+      console.error(`   File: ${usageFile}`)
+      console.error(`   Error: ${error.message} (${error.code})`)
+      console.error(`\n   FREE tier quota enforcement requires usage tracking.`)
+      console.error(`   Please fix this filesystem issue:\n`)
+
+      if (error.code === 'ENOSPC') {
+        console.error(`   • Disk full - free up space`)
+      } else if (error.code === 'EACCES') {
+        console.error(`   • Permission denied - check directory permissions`)
+        console.error(`   • Try: chmod 700 ${getLicenseDir()}`)
+      } else if (error.code === 'EROFS') {
+        console.error(`   • Filesystem is readonly - remount as read-write`)
+      } else {
+        console.error(`   • Unexpected error - please report this issue`)
+      }
+
+      throw error // Don't allow FREE tier to continue without tracking
+    } else {
+      // Pro/Team/Enterprise - warn but don't fail
+      console.warn(`⚠️  Failed to save usage data: ${error.message}`)
+      console.warn(`   This won't affect Pro/Team/Enterprise functionality`)
+      return false
+    }
   }
 }