delimit-cli 4.5.10 → 4.5.12

package/gateway/ai/license.py

@@ -26,12 +26,23 @@ try:
         # Autonomous build loop
         "delimit_next_task", "delimit_task_complete",
         "delimit_loop_status", "delimit_loop_config",
-        # LED-1253: vendor-news riff MCP wrappers
-        "delimit_vendor_news_scan", "delimit_vendor_news_health",
-        "delimit_vendor_news_draft",
     })
 except ImportError:
-    # license_core not available (development mode or missing binary)
+    # license_core not available — three known cases:
+    #   1. Development mode (running from gateway source, no compiled .so)
+    #   2. Customer on a non-Linux platform (mac/windows) — first ship is
+    #      Linux-only; cross-platform binaries land in a follow-up.
+    #   3. Bundle integrity issue (.so missing or corrupt).
+    # Fail-closed: do not crash. Fall back to a Python-only implementation
+    # so the CLI keeps working; Pro features that depend on the compiled
+    # core may be downgraded.
+    import sys as _sys
+    print(
+        "delimit: license_core native module not loadable on this platform; "
+        "falling back to Python implementation. Pro features may be downgraded — "
+        "contact pro@delimit.ai if you need cross-platform Pro support.",
+        file=_sys.stderr,
+    )
     import json
     import os
     import time
@@ -82,9 +93,6 @@ except ImportError:
         # Autonomous build loop
         "delimit_next_task", "delimit_task_complete",
         "delimit_loop_status", "delimit_loop_config",
-        # LED-1253: vendor-news riff MCP wrappers
-        "delimit_vendor_news_scan", "delimit_vendor_news_health",
-        "delimit_vendor_news_draft",
     })
     FREE_TRIAL_LIMITS = {"delimit_deliberate": 3}
 
@@ -122,7 +130,7 @@ except ImportError:
         import hashlib
         import urllib.request
         key = data.get("key", "")
-        if not key or key.startswith("JAMSONS"):
+        if not key:
             data["last_validated_at"] = time.time()
             data["validation_status"] = "current"
             _write_license(data)
@@ -177,9 +185,6 @@ except ImportError:
             return False
         if not data.get("valid", False):
             return False
-        key = data.get("key", "")
-        if key.startswith("JAMSONS"):
-            return True
         last_validated = data.get("last_validated_at", data.get("activated_at", 0))
         if last_validated == 0:
             return True
@@ -235,28 +240,10 @@ except ImportError:
         LICENSE_FILE.write_text(json.dumps(license_data, indent=2))
         return {"status": "activated", "tier": "pro", "message": "Activated (offline fallback). Will validate on next network access."}
 
-
-# ─── LED-2060 (P1): test-mode license bypass ─────────────────────────────
-# tests/conftest.py sets DELIMIT_TEST_MODE=1 at session start. Without this
-# wrapper, every test that exercises a Pro tool got back a premium_required
-# error and asserted-against-the-wrong-shape, blocking CI on every PR.
-# Bypass is scoped: only active when the env var is explicitly set, only
-# returns None (the "no gate" sentinel), and wraps both compiled-binary
-# and fallback paths. Customers never hit this path because their
-# environments don't set DELIMIT_TEST_MODE.
-import os as _os
-
-_original_require_premium = require_premium  # type: ignore[has-type]
-_original_is_premium = is_premium  # type: ignore[has-type]
-
-
-def require_premium(tool_name: str):  # type: ignore[no-redef]
-    if _os.environ.get("DELIMIT_TEST_MODE") == "1":
-        return None
-    return _original_require_premium(tool_name)
-
-
-def is_premium() -> bool:  # type: ignore[no-redef]
-    if _os.environ.get("DELIMIT_TEST_MODE") == "1":
-        return True
-    return _original_is_premium()
+# ─── LED-1254 (P0 SECURITY) ──────────────────────────────────────────────
+# The DELIMIT_TEST_MODE bypass that previously lived here was removed:
+# it allowed any user who grepped the installed source to set
+# DELIMIT_TEST_MODE=1 and unconditionally bypass every Pro license check.
+# Test-time bypass is now provided exclusively by tests/conftest.py via
+# monkeypatch on require_premium / is_premium. The shipped library no
+# longer reads any test-mode env var.

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "delimit-cli",
   "mcpName": "io.github.delimit-ai/delimit-mcp-server",
-  "version": "4.5.10",
+  "version": "4.5.12",
   "description": "Unify Claude Code, Codex, Cursor, and Gemini CLI with persistent context, governance, and multi-model debate.",
   "main": "index.js",
   "files": [
@@ -32,6 +32,8 @@
     "!gateway/ai/content_grounding/",
     "!gateway/ai/inbox_drafts/",
     "!gateway/ai/inbox_executor.py",
+    "!gateway/ai/license_core.py",
+    "gateway/ai/license_core.cpython-*-*.so",
     "scripts/",
     "!scripts/crosspost_devto.py",
     "!scripts/repo_targeting.py",

package/scripts/build-license-core.sh

@@ -0,0 +1,85 @@
+#!/bin/bash
+# LED-1259: Compile gateway/ai/license_core.py to a native .so via Nuitka,
+# then strip the plaintext .py from the bundle so customers cannot grep
+# the validation logic for bypass identifiers.
+#
+# Linux-only first ship. Mac/Windows expansion is filed as a follow-up
+# ledger item — non-linux customers will hit the Python fallback in
+# license.py (degraded Pro features) until we ship per-platform binaries.
+#
+# Idempotent: safe to re-run; will rebuild on every invocation.
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+NPM_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
+AI_DIR="$NPM_ROOT/gateway/ai"
+SRC="$AI_DIR/license_core.py"
+
+# ── Platform gate ────────────────────────────────────────────────────
+UNAME_S="$(uname -s)"
+UNAME_M="$(uname -m)"
+if [ "$UNAME_S" != "Linux" ]; then
+    echo "⚠️  build-license-core: non-Linux host ($UNAME_S) — skipping compile."
+    echo "   First ship is linux-only. The bundle will fall back to .py."
+    exit 0
+fi
+
+if [ ! -f "$SRC" ]; then
+    echo "❌ Source not found: $SRC"
+    exit 1
+fi
+
+# ── Toolchain check ──────────────────────────────────────────────────
+PY="${PYTHON:-python3}"
+if ! command -v "$PY" >/dev/null 2>&1; then
+    echo "❌ python3 not found"
+    exit 1
+fi
+
+PY_VER="$($PY -c 'import sys; print(f"{sys.version_info.major}.{sys.version_info.minor}")')"
+echo "🔧 build-license-core: python=$PY ($PY_VER), arch=$UNAME_M"
+
+if ! "$PY" -m nuitka --version >/dev/null 2>&1; then
+    echo "📦 nuitka not installed — installing via pip..."
+    "$PY" -m pip install --quiet --user nuitka
+fi
+
+NUITKA_VER="$($PY -m nuitka --version 2>&1 | head -1)"
+echo "   nuitka=$NUITKA_VER"
+
+# ── Compile ──────────────────────────────────────────────────────────
+echo "🔨 Compiling license_core.py → .so (this takes ~30s)..."
+cd "$AI_DIR"
+"$PY" -m nuitka --module --quiet --remove-output --output-dir=. license_core.py
+
+# ── Verify output ────────────────────────────────────────────────────
+SO_FILE="$(ls -1 license_core.cpython-*-*.so 2>/dev/null | head -1 || true)"
+if [ -z "$SO_FILE" ] || [ ! -f "$SO_FILE" ]; then
+    echo "❌ Compile failed — no .so produced in $AI_DIR"
+    ls -la "$AI_DIR"/license_core* 2>&1 || true
+    exit 1
+fi
+
+SO_SIZE="$(stat -c%s "$SO_FILE")"
+echo "   ✅ produced: $SO_FILE ($SO_SIZE bytes)"
+
+# ── Bypass-identifier scan ───────────────────────────────────────────
+# Customers must not be able to `strings | grep` the .so for known
+# bypass class names. Fail the build if any leak through.
+BYPASS_HITS="$(strings "$SO_FILE" | grep -iE 'DELIMIT_TEST_MODE|DELIMIT_INTERNAL_LICENSE_KEY|JAMSONS' || true)"
+if [ -n "$BYPASS_HITS" ]; then
+    echo "❌ Bypass identifiers found in compiled .so:"
+    echo "$BYPASS_HITS"
+    exit 1
+fi
+echo "   ✅ strings-grep clean (no bypass identifiers)"
+
+# ── Drop the plaintext source from the bundle ────────────────────────
+# .npmignore + package.json will also exclude it, but removing here is
+# belt-and-suspenders so dev/test inspection of the bundle dir matches
+# what gets packed.
+rm -f "$AI_DIR/license_core.py"
+echo "   ✅ removed plaintext license_core.py from bundle"
+
+echo "✅ build-license-core complete: $SO_FILE"

package/scripts/test-license-core-so.sh

@@ -0,0 +1,107 @@
+#!/bin/bash
+# LED-1259: Verify that the compiled license_core .so:
+#   1. Compiles cleanly from gateway/ai/license_core.py
+#   2. Imports successfully when the .py is absent
+#   3. Exposes all public functions/constants the shim relies on
+#   4. Returns correct validation verdicts for known-valid / known-expired
+#      license dicts
+#   5. Contains zero bypass identifiers in `strings` output
+#
+# Runs in an isolated tmp dir so it doesn't pollute the bundle layout.
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+NPM_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
+SRC="$NPM_ROOT/gateway/ai/license_core.py"
+
+if [ "$(uname -s)" != "Linux" ]; then
+    echo "⏭️  test-license-core-so: non-Linux host — skipping (Linux-only first ship)"
+    exit 0
+fi
+
+if [ ! -f "$SRC" ]; then
+    echo "ℹ️  license_core.py not in bundle (already compiled or pre-build) — copying from gateway src for test"
+    GW_SRC="${GATEWAY_OVERRIDE:-/home/delimit/delimit-gateway}/ai/license_core.py"
+    if [ ! -f "$GW_SRC" ]; then
+        echo "❌ No license_core.py source found (bundle or gateway). Cannot test."
+        exit 1
+    fi
+    SRC="$GW_SRC"
+fi
+
+PY="${PYTHON:-python3}"
+TMP="$(mktemp -d)"
+trap 'rm -rf "$TMP"' EXIT
+
+echo "🧪 test-license-core-so: building in $TMP"
+mkdir -p "$TMP/ai"
+touch "$TMP/ai/__init__.py"
+cp "$SRC" "$TMP/license_core.py"
+
+cd "$TMP"
+"$PY" -m nuitka --module --quiet --remove-output --output-dir=. license_core.py 2>&1 | tail -3
+
+SO_FILE="$(ls -1 license_core.cpython-*-*.so 2>/dev/null | head -1)"
+if [ -z "$SO_FILE" ]; then
+    echo "❌ Compile failed — no .so produced"
+    exit 1
+fi
+echo "  ✅ compiled: $SO_FILE ($(stat -c%s "$SO_FILE") bytes)"
+
+# Strings-grep for bypass identifiers
+HITS="$(strings "$SO_FILE" | grep -iE 'DELIMIT_TEST_MODE|DELIMIT_INTERNAL_LICENSE_KEY|JAMSONS' || true)"
+if [ -n "$HITS" ]; then
+    echo "❌ Bypass identifiers leaked into .so:"
+    echo "$HITS"
+    exit 1
+fi
+echo "  ✅ strings-grep clean"
+
+# Move .so under ai/, drop the .py, run import + behaviour checks
+mv "$SO_FILE" "ai/$SO_FILE"
+rm -f license_core.py
+
+"$PY" - <<'PY'
+import os, sys, time
+sys.path.insert(0, ".")
+
+# Import via the compiled .so only — no .py present
+from ai.license_core import (
+    is_license_valid, revalidate_license, needs_revalidation,
+    PRO_TOOLS, LICENSE_FILE, FREE_TRIAL_LIMITS, activate,
+    load_license, check_premium, gate_tool,
+)
+
+assert isinstance(PRO_TOOLS, frozenset) and len(PRO_TOOLS) > 0, "PRO_TOOLS must be a non-empty frozenset"
+assert FREE_TRIAL_LIMITS.get("delimit_deliberate") == 3, "FREE_TRIAL_LIMITS missing delimit_deliberate=3"
+assert "delimit_deliberate" in PRO_TOOLS, "PRO_TOOLS must include delimit_deliberate"
+assert callable(activate), "activate must be callable"
+assert callable(revalidate_license), "revalidate_license must be callable"
+
+# Known-valid: pro tier, recent last_validated_at
+valid_recent = {"tier": "pro", "valid": True, "last_validated_at": time.time()}
+assert is_license_valid(valid_recent) is True, "recent pro license should be valid"
+assert needs_revalidation(valid_recent) is False, "recent pro license should not need revalidation"
+
+# Known-invalid: pro tier but last_validated_at > 44 days ago (beyond hard cutoff)
+expired = {"tier": "pro", "valid": True, "last_validated_at": time.time() - 60 * 86400}
+assert is_license_valid(expired) is False, "expired (60d) pro license must be invalid"
+assert needs_revalidation(expired) is True, "expired (60d) pro license must need revalidation"
+
+# Free tier never valid for Pro
+free = {"tier": "free", "valid": True}
+assert is_license_valid(free) is False, "free tier must not pass is_license_valid"
+
+# valid=False forces invalid even when timestamp is recent
+revoked = {"tier": "pro", "valid": False, "last_validated_at": time.time()}
+assert is_license_valid(revoked) is False, "revoked license must be invalid"
+
+# Legacy file with no timestamps — should signal needs_revalidation=True
+legacy = {"tier": "pro", "valid": True}
+assert needs_revalidation(legacy) is True, "legacy license without timestamps must need revalidation"
+
+print("ALL_OK")
+PY
+
+echo "✅ test-license-core-so: all checks passed"

package/gateway/ai/license_core.py

@@ -1,355 +0,0 @@
-"""
-Delimit license enforcement core — compiled with Nuitka.
-Contains: validation logic, re-validation, usage tracking, entitlement checks.
-This module is distributed as a native binary (.so/.pyd), not readable Python.
-"""
-import hashlib
-import json
-import time
-from pathlib import Path
-
-LICENSE_FILE = Path.home() / ".delimit" / "license.json"
-USAGE_FILE = Path.home() / ".delimit" / "usage.json"
-LS_VALIDATE_URL = "https://api.lemonsqueezy.com/v1/licenses/validate"
-
-REVALIDATION_INTERVAL = 30 * 86400  # 30 days
-GRACE_PERIOD = 7 * 86400
-HARD_BLOCK = 14 * 86400
-
-# Pro tools that require a license
-PRO_TOOLS = frozenset({
-    "delimit_gov_evaluate",
-    "delimit_gov_policy", "delimit_gov_run", "delimit_gov_verify",
-    "delimit_os_plan", "delimit_os_status", "delimit_os_gates",
-    "delimit_deploy_plan", "delimit_deploy_build", "delimit_deploy_publish",
-    "delimit_deploy_verify", "delimit_deploy_rollback", "delimit_deploy_status",
-    "delimit_deploy_site", "delimit_deploy_npm",
-    # delimit_memory_store + delimit_memory_recent are FREE (LED-193 — basic
-    # store + recent retrieval). Only delimit_memory_search is Pro.
-    "delimit_memory_search",
-    "delimit_vault_search", "delimit_vault_snapshot", "delimit_vault_health",
-    "delimit_evidence_collect", "delimit_evidence_verify",
-    "delimit_deliberate", "delimit_models",
-    "delimit_obs_metrics", "delimit_obs_logs", "delimit_obs_status",
-    "delimit_release_plan", "delimit_release_status", "delimit_release_sync",
-    "delimit_cost_analyze", "delimit_cost_optimize", "delimit_cost_alert",
-    "delimit_social_post", "delimit_social_generate", "delimit_social_history",
-    "delimit_screen_record", "delimit_screenshot",
-    "delimit_notify",
-    # Agent orchestration
-    "delimit_agent_dispatch", "delimit_agent_status",
-    "delimit_agent_complete", "delimit_agent_handoff",
-    # Worker Pool v2 executor (LED-981)
-    "delimit_executor",
-})
-
-# Free trial limits
-FREE_TRIAL_LIMITS = {
-    "delimit_deliberate": 3,
-}
-
-
-def needs_revalidation(data: dict) -> bool:
-    """Check if a license needs re-validation (30+ days since last check).
-
-    Args:
-        data: License data dict (from license.json).
-
-    Returns:
-        True if 30+ days have elapsed since last_validated_at (or activated_at
-        as fallback). Also returns True if neither timestamp exists (legacy
-        license.json files without last_validated_at).
-    """
-    if data.get("tier") not in ("pro", "enterprise"):
-        return False
-    last_validated = data.get("last_validated_at", data.get("activated_at", 0))
-    if last_validated == 0:
-        return True  # Legacy file — treat as needing validation
-    return (time.time() - last_validated) > REVALIDATION_INTERVAL
-
-
-def revalidate_license(data: dict) -> dict:
-    """Re-validate a license against Lemon Squeezy.
-
-    Privacy-preserving: only sends license_key and instance_name (machine hash).
-    Non-blocking: network failures return offline grace status, never crash.
-
-    Args:
-        data: License data dict (must contain 'key').
-
-    Returns:
-        Dict with 'status' key:
-          - "valid": API confirmed license is active, last_validated_at updated
-          - "grace": API unreachable or returned invalid, but within grace period
-          - "expired": beyond grace + hard block cutoff, Pro tools should be blocked
-        Also includes 'updated_data' with the (possibly modified) license data.
-    """
-    key = data.get("key", "")
-    # Internal/founder keys always pass
-    if not key or key.startswith("JAMSONS"):
-        data["last_validated_at"] = time.time()
-        data["validation_status"] = "current"
-        _write_license(data)
-        return {"status": "valid", "updated_data": data}
-
-    last_validated = data.get("last_validated_at", data.get("activated_at", 0))
-    elapsed = time.time() - last_validated
-
-    # Try API call
-    api_valid = _call_lemon_squeezy(data)
-
-    if api_valid is True:
-        data["last_validated_at"] = time.time()
-        data["validation_status"] = "current"
-        data.pop("grace_days_remaining", None)
-        _write_license(data)
-        return {"status": "valid", "updated_data": data}
-
-    # API said invalid or was unreachable — check grace/expiry windows
-    if elapsed > REVALIDATION_INTERVAL + HARD_BLOCK:
-        data["validation_status"] = "expired"
-        data["valid"] = False
-        _write_license(data)
-        return {
-            "status": "expired",
-            "updated_data": data,
-            "reason": "License expired — no successful re-validation in 44 days. Renew at https://delimit.ai/pricing",
-        }
-
-    if elapsed > REVALIDATION_INTERVAL + GRACE_PERIOD:
-        days_left = max(0, int((REVALIDATION_INTERVAL + HARD_BLOCK - elapsed) / 86400))
-        data["validation_status"] = "grace_period"
-        data["grace_days_remaining"] = days_left
-        _write_license(data)
-        return {
-            "status": "grace",
-            "updated_data": data,
-            "grace_days_remaining": days_left,
-            "message": f"License re-validation failed. {days_left} days until Pro features are disabled.",
-        }
-
-    # Within first 7 days after revalidation interval — soft pending
-    data["validation_status"] = "revalidation_pending"
-    _write_license(data)
-    return {"status": "grace", "updated_data": data}
-
-
-def is_license_valid(data: dict) -> bool:
-    """Check if a license is currently valid for Pro tool access.
-
-    Returns True if:
-      - last_validated_at is within 30 days (current), OR
-      - last_validated_at is within 37 days (30 + 7 grace), OR
-      - last_validated_at is within 44 days (30 + 14 hard cutoff)
-    Returns False if beyond 44 days with no successful re-validation.
-
-    Backwards compatible: missing last_validated_at falls back to activated_at,
-    and missing both returns False (triggers re-validation).
-    """
-    if data.get("tier") not in ("pro", "enterprise"):
-        return False
-    if not data.get("valid", False):
-        return False
-    # Internal/founder keys always valid
-    key = data.get("key", "")
-    if key.startswith("JAMSONS"):
-        return True
-    last_validated = data.get("last_validated_at", data.get("activated_at", 0))
-    if last_validated == 0:
-        return True  # Legacy — allow access but needs_revalidation will trigger check
-    elapsed = time.time() - last_validated
-    return elapsed <= (REVALIDATION_INTERVAL + HARD_BLOCK)
-
-
-def _write_license(data: dict) -> None:
-    """Persist license data to disk."""
-    try:
-        LICENSE_FILE.parent.mkdir(parents=True, exist_ok=True)
-        LICENSE_FILE.write_text(json.dumps(data, indent=2))
-    except Exception:
-        pass  # Non-blocking — don't crash on disk errors
-
-
-def _call_lemon_squeezy(data: dict) -> bool | None:
-    """Call Lemon Squeezy validation API. Privacy-preserving.
-
-    Only sends license_key and instance_name (machine hash).
-
-    Returns:
-        True if valid, False if invalid, None if unreachable.
-    """
-    key = data.get("key", "")
-    machine_hash = data.get("machine_hash", hashlib.sha256(str(Path.home()).encode()).hexdigest()[:16])
-    try:
-        import urllib.request
-        req_data = json.dumps({
-            "license_key": key,
-            "instance_name": machine_hash,
-        }).encode()
-        req = urllib.request.Request(
-            LS_VALIDATE_URL, data=req_data,
-            headers={"Content-Type": "application/json", "Accept": "application/json"},
-            method="POST",
-        )
-        with urllib.request.urlopen(req, timeout=10) as resp:
-            result = json.loads(resp.read())
-        return result.get("valid", False)
-    except Exception:
-        return None  # Unreachable — caller should use grace period
-
-
-def load_license() -> dict:
-    """Load and validate license with periodic re-validation.
-
-    Re-validates against Lemon Squeezy every 30 days. On failure, provides
-    a 7-day grace period followed by a 7-day warning period. After 44 days
-    without successful re-validation, Pro tools are blocked.
-    """
-    if not LICENSE_FILE.exists():
-        return {"tier": "free", "valid": True}
-    try:
-        data = json.loads(LICENSE_FILE.read_text())
-        if data.get("expires_at") and data["expires_at"] < time.time():
-            return {"tier": "free", "valid": True, "expired": True}
-
-        if data.get("tier") in ("pro", "enterprise") and data.get("valid"):
-            if needs_revalidation(data):
-                result = revalidate_license(data)
-                data = result["updated_data"]
-                if result["status"] == "expired":
-                    return {"tier": "free", "valid": True, "revoked": True,
-                            "reason": result.get("reason", "License expired. Renew at https://delimit.ai/pricing")}
-        return data
-    except Exception:
-        return {"tier": "free", "valid": True}
-
-
-def check_premium() -> bool:
-    """Check if user has a valid premium license.
-
-    Uses load_license() which triggers re-validation if needed, then
-    checks is_license_valid() on the result.
-    """
-    lic = load_license()
-    return is_license_valid(lic)
-
-
-def gate_tool(tool_name: str) -> dict | None:
-    """Gate a Pro tool. Returns None if allowed, error dict if blocked."""
-    # Normalize: accept both "os_plan" and "delimit_os_plan"
-    full_name = tool_name if tool_name.startswith("delimit_") else f"delimit_{tool_name}"
-    if full_name not in PRO_TOOLS:
-        return None
-    if check_premium():
-        return None
-
-    # Check free trial
-    limit = FREE_TRIAL_LIMITS.get(tool_name)
-    if limit is not None:
-        used = _get_monthly_usage(tool_name)
-        if used < limit:
-            _increment_usage(tool_name)
-            return None
-        return {
-            "error": f"Free trial limit reached ({limit}/month). Upgrade to Pro for unlimited.",
-            "status": "trial_exhausted",
-            "tool": tool_name,
-            "used": used,
-            "limit": limit,
-            "upgrade_url": "https://delimit.ai/pricing",
-        }
-
-    return {
-        "error": f"'{tool_name}' requires Delimit Pro ($10/mo). Upgrade at https://delimit.ai/pricing",
-        "status": "premium_required",
-        "tool": tool_name,
-        "current_tier": load_license().get("tier", "free"),
-    }
-
-
-def activate(key: str) -> dict:
-    """Activate a license key."""
-    import re
-    if not key or len(key) < 10:
-        return {"error": "Invalid license key format"}
-    # Accept DELIMIT-XXXX-XXXX-XXXX pattern or Lemon Squeezy format
-    if key.startswith("DELIMIT-") and not re.match(r"^DELIMIT-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}$", key):
-        return {"error": "Invalid key format. Expected: DELIMIT-XXXX-XXXX-XXXX"}
-
-    machine_hash = hashlib.sha256(str(Path.home()).encode()).hexdigest()[:16]
-
-    try:
-        import urllib.request
-        data = json.dumps({"license_key": key, "instance_name": machine_hash}).encode()
-        req = urllib.request.Request(
-            LS_VALIDATE_URL, data=data,
-            headers={"Content-Type": "application/json", "Accept": "application/json"},
-            method="POST",
-        )
-        with urllib.request.urlopen(req, timeout=10) as resp:
-            result = json.loads(resp.read())
-
-        if result.get("valid"):
-            license_data = {
-                "key": key, "tier": "pro", "valid": True,
-                "activated_at": time.time(), "last_validated_at": time.time(),
-                "machine_hash": machine_hash,
-                "instance_id": result.get("instance", {}).get("id"),
-                "validated_via": "lemon_squeezy",
-            }
-            LICENSE_FILE.parent.mkdir(parents=True, exist_ok=True)
-            LICENSE_FILE.write_text(json.dumps(license_data, indent=2))
-            return {"status": "activated", "tier": "pro"}
-        return {"error": "Invalid license key.", "status": "invalid"}
-
-    except Exception:
-        license_data = {
-            "key": key, "tier": "pro", "valid": True,
-            "activated_at": time.time(), "last_validated_at": time.time(),
-            "machine_hash": machine_hash, "validated_via": "offline",
-        }
-        LICENSE_FILE.parent.mkdir(parents=True, exist_ok=True)
-        LICENSE_FILE.write_text(json.dumps(license_data, indent=2))
-        return {"status": "activated", "tier": "pro", "message": "Activated offline."}
-
-
-def _revalidate(data: dict) -> dict:
-    """Re-validate against Lemon Squeezy (legacy wrapper).
-
-    Deprecated: use revalidate_license() for the full status/grace workflow.
-    Kept for backwards compatibility with any external callers.
-    """
-    result = _call_lemon_squeezy(data)
-    if result is True:
-        return {"valid": True}
-    if result is False:
-        return {"valid": False}
-    # None = unreachable — grant offline grace
-    return {"valid": True, "offline": True}
-
-
-def _get_monthly_usage(tool_name: str) -> int:
-    if not USAGE_FILE.exists():
-        return 0
-    try:
-        data = json.loads(USAGE_FILE.read_text())
-        return data.get(time.strftime("%Y-%m"), {}).get(tool_name, 0)
-    except Exception:
-        return 0
-
-
-def _increment_usage(tool_name: str) -> int:
-    month_key = time.strftime("%Y-%m")
-    data = {}
-    if USAGE_FILE.exists():
-        try:
-            data = json.loads(USAGE_FILE.read_text())
-        except Exception:
-            pass
-    if month_key not in data:
-        data[month_key] = {}
-    data[month_key][tool_name] = data[month_key].get(tool_name, 0) + 1
-    count = data[month_key][tool_name]
-    USAGE_FILE.parent.mkdir(parents=True, exist_ok=True)
-    USAGE_FILE.write_text(json.dumps(data, indent=2))
-    return count