guardrail-core 1.0.0

package/dist/entitlements.d.ts

@@ -0,0 +1,149 @@
+/**
+ * Entitlements System - SINGLE SOURCE OF TRUTH
+ *
+ * This module is the canonical entitlements implementation for Guardrail.
+ * It handles feature access, usage limits, tier enforcement, and seat management.
+ *
+ * IMPORTANT: This TypeScript file is compiled to dist/entitlements.js
+ * DO NOT create separate entitlements.js files elsewhere in the codebase.
+ * All consumers (API, CLI, etc.) should import from @guardrail/core.
+ */
+import { Feature, SEAT_PRICING, SeatPricing, TIER_CONFIG, Tier, TierConfig, calculateEffectiveSeats, canAddMember, formatSeatInfo, getMinimumTierForFeature, getTierConfig, isValidTier, validateSeatReduction } from './tier-config';
+export type { Feature, SeatPricing, Tier, TierConfig };
+export { SEAT_PRICING, TIER_CONFIG, calculateEffectiveSeats, canAddMember, formatSeatInfo, getMinimumTierForFeature, getTierConfig, isValidTier, validateSeatReduction };
+export interface UsageRecord {
+    tier: Tier;
+    userId?: string;
+    email?: string;
+    periodStart: string;
+    periodEnd: string;
+    usage: {
+        scans: number;
+        realityRuns: number;
+        aiAgentRuns: number;
+        gateRuns: number;
+        fixRuns: number;
+    };
+    lastUpdated: string;
+    lastServerSync?: string;
+    pendingSync?: boolean;
+}
+export interface EntitlementCheck {
+    allowed: boolean;
+    reason?: string;
+    usage?: number;
+    limit?: number;
+    upgradePrompt?: string;
+    source?: 'server' | 'cache' | 'local' | 'offline';
+}
+export interface SeatCheck {
+    allowed: boolean;
+    reason?: string;
+    effectiveSeats: number;
+    baseSeats: number;
+    purchasedSeats: number;
+    currentMembers: number;
+}
+export interface OrganizationSeats {
+    tier: Tier;
+    baseSeats: number;
+    purchasedExtraSeats: number;
+    effectiveSeats: number;
+    currentMembers: number;
+    seatPricing: SeatPricing;
+}
+export declare class EntitlementsManager {
+    private configDir;
+    private usageFile;
+    private licenseFile;
+    constructor();
+    /**
+     * Get current tier from license file or environment
+     */
+    getCurrentTier(): Promise<Tier>;
+    /**
+     * Validate API key against server and return tier
+     *
+     * SECURITY: Tier is determined server-side only.
+     * The API key string contains NO tier information.
+     */
+    private validateApiKeyWithServer;
+    /**
+     * Check if a feature is available for the current tier
+     */
+    checkFeature(feature: Feature): Promise<EntitlementCheck>;
+    /**
+     * Check usage limits
+     */
+    checkLimit(limitType: 'scans' | 'realityRuns' | 'aiAgentRuns'): Promise<EntitlementCheck>;
+    /**
+     * Track usage
+     */
+    trackUsage(type: 'scans' | 'realityRuns' | 'aiAgentRuns' | 'gateRuns' | 'fixRuns', count?: number): Promise<void>;
+    /**
+     * Enforce feature access (throws if not allowed)
+     */
+    enforceFeature(feature: Feature): Promise<void>;
+    /**
+     * Enforce usage limits (throws if exceeded)
+     */
+    enforceLimit(limitType: 'scans' | 'realityRuns' | 'aiAgentRuns'): Promise<void>;
+    /**
+     * Check if a member can be added to an organization
+     */
+    checkSeatLimit(tier: Tier, currentMemberCount: number, purchasedExtraSeats?: number): SeatCheck;
+    /**
+     * Get organization seat information
+     */
+    getOrganizationSeats(tier: Tier, purchasedExtraSeats: number, currentMembers: number): OrganizationSeats;
+    /**
+     * Validate seat reduction before processing
+     */
+    validateSeatReduction(currentMemberCount: number, currentPurchasedSeats: number, newPurchasedSeats: number, tier: Tier): {
+        safe: boolean;
+        requiresAction: boolean;
+        excessMembers: number;
+        message: string;
+    };
+    /**
+     * Get usage for current billing period
+     */
+    getUsage(): Promise<UsageRecord>;
+    /**
+     * Get tier configuration
+     */
+    getTierConfig(tier: Tier): TierConfig;
+    /**
+     * Get all tier configurations
+     */
+    getAllTiers(): Record<Tier, TierConfig>;
+    /**
+     * Get usage summary for display
+     */
+    getUsageSummary(): Promise<string>;
+    /**
+     * Format upgrade prompt for CLI output
+     */
+    formatUpgradePrompt(currentTier: Tier, requiredTier: Tier | null, feature: Feature): string;
+    /**
+     * Format limit exceeded prompt
+     */
+    formatLimitUpgradePrompt(currentTier: Tier, limitType: string, current: number, limit: number): string;
+    private isNewBillingPeriod;
+    private createNewUsageRecord;
+    private ensureConfigDir;
+    private saveUsage;
+    private readLicense;
+    private progressBar;
+}
+export declare const entitlements: EntitlementsManager;
+export declare const checkFeature: (feature: Feature) => Promise<EntitlementCheck>;
+export declare const checkLimit: (limitType: "scans" | "realityRuns" | "aiAgentRuns") => Promise<EntitlementCheck>;
+export declare const enforceFeature: (feature: Feature) => Promise<void>;
+export declare const enforceLimit: (limitType: "scans" | "realityRuns" | "aiAgentRuns") => Promise<void>;
+export declare const trackUsage: (type: "scans" | "realityRuns" | "aiAgentRuns" | "gateRuns" | "fixRuns", count?: number) => Promise<void>;
+export declare const getCurrentTier: () => Promise<"free" | "starter" | "pro" | "compliance" | "enterprise" | "unlimited">;
+export declare const getUsageSummary: () => Promise<string>;
+export declare const checkSeatLimit: (tier: Tier, currentMemberCount: number, purchasedExtraSeats?: number) => SeatCheck;
+export declare const getOrganizationSeats: (tier: Tier, purchasedExtraSeats: number, currentMembers: number) => OrganizationSeats;
+//# sourceMappingURL=entitlements.d.ts.map

package/dist/entitlements.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"entitlements.d.ts","sourceRoot":"","sources":["../src/entitlements.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAMH,OAAO,EACH,OAAO,EACP,YAAY,EACZ,WAAW,EACX,WAAW,EACX,IAAI,EACJ,UAAU,EACV,uBAAuB,EACvB,YAAY,EACZ,cAAc,EACd,wBAAwB,EACxB,aAAa,EACb,WAAW,EACX,qBAAqB,EACxB,MAAM,eAAe,CAAC;AAGvB,YAAY,EAAE,OAAO,EAAE,WAAW,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC;AAGnD,OAAO,EACH,YAAY,EACZ,WAAW,EACX,uBAAuB,EACvB,YAAY,EACZ,cAAc,EACd,wBAAwB,EACxB,aAAa,EACb,WAAW,EACX,qBAAqB,EACxB,CAAC;AAMN,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,IAAI,CAAC;IACX,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE;QACL,KAAK,EAAE,MAAM,CAAC;QACd,WAAW,EAAE,MAAM,CAAC;QACpB,WAAW,EAAE,MAAM,CAAC;QACpB,QAAQ,EAAE,MAAM,CAAC;QACjB,OAAO,EAAE,MAAM,CAAC;KACjB,CAAC;IACF,WAAW,EAAE,MAAM,CAAC;IACpB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,WAAW,CAAC,EAAE,OAAO,CAAC;CACvB;AAED,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,MAAM,CAAC,EAAE,QAAQ,GAAG,OAAO,GAAG,OAAO,GAAG,SAAS,CAAC;CACnD;AAED,MAAM,WAAW,SAAS;IACxB,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,cAAc,EAAE,MAAM,CAAC;IACvB,SAAS,EAAE,MAAM,CAAC;IAClB,cAAc,EAAE,MAAM,CAAC;IACvB,cAAc,EAAE,MAAM,CAAC;CACxB;AAED,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,IAAI,CAAC;IACX,SAAS,EAAE,MAAM,CAAC;IAClB,mBAAmB,EAAE,MAAM,CAAC;IAC5B,cAAc,EAAE,MAAM,CAAC;IACvB,cAAc,EAAE,MAAM,CAAC;IACvB,WAAW,EAAE,WAAW,CAAC;CAC1B;AAMD,qBAAa,mBAAmB;IAC9B,OAAO,CAAC,SAAS,CAAS;IAC1B,OAAO,CAAC,SAAS,CAAS;IAC1B,OAAO,CAAC,WAAW,CAAS;;IAQ5B;;OAEG;IACG,cAAc,IAAI,OAAO,CAAC,IAAI,CAAC;IAmCrC;;;;;OAKG;YACW,wBAAwB;IA4BtC;;OAEG;IACG,YAAY,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,gBAAgB,CAAC;IAmB/D;;OAEG;IACG,UAAU,CAAC,SAAS,EAAE,OAAO,GAAG,aAAa,GAAG,aAAa,GAAG,OAAO,CAAC,gBAAgB,CAAC;IAmC/F;;OAEG;IACG,UAAU,CAAC,IAAI,EAAE,OAAO,GAAG,aAAa,GAAG,aAAa,GAAG,UAAU,GAAG,SAAS,EAAE,KAAK,GAAE,MAAU,GAAG,OAAO,CAAC,IAAI,CAAC;IAO1H;;OAEG;IACG,cAAc,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC;IAWrD;;OAEG;IACG,YAAY,CAAC,SAAS,EAAE,OAAO,GAAG,aAAa,GAAG,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC;IAgBrF;;OAEG;IACH,cAAc,CACZ,IAAI,EAAE,IAAI,EACV,kBAAkB,EAAE,MAAM,EAC1B,mBAAmB,GAAE,MAAU,GAC9B,SAAS;IAeZ;;OAEG;IACH,oBAAoB,CAClB,IAAI,EAAE,IAAI,EACV,mBAAmB,EAAE,MAAM,EAC3B,cAAc,EAAE,MAAM,GACrB,iBAAiB;IAepB;;OAEG;IACH,qBAAqB,CACnB,kBAAkB,EAAE,MAAM,EAC1B,qBAAqB,EAAE,MAAM,EAC7B,iBAAiB,EAAE,MAAM,EACzB,IAAI,EAAE,IAAI,GACT;QAAE,IAAI,EAAE,OAAO,CAAC;QAAC,cAAc,EAAE,OAAO,CAAC;QAAC,aAAa,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE;IAerF;;OAEG;IACG,QAAQ,IAAI,OAAO,CAAC,WAAW,CAAC;IAiBtC;;OAEG;IACH,aAAa,CAAC,IAAI,EAAE,IAAI,GAAG,UAAU;IAIrC;;OAEG;IACH,WAAW,IAAI,MAAM,CAAC,IAAI,EAAE,UAAU,CAAC;IAIvC;;OAEG;IACG,eAAe,IAAI,OAAO,CAAC,MAAM,CAAC;IA6BxC;;OAEG;IACH,mBAAmB,CAAC,WAAW,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,GAAG,IAAI,EAAE,OAAO,EAAE,OAAO,GAAG,MAAM;IA8B3F;;OAEG;IACH,wBAAwB,CAAC,WAAW,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM;IAoCtG,OAAO,CAAC,kBAAkB;IAW1B,OAAO,CAAC,oBAAoB;YAoBd,eAAe;YAQf,SAAS;YAKT,WAAW;IASzB,OAAO,CAAC,WAAW;CAMpB;AAMD,eAAO,MAAM,YAAY,qBAA4B,CAAC;AAGtD,eAAO,MAAM,YAAY,GAAI,SAAS,OAAO,8BAAuC,CAAC;AACrF,eAAO,MAAM,UAAU,GAAI,WAAW,OAAO,GAAG,aAAa,GAAG,aAAa,8BAAuC,CAAC;AACrH,eAAO,MAAM,cAAc,GAAI,SAAS,OAAO,kBAAyC,CAAC;AACzF,eAAO,MAAM,YAAY,GAAI,WAAW,OAAO,GAAG,aAAa,GAAG,aAAa,kBAAyC,CAAC;AACzH,eAAO,MAAM,UAAU,GAAI,MAAM,OAAO,GAAG,aAAa,GAAG,aAAa,GAAG,UAAU,GAAG,SAAS,EAAE,QAAQ,MAAM,kBAAyC,CAAC;AAC3J,eAAO,MAAM,cAAc,uFAAsC,CAAC;AAClE,eAAO,MAAM,eAAe,uBAAuC,CAAC;AACpE,eAAO,MAAM,cAAc,GAAI,MAAM,IAAI,EAAE,oBAAoB,MAAM,EAAE,sBAAsB,MAAM,cACvB,CAAC;AAC7E,eAAO,MAAM,oBAAoB,GAAI,MAAM,IAAI,EAAE,qBAAqB,MAAM,EAAE,gBAAgB,MAAM,sBACtB,CAAC"}

package/dist/entitlements.js

@@ -0,0 +1,464 @@
+"use strict";
+/**
+ * Entitlements System - SINGLE SOURCE OF TRUTH
+ *
+ * This module is the canonical entitlements implementation for Guardrail.
+ * It handles feature access, usage limits, tier enforcement, and seat management.
+ *
+ * IMPORTANT: This TypeScript file is compiled to dist/entitlements.js
+ * DO NOT create separate entitlements.js files elsewhere in the codebase.
+ * All consumers (API, CLI, etc.) should import from @guardrail/core.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getOrganizationSeats = exports.checkSeatLimit = exports.getUsageSummary = exports.getCurrentTier = exports.trackUsage = exports.enforceLimit = exports.enforceFeature = exports.checkLimit = exports.checkFeature = exports.entitlements = exports.EntitlementsManager = exports.validateSeatReduction = exports.isValidTier = exports.getTierConfig = exports.getMinimumTierForFeature = exports.formatSeatInfo = exports.canAddMember = exports.calculateEffectiveSeats = exports.TIER_CONFIG = exports.SEAT_PRICING = void 0;
+const fs = __importStar(require("fs"));
+const os = __importStar(require("os"));
+const path = __importStar(require("path"));
+const tier_config_1 = require("./tier-config");
+Object.defineProperty(exports, "SEAT_PRICING", { enumerable: true, get: function () { return tier_config_1.SEAT_PRICING; } });
+Object.defineProperty(exports, "TIER_CONFIG", { enumerable: true, get: function () { return tier_config_1.TIER_CONFIG; } });
+Object.defineProperty(exports, "calculateEffectiveSeats", { enumerable: true, get: function () { return tier_config_1.calculateEffectiveSeats; } });
+Object.defineProperty(exports, "canAddMember", { enumerable: true, get: function () { return tier_config_1.canAddMember; } });
+Object.defineProperty(exports, "formatSeatInfo", { enumerable: true, get: function () { return tier_config_1.formatSeatInfo; } });
+Object.defineProperty(exports, "getMinimumTierForFeature", { enumerable: true, get: function () { return tier_config_1.getMinimumTierForFeature; } });
+Object.defineProperty(exports, "getTierConfig", { enumerable: true, get: function () { return tier_config_1.getTierConfig; } });
+Object.defineProperty(exports, "isValidTier", { enumerable: true, get: function () { return tier_config_1.isValidTier; } });
+Object.defineProperty(exports, "validateSeatReduction", { enumerable: true, get: function () { return tier_config_1.validateSeatReduction; } });
+// ============================================================================
+// ENTITLEMENTS MANAGER
+// ============================================================================
+class EntitlementsManager {
+    configDir;
+    usageFile;
+    licenseFile;
+    constructor() {
+        this.configDir = path.join(os.homedir(), '.guardrail');
+        this.usageFile = path.join(this.configDir, 'usage.json');
+        this.licenseFile = path.join(this.configDir, 'license.json');
+    }
+    /**
+     * Get current tier from license file or environment
+     */
+    async getCurrentTier() {
+        // Skip entitlements check if explicitly disabled
+        if (process.env['GUARDRAIL_SKIP_ENTITLEMENTS'] === '1') {
+            return 'unlimited';
+        }
+        // Check environment override (for CI/testing)
+        if (process.env['GUARDRAIL_TIER']) {
+            return process.env['GUARDRAIL_TIER'];
+        }
+        // Check for license file
+        try {
+            const license = await this.readLicense();
+            if (license?.tier && (0, tier_config_1.isValidTier)(license.tier)) {
+                // Check expiration
+                if (license.expiresAt && new Date(license.expiresAt) < new Date()) {
+                    return 'free';
+                }
+                return license.tier;
+            }
+        }
+        catch {
+            // No license file
+        }
+        // Check for API key - validate against server (NO local tier parsing)
+        const apiKey = process.env['GUARDRAIL_API_KEY'];
+        if (apiKey) {
+            const tier = await this.validateApiKeyWithServer(apiKey);
+            if (tier)
+                return tier;
+        }
+        return 'free';
+    }
+    /**
+     * Validate API key against server and return tier
+     *
+     * SECURITY: Tier is determined server-side only.
+     * The API key string contains NO tier information.
+     */
+    async validateApiKeyWithServer(apiKey) {
+        const apiUrl = process.env['GUARDRAIL_API_URL'] || 'https://api.getguardrail.io';
+        try {
+            const response = await fetch(`${apiUrl}/api/api-keys/validate`, {
+                method: 'POST',
+                headers: {
+                    'Content-Type': 'application/json',
+                },
+                body: JSON.stringify({ apiKey }),
+            });
+            if (!response.ok) {
+                return null;
+            }
+            const result = await response.json();
+            if (result.valid && result.tier && (0, tier_config_1.isValidTier)(result.tier)) {
+                return result.tier;
+            }
+        }
+        catch {
+            // Network error or server unavailable - fall back to free tier
+        }
+        return null;
+    }
+    /**
+     * Check if a feature is available for the current tier
+     */
+    async checkFeature(feature) {
+        const tier = await this.getCurrentTier();
+        const config = tier_config_1.TIER_CONFIG[tier];
+        // Unlimited tier has all features
+        if (tier === 'unlimited' || config.features.includes(feature)) {
+            return { allowed: true };
+        }
+        // Find the minimum tier that has this feature
+        const requiredTier = (0, tier_config_1.getMinimumTierForFeature)(feature);
+        return {
+            allowed: false,
+            reason: `'${feature}' requires ${requiredTier || 'higher'} tier`,
+            upgradePrompt: this.formatUpgradePrompt(tier, requiredTier, feature),
+        };
+    }
+    /**
+     * Check usage limits
+     */
+    async checkLimit(limitType) {
+        const tier = await this.getCurrentTier();
+        const config = tier_config_1.TIER_CONFIG[tier];
+        const usage = await this.getUsage();
+        const limitMap = {
+            scans: 'scansPerMonth',
+            realityRuns: 'realityRunsPerMonth',
+            aiAgentRuns: 'aiAgentRunsPerMonth',
+        };
+        const limitKey = limitMap[limitType];
+        const limit = config.limits[limitKey];
+        const current = usage.usage[limitType] || 0;
+        // Handle unlimited (-1)
+        if (limit === -1 || current < limit) {
+            return {
+                allowed: true,
+                usage: current,
+                limit: limit === -1 ? -1 : limit,
+                source: 'local',
+            };
+        }
+        return {
+            allowed: false,
+            reason: `Monthly ${limitType} limit reached (${current}/${limit})`,
+            usage: current,
+            limit,
+            upgradePrompt: this.formatLimitUpgradePrompt(tier, limitType, current, limit),
+            source: 'local',
+        };
+    }
+    /**
+     * Track usage
+     */
+    async trackUsage(type, count = 1) {
+        const usage = await this.getUsage();
+        usage.usage[type] = (usage.usage[type] || 0) + count;
+        usage.lastUpdated = new Date().toISOString();
+        await this.saveUsage(usage);
+    }
+    /**
+     * Enforce feature access (throws if not allowed)
+     */
+    async enforceFeature(feature) {
+        const check = await this.checkFeature(feature);
+        if (!check.allowed) {
+            const error = new Error(check.reason);
+            error.code = 'FEATURE_NOT_AVAILABLE';
+            error.upgradePrompt = check.upgradePrompt;
+            error.feature = feature;
+            throw error;
+        }
+    }
+    /**
+     * Enforce usage limits (throws if exceeded)
+     */
+    async enforceLimit(limitType) {
+        const check = await this.checkLimit(limitType);
+        if (!check.allowed) {
+            const error = new Error(check.reason);
+            error.code = 'LIMIT_EXCEEDED';
+            error.upgradePrompt = check.upgradePrompt;
+            error.usage = check.usage;
+            error.limit = check.limit;
+            throw error;
+        }
+    }
+    // ============================================================================
+    // SEAT MANAGEMENT
+    // ============================================================================
+    /**
+     * Check if a member can be added to an organization
+     */
+    checkSeatLimit(tier, currentMemberCount, purchasedExtraSeats = 0) {
+        const config = tier_config_1.TIER_CONFIG[tier];
+        const baseSeats = config.limits.teamMembers;
+        const result = (0, tier_config_1.canAddMember)(tier, currentMemberCount, purchasedExtraSeats);
+        return {
+            allowed: result.allowed,
+            reason: result.reason,
+            effectiveSeats: result.effectiveSeats === Infinity ? -1 : result.effectiveSeats,
+            baseSeats: baseSeats === -1 ? -1 : baseSeats,
+            purchasedSeats: purchasedExtraSeats,
+            currentMembers: currentMemberCount,
+        };
+    }
+    /**
+     * Get organization seat information
+     */
+    getOrganizationSeats(tier, purchasedExtraSeats, currentMembers) {
+        const config = tier_config_1.TIER_CONFIG[tier];
+        const baseSeats = config.limits.teamMembers;
+        const effectiveSeats = (0, tier_config_1.calculateEffectiveSeats)(tier, purchasedExtraSeats);
+        return {
+            tier,
+            baseSeats: baseSeats === -1 ? -1 : baseSeats,
+            purchasedExtraSeats,
+            effectiveSeats: effectiveSeats === Infinity ? -1 : effectiveSeats,
+            currentMembers,
+            seatPricing: tier_config_1.SEAT_PRICING[tier],
+        };
+    }
+    /**
+     * Validate seat reduction before processing
+     */
+    validateSeatReduction(currentMemberCount, currentPurchasedSeats, newPurchasedSeats, tier) {
+        const currentEffective = (0, tier_config_1.calculateEffectiveSeats)(tier, currentPurchasedSeats);
+        const newEffective = (0, tier_config_1.calculateEffectiveSeats)(tier, newPurchasedSeats);
+        return (0, tier_config_1.validateSeatReduction)(currentMemberCount, currentEffective === Infinity ? -1 : currentEffective, newEffective === Infinity ? -1 : newEffective);
+    }
+    // ============================================================================
+    // USAGE MANAGEMENT
+    // ============================================================================
+    /**
+     * Get usage for current billing period
+     */
+    async getUsage() {
+        try {
+            await this.ensureConfigDir();
+            const content = await fs.promises.readFile(this.usageFile, 'utf8');
+            const usage = JSON.parse(content);
+            // Check if we need to reset for new period
+            if (this.isNewBillingPeriod(usage.periodStart)) {
+                return this.createNewUsageRecord();
+            }
+            return usage;
+        }
+        catch {
+            return this.createNewUsageRecord();
+        }
+    }
+    /**
+     * Get tier configuration
+     */
+    getTierConfig(tier) {
+        return tier_config_1.TIER_CONFIG[tier];
+    }
+    /**
+     * Get all tier configurations
+     */
+    getAllTiers() {
+        return tier_config_1.TIER_CONFIG;
+    }
+    /**
+     * Get usage summary for display
+     */
+    async getUsageSummary() {
+        const tier = await this.getCurrentTier();
+        const config = tier_config_1.TIER_CONFIG[tier];
+        const usage = await this.getUsage();
+        const formatLimit = (current, limit) => {
+            if (limit === -1)
+                return `${current} (unlimited)`;
+            const pct = Math.round((current / limit) * 100);
+            const bar = this.progressBar(pct);
+            return `${current}/${limit} ${bar} ${pct}%`;
+        };
+        let summary = '\n';
+        summary += `📊 Usage Summary (${config.name} tier)\n`;
+        summary += '─'.repeat(50) + '\n';
+        summary += `Scans:        ${formatLimit(usage.usage.scans, config.limits.scansPerMonth)}\n`;
+        summary += `Reality Runs: ${formatLimit(usage.usage.realityRuns, config.limits.realityRunsPerMonth)}\n`;
+        summary += `AI Agent:     ${formatLimit(usage.usage.aiAgentRuns, config.limits.aiAgentRunsPerMonth)}\n`;
+        summary += `Team Seats:   ${(0, tier_config_1.formatSeatInfo)(tier)}\n`;
+        summary += '─'.repeat(50) + '\n';
+        summary += `Period: ${usage.periodStart.split('T')[0]} to ${usage.periodEnd.split('T')[0]}\n`;
+        return summary;
+    }
+    // ============================================================================
+    // UPGRADE PROMPTS
+    // ============================================================================
+    /**
+     * Format upgrade prompt for CLI output
+     */
+    formatUpgradePrompt(currentTier, requiredTier, feature) {
+        const required = requiredTier ? tier_config_1.TIER_CONFIG[requiredTier] : null;
+        let prompt = '\n';
+        prompt += '╭─────────────────────────────────────────────────────────────╮\n';
+        prompt += '│  ⚡ UPGRADE REQUIRED                                        │\n';
+        prompt += '├─────────────────────────────────────────────────────────────┤\n';
+        prompt += `│  Feature: ${feature.padEnd(48)}│\n`;
+        prompt += `│  Your tier: ${currentTier.padEnd(46)}│\n`;
+        if (required) {
+            prompt += `│  Required: ${requiredTier} ($${required.price}/month)`.padEnd(62) + '│\n';
+            prompt += '├─────────────────────────────────────────────────────────────┤\n';
+            prompt += `│  ${required.name} includes:`.padEnd(62) + '│\n';
+            // Show key features of required tier
+            const keyFeatures = required.features.slice(0, 5);
+            for (const f of keyFeatures) {
+                prompt += `│    ✓ ${f}`.padEnd(62) + '│\n';
+            }
+        }
+        prompt += '├─────────────────────────────────────────────────────────────┤\n';
+        prompt += '│  → guardrail upgrade                                        │\n';
+        prompt += '│  → https://getguardrail.io/pricing                          │\n';
+        prompt += '╰─────────────────────────────────────────────────────────────╯\n';
+        return prompt;
+    }
+    /**
+     * Format limit exceeded prompt
+     */
+    formatLimitUpgradePrompt(currentTier, limitType, current, limit) {
+        const config = tier_config_1.TIER_CONFIG[currentTier];
+        const nextConfig = tier_config_1.TIER_CONFIG[config.upsell.nextTier];
+        let prompt = '\n';
+        prompt += '╭─────────────────────────────────────────────────────────────╮\n';
+        prompt += '│  ⚠️  MONTHLY LIMIT REACHED                                   │\n';
+        prompt += '├─────────────────────────────────────────────────────────────┤\n';
+        prompt += `│  ${limitType}: ${current}/${limit} used this month`.padEnd(62) + '│\n';
+        prompt += `│  Your tier: ${currentTier} ($${config.price}/month)`.padEnd(62) + '│\n';
+        prompt += '├─────────────────────────────────────────────────────────────┤\n';
+        prompt += `│  ${config.upsell.message}`.substring(0, 58).padEnd(62) + '│\n';
+        if (nextConfig && config.upsell.nextTier !== 'unlimited') {
+            const nextLimitMap = {
+                scans: 'scansPerMonth',
+                realityRuns: 'realityRunsPerMonth',
+                aiAgentRuns: 'aiAgentRunsPerMonth',
+            };
+            const nextLimit = nextConfig.limits[nextLimitMap[limitType] || 'scansPerMonth'];
+            prompt += '├─────────────────────────────────────────────────────────────┤\n';
+            prompt += `│  ${nextConfig.name} ($${nextConfig.price}/mo): ${nextLimit === -1 ? 'Unlimited' : nextLimit} ${limitType}/month`.padEnd(62) + '│\n';
+        }
+        prompt += '├─────────────────────────────────────────────────────────────┤\n';
+        prompt += '│  → guardrail upgrade                                        │\n';
+        prompt += '│  → https://getguardrail.io/pricing                          │\n';
+        prompt += '╰─────────────────────────────────────────────────────────────╯\n';
+        return prompt;
+    }
+    // ============================================================================
+    // PRIVATE HELPERS
+    // ============================================================================
+    isNewBillingPeriod(periodStart) {
+        const start = new Date(periodStart);
+        const now = new Date();
+        // Monthly billing period
+        const nextPeriod = new Date(start);
+        nextPeriod.setMonth(nextPeriod.getMonth() + 1);
+        return now >= nextPeriod;
+    }
+    createNewUsageRecord() {
+        const now = new Date();
+        const periodEnd = new Date(now);
+        periodEnd.setMonth(periodEnd.getMonth() + 1);
+        return {
+            tier: 'free',
+            periodStart: now.toISOString(),
+            periodEnd: periodEnd.toISOString(),
+            usage: {
+                scans: 0,
+                realityRuns: 0,
+                aiAgentRuns: 0,
+                gateRuns: 0,
+                fixRuns: 0,
+            },
+            lastUpdated: now.toISOString(),
+        };
+    }
+    async ensureConfigDir() {
+        try {
+            await fs.promises.mkdir(this.configDir, { recursive: true });
+        }
+        catch {
+            // Directory exists
+        }
+    }
+    async saveUsage(usage) {
+        await this.ensureConfigDir();
+        await fs.promises.writeFile(this.usageFile, JSON.stringify(usage, null, 2));
+    }
+    async readLicense() {
+        try {
+            const content = await fs.promises.readFile(this.licenseFile, 'utf8');
+            return JSON.parse(content);
+        }
+        catch {
+            return null;
+        }
+    }
+    progressBar(percent) {
+        const filled = Math.min(10, Math.round(percent / 10));
+        const empty = 10 - filled;
+        const color = percent >= 90 ? '🔴' : percent >= 70 ? '🟡' : '🟢';
+        return `[${color.repeat(filled)}${'░'.repeat(empty)}]`;
+    }
+}
+exports.EntitlementsManager = EntitlementsManager;
+// ============================================================================
+// SINGLETON EXPORT
+// ============================================================================
+exports.entitlements = new EntitlementsManager();
+// Convenience exports
+const checkFeature = (feature) => exports.entitlements.checkFeature(feature);
+exports.checkFeature = checkFeature;
+const checkLimit = (limitType) => exports.entitlements.checkLimit(limitType);
+exports.checkLimit = checkLimit;
+const enforceFeature = (feature) => exports.entitlements.enforceFeature(feature);
+exports.enforceFeature = enforceFeature;
+const enforceLimit = (limitType) => exports.entitlements.enforceLimit(limitType);
+exports.enforceLimit = enforceLimit;
+const trackUsage = (type, count) => exports.entitlements.trackUsage(type, count);
+exports.trackUsage = trackUsage;
+const getCurrentTier = () => exports.entitlements.getCurrentTier();
+exports.getCurrentTier = getCurrentTier;
+const getUsageSummary = () => exports.entitlements.getUsageSummary();
+exports.getUsageSummary = getUsageSummary;
+const checkSeatLimit = (tier, currentMemberCount, purchasedExtraSeats) => exports.entitlements.checkSeatLimit(tier, currentMemberCount, purchasedExtraSeats);
+exports.checkSeatLimit = checkSeatLimit;
+const getOrganizationSeats = (tier, purchasedExtraSeats, currentMembers) => exports.entitlements.getOrganizationSeats(tier, purchasedExtraSeats, currentMembers);
+exports.getOrganizationSeats = getOrganizationSeats;