labgate 0.5.10 → 0.5.12

package/README.md

@@ -33,7 +33,7 @@ LabGate runs your AI coding agent inside a sandboxed container with:
 
 - **Scoped filesystem** — only your working directory and configured paths are visible
 - **Credential blocking** — `.ssh`, `.aws`, `.env`, `.gnupg`, and other sensitive paths are hidden by default
-- **Network isolation** — no outbound network by default (configurable)
+- **Network policy** — configurable network modes (`host`, `filtered`, `none`)
 - **Command blocking** — `ssh`, `curl`, `wget`, and other commands are blocked by default
 - **Audit logging** — session start/stop and mount configuration logged to `~/.labgate/logs/`
 - **Dashboard instructions editor** — view and update per-session `AGENTS.md` / `CLAUDE.md` from the UI
@@ -54,16 +54,22 @@ Or start fresh:
 labgate init --force
 ```
 
+Or reset a single setting back to defaults:
+
+```bash
+labgate config reset image
+```
+
 ### Key settings
 
 | Setting | Default | What it does |
 |---------|---------|-------------|
 | `runtime` | `auto` | `auto`, `apptainer`, or `podman` |
-| `image` | `node:20-slim` | Container image |
+| `image` | `docker.io/library/node:20-bookworm` | Container image |
 | `session_timeout_hours` | `8` | Max session length |
 | `filesystem.blocked_patterns` | `.ssh, .aws, .env, ...` | Hidden from sandbox |
 | `filesystem.extra_paths` | `[]` | Additional mounts |
-| `network.mode` | `none` | `none`, `filtered`, or `host` |
+| `network.mode` | `host` | `none`, `filtered`, or `host` |
 | `commands.blacklist` | `ssh, curl, wget, ...` | Blocked commands |
 
 ## Commands
@@ -75,6 +81,11 @@ labgate feedback            # submit feedback (interactive or piped)
 labgate status              # list running sessions
 labgate stop <id>           # stop a session
 labgate ui                  # start dashboard server (owner-only Unix socket by default)
+labgate register <activation-key> [--server <url>]            # activate + install enterprise license
+labgate license             # show enterprise license status
+labgate license install <key-or-file> [--system|--user|--path]  # install enterprise license key
+labgate policy init [--institution ... --admin ...]             # create policy template
+labgate policy validate [file]                                   # validate policy JSON
 labgate logs [-n 20]        # view recent audit events
 labgate logs --follow       # stream new audit events
 labgate init [--force]      # create/reset config
@@ -103,7 +114,8 @@ labgate feedback "Short feedback message"
 
 If `LABGATE_FEEDBACK_URL` is set, LabGate will `POST` feedback JSON to that URL.
 If `LABGATE_FEEDBACK_TOKEN` is set, it will be sent as a Bearer token.
-If no URL is configured or the request fails, feedback is saved locally at `~/.labgate/feedback.jsonl`.
+If no URL is configured, LabGate defaults to `https://labgate.dev/api/feedback`.
+If the request fails (or `LABGATE_FEEDBACK_DISABLE=1`), feedback is saved locally at `~/.labgate/feedback.jsonl`.
 
 ## Testing
 
@@ -121,6 +133,49 @@ npm test                  # unit + integration
 npm run release:check     # verify + npm pack --dry-run
 ```
 
+### Corporate mode smoke test (local or HPC)
+
+```bash
+# 1) Create a signed enterprise key (issuer side)
+export LABGATE_LICENSE_SECRET='replace-with-your-signing-secret'
+LICENSE_KEY="$(npx tsx scripts/generate-license.ts \
+  --institution 'Example University' \
+  --tier pro \
+  --expires 2099-12-31 2>/dev/null)"
+
+# 2) Install key on target host (admin side)
+labgate license install "$LICENSE_KEY" --path /tmp/labgate/license.key --overwrite
+# HPC system-wide install (root):
+# sudo labgate license install "$LICENSE_KEY" --system --overwrite
+
+# Optional online activation (instead of direct install):
+# Uses default endpoint: https://labgate.dev/api/license/activate
+# labgate register '<activation-key-from-vendor>' --path /tmp/labgate/license.key --overwrite
+# Optional custom endpoint:
+# export LABGATE_ACTIVATION_URL='https://your-control-plane.example.com/api/license/activate'
+
+# 3) Bootstrap and validate policy
+labgate policy init --path /tmp/labgate/policy.json --admin "$(whoami)" --force
+labgate policy validate /tmp/labgate/policy.json
+
+# 4) Verify forced settings are locked for users
+LABGATE_LICENSE_PATH=/tmp/labgate/license.key \
+LABGATE_POLICY_PATH=/tmp/labgate/policy.json \
+labgate config set runtime auto
+# expected: error about admin-locked field
+
+# 5) Open dashboard and verify UI lock labels ("set by admin")
+LABGATE_LICENSE_PATH=/tmp/labgate/license.key \
+LABGATE_POLICY_PATH=/tmp/labgate/policy.json \
+labgate ui --port 7700
+```
+
+Automated enterprise coverage:
+
+```bash
+npx vitest run -c vitest.integration.config.ts src/lib/cli.enterprise.integration.test.ts src/lib/ui.integration.test.ts
+```
+
 CI automation runs `npm run verify` on every push to `main` and on pull requests (`.github/workflows/ci.yml`).
 `npm run test:integration` automatically rebuilds `better-sqlite3` first to avoid Node ABI mismatch errors after Node upgrades.
 

package/dist/cli.js

@@ -36,6 +36,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 const commander_1 = require("commander");
 const path_1 = require("path");
 const fs_1 = require("fs");
+const os_1 = require("os");
 const config_js_1 = require("./lib/config.js");
 const init_js_1 = require("./lib/init.js");
 const container_js_1 = require("./lib/container.js");
@@ -43,6 +44,7 @@ const runtime_js_1 = require("./lib/runtime.js");
 const feedback_js_1 = require("./lib/feedback.js");
 const log = __importStar(require("./lib/log.js"));
 const AGENTS = ['claude', 'codex'];
+const DEFAULT_ACTIVATION_URL = 'https://labgate.dev/api/license/activate';
 // Read version from package.json so it stays in sync
 const pkgPath = (0, path_1.resolve)(__dirname, '..', 'package.json');
 const PKG_VERSION = JSON.parse((0, fs_1.readFileSync)(pkgPath, 'utf-8')).version;
@@ -181,6 +183,39 @@ configCmd
         process.exit(1);
     }
 });
+configCmd
+    .command('reset')
+    .description('Reset (unset) a config value so defaults apply')
+    .argument('<key>', 'Config key (e.g. image, network.mode, slurm.enabled)')
+    .action((key) => {
+    const defaultValue = getNestedValue(config_js_1.DEFAULT_CONFIG, key);
+    if (defaultValue === undefined) {
+        console.error(`Unknown config key: ${key}`);
+        process.exit(1);
+    }
+    const configPath = (0, config_js_1.getConfigPath)();
+    if (!(0, fs_1.existsSync)(configPath)) {
+        console.error('No config file found. Run "labgate init" first.');
+        process.exit(1);
+    }
+    try {
+        const rawText = (0, fs_1.readFileSync)(configPath, 'utf-8');
+        const stripped = stripJsonComments(rawText).trim();
+        const obj = stripped ? JSON.parse(stripped) : {};
+        const deleted = deleteNestedValue(obj, key);
+        if (!deleted) {
+            console.log(`No user override for ${key} (already using defaults / policy).`);
+            return;
+        }
+        (0, fs_1.writeFileSync)(configPath, JSON.stringify(obj, null, 2) + '\n', { encoding: 'utf-8', mode: config_js_1.PRIVATE_FILE_MODE });
+        (0, config_js_1.ensurePrivateFile)(configPath);
+        console.log(`Reset ${key} (unset from user config).`);
+    }
+    catch (err) {
+        console.error(`Error: ${err.message}`);
+        process.exit(1);
+    }
+});
 configCmd
     .command('show')
     .description('Show the full resolved config')
@@ -528,39 +563,178 @@ slurmCmd
     await main();
 });
 // ── labgate license ──────────────────────────────────────
-program
+const licenseCmd = program
     .command('license')
-    .description('Show enterprise license status')
+    .description('Manage enterprise license');
+licenseCmd
     .action(async () => {
-    const { validateLicense } = await import('./lib/license.js');
-    const status = validateLicense();
-    if (!status.filePath && !status.error) {
-        console.log('No enterprise license found.');
-        console.log('License file locations (checked in order):');
-        console.log('  1. $LABGATE_LICENSE_PATH (env var)');
-        console.log('  2. /etc/labgate/license.key');
-        console.log('  3. ~/.labgate/license.key');
-        return;
+    await printLicenseStatus();
+});
+licenseCmd
+    .command('install')
+    .description('Install an enterprise license key (raw key or file path)')
+    .argument('<keyOrFile>', 'License key string or path to a file containing the key')
+    .option('--system', 'Install to /etc/labgate/license.key')
+    .option('--user', `Install to ${(0, path_1.join)((0, os_1.homedir)(), '.labgate', 'license.key')}`)
+    .option('--path <path>', 'Install to a custom path')
+    .option('--overwrite', 'Overwrite existing target file')
+    .action(async (keyOrFile, opts) => {
+    try {
+        const sourcePath = (0, path_1.resolve)(keyOrFile);
+        const raw = (0, fs_1.existsSync)(sourcePath) ? (0, fs_1.readFileSync)(sourcePath, 'utf-8') : keyOrFile;
+        const targetPath = resolveLicenseTargetPath(opts);
+        await installLicenseKeyAtPath(raw, targetPath, !!opts.overwrite);
+        console.log(`License installed: ${targetPath}`);
+        await printLicenseStatus(targetPath);
     }
-    if (status.filePath) {
-        console.log(`License file: ${status.filePath}`);
+    catch (err) {
+        console.error(`Error: ${err.message}`);
+        process.exit(1);
     }
-    if (status.error) {
-        console.log(`Status: INVALID — ${status.error}`);
-        if (status.payload) {
-            console.log(`Institution: ${status.payload.institution}`);
-            console.log(`Expires: ${status.payload.expires}`);
+});
+// ── labgate register ─────────────────────────────────────
+program
+    .command('register')
+    .description('Activate enterprise license with an activation key and install it locally')
+    .argument('<activationKey>', 'Activation key issued by LabGate')
+    .option('--server <url>', `Activation endpoint URL override (default: ${DEFAULT_ACTIVATION_URL})`)
+    .option('--token <token>', 'Optional bearer token for activation API (or LABGATE_ACTIVATION_TOKEN)')
+    .option('--timeout <ms>', 'Activation request timeout in milliseconds', '15000')
+    .option('--system', 'Install to /etc/labgate/license.key')
+    .option('--user', `Install to ${(0, path_1.join)((0, os_1.homedir)(), '.labgate', 'license.key')}`)
+    .option('--path <path>', 'Install to a custom path')
+    .option('--overwrite', 'Overwrite existing target file')
+    .action(async (activationKey, opts) => {
+    try {
+        const serverUrl = (opts.server || process.env.LABGATE_ACTIVATION_URL || DEFAULT_ACTIVATION_URL).trim();
+        const key = (activationKey || '').trim();
+        if (!key) {
+            console.error('Error: activation key is empty.');
+            process.exit(1);
         }
-        return;
+        const timeoutMs = parseInt(opts.timeout, 10);
+        if (!Number.isFinite(timeoutMs) || timeoutMs < 1000 || timeoutMs > 300000) {
+            console.error('Error: --timeout must be an integer between 1000 and 300000.');
+            process.exit(1);
+        }
+        const token = (opts.token || process.env.LABGATE_ACTIVATION_TOKEN || '').trim() || undefined;
+        const targetPath = resolveLicenseTargetPath(opts);
+        console.log(`Activating enterprise license via ${serverUrl} ...`);
+        const activation = await activateEnterpriseLicense({
+            serverUrl,
+            activationKey: key,
+            timeoutMs,
+            token,
+        });
+        await installLicenseKeyAtPath(activation.licenseKey, targetPath, !!opts.overwrite);
+        console.log(`License installed: ${targetPath}`);
+        await printLicenseStatus(targetPath);
+        if (activation.message) {
+            console.log(`Activation: ${activation.message}`);
+        }
+        console.log('Next: run "labgate ui" and open Admin > Policy to enforce institution settings.');
     }
-    if (status.valid && status.payload) {
-        console.log(`Status: VALID`);
-        console.log(`Institution: ${status.payload.institution}`);
-        console.log(`Tier: ${status.payload.tier}`);
-        console.log(`License ID: ${status.payload.id}`);
-        console.log(`Issued: ${status.payload.issued}`);
-        console.log(`Expires: ${status.payload.expires}`);
-        console.log(`Days remaining: ${status.daysRemaining}`);
+    catch (err) {
+        console.error(`Error: ${err.message}`);
+        process.exit(1);
+    }
+});
+// ── labgate policy ───────────────────────────────────────
+const policyCmd = program
+    .command('policy')
+    .description('Manage enterprise admin policy');
+policyCmd
+    .command('validate')
+    .description('Validate a policy JSON file')
+    .argument('[file]', 'Path to policy JSON (defaults to system policy path)')
+    .action(async (file) => {
+    try {
+        const { getSystemPolicyPath, validatePolicy } = await import('./lib/policy.js');
+        const policyPath = file ? (0, path_1.resolve)(file) : getSystemPolicyPath();
+        if (!(0, fs_1.existsSync)(policyPath)) {
+            console.error(`Error: policy file not found: ${policyPath}`);
+            process.exit(1);
+        }
+        const rawText = (0, fs_1.readFileSync)(policyPath, 'utf-8');
+        const stripped = stripJsonComments(rawText);
+        const parsed = JSON.parse(stripped);
+        const errors = validatePolicy(parsed);
+        if (errors.length > 0) {
+            console.error(`Policy INVALID: ${policyPath}`);
+            for (const e of errors) {
+                console.error(`  - ${e}`);
+            }
+            process.exit(1);
+        }
+        console.log(`Policy VALID: ${policyPath}`);
+    }
+    catch (err) {
+        console.error(`Error: ${err.message}`);
+        process.exit(1);
+    }
+});
+policyCmd
+    .command('init')
+    .description('Create an enterprise policy template')
+    .option('--path <path>', 'Write policy to a custom path')
+    .option('--institution <name>', 'Institution name shown in UI')
+    .option('--admin <username>', 'Admin username (repeatable)', collectStringOption, [])
+    .option('--runtime <runtime>', 'Forced runtime (auto|apptainer|podman)', 'apptainer')
+    .option('--force', 'Overwrite existing policy file')
+    .action(async (opts) => {
+    try {
+        const policyMod = await import('./lib/policy.js');
+        const { getSystemPolicyPath, savePolicy, validatePolicy } = policyMod;
+        const targetPath = opts.path ? (0, path_1.resolve)(opts.path) : getSystemPolicyPath();
+        if ((0, fs_1.existsSync)(targetPath) && !opts.force) {
+            console.error(`Error: policy already exists: ${targetPath}`);
+            console.error('Use --force to overwrite.');
+            process.exit(1);
+        }
+        const runtime = (opts.runtime || '').trim().toLowerCase();
+        if (!['auto', 'apptainer', 'podman'].includes(runtime)) {
+            console.error('Error: --runtime must be one of: auto, apptainer, podman');
+            process.exit(1);
+        }
+        const licenseStatus = await (async () => {
+            const { validateLicense } = await import('./lib/license.js');
+            return validateLicense();
+        })();
+        const institution = (opts.institution || '').trim()
+            || licenseStatus.payload?.institution
+            || 'Your Institution';
+        const admins = (opts.admin || []).map(a => String(a).trim()).filter(Boolean);
+        const bootstrapAdmin = (0, os_1.userInfo)().username;
+        if (!admins.includes(bootstrapAdmin))
+            admins.unshift(bootstrapAdmin);
+        const policy = {
+            version: 1,
+            institution,
+            admins: { usernames: [...new Set(admins)] },
+            force: {
+                runtime: runtime,
+            },
+            constraints: {},
+        };
+        const errors = validatePolicy(policy);
+        if (errors.length > 0) {
+            console.error('Generated policy is invalid:');
+            for (const e of errors) {
+                console.error(`  - ${e}`);
+            }
+            process.exit(1);
+        }
+        const dirMode = targetPath.startsWith('/etc/') ? 0o755 : 0o700;
+        (0, fs_1.mkdirSync)((0, path_1.dirname)(targetPath), { recursive: true, mode: dirMode });
+        savePolicy(policy, targetPath);
+        console.log(`Policy written: ${targetPath}`);
+        console.log(`Institution: ${institution}`);
+        console.log(`Admins: ${policy.admins.usernames.join(', ')}`);
+        console.log(`Forced runtime: ${runtime}`);
+    }
+    catch (err) {
+        console.error(`Error: ${err.message}`);
+        process.exit(1);
     }
 });
 // ── Dot-notation helpers ──────────────────────────────────
@@ -585,6 +759,181 @@ function setNestedValue(obj, key, value) {
     }
     current[parts[parts.length - 1]] = value;
 }
+function deleteNestedValue(obj, key) {
+    const parts = key.split('.').filter(Boolean);
+    if (parts.length === 0)
+        return false;
+    const stack = [obj];
+    let current = obj;
+    for (let i = 0; i < parts.length - 1; i++) {
+        if (current == null || typeof current !== 'object')
+            return false;
+        current = current[parts[i]];
+        stack.push(current);
+    }
+    const parent = stack[stack.length - 1];
+    const last = parts[parts.length - 1];
+    if (parent == null || typeof parent !== 'object')
+        return false;
+    if (!Object.prototype.hasOwnProperty.call(parent, last))
+        return false;
+    delete parent[last];
+    // Prune empty parent objects (e.g. resetting "network.mode" should remove "network" if empty)
+    for (let i = stack.length - 1; i > 0; i--) {
+        const node = stack[i];
+        if (node == null || typeof node !== 'object')
+            break;
+        if (Array.isArray(node))
+            break;
+        if (Object.keys(node).length > 0)
+            break;
+        const parentNode = stack[i - 1];
+        const prop = parts[i - 1];
+        if (parentNode && typeof parentNode === 'object') {
+            delete parentNode[prop];
+        }
+    }
+    return true;
+}
+function stripJsonComments(rawText) {
+    return rawText
+        .split('\n')
+        .filter(line => !line.trimStart().startsWith('//'))
+        .join('\n');
+}
+function collectStringOption(value, previous) {
+    previous.push(value);
+    return previous;
+}
+function resolveLicenseTargetPath(opts) {
+    const explicitTargets = [opts.system, opts.user, !!opts.path].filter(Boolean).length;
+    if (explicitTargets > 1) {
+        throw new Error('use only one of --system, --user, or --path.');
+    }
+    const isRoot = typeof process.getuid === 'function' && process.getuid() === 0;
+    return opts.path
+        ? (0, path_1.resolve)(opts.path)
+        : opts.system
+            ? '/etc/labgate/license.key'
+            : opts.user
+                ? (0, path_1.join)((0, os_1.homedir)(), '.labgate', 'license.key')
+                : (isRoot ? '/etc/labgate/license.key' : (0, path_1.join)((0, os_1.homedir)(), '.labgate', 'license.key'));
+}
+async function installLicenseKeyAtPath(rawLicenseKey, targetPath, overwrite) {
+    const key = (rawLicenseKey || '').trim();
+    if (!key) {
+        throw new Error('license key is empty.');
+    }
+    if ((0, fs_1.existsSync)(targetPath) && !overwrite) {
+        throw new Error(`target already exists: ${targetPath}. Use --overwrite to replace it.`);
+    }
+    const targetDir = (0, path_1.dirname)(targetPath);
+    const dirMode = targetPath.startsWith('/etc/') ? 0o755 : 0o700;
+    (0, fs_1.mkdirSync)(targetDir, { recursive: true, mode: dirMode });
+    (0, fs_1.writeFileSync)(targetPath, key + '\n', { encoding: 'utf-8', mode: config_js_1.PRIVATE_FILE_MODE });
+    (0, config_js_1.ensurePrivateFile)(targetPath);
+    const previousLicensePath = process.env.LABGATE_LICENSE_PATH;
+    process.env.LABGATE_LICENSE_PATH = targetPath;
+    const { validateLicense } = await import('./lib/license.js');
+    const status = validateLicense();
+    if (previousLicensePath === undefined) {
+        delete process.env.LABGATE_LICENSE_PATH;
+    }
+    else {
+        process.env.LABGATE_LICENSE_PATH = previousLicensePath;
+    }
+    if (!status.valid) {
+        try {
+            (0, fs_1.unlinkSync)(targetPath);
+        }
+        catch { /* best effort cleanup */ }
+        throw new Error(`installed key is invalid: ${status.error ?? 'unknown error'}`);
+    }
+}
+async function activateEnterpriseLicense(input) {
+    let parsedUrl;
+    try {
+        parsedUrl = new URL(input.serverUrl);
+    }
+    catch {
+        throw new Error(`invalid activation URL: ${input.serverUrl}`);
+    }
+    if (!['http:', 'https:'].includes(parsedUrl.protocol)) {
+        throw new Error(`invalid activation URL protocol: ${parsedUrl.protocol}`);
+    }
+    const headers = {
+        'Content-Type': 'application/json',
+    };
+    if (input.token) {
+        headers.authorization = `Bearer ${input.token}`;
+    }
+    const payload = {
+        activation_key: input.activationKey,
+        client: {
+            product: 'labgate',
+            version: PKG_VERSION,
+            hostname: (0, os_1.hostname)(),
+            username: (0, os_1.userInfo)().username,
+            platform: process.platform,
+            arch: process.arch,
+        },
+    };
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), input.timeoutMs);
+    let response;
+    try {
+        response = await fetch(parsedUrl.toString(), {
+            method: 'POST',
+            headers,
+            body: JSON.stringify(payload),
+            signal: controller.signal,
+        });
+    }
+    catch (err) {
+        if (err?.name === 'AbortError') {
+            throw new Error(`activation request timed out after ${input.timeoutMs}ms`);
+        }
+        throw new Error(`activation request failed: ${err?.message ?? String(err)}`);
+    }
+    finally {
+        clearTimeout(timer);
+    }
+    const raw = await response.text();
+    let body = {};
+    if (raw.trim()) {
+        try {
+            body = JSON.parse(raw);
+        }
+        catch {
+            if (!response.ok) {
+                throw new Error(`activation failed: HTTP ${response.status} ${response.statusText}`);
+            }
+            throw new Error('activation server returned invalid JSON');
+        }
+    }
+    if (!response.ok) {
+        const detail = pickString(body.error, body.message, body.detail) || `HTTP ${response.status} ${response.statusText}`;
+        throw new Error(`activation failed: ${detail}`);
+    }
+    const licenseKey = pickString(body.license_key, body.licenseKey, body.key);
+    if (!licenseKey) {
+        throw new Error('activation response missing license key');
+    }
+    return {
+        licenseKey,
+        message: pickString(body.message),
+    };
+}
+function pickString(...values) {
+    for (const value of values) {
+        if (typeof value === 'string') {
+            const trimmed = value.trim();
+            if (trimmed)
+                return trimmed;
+        }
+    }
+    return undefined;
+}
 async function runAgent(agent, workdir, opts) {
     // Resolve workdir
     const resolved = (0, path_1.resolve)(workdir);
@@ -601,6 +950,11 @@ async function runAgent(agent, workdir, opts) {
     // Use effective config (merges user config with admin policy if enterprise)
     const effective = (0, config_js_1.loadEffectiveConfig)();
     const config = effective.config;
+    if (config.network.mode === 'none' && (agent === 'claude' || agent === 'codex')) {
+        log.error(`network.mode=none is not supported for ${agent}. ` +
+            'Set network.mode to "host" or "filtered".');
+        process.exit(1);
+    }
     if (verbose) {
         log.header('Config');
         const rows = [
@@ -646,6 +1000,50 @@ async function runAgent(agent, workdir, opts) {
         sharedAuditDir: effective.sharedAuditDir,
     });
 }
+async function printLicenseStatus(licensePathOverride) {
+    const previousLicensePath = process.env.LABGATE_LICENSE_PATH;
+    if (licensePathOverride) {
+        process.env.LABGATE_LICENSE_PATH = licensePathOverride;
+    }
+    const { validateLicense } = await import('./lib/license.js');
+    const status = validateLicense();
+    if (licensePathOverride) {
+        if (previousLicensePath === undefined) {
+            delete process.env.LABGATE_LICENSE_PATH;
+        }
+        else {
+            process.env.LABGATE_LICENSE_PATH = previousLicensePath;
+        }
+    }
+    if (!status.filePath && !status.error) {
+        console.log('No enterprise license found.');
+        console.log('License file locations (checked in order):');
+        console.log('  1. $LABGATE_LICENSE_PATH (env var)');
+        console.log('  2. /etc/labgate/license.key');
+        console.log('  3. ~/.labgate/license.key');
+        return;
+    }
+    if (status.filePath) {
+        console.log(`License file: ${status.filePath}`);
+    }
+    if (status.error) {
+        console.log(`Status: INVALID — ${status.error}`);
+        if (status.payload) {
+            console.log(`Institution: ${status.payload.institution}`);
+            console.log(`Expires: ${status.payload.expires}`);
+        }
+        return;
+    }
+    if (status.valid && status.payload) {
+        console.log(`Status: VALID`);
+        console.log(`Institution: ${status.payload.institution}`);
+        console.log(`Tier: ${status.payload.tier}`);
+        console.log(`License ID: ${status.payload.id}`);
+        console.log(`Issued: ${status.payload.issued}`);
+        console.log(`Expires: ${status.payload.expires}`);
+        console.log(`Days remaining: ${status.daysRemaining}`);
+    }
+}
 // Commander uses -V for version by default. Keep backward compatibility and
 // provide lowercase -v as a user-friendly alias.
 if (process.argv.length === 3 && process.argv[2] === '-v') {