nsauditor-ai 0.1.10 → 0.1.11

package/cli.mjs

@@ -13,7 +13,7 @@ import { parseHostArg, parseHostFile } from './utils/host_iterator.mjs';
 import { buildSarifLog } from './utils/sarif.mjs';
 import { buildCsv } from './utils/export_csv.mjs';
 import { recordScan, getLastScan, computeDiff, formatDiffReport, pruneForCE, HISTORY_FILE } from './utils/scan_history.mjs';
-import { getTierFromEnv } from './utils/license.mjs';
+import { getTierFromEnv, loadLicense } from './utils/license.mjs';
 import { resolveCapabilities, hasCapability } from './utils/capabilities.mjs';
 import { createScheduler } from './utils/scheduler.mjs';
 import { buildDeltaReport, formatDeltaSummary, hasSignificantChanges } from './utils/delta_reporter.mjs';
@@ -722,23 +722,35 @@ function maxSeverityInConclusion(conclusion) {
 async function main() {
   const { cmd, host, plugins, insecureHttps, hostFile, parallel, failOn, outputFormat, watch, intervalMinutes, webhookUrl, alertSeverity, ports } = await parseArgs(process.argv);
 
+  // Verify license JWT at startup (~5ms for ES256). Populates _verifiedTier
+  // so all subsequent getTierFromEnv() calls return the cryptographically
+  // validated tier instead of relying on prefix detection alone.
+  await loadLicense();
+
   if (cmd === 'license') {
-    const { getTierFromEnv } = await import('./utils/license.mjs');
     const { resolveCapabilities } = await import('./utils/capabilities.mjs');
-    // TODO: replace getTierFromEnv() with loadLicense() for full license validation
-    const tier = getTierFromEnv();
-    const caps = resolveCapabilities(tier);
     const key = process.env.NSAUDITOR_LICENSE_KEY;
     const rawArgs = process.argv.slice(2);
 
     if (rawArgs.includes('--status')) {
+      const result = await loadLicense(key);
       const tierLabel = { ce: 'Community Edition (CE)', pro: 'Pro', enterprise: 'Enterprise' };
-      console.log(`License status: ${tierLabel[tier] ?? tier}`);
-      console.log(`License key: ${key ? `set (${key.slice(0, 8)}...)` : 'not set — running CE'}`);
-      if (!key) {
-        console.log('\n→ Start a free 14-day Pro trial: https://www.nsauditor.com/ai/trial');
+      if (result.valid) {
+        console.log(`✓ ${tierLabel[result.tier]} license active`);
+        console.log(`  Org: ${result.org}`);
+        console.log(`  Seats: ${result.seats}`);
+        console.log(`  License ID: ${result.licenseId}`);
+        console.log(`  Expires: ${result.expiresAt}`);
+      } else {
+        console.log(`✗ ${tierLabel[result.tier] ?? 'Community Edition (CE)'}`);
+        console.log(`  Reason: ${result.reason}`);
+        if (!key) {
+          console.log('\n→ Start a free 14-day Pro trial: https://www.nsauditor.com/ai/trial');
+        }
       }
     } else if (rawArgs.includes('--capabilities')) {
+      const tier = getTierFromEnv();
+      const caps = resolveCapabilities(tier);
       console.log(`Active capabilities for tier: ${tier}\n`);
       for (const [name, enabled] of Object.entries(caps)) {
         console.log(`  ${enabled ? '✓' : '✗'} ${name}`);

package/mcp_server.mjs

@@ -19,7 +19,7 @@ import {
   CallToolRequestSchema,
   ListToolsRequestSchema,
 } from '@modelcontextprotocol/sdk/types.js';
-import { getTierFromEnv } from './utils/license.mjs';
+import { getTierFromEnv, loadLicense } from './utils/license.mjs';
 import { resolveCapabilities } from './utils/capabilities.mjs';
 
 const _require = createRequire(import.meta.url);
@@ -29,7 +29,8 @@ const { version: TOOL_VERSION } = _require('./package.json');
 // License tier & capability resolution (module-level, overridable for tests)
 // ---------------------------------------------------------------------------
 
-// TODO: replace getTierFromEnv() with loadLicense() for full license validation.
+// Module-level: prefix-based tier for immediate use. loadLicense() runs async
+// at server startup (below) and upgrades _tier to the cryptographically verified value.
 let _tier = getTierFromEnv();
 let _capabilities = resolveCapabilities(_tier);
 
@@ -380,6 +381,12 @@ const isMainModule =
     process.argv[1].endsWith('mcp_server'));
 
 if (isMainModule) {
+  // Verify license JWT before accepting MCP requests — upgrades _tier from
+  // prefix-based to cryptographically verified.
+  await loadLicense();
+  _tier = getTierFromEnv();
+  _capabilities = resolveCapabilities(_tier);
+
   const server = createServer();
   const transport = new StdioServerTransport();
   await server.connect(transport);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nsauditor-ai",
-  "version": "0.1.10",
+  "version": "0.1.11",
   "description": "Modular AI-assisted network security audit platform — Community Edition",
   "type": "module",
   "private": false,
@@ -25,6 +25,7 @@
     "oui-data": "^1.1.427",
     "simple-wappalyzer": "^1.1.75",
     "snmp-native": "^1.2.0",
+    "jose": "^6.2.0",
     "uuid": "^13.0.0",
     "xml2js": "^0.6.2"
   },

package/utils/license.mjs

@@ -1,27 +1,110 @@
 // utils/license.mjs
-// CE stub — full license validation coming in a future release.
+// JWT license verification for NSAuditor AI.
+// Uses ES256 (ECDSA P-256) public key embedded below — no file I/O needed.
+//
+// KEY ROTATION: If the private key is compromised, generate a new EC P-256 key
+// pair, update PUBLIC_KEY_PEM below, and ship a CE update. All existing JWTs
+// become invalid. See license-manager docs/architecture.md for full procedure.
+
+import { jwtVerify, importSPKI } from 'jose';
+
+// ES256 public key — embedded directly so it works in npm package (no file read).
+// Corresponding private key is in the license-manager service (NEVER shipped here).
+const PUBLIC_KEY_PEM = `-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEDMDuTDV5dPqNafE473AIlCCdbLX7
+u8cSY2dN6mfevYnOydP0SXLHCfWHr+SlpZpA2BiU6GKEk+QdIlWXOgGZsA==
+-----END PUBLIC KEY-----`;
+
+// Set by loadLicense(), read by getTierFromEnv().
+// Starts null — before loadLicense() runs, getTierFromEnv() returns 'ce' (safe default).
+// CE (Community Edition) is free and always works without a license.
+let _verifiedTier = null;
 
 /**
- * Parse tier from NSAUDITOR_LICENSE_KEY environment variable.
- * Stub uses key prefix: pro_* → 'pro', enterprise_* → 'enterprise'.
+ * Synchronous tier detection.
+ * Returns 'pro' | 'enterprise' | 'ce'.
+ *
+ * Before loadLicense() runs: returns 'ce' (Community Edition — safe default).
+ * After loadLicense() runs: returns the cryptographically verified tier.
+ *
+ * CE is the free default — licensed features only activate after loadLicense()
+ * confirms the JWT signature. This prevents prefix spoofing from granting
+ * elevated privileges during the startup window.
+ *
+ * MUST remain synchronous — called in hot paths (cli.mjs, plugin_manager, mcp_server).
  */
 export function getTierFromEnv() {
-  const key = process.env.NSAUDITOR_LICENSE_KEY;
-  if (!key) return 'ce';
-  if (key.startsWith('pro_')) return 'pro';
-  if (key.startsWith('enterprise_')) return 'enterprise';
+  if (_verifiedTier !== null) return _verifiedTier;
+
+  // Not yet verified — CE is the safe default.
+  // Call loadLicense() at startup to enable Pro/Enterprise.
   return 'ce';
 }
 
 /**
- * Validate a license key string.
- * Gracefully degrades to CE on any failure — never throws.
+ * Full async JWT verification. Call once at startup.
+ * On success, caches verified tier so subsequent getTierFromEnv() calls
+ * return the cryptographically validated result.
  *
- * @param {string|undefined} keyStr
- * @returns {Promise<{valid: boolean, tier: string, reason: string}>}
+ * Never throws — degrades to 'ce' on any failure.
+ *
+ * @param {string} [keyStr] - License key; defaults to NSAUDITOR_LICENSE_KEY env var.
+ * @returns {Promise<{valid: boolean, tier: string, org?: string, seats?: number,
+ *   licenseId?: string, capabilities?: string[], expiresAt?: string, reason?: string}>}
  */
 export async function loadLicense(keyStr) {
-  if (!keyStr) return { valid: false, tier: 'ce', reason: 'no key provided' };
-  // TODO: implement full license validation
-  return { valid: false, tier: 'ce', reason: 'license validation not yet implemented' };
+  const raw = keyStr ?? process.env.NSAUDITOR_LICENSE_KEY;
+  if (!raw) return { valid: false, tier: 'ce', reason: 'no key provided' };
+
+  // Strip tier prefix
+  let token = raw;
+  let prefixTier = null;
+  if (raw.startsWith('pro_'))        { token = raw.slice(4);  prefixTier = 'pro'; }
+  else if (raw.startsWith('enterprise_')) { token = raw.slice(11); prefixTier = 'enterprise'; }
+  else return { valid: false, tier: 'ce', reason: 'unknown key format' };
+
+  try {
+    const publicKey = await importSPKI(PUBLIC_KEY_PEM, 'ES256');
+    const { payload } = await jwtVerify(token, publicKey, {
+      issuer: 'nsasoft',
+      audience: 'nsauditor-ai',
+      subject: 'license',
+      algorithms: ['ES256'],
+      clockTolerance: 120,
+    });
+
+    // Cross-check: prefix must match JWT tier claim
+    if (payload.tier !== prefixTier) {
+      return { valid: false, tier: 'ce', reason: 'tier mismatch' };
+    }
+
+    // Cache verified tier for synchronous access
+    _verifiedTier = payload.tier;
+
+    return {
+      valid: true,
+      tier: payload.tier,
+      org: payload.org,
+      seats: payload.seats,
+      licenseId: payload.licenseId,
+      capabilities: payload.capabilities,
+      expiresAt: new Date(payload.exp * 1000).toISOString(),
+    };
+  } catch {
+    // Verification failure — actively downgrade to CE (prevents prefix spoofing).
+    // Generic reason to avoid leaking jose internals to end users.
+    _verifiedTier = 'ce';
+    return { valid: false, tier: 'ce', reason: 'invalid license key' };
+  }
+}
+
+/**
+ * @internal Test-only. Reset cached verified tier between tests.
+ * Disabled in production to prevent accidental tier cache clearing.
+ */
+export function _resetCache() {
+  if (process.env.NODE_ENV === 'production') {
+    throw new Error('_resetCache is test-only and disabled in production');
+  }
+  _verifiedTier = null;
 }