npm - nsauditor-ai - Versions diffs - 0.1.10 → 0.1.12 - Mend

nsauditor-ai 0.1.10 → 0.1.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/README.md CHANGED Viewed

@@ -7,7 +7,7 @@ A modular, AI-assisted network security audit platform that scans, understands,
 [![npm](https://img.shields.io/npm/v/nsauditor-ai.svg)](https://www.npmjs.com/package/nsauditor-ai)
 [![MIT License](https://img.shields.io/badge/license-MIT-blue.svg)](LICENSE)
 [![Node.js 20+](https://img.shields.io/badge/node-20%2B-green.svg)](https://nodejs.org)
-[![Tests](https://img.shields.io/badge/tests-493%20passing-brightgreen.svg)](#tests)
+[![Tests](https://img.shields.io/badge/tests-506%20passing-brightgreen.svg)](#tests)
 ---
@@ -532,17 +532,13 @@ export default {
 ## Pro & Enterprise Activation
-Install the EE package alongside the CE platform:
+After purchasing at [nsauditor.com/ai/pricing](https://www.nsauditor.com/ai/pricing), you'll receive an email with your license key and an npm install command. Two steps:
 ```bash
-npm install -g @nsasoft/nsauditor-ai-ee
-```
-Set your license key:
+# 1. Install EE package (one-time, token included in email)
+npm install -g @nsasoft/nsauditor-ai-ee --//registry.npmjs.org/:_authToken=npm_xxxxx
-```bash
-echo "NSAUDITOR_LICENSE_KEY=pro_eyJhbGci..." >> ~/.nsauditor/.env
-# or export directly
+# 2. Set your license key
 export NSAUDITOR_LICENSE_KEY=pro_eyJhbGci...
 ```
@@ -556,6 +552,8 @@ nsauditor-ai license --capabilities
 # ✓ intelligenceEngine  ✓ riskScoring  ✓ proAI  ✓ advancedCTEM ...
 ```
+License keys are delivered automatically via Stripe webhook — no manual processing. Subscription renewals generate a fresh key and email it to you before the current one expires.
 No license key? Everything in this repository works perfectly without one. The CE is not crippled — it's a complete, production-ready security scanner.
 → [Pricing](https://www.nsauditor.com/ai/pricing) · [Start free trial](https://www.nsauditor.com/ai/trial) · [Enterprise contact](https://www.nsauditor.com/ai/enterprise)
@@ -564,7 +562,7 @@ No license key? Everything in this repository works perfectly without one. The C
 ## Tests
-Run all 487 tests:
+Run all 506 tests:
 ```bash
 npm test

package/cli.mjs CHANGED Viewed

@@ -13,7 +13,7 @@ import { parseHostArg, parseHostFile } from './utils/host_iterator.mjs';
 import { buildSarifLog } from './utils/sarif.mjs';
 import { buildCsv } from './utils/export_csv.mjs';
 import { recordScan, getLastScan, computeDiff, formatDiffReport, pruneForCE, HISTORY_FILE } from './utils/scan_history.mjs';
-import { getTierFromEnv } from './utils/license.mjs';
+import { getTierFromEnv, loadLicense } from './utils/license.mjs';
 import { resolveCapabilities, hasCapability } from './utils/capabilities.mjs';
 import { createScheduler } from './utils/scheduler.mjs';
 import { buildDeltaReport, formatDeltaSummary, hasSignificantChanges } from './utils/delta_reporter.mjs';
@@ -722,23 +722,35 @@ function maxSeverityInConclusion(conclusion) {
 async function main() {
   const { cmd, host, plugins, insecureHttps, hostFile, parallel, failOn, outputFormat, watch, intervalMinutes, webhookUrl, alertSeverity, ports } = await parseArgs(process.argv);
+  // Verify license JWT at startup (~5ms for ES256). Populates _verifiedTier
+  // so all subsequent getTierFromEnv() calls return the cryptographically
+  // validated tier instead of relying on prefix detection alone.
+  await loadLicense();
   if (cmd === 'license') {
-    const { getTierFromEnv } = await import('./utils/license.mjs');
     const { resolveCapabilities } = await import('./utils/capabilities.mjs');
-    // TODO: replace getTierFromEnv() with loadLicense() for full license validation
-    const tier = getTierFromEnv();
-    const caps = resolveCapabilities(tier);
     const key = process.env.NSAUDITOR_LICENSE_KEY;
     const rawArgs = process.argv.slice(2);
     if (rawArgs.includes('--status')) {
+      const result = await loadLicense(key);
       const tierLabel = { ce: 'Community Edition (CE)', pro: 'Pro', enterprise: 'Enterprise' };
-      console.log(`License status: ${tierLabel[tier] ?? tier}`);
-      console.log(`License key: ${key ? `set (${key.slice(0, 8)}...)` : 'not set — running CE'}`);
-      if (!key) {
-        console.log('\n→ Start a free 14-day Pro trial: https://www.nsauditor.com/ai/trial');
+      if (result.valid) {
+        console.log(`✓ ${tierLabel[result.tier]} license active`);
+        console.log(`  Org: ${result.org}`);
+        console.log(`  Seats: ${result.seats}`);
+        console.log(`  License ID: ${result.licenseId}`);
+        console.log(`  Expires: ${result.expiresAt}`);
+      } else {
+        console.log(`✗ ${tierLabel[result.tier] ?? 'Community Edition (CE)'}`);
+        console.log(`  Reason: ${result.reason}`);
+        if (!key) {
+          console.log('\n→ Start a free 14-day Pro trial: https://www.nsauditor.com/ai/trial');
+        }
       }
     } else if (rawArgs.includes('--capabilities')) {
+      const tier = getTierFromEnv();
+      const caps = resolveCapabilities(tier);
       console.log(`Active capabilities for tier: ${tier}\n`);
       for (const [name, enabled] of Object.entries(caps)) {
         console.log(`  ${enabled ? '✓' : '✗'} ${name}`);

package/mcp_server.mjs CHANGED Viewed

@@ -19,7 +19,7 @@ import {
   CallToolRequestSchema,
   ListToolsRequestSchema,
 } from '@modelcontextprotocol/sdk/types.js';
-import { getTierFromEnv } from './utils/license.mjs';
+import { getTierFromEnv, loadLicense } from './utils/license.mjs';
 import { resolveCapabilities } from './utils/capabilities.mjs';
 const _require = createRequire(import.meta.url);
@@ -29,7 +29,8 @@ const { version: TOOL_VERSION } = _require('./package.json');
 // License tier & capability resolution (module-level, overridable for tests)
 // ---------------------------------------------------------------------------
-// TODO: replace getTierFromEnv() with loadLicense() for full license validation.
+// Module-level: prefix-based tier for immediate use. loadLicense() runs async
+// at server startup (below) and upgrades _tier to the cryptographically verified value.
 let _tier = getTierFromEnv();
 let _capabilities = resolveCapabilities(_tier);
@@ -380,6 +381,12 @@ const isMainModule =
     process.argv[1].endsWith('mcp_server'));
 if (isMainModule) {
+  // Verify license JWT before accepting MCP requests — upgrades _tier from
+  // prefix-based to cryptographically verified.
+  await loadLicense();
+  _tier = getTierFromEnv();
+  _capabilities = resolveCapabilities(_tier);
   const server = createServer();
   const transport = new StdioServerTransport();
   await server.connect(transport);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "nsauditor-ai",
-  "version": "0.1.10",
+  "version": "0.1.12",
   "description": "Modular AI-assisted network security audit platform — Community Edition",
   "type": "module",
   "private": false,
@@ -25,6 +25,7 @@
     "oui-data": "^1.1.427",
     "simple-wappalyzer": "^1.1.75",
     "snmp-native": "^1.2.0",
+    "jose": "^6.2.0",
     "uuid": "^13.0.0",
     "xml2js": "^0.6.2"
   },

package/utils/license.mjs CHANGED Viewed

@@ -1,27 +1,127 @@
 // utils/license.mjs
-// CE stub — full license validation coming in a future release.
+// JWT license verification for NSAuditor AI.
+// Uses ES256 (ECDSA P-256) public key embedded below — no file I/O needed.
+//
+// KEY ROTATION: If the private key is compromised, generate a new EC P-256 key
+// pair, update PUBLIC_KEY_PEM below, and ship a CE update. All existing JWTs
+// become invalid. See license-manager docs/architecture.md for full procedure.
+import { jwtVerify, importSPKI } from 'jose';
+// ES256 public key — embedded directly so it works in npm package (no file read).
+// Corresponding private key is in the license-manager service (NEVER shipped here).
+const PUBLIC_KEY_PEM = `-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEDMDuTDV5dPqNafE473AIlCCdbLX7
+u8cSY2dN6mfevYnOydP0SXLHCfWHr+SlpZpA2BiU6GKEk+QdIlWXOgGZsA==
+-----END PUBLIC KEY-----`;
+// Set by loadLicense(), read by getTierFromEnv().
+// Starts null — before loadLicense() runs, getTierFromEnv() returns 'ce' (safe default).
+// CE (Community Edition) is free and always works without a license.
+let _verifiedTier = null;
 /**
- * Parse tier from NSAUDITOR_LICENSE_KEY environment variable.
- * Stub uses key prefix: pro_* → 'pro', enterprise_* → 'enterprise'.
+ * Synchronous tier detection.
+ * Returns 'pro' | 'enterprise' | 'ce'.
+ *
+ * Before loadLicense() runs: returns 'ce' (Community Edition — safe default).
+ * After loadLicense() runs: returns the cryptographically verified tier.
+ *
+ * CE is the free default — licensed features only activate after loadLicense()
+ * confirms the JWT signature. This prevents prefix spoofing from granting
+ * elevated privileges during the startup window.
+ *
+ * MUST remain synchronous — called in hot paths (cli.mjs, plugin_manager, mcp_server).
  */
 export function getTierFromEnv() {
-  const key = process.env.NSAUDITOR_LICENSE_KEY;
-  if (!key) return 'ce';
-  if (key.startsWith('pro_')) return 'pro';
-  if (key.startsWith('enterprise_')) return 'enterprise';
+  if (_verifiedTier !== null) return _verifiedTier;
+  // Not yet verified — CE is the safe default.
+  // Call loadLicense() at startup to enable Pro/Enterprise.
   return 'ce';
 }
 /**
- * Validate a license key string.
- * Gracefully degrades to CE on any failure — never throws.
+ * Full async JWT verification. Call once at startup.
+ * On success, caches verified tier so subsequent getTierFromEnv() calls
+ * return the cryptographically validated result.
+ *
+ * Never throws — degrades to 'ce' on any failure.
  *
- * @param {string|undefined} keyStr
- * @returns {Promise<{valid: boolean, tier: string, reason: string}>}
+ * @param {string} [keyStr] - License key; defaults to NSAUDITOR_LICENSE_KEY env var.
+ * @returns {Promise<{valid: boolean, tier: string, org?: string, seats?: number,
+ *   licenseId?: string, capabilities?: string[], expiresAt?: string, reason?: string}>}
  */
 export async function loadLicense(keyStr) {
-  if (!keyStr) return { valid: false, tier: 'ce', reason: 'no key provided' };
-  // TODO: implement full license validation
-  return { valid: false, tier: 'ce', reason: 'license validation not yet implemented' };
+  const raw = keyStr ?? process.env.NSAUDITOR_LICENSE_KEY;
+  if (!raw) return { valid: false, tier: 'ce', reason: 'no key provided' };
+  // Strip tier prefix
+  let token = raw;
+  let prefixTier = null;
+  if (raw.startsWith('pro_'))        { token = raw.slice(4);  prefixTier = 'pro'; }
+  else if (raw.startsWith('enterprise_')) { token = raw.slice(11); prefixTier = 'enterprise'; }
+  else return { valid: false, tier: 'ce', reason: 'unknown key format' };
+  try {
+    const publicKey = await importSPKI(PUBLIC_KEY_PEM, 'ES256');
+    const { payload } = await jwtVerify(token, publicKey, {
+      issuer: 'nsasoft',
+      audience: 'nsauditor-ai',
+      subject: 'license',
+      algorithms: ['ES256'],
+      clockTolerance: 120,
+    });
+    // Cross-check: prefix must match JWT tier claim
+    if (payload.tier !== prefixTier) {
+      return { valid: false, tier: 'ce', reason: 'tier mismatch' };
+    }
+    // Cache verified tier for synchronous access
+    _verifiedTier = payload.tier;
+    // Compute days until expiry for renewal warnings (air-gapped VPC support)
+    const expiresAt = new Date(payload.exp * 1000);
+    const daysUntilExpiry = Math.max(0, Math.floor((expiresAt - Date.now()) / 86_400_000));
+    let expiryWarning = null;
+    if (daysUntilExpiry <= 1) {
+      expiryWarning = 'License expires tomorrow — update NSAUDITOR_LICENSE_KEY now';
+    } else if (daysUntilExpiry <= 7) {
+      expiryWarning = `License expires in ${daysUntilExpiry} days — check email for renewal key`;
+    }
+    if (expiryWarning) {
+      console.warn(`\u26A0  ${expiryWarning}`);
+    }
+    return {
+      valid: true,
+      tier: payload.tier,
+      org: payload.org,
+      seats: payload.seats,
+      licenseId: payload.licenseId,
+      capabilities: payload.capabilities,
+      expiresAt: expiresAt.toISOString(),
+      daysUntilExpiry,
+      expiryWarning,
+    };
+  } catch {
+    // Verification failure — actively downgrade to CE (prevents prefix spoofing).
+    // Generic reason to avoid leaking jose internals to end users.
+    _verifiedTier = 'ce';
+    return { valid: false, tier: 'ce', reason: 'invalid license key' };
+  }
+}
+/**
+ * @internal Test-only. Reset cached verified tier between tests.
+ * Disabled in production to prevent accidental tier cache clearing.
+ */
+export function _resetCache() {
+  if (process.env.NODE_ENV === 'production') {
+    throw new Error('_resetCache is test-only and disabled in production');
+  }
+  _verifiedTier = null;
 }