sdtk-kit 1.6.0 → 1.7.1

package/README.md

@@ -119,7 +119,7 @@ are the mechanism that puts `sdtk`, `sdtk-spec`, `sdtk-code`, `sdtk-ops`,
 - **Major version bumps** in any sub-toolkit require a coordinated `sdtk-kit` major-bump and re-publish.
 - If you need exact version control per toolkit, use standalone packages instead.
 
-Current dependency ranges (as of sdtk-kit v1.6.0):
+Current dependency ranges (as of sdtk-kit v1.7.1):
 
 | Package          | Version |
 |------------------|---------|

package/assets/keys/sdtk-entitlement-public.pem

@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuxpjOnU2tGqY4jqQIWWQ
+mMTStgAAri8UguT+okkLEOjPav+bnHU2brobXadkVvsiX5P0cSjvjKSCdxjD97uM
+MCRhCzhSJ27cHkWdXzlREpI2xUaQK78Mmv712zuCzoQbNp4cKcDTxXFsaAdJd5S8
+0S88lPdiWFv6DI+tN1t0U7Lv3v3iIEtHdzRkYNxX958tHHuZWIrvJ6oQushZLngy
+/WpD9L3/ZraAtf+eBcK4bVc5nvcdvoQx+OEygr0tfRJlFqRp/cHkz/MyHSu7yXWa
+NtUD/zYb9jnN/DmG5O3kTD8iIQYzBErAzQ9bfMGm0J4QgTctxZLdDCy9zpBeNXva
+QwIDAQAB
+-----END PUBLIC KEY-----

package/bin/sdtk.js

@@ -4,11 +4,14 @@
 // `sdtk` — unified entry point for the SDTK suite (BK-268).
 //
 //   sdtk init --runtime <claude|codex>   one-command setup for all five toolkits
+//   sdtk activate --license <KEY>        activate SDTK Pro (unlocks all premium features)
+//   sdtk update [--check-only]           update all five toolkit CLIs
 //   sdtk --help                          top-level help
 //   sdtk --version                       sdtk-kit version + resolved per-kit versions
 //   sdtk                                 no args → help
 //
 // `init` delegates to each toolkit's own shipped init (see src/lib/unified-init.js).
+// `activate` calls the backend activation API and installs the entitlement + packs.
 
 const SUB_KITS = [
   "sdtk-spec-kit",
@@ -23,11 +26,17 @@ function helpText() {
     "sdtk — unified SDTK suite CLI",
     "",
     "Usage:",
+    "  sdtk activate --license <KEY>                  Activate SDTK Pro (all premium features)",
     "  sdtk init --runtime <claude|codex> [options]   Initialise all five toolkits",
     "  sdtk update [--check-only]                     Update all five toolkit CLIs",
     "  sdtk --help                                    Show this help",
     "  sdtk --version                                 Show versions",
     "",
+    "activate options:",
+    "  --license <KEY>            Required. License key in SDTK-XXXX-YYYY format.",
+    "  --json                     Output result as JSON.",
+    "  --activation-url <url>     Override activation API endpoint (advanced).",
+    "",
     "init options:",
     "  --runtime <claude|codex>   Required. Runtime for the runtime-aware kits",
     "                             (spec/ops/code and design place skills under",
@@ -101,6 +110,18 @@ function main(argv) {
     return cmdUpdate(argv.slice(1));
   }
 
+  if (command === "activate") {
+    // eslint-disable-next-line global-require
+    const { cmdActivate } = require("../src/commands/activate");
+    cmdActivate(argv.slice(1)).then((code) => {
+      process.exitCode = code;
+    }).catch((err) => {
+      console.error(`sdtk activate: unexpected error: ${err.message}`);
+      process.exitCode = 2;
+    });
+    return 0; // exitCode will be overwritten by the Promise above
+  }
+
   console.error(`sdtk: unknown command '${command}'.`);
   console.error("Run `sdtk --help` for usage.");
   return 2;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "sdtk-kit",
-  "version": "1.6.0",
+  "version": "1.7.1",
   "description": "Install all five SDTK toolkits in one command. Meta-package for sdtk-spec-kit, sdtk-code-kit, sdtk-ops-kit, sdtk-design-kit, and sdtk-wiki-kit.",
   "type": "commonjs",
   "bin": {
@@ -15,6 +15,7 @@
     "bin/",
     "src/",
     "scripts/",
+    "assets/",
     "README.md",
     "LICENSE"
   ],

package/src/commands/activate.js

@@ -0,0 +1,62 @@
+"use strict";
+
+const { activateWithLicense } = require("../lib/license-activation");
+
+function parseActivateArgs(args) {
+  let licenseKey = null;
+  let json = false;
+  let activationUrl;
+
+  for (let i = 0; i < args.length; i++) {
+    const arg = args[i];
+    if (arg === "--license") {
+      if (i + 1 >= args.length) throw new Error("--license requires a value");
+      licenseKey = args[++i];
+    } else if (arg === "--json") {
+      json = true;
+    } else if (arg === "--activation-url") {
+      if (i + 1 >= args.length) throw new Error("--activation-url requires a value");
+      activationUrl = args[++i];
+    } else {
+      throw new Error(`Unknown option: ${arg}`);
+    }
+  }
+
+  return { licenseKey, json, activationUrl };
+}
+
+async function cmdActivate(args) {
+  let options;
+  try {
+    options = parseActivateArgs(args);
+  } catch (err) {
+    console.error(`Error: ${err.message}`);
+    console.error("Usage: sdtk activate --license <KEY> [--json]");
+    return 1;
+  }
+
+  if (!options.licenseKey) {
+    console.error("Error: --license is required");
+    console.error("Usage: sdtk activate --license <KEY> [--json]");
+    return 1;
+  }
+
+  const result = await activateWithLicense({
+    licenseKey: options.licenseKey,
+    activationUrl: options.activationUrl,
+  });
+
+  if (options.json) {
+    console.log(JSON.stringify({ success: result.success, decision: result.decision, message: result.message }, null, 2));
+  } else {
+    if (result.success) {
+      console.log(result.message);
+    } else {
+      console.error(result.message);
+    }
+  }
+
+  return result.exitCode;
+}
+
+module.exports = { cmdActivate };

package/src/lib/license-activation.js

@@ -0,0 +1,495 @@
+"use strict";
+
+/**
+ * Umbrella `sdtk activate` implementation.
+ *
+ * Ported from sdtk-spec-kit/src/lib/license-activation.js with two key changes:
+ *   1. Installs ALL packs from the activation response (not just product === "spec").
+ *   2. Pack directories use the pack's own `product` field dynamically so each
+ *      kit's loader can find its pack at the expected path
+ *      (~/.sdtk/packs/{product}/{id}/{version}/).
+ *
+ * State paths are shared with the other kits:
+ *   ~/.sdtk/entitlements.json   — signed manifest (verified before write)
+ *   ~/.sdtk/activation.json     — lightweight activation metadata
+ *   ~/.sdtk/packs/              — pack cache root
+ */
+
+const fs = require("fs");
+const os = require("os");
+const crypto = require("crypto");
+const path = require("path");
+
+// ---------------------------------------------------------------------------
+// Suite-state paths (mirrors sdtk-spec-kit/src/lib/suite-state.js)
+// ---------------------------------------------------------------------------
+
+function getSuiteRoot() {
+  return path.join(os.homedir(), ".sdtk");
+}
+
+function getEntitlementsFile() {
+  return path.join(getSuiteRoot(), "entitlements.json");
+}
+
+function getActivationFile() {
+  return path.join(getSuiteRoot(), "activation.json");
+}
+
+function getPacksRoot() {
+  return path.join(getSuiteRoot(), "packs");
+}
+
+function ensureDir(dirPath) {
+  fs.mkdirSync(dirPath, { recursive: true });
+}
+
+function hardenFilePermissions(filePath) {
+  try {
+    if (process.platform === "win32") {
+      const { execFileSync } = require("child_process");
+      const username = os.userInfo().username;
+      execFileSync("icacls", [filePath, "/inheritance:r", "/grant:r", `${username}:(F)`], {
+        stdio: "ignore",
+      });
+    } else {
+      fs.chmodSync(filePath, 0o600);
+    }
+    return true;
+  } catch (_e) {
+    return false;
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Public key resolution
+// ---------------------------------------------------------------------------
+
+function resolvePublicKey() {
+  if (process.env.SDTK_ENTITLEMENT_PUBLIC_KEY) {
+    return process.env.SDTK_ENTITLEMENT_PUBLIC_KEY;
+  }
+  try {
+    const bundledKeyPath = path.join(
+      __dirname, "..", "..", "assets", "keys", "sdtk-entitlement-public.pem"
+    );
+    if (fs.existsSync(bundledKeyPath)) {
+      return fs.readFileSync(bundledKeyPath, "utf8");
+    }
+  } catch (_e) {
+    // fall through
+  }
+  return null;
+}
+
+// ---------------------------------------------------------------------------
+// Manifest canonicalization + verification
+// ---------------------------------------------------------------------------
+
+function canonicalize(value) {
+  if (Array.isArray(value)) return value.map(canonicalize);
+  if (value !== null && typeof value === "object") {
+    const sorted = {};
+    for (const key of Object.keys(value).sort()) {
+      sorted[key] = canonicalize(value[key]);
+    }
+    return sorted;
+  }
+  return value;
+}
+
+function buildCanonicalPayload(manifest) {
+  const { signature: _sig, ...rest } = manifest;
+  return Buffer.from(JSON.stringify(canonicalize(rest)), "utf8");
+}
+
+const REQUIRED_MANIFEST_FIELDS = [
+  "schema_version", "customer_id", "plan", "products", "capabilities",
+  "issued_at", "expires_at", "offline_grace_until",
+];
+
+function evaluateManifestObject(manifest, now) {
+  if (!manifest || typeof manifest !== "object" || Array.isArray(manifest)) {
+    return { state: "malformed", manifest: null };
+  }
+  for (const field of REQUIRED_MANIFEST_FIELDS) {
+    if (!(field in manifest)) return { state: "malformed", manifest };
+  }
+  if (typeof manifest.schema_version !== "number") return { state: "malformed", manifest };
+  if (typeof manifest.customer_id !== "string" || !manifest.customer_id) return { state: "malformed", manifest };
+  if (typeof manifest.plan !== "string" || !manifest.plan) return { state: "malformed", manifest };
+  if (!manifest.products || typeof manifest.products !== "object" || Array.isArray(manifest.products)) return { state: "malformed", manifest };
+  if (!Array.isArray(manifest.capabilities)) return { state: "malformed", manifest };
+  if (typeof manifest.issued_at !== "string" || typeof manifest.expires_at !== "string" || typeof manifest.offline_grace_until !== "string") return { state: "malformed", manifest };
+  if (!("signature" in manifest) || !manifest.signature || typeof manifest.signature !== "string") return { state: "unsigned", manifest };
+
+  const publicKeyPem = resolvePublicKey();
+  if (!publicKeyPem) return { state: "untrusted-key", manifest };
+
+  let verified = false;
+  try {
+    const verifier = crypto.createVerify("RSA-SHA256");
+    verifier.update(buildCanonicalPayload(manifest));
+    verified = verifier.verify(publicKeyPem, Buffer.from(manifest.signature, "base64"));
+  } catch (_e) {
+    return { state: "invalid-signature", manifest };
+  }
+  if (!verified) return { state: "invalid-signature", manifest };
+
+  const expiresAt = new Date(manifest.expires_at).getTime();
+  const graceUntil = new Date(manifest.offline_grace_until).getTime();
+  if (isNaN(expiresAt) || isNaN(graceUntil)) return { state: "malformed", manifest };
+
+  const nowMs = now !== undefined ? now : Date.now();
+  if (nowMs < expiresAt) return { state: "active", manifest };
+  if (nowMs < graceUntil) return { state: "grace", manifest };
+  return { state: "expired", manifest };
+}
+
+// ---------------------------------------------------------------------------
+// Pack installation (umbrella version: dynamic product, no product filter)
+// ---------------------------------------------------------------------------
+
+const SAFE_PACK_PART_RE = /^[A-Za-z0-9._-]+$/;
+
+function isSafePackPathPart(value) {
+  return typeof value === "string" && SAFE_PACK_PART_RE.test(value) && value !== "." && value !== "..";
+}
+
+const REQUIRED_PACK_FIELDS = ["id", "product", "version", "capabilities", "source", "sha256"];
+
+function validatePackMetaForInstall(meta) {
+  if (!meta || typeof meta !== "object" || Array.isArray(meta)) {
+    return { valid: false, reason: "pack metadata is not an object" };
+  }
+  for (const field of REQUIRED_PACK_FIELDS) {
+    if (!(field in meta)) return { valid: false, reason: `missing required field: ${field}` };
+  }
+  if (!isSafePackPathPart(meta.id)) return { valid: false, reason: "id must be a safe identifier" };
+  if (!isSafePackPathPart(meta.product)) return { valid: false, reason: "product must be a safe identifier" };
+  if (!isSafePackPathPart(meta.version)) return { valid: false, reason: "version must be a safe identifier" };
+  if (!Array.isArray(meta.capabilities)) return { valid: false, reason: "capabilities must be an array" };
+  if (!meta.source || typeof meta.source !== "object" || Array.isArray(meta.source) || meta.source.type !== "github-content") {
+    return { valid: false, reason: 'source.type must be "github-content"' };
+  }
+  if (typeof meta.source.path !== "string" || !meta.source.path) {
+    return { valid: false, reason: "source.path must be a non-empty string" };
+  }
+  if (typeof meta.sha256 !== "string" || !/^[0-9a-f]{64}$/.test(meta.sha256)) {
+    return { valid: false, reason: "sha256 must be a 64-character lowercase hex string" };
+  }
+  return { valid: true };
+}
+
+function computeSha256(bytes) {
+  return crypto.createHash("sha256").update(bytes).digest("hex");
+}
+
+function getPackDir(product, packId, packVersion) {
+  return path.join(getPacksRoot(), product, packId, packVersion);
+}
+
+function writePackToCache(packMeta, packBytes) {
+  const validation = validatePackMetaForInstall(packMeta);
+  if (!validation.valid) {
+    return { success: false, reason: `Invalid pack metadata: ${validation.reason}` };
+  }
+  if (!Buffer.isBuffer(packBytes)) {
+    return { success: false, reason: "packBytes must be a Buffer" };
+  }
+  if (computeSha256(packBytes) !== packMeta.sha256) {
+    return { success: false, reason: `SHA256 mismatch for pack "${packMeta.id}@${packMeta.version}"` };
+  }
+
+  const packDir = getPackDir(packMeta.product, packMeta.id, packMeta.version);
+  try {
+    ensureDir(packDir);
+  } catch (err) {
+    return { success: false, reason: `Failed to create pack dir: ${err.message}` };
+  }
+
+  const tmpFile = path.join(packDir, `.pack.js.${process.pid}.${Date.now()}.tmp`);
+  try {
+    fs.writeFileSync(tmpFile, packBytes);
+  } catch (err) {
+    return { success: false, reason: `Failed to write pack temp file: ${err.message}` };
+  }
+
+  const finalPackFile = path.join(packDir, "pack.js");
+  try {
+    if (fs.existsSync(finalPackFile)) fs.unlinkSync(finalPackFile);
+    fs.renameSync(tmpFile, finalPackFile);
+  } catch (err) {
+    try { fs.unlinkSync(tmpFile); } catch (_) {}
+    return { success: false, reason: `Failed to move pack to cache: ${err.message}` };
+  }
+
+  try {
+    fs.writeFileSync(
+      path.join(packDir, "pack.json"),
+      JSON.stringify({
+        id: packMeta.id,
+        product: packMeta.product,
+        version: packMeta.version,
+        capabilities: packMeta.capabilities,
+        sha256: packMeta.sha256,
+        source: packMeta.source,
+        installed_at: new Date().toISOString(),
+        entrypoint: "pack.js",
+      }, null, 2),
+      "utf8"
+    );
+  } catch (err) {
+    return { success: false, reason: `Failed to write pack.json: ${err.message}` };
+  }
+
+  return { success: true };
+}
+
+function installAllPacks(premiumPacks) {
+  const errors = [];
+  if (!Array.isArray(premiumPacks)) return { success: true, errors: [] };
+
+  for (const packEntry of premiumPacks) {
+    if (!packEntry || !packEntry.bytes || typeof packEntry.bytes !== "string") continue;
+
+    const validation = validatePackMetaForInstall(packEntry);
+    if (!validation.valid) {
+      errors.push(`Pack "${packEntry && packEntry.id || "unknown"}": ${validation.reason}`);
+      continue;
+    }
+
+    let packBytes;
+    try {
+      packBytes = Buffer.from(packEntry.bytes, "base64");
+    } catch (err) {
+      errors.push(`Pack "${packEntry.id}": Failed to decode bytes: ${err.message}`);
+      continue;
+    }
+
+    const writeResult = writePackToCache(packEntry, packBytes);
+    if (!writeResult.success) {
+      errors.push(`Pack "${packEntry.id}": ${writeResult.reason}`);
+    }
+  }
+
+  return { success: errors.length === 0, errors };
+}
+
+// ---------------------------------------------------------------------------
+// Activation state persistence
+// ---------------------------------------------------------------------------
+
+function persistEntitlementAndActivation(manifest, activation) {
+  const entitlementsFile = getEntitlementsFile();
+  try {
+    ensureDir(path.dirname(entitlementsFile));
+    fs.writeFileSync(entitlementsFile, JSON.stringify(manifest, null, 2), "utf8");
+    hardenFilePermissions(entitlementsFile);
+
+    const activationFile = getActivationFile();
+    ensureDir(path.dirname(activationFile));
+    fs.writeFileSync(
+      activationFile,
+      JSON.stringify({
+        provider: "license",
+        customer_id: manifest.customer_id,
+        plan: manifest.plan,
+        machine_id: activation.machine_id,
+        decision: activation.decision || "activated",
+        activated_at: new Date().toISOString(),
+      }, null, 2),
+      "utf8"
+    );
+    hardenFilePermissions(activationFile);
+    return { success: true };
+  } catch (err) {
+    return { success: false, error: err.message };
+  }
+}
+
+function rollbackPartialState() {
+  try {
+    const activationFile = getActivationFile();
+    if (fs.existsSync(activationFile)) fs.unlinkSync(activationFile);
+  } catch (_e) {}
+}
+
+// ---------------------------------------------------------------------------
+// Machine ID
+// ---------------------------------------------------------------------------
+
+function buildMachineId() {
+  const combined = `${os.hostname()}-${process.platform}-${os.cpus().length}`;
+  return crypto.createHash("sha256").update(combined).digest("hex").substring(0, 16);
+}
+
+// ---------------------------------------------------------------------------
+// HTTP activation request
+// ---------------------------------------------------------------------------
+
+async function postActivationRequest({ activationUrl, licenseKey, machineId }) {
+  const pkg = require("../../package.json");
+  const body = {
+    license_key: licenseKey,
+    machine_id: machineId,
+    cli_version: pkg.version,
+    os: process.platform,
+    hostname: os.hostname(),
+  };
+
+  try {
+    const response = await fetch(activationUrl, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify(body),
+    });
+    const rawText = await response.text();
+    let data = null;
+    try { if (rawText) data = JSON.parse(rawText); } catch (_) {}
+
+    if (!response.ok) {
+      const deniedReason =
+        data && data.decision === "denied" && data.manifest && typeof data.manifest.error === "string"
+          ? data.manifest.error : null;
+      return {
+        success: false,
+        error: deniedReason || (data && typeof data.error === "string" ? data.error : null) ||
+          `Activation API returned status ${response.status}`,
+      };
+    }
+    if (!data || typeof data !== "object") {
+      return { success: false, error: "Activation API returned a non-JSON response" };
+    }
+    return { success: true, response: data };
+  } catch (err) {
+    return { success: false, error: `Network error: ${err.message}` };
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Response validation
+// ---------------------------------------------------------------------------
+
+function validateActivationResponse(response) {
+  if (!response || typeof response !== "object") {
+    return { valid: false, reason: "Response is not an object" };
+  }
+  if (!response.decision || !["activated", "already_activated", "denied"].includes(response.decision)) {
+    return { valid: false, reason: "Invalid decision in response" };
+  }
+  if (!response.manifest || typeof response.manifest !== "object") {
+    return { valid: false, reason: "Response is missing manifest" };
+  }
+  if (response.decision === "denied") {
+    return { valid: false, reason: response.manifest.error || "Activation was denied by server" };
+  }
+  if (!response.activation || typeof response.activation !== "object") {
+    return { valid: false, reason: "Response is missing activation metadata" };
+  }
+  if (typeof response.activation.machine_id !== "string") {
+    return { valid: false, reason: "Response activation.machine_id is invalid" };
+  }
+  return { valid: true };
+}
+
+// ---------------------------------------------------------------------------
+// Main activation flow
+// ---------------------------------------------------------------------------
+
+async function activateWithLicense({ licenseKey, activationUrl } = {}) {
+  if (!activationUrl) {
+    activationUrl = process.env.SDTK_ACTIVATION_URL || "https://sdtk.dev/api/activate";
+  }
+
+  const result = { success: false, message: "", exitCode: 1 };
+
+  if (!licenseKey || typeof licenseKey !== "string" || !licenseKey.trim()) {
+    result.message = "License key is required. Usage: sdtk activate --license <KEY>";
+    return result;
+  }
+
+  const machineId = buildMachineId();
+
+  const apiResult = await postActivationRequest({
+    activationUrl,
+    licenseKey: licenseKey.trim(),
+    machineId,
+  });
+
+  if (!apiResult.success) {
+    result.message = `Activation failed: ${apiResult.error}`;
+    rollbackPartialState();
+    return result;
+  }
+
+  const validation = validateActivationResponse(apiResult.response);
+  if (!validation.valid) {
+    result.message = `Invalid activation response: ${validation.reason}`;
+    rollbackPartialState();
+    return result;
+  }
+
+  const { decision, manifest, activation } = apiResult.response;
+
+  if (decision === "denied") {
+    result.message = manifest.error || "Activation was denied by the server.";
+    rollbackPartialState();
+    return result;
+  }
+
+  const { state, manifest: verifiedManifest } = evaluateManifestObject(manifest, Date.now());
+  if (state !== "active" && state !== "grace") {
+    const reasons = {
+      malformed: "Manifest is malformed",
+      unsigned: "Manifest is not signed",
+      "untrusted-key": "Trust root not configured",
+      "invalid-signature": "Manifest signature is invalid (exit code 3)",
+      expired: "Entitlement has expired",
+    };
+    result.message = `Manifest verification failed: ${reasons[state] || state}`;
+    result.exitCode = state === "invalid-signature" ? 3 : 1;
+    rollbackPartialState();
+    return result;
+  }
+
+  // Install ALL packs (umbrella scope: no product filter)
+  const packResult = installAllPacks(apiResult.response.premium_packs);
+  if (!packResult.success) {
+    result.message = `Pack installation failed: ${packResult.errors.join("; ")}`;
+    rollbackPartialState();
+    return result;
+  }
+
+  const persistResult = persistEntitlementAndActivation(verifiedManifest, activation);
+  if (!persistResult.success) {
+    result.message = `Failed to save activation state: ${persistResult.error}`;
+    result.exitCode = 4;
+    rollbackPartialState();
+    return result;
+  }
+
+  result.success = true;
+  result.decision = decision;
+  result.exitCode = 0;
+
+  if (decision === "already_activated") {
+    result.message = `SDTK Pro already activated on this machine (customer: ${verifiedManifest.customer_id}, plan: ${verifiedManifest.plan}).`;
+  } else {
+    const capCount = Array.isArray(verifiedManifest.capabilities) ? verifiedManifest.capabilities.length : 0;
+    const packCount = Array.isArray(apiResult.response.premium_packs) ? apiResult.response.premium_packs.length : 0;
+    result.message = [
+      `SDTK Pro activated successfully!`,
+      `  Customer : ${verifiedManifest.customer_id}`,
+      `  Plan     : ${verifiedManifest.plan}`,
+      `  Features : ${capCount} capabilities, ${packCount} pack(s) installed`,
+      `  Expires  : ${verifiedManifest.expires_at}`,
+      ``,
+      `All SDTK premium features are now available on this machine.`,
+    ].join("\n");
+  }
+
+  return result;
+}
+
+module.exports = { activateWithLicense, buildMachineId };