shieldcortex 2.17.0 → 2.18.0

package/dist/license/gate.js

@@ -0,0 +1,84 @@
+/**
+ * Feature gating — the central guard for Pro/Team features.
+ *
+ * Usage:
+ *   requireFeature('custom_injection_patterns');  // throws FeatureGatedError if not Pro+
+ *   isFeatureEnabled('cloud_sync');               // returns boolean (soft check)
+ */
+import { getLicenseTier } from './store.js';
+import { TIER_RANK } from './keys.js';
+const FEATURE_TIERS = {
+    custom_injection_patterns: 'pro',
+    custom_iron_dome_policies: 'pro',
+    custom_firewall_rules: 'pro',
+    audit_export: 'pro',
+    skill_scanner_deep: 'pro',
+    cloud_sync: 'team',
+    team_management: 'team',
+    shared_patterns: 'team',
+};
+const FEATURE_DESCRIPTIONS = {
+    custom_injection_patterns: 'Define up to 50 custom regex patterns for detecting domain-specific threats.',
+    custom_iron_dome_policies: 'Create custom Iron Dome policies with tailored action gates and trust levels.',
+    custom_firewall_rules: 'Add custom firewall rules to block or allow specific content patterns.',
+    audit_export: 'Export your full audit trail as JSON or CSV for compliance reporting.',
+    skill_scanner_deep: 'Deep skill scanning with multi-file analysis and semantic intent detection.',
+    cloud_sync: 'Sync audit data across devices for centralised team visibility.',
+    team_management: 'Manage team members, invites, and shared security policies.',
+    shared_patterns: 'Share custom injection patterns and policies across your team.',
+};
+// ── Error class ──────────────────────────────────────────
+export class FeatureGatedError extends Error {
+    feature;
+    requiredTier;
+    constructor(feature, requiredTier) {
+        const tierLabel = requiredTier.charAt(0).toUpperCase() + requiredTier.slice(1);
+        const desc = FEATURE_DESCRIPTIONS[feature];
+        super(`This feature requires a ${tierLabel} licence.\n\n` +
+            `${desc}\n\n` +
+            `  Upgrade:  https://shieldcortex.ai/pricing\n` +
+            `  Activate: shieldcortex license activate <key>`);
+        this.feature = feature;
+        this.requiredTier = requiredTier;
+        this.name = 'FeatureGatedError';
+    }
+}
+// ── Guards ────────────────────────────────────────────────
+/**
+ * Check if a feature is enabled under the current licence tier.
+ * Use for soft checks (e.g. hiding UI elements, silent returns).
+ */
+export function isFeatureEnabled(feature) {
+    const requiredTier = FEATURE_TIERS[feature];
+    const currentTier = getLicenseTier();
+    return TIER_RANK[currentTier] >= TIER_RANK[requiredTier];
+}
+/**
+ * Require a feature — throws FeatureGatedError if the current licence
+ * doesn't include it. Use at the entry point of gated features.
+ */
+export function requireFeature(feature) {
+    if (!isFeatureEnabled(feature)) {
+        throw new FeatureGatedError(feature, FEATURE_TIERS[feature]);
+    }
+}
+/**
+ * Get the minimum tier required for a feature.
+ */
+export function getRequiredTier(feature) {
+    return FEATURE_TIERS[feature];
+}
+/**
+ * List all features with their required tier and current availability.
+ */
+export function listFeatures() {
+    const currentTier = getLicenseTier();
+    const currentRank = TIER_RANK[currentTier];
+    return Object.keys(FEATURE_TIERS).map((feature) => ({
+        feature,
+        requiredTier: FEATURE_TIERS[feature],
+        enabled: currentRank >= TIER_RANK[FEATURE_TIERS[feature]],
+        description: FEATURE_DESCRIPTIONS[feature],
+    }));
+}
+//# sourceMappingURL=gate.js.map

package/dist/license/gate.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"gate.js","sourceRoot":"","sources":["../../src/license/gate.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAC5C,OAAO,EAAE,SAAS,EAAoB,MAAM,WAAW,CAAC;AAcxD,MAAM,aAAa,GAAsC;IACvD,yBAAyB,EAAE,KAAK;IAChC,yBAAyB,EAAE,KAAK;IAChC,qBAAqB,EAAE,KAAK;IAC5B,YAAY,EAAE,KAAK;IACnB,kBAAkB,EAAE,KAAK;IACzB,UAAU,EAAE,MAAM;IAClB,eAAe,EAAE,MAAM;IACvB,eAAe,EAAE,MAAM;CACxB,CAAC;AAEF,MAAM,oBAAoB,GAAiC;IACzD,yBAAyB,EAAE,8EAA8E;IACzG,yBAAyB,EAAE,+EAA+E;IAC1G,qBAAqB,EAAE,wEAAwE;IAC/F,YAAY,EAAE,uEAAuE;IACrF,kBAAkB,EAAE,6EAA6E;IACjG,UAAU,EAAE,iEAAiE;IAC7E,eAAe,EAAE,6DAA6D;IAC9E,eAAe,EAAE,gEAAgE;CAClF,CAAC;AAEF,4DAA4D;AAE5D,MAAM,OAAO,iBAAkB,SAAQ,KAAK;IAEjC;IACA;IAFT,YACS,OAAqB,EACrB,YAAyB;QAEhC,MAAM,SAAS,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QAC/E,MAAM,IAAI,GAAG,oBAAoB,CAAC,OAAO,CAAC,CAAC;QAC3C,KAAK,CACH,2BAA2B,SAAS,eAAe;YACnD,GAAG,IAAI,MAAM;YACb,+CAA+C;YAC/C,iDAAiD,CAClD,CAAC;QAVK,YAAO,GAAP,OAAO,CAAc;QACrB,iBAAY,GAAZ,YAAY,CAAa;QAUhC,IAAI,CAAC,IAAI,GAAG,mBAAmB,CAAC;IAClC,CAAC;CACF;AAED,6DAA6D;AAE7D;;;GAGG;AACH,MAAM,UAAU,gBAAgB,CAAC,OAAqB;IACpD,MAAM,YAAY,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC;IAC5C,MAAM,WAAW,GAAG,cAAc,EAAE,CAAC;IACrC,OAAO,SAAS,CAAC,WAAW,CAAC,IAAI,SAAS,CAAC,YAAY,CAAC,CAAC;AAC3D,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,cAAc,CAAC,OAAqB;IAClD,IAAI,CAAC,gBAAgB,CAAC,OAAO,CAAC,EAAE,CAAC;QAC/B,MAAM,IAAI,iBAAiB,CAAC,OAAO,EAAE,aAAa,CAAC,OAAO,CAAC,CAAC,CAAC;IAC/D,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,OAAqB;IACnD,OAAO,aAAa,CAAC,OAAO,CAAC,CAAC;AAChC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,YAAY;IAM1B,MAAM,WAAW,GAAG,cAAc,EAAE,CAAC;IACrC,MAAM,WAAW,GAAG,SAAS,CAAC,WAAW,CAAC,CAAC;IAE3C,OAAQ,MAAM,CAAC,IAAI,CAAC,aAAa,CAAoB,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;QACtE,OAAO;QACP,YAAY,EAAE,aAAa,CAAC,OAAO,CAAC;QACpC,OAAO,EAAE,WAAW,IAAI,SAAS,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC;QACzD,WAAW,EAAE,oBAAoB,CAAC,OAAO,CAAC;KAC3C,CAAC,CAAC,CAAC;AACN,CAAC"}

package/dist/license/index.d.ts

@@ -0,0 +1,12 @@
+/**
+ * License module — re-exports for public API and internal use.
+ */
+export { getLicense, getLicenseTier, getLicenseFile, clearLicenseCache } from './store.js';
+export { verifyLicenseKey, parseLicensePayload } from './verify.js';
+export { isFeatureEnabled, requireFeature, getRequiredTier, listFeatures, FeatureGatedError, } from './gate.js';
+export { scheduleOnlineValidation } from './validate.js';
+export type { LicenseTier, LicenseInfo, LicensePayload, LicenseFile } from './keys.js';
+export type { GatedFeature } from './gate.js';
+export { TIER_RANK, KEY_PREFIXES, EXPIRY_GRACE_DAYS } from './keys.js';
+export { handleLicenseCommand } from './cli.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/license/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/license/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,EAAE,UAAU,EAAE,cAAc,EAAE,cAAc,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAC3F,OAAO,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AACpE,OAAO,EACL,gBAAgB,EAChB,cAAc,EACd,eAAe,EACf,YAAY,EACZ,iBAAiB,GAClB,MAAM,WAAW,CAAC;AACnB,OAAO,EAAE,wBAAwB,EAAE,MAAM,eAAe,CAAC;AAGzD,YAAY,EAAE,WAAW,EAAE,WAAW,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,WAAW,CAAC;AACvF,YAAY,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,YAAY,EAAE,iBAAiB,EAAE,MAAM,WAAW,CAAC;AAGvE,OAAO,EAAE,oBAAoB,EAAE,MAAM,UAAU,CAAC"}

package/dist/license/index.js

@@ -0,0 +1,12 @@
+/**
+ * License module — re-exports for public API and internal use.
+ */
+// ── Public API (exported from lib.ts) ────────────────────
+export { getLicense, getLicenseTier, getLicenseFile, clearLicenseCache } from './store.js';
+export { verifyLicenseKey, parseLicensePayload } from './verify.js';
+export { isFeatureEnabled, requireFeature, getRequiredTier, listFeatures, FeatureGatedError, } from './gate.js';
+export { scheduleOnlineValidation } from './validate.js';
+export { TIER_RANK, KEY_PREFIXES, EXPIRY_GRACE_DAYS } from './keys.js';
+// ── CLI (imported lazily from src/index.ts) ──────────────
+export { handleLicenseCommand } from './cli.js';
+//# sourceMappingURL=index.js.map

package/dist/license/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/license/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,4DAA4D;AAC5D,OAAO,EAAE,UAAU,EAAE,cAAc,EAAE,cAAc,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAC3F,OAAO,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AACpE,OAAO,EACL,gBAAgB,EAChB,cAAc,EACd,eAAe,EACf,YAAY,EACZ,iBAAiB,GAClB,MAAM,WAAW,CAAC;AACnB,OAAO,EAAE,wBAAwB,EAAE,MAAM,eAAe,CAAC;AAKzD,OAAO,EAAE,SAAS,EAAE,YAAY,EAAE,iBAAiB,EAAE,MAAM,WAAW,CAAC;AAEvE,4DAA4D;AAC5D,OAAO,EAAE,oBAAoB,EAAE,MAAM,UAAU,CAAC"}

package/dist/license/keys.d.ts

@@ -0,0 +1,50 @@
+/**
+ * License key types, constants, and the Ed25519 public key used to verify licence keys offline.
+ *
+ * The private key lives ONLY in the SaaS API (Fly.io secrets).
+ * This public key can verify signatures but cannot create them.
+ */
+/**
+ * Ed25519 public key in DER (SPKI) hex format.
+ * Generated once; the matching private key is stored in Fly.io as LICENSE_SIGNING_KEY.
+ */
+export declare const LICENSE_PUBLIC_KEY_HEX = "302a300506032b657003210053e006dc81bf14eda2b2481868f7bbad49b614b3dafe24f950202c4f712f955d";
+export type LicenseTier = 'free' | 'pro' | 'team' | 'enterprise';
+/** The signed payload embedded inside a license key. */
+export interface LicensePayload {
+    tier: Exclude<LicenseTier, 'free'>;
+    teamId: number;
+    email: string;
+    /** Expiry — Unix seconds */
+    exp: number;
+    /** Issued-at — Unix seconds */
+    iat: number;
+    /** Stripe subscription ID — used for online revocation checks */
+    sid: string;
+}
+/** The result of verifying a license key. */
+export interface LicenseInfo {
+    valid: boolean;
+    tier: LicenseTier;
+    email: string | null;
+    expiresAt: Date | null;
+    daysUntilExpiry: number | null;
+    teamId: number | null;
+    subscriptionId: string | null;
+}
+/** Stored in ~/.shieldcortex/license.json */
+export interface LicenseFile {
+    key: string;
+    activatedAt: string;
+    lastValidatedAt: string | null;
+    validationStatus: 'valid' | 'expired' | 'revoked' | 'unvalidated';
+}
+/** Key prefix convention: sc_{tier}_ */
+export declare const KEY_PREFIXES: Record<Exclude<LicenseTier, 'free'>, string>;
+/** Tier rank for comparison (higher = more permissive) */
+export declare const TIER_RANK: Record<LicenseTier, number>;
+/** Grace period after expiry (days) — covers Stripe dunning retries */
+export declare const EXPIRY_GRACE_DAYS = 7;
+/** How often to run online validation (ms) */
+export declare const ONLINE_VALIDATION_INTERVAL_MS: number;
+//# sourceMappingURL=keys.d.ts.map

package/dist/license/keys.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"keys.d.ts","sourceRoot":"","sources":["../../src/license/keys.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH;;;GAGG;AACH,eAAO,MAAM,sBAAsB,6FACyD,CAAC;AAI7F,MAAM,MAAM,WAAW,GAAG,MAAM,GAAG,KAAK,GAAG,MAAM,GAAG,YAAY,CAAC;AAEjE,wDAAwD;AACxD,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,OAAO,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;IACnC,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,4BAA4B;IAC5B,GAAG,EAAE,MAAM,CAAC;IACZ,+BAA+B;IAC/B,GAAG,EAAE,MAAM,CAAC;IACZ,iEAAiE;IACjE,GAAG,EAAE,MAAM,CAAC;CACb;AAED,6CAA6C;AAC7C,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,OAAO,CAAC;IACf,IAAI,EAAE,WAAW,CAAC;IAClB,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,SAAS,EAAE,IAAI,GAAG,IAAI,CAAC;IACvB,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;CAC/B;AAED,6CAA6C;AAC7C,MAAM,WAAW,WAAW;IAC1B,GAAG,EAAE,MAAM,CAAC;IACZ,WAAW,EAAE,MAAM,CAAC;IACpB,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,gBAAgB,EAAE,OAAO,GAAG,SAAS,GAAG,SAAS,GAAG,aAAa,CAAC;CACnE;AAID,wCAAwC;AACxC,eAAO,MAAM,YAAY,EAAE,MAAM,CAAC,OAAO,CAAC,WAAW,EAAE,MAAM,CAAC,EAAE,MAAM,CAIrE,CAAC;AAEF,0DAA0D;AAC1D,eAAO,MAAM,SAAS,EAAE,MAAM,CAAC,WAAW,EAAE,MAAM,CAKjD,CAAC;AAEF,uEAAuE;AACvE,eAAO,MAAM,iBAAiB,IAAI,CAAC;AAEnC,8CAA8C;AAC9C,eAAO,MAAM,6BAA6B,QAAsB,CAAC"}

package/dist/license/keys.js

@@ -0,0 +1,30 @@
+/**
+ * License key types, constants, and the Ed25519 public key used to verify licence keys offline.
+ *
+ * The private key lives ONLY in the SaaS API (Fly.io secrets).
+ * This public key can verify signatures but cannot create them.
+ */
+/**
+ * Ed25519 public key in DER (SPKI) hex format.
+ * Generated once; the matching private key is stored in Fly.io as LICENSE_SIGNING_KEY.
+ */
+export const LICENSE_PUBLIC_KEY_HEX = '302a300506032b657003210053e006dc81bf14eda2b2481868f7bbad49b614b3dafe24f950202c4f712f955d';
+// ── Constants ────────────────────────────────────────────
+/** Key prefix convention: sc_{tier}_ */
+export const KEY_PREFIXES = {
+    pro: 'sc_pro_',
+    team: 'sc_team_',
+    enterprise: 'sc_ent_',
+};
+/** Tier rank for comparison (higher = more permissive) */
+export const TIER_RANK = {
+    free: 0,
+    pro: 1,
+    team: 2,
+    enterprise: 3,
+};
+/** Grace period after expiry (days) — covers Stripe dunning retries */
+export const EXPIRY_GRACE_DAYS = 7;
+/** How often to run online validation (ms) */
+export const ONLINE_VALIDATION_INTERVAL_MS = 24 * 60 * 60 * 1000; // 24 hours
+//# sourceMappingURL=keys.js.map

package/dist/license/keys.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"keys.js","sourceRoot":"","sources":["../../src/license/keys.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH;;;GAGG;AACH,MAAM,CAAC,MAAM,sBAAsB,GACjC,0FAA0F,CAAC;AAsC7F,4DAA4D;AAE5D,wCAAwC;AACxC,MAAM,CAAC,MAAM,YAAY,GAAiD;IACxE,GAAG,EAAE,SAAS;IACd,IAAI,EAAE,UAAU;IAChB,UAAU,EAAE,SAAS;CACtB,CAAC;AAEF,0DAA0D;AAC1D,MAAM,CAAC,MAAM,SAAS,GAAgC;IACpD,IAAI,EAAE,CAAC;IACP,GAAG,EAAE,CAAC;IACN,IAAI,EAAE,CAAC;IACP,UAAU,EAAE,CAAC;CACd,CAAC;AAEF,uEAAuE;AACvE,MAAM,CAAC,MAAM,iBAAiB,GAAG,CAAC,CAAC;AAEnC,8CAA8C;AAC9C,MAAM,CAAC,MAAM,6BAA6B,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,WAAW"}

package/dist/license/store.d.ts

@@ -0,0 +1,45 @@
+/**
+ * License file I/O — reads/writes ~/.shieldcortex/license.json
+ *
+ * The Ed25519 signature on the key itself provides integrity for the tier
+ * and expiry. The validationStatus field is advisory — a tampered value
+ * only persists until the next online validation (≤24h). HMAC is not
+ * needed here because the hard security boundary is the signed key, not
+ * the JSON file.
+ *
+ * License is cached in memory after first read.
+ */
+import type { LicenseTier, LicenseInfo, LicenseFile } from './keys.js';
+/** Clear the in-memory cache (useful for testing or after activation). */
+export declare function clearLicenseCache(): void;
+/**
+ * Read and verify the stored license.
+ * Returns a LicenseInfo with tier='free' if no license exists or verification fails.
+ */
+export declare function getLicense(): LicenseInfo;
+/**
+ * Quick accessor for the current licence tier.
+ * Returns 'free' if no valid licence exists.
+ */
+export declare function getLicenseTier(): LicenseTier;
+/**
+ * Read the raw license file data (for status display).
+ * Returns null if no license file exists.
+ */
+export declare function getLicenseFile(): LicenseFile | null;
+/**
+ * Activate a license key — verify it, then store in license.json.
+ * Returns the verified LicenseInfo.
+ * Throws if the key is invalid.
+ */
+export declare function activateLicense(key: string): LicenseInfo;
+/**
+ * Remove the license file (deactivate).
+ */
+export declare function deactivateLicense(): void;
+/**
+ * Update the validation status and timestamp in the license file.
+ * Called by the online validation module.
+ */
+export declare function updateValidationStatus(status: LicenseFile['validationStatus']): void;
+//# sourceMappingURL=store.d.ts.map

package/dist/license/store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"store.d.ts","sourceRoot":"","sources":["../../src/license/store.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAMH,OAAO,KAAK,EAAE,WAAW,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,WAAW,CAAC;AASvE,0EAA0E;AAC1E,wBAAgB,iBAAiB,IAAI,IAAI,CAExC;AAID;;;GAGG;AACH,wBAAgB,UAAU,IAAI,WAAW,CA0CxC;AAED;;;GAGG;AACH,wBAAgB,cAAc,IAAI,WAAW,CAE5C;AAED;;;GAGG;AACH,wBAAgB,cAAc,IAAI,WAAW,GAAG,IAAI,CAOnD;AAID;;;;GAIG;AACH,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,GAAG,WAAW,CAmBxD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,IAAI,IAAI,CASxC;AAED;;;GAGG;AACH,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,WAAW,CAAC,kBAAkB,CAAC,GAAG,IAAI,CAepF"}

package/dist/license/store.js

@@ -0,0 +1,148 @@
+/**
+ * License file I/O — reads/writes ~/.shieldcortex/license.json
+ *
+ * The Ed25519 signature on the key itself provides integrity for the tier
+ * and expiry. The validationStatus field is advisory — a tampered value
+ * only persists until the next online validation (≤24h). HMAC is not
+ * needed here because the hard security boundary is the signed key, not
+ * the JSON file.
+ *
+ * License is cached in memory after first read.
+ */
+import { readFileSync, writeFileSync, existsSync, unlinkSync, mkdirSync } from 'fs';
+import { join } from 'path';
+import { homedir } from 'os';
+import { verifyLicenseKey } from './verify.js';
+const CONFIG_DIR = join(homedir(), '.shieldcortex');
+const LICENSE_FILE = join(CONFIG_DIR, 'license.json');
+// ── Cache ────────────────────────────────────────────────
+let cachedLicense = null;
+/** Clear the in-memory cache (useful for testing or after activation). */
+export function clearLicenseCache() {
+    cachedLicense = null;
+}
+// ── Read ─────────────────────────────────────────────────
+/**
+ * Read and verify the stored license.
+ * Returns a LicenseInfo with tier='free' if no license exists or verification fails.
+ */
+export function getLicense() {
+    if (cachedLicense)
+        return cachedLicense;
+    const FREE = {
+        valid: false,
+        tier: 'free',
+        email: null,
+        expiresAt: null,
+        daysUntilExpiry: null,
+        teamId: null,
+        subscriptionId: null,
+    };
+    try {
+        if (!existsSync(LICENSE_FILE)) {
+            cachedLicense = FREE;
+            return FREE;
+        }
+        const raw = JSON.parse(readFileSync(LICENSE_FILE, 'utf-8'));
+        if (!raw.key) {
+            cachedLicense = FREE;
+            return FREE;
+        }
+        // Check if previously marked as revoked or expired by online validation.
+        // Revoked = subscription cancelled (hard block).
+        // Expired = advisory; verifyLicenseKey() applies the 7-day grace period
+        // so we only hard-block on revoked here.
+        if (raw.validationStatus === 'revoked') {
+            cachedLicense = FREE;
+            return FREE;
+        }
+        // Verify the key cryptographically (checks exp + grace period)
+        const info = verifyLicenseKey(raw.key);
+        cachedLicense = info;
+        return info;
+    }
+    catch {
+        cachedLicense = FREE;
+        return FREE;
+    }
+}
+/**
+ * Quick accessor for the current licence tier.
+ * Returns 'free' if no valid licence exists.
+ */
+export function getLicenseTier() {
+    return getLicense().tier;
+}
+/**
+ * Read the raw license file data (for status display).
+ * Returns null if no license file exists.
+ */
+export function getLicenseFile() {
+    try {
+        if (!existsSync(LICENSE_FILE))
+            return null;
+        return JSON.parse(readFileSync(LICENSE_FILE, 'utf-8'));
+    }
+    catch {
+        return null;
+    }
+}
+// ── Write ────────────────────────────────────────────────
+/**
+ * Activate a license key — verify it, then store in license.json.
+ * Returns the verified LicenseInfo.
+ * Throws if the key is invalid.
+ */
+export function activateLicense(key) {
+    const info = verifyLicenseKey(key);
+    if (!info.valid) {
+        throw new Error('Invalid or expired licence key. Check the key and try again.');
+    }
+    const file = {
+        key,
+        activatedAt: new Date().toISOString(),
+        lastValidatedAt: null,
+        validationStatus: 'unvalidated',
+    };
+    mkdirSync(CONFIG_DIR, { recursive: true });
+    writeFileSync(LICENSE_FILE, JSON.stringify(file, null, 2) + '\n', { mode: 0o600 });
+    // Invalidate cache
+    cachedLicense = info;
+    return info;
+}
+/**
+ * Remove the license file (deactivate).
+ */
+export function deactivateLicense() {
+    try {
+        if (existsSync(LICENSE_FILE)) {
+            unlinkSync(LICENSE_FILE);
+        }
+    }
+    catch {
+        // Best effort
+    }
+    cachedLicense = null;
+}
+/**
+ * Update the validation status and timestamp in the license file.
+ * Called by the online validation module.
+ */
+export function updateValidationStatus(status) {
+    try {
+        if (!existsSync(LICENSE_FILE))
+            return;
+        const raw = JSON.parse(readFileSync(LICENSE_FILE, 'utf-8'));
+        raw.validationStatus = status;
+        raw.lastValidatedAt = new Date().toISOString();
+        writeFileSync(LICENSE_FILE, JSON.stringify(raw, null, 2) + '\n', { mode: 0o600 });
+        // If revoked or expired, invalidate cache so next getLicense() re-verifies
+        if (status === 'revoked' || status === 'expired') {
+            cachedLicense = null;
+        }
+    }
+    catch {
+        // Best effort
+    }
+}
+//# sourceMappingURL=store.js.map

package/dist/license/store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"store.js","sourceRoot":"","sources":["../../src/license/store.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,UAAU,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,IAAI,CAAC;AACpF,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC;AAC7B,OAAO,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAG/C,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,EAAE,EAAE,eAAe,CAAC,CAAC;AACpD,MAAM,YAAY,GAAG,IAAI,CAAC,UAAU,EAAE,cAAc,CAAC,CAAC;AAEtD,4DAA4D;AAE5D,IAAI,aAAa,GAAuB,IAAI,CAAC;AAE7C,0EAA0E;AAC1E,MAAM,UAAU,iBAAiB;IAC/B,aAAa,GAAG,IAAI,CAAC;AACvB,CAAC;AAED,4DAA4D;AAE5D;;;GAGG;AACH,MAAM,UAAU,UAAU;IACxB,IAAI,aAAa;QAAE,OAAO,aAAa,CAAC;IAExC,MAAM,IAAI,GAAgB;QACxB,KAAK,EAAE,KAAK;QACZ,IAAI,EAAE,MAAM;QACZ,KAAK,EAAE,IAAI;QACX,SAAS,EAAE,IAAI;QACf,eAAe,EAAE,IAAI;QACrB,MAAM,EAAE,IAAI;QACZ,cAAc,EAAE,IAAI;KACrB,CAAC;IAEF,IAAI,CAAC;QACH,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;YAC9B,aAAa,GAAG,IAAI,CAAC;YACrB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,GAAG,GAAgB,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC,CAAC;QACzE,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC;YACb,aAAa,GAAG,IAAI,CAAC;YACrB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,yEAAyE;QACzE,iDAAiD;QACjD,wEAAwE;QACxE,yCAAyC;QACzC,IAAI,GAAG,CAAC,gBAAgB,KAAK,SAAS,EAAE,CAAC;YACvC,aAAa,GAAG,IAAI,CAAC;YACrB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,+DAA+D;QAC/D,MAAM,IAAI,GAAG,gBAAgB,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACvC,aAAa,GAAG,IAAI,CAAC;QACrB,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,aAAa,GAAG,IAAI,CAAC;QACrB,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,cAAc;IAC5B,OAAO,UAAU,EAAE,CAAC,IAAI,CAAC;AAC3B,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,cAAc;IAC5B,IAAI,CAAC;QACH,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC;YAAE,OAAO,IAAI,CAAC;QAC3C,OAAO,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC,CAAC;IACzD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,4DAA4D;AAE5D;;;;GAIG;AACH,MAAM,UAAU,eAAe,CAAC,GAAW;IACzC,MAAM,IAAI,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAC;IACnC,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;QAChB,MAAM,IAAI,KAAK,CAAC,8DAA8D,CAAC,CAAC;IAClF,CAAC;IAED,MAAM,IAAI,GAAgB;QACxB,GAAG;QACH,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACrC,eAAe,EAAE,IAAI;QACrB,gBAAgB,EAAE,aAAa;KAChC,CAAC;IAEF,SAAS,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC3C,aAAa,CAAC,YAAY,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAEnF,mBAAmB;IACnB,aAAa,GAAG,IAAI,CAAC;IACrB,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB;IAC/B,IAAI,CAAC;QACH,IAAI,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;YAC7B,UAAU,CAAC,YAAY,CAAC,CAAC;QAC3B,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,cAAc;IAChB,CAAC;IACD,aAAa,GAAG,IAAI,CAAC;AACvB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,sBAAsB,CAAC,MAAuC;IAC5E,IAAI,CAAC;QACH,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC;YAAE,OAAO;QACtC,MAAM,GAAG,GAAgB,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC,CAAC;QACzE,GAAG,CAAC,gBAAgB,GAAG,MAAM,CAAC;QAC9B,GAAG,CAAC,eAAe,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QAC/C,aAAa,CAAC,YAAY,EAAE,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QAElF,2EAA2E;QAC3E,IAAI,MAAM,KAAK,SAAS,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;YACjD,aAAa,GAAG,IAAI,CAAC;QACvB,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,cAAc;IAChB,CAAC;AACH,CAAC"}

package/dist/license/validate.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Periodic online licence validation — catches revocations.
+ *
+ * Fire-and-forget, never blocks. Same pattern as syncToCloud() in cloud/sync.ts.
+ * If offline, the licence stays valid until its exp date.
+ */
+type ValidationStatus = 'valid' | 'revoked' | 'expired';
+/**
+ * Run online validation if enough time has passed since the last check.
+ * Non-blocking — errors are silently ignored.
+ */
+export declare function scheduleOnlineValidation(): void;
+/**
+ * Validate the stored licence key against the SaaS API.
+ * Called periodically (every 24h) and once on activation.
+ */
+export declare function validateOnline(): Promise<void>;
+/**
+ * Run a one-time validation immediately (used during activation).
+ * Returns the validation status, or 'unvalidated' if the check fails.
+ */
+export declare function validateOnceNow(): Promise<ValidationStatus | 'unvalidated'>;
+export {};
+//# sourceMappingURL=validate.d.ts.map

package/dist/license/validate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"validate.d.ts","sourceRoot":"","sources":["../../src/license/validate.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAOH,KAAK,gBAAgB,GAAG,OAAO,GAAG,SAAS,GAAG,SAAS,CAAC;AAIxD;;;GAGG;AACH,wBAAgB,wBAAwB,IAAI,IAAI,CAO/C;AAmCD;;;GAGG;AACH,wBAAsB,cAAc,IAAI,OAAO,CAAC,IAAI,CAAC,CAYpD;AAED;;;GAGG;AACH,wBAAsB,eAAe,IAAI,OAAO,CAAC,gBAAgB,GAAG,aAAa,CAAC,CAajF"}

package/dist/license/validate.js

@@ -0,0 +1,86 @@
+/**
+ * Periodic online licence validation — catches revocations.
+ *
+ * Fire-and-forget, never blocks. Same pattern as syncToCloud() in cloud/sync.ts.
+ * If offline, the licence stays valid until its exp date.
+ */
+import { getLicenseFile, updateValidationStatus } from './store.js';
+import { parseLicensePayload } from './verify.js';
+import { ONLINE_VALIDATION_INTERVAL_MS } from './keys.js';
+import { getCloudConfig } from '../cloud/config.js';
+let lastValidationAttempt = 0;
+/**
+ * Run online validation if enough time has passed since the last check.
+ * Non-blocking — errors are silently ignored.
+ */
+export function scheduleOnlineValidation() {
+    const now = Date.now();
+    if (now - lastValidationAttempt < ONLINE_VALIDATION_INTERVAL_MS)
+        return;
+    lastValidationAttempt = now;
+    // Fire-and-forget
+    validateOnline().catch(() => { });
+}
+// ── Shared HTTP helper ──────────────────────────────────
+/**
+ * Fetch the validation status from the SaaS API.
+ * Returns null on network error, timeout, or server error.
+ */
+async function fetchValidationStatus(sid) {
+    const config = getCloudConfig();
+    const baseUrl = config.cloudBaseUrl || 'https://api.shieldcortex.ai';
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), 10_000);
+    try {
+        const res = await fetch(`${baseUrl}/v1/license/validate?sid=${encodeURIComponent(sid)}`, { signal: controller.signal });
+        if (!res.ok)
+            return null;
+        const data = await res.json();
+        if (data.status === 'unknown')
+            return null; // Subscription not found — treat as network error
+        return data.status === 'active' ? 'valid' : data.status;
+    }
+    catch {
+        return null;
+    }
+    finally {
+        clearTimeout(timeout);
+    }
+}
+// ── Public API ──────────────────────────────────────────
+/**
+ * Validate the stored licence key against the SaaS API.
+ * Called periodically (every 24h) and once on activation.
+ */
+export async function validateOnline() {
+    const file = getLicenseFile();
+    if (!file?.key)
+        return;
+    const payload = parseLicensePayload(file.key);
+    if (!payload?.sid)
+        return;
+    const status = await fetchValidationStatus(payload.sid);
+    if (status) {
+        updateValidationStatus(status);
+    }
+    // If null (network error), leave status unchanged — licence stays valid
+}
+/**
+ * Run a one-time validation immediately (used during activation).
+ * Returns the validation status, or 'unvalidated' if the check fails.
+ */
+export async function validateOnceNow() {
+    const file = getLicenseFile();
+    if (!file?.key)
+        return 'unvalidated';
+    const payload = parseLicensePayload(file.key);
+    if (!payload?.sid)
+        return 'unvalidated';
+    const status = await fetchValidationStatus(payload.sid);
+    if (status) {
+        updateValidationStatus(status);
+        return status;
+    }
+    return 'unvalidated';
+}
+//# sourceMappingURL=validate.js.map

package/dist/license/validate.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"validate.js","sourceRoot":"","sources":["../../src/license/validate.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,cAAc,EAAE,sBAAsB,EAAE,MAAM,YAAY,CAAC;AACpE,OAAO,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAClD,OAAO,EAAE,6BAA6B,EAAE,MAAM,WAAW,CAAC;AAC1D,OAAO,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AAIpD,IAAI,qBAAqB,GAAG,CAAC,CAAC;AAE9B;;;GAGG;AACH,MAAM,UAAU,wBAAwB;IACtC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,IAAI,GAAG,GAAG,qBAAqB,GAAG,6BAA6B;QAAE,OAAO;IACxE,qBAAqB,GAAG,GAAG,CAAC;IAE5B,kBAAkB;IAClB,cAAc,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;AACnC,CAAC;AAED,2DAA2D;AAE3D;;;GAGG;AACH,KAAK,UAAU,qBAAqB,CAAC,GAAW;IAC9C,MAAM,MAAM,GAAG,cAAc,EAAE,CAAC;IAChC,MAAM,OAAO,GAAG,MAAM,CAAC,YAAY,IAAI,6BAA6B,CAAC;IAErE,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;IACzC,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,MAAM,CAAC,CAAC;IAE7D,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,KAAK,CACrB,GAAG,OAAO,4BAA4B,kBAAkB,CAAC,GAAG,CAAC,EAAE,EAC/D,EAAE,MAAM,EAAE,UAAU,CAAC,MAAM,EAAE,CAC9B,CAAC;QAEF,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,OAAO,IAAI,CAAC;QAEzB,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAA8D,CAAC;QAC1F,IAAI,IAAI,CAAC,MAAM,KAAK,SAAS;YAAE,OAAO,IAAI,CAAC,CAAC,kDAAkD;QAC9F,OAAO,IAAI,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC;IAC1D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;YAAS,CAAC;QACT,YAAY,CAAC,OAAO,CAAC,CAAC;IACxB,CAAC;AACH,CAAC;AAED,2DAA2D;AAE3D;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc;IAClC,MAAM,IAAI,GAAG,cAAc,EAAE,CAAC;IAC9B,IAAI,CAAC,IAAI,EAAE,GAAG;QAAE,OAAO;IAEvB,MAAM,OAAO,GAAG,mBAAmB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC9C,IAAI,CAAC,OAAO,EAAE,GAAG;QAAE,OAAO;IAE1B,MAAM,MAAM,GAAG,MAAM,qBAAqB,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACxD,IAAI,MAAM,EAAE,CAAC;QACX,sBAAsB,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;IACD,wEAAwE;AAC1E,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe;IACnC,MAAM,IAAI,GAAG,cAAc,EAAE,CAAC;IAC9B,IAAI,CAAC,IAAI,EAAE,GAAG;QAAE,OAAO,aAAa,CAAC;IAErC,MAAM,OAAO,GAAG,mBAAmB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC9C,IAAI,CAAC,OAAO,EAAE,GAAG;QAAE,OAAO,aAAa,CAAC;IAExC,MAAM,MAAM,GAAG,MAAM,qBAAqB,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACxD,IAAI,MAAM,EAAE,CAAC;QACX,sBAAsB,CAAC,MAAM,CAAC,CAAC;QAC/B,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,OAAO,aAAa,CAAC;AACvB,CAAC"}

package/dist/license/verify.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Offline Ed25519 licence key verification.
+ *
+ * Uses Node.js built-in crypto (available since Node 18).
+ * Zero external dependencies.
+ */
+import { type LicensePayload, type LicenseInfo } from './keys.js';
+/**
+ * Parse the payload JSON from a license key without verifying the signature.
+ * Returns null if parsing fails.
+ */
+export declare function parseLicensePayload(key: string): LicensePayload | null;
+/**
+ * Verify a license key's Ed25519 signature and check expiry.
+ * This is completely offline — no network calls.
+ */
+export declare function verifyLicenseKey(key: string): LicenseInfo;
+//# sourceMappingURL=verify.d.ts.map

package/dist/license/verify.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify.d.ts","sourceRoot":"","sources":["../../src/license/verify.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EAKL,KAAK,cAAc,EACnB,KAAK,WAAW,EACjB,MAAM,WAAW,CAAC;AA4CnB;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,MAAM,GAAG,cAAc,GAAG,IAAI,CAiBtE;AAID;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,MAAM,GAAG,WAAW,CAuDzD"}