sourcecode 1.35.35__tar.gz → 1.35.36__tar.gz

{sourcecode-1.35.35 → sourcecode-1.35.36}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: sourcecode
-Version: 1.35.35
+Version: 1.35.36
 Summary: Persistent structural context and ultra-fast repeated analysis for AI coding agents
 License-File: LICENSE
 Keywords: agents,ai,codebase,context,developer-tools,llm
@@ -40,7 +40,7 @@ Description-Content-Type: text/markdown
 
 **Persistent structural context and ultra-fast repeated analysis for AI coding agents.**
 
-![Version](https://img.shields.io/badge/version-1.35.35-blue)
+![Version](https://img.shields.io/badge/version-1.35.36-blue)
 ![Python](https://img.shields.io/badge/python-3.10%2B-green)
 
 ---
@@ -114,7 +114,7 @@ pipx install sourcecode
 
 ```bash
 sourcecode version
-# sourcecode 1.35.35
+# sourcecode 1.35.36
 ```
 
 ---

{sourcecode-1.35.35 → sourcecode-1.35.36}/README.md

@@ -2,7 +2,7 @@
 
 **Persistent structural context and ultra-fast repeated analysis for AI coding agents.**
 
-![Version](https://img.shields.io/badge/version-1.35.35-blue)
+![Version](https://img.shields.io/badge/version-1.35.36-blue)
 ![Python](https://img.shields.io/badge/python-3.10%2B-green)
 
 ---
@@ -76,7 +76,7 @@ pipx install sourcecode
 
 ```bash
 sourcecode version
-# sourcecode 1.35.35
+# sourcecode 1.35.36
 ```
 
 ---

{sourcecode-1.35.35 → sourcecode-1.35.36}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "sourcecode"
-version = "1.35.35"
+version = "1.35.36"
 description = "Persistent structural context and ultra-fast repeated analysis for AI coding agents"
 readme = "README.md"
 requires-python = ">=3.9"

{sourcecode-1.35.35 → sourcecode-1.35.36}/src/sourcecode/__init__.py

@@ -1,3 +1,3 @@
 """sourcecode — Deterministic codebase context maps for AI coding agents."""
 
-__version__ = "1.35.35"
+__version__ = "1.35.36"

{sourcecode-1.35.35 → sourcecode-1.35.36}/src/sourcecode/license.py

@@ -40,10 +40,15 @@ from typing import Optional
 # Supabase endpoint config — hardcoded for production; override via env for dev
 # ---------------------------------------------------------------------------
 _DEFAULT_SUPABASE_URL: str = "https://qkndlmyekvujjdgthtmz.supabase.co"
+# Public anon/publishable key — safe to ship in client code. RLS plus the
+# service-role key (server-only, in the Edge Function secrets) protect the data.
+# Paste your project's anon key here so `sourcecode activate` works out of the
+# box; env var still overrides for testing against another project.
+_DEFAULT_SUPABASE_ANON_KEY: str = "sb_publishable_qiJFLWjbBbTqjg-fb0mAGA_cl8PBOKH"
 _SUPABASE_URL: str = os.environ.get("SOURCECODE_SUPABASE_URL", _DEFAULT_SUPABASE_URL)
 _SUPABASE_ANON_KEY: str = os.environ.get(
     "SOURCECODE_SUPABASE_ANON_KEY",
-    "",  # Set SOURCECODE_SUPABASE_ANON_KEY to your project anon key
+    _DEFAULT_SUPABASE_ANON_KEY,
 )
 if _SUPABASE_URL != _DEFAULT_SUPABASE_URL:
     sys.stderr.write(

sourcecode-1.35.36/supabase/functions/README.md

@@ -0,0 +1,35 @@
+# Supabase Edge Functions
+
+Backend for the Pro license flow. The CLI side lives in
+`src/sourcecode/license.py`.
+
+## Functions
+
+| Function | Purpose | JWT |
+|----------|---------|-----|
+| `get-license` | Validates a license key for `sourcecode activate` and the 30-min revalidation. Returns `{valid, plan, status, features, email}`. | `--no-verify-jwt` |
+| `lemonsqueezy-webhook` | Lemon Squeezy purchase/subscription webhook. Stores the LS native key, sets plan/status, handles revocation. | `--no-verify-jwt` |
+
+Both deploy with JWT verification OFF: the CLI authenticates with the public
+publishable key (not a JWT), and the webhook authenticates via HMAC signature.
+
+## Secrets (Supabase dashboard -> Edge Functions -> Secrets)
+
+- `SUPABASE_URL`
+- `SUPABASE_SERVICE_ROLE_KEY`
+- `LEMON_SQUEEZY_WEBHOOK_SECRET` (webhook only)
+
+## Deploy
+
+```bash
+supabase functions deploy get-license --no-verify-jwt
+supabase functions deploy lemonsqueezy-webhook --no-verify-jwt
+```
+
+## Lemon Squeezy config
+
+- Keep **Generate license keys** ON for every Pro variant (LS emails the key;
+  the webhook stores that same native key — single key system).
+- Subscribe the webhook to: `license_key_created`, `order_created`,
+  `subscription_created/updated/resumed/unpaused`,
+  `subscription_payment_success`, `subscription_expired`, `subscription_paused`.

sourcecode-1.35.36/supabase/functions/get-license/index.ts

@@ -0,0 +1,83 @@
+import { serve } from "https://deno.land/std@0.177.0/http/server.ts";
+import { createClient } from "https://esm.sh/@supabase/supabase-js@2";
+
+// License validation endpoint hit by the CLI's `sourcecode activate <key>` and
+// by the 30-min background revalidation (license.py: _call_get_license).
+// Deploy with --no-verify-jwt: the CLI authenticates with the public
+// publishable key, which is not a legacy-secret JWT. Protection is the exact
+// license_key the caller must present + service-role lookup, not a JWT.
+const SUPABASE_URL = Deno.env.get("SUPABASE_URL")!;
+const SUPABASE_SERVICE_ROLE_KEY = Deno.env.get("SUPABASE_SERVICE_ROLE_KEY")!;
+
+// Same format the CLI validates (license.py:72)
+const LICENSE_KEY_RE = /^[A-Za-z0-9_\-]{1,200}$/;
+
+const json = (body: unknown, status = 200) =>
+  new Response(JSON.stringify(body), {
+    status,
+    headers: { "Content-Type": "application/json" },
+  });
+
+serve(async (req: Request) => {
+  if (req.method !== "POST") {
+    return json({ valid: false, error: "method_not_allowed" }, 405);
+  }
+
+  let payload: Record<string, unknown>;
+  try {
+    payload = await req.json();
+  } catch {
+    return json({ valid: false, error: "invalid_json" }, 400);
+  }
+
+  const licenseKey = ((payload.license_key as string) ?? "").trim();
+  if (!licenseKey || !LICENSE_KEY_RE.test(licenseKey)) {
+    return json({ valid: false, error: "invalid_license_format" });
+  }
+
+  const supabase = createClient(SUPABASE_URL, SUPABASE_SERVICE_ROLE_KEY);
+
+  const { data: user, error } = await supabase
+    .from("users")
+    .select("email, plan, status, features")
+    .eq("license_key", licenseKey)
+    .maybeSingle();
+
+  if (error) {
+    console.error("DB error", error);
+    return json({ valid: false, error: "db_error" }, 500);
+  }
+
+  if (!user) {
+    return json({ valid: false, error: "license_not_found" });
+  }
+
+  const active = (user.status ?? "active") === "active";
+  const isPro = user.plan === "pro";
+
+  // Revocation: status != active OR plan != pro -> valid:false.
+  // The CLI revalidates every 30 min and clears its cache on this response.
+  if (!active || !isPro) {
+    return json({
+      valid: false,
+      error: !isPro ? "not_pro" : "inactive",
+      plan: user.plan ?? "free",
+      status: user.status ?? "inactive",
+    });
+  }
+
+  // features may arrive as jsonb (array) or as a JSON string — normalize
+  let features = user.features as unknown;
+  if (typeof features === "string") {
+    try { features = JSON.parse(features); } catch { features = []; }
+  }
+  if (!Array.isArray(features)) features = [];
+
+  return json({
+    valid: true,
+    plan: user.plan,
+    status: user.status ?? "active",
+    features,
+    email: user.email ?? "",
+  });
+});

sourcecode-1.35.36/supabase/functions/lemonsqueezy-webhook/index.ts

@@ -0,0 +1,163 @@
+import { serve } from "https://deno.land/std@0.177.0/http/server.ts";
+import { createClient } from "https://esm.sh/@supabase/supabase-js@2";
+
+// Lemon Squeezy webhook. Source of truth for plan/status and the license key.
+// Deploy with --no-verify-jwt (Lemon Squeezy does not send a Supabase JWT;
+// HMAC signature is the authentication). Keep "Generate license keys" ON on
+// every Pro variant: LS emails the key to the customer and we store that same
+// native key here, so there is a single key system end to end.
+const LEMON_SQUEEZY_WEBHOOK_SECRET = Deno.env.get("LEMON_SQUEEZY_WEBHOOK_SECRET")!;
+const SUPABASE_URL = Deno.env.get("SUPABASE_URL")!;
+const SUPABASE_SERVICE_ROLE_KEY = Deno.env.get("SUPABASE_SERVICE_ROLE_KEY")!;
+
+const PRO_FEATURES = ["impact", "review-pr", "generate-tests", "mcp"];
+
+// The license key is delivered by this event (LS generates + emails it):
+const LICENSE_EVENTS = ["license_key_created"];
+// Activate / keep Pro:
+const ACTIVATE_EVENTS = [
+  "order_created",
+  "subscription_created",
+  "subscription_updated",
+  "subscription_resumed",
+  "subscription_unpaused",
+  "subscription_payment_success",
+];
+// Revocation — real end of access. NOT subscription_cancelled: that keeps
+// access until period end; LS sends subscription_expired when it actually ends.
+const REVOKE_EVENTS = [
+  "subscription_expired",
+  "subscription_paused",
+];
+const HANDLED_EVENTS = [...LICENSE_EVENTS, ...ACTIVATE_EVENTS, ...REVOKE_EVENTS];
+
+async function verifySignature(rawBody: string, signature: string): Promise<boolean> {
+  if (!signature) return false;
+  const encoder = new TextEncoder();
+  const key = await crypto.subtle.importKey(
+    "raw",
+    encoder.encode(LEMON_SQUEEZY_WEBHOOK_SECRET),
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["sign"],
+  );
+  const expected = await crypto.subtle.sign("HMAC", key, encoder.encode(rawBody));
+  const expectedHex = Array.from(new Uint8Array(expected))
+    .map((b) => b.toString(16).padStart(2, "0"))
+    .join("");
+  return expectedHex === signature;
+}
+
+const json = (body: unknown, status = 200) =>
+  new Response(JSON.stringify(body), {
+    status,
+    headers: { "Content-Type": "application/json" },
+  });
+
+serve(async (req: Request) => {
+  if (req.method !== "POST") return new Response("Method not allowed", { status: 405 });
+
+  const rawBody = await req.text();
+  const signature =
+    req.headers.get("X-Signature") ?? req.headers.get("x-signature") ?? "";
+
+  if (!(await verifySignature(rawBody, signature))) {
+    console.error("Invalid webhook signature");
+    return new Response("Unauthorized", { status: 401 });
+  }
+
+  let payload: Record<string, unknown>;
+  try {
+    payload = JSON.parse(rawBody);
+  } catch {
+    return new Response("Bad request: invalid JSON", { status: 400 });
+  }
+
+  const meta = payload.meta as Record<string, unknown>;
+  const data = payload.data as Record<string, unknown>;
+  const eventName = meta?.event_name as string;
+  const eventId = meta?.event_id as string | undefined;
+
+  if (!HANDLED_EVENTS.includes(eventName)) {
+    return json({ received: true, skipped: true });
+  }
+
+  const attributes = data?.attributes as Record<string, unknown>;
+  const email = ((attributes?.user_email ?? attributes?.customer_email) as string ?? "")
+    .toLowerCase();
+
+  if (!email || !email.includes("@")) {
+    console.error("No valid email in payload", { eventName });
+    return new Response("Bad request: no email", { status: 400 });
+  }
+
+  const supabase = createClient(SUPABASE_URL, SUPABASE_SERVICE_ROLE_KEY);
+
+  // Idempotency
+  if (eventId) {
+    const { data: existing } = await supabase
+      .from("license_events").select("id").eq("event_id", eventId).maybeSingle();
+    if (existing) return json({ received: true, duplicate: true });
+  }
+
+  const { data: existingUser } = await supabase
+    .from("users").select("id, license_key").eq("email", email).maybeSingle();
+
+  let userId = existingUser?.id;
+  const now = new Date().toISOString();
+
+  // #3  license_key_created -> store the native Lemon Squeezy key
+  if (LICENSE_EVENTS.includes(eventName)) {
+    const lsKey = attributes?.key as string;
+    if (!lsKey) {
+      console.error("license_key_created without attributes.key");
+      return new Response("Bad request: no key", { status: 400 });
+    }
+    const { data: up, error } = await supabase.from("users").upsert(
+      { email, plan: "pro", status: "active", features: PRO_FEATURES,
+        license_key: lsKey, updated_at: now },
+      { onConflict: "email", ignoreDuplicates: false },
+    ).select("id").single();
+    if (error) { console.error("upsert key", error); return json({ error: "DB" }, 500); }
+    userId = up?.id ?? userId;
+  }
+
+  // #4  Revocation -> status inactive (does NOT touch license_key or plan)
+  else if (REVOKE_EVENTS.includes(eventName)) {
+    const { error } = await supabase.from("users")
+      .update({ status: "inactive", updated_at: now }).eq("email", email);
+    if (error) console.error("revoke", error);
+    if (userId) {
+      await supabase.from("subscriptions").update({ status: "inactive" }).eq("user_id", userId);
+    }
+  }
+
+  // Activation -> plan pro + active (preserves existing license_key)
+  else {
+    const { data: up, error } = await supabase.from("users").upsert(
+      { email, plan: "pro", status: "active", features: PRO_FEATURES, updated_at: now },
+      { onConflict: "email", ignoreDuplicates: false },
+    ).select("id").single();
+    if (error) { console.error("upsert activate", error); return json({ error: "DB" }, 500); }
+    userId = up?.id ?? userId;
+
+    const periodEnd = (attributes?.renews_at ?? attributes?.ends_at ?? null) as string | null;
+    await supabase.from("subscriptions").upsert(
+      { user_id: userId, provider: "lemonsqueezy", status: "active",
+        current_period_end: periodEnd, created_at: now },
+      { onConflict: "user_id" },
+    );
+  }
+
+  // Audit
+  const { error: evErr } = await supabase.from("license_events").insert({
+    user_id: userId ?? null,
+    event_type: eventName,
+    event_id: eventId ?? null,
+    payload: JSON.parse(JSON.stringify(payload)),
+  });
+  if (evErr) console.error("license_event insert", evErr);
+
+  console.log(`Processed ${eventName} for ${email}`);
+  return json({ received: true, email, event: eventName });
+});