Introduction

@ngaf/licensing is the shared license-check helper used by the framework packages. It verifies compact Ed25519-signed tokens offline, maps the verification result to one of a small set of statuses, and emits non-blocking warnings when appropriate.

The package itself is MIT licensed. COMMERCIAL.md states that the libraries in this repository are free to use, modify, and distribute in commercial and noncommercial projects. The proprietary part called out there is the internal minting service, not this package.

#Public API shape

The main entry point exports:

| API | Purpose |
| --- | --- |
| verifyLicense() | verifies token signature against a public key |
| evaluateLicense() | turns a verify result and current time into a status |
| runLicenseCheck() | verifies, evaluates, and warns once |
| emitNag() | emits the warning for non-licensed statuses |
| signLicense() | signs claims with an Ed25519 private key |
| inferNoncommercial() | returns a default noncommercial hint from NODE_ENV |
| LICENSE_PUBLIC_KEY | bundled public key |

@noble/ed25519 is the only peer dependency.

#Token model

A token is:

<base64url(payload-json)>.<base64url(ed25519-signature)>

The payload must match LicenseClaims:

type LicenseTier = 'developer-seat' | 'app-deployment' | 'enterprise';
 
interface LicenseClaims {
  sub: string;
  tier: LicenseTier;
  iat: number;
  exp: number;
  seats: number;
}

seats must be a number greater than or equal to 1.

#Status model

evaluateLicense() returns one of:

| Status | Meaning |
| --- | --- |
| licensed | signature verified and nowSec <= exp |
| grace | signature verified, expired, but still inside the grace window |
| expired | signature verified and outside the grace window |
| missing | no token and not marked noncommercial |
| tampered | token was malformed or failed signature verification |
| noncommercial | no token and isNoncommercial was true |

The default grace window is 14 days.
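
The token format and status table above can be walked through end to end in a short sketch. This is an added example, not the @ngaf/licensing source: splitToken, parseClaims, statusFor and sampleToken are hypothetical names, and the Ed25519 check is passed in as a verifySig callback because the page does not show the signature of verifyLicense(). It assumes the signature covers the decoded payload bytes and that the grace boundary is inclusive.

```javascript
// Added example, not the @ngaf/licensing source. All names here are hypothetical.
const TIERS = ['developer-seat', 'app-deployment', 'enterprise'];
const GRACE_SEC = 14 * 24 * 60 * 60; // default grace window stated on the page
const B64URL = /^[A-Za-z0-9_-]+$/;   // strict alphabet; Buffer alone would skip bad chars

// Structural parse only. Returns { payload, sig } as Buffers, or null if malformed.
function splitToken(token) {
  const parts = typeof token === 'string' ? token.split('.') : [];
  if (parts.length !== 2 || !parts.every((p) => B64URL.test(p))) return null;
  const payload = Buffer.from(parts[0], 'base64url');
  const sig = Buffer.from(parts[1], 'base64url');
  return sig.length === 64 ? { payload, sig } : null; // Ed25519 signatures are 64 bytes
}

// Shape check against LicenseClaims; called only after the signature has verified.
function parseClaims(payload) {
  let c;
  try { c = JSON.parse(payload.toString('utf8')); } catch { return null; }
  const ok = c !== null && typeof c === 'object' &&
    typeof c.sub === 'string' && TIERS.includes(c.tier) &&
    Number.isFinite(c.iat) && Number.isFinite(c.exp) &&
    typeof c.seats === 'number' && c.seats >= 1;
  return ok ? c : null;
}

// verifySig(payloadBytes, sigBytes) -> boolean stands in for the Ed25519 check.
// Assumption: the signature covers the decoded payload bytes.
function statusFor(token, nowSec, verifySig, isNoncommercial = false) {
  if (!token) return isNoncommercial ? 'noncommercial' : 'missing';
  const parts = splitToken(token);
  if (!parts || !verifySig(parts.payload, parts.sig)) return 'tampered';
  const claims = parseClaims(parts.payload); // untrusted JSON is parsed only now
  if (!claims) return 'tampered';
  if (nowSec <= claims.exp) return 'licensed';
  // Assumption: the grace boundary is inclusive.
  return nowSec <= claims.exp + GRACE_SEC ? 'grace' : 'expired';
}

// Constructed sample token; the all-zero signature is a placeholder, not a real one.
function sampleToken(claims) {
  const body = Buffer.from(JSON.stringify(claims)).toString('base64url');
  return `${body}.${Buffer.alloc(64).toString('base64url')}`;
}
```

Every malformed input, including a token with extra segments or a payload with seats below 1, lands on tampered rather than throwing, which matches the status-not-exception posture described for the package.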

#Runtime posture

The higher-level check is designed not to block app startup:

  • signature verification is local;
  • warning output goes through console.warn unless a custom warn function is supplied;
  • no network request is made by the licensing check.

The code returns statuses instead of throwing for normal license states. Consumers can choose what to do with the status, but the framework packages use it as a warning and visibility mechanism, not as an app kill switch.