fix: real license validation — call Polar API directly, fail-closed

Fixes 4 audit findings:
1. Remove soft validation (was trivially bypassable with any ps_pro_ prefix)
2. Use Polar customer-portal endpoint (public, no server token needed)
3. Fail-closed on network error (was fail-open, allowing deliberate bypass)
4. Remove --api-key CLI flag (keys via env var only, prevents shell history exposure)
5. Exit 1 when --simulate requested but license validation fails

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: oxxo

apps/cli/src/index.ts

@@ -36,7 +36,7 @@ program
   .option('--record [dir]', 'Record simulator walkthrough video (requires --simulate, saves .webm)')
   .option('--upload', 'Upload HTML report to GitHub Gist and return shareable URL (requires GITHUB_TOKEN)')
   .option('--vision', 'Run AI vision analysis on each screen with GPT-4o (requires PROTOSCAN_API_KEY or OPENAI_API_KEY)')
-  .option('--api-key <key>', 'ProtoScan API key for server-side vision (or set PROTOSCAN_API_KEY env var)')
+  // PROTOSCAN_API_KEY via env var only — never pass keys as CLI args (shell history exposure)
   .option('--max-vision-cost <usd>', 'Maximum USD to spend on vision analysis', '5')
   .action(async (input: string, options) => {
     // Parse Figma URL or raw file key
@@ -84,7 +84,7 @@ program
 
       let simulatorIssues: Issue[] = [];
       if (options.simulate) {
-        const proKey = options.apiKey ?? process.env.PROTOSCAN_API_KEY;
+        const proKey = process.env.PROTOSCAN_API_KEY;
         if (!proKey) {
           console.error('');
           console.error('  ⚡ --simulate is a ProtoScan Pro feature.');
@@ -93,12 +93,15 @@ program
           console.error('');
           console.error('  Static analysis will continue without simulation.');
           console.error('');
-        } else if (!(await validateLicenseKey(proKey)).valid) {
-          console.error('');
-          console.error('  ⚠ Invalid or expired PROTOSCAN_API_KEY.');
-          console.error('  Renew at: https://protoscan.dev/pro');
-          console.error('');
         } else {
+          const license = await validateLicenseKey(proKey);
+          if (!license.valid) {
+            console.error('');
+            console.error(`  ⚠ ${license.error ?? 'Invalid or expired PROTOSCAN_API_KEY.'}`);
+            console.error('  Get or renew your key at: https://protoscan.dev/pro');
+            console.error('');
+            process.exit(1);
+          }
           try {
             const recordDir = options.record === true ? '.' : (options.record || undefined);
             if (recordDir) {
@@ -127,7 +130,7 @@ program
 
       let visionIssues: Issue[] = [];
       if (options.vision) {
-        const protoscanKey = options.apiKey ?? process.env.PROTOSCAN_API_KEY;
+        const protoscanKey = process.env.PROTOSCAN_API_KEY;
         const openaiKey = process.env.OPENAI_API_KEY;
         const screenCount = graph.nodes.size;
         const COST_PER_SCREEN = 0.005;

packages/core/src/license.ts

@@ -1,35 +1,29 @@
 const POLAR_ORG_ID = '1a0b8ee1-1f06-44ea-b6f4-99d7687be563';
-const VALIDATE_URL = 'https://api.polar.sh/v1/license-keys/validate';
+const VALIDATE_URL = 'https://api.polar.sh/v1/customer-portal/license-keys/validate';
 
 export interface LicenseValidation {
   valid: boolean;
   error?: string;
 }
 
 /**
- * Validate a ProtoScan API key (Polar.sh license key) against the Polar API.
- * Requires POLAR_ACCESS_TOKEN env var for server-side validation.
- * Returns { valid: true } if key is active, { valid: false, error } otherwise.
+ * Validate a ProtoScan API key (Polar.sh license key) against the public
+ * customer-portal endpoint. No server-side token needed — the endpoint
+ * accepts organization_id + key directly.
+ *
+ * Fail-closed: network errors return invalid (user must be online to validate).
  */
 export async function validateLicenseKey(key: string): Promise<LicenseValidation> {
-  const polarToken = process.env.POLAR_ACCESS_TOKEN;
-  if (!polarToken) {
-    // No server token — accept any key with the right prefix as a soft check.
-    // Full validation happens when POLAR_ACCESS_TOKEN is configured (production).
-    if (key.startsWith('ps_pro_') && key.length > 10) {
-      return { valid: true };
-    }
-    return { valid: false, error: 'Invalid key format. Keys start with ps_pro_' };
+  if (!key || key.length < 5) {
+    return { valid: false, error: 'Invalid key format.' };
   }
 
   try {
     const res = await fetch(VALIDATE_URL, {
       method: 'POST',
-      headers: {
-        'Authorization': `Bearer ${polarToken}`,
-        'Content-Type': 'application/json',
-      },
+      headers: { 'Content-Type': 'application/json' },
       body: JSON.stringify({ key, organization_id: POLAR_ORG_ID }),
+      signal: AbortSignal.timeout(10_000),
     });
 
     if (res.ok) {
@@ -41,8 +35,8 @@ export async function validateLicenseKey(key: string): Promise<LicenseValidation
     }
 
     return { valid: false, error: `Validation failed (HTTP ${res.status})` };
-  } catch {
-    // Network error — fail open to avoid blocking users when Polar is down
-    return { valid: true };
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    return { valid: false, error: `Unable to verify license — check your network connection. (${msg})` };
   }
 }