
© 2026 – Pkg Stats / Ryan Hefner

@oshon-ai/license-core

v0.9.1

Published

Offline Ed25519 license verification for Oshon commercial packages. Zero phone-home, embedded public key, grace + lapse semantics built in.

Downloads

254

Readme

@oshon-ai/license-core

Offline Ed25519 license verification for Oshon's commercial packages. Zero phone-home, embedded public key, grace + lapse semantics built in.

The library itself is MIT. The licenses it validates are commercial — see LICENSE-COMMERCIAL.md at the repo root.

Why it exists

Every Oshon Pro package (@oshon-ai/data, governance, patterns, brand-forge, cli-pro, mcp-server-pro) needs to verify a paying customer's license at boot. We do that with a signed JWT (Ed25519) that ships on the customer's machine — no network calls to verify, no analytics, no phone-home.

The signing private key lives in the Oshon issuer service. The verifying public key is baked into this package. Together they form a one-way cryptographic boundary: customers can read what's in their license, but they can't forge a new one or extend an expired one.

Install

pnpm add @oshon-ai/license-core

Usage

import { verifyLicense, loadLicense } from '@oshon-ai/license-core';

// Resolve the license JWT from $OSHON_LICENSE / ~/.oshon/license / etc.
const jwt = await loadLicense();
if (!jwt) {
  throw new Error('No Oshon license found. Run `oshon login`.');
}

const result = await verifyLicense(jwt, {
  expectedMajorVersion: 'v1',
});

switch (result.status) {
  case 'valid':
    // Full functionality. If `gracePeriodEndsAt` is non-null,
    // the license is past its `period_end` but inside grace —
    // tell the customer to renew.
    break;

  case 'lapsed':
    // The paid period elapsed and grace ran out. The customer
    // KEEPS perpetual use of the version they already installed
    // (see `LICENSE-COMMERCIAL.md` §4(e)) — but refuse to
    // download / install / upgrade to a newer version.
    console.warn(`License lapsed on ${result.lapsedAt.toISOString()}`);
    break;

  case 'invalid':
    // Bad signature, malformed JWT, or audience mismatch (e.g.
    // a v1 license being used to run a v2 package). Refuse to load.
    throw new Error(`Invalid Oshon license: ${result.reason}`);
}

Three-state result

| Status  | Meaning                                                         | What the package should do            |
| ------- | --------------------------------------------------------------- | ------------------------------------- |
| valid   | Active subscription, signature OK, audience matches             | Run normally, allow updates           |
| lapsed  | Subscription canceled or paid period + grace expired            | Keep installed version, block updates |
| invalid | Signature failed, malformed, wrong issuer, or audience mismatch | Refuse to load                        |

Lapse semantics

Oshon's commercial license includes a perpetuity clause: when a customer's subscription lapses, they keep the right to use the specific version they already installed — forever. They just don't get any new versions, security patches, or support.

This package implements that by returning status: 'lapsed' instead of status: 'invalid' when the paid period has elapsed. The consuming Pro package keeps running fine; the cli-pro upgrade command and the postinstall hook in commercial packages check the status and refuse to advance the installed version.

Audience checks (major version)

Each license is issued for one or more major versions — encoded in the JWT's standard aud claim. A v1 license has aud: ['v1'] and is rejected when running v2 packages with expectedMajorVersion: 'v2'.

This is how LICENSE-COMMERCIAL.md §3 enforces "v2 / v3 require new license purchases" — the runtime simply refuses to load.

Resolution sources (in order)

loadLicense() tries these in order; first non-empty wins:

  1. opts.jwt — explicit string from the caller
  2. opts.customResolver() — for Bun, Deno, edge runtimes
  3. process.env.OSHON_LICENSE (override the env var name via opts.envVarName)
  4. opts.filePath — explicit path
  5. ~/.oshon/license — user-scope canonical location
  6. ./.oshon/license — project-scope canonical location

Returns null if nothing was found. Verification is the consumer's call (fail-closed, or fall through to a free tier).

Security model

  • Embedded public key. Tampering with the bundled key in this package will cause verifyLicense to reject every legitimate license — there's no fallback or alternate key.
  • Strict algorithm pinning. Only EdDSA is accepted. An attacker can't downgrade to a weaker JWS algorithm by editing the JWT header.
  • Strict issuer pinning. Only oshon.ai is accepted as iss.
  • Clock-skew tolerance. Defaults to 60 seconds; tunable via clockSkewSeconds.
  • Grace window. Defaults to 7 days past period_end before the license flips to lapsed; tunable via gracePeriodDays. Buys time for renewal payments to settle.

License (the validator)

MIT. See LICENSE.