From 4ce76f8c756a832ecdb5cd00303db427687852fd Mon Sep 17 00:00:00 2001 From: Keysat Date: Fri, 19 Jun 2026 09:23:07 -0500 Subject: [PATCH] Update licensing-tiers guide: signed-key entitlement ceiling --- docs/guides/licensing-tiers.md | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/docs/guides/licensing-tiers.md b/docs/guides/licensing-tiers.md index 35ec173..2f436aa 100644 --- a/docs/guides/licensing-tiers.md +++ b/docs/guides/licensing-tiers.md @@ -23,12 +23,16 @@ license lifts those caps and unlocks `recurring_billing` + `zaprite_payments`. Treat any "marketplace build refuses to start without a license" wording in code comments or copy as stale. -## Live entitlements +## Live entitlements, clamped to the signed key -Tier gates must read **LIVE** entitlements from `licenses.entitlements` (refreshed -hourly by `refresh_self_tier_from_db` in `license_self.rs`), **not** the -entitlements baked into the signed payload at issue time. The signed payload is a -point-in-time snapshot; entitlements can change after issuance. +Tier gates read **live** entitlements from `licenses.entitlements`, refreshed +hourly by `refresh_self_tier_from_db` in `license_self.rs`, so issuer-applied +**downgrades, suspensions, and revocations** reach a running daemon without a +restart. The signed self-license key is the **ceiling**: the live DB row may +*narrow* the tier but never *widen* it past what the signature grants +(`clamp_to_signed_ceiling`). A genuine **upgrade** therefore comes from a +re-issued key — re-run the StartOS "Activate Keysat license" action — not from +editing the DB row. ## Never silently widen a tier
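Review bot: the new paragraph names `clamp_to_signed_ceiling` but, unlike `refresh_self_tier_from_db`, gives no file or module for it, and it leaves the failure path undocumented: the text does not say what a tier gate does when `licenses.entitlements` cannot be read or the hourly refresh fails (keep the last live row, fall back to the signed ceiling, or deny). Suggest adding the location next to the first mention of `clamp_to_signed_ceiling` and one sentence on the fallback, e.g. "If the live row cannot be read, gates fall back to [documented fallback], never to an unclamped value." It is also worth stating the latency explicitly: with an hourly refresh, a downgrade, suspension or revocation can take up to an hour to reach a running daemon, whereas the sentence as written only promises it arrives "without a restart".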