Update licensing-tiers guide: signed-key entitlement ceiling
@@ -23,12 +23,16 @@ license lifts those caps and unlocks `recurring_billing` + `zaprite_payments`.
|
|||||||
Treat any "marketplace build refuses to start without a license" wording in code
|
Treat any "marketplace build refuses to start without a license" wording in code
|
||||||
comments or copy as stale.
|
comments or copy as stale.
|
||||||
|
|
||||||
## Live entitlements
|
## Live entitlements, clamped to the signed key
|
||||||
|
|
||||||
Tier gates must read **LIVE** entitlements from `licenses.entitlements` (refreshed
|
Tier gates read **live** entitlements from `licenses.entitlements`, refreshed
|
||||||
hourly by `refresh_self_tier_from_db` in `license_self.rs`), **not** the
|
hourly by `refresh_self_tier_from_db` in `license_self.rs`, so issuer-applied
|
||||||
entitlements baked into the signed payload at issue time. The signed payload is a
|
**downgrades, suspensions, and revocations** reach a running daemon without a
|
||||||
point-in-time snapshot; entitlements can change after issuance.
|
restart. The signed self-license key is the **ceiling**: the live DB row may
|
||||||
|
*narrow* the tier but never *widen* it past what the signature grants
|
||||||
|
(`clamp_to_signed_ceiling`). A genuine **upgrade** therefore comes from a
|
||||||
|
re-issued key — re-run the StartOS "Activate Keysat license" action — not from
|
||||||
|
editing the DB row.
|
||||||
|
|
||||||
## Never silently widen a tier
|
## Never silently widen a tier
|
||||||
|
|
||||||
|
|||||||
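Review bot: The rewritten "Live entitlements, clamped to the signed key" paragraph does not say what a tier gate uses when the `licenses.entitlements` row is missing or the hourly `refresh_self_tier_from_db` run fails. State the fallback explicitly, and say whether it is the signed ceiling or the last refreshed value, since the first would let a suspended or revoked license regain its full signed tier after a failed refresh. The paragraph should also give the worst-case delay implied by "refreshed hourly" for downgrades, suspensions, and revocations. It describes `clamp_to_signed_ceiling` only in terms of the tier, so add whether the clamp also covers individual entitlements such as `recurring_billing` and `zaprite_payments`. Finally, the old wording "Tier gates must read **LIVE** entitlements" was normative and the new "Tier gates read **live** entitlements" is descriptive; keep "must" if this guide is meant to bind new gate code.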