From 543a247adaefeb881d6d9a82ceb7ce5102dc11b9 Mon Sep 17 00:00:00 2001
From: Keysat <licensing@keysat.xyz>
Date: Fri, 19 Jun 2026 11:48:26 -0500
Subject: [PATCH] Note self-license expiry re-check in licensing-tiers guide

---
 docs/guides/licensing-tiers.md | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/docs/guides/licensing-tiers.md b/docs/guides/licensing-tiers.md
index 2f436aa..fc5458d 100644
--- a/docs/guides/licensing-tiers.md
+++ b/docs/guides/licensing-tiers.md
@@ -27,8 +27,10 @@ comments or copy as stale.
 
 Tier gates read **live** entitlements from `licenses.entitlements`, refreshed
 hourly by `refresh_self_tier_from_db` in `license_self.rs`, so issuer-applied
-**downgrades, suspensions, and revocations** reach a running daemon without a
-restart. The signed self-license key is the **ceiling**: the live DB row may
+**downgrades, suspensions, and revocations** — plus the key's own **expiry**
+(the refresh re-verifies the on-disk key, demoting an expired one) — reach a
+running daemon without a restart. The signed self-license key is the
+**ceiling**: the live DB row may
 *narrow* the tier but never *widen* it past what the signature grants
 (`clamp_to_signed_ceiling`). A genuine **upgrade** therefore comes from a
 re-issued key — re-run the StartOS "Activate Keysat license" action — not from