grant/keysat-root
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
fc37b2d46bf8c835eeb03a7ef7daeaba605ba2d6
keysat-root/PORTING_SDK_TO_NEW_LANGUAGES.md
T
Keysat 843ff0e5d7 Initial backup of root workspace files 
Glue files not covered by subproject repos: top-level docs, logo,
keysat-design-system, and crosscheck tests. Subproject folders are
gitignored (each has its own Gitea remote).
2026-06-12 17:51:40 -05:00

267 lines
13 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Porting Keysat SDK to New Languages — v0.2 Roadmap
This document is a working spec for adding first-class language support
beyond the v0.1 Rust + TypeScript SDKs. Use it as the contributor brief
when you (or someone you hire) sit down to write the Python SDK, the Go
SDK, etc.
**Scope:** v0.1 ships with `licensing-client` (Rust crate) and
`@keysat/licensing-client` (npm). Anyone integrating Keysat into software
written in another language has to either write their own thin verifier
against the documented wire format, or wait for an official SDK. v0.2's
goal is to remove that friction for the languages where most paid
software actually ships.
---
## Language priorities for v0.2
In rough order of how often each comes up in indie / small-team paid
software, and how complete the Ed25519 + base32 ecosystem is:
| Priority | Language | Rationale | Crypto status |
|----------|-------------|------------------------------------------------------------------------|---------------|
| 1 | Python | Server-side software, CLIs, ML tools, scientific software. | `cryptography` mature, Ed25519 native |
| 2 | Go | Backend services, CLIs, infrastructure tools. | `crypto/ed25519` in stdlib |
| 3 | C# / .NET | Windows desktop apps, games (Unity), enterprise tools. | `NSec` or `BouncyCastle` |
| 4 | Swift | macOS + iOS apps. Largest paid-app market. | `CryptoKit` Ed25519 native (iOS 13+) |
| 5 | Java/Kotlin | Android apps, enterprise software. | `BouncyCastle` |
| 6 | C++ | Native games, audio/video tools. | `libsodium` |
Picking just two as the first batch: **Python** (already has the reference
signer code, already proven to interoperate) and **Go** (most-requested
language for self-hosted server software).
---
## Wire format — the single source of truth
Every SDK must implement the exact byte layout already documented and
test-fixtured in this repo. Do not invent a new layout.
**Authoritative source files.** Read all three before writing a line of
code:
- `licensing-service/src/crypto/mod.rs` — Rust impl, comment-heavy.
Defines `LicensePayload`, encoding, decoding, and the v1↔v2 boundary.
- `licensing-client-ts/src/key.ts` — second independent impl in TS.
- `tests/crosscheck/reference_signer.py` — third independent impl in
Python. Uses `cryptography` rather than `pynacl` — different
underlying primitive impl, so agreement is meaningful.
**Format summary** (read the source for byte-exact details):
- Key string shape: `LIC1-<base32-payload>-<base32-signature>` with
Crockford base32 alphabet (uppercase, no padding, with the standard
Crockford alphabet substitutions: I↔1, L↔1, O↔0).
- Signature: Ed25519 over the raw payload bytes.
- Payload: a fixed-prefix binary structure with `version | flags |
product_id (UUID, 16 bytes) | license_id (UUID, 16 bytes) | issued_at
(i64 unix seconds) | expires_at (i64 unix seconds, 0 means perpetual)
| fingerprint_hash (32 bytes, all zeros if unbound)`. v2 adds a
variable-length tail of UTF-8 entitlements. v1 (legacy) is fixed at
74 bytes with no entitlements.
- Flags: bit 0 = `FINGERPRINT_BOUND`, bit 1 = `TRIAL`. Reserve all
other bits for future expansion; SDKs must preserve unknown flags
on parse rather than rejecting.
- Fingerprint: client-supplied raw string, hashed by the SDK to SHA-256
before being sent to the server. The server stores only the hash.
If the v0.1 Rust source and this doc ever disagree on a byte, the Rust
source wins and this doc gets fixed.
---
## Functional parity matrix — what every SDK must do
Ordered roughly by integration value:
| Feature | Required | Notes |
|----------------------------------|----------|----------------------------------------------------------------|
| Parse a `LIC1-...-...` key | Required | Both v1 and v2 layouts. |
| Verify Ed25519 signature offline | Required | Given the issuer's PEM-encoded public key. |
| Detect expiry (`isExpiredAt`) | Required | Pure-function helper, no clock dep — caller supplies time. |
| Detect tamper / bad signature | Required | Distinct error type from "expired" or "wrong product". |
| Check entitlements | Required | Boolean helper given a key + entitlement slug. |
| Compute fingerprint hash | Required | SHA-256 hex; raw input never leaves the host (server-side hashed too). |
| HTTP `validate` call | Required | Returns reason on rejection (`revoked`, `fingerprint_mismatch`, `not_found`, `bad_signature`, `product_mismatch`). |
| HTTP `machines/heartbeat` | Recommended | Updates `last_heartbeat_at` on the bound machine. |
| HTTP `machines/activate` | Recommended | Explicit seat activation. |
| HTTP `machines/deactivate` | Recommended | Free a seat. |
| HTTP `purchase/start` + poll | Recommended | Drives the BTCPay flow from inside the app. Optional but very common. |
| HTTP `redeem` (free codes) | Recommended | One-shot redemption of `free_license` codes. |
| Public key from PEM | Required | Should accept the exact PEM string `GET /v1/pubkey` returns. |
| Public key from raw bytes | Optional | Convenience for compiled-in keys. |
| Browser/server agnostic | Where possible | TS SDK runs in both. Python & Go are server-only by nature; that's fine. |
Two boolean rules of thumb:
1. **Network failures must not propagate as license-invalid.** Every SDK's
online methods must distinguish "could not reach server" from "server
rejected the key." Callers will treat the first as "status unknown,
fall back to offline check" and the second as "actually invalid."
2. **Offline check must be the default code path.** All SDKs put the
offline verifier on the easy path. Online validation is opt-in. This
is what protects the seller's customers from the seller's downtime.
---
## Cross-language test vectors
`tests/crosscheck/vector.json` is the canonical fixture. Every new SDK
must pass every fixture in there before being released. The current
contents (read the file for the source-of-truth values):
- `v1` — legacy fixed-74 layout, fingerprint-bound. Tests the legacy
parser branch.
- `v2` — trial key, fingerprint-bound, explicit expiry, two
entitlements. Tests the variable-length tail parser.
- `v2_perpetual_unbound` — the common case for a paid purchase. v2, no
expiry, no binding, no entitlements.
For every new SDK, `tests/crosscheck/` should grow a new
`run_<lang>.<ext>` runner that loads `vector.json` and asserts:
1. Each key parses cleanly and field-for-field matches the fixture.
2. Each key's signature verifies against the fixture's PEM public key.
3. Tampering with one byte of the key string produces a verification
error.
4. Fingerprint binding succeeds with the matching fingerprint and fails
with a different one.
5. Entitlement lookup returns true for declared entitlements and false
for absent ones.
6. `isExpiredAt` flips at the documented boundary.
7. `hashFingerprint("hello")` matches Python's
`hashlib.sha256("hello".encode()).hexdigest()`.
If a runner can pass all seven, the SDK is wire-compatible.
---
## Per-language porting checklist
Apply this checklist when starting a new SDK in language `L`. It's
intentionally generic — adapt to L's conventions.
### Phase 0 — read
- [ ] Read this document end to end.
- [ ] Read `licensing-service/src/crypto/mod.rs` (the byte-exact source).
- [ ] Read `licensing-client-rust/src/lib.rs` and
`licensing-client-ts/src/key.ts` to see two existing impls.
- [ ] Read `tests/crosscheck/reference_signer.py` for a third.
- [ ] Run the existing TypeScript cross-check (`tests/crosscheck/run_ts.mjs`)
to confirm the fixtures in your local clone are valid.
### Phase 1 — offline verifier (the bulk of the value)
- [ ] Pick / vendor an Ed25519 verifier library for L. Use the most
mainstream option (stdlib if L has it, otherwise the most-used
package). Avoid hand-rolling crypto.
- [ ] Pick / vendor a Crockford base32 decoder. If none exists in L's
ecosystem, write ~30 lines (the alphabet is fixed; decoding is a
simple table lookup).
- [ ] Implement `PublicKey::from_pem` (or idiomatic equivalent) that
accepts the exact string `GET /v1/pubkey` returns.
- [ ] Implement `parseLicenseKey(string) -> LicenseKey` that handles
both v1 and v2 layouts, preserves unknown flag bits, and rejects
malformed inputs with a clear error type.
- [ ] Implement `Verifier::verify(key) -> VerifyOk | Error` that does
base32 decode → split sig from payload → ed25519 verify → return
parsed payload.
- [ ] Implement `isExpiredAt(key, time)` and `hasEntitlement(key,
slug)` as pure helpers.
- [ ] Implement `hashFingerprint(string) -> hex string`.
- [ ] Pass fixtures 16 in `vector.json` via a new
`tests/crosscheck/run_<lang>.<ext>` runner.
### Phase 2 — online client (optional features)
- [ ] Decide on an HTTP library that's idiomatic for L. Avoid pinning to
something exotic — most users will already have a default.
- [ ] Implement `Client::new(baseUrl)`. Strip trailing slashes
defensively.
- [ ] Implement `Client::baseUrl()` getter (we use this in v0.1 to
compute redirect URLs).
- [ ] Implement `Client::fetchPubkeyPem()`.
- [ ] Implement `Client::validate(key, productSlug, fingerprint)`.
Distinguish network errors from server-side rejections in the
return type.
- [ ] Implement `Client::heartbeat(key, fingerprint)`.
- [ ] Implement `Client::activate(key, fingerprint, opts)`.
- [ ] Implement `Client::deactivate(key, fingerprint, reason?)`.
- [ ] Implement `Client::startPurchase(productSlug, opts)` — opts
includes optional `code`, `buyerEmail`, `redirectUrl`.
- [ ] Implement `Client::pollPurchase(invoiceId)`.
- [ ] Implement `Client::waitForLicense(invoiceId, opts?)` — convenience
polling loop. Throw on terminal states (`expired`, `invalid`).
- [ ] Implement `Client::redeemFreeLicense(productSlug, code, opts?)` —
the no-BTCPay path for `free_license` codes.
### Phase 3 — packaging + release
- [ ] Pick a package name. Keep it close to `keysat-licensing-client`
modulo language conventions.
- [ ] Pin compatible language version. Document it (Python ≥ 3.10, Go
≥ 1.21, etc.).
- [ ] Write a README mirroring the structure of
`licensing-client-ts/README.md` (5-line offline check + 10-line
online check + purchase flow + browser usage if applicable).
- [ ] Add an `examples/` directory with at least an offline-verify
example and an online-validate example.
- [ ] Hook the SDK's tests into CI in this monorepo so a v1 wire-format
change automatically breaks every SDK.
- [ ] Publish to the language registry (PyPI / pkg.go.dev / Maven /
SwiftPM / NuGet).
---
## Distribution & naming
| Language | Package name | Registry |
|-------------|-----------------------------|------------------|
| Rust | `licensing-client` | crates.io |
| TypeScript | `@keysat/licensing-client` | npm |
| Python | `keysat-licensing-client` | PyPI |
| Go | `github.com/keysat-xyz/keysat-go/client` | pkg.go.dev (Go modules use the import path) |
| Java/Kotlin | `xyz.keysat.licensing-client` | Maven Central |
| Swift | `KeysatLicensingClient` | Swift Package Manager (Git tag) |
| C# / .NET | `Keysat.LicensingClient` | NuGet |
| C++ | `keysat-licensing-client` | vcpkg / Conan |
---
## Versioning
Every SDK starts at `0.1.0` and tracks the wire-format version
independently of its own SemVer. Wire-format breaking changes (a new
required field in the payload, e.g.) bump every SDK's minor version
simultaneously. Wire-compatible additions (a new optional flag bit) bump
the patch version.
A wire-format change requires:
1. Update `licensing-service/src/crypto/mod.rs` first.
2. Add new fixtures to `tests/crosscheck/vector.json`.
3. Update every SDK to pass the new fixtures.
4. Release coordinated minor versions.
This is a real coordination tax. The mitigation is to keep wire-format
changes infrequent and additive.
---
## Maintenance burden — be honest about it
Each SDK is a long-tail liability. Every breaking change in the wire
format is N times the work, where N is the number of SDKs. Every CVE in
a transitive HTTP or crypto dependency is a release per language. Be
realistic about how many SDKs the team can credibly maintain. Two or
three first-class is plausibly forever; six or seven becomes a
not-getting-around-to-it problem.
The escape valve: keep the wire format documented well enough that an
abandoned SDK is straightforward to fork or replace. If the wire-format
section of this doc is ever harder to read than the code, we've
regressed and need to fix it.
Reference in New Issue View Git Blame Copy Permalink