docs(license): document activation flow, tier system, dev bypass
- USER-GUIDE EN + ES gain a §0 "First launch — activation" section covering paid blob activation, 1-year trial, renewal, file location, and device-swap.
- REQUIREMENTS §17a "Licensing" — storage path, activation model, lifetime, tier list, dev bypass env var. Test count: 1995.
- DEVELOPER gains a "Licensing" recipe in the Extension recipes section: public API, feature-flag add, tier add, minting via the creator-only script.
- DECISIONS §9b — log the offline-HMAC choice with the threat-model trade-off (motivated piracy not stopped; honor-system + 30-day refund covers casual sharing).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@@ -175,6 +175,33 @@ $49-79/bundle · $149 full suite (when 3+ exist).
|
||||
| May 1 (v1.6) | Mark Format Standardizer **Ready** | 199-row buyer corpus passing; Tier 1 + most Tier 2 built. |
|
||||
| May 1 (v1.6) | Add `src/core/errors.py` structured hierarchy | Uniform helpful messages across CLI + GUI. See TECHNICAL §7. |
|
||||
| May 13 (v1.6) | Ship in-house JSON i18n + EN/ES packs | Expand addressable market (Spanish-first buyers, LatAm bookkeepers) without a `gettext` build step. JSON packs editable by non-devs; parity test prevents drift. See TECHNICAL §10b. |
|
||||
| May 13 (v1.6) | Ship licensing: 1-year HMAC-signed blobs, name+email registration, offline verification, tier-scaffolded for future SKUs | Unlock the lifetime-update business model without recurring infra. Honor-system DRM (HMAC + 30-day refund) — sufficient at $49. See §9b below. |
|
||||
|
||||
## 9b. Licensing model
|
||||
|
||||
**Decision (v1.6)**: offline HMAC-signed license blobs, 1-year lifetime, name + email registration required. Tier-scaffolded so future SKUs (PRO, ENTERPRISE) can carve per-tool feature sets without code changes.
|
||||
|
||||
| Option | Verdict |
|
||||
|---|---|
|
||||
| **Offline HMAC blob (chosen)** | **CHOSEN.** No server, no internet, fits the no-touch constraint. Honor-system at this price point. |
|
||||
| Online activation check | Rejected. Conflicts with the "your data never leaves your computer" promise; introduces support load (server downtime, network issues). |
|
||||
| No license at all | Rejected. The lifetime-update value prop requires *some* gating to make renewal meaningful. |
|
||||
| Time-bombed binary (PyInstaller --no-license) | Rejected. Can't deliver renewals without re-shipping the installer. |
|
||||
| Hardware-locked license | Rejected. Friction on legitimate device-swaps; doesn't match the buyer persona's tolerance. |
|
||||
|
||||
**Threat model**: a motivated reverse engineer can pull the HMAC secret out of the binary, mint their own licenses, and bypass the check. That's acceptable — the goal is to discourage casual blob-sharing among non-technical buyers, not stop targeted piracy. The 30-day refund window covers the same gap from a different angle (anyone who shares their blob is implicitly authorizing the buyer to issue them a refund-on-demand).
|
||||
|
||||
**What's enforced**:
|
||||
- License blob signature must match (HMAC-SHA256 with the build secret).
|
||||
- Buyer-entered name + email must match the values embedded in the blob.
|
||||
- Expiry date must be in the future.
|
||||
- Tier must include the requested feature.
|
||||
|
||||
**What's NOT enforced**:
|
||||
- Number of devices the same blob is used on (no concurrent-use detection).
|
||||
- Reverse-engineered re-signing of expired blobs (would require RSA / online check).
|
||||
|
||||
**Future SKUs**: the ``FEATURES_BY_TIER`` table in ``src/license/features.py`` is the single source of truth for "which tools each tier unlocks". Adding a PRO SKU that excludes the pipeline runner is a 1-line edit there + a 1-line edit at the gate site. No consumer-code churn.
|
||||
|
||||
## 8. Re-lock triggers
|
||||
|
||||
|
||||
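Review bot: The options table in §9b has no row for an offline asymmetric signature (only a public verification key in the binary), and the "What's NOT enforced" bullet "would require RSA / online check" reads as if the two were one option. Signature verification with a public key needs no server and no network, so the reasons given for rejecting "Online activation check" do not apply to it, and it would remove the "mint their own licenses" step the threat-model paragraph accepts (patching the check out of the binary would remain possible). Please add that option as its own row with the verdict and the reason it was not chosen, and split the bullet so RSA and the online check are listed separately. Two smaller points: the new "## 9b. Licensing model" heading sits directly above "## 8. Re-lock triggers", so "See §9b below" in the decision row sends the reader to a section that is out of numeric order; and the closing parenthetical of the threat-model paragraph ("implicitly authorizing the buyer to issue them a refund-on-demand") does not say who refunds whom, so it is worth rewording.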