feat: automatic local restrictions for AGPL §13 and Hub unreachability

mrdevrobot · mrdevrobot · commit 17318aa440bf · 2026-03-15T22:52:26.000+01:00
Two new local restriction policies applied independently of Hub responses:

1. AGPL-3.0 §13 violation (License:SourceUrl not configured)
   - Detected at startup in Program.cs
   - Applies SEVERE restrictions immediately (200ms delay, query limit 100, cache off)
   - LogCritical to make the issue clearly visible in logs

2. LicenseHub unreachable (applies only to unlicensed instances)
   - Tracked via HeartbeatWorker._lastSuccessfulHeartbeat
   - Days counted from last successful heartbeat (or from startup if never succeeded)
   - 7 consecutive days  → MEDIUM-SEVERE (50ms delay, cache off, banner)
   - 30 consecutive days → SEVERE (200ms delay, query limit 100, cache off, banner)
   - Licensed instances (LicenseLoadResult.Ok) are exempt — heartbeat is telemetry only

Restriction presets defined as static fields in RestrictionService:
  - RestrictionService.MediumSevere
  - RestrictionService.Severe
  - RestrictionService.FromMissedHeartbeatDays(int days) helper
diff --git a/src/BLite.Server/License/HeartbeatWorker.cs b/src/BLite.Server/License/HeartbeatWorker.cs
@@ -28,6 +28,10 @@ public sealed class HeartbeatWorker : BackgroundService
     private readonly string                   _licenseFilePath;
     private readonly DateTime                 _startedAt = DateTime.UtcNow;
 
+    // Tracks the last time a heartbeat response was successfully received.
+    // Null = never succeeded since startup.
+    private DateTime? _lastSuccessfulHeartbeat;
+
     public HeartbeatWorker(
         IConfiguration cfg,
         LicenseManager license,
@@ -60,7 +64,6 @@ protected override async Task ExecuteAsync(CancellationToken stoppingToken)
 
     private async Task SendHeartbeatAsync(CancellationToken ct)
     {
-
         try
         {
             var jwt = !string.IsNullOrEmpty(_licenseFilePath) && File.Exists(_licenseFilePath)
@@ -84,9 +87,12 @@ private async Task SendHeartbeatAsync(CancellationToken ct)
             if (!resp.IsSuccessStatusCode)
             {
                 _log.LogWarning("Heartbeat returned {Status}.", (int)resp.StatusCode);
+                ApplyLocalPolicy();
                 return;
             }
 
+            _lastSuccessfulHeartbeat = DateTime.UtcNow;
+
             var body = await resp.Content.ReadFromJsonAsync<HeartbeatResponseDto>(JsonOpts, ct);
             if (body?.Restrictions is { } r)
             {
@@ -105,7 +111,7 @@ private async Task SendHeartbeatAsync(CancellationToken ct)
             }
             else
             {
-                // Hub returned no restrictions — clear any previously active ones
+                // Hub returned no restrictions — clear any previously active local policy
                 _restrictions.Update(RestrictionSnapshot.None);
             }
 
@@ -115,9 +121,34 @@ private async Task SendHeartbeatAsync(CancellationToken ct)
         catch (Exception ex)
         {
             _log.LogWarning("Heartbeat failed: {Msg}", ex.Message);
+            ApplyLocalPolicy();
         }
     }
 
+    // ── Local policy ──────────────────────────────────────────────────────────
+
+    private void ApplyLocalPolicy()
+    {
+        // If a valid license is present, missed heartbeats are tolerated —
+        // the heartbeat is telemetry-only for licensed instances.
+        if (_license.Result == LicenseLoadResult.Ok)
+            return;
+
+        var missedDays = _lastSuccessfulHeartbeat.HasValue
+            ? (int)(DateTime.UtcNow - _lastSuccessfulHeartbeat.Value).TotalDays
+            : (int)(DateTime.UtcNow - _startedAt).TotalDays;
+
+        var snapshot = RestrictionService.FromMissedHeartbeatDays(missedDays);
+
+        if (snapshot.HasAny)
+            _log.LogWarning(
+                "Hub unreachable for {Days} day(s). Applying {Level} restrictions.",
+                missedDays,
+                missedDays >= 30 ? "SEVERE" : "MEDIUM-SEVERE");
+
+        _restrictions.Update(snapshot);
+    }
+
     private static string GetVersion()
         => typeof(HeartbeatWorker).Assembly.GetName().Version?.ToString() ?? "0.0.0";
 
diff --git a/src/BLite.Server/License/RestrictionService.cs b/src/BLite.Server/License/RestrictionService.cs
@@ -4,15 +4,54 @@
 // Restrictions are set by the LicenseHub heartbeat response and applied
 // across all gRPC calls, REST calls, query cache, and the Studio UI.
 // All fields default to zero / false (no restrictions active).
+//
+// Local overrides (applied regardless of the Hub response):
+//   • AGPL §13 violation  — SourceUrl not configured         → Severe
+//   • Hub unreachable 7d  — no successful heartbeat in 7 days  → MediumSevere
+//   • Hub unreachable 30d — no successful heartbeat in 30 days → Severe
 
 namespace BLite.Server.License;
 
 /// <summary>
-/// Thread-safe holder for the operational restrictions received from LicenseHub.
-/// Updated by <see cref="HeartbeatWorker"/> after every successful heartbeat.
+/// Thread-safe holder for the operational restrictions.
+/// May be updated by:
+///   1. <see cref="HeartbeatWorker"/> with restrictions received from LicenseHub.
+///   2. Local policy checks (SourceUrl missing, prolonged Hub unreachability).
 /// </summary>
 public sealed class RestrictionService
 {
+    // ── Preset snapshots ─────────────────────────────────────────────────────
+
+    /// <summary>
+    /// Medium-severe: applied after 7 consecutive days without a successful
+    /// heartbeat to the LicenseHub.
+    /// 50 ms per call is painful at any real-world RPS.
+    /// </summary>
+    public static readonly RestrictionSnapshot MediumSevere = new()
+    {
+        OperationDelayMs  = 50,
+        DisableQueryCache = true,
+        WarnBannerMessage = "⚠ This server has been unable to contact the BLite LicenseHub for 7+ days. " +
+                            "Please ensure the server can reach licensehub.blitedb.com.",
+    };
+
+    /// <summary>
+    /// Severe: applied after 30 consecutive days without heartbeat, OR when
+    /// the AGPL-3.0 §13 source URL is not configured.
+    /// 200 ms per call makes the server effectively unusable at production load.
+    /// </summary>
+    public static readonly RestrictionSnapshot Severe = new()
+    {
+        OperationDelayMs  = 200,
+        QueryResultLimit  = 100,
+        DisableQueryCache = true,
+        WarnBannerMessage = "🚨 Critical compliance issue detected. " +
+                            "This server is subject to severe operational restrictions. " +
+                            "Contact support@blitedb.com.",
+    };
+
+    // ── State ────────────────────────────────────────────────────────────────
+
     // Volatile read is safe for reading a reference type on all current .NET
     // memory models; writes go through Interlocked.Exchange for atomicity.
     private volatile RestrictionSnapshot _current = RestrictionSnapshot.None;
@@ -22,6 +61,20 @@ public sealed class RestrictionService
     /// <summary>Atomically replaces the active restriction set.</summary>
     public void Update(RestrictionSnapshot snapshot) =>
         Interlocked.Exchange(ref _current, snapshot);
+
+    // ── Local policy helpers ──────────────────────────────────────────────────
+
+    /// <summary>
+    /// Returns the restriction snapshot that must be applied locally due to
+    /// prolonged Hub unreachability, ignoring any Hub-driven snapshot.
+    /// Returns <see cref="RestrictionSnapshot.None"/> when within tolerance.
+    /// </summary>
+    public static RestrictionSnapshot FromMissedHeartbeatDays(int days) => days switch
+    {
+        >= 30 => Severe,
+        >= 7  => MediumSevere,
+        _     => RestrictionSnapshot.None,
+    };
 }
 
 /// <summary>
diff --git a/src/BLite.Server/Program.cs b/src/BLite.Server/Program.cs
@@ -279,6 +279,30 @@ static string ResolveAppPath(string path) =>
 if (app.Environment.IsDevelopment())
     app.MapGrpcReflectionService();
 
+// ── AGPL §13 compliance check ────────────────────────────────────────────────
+// If no SourceUrl is configured the server is violating AGPL-3.0 §13
+// (network use = distribution; source must be disclosed).
+// Apply severe restrictions immediately so the issue is hard to ignore.
+{
+    var configuredSourceUrl = app.Configuration.GetValue<string>("License:SourceUrl");
+    if (string.IsNullOrWhiteSpace(configuredSourceUrl))
+    {
+        var restrictions = app.Services.GetRequiredService<RestrictionService>();
+        restrictions.Update(new RestrictionSnapshot
+        {
+            OperationDelayMs  = 200,
+            QueryResultLimit  = 100,
+            DisableQueryCache = true,
+            WarnBannerMessage = "🚨 AGPL-3.0 §13 violation: License:SourceUrl is not configured. " +
+                                "Set LICENSE__SOURCEURL to a publicly accessible URL that serves the " +
+                                "source code of this running server. Severe restrictions are active.",
+        });
+        app.Logger.LogCritical(
+            "AGPL-3.0 §13 violation: License:SourceUrl is not set. " +
+            "Severe operational restrictions have been applied automatically.");
+    }
+}
+
 // Forward headers from reverse proxy (X-Forwarded-For, X-Forwarded-Proto, X-Forwarded-Host).
 // Required for correct host matching (RequireHost) and HTTPS detection when behind nginx/Plesk.
 app.UseForwardedHeaders(new ForwardedHeadersOptions
