chore(license): move owlicgen out of the product; add dev entitlement bypass (#702)

* chore(license): remove owlicgen from the product; add dev entitlement bypass

owlicgen mints/signs license JWTs — that is Hanalyx-as-issuer infrastructure,
not part of the product customers run (and the repo is heading to open source).
Remove cmd/owlicgen; it is preserved as issuer reference under
~/hanalyx/OWAR/licensing/ with an implementation guide for the hanalyx.com
dashboard team. The product keeps only license *verification* (internal/license),
never minting. Nothing automated depended on owlicgen (tests mint JWTs via their
own fixtures).

To keep local paid-feature testing working without minting a license, add a
build-tag-gated dev entitlement bypass:
- entitlements_release.go (//go:build !dev): devEntitlementsEnabled()=false —
  physically absent from release binaries; IsEnabled behaves normally.
- entitlements_dev.go (//go:build dev): unlocks features only when
  OPENWATCH_DEV_MODE=true. Two gates (build tag AND env), so a release binary
  can never unlock paid features from the environment alone.
- IsEnabled short-circuits on the bypass.
- scripts/openwatch.sh builds with -tags dev and sets OPENWATCH_DEV_MODE=true.
- Tests both ways: release build asserts the bypass is OFF even with the env set
  (release-safety guard); -tags dev build asserts it gates on the env var.

Also reword the api-license AC and the LoadJWT comment that name-dropped owlicgen.

* chore(license): dev entitlement bypass + drop owlicgen prose refs

Completes the owlicgen removal (the deletion landed in the previous commit):
- build-tag-gated dev entitlement bypass (entitlements_{release,dev}.go) wired
  into IsEnabled; OFF in release builds, ON only under -tags dev with
  OPENWATCH_DEV_MODE=true. Tests assert both directions.
- scripts/openwatch.sh builds -tags dev and sets OPENWATCH_DEV_MODE=true so local
  dev keeps paid-feature access without minting a license.
- reword api-license AC-10 and the LoadJWT comment that referenced owlicgen.

Author: remyluslosius

cmd/owlicgen/main.go

@@ -0,0 +1,14 @@
+//go:build dev
+
+package license
+
+import "os"
+
+// devEntitlementsEnabled reports whether the local-dev entitlement bypass is
+// active. This variant is compiled ONLY into `-tags dev` builds (never
+// released), and even then unlocks paid features only when OPENWATCH_DEV_MODE=true.
+// Two independent gates — the build tag AND the env var — so paid features can be
+// exercised locally (e.g. via scripts/openwatch.sh) without minting a license,
+// while a release binary contains none of this code. Replaces the local use of
+// the removed owlicgen tool.
+func devEntitlementsEnabled() bool { return os.Getenv("OPENWATCH_DEV_MODE") == "true" }

internal/license/entitlements_dev.go

@@ -0,0 +1,19 @@
+//go:build dev
+
+package license
+
+import "testing"
+
+// TestDevEntitlements_OnUnderDevTag verifies the local-dev bypass behaves as
+// documented in `-tags dev` builds: gated on OPENWATCH_DEV_MODE, off by default,
+// on when set. Compiled only under -tags dev (the launcher's build mode).
+func TestDevEntitlements_OnUnderDevTag(t *testing.T) {
+	t.Setenv("OPENWATCH_DEV_MODE", "")
+	if devEntitlementsEnabled() {
+		t.Fatal("bypass should be off when OPENWATCH_DEV_MODE is unset, even under -tags dev")
+	}
+	t.Setenv("OPENWATCH_DEV_MODE", "true")
+	if !devEntitlementsEnabled() {
+		t.Fatal("bypass should be on under -tags dev with OPENWATCH_DEV_MODE=true")
+	}
+}

internal/license/entitlements_dev_test.go

@@ -0,0 +1,11 @@
+//go:build !dev
+
+package license
+
+// devEntitlementsEnabled reports whether the local-dev entitlement bypass is
+// active. In release builds (the default — no `dev` build tag) it is always
+// false: the bypass is physically absent from shipped binaries, so a production
+// install can never unlock paid features without a real license, regardless of
+// environment. The dev variant lives in entitlements_dev.go (built only under
+// `-tags dev`).
+func devEntitlementsEnabled() bool { return false }

internal/license/entitlements_release.go

@@ -0,0 +1,17 @@
+//go:build !dev
+
+package license
+
+import "testing"
+
+// TestDevEntitlements_OffInReleaseBuilds is a release-safety guard. The default
+// build carries no `dev` tag, so the dev entitlement bypass MUST be off even
+// with OPENWATCH_DEV_MODE set — otherwise a release binary could unlock paid
+// features from the environment alone. This runs in normal CI (no -tags dev) and
+// fails if the release variant ever starts returning true.
+func TestDevEntitlements_OffInReleaseBuilds(t *testing.T) {
+	t.Setenv("OPENWATCH_DEV_MODE", "true")
+	if devEntitlementsEnabled() {
+		t.Fatal("dev entitlement bypass is active in a non-dev build; it must be physically absent from release binaries")
+	}
+}

internal/license/entitlements_test.go

@@ -65,7 +65,8 @@ func LoadFile(path string, opts VerifyOptions) (VerifyResult, error) {
 }
 
 // LoadJWT validates a raw JWT string and swaps it into runtime state on
-// success. Useful for tests and for owlicgen-driven local installs.
+// success. Useful for tests and for installing a license JWT minted by the
+// Hanalyx issuer (the product only verifies licenses; it never mints them).
 func LoadJWT(jwtBlob string, opts VerifyOptions) (VerifyResult, error) {
 	if err := Init(); err != nil {
 		return VerifyMalformedJWT, err

internal/license/service.go

@@ -22,6 +22,12 @@ var (
 //
 // p99 < 50ns; no allocation. Spec AC-8, AC-9.
 func IsEnabled(f Feature) bool {
+	// Local-dev bypass: only ever true in `-tags dev` builds with
+	// OPENWATCH_DEV_MODE=true (see entitlements_{dev,release}.go). Always false
+	// in release binaries — the bypass code is not compiled in.
+	if devEntitlementsEnabled() {
+		return true
+	}
 	s := current.Load()
 	return s.IsEnabled(f)
 }

internal/license/state.go

@@ -182,7 +182,11 @@ backend_start() {
   ow_version="$( . "$ROOT/packaging/version.env" >/dev/null 2>&1; echo "${VERSION:-dev}" )"
   ow_commit="$(git -C "$ROOT" rev-parse --short HEAD 2>/dev/null || echo unknown)"
   ow_built="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
-  go build -ldflags "\
+  # -tags dev compiles the local-dev entitlement bypass (entitlements_dev.go) so
+  # paid features can be exercised locally without a license. The bypass is
+  # physically absent from release builds (the Makefile does not pass this tag)
+  # and still requires OPENWATCH_DEV_MODE=true at runtime (set below).
+  go build -tags dev -ldflags "\
     -X github.com/Hanalyx/openwatch/internal/version.Version=${ow_version} \
     -X github.com/Hanalyx/openwatch/internal/version.Commit=${ow_commit} \
     -X github.com/Hanalyx/openwatch/internal/version.BuildTime=${ow_built}" \
@@ -193,6 +197,7 @@ backend_start() {
   OPENWATCH_SERVER_TLS_KEY="$TLS_DIR/key.pem" \
   OPENWATCH_IDENTITY_JWT_PRIVATE_KEY="$JWT_KEY" \
   OPENWATCH_IDENTITY_CREDENTIAL_KEY_FILE="$CRED_KEY" \
+  OPENWATCH_DEV_MODE="true" \
     nohup "$BIN" serve >"$BE_LOG" 2>&1 &
   echo $! > "$BE_PID"
   poll_health "https://${OPENWATCH_SERVER_LISTEN}/api/v1/health" "$BE_PID" "$BE_LOG" "backend" 1

scripts/openwatch.sh

@@ -84,5 +84,5 @@ spec:
       description: POST /:premium-echo with license that includes premium_diagnostics returns 200 with echoed message.
       priority: critical
     - id: AC-10
-      description: Installing license (owlicgen + file drop + SIGHUP) makes GET /license reflect new state without restart.
+      description: Installing license (file drop + SIGHUP) makes GET /license reflect new state without restart.
       priority: high