chore(license): move owlicgen out of the product; add dev entitlement bypass#702
Merged
Conversation
… bypass owlicgen mints/signs license JWTs — that is Hanalyx-as-issuer infrastructure, not part of the product customers run (and the repo is heading to open source). Remove cmd/owlicgen; it is preserved as issuer reference under ~/hanalyx/OWAR/licensing/ with an implementation guide for the hanalyx.com dashboard team. The product keeps only license *verification* (internal/license), never minting. Nothing automated depended on owlicgen (tests mint JWTs via their own fixtures).

To keep local paid-feature testing working without minting a license, add a build-tag-gated dev entitlement bypass:
- entitlements_release.go (//go:build !dev): devEntitlementsEnabled()=false — physically absent from release binaries; IsEnabled behaves normally.
- entitlements_dev.go (//go:build dev): unlocks features only when OPENWATCH_DEV_MODE=true. Two gates (build tag AND env), so a release binary can never unlock paid features from the environment alone.
- IsEnabled short-circuits on the bypass.
- scripts/openwatch.sh builds with -tags dev and sets OPENWATCH_DEV_MODE=true.
- Tests both ways: release build asserts the bypass is OFF even with the env set (release-safety guard); -tags dev build asserts it gates on the env var.

Also reword the api-license AC and the LoadJWT comment that name-dropped owlicgen.
Completes the owlicgen removal (the deletion landed in the previous commit):
- build-tag-gated dev entitlement bypass (entitlements_{release,dev}.go) wired
into IsEnabled; OFF in release builds, ON only under -tags dev with
OPENWATCH_DEV_MODE=true. Tests assert both directions.
- scripts/openwatch.sh builds -tags dev and sets OPENWATCH_DEV_MODE=true so local
dev keeps paid-feature access without minting a license.
- reword api-license AC-10 and the LoadJWT comment that referenced owlicgen.
remyluslosius added a commit that referenced this pull request on Jun 27, 2026:
Stage 1 docs freeze for rc.17.
- packaging/version.env -> 0.2.0-rc.17
- CHANGELOG.md: roll [Unreleased] into a dated [0.2.0-rc.17] section; add the two operator-facing security entries from this cycle (real offline license/policy signing keys + build guard; OIDC/notification SSRF hardening).
- refresh the rc version string in the SERVICE_DOWN / DISK_FULL runbooks.

Bundles since rc.16: #701 (SEC-H1 real signing keys + regression guards), #702 (owlicgen removed from the product), #703 (SEC-H2 OIDC SSRF guard + non-gating transactionlog perf test).

Verified: changelog format gate green, version injects, specter check + coverage 100%.
Why

owlicgen mints/signs license JWTs — that is Hanalyx-as-issuer infrastructure, not part of the product customers run, and the repo is heading to open source. It should not ship a license minting tool. The product keeps only license verification (internal/license); it can verify a license but never mint one. The tool is preserved as issuer reference under ~/hanalyx/OWAR/licensing/ alongside an implementation guide for the hanalyx.com dashboard team. Nothing automated depended on owlicgen (tests mint JWTs via their own fixtures; Makefile/packaging build only ./cmd/openwatch).

What changed

- Removed cmd/owlicgen.
- entitlements_release.go (//go:build !dev): devEntitlementsEnabled()=false — physically absent from release binaries; IsEnabled behaves normally.
- entitlements_dev.go (//go:build dev): unlocks features only when OPENWATCH_DEV_MODE=true. Two independent gates (build tag AND env var), so a release binary can never unlock paid features from the environment alone.
- IsEnabled short-circuits on the bypass.
- scripts/openwatch.sh builds -tags dev and sets OPENWATCH_DEV_MODE=true.
- Reworded the api-license AC-10 description and the LoadJWT comment that named owlicgen.

Safety

There is no production guard on OPENWATCH_DEV_MODE today, so the bypass is build-tag-gated (absent from release builds), not env-only. Tests assert both directions:
- release build: the bypass stays OFF even with OPENWATCH_DEV_MODE=true (release-safety guard)
- -tags dev build: the bypass gates correctly on the env var

Verification

- go build ./... and go build -tags dev ./... both clean
- go test ./internal/license/... (default) and -tags dev both pass
- gofmt / go vet clean; specter check 114 specs, coverage 100% (api-license 10/10)

Related (not in this PR)

- ~/hanalyx/OWAR/licensing/OWLICGEN_DASHBOARD_GUIDE.md
- docs/engineering/signing_keys_adr.md (local) + ~/hanalyx/OWAR/licensing/VENDOR_CONTENT_KEY.md
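The two-gate bypass the PR describes (build tag AND OPENWATCH_DEV_MODE, with IsEnabled short-circuiting on it and otherwise consulting the verified license) is sketched below as an added example. It is not OpenWatch's own internal/license code: the Feature type, the License struct, the Checker and its constructor are hypothetical stand-ins. To let one test binary exercise both build variants, the two bodies that the PR puts behind //go:build !dev and //go:build dev are written here as two ordinary functions (releaseBypass and devBypass) and injected; in the real layout only one of them exists in any given binary, which is the whole point of the release-safety guard.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// Feature is a paid capability gated by the customer's license.
// Hypothetical names; the product's real feature identifiers are not on the page.
type Feature string

const (
	FeatureOfflinePolicy Feature = "offline-policy"
	FeatureAPILicense    Feature = "api-license"
)

// License is the verified view of a license JWT (only the claims this example needs).
// Hypothetical shape standing in for whatever internal/license returns after verification.
type License struct {
	Features map[Feature]bool
}

// bypassFunc reports whether the dev entitlement bypass is active.
// In the PR this is devEntitlementsEnabled(), defined once per build variant:
//   entitlements_release.go  //go:build !dev   -> always false; no env lookup is compiled in
//   entitlements_dev.go      //go:build dev    -> true only when OPENWATCH_DEV_MODE=true
// Here both bodies are plain functions so a single test can check each direction.
type bypassFunc func(getenv func(string) string) bool

// releaseBypass models the //go:build !dev body: the env var is never read,
// so nothing in the environment can flip it.
func releaseBypass(_ func(string) string) bool { return false }

// devBypass models the //go:build dev body: the second gate is the env var,
// and only the exact value "true" passes (assumption: the PR says OPENWATCH_DEV_MODE=true).
func devBypass(getenv func(string) string) bool {
	return strings.TrimSpace(getenv("OPENWATCH_DEV_MODE")) == "true"
}

// Checker answers entitlement questions for one process.
type Checker struct {
	lic    *License
	bypass bypassFunc
	getenv func(string) string
}

// NewChecker wires a verified license (may be nil: unlicensed) to a bypass body.
// getenv is injectable for tests; nil means os.Getenv.
func NewChecker(lic *License, bypass bypassFunc, getenv func(string) string) *Checker {
	if getenv == nil {
		getenv = os.Getenv
	}
	return &Checker{lic: lic, bypass: bypass, getenv: getenv}
}

// IsEnabled short-circuits on the bypass, then falls back to the verified license.
// With releaseBypass the first branch is dead code, so a release binary behaves
// exactly as if the bypass did not exist.
func (c *Checker) IsEnabled(f Feature) bool {
	if c.bypass != nil && c.bypass(c.getenv) {
		return true
	}
	if c.lic == nil {
		return false
	}
	return c.lic.Features[f]
}

func main() {
	// Unlicensed process, real environment: only a dev build with
	// OPENWATCH_DEV_MODE=true will report the paid feature as enabled.
	release := NewChecker(nil, releaseBypass, nil)
	dev := NewChecker(nil, devBypass, nil)
	fmt.Printf("release build, unlicensed: %s enabled=%v\n", FeatureOfflinePolicy, release.IsEnabled(FeatureOfflinePolicy))
	fmt.Printf("dev build, unlicensed:     %s enabled=%v\n", FeatureOfflinePolicy, dev.IsEnabled(FeatureOfflinePolicy))
}
```

Run it twice, once with OPENWATCH_DEV_MODE unset and once with it set to true, to see that only the dev variant changes its answer; the release variant ignores the variable entirely because it never reads it. The injected getenv is what makes the release-safety guard testable without mutating the process environment.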