chore(license): move owlicgen out of the product; add dev entitlement bypass#702

Merged
remyluslosius merged 2 commits into main from chore/move-owlicgen-out on Jun 27, 2026

Conversation

@remyluslosius (Contributor)

Why

owlicgen mints/signs license JWTs — that is Hanalyx-as-issuer infrastructure, not part of the product customers run, and the repo is heading to open source. It should not ship a license minting tool. The product keeps only license verification (internal/license); it can verify a license but never mint one.

The tool is preserved as issuer reference under ~/hanalyx/OWAR/licensing/ alongside an implementation guide for the hanalyx.com dashboard team. Nothing automated depended on owlicgen (tests mint JWTs via their own fixtures; Makefile/packaging build only ./cmd/openwatch).

What changed

  • Remove cmd/owlicgen.
  • Dev entitlement bypass so local paid-feature testing still works without minting a license:
    • entitlements_release.go (//go:build !dev): devEntitlementsEnabled()=false — physically absent from release binaries; IsEnabled behaves normally.
    • entitlements_dev.go (//go:build dev): unlocks features only when OPENWATCH_DEV_MODE=true. Two independent gates (build tag AND env var), so a release binary can never unlock paid features from the environment alone.
    • IsEnabled short-circuits on the bypass.
    • scripts/openwatch.sh builds -tags dev and sets OPENWATCH_DEV_MODE=true.
  • Reword the api-license AC-10 description and the LoadJWT comment that named owlicgen.

Safety

There is no production guard on OPENWATCH_DEV_MODE today, so the bypass is build-tag-gated (absent from release builds), not env-only. Tests assert both directions:

  • default build: bypass is off even with OPENWATCH_DEV_MODE=true (release-safety guard)
  • -tags dev build: bypass gates correctly on the env var

Verification

  • go build ./... and go build -tags dev ./... both clean
  • go test ./internal/license/... (default) and -tags dev both pass
  • server license/premium gating tests pass (bypass inert in release)
  • gofmt/go vet clean; specter check 114 specs, coverage 100% (api-license 10/10)

Related (not in this PR)

  • Issuer guide: ~/hanalyx/OWAR/licensing/OWLICGEN_DASHBOARD_GUIDE.md
  • Signing-keys design: docs/engineering/signing_keys_adr.md (local) + ~/hanalyx/OWAR/licensing/VENDOR_CONTENT_KEY.md
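
The two-gate layout described above, as an added example that is not OpenWatch's own code. To run as a single file it collapses the two build-tagged files into one: the `devBuild` constant stands in for the `-tags dev` build tag (in the real layout that constant does not exist; `entitlements_release.go` under `//go:build !dev` returns `false` unconditionally and `entitlements_dev.go` under `//go:build dev` holds the env check, so the release binary never contains it). `bypassAllowed`, the `License` type and the feature names are assumptions introduced for illustration; `devEntitlementsEnabled`, `IsEnabled` and `OPENWATCH_DEV_MODE` are the names the PR uses.

```go
// Added example of the build-tag AND env-var dev entitlement bypass.
// Not OpenWatch's code; see the lead-in for what is assumed.
package main

import (
	"fmt"
	"os"
)

// devBuild stands in for the `-tags dev` build tag so this compiles as one
// file. In the two-file layout the PR describes, entitlements_release.go
// (//go:build !dev) defines devEntitlementsEnabled() as `return false` and
// entitlements_dev.go (//go:build dev) defines the env-gated version below.
const devBuild = false

// devModeEnvVar is the variable the PR names; only the exact value "true"
// counts, so "1", "yes" or a stray trailing space never unlock anything.
const devModeEnvVar = "OPENWATCH_DEV_MODE"

// bypassAllowed is the pure two-gate rule (hypothetical helper), split out so
// both directions can be unit-tested without rebuilding under another tag.
func bypassAllowed(devTagged bool, envValue string) bool {
	if !devTagged {
		return false // gate 1: a release build ignores the environment entirely
	}
	return envValue == "true" // gate 2: explicit per-process opt-in
}

// devEntitlementsEnabled is what IsEnabled consults at runtime.
func devEntitlementsEnabled() bool {
	return bypassAllowed(devBuild, os.Getenv(devModeEnvVar))
}

// License is a hypothetical, already-verified license; JWT signature
// verification (internal/license) is out of scope for this example.
type License struct {
	Features []string // paid feature names the license grants
}

// IsEnabled reports whether a paid feature may be used. It short-circuits on
// the dev bypass and otherwise trusts only the verified license.
func IsEnabled(lic *License, feature string) bool {
	if devEntitlementsEnabled() {
		return true
	}
	if lic == nil {
		return false
	}
	for _, f := range lic.Features {
		if f == feature {
			return true
		}
	}
	return false
}

func main() {
	// Constructed scenario: the env var is set, but this is a release build
	// (devBuild == false), so the bypass must stay inert.
	os.Setenv(devModeEnvVar, "true")
	fmt.Printf("devBuild=%v %s=%q bypass=%v\n",
		devBuild, devModeEnvVar, os.Getenv(devModeEnvVar), devEntitlementsEnabled())

	lic := &License{Features: []string{"premium_reports"}}
	fmt.Println("premium_reports:", IsEnabled(lic, "premium_reports"))
	fmt.Println("sso:", IsEnabled(lic, "sso"))
	fmt.Println("no license:", IsEnabled(nil, "premium_reports"))
}
```

In the real two-file layout there is nothing to flip at runtime: `go test ./internal/license/...` asserts the bypass is off even with the variable exported, and `go test -tags dev ./internal/license/...` asserts it follows the variable, which is what "tests assert both directions" means. The exact-string comparison is deliberate; accepting anything non-empty would make an accidentally inherited `OPENWATCH_DEV_MODE=0` unlock features in a dev build.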

… bypass

owlicgen mints/signs license JWTs — that is Hanalyx-as-issuer infrastructure,
not part of the product customers run (and the repo is heading to open source).
Remove cmd/owlicgen; it is preserved as issuer reference under
~/hanalyx/OWAR/licensing/ with an implementation guide for the hanalyx.com
dashboard team. The product keeps only license *verification* (internal/license),
never minting. Nothing automated depended on owlicgen (tests mint JWTs via their
own fixtures).

To keep local paid-feature testing working without minting a license, add a
build-tag-gated dev entitlement bypass:
- entitlements_release.go (//go:build !dev): devEntitlementsEnabled()=false —
  physically absent from release binaries; IsEnabled behaves normally.
- entitlements_dev.go (//go:build dev): unlocks features only when
  OPENWATCH_DEV_MODE=true. Two gates (build tag AND env), so a release binary
  can never unlock paid features from the environment alone.
- IsEnabled short-circuits on the bypass.
- scripts/openwatch.sh builds with -tags dev and sets OPENWATCH_DEV_MODE=true.
- Tests both ways: release build asserts the bypass is OFF even with the env set
  (release-safety guard); -tags dev build asserts it gates on the env var.

Also reword the api-license AC and the LoadJWT comment that name-dropped owlicgen.

Completes the owlicgen removal (the deletion landed in the previous commit):
- build-tag-gated dev entitlement bypass (entitlements_{release,dev}.go) wired
  into IsEnabled; OFF in release builds, ON only under -tags dev with
  OPENWATCH_DEV_MODE=true. Tests assert both directions.
- scripts/openwatch.sh builds -tags dev and sets OPENWATCH_DEV_MODE=true so local
  dev keeps paid-feature access without minting a license.
- reword api-license AC-10 and the LoadJWT comment that referenced owlicgen.
@remyluslosius remyluslosius merged commit 9dbf7e8 into main Jun 27, 2026
13 checks passed
@remyluslosius remyluslosius deleted the chore/move-owlicgen-out branch June 27, 2026 15:14
remyluslosius added a commit that referenced this pull request Jun 27, 2026
Stage 1 docs freeze for rc.17.
- packaging/version.env -> 0.2.0-rc.17
- CHANGELOG.md: roll [Unreleased] into a dated [0.2.0-rc.17] section; add the
  two operator-facing security entries from this cycle (real offline
  license/policy signing keys + build guard; OIDC/notification SSRF hardening).
- refresh the rc version string in the SERVICE_DOWN / DISK_FULL runbooks.

Bundles since rc.16: #701 (SEC-H1 real signing keys + regression guards),
#702 (owlicgen removed from the product), #703 (SEC-H2 OIDC SSRF guard +
non-gating transactionlog perf test). Verified: changelog format gate green,
version injects, specter check + coverage 100%.