prod-guard-oss

← Back to index

Licensing

This document explains the prod-guard licensing model, how licenses work, how they are validated, and what happens when a license is missing or expired.

---

Overview

prod-guard uses a signed offline license model. No network calls, no SaaS dependency, and no runtime activation are required.

Licensing is designed to be:

• Offline-first – no external connectivity required
• Secure – cryptographically signed licenses
• Predictable – behavior is deterministic at startup
• Production-safe – no license server failures

---

License Types

prod-guard currently supports the following license types:

• FREE – default, no license required
• PREMIUM – enables advanced production checks

The license tier controls which checks are allowed to execute.

---

What a License Enables

Capability	FREE	PREMIUM
FREE checks (PG-0xx / PG-1xx)	✔	✔
PREMIUM checks (PG-2xx)	✘	✔
Offline usage	✔	✔
Startup validation	✔	✔

---

License File

A prod-guard license is distributed as a single file, typically named:

prodguard.lic

The license file contains:

• License payload (JSON)
• Cryptographic signature (Ed25519)

The payload includes:

• Licensee name
• License tier
• Issue date
• Expiration date

---

Cryptographic Model

prod-guard uses Ed25519 for license signing and verification.

• Licenses are signed using a private key (offline, CLI-only)
• Applications embed the public key for verification

At runtime:

• The license file is read
• The payload is verified against the signature
• No private key is ever shipped with applications

---

License Validation Lifecycle

License validation happens once at application startup.

1. Read license file
2. Parse payload and signature
3. Verify cryptographic signature
4. Check expiration date
5. Create a runtime LicenseContext

The result is cached and reused during the entire application lifecycle.

---

Behavior Without a License

If no license is present:

• FREE checks are executed
• PREMIUM checks are skipped
• Warnings are logged for skipped PREMIUM checks

Example log:

[prod-guard] premium check PG-203 present but no valid license found

---

Expired Licenses

Expired licenses behave the same as missing licenses, with explicit logging.

• PREMIUM checks are skipped
• FREE checks continue to run
• A warning is logged indicating expiration

Example log:

[prod-guard] license expired on 2026-01-23 (licensee: Vicente_lopez)

---

Expiration Warnings

prod-guard emits proactive warnings before license expiration.

By default:

• A warning is logged when the license expires within a configurable number of days

Example:

[prod-guard] License expires in 14 days (licensee: Vicente_lopez)

---

Configuration

The license file location is configured via properties or YAML:

prodguard:
  license:
    path: ./prodguard.lic

If the property is not set, prod-guard runs in FREE mode.

---

Operational Guarantees

• No license calls during runtime
• No remote dependencies
• No startup delays due to licensing
• No application shutdown on license failure

Licensing never blocks application startup by itself.

---

Why This Model

This licensing approach was chosen to align with production constraints:

• Air-gapped environments
• Regulated industries
• CI/CD and containerized deployments
• Predictable startup behavior

---

Next Steps

← Back to index

• Configuration – YAML / properties reference
• Checks Reference – full list of checks and tiers
• Architecture – internal design and flow
• Pricing – Price and how to get license