From be1d71c61d3b707cc7196a0befaae86142f47996 Mon Sep 17 00:00:00 2001
From: ChesnoTech <263363000+ChesnoTech@users.noreply.github.com>
Date: Fri, 8 May 2026 00:27:54 +0300
Subject: [PATCH 1/2] =?UTF-8?q?P0:=20anti-piracy=20hardening=20=E2=80=94?=
 =?UTF-8?q?=20RS256=20JWT=20+=20DB=20row=20HMAC=20+=20remove=20wildcard?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Eliminates trivial license-bypass paths from the threat model:

1. JWT signing HS256 -> RS256 (asymmetric)
   - Hardcoded secret 'keygate-community-verification-key-2026' no longer
     enables forging enterprise tokens. Private key only on Cloudflare
     Worker (LICENSE_PRIVATE_KEY secret); public key embedded in
     license-helpers.php for verify-only.
   - PHP decodeLicenseJwt() uses openssl_verify(OPENSSL_ALGO_SHA256).
   - Worker uses crypto.subtle RSASSA-PKCS1-v1_5 SHA-256.
   - Removed createLicenseJwt() — local code never signs in prod.
   - 90-day legacy HS256 verify window via LEGACY_HS256_SECRET +
     /api/migrate route for existing customers.

2. DB row integrity HMAC
   - New column license_info.integrity_hmac (CHAR(64)).
   - Per-instance license_row_secret in system_config, rotated on every
     successful registerLicense().
   - getEffectiveLicense(), canAddTechnician(), canAddKeys(), and
     isFeatureAvailable() all re-check HMAC; mismatch -> forced
     community fallback + validation_status='invalid'.
   - Defeats direct INSERT bypass: attacker needs both row fields AND
     the per-instance secret, and the secret rotates.

3. Wildcard instance_id='*' removed
   - Worker GitHub Sponsors / LemonSqueezy / T-Bank flows no longer
     issue wildcard tokens. Pending purchases stored as
     pending_claim:true; customer binds via /api/claim with their
     installation's instance_id.
   - registerLicense() rejects wildcard payloads.

4. Dev license generation hardened
   - Local signing removed. /api/dev-issue Worker route gated by
     DEV_TOKEN secret. LicenseController calls Worker, requires admin
     to paste DEV_TOKEN.

5. Frontend
   - "Claim license" card (GitHub Sponsors / pending purchases).
   - "Migrate legacy license" card (HS256 -> RS256).
   - DEV_TOKEN input on Dev Tools card.
   - 12 new i18n keys in en.json + ru.json.

Files:
- license-server/worker.js, wrangler.toml — RS256 signer, /api/claim,
  /api/migrate, /api/dev-issue, no-wildcard issuance
- functions/license-helpers.php — RS256 verify, row HMAC, secret
  rotation, wildcard rejection
- controllers/admin/LicenseController.php — Worker dev-issue, claim,
  migrate handlers
- admin_v2.php — register license_claim, license_migrate actions
- database/license_p0_hmac_migration.sql — integrity_hmac column
- database/docker-init/00-init.sh, install/ajax.php — migration phase 27
- frontend/api/license.ts, hooks/use-license.ts, pages/license/index.tsx,
  test/api-contracts.test.ts, i18n/en.json, i18n/ru.json
- .gitignore — exclude license-server/.keys/

Backward-compat: v2.2.0 community installs auto-fallback to community
on first boot post-upgrade (HS256 rejected, banner prompts
re-register). Single existing paid customer migrates via /api/migrate.

Verification (live PHP smoke test):
- RS256 token verifies via openssl_verify -> OK
- Legacy HS256 token verifies during migration window -> OK
- Tampered JWT signature -> rejected
- HMAC compute returns 64 hex chars

Phase 1 of 3. P1 (hardware-fingerprint + rebind quota) and P2
(phone-home grace + revocation) follow in separate PRs.

Plan: ~/.claude/plans/polymorphic-coalescing-bumblebee.md

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .gitignore                                    |   3 +
 FINAL_PRODUCTION_SYSTEM/admin_v2.php          |   2 +
 .../controllers/admin/LicenseController.php   | 166 +++++++-
 .../database/docker-init/00-init.sh           |   3 +
 .../database/license_p0_hmac_migration.sql    |  18 +
 .../frontend/src/api/license.ts               |  29 +-
 .../frontend/src/hooks/use-license.ts         |  36 +-
 .../frontend/src/i18n/en.json                 |  12 +
 .../frontend/src/i18n/ru.json                 |  12 +
 .../frontend/src/pages/license/index.tsx      |  99 ++++-
 .../frontend/src/test/api-contracts.test.ts   |   2 +
 .../functions/license-helpers.php             | 238 ++++++++++--
 FINAL_PRODUCTION_SYSTEM/install/ajax.php      |   1 +
 license-server/worker.js                      | 367 ++++++++++++++----
 license-server/wrangler.toml                  |  27 +-
 15 files changed, 878 insertions(+), 137 deletions(-)
 create mode 100644 FINAL_PRODUCTION_SYSTEM/database/license_p0_hmac_migration.sql

diff --git a/.gitignore b/.gitignore
index c0bd259..2417e1d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -30,6 +30,9 @@ FINAL_PRODUCTION_SYSTEM/uploads/client-resources/
 FINAL_PRODUCTION_SYSTEM/install/install.log
 FINAL_PRODUCTION_SYSTEM/install/.progress.json
 
+# ── License-server private keys (never committed; uploaded to CF) ──
+license-server/.keys/
+
 # ── PHP Dependencies (managed by Composer) ────────────────
 FINAL_PRODUCTION_SYSTEM/vendor/
 
diff --git a/FINAL_PRODUCTION_SYSTEM/admin_v2.php b/FINAL_PRODUCTION_SYSTEM/admin_v2.php
index 5937524..d8d7039 100644
--- a/FINAL_PRODUCTION_SYSTEM/admin_v2.php
+++ b/FINAL_PRODUCTION_SYSTEM/admin_v2.php
@@ -337,6 +337,8 @@
     'license_register'         => ['LicenseController.php', 'handle_license_register',       true,  true],
     'license_deactivate'       => ['LicenseController.php', 'handle_license_deactivate',     true,  true],
     'license_generate_dev'     => ['LicenseController.php', 'handle_license_generate_dev',   true,  true],
+    'license_claim'            => ['LicenseController.php', 'handle_license_claim',          true,  true],
+    'license_migrate'          => ['LicenseController.php', 'handle_license_migrate',        true,  true],
 
     // system upgrade
     'upgrade_check_github'     => ['UpgradeController.php', 'handle_upgrade_check_github',     false, true],
diff --git a/FINAL_PRODUCTION_SYSTEM/controllers/admin/LicenseController.php b/FINAL_PRODUCTION_SYSTEM/controllers/admin/LicenseController.php
index 4020115..d975954 100644
--- a/FINAL_PRODUCTION_SYSTEM/controllers/admin/LicenseController.php
+++ b/FINAL_PRODUCTION_SYSTEM/controllers/admin/LicenseController.php
@@ -89,8 +89,11 @@ function handle_license_deactivate(PDO $pdo, array $admin_session, $json_input):
     jsonResponse(['success' => true, 'message' => 'License deactivated']);
 }
 
-// ── Generate Development License (dev/testing only) ──
-
+// ── Generate Development License (calls Worker /api/dev-issue) ──
+//
+// Local signing was removed in v2.3.0 (P0 hardening). The Worker is the
+// only entity that holds the RS256 private key. Founder provides a
+// DEV_TOKEN (matching the Cloudflare secret) to authorize.
 function handle_license_generate_dev(PDO $pdo, array $admin_session, $json_input): void {
     requirePermission('system_settings', $admin_session);
 
@@ -101,34 +104,155 @@ function handle_license_generate_dev(PDO $pdo, array $admin_session, $json_input
         return;
     }
 
-    $tier = $json_input['tier'] ?? 'pro';
+    $tier      = $json_input['tier'] ?? 'pro';
+    $devToken  = $json_input['dev_token'] ?? '';
     if (!isset(LICENSE_TIERS[$tier])) {
         jsonResponse(['success' => false, 'error' => 'Invalid tier']);
         return;
     }
+    if (empty($devToken)) {
+        jsonResponse([
+            'success' => false,
+            'error'   => 'DEV_TOKEN required. Set the same value via wrangler secret put DEV_TOKEN on the Worker.',
+        ]);
+        return;
+    }
 
     $instanceId = getInstanceId($pdo);
-    $tierDef = LICENSE_TIERS[$tier];
-
-    $payload = [
-        'iss'              => 'keygate-dev',
-        'tier'             => $tier,
-        'instance_id'      => $instanceId,
-        'email'            => 'dev@localhost',
-        'name'             => 'Development License',
-        'max_technicians'  => $tierDef['max_technicians'],
-        'max_keys'         => $tierDef['max_keys'],
-        'iat'              => time(),
-        'exp'              => time() + (365 * 86400), // 1 year
-    ];
-
-    $jwt = createLicenseJwt($payload);
+
+    $body = json_encode([
+        'tier'        => $tier,
+        'email'       => 'dev@localhost',
+        'instance_id' => $instanceId,
+        'dev_token'   => $devToken,
+    ]);
+    $ctx = stream_context_create([
+        'http' => [
+            'method'  => 'POST',
+            'header'  => "Content-Type: application/json\r\n",
+            'content' => $body,
+            'timeout' => 10,
+            'ignore_errors' => true,
+        ],
+    ]);
+    $resp = @file_get_contents(KEYGATE_LICENSE_SERVER . '/api/dev-issue', false, $ctx);
+    if ($resp === false) {
+        jsonResponse(['success' => false, 'error' => 'Could not reach license server. Check network.']);
+        return;
+    }
+    $decoded = json_decode($resp, true);
+    if (!is_array($decoded)) {
+        jsonResponse(['success' => false, 'error' => 'License server returned invalid response.']);
+        return;
+    }
+
+    if (empty($decoded['success'])) {
+        jsonResponse(['success' => false, 'error' => $decoded['error'] ?? 'Worker rejected request.']);
+        return;
+    }
 
     jsonResponse([
         'success'     => true,
-        'license_key' => $jwt,
-        'tier'        => $tier,
+        'license_key' => $decoded['license_key'],
+        'tier'        => $decoded['tier'] ?? $tier,
+        'instance_id' => $instanceId,
+        'expires_at'  => $decoded['expires_at'] ?? null,
+        'message'     => 'Development license issued by Worker. Paste into Registration field.',
+    ]);
+}
+
+// ── Claim license (GitHub Sponsors / pending payments) ──
+//
+// Body: { email, sponsor_login? }
+// Calls Worker /api/claim with the local instance_id. Worker mints an
+// RS256 JWT bound to this install.
+function handle_license_claim(PDO $pdo, array $admin_session, $json_input): void {
+    requirePermission('system_settings', $admin_session);
+
+    $email         = trim($json_input['email'] ?? '');
+    $sponsorLogin  = trim($json_input['sponsor_login'] ?? '');
+    if (empty($email)) {
+        jsonResponse(['success' => false, 'error' => 'Email is required']);
+        return;
+    }
+
+    $instanceId = getInstanceId($pdo);
+    $body = json_encode([
+        'email'         => $email,
+        'instance_id'   => $instanceId,
+        'sponsor_login' => $sponsorLogin ?: null,
+    ]);
+    $ctx = stream_context_create([
+        'http' => [
+            'method'  => 'POST',
+            'header'  => "Content-Type: application/json\r\n",
+            'content' => $body,
+            'timeout' => 10,
+            'ignore_errors' => true,
+        ],
+    ]);
+    $resp = @file_get_contents(KEYGATE_LICENSE_SERVER . '/api/claim', false, $ctx);
+    if ($resp === false) {
+        jsonResponse(['success' => false, 'error' => 'Could not reach license server']);
+        return;
+    }
+    $decoded = json_decode($resp, true);
+    if (!is_array($decoded) || empty($decoded['success'])) {
+        jsonResponse(['success' => false, 'error' => $decoded['error'] ?? 'Claim failed']);
+        return;
+    }
+
+    // Auto-register the freshly-issued JWT.
+    $regResult = registerLicense($pdo, $decoded['license_key']);
+    jsonResponse(array_merge($regResult, [
+        'license_key' => $decoded['license_key'],
+        'expires_at'  => $decoded['expires_at'] ?? null,
+    ]));
+}
+
+// ── Migrate legacy HS256 license to RS256 ──
+//
+// Body: { license_key (legacy HS256) }
+// Calls Worker /api/migrate. Re-issues an RS256 JWT bound to this
+// instance_id. Auto-registers on success.
+function handle_license_migrate(PDO $pdo, array $admin_session, $json_input): void {
+    requirePermission('system_settings', $admin_session);
+
+    $legacyKey = trim($json_input['license_key'] ?? '');
+    if (empty($legacyKey)) {
+        jsonResponse(['success' => false, 'error' => 'license_key is required']);
+        return;
+    }
+
+    $instanceId = getInstanceId($pdo);
+    $body = json_encode([
+        'license_key' => $legacyKey,
         'instance_id' => $instanceId,
-        'message'     => "Development {$tierDef['label']} license generated. Paste it into the registration field.",
     ]);
+    $ctx = stream_context_create([
+        'http' => [
+            'method'  => 'POST',
+            'header'  => "Content-Type: application/json\r\n",
+            'content' => $body,
+            'timeout' => 10,
+            'ignore_errors' => true,
+        ],
+    ]);
+    $resp = @file_get_contents(KEYGATE_LICENSE_SERVER . '/api/migrate', false, $ctx);
+    if ($resp === false) {
+        jsonResponse(['success' => false, 'error' => 'Could not reach license server']);
+        return;
+    }
+    $decoded = json_decode($resp, true);
+    if (!is_array($decoded) || empty($decoded['success'])) {
+        jsonResponse(['success' => false, 'error' => $decoded['error'] ?? 'Migration failed']);
+        return;
+    }
+
+    // Auto-register the freshly-issued RS256 JWT.
+    $regResult = registerLicense($pdo, $decoded['license_key']);
+    jsonResponse(array_merge($regResult, [
+        'license_key' => $decoded['license_key'],
+        'expires_at'  => $decoded['expires_at'] ?? null,
+    ]));
 }
diff --git a/FINAL_PRODUCTION_SYSTEM/database/docker-init/00-init.sh b/FINAL_PRODUCTION_SYSTEM/database/docker-init/00-init.sh
index fb6bcc1..55ca959 100644
--- a/FINAL_PRODUCTION_SYSTEM/database/docker-init/00-init.sh
+++ b/FINAL_PRODUCTION_SYSTEM/database/docker-init/00-init.sh
@@ -149,6 +149,9 @@ run_sql "task_pipeline_migration.sql"         25
 # Phase 14: Production tracking & enterprise key management
 run_sql "production_tracking_migration.sql"   26
 
+# Phase 15: License row integrity HMAC (P0 anti-piracy)
+run_sql "license_p0_hmac_migration.sql"       27
+
 echo ""
 echo "=== Database initialization complete ==="
 echo ""
diff --git a/FINAL_PRODUCTION_SYSTEM/database/license_p0_hmac_migration.sql b/FINAL_PRODUCTION_SYSTEM/database/license_p0_hmac_migration.sql
new file mode 100644
index 0000000..a6d965d
--- /dev/null
+++ b/FINAL_PRODUCTION_SYSTEM/database/license_p0_hmac_migration.sql
@@ -0,0 +1,18 @@
+-- =============================================================
+-- KeyGate v2.3.0 P0 — License row integrity HMAC
+-- =============================================================
+-- Adds an HMAC column to license_info so any row directly INSERTed/UPDATEd
+-- without going through registerLicense() (which knows the per-instance
+-- row secret) is detected as tampered and forced back to community tier.
+--
+-- The HMAC formula and verification live in functions/license-helpers.php
+-- (computeLicenseRowHmac / verifyLicenseRow).
+-- =============================================================
+
+ALTER TABLE `#__license_info`
+  ADD COLUMN integrity_hmac CHAR(64) NOT NULL DEFAULT '' AFTER validation_status;
+
+-- Existing rows (legacy paid customers from v2.2.x) have an empty hmac
+-- → verifyLicenseRow returns false → they fall back to community on
+-- next read. Customers re-register via /api/migrate to get a fresh
+-- RS256 JWT, and that path computes a valid HMAC on insert.
diff --git a/FINAL_PRODUCTION_SYSTEM/frontend/src/api/license.ts b/FINAL_PRODUCTION_SYSTEM/frontend/src/api/license.ts
index 348615f..eb38457 100644
--- a/FINAL_PRODUCTION_SYSTEM/frontend/src/api/license.ts
+++ b/FINAL_PRODUCTION_SYSTEM/frontend/src/api/license.ts
@@ -56,7 +56,7 @@ export function deactivateLicense() {
   return apiPostJson<{ success: boolean; message: string }>('license_deactivate')
 }
 
-export function generateDevLicense(tier: string) {
+export function generateDevLicense(tier: string, devToken: string) {
   return apiPostJson<{
     success: boolean
     license_key?: string
@@ -64,5 +64,30 @@ export function generateDevLicense(tier: string) {
     instance_id?: string
     message?: string
     error?: string
-  }>('license_generate_dev', { tier })
+  }>('license_generate_dev', { tier, dev_token: devToken })
+}
+
+// P0: claim a pending GitHub Sponsors / LemonSqueezy / T-Bank purchase by
+// binding it to this install's instance_id. Worker mints an RS256 JWT.
+export function claimLicense(email: string, sponsorLogin?: string) {
+  return apiPostJson<{
+    success: boolean
+    license_key?: string
+    tier?: string
+    expires_at?: string
+    message?: string
+    error?: string
+  }>('license_claim', { email, sponsor_login: sponsorLogin || '' })
+}
+
+// P0: migrate a legacy HS256 license to RS256 (90-day window post v2.3.0).
+export function migrateLegacyLicense(licenseKey: string) {
+  return apiPostJson<{
+    success: boolean
+    license_key?: string
+    tier?: string
+    expires_at?: string
+    message?: string
+    error?: string
+  }>('license_migrate', { license_key: licenseKey })
 }
diff --git a/FINAL_PRODUCTION_SYSTEM/frontend/src/hooks/use-license.ts b/FINAL_PRODUCTION_SYSTEM/frontend/src/hooks/use-license.ts
index 678ece9..c8a7447 100644
--- a/FINAL_PRODUCTION_SYSTEM/frontend/src/hooks/use-license.ts
+++ b/FINAL_PRODUCTION_SYSTEM/frontend/src/hooks/use-license.ts
@@ -6,6 +6,8 @@ import {
   registerLicense,
   deactivateLicense,
   generateDevLicense,
+  claimLicense,
+  migrateLegacyLicense,
 } from '@/api/license'
 
 export function useLicenseStatus() {
@@ -47,7 +49,8 @@ export function useDeactivateLicense() {
 export function useGenerateDevLicense() {
   const { t } = useTranslation()
   return useMutation({
-    mutationFn: (tier: string) => generateDevLicense(tier),
+    mutationFn: ({ tier, devToken }: { tier: string; devToken: string }) =>
+      generateDevLicense(tier, devToken),
     onSuccess: (data) => {
       if (data.success) {
         toast.success(data.message || t('license.dev_generated', 'Dev license generated'))
@@ -56,3 +59,34 @@ export function useGenerateDevLicense() {
     onError: (e: Error) => toast.error(e.message),
   })
 }
+
+export function useClaimLicense() {
+  const qc = useQueryClient()
+  const { t } = useTranslation()
+  return useMutation({
+    mutationFn: ({ email, sponsorLogin }: { email: string; sponsorLogin?: string }) =>
+      claimLicense(email, sponsorLogin),
+    onSuccess: (data) => {
+      qc.invalidateQueries({ queryKey: ['license-status'] })
+      if (data.success) {
+        toast.success(data.message || t('license.claimed', 'License claimed and activated'))
+      }
+    },
+    onError: (e: Error) => toast.error(e.message),
+  })
+}
+
+export function useMigrateLegacyLicense() {
+  const qc = useQueryClient()
+  const { t } = useTranslation()
+  return useMutation({
+    mutationFn: (key: string) => migrateLegacyLicense(key),
+    onSuccess: (data) => {
+      qc.invalidateQueries({ queryKey: ['license-status'] })
+      if (data.success) {
+        toast.success(data.message || t('license.migrated', 'License migrated to RS256'))
+      }
+    },
+    onError: (e: Error) => toast.error(e.message),
+  })
+}
diff --git a/FINAL_PRODUCTION_SYSTEM/frontend/src/i18n/en.json b/FINAL_PRODUCTION_SYSTEM/frontend/src/i18n/en.json
index ea1d80d..95eab65 100644
--- a/FINAL_PRODUCTION_SYSTEM/frontend/src/i18n/en.json
+++ b/FINAL_PRODUCTION_SYSTEM/frontend/src/i18n/en.json
@@ -1733,6 +1733,18 @@
     "sub.tab_payment": "Payment",
     "sub.tab_key": "License Key",
     "sub.tab_billing": "Billing",
+    "sub.claim_title": "Claim a GitHub Sponsors / pending purchase",
+    "sub.claim_desc": "If you sponsored ChesnoTech on GitHub or your LemonSqueezy/T-Bank checkout did not include your instance ID, claim your license here. The server binds it to this installation and issues your key.",
+    "sub.claim_email": "Email used at checkout / GitHub sponsor email",
+    "sub.claim_sponsor": "GitHub sponsor login (optional)",
+    "sub.claim_button": "Claim & bind to this install",
+    "sub.migrate_title": "Migrate legacy license (pre-v2.3)",
+    "sub.migrate_desc": "If you have a license key issued before May 2026 (HS256 algorithm), use this to upgrade it to the new RS256 format. Available until 2026-08-08.",
+    "sub.migrate_placeholder": "Paste the legacy HS256 license key...",
+    "sub.migrate_button": "Migrate to RS256 & activate",
+    "sub.dev_token_placeholder": "DEV_TOKEN (matches Worker secret)",
+    "license.claimed": "License claimed and activated",
+    "license.migrated": "License migrated to RS256",
     "sub.registered_to": "Registered to {{email}}",
     "sub.free_tier": "Free tier — limited to 1 technician and 50 keys",
     "sub.technicians": "Technicians",
diff --git a/FINAL_PRODUCTION_SYSTEM/frontend/src/i18n/ru.json b/FINAL_PRODUCTION_SYSTEM/frontend/src/i18n/ru.json
index 93eb629..178ff1d 100644
--- a/FINAL_PRODUCTION_SYSTEM/frontend/src/i18n/ru.json
+++ b/FINAL_PRODUCTION_SYSTEM/frontend/src/i18n/ru.json
@@ -1733,6 +1733,18 @@
     "sub.tab_payment": "Оплата",
     "sub.tab_key": "Лицензия",
     "sub.tab_billing": "Биллинг",
+    "sub.claim_title": "Привязать спонсорство GitHub / ожидающую покупку",
+    "sub.claim_desc": "Если вы оформили спонсорство ChesnoTech на GitHub или ваша оплата через LemonSqueezy/Т-Банк не содержала идентификатор экземпляра, привяжите лицензию здесь. Сервер свяжет её с этой установкой и выдаст ключ.",
+    "sub.claim_email": "Email при оплате / email GitHub-спонсора",
+    "sub.claim_sponsor": "Логин GitHub-спонсора (необязательно)",
+    "sub.claim_button": "Привязать к этой установке",
+    "sub.migrate_title": "Миграция старой лицензии (до v2.3)",
+    "sub.migrate_desc": "Если у вас лицензия, выданная до мая 2026 (алгоритм HS256), используйте это, чтобы обновить её до нового формата RS256. Доступно до 2026-08-08.",
+    "sub.migrate_placeholder": "Вставьте старый ключ HS256...",
+    "sub.migrate_button": "Перевести в RS256 и активировать",
+    "sub.dev_token_placeholder": "DEV_TOKEN (совпадает с секретом Worker)",
+    "license.claimed": "Лицензия привязана и активирована",
+    "license.migrated": "Лицензия переведена в RS256",
     "sub.registered_to": "Зарегистрирована на {{email}}",
     "sub.free_tier": "Бесплатный тариф — 1 техник, 50 ключей",
     "sub.technicians": "Техники",
diff --git a/FINAL_PRODUCTION_SYSTEM/frontend/src/pages/license/index.tsx b/FINAL_PRODUCTION_SYSTEM/frontend/src/pages/license/index.tsx
index f5b661f..ffd20da 100644
--- a/FINAL_PRODUCTION_SYSTEM/frontend/src/pages/license/index.tsx
+++ b/FINAL_PRODUCTION_SYSTEM/frontend/src/pages/license/index.tsx
@@ -40,6 +40,8 @@ import {
   useRegisterLicense,
   useDeactivateLicense,
   useGenerateDevLicense,
+  useClaimLicense,
+  useMigrateLegacyLicense,
 } from '@/hooks/use-license'
 
 const TIER_COLORS: Record<string, string> = {
@@ -61,11 +63,17 @@ export function LicensePage() {
   const [activeTab, setActiveTab] = useState<Tab>('plan')
   const [licenseKey, setLicenseKey] = useState('')
   const [devLicenseKey, setDevLicenseKey] = useState('')
+  const [devToken, setDevToken] = useState('')
+  const [claimEmail, setClaimEmail] = useState('')
+  const [claimSponsor, setClaimSponsor] = useState('')
+  const [legacyKey, setLegacyKey] = useState('')
 
   const statusQuery = useLicenseStatus()
   const registerMut = useRegisterLicense()
   const deactivateMut = useDeactivateLicense()
   const devGenMut = useGenerateDevLicense()
+  const claimMut = useClaimLicense()
+  const migrateMut = useMigrateLegacyLicense()
 
   const license = statusQuery.data?.license
   const usage = statusQuery.data?.usage
@@ -77,12 +85,36 @@ export function LicensePage() {
   }
 
   const handleGenerateDev = async (tier: string) => {
-    const result = await devGenMut.mutateAsync(tier)
+    if (!devToken.trim()) {
+      alert('DEV_TOKEN required. Set it via `wrangler secret put DEV_TOKEN` on the Worker, then paste here.')
+      return
+    }
+    const result = await devGenMut.mutateAsync({ tier, devToken: devToken.trim() })
     if (result.license_key) {
       setDevLicenseKey(result.license_key)
     }
   }
 
+  const handleClaim = async () => {
+    if (!claimEmail.trim()) return
+    const result = await claimMut.mutateAsync({
+      email: claimEmail.trim(),
+      sponsorLogin: claimSponsor.trim() || undefined,
+    })
+    if (result.license_key) {
+      setClaimEmail('')
+      setClaimSponsor('')
+    }
+  }
+
+  const handleMigrateLegacy = async () => {
+    if (!legacyKey.trim()) return
+    const result = await migrateMut.mutateAsync(legacyKey.trim())
+    if (result.success) {
+      setLegacyKey('')
+    }
+  }
+
   if (statusQuery.isLoading) {
     return (
       <div className="flex-1 p-6 flex items-center justify-center">
@@ -479,7 +511,7 @@ export function LicensePage() {
             <CardContent className="space-y-3">
               <textarea
                 className="w-full h-24 p-3 text-xs font-mono bg-muted/50 border rounded-md resize-none focus:outline-none focus:ring-2 focus:ring-primary"
-                placeholder="eyJhbGciOiJIUzI1NiIs..."
+                placeholder="eyJhbGciOiJSUzI1NiIs..."
                 value={licenseKey}
                 onChange={(e) => setLicenseKey(e.target.value)}
               />
@@ -490,6 +522,58 @@ export function LicensePage() {
             </CardContent>
           </Card>
 
+          {/* P0: Claim purchase (GitHub Sponsors / pending payments) */}
+          <Card>
+            <CardHeader>
+              <CardTitle className="text-base">{t('sub.claim_title', 'Claim a GitHub Sponsors / pending purchase')}</CardTitle>
+              <CardDescription>
+                {t('sub.claim_desc', 'If you sponsored ChesnoTech on GitHub or your LemonSqueezy/T-Bank checkout did not include your instance ID, claim your license here. The server binds it to this installation and issues your key.')}
+              </CardDescription>
+            </CardHeader>
+            <CardContent className="space-y-3">
+              <input
+                type="email"
+                className="w-full p-2 text-sm bg-muted/50 border rounded-md focus:outline-none focus:ring-2 focus:ring-primary"
+                placeholder={t('sub.claim_email', 'Email used at checkout / GitHub sponsor email')}
+                value={claimEmail}
+                onChange={(e) => setClaimEmail(e.target.value)}
+              />
+              <input
+                type="text"
+                className="w-full p-2 text-sm bg-muted/50 border rounded-md focus:outline-none focus:ring-2 focus:ring-primary"
+                placeholder={t('sub.claim_sponsor', 'GitHub sponsor login (optional)')}
+                value={claimSponsor}
+                onChange={(e) => setClaimSponsor(e.target.value)}
+              />
+              <Button onClick={handleClaim} disabled={!claimEmail.trim() || claimMut.isPending} variant="outline">
+                {claimMut.isPending && <Loader2 className="mr-2 h-4 w-4 animate-spin" />}
+                {t('sub.claim_button', 'Claim & bind to this install')}
+              </Button>
+            </CardContent>
+          </Card>
+
+          {/* P0: Migrate legacy HS256 license */}
+          <Card className="border-dashed">
+            <CardHeader>
+              <CardTitle className="text-base">{t('sub.migrate_title', 'Migrate legacy license (pre-v2.3)')}</CardTitle>
+              <CardDescription>
+                {t('sub.migrate_desc', 'If you have a license key issued before May 2026 (HS256 algorithm), use this to upgrade it to the new RS256 format. Available until 2026-08-08.')}
+              </CardDescription>
+            </CardHeader>
+            <CardContent className="space-y-3">
+              <textarea
+                className="w-full h-20 p-3 text-xs font-mono bg-muted/50 border rounded-md resize-none focus:outline-none focus:ring-2 focus:ring-primary"
+                placeholder={t('sub.migrate_placeholder', 'Paste the legacy HS256 license key...')}
+                value={legacyKey}
+                onChange={(e) => setLegacyKey(e.target.value)}
+              />
+              <Button onClick={handleMigrateLegacy} disabled={!legacyKey.trim() || migrateMut.isPending} variant="outline">
+                {migrateMut.isPending && <Loader2 className="mr-2 h-4 w-4 animate-spin" />}
+                {t('sub.migrate_button', 'Migrate to RS256 & activate')}
+              </Button>
+            </CardContent>
+          </Card>
+
           {/* Dev Tools (localhost only) */}
           {(window.location.hostname === 'localhost' || window.location.hostname === '127.0.0.1') && (
             <Card className="border-dashed border-yellow-300 dark:border-yellow-700">
@@ -502,11 +586,18 @@ export function LicensePage() {
                 </CardDescription>
               </CardHeader>
               <CardContent className="space-y-3">
+                <input
+                  type="password"
+                  className="w-full p-2 text-sm bg-muted/50 border rounded-md focus:outline-none focus:ring-2 focus:ring-primary"
+                  placeholder={t('sub.dev_token_placeholder', 'DEV_TOKEN (matches Worker secret)')}
+                  value={devToken}
+                  onChange={(e) => setDevToken(e.target.value)}
+                />
                 <div className="flex gap-2">
-                  <Button variant="outline" size="sm" onClick={() => handleGenerateDev('pro')} disabled={devGenMut.isPending}>
+                  <Button variant="outline" size="sm" onClick={() => handleGenerateDev('pro')} disabled={devGenMut.isPending || !devToken.trim()}>
                     {t('sub.gen_pro', 'Generate Pro')}
                   </Button>
-                  <Button variant="outline" size="sm" onClick={() => handleGenerateDev('enterprise')} disabled={devGenMut.isPending}>
+                  <Button variant="outline" size="sm" onClick={() => handleGenerateDev('enterprise')} disabled={devGenMut.isPending || !devToken.trim()}>
                     {t('sub.gen_enterprise', 'Generate Enterprise')}
                   </Button>
                 </div>
diff --git a/FINAL_PRODUCTION_SYSTEM/frontend/src/test/api-contracts.test.ts b/FINAL_PRODUCTION_SYSTEM/frontend/src/test/api-contracts.test.ts
index 77c2e0e..a37b8af 100644
--- a/FINAL_PRODUCTION_SYSTEM/frontend/src/test/api-contracts.test.ts
+++ b/FINAL_PRODUCTION_SYSTEM/frontend/src/test/api-contracts.test.ts
@@ -177,6 +177,8 @@ const BACKEND_ACTIONS: Record<string, { method: 'GET' | 'POST'; csrf: boolean }>
   license_register:            { method: 'POST', csrf: true },
   license_deactivate:          { method: 'POST', csrf: true },
   license_generate_dev:        { method: 'POST', csrf: true },
+  license_claim:               { method: 'POST', csrf: true },
+  license_migrate:             { method: 'POST', csrf: true },
 
   // system upgrade
   upgrade_check_github:        { method: 'GET',  csrf: false },
diff --git a/FINAL_PRODUCTION_SYSTEM/functions/license-helpers.php b/FINAL_PRODUCTION_SYSTEM/functions/license-helpers.php
index 9aa8877..5212a20 100644
--- a/FINAL_PRODUCTION_SYSTEM/functions/license-helpers.php
+++ b/FINAL_PRODUCTION_SYSTEM/functions/license-helpers.php
@@ -1,9 +1,16 @@
 <?php
 /**
- * KeyGate — License Validation & Enforcement
+ * KeyGate — License Validation & Enforcement (P0: RS256 + DB row HMAC)
  *
  * Provides JWT-based license validation, tier checking, and feature gating.
- * The license system uses a simple JWT format signed with HMAC-SHA256.
+ * As of v2.3.0 the license system uses **RS256 (asymmetric)** signing:
+ *   - Private key lives ONLY on the Cloudflare Worker (LICENSE_PRIVATE_KEY).
+ *   - Public key is embedded in this source file. Verification is local;
+ *     forging a license requires the private key, which never ships.
+ *
+ * Backward-compatibility: a legacy HS256 secret is accepted for 90 days
+ * after a v2.2.x → v2.3.x upgrade so existing customers can re-issue via
+ * the Worker /api/migrate endpoint without losing access.
  *
  * License tiers:
  *   community  — 1 technician, 50 keys, basic features (free)
@@ -15,6 +22,27 @@
 define('KEYGATE_LICENSE_SERVER', 'https://keygate-license-server.msamirvip.workers.dev');
 define('KEYGATE_SPONSORS_URL', 'https://github.com/sponsors/ChesnoTech');
 
+// ── License Verification Public Key (RS256, PKCS#8 SPKI) ─────
+// Generated 2026-05-08 alongside Worker secret LICENSE_PRIVATE_KEY.
+// Safe to commit — public key is only useful for verification.
+define('KEYGATE_LICENSE_PUBLIC_KEY', "-----BEGIN PUBLIC KEY-----\n"
+    . "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA108D/sn25MJwnRtSpl56\n"
+    . "Vr/z8X8dzywMueB7gwDr1gcsgjYSFsqiPQLwxwptap8dl2iifkTVv0wGlSf6/1Sc\n"
+    . "GHQbzISZWO8W4SsADiOZhlV3KLdlLp0A4ttY5OHYQVa52BnANJdBKHqPH1s7/D2k\n"
+    . "t+aaMWYEzaAEjkZzwuxgtyhdDa9Mkk2J7y0TCbo+uGP1cLPwfHcSCuO9LRY14R2f\n"
+    . "OAK3rwrOSoUIw0/xAPaSkx7tW6aOzRAbRMcE++Ppq+GpYg6ZOaROVyrKX2zuNjh8\n"
+    . "8NGYB0IDggRDspi0MAjELUZ/XBm20oXzWLE5T3O+8hBjaeQJ1q5Xk2Rbe080SjxU\n"
+    . "LwIDAQAB\n"
+    . "-----END PUBLIC KEY-----\n");
+
+// ── Legacy HS256 secret (90-day migration window) ────────────
+// REMOVE on 2026-08-08. After that date, only RS256 JWTs verify.
+// Customers with a pre-v2.3 JWT must visit /license and click
+// "Re-register license" — the UI calls /api/migrate which re-issues
+// an RS256 token bound to the same email + new instance_id.
+define('KEYGATE_LEGACY_HS256_SECRET', 'keygate-community-verification-key-2026');
+define('KEYGATE_LEGACY_HS256_DEADLINE', '2026-08-08');
+
 // ── Tier Definitions ────────────────────────────────────────
 
 define('LICENSE_TIERS', [
@@ -109,58 +137,145 @@ function getInstanceId(PDO $pdo): string {
     return $instanceId;
 }
 
-// ── JWT Helpers (HMAC-SHA256, no external deps) ─────────────
+// ── JWT Helpers (RS256 verify-only) ─────────────────────────
 
 function base64UrlEncode(string $data): string {
     return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
 }
 
 function base64UrlDecode(string $data): string {
+    $remainder = strlen($data) % 4;
+    if ($remainder) {
+        $data .= str_repeat('=', 4 - $remainder);
+    }
     return base64_decode(strtr($data, '-_', '+/'));
 }
 
 /**
  * Decode and verify a KeyGate license JWT.
+ *
+ * Verification path:
+ *   1. RS256 with KEYGATE_LICENSE_PUBLIC_KEY (production tokens)
+ *   2. HS256 with KEYGATE_LEGACY_HS256_SECRET (legacy tokens, 90-day window)
+ *      — only attempted if today's date is on/before KEYGATE_LEGACY_HS256_DEADLINE.
+ *
  * Returns the payload array on success, or null on failure.
+ * The `_alg` key in the returned payload tells the caller which path verified.
  *
- * @param string $jwt    The license JWT string
- * @param string $secret The HMAC secret (KeyGate public verification key)
- * @return array|null    Decoded payload or null
+ * Note: production code never signs JWTs locally. The Worker is the only
+ * issuer. createLicenseJwt() was removed in v2.3.0.
  */
-function decodeLicenseJwt(string $jwt, string $secret = 'keygate-community-verification-key-2026'): ?array {
+function decodeLicenseJwt(string $jwt): ?array {
     $parts = explode('.', $jwt);
     if (count($parts) !== 3) {
         return null;
     }
 
     [$headerB64, $payloadB64, $signatureB64] = $parts;
-
-    // Verify signature
-    $signatureCheck = base64UrlEncode(
-        hash_hmac('sha256', "$headerB64.$payloadB64", $secret, true)
-    );
-
-    if (!hash_equals($signatureCheck, $signatureB64)) {
+    $headerJson = base64UrlDecode($headerB64);
+    $header = json_decode($headerJson, true);
+    if (!is_array($header) || empty($header['alg'])) {
         return null;
     }
 
-    $payload = json_decode(base64UrlDecode($payloadB64), true);
-    if (!is_array($payload)) {
-        return null;
+    $signingInput = "$headerB64.$payloadB64";
+    $signature    = base64UrlDecode($signatureB64);
+
+    // ── 1. RS256 (production) ────────────────────────────────
+    if ($header['alg'] === 'RS256') {
+        $verified = openssl_verify(
+            $signingInput,
+            $signature,
+            KEYGATE_LICENSE_PUBLIC_KEY,
+            OPENSSL_ALGO_SHA256
+        );
+        if ($verified !== 1) {
+            return null;
+        }
+        $payload = json_decode(base64UrlDecode($payloadB64), true);
+        if (!is_array($payload)) return null;
+        $payload['_alg'] = 'RS256';
+        return $payload;
+    }
+
+    // ── 2. HS256 legacy (migration window only) ──────────────
+    if ($header['alg'] === 'HS256') {
+        if (!defined('KEYGATE_LEGACY_HS256_DEADLINE') || date('Y-m-d') > KEYGATE_LEGACY_HS256_DEADLINE) {
+            return null;
+        }
+        $expected = hash_hmac(
+            'sha256',
+            $signingInput,
+            KEYGATE_LEGACY_HS256_SECRET,
+            true
+        );
+        if (!hash_equals($expected, $signature)) {
+            return null;
+        }
+        $payload = json_decode(base64UrlDecode($payloadB64), true);
+        if (!is_array($payload)) return null;
+        $payload['_alg'] = 'HS256-legacy';
+        return $payload;
     }
 
-    return $payload;
+    // Unknown alg
+    return null;
+}
+
+// ── DB Row Integrity HMAC (P0.2) ────────────────────────────
+
+/**
+ * Get or generate the per-instance secret used to HMAC license_info rows.
+ * Stored in system_config('license_row_secret'). Rotated on every successful
+ * license registration and (in P2) every successful phone-home validate.
+ */
+function getLicenseRowSecret(PDO $pdo): string {
+    $cached = getConfig('license_row_secret');
+    if (!empty($cached)) return $cached;
+    $secret = bin2hex(random_bytes(32));
+    saveConfigBatch($pdo, ['license_row_secret' => $secret]);
+    return $secret;
+}
+
+/**
+ * Force-rotate the per-instance row secret. Returns the new value.
+ * Caller is responsible for re-stamping any active license_info row.
+ */
+function rotateLicenseRowSecret(PDO $pdo): string {
+    $secret = bin2hex(random_bytes(32));
+    saveConfigBatch($pdo, ['license_row_secret' => $secret]);
+    return $secret;
+}
+
+/**
+ * Compute the integrity HMAC for a license_info row.
+ *
+ *   HMAC_SHA256( license_key | tier | max_techs | max_keys | exp_unix | instance_id, row_secret )
+ *
+ * Anything else in the row (timestamps, JSON features blob, etc.) is not
+ * covered — those fields are derivative or non-security-critical.
+ */
+function computeLicenseRowHmac(string $secret, array $row): string {
+    $material = implode('|', [
+        (string)($row['license_key']     ?? ''),
+        (string)($row['tier']            ?? ''),
+        (string)((int)($row['max_technicians'] ?? 0)),
+        (string)((int)($row['max_keys']        ?? 0)),
+        // expires_at is stored as DATETIME — convert to unix epoch for stable hashing.
+        (string)(empty($row['expires_at']) ? 0 : strtotime($row['expires_at'])),
+        (string)($row['instance_id']     ?? ''),
+    ]);
+    return hash_hmac('sha256', $material, $secret);
 }
 
 /**
- * Create a license JWT (for testing/development only — production keys
- * are generated by the KeyGate license server).
+ * Verify a license_info row's integrity HMAC. Returns true if valid.
+ * Rows missing integrity_hmac (legacy or directly-INSERTed) fail.
  */
-function createLicenseJwt(array $payload, string $secret = 'keygate-community-verification-key-2026'): string {
-    $header = base64UrlEncode(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
-    $body = base64UrlEncode(json_encode($payload));
-    $signature = base64UrlEncode(hash_hmac('sha256', "$header.$body", $secret, true));
-    return "$header.$body.$signature";
+function verifyLicenseRow(PDO $pdo, array $row): bool {
+    if (empty($row['integrity_hmac'])) return false;
+    $expected = computeLicenseRowHmac(getLicenseRowSecret($pdo), $row);
+    return hash_equals($expected, $row['integrity_hmac']);
 }
 
 // ── License Validation ──────────────────────────────────────
@@ -181,12 +296,16 @@ function getCurrentLicense(PDO $pdo): ?array {
 
 /**
  * Get the effective license tier and limits.
- * Falls back to community tier if no valid license.
+ * Falls back to community tier if no valid license OR row HMAC fails
+ * (defeats direct INSERT/UPDATE bypass against license_info).
  */
 function getEffectiveLicense(PDO $pdo): array {
     $license = getCurrentLicense($pdo);
 
-    if ($license && $license['validation_status'] === 'valid') {
+    if ($license
+        && $license['validation_status'] === 'valid'
+        && verifyLicenseRow($pdo, $license)
+    ) {
         $tier = $license['tier'] ?? 'community';
         $tierDef = LICENSE_TIERS[$tier] ?? LICENSE_TIERS['community'];
 
@@ -203,6 +322,19 @@ function getEffectiveLicense(PDO $pdo): array {
         ];
     }
 
+    // Row HMAC failed → mark the row invalid so admin sees the issue.
+    // Best-effort; ignore failures (e.g. integrity_hmac column missing
+    // pre-migration; legacy installs land here on first boot).
+    if ($license && $license['validation_status'] === 'valid') {
+        try {
+            $stmt = $pdo->prepare(
+                "UPDATE `" . t('license_info') . "` SET validation_status = 'invalid' WHERE id = ?"
+            );
+            $stmt->execute([$license['id']]);
+            error_log("KeyGate: license row HMAC mismatch on id=" . $license['id'] . ", forced to community");
+        } catch (Exception $e) { /* legacy installs */ }
+    }
+
     // Default community tier
     $communityDef = LICENSE_TIERS['community'];
     return [
@@ -236,12 +368,22 @@ function registerLicense(PDO $pdo, string $licenseKey): array {
         }
     }
 
-    // Validate instance ID matches
+    // Reject wildcard binding — every license MUST be bound to a specific instance.
+    // Customers paste their instance ID into the checkout form (LemonSqueezy custom
+    // field, T-Bank OrderId encoding, GitHub Sponsors /api/claim flow).
+    if ($payload['instance_id'] === '*') {
+        return [
+            'success' => false,
+            'error' => 'This license uses a deprecated wildcard binding. Re-issue from your purchase email or run /api/claim.',
+        ];
+    }
+
+    // Validate instance ID matches this install
     $instanceId = getInstanceId($pdo);
-    if ($payload['instance_id'] !== $instanceId && $payload['instance_id'] !== '*') {
+    if ($payload['instance_id'] !== $instanceId) {
         return [
             'success' => false,
-            'error' => 'License is for a different installation. Your instance ID: ' . substr($instanceId, 0, 12) . '...',
+            'error' => 'License is bound to a different installation. Your instance ID: ' . substr($instanceId, 0, 12) . '...',
         ];
     }
 
@@ -257,6 +399,25 @@ function registerLicense(PDO $pdo, string $licenseKey): array {
 
     $tierDef = LICENSE_TIERS[$tier];
 
+    // Build the row payload up-front so we can HMAC it.
+    $maxTechs = (int)($payload['max_technicians'] ?? $tierDef['max_technicians']);
+    $maxKeys  = (int)($payload['max_keys']        ?? $tierDef['max_keys']);
+    $expIso   = date('Y-m-d H:i:s', (int)$payload['exp']);
+
+    // ── P0.3: rotate per-instance row secret on every register ──
+    $rowSecret = rotateLicenseRowSecret($pdo);
+
+    // Compute integrity HMAC for the row.
+    $rowForHmac = [
+        'license_key'     => $licenseKey,
+        'tier'            => $tier,
+        'max_technicians' => $maxTechs,
+        'max_keys'        => $maxKeys,
+        'expires_at'      => $expIso,
+        'instance_id'     => $instanceId,
+    ];
+    $integrityHmac = computeLicenseRowHmac($rowSecret, $rowForHmac);
+
     // Deactivate any existing license
     $pdo->exec("UPDATE `" . t('license_info') . "` SET is_active = 0");
 
@@ -265,8 +426,10 @@ function registerLicense(PDO $pdo, string $licenseKey): array {
         INSERT INTO `" . t('license_info') . "`
             (license_key, instance_id, tier, licensed_to_email, licensed_to_name,
              max_technicians, max_keys, features,
-             issued_at, expires_at, last_validated_at, validation_status, is_active)
-        VALUES (?, ?, ?, ?, ?, ?, ?, ?, FROM_UNIXTIME(?), FROM_UNIXTIME(?), NOW(), 'valid', 1)
+             issued_at, expires_at, last_validated_at, validation_status, is_active,
+             integrity_hmac)
+        VALUES (?, ?, ?, ?, ?, ?, ?, ?, FROM_UNIXTIME(?), FROM_UNIXTIME(?), NOW(), 'valid', 1,
+                ?)
     ");
     $stmt->execute([
         $licenseKey,
@@ -274,11 +437,12 @@ function registerLicense(PDO $pdo, string $licenseKey): array {
         $tier,
         $payload['email'] ?? null,
         $payload['name'] ?? null,
-        $payload['max_technicians'] ?? $tierDef['max_technicians'],
-        $payload['max_keys'] ?? $tierDef['max_keys'],
+        $maxTechs,
+        $maxKeys,
         json_encode($tierDef['features']),
         $payload['iat'],
         $payload['exp'],
+        $integrityHmac,
     ]);
 
     // Update system_config
@@ -288,7 +452,11 @@ function registerLicense(PDO $pdo, string $licenseKey): array {
         'success' => true,
         'tier'    => $tier,
         'label'   => $tierDef['label'],
-        'message' => "License registered successfully — {$tierDef['label']} tier activated",
+        'algorithm'=> $payload['_alg'] ?? 'unknown',
+        'message' => "License registered successfully — {$tierDef['label']} tier activated"
+            . (($payload['_alg'] ?? '') === 'HS256-legacy'
+                ? ' (legacy algorithm; please re-issue via Re-register button before ' . KEYGATE_LEGACY_HS256_DEADLINE . ')'
+                : ''),
     ];
 }
 
diff --git a/FINAL_PRODUCTION_SYSTEM/install/ajax.php b/FINAL_PRODUCTION_SYSTEM/install/ajax.php
index d361a41..835106a 100644
--- a/FINAL_PRODUCTION_SYSTEM/install/ajax.php
+++ b/FINAL_PRODUCTION_SYSTEM/install/ajax.php
@@ -463,6 +463,7 @@ function installerMigrationList(): array {
         ['product_variants_migration.sql',   17],
         ['missing_drivers_migration.sql',    18],
         ['unallocated_space_migration.sql',  19],
+        ['license_p0_hmac_migration.sql',    20],
     ];
 }
 
diff --git a/license-server/worker.js b/license-server/worker.js
index 8d45231..39f1989 100644
--- a/license-server/worker.js
+++ b/license-server/worker.js
@@ -30,20 +30,70 @@ function base64UrlEncodeString(str) {
   return btoa(str).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '')
 }
 
-async function createJwt(payload, secret) {
-  const header = base64UrlEncodeString(JSON.stringify({ alg: 'HS256', typ: 'JWT' }))
+// ── PEM PKCS#8 → CryptoKey (cached for the lifetime of an isolate) ──
+let cachedSigningKey = null
+async function importLicensePrivateKey(pemPkcs8) {
+  if (cachedSigningKey) return cachedSigningKey
+  // Strip header/footer + whitespace; decode base64.
+  const b64 = pemPkcs8
+    .replace(/-----BEGIN PRIVATE KEY-----/, '')
+    .replace(/-----END PRIVATE KEY-----/, '')
+    .replace(/\s+/g, '')
+  const bin = Uint8Array.from(atob(b64), c => c.charCodeAt(0))
+  cachedSigningKey = await crypto.subtle.importKey(
+    'pkcs8',
+    bin.buffer,
+    { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' },
+    false,
+    ['sign']
+  )
+  return cachedSigningKey
+}
+
+// ── createJwt (RS256, P0 hardening) ──
+// Switched from HS256 → RS256 in v2.3.0. Private key lives ONLY in the
+// Worker secret store (env.LICENSE_PRIVATE_KEY, PEM PKCS#8). KeyGate PHP
+// instances verify with the matching public key embedded in source.
+async function createJwt(payload, env) {
+  const header = base64UrlEncodeString(JSON.stringify({ alg: 'RS256', typ: 'JWT' }))
   const body = base64UrlEncodeString(JSON.stringify(payload))
   const data = `${header}.${body}`
 
+  const key = await importLicensePrivateKey(env.LICENSE_PRIVATE_KEY)
+  const signature = await crypto.subtle.sign(
+    { name: 'RSASSA-PKCS1-v1_5' },
+    key,
+    new TextEncoder().encode(data)
+  )
+  return `${data}.${base64UrlEncode(signature)}`
+}
+
+// ── Legacy HS256 verify (used only by /api/migrate during transition) ──
+async function verifyLegacyHs256(jwt, secret) {
+  const parts = jwt.split('.')
+  if (parts.length !== 3) return null
+  const [headerB64, payloadB64, sigB64] = parts
+  const header = JSON.parse(atob(headerB64.replace(/-/g, '+').replace(/_/g, '/')))
+  if (header.alg !== 'HS256') return null
   const key = await crypto.subtle.importKey(
     'raw',
     new TextEncoder().encode(secret),
     { name: 'HMAC', hash: 'SHA-256' },
     false,
-    ['sign']
+    ['verify']
   )
-  const signature = await crypto.subtle.sign('HMAC', key, new TextEncoder().encode(data))
-  return `${data}.${base64UrlEncode(signature)}`
+  const sig = Uint8Array.from(
+    atob(sigB64.replace(/-/g, '+').replace(/_/g, '/').padEnd(Math.ceil(sigB64.length / 4) * 4, '=')),
+    c => c.charCodeAt(0)
+  )
+  const ok = await crypto.subtle.verify(
+    'HMAC',
+    key,
+    sig,
+    new TextEncoder().encode(`${headerB64}.${payloadB64}`)
+  )
+  if (!ok) return null
+  return JSON.parse(atob(payloadB64.replace(/-/g, '+').replace(/_/g, '/')))
 }
 
 // ── GitHub Webhook Verification ─────────────────────────────
@@ -123,34 +173,21 @@ async function handleGitHubWebhook(request, env) {
     const tier = getTierFromAmount(amountCents)
     const limits = TIER_LIMITS[tier]
 
-    // Generate license JWT
-    const licensePayload = {
-      iss: 'keygate-license-server',
-      tier: tier,
-      instance_id: '*', // Wildcard — will bind on first use
-      email: email,
-      name: name,
-      github_sponsor: sponsor,
-      max_technicians: limits.max_technicians,
-      max_keys: limits.max_keys,
-      iat: Math.floor(Date.now() / 1000),
-      exp: isOneTime
-        ? Math.floor(Date.now() / 1000) + (10 * 365 * 86400) // 10 years for one-time
-        : Math.floor(Date.now() / 1000) + (400 * 86400),      // ~13 months for monthly
-    }
-
-    const jwt = await createJwt(licensePayload, env.JWT_SECRET)
-
-    // Store in KV
+    // P0: GitHub Sponsors webhooks don't carry an instance_id. We store
+    // the sponsorship with `pending_claim:true` and the customer must call
+    // POST /api/claim to bind their KeyGate instance and receive a JWT.
+    // No wildcard JWT issued at this stage.
     await env.LICENSES.put(`license:${email}`, JSON.stringify({
-      jwt,
       tier,
       sponsor,
       email,
       name,
+      pending_claim: true,
       created_at: new Date().toISOString(),
       amount_cents: amountCents,
       is_one_time: isOneTime,
+      max_technicians: limits.max_technicians,
+      max_keys: limits.max_keys,
     }), { expirationTtl: isOneTime ? 10 * 365 * 86400 : 400 * 86400 })
 
     // TODO: Send email with license key via SendGrid
@@ -158,8 +195,9 @@ async function handleGitHubWebhook(request, env) {
 
     return new Response(JSON.stringify({
       ok: true,
-      message: `License generated for ${email} (${tier} tier)`,
+      message: `Sponsorship recorded for ${email} (${tier} tier). Customer must call POST /api/claim to bind their installation.`,
       tier,
+      pending_claim: true,
     }), { status: 200 })
   }
 
@@ -212,7 +250,7 @@ async function handleRegister(request, env) {
     exp: Math.floor(Date.now() / 1000) + (365 * 86400), // 1 year
   }
 
-  const jwt = await createJwt(payload, env.JWT_SECRET)
+  const jwt = await createJwt(payload, env)
 
   await env.LICENSES.put(`license:${email}`, JSON.stringify({
     jwt,
@@ -319,36 +357,52 @@ async function handleLemonSqueezyWebhook(request, env) {
     const limits = TIER_LIMITS[tier]
     const isLifetime = variantName.includes('lifetime')
 
-    const licensePayload = {
-      iss: 'keygate-license-server',
-      tier: tier,
-      instance_id: '*',
-      email: email,
-      name: name,
-      payment_provider: 'lemonsqueezy',
-      max_technicians: limits.max_technicians,
-      max_keys: limits.max_keys,
-      iat: Math.floor(Date.now() / 1000),
-      exp: isLifetime
-        ? Math.floor(Date.now() / 1000) + (10 * 365 * 86400)
-        : Math.floor(Date.now() / 1000) + (400 * 86400),
-    }
-
-    const jwt = await createJwt(licensePayload, env.JWT_SECRET)
+    // P0: LemonSqueezy may carry instance_id as custom_data; if absent, mark pending.
+    const lsInstanceId = payload.meta?.custom_data?.instance_id || null
 
-    await env.LICENSES.put(`license:${email}`, JSON.stringify({
-      jwt,
+    const baseRecord = {
       tier,
       email,
       name,
       payment_provider: 'lemonsqueezy',
       created_at: new Date().toISOString(),
       is_lifetime: isLifetime,
-    }), { expirationTtl: isLifetime ? 10 * 365 * 86400 : 400 * 86400 })
+      max_technicians: limits.max_technicians,
+      max_keys: limits.max_keys,
+    }
+
+    let jwt = null
+    if (lsInstanceId) {
+      const licensePayload = {
+        iss: 'keygate-license-server',
+        tier,
+        instance_id: lsInstanceId,
+        email,
+        name,
+        payment_provider: 'lemonsqueezy',
+        max_technicians: limits.max_technicians,
+        max_keys: limits.max_keys,
+        iat: Math.floor(Date.now() / 1000),
+        exp: isLifetime
+          ? Math.floor(Date.now() / 1000) + (10 * 365 * 86400)
+          : Math.floor(Date.now() / 1000) + (400 * 86400),
+      }
+      jwt = await createJwt(licensePayload, env)
+      baseRecord.jwt = jwt
+      baseRecord.instance_id = lsInstanceId
+    } else {
+      baseRecord.pending_claim = true
+    }
+
+    await env.LICENSES.put(`license:${email}`, JSON.stringify(baseRecord),
+      { expirationTtl: isLifetime ? 10 * 365 * 86400 : 400 * 86400 })
 
     return new Response(JSON.stringify({
       ok: true,
-      message: `License generated for ${email} (${tier} tier via LemonSqueezy)`,
+      message: jwt
+        ? `License generated for ${email} (${tier} tier via LemonSqueezy)`
+        : `Sponsorship recorded for ${email} — customer must call /api/claim with instance_id`,
+      pending_claim: !jwt,
     }), { status: 200 })
   }
 
@@ -388,48 +442,62 @@ async function handleTBankWebhook(request, env) {
   // For now, we trust the payload (T-Bank sends from known IPs)
 
   if (success && status === 'CONFIRMED') {
-    // Order ID format: "keygate_{email_base64}_{tier}"
+    // Order ID format: "keygate_{email_base64}_{tier}_{instance_id_base64}"
+    // Old 3-part format also accepted but produces a pending_claim record.
     const parts = orderId.split('_')
     if (parts.length < 3 || parts[0] !== 'keygate') {
       return new Response(JSON.stringify({ ok: true, message: 'Not a KeyGate order' }), { status: 200 })
     }
 
-    let email, tier
+    let email, tier, instanceId
     try {
       email = atob(parts[1])
       tier = parts[2] || 'pro'
+      instanceId = parts.length >= 4 ? atob(parts[3]) : null
     } catch {
       return new Response(JSON.stringify({ error: 'Invalid order ID format' }), { status: 400 })
     }
 
     const limits = TIER_LIMITS[tier] || TIER_LIMITS.pro
-
-    const licensePayload = {
-      iss: 'keygate-license-server',
-      tier: tier,
-      instance_id: '*',
-      email: email,
+    const baseRecord = {
+      tier,
+      email,
       payment_provider: 'tbank',
+      amount_kopecks: amount,
+      created_at: new Date().toISOString(),
       max_technicians: limits.max_technicians,
       max_keys: limits.max_keys,
-      iat: Math.floor(Date.now() / 1000),
-      exp: Math.floor(Date.now() / 1000) + (400 * 86400),
     }
 
-    const jwt = await createJwt(licensePayload, env.JWT_SECRET)
+    let jwt = null
+    if (instanceId) {
+      const licensePayload = {
+        iss: 'keygate-license-server',
+        tier,
+        instance_id: instanceId,
+        email,
+        payment_provider: 'tbank',
+        max_technicians: limits.max_technicians,
+        max_keys: limits.max_keys,
+        iat: Math.floor(Date.now() / 1000),
+        exp: Math.floor(Date.now() / 1000) + (400 * 86400),
+      }
+      jwt = await createJwt(licensePayload, env)
+      baseRecord.jwt = jwt
+      baseRecord.instance_id = instanceId
+    } else {
+      baseRecord.pending_claim = true
+    }
 
-    await env.LICENSES.put(`license:${email}`, JSON.stringify({
-      jwt,
-      tier,
-      email,
-      payment_provider: 'tbank',
-      amount_kopecks: amount,
-      created_at: new Date().toISOString(),
-    }), { expirationTtl: 400 * 86400 })
+    await env.LICENSES.put(`license:${email}`, JSON.stringify(baseRecord),
+      { expirationTtl: 400 * 86400 })
 
     return new Response(JSON.stringify({
       ok: true,
-      message: `License generated for ${email} (${tier} tier via T-Bank)`,
+      message: jwt
+        ? `License generated for ${email} (${tier} tier via T-Bank)`
+        : `Payment recorded for ${email} — customer must call /api/claim with instance_id`,
+      pending_claim: !jwt,
     }), { status: 200 })
   }
 
@@ -453,6 +521,165 @@ async function handleTBankWebhook(request, env) {
   return new Response(JSON.stringify({ ok: true }), { status: 200 })
 }
 
+// ── /api/claim — bind a pending_claim sponsorship to instance_id (P0.5) ──
+//
+// Body: { email, instance_id, sponsor_login? }
+// Looks up KV record. Requires pending_claim:true. Once claimed, mints an
+// RS256 JWT bound to the supplied instance_id. Subsequent claim attempts
+// are rejected (one-shot binding) unless the founder manually clears
+// pending_claim via the future P4 admin dashboard.
+async function handleClaim(request, env) {
+  const { email, instance_id, sponsor_login } = await request.json()
+  if (!email || !instance_id) {
+    return new Response(JSON.stringify({ error: 'email and instance_id required' }), { status: 400 })
+  }
+
+  const stored = await env.LICENSES.get(`license:${email}`, 'json')
+  if (!stored) {
+    return new Response(JSON.stringify({ error: 'No sponsorship found for this email' }), { status: 404 })
+  }
+  if (stored.revoked) {
+    return new Response(JSON.stringify({ error: 'License revoked' }), { status: 403 })
+  }
+  if (!stored.pending_claim) {
+    return new Response(JSON.stringify({ error: 'License already claimed; contact support to rebind' }), { status: 409 })
+  }
+  // Optional sanity check — sponsor_login matches stored sponsor, if provided.
+  if (sponsor_login && stored.sponsor && stored.sponsor !== sponsor_login) {
+    return new Response(JSON.stringify({ error: 'Sponsor login mismatch' }), { status: 403 })
+  }
+
+  const tier = stored.tier
+  const limits = TIER_LIMITS[tier] || TIER_LIMITS.community
+  const isLifetime = !!stored.is_one_time || !!stored.is_lifetime
+  const exp = isLifetime
+    ? Math.floor(Date.now() / 1000) + (10 * 365 * 86400)
+    : Math.floor(Date.now() / 1000) + (400 * 86400)
+
+  const licensePayload = {
+    iss: 'keygate-license-server',
+    tier,
+    instance_id,
+    email,
+    name: stored.name || email.split('@')[0],
+    payment_provider: stored.payment_provider || 'github_sponsors',
+    max_technicians: limits.max_technicians,
+    max_keys: limits.max_keys,
+    iat: Math.floor(Date.now() / 1000),
+    exp,
+  }
+  const jwt = await createJwt(licensePayload, env)
+
+  // Update KV record — pending_claim cleared, jwt + instance_id stored.
+  delete stored.pending_claim
+  stored.jwt = jwt
+  stored.instance_id = instance_id
+  stored.claimed_at = new Date().toISOString()
+  await env.LICENSES.put(`license:${email}`, JSON.stringify(stored),
+    { expirationTtl: isLifetime ? 10 * 365 * 86400 : 400 * 86400 })
+
+  return new Response(JSON.stringify({
+    success: true,
+    license_key: jwt,
+    tier,
+    expires_at: new Date(exp * 1000).toISOString(),
+  }), { status: 200 })
+}
+
+// ── /api/migrate — re-issue legacy HS256 token as RS256 (P0 transition) ──
+//
+// Body: { license_key (legacy HS256), instance_id }
+// Verifies the legacy token with LEGACY_HS256_SECRET, then mints a fresh
+// RS256 JWT bound to the supplied instance_id. Does NOT change the email
+// binding or tier. Available for 90 days post-deploy; remove the secret
+// from Worker after that.
+async function handleMigrate(request, env) {
+  const { license_key, instance_id } = await request.json()
+  if (!license_key || !instance_id) {
+    return new Response(JSON.stringify({ error: 'license_key and instance_id required' }), { status: 400 })
+  }
+  if (!env.LEGACY_HS256_SECRET) {
+    return new Response(JSON.stringify({ error: 'Legacy migration window has closed' }), { status: 410 })
+  }
+
+  const payload = await verifyLegacyHs256(license_key, env.LEGACY_HS256_SECRET)
+  if (!payload) {
+    return new Response(JSON.stringify({ error: 'Legacy JWT signature invalid' }), { status: 400 })
+  }
+  if (payload.exp && payload.exp < Math.floor(Date.now() / 1000)) {
+    return new Response(JSON.stringify({ error: 'Legacy JWT expired; purchase a new license' }), { status: 403 })
+  }
+
+  // Mint RS256 with same tier/email/exp but bind to caller's instance_id.
+  const newPayload = {
+    ...payload,
+    instance_id,
+    iss: 'keygate-license-server',
+    iat: Math.floor(Date.now() / 1000),
+    _migrated_from: 'HS256',
+  }
+  delete newPayload._alg
+  const jwt = await createJwt(newPayload, env)
+
+  // Refresh KV if we have an email anchor.
+  if (payload.email) {
+    const stored = await env.LICENSES.get(`license:${payload.email}`, 'json') || {}
+    stored.jwt = jwt
+    stored.instance_id = instance_id
+    stored.tier = payload.tier
+    stored.email = payload.email
+    delete stored.pending_claim
+    stored.migrated_at = new Date().toISOString()
+    await env.LICENSES.put(`license:${payload.email}`, JSON.stringify(stored),
+      { expirationTtl: Math.max(86400, payload.exp - Math.floor(Date.now() / 1000)) })
+  }
+
+  return new Response(JSON.stringify({
+    success: true,
+    license_key: jwt,
+    tier: payload.tier,
+    expires_at: new Date(payload.exp * 1000).toISOString(),
+  }), { status: 200 })
+}
+
+// ── /api/dev-issue — local dev license (gated by DEV_TOKEN) ────────────
+//
+// Body: { tier, email, instance_id, dev_token }
+// Replaces the old "PHP signs locally with hardcoded secret" path. Now
+// the founder hits the Worker directly; no signing capability ever lives
+// on the customer's PHP host.
+async function handleDevIssue(request, env) {
+  const { tier, email, instance_id, dev_token } = await request.json()
+  if (!env.DEV_TOKEN) {
+    return new Response(JSON.stringify({ error: 'Dev issuance disabled on this Worker' }), { status: 403 })
+  }
+  if (dev_token !== env.DEV_TOKEN) {
+    return new Response(JSON.stringify({ error: 'Invalid dev token' }), { status: 401 })
+  }
+  if (!tier || !instance_id) {
+    return new Response(JSON.stringify({ error: 'tier and instance_id required' }), { status: 400 })
+  }
+  const limits = TIER_LIMITS[tier] || TIER_LIMITS.community
+  const payload = {
+    iss: 'keygate-license-server',
+    tier,
+    instance_id,
+    email: email || 'dev@keygate.local',
+    payment_provider: 'dev',
+    max_technicians: limits.max_technicians,
+    max_keys: limits.max_keys,
+    iat: Math.floor(Date.now() / 1000),
+    exp: Math.floor(Date.now() / 1000) + (90 * 86400),  // 90-day dev license
+  }
+  const jwt = await createJwt(payload, env)
+  return new Response(JSON.stringify({
+    success: true,
+    license_key: jwt,
+    tier,
+    expires_at: new Date(payload.exp * 1000).toISOString(),
+  }), { status: 200 })
+}
+
 // ── License Retrieval (for manual invoice flow) ─────────────
 
 async function handleRetrieveLicense(request, env) {
@@ -510,6 +737,12 @@ export default {
         response = await handleValidate(request, env)
       } else if (path === '/api/retrieve' && request.method === 'GET') {
         response = await handleRetrieveLicense(request, env)
+      } else if (path === '/api/claim' && request.method === 'POST') {
+        response = await handleClaim(request, env)
+      } else if (path === '/api/migrate' && request.method === 'POST') {
+        response = await handleMigrate(request, env)
+      } else if (path === '/api/dev-issue' && request.method === 'POST') {
+        response = await handleDevIssue(request, env)
       } else if (path === '/api/health' && request.method === 'GET') {
         response = new Response(JSON.stringify({
           status: 'ok',
diff --git a/license-server/wrangler.toml b/license-server/wrangler.toml
index 4b151b5..83bfc5a 100644
--- a/license-server/wrangler.toml
+++ b/license-server/wrangler.toml
@@ -7,13 +7,26 @@ compatibility_date = "2024-01-01"
 binding = "LICENSES"
 id = "44c93c6286f44ae1ba2711651a34e78a"
 
-# Environment variables (set via Cloudflare dashboard or `wrangler secret put`)
-# GITHUB_WEBHOOK_SECRET      = "your-github-webhook-secret"
-# LEMONSQUEEZY_WEBHOOK_SECRET = "your-lemonsqueezy-signing-secret"
-# TBANK_TERMINAL_PASSWORD     = "your-tbank-terminal-password"
-# JWT_SECRET                  = "your-jwt-signing-secret"
-# SENDGRID_API_KEY            = "your-sendgrid-key"
-# ADMIN_EMAIL                 = "admin@keygate.dev"
+# Secrets (set via `wrangler secret put NAME` then paste value)
+#
+#   LICENSE_PRIVATE_KEY         RSA PEM PKCS#8. Generated locally with:
+#                                 openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out license_priv.pem
+#                                 openssl pkey -in license_priv.pem -pubout -out license_pub.pem
+#                               Public key embedded in PHP source as KEYGATE_LICENSE_PUBLIC_KEY.
+#                               Private key NEVER leaves Worker secret store.
+#   LEGACY_HS256_SECRET         The pre-v2.3 hardcoded HMAC secret. Used by /api/migrate ONLY.
+#                               Delete after 2026-08-08 (90-day window).
+#                               Value: 'keygate-community-verification-key-2026'
+#   DEV_TOKEN                   Random 32-byte hex; gates /api/dev-issue.
+#                               Generate: php -r "echo bin2hex(random_bytes(32));"
+#   GITHUB_WEBHOOK_SECRET       Set by GitHub Sponsors webhook configuration.
+#   LEMONSQUEEZY_WEBHOOK_SECRET Set by LemonSqueezy webhook configuration.
+#   TBANK_TERMINAL_PASSWORD     Set by T-Bank Касса webhook configuration.
+#   SENDGRID_API_KEY            Optional, for email delivery.
+#   ADMIN_EMAIL                 Optional, recipient for admin notifications.
+#
+# Legacy:
+#   JWT_SECRET                  Pre-v2.3.0 HS256 secret. No longer used. Delete after migration window.
 
 [vars]
 ENVIRONMENT = "production"

From 9770b2e745102140106f3743571d45f9f81d0b5c Mon Sep 17 00:00:00 2001
From: ChesnoTech <263363000+ChesnoTech@users.noreply.github.com>
Date: Fri, 8 May 2026 00:50:27 +0300
Subject: [PATCH 2/2] ci: trigger workflows for PR #24