diff --git a/.gitignore b/.gitignore
index c0bd259..2417e1d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -30,6 +30,9 @@ FINAL_PRODUCTION_SYSTEM/uploads/client-resources/
 FINAL_PRODUCTION_SYSTEM/install/install.log
 FINAL_PRODUCTION_SYSTEM/install/.progress.json
 
+# ── License-server private keys (never committed; uploaded to CF) ──
+license-server/.keys/
+
 # ── PHP Dependencies (managed by Composer) ────────────────
 FINAL_PRODUCTION_SYSTEM/vendor/
 
diff --git a/CLAUDE.md b/CLAUDE.md
index b9433bf..b7b2912 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -27,7 +27,7 @@ main_v3.PS1                                 │   ├── get-key.php
   │                                         │   ├── LicenseController.php
   ├─ Network Diagnostics (MAS-style)        │   └── ... (21 total)
   │   (4-host ping + COM fallback           │
-  │    + MS licensing server test)           ├── admin_v2.php        ← 85 action router
+  │    + MS licensing server test)           ├── admin_v2.php        ← 90 action router
   │                                         │
   ├─ QC Compliance ────────POST──►          ├── functions/           ← 23 helper modules
   │                                         │   ├── email-helpers.php
@@ -70,12 +70,12 @@ CLOUDFLARE WORKER (License Server)
 |--------|-------|
 | Admin Controllers | 21 |
 | API Endpoints | 19 |
-| Admin Actions | 85 |
+| Admin Actions | 90 |
 | Frontend Pages | 24 |
 | Frontend Hooks | 22 |
 | Frontend API Files | 21 |
-| PHP Helper Modules | 23 |
-| DB Migrations | 26 |
+| PHP Helper Modules | 25 |
+| DB Migrations | 29 |
 | Languages | 18 |
 | Sidebar Nav Items | 30 |
 
@@ -191,8 +191,11 @@ CLOUDFLARE WORKER (License Server)
 | 24 | usb_devices_migration.sql | USB device registry |
 | 25 | task_pipeline_migration.sql | Task templates + execution logs |
 | 26 | production_tracking_migration.sql | CBR reports, key pools, work orders, DPK batches |
+| 27 | license_p0_hmac_migration.sql | License row integrity HMAC (P0 anti-piracy) |
+| 28 | license_p1_hwbind_migration.sql | Hardware-bound licensing + 3-per-365 rebind quota (P1) |
+| 29 | license_p2_phonehome_migration.sql | Phone-home grace + revocation jti + clock-drift (P2) |
 
-### Helper Modules (23 files in `functions/`)
+### Helper Modules (25 files in `functions/`)
 | File | Purpose |
 |------|---------|
 | acl.php | Permission checking, role management |
@@ -205,7 +208,9 @@ CLOUDFLARE WORKER (License Server)
 | i18n.php | Translation loading |
 | integration-helpers.php | Event dispatch to osTicket / 1C |
 | key-helpers.php | Key status, recycling logic |
-| license-helpers.php | JWT license validation, tier enforcement |
+| license-helpers.php | JWT license validation, tier enforcement, RS256 verify, row HMAC, hwfp gate |
+| license-phone-home.php | Phone-home validate, grace bands, clock drift, revocation handling (P2) |
+| hardware-fingerprint.php | Cross-OS server hardware fingerprint (machine-id + system UUID + MAC + volume UUID) (P1) |
 | logger.php | Structured logging |
 | network-utils.php | IP whitelisting, trusted networks |
 | push-helpers.php | VAPID push notifications |
diff --git a/FINAL_PRODUCTION_SYSTEM/VERSION.php b/FINAL_PRODUCTION_SYSTEM/VERSION.php
index a500890..d176e6b 100644
--- a/FINAL_PRODUCTION_SYSTEM/VERSION.php
+++ b/FINAL_PRODUCTION_SYSTEM/VERSION.php
@@ -5,6 +5,6 @@
  * This file is updated automatically by the upgrade system.
  * Do NOT edit manually unless you know what you are doing.
  */
-define('APP_VERSION', '2.2.0');
-define('APP_VERSION_CODE', 220);
-define('APP_VERSION_DATE', '2026-05-07');
+define('APP_VERSION', '2.3.0');
+define('APP_VERSION_CODE', 230);
+define('APP_VERSION_DATE', '2026-05-08');
diff --git a/FINAL_PRODUCTION_SYSTEM/admin_v2.php b/FINAL_PRODUCTION_SYSTEM/admin_v2.php
index 5937524..c825fbe 100644
--- a/FINAL_PRODUCTION_SYSTEM/admin_v2.php
+++ b/FINAL_PRODUCTION_SYSTEM/admin_v2.php
@@ -337,6 +337,11 @@
     'license_register'         => ['LicenseController.php', 'handle_license_register',       true,  true],
     'license_deactivate'       => ['LicenseController.php', 'handle_license_deactivate',     true,  true],
     'license_generate_dev'     => ['LicenseController.php', 'handle_license_generate_dev',   true,  true],
+    'license_claim'            => ['LicenseController.php', 'handle_license_claim',          true,  true],
+    'license_migrate'          => ['LicenseController.php', 'handle_license_migrate',        true,  true],
+    'license_redetect_hw'      => ['LicenseController.php', 'handle_license_redetect_hw',    true,  true],
+    'license_rebind'           => ['LicenseController.php', 'handle_license_rebind',         true,  true],
+    'license_force_validate'   => ['LicenseController.php', 'handle_license_force_validate', true,  true],
 
     // system upgrade
     'upgrade_check_github'     => ['UpgradeController.php', 'handle_upgrade_check_github',     false, true],
diff --git a/FINAL_PRODUCTION_SYSTEM/cli/license-validate.php b/FINAL_PRODUCTION_SYSTEM/cli/license-validate.php
new file mode 100644
index 0000000..5ca4f5f
--- /dev/null
+++ b/FINAL_PRODUCTION_SYSTEM/cli/license-validate.php
@@ -0,0 +1,49 @@
+<?php
+/**
+ * KeyGate — License phone-home CLI shim (P2)
+ *
+ * Daily cron entry runs this script to call /api/validate even when no
+ * admin pages have been hit. Idempotent — phoneHomeValidate() throttles
+ * itself via license_info.last_validated_at, so running this hourly or
+ * every minute is safe (only the first call inside the interval fires).
+ *
+ * Suggested cron (Linux):
+ *   0 3 * * * cd /var/www/keygate && /usr/bin/php FINAL_PRODUCTION_SYSTEM/cli/license-validate.php >> /var/log/keygate-phonehome.log 2>&1
+ *
+ * The Windows/IIS path goes through firePhoneHomeAsync()'s synchronous
+ * fallback — the 6-second Worker timeout is tolerable as a once-per-day
+ * blocking call.
+ */
+
+// Run only from CLI — refuse to expose this over HTTP.
+if (PHP_SAPI !== 'cli') {
+    http_response_code(403);
+    echo "This script must be run from the command line.\n";
+    exit(1);
+}
+
+require_once __DIR__ . '/../config.php';
+require_once __DIR__ . '/../functions/admin-helpers.php';
+require_once __DIR__ . '/../functions/license-helpers.php';
+require_once __DIR__ . '/../functions/license-phone-home.php';
+
+$force = in_array('--force', $argv ?? [], true);
+echo '[' . date('c') . "] phone-home start (force=" . ($force ? '1' : '0') . ")\n";
+
+try {
+    $resp = phoneHomeValidate($pdo, $force);
+    if ($resp === null) {
+        echo "[" . date('c') . "] no-op (throttled or no license)\n";
+        exit(0);
+    }
+    echo '[' . date('c') . '] OK valid=' . (!empty($resp['valid']) ? '1' : '0')
+        . ' tier=' . ($resp['tier'] ?? '-')
+        . ' must_rebind=' . (!empty($resp['must_rebind']) ? '1' : '0')
+        . ' revoked=' . (!empty($resp['revoked']) ? '1' : '0')
+        . ' jti=' . substr((string)($resp['jti'] ?? ''), 0, 8)
+        . "\n";
+    exit(0);
+} catch (Exception $e) {
+    fwrite(STDERR, '[' . date('c') . '] ERROR: ' . $e->getMessage() . "\n");
+    exit(2);
+}
diff --git a/FINAL_PRODUCTION_SYSTEM/controllers/admin/LicenseController.php b/FINAL_PRODUCTION_SYSTEM/controllers/admin/LicenseController.php
index 4020115..d0ebd33 100644
--- a/FINAL_PRODUCTION_SYSTEM/controllers/admin/LicenseController.php
+++ b/FINAL_PRODUCTION_SYSTEM/controllers/admin/LicenseController.php
@@ -6,6 +6,7 @@
  */
 
 require_once __DIR__ . '/../../functions/license-helpers.php';
+require_once __DIR__ . '/../../functions/license-phone-home.php';
 
 // ── Get License Status (no auth required — needed for registration wall) ──
 
@@ -26,6 +27,20 @@ function handle_license_status(PDO $pdo, array $admin_session, $json_input): voi
         $keyCount = (int)$stmt->fetchColumn();
     } catch (Exception $e) { /* table may not exist */ }
 
+    // P1: hardware fingerprint info — current host, bound row, drift state.
+    $hwfp = ['composite' => '', 'components' => []];
+    try { $hwfp = getServerHardwareFingerprint($pdo, false); } catch (Exception $e) { /* fail open */ }
+
+    $rebindCount = 0;
+    $boundFingerprint = '';
+    try {
+        $stmt = $pdo->query("SELECT hardware_fingerprint, hwfp_rebind_count, hwfp_bound_at, hwfp_last_rebind_at
+                             FROM `" . t('license_info') . "` WHERE is_active = 1 ORDER BY id DESC LIMIT 1");
+        $row = $stmt->fetch(PDO::FETCH_ASSOC) ?: [];
+        $boundFingerprint = (string)($row['hardware_fingerprint'] ?? '');
+        $rebindCount = (int)($row['hwfp_rebind_count'] ?? 0);
+    } catch (Exception $e) { /* pre-P1 install, columns absent */ }
+
     jsonResponse([
         'success' => true,
         'license' => [
@@ -38,11 +53,97 @@ function handle_license_status(PDO $pdo, array $admin_session, $json_input): voi
             'max_keys'        => $license['max_keys'],
             'features'        => $license['features'],
             'instance_id'     => $instanceId,
+            'rebind_required' => !empty($license['rebind_required']),
+            'rebind_grace_ends' => $license['rebind_grace_ends'] ?? null,
         ],
         'usage' => [
             'technicians' => $techCount,
             'keys'        => $keyCount,
         ],
+        'hardware' => [
+            'current_fingerprint' => (string)($hwfp['composite'] ?? ''),
+            'components'          => $hwfp['components'] ?? [],
+            'bound_fingerprint'   => $boundFingerprint,
+            'rebind_count'        => $rebindCount,
+            'rebind_quota_limit'  => 3,
+            'rebind_window_days'  => 365,
+        ],
+        'phonehome' => _phonehomeStatus($pdo, $license),
+    ]);
+}
+
+/**
+ * Build the phone-home status block for the License page UI (P2).
+ * Reads license_info row + grace band + cached validation response.
+ */
+function _phonehomeStatus(PDO $pdo, array $effective): array {
+    try {
+        $stmt = $pdo->query("SELECT last_validated_at, validation_failure_count,
+                                     last_validation_error, server_time_drift_seconds,
+                                     clock_drift_strikes, current_jti
+                              FROM `" . t('license_info') . "`
+                              WHERE is_active = 1 ORDER BY id DESC LIMIT 1");
+        $row = $stmt->fetch(PDO::FETCH_ASSOC) ?: [];
+    } catch (Exception $e) {
+        return ['available' => false];
+    }
+    $grace = function_exists('checkPhoneHomeGrace')
+        ? checkPhoneHomeGrace($row)
+        : ['band' => 'ok', 'days_since' => 0, 'banner' => null];
+
+    return [
+        'available'                 => true,
+        'last_validated_at'         => $row['last_validated_at'] ?? null,
+        'failure_count'             => (int)($row['validation_failure_count'] ?? 0),
+        'last_error'                => $row['last_validation_error'] ?? null,
+        'server_time_drift_seconds' => (int)($row['server_time_drift_seconds'] ?? 0),
+        'clock_drift_strikes'       => (int)($row['clock_drift_strikes'] ?? 0),
+        'current_jti'               => $row['current_jti'] ?? null,
+        'grace_band'                => $grace['band'],
+        'grace_days'                => $grace['days_since'],
+        'grace_banner'              => $grace['banner'],
+        'grace_banner_threshold_d'  => 14,
+        'grace_hard_threshold_d'    => 30,
+        // Surface the P2 phone-home banner from getEffectiveLicense() so the
+        // UI can show the same message even after community degrade.
+        'effective_band'            => $effective['phonehome_band'] ?? null,
+        'effective_banner'          => $effective['phonehome_banner'] ?? null,
+    ];
+}
+
+// ── Force phone-home validate (P2) ──
+//
+// Body: {} — admin clicks "Validate now" in the Phone-home card.
+// Bypasses the 24h throttle and synchronously calls the Worker.
+function handle_license_force_validate(PDO $pdo, array $admin_session, $json_input): void {
+    requirePermission('system_settings', $admin_session);
+
+    $resp = phoneHomeValidate($pdo, /*force=*/true);
+    if ($resp === null) {
+        jsonResponse([
+            'success' => false,
+            'error'   => 'Phone-home failed (network or no active license)',
+        ]);
+        return;
+    }
+
+    logAdminActivity(
+        $admin_session['admin_id'],
+        $admin_session['id'] ?? 0,
+        'LICENSE_FORCE_VALIDATE',
+        'Forced phone-home validate (jti=' . substr((string)($resp['jti'] ?? ''), 0, 8) . ')'
+    );
+
+    jsonResponse([
+        'success'      => true,
+        'valid'        => !empty($resp['valid']),
+        'tier'         => $resp['tier']      ?? null,
+        'revoked'      => !empty($resp['revoked']),
+        'must_rebind'  => !empty($resp['must_rebind']),
+        'expires_at'   => $resp['expires_at'] ?? null,
+        'jti'          => $resp['jti']        ?? null,
+        'server_time'  => $resp['server_time'] ?? null,
+        'message'      => 'Validated against license server',
     ]);
 }
 
@@ -89,8 +190,11 @@ function handle_license_deactivate(PDO $pdo, array $admin_session, $json_input):
     jsonResponse(['success' => true, 'message' => 'License deactivated']);
 }
 
-// ── Generate Development License (dev/testing only) ──
-
+// ── Generate Development License (calls Worker /api/dev-issue) ──
+//
+// Local signing was removed in v2.3.0 (P0 hardening). The Worker is the
+// only entity that holds the RS256 private key. Founder provides a
+// DEV_TOKEN (matching the Cloudflare secret) to authorize.
 function handle_license_generate_dev(PDO $pdo, array $admin_session, $json_input): void {
     requirePermission('system_settings', $admin_session);
 
@@ -101,34 +205,293 @@ function handle_license_generate_dev(PDO $pdo, array $admin_session, $json_input
         return;
     }
 
-    $tier = $json_input['tier'] ?? 'pro';
+    $tier      = $json_input['tier'] ?? 'pro';
+    $devToken  = $json_input['dev_token'] ?? '';
     if (!isset(LICENSE_TIERS[$tier])) {
         jsonResponse(['success' => false, 'error' => 'Invalid tier']);
         return;
     }
+    if (empty($devToken)) {
+        jsonResponse([
+            'success' => false,
+            'error'   => 'DEV_TOKEN required. Set the same value via wrangler secret put DEV_TOKEN on the Worker.',
+        ]);
+        return;
+    }
 
     $instanceId = getInstanceId($pdo);
-    $tierDef = LICENSE_TIERS[$tier];
-
-    $payload = [
-        'iss'              => 'keygate-dev',
-        'tier'             => $tier,
-        'instance_id'      => $instanceId,
-        'email'            => 'dev@localhost',
-        'name'             => 'Development License',
-        'max_technicians'  => $tierDef['max_technicians'],
-        'max_keys'         => $tierDef['max_keys'],
-        'iat'              => time(),
-        'exp'              => time() + (365 * 86400), // 1 year
-    ];
+    $hwfp       = getServerHardwareFingerprint($pdo, false);
+    $hwfpHex    = (string)($hwfp['composite'] ?? '');
+    if ($hwfpHex === '') {
+        jsonResponse(['success' => false, 'error' => 'Could not compute server hardware fingerprint']);
+        return;
+    }
 
-    $jwt = createLicenseJwt($payload);
+    $body = json_encode([
+        'tier'                 => $tier,
+        'email'                => 'dev@localhost',
+        'instance_id'          => $instanceId,
+        'hardware_fingerprint' => $hwfpHex,
+        'dev_token'            => $devToken,
+    ]);
+    $ctx = stream_context_create([
+        'http' => [
+            'method'  => 'POST',
+            'header'  => "Content-Type: application/json\r\n",
+            'content' => $body,
+            'timeout' => 10,
+            'ignore_errors' => true,
+        ],
+    ]);
+    $resp = @file_get_contents(KEYGATE_LICENSE_SERVER . '/api/dev-issue', false, $ctx);
+    if ($resp === false) {
+        jsonResponse(['success' => false, 'error' => 'Could not reach license server. Check network.']);
+        return;
+    }
+    $decoded = json_decode($resp, true);
+    if (!is_array($decoded)) {
+        jsonResponse(['success' => false, 'error' => 'License server returned invalid response.']);
+        return;
+    }
+
+    if (empty($decoded['success'])) {
+        jsonResponse(['success' => false, 'error' => $decoded['error'] ?? 'Worker rejected request.']);
+        return;
+    }
 
     jsonResponse([
         'success'     => true,
-        'license_key' => $jwt,
-        'tier'        => $tier,
+        'license_key' => $decoded['license_key'],
+        'tier'        => $decoded['tier'] ?? $tier,
         'instance_id' => $instanceId,
-        'message'     => "Development {$tierDef['label']} license generated. Paste it into the registration field.",
+        'expires_at'  => $decoded['expires_at'] ?? null,
+        'message'     => 'Development license issued by Worker. Paste into Registration field.',
+    ]);
+}
+
+// ── Claim license (GitHub Sponsors / pending payments) ──
+//
+// Body: { email, sponsor_login? }
+// Calls Worker /api/claim with the local instance_id. Worker mints an
+// RS256 JWT bound to this install.
+function handle_license_claim(PDO $pdo, array $admin_session, $json_input): void {
+    requirePermission('system_settings', $admin_session);
+
+    $email         = trim($json_input['email'] ?? '');
+    $sponsorLogin  = trim($json_input['sponsor_login'] ?? '');
+    if (empty($email)) {
+        jsonResponse(['success' => false, 'error' => 'Email is required']);
+        return;
+    }
+
+    $instanceId = getInstanceId($pdo);
+    $hwfp       = getServerHardwareFingerprint($pdo, false);
+    $hwfpHex    = (string)($hwfp['composite'] ?? '');
+    if ($hwfpHex === '') {
+        jsonResponse(['success' => false, 'error' => 'Could not compute server hardware fingerprint']);
+        return;
+    }
+    $body = json_encode([
+        'email'                => $email,
+        'instance_id'          => $instanceId,
+        'hardware_fingerprint' => $hwfpHex,
+        'sponsor_login'        => $sponsorLogin ?: null,
+    ]);
+    $ctx = stream_context_create([
+        'http' => [
+            'method'  => 'POST',
+            'header'  => "Content-Type: application/json\r\n",
+            'content' => $body,
+            'timeout' => 10,
+            'ignore_errors' => true,
+        ],
+    ]);
+    $resp = @file_get_contents(KEYGATE_LICENSE_SERVER . '/api/claim', false, $ctx);
+    if ($resp === false) {
+        jsonResponse(['success' => false, 'error' => 'Could not reach license server']);
+        return;
+    }
+    $decoded = json_decode($resp, true);
+    if (!is_array($decoded) || empty($decoded['success'])) {
+        jsonResponse(['success' => false, 'error' => $decoded['error'] ?? 'Claim failed']);
+        return;
+    }
+
+    // Auto-register the freshly-issued JWT.
+    $regResult = registerLicense($pdo, $decoded['license_key']);
+    jsonResponse(array_merge($regResult, [
+        'license_key' => $decoded['license_key'],
+        'expires_at'  => $decoded['expires_at'] ?? null,
+    ]));
+}
+
+// ── Migrate legacy HS256 license to RS256 ──
+//
+// Body: { license_key (legacy HS256) }
+// Calls Worker /api/migrate. Re-issues an RS256 JWT bound to this
+// instance_id. Auto-registers on success.
+function handle_license_migrate(PDO $pdo, array $admin_session, $json_input): void {
+    requirePermission('system_settings', $admin_session);
+
+    $legacyKey = trim($json_input['license_key'] ?? '');
+    if (empty($legacyKey)) {
+        jsonResponse(['success' => false, 'error' => 'license_key is required']);
+        return;
+    }
+
+    $instanceId = getInstanceId($pdo);
+    $hwfp       = getServerHardwareFingerprint($pdo, false);
+    $hwfpHex    = (string)($hwfp['composite'] ?? '');
+    if ($hwfpHex === '') {
+        jsonResponse(['success' => false, 'error' => 'Could not compute server hardware fingerprint']);
+        return;
+    }
+    $body = json_encode([
+        'license_key'          => $legacyKey,
+        'instance_id'          => $instanceId,
+        'hardware_fingerprint' => $hwfpHex,
+    ]);
+    $ctx = stream_context_create([
+        'http' => [
+            'method'  => 'POST',
+            'header'  => "Content-Type: application/json\r\n",
+            'content' => $body,
+            'timeout' => 10,
+            'ignore_errors' => true,
+        ],
+    ]);
+    $resp = @file_get_contents(KEYGATE_LICENSE_SERVER . '/api/migrate', false, $ctx);
+    if ($resp === false) {
+        jsonResponse(['success' => false, 'error' => 'Could not reach license server']);
+        return;
+    }
+    $decoded = json_decode($resp, true);
+    if (!is_array($decoded) || empty($decoded['success'])) {
+        jsonResponse(['success' => false, 'error' => $decoded['error'] ?? 'Migration failed']);
+        return;
+    }
+
+    // Auto-register the freshly-issued RS256 JWT.
+    $regResult = registerLicense($pdo, $decoded['license_key']);
+    jsonResponse(array_merge($regResult, [
+        'license_key' => $decoded['license_key'],
+        'expires_at'  => $decoded['expires_at'] ?? null,
+    ]));
+}
+
+// ── Re-detect server hardware fingerprint (P1) ──
+//
+// Body: {} — admin clicks "Re-detect hardware" button. Force-recomputes
+// the server hwfp helper (shells out for machine-id / system-uuid / MAC /
+// volume UUID), caches the new result, and returns the components.
+//
+// Does NOT change the license-bound fingerprint — that requires /api/rebind.
+function handle_license_redetect_hw(PDO $pdo, array $admin_session, $json_input): void {
+    requirePermission('system_settings', $admin_session);
+
+    try {
+        $hwfp = getServerHardwareFingerprint($pdo, true);
+    } catch (Exception $e) {
+        error_log("KeyGate redetect: " . $e->getMessage());
+        jsonResponse(['success' => false, 'error' => 'Hardware detection failed']);
+        return;
+    }
+
+    logAdminActivity(
+        $admin_session['admin_id'],
+        $admin_session['id'] ?? 0,
+        'LICENSE_HW_REDETECTED',
+        'Re-detected server hardware fingerprint'
+    );
+
+    jsonResponse([
+        'success'    => true,
+        'fingerprint'=> (string)($hwfp['composite'] ?? ''),
+        'components' => $hwfp['components'] ?? [],
+        'computed_at'=> $hwfp['computed_at'] ?? null,
+    ]);
+}
+
+// ── Rebind license to new hardware (P1) ──
+//
+// Body: { reason? }
+// Calls Worker /api/rebind with current license_key, instance_id, and the
+// freshly-detected hardware fingerprint. Worker enforces quota (3 per
+// rolling 365 days), mints a new RS256 JWT, returns rebind counters.
+// On success applyRebindResponse() updates the local row.
+function handle_license_rebind(PDO $pdo, array $admin_session, $json_input): void {
+    requirePermission('system_settings', $admin_session);
+
+    $current = getCurrentLicense($pdo);
+    if (!$current || empty($current['license_key'])) {
+        jsonResponse(['success' => false, 'error' => 'No active license to rebind']);
+        return;
+    }
+
+    // Always re-detect when rebinding — admin's intent is "the hardware just changed".
+    $hwfp = getServerHardwareFingerprint($pdo, true);
+    $hwfpHex = (string)($hwfp['composite'] ?? '');
+    if ($hwfpHex === '') {
+        jsonResponse(['success' => false, 'error' => 'Could not compute new server hardware fingerprint']);
+        return;
+    }
+
+    $reason = trim((string)($json_input['reason'] ?? ''));
+    $body = json_encode([
+        'license_key'              => $current['license_key'],
+        'instance_id'              => $current['instance_id'],
+        'new_hardware_fingerprint' => $hwfpHex,
+        'reason'                   => $reason ?: null,
+    ]);
+    $ctx = stream_context_create([
+        'http' => [
+            'method'        => 'POST',
+            'header'        => "Content-Type: application/json\r\n",
+            'content'       => $body,
+            'timeout'       => 10,
+            'ignore_errors' => true,
+        ],
+    ]);
+    $resp = @file_get_contents(KEYGATE_LICENSE_SERVER . '/api/rebind', false, $ctx);
+    if ($resp === false) {
+        jsonResponse(['success' => false, 'error' => 'Could not reach license server']);
+        return;
+    }
+    $decoded = json_decode($resp, true);
+    if (!is_array($decoded) || empty($decoded['success'])) {
+        jsonResponse([
+            'success' => false,
+            'error'   => $decoded['error'] ?? 'Rebind failed',
+            'quota_window_days'   => $decoded['quota_window_days']   ?? null,
+            'quota_limit'         => $decoded['quota_limit']         ?? null,
+            'retry_after_iso'     => $decoded['retry_after_iso']     ?? null,
+        ]);
+        return;
+    }
+
+    $apply = applyRebindResponse(
+        $pdo,
+        $decoded['license_key'],
+        (int)($decoded['rebind_count'] ?? 0)
+    );
+    if (!$apply['success']) {
+        jsonResponse(['success' => false, 'error' => $apply['error'] ?? 'Local rebind apply failed']);
+        return;
+    }
+
+    logAdminActivity(
+        $admin_session['admin_id'],
+        $admin_session['id'] ?? 0,
+        'LICENSE_REBOUND',
+        "Rebound license to new hardware fingerprint (count: {$apply['rebind_count']}, reason: " . ($reason ?: 'unspecified') . ')'
+    );
+
+    jsonResponse([
+        'success'                => true,
+        'tier'                   => $apply['tier'],
+        'rebind_count'           => $apply['rebind_count'],
+        'rebind_quota_remaining' => $decoded['rebind_quota_remaining'] ?? null,
+        'rebind_quota_limit'     => $decoded['rebind_quota_limit']     ?? 3,
+        'message'                => 'License rebound successfully',
     ]);
 }
diff --git a/FINAL_PRODUCTION_SYSTEM/database/docker-init/00-init.sh b/FINAL_PRODUCTION_SYSTEM/database/docker-init/00-init.sh
index fb6bcc1..93d85ad 100644
--- a/FINAL_PRODUCTION_SYSTEM/database/docker-init/00-init.sh
+++ b/FINAL_PRODUCTION_SYSTEM/database/docker-init/00-init.sh
@@ -149,6 +149,15 @@ run_sql "task_pipeline_migration.sql"         25
 # Phase 14: Production tracking & enterprise key management
 run_sql "production_tracking_migration.sql"   26
 
+# Phase 15: License row integrity HMAC (P0 anti-piracy)
+run_sql "license_p0_hmac_migration.sql"       27
+
+# Phase 16: License hardware-fingerprint binding + rebind quota (P1)
+run_sql "license_p1_hwbind_migration.sql"     28
+
+# Phase 17: License phone-home grace + revocation + clock-drift (P2)
+run_sql "license_p2_phonehome_migration.sql"  29
+
 echo ""
 echo "=== Database initialization complete ==="
 echo ""
diff --git a/FINAL_PRODUCTION_SYSTEM/database/license_p0_hmac_migration.sql b/FINAL_PRODUCTION_SYSTEM/database/license_p0_hmac_migration.sql
new file mode 100644
index 0000000..a6d965d
--- /dev/null
+++ b/FINAL_PRODUCTION_SYSTEM/database/license_p0_hmac_migration.sql
@@ -0,0 +1,18 @@
+-- =============================================================
+-- KeyGate v2.3.0 P0 — License row integrity HMAC
+-- =============================================================
+-- Adds an HMAC column to license_info so any row directly INSERTed/UPDATEd
+-- without going through registerLicense() (which knows the per-instance
+-- row secret) is detected as tampered and forced back to community tier.
+--
+-- The HMAC formula and verification live in functions/license-helpers.php
+-- (computeLicenseRowHmac / verifyLicenseRow).
+-- =============================================================
+
+ALTER TABLE `#__license_info`
+  ADD COLUMN integrity_hmac CHAR(64) NOT NULL DEFAULT '' AFTER validation_status;
+
+-- Existing rows (legacy paid customers from v2.2.x) have an empty hmac
+-- → verifyLicenseRow returns false → they fall back to community on
+-- next read. Customers re-register via /api/migrate to get a fresh
+-- RS256 JWT, and that path computes a valid HMAC on insert.
diff --git a/FINAL_PRODUCTION_SYSTEM/database/license_p1_hwbind_migration.sql b/FINAL_PRODUCTION_SYSTEM/database/license_p1_hwbind_migration.sql
new file mode 100644
index 0000000..8ce36b0
--- /dev/null
+++ b/FINAL_PRODUCTION_SYSTEM/database/license_p1_hwbind_migration.sql
@@ -0,0 +1,38 @@
+-- =============================================================
+-- KeyGate v2.3.0 P1 — Hardware-bound licensing
+-- =============================================================
+-- Binds each license_info row to the host's server-side hardware
+-- fingerprint (composite SHA256 of machine-id | system-uuid | NIC
+-- MAC | root volume UUID). A license cannot be moved to a different
+-- VM/host without invoking the Worker /api/rebind route, which is
+-- quota-limited (3 rebinds per rolling 365 days).
+--
+-- Enum extension adds:
+--   'rebinding_required' — set by getEffectiveLicense() when the
+--     host's current hwfp diverges from the row's bound hwfp; UI
+--     directs admin to click "Rebind hardware".
+--   'clock_drift'        — reserved for P2 (clock-rollback defense).
+-- =============================================================
+
+ALTER TABLE `#__license_info`
+  ADD COLUMN hardware_fingerprint CHAR(64) NULL DEFAULT NULL AFTER instance_id,
+  ADD COLUMN hwfp_bound_at        TIMESTAMP NULL DEFAULT NULL AFTER hardware_fingerprint,
+  ADD COLUMN hwfp_rebind_count    TINYINT UNSIGNED NOT NULL DEFAULT 0 AFTER hwfp_bound_at,
+  ADD COLUMN hwfp_last_rebind_at  TIMESTAMP NULL DEFAULT NULL AFTER hwfp_rebind_count,
+  ADD INDEX idx_hwfp (hardware_fingerprint);
+
+-- Extend validation_status enum to cover hardware rebind + clock drift.
+-- MariaDB requires the full enum list on MODIFY.
+ALTER TABLE `#__license_info`
+  MODIFY validation_status
+    ENUM('valid','expired','revoked','invalid','pending','rebinding_required','clock_drift')
+    NOT NULL DEFAULT 'pending';
+
+-- system_config slots used by P1.
+INSERT INTO `#__system_config` (config_key, config_value, description) VALUES
+    ('server_hwfp', '', 'Cached server-side hardware fingerprint (JSON, components + composite hash)')
+ON DUPLICATE KEY UPDATE config_key = config_key;
+
+INSERT INTO `#__system_config` (config_key, config_value, description) VALUES
+    ('license_prev_tier', '', 'Last-known good tier; used during 7-day rebinding_required grace')
+ON DUPLICATE KEY UPDATE config_key = config_key;
diff --git a/FINAL_PRODUCTION_SYSTEM/database/license_p2_phonehome_migration.sql b/FINAL_PRODUCTION_SYSTEM/database/license_p2_phonehome_migration.sql
new file mode 100644
index 0000000..441b01b
--- /dev/null
+++ b/FINAL_PRODUCTION_SYSTEM/database/license_p2_phonehome_migration.sql
@@ -0,0 +1,42 @@
+-- =============================================================
+-- KeyGate v2.3.0 P2 — Phone-home + grace + revocation + clock-drift
+-- =============================================================
+-- Phone-home turns the Cloudflare Worker into the authoritative tier
+-- source. Without it, a JWT registered once was good forever — pirates
+-- could buy one license, export the JWT, and seed unlimited installs.
+--
+-- Phone-home cadence: once per 24h on PHP boot OR daily cron, whichever
+-- fires first. Non-blocking; cached tier serves until next successful
+-- validate. Grace: 0–14d OK, 14–30d banner, >30d community fallback.
+--
+-- Revocation: each issued JWT carries a `jti` claim. Worker maintains
+-- a KV set `revoked:{jti}`. Validate response carries revoked:true →
+-- PHP forces community immediately, regardless of grace window.
+--
+-- Clock drift: Worker returns server_time; PHP records server vs local
+-- delta. Three consecutive checks with >5min drift → 'clock_drift'.
+-- Defeats pirates rolling system clock back to dodge expires_at.
+-- =============================================================
+
+ALTER TABLE `#__license_info`
+  ADD COLUMN validation_failure_count INT UNSIGNED NOT NULL DEFAULT 0
+    AFTER last_validated_at,
+  ADD COLUMN last_validation_error    TEXT NULL DEFAULT NULL
+    AFTER validation_failure_count,
+  ADD COLUMN server_time_drift_seconds INT NOT NULL DEFAULT 0
+    AFTER last_validation_error,
+  ADD COLUMN clock_drift_strikes      TINYINT UNSIGNED NOT NULL DEFAULT 0
+    AFTER server_time_drift_seconds,
+  ADD COLUMN current_jti              CHAR(36) NULL DEFAULT NULL
+    AFTER clock_drift_strikes;
+
+-- system_config slots used by P2.
+-- license_validation_cache: JSON of last validate response + HMAC anchor
+-- so the cache itself can't be forged via direct UPDATE.
+INSERT INTO `#__system_config` (config_key, config_value, description) VALUES
+    ('license_validation_cache', '', 'Last /api/validate response (JSON, HMAC-anchored to license_row_secret)')
+ON DUPLICATE KEY UPDATE config_key = config_key;
+
+INSERT INTO `#__system_config` (config_key, config_value, description) VALUES
+    ('license_phonehome_interval', '86400', 'Seconds between phone-home validate calls (default 24h)')
+ON DUPLICATE KEY UPDATE config_key = config_key;
diff --git a/FINAL_PRODUCTION_SYSTEM/frontend/src/api/license.ts b/FINAL_PRODUCTION_SYSTEM/frontend/src/api/license.ts
index 348615f..9a12967 100644
--- a/FINAL_PRODUCTION_SYSTEM/frontend/src/api/license.ts
+++ b/FINAL_PRODUCTION_SYSTEM/frontend/src/api/license.ts
@@ -32,10 +32,41 @@ export interface LicenseUsage {
   keys: number
 }
 
+// P1: hardware fingerprint metadata exposed to the License page so the
+// admin can see current vs. bound state and the rebind quota counter.
+export interface LicenseHardware {
+  current_fingerprint: string
+  components: Record<string, string>
+  bound_fingerprint: string
+  rebind_count: number
+  rebind_quota_limit: number
+  rebind_window_days: number
+}
+
+// P2: phone-home status surfaced to the License page.
+export interface LicensePhoneHome {
+  available: boolean
+  last_validated_at?: string | null
+  failure_count?: number
+  last_error?: string | null
+  server_time_drift_seconds?: number
+  clock_drift_strikes?: number
+  current_jti?: string | null
+  grace_band?: 'ok' | 'banner' | 'expired'
+  grace_days?: number
+  grace_banner?: string | null
+  grace_banner_threshold_d?: number
+  grace_hard_threshold_d?: number
+  effective_band?: string | null
+  effective_banner?: string | null
+}
+
 export interface LicenseStatusResponse {
   success: boolean
-  license: LicenseInfo
+  license: LicenseInfo & { rebind_required?: boolean; rebind_grace_ends?: string | null }
   usage: LicenseUsage
+  hardware?: LicenseHardware
+  phonehome?: LicensePhoneHome
 }
 
 export function getLicenseStatus() {
@@ -56,7 +87,7 @@ export function deactivateLicense() {
   return apiPostJson<{ success: boolean; message: string }>('license_deactivate')
 }
 
-export function generateDevLicense(tier: string) {
+export function generateDevLicense(tier: string, devToken: string) {
   return apiPostJson<{
     success: boolean
     license_key?: string
@@ -64,5 +95,75 @@ export function generateDevLicense(tier: string) {
     instance_id?: string
     message?: string
     error?: string
-  }>('license_generate_dev', { tier })
+  }>('license_generate_dev', { tier, dev_token: devToken })
+}
+
+// P0: claim a pending GitHub Sponsors / LemonSqueezy / T-Bank purchase by
+// binding it to this install's instance_id. Worker mints an RS256 JWT.
+export function claimLicense(email: string, sponsorLogin?: string) {
+  return apiPostJson<{
+    success: boolean
+    license_key?: string
+    tier?: string
+    expires_at?: string
+    message?: string
+    error?: string
+  }>('license_claim', { email, sponsor_login: sponsorLogin || '' })
+}
+
+// P0: migrate a legacy HS256 license to RS256 (90-day window post v2.3.0).
+export function migrateLegacyLicense(licenseKey: string) {
+  return apiPostJson<{
+    success: boolean
+    license_key?: string
+    tier?: string
+    expires_at?: string
+    message?: string
+    error?: string
+  }>('license_migrate', { license_key: licenseKey })
+}
+
+// P1: re-detect the server's hardware fingerprint (admin-triggered, force
+// refresh of the cached system_config('server_hwfp')).
+export function redetectHardware() {
+  return apiPostJson<{
+    success: boolean
+    fingerprint?: string
+    components?: Record<string, string>
+    computed_at?: string
+    error?: string
+  }>('license_redetect_hw')
+}
+
+// P1: rebind the active license to the current host's hardware
+// fingerprint. Worker enforces 3-per-365-day quota.
+export function rebindLicense(reason?: string) {
+  return apiPostJson<{
+    success: boolean
+    tier?: string
+    rebind_count?: number
+    rebind_quota_remaining?: number
+    rebind_quota_limit?: number
+    quota_window_days?: number
+    quota_limit?: number
+    retry_after_iso?: string
+    message?: string
+    error?: string
+  }>('license_rebind', { reason: reason || '' })
+}
+
+// P2: force a phone-home validate now (bypass 24h throttle).
+export function forceValidate() {
+  return apiPostJson<{
+    success: boolean
+    valid?: boolean
+    tier?: string
+    revoked?: boolean
+    must_rebind?: boolean
+    expires_at?: string | null
+    jti?: string | null
+    server_time?: string | null
+    message?: string
+    error?: string
+  }>('license_force_validate')
 }
diff --git a/FINAL_PRODUCTION_SYSTEM/frontend/src/hooks/use-license.ts b/FINAL_PRODUCTION_SYSTEM/frontend/src/hooks/use-license.ts
index 678ece9..8bd477b 100644
--- a/FINAL_PRODUCTION_SYSTEM/frontend/src/hooks/use-license.ts
+++ b/FINAL_PRODUCTION_SYSTEM/frontend/src/hooks/use-license.ts
@@ -6,6 +6,11 @@ import {
   registerLicense,
   deactivateLicense,
   generateDevLicense,
+  claimLicense,
+  migrateLegacyLicense,
+  redetectHardware,
+  rebindLicense,
+  forceValidate,
 } from '@/api/license'
 
 export function useLicenseStatus() {
@@ -47,7 +52,8 @@ export function useDeactivateLicense() {
 export function useGenerateDevLicense() {
   const { t } = useTranslation()
   return useMutation({
-    mutationFn: (tier: string) => generateDevLicense(tier),
+    mutationFn: ({ tier, devToken }: { tier: string; devToken: string }) =>
+      generateDevLicense(tier, devToken),
     onSuccess: (data) => {
       if (data.success) {
         toast.success(data.message || t('license.dev_generated', 'Dev license generated'))
@@ -56,3 +62,95 @@ export function useGenerateDevLicense() {
     onError: (e: Error) => toast.error(e.message),
   })
 }
+
+export function useClaimLicense() {
+  const qc = useQueryClient()
+  const { t } = useTranslation()
+  return useMutation({
+    mutationFn: ({ email, sponsorLogin }: { email: string; sponsorLogin?: string }) =>
+      claimLicense(email, sponsorLogin),
+    onSuccess: (data) => {
+      qc.invalidateQueries({ queryKey: ['license-status'] })
+      if (data.success) {
+        toast.success(data.message || t('license.claimed', 'License claimed and activated'))
+      }
+    },
+    onError: (e: Error) => toast.error(e.message),
+  })
+}
+
+export function useMigrateLegacyLicense() {
+  const qc = useQueryClient()
+  const { t } = useTranslation()
+  return useMutation({
+    mutationFn: (key: string) => migrateLegacyLicense(key),
+    onSuccess: (data) => {
+      qc.invalidateQueries({ queryKey: ['license-status'] })
+      if (data.success) {
+        toast.success(data.message || t('license.migrated', 'License migrated to RS256'))
+      }
+    },
+    onError: (e: Error) => toast.error(e.message),
+  })
+}
+
+// P1: re-detect server hardware fingerprint (force refresh of cached value).
+export function useRedetectHardware() {
+  const qc = useQueryClient()
+  const { t } = useTranslation()
+  return useMutation({
+    mutationFn: () => redetectHardware(),
+    onSuccess: (data) => {
+      qc.invalidateQueries({ queryKey: ['license-status'] })
+      if (data.success) {
+        toast.success(t('license.hw_redetected', 'Hardware fingerprint re-detected'))
+      }
+    },
+    onError: (e: Error) => toast.error(e.message),
+  })
+}
+
+// P1: rebind license to current host's hardware fingerprint.
+// Worker enforces 3 rebinds per rolling 365 days.
+export function useRebindLicense() {
+  const qc = useQueryClient()
+  const { t } = useTranslation()
+  return useMutation({
+    mutationFn: (reason?: string) => rebindLicense(reason),
+    onSuccess: (data) => {
+      qc.invalidateQueries({ queryKey: ['license-status'] })
+      if (data.success) {
+        toast.success(data.message || t('license.rebound', 'License rebound to current hardware'))
+      } else {
+        toast.error(data.error || t('license.rebind_failed', 'Rebind failed'))
+      }
+    },
+    onError: (e: Error) => toast.error(e.message),
+  })
+}
+
+// P2: force phone-home validate now (bypass 24h throttle).
+export function useForceValidate() {
+  const qc = useQueryClient()
+  const { t } = useTranslation()
+  return useMutation({
+    mutationFn: () => forceValidate(),
+    onSuccess: (data) => {
+      qc.invalidateQueries({ queryKey: ['license-status'] })
+      if (data.success) {
+        if (data.revoked) {
+          toast.error(t('license.validate_revoked', 'License revoked by issuer'))
+        } else if (data.must_rebind) {
+          toast.warning(t('license.validate_rebind', 'Hardware rebind required'))
+        } else if (data.valid) {
+          toast.success(t('license.validate_ok', 'Validated successfully'))
+        } else {
+          toast.error(t('license.validate_failed', 'Validation failed'))
+        }
+      } else {
+        toast.error(data.error || t('license.validate_failed', 'Validation failed'))
+      }
+    },
+    onError: (e: Error) => toast.error(e.message),
+  })
+}
diff --git a/FINAL_PRODUCTION_SYSTEM/frontend/src/i18n/en.json b/FINAL_PRODUCTION_SYSTEM/frontend/src/i18n/en.json
index ea1d80d..cc2e8c7 100644
--- a/FINAL_PRODUCTION_SYSTEM/frontend/src/i18n/en.json
+++ b/FINAL_PRODUCTION_SYSTEM/frontend/src/i18n/en.json
@@ -1733,6 +1733,43 @@
     "sub.tab_payment": "Payment",
     "sub.tab_key": "License Key",
     "sub.tab_billing": "Billing",
+    "sub.claim_title": "Claim a GitHub Sponsors / pending purchase",
+    "sub.claim_desc": "If you sponsored ChesnoTech on GitHub or your LemonSqueezy/T-Bank checkout did not include your instance ID, claim your license here. The server binds it to this installation and issues your key.",
+    "sub.claim_email": "Email used at checkout / GitHub sponsor email",
+    "sub.claim_sponsor": "GitHub sponsor login (optional)",
+    "sub.claim_button": "Claim & bind to this install",
+    "sub.migrate_title": "Migrate legacy license (pre-v2.3)",
+    "sub.migrate_desc": "If you have a license key issued before May 2026 (HS256 algorithm), use this to upgrade it to the new RS256 format. Available until 2026-08-08.",
+    "sub.migrate_placeholder": "Paste the legacy HS256 license key...",
+    "sub.migrate_button": "Migrate to RS256 & activate",
+    "sub.dev_token_placeholder": "DEV_TOKEN (matches Worker secret)",
+    "sub.hw_title": "Hardware binding",
+    "sub.hw_desc": "Each license is anchored to the host hardware fingerprint. Quota: 3 rebinds per 365 days.",
+    "sub.hw_rebind_required": "License is bound to different hardware. Click Rebind to anchor to current host. Grace ends on",
+    "sub.hw_current": "Current host fingerprint",
+    "sub.hw_bound": "Bound by license",
+    "sub.hw_unbound": "unbound",
+    "sub.hw_quota": "Rebinds used",
+    "sub.hw_redetect": "Re-detect hardware",
+    "sub.hw_rebind": "Rebind to current hardware",
+    "sub.rebind_reason_placeholder": "Reason (e.g. motherboard RMA, NIC swap)",
+    "license.claimed": "License claimed and activated",
+    "license.migrated": "License migrated to RS256",
+    "license.hw_redetected": "Hardware fingerprint re-detected",
+    "license.rebound": "License rebound to current hardware",
+    "license.rebind_failed": "Rebind failed",
+    "license.validate_ok": "Validated successfully",
+    "license.validate_failed": "Validation failed",
+    "license.validate_revoked": "License revoked by issuer",
+    "license.validate_rebind": "Hardware rebind required",
+    "sub.phonehome_title": "License validation (phone-home)",
+    "sub.phonehome_desc": "Daily check against the issuer. 14-day grace if offline; 30-day hard cutoff.",
+    "sub.phonehome_last": "Last validated",
+    "sub.phonehome_never": "never",
+    "sub.phonehome_failures": "Recent failures",
+    "sub.phonehome_drift": "Clock drift (sec)",
+    "sub.phonehome_last_error": "Last error",
+    "sub.phonehome_force": "Validate now",
     "sub.registered_to": "Registered to {{email}}",
     "sub.free_tier": "Free tier — limited to 1 technician and 50 keys",
     "sub.technicians": "Technicians",
diff --git a/FINAL_PRODUCTION_SYSTEM/frontend/src/i18n/ru.json b/FINAL_PRODUCTION_SYSTEM/frontend/src/i18n/ru.json
index 93eb629..bd223b5 100644
--- a/FINAL_PRODUCTION_SYSTEM/frontend/src/i18n/ru.json
+++ b/FINAL_PRODUCTION_SYSTEM/frontend/src/i18n/ru.json
@@ -1733,6 +1733,43 @@
     "sub.tab_payment": "Оплата",
     "sub.tab_key": "Лицензия",
     "sub.tab_billing": "Биллинг",
+    "sub.claim_title": "Привязать спонсорство GitHub / ожидающую покупку",
+    "sub.claim_desc": "Если вы оформили спонсорство ChesnoTech на GitHub или ваша оплата через LemonSqueezy/Т-Банк не содержала идентификатор экземпляра, привяжите лицензию здесь. Сервер свяжет её с этой установкой и выдаст ключ.",
+    "sub.claim_email": "Email при оплате / email GitHub-спонсора",
+    "sub.claim_sponsor": "Логин GitHub-спонсора (необязательно)",
+    "sub.claim_button": "Привязать к этой установке",
+    "sub.migrate_title": "Миграция старой лицензии (до v2.3)",
+    "sub.migrate_desc": "Если у вас лицензия, выданная до мая 2026 (алгоритм HS256), используйте это, чтобы обновить её до нового формата RS256. Доступно до 2026-08-08.",
+    "sub.migrate_placeholder": "Вставьте старый ключ HS256...",
+    "sub.migrate_button": "Перевести в RS256 и активировать",
+    "sub.dev_token_placeholder": "DEV_TOKEN (совпадает с секретом Worker)",
+    "sub.hw_title": "Привязка к оборудованию",
+    "sub.hw_desc": "Каждая лицензия привязана к отпечатку оборудования хоста. Квота: 3 переноса за 365 дней.",
+    "sub.hw_rebind_required": "Лицензия привязана к другому оборудованию. Нажмите «Перенести», чтобы зафиксировать на текущем хосте. Льготный период до",
+    "sub.hw_current": "Текущий отпечаток хоста",
+    "sub.hw_bound": "Привязан лицензией",
+    "sub.hw_unbound": "не привязан",
+    "sub.hw_quota": "Перенесено",
+    "sub.hw_redetect": "Обновить отпечаток",
+    "sub.hw_rebind": "Перенести на текущее оборудование",
+    "sub.rebind_reason_placeholder": "Причина (например, замена материнской платы, замена NIC)",
+    "license.claimed": "Лицензия привязана и активирована",
+    "license.migrated": "Лицензия переведена в RS256",
+    "license.hw_redetected": "Отпечаток оборудования обновлён",
+    "license.rebound": "Лицензия перенесена на текущее оборудование",
+    "license.rebind_failed": "Перенос не удался",
+    "license.validate_ok": "Проверка успешна",
+    "license.validate_failed": "Проверка не удалась",
+    "license.validate_revoked": "Лицензия отозвана издателем",
+    "license.validate_rebind": "Требуется привязка к оборудованию",
+    "sub.phonehome_title": "Проверка лицензии (phone-home)",
+    "sub.phonehome_desc": "Ежедневная проверка у издателя. 14 дней льготы при отсутствии сети; жёсткое отключение через 30 дней.",
+    "sub.phonehome_last": "Последняя проверка",
+    "sub.phonehome_never": "никогда",
+    "sub.phonehome_failures": "Недавние сбои",
+    "sub.phonehome_drift": "Сдвиг часов (сек)",
+    "sub.phonehome_last_error": "Последняя ошибка",
+    "sub.phonehome_force": "Проверить сейчас",
     "sub.registered_to": "Зарегистрирована на {{email}}",
     "sub.free_tier": "Бесплатный тариф — 1 техник, 50 ключей",
     "sub.technicians": "Техники",
diff --git a/FINAL_PRODUCTION_SYSTEM/frontend/src/pages/license/index.tsx b/FINAL_PRODUCTION_SYSTEM/frontend/src/pages/license/index.tsx
index f5b661f..01dd460 100644
--- a/FINAL_PRODUCTION_SYSTEM/frontend/src/pages/license/index.tsx
+++ b/FINAL_PRODUCTION_SYSTEM/frontend/src/pages/license/index.tsx
@@ -34,12 +34,18 @@ import {
   Clock,
   Zap,
   Check,
+  AlertTriangle,
 } from 'lucide-react'
 import {
   useLicenseStatus,
   useRegisterLicense,
   useDeactivateLicense,
   useGenerateDevLicense,
+  useClaimLicense,
+  useMigrateLegacyLicense,
+  useRedetectHardware,
+  useRebindLicense,
+  useForceValidate,
 } from '@/hooks/use-license'
 
 const TIER_COLORS: Record<string, string> = {
@@ -61,14 +67,26 @@ export function LicensePage() {
   const [activeTab, setActiveTab] = useState<Tab>('plan')
   const [licenseKey, setLicenseKey] = useState('')
   const [devLicenseKey, setDevLicenseKey] = useState('')
+  const [devToken, setDevToken] = useState('')
+  const [claimEmail, setClaimEmail] = useState('')
+  const [claimSponsor, setClaimSponsor] = useState('')
+  const [legacyKey, setLegacyKey] = useState('')
+  const [rebindReason, setRebindReason] = useState('')
 
   const statusQuery = useLicenseStatus()
   const registerMut = useRegisterLicense()
   const deactivateMut = useDeactivateLicense()
   const devGenMut = useGenerateDevLicense()
+  const claimMut = useClaimLicense()
+  const migrateMut = useMigrateLegacyLicense()
+  const redetectMut = useRedetectHardware()
+  const rebindMut = useRebindLicense()
+  const forceValidateMut = useForceValidate()
 
   const license = statusQuery.data?.license
   const usage = statusQuery.data?.usage
+  const hardware = statusQuery.data?.hardware
+  const phonehome = statusQuery.data?.phonehome
 
   const handleRegister = async () => {
     if (!licenseKey.trim()) return
@@ -77,12 +95,50 @@ export function LicensePage() {
   }
 
   const handleGenerateDev = async (tier: string) => {
-    const result = await devGenMut.mutateAsync(tier)
+    if (!devToken.trim()) {
+      alert('DEV_TOKEN required. Set it via `wrangler secret put DEV_TOKEN` on the Worker, then paste here.')
+      return
+    }
+    const result = await devGenMut.mutateAsync({ tier, devToken: devToken.trim() })
     if (result.license_key) {
       setDevLicenseKey(result.license_key)
     }
   }
 
+  const handleClaim = async () => {
+    if (!claimEmail.trim()) return
+    const result = await claimMut.mutateAsync({
+      email: claimEmail.trim(),
+      sponsorLogin: claimSponsor.trim() || undefined,
+    })
+    if (result.license_key) {
+      setClaimEmail('')
+      setClaimSponsor('')
+    }
+  }
+
+  const handleMigrateLegacy = async () => {
+    if (!legacyKey.trim()) return
+    const result = await migrateMut.mutateAsync(legacyKey.trim())
+    if (result.success) {
+      setLegacyKey('')
+    }
+  }
+
+  const handleRedetectHw = async () => {
+    await redetectMut.mutateAsync()
+  }
+
+  const handleRebind = async () => {
+    const reason = rebindReason.trim()
+    const result = await rebindMut.mutateAsync(reason || undefined)
+    if (result.success) setRebindReason('')
+  }
+
+  const handleForceValidate = async () => {
+    await forceValidateMut.mutateAsync()
+  }
+
   if (statusQuery.isLoading) {
     return (
       <div className="flex-1 p-6 flex items-center justify-center">
@@ -479,7 +535,7 @@ export function LicensePage() {
             <CardContent className="space-y-3">
               <textarea
                 className="w-full h-24 p-3 text-xs font-mono bg-muted/50 border rounded-md resize-none focus:outline-none focus:ring-2 focus:ring-primary"
-                placeholder="eyJhbGciOiJIUzI1NiIs..."
+                placeholder="eyJhbGciOiJSUzI1NiIs..."
                 value={licenseKey}
                 onChange={(e) => setLicenseKey(e.target.value)}
               />
@@ -490,6 +546,206 @@ export function LicensePage() {
             </CardContent>
           </Card>
 
+          {/* P0: Claim purchase (GitHub Sponsors / pending payments) */}
+          <Card>
+            <CardHeader>
+              <CardTitle className="text-base">{t('sub.claim_title', 'Claim a GitHub Sponsors / pending purchase')}</CardTitle>
+              <CardDescription>
+                {t('sub.claim_desc', 'If you sponsored ChesnoTech on GitHub or your LemonSqueezy/T-Bank checkout did not include your instance ID, claim your license here. The server binds it to this installation and issues your key.')}
+              </CardDescription>
+            </CardHeader>
+            <CardContent className="space-y-3">
+              <input
+                type="email"
+                className="w-full p-2 text-sm bg-muted/50 border rounded-md focus:outline-none focus:ring-2 focus:ring-primary"
+                placeholder={t('sub.claim_email', 'Email used at checkout / GitHub sponsor email')}
+                value={claimEmail}
+                onChange={(e) => setClaimEmail(e.target.value)}
+              />
+              <input
+                type="text"
+                className="w-full p-2 text-sm bg-muted/50 border rounded-md focus:outline-none focus:ring-2 focus:ring-primary"
+                placeholder={t('sub.claim_sponsor', 'GitHub sponsor login (optional)')}
+                value={claimSponsor}
+                onChange={(e) => setClaimSponsor(e.target.value)}
+              />
+              <Button onClick={handleClaim} disabled={!claimEmail.trim() || claimMut.isPending} variant="outline">
+                {claimMut.isPending && <Loader2 className="mr-2 h-4 w-4 animate-spin" />}
+                {t('sub.claim_button', 'Claim & bind to this install')}
+              </Button>
+            </CardContent>
+          </Card>
+
+          {/* P0: Migrate legacy HS256 license */}
+          <Card className="border-dashed">
+            <CardHeader>
+              <CardTitle className="text-base">{t('sub.migrate_title', 'Migrate legacy license (pre-v2.3)')}</CardTitle>
+              <CardDescription>
+                {t('sub.migrate_desc', 'If you have a license key issued before May 2026 (HS256 algorithm), use this to upgrade it to the new RS256 format. Available until 2026-08-08.')}
+              </CardDescription>
+            </CardHeader>
+            <CardContent className="space-y-3">
+              <textarea
+                className="w-full h-20 p-3 text-xs font-mono bg-muted/50 border rounded-md resize-none focus:outline-none focus:ring-2 focus:ring-primary"
+                placeholder={t('sub.migrate_placeholder', 'Paste the legacy HS256 license key...')}
+                value={legacyKey}
+                onChange={(e) => setLegacyKey(e.target.value)}
+              />
+              <Button onClick={handleMigrateLegacy} disabled={!legacyKey.trim() || migrateMut.isPending} variant="outline">
+                {migrateMut.isPending && <Loader2 className="mr-2 h-4 w-4 animate-spin" />}
+                {t('sub.migrate_button', 'Migrate to RS256 & activate')}
+              </Button>
+            </CardContent>
+          </Card>
+
+          {/* P1: Hardware fingerprint binding + rebind quota */}
+          {hardware && (
+            <Card className={license?.rebind_required ? 'border-amber-300 dark:border-amber-700' : ''}>
+              <CardHeader>
+                <CardTitle className="text-base flex items-center gap-2">
+                  {license?.rebind_required ? (
+                    <AlertTriangle className="h-4 w-4 text-amber-600" />
+                  ) : (
+                    <Shield className="h-4 w-4" />
+                  )}
+                  {t('sub.hw_title', 'Hardware binding')}
+                </CardTitle>
+                <CardDescription>
+                  {license?.rebind_required
+                    ? t('sub.hw_rebind_required', 'License is bound to different hardware. Click Rebind to anchor to current host. Grace ends on') +
+                      ` ${license.rebind_grace_ends ? new Date(license.rebind_grace_ends).toLocaleString() : '—'}`
+                    : t('sub.hw_desc', 'Each license is anchored to the host hardware fingerprint. Quota: 3 rebinds per 365 days.')}
+                </CardDescription>
+              </CardHeader>
+              <CardContent className="space-y-3">
+                <div className="grid grid-cols-1 md:grid-cols-2 gap-2 text-xs">
+                  <div className="space-y-1">
+                    <div className="text-muted-foreground">{t('sub.hw_current', 'Current host fingerprint')}</div>
+                    <div className="font-mono break-all bg-muted/50 p-2 rounded">
+                      {hardware.current_fingerprint || '—'}
+                    </div>
+                  </div>
+                  <div className="space-y-1">
+                    <div className="text-muted-foreground">{t('sub.hw_bound', 'Bound by license')}</div>
+                    <div className="font-mono break-all bg-muted/50 p-2 rounded">
+                      {hardware.bound_fingerprint || t('sub.hw_unbound', 'unbound')}
+                    </div>
+                  </div>
+                </div>
+
+                <div className="text-xs text-muted-foreground">
+                  {t('sub.hw_quota', 'Rebinds used')}: <strong>{hardware.rebind_count}</strong> /{' '}
+                  {hardware.rebind_quota_limit} ({hardware.rebind_window_days}d)
+                </div>
+
+                <input
+                  type="text"
+                  className="w-full p-2 text-sm bg-muted/50 border rounded-md focus:outline-none focus:ring-2 focus:ring-primary"
+                  placeholder={t('sub.rebind_reason_placeholder', 'Reason (e.g. motherboard RMA, NIC swap)')}
+                  value={rebindReason}
+                  onChange={(e) => setRebindReason(e.target.value)}
+                />
+
+                <div className="flex flex-wrap gap-2">
+                  <Button
+                    variant="outline"
+                    size="sm"
+                    onClick={handleRedetectHw}
+                    disabled={redetectMut.isPending}
+                  >
+                    {redetectMut.isPending && <Loader2 className="mr-2 h-3 w-3 animate-spin" />}
+                    {t('sub.hw_redetect', 'Re-detect hardware')}
+                  </Button>
+                  <Button
+                    onClick={handleRebind}
+                    disabled={rebindMut.isPending || !license?.is_registered}
+                    variant={license?.rebind_required ? 'default' : 'outline'}
+                    size="sm"
+                  >
+                    {rebindMut.isPending && <Loader2 className="mr-2 h-3 w-3 animate-spin" />}
+                    {t('sub.hw_rebind', 'Rebind to current hardware')}
+                  </Button>
+                </div>
+              </CardContent>
+            </Card>
+          )}
+
+          {/* P2: Phone-home / revocation / clock-drift status */}
+          {phonehome?.available && (
+            <Card className={
+              phonehome.grace_band === 'expired' || phonehome.effective_band === 'expired'
+                ? 'border-red-300 dark:border-red-700'
+                : phonehome.grace_band === 'banner'
+                  ? 'border-amber-300 dark:border-amber-700'
+                  : ''
+            }>
+              <CardHeader>
+                <CardTitle className="text-base flex items-center gap-2">
+                  {phonehome.grace_band === 'expired' || phonehome.effective_band === 'expired' ? (
+                    <AlertTriangle className="h-4 w-4 text-red-600" />
+                  ) : phonehome.grace_band === 'banner' ? (
+                    <AlertTriangle className="h-4 w-4 text-amber-600" />
+                  ) : (
+                    <Globe className="h-4 w-4" />
+                  )}
+                  {t('sub.phonehome_title', 'License validation (phone-home)')}
+                </CardTitle>
+                <CardDescription>
+                  {phonehome.grace_banner || phonehome.effective_banner ||
+                    t('sub.phonehome_desc', 'Daily check against the issuer. 14-day grace if offline; 30-day hard cutoff.')}
+                </CardDescription>
+              </CardHeader>
+              <CardContent className="space-y-3 text-xs">
+                <div className="grid grid-cols-2 md:grid-cols-3 gap-3">
+                  <div>
+                    <div className="text-muted-foreground">{t('sub.phonehome_last', 'Last validated')}</div>
+                    <div className="font-mono">
+                      {phonehome.last_validated_at
+                        ? new Date(phonehome.last_validated_at).toLocaleString()
+                        : t('sub.phonehome_never', 'never')}
+                    </div>
+                  </div>
+                  <div>
+                    <div className="text-muted-foreground">{t('sub.phonehome_failures', 'Recent failures')}</div>
+                    <div className="font-mono">{phonehome.failure_count ?? 0}</div>
+                  </div>
+                  <div>
+                    <div className="text-muted-foreground">{t('sub.phonehome_drift', 'Clock drift (sec)')}</div>
+                    <div className="font-mono">
+                      {phonehome.server_time_drift_seconds ?? 0}
+                      {(phonehome.clock_drift_strikes ?? 0) > 0 &&
+                        ` · strikes: ${phonehome.clock_drift_strikes}`}
+                    </div>
+                  </div>
+                </div>
+
+                {phonehome.last_error && (
+                  <div className="text-amber-700 dark:text-amber-400 font-mono text-[11px] break-all">
+                    {t('sub.phonehome_last_error', 'Last error')}: {phonehome.last_error}
+                  </div>
+                )}
+
+                {phonehome.current_jti && (
+                  <div className="text-muted-foreground">
+                    JTI: <span className="font-mono">{phonehome.current_jti}</span>
+                  </div>
+                )}
+
+                <div className="flex flex-wrap gap-2">
+                  <Button
+                    variant="outline"
+                    size="sm"
+                    onClick={handleForceValidate}
+                    disabled={forceValidateMut.isPending || !license?.is_registered}
+                  >
+                    {forceValidateMut.isPending && <Loader2 className="mr-2 h-3 w-3 animate-spin" />}
+                    {t('sub.phonehome_force', 'Validate now')}
+                  </Button>
+                </div>
+              </CardContent>
+            </Card>
+          )}
+
           {/* Dev Tools (localhost only) */}
           {(window.location.hostname === 'localhost' || window.location.hostname === '127.0.0.1') && (
             <Card className="border-dashed border-yellow-300 dark:border-yellow-700">
@@ -502,11 +758,18 @@ export function LicensePage() {
                 </CardDescription>
               </CardHeader>
               <CardContent className="space-y-3">
+                <input
+                  type="password"
+                  className="w-full p-2 text-sm bg-muted/50 border rounded-md focus:outline-none focus:ring-2 focus:ring-primary"
+                  placeholder={t('sub.dev_token_placeholder', 'DEV_TOKEN (matches Worker secret)')}
+                  value={devToken}
+                  onChange={(e) => setDevToken(e.target.value)}
+                />
                 <div className="flex gap-2">
-                  <Button variant="outline" size="sm" onClick={() => handleGenerateDev('pro')} disabled={devGenMut.isPending}>
+                  <Button variant="outline" size="sm" onClick={() => handleGenerateDev('pro')} disabled={devGenMut.isPending || !devToken.trim()}>
                     {t('sub.gen_pro', 'Generate Pro')}
                   </Button>
-                  <Button variant="outline" size="sm" onClick={() => handleGenerateDev('enterprise')} disabled={devGenMut.isPending}>
+                  <Button variant="outline" size="sm" onClick={() => handleGenerateDev('enterprise')} disabled={devGenMut.isPending || !devToken.trim()}>
                     {t('sub.gen_enterprise', 'Generate Enterprise')}
                   </Button>
                 </div>
diff --git a/FINAL_PRODUCTION_SYSTEM/frontend/src/test/api-contracts.test.ts b/FINAL_PRODUCTION_SYSTEM/frontend/src/test/api-contracts.test.ts
index 77c2e0e..fbb85d0 100644
--- a/FINAL_PRODUCTION_SYSTEM/frontend/src/test/api-contracts.test.ts
+++ b/FINAL_PRODUCTION_SYSTEM/frontend/src/test/api-contracts.test.ts
@@ -177,6 +177,11 @@ const BACKEND_ACTIONS: Record<string, { method: 'GET' | 'POST'; csrf: boolean }>
   license_register:            { method: 'POST', csrf: true },
   license_deactivate:          { method: 'POST', csrf: true },
   license_generate_dev:        { method: 'POST', csrf: true },
+  license_claim:               { method: 'POST', csrf: true },
+  license_migrate:             { method: 'POST', csrf: true },
+  license_redetect_hw:         { method: 'POST', csrf: true },
+  license_rebind:              { method: 'POST', csrf: true },
+  license_force_validate:      { method: 'POST', csrf: true },
 
   // system upgrade
   upgrade_check_github:        { method: 'GET',  csrf: false },
diff --git a/FINAL_PRODUCTION_SYSTEM/functions/hardware-fingerprint.php b/FINAL_PRODUCTION_SYSTEM/functions/hardware-fingerprint.php
new file mode 100644
index 0000000..09fba34
--- /dev/null
+++ b/FINAL_PRODUCTION_SYSTEM/functions/hardware-fingerprint.php
@@ -0,0 +1,230 @@
+<?php
+/**
+ * KeyGate — Server-side hardware fingerprint (P1 anti-piracy)
+ *
+ * Computes a cross-OS composite SHA256 fingerprint of host-stable
+ * hardware identifiers. Bound into license_info.hardware_fingerprint
+ * by registerLicense() and verified on every getEffectiveLicense().
+ *
+ * Components (each best-effort; missing components contribute the
+ * empty string, never crash the install):
+ *   - machine_id      — /etc/machine-id (Linux), MachineGuid registry (Windows)
+ *   - system_uuid     — dmidecode -s system-uuid (Linux), Win32_ComputerSystemProduct.UUID (Windows)
+ *   - primary_mac     — first non-loopback NIC MAC, normalised lowercase
+ *   - root_volume_uuid — root volume UUID (blkid Linux, vol C: Windows)
+ *   - host_os         — 'linux' or 'windows' (so Linux↔Windows host migration is detected)
+ *
+ * Composite: hash('sha256', join('|', [machine_id, system_uuid, primary_mac, root_volume_uuid, host_os]))
+ *
+ * Cache: stored in system_config('server_hwfp') as JSON. Recompute only
+ * on force=true (admin clicks "Re-detect hardware") or after a successful
+ * Worker /api/rebind. The shell-out cost (~50–200ms) is non-trivial and
+ * hardware identifiers don't change on reboot.
+ *
+ * Spoof resistance: a 3-of-5 component-match threshold (compareHwfp())
+ * tolerates legitimate single-component changes (NIC swap during RMA,
+ * disk replaced) without forcing a rebind. Patching all 5 components
+ * requires admin tooling on every clone — a meaningful work factor.
+ */
+
+/**
+ * Read /etc/machine-id (Linux) or Windows MachineGuid registry value.
+ * Returns lowercase hex string with no dashes/braces, or '' if unreachable.
+ */
+function hwfpMachineId(): string {
+    if (PHP_OS_FAMILY === 'Windows') {
+        $out = @shell_exec('reg query "HKLM\\SOFTWARE\\Microsoft\\Cryptography" /v MachineGuid 2>nul');
+        if ($out && preg_match('/MachineGuid\s+REG_SZ\s+([0-9a-fA-F-]+)/', $out, $m)) {
+            return strtolower(str_replace(['-', '{', '}'], '', $m[1]));
+        }
+        return '';
+    }
+    // Linux: /etc/machine-id is the canonical 32-char id
+    foreach (['/etc/machine-id', '/var/lib/dbus/machine-id'] as $p) {
+        if (is_readable($p)) {
+            $v = trim((string)@file_get_contents($p));
+            if ($v !== '' && preg_match('/^[0-9a-f]{32}$/', $v)) return $v;
+        }
+    }
+    return '';
+}
+
+/**
+ * System UUID — DMI / SMBIOS provided. Stable across reboots, OS reinstalls.
+ */
+function hwfpSystemUuid(): string {
+    if (PHP_OS_FAMILY === 'Windows') {
+        // PowerShell is far cleaner than wmic for parsing.
+        $cmd = 'powershell -NoProfile -ExecutionPolicy Bypass -Command "(Get-CimInstance Win32_ComputerSystemProduct).UUID"';
+        $out = @shell_exec($cmd);
+        if ($out) {
+            $v = strtolower(trim($out));
+            if (preg_match('/^[0-9a-f-]{32,36}$/', $v)) return str_replace('-', '', $v);
+        }
+        return '';
+    }
+    // Linux: prefer /sys/class/dmi over shell-out for unprivileged hosts.
+    $sys = '/sys/class/dmi/id/product_uuid';
+    if (is_readable($sys)) {
+        $v = strtolower(trim((string)@file_get_contents($sys)));
+        if ($v !== '' && $v !== '00000000-0000-0000-0000-000000000000') {
+            return str_replace('-', '', $v);
+        }
+    }
+    // Fallback: dmidecode (often requires root, may fail silently)
+    $out = @shell_exec('dmidecode -s system-uuid 2>/dev/null');
+    if ($out) {
+        $v = strtolower(trim($out));
+        if (preg_match('/^[0-9a-f-]{32,36}$/', $v)) return str_replace('-', '', $v);
+    }
+    return '';
+}
+
+/**
+ * Primary network MAC — first non-loopback, non-virtual interface.
+ * Normalised to lowercase no-separator hex.
+ */
+function hwfpPrimaryMac(): string {
+    if (PHP_OS_FAMILY === 'Windows') {
+        // Build PS command using a heredoc-like approach: PowerShell sees
+        // single-quoted 'Up'; PHP doesn't escape it (we use double-quoted PHP
+        // strings with no $-vars or escapes that PowerShell would misread).
+        $psScript = "(Get-NetAdapter | Where-Object { \$_.Status -eq 'Up' -and \$_.HardwareInterface -eq \$true }"
+                  . " | Sort-Object -Property ifIndex | Select-Object -First 1).MacAddress";
+        $cmd = 'powershell -NoProfile -ExecutionPolicy Bypass -Command "' . $psScript . '"';
+        $out = @shell_exec($cmd);
+        if ($out) {
+            $v = strtolower(trim($out));
+            $v = preg_replace('/[^0-9a-f]/', '', $v);
+            if (strlen($v) === 12) return $v;
+        }
+        return '';
+    }
+    // Linux: walk /sys/class/net, skip loopback / docker / virtual.
+    $skipPrefixes = ['lo', 'docker', 'br-', 'veth', 'virbr', 'kube'];
+    $dirs = @glob('/sys/class/net/*');
+    if (!$dirs) return '';
+    sort($dirs);
+    foreach ($dirs as $d) {
+        $name = basename($d);
+        foreach ($skipPrefixes as $p) {
+            if (strpos($name, $p) === 0) continue 2;
+        }
+        $macFile = $d . '/address';
+        if (is_readable($macFile)) {
+            $v = strtolower(trim((string)@file_get_contents($macFile)));
+            $v = preg_replace('/[^0-9a-f]/', '', $v);
+            if (strlen($v) === 12 && $v !== '000000000000') return $v;
+        }
+    }
+    return '';
+}
+
+/**
+ * Root volume UUID. On Linux: blkid for the device backing /. On Windows:
+ * `vol C:` — first volume serial in 8-hex format.
+ */
+function hwfpRootVolumeUuid(): string {
+    if (PHP_OS_FAMILY === 'Windows') {
+        $out = @shell_exec('vol C: 2>nul');
+        if ($out && preg_match('/Serial Number is\s+([0-9A-F-]+)/i', $out, $m)) {
+            return strtolower(str_replace('-', '', $m[1]));
+        }
+        return '';
+    }
+    // Linux: findmnt → blkid
+    $src = trim((string)@shell_exec("findmnt -no SOURCE / 2>/dev/null"));
+    if ($src !== '') {
+        $u = trim((string)@shell_exec('blkid -s UUID -o value ' . escapeshellarg($src) . ' 2>/dev/null'));
+        if ($u !== '') return strtolower(str_replace('-', '', $u));
+    }
+    return '';
+}
+
+/**
+ * Compute the full hwfp tuple (components + composite hash).
+ * Pure function — no PDO, no caching.
+ */
+function computeServerHwfp(): array {
+    $components = [
+        'machine_id'       => hwfpMachineId(),
+        'system_uuid'      => hwfpSystemUuid(),
+        'primary_mac'      => hwfpPrimaryMac(),
+        'root_volume_uuid' => hwfpRootVolumeUuid(),
+        'host_os'          => strtolower(PHP_OS_FAMILY),
+    ];
+    $material = implode('|', [
+        $components['machine_id'],
+        $components['system_uuid'],
+        $components['primary_mac'],
+        $components['root_volume_uuid'],
+        $components['host_os'],
+    ]);
+    return [
+        'components'    => $components,
+        'composite'     => hash('sha256', $material),
+        'computed_at'   => date('c'),
+    ];
+}
+
+/**
+ * Cached server hwfp; recompute on $force=true. Stored as JSON in
+ * system_config('server_hwfp').
+ */
+function getServerHardwareFingerprint(PDO $pdo, bool $force = false): array {
+    if (!$force) {
+        $cached = getConfig('server_hwfp');
+        if (!empty($cached)) {
+            $decoded = json_decode($cached, true);
+            if (is_array($decoded) && !empty($decoded['composite'])) {
+                return $decoded;
+            }
+        }
+    }
+    $hwfp = computeServerHwfp();
+    if (function_exists('saveConfigBatch')) {
+        saveConfigBatch($pdo, ['server_hwfp' => json_encode($hwfp)]);
+    }
+    return $hwfp;
+}
+
+/**
+ * Compare two hwfp arrays component-by-component. Returns a struct:
+ *   match_count    — int 0..5
+ *   total          — int 5
+ *   composite_eq   — bool
+ *   accepted       — bool (composite_eq OR match_count >= 3)
+ *   diff_components — list of names that differ
+ *
+ * The 3-of-5 soft threshold is a deliberate trade-off: legitimate
+ * hardware events (NIC swap, disk replacement, BIOS reset clearing UUID)
+ * rarely change more than 2 components. Forging all 5 requires admin
+ * tooling on every clone.
+ */
+function compareHwfp(array $a, array $b): array {
+    $ac = $a['components'] ?? [];
+    $bc = $b['components'] ?? [];
+    $names = ['machine_id', 'system_uuid', 'primary_mac', 'root_volume_uuid', 'host_os'];
+    $matches = 0;
+    $diff = [];
+    foreach ($names as $n) {
+        $av = (string)($ac[$n] ?? '');
+        $bv = (string)($bc[$n] ?? '');
+        // Empty-string components on both sides count as a non-match
+        // (defensively ignore them rather than treat them as agreement).
+        if ($av !== '' && $av === $bv) {
+            $matches++;
+        } else {
+            $diff[] = $n;
+        }
+    }
+    $compositeEq = !empty($a['composite']) && !empty($b['composite'])
+                   && hash_equals($a['composite'], $b['composite']);
+    return [
+        'match_count'    => $matches,
+        'total'          => count($names),
+        'composite_eq'   => $compositeEq,
+        'accepted'       => $compositeEq || $matches >= 3,
+        'diff_components'=> $diff,
+    ];
+}
diff --git a/FINAL_PRODUCTION_SYSTEM/functions/license-helpers.php b/FINAL_PRODUCTION_SYSTEM/functions/license-helpers.php
index 9aa8877..5b645c0 100644
--- a/FINAL_PRODUCTION_SYSTEM/functions/license-helpers.php
+++ b/FINAL_PRODUCTION_SYSTEM/functions/license-helpers.php
@@ -1,9 +1,16 @@
 <?php
 /**
- * KeyGate — License Validation & Enforcement
+ * KeyGate — License Validation & Enforcement (P0: RS256 + DB row HMAC)
  *
  * Provides JWT-based license validation, tier checking, and feature gating.
- * The license system uses a simple JWT format signed with HMAC-SHA256.
+ * As of v2.3.0 the license system uses **RS256 (asymmetric)** signing:
+ *   - Private key lives ONLY on the Cloudflare Worker (LICENSE_PRIVATE_KEY).
+ *   - Public key is embedded in this source file. Verification is local;
+ *     forging a license requires the private key, which never ships.
+ *
+ * Backward-compatibility: a legacy HS256 secret is accepted for 90 days
+ * after a v2.2.x → v2.3.x upgrade so existing customers can re-issue via
+ * the Worker /api/migrate endpoint without losing access.
  *
  * License tiers:
  *   community  — 1 technician, 50 keys, basic features (free)
@@ -15,6 +22,36 @@
 define('KEYGATE_LICENSE_SERVER', 'https://keygate-license-server.msamirvip.workers.dev');
 define('KEYGATE_SPONSORS_URL', 'https://github.com/sponsors/ChesnoTech');
 
+// P1: server-side hardware fingerprint + rebind grace window.
+// 7-day grace lets admins click "Rebind hardware" before tier degrades.
+require_once __DIR__ . '/hardware-fingerprint.php';
+define('KEYGATE_REBIND_GRACE_SECONDS', 7 * 86400);
+
+// P2: phone-home grace bands (14d soft / 30d hard) live in license-phone-home.php.
+// Required there too, but loaded lazily from getEffectiveLicense() to avoid a
+// circular include — this file is required by license-phone-home.php.
+
+// ── License Verification Public Key (RS256, PKCS#8 SPKI) ─────
+// Generated 2026-05-08 alongside Worker secret LICENSE_PRIVATE_KEY.
+// Safe to commit — public key is only useful for verification.
+define('KEYGATE_LICENSE_PUBLIC_KEY', "-----BEGIN PUBLIC KEY-----\n"
+    . "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA108D/sn25MJwnRtSpl56\n"
+    . "Vr/z8X8dzywMueB7gwDr1gcsgjYSFsqiPQLwxwptap8dl2iifkTVv0wGlSf6/1Sc\n"
+    . "GHQbzISZWO8W4SsADiOZhlV3KLdlLp0A4ttY5OHYQVa52BnANJdBKHqPH1s7/D2k\n"
+    . "t+aaMWYEzaAEjkZzwuxgtyhdDa9Mkk2J7y0TCbo+uGP1cLPwfHcSCuO9LRY14R2f\n"
+    . "OAK3rwrOSoUIw0/xAPaSkx7tW6aOzRAbRMcE++Ppq+GpYg6ZOaROVyrKX2zuNjh8\n"
+    . "8NGYB0IDggRDspi0MAjELUZ/XBm20oXzWLE5T3O+8hBjaeQJ1q5Xk2Rbe080SjxU\n"
+    . "LwIDAQAB\n"
+    . "-----END PUBLIC KEY-----\n");
+
+// ── Legacy HS256 secret (90-day migration window) ────────────
+// REMOVE on 2026-08-08. After that date, only RS256 JWTs verify.
+// Customers with a pre-v2.3 JWT must visit /license and click
+// "Re-register license" — the UI calls /api/migrate which re-issues
+// an RS256 token bound to the same email + new instance_id.
+define('KEYGATE_LEGACY_HS256_SECRET', 'keygate-community-verification-key-2026');
+define('KEYGATE_LEGACY_HS256_DEADLINE', '2026-08-08');
+
 // ── Tier Definitions ────────────────────────────────────────
 
 define('LICENSE_TIERS', [
@@ -109,58 +146,152 @@ function getInstanceId(PDO $pdo): string {
     return $instanceId;
 }
 
-// ── JWT Helpers (HMAC-SHA256, no external deps) ─────────────
+// ── JWT Helpers (RS256 verify-only) ─────────────────────────
 
 function base64UrlEncode(string $data): string {
     return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
 }
 
 function base64UrlDecode(string $data): string {
+    $remainder = strlen($data) % 4;
+    if ($remainder) {
+        $data .= str_repeat('=', 4 - $remainder);
+    }
     return base64_decode(strtr($data, '-_', '+/'));
 }
 
 /**
  * Decode and verify a KeyGate license JWT.
+ *
+ * Verification path:
+ *   1. RS256 with KEYGATE_LICENSE_PUBLIC_KEY (production tokens)
+ *   2. HS256 with KEYGATE_LEGACY_HS256_SECRET (legacy tokens, 90-day window)
+ *      — only attempted if today's date is on/before KEYGATE_LEGACY_HS256_DEADLINE.
+ *
  * Returns the payload array on success, or null on failure.
+ * The `_alg` key in the returned payload tells the caller which path verified.
  *
- * @param string $jwt    The license JWT string
- * @param string $secret The HMAC secret (KeyGate public verification key)
- * @return array|null    Decoded payload or null
+ * Note: production code never signs JWTs locally. The Worker is the only
+ * issuer. createLicenseJwt() was removed in v2.3.0.
  */
-function decodeLicenseJwt(string $jwt, string $secret = 'keygate-community-verification-key-2026'): ?array {
+function decodeLicenseJwt(string $jwt): ?array {
     $parts = explode('.', $jwt);
     if (count($parts) !== 3) {
         return null;
     }
 
     [$headerB64, $payloadB64, $signatureB64] = $parts;
-
-    // Verify signature
-    $signatureCheck = base64UrlEncode(
-        hash_hmac('sha256', "$headerB64.$payloadB64", $secret, true)
-    );
-
-    if (!hash_equals($signatureCheck, $signatureB64)) {
+    $headerJson = base64UrlDecode($headerB64);
+    $header = json_decode($headerJson, true);
+    if (!is_array($header) || empty($header['alg'])) {
         return null;
     }
 
-    $payload = json_decode(base64UrlDecode($payloadB64), true);
-    if (!is_array($payload)) {
-        return null;
+    $signingInput = "$headerB64.$payloadB64";
+    $signature    = base64UrlDecode($signatureB64);
+
+    // ── 1. RS256 (production) ────────────────────────────────
+    if ($header['alg'] === 'RS256') {
+        $verified = openssl_verify(
+            $signingInput,
+            $signature,
+            KEYGATE_LICENSE_PUBLIC_KEY,
+            OPENSSL_ALGO_SHA256
+        );
+        if ($verified !== 1) {
+            return null;
+        }
+        $payload = json_decode(base64UrlDecode($payloadB64), true);
+        if (!is_array($payload)) return null;
+        $payload['_alg'] = 'RS256';
+        return $payload;
+    }
+
+    // ── 2. HS256 legacy (migration window only) ──────────────
+    if ($header['alg'] === 'HS256') {
+        if (!defined('KEYGATE_LEGACY_HS256_DEADLINE') || date('Y-m-d') > KEYGATE_LEGACY_HS256_DEADLINE) {
+            return null;
+        }
+        $expected = hash_hmac(
+            'sha256',
+            $signingInput,
+            KEYGATE_LEGACY_HS256_SECRET,
+            true
+        );
+        if (!hash_equals($expected, $signature)) {
+            return null;
+        }
+        $payload = json_decode(base64UrlDecode($payloadB64), true);
+        if (!is_array($payload)) return null;
+        $payload['_alg'] = 'HS256-legacy';
+        return $payload;
     }
 
-    return $payload;
+    // Unknown alg
+    return null;
+}
+
+// ── DB Row Integrity HMAC (P0.2) ────────────────────────────
+
+/**
+ * Get or generate the per-instance secret used to HMAC license_info rows.
+ * Stored in system_config('license_row_secret'). Rotated on every successful
+ * license registration and (in P2) every successful phone-home validate.
+ */
+function getLicenseRowSecret(PDO $pdo): string {
+    $cached = getConfig('license_row_secret');
+    if (!empty($cached)) return $cached;
+    $secret = bin2hex(random_bytes(32));
+    saveConfigBatch($pdo, ['license_row_secret' => $secret]);
+    return $secret;
+}
+
+/**
+ * Force-rotate the per-instance row secret. Returns the new value.
+ * Caller is responsible for re-stamping any active license_info row.
+ */
+function rotateLicenseRowSecret(PDO $pdo): string {
+    $secret = bin2hex(random_bytes(32));
+    saveConfigBatch($pdo, ['license_row_secret' => $secret]);
+    return $secret;
+}
+
+/**
+ * Compute the integrity HMAC for a license_info row.
+ *
+ *   HMAC_SHA256(
+ *     license_key | tier | max_techs | max_keys | exp_unix | instance_id | hardware_fingerprint,
+ *     row_secret
+ *   )
+ *
+ * P1 added the trailing hardware_fingerprint field. P0 rows (no hwfp
+ * column or NULL value) hash with empty-string for the field; after P1
+ * migration the field is always present so empty-string only means an
+ * intentionally unbound row (claim-pending).
+ */
+function computeLicenseRowHmac(string $secret, array $row): string {
+    $material = implode('|', [
+        (string)($row['license_key']     ?? ''),
+        (string)($row['tier']            ?? ''),
+        (string)((int)($row['max_technicians'] ?? 0)),
+        (string)((int)($row['max_keys']        ?? 0)),
+        // expires_at is stored as DATETIME — convert to unix epoch for stable hashing.
+        (string)(empty($row['expires_at']) ? 0 : strtotime($row['expires_at'])),
+        (string)($row['instance_id']     ?? ''),
+        // P1: hardware_fingerprint (composite SHA256 from hardware-fingerprint.php)
+        (string)($row['hardware_fingerprint'] ?? ''),
+    ]);
+    return hash_hmac('sha256', $material, $secret);
 }
 
 /**
- * Create a license JWT (for testing/development only — production keys
- * are generated by the KeyGate license server).
+ * Verify a license_info row's integrity HMAC. Returns true if valid.
+ * Rows missing integrity_hmac (legacy or directly-INSERTed) fail.
  */
-function createLicenseJwt(array $payload, string $secret = 'keygate-community-verification-key-2026'): string {
-    $header = base64UrlEncode(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
-    $body = base64UrlEncode(json_encode($payload));
-    $signature = base64UrlEncode(hash_hmac('sha256', "$header.$body", $secret, true));
-    return "$header.$body.$signature";
+function verifyLicenseRow(PDO $pdo, array $row): bool {
+    if (empty($row['integrity_hmac'])) return false;
+    $expected = computeLicenseRowHmac(getLicenseRowSecret($pdo), $row);
+    return hash_equals($expected, $row['integrity_hmac']);
 }
 
 // ── License Validation ──────────────────────────────────────
@@ -181,31 +312,164 @@ function getCurrentLicense(PDO $pdo): ?array {
 
 /**
  * Get the effective license tier and limits.
- * Falls back to community tier if no valid license.
+ *
+ * Decision tree (highest priority first):
+ *   1. No row OR row HMAC fail              → community (mark row invalid).
+ *   2. validation_status='rebinding_required' → previous tier inside 7d grace,
+ *                                              else community.
+ *   3. validation_status!='valid'            → community.
+ *   4. hwfp drift detected (3-of-5 fail)     → set rebinding_required, recurse.
+ *   5. Otherwise                             → row's tier.
+ *
+ * Defeats direct INSERT/UPDATE bypass (HMAC) AND VM-clone bypass (hwfp).
  */
 function getEffectiveLicense(PDO $pdo): array {
     $license = getCurrentLicense($pdo);
 
-    if ($license && $license['validation_status'] === 'valid') {
-        $tier = $license['tier'] ?? 'community';
-        $tierDef = LICENSE_TIERS[$tier] ?? LICENSE_TIERS['community'];
+    // ── 1. Missing row OR HMAC mismatch → community ──────────
+    if (!$license || !verifyLicenseRow($pdo, $license)) {
+        // If row exists but HMAC failed, mark it invalid so admin sees the issue.
+        // Best-effort; ignore failures (column missing pre-migration, etc.).
+        if ($license && $license['validation_status'] === 'valid') {
+            try {
+                $stmt = $pdo->prepare(
+                    "UPDATE `" . t('license_info') . "` SET validation_status = 'invalid' WHERE id = ?"
+                );
+                $stmt->execute([$license['id']]);
+                error_log("KeyGate: license row HMAC mismatch on id=" . $license['id'] . ", forced to community");
+            } catch (Exception $e) { /* legacy installs */ }
+        }
+        return _communityLicense($license !== null);
+    }
 
-        return [
-            'tier'             => $tier,
-            'label'            => $tierDef['label'],
-            'max_technicians'  => (int)$license['max_technicians'],
-            'max_keys'         => (int)$license['max_keys'],
-            'features'         => $tierDef['features'],
-            'licensed_to'      => $license['licensed_to_email'] ?? '',
-            'expires_at'       => $license['expires_at'],
-            'is_registered'    => true,
-            'instance_id'      => $license['instance_id'],
-        ];
+    $tier    = $license['tier'] ?? 'community';
+    $tierDef = LICENSE_TIERS[$tier] ?? LICENSE_TIERS['community'];
+
+    // ── 2. rebinding_required → grace window of previous tier ──
+    if (($license['validation_status'] ?? '') === 'rebinding_required') {
+        $boundAt   = !empty($license['hwfp_last_rebind_at'])
+                     ? strtotime($license['hwfp_last_rebind_at'])
+                     : (int)strtotime($license['updated_at'] ?? 'now');
+        $graceEnds = $boundAt + KEYGATE_REBIND_GRACE_SECONDS;
+        if (time() < $graceEnds) {
+            $prevTier = (string)getConfig('license_prev_tier');
+            if ($prevTier && isset(LICENSE_TIERS[$prevTier])) {
+                $prevDef = LICENSE_TIERS[$prevTier];
+                return [
+                    'tier'             => $prevTier,
+                    'label'            => $prevDef['label'],
+                    'max_technicians'  => (int)($prevDef['max_technicians']),
+                    'max_keys'         => (int)($prevDef['max_keys']),
+                    'features'         => $prevDef['features'],
+                    'licensed_to'      => $license['licensed_to_email'] ?? '',
+                    'expires_at'       => $license['expires_at'],
+                    'is_registered'    => true,
+                    'instance_id'      => $license['instance_id'],
+                    'rebind_required'  => true,
+                    'rebind_grace_ends'=> date('c', $graceEnds),
+                ];
+            }
+        }
+        // Grace exhausted → community.
+        return _communityLicense(true, ['rebind_required' => true]);
+    }
+
+    // ── 3. Anything other than 'valid' → community ────────────
+    if (($license['validation_status'] ?? '') !== 'valid') {
+        return _communityLicense(true);
+    }
+
+    // ── 4. hwfp drift detection (P1) ──────────────────────────
+    // Only enforce if the row has a bound fingerprint (post-P1 install).
+    // Pre-P1 rows have NULL hardware_fingerprint and skip this gate until
+    // the customer re-registers (auto-binds current host hwfp).
+    if (!empty($license['hardware_fingerprint'])) {
+        try {
+            $current = getServerHardwareFingerprint($pdo, false);
+            $bound   = ['composite' => $license['hardware_fingerprint'], 'components' => []];
+            $cmp     = compareHwfp($current, $bound);
+            if (!$cmp['accepted']) {
+                _markRebindingRequired($pdo, $license, $tier);
+                error_log("KeyGate: hwfp drift on license id=" . $license['id']
+                    . ", matches=" . $cmp['match_count'] . "/" . $cmp['total']
+                    . ", composite_eq=" . ($cmp['composite_eq'] ? '1' : '0'));
+                // Recurse — caller now sees rebinding_required path.
+                return getEffectiveLicense($pdo);
+            }
+        } catch (Exception $e) {
+            // Hardware-fingerprint helper unavailable (PHP module missing,
+            // unsupported OS) — fail open, log, continue with bound tier.
+            error_log("KeyGate: hwfp comparison threw: " . $e->getMessage());
+        }
+    }
+
+    // ── 5. Phone-home grace bands (P2) ────────────────────────
+    // Lazy-include phone-home helper (avoids circular require at file top).
+    $phPath = __DIR__ . '/license-phone-home.php';
+    if (is_file($phPath)) {
+        @include_once $phPath;
+        if (function_exists('checkPhoneHomeGrace') && function_exists('firePhoneHomeAsync')) {
+            $grace = checkPhoneHomeGrace($license);
+            if ($grace['band'] === 'expired') {
+                // >30d since last successful validate → degrade to community.
+                try {
+                    $stmt = $pdo->prepare("UPDATE `" . t('license_info') . "`
+                        SET validation_status = 'expired',
+                            last_validation_error = ?
+                        WHERE id = ?");
+                    $stmt->execute([$grace['banner'], $license['id']]);
+                } catch (Exception $e) { /* legacy */ }
+                return _communityLicense(true, [
+                    'phonehome_band'   => 'expired',
+                    'phonehome_banner' => $grace['banner'],
+                    'phonehome_days'   => $grace['days_since'],
+                ]);
+            }
+            // Fire async phone-home (throttled internally to once per 24h).
+            try { firePhoneHomeAsync($pdo); } catch (Exception $e) { /* fail open */ }
+
+            $extra = [];
+            if ($grace['band'] === 'banner') {
+                $extra = [
+                    'phonehome_band'   => 'banner',
+                    'phonehome_banner' => $grace['banner'],
+                    'phonehome_days'   => $grace['days_since'],
+                ];
+            }
+            return array_merge([
+                'tier'             => $tier,
+                'label'            => $tierDef['label'],
+                'max_technicians'  => (int)$license['max_technicians'],
+                'max_keys'         => (int)$license['max_keys'],
+                'features'         => $tierDef['features'],
+                'licensed_to'      => $license['licensed_to_email'] ?? '',
+                'expires_at'       => $license['expires_at'],
+                'is_registered'    => true,
+                'instance_id'      => $license['instance_id'],
+            ], $extra);
+        }
     }
 
-    // Default community tier
-    $communityDef = LICENSE_TIERS['community'];
     return [
+        'tier'             => $tier,
+        'label'            => $tierDef['label'],
+        'max_technicians'  => (int)$license['max_technicians'],
+        'max_keys'         => (int)$license['max_keys'],
+        'features'         => $tierDef['features'],
+        'licensed_to'      => $license['licensed_to_email'] ?? '',
+        'expires_at'       => $license['expires_at'],
+        'is_registered'    => true,
+        'instance_id'      => $license['instance_id'],
+    ];
+}
+
+/**
+ * Build the canonical community-tier response. Shared by all the
+ * fallback paths in getEffectiveLicense().
+ */
+function _communityLicense(bool $isRegistered, array $extra = []): array {
+    $communityDef = LICENSE_TIERS['community'];
+    return array_merge([
         'tier'             => 'community',
         'label'            => 'Community',
         'max_technicians'  => $communityDef['max_technicians'],
@@ -213,9 +477,32 @@ function getEffectiveLicense(PDO $pdo): array {
         'features'         => $communityDef['features'],
         'licensed_to'      => '',
         'expires_at'       => null,
-        'is_registered'    => ($license !== null),
+        'is_registered'    => $isRegistered,
         'instance_id'      => '',
-    ];
+    ], $extra);
+}
+
+/**
+ * Set validation_status='rebinding_required' and persist the previous
+ * tier so the 7-day grace window can serve it. Called by the hwfp-drift
+ * branch of getEffectiveLicense() and (in P2) by phone-home responses
+ * carrying must_rebind:true.
+ */
+function _markRebindingRequired(PDO $pdo, array $license, string $prevTier): void {
+    try {
+        // Persist prev tier for the grace path.
+        if (function_exists('saveConfigBatch')) {
+            saveConfigBatch($pdo, ['license_prev_tier' => $prevTier]);
+        }
+        $stmt = $pdo->prepare(
+            "UPDATE `" . t('license_info') . "`
+             SET validation_status = 'rebinding_required'
+             WHERE id = ?"
+        );
+        $stmt->execute([$license['id']]);
+    } catch (Exception $e) {
+        error_log("KeyGate: failed to mark rebinding_required: " . $e->getMessage());
+    }
 }
 
 /**
@@ -236,12 +523,22 @@ function registerLicense(PDO $pdo, string $licenseKey): array {
         }
     }
 
-    // Validate instance ID matches
+    // Reject wildcard binding — every license MUST be bound to a specific instance.
+    // Customers paste their instance ID into the checkout form (LemonSqueezy custom
+    // field, T-Bank OrderId encoding, GitHub Sponsors /api/claim flow).
+    if ($payload['instance_id'] === '*') {
+        return [
+            'success' => false,
+            'error' => 'This license uses a deprecated wildcard binding. Re-issue from your purchase email or run /api/claim.',
+        ];
+    }
+
+    // Validate instance ID matches this install
     $instanceId = getInstanceId($pdo);
-    if ($payload['instance_id'] !== $instanceId && $payload['instance_id'] !== '*') {
+    if ($payload['instance_id'] !== $instanceId) {
         return [
             'success' => false,
-            'error' => 'License is for a different installation. Your instance ID: ' . substr($instanceId, 0, 12) . '...',
+            'error' => 'License is bound to a different installation. Your instance ID: ' . substr($instanceId, 0, 12) . '...',
         ];
     }
 
@@ -257,41 +554,178 @@ function registerLicense(PDO $pdo, string $licenseKey): array {
 
     $tierDef = LICENSE_TIERS[$tier];
 
+    // Build the row payload up-front so we can HMAC it.
+    $maxTechs = (int)($payload['max_technicians'] ?? $tierDef['max_technicians']);
+    $maxKeys  = (int)($payload['max_keys']        ?? $tierDef['max_keys']);
+    $expIso   = date('Y-m-d H:i:s', (int)$payload['exp']);
+
+    // ── P1: hardware fingerprint binding ─────────────────────
+    // Compute current host fingerprint. If the JWT carries an `hwfp`
+    // claim, validate against current with the 3-of-5 soft threshold.
+    // If absent (legacy or pre-P1 mint), auto-bind to current.
+    $serverHwfp = ['composite' => '', 'components' => []];
+    try {
+        $serverHwfp = getServerHardwareFingerprint($pdo, false);
+    } catch (Exception $e) {
+        error_log("KeyGate: hwfp helper unavailable on register: " . $e->getMessage());
+    }
+    $hostHwfpComposite = (string)($serverHwfp['composite'] ?? '');
+
+    if (!empty($payload['hwfp']) && $hostHwfpComposite !== '') {
+        $bound = ['composite' => $payload['hwfp'], 'components' => []];
+        $cmp   = compareHwfp($serverHwfp, $bound);
+        if (!$cmp['accepted']) {
+            return [
+                'success' => false,
+                'error'   => 'License is bound to different hardware. '
+                    . 'Match: ' . $cmp['match_count'] . '/' . $cmp['total']
+                    . ' components. Run /api/rebind from your previous host '
+                    . 'or contact support if the previous host is unrecoverable.',
+            ];
+        }
+    }
+
+    // ── P0.3: rotate per-instance row secret on every register ──
+    $rowSecret = rotateLicenseRowSecret($pdo);
+
+    // Compute integrity HMAC for the row (P1 formula includes hwfp).
+    $rowForHmac = [
+        'license_key'          => $licenseKey,
+        'tier'                 => $tier,
+        'max_technicians'      => $maxTechs,
+        'max_keys'             => $maxKeys,
+        'expires_at'           => $expIso,
+        'instance_id'          => $instanceId,
+        'hardware_fingerprint' => $hostHwfpComposite,
+    ];
+    $integrityHmac = computeLicenseRowHmac($rowSecret, $rowForHmac);
+
     // Deactivate any existing license
     $pdo->exec("UPDATE `" . t('license_info') . "` SET is_active = 0");
 
-    // Insert new license
+    // Insert new license (P1 columns included).
     $stmt = $pdo->prepare("
         INSERT INTO `" . t('license_info') . "`
-            (license_key, instance_id, tier, licensed_to_email, licensed_to_name,
+            (license_key, instance_id, hardware_fingerprint, hwfp_bound_at,
+             tier, licensed_to_email, licensed_to_name,
              max_technicians, max_keys, features,
-             issued_at, expires_at, last_validated_at, validation_status, is_active)
-        VALUES (?, ?, ?, ?, ?, ?, ?, ?, FROM_UNIXTIME(?), FROM_UNIXTIME(?), NOW(), 'valid', 1)
+             issued_at, expires_at, last_validated_at, validation_status, is_active,
+             integrity_hmac)
+        VALUES (?, ?, ?, NOW(), ?, ?, ?, ?, ?, ?, FROM_UNIXTIME(?), FROM_UNIXTIME(?), NOW(),
+                'valid', 1, ?)
     ");
     $stmt->execute([
         $licenseKey,
         $instanceId,
+        $hostHwfpComposite ?: null,
         $tier,
         $payload['email'] ?? null,
         $payload['name'] ?? null,
-        $payload['max_technicians'] ?? $tierDef['max_technicians'],
-        $payload['max_keys'] ?? $tierDef['max_keys'],
+        $maxTechs,
+        $maxKeys,
         json_encode($tierDef['features']),
         $payload['iat'],
         $payload['exp'],
+        $integrityHmac,
     ]);
 
-    // Update system_config
-    saveConfigBatch($pdo, ['license_tier' => $tier]);
+    // Update system_config — store both current tier and the prev-tier
+    // anchor used by the rebinding_required grace window.
+    saveConfigBatch($pdo, [
+        'license_tier'      => $tier,
+        'license_prev_tier' => $tier,
+    ]);
 
     return [
-        'success' => true,
-        'tier'    => $tier,
-        'label'   => $tierDef['label'],
-        'message' => "License registered successfully — {$tierDef['label']} tier activated",
+        'success'   => true,
+        'tier'      => $tier,
+        'label'     => $tierDef['label'],
+        'algorithm' => $payload['_alg'] ?? 'unknown',
+        'hwfp'      => $hostHwfpComposite,
+        'message'   => "License registered successfully — {$tierDef['label']} tier activated"
+            . (($payload['_alg'] ?? '') === 'HS256-legacy'
+                ? ' (legacy algorithm; please re-issue via Re-register button before ' . KEYGATE_LEGACY_HS256_DEADLINE . ')'
+                : ''),
     ];
 }
 
+// ── Rebind support (P1) ─────────────────────────────────────
+
+/**
+ * Apply a successful /api/rebind response to the active license row.
+ * Caller hands in the fresh JWT (RS256, hwfp bound to current host) and
+ * the new rebind quota counters.
+ *
+ * Returns ['success'=>true, 'tier'=>...] on apply or ['success'=>false]
+ * on failure. The new JWT must validate via decodeLicenseJwt() and bind
+ * to the same instance_id as the existing row.
+ */
+function applyRebindResponse(PDO $pdo, string $newJwt, int $rebindCount): array {
+    $payload = decodeLicenseJwt($newJwt);
+    if (!$payload) {
+        return ['success' => false, 'error' => 'Rebind response carried invalid JWT'];
+    }
+    $current = getCurrentLicense($pdo);
+    if (!$current) {
+        return ['success' => false, 'error' => 'No active license to rebind'];
+    }
+    if (($payload['instance_id'] ?? '') !== $current['instance_id']) {
+        return ['success' => false, 'error' => 'Rebind response mismatched instance_id'];
+    }
+
+    $serverHwfp = getServerHardwareFingerprint($pdo, true); // force re-detect post-rebind
+    $hostHwfpComposite = (string)($serverHwfp['composite'] ?? '');
+
+    $tier    = $payload['tier'] ?? $current['tier'];
+    $tierDef = LICENSE_TIERS[$tier] ?? LICENSE_TIERS['community'];
+    $maxT    = (int)($payload['max_technicians'] ?? $tierDef['max_technicians']);
+    $maxK    = (int)($payload['max_keys']        ?? $tierDef['max_keys']);
+    $expIso  = date('Y-m-d H:i:s', (int)$payload['exp']);
+
+    $rowSecret = rotateLicenseRowSecret($pdo);
+    $hmac = computeLicenseRowHmac($rowSecret, [
+        'license_key'          => $newJwt,
+        'tier'                 => $tier,
+        'max_technicians'      => $maxT,
+        'max_keys'             => $maxK,
+        'expires_at'           => $expIso,
+        'instance_id'          => $current['instance_id'],
+        'hardware_fingerprint' => $hostHwfpComposite,
+    ]);
+
+    $stmt = $pdo->prepare("
+        UPDATE `" . t('license_info') . "`
+        SET license_key          = ?,
+            hardware_fingerprint = ?,
+            hwfp_bound_at        = NOW(),
+            hwfp_rebind_count    = ?,
+            hwfp_last_rebind_at  = NOW(),
+            tier                 = ?,
+            max_technicians      = ?,
+            max_keys             = ?,
+            expires_at           = FROM_UNIXTIME(?),
+            validation_status    = 'valid',
+            integrity_hmac       = ?,
+            last_validated_at    = NOW()
+        WHERE id = ?
+    ");
+    $stmt->execute([
+        $newJwt,
+        $hostHwfpComposite ?: null,
+        $rebindCount,
+        $tier,
+        $maxT,
+        $maxK,
+        (int)$payload['exp'],
+        $hmac,
+        $current['id'],
+    ]);
+
+    saveConfigBatch($pdo, ['license_tier' => $tier, 'license_prev_tier' => $tier]);
+
+    return ['success' => true, 'tier' => $tier, 'rebind_count' => $rebindCount];
+}
+
 // ── Enforcement ─────────────────────────────────────────────
 
 /**
diff --git a/FINAL_PRODUCTION_SYSTEM/functions/license-phone-home.php b/FINAL_PRODUCTION_SYSTEM/functions/license-phone-home.php
new file mode 100644
index 0000000..1f7b3ff
--- /dev/null
+++ b/FINAL_PRODUCTION_SYSTEM/functions/license-phone-home.php
@@ -0,0 +1,264 @@
+<?php
+/**
+ * KeyGate — License phone-home (P2 anti-piracy)
+ *
+ * Without phone-home, a JWT registered once was good forever; pirates
+ * could register a single legit license, export the JWT, and seed an
+ * unlimited number of installs. Phone-home turns the Cloudflare Worker
+ * into the authoritative tier source and enables revocation.
+ *
+ * Cadence: at most every 24h on PHP boot OR daily cron (whichever fires
+ * first). Non-blocking — request runs with a tight timeout so admin
+ * pages never wait on it. Cached response serves the tier between calls.
+ *
+ * Grace bands (enforced by checkPhoneHomeGrace):
+ *    0–14d  → cached tier, no banner.
+ *   14–30d  → cached tier, banner ("validation failed for N days").
+ *   >30d    → community fallback (validation_status='expired').
+ *   revoked → community immediately, regardless of grace.
+ *   must_rebind → 'rebinding_required' (P1 grace path takes over).
+ *   clock drift > 5min × 3 consecutive checks → 'clock_drift'.
+ */
+
+require_once __DIR__ . '/license-helpers.php';
+
+define('KEYGATE_PHONEHOME_TIMEOUT_SEC', 6);
+define('KEYGATE_PHONEHOME_GRACE_BANNER_S', 14 * 86400);
+define('KEYGATE_PHONEHOME_GRACE_HARD_S',   30 * 86400);
+define('KEYGATE_CLOCK_DRIFT_THRESHOLD_S',  5 * 60);
+define('KEYGATE_CLOCK_DRIFT_STRIKE_LIMIT', 3);
+
+/**
+ * Validate license against the Cloudflare Worker. Returns the parsed
+ * response array on success or null on network/parse error. Does NOT
+ * mutate the DB; caller is responsible for that via applyValidateResponse.
+ *
+ * Caller usually passes $force=false so the call is throttled by
+ * `license_phonehome_interval` (default 86400s).
+ */
+function phoneHomeValidate(PDO $pdo, bool $force = false): ?array {
+    $row = getCurrentLicense($pdo);
+    if (!$row || empty($row['license_key'])) return null;
+
+    if (!$force) {
+        $intervalCfg = (int)getConfig('license_phonehome_interval');
+        $interval = $intervalCfg > 0 ? $intervalCfg : 86400;
+        if (!empty($row['last_validated_at'])) {
+            $age = time() - (int)strtotime($row['last_validated_at']);
+            if ($age < $interval) return null; // throttled
+        }
+    }
+
+    $instanceId = (string)($row['instance_id'] ?? '');
+    $hwfp       = (string)($row['hardware_fingerprint'] ?? '');
+    $body = json_encode([
+        'license_key'          => $row['license_key'],
+        'instance_id'          => $instanceId,
+        'hardware_fingerprint' => $hwfp,
+        'version'              => defined('KEYGATE_VERSION') ? KEYGATE_VERSION : '',
+    ]);
+
+    $ctx = stream_context_create([
+        'http' => [
+            'method'        => 'POST',
+            'header'        => "Content-Type: application/json\r\n",
+            'content'       => $body,
+            'timeout'       => KEYGATE_PHONEHOME_TIMEOUT_SEC,
+            'ignore_errors' => true,
+        ],
+    ]);
+    $resp = @file_get_contents(KEYGATE_LICENSE_SERVER . '/api/validate', false, $ctx);
+    if ($resp === false) {
+        recordPhoneHomeFailure($pdo, $row, 'network_unreachable');
+        return null;
+    }
+    $decoded = json_decode($resp, true);
+    if (!is_array($decoded)) {
+        recordPhoneHomeFailure($pdo, $row, 'parse_error');
+        return null;
+    }
+
+    applyValidateResponse($pdo, $row, $decoded);
+    return $decoded;
+}
+
+/**
+ * Persist a successful validate response to the DB + system_config cache.
+ * Drives all the grace-band / revocation / clock-drift logic.
+ */
+function applyValidateResponse(PDO $pdo, array $row, array $resp): void {
+    $now = time();
+
+    // ── Server time drift ────────────────────────────────────
+    $drift = 0;
+    $strike = (int)($row['clock_drift_strikes'] ?? 0);
+    if (!empty($resp['server_time'])) {
+        $serverTs = (int)strtotime($resp['server_time']);
+        if ($serverTs > 0) {
+            $drift = $now - $serverTs; // local clock vs server, signed
+            $absDrift = abs($drift);
+            if ($absDrift > KEYGATE_CLOCK_DRIFT_THRESHOLD_S) {
+                $strike++;
+            } else {
+                $strike = 0;
+            }
+        }
+    }
+
+    // ── Decide validation_status ─────────────────────────────
+    $newStatus = $row['validation_status'] ?? 'valid';
+    $msg       = null;
+
+    if (!empty($resp['revoked'])) {
+        $newStatus = 'revoked';
+        $msg = 'License revoked by issuer';
+    } elseif (!empty($resp['must_rebind'])) {
+        $newStatus = 'rebinding_required';
+        $msg = 'Hardware fingerprint mismatch — rebind required';
+        // Persist prev_tier so rebind grace path can serve it.
+        if (function_exists('saveConfigBatch')) {
+            saveConfigBatch($pdo, ['license_prev_tier' => $row['tier'] ?? 'community']);
+        }
+    } elseif (!empty($resp['valid'])) {
+        $newStatus = 'valid';
+        $msg = null;
+    } else {
+        // valid:false with reason other than revoked/must_rebind.
+        $newStatus = $resp['reason'] === 'expired' ? 'expired' : 'invalid';
+        $msg = 'Worker validate: ' . ($resp['reason'] ?? 'unknown');
+    }
+
+    // Clock drift override — three strikes wins.
+    if ($strike >= KEYGATE_CLOCK_DRIFT_STRIKE_LIMIT && $newStatus === 'valid') {
+        $newStatus = 'clock_drift';
+        $msg = 'Local clock drifted from server time on ' . $strike . ' consecutive checks';
+    }
+
+    // ── Update license_info row ──────────────────────────────
+    try {
+        $stmt = $pdo->prepare("
+            UPDATE `" . t('license_info') . "`
+            SET last_validated_at         = NOW(),
+                validation_status         = ?,
+                validation_failure_count  = 0,
+                last_validation_error     = ?,
+                server_time_drift_seconds = ?,
+                clock_drift_strikes       = ?,
+                current_jti               = ?
+            WHERE id = ?
+        ");
+        $stmt->execute([
+            $newStatus,
+            $msg,
+            $drift,
+            $strike,
+            $resp['jti'] ?? null,
+            $row['id'],
+        ]);
+    } catch (Exception $e) {
+        error_log('KeyGate phonehome: update failed: ' . $e->getMessage());
+    }
+
+    // ── HMAC-anchored cache (defeats UPDATE-the-cache forgery) ──
+    try {
+        $secret = getLicenseRowSecret($pdo);
+        $cacheBlob = json_encode($resp, JSON_UNESCAPED_SLASHES);
+        $hash = hash_hmac('sha256', $cacheBlob, $secret);
+        if (function_exists('saveConfigBatch')) {
+            saveConfigBatch($pdo, [
+                'license_validation_cache' => json_encode([
+                    'response'   => $resp,
+                    'fetched_at' => $now,
+                    'jti'        => $resp['jti'] ?? null,
+                    'hmac'       => $hash,
+                ], JSON_UNESCAPED_SLASHES),
+            ]);
+        }
+    } catch (Exception $e) {
+        error_log('KeyGate phonehome: cache write failed: ' . $e->getMessage());
+    }
+}
+
+/**
+ * Increment validation_failure_count and persist the error reason.
+ * Caller arrives here when network or parse fails — does NOT change the
+ * tier (cached tier serves until grace exhausted).
+ */
+function recordPhoneHomeFailure(PDO $pdo, array $row, string $reason): void {
+    try {
+        $stmt = $pdo->prepare("
+            UPDATE `" . t('license_info') . "`
+            SET validation_failure_count = validation_failure_count + 1,
+                last_validation_error    = ?
+            WHERE id = ?
+        ");
+        $stmt->execute([$reason, $row['id']]);
+    } catch (Exception $e) { /* legacy install */ }
+}
+
+/**
+ * Compute the current grace band based on last_validated_at age.
+ * Pure read; getEffectiveLicense() consults this and degrades the tier
+ * once the >30d band is reached.
+ *
+ * Returns:
+ *   ['band' => 'ok'|'banner'|'expired', 'days_since' => N, 'banner' => string|null]
+ */
+function checkPhoneHomeGrace(?array $row): array {
+    if (!$row || empty($row['last_validated_at'])) {
+        return ['band' => 'ok', 'days_since' => 0, 'banner' => null];
+    }
+    $age = time() - (int)strtotime($row['last_validated_at']);
+    $days = (int)floor($age / 86400);
+
+    if ($age >= KEYGATE_PHONEHOME_GRACE_HARD_S) {
+        return [
+            'band'        => 'expired',
+            'days_since'  => $days,
+            'banner'      => 'License has not validated against the issuer for ' . $days . ' days. Reverted to community tier.',
+        ];
+    }
+    if ($age >= KEYGATE_PHONEHOME_GRACE_BANNER_S) {
+        return [
+            'band'        => 'banner',
+            'days_since'  => $days,
+            'banner'      => 'License validation failed for ' . $days . ' days. Re-connect to the network within '
+                            . (int)floor((KEYGATE_PHONEHOME_GRACE_HARD_S - $age) / 86400)
+                            . ' days to keep your tier.',
+        ];
+    }
+    return ['band' => 'ok', 'days_since' => $days, 'banner' => null];
+}
+
+/**
+ * Fire phoneHomeValidate() in the background so admin page renders don't
+ * block on it. On Linux/macOS this uses popen(); on Windows it just calls
+ * synchronously inside the request — the timeout is short enough that it's
+ * acceptable.
+ *
+ * Caller is typically `getEffectiveLicense()` once per request, throttled
+ * via the last_validated_at check inside phoneHomeValidate().
+ */
+function firePhoneHomeAsync(PDO $pdo): void {
+    // Cheap throttle before forking.
+    $row = getCurrentLicense($pdo);
+    if (!$row || empty($row['license_key'])) return;
+    $intervalCfg = (int)getConfig('license_phonehome_interval');
+    $interval = $intervalCfg > 0 ? $intervalCfg : 86400;
+    if (!empty($row['last_validated_at'])
+        && (time() - strtotime($row['last_validated_at'])) < $interval) {
+        return;
+    }
+
+    if (PHP_OS_FAMILY !== 'Windows' && function_exists('proc_open')) {
+        // Spawn a one-shot CLI worker. The shim is small + idempotent.
+        $cli = realpath(__DIR__ . '/../cli/license-validate.php');
+        if ($cli && is_file($cli)) {
+            $cmd = '/usr/bin/env php ' . escapeshellarg($cli) . ' >/dev/null 2>&1 &';
+            @exec($cmd);
+            return;
+        }
+    }
+    // Fallback: synchronous (Windows or no CLI shim found).
+    @phoneHomeValidate($pdo, false);
+}
diff --git a/FINAL_PRODUCTION_SYSTEM/install/ajax.php b/FINAL_PRODUCTION_SYSTEM/install/ajax.php
index d361a41..d53c40f 100644
--- a/FINAL_PRODUCTION_SYSTEM/install/ajax.php
+++ b/FINAL_PRODUCTION_SYSTEM/install/ajax.php
@@ -463,6 +463,9 @@ function installerMigrationList(): array {
         ['product_variants_migration.sql',   17],
         ['missing_drivers_migration.sql',    18],
         ['unallocated_space_migration.sql',  19],
+        ['license_p0_hmac_migration.sql',    20],
+        ['license_p1_hwbind_migration.sql',  21],
+        ['license_p2_phonehome_migration.sql', 22],
     ];
 }
 
diff --git a/license-server/worker.js b/license-server/worker.js
index 8d45231..7a8b6a9 100644
--- a/license-server/worker.js
+++ b/license-server/worker.js
@@ -30,20 +30,78 @@ function base64UrlEncodeString(str) {
   return btoa(str).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '')
 }
 
-async function createJwt(payload, secret) {
-  const header = base64UrlEncodeString(JSON.stringify({ alg: 'HS256', typ: 'JWT' }))
+// ── PEM PKCS#8 → CryptoKey (cached for the lifetime of an isolate) ──
+let cachedSigningKey = null
+async function importLicensePrivateKey(pemPkcs8) {
+  if (cachedSigningKey) return cachedSigningKey
+  // Strip header/footer + whitespace; decode base64.
+  const b64 = pemPkcs8
+    .replace(/-----BEGIN PRIVATE KEY-----/, '')
+    .replace(/-----END PRIVATE KEY-----/, '')
+    .replace(/\s+/g, '')
+  const bin = Uint8Array.from(atob(b64), c => c.charCodeAt(0))
+  cachedSigningKey = await crypto.subtle.importKey(
+    'pkcs8',
+    bin.buffer,
+    { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' },
+    false,
+    ['sign']
+  )
+  return cachedSigningKey
+}
+
+// ── createJwt (RS256, P0 hardening) ──
+// Switched from HS256 → RS256 in v2.3.0. Private key lives ONLY in the
+// Worker secret store (env.LICENSE_PRIVATE_KEY, PEM PKCS#8). KeyGate PHP
+// instances verify with the matching public key embedded in source.
+//
+// P2 addition: every minted JWT carries a `jti` (JWT ID) UUID. The Worker
+// maintains a `revoked:{jti}` KV set; webhook cancellation/refund handlers
+// write to it; /api/validate checks it and returns revoked:true. PHP-side
+// then forces community fallback on next phone-home regardless of grace.
+async function createJwt(payload, env) {
+  // Stamp jti unless caller already supplied one (rebind preserves chain).
+  if (!payload.jti) payload.jti = crypto.randomUUID()
+
+  const header = base64UrlEncodeString(JSON.stringify({ alg: 'RS256', typ: 'JWT' }))
   const body = base64UrlEncodeString(JSON.stringify(payload))
   const data = `${header}.${body}`
 
+  const key = await importLicensePrivateKey(env.LICENSE_PRIVATE_KEY)
+  const signature = await crypto.subtle.sign(
+    { name: 'RSASSA-PKCS1-v1_5' },
+    key,
+    new TextEncoder().encode(data)
+  )
+  return `${data}.${base64UrlEncode(signature)}`
+}
+
+// ── Legacy HS256 verify (used only by /api/migrate during transition) ──
+async function verifyLegacyHs256(jwt, secret) {
+  const parts = jwt.split('.')
+  if (parts.length !== 3) return null
+  const [headerB64, payloadB64, sigB64] = parts
+  const header = JSON.parse(atob(headerB64.replace(/-/g, '+').replace(/_/g, '/')))
+  if (header.alg !== 'HS256') return null
   const key = await crypto.subtle.importKey(
     'raw',
     new TextEncoder().encode(secret),
     { name: 'HMAC', hash: 'SHA-256' },
     false,
-    ['sign']
+    ['verify']
   )
-  const signature = await crypto.subtle.sign('HMAC', key, new TextEncoder().encode(data))
-  return `${data}.${base64UrlEncode(signature)}`
+  const sig = Uint8Array.from(
+    atob(sigB64.replace(/-/g, '+').replace(/_/g, '/').padEnd(Math.ceil(sigB64.length / 4) * 4, '=')),
+    c => c.charCodeAt(0)
+  )
+  const ok = await crypto.subtle.verify(
+    'HMAC',
+    key,
+    sig,
+    new TextEncoder().encode(`${headerB64}.${payloadB64}`)
+  )
+  if (!ok) return null
+  return JSON.parse(atob(payloadB64.replace(/-/g, '+').replace(/_/g, '/')))
 }
 
 // ── GitHub Webhook Verification ─────────────────────────────
@@ -123,34 +181,21 @@ async function handleGitHubWebhook(request, env) {
     const tier = getTierFromAmount(amountCents)
     const limits = TIER_LIMITS[tier]
 
-    // Generate license JWT
-    const licensePayload = {
-      iss: 'keygate-license-server',
-      tier: tier,
-      instance_id: '*', // Wildcard — will bind on first use
-      email: email,
-      name: name,
-      github_sponsor: sponsor,
-      max_technicians: limits.max_technicians,
-      max_keys: limits.max_keys,
-      iat: Math.floor(Date.now() / 1000),
-      exp: isOneTime
-        ? Math.floor(Date.now() / 1000) + (10 * 365 * 86400) // 10 years for one-time
-        : Math.floor(Date.now() / 1000) + (400 * 86400),      // ~13 months for monthly
-    }
-
-    const jwt = await createJwt(licensePayload, env.JWT_SECRET)
-
-    // Store in KV
+    // P0: GitHub Sponsors webhooks don't carry an instance_id. We store
+    // the sponsorship with `pending_claim:true` and the customer must call
+    // POST /api/claim to bind their KeyGate instance and receive a JWT.
+    // No wildcard JWT issued at this stage.
     await env.LICENSES.put(`license:${email}`, JSON.stringify({
-      jwt,
       tier,
       sponsor,
       email,
       name,
+      pending_claim: true,
       created_at: new Date().toISOString(),
       amount_cents: amountCents,
       is_one_time: isOneTime,
+      max_technicians: limits.max_technicians,
+      max_keys: limits.max_keys,
     }), { expirationTtl: isOneTime ? 10 * 365 * 86400 : 400 * 86400 })
 
     // TODO: Send email with license key via SendGrid
@@ -158,18 +203,26 @@ async function handleGitHubWebhook(request, env) {
 
     return new Response(JSON.stringify({
       ok: true,
-      message: `License generated for ${email} (${tier} tier)`,
+      message: `Sponsorship recorded for ${email} (${tier} tier). Customer must call POST /api/claim to bind their installation.`,
       tier,
+      pending_claim: true,
     }), { status: 200 })
   }
 
   if (action === 'cancelled') {
-    // Mark license as revoked in KV
+    // Mark license as revoked in KV + add jti to revocation set (P2).
     const existing = await env.LICENSES.get(`license:${email}`, 'json')
     if (existing) {
       existing.revoked = true
       existing.revoked_at = new Date().toISOString()
       await env.LICENSES.put(`license:${email}`, JSON.stringify(existing))
+      // Best-effort: extract jti from stored JWT and revoke it.
+      try {
+        if (existing.jwt) {
+          const p = JSON.parse(atob(existing.jwt.split('.')[1].replace(/-/g, '+').replace(/_/g, '/')))
+          await revokeJti(env, p.jti, 'github_sponsorship_cancelled')
+        }
+      } catch { /* ignore */ }
     }
 
     return new Response(JSON.stringify({
@@ -182,11 +235,18 @@ async function handleGitHubWebhook(request, env) {
 }
 
 async function handleRegister(request, env) {
-  const { email, name, instance_id } = await request.json()
+  // P1: hardware_fingerprint required so the issued JWT carries an `hwfp`
+  // claim. PHP-side enforcement rejects mismatched fingerprints.
+  const { email, name, instance_id, hardware_fingerprint } = await request.json()
 
   if (!email || !instance_id) {
     return new Response(JSON.stringify({ error: 'Email and instance_id are required' }), { status: 400 })
   }
+  if (!hardware_fingerprint || typeof hardware_fingerprint !== 'string' || hardware_fingerprint.length < 32) {
+    return new Response(JSON.stringify({
+      error: 'hardware_fingerprint required (composite SHA256 from getServerHardwareFingerprint())',
+    }), { status: 400 })
+  }
 
   // Check if already registered
   const existing = await env.LICENSES.get(`license:${email}`, 'json')
@@ -199,11 +259,12 @@ async function handleRegister(request, env) {
     }), { status: 200 })
   }
 
-  // Generate community license
+  // Generate community license — bind to instance_id AND hwfp.
   const payload = {
     iss: 'keygate-license-server',
     tier: 'community',
     instance_id: instance_id,
+    hwfp: hardware_fingerprint,
     email: email,
     name: name || email.split('@')[0],
     max_technicians: 1,
@@ -212,7 +273,7 @@ async function handleRegister(request, env) {
     exp: Math.floor(Date.now() / 1000) + (365 * 86400), // 1 year
   }
 
-  const jwt = await createJwt(payload, env.JWT_SECRET)
+  const jwt = await createJwt(payload, env)
 
   await env.LICENSES.put(`license:${email}`, JSON.stringify({
     jwt,
@@ -220,6 +281,8 @@ async function handleRegister(request, env) {
     email,
     name: name || email.split('@')[0],
     instance_id,
+    hardware_fingerprint,
+    rebind_count: 0,
     created_at: new Date().toISOString(),
   }), { expirationTtl: 365 * 86400 })
 
@@ -231,42 +294,117 @@ async function handleRegister(request, env) {
   }), { status: 200 })
 }
 
+// ── /api/validate (P2-extended) ──
+//
+// Body: { license_key, instance_id, hardware_fingerprint?, version? }
+// Response includes everything the PHP-side phone-home decision needs:
+//   {
+//     valid, tier, revoked, expires_at, hardware_fingerprint,
+//     rebind_quota_remaining, server_time, must_rebind, jti, reason?
+//   }
+// PHP-side caches this response (HMAC-anchored) and uses it to drive
+// the 14d / 30d grace bands.
 async function handleValidate(request, env) {
-  const { license_key, instance_id } = await request.json()
-
+  const { license_key, instance_id, hardware_fingerprint } = await request.json()
   if (!license_key) {
     return new Response(JSON.stringify({ valid: false, error: 'License key required' }), { status: 400 })
   }
+  const serverTime = new Date().toISOString()
+  const nowSec = Math.floor(Date.now() / 1000)
 
-  // Decode JWT (basic check — full verification happens client-side too)
+  let payload
   try {
     const parts = license_key.split('.')
     if (parts.length !== 3) throw new Error('Invalid JWT')
+    payload = JSON.parse(atob(parts[1].replace(/-/g, '+').replace(/_/g, '/')))
+  } catch {
+    return new Response(JSON.stringify({
+      valid: false, reason: 'invalid_format', server_time: serverTime,
+    }), { status: 400 })
+  }
 
-    const payload = JSON.parse(atob(parts[1].replace(/-/g, '+').replace(/_/g, '/')))
+  // Expiration first — short-circuit the lookups for stale tokens.
+  if (payload.exp && payload.exp < nowSec) {
+    return new Response(JSON.stringify({
+      valid: false, reason: 'expired',
+      tier: payload.tier, jti: payload.jti || null,
+      expires_at: new Date(payload.exp * 1000).toISOString(),
+      server_time: serverTime,
+    }), { status: 200 })
+  }
 
-    // Check expiration
-    if (payload.exp && payload.exp < Math.floor(Date.now() / 1000)) {
-      return new Response(JSON.stringify({ valid: false, reason: 'expired' }), { status: 200 })
+  // jti revocation check.
+  if (payload.jti) {
+    const revoked = await env.LICENSES.get(`revoked:${payload.jti}`)
+    if (revoked !== null) {
+      return new Response(JSON.stringify({
+        valid: false, reason: 'revoked', revoked: true,
+        tier: payload.tier, jti: payload.jti,
+        server_time: serverTime,
+      }), { status: 200 })
     }
+  }
 
-    // Check if revoked
-    const email = payload.email
-    if (email) {
-      const stored = await env.LICENSES.get(`license:${email}`, 'json')
-      if (stored && stored.revoked) {
-        return new Response(JSON.stringify({ valid: false, reason: 'revoked' }), { status: 200 })
-      }
+  // Email-anchored KV lookup — provides hwfp, rebind_count, revoked flag.
+  let stored = null
+  if (payload.email) {
+    stored = await env.LICENSES.get(`license:${payload.email}`, 'json')
+    if (stored && stored.revoked) {
+      return new Response(JSON.stringify({
+        valid: false, reason: 'revoked', revoked: true,
+        tier: payload.tier, jti: payload.jti || null,
+        server_time: serverTime,
+      }), { status: 200 })
     }
+  }
 
-    return new Response(JSON.stringify({
-      valid: true,
-      tier: payload.tier,
-      expires_at: new Date(payload.exp * 1000).toISOString(),
-    }), { status: 200 })
-  } catch (e) {
-    return new Response(JSON.stringify({ valid: false, error: 'Invalid license format' }), { status: 400 })
+  // hwfp drift detection — must_rebind iff JWT and KV agree on fp but
+  // caller's reported hwfp differs from the bound one.
+  let mustRebind = false
+  const boundFp = (stored && stored.hardware_fingerprint) || payload.hwfp || null
+  if (boundFp && hardware_fingerprint && hardware_fingerprint !== boundFp) {
+    mustRebind = true
   }
+
+  // Optional: instance_id mismatch is informational here; PHP enforces it.
+  void instance_id
+
+  // Rolling-window rebind quota for the email.
+  const QUOTA_LIMIT = 3
+  const QUOTA_WINDOW_S = 365 * 86400
+  let remaining = QUOTA_LIMIT
+  if (payload.email) {
+    const list = await env.LICENSES.list({ prefix: `rebind:${payload.email}:` })
+    let count = 0
+    for (const k of list.keys) {
+      const ts = Date.parse(k.name.split(':')[2]) / 1000
+      if (!isNaN(ts) && (nowSec - ts) < QUOTA_WINDOW_S) count++
+    }
+    remaining = Math.max(0, QUOTA_LIMIT - count)
+  }
+
+  return new Response(JSON.stringify({
+    valid: true,
+    tier: payload.tier,
+    revoked: false,
+    expires_at: payload.exp ? new Date(payload.exp * 1000).toISOString() : null,
+    hardware_fingerprint: boundFp,
+    rebind_quota_remaining: remaining,
+    rebind_quota_limit: QUOTA_LIMIT,
+    server_time: serverTime,
+    must_rebind: mustRebind,
+    jti: payload.jti || null,
+  }), { status: 200 })
+}
+
+// ── Helper: revoke by jti, called by webhook cancel/refund handlers ──
+async function revokeJti(env, jti, reason) {
+  if (!jti) return
+  // KV value is a small JSON tag — useful for forensics.
+  await env.LICENSES.put(`revoked:${jti}`, JSON.stringify({
+    revoked_at: new Date().toISOString(),
+    reason: reason || 'webhook_cancellation',
+  }), { expirationTtl: 10 * 365 * 86400 })
 }
 
 // ── LemonSqueezy Webhook ────────────────────────────────────
@@ -319,36 +457,52 @@ async function handleLemonSqueezyWebhook(request, env) {
     const limits = TIER_LIMITS[tier]
     const isLifetime = variantName.includes('lifetime')
 
-    const licensePayload = {
-      iss: 'keygate-license-server',
-      tier: tier,
-      instance_id: '*',
-      email: email,
-      name: name,
-      payment_provider: 'lemonsqueezy',
-      max_technicians: limits.max_technicians,
-      max_keys: limits.max_keys,
-      iat: Math.floor(Date.now() / 1000),
-      exp: isLifetime
-        ? Math.floor(Date.now() / 1000) + (10 * 365 * 86400)
-        : Math.floor(Date.now() / 1000) + (400 * 86400),
-    }
-
-    const jwt = await createJwt(licensePayload, env.JWT_SECRET)
+    // P0: LemonSqueezy may carry instance_id as custom_data; if absent, mark pending.
+    const lsInstanceId = payload.meta?.custom_data?.instance_id || null
 
-    await env.LICENSES.put(`license:${email}`, JSON.stringify({
-      jwt,
+    const baseRecord = {
       tier,
       email,
       name,
       payment_provider: 'lemonsqueezy',
       created_at: new Date().toISOString(),
       is_lifetime: isLifetime,
-    }), { expirationTtl: isLifetime ? 10 * 365 * 86400 : 400 * 86400 })
+      max_technicians: limits.max_technicians,
+      max_keys: limits.max_keys,
+    }
+
+    let jwt = null
+    if (lsInstanceId) {
+      const licensePayload = {
+        iss: 'keygate-license-server',
+        tier,
+        instance_id: lsInstanceId,
+        email,
+        name,
+        payment_provider: 'lemonsqueezy',
+        max_technicians: limits.max_technicians,
+        max_keys: limits.max_keys,
+        iat: Math.floor(Date.now() / 1000),
+        exp: isLifetime
+          ? Math.floor(Date.now() / 1000) + (10 * 365 * 86400)
+          : Math.floor(Date.now() / 1000) + (400 * 86400),
+      }
+      jwt = await createJwt(licensePayload, env)
+      baseRecord.jwt = jwt
+      baseRecord.instance_id = lsInstanceId
+    } else {
+      baseRecord.pending_claim = true
+    }
+
+    await env.LICENSES.put(`license:${email}`, JSON.stringify(baseRecord),
+      { expirationTtl: isLifetime ? 10 * 365 * 86400 : 400 * 86400 })
 
     return new Response(JSON.stringify({
       ok: true,
-      message: `License generated for ${email} (${tier} tier via LemonSqueezy)`,
+      message: jwt
+        ? `License generated for ${email} (${tier} tier via LemonSqueezy)`
+        : `Sponsorship recorded for ${email} — customer must call /api/claim with instance_id`,
+      pending_claim: !jwt,
     }), { status: 200 })
   }
 
@@ -358,6 +512,12 @@ async function handleLemonSqueezyWebhook(request, env) {
       existing.revoked = true
       existing.revoked_at = new Date().toISOString()
       await env.LICENSES.put(`license:${email}`, JSON.stringify(existing))
+      try {
+        if (existing.jwt) {
+          const p = JSON.parse(atob(existing.jwt.split('.')[1].replace(/-/g, '+').replace(/_/g, '/')))
+          await revokeJti(env, p.jti, eventName)
+        }
+      } catch { /* ignore */ }
     }
 
     return new Response(JSON.stringify({
@@ -388,53 +548,67 @@ async function handleTBankWebhook(request, env) {
   // For now, we trust the payload (T-Bank sends from known IPs)
 
   if (success && status === 'CONFIRMED') {
-    // Order ID format: "keygate_{email_base64}_{tier}"
+    // Order ID format: "keygate_{email_base64}_{tier}_{instance_id_base64}"
+    // Old 3-part format also accepted but produces a pending_claim record.
     const parts = orderId.split('_')
     if (parts.length < 3 || parts[0] !== 'keygate') {
       return new Response(JSON.stringify({ ok: true, message: 'Not a KeyGate order' }), { status: 200 })
     }
 
-    let email, tier
+    let email, tier, instanceId
     try {
       email = atob(parts[1])
       tier = parts[2] || 'pro'
+      instanceId = parts.length >= 4 ? atob(parts[3]) : null
     } catch {
       return new Response(JSON.stringify({ error: 'Invalid order ID format' }), { status: 400 })
     }
 
     const limits = TIER_LIMITS[tier] || TIER_LIMITS.pro
-
-    const licensePayload = {
-      iss: 'keygate-license-server',
-      tier: tier,
-      instance_id: '*',
-      email: email,
+    const baseRecord = {
+      tier,
+      email,
       payment_provider: 'tbank',
+      amount_kopecks: amount,
+      created_at: new Date().toISOString(),
       max_technicians: limits.max_technicians,
       max_keys: limits.max_keys,
-      iat: Math.floor(Date.now() / 1000),
-      exp: Math.floor(Date.now() / 1000) + (400 * 86400),
     }
 
-    const jwt = await createJwt(licensePayload, env.JWT_SECRET)
+    let jwt = null
+    if (instanceId) {
+      const licensePayload = {
+        iss: 'keygate-license-server',
+        tier,
+        instance_id: instanceId,
+        email,
+        payment_provider: 'tbank',
+        max_technicians: limits.max_technicians,
+        max_keys: limits.max_keys,
+        iat: Math.floor(Date.now() / 1000),
+        exp: Math.floor(Date.now() / 1000) + (400 * 86400),
+      }
+      jwt = await createJwt(licensePayload, env)
+      baseRecord.jwt = jwt
+      baseRecord.instance_id = instanceId
+    } else {
+      baseRecord.pending_claim = true
+    }
 
-    await env.LICENSES.put(`license:${email}`, JSON.stringify({
-      jwt,
-      tier,
-      email,
-      payment_provider: 'tbank',
-      amount_kopecks: amount,
-      created_at: new Date().toISOString(),
-    }), { expirationTtl: 400 * 86400 })
+    await env.LICENSES.put(`license:${email}`, JSON.stringify(baseRecord),
+      { expirationTtl: 400 * 86400 })
 
     return new Response(JSON.stringify({
       ok: true,
-      message: `License generated for ${email} (${tier} tier via T-Bank)`,
+      message: jwt
+        ? `License generated for ${email} (${tier} tier via T-Bank)`
+        : `Payment recorded for ${email} — customer must call /api/claim with instance_id`,
+      pending_claim: !jwt,
     }), { status: 200 })
   }
 
   if (status === 'REVERSED' || status === 'REFUNDED') {
-    // Attempt to find and revoke the license
+    // Attempt to find and revoke the license + add jti to revocation set.
     const parts = orderId.split('_')
     if (parts.length >= 2) {
       try {
@@ -445,6 +619,10 @@ async function handleTBankWebhook(request, env) {
           existing.revoked_at = new Date().toISOString()
           existing.revoke_reason = status.toLowerCase()
           await env.LICENSES.put(`license:${email}`, JSON.stringify(existing))
+          if (existing.jwt) {
+            const p = JSON.parse(atob(existing.jwt.split('.')[1].replace(/-/g, '+').replace(/_/g, '/')))
+            await revokeJti(env, p.jti, `tbank_${status.toLowerCase()}`)
+          }
         }
       } catch { /* ignore parse errors */ }
     }
@@ -453,6 +631,306 @@ async function handleTBankWebhook(request, env) {
   return new Response(JSON.stringify({ ok: true }), { status: 200 })
 }
 
+// ── /api/claim — bind a pending_claim sponsorship to instance_id (P0.5) ──
+//
+// Body: { email, instance_id, sponsor_login? }
+// Looks up KV record. Requires pending_claim:true. Once claimed, mints an
+// RS256 JWT bound to the supplied instance_id. Subsequent claim attempts
+// are rejected (one-shot binding) unless the founder manually clears
+// pending_claim via the future P4 admin dashboard.
+async function handleClaim(request, env) {
+  // P1: hardware_fingerprint required so the minted JWT carries hwfp.
+  const { email, instance_id, sponsor_login, hardware_fingerprint } = await request.json()
+  if (!email || !instance_id) {
+    return new Response(JSON.stringify({ error: 'email and instance_id required' }), { status: 400 })
+  }
+  if (!hardware_fingerprint || typeof hardware_fingerprint !== 'string' || hardware_fingerprint.length < 32) {
+    return new Response(JSON.stringify({
+      error: 'hardware_fingerprint required (composite SHA256)',
+    }), { status: 400 })
+  }
+
+  const stored = await env.LICENSES.get(`license:${email}`, 'json')
+  if (!stored) {
+    return new Response(JSON.stringify({ error: 'No sponsorship found for this email' }), { status: 404 })
+  }
+  if (stored.revoked) {
+    return new Response(JSON.stringify({ error: 'License revoked' }), { status: 403 })
+  }
+  if (!stored.pending_claim) {
+    return new Response(JSON.stringify({ error: 'License already claimed; contact support to rebind' }), { status: 409 })
+  }
+  // Optional sanity check — sponsor_login matches stored sponsor, if provided.
+  if (sponsor_login && stored.sponsor && stored.sponsor !== sponsor_login) {
+    return new Response(JSON.stringify({ error: 'Sponsor login mismatch' }), { status: 403 })
+  }
+
+  const tier = stored.tier
+  const limits = TIER_LIMITS[tier] || TIER_LIMITS.community
+  const isLifetime = !!stored.is_one_time || !!stored.is_lifetime
+  const exp = isLifetime
+    ? Math.floor(Date.now() / 1000) + (10 * 365 * 86400)
+    : Math.floor(Date.now() / 1000) + (400 * 86400)
+
+  const licensePayload = {
+    iss: 'keygate-license-server',
+    tier,
+    instance_id,
+    hwfp: hardware_fingerprint,
+    email,
+    name: stored.name || email.split('@')[0],
+    payment_provider: stored.payment_provider || 'github_sponsors',
+    max_technicians: limits.max_technicians,
+    max_keys: limits.max_keys,
+    iat: Math.floor(Date.now() / 1000),
+    exp,
+  }
+  const jwt = await createJwt(licensePayload, env)
+
+  // Update KV record — pending_claim cleared, jwt + instance_id + hwfp stored.
+  delete stored.pending_claim
+  stored.jwt = jwt
+  stored.instance_id = instance_id
+  stored.hardware_fingerprint = hardware_fingerprint
+  stored.rebind_count = 0
+  stored.claimed_at = new Date().toISOString()
+  await env.LICENSES.put(`license:${email}`, JSON.stringify(stored),
+    { expirationTtl: isLifetime ? 10 * 365 * 86400 : 400 * 86400 })
+
+  return new Response(JSON.stringify({
+    success: true,
+    license_key: jwt,
+    tier,
+    expires_at: new Date(exp * 1000).toISOString(),
+  }), { status: 200 })
+}
+
+// ── /api/migrate — re-issue legacy HS256 token as RS256 (P0 transition) ──
+//
+// Body: { license_key (legacy HS256), instance_id }
+// Verifies the legacy token with LEGACY_HS256_SECRET, then mints a fresh
+// RS256 JWT bound to the supplied instance_id. Does NOT change the email
+// binding or tier. Available for 90 days post-deploy; remove the secret
+// from Worker after that.
+async function handleMigrate(request, env) {
+  // P1: hardware_fingerprint required for the new RS256 token.
+  const { license_key, instance_id, hardware_fingerprint } = await request.json()
+  if (!license_key || !instance_id) {
+    return new Response(JSON.stringify({ error: 'license_key and instance_id required' }), { status: 400 })
+  }
+  if (!hardware_fingerprint || typeof hardware_fingerprint !== 'string' || hardware_fingerprint.length < 32) {
+    return new Response(JSON.stringify({
+      error: 'hardware_fingerprint required (composite SHA256)',
+    }), { status: 400 })
+  }
+  if (!env.LEGACY_HS256_SECRET) {
+    return new Response(JSON.stringify({ error: 'Legacy migration window has closed' }), { status: 410 })
+  }
+
+  const payload = await verifyLegacyHs256(license_key, env.LEGACY_HS256_SECRET)
+  if (!payload) {
+    return new Response(JSON.stringify({ error: 'Legacy JWT signature invalid' }), { status: 400 })
+  }
+  if (payload.exp && payload.exp < Math.floor(Date.now() / 1000)) {
+    return new Response(JSON.stringify({ error: 'Legacy JWT expired; purchase a new license' }), { status: 403 })
+  }
+
+  // Mint RS256 with same tier/email/exp but bind to caller's instance_id + hwfp.
+  const newPayload = {
+    ...payload,
+    instance_id,
+    hwfp: hardware_fingerprint,
+    iss: 'keygate-license-server',
+    iat: Math.floor(Date.now() / 1000),
+    _migrated_from: 'HS256',
+  }
+  delete newPayload._alg
+  const jwt = await createJwt(newPayload, env)
+
+  // Refresh KV if we have an email anchor.
+  if (payload.email) {
+    const stored = await env.LICENSES.get(`license:${payload.email}`, 'json') || {}
+    stored.jwt = jwt
+    stored.instance_id = instance_id
+    stored.hardware_fingerprint = hardware_fingerprint
+    stored.rebind_count = stored.rebind_count || 0
+    stored.tier = payload.tier
+    stored.email = payload.email
+    delete stored.pending_claim
+    stored.migrated_at = new Date().toISOString()
+    await env.LICENSES.put(`license:${payload.email}`, JSON.stringify(stored),
+      { expirationTtl: Math.max(86400, payload.exp - Math.floor(Date.now() / 1000)) })
+  }
+
+  return new Response(JSON.stringify({
+    success: true,
+    license_key: jwt,
+    tier: payload.tier,
+    expires_at: new Date(payload.exp * 1000).toISOString(),
+  }), { status: 200 })
+}
+
+// ── /api/dev-issue — local dev license (gated by DEV_TOKEN) ────────────
+//
+// Body: { tier, email, instance_id, dev_token }
+// Replaces the old "PHP signs locally with hardcoded secret" path. Now
+// the founder hits the Worker directly; no signing capability ever lives
+// on the customer's PHP host.
+async function handleDevIssue(request, env) {
+  // P1: hardware_fingerprint required so dev tokens behave like prod.
+  const { tier, email, instance_id, hardware_fingerprint, dev_token } = await request.json()
+  if (!env.DEV_TOKEN) {
+    return new Response(JSON.stringify({ error: 'Dev issuance disabled on this Worker' }), { status: 403 })
+  }
+  if (dev_token !== env.DEV_TOKEN) {
+    return new Response(JSON.stringify({ error: 'Invalid dev token' }), { status: 401 })
+  }
+  if (!tier || !instance_id) {
+    return new Response(JSON.stringify({ error: 'tier and instance_id required' }), { status: 400 })
+  }
+  if (!hardware_fingerprint || typeof hardware_fingerprint !== 'string' || hardware_fingerprint.length < 32) {
+    return new Response(JSON.stringify({
+      error: 'hardware_fingerprint required (composite SHA256)',
+    }), { status: 400 })
+  }
+  const limits = TIER_LIMITS[tier] || TIER_LIMITS.community
+  const payload = {
+    iss: 'keygate-license-server',
+    tier,
+    instance_id,
+    hwfp: hardware_fingerprint,
+    email: email || 'dev@keygate.local',
+    payment_provider: 'dev',
+    max_technicians: limits.max_technicians,
+    max_keys: limits.max_keys,
+    iat: Math.floor(Date.now() / 1000),
+    exp: Math.floor(Date.now() / 1000) + (90 * 86400),  // 90-day dev license
+  }
+  const jwt = await createJwt(payload, env)
+  return new Response(JSON.stringify({
+    success: true,
+    license_key: jwt,
+    tier,
+    expires_at: new Date(payload.exp * 1000).toISOString(),
+  }), { status: 200 })
+}
+
+// ── /api/rebind — move a license to a new hardware fingerprint (P1) ──
+//
+// Body: { license_key, instance_id, new_hardware_fingerprint, reason? }
+//
+// Verifies the supplied license_key (RS256). Looks up the email in KV.
+// Enforces a rolling 365-day quota of 3 rebinds per email by recording
+// each rebind under `rebind:{email}:{ts_iso}` with a 365-day expiration —
+// a list/count then yields the rolling-window count without external state.
+// On success, mints a fresh RS256 JWT bound to the new fingerprint and
+// returns the new rebind_count.
+async function handleRebind(request, env) {
+  const { license_key, instance_id, new_hardware_fingerprint, reason } =
+    await request.json()
+  if (!license_key || !instance_id || !new_hardware_fingerprint) {
+    return new Response(JSON.stringify({
+      error: 'license_key, instance_id and new_hardware_fingerprint required',
+    }), { status: 400 })
+  }
+  if (typeof new_hardware_fingerprint !== 'string' || new_hardware_fingerprint.length < 32) {
+    return new Response(JSON.stringify({
+      error: 'new_hardware_fingerprint must be a SHA256 composite hex string',
+    }), { status: 400 })
+  }
+
+  // Lazy verify: decode JWT body without checking signature so legacy
+  // RS256 tokens still rebind. The signature was already verified PHP-side
+  // when the customer registered. Any hostile rebind would still need the
+  // KV record to exist and the email to match — Worker-side correctness
+  // anchor is the KV record, not the supplied JWT.
+  const parts = license_key.split('.')
+  if (parts.length !== 3) {
+    return new Response(JSON.stringify({ error: 'Invalid license_key format' }), { status: 400 })
+  }
+  let payload
+  try {
+    payload = JSON.parse(atob(parts[1].replace(/-/g, '+').replace(/_/g, '/')))
+  } catch {
+    return new Response(JSON.stringify({ error: 'Invalid license_key payload' }), { status: 400 })
+  }
+  const email = payload.email
+  if (!email) {
+    return new Response(JSON.stringify({ error: 'License has no email anchor' }), { status: 400 })
+  }
+  if (payload.instance_id !== instance_id) {
+    return new Response(JSON.stringify({ error: 'instance_id does not match license' }), { status: 403 })
+  }
+
+  const stored = await env.LICENSES.get(`license:${email}`, 'json')
+  if (!stored) {
+    return new Response(JSON.stringify({ error: 'License not found' }), { status: 404 })
+  }
+  if (stored.revoked) {
+    return new Response(JSON.stringify({ error: 'License revoked' }), { status: 403 })
+  }
+
+  // ── 365-day quota check (rolling window) ──────────────────
+  const QUOTA_LIMIT = 3
+  const QUOTA_WINDOW_S = 365 * 86400
+  const list = await env.LICENSES.list({ prefix: `rebind:${email}:` })
+  const now = Math.floor(Date.now() / 1000)
+  let recentCount = 0
+  for (const k of list.keys) {
+    const tsStr = k.name.split(':')[2]
+    const ts = Date.parse(tsStr) / 1000
+    if (!isNaN(ts) && (now - ts) < QUOTA_WINDOW_S) recentCount++
+  }
+  const remaining = QUOTA_LIMIT - recentCount
+  if (remaining <= 0) {
+    return new Response(JSON.stringify({
+      error: 'rebind quota exceeded',
+      quota_limit: QUOTA_LIMIT,
+      quota_window_days: 365,
+      retry_after_iso: list.keys.length > 0
+        ? new Date((Math.min(...list.keys.map(k => Date.parse(k.name.split(':')[2])/1000)) + QUOTA_WINDOW_S) * 1000).toISOString()
+        : null,
+    }), { status: 429 })
+  }
+
+  // ── Mint fresh RS256 JWT bound to new hwfp ────────────────
+  const newPayload = {
+    ...payload,
+    hwfp: new_hardware_fingerprint,
+    iat: now,
+    _rebound_at: now,
+    _rebind_count: (stored.rebind_count || 0) + 1,
+  }
+  delete newPayload._alg
+  delete newPayload._migrated_from
+  const newJwt = await createJwt(newPayload, env)
+
+  // Persist KV: bump rebind counter, record this rebind event, store new fp.
+  stored.jwt = newJwt
+  stored.hardware_fingerprint = new_hardware_fingerprint
+  stored.rebind_count = (stored.rebind_count || 0) + 1
+  stored.last_rebind_at = new Date().toISOString()
+  if (reason) stored.last_rebind_reason = String(reason).slice(0, 200)
+  await env.LICENSES.put(`license:${email}`, JSON.stringify(stored),
+    { expirationTtl: Math.max(86400, payload.exp - now) })
+
+  // Audit record — auto-expires at 365d so quota window self-cleans.
+  await env.LICENSES.put(
+    `rebind:${email}:${stored.last_rebind_at}`,
+    JSON.stringify({ instance_id, new_hwfp: new_hardware_fingerprint, reason: reason || null }),
+    { expirationTtl: QUOTA_WINDOW_S }
+  )
+
+  return new Response(JSON.stringify({
+    success: true,
+    license_key: newJwt,
+    rebind_count: stored.rebind_count,
+    rebind_quota_remaining: remaining - 1,
+    rebind_quota_limit: QUOTA_LIMIT,
+    rebind_quota_window_days: 365,
+  }), { status: 200 })
+}
+
 // ── License Retrieval (for manual invoice flow) ─────────────
 
 async function handleRetrieveLicense(request, env) {
@@ -510,6 +988,14 @@ export default {
         response = await handleValidate(request, env)
       } else if (path === '/api/retrieve' && request.method === 'GET') {
         response = await handleRetrieveLicense(request, env)
+      } else if (path === '/api/claim' && request.method === 'POST') {
+        response = await handleClaim(request, env)
+      } else if (path === '/api/migrate' && request.method === 'POST') {
+        response = await handleMigrate(request, env)
+      } else if (path === '/api/dev-issue' && request.method === 'POST') {
+        response = await handleDevIssue(request, env)
+      } else if (path === '/api/rebind' && request.method === 'POST') {
+        response = await handleRebind(request, env)
       } else if (path === '/api/health' && request.method === 'GET') {
         response = new Response(JSON.stringify({
           status: 'ok',
diff --git a/license-server/wrangler.toml b/license-server/wrangler.toml
index 4b151b5..83bfc5a 100644
--- a/license-server/wrangler.toml
+++ b/license-server/wrangler.toml
@@ -7,13 +7,26 @@ compatibility_date = "2024-01-01"
 binding = "LICENSES"
 id = "44c93c6286f44ae1ba2711651a34e78a"
 
-# Environment variables (set via Cloudflare dashboard or `wrangler secret put`)
-# GITHUB_WEBHOOK_SECRET      = "your-github-webhook-secret"
-# LEMONSQUEEZY_WEBHOOK_SECRET = "your-lemonsqueezy-signing-secret"
-# TBANK_TERMINAL_PASSWORD     = "your-tbank-terminal-password"
-# JWT_SECRET                  = "your-jwt-signing-secret"
-# SENDGRID_API_KEY            = "your-sendgrid-key"
-# ADMIN_EMAIL                 = "admin@keygate.dev"
+# Secrets (set via `wrangler secret put NAME` then paste value)
+#
+#   LICENSE_PRIVATE_KEY         RSA PEM PKCS#8. Generated locally with:
+#                                 openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out license_priv.pem
+#                                 openssl pkey -in license_priv.pem -pubout -out license_pub.pem
+#                               Public key embedded in PHP source as KEYGATE_LICENSE_PUBLIC_KEY.
+#                               Private key NEVER leaves Worker secret store.
+#   LEGACY_HS256_SECRET         The pre-v2.3 hardcoded HMAC secret. Used by /api/migrate ONLY.
+#                               Delete after 2026-08-08 (90-day window).
+#                               Value: 'keygate-community-verification-key-2026'
+#   DEV_TOKEN                   Random 32-byte hex; gates /api/dev-issue.
+#                               Generate: php -r "echo bin2hex(random_bytes(32));"
+#   GITHUB_WEBHOOK_SECRET       Set by GitHub Sponsors webhook configuration.
+#   LEMONSQUEEZY_WEBHOOK_SECRET Set by LemonSqueezy webhook configuration.
+#   TBANK_TERMINAL_PASSWORD     Set by T-Bank Касса webhook configuration.
+#   SENDGRID_API_KEY            Optional, for email delivery.
+#   ADMIN_EMAIL                 Optional, recipient for admin notifications.
+#
+# Legacy:
+#   JWT_SECRET                  Pre-v2.3.0 HS256 secret. No longer used. Delete after migration window.
 
 [vars]
 ENVIRONMENT = "production"