Release v2.3.0 — Anti-piracy hardening (P0 + P1 + P2)

.gitignore

@@ -30,6 +30,9 @@ FINAL_PRODUCTION_SYSTEM/uploads/client-resources/
 FINAL_PRODUCTION_SYSTEM/install/install.log
 FINAL_PRODUCTION_SYSTEM/install/.progress.json
 
+# ── License-server private keys (never committed; uploaded to CF) ──
+license-server/.keys/
+
 # ── PHP Dependencies (managed by Composer) ────────────────
 FINAL_PRODUCTION_SYSTEM/vendor/
 

CLAUDE.md

@@ -27,7 +27,7 @@ main_v3.PS1                                 │   ├── get-key.php
   │                                         │   ├── LicenseController.php
   ├─ Network Diagnostics (MAS-style)        │   └── ... (21 total)
   │   (4-host ping + COM fallback           │
-  │    + MS licensing server test)           ├── admin_v2.php        ← 85 action router
+  │    + MS licensing server test)           ├── admin_v2.php        ← 90 action router
   │                                         │
   ├─ QC Compliance ────────POST──►          ├── functions/           ← 23 helper modules
   │                                         │   ├── email-helpers.php
@@ -70,12 +70,12 @@ CLOUDFLARE WORKER (License Server)
 |--------|-------|
 | Admin Controllers | 21 |
 | API Endpoints | 19 |
-| Admin Actions | 85 |
+| Admin Actions | 90 |
 | Frontend Pages | 24 |
 | Frontend Hooks | 22 |
 | Frontend API Files | 21 |
-| PHP Helper Modules | 23 |
-| DB Migrations | 26 |
+| PHP Helper Modules | 25 |
+| DB Migrations | 29 |
 | Languages | 18 |
 | Sidebar Nav Items | 30 |
 
@@ -191,8 +191,11 @@ CLOUDFLARE WORKER (License Server)
 | 24 | usb_devices_migration.sql | USB device registry |
 | 25 | task_pipeline_migration.sql | Task templates + execution logs |
 | 26 | production_tracking_migration.sql | CBR reports, key pools, work orders, DPK batches |
+| 27 | license_p0_hmac_migration.sql | License row integrity HMAC (P0 anti-piracy) |
+| 28 | license_p1_hwbind_migration.sql | Hardware-bound licensing + 3-per-365 rebind quota (P1) |
+| 29 | license_p2_phonehome_migration.sql | Phone-home grace + revocation jti + clock-drift (P2) |
 
-### Helper Modules (23 files in `functions/`)
+### Helper Modules (25 files in `functions/`)
 | File | Purpose |
 |------|---------|
 | acl.php | Permission checking, role management |
@@ -205,7 +208,9 @@ CLOUDFLARE WORKER (License Server)
 | i18n.php | Translation loading |
 | integration-helpers.php | Event dispatch to osTicket / 1C |
 | key-helpers.php | Key status, recycling logic |
-| license-helpers.php | JWT license validation, tier enforcement |
+| license-helpers.php | JWT license validation, tier enforcement, RS256 verify, row HMAC, hwfp gate |
+| license-phone-home.php | Phone-home validate, grace bands, clock drift, revocation handling (P2) |
+| hardware-fingerprint.php | Cross-OS server hardware fingerprint (machine-id + system UUID + MAC + volume UUID) (P1) |
 | logger.php | Structured logging |
 | network-utils.php | IP whitelisting, trusted networks |
 | push-helpers.php | VAPID push notifications |

FINAL_PRODUCTION_SYSTEM/VERSION.php

@@ -5,6 +5,6 @@
  * This file is updated automatically by the upgrade system.
  * Do NOT edit manually unless you know what you are doing.
  */
-define('APP_VERSION', '2.2.0');
-define('APP_VERSION_CODE', 220);
-define('APP_VERSION_DATE', '2026-05-07');
+define('APP_VERSION', '2.3.0');
+define('APP_VERSION_CODE', 230);
+define('APP_VERSION_DATE', '2026-05-08');

FINAL_PRODUCTION_SYSTEM/admin_v2.php

@@ -337,6 +337,11 @@
     'license_register'         => ['LicenseController.php', 'handle_license_register',       true,  true],
     'license_deactivate'       => ['LicenseController.php', 'handle_license_deactivate',     true,  true],
     'license_generate_dev'     => ['LicenseController.php', 'handle_license_generate_dev',   true,  true],
+    'license_claim'            => ['LicenseController.php', 'handle_license_claim',          true,  true],
+    'license_migrate'          => ['LicenseController.php', 'handle_license_migrate',        true,  true],
+    'license_redetect_hw'      => ['LicenseController.php', 'handle_license_redetect_hw',    true,  true],
+    'license_rebind'           => ['LicenseController.php', 'handle_license_rebind',         true,  true],
+    'license_force_validate'   => ['LicenseController.php', 'handle_license_force_validate', true,  true],
 
     // system upgrade
     'upgrade_check_github'     => ['UpgradeController.php', 'handle_upgrade_check_github',     false, true],

FINAL_PRODUCTION_SYSTEM/cli/license-validate.php

@@ -0,0 +1,49 @@
+<?php
+/**
+ * KeyGate — License phone-home CLI shim (P2)
+ *
+ * Daily cron entry runs this script to call /api/validate even when no
+ * admin pages have been hit. Idempotent — phoneHomeValidate() throttles
+ * itself via license_info.last_validated_at, so running this hourly or
+ * every minute is safe (only the first call inside the interval fires).
+ *
+ * Suggested cron (Linux):
+ *   0 3 * * * cd /var/www/keygate && /usr/bin/php FINAL_PRODUCTION_SYSTEM/cli/license-validate.php >> /var/log/keygate-phonehome.log 2>&1
+ *
+ * The Windows/IIS path goes through firePhoneHomeAsync()'s synchronous
+ * fallback — the 6-second Worker timeout is tolerable as a once-per-day
+ * blocking call.
+ */
+
+// Run only from CLI — refuse to expose this over HTTP.
+if (PHP_SAPI !== 'cli') {
+    http_response_code(403);
+    echo "This script must be run from the command line.\n";
+    exit(1);
+}
+
+require_once __DIR__ . '/../config.php';
+require_once __DIR__ . '/../functions/admin-helpers.php';
+require_once __DIR__ . '/../functions/license-helpers.php';
+require_once __DIR__ . '/../functions/license-phone-home.php';
+
+$force = in_array('--force', $argv ?? [], true);
+echo '[' . date('c') . "] phone-home start (force=" . ($force ? '1' : '0') . ")\n";
+
+try {
+    $resp = phoneHomeValidate($pdo, $force);
+    if ($resp === null) {
+        echo "[" . date('c') . "] no-op (throttled or no license)\n";
+        exit(0);
+    }
+    echo '[' . date('c') . '] OK valid=' . (!empty($resp['valid']) ? '1' : '0')
+        . ' tier=' . ($resp['tier'] ?? '-')
+        . ' must_rebind=' . (!empty($resp['must_rebind']) ? '1' : '0')
+        . ' revoked=' . (!empty($resp['revoked']) ? '1' : '0')
+        . ' jti=' . substr((string)($resp['jti'] ?? ''), 0, 8)
+        . "\n";
+    exit(0);
+} catch (Exception $e) {
+    fwrite(STDERR, '[' . date('c') . '] ERROR: ' . $e->getMessage() . "\n");
+    exit(2);
+}