{
  "entitlement_payload_fields": [
    "license_id",
    "user_id",
    "plan_id",
    "subscription_id",
    "device_hash",
    "features",
    "valid_from",
    "valid_until",
    "offline_grace_until",
    "issued_at",
    "issuer",
    "signature_alg"
  ],
  "external_reuse_judgment": {
    "internal_state_machine_needed": "normalize provider states and decide our download/license unlocks",
    "license_system_provider": "our license issuer needed because payment providers do not issue app entitlements",
    "payment_providers_have_own_state": true
  },
  "flow": [
    "subscription_active",
    "issue activation_code",
    "user installs app",
    "app sends activation_code + device_hash",
    "server validates quota/state",
    "server binds device",
    "server returns signed_entitlement",
    "app verifies with public key",
    "online refresh handles renewal/revocation"
  ],
  "marker": "WEBSITE_F4_LICENSE_ISSUER_SKELETON_1780391122",
  "private_key_storage": "Cloudflare secret LICENSE_SIGNING_PRIVATE_KEY only, never repo",
  "real_activation_enabled": false,
  "real_license_issuance_enabled": false,
  "schema_version": "website_f4.license_issuer_contract.v1",
  "security_boundaries": [
    "no private key in repo",
    "no activation without subscription_active",
    "no trading authority from license alone",
    "device binding quota required",
    "revocation/renewal supported later",
    "support bundle must not expose raw secrets"
  ],
  "signing_algorithm": "Ed25519 planned",
  "stage": "license_issuer_activation_code_skeleton"
}