# License Activation App

Small offline Go web app for generating signed licenses for the protected `force_monitor` application.

## What this app does

- generates Ed25519 keypairs
- parses activation request JSON copied from the target machine
- creates signed license JSON bound to that machine fingerprint
- shows the public key that must be configured in the protected app

## Important deployment answer

**Recommended setup:**

- Run the **activator on your laptop** or on a secure internal office PC.
- Run the **protected app on the machine PC**.
- **Do not** ship the activator together with the machine app.
- **Do not** place the private signing key on the customer machine.

### Why

The protected machine should only contain the **public key** so it can verify licenses.
The activator should keep the **private key** secret, because the private key is what creates valid licenses.

If the private key is copied to the machine, anyone with access to that PC could generate licenses.

## Recommended workflow

1. Install the protected app on the target machine.
2. Open the protected app in a browser.
3. Copy the activation request JSON from:
   - `GET /api/license/request`
   - or the activation page if you added one in the UI.
4. Run this activator on your laptop:

   ```bash
   go run .
   ```

5. Open:

   ```text
   http://localhost:8090
   ```

6. Paste the activation request JSON.
7. Generate or load your signing key.
8. Generate the signed license JSON.
9. Copy that license JSON back to the target machine.
10. Activate it in the protected app using:
    - `POST /api/license/activate`
    - or the protected app activation page.

## First-time key setup

You only need to create the signing keypair once.

### Option A — generate in the activator UI

- Click **Generate new keypair**
- Save the private key somewhere safe
- Copy the public key into the protected app config:

```yaml
license:
  public_key_base64: "PASTE_PUBLIC_KEY_HERE"
```

### Option B — use environment variable for the private key

Set this before running the activator:

### Windows PowerShell

```powershell
$env:LICENSE_PRIVATE_KEY_BASE64="PASTE_PRIVATE_KEY_HERE"
go run .
```

### Linux/macOS shell

```bash
export LICENSE_PRIVATE_KEY_BASE64="PASTE_PRIVATE_KEY_HERE"
go run .
```

Then the UI can generate licenses without pasting the private key each time.

## Project files

- `main.go` — activator web app
- `go.mod` — module definition
- `README.md` — usage instructions

## Run

```bash
go run .
```

Then open:

```text
http://localhost:8090
```

## Optional environment variables

- `ACTIVATOR_LISTEN_ADDR` — default `:8090`
- `ACTIVATOR_DEFAULT_PRODUCT` — default `force_monitor`
- `LICENSE_PRIVATE_KEY_BASE64` — private signing key

Example:

```powershell
$env:ACTIVATOR_LISTEN_ADDR=":8095"
$env:ACTIVATOR_DEFAULT_PRODUCT="force_monitor"
$env:LICENSE_PRIVATE_KEY_BASE64="PASTE_PRIVATE_KEY_HERE"
go run .
```

## Practical recommendation

For your case, the safest and cleanest model is:

- laptop/office PC = **license generator / activator**
- machine PC = **protected runtime app only**

That way you can activate many customer machines without exposing your private signing key.
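
## Example: signing and verification split

The key split described under "Why", as an added example that is not this project's `main.go`: the activator signs with the private key, and the machine verifies with the public key alone and rejects a license issued for another fingerprint. The `License` and `SignedLicense` shapes, the function names and the fingerprint strings are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Assumed shapes for illustration, not force_monitor's real license schema.
type License struct{ Product, Fingerprint string }
type SignedLicense struct{ Payload, Signature []byte } // Signature covers Payload

// Sign runs on the activator only: the one step that needs the private key.
func Sign(priv ed25519.PrivateKey, lic License) (SignedLicense, error) {
	payload, err := json.Marshal(lic)
	if err != nil {
		return SignedLicense{}, err
	}
	return SignedLicense{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Verify runs on the protected machine with only the configured public key.
func Verify(pubB64 string, sl SignedLicense, localFingerprint string) (License, error) {
	var lic License
	pub, err := base64.StdEncoding.DecodeString(pubB64)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return lic, errors.New("invalid public key")
	}
	// Check the signature before parsing or trusting any field in the payload.
	if !ed25519.Verify(ed25519.PublicKey(pub), sl.Payload, sl.Signature) {
		return lic, errors.New("invalid signature")
	}
	if err := json.Unmarshal(sl.Payload, &lic); err != nil {
		return License{}, err
	}
	if lic.Fingerprint != localFingerprint {
		return License{}, errors.New("license is bound to a different machine")
	}
	return lic, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	sl, _ := Sign(priv, License{Product: "force_monitor", Fingerprint: "constructed-fp-A"})
	_, err := Verify(base64.StdEncoding.EncodeToString(pub), sl, "constructed-fp-B")
	fmt.Println("other machine:", err)
}
```

Editing the signed payload to carry a different fingerprint fails at the signature check, so the binding cannot be changed without the private key.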