Feature(Go): issue-token subcommand for minting customer JWTs

2026-06-04 10:04:02 +02:00
parent 4064bbe25d
commit be09b271e1
7 changed files with 328 additions and 36 deletions
--- a/server/go/licensing/factory.go
+++ b/server/go/licensing/factory.go
@@ -13,8 +13,10 @@ const (
 	EnvSignPassword       = "YAMA_SIGN_PASSWORD"        // LocalSigner master HMAC key
 	EnvLicenseServer      = "YAMA_LICENSE_SERVER"       // RemoteSigner: License Server base URL
 	EnvLicenseToken       = "YAMA_LICENSE_TOKEN"        // RemoteSigner: customer JWT
+	EnvLicensePrivKeyPath = "YAMA_LICENSE_PRIVATE_KEY"  // issue-token: RSA private key PEM path (paired with public key)
 	EnvLicensePubKeyPath  = "YAMA_LICENSE_PUBLIC_KEY"   // LocalSigner-as-LS: RSA public key PEM path
 	EnvLicenseHTTPAddr    = "YAMA_LICENSE_HTTP_ADDR"    // LocalSigner-as-LS: listen address, e.g. ":8443"
+	EnvLicenseStatePath   = "YAMA_LICENSE_STATE_PATH"   // LocalSigner-as-LS: quota state persistence file path
 	EnvLicenseOfflineHrs  = "YAMA_LICENSE_OFFLINE_HRS"  // RemoteSigner: cache TTL hours (default 24)
 	EnvLicenseDisabled    = "YAMA_LICENSE_DISABLED"     // set to 1 to force NoOpSigner (offline / dev)
 )
@@ -176,7 +178,7 @@ func LicenseServerFromEnv(signer Signer, lg Logger) (*LicenseServer, string, err

 	// 5-minute eviction window — twice a typical heartbeat interval. Matches
 	// the discussion in quota.go.
-	ls := NewLicenseServer(local, pubKey, 5*time.Minute, lg)
+	ls := NewLicenseServer(local, pubKey, 5*time.Minute, lg, os.Getenv(EnvLicenseStatePath))

 	// Reuse the web's trust-proxy env var: standard deployment puts both
 	// /ws and /license/ behind the same nginx, so the answer is always the