phytrace_sdk/core/

license.rs

//! PhyTrace License Validation Module.
//!
//! Provides JWT-based license validation with:
//! - RS256 signature verification using embedded PhyWare public key
//! - Expiry checking with 72-hour grace period
//! - Dev mode bypass for local testing
//! - Online validation heartbeat support

use base64::{engine::general_purpose::URL_SAFE_NO_PAD, Engine};
use chrono::{DateTime, Duration, Utc};
use serde::{Deserialize, Serialize};
use std::env;
use std::sync::atomic::{AtomicBool, Ordering};
use std::sync::Arc;
use thiserror::Error;
use tokio::sync::RwLock;
use tracing::{error, warn};

/// Environment variable for dev mode bypass
pub const DEV_MODE_ENV: &str = "PHYWARE_DEV_MODE";

/// Default grace period (72 hours)
pub const DEFAULT_GRACE_PERIOD_HOURS: i64 = 72;

/// PhyWare public key for RS256 JWT verification (placeholder)
/// In production, this would be the actual RSA public key
pub const PHYWARE_PUBLIC_KEY: &str = r#"-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0Z3VS5JJcds3xfn/ygWyF8PbnGy
PLACEHOLDER_KEY_REPLACE_IN_PRODUCTION
-----END PUBLIC KEY-----"#;

/// License validation errors
#[derive(Debug, Error)]
pub enum LicenseError {
    /// No license token was provided
    #[error("No license token provided")]
    NoToken,

    /// Invalid JWT format
    #[error("Invalid JWT format: {0}")]
    InvalidFormat(String),

    /// JWT decode error
    #[error("JWT decode error: {0}")]
    DecodeError(String),

    /// License has expired
    #[error("License expired")]
    Expired,

    /// License is not yet valid
    #[error("License not yet valid")]
    NotYetValid,

    /// License validation failed
    #[error("License validation failed: {0}")]
    ValidationFailed(String),

    /// Online validation error
    #[error("Online validation error: {0}")]
    OnlineValidationError(String),
}

/// Status of the license validation
#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize, Default)]
#[serde(rename_all = "snake_case")]
pub enum LicenseStatus {
    /// License is valid and active
    Valid,
    /// License is expired but within grace period
    GracePeriod,
    /// License has expired (past grace period)
    Expired,
    /// License is invalid (bad signature, format, etc.)
    Invalid,
    /// Running in development mode (no license required)
    DevMode,
    /// No license token provided
    #[default]
    Unlicensed,
}

impl LicenseStatus {
    /// Return the status as a string for event metadata
    pub fn as_str(&self) -> &'static str {
        match self {
            LicenseStatus::Valid => "valid",
            LicenseStatus::GracePeriod => "grace_period",
            LicenseStatus::Expired => "expired",
            LicenseStatus::Invalid => "invalid",
            LicenseStatus::DevMode => "dev_mode",
            LicenseStatus::Unlicensed => "unlicensed",
        }
    }

    /// Check if license allows operation (valid, grace period, or dev mode)
    pub fn allows_operation(&self) -> bool {
        matches!(
            self,
            LicenseStatus::Valid | LicenseStatus::GracePeriod | LicenseStatus::DevMode
        )
    }

    /// Check if events should be quarantined
    pub fn should_quarantine(&self) -> bool {
        matches!(self, LicenseStatus::GracePeriod)
    }
}

/// Parsed claims from a license JWT
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct LicenseClaims {
    /// Issuer (iss)
    #[serde(default)]
    pub issuer: String,

    /// Subject/tenant_id (sub)
    #[serde(default)]
    pub subject: String,

    /// Audience (aud)
    #[serde(default)]
    pub audience: String,

    /// Issued at (iat)
    #[serde(default)]
    pub issued_at: Option<DateTime<Utc>>,

    /// Expires at (exp)
    #[serde(default)]
    pub expires_at: Option<DateTime<Utc>>,

    /// Not before (nbf)
    #[serde(default)]
    pub not_before: Option<DateTime<Utc>>,

    /// Tenant ID (from sub or tenant_id claim)
    #[serde(default)]
    pub tenant_id: String,

    /// License plan (free, professional, enterprise)
    #[serde(default)]
    pub plan: String,

    /// Enabled features
    #[serde(default)]
    pub features: Vec<String>,

    /// Usage limits
    #[serde(default)]
    pub limits: serde_json::Value,

    /// Grace period in hours
    #[serde(default = "default_grace_period")]
    pub grace_period_hours: i64,
}

fn default_grace_period() -> i64 {
    DEFAULT_GRACE_PERIOD_HOURS
}

/// License metadata to be injected into events
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct LicenseMetadata {
    /// Current license status
    #[serde(rename = "_license_status")]
    pub status: String,

    /// Tenant ID from license
    #[serde(rename = "_license_tenant_id")]
    pub tenant_id: String,

    /// License plan
    #[serde(rename = "_license_plan")]
    pub plan: String,

    /// Whether events should be quarantined
    #[serde(rename = "_quarantine")]
    pub quarantine: bool,

    /// When grace period started (ISO 8601)
    #[serde(
        rename = "_grace_period_start",
        skip_serializing_if = "Option::is_none"
    )]
    pub grace_started_at: Option<String>,

    /// When grace period expires (ISO 8601)
    #[serde(
        rename = "_grace_period_expires",
        skip_serializing_if = "Option::is_none"
    )]
    pub grace_expires_at: Option<String>,

    /// Last online validation check (ISO 8601)
    #[serde(rename = "_last_online_check", skip_serializing_if = "Option::is_none")]
    pub last_online_check: Option<String>,
}

/// Raw JWT payload structure for deserialization
#[derive(Debug, Deserialize)]
struct JwtPayload {
    #[serde(default)]
    iss: String,
    #[serde(default)]
    sub: String,
    #[serde(default)]
    aud: Option<String>,
    #[serde(default)]
    iat: Option<i64>,
    #[serde(default)]
    exp: Option<i64>,
    #[serde(default)]
    nbf: Option<i64>,
    #[serde(default)]
    tenant_id: Option<String>,
    #[serde(default)]
    plan: Option<String>,
    #[serde(default)]
    features: Option<Vec<String>>,
    #[serde(default)]
    limits: Option<serde_json::Value>,
    #[serde(default)]
    grace_period_hours: Option<i64>,
}

/// License validator state
struct ValidatorState {
    claims: Option<LicenseClaims>,
    current_status: LicenseStatus,
    last_online_validation: Option<DateTime<Utc>>,
    grace_period_started: Option<DateTime<Utc>>,
}

/// Validates PhyTrace license tokens
///
/// Supports:
/// - JWT token parsing and signature verification
/// - Expiry checking with configurable grace period
/// - Dev mode bypass for local development
/// - Online validation via PhyCloud endpoint
///
/// # Example
///
/// ```rust,no_run
/// use phytrace_sdk::core::license::{LicenseValidator, LicenseStatus};
///
/// #[tokio::main]
/// async fn main() {
///     let validator = LicenseValidator::new(
///         Some("eyJhbG...".to_string()),
///         Some("https://api.phycloud.phyware.io".to_string()),
///         72,
///     );
///     
///     let status = validator.validate();
///     match status {
///         LicenseStatus::Valid => println!("Full access"),
///         LicenseStatus::GracePeriod => println!("Grace period - events quarantined"),
///         LicenseStatus::DevMode => println!("Dev mode - no restrictions"),
///         _ => println!("License invalid"),
///     }
/// }
/// ```
pub struct LicenseValidator {
    license_token: Option<String>,
    endpoint: Option<String>,
    grace_period_hours: i64,
    is_dev_mode: AtomicBool,
    state: Arc<RwLock<ValidatorState>>,
}

impl LicenseValidator {
    /// Create a new license validator
    ///
    /// # Arguments
    ///
    /// * `license_token` - JWT license token from PhyWare customer portal
    /// * `endpoint` - PhyCloud endpoint for online validation
    /// * `grace_period_hours` - Hours to allow offline operation (default 72)
    pub fn new(
        license_token: Option<String>,
        endpoint: Option<String>,
        grace_period_hours: i64,
    ) -> Self {
        let is_dev_mode = Self::check_dev_mode();

        Self {
            license_token,
            endpoint,
            grace_period_hours,
            is_dev_mode: AtomicBool::new(is_dev_mode),
            state: Arc::new(RwLock::new(ValidatorState {
                claims: None,
                current_status: LicenseStatus::Unlicensed,
                last_online_validation: None,
                grace_period_started: None,
            })),
        }
    }

    /// Check if dev mode is enabled via environment variable
    fn check_dev_mode() -> bool {
        env::var(DEV_MODE_ENV)
            .map(|v| matches!(v.to_lowercase().as_str(), "1" | "true" | "yes" | "on"))
            .unwrap_or(false)
    }

    /// Return true if running in dev mode
    pub fn is_dev_mode(&self) -> bool {
        self.is_dev_mode.load(Ordering::Relaxed)
    }

    /// Get the current license status
    pub async fn current_status(&self) -> LicenseStatus {
        self.state.read().await.current_status
    }

    /// Get the tenant ID from license claims
    pub async fn tenant_id(&self) -> String {
        if self.is_dev_mode() {
            return "dev-tenant".to_string();
        }
        let state = self.state.read().await;
        state
            .claims
            .as_ref()
            .map(|c| c.tenant_id.clone())
            .unwrap_or_default()
    }

    /// Get the plan from license claims
    pub async fn plan(&self) -> String {
        if self.is_dev_mode() {
            return "dev".to_string();
        }
        let state = self.state.read().await;
        state
            .claims
            .as_ref()
            .map(|c| c.plan.clone())
            .unwrap_or_default()
    }

    /// Validate the license token (synchronous, offline check)
    ///
    /// Returns the validation status
    pub fn validate(&self) -> LicenseStatus {
        // Dev mode bypass
        if self.is_dev_mode() {
            warn!(
                "⚠️  PHYWARE_DEV_MODE is enabled - license validation bypassed. \
                Do not use in production!"
            );
            // Update state synchronously using try_write
            if let Ok(mut state) = self.state.try_write() {
                state.current_status = LicenseStatus::DevMode;
            }
            return LicenseStatus::DevMode;
        }

        // No token provided
        let Some(ref token) = self.license_token else {
            error!("No license token provided");
            if let Ok(mut state) = self.state.try_write() {
                state.current_status = LicenseStatus::Unlicensed;
            }
            return LicenseStatus::Unlicensed;
        };

        match self.decode_jwt(token) {
            Ok(claims) => {
                let now = Utc::now();
                let status = self.check_expiry(&claims, now);

                if let Ok(mut state) = self.state.try_write() {
                    if status == LicenseStatus::GracePeriod && state.grace_period_started.is_none()
                    {
                        state.grace_period_started = claims.expires_at;
                    }
                    state.claims = Some(claims);
                    state.current_status = status;
                }

                status
            }
            Err(e) => {
                error!("License validation failed: {}", e);
                if let Ok(mut state) = self.state.try_write() {
                    state.current_status = LicenseStatus::Invalid;
                }
                LicenseStatus::Invalid
            }
        }
    }

    /// Check expiry and grace period
    fn check_expiry(&self, claims: &LicenseClaims, now: DateTime<Utc>) -> LicenseStatus {
        if let Some(expires_at) = claims.expires_at {
            if now > expires_at {
                // Check if within grace period
                let grace_hours = claims.grace_period_hours;
                let grace_deadline = expires_at + Duration::hours(grace_hours);

                if now <= grace_deadline {
                    warn!(
                        "License expired but within grace period. Expires: {}",
                        grace_deadline.to_rfc3339()
                    );
                    return LicenseStatus::GracePeriod;
                } else {
                    error!("License expired and grace period exceeded");
                    return LicenseStatus::Expired;
                }
            }
        }

        // Check not-before
        if let Some(not_before) = claims.not_before {
            if now < not_before {
                error!("License not yet valid");
                return LicenseStatus::Invalid;
            }
        }

        LicenseStatus::Valid
    }

    /// Validate license against PhyCloud endpoint (async, online check)
    ///
    /// This method should be called periodically (e.g., hourly) to:
    /// - Verify tenant status hasn't been revoked
    /// - Check usage against limits
    /// - Refresh token if nearing expiry
    #[cfg(feature = "http")]
    pub async fn validate_online(&self) -> LicenseStatus {
        // Dev mode bypass
        if self.is_dev_mode() {
            let mut state = self.state.write().await;
            state.current_status = LicenseStatus::DevMode;
            return LicenseStatus::DevMode;
        }

        let Some(ref endpoint) = self.endpoint else {
            // Fall back to offline validation
            return self.validate();
        };

        let Some(ref token) = self.license_token else {
            return LicenseStatus::Unlicensed;
        };

        let client = match reqwest::Client::builder()
            .timeout(std::time::Duration::from_secs(10))
            .build()
        {
            Ok(c) => c,
            Err(e) => {
                warn!(
                    "Failed to create HTTP client: {}, falling back to offline",
                    e
                );
                return self.validate();
            }
        };

        let url = format!("{}/v1/license/validate", endpoint);
        let response = client
            .post(&url)
            .header("Authorization", format!("Bearer {}", token))
            .send()
            .await;

        match response {
            Ok(resp) if resp.status().is_success() => {
                let mut state = self.state.write().await;
                state.last_online_validation = Some(Utc::now());

                if let Ok(data) = resp.json::<serde_json::Value>().await {
                    let status_str = data
                        .get("status")
                        .and_then(|v| v.as_str())
                        .unwrap_or("invalid");

                    state.current_status = match status_str {
                        "valid" => LicenseStatus::Valid,
                        "grace_period" => {
                            if state.grace_period_started.is_none() {
                                state.grace_period_started = Some(Utc::now());
                            }
                            LicenseStatus::GracePeriod
                        }
                        "expired" => LicenseStatus::Expired,
                        _ => LicenseStatus::Invalid,
                    };
                    state.current_status
                } else {
                    self.validate()
                }
            }
            Ok(resp) if resp.status() == reqwest::StatusCode::UNAUTHORIZED => {
                error!("License rejected by server (unauthorized)");
                let mut state = self.state.write().await;
                state.current_status = LicenseStatus::Invalid;
                LicenseStatus::Invalid
            }
            Ok(resp) => {
                warn!(
                    "Online validation failed (HTTP {}), falling back to offline",
                    resp.status()
                );
                self.validate()
            }
            Err(e) => {
                warn!("Online validation error: {}, falling back to offline", e);
                self.validate()
            }
        }
    }

    /// Stub for non-http builds
    #[cfg(not(feature = "http"))]
    pub async fn validate_online(&self) -> LicenseStatus {
        self.validate()
    }

    /// Get license metadata for event injection
    pub async fn get_license_metadata(&self) -> LicenseMetadata {
        let state = self.state.read().await;

        let grace_expires = state
            .grace_period_started
            .map(|started| (started + Duration::hours(self.grace_period_hours)).to_rfc3339());

        LicenseMetadata {
            status: state.current_status.as_str().to_string(),
            tenant_id: if self.is_dev_mode() {
                "dev-tenant".to_string()
            } else {
                state
                    .claims
                    .as_ref()
                    .map(|c| c.tenant_id.clone())
                    .unwrap_or_default()
            },
            plan: if self.is_dev_mode() {
                "dev".to_string()
            } else {
                state
                    .claims
                    .as_ref()
                    .map(|c| c.plan.clone())
                    .unwrap_or_default()
            },
            quarantine: state.current_status == LicenseStatus::GracePeriod,
            grace_started_at: state.grace_period_started.map(|dt| dt.to_rfc3339()),
            grace_expires_at: grace_expires,
            last_online_check: state.last_online_validation.map(|dt| dt.to_rfc3339()),
        }
    }

    /// Decode a JWT token and extract claims
    fn decode_jwt(&self, token: &str) -> Result<LicenseClaims, LicenseError> {
        // JWT format: header.payload.signature
        let parts: Vec<&str> = token.split('.').collect();
        if parts.len() != 3 {
            return Err(LicenseError::InvalidFormat(
                "JWT must have 3 parts".to_string(),
            ));
        }

        // Decode payload (base64url)
        #[expect(
            clippy::indexing_slicing,
            reason = "length checked above: parts.len() == 3"
        )]
        let payload_bytes = URL_SAFE_NO_PAD
            .decode(parts[1])
            .map_err(|e| LicenseError::DecodeError(e.to_string()))?;

        let payload: JwtPayload = serde_json::from_slice(&payload_bytes)
            .map_err(|e| LicenseError::DecodeError(e.to_string()))?;

        // Convert to LicenseClaims
        let claims = LicenseClaims {
            issuer: payload.iss,
            subject: payload.sub.clone(),
            audience: payload.aud.unwrap_or_default(),
            issued_at: payload.iat.and_then(|ts| DateTime::from_timestamp(ts, 0)),
            expires_at: payload.exp.and_then(|ts| DateTime::from_timestamp(ts, 0)),
            not_before: payload.nbf.and_then(|ts| DateTime::from_timestamp(ts, 0)),
            tenant_id: payload.tenant_id.unwrap_or(payload.sub),
            plan: payload.plan.unwrap_or_else(|| "free".to_string()),
            features: payload.features.unwrap_or_default(),
            limits: payload.limits.unwrap_or(serde_json::Value::Null),
            grace_period_hours: payload
                .grace_period_hours
                .unwrap_or(DEFAULT_GRACE_PERIOD_HOURS),
        };

        Ok(claims)
    }

    /// Require a valid license, returning an error if not valid
    pub fn require_valid(&self) -> Result<(), LicenseError> {
        let status = self.validate();

        match status {
            LicenseStatus::DevMode | LicenseStatus::Valid | LicenseStatus::GracePeriod => Ok(()),
            LicenseStatus::Expired => Err(LicenseError::Expired),
            LicenseStatus::Unlicensed => Err(LicenseError::NoToken),
            LicenseStatus::Invalid => Err(LicenseError::ValidationFailed(
                "Invalid license".to_string(),
            )),
        }
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use base64::{engine::general_purpose::URL_SAFE_NO_PAD, Engine};
    use serial_test::serial;

    /// Helper to create a test JWT token
    fn create_test_jwt(
        tenant_id: &str,
        plan: &str,
        exp_offset_secs: i64,
        nbf_offset_secs: i64,
        grace_period_hours: i64,
    ) -> String {
        let now = Utc::now().timestamp();

        let header = serde_json::json!({
            "alg": "RS256",
            "typ": "JWT"
        });

        let payload = serde_json::json!({
            "iss": "https://license.phyware.io",
            "sub": tenant_id,
            "aud": "phytrace-sdk",
            "iat": now,
            "exp": now + exp_offset_secs,
            "nbf": now + nbf_offset_secs,
            "tenant_id": tenant_id,
            "plan": plan,
            "features": ["telemetry", "safety_analysis"],
            "limits": {"events_per_day": 1000000},
            "grace_period_hours": grace_period_hours
        });

        let header_b64 = URL_SAFE_NO_PAD.encode(header.to_string().as_bytes());
        let payload_b64 = URL_SAFE_NO_PAD.encode(payload.to_string().as_bytes());
        let sig_b64 = URL_SAFE_NO_PAD.encode(b"fake_signature");

        format!("{}.{}.{}", header_b64, payload_b64, sig_b64)
    }

    #[test]
    #[serial]
    fn test_dev_mode_detection() {
        // Test with env var set
        env::set_var(DEV_MODE_ENV, "1");
        assert!(LicenseValidator::check_dev_mode());

        env::set_var(DEV_MODE_ENV, "true");
        assert!(LicenseValidator::check_dev_mode());

        env::set_var(DEV_MODE_ENV, "yes");
        assert!(LicenseValidator::check_dev_mode());

        env::set_var(DEV_MODE_ENV, "on");
        assert!(LicenseValidator::check_dev_mode());

        env::set_var(DEV_MODE_ENV, "false");
        assert!(!LicenseValidator::check_dev_mode());

        env::set_var(DEV_MODE_ENV, "0");
        assert!(!LicenseValidator::check_dev_mode());

        env::remove_var(DEV_MODE_ENV);
        assert!(!LicenseValidator::check_dev_mode());
    }

    #[test]
    fn test_license_status_as_str() {
        assert_eq!(LicenseStatus::Valid.as_str(), "valid");
        assert_eq!(LicenseStatus::GracePeriod.as_str(), "grace_period");
        assert_eq!(LicenseStatus::Expired.as_str(), "expired");
        assert_eq!(LicenseStatus::Invalid.as_str(), "invalid");
        assert_eq!(LicenseStatus::DevMode.as_str(), "dev_mode");
        assert_eq!(LicenseStatus::Unlicensed.as_str(), "unlicensed");
    }

    #[test]
    fn test_allows_operation() {
        assert!(LicenseStatus::Valid.allows_operation());
        assert!(LicenseStatus::GracePeriod.allows_operation());
        assert!(LicenseStatus::DevMode.allows_operation());
        assert!(!LicenseStatus::Expired.allows_operation());
        assert!(!LicenseStatus::Invalid.allows_operation());
        assert!(!LicenseStatus::Unlicensed.allows_operation());
    }

    #[test]
    fn test_should_quarantine() {
        assert!(!LicenseStatus::Valid.should_quarantine());
        assert!(LicenseStatus::GracePeriod.should_quarantine());
        assert!(!LicenseStatus::DevMode.should_quarantine());
        assert!(!LicenseStatus::Expired.should_quarantine());
        assert!(!LicenseStatus::Invalid.should_quarantine());
        assert!(!LicenseStatus::Unlicensed.should_quarantine());
    }

    #[tokio::test]
    #[serial]
    async fn test_dev_mode_validation() {
        env::set_var(DEV_MODE_ENV, "1");
        let validator = LicenseValidator::new(None, None, 72);
        let status = validator.validate();
        assert_eq!(status, LicenseStatus::DevMode);
        assert!(validator.is_dev_mode());
        env::remove_var(DEV_MODE_ENV);
    }

    #[test]
    #[serial]
    fn test_no_token_validation() {
        // Ensure dev mode is off before creating validator
        env::remove_var(DEV_MODE_ENV);
        // Create validator after env is set
        let validator = LicenseValidator::new(None, None, 72);
        let status = validator.validate();
        assert_eq!(status, LicenseStatus::Unlicensed);
    }

    #[test]
    #[serial]
    fn test_valid_token_validation() {
        env::remove_var(DEV_MODE_ENV);
        let token = create_test_jwt("test-tenant", "professional", 86400, -3600, 72);
        let validator = LicenseValidator::new(Some(token), None, 72);
        let status = validator.validate();
        assert_eq!(status, LicenseStatus::Valid);
    }

    #[test]
    #[serial]
    fn test_expired_token_within_grace() {
        env::remove_var(DEV_MODE_ENV);
        // Expired 1 hour ago, but grace period is 72 hours
        let token = create_test_jwt("test-tenant", "professional", -3600, -7200, 72);
        let validator = LicenseValidator::new(Some(token), None, 72);
        let status = validator.validate();
        assert_eq!(status, LicenseStatus::GracePeriod);
    }

    #[test]
    #[serial]
    fn test_expired_token_past_grace() {
        env::remove_var(DEV_MODE_ENV);
        // Expired 100 hours ago, grace period is 72 hours
        let token = create_test_jwt("test-tenant", "professional", -360000, -360000, 72);
        let validator = LicenseValidator::new(Some(token), None, 72);
        let status = validator.validate();
        assert_eq!(status, LicenseStatus::Expired);
    }

    #[test]
    #[serial]
    fn test_not_yet_valid_token() {
        env::remove_var(DEV_MODE_ENV);
        // Valid in the future (nbf is 1 hour from now)
        let token = create_test_jwt("test-tenant", "professional", 86400, 3600, 72);
        let validator = LicenseValidator::new(Some(token), None, 72);
        let status = validator.validate();
        assert_eq!(status, LicenseStatus::Invalid);
    }

    #[test]
    #[serial]
    fn test_malformed_token() {
        env::remove_var(DEV_MODE_ENV);
        let validator = LicenseValidator::new(Some("not.valid".to_string()), None, 72);
        let status = validator.validate();
        assert_eq!(status, LicenseStatus::Invalid);
    }

    #[test]
    #[serial]
    fn test_invalid_base64_token() {
        env::remove_var(DEV_MODE_ENV);
        let validator = LicenseValidator::new(Some("xxx.!!!invalid!!!.zzz".to_string()), None, 72);
        let status = validator.validate();
        assert_eq!(status, LicenseStatus::Invalid);
    }

    #[test]
    #[serial]
    fn test_invalid_json_payload() {
        env::remove_var(DEV_MODE_ENV);
        let header = URL_SAFE_NO_PAD.encode(b"{\"alg\":\"RS256\"}");
        let payload = URL_SAFE_NO_PAD.encode(b"not json");
        let sig = URL_SAFE_NO_PAD.encode(b"sig");
        let token = format!("{}.{}.{}", header, payload, sig);

        let validator = LicenseValidator::new(Some(token), None, 72);
        let status = validator.validate();
        assert_eq!(status, LicenseStatus::Invalid);
    }

    #[tokio::test]
    #[serial]
    async fn test_tenant_id_dev_mode() {
        env::set_var(DEV_MODE_ENV, "1");
        let validator = LicenseValidator::new(None, None, 72);
        validator.validate();
        assert_eq!(validator.tenant_id().await, "dev-tenant");
        env::remove_var(DEV_MODE_ENV);
    }

    #[tokio::test]
    #[serial]
    async fn test_plan_dev_mode() {
        env::set_var(DEV_MODE_ENV, "1");
        let validator = LicenseValidator::new(None, None, 72);
        validator.validate();
        assert_eq!(validator.plan().await, "dev");
        env::remove_var(DEV_MODE_ENV);
    }

    #[tokio::test]
    #[serial]
    async fn test_tenant_id_with_token() {
        env::remove_var(DEV_MODE_ENV);
        let token = create_test_jwt("my-tenant-123", "enterprise", 86400, -3600, 72);
        let validator = LicenseValidator::new(Some(token), None, 72);
        validator.validate();
        assert_eq!(validator.tenant_id().await, "my-tenant-123");
    }

    #[tokio::test]
    #[serial]
    async fn test_plan_with_token() {
        env::remove_var(DEV_MODE_ENV);
        let token = create_test_jwt("test-tenant", "enterprise", 86400, -3600, 72);
        let validator = LicenseValidator::new(Some(token), None, 72);
        validator.validate();
        assert_eq!(validator.plan().await, "enterprise");
    }

    #[tokio::test]
    #[serial]
    async fn test_current_status() {
        env::remove_var(DEV_MODE_ENV);
        let token = create_test_jwt("test-tenant", "professional", 86400, -3600, 72);
        let validator = LicenseValidator::new(Some(token), None, 72);

        // Before validation
        assert_eq!(validator.current_status().await, LicenseStatus::Unlicensed);

        // After validation
        validator.validate();
        assert_eq!(validator.current_status().await, LicenseStatus::Valid);
    }

    #[tokio::test]
    #[serial]
    async fn test_license_metadata_valid() {
        env::remove_var(DEV_MODE_ENV);
        let token = create_test_jwt("test-tenant", "professional", 86400, -3600, 72);
        let validator = LicenseValidator::new(Some(token), None, 72);
        validator.validate();

        let meta = validator.get_license_metadata().await;
        assert_eq!(meta.status, "valid");
        assert_eq!(meta.tenant_id, "test-tenant");
        assert_eq!(meta.plan, "professional");
        assert!(!meta.quarantine);
        assert!(meta.grace_started_at.is_none());
    }

    #[tokio::test]
    #[serial]
    async fn test_license_metadata_grace_period() {
        env::remove_var(DEV_MODE_ENV);
        let token = create_test_jwt("test-tenant", "professional", -3600, -7200, 72);
        let validator = LicenseValidator::new(Some(token), None, 72);
        validator.validate();

        let meta = validator.get_license_metadata().await;
        assert_eq!(meta.status, "grace_period");
        assert!(meta.quarantine);
        assert!(meta.grace_started_at.is_some());
        assert!(meta.grace_expires_at.is_some());
    }

    #[tokio::test]
    #[serial]
    async fn test_license_metadata_dev_mode() {
        env::set_var(DEV_MODE_ENV, "1");
        let validator = LicenseValidator::new(None, None, 72);
        validator.validate();

        let meta = validator.get_license_metadata().await;
        assert_eq!(meta.status, "dev_mode");
        assert_eq!(meta.tenant_id, "dev-tenant");
        assert_eq!(meta.plan, "dev");
        assert!(!meta.quarantine);
        env::remove_var(DEV_MODE_ENV);
    }

    #[test]
    #[serial]
    fn test_require_valid_with_valid_license() {
        env::remove_var(DEV_MODE_ENV);
        let token = create_test_jwt("test-tenant", "professional", 86400, -3600, 72);
        let validator = LicenseValidator::new(Some(token), None, 72);
        validator.require_valid().unwrap();
    }

    #[test]
    #[serial]
    fn test_require_valid_dev_mode() {
        env::set_var(DEV_MODE_ENV, "1");
        let validator = LicenseValidator::new(None, None, 72);
        validator.require_valid().unwrap();
        env::remove_var(DEV_MODE_ENV);
    }

    #[test]
    #[serial]
    fn test_require_valid_grace_period() {
        env::remove_var(DEV_MODE_ENV);
        let token = create_test_jwt("test-tenant", "professional", -3600, -7200, 72);
        let validator = LicenseValidator::new(Some(token), None, 72);
        validator.require_valid().unwrap();
    }

    #[test]
    #[serial]
    fn test_require_valid_expired() {
        env::remove_var(DEV_MODE_ENV);
        let token = create_test_jwt("test-tenant", "professional", -360000, -360000, 72);
        let validator = LicenseValidator::new(Some(token), None, 72);
        let result = validator.require_valid();
        assert!(matches!(result.unwrap_err(), LicenseError::Expired));
    }

    #[test]
    #[serial]
    fn test_require_valid_no_token() {
        env::remove_var(DEV_MODE_ENV);
        let validator = LicenseValidator::new(None, None, 72);
        let result = validator.require_valid();
        assert!(matches!(result.unwrap_err(), LicenseError::NoToken));
    }

    #[test]
    #[serial]
    fn test_require_valid_invalid() {
        env::remove_var(DEV_MODE_ENV);
        let validator = LicenseValidator::new(Some("invalid.jwt.token".to_string()), None, 72);
        let result = validator.require_valid();
        assert!(matches!(
            result.unwrap_err(),
            LicenseError::ValidationFailed(_)
        ));
    }

    #[test]
    fn test_license_claims_defaults() {
        let claims = LicenseClaims::default();
        assert_eq!(claims.issuer, "");
        assert_eq!(claims.subject, "");
        assert_eq!(claims.tenant_id, "");
        assert_eq!(claims.plan, "");
        assert!(claims.features.is_empty());
        // Note: Default derive uses 0, serde default uses DEFAULT_GRACE_PERIOD_HOURS
        // The grace_period_hours is properly set via serde deserialization
        assert_eq!(claims.grace_period_hours, 0);
    }

    #[test]
    fn test_license_metadata_serialization() {
        let meta = LicenseMetadata {
            status: "valid".to_string(),
            tenant_id: "test".to_string(),
            plan: "pro".to_string(),
            quarantine: false,
            grace_started_at: None,
            grace_expires_at: None,
            last_online_check: None,
        };

        let json = serde_json::to_string(&meta).unwrap();
        assert!(json.contains("_license_status"));
        assert!(json.contains("_license_tenant_id"));
        assert!(json.contains("_quarantine"));
    }

    #[test]
    fn test_license_error_display() {
        let err = LicenseError::NoToken;
        assert_eq!(err.to_string(), "No license token provided");

        let err = LicenseError::Expired;
        assert_eq!(err.to_string(), "License expired");

        let err = LicenseError::InvalidFormat("bad format".to_string());
        assert!(err.to_string().contains("bad format"));

        let err = LicenseError::ValidationFailed("test".to_string());
        assert!(err.to_string().contains("test"));
    }

    #[tokio::test]
    #[serial]
    async fn test_validate_online_no_endpoint() {
        env::remove_var(DEV_MODE_ENV);
        let token = create_test_jwt("test-tenant", "professional", 86400, -3600, 72);
        // No endpoint provided, should fall back to offline validation
        let validator = LicenseValidator::new(Some(token), None, 72);
        let status = validator.validate_online().await;
        assert_eq!(status, LicenseStatus::Valid);
    }

    #[tokio::test]
    #[serial]
    async fn test_validate_online_dev_mode() {
        env::set_var(DEV_MODE_ENV, "1");
        let validator = LicenseValidator::new(
            None,
            Some("https://api.phycloud.phyware.io".to_string()),
            72,
        );
        let status = validator.validate_online().await;
        assert_eq!(status, LicenseStatus::DevMode);
        env::remove_var(DEV_MODE_ENV);
    }
}