License runtime and entitlements
Version 0.1.64 adds the first license runtime foundation required to turn NFZ Docs Notion Editor into a distributable SaaS product.
Goal
The validated product architecture remains straightforward:
- DockerHub distributes application images;
- NFZ License Server manages editions, subscriptions, entitlements, quotas, tenants and grace periods;
- the application never exposes the full license key in the browser.
Administration page
The /admin/license page displays:
- the active edition:
community,starter,proorenterprise; - the runtime mode:
local,remoteordisabled; - the license state:
local,active,trialing,grace,expired,invalid,unconfiguredorunreachable; - feature entitlements;
- main quotas;
- server-side variables required for DockerHub/Portainer deployments.
Server variables
NFZ_PRODUCT_ID=nfz-docs-builder
NFZ_PRODUCT_DOMAIN=vitepress-buider.com
NFZ_EDITION=community
NFZ_LICENSE_MODE=local
NFZ_LICENSE_KEY=
NFZ_LICENSE_SERVER_URL=https://licence.nfz-serveur.fr
NFZ_LICENSE_VERIFY_PATH=/api/license/verify
NFZ_LICENSE_CACHE_TTL_SECONDS=900
NFZ_LICENSE_GRACE_PERIOD_HOURS=72Available modes
Local mode
local mode keeps the developer experience simple. The edition is read from NFZ_EDITION and entitlements are computed locally.
This mode is suitable for development, demos and Community instances.
Remote mode
remote mode calls NFZ License Server through NFZ_LICENSE_SERVER_URL and NFZ_LICENSE_VERIFY_PATH.
The server-side request only sends the required data: product, domain, requested edition, license key and current tenant when available.
Grace period
When the license server is unavailable, the application may remain temporarily usable with the grace state. Its duration is controlled by NFZ_LICENSE_GRACE_PERIOD_HOURS.
Initial entitlements
The initial rights cover:
- documentation editor;
- VitePress build;
- static ZIP and source project ZIP exports;
- publishing connectors;
- custom branding;
- RustFS/S3 media provider;
- audit trail;
- multi-tenancy;
- advanced i18n;
- priority support;
- Enterprise SSO.
Security best practice
The administration page is an operational helper. Real enforcement must also happen in Feathers hooks for sensitive actions: build, export, publishing, S3 media, audit, multi-tenancy and administration.
Server guards 0.1.67
Version 0.1.67 adds real entitlement enforcement on Feathers/NFZ services. The UI disables unauthorized actions, but the authoritative rule is now server-side.
Protected services:
| Action | Service | Entitlement |
|---|---|---|
| Create/update/delete a Markdown page | docs-pages | docsEditor |
| Import Markdown | docs-imports | docsEditor |
| Run a VitePress build | docs-builds | buildVitePress |
| Export the VitePress source project | docs-exports | exportSourceProject |
| Export the built static site | docs-exports | exportStaticZip |
| Use an S3/RustFS media provider | docs-assets / docs-imports | mediaS3 |
Local mode keeps the developer experience simple. Production should use NFZ_LICENSE_MODE=remote and a NFZ_LICENSE_KEY verified by NFZ License Server.
NFZ_LICENSE_MODE=remote
NFZ_LICENSE_ENFORCEMENT=true
NFZ_LICENSE_SERVER_URL=https://licence.nfz-serveur.fr
NFZ_LICENSE_VERIFY_PATH=/api/license/verify
NFZ_LICENSE_KEY=...NFZ_LICENSE_ENFORCEMENT=false is only a local development escape hatch and must not be used in production.