Configuration
1. Environment Variables
Source: packages/core/src/common/environments.ts + this package's certificate keys. The licensing service reads core's standard application/DB/Redis/auth env set; only the certificate keys are package-specific.
Application
| Name | Type | Default | Required | Description |
|---|---|---|---|---|
| APP_ENV_APPLICATION_NAME | string | licensing | | Service name |
| APP_ENV_APPLICATION_CODE | string | SVC-00140-LICENSING | | Service code (reassigned from SVC-00110; see ADR-0002) |
| APP_ENV_APPLICATION_SECRET | string | — | ✓ (for certs) | AES-256-GCM secret for certificate payload encryption |
| APP_ENV_SERVER_HOST | string | localhost | | Bind host |
| APP_ENV_SERVER_PORT | number | 31120 | | HTTP listen port |
| APP_ENV_SERVER_BASE_PATH | string | /v1/api/licensing | | Route prefix |
| APP_ENV_SNOWFLAKE_WORKER_ID | number | 11 | ✓ | Snowflake worker ID |
Database
| Name | Type | Required | Description |
|---|---|---|---|
| APP_ENV_POSTGRES_HOST / _PORT / _DATABASE / _USERNAME / _PASSWORD | string | ✓ | PostgreSQL connection (PostgresCoreDataSource) |
Redis (cache component)
| Name | Type | Default | Description |
|---|---|---|---|
| APP_ENV_CACHE_REDIS_MODE | single \| cluster | — | Connection mode |
| APP_ENV_CACHE_REDIS_IDENTIFIER | string | cache | Logical identifier |
| APP_ENV_CACHE_REDIS_HOST / _PORT | string / number | — | Single-mode endpoint |
| APP_ENV_CACHE_REDIS_CLUSTER_NODES | string | — | Comma-separated host:port (cluster mode) |
| APP_ENV_CACHE_REDIS_PASSWORD | string | — | Redis password |
No Kafka or BullMQ env is consumed — those components are not registered.
Auth
| Name | Type | Description |
|---|---|---|
| APP_ENV_IDENTITY_SERVICE_BASE_URL | string | Identity base URL for JWKS verification |
| APP_ENV_JWKS_REST_PATH | string | JWKS endpoint path |
| APP_ENV_BASIC_AUTH_USERNAME / _PASSWORD | string | HTTP Basic credentials (alternate auth strategy) |
Service-specific — Certificates
| Name | Type | Default | Required | Description |
|---|---|---|---|---|
| APP_ENV_LICENSING_ED25519_PRIVATE_KEY | string (PEM) | — | ✓ (to sign) | Ed25519 private key for signing certificates |
| APP_ENV_LICENSING_ED25519_PUBLIC_KEY | string (PEM) | — | ✓ (consumers verify) | Ed25519 public key — shipped to verifier services via @nx/core |
| APP_ENV_LICENSING_CERT_TTL_SECONDS | number | 86400 | | Cert TTL → both Redis EX and payload certExpiresAt |
| APP_ENV_LICENSING_SERVICE_BASE_URL | string | — | | Defined in core env registry; not used at runtime (consumers read the cached cert, not the service) |
Graceful degradation: if APP_ENV_LICENSING_ED25519_PRIVATE_KEY or APP_ENV_APPLICATION_SECRET is missing, publishCertificate() logs a warning and skips cert generation. Licenses still issue, but License.certificate stays null and consumers receive null from LicenseMiddleware.
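Because the degraded mode above only logs a warning, a deploy-time preflight can surface missing or mismatched certificate settings before any license is issued with a null certificate. The following is an added example, not code from this package: checkCertificateEnv and sampleEnv are hypothetical names, and it assumes the PEM values are stored in the environment with real newlines.

```typescript
import { createPrivateKey, createPublicKey, generateKeyPairSync, sign, verify } from "node:crypto";

type Env = Record<string, string | undefined>;

// Returns a list of problems; an empty list means certificates can be signed
// here and verified by consumers holding the configured public key.
function checkCertificateEnv(env: Env): string[] {
  const problems: string[] = [];
  const privPem = env.APP_ENV_LICENSING_ED25519_PRIVATE_KEY;
  const pubPem = env.APP_ENV_LICENSING_ED25519_PUBLIC_KEY;
  if (!env.APP_ENV_APPLICATION_SECRET) problems.push("APP_ENV_APPLICATION_SECRET missing: cert generation will be skipped");
  if (!privPem) problems.push("APP_ENV_LICENSING_ED25519_PRIVATE_KEY missing: cert generation will be skipped");
  if (!pubPem) problems.push("APP_ENV_LICENSING_ED25519_PUBLIC_KEY missing: consumers cannot verify");
  else if (pubPem.includes("PRIVATE KEY")) problems.push("public key variable holds private key material");
  // TTL feeds both the Redis EX and certExpiresAt, so it must be a positive integer.
  const ttl = Number(env.APP_ENV_LICENSING_CERT_TTL_SECONDS ?? "86400");
  if (!Number.isInteger(ttl) || ttl <= 0) problems.push("APP_ENV_LICENSING_CERT_TTL_SECONDS must be a positive integer");
  if (privPem && pubPem && !pubPem.includes("PRIVATE KEY")) {
    try {
      const priv = createPrivateKey(privPem);
      const pub = createPublicKey(pubPem);
      if (priv.asymmetricKeyType !== "ed25519" || pub.asymmetricKeyType !== "ed25519") {
        problems.push("configured keys are not Ed25519");
      } else {
        // Sign a probe and verify it: proves the two PEMs are one key pair.
        const probe = Buffer.from("licensing-preflight-probe");
        if (!verify(null, probe, pub, sign(null, probe, priv))) problems.push("public key does not match private key");
      }
    } catch (err) {
      problems.push("PEM could not be parsed: " + (err as Error).message);
    }
  }
  return problems;
}

// Constructed sample input: throwaway keys generated at run time, placeholder secret.
function sampleEnv(): Env {
  const { publicKey, privateKey } = generateKeyPairSync("ed25519", {
    publicKeyEncoding: { type: "spki", format: "pem" },
    privateKeyEncoding: { type: "pkcs8", format: "pem" },
  });
  return {
    APP_ENV_APPLICATION_SECRET: "constructed-placeholder-secret",
    APP_ENV_LICENSING_ED25519_PRIVATE_KEY: privateKey,
    APP_ENV_LICENSING_ED25519_PUBLIC_KEY: publicKey,
    APP_ENV_LICENSING_CERT_TTL_SECONDS: "86400",
  };
}
```

Run it in the deployment pipeline against the target environment and treat a non-empty result as a failed deploy.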
2. Feature Flags
| Flag | Default | Owner | Description |
|---|---|---|---|
| None | — | — | No runtime feature flags. PolicyFeature entitlements are domain data, not deployment flags. |
3. Seeded Data
Migration processes in src/migrations/processes/ — all alwaysRun: true (idempotent upserts) on bootstrap (RUN_MODE=migrate).
| File | Seeds | Idempotent | Notes |
|---|---|---|---|
| licensing-0001-seed-permissions.ts | All LicensingPermissions (CRUD on 4 subjects + license lifecycle actions) | ✓ | Upserts each permission by code |
| licensing-0002-seed-free-trial-plan.ts | 1 Policy (FREE_TRIAL: TRIAL, 30-day, ACTIVATED, product Trial) | ✓ | Upserts by (product, type, status) |
| licensing-0003-seed-role-permissions.ts | Grants ALL licensing permissions to OWNER, EMPLOYEE, CASHIER | ✓ | Lenient baseline — tightened later via policy-definition API |
| licensing-0004-seed-guest-permissions.ts | Grants License.issueFreeTrial to GUEST (wildcard domain *) | ✓ | Pre-merchant onboarding self-service trial |
4. Configuration Storage (Configuration table)
| Configuration kind | Encryption | Read by |
|---|---|---|
| None | — | Licensing does not use the per-merchant Configuration table. Certificate secrets come from env, not encrypted runtime config. |